If I create a service account in my project and give it to a third party, can that third party abuse it to create VM instances etc? Or is it only allowed to do things that I give it explicit permission to do?
In the "permissions" section of the Google developers console I can set the service account to "Can edit" or "Can view", but what do those mean?
If you give "edit" or "owner" permissions, the user can create, modify, or delete GCE VM instances (among other resources). If you only give "view" permissions, then they can't create, modify, or delete GCE VM instances.
However, you cannot give fine-grained permissions such as "user can only edit this VM instance, but not this other one".
Per Google Compute Engine docs:
Can View
Provides READ access:
- Can see the state of your instances.
- Can list and get any resource type.
Can Edit
Provides "Can View" access, plus:
- Can modify instances.
- On standard images released after March 22, 2012, can ssh into the project's instances.
Is Owner
Provides "Can Edit" access, plus:
- Can change membership of the project.
Per Google Cloud Storage docs:
Project team members are given the following permissions based on their roles:
All Project Team Members
All project team members can list buckets within a project.
Project Editors
All project editors can list, create, and delete buckets.
Project Owners
All project owners can list, create, and delete buckets, and can also perform administrative tasks like adding and removing team members and changing billing. The project owners group is the owner of all buckets within a project, regardless of who may be the original bucket creator.
When you create a bucket without specifying an ACL, the project-private ACL is applied to the bucket automatically. This ACL provides additional permissions to team members, as described in default bucket ACLs.
Per Google Cloud SQL docs:
Team members may be authorized to have one of three levels of access:
- “can View” (called Viewer in App Engine Console) allows read-only access.
- “can Edit” (called Developer in App Engine Console) allows modify and delete access. This allows a developer to deploy the application and modify or configure its resources.
- “is Owner” (called Owner in App Engine Console) allows full administrative access. This includes the ability to add members and set the authorization level of team members.
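The answer above maps the console's three levels onto project-wide roles. As an added example (not part of the original question or answer, and not taken from Google's documentation), the following `gcloud` script provisions a service account for a third party at the "Can view" level only, lists the roles it ended up with, and then impersonates the account to confirm that creating a VM instance is refused. `PROJECT_ID`, `SA_NAME`, `ZONE` and the `probe-vm` instance name are placeholders; the `roles/viewer`, `roles/editor` and `roles/owner` names are the IAM role names for the three legacy levels. Impersonation only works if the identity running the script holds `roles/iam.serviceAccountTokenCreator` on that service account.

```shell
#!/bin/sh
# Added example, not from the original post or Google's documentation.
# Creates a service account for a third party at the "Can view" level only,
# shows the resulting binding, and checks that the account cannot create a VM.
# PROJECT_ID, SA_NAME, ZONE and the probe-vm name are placeholders (assumptions).
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"   # assumption: your project ID
SA_NAME="${SA_NAME:-third-party-ro}"     # assumption: service account name
ZONE="${ZONE:-us-central1-a}"            # assumption: zone used for the write probe
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
DRY_RUN="${DRY_RUN:-0}"                  # 1 = print the commands instead of running them

# Execute a command, or print it verbatim when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Map the console's three legacy levels onto the primitive IAM role names.
role_for_level() {
  case "$1" in
    view)  echo "roles/viewer" ;;
    edit)  echo "roles/editor" ;;
    owner) echo "roles/owner" ;;
    *)     echo "unknown level: $1 (use view, edit or owner)" >&2; return 1 ;;
  esac
}

# Step 1: create the service account in the project.
create_sa() {
  run gcloud iam service-accounts create "$SA_NAME" \
      --project="$PROJECT_ID" --display-name="Third-party read-only access"
}

# Step 2: bind the account to exactly one project-wide role.
grant_level() {
  role="$(role_for_level "$1")" || return 1
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:${SA_EMAIL}" --role="$role"
}

# Step 3: list every role the account holds, so an accidental roles/editor
# or roles/owner grant is visible before any key is handed over.
show_bindings() {
  run gcloud projects get-iam-policy "$PROJECT_ID" \
      --flatten="bindings[].members" \
      --filter="bindings.members:serviceAccount:${SA_EMAIL}" \
      --format="value(bindings.role)"
}

# Step 4: act as the account and attempt a write. With roles/viewer the
# create must be refused. Impersonation requires that the identity running
# this script holds roles/iam.serviceAccountTokenCreator on SA_EMAIL.
probe_write() {
  set -- gcloud compute instances create probe-vm \
         --project="$PROJECT_ID" --zone="$ZONE" \
         --impersonate-service-account="$SA_EMAIL"
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; return 0; fi
  if "$@" >/dev/null 2>&1; then
    echo "UNEXPECTED: ${SA_EMAIL} created probe-vm; delete it and review the bindings" >&2
    return 1
  fi
  echo "OK: instance creation denied for ${SA_EMAIL}"
}

# Only run the sequence when invoked as: sh grant-viewer-sa.sh apply
if [ "${1:-}" = "apply" ]; then
  create_sa
  grant_level view
  show_bindings
  probe_write
fi
```

Run `DRY_RUN=1 sh grant-viewer-sa.sh apply` to see the exact commands without touching the project, then run it with `apply` and `DRY_RUN` unset to execute them. If `probe_write` reports that the instance was created, the account holds more than view access and the bindings printed by `show_bindings` need to be reviewed before the account is given to anyone.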