A service account is specifically designed for use by applications or compute workloads, such as a Compute Engine virtual machine (VM) instance, rather than by individuals. It enables applications to make authorized API calls, either on behalf of the service account itself or through domain-wide delegation for Google Workspace or Cloud Identity users. For instance, attaching a service account to a Compute Engine VM allows applications running on that VM to authenticate as the service account. Furthermore, the service account can be assigned IAM roles to access resources, serving as the application's identity and determining its resource access capabilities.

Reference: Google Cloud Service Accounts Documentation