About GCP Cloud APIs
→ 日本語版を読むIn GCP, each service becomes available by enabling its Cloud API on a per-project basis. Even when using services from the Cloud Console, the Cloud API must be enabled. What looks like operating through the Cloud Console is actually making API calls behind the scenes.
Enabling a Cloud API is done per service per project. If a Cloud API for a specific service is enabled in a project, GCP listens for API requests for that service. This does not mean that all accounts' (including service accounts') API requests are authorized. To have GCP authorize an API request, appropriate permissions are still required per account.
Initially, I mistakenly thought Cloud API enablement was per account. I thought you first enable an API at the project level, then link which of the enabled APIs each account can use.
In reality, Cloud API enablement is done at the project level, and account permission management is handled with IAM. That finally clicked for me.