diff --git a/spread/google.go b/spread/google.go
index d1b08a5b..db81e2c7 100644
--- a/spread/google.go
+++ b/spread/google.go
@@ -459,6 +459,17 @@ func (p *googleProvider) createMachine(ctx context.Context, system *System) (*go
 		},
 	}
 
+	if serviceAccount := p.backend.GoogleServiceAccount; serviceAccount != "" {
+		// XXX the service account could be set from google key
+		// credentials, but the account used in the context of the
+		// request may not have the permissions to attach a service
+		// account to the instance
+		params["serviceAccounts"] = []googleParams{{
+			"email":  serviceAccount,
+			"scopes": []string{"https://www.googleapis.com/auth/cloud-platform"},
+		}}
+	}
+
 	if system.SecureBoot {
 		params["shieldedInstanceConfig"] = googleParams{
 			"enableSecureBoot": true,
diff --git a/spread/project.go b/spread/project.go
index e70470f0..f591ecab 100644
--- a/spread/project.go
+++ b/spread/project.go
@@ -82,6 +82,9 @@ type Backend struct {
 	Priority OptionalInt
 	Manual   bool
+
+	// Only relevant for the Google backend
+	GoogleServiceAccount string `yaml:"google-service-account"`
 }
 
 func (b *Backend) String() string { return fmt.Sprintf("backend %q", b.Name) }
@@ -1024,6 +1027,12 @@ func (p *Project) Jobs(options *Options) ([]*Job, error) {
 	}
 	backend.Key = strings.TrimSpace(value)
 
+	value, err = evalone(bname+" backend GCP service account", backend.GoogleServiceAccount, cmdcache, true, penv, benv)
+	if err != nil {
+		return nil, err
+	}
+	backend.GoogleServiceAccount = strings.TrimSpace(value)
+
 	for _, system := range backend.Systems {
 		if system.Username != "" {
 			value, err := evalone(system.String()+" username", system.Username, cmdcache, false, penv, benv)
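Review bot: The scope list hard-codes `https://www.googleapis.com/auth/cloud-platform`, the broadest access scope, so every test instance created with a service account receives the full IAM permissions of that account rather than the minimum the tests need. The XXX comment discusses who is allowed to attach the account but says nothing about what the instance gains, which is the part an operator reading the backend config needs to know; I would add above the `params["serviceAccounts"]` assignment: `// The instance can act with all IAM roles granted to the service account; keep that account scoped to what the test suite needs.` Consider also naming the scope as a constant (for example `googleCloudPlatformScope`) so it is documented once and easy to narrow later. createMachine starts and ends outside this hunk.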
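Review bot: The comment on the new exported field does not follow the Go doc convention of starting with the field name, and it leaves out the two facts a config author needs: that the value goes through the same expression evaluation as `Key` and that it is the account the created instances run as. I would replace `// Only relevant for the Google backend` with `// GoogleServiceAccount is the email of the service account attached to instances created by the Google backend; the value is evaluated like Key. Ignored by other backends.` The Backend struct starts before this hunk.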
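Review bot: The new `evalone` call runs for every backend, and nothing rejects a `google-service-account` value set on a non-Google backend, so a misplaced setting is silently accepted and never takes effect. Since the field is documented as Google-only, it would be worth failing with a clear error (or at least warning) when `backend.GoogleServiceAccount != ""` for a backend of another type, mirroring however the surrounding code reports other unsupported settings; the exact type check depends on code outside this hunk. The fourth argument `true` differs from the `false` used for the username evaluation below, and from the hunk alone I cannot tell what it controls, so a short comment on that line would help, e.g. `// same evaluation mode as backend.Key above`. Jobs starts and ends outside this hunk.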