under "APIs & Services" there is a section called "Credentials" where you can create:

API Keys (used for APIs that does not access personal data like Google Maps and Google Translate)
OAuth2 Client IDs (used when your application needs to interact with end-user data)

for example "gpup" CLI tool requires the user to setup their own oauth2 client ID so
that it can upload photos to "google photos" on your behalf.
for a commericial app 'foo' accessing your "google photos", the app developers would setup the
oauth2 client id so the end user only needs to click "allow 'foo' to access your google photos?"


service accounts (can be configured with specific narrow roles etc)

used when you have a backend service that wants to use some google API like "google vision API" etc




"IAM & Admin > Service Accounts" is the main view for adding/editing/deleting service accounts

service accounts exists inside a "project"
giving roles "owner" or "editor" to a service account gives it very broad permissions, it can even create new service accounts
to see which roles a service account has, go to "permissions" tab and click "view access" button, this opens the "Policy Analyzer" and you have to click "Analyze" followed by "Run Query" to see the actual list of roles
this command lists all available roles (nice for grepping):

gcloud iam roles list > all-roles.txt




to delete a project, select it and then go to "IAM & Admin > Settings" and click "Shutdown Project" button

note: it's best to disable billing for the project before shutting it down


some APIs require a billing account + added payment method to work (even free tiers)

select a project and then click "Billing" :: "Link Billing Account"
under "Manager Billing Accounts" you can create billing accounts and add payment methods etc