For a Management Service to talk to Cloud APIs such as GCE, you can use Service Accounts. The blog post introducing these has a lot of pointers.
In this case, the management service would have a single (or handful) of service accounts when talking to Google. This is slightly simpler but results in a single set of credentials between the Management Service and Google for a large number of projects/accounts.
- Create an API project at the API console. This will represent the Management Service in the Google world.
- Create a 'Service Account' inside of that project. Instructions to do that are here. This Service Account has an email address that can be added to ACLs at Google. It is an expression of code/service into the Google user system. You can think of it as a supported w