diff --git a/fence/models.py b/fence/models.py
index 582eb81ee..1db0b62af 100644
--- a/fence/models.py
+++ b/fence/models.py
@@ -347,6 +347,79 @@ class GoogleProxyGroupToGoogleBucketAccessGroup(Base):
 )
+class UserServiceAccount(Base):
+ __tablename__ = "user_service_account"
+ id = Column(Integer, primary_key=True)
+
+ # The uniqueId google provides to resources is ONLY unique within
+ # the given project, so we shouldn't rely on that for a primary key (in
+ case we're ever juggling mult. projects)
+ google_unique_id = Column(
+ String,
+ nullable=False)
+
+ email = Column(
+ String,
+ nullable=False)
+
+ google_project_id = Column(
+ String,
+ nullable=False)
+
+
+class ServiceAccountAccessPrivilege(Base):
+ __tablename__ = "service_account_access_privilege"
+
+ id = Column(Integer, primary_key=True)
+
+ project_id = Column(
+ Integer,
+ ForeignKey(Project.id),
+ nullable=False)
+
+ project = relationship(
+ 'Project',
+ backref=backref(
+ 'sa_access_privileges', cascade='all, delete-orphan'))
+
+ service_account_id = Column(
+ Integer,
+ ForeignKey(UserServiceAccount.id),
+ nullable=False)
+
+ service_account = relationship(
+ 'UserServiceAccount',
+ backref=backref(
+ 'access_privileges', cascade='all, delete-orphan'))
+
+
+class ServiceAccountToGoogleBucketAccessGroup(Base):
+ __tablename__ = "service_account_to_google_bucket_access_group"
+ id = Column(Integer, primary_key=True)
+
+ service_account_id = Column(
+ Integer,
+ ForeignKey(UserServiceAccount.id),
+ nullable=False)
+
+ service_account = relationship(
+ 'UserServiceAccount',
+ backref=backref(
+ 'to_access_groups', cascade='all, delete-orphan'))
+
+ expires = Column(BigInteger)
+
+ access_group_id = Column(
+ Integer,
+ ForeignKey(GoogleBucketAccessGroup.id),
+ nullable=False)
+
+ access_group = relationship(
+ 'GoogleBucketAccessGroup',
+ backref=backref(
+ 'to_access_groups', cascade='all, delete-orphan'))
+
+
 to_timestamp = "CREATE OR REPLACE FUNCTION pc_datetime_to_timestamp(datetoconvert timestamp) " \
 "RETURNS BIGINT AS " \
 "$BODY$ " \
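Review bot: UserServiceAccount declares no uniqueness constraint at all, so the same Google service account can be registered as several rows — the comment on google_unique_id explains why that field alone is not unique, but no composite constraint follows from it — and any lookup by email or unique id that feeds an access decision would then act on whichever row the query happens to return first. Add `__table_args__ = (UniqueConstraint("google_unique_id", "google_project_id"),)` to the class (UniqueConstraint comes from sqlalchemy), and consider `unique=True` on email if the rest of fence treats the service-account email as its identity. In ServiceAccountToGoogleBucketAccessGroup, `expires = Column(BigInteger)` is the only non-key column left nullable; since it bounds the lifetime of bucket access, declare it `expires = Column(BigInteger, nullable=False)` unless a NULL is deliberately read as "no expiry" by the enforcement code, which is not in this diff. The backref named `'to_access_groups'` on GoogleBucketAccessGroup is misleading from that side of the relationship, where each entry points at a service account, so a name like `'to_service_accounts'` would read correctly; note also that the delete-orphan cascades only remove database rows, so presumably the membership in the Google group itself still has to be revoked by the caller.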
diff --git a/tests/test_datamodel.py b/tests/test_datamodel.py
index cebdb505c..459eb6bf4 100644
--- a/tests/test_datamodel.py
+++ b/tests/test_datamodel.py
@@ -1,4 +1,12 @@
-from fence.models import User, Client
+from fence.models import (
+ Client,
+ GoogleBucketAccessGroup,
+ ServiceAccountAccessPrivilege,
+ ServiceAccountToGoogleBucketAccessGroup,
+ User,
+ UserServiceAccount
+)
+from userdatamodel.user import Bucket, Project
 from fence.utils import random_str
@@ -19,3 +27,62 @@ def test_user_delete_cascade(db_session):
 db_session.query(Client).filter_by(client_id=client.client_id).count() == 0
 )
+
+
+def test_service_account_relationsips(db_session):
+ """
+ test service account tables have proper relationships/fields
+ """
+ project = Project(id=1)
+ bucket = Bucket(id=1)
+ user_sa = UserServiceAccount(
+ id=1,
+ google_unique_id="guid",
+ email="email@google.com",
+ google_project_id="gpid"
+ )
+ sa_access_privilege = ServiceAccountAccessPrivilege(
+ id=1,
+ project_id=1,
+ service_account_id=1
+ )
+ gbag = GoogleBucketAccessGroup(
+ id=1,
+ bucket_id=1,
+ email="email@google.com")
+ sa_to_gbag = ServiceAccountToGoogleBucketAccessGroup(
+ id=1,
+ service_account_id=1,
+ expires=0,
+ access_group_id=1)
+ db_session.add(project)
+ db_session.add(bucket)
+ db_session.add(user_sa)
+ db_session.add(sa_access_privilege)
+ db_session.add(gbag)
+ db_session.add(sa_to_gbag)
+ db_session.commit()
+ assert (
+ project.sa_access_privileges[0].__class__
+ == ServiceAccountAccessPrivilege)
+ assert project.sa_access_privileges[0].id == 1
+ assert sa_access_privilege.project.__class__ == Project
+ assert sa_access_privilege.project.id == 1
+ assert sa_access_privilege.service_account.__class__ == UserServiceAccount
+ assert sa_access_privilege.service_account.id == 1
+ assert (
+ user_sa.access_privileges[0].__class__
+ == ServiceAccountAccessPrivilege)
+ assert user_sa.access_privileges[0].id == 1
+ assert (
+ user_sa.to_access_groups[0].__class__
+ == ServiceAccountToGoogleBucketAccessGroup)
+ assert user_sa.to_access_groups[0].id == 1
+ assert sa_to_gbag.service_account.__class__ == UserServiceAccount
+ assert sa_to_gbag.service_account.id == 1
+ assert sa_to_gbag.access_group.__class__ == GoogleBucketAccessGroup
+ assert sa_to_gbag.access_group.id == 1
+ assert (
+ gbag.to_access_groups[0].__class__
+ == ServiceAccountToGoogleBucketAccessGroup)
+ assert gbag.to_access_groups[0].id == 1
\ No newline at end of file
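Review bot: The new test checks that every relationship resolves in both directions but never exercises the `cascade='all, delete-orphan'` the new backrefs declare, unlike test_user_delete_cascade just above (whose body begins outside the hunk), which asserts dependent rows are gone once the parent is deleted; deleting `user_sa`, committing, and then asserting `db_session.query(ServiceAccountAccessPrivilege).count() == 0` and `db_session.query(ServiceAccountToGoogleBucketAccessGroup).count() == 0` would pin that the privilege and access-group rows do not outlive the service account. The function name `test_service_account_relationsips` is missing an "h" and should be `test_service_account_relationships`. As a point of style, the `x.__class__ == Cls` comparisons read more idiomatically as `isinstance(x, Cls)`, and the file now ends without a trailing newline.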