Wednesday, October 19, 2022

[FIXED] How can I ensure that GCP service accounts do not have Admin privileges?

Tags: admin, google-cloud-platform, identity, policy

Issue

I would like to ensure that Google Cloud Platform service accounts do not have Admin privileges.

Furthermore, I would like to prevent users from creating service accounts with admin privileges, or adding admin rights to existing service accounts.

Do you know of a method to ensure this via Policies?


Solution

You can use granular permissions depending on what users need to do.

It is possible to limit the resources, and even using those granular permissions you can create a custom role based on Compute Admin, just removing all the permissions that follow the syntax "..setIamPolicy", i.e.:

compute.instances.setIamPolicy
compute.licenses.setIamPolicy
compute.machineImages.setIamPolicy
compute.licenseCodes.setIamPolicy

This can limit users from setting IAM bindings, but it is limited in general, for users, not just service accounts. Using it only for SAs is not possible.

I recommend that you follow the IAM best practices so you can better manage your security. If needed, you can create a feature request to support IAM conditions role bindings.



Answered By - Agustin Lopez
Answer Checked By - Robin (PHPFixing Admin)
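
The custom-role approach described in the answer, sketched as an added example (not code from the original answer or from Google): it takes a role definition shaped like the JSON that `gcloud iam roles describe` prints, drops every permission ending in `.setIamPolicy`, and builds a definition that can be saved for `gcloud iam roles create --file`. The sample role content, the function names and the role title are assumptions made for illustration.

```python
import json

# Constructed sample: shaped like `gcloud iam roles describe roles/compute.admin
# --format=json` output, shortened to a handful of permissions for illustration.
SAMPLE_BASE_ROLE = json.loads("""
{
  "name": "roles/compute.admin",
  "title": "Compute Admin",
  "includedPermissions": [
    "compute.instances.get",
    "compute.instances.setIamPolicy",
    "compute.instances.start",
    "compute.licenses.setIamPolicy",
    "compute.machineImages.setIamPolicy",
    "compute.licenseCodes.setIamPolicy",
    "compute.disks.create"
  ]
}
""")

SUFFIX = ".setIamPolicy"  # permissions that let the holder rewrite IAM bindings


def derive_custom_role(base_role, title):
    """Hypothetical helper: return (role_definition, removed_permissions)."""
    perms = base_role.get("includedPermissions", [])
    removed = [p for p in perms if p.endswith(SUFFIX)]
    kept = [p for p in perms if not p.endswith(SUFFIX)]
    if not kept:
        raise ValueError("no permissions left after removing setIamPolicy")
    role = {
        "title": title,
        "description": f"{base_role['name']} minus {len(removed)} setIamPolicy permissions",
        "stage": "GA",
        "includedPermissions": kept,
    }
    return role, removed


def grants_policy_control(role):
    """True if a role definition still contains any *.setIamPolicy permission."""
    return any(p.endswith(SUFFIX) for p in role.get("includedPermissions", []))


if __name__ == "__main__":
    role, removed = derive_custom_role(SAMPLE_BASE_ROLE, "Compute Admin (no IAM changes)")
    print("removed:", removed)
    # Save this output to a file and pass it to `gcloud iam roles create --file`.
    print(json.dumps(role, indent=2))
```

`grants_policy_control` can also be run over existing custom role definitions to flag any that still include a `setIamPolicy` permission.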