Identities and Roles

  • 4 types of Principals:
    • Google account (a human user, identified by e-mail address)
    • Service account (an application or workload)
    • Google group
    • Google Workspace account or Cloud Identity domain (every user in the domain)
  • Two special members:
    • allAuthenticatedUsers: anyone holding any Google account (human or service account), not just identities in your Org; it is not "all users in my company"
    • allUsers: anyone on the internet, authenticated or not; a binding to it makes the resource public
  • Role: a set of permissions grouped together, each permission representing one fine-grained operation (e.g. compute.instances.get). Permissions are never granted to a principal directly, only through a role.
  • Types:
    • Primitive (Basic) Roles: Owner, Editor, Viewer
      • Apply across all GCP services in a project, so Editor on a project is write access to every service in it
      • Managed by Google, so the set of permissions can change over time (it grows as new services appear)
      • Also carry legacy ACL grants: Cloud Storage and BigQuery keep their own older ACL system, and project Owners/Editors/Viewers automatically get matching ACL entries (the projectOwner/projectEditor/projectViewer entities) on buckets and datasets, even if no Storage or BigQuery IAM role was granted
    • Predefined roles
      • Apply to a particular GCP service in a project
      • Provide granular access for a specific service
      • Managed by Google
    • Custom Roles
      • Defined by you, at organization or project level, from a hand-picked list of permissions
      • Managed by you: Google does not add permissions to them, so they must be maintained as services change
  • A policy is attached to one resource and is a list of bindings; each binding ties one role to a list of members
  • Policies are inherited downwards in the hierarchy: the effective policy of a resource is the union of its own policy and the policies of every ancestor (organization, folder, project)
  • Because the effective policy is a union, a policy at a lower level can't take away access granted at a higher level, and a more restrictive child policy does not override a less restrictive parent policy; a grant at any level is effective for everything below it
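The union rule is easiest to see by computing an effective policy. The following is an added example, not code from the original page: a constructed four-level hierarchy (organization, folder, project, bucket) with constructed bindings in the shape getIamPolicy returns, merged the way IAM inheritance merges them, plus an audit pass for the two findings a reviewer always wants first, public members and basic roles. The names effective_bindings, roles_for and audit are mine.

```python
"""Effective IAM policy over a GCP resource hierarchy (added example).
The hierarchy, bindings and e-mail addresses below are constructed for
illustration; they are not real projects or identities."""
from collections import defaultdict

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed hierarchy: resource -> parent (None for the organization root).
PARENT = {
    "organizations/1": None,
    "folders/10": "organizations/1",
    "projects/demo": "folders/10",
    "buckets/demo-logs": "projects/demo",
}

# Constructed policies, one per resource, in getIamPolicy's "bindings" shape.
POLICIES = {
    "organizations/1": {"bindings": [
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
    ]},
    "folders/10": {"bindings": [
        {"role": "roles/editor", "members": ["user:alice@example.com"]},
    ]},
    "projects/demo": {"bindings": [
        # The project owner "downgrades" alice to Viewer here. It has no
        # effect on her inherited Editor grant: inheritance only adds access.
        {"role": "roles/viewer", "members": ["user:alice@example.com"]},
    ]},
    "buckets/demo-logs": {"bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ]},
}


def ancestry(resource, parent=PARENT):
    """[resource, parent, ..., root], the chain whose policies are merged."""
    chain = []
    while resource is not None:
        chain.append(resource)
        resource = parent[resource]
    return chain


def effective_bindings(resource, policies=POLICIES):
    """Union of bindings over the resource and all its ancestors: role -> set(members)."""
    merged = defaultdict(set)
    for res in ancestry(resource):
        for binding in policies.get(res, {}).get("bindings", []):
            merged[binding["role"]].update(binding["members"])
    return dict(merged)


def roles_for(member, resource, policies=POLICIES):
    """Every role the member effectively holds on the resource, sorted."""
    return sorted(role for role, members in effective_bindings(resource, policies).items()
                  if member in members)


def audit(resource, policies=POLICIES):
    """Findings a reviewer wants first: public members and basic roles, each
    attributed to the level of the hierarchy that actually granted them."""
    findings = []
    for res in ancestry(resource):
        for binding in policies.get(res, {}).get("bindings", []):
            for member in binding["members"]:
                if member in PUBLIC_MEMBERS:
                    findings.append(f"{res}: {binding['role']} granted to {member} (public)")
            if binding["role"] in BASIC_ROLES:
                findings.append(f"{res}: basic role {binding['role']} bound to "
                                f"{', '.join(binding['members'])}")
    return findings


if __name__ == "__main__":
    print("alice on projects/demo:", roles_for("user:alice@example.com", "projects/demo"))
    for line in audit("buckets/demo-logs"):
        print("FINDING", line)
```

Note that the audit reports the level that holds the binding, not the level where you noticed the problem: a public bucket ACL is fixed on the bucket, but alice's Editor grant can only be removed at the folder.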

Service Accounts

General Info

User Managed
  • Created explicitly by users; a private key can be generated for them and downloaded as a JSON file (the structure below)
  • The key's lifecycle (storage, rotation, revocation) is your responsibility; a leaked key is a long-lived credential until you disable it
Google Managed
  • No need to generate keys for them: Google holds and rotates the private key, it never leaves Google
  • Applications can just assume their identity
  • Example:
    • Each Project comes with a default service account that is used by Compute Engine (GCE) services
    • VMs will transparently be identified by the service account attached to them, and they are authorized to request short-lived access tokens for it from the internal metadata server (http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token, which requires the request header Metadata-Flavor: Google)
  • Caveat: the real distinction is who holds the key, not the account. Any service account, including one you create, can be attached to a VM and used through the metadata server without a downloaded key, and a key you generate for the default Compute Engine account is just as much your responsibility as any other user-managed key
Structure of a Service Account Key (the JSON file downloaded for a user-managed key)
  {
    "type": "service_account",
    "project_id": "project-id",
    "private_key_id": "key-id",
    "private_key": "-----BEGIN PRIVATE KEY-----\nprivate-key\n-----END PRIVATE KEY-----\n",
    "client_email": "service-account-email",
    "client_id": "client-id",
    "auth_uri": "",
    "token_uri": "",
    "auth_provider_x509_cert_url": "",
    "client_x509_cert_url": ""
  }
  • The only secret is private_key; the rest is identifying information
  • private_key_id is safe to log and is what you need to disable or delete exactly the leaked key (gcloud iam service-accounts keys disable)
  • client_email tells you which account, and therefore which project, is exposed; a default Compute Engine account has the form <project-number>-compute@developer.gserviceaccount.com
  • The four URL fields are fixed Google OAuth2 endpoints, identical across keys


Recommendation: Do not use the Default Compute Engine Service Account
  • By default, these default service accounts automatically receive the Editor role on the project when they are created, so any workload (or attacker) on a VM that uses them can read and write every service in the project by asking the metadata server for a token
  • Create a dedicated service account with only the roles the workload needs, and attach it to the VM instead of the default one (gcloud compute instances create --service-account=...)
  • Disable Automatic IAM Grants for Default Service Accounts via Organizational Policies: constraints/iam.automaticIamGrantsForDefaultServiceAccounts. This only affects default service accounts created after the constraint is enforced; Editor grants that already exist in existing projects must be removed by hand
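The key structure above and the default-account recommendation both come down to recognising a service account key when you see one and knowing which account it belongs to. The following is an added example, not code from the original page or from Google: a secret-scanning helper that finds service account key JSON embedded in arbitrary text, validates it against the documented layout, reports a redacted summary (never the private key), and flags keys that belong to a project's default Compute Engine account. Both keys in the sample text are constructed with placeholder PEM bodies and fake IDs; summarize_key, find_keys and metadata_token_request are my names. The last function only builds the metadata-server token request described in the table above, it does not send it.

```python
"""Find and describe GCP service-account key files without leaking them (added example).
The two keys embedded in SAMPLE_TEXT are constructed: placeholder PEM bodies,
fake project and key IDs. Nothing here is a real credential."""
import json
import re
import urllib.request

# Fields every user-managed key JSON carries (the structure shown on this page).
REQUIRED = {"type", "project_id", "private_key_id", "private_key",
            "client_email", "client_id", "token_uri"}
SA_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.gserviceaccount\.com$")
# The per-project default Compute Engine account: <project-number>-compute@developer.gserviceaccount.com
DEFAULT_COMPUTE = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
PEM_BEGIN, PEM_END = "-----BEGIN PRIVATE KEY-----", "-----END PRIVATE KEY-----"


def make_key(email, key_id):
    """Constructed key in the documented layout; the PEM body is a placeholder, not a key."""
    return {
        "type": "service_account",
        "project_id": "demo-project",
        "private_key_id": key_id,
        "private_key": f"{PEM_BEGIN}\nMIIEvPLACEHOLDERNOTAREALKEY\n{PEM_END}\n",
        "client_email": email,
        "client_id": "100000000000000000000",
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
        "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
        "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/"
                                + email.replace("@", "%40"),
    }


# Constructed text standing in for a committed .env file with two keys pasted into it.
SAMPLE_TEXT = (
    "# deployment env (constructed sample)\n"
    "GOOGLE_CREDENTIALS=" + json.dumps(make_key("123456789012-compute@developer.gserviceaccount.com", "a1b2")) + "\n"
    "OTHER={\"not\": \"a key\"}\n"
    "RUNNER=" + json.dumps(make_key("app-runner@demo-project.iam.gserviceaccount.com", "c3d4")) + "\n"
)


def summarize_key(obj):
    """Redacted summary if obj is shaped like an SA key file, else None.
    Only user-managed keys exist as downloadable JSON; a Google-managed key never leaves Google."""
    if not isinstance(obj, dict) or obj.get("type") != "service_account":
        return None
    if REQUIRED - obj.keys():           # missing mandatory fields: not a key file
        return None
    pem = obj["private_key"]
    if not (isinstance(pem, str) and pem.startswith(PEM_BEGIN) and pem.rstrip().endswith(PEM_END)):
        return None
    email = obj["client_email"]
    return {                              # no private_key here, by design
        "project_id": obj["project_id"],
        "client_email": email,
        "private_key_id": obj["private_key_id"],   # what you need to disable exactly this key
        "is_default_compute_sa": bool(DEFAULT_COMPUTE.match(email)),
        "is_service_account_email": bool(SA_EMAIL.match(email)),
    }


def find_keys(text):
    """Decode every JSON object embedded in text and keep the ones that are SA keys."""
    decoder = json.JSONDecoder()
    found, pos = [], 0
    while True:
        start = text.find("{", pos)
        if start < 0:
            return found
        try:
            obj, end = decoder.raw_decode(text, start)   # parse one object, stop after it
        except ValueError:
            pos = start + 1                              # not JSON here, keep scanning
            continue
        summary = summarize_key(obj)
        if summary:
            found.append(summary)
        pos = end


def metadata_token_request(account="default"):
    """Build (without sending) the request a VM makes to obtain a short-lived access
    token for its attached service account from the internal metadata server."""
    url = ("http://metadata.google.internal/computeMetadata/v1/instance/"
           f"service-accounts/{account}/token")
    return urllib.request.Request(url, headers={"Metadata-Flavor": "Google"})


if __name__ == "__main__":
    for key in find_keys(SAMPLE_TEXT):
        flag = "DEFAULT COMPUTE SA" if key["is_default_compute_sa"] else "custom SA"
        print(f"{key['client_email']} key {key['private_key_id']} in {key['project_id']} [{flag}]")
```

A key flagged is_default_compute_sa deserves the highest priority: unless the org policy above was in force when the project was created, that account holds Editor on the whole project, so the leaked key is project-wide write access rather than access to one workload.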