Google Cloud IAM

Service accounts, least privilege, and workload identity

Details

Language / Topic
Google Cloud Platform (gcp)
Category
Infrastructure

Rules

balanced
- Never run workloads as the default Compute Engine service account (`PROJECT_NUMBER-compute@developer.gserviceaccount.com`). It is shared by every VM, Cloud Run service and GKE node that was not given its own identity, and on older projects it was granted `roles/editor` on the whole project at creation. Create a dedicated service account for each application, microservice or Cloud Run service and attach it only to that workload.
- Do not export long-lived JSON service account keys. A key file never expires, is not bound to any workload, and ends up in repositories, CI variables and laptops. Authenticate external systems such as GitHub Actions through Workload Identity Federation: the provider's OIDC token is exchanged for a short-lived Google access token, and the pool's attribute condition limits which repositories may perform that exchange. Inventory and rotate or delete existing keys, and enforce the `iam.disableServiceAccountKeyCreation` organization policy constraint so that no new ones can be created.
- Enforce least privilege. Never bind `roles/editor` or `roles/owner` to a service account; pick the narrowest predefined or custom role and bind it on the specific resource (a bucket, a topic, a secret) rather than on the project. Review bindings periodically with IAM Recommender and remove unused permissions.
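The rules above, expressed as one Terraform configuration. This is an added example, not code from the original page or from any Google-maintained repository; the project ID `acme-app-prod`, the bucket `acme-app-prod-uploads`, the image path, the region and the GitHub organization and repository `acme-org/acme-app` are placeholders to replace with your own. It shows a dedicated service account attached to a Cloud Run service, a single predefined role bound on one bucket instead of the project, a Workload Identity Federation pool and provider for GitHub Actions whose attribute condition pins it to one organization, and two project-level organization policy constraints that block service account key creation and the automatic `roles/editor` grant to default service accounts.

```hcl
# Added example (not from the original page). All names below are assumed.
variable "project_id"  { default = "acme-app-prod" }
variable "github_repo" { default = "acme-org/acme-app" }

# Rule 1: a dedicated identity for this one service instead of the shared
# <project-number>-compute@developer.gserviceaccount.com account.
resource "google_service_account" "uploader" {
  project      = var.project_id
  account_id   = "acme-uploader"
  display_name = "acme-app upload service"
}

# Rule 3: least privilege. One predefined role, bound on one bucket rather than
# on the project; no roles/editor or roles/owner anywhere in this file.
resource "google_storage_bucket_iam_member" "uploader_writes_uploads" {
  bucket = "acme-app-prod-uploads"
  role   = "roles/storage.objectCreator"
  member = "serviceAccount:${google_service_account.uploader.email}"
}

# Attach the dedicated identity to the workload that needs it. Cloud Run
# would otherwise run the service as the default Compute Engine account.
resource "google_cloud_run_v2_service" "uploader" {
  project  = var.project_id
  name     = "acme-uploader"
  location = "us-central1"
  template {
    service_account = google_service_account.uploader.email
    containers {
      image = "us-central1-docker.pkg.dev/acme-app-prod/app/uploader:1.0.0"
    }
  }
}

# Rule 2: Workload Identity Federation for GitHub Actions instead of a JSON key.
resource "google_iam_workload_identity_pool" "github" {
  project                   = var.project_id
  workload_identity_pool_id = "github-actions"
}

resource "google_iam_workload_identity_pool_provider" "github" {
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-oidc"
  attribute_mapping = {
    "google.subject"             = "assertion.sub"
    "attribute.repository"       = "assertion.repository"
    "attribute.repository_owner" = "assertion.repository_owner"
  }
  # Without a condition, a token from any GitHub repository anywhere could be
  # exchanged at this provider. This pins the provider to one organization.
  attribute_condition = "assertion.repository_owner == 'acme-org'"
  oidc {
    issuer_url = "https://token.actions.githubusercontent.com"
  }
}

# Only tokens whose repository claim equals var.github_repo may impersonate
# the uploader service account; other repos in the org are still refused here.
resource "google_service_account_iam_member" "github_impersonates_uploader" {
  service_account_id = google_service_account.uploader.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github.name}/attribute.repository/${var.github_repo}"
}

# Guardrails: forbid user-managed keys for every service account in the
# project, and stop new default service accounts from receiving roles/editor.
resource "google_project_organization_policy" "no_sa_keys" {
  project    = var.project_id
  constraint = "iam.disableServiceAccountKeyCreation"
  boolean_policy {
    enforced = true
  }
}

resource "google_project_organization_policy" "no_default_sa_grants" {
  project    = var.project_id
  constraint = "iam.automaticIamGrantsForDefaultServiceAccounts"
  boolean_policy {
    enforced = true
  }
}
```

On the CI side, the GitHub workflow needs `permissions: id-token: write` and authenticates with the `google-github-actions/auth` action, passing the provider's full resource name (the `name` attribute of the provider resource above) as `workload_identity_provider` and the uploader account's email as `service_account`; no key file is stored anywhere. Two caveats: the `iam.automaticIamGrantsForDefaultServiceAccounts` constraint only affects default service accounts created after it is enforced, so any existing `roles/editor` binding on the default account must be removed by hand, and `iam.disableServiceAccountKeyCreation` does not revoke keys that already exist, which still need to be found and deleted.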