- Use dedicated service accounts per workload with least-privilege IAM roles; never use the default Compute Engine service account in production.
- Grant predefined roles (e.g., `roles/storage.objectViewer`) at the resource level; avoid the basic (primitive) roles Owner/Editor/Viewer.
- Use Workload Identity Federation for CI/CD, external clouds and other external services; it eliminates long-lived service account keys and the need to export them.
- Disable service account key creation via organization policies; use impersonation (`--impersonate-service-account`) instead.
- Audit IAM bindings with Policy Analyzer and recommender; remove unused permissions regularly.
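As an added example (not part of the original checklist), the script below audits a project IAM policy for two of the anti-patterns above: primitive roles and bindings to the default Compute Engine service account. It expects the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints; the embedded policy is a constructed sample, not a real project.

```python
"""Audit a GCP IAM policy for primitive roles and default compute SA use.

Added example, not from the original page. Input is the JSON emitted by
`gcloud projects get-iam-policy PROJECT --format=json`.
"""
import json
import re

# Basic ("primitive") roles grant broad, project-wide access.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Default Compute Engine SA: PROJECT_NUMBER-compute@developer.gserviceaccount.com
DEFAULT_COMPUTE_SA = re.compile(
    r"^serviceAccount:\d+-compute@developer\.gserviceaccount\.com$"
)

# Constructed sample policy (project number and members are made up).
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                     "user:alice@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:reports@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/owner", "members": ["group:admins@example.com"]},
    ]
})


def audit_policy(policy_json: str) -> list[str]:
    """Return one finding per risky (role, member) pair; empty list if clean."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if role in PRIMITIVE_ROLES:
                findings.append(f"primitive role {role} granted to {member}")
            if DEFAULT_COMPUTE_SA.match(member):
                findings.append(f"default compute service account bound: {member} ({role})")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```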