Instances must not be configured to use the Default Service Account that has full access to all Cloud APIs

ID

gcp_using_default_service_account

Severity

low

Vendor

GCP

Resource

IAM

Tags

reachable

Description

Attaching the Compute Engine default service account to an instance, especially together with the "Allow full access to all Cloud APIs" scope (https://www.googleapis.com/auth/cloud-platform), carries several risks:

  • The default service account is granted the broad Editor role on the project when it is created. With the cloud-platform scope, any process on the VM, including a compromised application, can fetch a token from the metadata server and use that role against every service in the project.

  • It is shared by every instance in the project that does not specify its own account, so a compromise of one VM yields credentials that are valid on all of them, and actions cannot be attributed to, or revoked for, a single workload.

  • It is created and managed automatically and its address cannot be changed, so it cannot be tailored to one workload: any permission removed from it affects every instance that still relies on it.

To fix it, create a dedicated service account for the workload, grant it only the roles it needs, and reference it instead of the default account (in the example below, via the service_account_email property), granting only the OAuth scopes the workload uses rather than cloud-platform. Note that in the google.cloud.gcp_compute_instance module the account attached to the instance and its scopes are declared under service_accounts (a list of email/scopes entries), while service_account_email selects the account the module itself authenticates with when auth_kind is machineaccount.

Learn more about this topic in Google's Best practices for using service accounts.
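The following is an added example and not part of this rule page or of the google.cloud collection: a Python check that walks the JSON produced by `gcloud compute instances list --format=json` and reports instances whose attached account matches the default pattern PROJECT_NUMBER-compute@developer.gserviceaccount.com, as well as instances that carry the cloud-platform scope. The project number, account addresses and instance records in SAMPLE_INSTANCES are constructed for the example.

```python
import json
import re

# Address pattern of the Compute Engine default service account:
# PROJECT_NUMBER-compute@developer.gserviceaccount.com
DEFAULT_SA_RE = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
# The console option "Allow full access to all Cloud APIs" sets this single scope.
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Constructed sample shaped like `gcloud compute instances list --format=json`
# (only the fields this check reads). Project number and emails are made up.
SAMPLE_INSTANCES = json.loads("""
[
  {"name": "web-1", "zone": "zones/us-central1-a",
   "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                        "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
  {"name": "web-2", "zone": "zones/us-central1-a",
   "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                        "scopes": ["https://www.googleapis.com/auth/logging.write",
                                   "https://www.googleapis.com/auth/monitoring.write"]}]},
  {"name": "batch-1", "zone": "zones/us-central1-b",
   "serviceAccounts": [{"email": "batch-worker@example-project.iam.gserviceaccount.com",
                        "scopes": ["https://www.googleapis.com/auth/devstorage.read_only"]}]},
  {"name": "isolated-1", "zone": "zones/us-central1-b"}
]
""")


def audit_instance(instance):
    """Return a list of finding strings for one instance resource (empty when clean)."""
    findings = []
    # An instance with no serviceAccounts entry has no account attached: nothing to flag.
    for sa in instance.get("serviceAccounts", []):
        email = sa.get("email", "")
        scopes = sa.get("scopes", [])
        uses_default = bool(DEFAULT_SA_RE.match(email))
        full_access = CLOUD_PLATFORM_SCOPE in scopes
        if uses_default and full_access:
            findings.append(f"{email}: default service account with full access to all Cloud APIs")
        elif uses_default:
            findings.append(f"{email}: default service account (scopes limited to {len(scopes)})")
        elif full_access:
            findings.append(f"{email}: custom service account, but the cloud-platform scope exposes every API")
    return findings


def audit_instances(instances):
    """Map instance name -> findings for every instance that has at least one finding."""
    report = {}
    for inst in instances:
        findings = audit_instance(inst)
        if findings:
            report[inst["name"]] = findings
    return report


if __name__ == "__main__":
    import sys
    # `gcloud compute instances list --format=json | python audit.py -` audits a real project;
    # without "-" the constructed sample is used.
    data = json.load(sys.stdin) if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_INSTANCES
    for name, findings in audit_instances(data).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

The check separates the two conditions in the rule title on purpose: an instance on the default account with narrowed scopes is still a shared, Editor-level identity, and a dedicated account with the cloud-platform scope still hands every role it holds to any process on the VM, so both are worth reporting even though only the combination is the worst case.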

Examples

---
# Non-compliant: the instance is created with the default service account.
- name: create an instance (uses the default service account)
  google.cloud.gcp_compute_instance:
    name: test_object4
    machine_type: n1-standard-1
    disks:
    - auto_delete: 'true'
      boot: 'true'
      source: "{{ disk }}"
    - auto_delete: 'true'
      interface: NVME
      type: SCRATCH
      initialize_params:
        disk_type: local-ssd
    metadata:
      startup-script-url: gs://graphite-playground/bootstrap.sh
      cost-center: '12345'
    labels:
      environment: production
    network_interfaces:
    - network: "{{ network }}"
      access_configs:
      - name: External NAT
        nat_ip: "{{ address }}"
        type: ONE_TO_ONE_NAT
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    # Default service account: flagged by this rule.
    service_account_email: "admin@developer.gserviceaccount.com"
    state: present

Mitigation / Fix

---
# Compliant: a dedicated (custom) service account is referenced instead of the default one.
- name: create an instance (uses a custom service account)
  google.cloud.gcp_compute_instance:
    name: test_object
    machine_type: n1-standard-1
    disks:
    - auto_delete: 'true'
      boot: 'true'
      source: '{{ disk }}'
    - auto_delete: 'true'
      interface: NVME
      type: SCRATCH
      initialize_params:
        disk_type: local-ssd
    metadata:
      startup-script-url: gs://graphite-playground/bootstrap.sh
      cost-center: '12345'
    labels:
      environment: production
    network_interfaces:
    - network: '{{ network }}'
      access_configs:
      - name: External NAT
        nat_ip: '{{ address }}'
        type: ONE_TO_ONE_NAT
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    # Custom service account (placeholder address); grant it only the roles this workload needs.
    service_account_email: admin@admin.com
    state: present