The default Compute Engine service account is granted the basic Editor role on the project (unless an organization policy disables that automatic grant), which allows read and write access to most Google Cloud services.
We recommend that you configure your instances not to use the default Compute Engine service account.
Instead, create a dedicated service account and grant it only the permissions the instance actually needs. This limits the blast radius of a compromised VM: anything running on the instance can fetch the attached account's credentials from the metadata server, so an attacker who lands on the VM gets exactly the rights that account holds, rather than Editor access to the whole project.
The default Compute Engine service account is named:
To change the policy using the GCP Console, follow these steps:
- Log in to the GCP Console at https://console.cloud.google.com.
- Navigate to VM instances.
- Click on the instance name to go to its VM instance details page.
- Click STOP, then click EDIT.
- Under the section Service Account, select a service account (you may first need to create a new one). Do not select the default Compute Engine service account.
- Click Save and then click START.
To change the policy using the gcloud CLI, follow these steps (the service account can only be changed while the instance is stopped):
- Stop the instance:
gcloud compute instances stop INSTANCE_NAME
- Update the instance:
gcloud compute instances set-service-account INSTANCE_NAME --service-account=SERVICE_ACCOUNT
Pass --scopes explicitly as well (for a least-privilege account, cloud-platform is the usual choice) so that the instance's access scopes are set deliberately rather than left to the command's defaults.
- Restart the instance:
gcloud compute instances start INSTANCE_NAME
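The procedure above, turned into a check that can be run across a whole project. The script below is an added example, not part of this page or of any Google tooling: it reads the JSON produced by `gcloud compute instances list --format=json`, flags every instance whose attached account matches the default Compute Engine pattern (assumed here to be PROJECT_NUMBER-compute@developer.gserviceaccount.com, which the page does not spell out), and prints the stop / set-service-account / start commands for each one. The sample instances, project number and service-account e-mails embedded in it are constructed.

```python
"""Audit Compute Engine instances for the default service account and emit the
gcloud remediation commands.  Added example, not part of the original page.

Usage:  gcloud compute instances list --format=json | python3 audit_default_sa.py --stdin
Without --stdin the constructed SAMPLE_INSTANCES below are used.
"""
import json
import re
import sys

# Assumption (not stated on the page): a project's default Compute Engine
# service account is named PROJECT_NUMBER-compute@developer.gserviceaccount.com
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")

# With a custom least-privilege service account, let IAM rather than OAuth
# scopes bound what the instance may do.
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Constructed sample in the shape of `gcloud compute instances list --format=json`,
# trimmed to the fields this check reads.  Names and numbers are made up.
SAMPLE_INSTANCES = json.dumps([
    {"name": "web-1",
     "zone": "https://www.googleapis.com/compute/v1/projects/example-proj/zones/us-central1-a",
     "status": "RUNNING",
     "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                          "scopes": [CLOUD_PLATFORM_SCOPE]}]},
    {"name": "db-1",
     "zone": "https://www.googleapis.com/compute/v1/projects/example-proj/zones/us-central1-b",
     "status": "RUNNING",
     "serviceAccounts": [{"email": "db-sa@example-proj.iam.gserviceaccount.com",
                          "scopes": ["https://www.googleapis.com/auth/logging.write"]}]},
    {"name": "batch-1",
     "zone": "https://www.googleapis.com/compute/v1/projects/example-proj/zones/us-central1-c",
     "status": "TERMINATED",
     "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                          "scopes": ["https://www.googleapis.com/auth/devstorage.read_only"]}]},
    {"name": "isolated-1",   # no serviceAccounts key: runs with no service account
     "zone": "https://www.googleapis.com/compute/v1/projects/example-proj/zones/us-central1-a",
     "status": "RUNNING"},
])


def zone_name(zone_url):
    """gcloud reports the zone as a full URL; the CLI flags want the short name."""
    return zone_url.rstrip("/").rsplit("/", 1)[-1]


def attached_service_account(instance):
    """Return (email, scopes) for the instance's service account, or None if it has none."""
    accounts = instance.get("serviceAccounts") or []
    if not accounts:
        return None
    sa = accounts[0]  # an instance carries at most one service account
    return sa.get("email", ""), list(sa.get("scopes", []))


def uses_default_sa(instance):
    """True when the attached account is the project's default Compute Engine SA."""
    sa = attached_service_account(instance)
    return sa is not None and bool(DEFAULT_COMPUTE_SA.match(sa[0]))


def find_violations(instances_json):
    """Instances (from `gcloud compute instances list --format=json`) still on the default SA."""
    findings = []
    for inst in json.loads(instances_json):
        if not uses_default_sa(inst):
            continue
        email, scopes = attached_service_account(inst)
        findings.append({"name": inst["name"], "zone": zone_name(inst["zone"]),
                         "status": inst.get("status", ""), "email": email, "scopes": scopes})
    return findings


def remediation_commands(finding, new_sa, scopes=(CLOUD_PLATFORM_SCOPE,)):
    """The stop / set-service-account / start sequence from the page as gcloud commands.
    The account can only be changed on a stopped instance, so stop and start are
    omitted when the instance is already TERMINATED."""
    if DEFAULT_COMPUTE_SA.match(new_sa):
        raise ValueError("refusing to re-attach the default Compute Engine service account")
    target = f"{finding['name']} --zone={finding['zone']}"
    change = (f"gcloud compute instances set-service-account {target} "
              f"--service-account={new_sa} --scopes={','.join(scopes)}")
    if finding["status"] == "TERMINATED":
        return [change]
    return [f"gcloud compute instances stop {target}", change,
            f"gcloud compute instances start {target}"]


if __name__ == "__main__":
    raw = sys.stdin.read() if "--stdin" in sys.argv else SAMPLE_INSTANCES
    for f in find_violations(raw):
        print(f"# {f['name']} ({f['zone']}, {f['status']}) runs as {f['email']} with scopes {f['scopes']}")
        # Replace the placeholder with the least-privilege account created for this workload.
        for cmd in remediation_commands(f, f"{f['name']}-sa@example-proj.iam.gserviceaccount.com"):
            print(cmd)
```

The check keys on the account's e-mail pattern rather than on its IAM bindings, so it also catches instances on the default account in projects where Editor was already stripped from it; an instance with no service account at all is not a finding, because it holds no credentials to steal.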
To change the policy in Terraform, set the instance's service account to a dedicated, least-privilege account:
- Resource: google_compute_instance
- Block: service_account
- Argument: email = <email other than the default Compute Engine service account's>