Cloud Storage: remove service account permissions

We have a Google Cloud Storage bucket that we want to use for storing sensitive data. As per the documentation, we are trying to use uniform bucket-level access. The permissions tab shows a number of service accounts having access to the bucket, such as Container Registry, Cloud Functions, etc. Access from these service accounts cannot be disabled as the permissions are inherited.

The concern with leaving access from these service accounts in place would be:

  • Existing service accounts may provide access to the bucket data, through functionality provided elsewhere. For example, any cloud functions using the default Cloud Functions service account would need to be tracked and audited.
  • Newly added service accounts may be created in future without being aware of the sensitivity of the data stored in the service bucket.

Is there any way to prevent access from these service accounts? There are deny-level policies, but it's unclear if they could be used to prevent this access, or if such an approach would be recommended.

Hello @kevimunis,

You can take a look at the following options:

  1. Check this documentation: Manage access to projects, folders, and organizations. You can then revoke a single role from a principal.
  2. If the above option doesn't work, you can contact Google Cloud Support to further look into your case. Hope it helps, thanks!

@Marramirez, thanks for the reply. Unfortunately this isn't a solution.

One of the principals in question (the Container Registry service agent) is a Google-managed service account using a predefined role. It does not show up under the IAM list or the service accounts list, and we cannot modify this principal.

This also would not prevent any configuration changes in the environment in future from introducing new principals which have access. For example, enabling a service or API may have the side effect of adding a new Google-managed service account with a role that provides access.
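Since the inherited bindings the thread is worried about live in the project-level policy (not in the bucket's own policy), the tracking-and-auditing concern from the question and the drift concern from the last reply can at least be made visible by auditing that policy on a schedule. The script below is an added example, not code from this thread or from Google; it parses the JSON shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`, flags every principal whose role is known to include `storage.objects.get` or whose role (service-agent or custom) needs manual permission review, and diffs the result against a previous snapshot to surface newly added principals. The role list `OBJECT_READ_ROLES` is deliberately partial, the `is_google_managed` domain heuristic is an assumption rather than an official classification, and the sample policy, project id, role ids and service-account emails are constructed for the demo.

```python
"""Audit a project-level IAM policy for principals that may read bucket objects.

Added example (not from the thread). Input shape matches
`gcloud projects get-iam-policy PROJECT_ID --format=json`.
"""
from typing import Dict, List, Set

# Predefined roles that include storage.objects.get. This is a deliberately
# partial list (assumption): confirm any other role with
# `gcloud iam roles describe ROLE` before treating it as safe.
OBJECT_READ_ROLES = {
    "roles/owner", "roles/editor", "roles/viewer",
    "roles/storage.admin", "roles/storage.objectAdmin",
    "roles/storage.objectViewer", "roles/storage.legacyObjectReader",
    "roles/storage.legacyObjectOwner",
}

# Constructed sample policy: role ids and emails are illustrative only.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:etl@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/containerregistry.ServiceAgent",
         "members": ["serviceAccount:service-123456789012@containerregistry.iam.gserviceaccount.com"]},
        {"role": "roles/cloudfunctions.serviceAgent",
         "members": ["serviceAccount:service-123456789012@gcf-admin-robot.iam.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012@cloudservices.gserviceaccount.com",
                     "serviceAccount:my-project@appspot.gserviceaccount.com"]},
        {"role": "roles/logging.viewer", "members": ["group:auditors@example.com"]},
    ],
    "etag": "BwXconstructed=",
    "version": 1,
}


def is_google_managed(member: str, project_id: str) -> bool:
    """Heuristic (assumption): a service account outside this project's own
    PROJECT_ID.iam.gserviceaccount.com domain is treated as Google-managed
    (service agent or a default service account)."""
    if not member.startswith("serviceAccount:"):
        return False
    email = member.split(":", 1)[1]
    return not email.endswith(f"@{project_id}.iam.gserviceaccount.com")


def audit_policy(policy: dict, project_id: str) -> Dict[str, dict]:
    """Map each member to its roles and a status:
    'read'   - holds a role known to grant storage.objects.get
    'review' - holds a storage, service-agent or custom role whose
               permissions must be checked by hand
    'none'   - nothing seen that touches object data."""
    report: Dict[str, dict] = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        needs_review = (role.startswith("roles/storage.")
                        or "serviceagent" in role.lower()
                        or not role.startswith("roles/"))  # custom roles
        for member in binding.get("members", []):
            entry = report.setdefault(member, {
                "roles": [], "status": "none",
                "google_managed": is_google_managed(member, project_id),
            })
            entry["roles"].append(role)
            if role in OBJECT_READ_ROLES:
                entry["status"] = "read"
            elif needs_review and entry["status"] != "read":
                entry["status"] = "review"
    return report


def principals_of_concern(report: Dict[str, dict]) -> List[str]:
    """Principals that can, or may, read object data."""
    return sorted(m for m, e in report.items() if e["status"] in ("read", "review"))


def new_principals(baseline: Set[str], report: Dict[str, dict]) -> List[str]:
    """Drift check: principals of concern absent from an earlier snapshot,
    e.g. a service agent added as a side effect of enabling an API."""
    return sorted(set(principals_of_concern(report)) - baseline)


if __name__ == "__main__":
    rep = audit_policy(SAMPLE_POLICY, "my-project")
    for member in principals_of_concern(rep):
        e = rep[member]
        tag = "google-managed" if e["google_managed"] else "project-owned"
        print(f"{e['status']:6} {tag:14} {member}  roles={e['roles']}")
    # Constructed baseline from a previous run; everything else is new.
    previous = {"user:alice@example.com",
                "serviceAccount:etl@my-project.iam.gserviceaccount.com"}
    print("new since baseline:", new_principals(previous, rep))
```

Principals marked `review` are exactly the ones the thread describes: service agents and default service accounts whose access is granted at the project level and cannot be edited on the bucket, so the follow-up is to inspect their role's permissions and decide whether the data belongs in a project where those agents are present at all.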