Hello GCP Community
We are aiming to deploy an application on Google Cloud Platform (GCP) using Cloud Shell, with the least privileges assigned to the default App-level IAM service account, i.e. appspot.gserviceaccount.com, to ensure restricted access from other Google Cloud services.
The following link provides a comprehensive list of IAM roles for various use cases: https://cloud.google.com/iam/docs/understanding-roles.
We are seeking specific roles that can be applied to the service account for the aforementioned use case.
Your insights on the appropriate roles to set for providing least privilege access would be greatly appreciated.
Thanks
Hi,
Note: Since this post is tagged "App Engine", I assume your app is to be deployed to Google App Engine.
My advice is that you don't touch the default service account. This way, you have it as a fallback if something goes wrong with your roles or you need to do something else and can't figure out the role to do it.
Instead, you should create a new service account and set it as the default for your app (see documentation on how to do this).
For a list of Google App Engine specific roles, see this.
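Whichever roles you settle on, the practical check is to read the project's IAM policy back and confirm that the default App Engine service account still holds only what you intended (by default it is granted the project-wide Editor role) and that the new runtime service account holds nothing beyond its allowlist. The following is an added example, not code from either post above: a small Python audit over a policy in the shape that `gcloud projects get-iam-policy PROJECT --format=json` returns. The project id `example-project`, the service account name `app-runtime`, the sample policy and the allowed role set are all constructed assumptions for the example.

```python
"""Audit a GCP project IAM policy for App Engine least privilege.

The input mirrors the JSON that `gcloud projects get-iam-policy` prints:
{"bindings": [{"role": "...", "members": ["..."]}, ...]}.
Everything below (project id, service account names, policy) is constructed
sample data for this example, not real project state.
"""
import json

PROJECT = "example-project"  # placeholder, not a real project
# Default App Engine service account (exists in every App Engine project).
DEFAULT_SA = f"serviceAccount:{PROJECT}@appspot.gserviceaccount.com"
# Hypothetical user-created runtime service account for the app.
APP_SA = f"serviceAccount:app-runtime@{PROJECT}.iam.gserviceaccount.com"

# Basic roles grant broad project-wide access; a runtime SA should hold none.
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Roles this example app is assumed to need: write logs, read/write Datastore.
ALLOWED_APP_ROLES = {"roles/logging.logWriter", "roles/datastore.user"}

# Constructed sample policy: the default SA still has Editor (the default
# grant) and the runtime SA was given storage.admin, which it does not need.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:example-project@appspot.gserviceaccount.com"]},
    {"role": "roles/logging.logWriter",
     "members": ["serviceAccount:app-runtime@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/datastore.user",
     "members": ["serviceAccount:app-runtime@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:app-runtime@example-project.iam.gserviceaccount.com",
                 "user:alice@example.com"]}
  ]
}
""")


def roles_for(policy, member):
    """Every role bound to `member` anywhere in the policy (conditions ignored)."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit(policy, member, allowed):
    """Compare what `member` holds against the `allowed` set of roles."""
    held = roles_for(policy, member)
    return {
        "held": sorted(held),
        "broad": sorted(held & BROAD_ROLES),      # basic roles, always a finding
        "unexpected": sorted(held - allowed),     # grants to remove
        "missing": sorted(allowed - held),        # grants the app still needs
    }


def remediation_commands(project, member, findings):
    """gcloud commands that would drop each unexpected binding (built, not run)."""
    return [
        f"gcloud projects remove-iam-policy-binding {project} "
        f"--member={member} --role={role}"
        for role in findings["unexpected"]
    ]


if __name__ == "__main__":
    # The default SA should end up with no project-level roles at all once the
    # app runs under its own service account, so its allowlist is empty.
    for name, member, allowed in (("default SA", DEFAULT_SA, set()),
                                  ("runtime SA", APP_SA, ALLOWED_APP_ROLES)):
        findings = audit(SAMPLE_POLICY, member, allowed)
        print(name, json.dumps(findings, indent=2))
        for cmd in remediation_commands(PROJECT, member, findings):
            print("  ", cmd)
```

Run it against real output by replacing `SAMPLE_POLICY` with `json.load(open("policy.json"))`; bindings that carry an IAM `condition` are counted as held here, so review those by hand rather than trusting the allowlist comparison alone.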