Cloud Build Service Account Change

Cloud Build automatically selects the Cloud Build service account to execute builds on your behalf, unless you override this behavior.

On April 29, 2024, we are introducing changes to Cloud Build's default behavior and use of service accounts in new projects. These changes will improve the default security posture of our customers going forward.

New projects and existing projects that enable the Cloud Build API after the April 29, 2024 release will see the following changes:

  • From now on, the Cloud Build service account will be referred to as the legacy Cloud Build service account.

  • Projects will begin using the Compute Engine service account by default for directly submitted builds.

  • Projects will have to explicitly specify a service account when you create a new trigger.

  • For organizations, you can adjust the organization policy to opt out of the upcoming changes.

  • The behavior for existing projects that enable the Cloud Build API before the changes are introduced will remain unchanged.

What do you need to do?

If you are part of an organization, the organization can opt out of the changes by setting a new organization policy.

If you don't want to, or cannot, adjust the organization policy, then for directly submitted builds validate that the Compute Engine default service account has the permissions your builds need, or use your own service account. In both cases, the users submitting the build must have the iam.serviceAccounts.actAs permission on that service account.

To create new triggers, you have to explicitly specify a service account.
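As an added example (not Google's code or tooling), a small Python audit that models the rules above: which identity a directly submitted build config will run as after the change, whether the config pins a service account explicitly, and whether the submitting principal holds a role that grants iam.serviceAccounts.actAs on that account. The project number, user, build configs and IAM policy are constructed, and the role table is an assumption.

```python
from __future__ import annotations
import json

# Well-known identity formats for the two defaults (the project number used below is constructed).
LEGACY_SA = "{num}@cloudbuild.gserviceaccount.com"          # legacy Cloud Build service account
COMPUTE_SA = "{num}-compute@developer.gserviceaccount.com"  # Compute Engine default service account
# Roles that carry iam.serviceAccounts.actAs; assumption: the audit only recognises these three.
ACT_AS_ROLES = {"roles/iam.serviceAccountUser", "roles/owner", "roles/editor"}

def effective_service_account(config: dict, project_number: str, legacy_default: bool) -> tuple[str, bool]:
    """Return (identity the build runs as, whether the config set it explicitly).

    legacy_default=True models a project covered by the organization-policy opt-out (or one
    that enabled the API before the change); False models the new default behaviour."""
    explicit = config.get("serviceAccount")
    if explicit:
        # Build configs carry the full resource name; keep only the email for reporting.
        return explicit.rsplit("/", 1)[-1], True
    default = LEGACY_SA if legacy_default else COMPUTE_SA
    return default.format(num=project_number), False

def submitter_can_act_as(sa_policy: dict, principal: str) -> bool:
    """True if the principal holds a role granting actAs in the service account's IAM policy."""
    return any(b.get("role") in ACT_AS_ROLES and principal in b.get("members", [])
               for b in sa_policy.get("bindings", []))

def audit(config_json: str, sa_policy: dict, principal: str,
          project_number: str, legacy_default: bool = False) -> dict:
    """Report which identity a submitted build will use and whether the submitter may act as it."""
    sa, explicit = effective_service_account(json.loads(config_json), project_number, legacy_default)
    return {"service_account": sa, "explicit": explicit,
            "uses_compute_default": sa.endswith("-compute@developer.gserviceaccount.com"),
            "submitter_can_act_as": submitter_can_act_as(sa_policy, principal)}

# Constructed inputs: a project number, a submitting user, two build configs and one SA IAM policy.
PROJECT_NUMBER = "123456789012"
SUBMITTER = "user:dev@example.com"
STEPS = [{"name": "gcr.io/cloud-builders/docker", "args": ["build", "-t", "app", "."]}]
CONFIG_NO_SA = json.dumps({"steps": STEPS})  # relies on whatever the project default is
CONFIG_PINNED = json.dumps({"steps": STEPS, "serviceAccount":
    "projects/my-proj/serviceAccounts/build-runner@my-proj.iam.gserviceaccount.com"})
SA_POLICY = {"bindings": [{"role": "roles/iam.serviceAccountUser", "members": [SUBMITTER]}]}

if __name__ == "__main__":
    # An empty policy for the unpinned case models a submitter with no actAs grant on the default SA.
    for label, cfg, policy in (("no-sa", CONFIG_NO_SA, {}), ("pinned", CONFIG_PINNED, SA_POLICY)):
        print(label, audit(cfg, policy, SUBMITTER, PROJECT_NUMBER))
```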

New organization policy

Cloud Build is introducing a new organization policy boolean constraint that controls the creation of the legacy Cloud Build service account:

constraints/cloudbuild.disableCreateDefaultServiceAccount

Organizations that want to opt out of the upcoming changes, and that are aware of the security trade-offs involved, can do so by updating the enforcement rules in the Google Cloud console or with the Google Cloud CLI:

This policy constraint will affect projects that enable the Cloud Build API after April 29. For more information about organization policies, see the Introduction to the Organization Policy Service.