Cloud Build Service Account Change

Cloud Build automatically selects the Cloud Build service account to execute builds on your behalf, unless you override this behavior. This service account may have permissions that are unnecessarily broad for your use case, such as access to your Cloud Source Repositories and to any Cloud Storage bucket in your project.

We're changing the default behavior for how Cloud Build uses service accounts in new projects. We're rolling out these changes region by region over several weeks in May and June 2024. These changes will improve the default security posture of our customers going forward. You can opt out of these changes by configuring the organization policy constraint.

How your projects are impacted depends on whether you're part of an organization. In general, after the change has rolled out to the region you're using, you will see the following changes:

  • Projects without an organization. If you enable the Cloud Build API on your projects after the change, you will use the Compute Engine service account by default for builds submitted using the Cloud Build API or the Google Cloud CLI. These projects won't have the option to use the legacy Cloud Build service account, but can use a user-specified service account.

  • Projects with an organization. If you enable the Cloud Build API on your projects after the change, you will use the Compute Engine service account by default for builds submitted using the Cloud Build API or the Google Cloud CLI. You can use a user-specified service account or opt out of the change by enabling the Cloud Build service account in your organization.

  • Existing projects without an organization. If you enabled the Cloud Build API on your projects before the change, you will continue with the old behavior, using the legacy Cloud Build service account by default for all your builds. You can still use a user-specified service account, either the Compute Engine default service account or one you create.

  • Existing projects with an organization. If you enabled the Cloud Build API on your projects before the change, you will continue with the old behavior, using the legacy Cloud Build service account by default. You can also continue to use a user-specified service account.

  • Triggering. You'll have to specify a service account when you create or update a trigger, unless the default service account for your project is the legacy Cloud Build service account.

  • API. Enabling the Cloud Build API also enables the Identity and Access Management API.

  • Naming. The Cloud Build service account is now referred to as the legacy Cloud Build service account.

What do you need to do?

If you're part of an organization, your organization can opt out of this change by setting the following organization policy boolean constraint:

  • Not Enforced: constraints/cloudbuild.disableCreateDefaultServiceAccount

If you can't or don't want to adjust the organization policy, and you enable the Cloud Build API after the change is rolled out, validate that either the Compute Engine default service account or your user-created service account has enough permissions for your build. In particular, the user submitting the build must have the iam.serviceAccounts.actAs permission on the service account (for example through the Service Account User role, roles/iam.serviceAccountUser, granted on that service account); without it, build submission fails regardless of what the service account itself can do.

Configure availability of the legacy Cloud Build service account

To help you configure the availability of the legacy Cloud Build service account when you enable the Cloud Build API, Cloud Build provides the following boolean policy constraint:

  • Not enforced: constraints/cloudbuild.disableCreateDefaultServiceAccount. Allows the legacy Cloud Build service account to be used as the default in new projects.

  • Enforced: constraints/cloudbuild.disableCreateDefaultServiceAccount. Disables the use of the legacy Cloud Build service account in new projects. This is the default value of the constraint.

To update the policy constraint, update the enforcement rules:

This constraint only affects projects that enable the Cloud Build API after the change is rolled out. If you decide not to enforce the policy constraint, the change is permanent for all the projects that enable the API when that configuration is active. You can't toggle off the availability of the legacy Cloud Build service account on a project where the service account was previously available.

Get the current default service account for a project

To determine which service account Cloud Build is using as the default for a project, you can use the Google Cloud CLI or the Cloud Build API:

gcloud CLI

Run the following command to get the default service account for the current project:

gcloud builds get-default-service-account

Cloud Build API

Use cURL to call the Cloud Build API:

curl -X GET -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     https://cloudbuild.googleapis.com/v1/projects/PROJECT_ID/locations/REGION/defaultServiceAccount
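The following script is an added example and not part of the Cloud Build documentation or Google's tooling. It wraps the lookup above and the validation step from "What do you need to do?": it classifies whatever the project reports as its default build service account (legacy Cloud Build, Compute Engine default, or user-specified) by the fixed naming of the two Google-managed accounts, warns when builds still default to the legacy account, and checks that a given principal holds iam.serviceAccounts.actAs on the chosen account using the IAM policy troubleshooter. The `--region` flag and the `serviceAccountEmail` field name used with `--format` are assumptions about the CLI output; the `projects/-/serviceAccounts/EMAIL` resource-name form is an assumption about the API response, and the script tolerates both that form and a bare email. The sample inputs in the test are constructed.

```bash
#!/usr/bin/env bash
# Added example, not Google's own tooling. Classifies the project's default
# build service account and optionally checks actAs for a principal.
set -euo pipefail

# The API may return the account as a resource name
# (assumed form: projects/-/serviceAccounts/EMAIL); reduce it to the email.
# A bare email passes through unchanged.
sa_email() {
  printf '%s\n' "${1##*/}"
}

# Classify by the fixed naming of the two Google-managed defaults:
#   PROJECT_NUMBER@cloudbuild.gserviceaccount.com          -> legacy
#   PROJECT_NUMBER-compute@developer.gserviceaccount.com   -> compute
# Anything else is treated as a user-specified service account.
classify_sa() {
  local email
  email="$(sa_email "$1")"
  case "$email" in
    *@cloudbuild.gserviceaccount.com)        echo legacy ;;
    *-compute@developer.gserviceaccount.com) echo compute ;;
    *)                                       echo custom ;;
  esac
}

# Exit status 0 when builds still default to the broad legacy account.
is_legacy_default() {
  [ "$(classify_sa "$1")" = legacy ]
}

# Query the live default for a project and region, then classify it.
# Assumes the CLI accepts --region and exposes the field serviceAccountEmail.
audit_default_sa() {
  local project="$1" region="$2" sa
  sa="$(gcloud builds get-default-service-account \
          --project="$project" --region="$region" \
          --format='value(serviceAccountEmail)')"
  printf '%s\t%s\n' "$(classify_sa "$sa")" "$(sa_email "$sa")"
  if is_legacy_default "$sa"; then
    echo "WARNING: builds default to the legacy Cloud Build service account" >&2
  fi
}

# Confirm the build submitter can act as the chosen account. The policy
# troubleshooter evaluates bindings inherited from the project, folder and
# organization, not just those set directly on the service account.
check_actas() {
  local project="$1" sa="$2" principal="$3"
  gcloud policy-troubleshoot iam \
    "//iam.googleapis.com/projects/${project}/serviceAccounts/${sa}" \
    --principal-email="$principal" \
    --permission=iam.serviceAccounts.actAs
}

# Usage (runs only when the environment variables are set):
#   AUDIT_PROJECT=my-project AUDIT_REGION=us-central1 ./audit.sh
#   then: check_actas my-project SA_EMAIL user@example.com
if [ -n "${AUDIT_PROJECT:-}" ]; then
  audit_default_sa "$AUDIT_PROJECT" "${AUDIT_REGION:-global}"
fi
```

Run the audit across every project that enabled the Cloud Build API before the rollout to find the ones still defaulting to the legacy account; those are the projects where a trigger created without an explicit service account inherits the broad permissions described at the top of this page.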

Replace the placeholder values with the following: