Restricting Service Account Usage

The Resource Manager provides constraints that can be used in organization policies to limit the usage of Cloud Identity and Access Management service accounts.

When you set these constraints, they apply to future creation of and modifications to service accounts. These constraints are not retroactive and will not affect previously created and configured service accounts.

Disable service account creation

You can use the iam.disableServiceAccountCreation boolean constraint to disable the creation of new service accounts. This allows you to centralize management of service accounts while not restricting the other permissions your developers have on projects.

Disable service account key creation

You can use the iam.disableServiceAccountKeyCreation boolean constraint to disable the creation of new external service account keys. This allows you to control the use of unmanaged long-term credentials for service accounts. When this constraint is set, user-managed credentials cannot be created for service accounts in projects affected by the constraint.

Setting the policy

The service account restriction constraint is a type of boolean constraint.

You must have permission to modify organization policies to set this constraint. For example, the resourcemanager.organizationAdmin role has permission to set organization policy constraints. Read the Using Constraints page to learn more about managing policies at the organization level.

Console

To set an organization policy including a constraint to disable service account key creation:

  1. Go to the Organization policies page in the Google Cloud Console.

    Go to the Organization policies page

  2. Click the Organization drop-down list at the top of the page and then select your organization.
  3. Click Disable Service Account Creation or Disable Service Account Key Creation.
  4. Click the Edit button.
  5. Under Applies to, select Customize.
  6. Under Enforcement, select On.
  7. Click Save. A notification will appear to confirm that the policy has been updated.

gcloud

Policies can be set through the gcloud command-line tool.

To disable service account creation, run the following command:

gcloud alpha resource-manager org-policies enable-enforce \
    --organization 'ORGANIZATION_ID' \
    iam.disableServiceAccountCreation

To disable service account key creation, run the following command:

gcloud alpha resource-manager org-policies enable-enforce \
    --organization 'ORGANIZATION_ID' \
    iam.disableServiceAccountKeyCreation

To disable the policy, the same command can be issued with the

disable-enforce
command.

To learn about using constraints in organization policies, see Using Constraints.

Example policy

The following code snippet shows an organization policy including the disable service account creation constraint:

resource: "organizations/842463781240"
policy {
  constraint: "constraints/iam.disableServiceAccountCreation"
  etag: "\a\005L\252\122\321\946\334"
  boolean_policy {
  enforced: true
  }
}

The following code snippet shows an organization policy including the disable service account key creation constraint:

resource: "organizations/842463781240"
policy {
  constraint: "constraints/iam.disableServiceAccountKeyCreation"
  etag: "\a\005L\252\122\321\946\334"
  boolean_policy {
  enforced: true
  }
}

Restrict service account key upload

You can use the iam.allowedPublicCertificateTrustedRootCA list constraint to restrict the public keys that can be uploaded to service accounts. This constraint allows you to define a set of trusted certificate authorities from which the issued public certificates can be uploaded to Cloud Identity and Access Management service accounts. Additionally, you can also fully disable service account key upload by setting this list constraint to Deny All.

Setting the policy

The service account upload restriction constraint is a type of list constraint.

You must have permission to modify organization policies to set this constraint. For example, the resourcemanager.organizationAdmin role has permission to set organization policy constraints. For more information about managing policies at the organization level, see Using Constraints.

Console

To set an organization policy including a constraint to service account key upload:

  1. Go to the Organization policies page in the Google Cloud Console.

    Go to the Organization policies page

  2. Click the Organization drop-down list at the top of the page and then select your organization.
  3. Click Define allowed root certificate authority.
  4. Click the Edit button.
  5. Under Applies to, select Customize.
  6. Under Policy Values, select Custom.
  7. Enter a Certificate Authority into the Custom values text box.
    1. To enter multiple values, click New policy value and enter one certificate authority per line.
  8. Click Save. A notification will appear to confirm that the policy has been updated.

gcloud

Policies can be set through the gcloud command-line tool.

To set allowed certificate authority for service account key upload, run the following command:

gcloud alpha resource-manager org-policies allow \
    iam.allowedPublicCertificateTrustedRootCA \
    'ALLOWED_VALUE' \
    --organization 'ORGANIZATION_ID' \

To set disallowed certificate authority, the same command can be issued with the following command:

gcloud alpha resource-manager org-policies deny \
    iam.allowedPublicCertificateTrustedRootCA \
    'DENIED_VALUE' \
    --organization 'ORGANIZATION_ID' \

To learn about using list constraints in organization policies, see Using Constraints.

Example organization policy

The following code snippet shows an organization policy including an allowed certificate authority:

resource: "organizations/842463781240"
policy {
  constraint: "constraints/iam.allowedPublicCertificateTrustedRootCA"
  etag: "\a\005L\252\122\321\946\334"
  list_policy {
  allowed_values: "issuer=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd"
  }
}

Retrieve certificate authority from a public key certificate

The certificate authority of a public key certificate can be obtained using following command:

openssl x509 -noout -in $PUBLIC_KEY_CERT_PATH -issuer

Please note that this command only works for public key certificates that are in X509 PEM format.

Error Messages

Disable service account creation

If iam.disableServiceAccountCreation is enforced, creating a service account will fail with the error:

FAILED_PRECONDITION: Service account creation is not allowed on this project.

Disable service account key creation

If iam.disableServiceAccountKeyCreation is enforced, creating a service account will fail with the error:

FAILED_PRECONDITION: Key creation is not allowed on this service account.

Troubleshooting Known Issues

Default service accounts

Applying the iam.disableServiceAccountCreation constraint will prevent the creation of service accounts in that project. This limitation also affects Google Cloud services that, when enabled, automatically create default service accounts in the project, such as:

  • Compute Engine
  • GKE
  • App Engine
  • Dataflow

If the iam.disableServiceAccountCreation constraint is applied, attempting to enable these services will fail because their default service accounts cannot be created.

To resolve this issue:

  1. Temporarily remove the iam.disableServiceAccountCreation constraint.
  2. Enable the desired services.
  3. Create any other desired service accounts.
  4. Finally, re-apply the constraint.
¿Te sirvió esta página? Envíanos tu opinión:

Enviar comentarios sobre…

Resource Manager Documentation