Restricting service account usage

The Resource Manager provides constraints that can be used in organization policies to limit the usage of Identity and Access Management service accounts.

When you set these constraints, they apply to future creation of and modifications to service accounts. These constraints are not retroactive and will not affect previously created and configured service accounts.

Before you begin

You must have permission to modify organization policies to set constraints. For example, the orgpolicy.policyAdmin role has permission to set organization policy constraints. Read the Using Constraints page to learn more about managing policies at the organization level.

Boolean constraints

The following constraints are types of boolean constraint, which are set to true or false.

Disable automatic role grants to default service accounts

Some Google Cloud services automatically create default service accounts. When a default service account is created, it is automatically granted the Editor role (roles/editor) on your project.

To improve security, we strongly recommend that you disable the automatic role grant. Use the iam.automaticIamGrantsForDefaultServiceAccounts boolean constraint to disable the automatic role grant.

Disable service account creation

You can use the iam.disableServiceAccountCreation boolean constraint to disable the creation of new service accounts. This allows you to centralize management of service accounts while not restricting the other permissions your developers have on projects.

Disable service account key creation

You can use the iam.disableServiceAccountKeyCreation boolean constraint to disable the creation of new external service account keys. This allows you to control the use of unmanaged long-term credentials for service accounts. When this constraint is set, user-managed credentials cannot be created for service accounts in projects affected by the constraint.

Disable service account key upload

You can use the iam.disableServiceAccountKeyUpload boolean constraint to disable the upload of external public keys to service accounts. When this constraint is set, users cannot upload public keys to service accounts in projects affected by the constraint.

Disable workload identity cluster creation

You can use the iam.disableWorkloadIdentityClusterCreation boolean constraint to require that any new Google Kubernetes Engine clusters have the Workload Identity feature disabled at the time of their creation. If you want to tightly control service account access in your organization, you may want to disable Workload Identity in addition to service account creation and service account key creation.

Existing GKE clusters with Workload Identity enabled will not be affected, and will continue to work as normal.

Setting a boolean constraint

Console

To set an organization policy including a constraint to restrict service account usage:

  1. Go to the Organization policies page in the Google Cloud Console.
  2. Click the Organization drop-down list at the top of the page and then select your organization.
  3. Click one of the service account usage boolean constraints listed above.
  4. Click the Edit button.
  5. Under Applies to, select Customize.
  6. Under Enforcement, select On.
  7. Click Save. A notification will appear to confirm that the policy has been updated.

gcloud

Policies can be set through the gcloud command-line tool.

To restrict service account usage, run the following command:

gcloud resource-manager org-policies enable-enforce \
    --organization 'ORGANIZATION_ID' \
    BOOLEAN_CONSTRAINT

Where BOOLEAN_CONSTRAINT is the boolean constraint you want to enforce.

To disable the policy, issue the same command with disable-enforce in place of enable-enforce.

To learn about using constraints in organization policies, see Using Constraints.

Example policy with boolean constraint

The following code snippet shows an organization policy that enforces the iam.disableServiceAccountCreation boolean constraint, which prevents service accounts from being created:

resource: "organizations/842463781240"
policy {
  constraint: "constraints/iam.disableServiceAccountCreation"
  etag: "\a\005L\252\122\321\946\334"
  boolean_policy {
    enforced: true
  }
}

List constraints

The following constraints are types of list constraint, which are set to a list of allowed or denied values rather than to true or false.

Extend lifetime of OAuth 2.0 access tokens

You can create an OAuth 2.0 access token that provides short-lived credentials for a service account. By default, the maximum lifetime of an access token is 1 hour (3,600 seconds). However, you can extend the maximum lifetime to 12 hours. To do so, identify the service accounts that need an extended lifetime for access tokens, then add these service accounts to an organization policy that includes the constraints/iam.allowServiceAccountCredentialLifetimeExtension list constraint.

Setting a list constraint

Console

To set an organization policy that extends the maximum lifetime of OAuth 2.0 access tokens for a service account:

  1. Go to the Organization policies page in the Google Cloud Console.
  2. Click the Organization drop-down list at the top of the page and then select your organization.
  3. Click the constraints/iam.allowServiceAccountCredentialLifetimeExtension constraint.
  4. Click the Edit button.
  5. Under Applies to, select Customize.
  6. Under Policy enforcement, select Merge with parent to merge this policy with existing policies in your hierarchy.
  7. Under Policy values, select Custom.
  8. Under Policy type, select Allow.
  9. Under Custom values, enter the email address of a service account for which you want to extend the lifetime of OAuth 2.0 access tokens.
    1. If you want to add more addresses, click New policy value to create more rows, and add one address to each row.
  10. Click Save. A notification confirms that the policy has been updated.

gcloud

Policies can be set through the gcloud command-line tool.

To set an organization policy that extends the maximum lifetime of OAuth 2.0 access tokens for a service account, run the following command:

gcloud resource-manager org-policies allow \
    constraints/iam.allowServiceAccountCredentialLifetimeExtension \
    SERVICE_ACCOUNT_ADDRESS [SERVICE_ACCOUNT_ADDRESS ...] \
    --organization 'ORGANIZATION_ID'

Where SERVICE_ACCOUNT_ADDRESS is one or more email addresses of the service accounts for which you want to allow extended-lifetime access tokens.

To learn about using constraints in organization policies, see Using Constraints.

Example policy with list constraint

The following code snippet shows an organization policy that enforces the iam.allowServiceAccountCredentialLifetimeExtension list constraint, which extends the maximum lifetime of OAuth 2.0 access tokens for listed service accounts:

resource: "organizations/842463781240"
policy {
  constraint: "constraints/iam.allowServiceAccountCredentialLifetimeExtension"
  etag: "\a\005L\252\122\321\946\334"
  listPolicy {
    allowedValues:
      - SERVICE_ACCOUNT_ADDRESS
  }
  updateTime: CURRENT_TIME
}
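As an added check that is not part of this page or of the gcloud tool itself, the following script audits an organization's policies against the boolean constraints and the list constraint described above, reporting which recommended constraints are not enforced and which service accounts are allowed 12-hour tokens. It assumes that `gcloud resource-manager org-policies list --organization ORGANIZATION_ID --format=json` returns a JSON array with camelCase fields (constraint, booleanPolicy.enforced, listPolicy.allowedValues, listPolicy.allValues); the sample input is constructed.

```python
import json

# Boolean constraints this page recommends enforcing; names are as given on the page.
RECOMMENDED_BOOLEAN = (
    "constraints/iam.automaticIamGrantsForDefaultServiceAccounts",
    "constraints/iam.disableServiceAccountCreation",
    "constraints/iam.disableServiceAccountKeyCreation",
    "constraints/iam.disableServiceAccountKeyUpload",
    "constraints/iam.disableWorkloadIdentityClusterCreation",
)
LIFETIME_EXTENSION = "constraints/iam.allowServiceAccountCredentialLifetimeExtension"

# Constructed sample standing in for the JSON that
# `gcloud resource-manager org-policies list --organization ORG_ID --format=json`
# is assumed to emit (camelCase fields mirroring the policy examples above).
SAMPLE_POLICIES_JSON = """[
  {"constraint": "constraints/iam.disableServiceAccountCreation",
   "booleanPolicy": {"enforced": true}},
  {"constraint": "constraints/iam.disableServiceAccountKeyCreation",
   "booleanPolicy": {}},
  {"constraint": "constraints/iam.allowServiceAccountCredentialLifetimeExtension",
   "listPolicy": {"allowedValues": ["batch@example-project.iam.gserviceaccount.com"]}}
]"""


def audit_sa_constraints(policies):
    """Compare org-policy dicts against the constraints recommended above.

    Returns the recommended boolean constraints that are not enforced (absent,
    or present without enforced: true) and the service accounts allowed to
    request extended-lifetime (up to 12 hour) access tokens.
    """
    by_name = {p.get("constraint"): p for p in policies}
    not_enforced = [
        name for name in RECOMMENDED_BOOLEAN
        if not by_name.get(name, {}).get("booleanPolicy", {}).get("enforced", False)
    ]
    list_policy = by_name.get(LIFETIME_EXTENSION, {}).get("listPolicy", {})
    return {
        "not_enforced": not_enforced,
        # Each listed address may mint 12-hour tokens instead of the 1-hour default.
        "lifetime_extended": list(list_policy.get("allowedValues", [])),
        # allValues == ALLOW (assumed field) would extend it for every service account.
        "lifetime_all_allowed": list_policy.get("allValues") == "ALLOW",
    }


def audit_from_json(text):
    """Parse the gcloud JSON output and run the audit."""
    return audit_sa_constraints(json.loads(text))
```

Run it as `gcloud resource-manager org-policies list --organization ORGANIZATION_ID --format=json | python3 -c 'import sys, audit; print(audit.audit_from_json(sys.stdin.read()))'` (module name assumed) to review an organization; an empty list of policies reports every recommended constraint as not enforced.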

Error messages

Disable service account creation

If iam.disableServiceAccountCreation is enforced, creating a service account will fail with the error:

FAILED_PRECONDITION: Service account creation is not allowed on this project.

Disable service account key creation

If iam.disableServiceAccountKeyCreation is enforced, creating a service account key will fail with the error:

FAILED_PRECONDITION: Key creation is not allowed on this service account.

Disable workload identity cluster creation

If iam.disableWorkloadIdentityClusterCreation is enforced, creating a GKE cluster with Workload Identity enabled will fail with the error:

FAILED_PRECONDITION: Workload Identity is disabled by the organization
policy constraints/iam.disableWorkloadIdentityClusterCreation. Contact your
administrator to enable this feature.

Troubleshooting known issues

Default service accounts

Applying the iam.disableServiceAccountCreation constraint will prevent the creation of service accounts in that project. This limitation also affects Google Cloud services that, when enabled, automatically create default service accounts in the project, such as:

  • Compute Engine
  • GKE
  • App Engine
  • Dataflow

If the iam.disableServiceAccountCreation constraint is applied, attempting to enable these services will fail because their default service accounts cannot be created.

To resolve this issue:

  1. Temporarily remove the iam.disableServiceAccountCreation constraint.
  2. Enable the desired services.
  3. Create any other desired service accounts.
  4. Finally, re-apply the constraint.