Description:
A service account is a special Google account that belongs to an application or a VM instead of to an individual end user. The application uses the service account to call a service's Google API so that users aren't directly involved. Service accounts should not be granted admin access.
Rationale:
Service accounts represent the service-level security of the resources (an application or a VM), which is determined by the roles assigned to them. Granting a service account admin rights gives full access to the assigned application or VM. Anyone holding that service account's credentials can perform critical actions such as delete, update, and change settings without user intervention. For this reason, it's recommended that service accounts not have admin rights.
Removing '*Admin', '*admin', 'Editor', or 'Owner' role assignments from service accounts may break functionality that depends on the affected service accounts. The required role(s) should be assigned to the affected service accounts in order to restore the broken functionality.
From Console:
From Command Line:
gcloud projects get-iam-policy PROJECT_ID --format json > iam.json
For example, to replace the roles/editor binding on a service account with roles/appengine.appViewer, you would change the exported policy shown below as follows:
{
  "bindings": [
    {
      "members": [
        "serviceAccount:[email protected]"
      ],
      "role": "roles/appengine.appViewer"
    },
    {
      "members": [
        "user:[email protected]"
      ],
      "role": "roles/owner"
    },
    {
      "members": [
        "serviceAccount:[email protected]",
        "serviceAccount:[email protected]"
      ],
      "role": "roles/editor"
    }
  ],
  "etag": "BwUjMhCsNvY="
}
2. Update the project's IAM policy:
gcloud projects set-iam-policy PROJECT_ID iam.json
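As an added example (not part of the benchmark text), the following script audits an exported iam.json for service accounts bound to editor, owner, or any role ending in Admin/admin, and produces a cleaned policy that can be fed back to gcloud projects set-iam-policy. The policy, project name, and account names below are constructed placeholders.

```python
import json
import re

# Constructed sample in the shape emitted by
# `gcloud projects get-iam-policy PROJECT_ID --format json`; all names are placeholders.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"members": ["serviceAccount:app-sa@example-project.iam.gserviceaccount.com"],
         "role": "roles/appengine.appViewer"},
        {"members": ["user:admin@example.com"], "role": "roles/owner"},
        {"members": ["serviceAccount:app-sa@example-project.iam.gserviceaccount.com",
                     "serviceAccount:build-sa@example-project.iam.gserviceaccount.com"],
         "role": "roles/editor"},
        {"members": ["serviceAccount:ops-sa@example-project.iam.gserviceaccount.com"],
         "role": "roles/compute.admin"},
    ],
    "etag": "BwUjMhCsNvY=",
})

# Privileged per the recommendation: basic editor/owner, or any role ending in Admin/admin.
PRIVILEGED_ROLE = re.compile(r"^roles/(editor|owner|.*[Aa]dmin)$")


def find_privileged_service_accounts(policy_json):
    """Return {member: [roles]} for every service account bound to a privileged role."""
    findings = {}
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding.get("role", "")
        if not PRIVILEGED_ROLE.match(role):
            continue
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                findings.setdefault(member, []).append(role)
    return findings


def strip_privileged_service_accounts(policy_json):
    """Return policy JSON with service accounts removed from privileged roles.

    Bindings left without members are dropped; the etag is kept so that
    set-iam-policy can detect a concurrent modification. Re-add the narrower
    roles a workload needs (e.g. roles/appengine.appViewer) before applying."""
    policy = json.loads(policy_json)
    kept = []
    for binding in policy.get("bindings", []):
        members = binding.get("members", [])
        if PRIVILEGED_ROLE.match(binding.get("role", "")):
            members = [m for m in members if not m.startswith("serviceAccount:")]
        if members:
            kept.append({**binding, "members": members})
    policy["bindings"] = kept
    return json.dumps(policy, indent=2)
```

Run find_privileged_service_accounts on the exported file first to review which workloads will lose access, then apply the cleaned policy with the set-iam-policy command above.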