zam6ak

Reputation: 7259

Google Cloud Service Account has Translate API access without any roles assigned

I created a service account to use with Cloud Translate API (from my app), and have noticed that I can make the call even though I have not assigned it any roles!!!

I have verified (based on this answer) via gcloud projects get-iam-policy MYPROJECTID and the service account I used has no roles associated....

I thought service account would need at least "Cloud Translation API User" role in order to work....

  1. How do I restrict the service account to only be able to use the Translate API
  2. If this is not possible, does this mean that some APIs are accessible by any service account in project?

Thanks Z

Upvotes: 0

Views: 1296

Answers (1)

Héctor Neri

Reputation: 1452

The Translate API v2 isn't integrated with Cloud IAM, but v3 is, and that's why there are Cloud Translation roles (which also apply to the Cloud AutoML Translation service).

Regarding Question 1: For non-IAM-integrated services the only way to constrain authorization is through OAuth scopes. So, for Translation API v2 you can't restrict the service account to use only this API unless Translate is the only API enabled in the project.

Regarding Question 2: API services not integrated with Cloud IAM can be accessed using only a service account, even if it doesn't have any roles (because there are no Cloud IAM roles associated with the service yet).

Upvotes: 1
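The check the asker ran with `gcloud projects get-iam-policy MYPROJECTID` is easy to automate once the policy is pulled as JSON (`--format=json`). The script below is an added example, not code from the question, the answer or Google; it parses a constructed sample policy (the project id, service-account e-mail addresses and etag are placeholders) and reports, for a given service account, which roles it holds, whether any of them is one of the Cloud Translation predefined roles that v3 enforces, and whether a binding is only conditional. A service account that shows up with no roles at all is exactly the situation described in the answer: it can still reach v2 (no IAM check) but would be refused by v3.

```python
import json

# Constructed sample of what `gcloud projects get-iam-policy MYPROJECTID --format=json`
# emits. Project id, e-mail addresses and etag are placeholders, not real values.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:admin@example.com"]},
    {"role": "roles/cloudtranslate.user",
     "members": ["serviceAccount:translate-sa@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["serviceAccount:ci-sa@my-project.iam.gserviceaccount.com"],
     "condition": {"title": "expires",
                   "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}}
  ],
  "etag": "BwWplaceholder=",
  "version": 3
}
"""

# Predefined Cloud Translation roles (checked by the v3 API, ignored by v2).
TRANSLATION_ROLES = {
    "roles/cloudtranslate.user",
    "roles/cloudtranslate.editor",
    "roles/cloudtranslate.admin",
}


def load_policy(text):
    """Parse the JSON text produced by `gcloud projects get-iam-policy --format=json`."""
    return json.loads(text)


def roles_for_member(policy, member):
    """Map role -> condition (or None) for every binding that names `member`.

    `member` must use the IAM member syntax, e.g.
    'serviceAccount:name@project.iam.gserviceaccount.com'.
    """
    found = {}
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            found[binding["role"]] = binding.get("condition")
    return found


def audit_service_account(policy, email):
    """Summarise what the project-level policy grants to one service account."""
    member = f"serviceAccount:{email}"
    roles = roles_for_member(policy, member)
    # Only unconditional bindings count as a firm grant; conditional ones may
    # have expired or depend on request attributes, so report them separately.
    unconditional = {role for role, cond in roles.items() if cond is None}
    return {
        "member": member,
        "roles": sorted(roles),
        "conditional_roles": sorted(role for role, cond in roles.items() if cond),
        "has_translation_role": bool(unconditional & TRANSLATION_ROLES),
        "no_roles": not roles,
    }


if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY_JSON)
    for sa in ("translate-sa@my-project.iam.gserviceaccount.com",
               "ci-sa@my-project.iam.gserviceaccount.com",
               "unbound-sa@my-project.iam.gserviceaccount.com"):
        print(audit_service_account(policy, sa))
```

Against a real project, pipe the gcloud output into `load_policy` instead of the sample; a result with `no_roles` set is a service account whose only effective limit, as the answer explains, is the set of APIs enabled in the project and the OAuth scopes on its token.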
