Reputation: 1
How can I disable a GCP Service Account to create VM instances?
I need to disable a service account in Cloud IAM to create Compute Engine instances. Currently the service account has the Editor role on the project.
I tried adding a condition to disable compute/instance using condition builder but it doesn't allow this, saying primitive roles cannot be edited.
Upvotes: 0
Views: 492
Answers (1)
Reputation: 1028
Condition Builder is in Beta.
You can remove the editor role and assign the required (custom) role to Service Account.
Open the IAM & Admin page in the Cloud Console. Click Select a project, choose a project, and click Open.
Identify the service account to which you want to add a role.
If the service account isn't already on the members list, it doesn't have any roles assigned to it. Click Add and enter the email address of the service account. If the service account is already on the
members list, it has existing roles. To edit the service account's
roles, click the Edit edit button. Select one or more roles to apply to the service account.Click Save to apply the roles to the service account.
Another option is: Restrict access who can use the Service account.
Upvotes: 1
Related Questions
- GCP limit service account to have conditional access to a single instance
- What IAM permissions do I need to use to create a Service Account similar to Default Compute Engine Service Account?
- Permission denied when creating GCP Service Account Key
- GCP: Compute Engine Default Service Account missing
- Restricting user access for VM in gcp
- Modifying gcloud VM service account permissions without stopping the VM
- GCP SERVICE_ACCOUNT_ACCESS_DENIED when trying to deploy instance with deployment manager
- IAM Role to allow IAM users to create only VM Instances and Disk in GCP?
- How to give permission for an IAM service account to run a docker container within a GCP VM?
- How can I create a new service account for Google Compute Engine VMs?