Reputation: 125
Restricting key creation for specific GCP Service account in specific project belonging to an organization
I have a requirement where I want to restrict certain service account from creating key (json/yaml file) but that restriction should only affect specific service account in a specific project which belongs to an organization.
I did go through the following documentation, but It did not match the requirement of restricting only certain service account rather than all service account in that particular organization.
Upvotes: 2
Views: 330
Answers (1)
Reputation: 1235
As far as I know, you can only restrict key creation on project level.
Based on you configuration, in may be viable to restrict user's access to a Service Account - link.
Another workaround would be to split your resources into smaller projects, so that they are easier to manage.
If you think that policy restricting key creation for only selected service accounts should be available, you can file a Feature Request on Google Public Issue Tracker.
Upvotes: 1
Related Questions
- GCP limit service account to have conditional access to a single instance
- Restrict service account in organization level from specific projects
- Permission denied when creating GCP Service Account Key
- GCP - how to add a Google account as an IAM principal to a project
- How to allow a GCP Identity to modify specific service accounts
- Restrict our G-Suite email / service account of our project so that the user cannot add them to his personal GCP project
- Limiting Access to GCP Resources with Google Identity and IAM
- Service account key creation in GCP using rest API
- How to restrict accessing resource from a service account in GCP
- How do I restrict a Google service account?