Google Cloud 如何对默认服务帐号进行身份验证？

Question

I wonder how Google authenticates default service accounts in user's projects.

For instance, I have default service account for compute in my project but it has no associated means for impersonation or authentication (no IAM policy bindings, like iam.ServiceAccounts.getAccessToken, and no keys):

$ gcloud iam service-accounts list
DISPLAY NAME                            EMAIL                                               DISABLED
Compute Engine default service account  502923505097-compute@developer.gserviceaccount.com  False

$ gcloud iam service-accounts get-iam-policy 502923505097-compute@developer.gserviceaccount.com
etag: ACAB 

There are some bindings inherited from project level. For example there is binding for Compute Engine Service Agent:

$ gcloud projects get-iam-policy  cedar-lexicon-312307
bindings:
- members:
  - serviceAccount:service-502923505097@compute-system.iam.gserviceaccount.com
  role: roles/compute.serviceAgent

Do I understand correctly that Compute Engine Service Agent is authorised to impersonate any service account in my project and is used to impersonate compute's default service account? Are there any other means (may be hidden to users) by which Google Services impersonate default service accounts?

Answer 1

You can see in the documentation the roles of the service agent. It's Google Managed service account, granted on your project, to let google automation services interact with your project. You can remove permission on these service account service agent to remove the permission to Google Platform product to interact with your project. Use at your own risk!

If you want to roll back your test, you can try to disable and then enable the related API.

You can also add manually the service account service agent email to your project, with the correct role.