Professional Cloud Developer
Professional Cloud Developer
Gauge your current knowledge
Gauge your current knowledge
Professional Cloud Developer
Gauge your current knowledge
Gauge your current knowledge
Service accounts are special identities used by applications and workloads instead of people. To build secure applications, developers must follow the principle of least privilege, which means giving an identity only the exact permissions it needs to do its job. By limiting access, you reduce the risk of a security breach spreading through your system, which minimizes the "attack surface" of your cloud-native applications.
When you enable certain services, Google Cloud often creates default service accounts that may automatically receive broad permissions like the Editor role. These primitive roles are often too powerful and create security risks if the account is ever compromised. It is a best practice to disable automatic role grants for these accounts. Instead, developers should evaluate the specific needs of each application to avoid giving away excess power.
User-managed service accounts are the preferred choice for running secure services because they are created for a single purpose. You should create a unique service account for each application to keep their permissions separate. Key benefits of this strategy include isolation (problems in one app do not affect others), auditing (you can easily see which app performed a specific action), and control (you can revoke access for one service without stopping others). Using dedicated accounts makes it much easier to manage security as your project grows and prevents a single compromised account from giving a hacker access to your entire cloud environment.
To manage access, you can assign predefined roles, which are groups of permissions managed by Google for common tasks. If a predefined role provides too much access, you can create custom roles to define a specific list of permissions. Custom roles offer the most granular control over what an application can do, ensuring that your workload has exactly what it needs and nothing more.
Proper service account management involves following clear naming conventions and documenting who is responsible for each account. You should regularly identify and disable unused service accounts to prevent them from being abused. It is also important to avoid using service account keys whenever possible, as they can be leaked easily. Instead, use more secure methods like Workload Identity Federation or attaching the account directly to a resource. While IAM roles are the primary way to control access, access scopes are a legacy method that can further limit what a virtual machine can do. The modern best practice is to set the cloud-platform scope on a resource and use IAM roles to handle the actual security. This combination ensures that authorization is managed in one central place, making your security architecture easier to understand and maintain.
To build secure cloud-native applications, developers must follow the principle of least privilege. This means giving a service only the minimum permissions it needs to perform its specific tasks. Instead of granting access to an entire project, you should apply IAM policies at the most granular level possible. Restricting access to specific resources like a single Cloud Storage bucket helps protect sensitive data from unauthorized users.
Applying resource-level scoping is a key strategy to prevent lateral movement within a cloud environment. If a bad actor compromises one part of your system, resource-level restrictions ensure they cannot easily jump to other sensitive areas. By using this method, you create a smaller attack surface for your application. This approach is essential for designing highly scalable and reliable systems that remain secure under pressure.
Every application should run using its own dedicated service account to ensure isolation. This allows you to tailor permissions specifically for that application's unique functions. Using application-specific service accounts helps you avoid over-permissioning by only granting access to resources that each individual application requires. Common resources to scope include Cloud Storage buckets for data storage, Pub/Sub topics for messaging, and BigQuery datasets for analytics.
Security should be integrated early in the development process, a concept known as shift-left security. Using infrastructure as code (IaC) allows you to define IAM policies alongside your application code, so that permissions are reviewed and tested before deployment. This automation reduces the chance of human error and ensures that resource-level restrictions are consistently applied across environments.
Workload Identity is a secure way to manage how applications running on Google Cloud access other services. Instead of using permanent passwords, you use a Service Account, which acts as an identity for a piece of code rather than a person. This helps developers follow the principle of least privilege by giving the application only the specific permissions it needs to do its job.
When running code on resources like Compute Engine, the preferred authentication method is to attach a service account directly to that resource. This allows the application to automatically use the service account's credentials to prove its identity to Google APIs. This process ensures that the application has a clear identity from the moment it starts, and it involves installing the Google Cloud CLI to manage resources, creating a specific Service Account for the workload, and attaching that identity to the compute resource during creation.
To further improve security, developers should use Workload Identity Federation for applications running outside of Google Cloud or in GKE. This process provides ephemeral credentials, which are temporary and expire quickly, instead of using long-lived service account keys that could be stolen. By using these temporary tokens, you significantly minimize the attack surface of your cloud-native applications.
Managing access requires assigning specific IAM Roles to each service account to ensure granular identity and access management. In production environments, you should avoid broad roles like Owner or Editor and instead use predefined roles that limit what the application can do. Using these specific roles helps maintain a secure environment as your application scales and provides reduced risk of unauthorized data access, better control over resource usage, and easier auditing of which service performed which action.
Advanced security can also be achieved through Service Account Impersonation, which allows one identity to temporarily act as another without needing a physical key file. Google also provides tools like Access Transparency and Security Command Center to monitor these identities and detect any suspicious behavior or access violations. These services help ensure that your highly scalable applications remain reliable and secure against modern threats.