The Resource Manager provides constraints that can be usedin organization policies to limit the usage ofIdentity and Access Management (IAM) service accounts.
Many of these constraints determine whether service accounts and other resourcescan be created or configured in specific ways. These constraints are notretroactive; they do not affect previously created and configured serviceaccounts.
Before you begin
You must have permission to modifyorganization policies to setconstraints. For example, theorgpolicy.policyAdminrole has permission to set organization policy constraints. Read theUsing Constraintspage to learn more about managing policies at the organization level.
Boolean constraints
The following constraints are types ofboolean constraint, which are set totrue or false.
Disable automatic role grants to default service accounts
Some Google Cloud services automatically createdefault service accounts. When a defaultservice account is created, it is automatically granted the Editor role(roles/editor) on your project.
To improve security, we strongly recommend that you disable the automatic rolegrant. Use the iam.automaticIamGrantsForDefaultServiceAccounts booleanconstraint to disable the automatic role grant.
Disable service account creation
You can use the iam.disableServiceAccountCreation boolean constraint todisable the creation of new service accounts. This allows you to centralizemanagement of service accounts while not restricting the other permissions yourdevelopers have on projects.
If you enforce this constraint in a project, then some Google Cloudservices cannot automatically createdefault service accounts. As a result, ifthe project runs workloads that need toimpersonate a service account, theproject might not contain a service account that the workload can use. Toaddress this issue, you canenable service account impersonation across projects.When you enable this feature, you can create service accounts in a centralizedproject, then attach the service accounts to resources in other projects.
For more information about organizing service accounts, seeWhere to create service accounts.
Disable service account key creation
You can use the iam.disableServiceAccountKeyCreation boolean constraint todisable the creation of new external service account keys. This allows you tocontrol the use of unmanaged long-term credentials for service accounts. Whenthis constraint is set, user-managed credentials cannot be created for serviceaccounts in projects affected by the constraint.
Disable service account key upload
You can use the iam.disableServiceAccountKeyUpload boolean constraint todisable the upload of external public keys to service accounts. When thisconstraint is set, users cannot upload public keys to service accounts inprojects affected by the constraint.
Disable attachment of service accounts to resources in other projects
Each service account is located in a project. You can use theiam.disableCrossProjectServiceAccountUsage boolean constraint to preventservice accounts in a project from being attached to resources in otherprojects.
If you want to allow service accounts to be used across projects, seeEnabling service account impersonation across projects.
Restrict removal of project liens when service accounts are used across projects
When you allow a project's service accounts to be attached to resources in otherprojects, IAM adds aproject lien that prevents you fromdeleting the project. By default, anyone who has theresourcemanager.projects.updateLiens permission on the project can delete thelien.
If you enforce the iam.restrictCrossProjectServiceAccountLienRemoval booleanconstraint, then principals can delete the lien only if they have theresourcemanager.projects.updateLiens permission on the organization.
We recommend enforcing this constraint if any of your projects allowservice account impersonation across projects.
Disable workload identity cluster creation
You can use the iam.disableWorkloadIdentityClusterCreation boolean constraintto require that any new Google Kubernetes Engine clusters have theWorkload Identity featuredisabled at the time of their creation. If you want to tightly control serviceaccount access in your organization, you may want to disable Workload Identityin addition to service account creation and service account key creation.
Existing GKE clusters with Workload Identity enabled willnot be affected, and will continue to work as normal.
Enforcing a boolean constraint
Console
To set an organization policy that enforces a constraint to restrict serviceaccount usage:
In the Google Cloud console, go to the Organization policies page.
Go to Organization policies
From the project picker, select the organization for which you want torestrict service account usage.
Click one of the service account usage boolean constraints listed on thispage.
Click Manage policy.
Under Applies to, select Override parent's policy.
Click Add a rule.
Under Enforcement, select On.
To enforce the policy, click Set policy.
gcloud
Policies can be set through the Google Cloud CLI.
To restrict service account usage, run the following command:
gcloud resource-manager org-policies enable-enforce \ --organization 'ORGANIZATION_ID' \ BOOLEAN_CONSTRAINT
Where BOOLEAN_CONSTRAINT is the boolean constraint you want toenforce.
To disable enforcement, the same command can be issued with the
disable-enforce
To learn about using constraints in organization policies, seeUsing Constraints.
Example policy with boolean constraint
The following code snippet shows an organization policy that enforces theiam.disableServiceAccountCreation boolean constraint, which prevents serviceaccounts from being created:
name: organizations/012345678901/policies/iam.disableServiceAccountCreationspec: rules: - enforce: trueList constraints
The following constraints are types oflist constraint,which are set to a list of values.
Extend lifetime of OAuth 2.0 access tokens
You can create an OAuth 2.0 access token that provides short-lived credentials for a service account.By default, the maximum lifetime of an access token is 1 hour (3,600 seconds).However, you can extend the maximum lifetime to 12 hours. To do so, identify theservice accounts that need an extended lifetime for access tokens, then addthese service accounts to an organization policy that includes the constraints/iam.allowServiceAccountCredentialLifetimeExtension list constraint.
Limit lifetime of service account keys
A service account key lets youauthenticate a request as a service account. By default, service account keysnever expire. You can change this default by setting an expiry time for allnewly created keys in your project, folder, or organization.
To set an expiry time, use the constraints/iam.serviceAccountKeyExpiryHourslist constraint to specify the number of hours for which a newly created key isvalid. After this amount of time, the service account key expires, and you canno longer use it.
This list constraint accepts the following ALLOW values; it does not acceptDENY values. As a best practice, use the shortest expiry time that meets yourneeds:
1h: 1 hour8h: 8 hours24h: 24 hours (1 day)168h: 168 hours (7 days)336h: 336 hours (14 days)720h: 720 hours (30 days)1440h: 1,440 hours (60 days)2160h: 2,160 hours (90 days)
The constraints/iam.serviceAccountKeyExpiryHours constraint can't be mergedwith a parent policy. To enforce this constraint, you must either replace orinherit the parent policy.
Specify allowed external identity providers
If you useworkload identity federation, whichlets external identities access Google Cloud resources, you can specifywhich external identity providers are allowed. By default, all providers areallowed. To set a limit, use theconstraints/iam.workloadIdentityPoolProviders list constraint to specify URIsfor the allowed providers, using the following formats:
Amazon Web Services (AWS):
https://sts.amazonaws.comTo limit which AWS accounts are allowed, use theconstraints/iam.workloadIdentityPoolAwsAccounts list constraintas described on this page.
Microsoft Azure:
https://sts.windows.net/azure-tenant-idOther identity providers that support OpenID Connect (OIDC): Use the issuerURI from your identity provider.
Specify allowed AWS accounts
If you useworkload identity federation, whichlets external identities access Google Cloud resources, you can specifywhich AWS accounts are allowed to access your resources. By default, workloadsfrom any AWS account are allowed to access your Google Cloud resources. Tolimit which AWS accounts are allowed, use theconstraints/iam.workloadIdentityPoolAwsAccounts list constraint to specify alist of allowed account IDs.
Automatically disable exposed service account keys
Google Cloud occasionally detects that a particular service account key has beenexposed—for example, it might detect a key in a public repository. Tospecify what Google Cloud does with these keys, use theiam.serviceAccountKeyExposureResponse list constraint.
This list constraint accepts the following ALLOW values; it doesn't acceptDENY values.
DISABLE_KEY: If Google Cloud detects an exposed key, it willautomatically disable the key. It also creates a Cloud Audit Logs event andsends a notification about the exposed key to project owners and securitycontacts.WAIT_FOR_ABUSE: Google Cloud won't proactively disable exposed keys.However, Google Cloud might still disable exposed keys if they're usedin ways that adversely affect the platform. Regardless of whether the exposedkey is disabled, Google Cloud creates a Cloud Audit Logs event andsends a notification about the exposed key to project owners and securitycontacts.
Cloud Audit Logs events are created when Google Cloud detects aleaked key or disables a key.
When Google Cloud detects that a key has been leaked, an abuse event iscreated in the Abuse Event logs.
When Google Cloud disables a key, the audit logs contain the disableaction by principal
[email protected].
We strongly recommend that you set this constraint to DISABLE_KEY. Settingthis constraint to WAIT_FOR_ABUSE increases the risk that leaked keys will bemisused.
If you do decide to set the constraint to WAIT_FOR_ABUSE, we recommend thatyou subscribe to Cloud Audit Logs events, review your security contact informationin Essential Contacts,and ensure that your security contacts respond to notifications in a timely manner.
The iam.serviceAccountKeyExposureResponse constraint can't be merged with aparent policy. To enforce this constraint, you must replace the parent policy.
Setting a list constraint
Console
To set an organization policy that contains a list constraint:
In the Google Cloud console, go to the Organization policies page.
Go to Organization policies
From the project picker, select the resource for which you wantto set the organization policy.
On the Organization policies page, select a constraint from the list.The Policy details page for that constraint appears.
To update the organization policy for this resource, clickManage policy.
Under Policy enforcement, select an enforcement option:
- To merge and evaluate your organization policies together, selectMerge with parent. For more information about inheritance and theresource hierarchy, seeUnderstanding hierarchy evaluation.
- To override policies inherited from a parent resource, selectReplace.
Click Add a rule.
Under Policy values, select Custom.
Under Policy type, select Allow.
Under Custom values, enter the first value for the list constraint.
- If you want to add more values, click Add value to createmore rows, and add one value to each row.
When you have finished adding values, click Done.
To enforce the policy, click Set policy.
gcloud
Policies can be set through the Google Cloud CLI:
gcloud resource-manager org-policies allow \ CONSTRAINT_NAME \ VALUE_1 [VALUE_N ...] \ --organization=ORGANIZATION_ID \
Replace the following values:
CONSTRAINT_NAME: The name of the list constraint.For example,constraints/iam.allowServiceAccountCredentialLifetimeExtension.VALUE_1,VALUE_N...:Values for the list constraint.
To learn about using constraints in organization policies, seeUsing Constraints.
Example policy with list constraint
The following code snippet shows an organization policy that enforces theiam.allowServiceAccountCredentialLifetimeExtension list constraint, whichextends the maximum lifetime of OAuth 2.0 access tokens for listed serviceaccounts:
name: organizations/012345678901/policies/iam.allowServiceAccountCredentialLifetimeExtensionspec: rules: - values: allowedValues: - SERVICE_ACCOUNT_ADDRESSError messages
Disable service account creation
If iam.disableServiceAccountCreation is enforced, creating a service accountwill fail with the error:
FAILED_PRECONDITION: Service account creation is not allowed on this project.
Disable service account key creation
If iam.disableServiceAccountKeyCreation is enforced, creating a service accountwill fail with the error:
FAILED_PRECONDITION: Key creation is not allowed on this service account.
Disable workload identity cluster creation
If iam.disableWorkloadIdentityClusterCreation is enforced, creating aGKE cluster with Workload Identity enabled will fail with theerror:
FAILED_PRECONDITION: Workload Identity is disabled by the organizationpolicy constraints/iam.disableWorkloadIdentityClusterCreation. Contact youradministrator to enable this feature.
Troubleshooting known issues
Default service accounts
Applying the iam.disableServiceAccountCreation constraint will prevent thecreation of service accounts in that project. This limitation also affectsGoogle Cloud services that, when enabled, automatically create defaultservice accounts in the project, such as:
- Compute Engine
- GKE
- App Engine
- Dataflow
If the iam.disableServiceAccountCreation constraint is applied, attempting toenable these services will fail because their default service accounts cannot becreated.
To resolve this issue:
- Temporarily remove the
iam.disableServiceAccountCreationconstraint. - Enable the desired services.
- Create any other desired service accounts.
- Finally, re-apply the constraint.
