Ensure Default Service account is not used at a project level

It is recommended not to set IAM role bindings using the default Compute Engine service account (which has a predictable, well-known name) at folder level in the resource manager hierarchy. This poses unnecessary risk, because the binding applies to an arbitrary hierarchy of projects that may change over time. If the service account were compromised, the binding would allow privilege escalation across a large scope.


Insecure Example

```hcl
resource "google_folder_iam_member" "folder" {
  folder = "folders/1234567"
  role   = "roles/editor"
  # The member value is not shown on the page; this is where the default
  # Compute Engine service account would be referenced as the member.
  member = ""
}
```

Secure Example

You should simply avoid doing that.
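As an added example (it is not from the page or from the rule's own documentation) of the secure alternative: instead of binding the default Compute Engine service account at folder scope, create a dedicated service account, bind it at project scope with the narrowest role that fits, and attach that account to the instance so the default account is not used. The project id, folder id, account id, zone, image and the role chosen here are placeholders for illustration.

```hcl
# Added example, not from the original page. All ids and the role are placeholders.

# A dedicated service account with a single, narrowly defined purpose.
resource "google_service_account" "app" {
  project      = "my-project-id" # placeholder project id
  account_id   = "app-workload"  # placeholder account id
  display_name = "Service account for the app workload"
}

# Bind it at project scope, not folder scope, so a compromise of this identity
# is contained to one project rather than an arbitrary, changing set of
# projects under a folder. The role is a narrow one instead of roles/editor.
resource "google_project_iam_member" "app_log_writer" {
  project = "my-project-id"           # placeholder project id
  role    = "roles/logging.logWriter" # least-privilege role for this workload
  member  = "serviceAccount:${google_service_account.app.email}"
}

# Attach the dedicated account to the instance so the default Compute Engine
# service account is not used by this VM at all.
resource "google_compute_instance" "app" {
  project      = "my-project-id" # placeholder project id
  name         = "app-vm"
  machine_type = "e2-small"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = "default"
  }

  service_account {
    email  = google_service_account.app.email
    scopes = ["cloud-platform"]
  }
}
```

If a folder-level binding of the default Compute Engine service account already exists, remove it rather than narrowing its role: the default account is shared by every VM in the project that does not specify its own service account, so any role granted to it is effectively granted to all of those workloads.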

More information