Default service account is used Affecting Compute Engine service in Google


    Severity Framework
    Snyk CCSS
    Rule category
    IAM / Least Privilege

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
    CIS-Controls CIS-Google CSA-CCM HIPAA ISO-27001 NIST-800-53 PCI-DSS SOC-2
  • Snyk ID SNYK-CC-00380
  • credit Snyk Research Team


The default Compute Engine service account has an "Editor" role, which allows read and write access to most Google Cloud services. To mitigate the risk of a Compute Engine instance being compromised, create a new service account for an instance with only the necessary permissions assigned. Note that GKE-created instances should be exempted from this.

How to fix?

Set service_account attribute with custom service account information.

Example Configuration

resource "google_service_account" "test" {
  account_id   = "test-service-account"
  display_name = "Test Service Account"

resource "google_compute_instance" "test" {
  name         = "no-metadata-keys-set"
  machine_type = "e2-micro"
  zone         = "us-east1-b"

  service_account {
    email  =
    scopes = ["logging-write"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"

  network_interface {
    network = "default"