Can this be refactored not to grant `Service Account User` to the default compute service account?

[diwu-sf]

Right now, the default compute principal has the role Service Account User roles/iam.serviceAccountuser

Is it possible to change this or make the project work without this role? Or grant it to a specific service account instead of the default compute service account?

This particular role is causing a Soc2 Vanta compliance check to fail:

Vanta recommendations:

Remove role grants that assign critical IAM roles to service accounts.

Visit the GCP [IAM & admin console](https://console.cloud.google.com/iam-admin/iam) and remove offending role grants.

If a service account still needs some of the permissions from the removed role grant, define a new custom role with permissions according to the [principle of least privilege](https://cloud.google.com/iam/docs/using-iam-securely) and grant this new role to the service account.

Policies granting offending roles may be associated with the project, in any enclosing folder of the project, or in the root GCP organization.

The following roles are considered critical:

roles/owner
roles/editor
roles/viewer
roles/billing.admin
roles/iam.organizationRoleAdmin
roles/iam.roleAdmin
roles/iam.securityAdmin
roles/iam.serviceAccountAdmin
roles/iam.serviceAccountKeyAdmin
roles/iam.serviceAccountUser
roles/resourcemanager.organizationAdmin
roles/resourcemanager.folderAdmin
roles/resourcemanager.folderEditor
roles/resourcemanager.folderMover
Note: GCP may create user-managed "default service accounts" with the Editor role (roles/editor) when a Google Cloud service is enabled. GCP recommends that you restrict permissions for all such user-managed "default service accounts," whereas Google managed service accounts need not be restricted. If you are unsure which category a service account belongs to, consult [GCP's documentation](https://cloud.google.com/iam/docs/service-accounts#types).

[Neutrollized]

Yes, but it's not a priority for me at the moment. I had considered this back when I made the previous update/fixes in Nov., but ultimately it came down to the easier fix then and planned on updating it to use a custom SA (better for PoLP anyway) in the future. For me, it serves its purpos as I use it for my own projects/demos and such and I don't need it to be SOC 2 compliant. I don't really have a timeline for you -- maybe a month or two.

As the "runAs" applies to the Cloud Build service account, you can always just comment it out and deploy it using a shell script running the gcloud commands for now (which I did provide as part of the README in the cloud-run folder.