Skip to main content
Checks that GCP service accounts do not have admin-level privileges.

About

When you connect Google Cloud Platform (GCP) to DSALTA, the platform syncs your users, roles, and access settings using read-only API access. DSALTA evaluates this control on every sync. If the requirement is not met, DSALTA activates this check.

Why This Matters

Stale, unused, or overly powerful credentials are a primary attack vector. Rotating and removing them limits how much damage a compromised key can do — a core hygiene control in SOC 2 and the CIS Benchmarks.

How to Fix

Before you begin
  • Ensure you have the IAM admin role on the GCP project.
Restrict service account privileges
  1. Sign in to the Google Cloud Console and navigate to IAM & Admin → IAM.
  2. Filter for service accounts and review their roles.
  3. Remove Owner/Editor/admin roles and grant only the minimum predefined or custom roles required.
  4. For keys, remove user-managed keys and prefer Workload Identity Federation; rotate any remaining keys every 90 days.
Once service account privileges follow least privilege, DSALTA retrieves the change on the next sync and sets the check status to Passing.

Frequently Asked Questions

This check runs automatically every 24 hours while the Google Cloud Platform (GCP) integration is connected. You can also trigger a manual sync from Integrations in the sidebar.
A failing check appears in your Data Library → Tests dashboard. Work through the steps above; once the underlying configuration is fixed, the status updates automatically on the next sync.
Yes. If it does not apply to your environment, mark it as Not Applicable with a justification. The exclusion is documented for auditors.
No. DSALTA uses read-only API access and never modifies, creates, or deletes resources. All remediation is performed by your team directly in Google Cloud Platform (GCP).