Granting service account access to specific Linux user


In Google Compute Engine we can assign a service account to a VM instance. However, this means that the service account credentials are accessible to any process running on the VM via the metadata server.

Suppose now we have:

  • a Linux user A or container on the VM running code that has no need to use the service account (and may be more vulnerable);
  • another Linux user B running fully trusted code which does require access to the service account.

Good security practices imply we should only grant Linux user B access to the service account. What is the recommended way to achieve this?

Some thoughts:

  • We could firewall off the metadata server's IP from user A's processes, but this doesn't feel very robust (the IP does seem fixed for now, but I cannot find in the official documentation that one should depend on this).
  • We could generate service account keys and store them in a file that only user B can read. However, this has many drawbacks, such as: (1) account keys require more manual management, and this increases risk (therefore the official documentation recommends against using them whenever possible); (2) we need to somehow provision these keys ourselves and cannot immediately use them in our startup scripts (we could add them using guest metadata and remove them in the startup script after reading them, but the official documentation recommends not storing sensitive data here).

There are 0 answers
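The first option the question raises, restricting the metadata server to one Linux user with a host firewall rule, as an added example that is not part of the question or of any answer. It assumes the metadata server address 169.254.169.254 (the address metadata.google.internal resolves to), an iptables with the owner match installed, and that user B is an unprivileged account; the user names and the uid 1001 used in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the question or any answer): limit the GCE metadata
# server to one trusted Linux user with iptables owner matching.
# Assumptions: the metadata server is 169.254.169.254 (the address that
# metadata.google.internal resolves to) and iptables with the owner match
# is installed. Root is not restricted by this (root can edit the rules
# anyway), so the trusted user B must be an unprivileged account.
METADATA_IP=169.254.169.254

# Print the OUTPUT-chain rules for a given numeric uid (what would be applied).
# Everything not owned by that uid is rejected, so user A's processes cannot
# fetch tokens even though the server address itself never changes.
metadata_rules() {
    uid=$1
    echo "iptables -I OUTPUT 1 -d $METADATA_IP -m owner --uid-owner $uid -j ACCEPT"
    echo "iptables -I OUTPUT 2 -d $METADATA_IP -j REJECT"
}

# Apply the rules for a user given by name; must run as root, ideally from the
# instance startup script before any of user A's workloads start.
# Note: containers in their own network namespace traverse FORWARD, not OUTPUT,
# so they need a separate rule there (their traffic carries no owner uid).
apply_metadata_rules() {
    uid=$(id -u "$1") || return 1
    metadata_rules "$uid" | sh -e
}

# Return 0 if the calling user can reach the metadata server, non-zero otherwise.
# Run once as user A (expect blocked) and once as user B (expect reachable).
metadata_reachable() {
    curl -sf --max-time 3 -H 'Metadata-Flavor: Google' \
        "http://$METADATA_IP/computeMetadata/v1/instance/service-accounts/default/email" \
        >/dev/null
}

# Usage:  sh restrict-metadata.sh apply userB          (as root)
#         su -s /bin/sh userA -c 'sh restrict-metadata.sh check'
case "${1:-}" in
    apply) apply_metadata_rules "$2" ;;
    check) metadata_reachable && echo reachable || echo blocked ;;
esac
```

The REJECT rule (rather than DROP) makes user A's requests fail immediately with a connection error, which is also what the check above relies on.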