How to disable exposed security key feature without an organization

Today Google sent me a very alarmist email about some new feature they are turning on automatically.  They had instructions on how to disable it, however it seems to require your projects to be in an organization.

https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#disa...

My projects are not in an organization; I am the sole owner of these projects. Is it possible to disable this feature without an organization? I get permissions errors when I try, despite being the (sole) Owner of each of these projects.


It's not even clear whether this will be enabled for projects that aren't part of an organization. I actually wanted to opt in early for a particular project and found that I couldn't. Some more clarity would be appreciated.

My worry is that leaked key detectors routinely flag client side keys (like firebase configs that ship in your JS code directly, i.e. not secure at all), and it's not clear if this new feature is going to apply to these or not.

I never turned on a Google workspace for my domains, and it doesn't seem to be possible to make an organization anymore without that.

Technically those are not service account keys, so I would hazard a guess that they won't be affected, but it's still a valid concern.

J_J
Bronze 2
I have opted to disable all my service accounts. I have no idea if this will prevent any nefarious activity as mentioned in the email, but I'm not sure what else to do as I don't seem to be able to set "IAM.serviceAccountKeyExposureResponse" to "DISABLE_KEY".

In honesty I'm not sure how I would go about making that change. I have owners, editors and a few other roles set up on a few projects, but I can't see how to set policies on the principals that have those roles. If someone could link me a tutorial or the documentation on where I can set the "IAM.serviceAccountKeyExposureResponse" to "DISABLE_KEY" that would be greatly appreciated, as I am struggling to find the area in IAM & Admin at the moment. I assumed (maybe wrongly) that it is because I need to set up an organization.

Note that disabling all the service accounts will probably have unintended consequences, as they are used for all sorts of automation within Google Cloud. If you haven't created and downloaded keys for service accounts to be used elsewhere, you don't have anything to worry about. Also, the accounts representing real people (owners, editors, etc.) that you mentioned are normally not related/connected to service accounts.

The instructions can be found at the link OP shared, and yes, it appears you do need an organization.

The question is what happens if you don't have an organization? It also seems like you can no longer create an organization without signing up for additional services, now that workspace is not available for personal use.

They really need to improve their documentation to make the behavior clear.

Hi @zzorba, did you find out something new in the meantime? 🙂

Nope. Just sort of hoping it doesn't all break when it rolls out later this year.

Isn't Google cloud the best!