Service accounts at Org and Folder levels, and at Resource levels
High level service accounts (Folders, projects and Org level)
There should be few SAs. No keys allowed. AD groups (containing human users) should be defined for these, with all the members in the AD group. Human users should be granted the ServiceAccountUser role and that's it (not Service Account Token Creator).
Resource Level service accounts
Can be many. Keys allowed. Service account Impersonation may be allowed.
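An added example, not part of the original post: a Python check that applies the two tiers' rules to the JSON printed by `gcloud iam service-accounts get-iam-policy --format=json` and `gcloud iam service-accounts keys list --format=json`. The sample policy, key names, group and user are constructed, the function name and finding labels are hypothetical, and flagging a direct `user:` grant is an assumption drawn from the AD-group guidance above.

```python
import json

SA_USER = "roles/iam.serviceAccountUser"
HUMAN_PREFIXES = ("user:", "group:")

# Constructed sample data in the JSON shapes gcloud prints for a service
# account's IAM policy and for its key list.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/iam.serviceAccountUser",
   "members": ["group:org-admins@example.com", "user:alice@example.com"]},
  {"role": "roles/iam.serviceAccountTokenCreator",
   "members": ["group:org-admins@example.com"]}
]}
""")
SAMPLE_KEYS = json.loads("""
[{"name": "projects/p/serviceAccounts/sa/keys/k1", "keyType": "SYSTEM_MANAGED"},
 {"name": "projects/p/serviceAccounts/sa/keys/k2", "keyType": "USER_MANAGED"}]
""")


def audit_service_account(tier, policy, keys):
    """Return findings for one service account; tier is 'high' or 'resource'."""
    if tier == "resource":
        return []  # keys and impersonation are permitted at this level
    findings = []
    for key in keys:
        # High-level SAs: only Google-managed keys may exist.
        if key.get("keyType") == "USER_MANAGED":
            findings.append(("user-managed-key", key["name"]))
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if not member.startswith(HUMAN_PREFIXES):
                continue
            if binding["role"] != SA_USER:
                # Humans get ServiceAccountUser and nothing else.
                findings.append(("role-beyond-sa-user", f"{member} {binding['role']}"))
            elif member.startswith("user:"):
                # Assumption: direct user grants should move into the AD group.
                findings.append(("direct-user-grant", member))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_service_account("high", SAMPLE_POLICY, SAMPLE_KEYS):
        print(f"{kind}: {detail}")
```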