Minimum IAM Permissions for Google Cloud

Michael Kimble

Dec 22, 2022, 2:56 AM PST


As per the documentation, Packer needs the iam.serviceAccountUser role. However, it is insecure to set this at project level as there is a risk of abusing elevated permissions. Could it be clarified what is the minimum permission that is required?

Does it only need permission to impersonate the service account of the instance it creates before it takes the image?