GCP Default compute account is project Editor

Published Sun, Nov 22nd, 2020


When the Compute API is enabled on a GCP project, the default compute account is created. This account is assigned the primitive role Editor by default, which allows for a wide variety of privilege escalation and resource abuse in the project. In particular, all new VMs created inherit these permissions by default. This issue is arguably a technical decision by GCP, but the documentation advises customers to undo this.

Affected Services



Remove these permissions; this can be done via an organization policy.
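To find where the grant is still in place before removing it, the following added example (not part of the original advisory) checks an IAM policy and an instance list for the default compute account. It assumes JSON in the shape produced by `gcloud projects get-iam-policy --format=json` and `gcloud compute instances list --format=json`; the project number, names and sample data are constructed.

```python
import json
import re

# Default compute account email: PROJECT_NUMBER-compute@developer.gserviceaccount.com
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
BROAD_ROLES = {"roles/editor", "roles/owner"}  # primitive roles worth flagging


def broad_default_sa_bindings(policy):
    """Return (role, email) pairs where the default compute account holds a broad role."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") not in BROAD_ROLES:
            continue
        for member in binding.get("members", []):
            # Members look like "serviceAccount:<email>"; "deleted:..." entries are skipped.
            kind, _, email = member.partition(":")
            if kind == "serviceAccount" and DEFAULT_COMPUTE_SA.match(email):
                findings.append((binding["role"], email))
    return findings


def instances_using_default_sa(instances):
    """Return names of VMs that run as the default compute account."""
    hits = []
    for inst in instances:
        for sa in inst.get("serviceAccounts", []):
            if DEFAULT_COMPUTE_SA.match(sa.get("email", "")):
                hits.append(inst.get("name"))
                break
    return hits


# Constructed sample data (project number, users and VM names are made up).
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/editor", "members": [
     "serviceAccount:123456789012-compute@developer.gserviceaccount.com",
     "serviceAccount:123456789012@cloudservices.gserviceaccount.com"]},
  {"role": "roles/viewer", "members": ["user:auditor@example.com"]}]}
""")
SAMPLE_INSTANCES = json.loads("""
[{"name": "web-1", "serviceAccounts": [
    {"email": "123456789012-compute@developer.gserviceaccount.com"}]},
 {"name": "batch-1", "serviceAccounts": [
    {"email": "batch-runner@example-project.iam.gserviceaccount.com"}]}]
""")

if __name__ == "__main__":
    print(broad_default_sa_bindings(SAMPLE_POLICY))
    print(instances_using_default_sa(SAMPLE_INSTANCES))
```

VMs reported by the second function should be moved to a dedicated, narrowly scoped service account before the Editor binding is removed, so workloads that relied on it do not break unexpectedly.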

Tracked CVEs

No tracked CVEs


Disclosure Date
Exploitability Period
Since the creation of GCP
Known ITW Exploitation
Detection Methods
Piercing Index Rating
Discovered by