Suspected 0day
Ensure that the "Disable Automatic IAM Grants for Default Service Accounts" policy is enforced for your Google Cloud Platform (GCP) organizations and projects to deactivate the automatic IAM role grant for default service accounts. When a default service account is created, it is automatically granted the Editor role ("roles/editor") on your project.
id: gcloud-org-auto-iam-grants
info:
  name: Automatic IAM Role Grants for Default Service Accounts
...
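One way to audit this offline, as an added example that is not part of the template above: it evaluates the effective policy for the constraint and also lists default service accounts that still hold `roles/editor`, since enforcing the constraint does not revoke grants made earlier. Assumptions: the two inputs are JSON saved from `gcloud resource-manager org-policies describe iam.automaticIamGrantsForDefaultServiceAccounts --project=PROJECT_ID --effective --format=json` and `gcloud projects get-iam-policy PROJECT_ID --format=json`; the function names and sample data are constructed for illustration.

```python
import json
import re

CONSTRAINT = "constraints/iam.automaticIamGrantsForDefaultServiceAccounts"
# Common e-mail forms of the Compute Engine and App Engine default service accounts.
DEFAULT_SA = re.compile(
    r"^serviceAccount:(\d+-compute@developer\.gserviceaccount\.com"
    r"|[a-z][a-z0-9-]*@appspot\.gserviceaccount\.com)$"
)

def constraint_enforced(effective_policy):
    """True if the effective boolean policy is enforced (legacy or v2 JSON shape)."""
    # Legacy shape: {"booleanPolicy": {"enforced": true}}; empty object means not enforced.
    if (effective_policy.get("booleanPolicy") or {}).get("enforced") is True:
        return True
    # v2 shape: {"spec": {"rules": [{"enforce": true}]}}; require every rule to
    # enforce, so a conditional non-enforcing rule is reported as a gap.
    rules = (effective_policy.get("spec") or {}).get("rules") or []
    return bool(rules) and all(r.get("enforce") is True for r in rules)

def editor_default_accounts(iam_policy):
    """Default service accounts that are still bound to roles/editor."""
    found = set()
    for binding in iam_policy.get("bindings", []):
        if binding.get("role") == "roles/editor":
            found.update(m for m in binding.get("members", []) if DEFAULT_SA.match(m))
    return sorted(found)

def audit(effective_policy, iam_policy):
    """Combine both checks into one finding for a project."""
    return {"enforced": constraint_enforced(effective_policy),
            "editor_default_accounts": editor_default_accounts(iam_policy)}

# Constructed sample inputs (not real project data).
SAMPLE_POLICY_ON = {"constraint": CONSTRAINT, "booleanPolicy": {"enforced": True}}
SAMPLE_POLICY_OFF = {"constraint": CONSTRAINT, "booleanPolicy": {}}
SAMPLE_IAM = {"bindings": [
    {"role": "roles/editor", "members": [
        "serviceAccount:123456789012-compute@developer.gserviceaccount.com",
        "user:alice@example.com"]},
    {"role": "roles/viewer", "members": [
        "serviceAccount:example-project@appspot.gserviceaccount.com"]},
]}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICY_OFF, SAMPLE_IAM), indent=2))
```

A project passes only when `enforced` is true and `editor_default_accounts` is empty.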