The authorization provided to applications hosted on a Compute Engine instance is limited by two separate configurations: the roles granted to the attached service account, and the access scopes that you set on the instance. Both of these configurations must allow access before the application running on the instance can access a resource.
Don’t rely on the default service account:
- Create one service account for each of your services
- Allow access only to the required resources and scopes
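
An audit of these rules, added here as an example and not part of the original page: it reads instance records in the shape of `gcloud compute instances list --format=json` and flags the default service account, the `cloud-platform` scope, and a service account used by more than one service. The instance names, e-mail addresses and the `service` label key are assumptions made up for the sample.

```python
import json
import re
from collections import defaultdict

# Default Compute Engine service account: PROJECT_NUMBER-compute@developer.gserviceaccount.com
DEFAULT_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
# Scope that permits every Cloud API, leaving IAM roles as the only limit.
FULL_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Constructed sample in the shape of `gcloud compute instances list --format=json`.
# Names, e-mails and the "service" label key are made up for this example.
SAMPLE = json.loads("""[
 {"name": "web-1", "labels": {"service": "web"},
  "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
    "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
 {"name": "api-1", "labels": {"service": "api"},
  "serviceAccounts": [{"email": "api-sa@example-project.iam.gserviceaccount.com",
    "scopes": ["https://www.googleapis.com/auth/devstorage.read_only"]}]},
 {"name": "batch-1", "labels": {"service": "batch"},
  "serviceAccounts": [{"email": "api-sa@example-project.iam.gserviceaccount.com",
    "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
 {"name": "cache-1", "labels": {"service": "cache"}}
]""")

def audit(instances):
    """Return {instance name: sorted findings}; clean instances are omitted."""
    findings = defaultdict(list)
    users_by_sa = defaultdict(set)  # e-mail -> {(service, instance name)}
    for inst in instances:
        name = inst["name"]
        service = inst.get("labels", {}).get("service", name)
        for sa in inst.get("serviceAccounts", []):  # key absent when no account is attached
            users_by_sa[sa["email"]].add((service, name))
            if DEFAULT_SA.match(sa["email"]):
                findings[name].append("default-service-account")
            if FULL_SCOPE in sa.get("scopes", []):
                findings[name].append("full-access-scope")
    # One service account per service: flag accounts used by several services.
    for users in users_by_sa.values():
        if len({service for service, _ in users}) > 1:
            for _, name in users:
                findings[name].append("shared-service-account")
    return {name: sorted(f) for name, f in findings.items()}

if __name__ == "__main__":
    for name, issues in sorted(audit(SAMPLE).items()):
        print(name, issues)
```

The scope check only covers one half of the authorization: an instance that passes here can still be over-privileged through the IAM roles granted to its service account, which need a separate review.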