I am working on minimising the permissions of each service account. I found a weird behavior in the Cloud Speech-to-Text API: I was able to use/call the Cloud Speech-to-Text API without any permissions on the active service account. Just by having the service account, I could call the Cloud Speech-to-Text API. I don't understand the SA concept anymore. Can anyone tell me why?
PS. As far as I observed, I think this behavior only exists in the Cloud Speech-to-Text API.
Maybe the endpoint has Public (Unauthenticated) Access by Default:
Some Google Cloud APIs (including Speech-to-Text) allow access as long as the request is authenticated (i.e., using a valid service account), even if that service account has no explicit IAM roles.
These APIs don’t check IAM roles for read-only or usage operations like sending an audio file for transcription.
They simply need the request to be signed by a valid service account or API key — they don’t care what roles it has.
Speech-to-Text Is a Global, Projectless API (in some modes):
You’re not accessing resources in your project like GCS buckets or Compute instances.
You’re sending input (like audio) and getting a response.
IAM isn’t involved in that flow unless you’re interacting with other resources (e.g., reading a GCS file to transcribe).
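A way to check this behaviour on your own project, rather than reasoning about it, is to impersonate the service account in question, list the roles it actually holds, and send the same minimal recognize request to the v1 and the v2 endpoints and compare the HTTP status codes. The script below is an added example written for this thread; it is not code from the original posts or from Google. It assumes PROJECT and SA are set by the operator (the defaults are placeholders), that the caller holds roles/iam.serviceAccountTokenCreator on the SA so `gcloud auth print-access-token --impersonate-service-account` works, that the Speech-to-Text API is enabled on the project, and that gcloud, curl and base64 are on PATH. The audio is 0.1 s of constructed 16 kHz LINEAR16 silence, which is enough to exercise the authorisation path; the v2 request body (explicitDecodingConfig, the `_` default recognizer, the `latest_short` model) is my assumption of the v2 request shape.

```shell
#!/bin/sh
# Probe: does a service account with no Speech-to-Text role bindings get a 200
# from speech:recognize?  Added example for this thread, not Google's code.
# Assumed environment: PROJECT and SA exported by the operator (placeholders
# below), caller can impersonate SA, Speech-to-Text API enabled on PROJECT.
set -eu

PROJECT="${PROJECT:-my-project}"                                   # hypothetical
SA="${SA:-probe-sa@my-project.iam.gserviceaccount.com}"            # hypothetical

# 1. Roles the SA holds on the project (empty output = no bindings at all).
list_sa_roles() {
  gcloud projects get-iam-policy "$PROJECT" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$SA" \
    --format="value(bindings.role)"
}

# Keep only Speech-to-Text roles from a newline-separated role list on stdin.
speech_roles_only() {
  grep '^roles/speech\.' || true
}

# 2. Constructed input: 0.1 s of 16 kHz mono LINEAR16 silence, base64-encoded.
silent_audio_b64() {
  head -c 3200 /dev/zero | base64 | tr -d '\n'
}

build_v1_body() {   # $1 = base64 audio
  printf '{"config":{"encoding":"LINEAR16","sampleRateHertz":16000,"languageCode":"en-US"},"audio":{"content":"%s"}}' "$1"
}

build_v2_body() {   # $1 = base64 audio (v2 request shape is an assumption)
  printf '{"config":{"explicitDecodingConfig":{"encoding":"LINEAR16","sampleRateHertz":16000,"audioChannelCount":1},"languageCodes":["en-US"],"model":"latest_short"},"content":"%s"}' "$1"
}

# 3. POST as the impersonated SA; print only the HTTP status code.
#    No x-goog-user-project header on purpose: that header would itself need
#    serviceusage.services.use on the SA and would confound the test.
post_as_sa() {      # $1 = URL, $2 = JSON body
  token=$(gcloud auth print-access-token --impersonate-service-account="$SA")
  curl -s -o /dev/null -w '%{http_code}' -X POST "$1" \
    -H "Authorization: Bearer $token" \
    -H "Content-Type: application/json" \
    -d "$2"
}

interpret_status() {
  case "$1" in
    200) echo "accepted: the API served the request with the SA's current bindings" ;;
    400) echo "bad request: body rejected, but the call got past authentication" ;;
    401) echo "unauthenticated: token missing or invalid" ;;
    403) echo "forbidden: IAM permission or API-enablement check failed" ;;
    *)   echo "unexpected HTTP $1" ;;
  esac
}

run_probe() {
  echo "Speech roles bound to $SA on $PROJECT:"
  roles=$(list_sa_roles | speech_roles_only)
  [ -n "$roles" ] && echo "$roles" || echo "(none)"
  audio=$(silent_audio_b64)
  v1=$(post_as_sa "https://speech.googleapis.com/v1/speech:recognize" \
                  "$(build_v1_body "$audio")")
  echo "v1 speech:recognize -> $v1: $(interpret_status "$v1")"
  v2=$(post_as_sa "https://speech.googleapis.com/v2/projects/$PROJECT/locations/global/recognizers/_:recognize" \
                  "$(build_v2_body "$audio")")
  echo "v2 recognizers/_:recognize -> $v2: $(interpret_status "$v2")"
}

# Only talk to Google when explicitly asked, so the helpers can be sourced offline.
if [ "${SPEECH_PROBE_LIVE:-0}" = "1" ]; then
  run_probe
fi
```

Run it with `PROJECT=... SA=... SPEECH_PROBE_LIVE=1 sh probe.sh` once with the SA holding no roles and once after granting a Speech-to-Text role, and read the two status codes side by side; a 200 with "(none)" printed above it is the situation the question describes, and the v1/v2 comparison tells you whether the roles in the IAM documentation are enforced on the endpoint you actually use.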
Thanks for your response!
Then, in which use cases are the Speech-to-Text roles used, if we cannot limit access via IAM roles? (Speech-to-Text roles and permissions | IAM Documentation | Google Cloud)
This is the official documentation that talks about the IAM roles and permissions for Speech-to-Text resources.