---
title: VM with full cloud access
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > VM with full cloud access
---

# VM with full cloud access

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `bc20bbc6-0697-4568-9a73-85af1dd97bdd`

**Cloud Provider:** GCP

**Platform:** Ansible

**Severity:** Medium

**Category:** Access Control

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html#parameter-service_accounts/scopes)

### Description{% #description %}

Granting the `cloud-platform` OAuth scope to a VM's service account gives that instance full access to all Google Cloud APIs. This increases the blast radius if the VM or its credentials are compromised and enables unintended lateral movement or data access.

In Ansible tasks using `google.cloud.gcp_compute_instance` or `gcp_compute_instance`, inspect the `scopes` list of each entry in the `service_accounts` property and ensure it does not contain the `cloud-platform` scope in either its short form (`cloud-platform`) or its full URL form (`https://www.googleapis.com/auth/cloud-platform`). Resources whose `service_accounts.scopes` contains the `cloud-platform` scope are flagged.

Specify only the minimal OAuth scopes required for the workload, or avoid broad instance-level scopes by assigning appropriate IAM roles to the service account or using Workload Identity.

Secure configuration example with a limited scope:

```yaml
- name: Create VM with minimal OAuth scopes
  google.cloud.gcp_compute_instance:
    name: my-instance
    zone: us-central1-a          # zone and auth_kind are required by the module
    project: my-project
    auth_kind: serviceaccount
    machine_type: n1-standard-1
    service_accounts:
      - email: my-service-account@project.iam.gserviceaccount.com
        scopes:
          # Read-only Compute scope instead of cloud-platform: the VM can only
          # read Compute Engine resources, not call every Google Cloud API.
          - https://www.googleapis.com/auth/compute.readonly
    state: present
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: create a instance
  google.cloud.gcp_compute_instance:
    name: test_object
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    state: present
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: create a instance
  google.cloud.gcp_compute_instance:
    name: test_object
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_accounts:
      - scopes:
          - cloud-platform
    state: present
```
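The check this rule describes, run over the compliant and non-compliant tasks above, as an added example that is not part of the Datadog rule or its scanner. It scans the structure that `yaml.safe_load` returns for an Ansible task file (the sample tasks are constructed inline as that structure so the script needs no YAML library), descends into `block`/`rescue`/`always` groups, accepts both module names, and treats the short alias and the full URL of the `cloud-platform` scope as equivalent.

```python
from typing import Any, Dict, Iterable, List, Tuple

MODULE_NAMES = {"google.cloud.gcp_compute_instance", "gcp_compute_instance"}
FULL_ACCESS = {"cloud-platform", "https://www.googleapis.com/auth/cloud-platform"}

def iter_tasks(tasks: Iterable[Any]) -> Iterable[Dict[str, Any]]:
    """Yield leaf tasks, descending into block/rescue/always groups."""
    for task in tasks or []:
        if not isinstance(task, dict):
            continue
        groups = [k for k in ("block", "rescue", "always") if k in task]
        for key in groups:
            yield from iter_tasks(task[key])
        if not groups:
            yield task

def full_access_scopes(task: Dict[str, Any]) -> List[str]:
    """Offending scope strings in one task; [] when the task is compliant."""
    args = next((task[m] for m in MODULE_NAMES if m in task), None)
    if not isinstance(args, dict):
        return []  # not a compute-instance task (or free-form module args)
    hits: List[str] = []
    for account in args.get("service_accounts") or []:
        scopes = (account.get("scopes") if isinstance(account, dict) else None) or []
        # Both the short alias and the full URL grant access to every Google Cloud API.
        hits.extend(s for s in scopes if str(s).strip() in FULL_ACCESS)
    return hits

def find_full_access_vms(tasks: Iterable[Any]) -> List[Tuple[str, List[str]]]:
    """(task name, offending scopes) for every flagged task in a task list."""
    return [(t.get("name", "<unnamed>"), hits)
            for t in iter_tasks(tasks) if (hits := full_access_scopes(t))]

# Constructed sample (what yaml.safe_load would return for a task file): the page's
# compliant and non-compliant tasks, plus a legacy-name task nested inside a block.
SAMPLE_TASKS = [
    {"name": "compliant", "google.cloud.gcp_compute_instance": {
        "name": "test_object", "zone": "us-central1-a", "state": "present"}},
    {"name": "non-compliant", "google.cloud.gcp_compute_instance": {
        "name": "test_object", "zone": "us-central1-a", "state": "present",
        "service_accounts": [{"scopes": ["cloud-platform"]}]}},
    {"block": [{"name": "legacy module name", "gcp_compute_instance": {
        "name": "legacy", "zone": "us-central1-a", "service_accounts": [{
            "email": "sa@example.iam.gserviceaccount.com",
            "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]}}]},
]

if __name__ == "__main__":
    print(find_full_access_vms(SAMPLE_TASKS))
```

To scan a real file, pass `yaml.safe_load(open(path))` (PyYAML) to `find_full_access_vms`; for a full playbook, pass each play's `tasks` list.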
