How does google compute engine create users and how to disable them?
You can prevent a GCE instance from adding accounts by ensuring the google-account-manager service does not run. On CoreOS you can stop this service with sudo systemctl stop google-accounts-manager.service
and then disable it permanantly with sudo systemctl disable google-accounts-manager.service
.
You may want to make an image with the service pre-disabled (or even delete the unit file) so that when you create instances it doesn't create accounts before you disable the service.
As of March 2017 you can prevent the accounts from being created by disabling the Accounts daemon, that is deployed on all images in GCE.
To do that:
-
Create
/etc/default/instance_configs.cfg.template
file with the following content:[Daemons] accounts_daemon = false
Run
/usr/bin/google_instance_setup
This should stop and disable the daemon permanently, even in case of daemon's package update.
You can read more about daemons and other things deployed by Google on GCE systems images in the GoogleCloudPlatform/compute-image-packages project README and code.