openshift · lpettyjo · Jan 9, 2026 · chao007 · Jan 16, 2026 · lpettyjo
diff --git a/installing/installing_gcp/installing-gcp-account.adoc b/installing/installing_gcp/installing-gcp-account.adoc
@@ -19,6 +19,10 @@ include::modules/installation-gcp-limits.adoc[leveloffset=+1]
 
 include::modules/installation-gcp-service-account.adoc[leveloffset=+1]
 
+[role="_additional-resources"]
+.Additional resources
+* xref:../../storage/container_storage_interface/persistent-storage-csi-gcp-pd.adoc#persistent-storage-csi-gcp-pd-reduce-permissions_persistent-storage-csi-gcp-pd[Reducing permissions while using the {gcp-short} CSI Driver Operator]
+
 include::modules/installation-gcp-permissions.adoc[leveloffset=+2]
 
 include::modules/minimum-required-permissions-ipi-gcp.adoc[leveloffset=+2]

diff --git a/modules/installation-gcp-service-account.adoc b/modules/installation-gcp-service-account.adoc
@@ -8,8 +8,14 @@
 [id="installation-gcp-service-account_{context}"]
 = Creating a service account in {gcp-short}
 
+[role="_abstract"] 
 {product-title} requires a {gcp-first} service account that provides authentication and authorization to access data in the Google APIs. If you do not have an existing IAM service account that contains the required roles in your project, you must create one.
 
+[NOTE]
+====
+To reduce the scope of permissions granted to the main service account in your Google Cloud project while still being able to use the {gcp-short} Container Storage Interface (CSI) Driver Operator, you can transfer the control of permissions from the project-wide service account to the control plane and compute node service accounts instead, thus reducing the scope of the permission. For more information, see Section _Reducing permissions while using the {gcp-short} CSI Driver Operator_.
+====
+
 .Prerequisites
 
 * You created a project to host your cluster.

diff --git a/modules/persistent-storage-csi-gcp-pd-reduce-permissions.adoc b/modules/persistent-storage-csi-gcp-pd-reduce-permissions.adoc
@@ -0,0 +1,49 @@
+// Module included in the following assemblies:
+//
+// * storage/container_storage_interface/persistent-storage-csi-gcp-pd.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="persistent-storage-csi-gcp-pd-reduce-permissions_{context}"]
+= Reducing permissions while using the GCP PD CSI Driver Operator
+
+[role="_abstract"] 
+You can reduce the scope of permissions granted to the main service account in your Google Cloud project while still being able to use the GCP PD CSI Driver Operator.
+
+To reduce permissions, remove the `iam.serviceAccountUser` field from the project-wide service account, and then grant it to the control plane and compute node service accounts instead, thus reducing the scope of the permission.
+
+.Procedure
+
+. Grant scoped `serviceAccountUser` role for node service accounts by running the following Bash script:
++
+[source,terminal]
+----
+SA_USER_ROLE="roles/iam.serviceAccountUser"
+logger "INFO" "Granting ${SA_USER_ROLE} for node service accounts: ${MASTER_NODE_SA}, ${WORKER_NODE_SA}"
+CMD="gcloud iam service-accounts add-iam-policy-binding \"${MASTER_NODE_SA}\" --project=\"${GOOGLE_PROJECT_ID}\" --member=\"serviceAccount:${SERVICE_ACCOUNT_EMAIL}\" --role=\"${SA_USER_ROLE}\" --condition=None"
+run_command "${CMD}"
+CMD="gcloud iam service-accounts add-iam-policy-binding \"${WORKER_NODE_SA}\" --project=\"${GOOGLE_PROJECT_ID}\" --member=\"serviceAccount:${SERVICE_ACCOUNT_EMAIL}\" --role=\"${SA_USER_ROLE}\" --condition=None"
+run_command "${CMD}"
+----
++
+* `GOOGLE_PROJECT_ID`: The unique ID of your Google Cloud project.
+
+* `SERVICE_ACCOUNT_EMAIL`: The email address of the "Member" (the person or service account) who is being granted the new permissions.
+
+* `MASTER_NODE_SA`: The email address of the service account used by your cluster's master node.
+
+* `WORKER_NODE_SA`: The email address of the service account used by your cluster's worker nodes.
+
+. Remove project-level `serviceAccountUser` role from the binding created by the installation program by running the following Bash script:
++
+[source,terminal]
+----
+logger "INFO" "Removing ${SA_USER_ROLE} from project-level binding for ${SERVICE_ACCOUNT_EMAIL}"
+CMD="gcloud projects remove-iam-policy-binding \"${GOOGLE_PROJECT_ID}\" --member=\"serviceAccount:${SERVICE_ACCOUNT_EMAIL}\" --role=\"${SA_USER_ROLE}\" --condition=None"
+backoff "${CMD}"
+----
++
+* `SA_USER_ROLE`: The specific permission being taken away.	For example, `roles/iam.serviceAccountUser`.
+
+* `SERVICE_ACCOUNT_EMAIL`: The email address of the account losing the permission. For example, `[email protected]`.
+
+* `GOOGLE_PROJECT_ID`: The unique ID of the Google Cloud project where this is occurring. For example, `prod-data-789`.
diff --git a/storage/container_storage_interface/persistent-storage-csi-gcp-pd.adoc b/storage/container_storage_interface/persistent-storage-csi-gcp-pd.adoc
@@ -33,6 +33,8 @@ endif::openshift-dedicated[]
 
 include::modules/persistent-storage-csi-about.adoc[leveloffset=+1]
 
+include::modules/persistent-storage-csi-gcp-pd-reduce-permissions.adoc[leveloffset=+1]
+
 include::modules/persistent-storage-csi-gcp-pd-storage-class-ref.adoc[leveloffset=+1]
 
 [id="c3-instance-type-for-bare-metal-and-n4-machine-series"]