Ensure that Service Account has no Admin privileges
1. Go to IAM & admin/IAM using https://console.cloud.google.com/iam-admin/iam
2. Go to Principals.
3. Identify the service account with over-permissive roles and click the edit member icon.
4. Identify the over-permissive roles and click the delete bin icon to remove each role from the service account.
From Command Line:
1. Get the policy that you want to modify, and write it to a file:
gcloud projects get-iam-policy PROJECT_ID > PATH_TO_NEWLY_CREATED_FILE
2. In the created file, find the overly permissive service account and delete its binding to any role containing 'admin', or to 'roles/owner' or 'roles/editor'.
3. Set the edited file as the new IAM policy:
gcloud projects set-iam-policy PROJECT_ID PATH_TO_EDITED_FILE
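Step 2 of the command-line procedure done programmatically, as an added example that is not part of the original page. It assumes the policy was exported as JSON (gcloud projects get-iam-policy PROJECT_ID --format=json); the function names and the sample policy are constructed for illustration.

```python
import copy
import json

BROAD_ROLES = {"roles/owner", "roles/editor"}

def is_over_permissive(role):
    """The page's rule: role contains 'admin', or is owner/editor."""
    return role in BROAD_ROLES or "admin" in role.lower()

def strip_admin_bindings(policy):
    """Return (cleaned_policy, removed) without mutating the input.

    Only serviceAccount: members are dropped from over-permissive bindings;
    users and groups that share the binding are left in place.
    """
    cleaned = copy.deepcopy(policy)  # etag and version are carried over as-is
    removed, kept = [], []
    for binding in cleaned.get("bindings", []):
        members = binding.get("members", [])
        if is_over_permissive(binding["role"]):
            for m in members:
                if m.startswith("serviceAccount:"):
                    removed.append((m, binding["role"]))
            members = [m for m in members if not m.startswith("serviceAccount:")]
            binding["members"] = members
        if members:  # drop bindings that are left with no members
            kept.append(binding)
    cleaned["bindings"] = kept
    return cleaned, removed

# Constructed sample policy (not real project data).
SAMPLE_POLICY = {
    "version": 1,
    "etag": "CONSTRUCTED_ETAG",
    "bindings": [
        {"role": "roles/owner", "members": [
            "user:alice@example.com",
            "serviceAccount:ci@demo-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.admin", "members": [
            "serviceAccount:ci@demo-project.iam.gserviceaccount.com"]},
        {"role": "roles/logging.viewer", "members": [
            "serviceAccount:app@demo-project.iam.gserviceaccount.com"]},
    ],
}

if __name__ == "__main__":
    cleaned, removed = strip_admin_bindings(SAMPLE_POLICY)
    for member, role in removed:
        print(f"removed {member} from {role}")
    print(json.dumps(cleaned, indent=2))
```

Review the removed list before passing the cleaned file to set-iam-policy, since the policy file replaces the project's whole policy.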
Getting Started with Authentication
A service account is an account that belongs to your application instead of an individual end user. When you run code that is hosted on GCP, you specify the account that the code should run as. You can create as many service accounts as needed to represent the different logical components of your application.