I wonder how Google authenticates default service accounts in user's projects.
For instance, I have a default service account for Compute Engine in my project, but it has no associated means of impersonation or authentication (no IAM policy bindings, like iam.ServiceAccounts.getAccessToken, and no keys):

```
$ gcloud iam service-accounts list
DISPLAY NAME                             EMAIL                                               DISABLED
Compute Engine default service account   502923505097-compute@developer.gserviceaccount.com  False
$ gcloud iam service-accounts get-iam-policy 502923505097-compute@developer.gserviceaccount.com
etag: ACAB
```
There are some bindings inherited from the project level. For example, there is a binding for the Compute Engine Service Agent:

```
$ gcloud projects get-iam-policy cedar-lexicon-312307
bindings:
- members:
  - serviceAccount:service-502923505097@compute-system.iam.gserviceaccount.com
  role: roles/compute.serviceAgent
```
Do I understand correctly that the Compute Engine Service Agent is authorised to impersonate any service account in my project and is used to impersonate Compute Engine's default service account? Are there any other means (maybe hidden from users) by which Google services impersonate default service accounts?
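As an added example that is not part of the question or the answer: a small Python audit helper that takes a project IAM policy in the JSON form of `gcloud projects get-iam-policy PROJECT --format=json` and separates the two kinds of bindings the question is about, Google-managed service agents holding `*.serviceAgent` roles and principals holding project-wide roles that allow acting as service accounts. The address patterns, the role set and the sample policy (the question's binding plus an invented one) are this example's own assumptions.

```python
"""Audit helper (added example): split a project IAM policy into service-agent
bindings and project-wide impersonation grants. Assumes the policy dict has the
shape of `gcloud projects get-iam-policy PROJECT --format=json`."""
import re

# Google-managed service agents: service-PROJECT_NUMBER@PRODUCT.iam.gserviceaccount.com
# or PROJECT_NUMBER@cloudservices.gserviceaccount.com (assumed address forms).
SERVICE_AGENT_RE = re.compile(
    r"^serviceAccount:(service-\d+@[a-z0-9-]+\.iam|\d+@cloudservices)\.gserviceaccount\.com$")
# Default service accounts that Compute Engine / App Engine create in a project.
DEFAULT_SA_RE = re.compile(
    r"^serviceAccount:(\d+-compute@developer|[a-z][a-z0-9-]+@appspot)\.gserviceaccount\.com$")
# Project-level roles that let the holder act as, or mint tokens for, service accounts.
IMPERSONATION_ROLES = {"roles/owner", "roles/iam.serviceAccountUser",
                       "roles/iam.serviceAccountTokenCreator"}


def classify_member(member: str) -> str:
    """'service-agent', 'default-sa', or the member prefix (user, group, ...)."""
    if SERVICE_AGENT_RE.match(member):
        return "service-agent"
    if DEFAULT_SA_RE.match(member):
        return "default-sa"
    return member.split(":", 1)[0]


def audit_policy(policy: dict) -> dict:
    """Return {'service_agents': [...], 'impersonators': [...]} from the bindings."""
    report = {"service_agents": [], "impersonators": []}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            entry = {"member": member, "role": role, "kind": classify_member(member),
                     "conditional": "condition" in binding}  # conditional grants need review
            if entry["kind"] == "service-agent" and role.endswith(".serviceAgent"):
                report["service_agents"].append(entry)
            if role in IMPERSONATION_ROLES:
                report["impersonators"].append(entry)
    return report


# Constructed sample: the binding shown in the question plus one invented binding.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/compute.serviceAgent",
         "members": ["serviceAccount:service-502923505097@compute-system.iam.gserviceaccount.com"]},
        {"role": "roles/iam.serviceAccountTokenCreator",  # invented for the example
         "members": ["user:alice@example.com"]},
    ],
}
```

Running `audit_policy(SAMPLE_POLICY)` lists the Compute Engine service agent under `service_agents` and the invented token-creator grant under `impersonators`; feed it a real exported policy to see the same split for your project.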
You can see the roles of the service agent in the documentation. It's a Google-managed service account, granted on your project, to let Google automation services interact with your project. You can remove permissions from these service agent service accounts to remove the permission of Google Cloud products to interact with your project. Use at your own risk!
If you want to roll back your test, you can try disabling and then re-enabling the related API.
You can also manually add the service agent service account email to your project with the correct role.