I created a brand new instance in a Google Compute Engine project, and I see in the logs where the instance creates new accounts-from-metadata. Some of the accounts created had been removed from the project permissions.
For example, in project Permissions, I have:
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
The log entries from instance creation show it's creating user accounts in the instance for users who had been removed from the project. It also doesn't show realuser3, who was added to the project permissions.
(instance-name) accounts-from-metadata: INFO Creating account (deleted1 user account)
(instance-name) accounts-from-metadata: INFO Creating account (realuser1 user account)
(instance-name) accounts-from-metadata: INFO Creating account (myownacct user account)
(instance-name) accounts-from-metadata: INFO Creating account user
(instance-name) accounts-from-metadata: INFO Creating account ubuntu
(instance-name) accounts-from-metadata: INFO Creating account (deleted2 user account)
(instance-name) accounts-from-metadata: INFO Creating account (previous google support user)
I expect to see realuser3, and I don't expect deleted users with no project permission to have accounts created on a fresh image.