Em aqui :
"All Linux user accounts in your project are granted root access to your instances. By default, new Linux user accounts are added to the following user groups upon account creation:
gce-sudoers- Gives root access
gce-users- General users groupThe
gce-sudoersgroup is automatically maintained by the Cloud User Accounts service and contains every Linux user account in your project. If you wanted to restrict root access to certain accounts, remove the default policy at:
/etc/sudoers.d/gcuaNext, create your own group and add a configuration similar to the
gcuafile in thesudoers.dfolder."