gcp-iam-svcacct-admin-role

Ensure that Service Account has no Admin privileges

Inside Google Cloud, service accounts are identities used by code running in the cloud to access and manage other cloud resources. It is critical to limit the scope and permissions that those service accounts hold: if the software using a service account is compromised, an attacker will try to escalate privileges through it. To reduce the blast radius, carefully pick the IAM roles that are bound to those service accounts. The legacy "Basic roles" (owner, editor, viewer) should be avoided, as they are overly coarse and grant access to practically everything in the project. In most services, "Admin" roles are also very powerful and should be reserved for human system administrators, not for service accounts.
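
As an added example that is not part of the original rule page, the following Python script implements this check over Terraform source: it extracts google_project_iam_member bindings with a simple regular expression (a hypothetical helper, not a full HCL parser) and flags any binding that grants a service account a basic role or a predefined role whose final segment is "admin". Mirroring the page's secure example, a role such as roles/compute.storageAdmin is accepted, so broader "…Admin" roles are not reported by this narrow rule. The sample Terraform is constructed from the page's own examples plus one human user binding; the names parse_iam_members, is_admin_role and find_violations are assumptions.

```python
import re

# Constructed sample Terraform, modelled on the page's insecure and secure examples,
# plus one binding for a human user that the rule should ignore.
SAMPLE_TF = """
resource "google_project_iam_member" "svcacct-editor-project1" {
  project = "project1"
  role    = "roles/editor"
  member  = "serviceAccount:bot@12345678.iam.gserviceaccount.com"
}

resource "google_project_iam_member" "svcacct-admin-project2" {
  project = "project2"
  role    = "roles/pubsub.admin"
  member  = "serviceAccount:bot@12345678.iam.gserviceaccount.com"
}

resource "google_project_iam_member" "svcacct-publisher-project2" {
  project = "project2"
  role    = "roles/pubsub.publisher"
  member  = "serviceAccount:bot@12345678.iam.gserviceaccount.com"
}

resource "google_project_iam_member" "human-owner-project1" {
  project = "project1"
  role    = "roles/owner"
  member  = "user:alice@example.com"
}
"""

# The legacy basic roles: each grants broad access across the whole project.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Hypothetical minimal matcher for google_project_iam_member blocks (no nested blocks).
BLOCK_RE = re.compile(
    r'resource\s+"google_project_iam_member"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\}',
    re.DOTALL,
)
# Matches simple `key = "value"` attribute lines inside a block body.
ATTR_RE = re.compile(r'^\s*(?P<key>\w+)\s*=\s*"(?P<value>[^"]*)"', re.MULTILINE)


def parse_iam_members(hcl):
    """Return one dict {name, project, role, member} per google_project_iam_member block."""
    bindings = []
    for m in BLOCK_RE.finditer(hcl):
        attrs = {a.group("key"): a.group("value") for a in ATTR_RE.finditer(m.group("body"))}
        attrs["name"] = m.group("name")
        bindings.append(attrs)
    return bindings


def is_admin_role(role):
    """True for basic roles and for predefined roles whose last segment is exactly 'admin'."""
    if role in BASIC_ROLES:
        return True
    return role.rsplit(".", 1)[-1].lower() == "admin"


def find_violations(hcl):
    """Names of bindings that grant a basic or '.admin' role to a service account member."""
    return [
        b["name"]
        for b in parse_iam_members(hcl)
        if b.get("member", "").startswith("serviceAccount:") and is_admin_role(b.get("role", ""))
    ]


if __name__ == "__main__":
    for name in find_violations(SAMPLE_TF):
        print(f"gcp-iam-svcacct-admin-role: {name} grants an admin-level role to a service account")
```

Running the script reports the two insecure bindings from the page and stays silent for the publisher binding and for the human owner binding, since the rule is about service accounts only.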

Examples

Insecure Example

resource "google_project_iam_member" "svcacct-editor-project1" {
  project = "project1"
  role    = "roles/editor"
  member  = "serviceAccount:bot@12345678.iam.gserviceaccount.com"
}

resource "google_project_iam_member" "svcacct-admin-project2" {
  project = "project2"
  role    = "roles/pubsub.admin"
  member  = "serviceAccount:bot@12345678.iam.gserviceaccount.com"
}

Secure Example

resource "google_project_iam_member" "svcacct-editor-project1" {
  project = "project1"
  role    = "roles/compute.storageAdmin" # More narrowly focused to resource type and limited access
  member  = "serviceAccount:bot@12345678.iam.gserviceaccount.com"
}

resource "google_project_iam_member" "svcacct-admin-project2" {
  project = "project2"
  role    = "roles/pubsub.publisher" # Even more narrowly scoped and more precise access
  member  = "serviceAccount:bot@12345678.iam.gserviceaccount.com"
}

More information