
gcp-iam-svcacct-allo-sudo

Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level

In Resource Manager you can set IAM roles on Project, Folder and Organization resources. To protect the integrity of your cloud resources, do not assign at these levels the powerful roles that would allow a principal to impersonate every service account in the hierarchy below them.

Assigning any of the following roles on Projects, Folders and Organization resources is considered an unreasonable risk:

 roles/owner
 roles/editor
 roles/iam.securityAdmin
 roles/iam.serviceAccountAdmin
 roles/iam.serviceAccountKeyAdmin
 roles/iam.serviceAccountUser
 roles/iam.serviceAccountTokenCreator
 roles/iam.workloadIdentityUser
 roles/dataproc.editor
 roles/dataproc.admin
 roles/dataflow.developer
 roles/resourcemanager.folderAdmin
 roles/resourcemanager.folderIamAdmin
 roles/resourcemanager.projectIamAdmin
 roles/resourcemanager.organizationAdmin
 roles/serverless.serviceAgent
 roles/dataproc.serviceAgent

Examples

Insecure Example

resource "google_project_iam_member" "svcacct-admin-project2" {
  project = "project2"
  role    = "roles/owner" # Owner role on a project allows all members of the group to manage any and all resources of the project
  member  = "group:developers@bigcorp.com"
}

resource "google_folder_iam_member" "folder-admin" {
  folder  = "folders/12345"
  role    = "roles/iam.securityAdmin" # Granting Security IAM on a folder allows members of this group to modify IAM permissions of any downstream projects
  member  = "group:developers@bigcorp.com"
}

resource "google_organization_iam_member" "project-editors" {
  org_id  = "an-org-id"
  role    = "roles/iam.serviceAccountUser" # Granting the ability to impersonate any service account to all users of the domain is very dangerous
  member  = "domain:bigcorp.com"
}

Secure Example

resource "google_organization_iam_member" "svcacct-admin-project2" {
  org_id  = "an-org-id"
  role    = "roles/resourcemanager.organizationViewer" # Be careful who you grant admin powers on the Organization resource
  member  = "domain:bigcorp.com"
}

resource "google_folder_iam_member" "folder-admin" {
  folder  = "folders/12345"
  role    = "roles/resourcemanager.folderAdmin" # Folder admin is more focused, but note that this role still appears in the flagged list above
  member  = "group:developers@bigcorp.com"
}

resource "google_project_iam_member" "project-editors" {
  project = "project2"
  role    = "roles/compute.admin" # Still a powerful role, but much more limited in scope
  member  = "group:developers@bigcorp.com"
}
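As an added example (not code from this rule page or from the tool it belongs to), the Python script below applies the check described above to Terraform source: it reads flat google_project/folder/organization _iam_member and _iam_binding blocks with a small regex-based reader (an assumption made for brevity; a production scanner would use a real HCL parser) and reports every block whose role is in the flagged list. The sample HCL is constructed for this example and mirrors the insecure blocks above; the google_service_account_iam_member block is included to show that the same role bound on a single service account is outside this rule's scope.

```python
import re

# Roles the rule flags when bound at project, folder or organization scope
# (copied from the list on this page).
RISKY_ROLES = frozenset({
    "roles/owner",
    "roles/editor",
    "roles/iam.securityAdmin",
    "roles/iam.serviceAccountAdmin",
    "roles/iam.serviceAccountKeyAdmin",
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.workloadIdentityUser",
    "roles/dataproc.editor",
    "roles/dataproc.admin",
    "roles/dataflow.developer",
    "roles/resourcemanager.folderAdmin",
    "roles/resourcemanager.folderIamAdmin",
    "roles/resourcemanager.projectIamAdmin",
    "roles/resourcemanager.organizationAdmin",
    "roles/serverless.serviceAgent",
    "roles/dataproc.serviceAgent",
})

# Terraform resource types that bind IAM at one of the three hierarchy levels.
# Only flat blocks (no nested blocks) are handled by this simplified reader.
SCOPED_IAM_RESOURCE = re.compile(
    r'resource\s+"(google_(?:project|folder|organization)_iam_(?:member|binding))"'
    r'\s+"([^"]+)"\s*\{(.*?)\n\}',
    re.DOTALL,
)
ROLE_RE = re.compile(r'^\s*role\s*=\s*"([^"]+)"', re.MULTILINE)
MEMBER_RE = re.compile(r'^\s*member\s*=\s*"([^"]+)"', re.MULTILINE)
MEMBERS_RE = re.compile(r'^\s*members\s*=\s*\[([^\]]*)\]', re.MULTILINE | re.DOTALL)


def find_risky_bindings(hcl: str):
    """Return (resource_type, name, role, members) for every project-, folder-
    or organization-level IAM binding whose role is in RISKY_ROLES."""
    findings = []
    for rtype, name, body in SCOPED_IAM_RESOURCE.findall(hcl):
        role_match = ROLE_RE.search(body)
        if not role_match:
            continue
        role = role_match.group(1)
        if role not in RISKY_ROLES:
            continue
        # *_iam_member has a single `member`; *_iam_binding has a `members` list.
        members = [m.group(1) for m in MEMBER_RE.finditer(body)]
        members_list = MEMBERS_RE.search(body)
        if members_list:
            members += re.findall(r'"([^"]+)"', members_list.group(1))
        findings.append((rtype, name, role, members))
    return findings


# Constructed sample input: the insecure blocks from this page plus two
# bindings that the rule should NOT flag.
SAMPLE_HCL = '''
resource "google_project_iam_member" "project-owner" {
  project = "project2"
  role    = "roles/owner" # flagged: project-level owner
  member  = "group:developers@bigcorp.com"
}

resource "google_folder_iam_member" "folder-admin" {
  folder  = "folders/12345"
  role    = "roles/iam.securityAdmin" # flagged: folder-level IAM control
  member  = "group:developers@bigcorp.com"
}

resource "google_organization_iam_binding" "domain-sa-users" {
  org_id  = "an-org-id"
  role    = "roles/iam.serviceAccountUser" # flagged: org-wide SA impersonation
  members = [
    "domain:bigcorp.com",
    "group:platform@bigcorp.com",
  ]
}

resource "google_project_iam_member" "compute-admins" {
  project = "project2"
  role    = "roles/compute.admin" # not in the flagged list
  member  = "group:developers@bigcorp.com"
}

resource "google_service_account_iam_member" "sa-scoped" {
  service_account_id = "projects/project2/serviceAccounts/ci@project2.iam.gserviceaccount.com"
  role               = "roles/iam.serviceAccountUser" # same role, but scoped to one service account
  member             = "group:ci-runners@bigcorp.com"
}
'''

if __name__ == "__main__":
    for rtype, name, role, members in find_risky_bindings(SAMPLE_HCL):
        print(f'{rtype} "{name}": {role} granted to {", ".join(members)}')
```

Running the script reports the first three blocks and stays silent on the compute.admin binding and on the binding scoped to a single service account, which is the distinction the rule draws between hierarchy-level and resource-level grants.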

More information