gcp-iam-svcacct-allo-sudo
Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
In Resource Manager you can set IAM roles on Project, Folder and Organization resources. A role granted at one of these levels is inherited by every resource below it, so granting a role that permits service account impersonation (or that lets the grantee give themselves such a role) at project, folder or organization level effectively allows impersonation of every service account in that part of the hierarchy. To preserve the integrity of your cloud resources, these roles should be granted on individual service accounts instead.
Assigning any of the following roles on a Project, Folder or Organization resource is considered an unreasonable risk:
roles/owner
roles/editor
roles/iam.securityAdmin
roles/iam.serviceAccountAdmin
roles/iam.serviceAccountKeyAdmin
roles/iam.serviceAccountUser
roles/iam.serviceAccountTokenCreator
roles/iam.workloadIdentityUser
roles/dataproc.editor
roles/dataproc.admin
roles/dataflow.developer
roles/resourcemanager.folderAdmin
roles/resourcemanager.folderIamAdmin
roles/resourcemanager.projectIamAdmin
roles/resourcemanager.organizationAdmin
roles/serverless.serviceAgent
roles/dataproc.serviceAgent
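The rule above is a denylist applied to the scope a role is granted at. The following checker, added here as an example and not part of the rule's own implementation or any scanner's source, applies that denylist to the JSON a Terraform plan produces (`terraform show -json plan.out`). It assumes the plan layout Terraform emits (`resource_changes[]` with `change.after`) and the google provider's `*_iam_member`, `*_iam_binding` and `*_iam_policy` resource types; the embedded plan is constructed to mirror the examples on this page and is not real tool output. It deliberately ignores `google_service_account_iam_*` resources, since a grant scoped to a single service account is what the rule recommends, and skips deletions and roles that are still unknown at plan time.

```python
"""Flag denylisted IAM roles granted at project, folder or organization scope
in a Terraform plan. Added example; assumes Terraform's plan JSON layout."""
import json
import sys

# The roles the rule text above treats as an unreasonable risk at hierarchy scope.
DENYLISTED_ROLES = frozenset({
    "roles/owner", "roles/editor",
    "roles/iam.securityAdmin", "roles/iam.serviceAccountAdmin",
    "roles/iam.serviceAccountKeyAdmin", "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator", "roles/iam.workloadIdentityUser",
    "roles/dataproc.editor", "roles/dataproc.admin", "roles/dataflow.developer",
    "roles/resourcemanager.folderAdmin", "roles/resourcemanager.folderIamAdmin",
    "roles/resourcemanager.projectIamAdmin", "roles/resourcemanager.organizationAdmin",
    "roles/serverless.serviceAgent", "roles/dataproc.serviceAgent",
})

# Resource types that attach a role at a hierarchy scope, mapped to that scope.
# google_service_account_iam_* is left out on purpose: a grant on one service
# account is the recommended alternative, not a finding.
SCOPED_IAM_TYPES = {
    f"google_{scope}_iam_{kind}": scope
    for scope in ("project", "folder", "organization")
    for kind in ("member", "binding", "policy")
}


def iter_grants(resource_type, after):
    """Yield (role, member) pairs from one resource's planned attributes."""
    if resource_type.endswith("_iam_policy"):
        # policy_data is a JSON string, usually produced by data.google_iam_policy
        policy = json.loads(after.get("policy_data") or "{}")
        for binding in policy.get("bindings", []):
            for member in binding.get("members", []):
                yield binding["role"], member
        return
    role = after.get("role")
    if role is None:  # computed, only known at apply time: nothing to judge yet
        return
    if resource_type.endswith("_iam_member"):
        yield role, after.get("member")
    else:  # *_iam_binding carries a list of members for one role
        for member in after.get("members") or []:
            yield role, member


def find_violations(plan):
    """Return one finding per denylisted (resource, role, member) in the plan."""
    findings = []
    for rc in plan.get("resource_changes", []):
        rtype = rc.get("type")
        if rtype not in SCOPED_IAM_TYPES:
            continue
        after = rc.get("change", {}).get("after")
        if not after:  # null for deletions: removing a grant is never a finding
            continue
        for role, member in iter_grants(rtype, after):
            if role in DENYLISTED_ROLES:
                findings.append({"address": rc.get("address"), "scope": SCOPED_IAM_TYPES[rtype],
                                 "role": role, "member": member})
    return findings


# Constructed sample plan mirroring the examples on this page (not real tool output).
SAMPLE_PLAN = {"resource_changes": [
    {"address": "google_project_iam_member.project_owner", "type": "google_project_iam_member",
     "change": {"actions": ["create"], "after": {"project": "project2", "role": "roles/owner",
                                                 "member": "group:developers@bigcorp.com"}}},
    {"address": "google_folder_iam_binding.folder_secadmin", "type": "google_folder_iam_binding",
     "change": {"actions": ["create"], "after": {"folder": "folders/12345", "role": "roles/iam.securityAdmin",
                                                 "members": ["group:developers@bigcorp.com", "user:alice@bigcorp.com"]}}},
    {"address": "google_organization_iam_policy.org", "type": "google_organization_iam_policy",
     "change": {"actions": ["update"], "after": {"org_id": "an-org-id", "policy_data": json.dumps({"bindings": [
         {"role": "roles/resourcemanager.organizationViewer", "members": ["domain:bigcorp.com"]},
         {"role": "roles/iam.serviceAccountTokenCreator", "members": ["domain:bigcorp.com"]}]})}}},
    {"address": "google_project_iam_member.compute", "type": "google_project_iam_member",
     "change": {"actions": ["create"], "after": {"project": "project2", "role": "roles/compute.admin",
                                                 "member": "group:developers@bigcorp.com"}}},
    {"address": "google_project_iam_member.old_owner", "type": "google_project_iam_member",
     "change": {"actions": ["delete"], "after": None}},
    {"address": "google_service_account_iam_member.deployer", "type": "google_service_account_iam_member",
     "change": {"actions": ["create"], "after": {
         "service_account_id": "projects/project2/serviceAccounts/deploy@project2.iam.gserviceaccount.com",
         "role": "roles/iam.serviceAccountUser", "member": "user:bob@bigcorp.com"}}},
]}


def main(argv):
    plan = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_PLAN
    findings = find_violations(plan)
    for f in findings:
        print(f"{f['address']}: grants {f['role']} to {f['member']} at {f['scope']} scope")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a real plan with `terraform show -json plan.out > plan.json && python check_iam_plan.py plan.json`; the non-zero exit status when findings exist lets it gate a CI pipeline. Against the embedded sample it reports the Owner grant, both members of the Security Admin binding and the Token Creator binding inside the organization policy, while the Compute Admin grant, the deleted Owner grant and the service-account-scoped Service Account User grant are left alone.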
Examples
Insecure Example
resource "google_project_iam_member" "svcacct-admin-project2" {
  project = "project2"
  role    = "roles/owner" # Owner on a project lets every member of the group manage any and all resources of the project, including acting as its service accounts
  member  = "group:developers@bigcorp.com"
}
resource "google_folder_iam_member" "folder-admin" {
  folder = "folders/12345"
  role   = "roles/iam.securityAdmin" # Security Admin on a folder lets members of this group modify the IAM policy of any project beneath it
  member = "group:developers@bigcorp.com"
}
resource "google_organization_iam_member" "project-editors" {
  org_id = "an-org-id"
  role   = "roles/iam.serviceAccountUser" # Service Account User at organization level lets every user in the domain act as every service account in the organization; this is very dangerous
  member = "domain:bigcorp.com"
}
Secure Example
resource "google_organization_iam_member" "svcacct-admin-project2" {
  org_id = "an-org-id"
  role   = "roles/resourcemanager.organizationViewer" # Read-only on the Organization; be careful who you grant admin powers on the Organization resource
  member = "domain:bigcorp.com"
}
resource "google_folder_iam_member" "folder-admin" {
  folder = "folders/12345"
  role   = "roles/resourcemanager.folderViewer" # Lets the group browse the folder hierarchy without the IAM-modifying powers of folderAdmin, which is on the list above
  member = "group:developers@bigcorp.com"
}
resource "google_project_iam_member" "project-editors" {
  project = "project2"
  role    = "roles/compute.admin" # Still a powerful role, but much more limited in scope: without iam.serviceAccounts.actAs the group cannot attach a service account to the VMs it creates
  member  = "group:developers@bigcorp.com"
}