Results #1-2 MEDIUM Service account access is granted to a user at project level. (2 similar results) ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── iam.tf Line 18 ───────┬────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── 9 │ resource "google_project_iam_member" "permissions" { 10 │ for_each = toset([ 11 │ "logging.logWriter", 12 │ "errorreporting.writer", 13 │ "iam.serviceAccountUser", 14 │ "iam.serviceAccountTokenCreator", 15 │ "workflows.invoker" 16 │ ]) 17 │ provider = google-beta 18 │ role = "roles/${each.key}" 19 │ member = "serviceAccount:${google_service_account.default.email}" 20 │ } ───────┴────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── Individual Causes - /Users/oussamafathallah/git/btdp/modules/00-oauth2-relay/iac/iam.tf:9-20 (google_project_iam_member.permissions) - /Users/oussamafathallah/git/btdp/modules/00-oauth2-relay/iac/iam.tf:9-20 (google_project_iam_member.permissions) ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── ID google-iam-no-project-level-service-account-impersonation Impact Privilege escalation, impersonation of any/all services Resolution Provide access at the service-level instead of project-level, if required More Information - https://aquasecurity.github.io/tfsec/v1.0.2/checks/google/iam/no-project-level-service-account-impersonation/ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam
Can you help me on this issue please. I'm new to gcp and terraform. Thank you !
Granting this role "iam.serviceAccountTokenCreator" causes the warning.
That role allows users to use a service account for Privilege Escalation
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.