
GCP + Terraform : Service account access is granted to a user at project level


I have an issue when trying to execute this Terraform file on GCP.

```
Results #1-2 MEDIUM Service account access is granted to a user at project level. (2 similar results)
────────────────────────────────────────────────────────────────────────────
  iam.tf Line 18
───────┬────────────────────────────────────────────────────────────────────
     9 │ resource "google_project_iam_member" "permissions" {
    10 │   for_each = toset([
    11 │     "logging.logWriter",
    12 │     "errorreporting.writer",
    13 │     "iam.serviceAccountUser",
    14 │     "iam.serviceAccountTokenCreator",
    15 │     "workflows.invoker"
    16 │   ])
    17 │   provider = google-beta
    18 │   role     = "roles/${each.key}"
    19 │   member   = "serviceAccount:${google_service_account.default.email}"
    20 │ }
───────┴────────────────────────────────────────────────────────────────────
  Individual Causes
  - /Users/oussamafathallah/git/btdp/modules/00-oauth2-relay/iac/iam.tf:9-20 (google_project_iam_member.permissions)
  - /Users/oussamafathallah/git/btdp/modules/00-oauth2-relay/iac/iam.tf:9-20 (google_project_iam_member.permissions)
────────────────────────────────────────────────────────────────────────────
  ID          google-iam-no-project-level-service-account-impersonation
  Impact      Privilege escalation, impersonation of any/all services
  Resolution  Provide access at the service-level instead of project-level, if required

  More Information
  - https://aquasecurity.github.io/tfsec/v1.0.2/checks/google/iam/no-project-level-service-account-impersonation/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam
```

Can you help me with this issue, please? I'm new to GCP and Terraform. Thank you!

Granting this role "iam.serviceAccountTokenCreator" causes the warning.

That role allows users to use a service account for privilege escalation.

Protecting against privilege-escalation threats
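Here is what the "provide access at the service-level" resolution from the tfsec output looks like in Terraform. This is an added example, not the asker's iam.tf or the answerer's code: the project-wide roles stay where they are, while the two impersonation roles are bound on one specific service account through google_service_account_iam_member. The account names (oauth2-relay, workflow-runner) and the existence of a separate target account are assumptions for the illustration.

```terraform
# Added example (not the asker's iam.tf): same roles as the question,
# with the two impersonation roles moved from project scope to one
# named service account.

resource "google_service_account" "default" {
  account_id   = "oauth2-relay" # assumed name
  display_name = "OAuth2 relay"
}

# Assumed: the only service account that "default" actually needs to
# act as. If no such account exists, the two impersonation roles below
# can simply be dropped.
resource "google_service_account" "target" {
  account_id   = "workflow-runner" # assumed name
  display_name = "Workflow runner"
}

# Roles that are legitimately project-scoped stay on
# google_project_iam_member; they carry no impersonation capability
# and the tfsec check does not flag them.
resource "google_project_iam_member" "permissions" {
  for_each = toset([
    "logging.logWriter",
    "errorreporting.writer",
    "workflows.invoker",
  ])
  provider = google-beta
  role     = "roles/${each.key}"
  member   = "serviceAccount:${google_service_account.default.email}"
}

# serviceAccountUser and serviceAccountTokenCreator are bound on the
# target service account only. "default" can then act as that single
# identity rather than every service account in the project.
resource "google_service_account_iam_member" "impersonation" {
  for_each = toset([
    "iam.serviceAccountUser",
    "iam.serviceAccountTokenCreator",
  ])
  provider           = google-beta
  service_account_id = google_service_account.target.name
  role               = "roles/${each.key}"
  member             = "serviceAccount:${google_service_account.default.email}"
}
```

Re-running tfsec on this layout no longer produces the google-iam-no-project-level-service-account-impersonation result, because no google_project_iam_member grants an impersonation role. The wider point is least privilege: a project-level token-creator binding lets the member mint tokens for any service account in the project, so scope it to the accounts it genuinely needs, or remove it entirely if nothing in the module impersonates anything.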
