  • Query id: 617ef6ff-711e-4bd7-94ae-e965911b1b40
  • Query name: Google Project IAM Binding Service Account has Token Creator or Account User Role
  • Platform: Terraform
  • Severity: High
  • Category: Access Control
Checks that no `google_project_iam_binding` grants the Service Account User (`roles/iam.serviceAccountUser`) or Service Account Token Creator (`roles/iam.serviceAccountTokenCreator`) role at the project level; bound project-wide, either role lets its members act as every service account in the project rather than one specific account.

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
```tf
resource "google_project_iam_binding" "positive1" {
  project = "your-project-id"
  role    = "roles/iam.serviceAccountTokenCreator"

  members = [
    # member list is truncated on the source page; placeholder entry
    "user:PLACEHOLDER@example.com",
  ]
}

resource "google_project_iam_binding" "positive2" {
  project = "your-project-id"
  role    = "roles/iam.serviceAccountTokenCreator"
  # single "member" argument kept as in the original sample; the query keys on the role
  member = ""
}

resource "google_project_iam_binding" "positive3" {
  project = "your-project-id"
  role    = "roles/iam.serviceAccountUser"

  members = [
    # member list is truncated on the source page; placeholder entry
    "user:PLACEHOLDER@example.com",
  ]
}

resource "google_project_iam_binding" "positive4" {
  project = "your-project-id"
  role    = "roles/iam.serviceAccountUser"
  # single "member" argument kept as in the original sample; the query keys on the role
  member = ""
}
```

Code samples without security vulnerabilities

Negative test num. 1 - tf file
```tf
resource "google_project_iam_binding" "negative1" {
  project = "your-project-id"
  role    = "roles/editor"

  members = [
    # member list is truncated on the source page; placeholder entry
    "user:PLACEHOLDER@example.com",
  ]
}
```
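As an added example (not part of this KICS page and not the project's own Rego query), the following Python script implements the same check over Terraform text: it reports every `google_project_iam_binding` whose `role` is `roles/iam.serviceAccountUser` or `roles/iam.serviceAccountTokenCreator`, and ignores bindings for other roles. The embedded sample is constructed from the positive and negative patterns above; the member addresses, the resource names it reuses and the lightweight regex-based block parser are assumptions (it handles the flat layout of these samples, not arbitrary HCL).

```python
import re

# Roles the query flags when granted project-wide through
# google_project_iam_binding (both names appear in the positive samples).
FLAGGED_ROLES = frozenset({
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
})

# Matches one top-level Terraform resource block whose closing brace sits at
# column 0. Assumption: the flat layout used by the samples; not a full HCL parser.
_RESOURCE_RE = re.compile(
    r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)^\}',
    re.DOTALL | re.MULTILINE,
)
_ROLE_RE = re.compile(r'^[ \t]*role[ \t]*=[ \t]*"(?P<role>[^"]+)"', re.MULTILINE)

# Constructed sample input modelled on positive1, negative1 and positive3 above;
# member addresses are placeholders, not values from the page.
SAMPLE_TF = """
resource "google_project_iam_binding" "positive1" {
  project = "your-project-id"
  role    = "roles/iam.serviceAccountTokenCreator"

  members = [
    "serviceAccount:ci@your-project-id.iam.gserviceaccount.com",
  ]
}

resource "google_project_iam_binding" "negative1" {
  project = "your-project-id"
  role    = "roles/editor"

  members = [
    "user:jane@example.com",
  ]
}

resource "google_project_iam_binding" "positive3" {
  project = "your-project-id"
  role    = "roles/iam.serviceAccountUser"

  members = [
    "user:jane@example.com",
  ]
}
"""


def find_findings(hcl_text):
    """Return (resource name, role) for each google_project_iam_binding that
    grants Service Account User or Token Creator at project scope."""
    findings = []
    for block in _RESOURCE_RE.finditer(hcl_text):
        if block.group("type") != "google_project_iam_binding":
            continue
        role = _ROLE_RE.search(block.group("body"))
        if role and role.group("role") in FLAGGED_ROLES:
            findings.append((block.group("name"), role.group("role")))
    return findings


if __name__ == "__main__":
    for name, role in find_findings(SAMPLE_TF):
        print(f"HIGH: google_project_iam_binding.{name} grants {role} at project scope")
```

The usual remediation is to keep these two roles off project-level bindings and grant them on the individual service account that actually needs to be impersonated (the `google_service_account_iam_binding` resource), which this check would then no longer match.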