Using Default Service Account
- Query id: 2775e169-e708-42a9-9305-b58aadd2c4dd
- Query name: Using Default Service Account
- Platform: Ansible
- Severity: Medium
- Category: Insecure Configurations
- URL: Github
Description¶
Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
#this is a problematic code where the query should report a result(s)
- name: create a instance1
google.cloud.gcp_compute_instance:
name: test_object1
machine_type: n1-standard-1
disks:
- auto_delete: 'true'
boot: 'true'
source: "{{ disk }}"
- auto_delete: 'true'
interface: NVME
type: SCRATCH
initialize_params:
disk_type: local-ssd
metadata:
startup-script-url: gs:://graphite-playground/bootstrap.sh
cost-center: '12345'
labels:
environment: production
network_interfaces:
- network: "{{ network }}"
access_configs:
- name: External NAT
nat_ip: "{{ address }}"
type: ONE_TO_ONE_NAT
zone: us-central1-a
project: test_project
auth_kind: serviceaccount
state: present
- name: create a instance2
google.cloud.gcp_compute_instance:
name: test_object2
machine_type: n1-standard-1
disks:
- auto_delete: 'true'
boot: 'true'
source: "{{ disk }}"
- auto_delete: 'true'
interface: NVME
type: SCRATCH
initialize_params:
disk_type: local-ssd
metadata:
startup-script-url: gs:://graphite-playground/bootstrap.sh
cost-center: '12345'
labels:
environment: production
network_interfaces:
- network: "{{ network }}"
access_configs:
- name: External NAT
nat_ip: "{{ address }}"
type: ONE_TO_ONE_NAT
zone: us-central1-a
project: test_project
auth_kind: serviceaccount
service_account_email: ""
state: present
- name: create a instance3
google.cloud.gcp_compute_instance:
name: test_object3
machine_type: n1-standard-1
disks:
- auto_delete: 'true'
boot: 'true'
source: "{{ disk }}"
- auto_delete: 'true'
interface: NVME
type: SCRATCH
initialize_params:
disk_type: local-ssd
metadata:
startup-script-url: gs:://graphite-playground/bootstrap.sh
cost-center: '12345'
labels:
environment: production
network_interfaces:
- network: "{{ network }}"
access_configs:
- name: External NAT
nat_ip: "{{ address }}"
type: ONE_TO_ONE_NAT
zone: us-central1-a
project: test_project
auth_kind: serviceaccount
service_account_email: "admin"
state: present
- name: create a instance4
google.cloud.gcp_compute_instance:
name: test_object4
machine_type: n1-standard-1
disks:
- auto_delete: 'true'
boot: 'true'
source: "{{ disk }}"
- auto_delete: 'true'
interface: NVME
type: SCRATCH
initialize_params:
disk_type: local-ssd
metadata:
startup-script-url: gs:://graphite-playground/bootstrap.sh
cost-center: '12345'
labels:
environment: production
network_interfaces:
- network: "{{ network }}"
access_configs:
- name: External NAT
nat_ip: "{{ address }}"
type: ONE_TO_ONE_NAT
zone: us-central1-a
project: test_project
auth_kind: serviceaccount
service_account_email: "admin@developer.gserviceaccount.com"
state: present
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
- name: create a instance
google.cloud.gcp_compute_instance:
name: test_object
machine_type: n1-standard-1
disks:
- auto_delete: 'true'
boot: 'true'
source: '{{ disk }}'
- auto_delete: 'true'
interface: NVME
type: SCRATCH
initialize_params:
disk_type: local-ssd
metadata:
startup-script-url: gs:://graphite-playground/bootstrap.sh
cost-center: '12345'
labels:
environment: production
network_interfaces:
- network: '{{ network }}'
access_configs:
- name: External NAT
nat_ip: '{{ address }}'
type: ONE_TO_ONE_NAT
zone: us-central1-a
project: test_project
auth_kind: serviceaccount
service_account_email: admin@admin.com
state: present