Google Project IAM Binding Service Account has Token Creator or Account User Role
- Query id: 617ef6ff-711e-4bd7-94ae-e965911b1b40
- Query name: Google Project IAM Binding Service Account has Token Creator or Account User Role
- Platform: Terraform
- Severity: High
- Category: Access Control
- CWE: 285
- URL: Github
Description
Verifies that no Google Project IAM Binding (google_project_iam_binding) grants the Service Account User (roles/iam.serviceAccountUser) or Service Account Token Creator (roles/iam.serviceAccountTokenCreator) role at project scope, since either role lets the bound members act as or mint tokens for every service account in the project.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
resource "google_project_iam_binding" "positive1" {
  project = "your-project-id"
  # Token Creator bound at project scope lets every listed member mint tokens
  # for any service account in the project, which is why this binding is flagged.
  role    = "roles/iam.serviceAccountTokenCreator"
  members = [
    "user:jane@example.com",
    "serviceAccount:my-other-app@appspot.gserviceaccount.com"
  ]
}

resource "google_project_iam_binding" "positive2" {
  project = "your-project-id"
  role    = "roles/iam.serviceAccountTokenCreator"
  # google_project_iam_binding takes a "members" list; a single grantee is
  # still expressed as a one-element list.
  members = ["serviceAccount:my-other-app@appspot.gserviceaccount.com"]
}

resource "google_project_iam_binding" "positive3" {
  project = "your-project-id"
  # Service Account User at project scope lets members run workloads as any
  # service account in the project.
  role    = "roles/iam.serviceAccountUser"
  members = [
    "user:jane@example.com",
    "serviceAccount:my-other-app@appspot.gserviceaccount.com"
  ]
}

resource "google_project_iam_binding" "positive4" {
  project = "your-project-id"
  role    = "roles/iam.serviceAccountUser"
  members = ["serviceAccount:my-other-app@appspot.gserviceaccount.com"]
}
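A configuration that passes this check, added here as an example and not one of the query's own samples (the project id, resource names and member addresses are placeholders): the impersonation role is granted on a single service account resource instead of at project scope, and the only project-level binding carries a role that cannot impersonate service accounts.

```hcl
# Added example (not from the KICS query samples); project and account names
# are placeholders.

# The only project-scoped binding grants a role that cannot impersonate
# service accounts, so it is not flagged by this query.
resource "google_project_iam_binding" "viewers" {
  project = "your-project-id"
  role    = "roles/viewer"
  members = [
    "user:jane@example.com",
  ]
}

# The service account that may be impersonated.
resource "google_service_account" "deployer" {
  project      = "your-project-id"
  account_id   = "deployer"
  display_name = "Deployment service account"
}

# Token Creator is granted on this one service account only, so the grantee
# can mint tokens for "deployer" and for nothing else in the project.
resource "google_service_account_iam_member" "deployer_token_creator" {
  service_account_id = google_service_account.deployer.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "serviceAccount:my-other-app@appspot.gserviceaccount.com"
}
```

The same narrowing applies to roles/iam.serviceAccountUser: bind it on the specific google_service_account resource rather than on the project.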