User with IAM Role
- Query id: 704fcc44-a58f-4af5-82e2-93f2a58ef918
- Query name: User with IAM Role
- Platform: Terraform
- Severity: Low
- Category: Access Control
- CWE: 284
- URL: Github
Description
On Google Cloud, IAM roles should be granted to groups rather than to individual users. A binding whose member is a `user:` principal ties the permission to one person's account: joiners and leavers then have to be handled binding by binding, and it is easy to leave a former employee's role in place. Granting the role to a `group:` principal keeps the access decision in Terraform and the membership decision in the group, where it can be reviewed and changed without editing every binding. The query flags `member`/`members` entries with the `user:` prefix in IAM bindings such as the `google_iam_policy`, `google_project_iam_binding` and `google_project_iam_member` samples below.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
```hcl
# Flagged: the binding in the policy data source grants the role to an
# individual user principal instead of a group.
data "google_iam_policy" "positive" {
  binding {
    role = "roles/apigee.runtimeAgent"
    members = [
      "user:jane@example.com",
    ]
  }
}
```
Positive test num. 2 - tf file
```hcl
# Flagged: a project-level binding to a single user. The time-bound
# condition does not change the finding; the principal is still an
# individual user rather than a group.
resource "google_project_iam_binding" "positive2" {
  project = "your-project-id"
  role    = "roles/container.admin"
  members = [
    "user:jane@example.com",
  ]
  condition {
    title       = "expires_after_2019_12_31"
    description = "Expiring at midnight of 2019-12-31"
    expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
  }
}

# Flagged: the singular `member` attribute is checked the same way as
# a `members` list.
resource "google_project_iam_member" "positive3" {
  project = "your-project-id"
  role    = "roles/editor"
  member  = "user:jane@example.com"
}
```
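To make the rule concrete, here is an added Python scanner (example code written for this page, not part of KICS or of the query's own implementation) that reproduces the check over Terraform text: it walks top-level `resource`/`data` blocks whose type is a Google IAM binding, policy or member, and reports every `member`/`members` entry that starts with `user:`, with the block address and line number. The two inputs are constructed for the example: the first reproduces the three positive samples above, the second is the same configuration remediated to grant each role to a `group:` principal (the group addresses are assumed), with jane@example.com managed as a member of those groups rather than in the Terraform code.

```python
import re
from dataclasses import dataclass

# Constructed input (not from the page): the three bindings the query flags,
# each granting a role directly to a user principal.
VULNERABLE_TF = """\
data "google_iam_policy" "positive" {
  binding {
    role    = "roles/apigee.runtimeAgent"
    members = [
      "user:jane@example.com",
    ]
  }
}

resource "google_project_iam_binding" "positive2" {
  project = "your-project-id"
  role    = "roles/container.admin"
  members = [
    "user:jane@example.com",
  ]
}

resource "google_project_iam_member" "positive3" {
  project = "your-project-id"
  role    = "roles/editor"
  member  = "user:jane@example.com"
}
"""

# The same configuration remediated: roles go to Google Groups and the
# user is added to the groups outside Terraform. Group addresses are
# assumptions for the example.
REMEDIATED_TF = """\
data "google_iam_policy" "negative" {
  binding {
    role    = "roles/apigee.runtimeAgent"
    members = [
      "group:apigee-operators@example.com",
    ]
  }
}

resource "google_project_iam_binding" "negative2" {
  project = "your-project-id"
  role    = "roles/container.admin"
  members = ["group:gke-admins@example.com"]
}

resource "google_project_iam_member" "negative3" {
  project = "your-project-id"
  role    = "roles/editor"
  member  = "group:project-editors@example.com"
}
"""


@dataclass
class Finding:
    block: str    # e.g. 'resource "google_project_iam_member" "positive3"'
    line: int     # 1-based line of the offending principal
    member: str   # the principal string, e.g. 'user:jane@example.com'


BLOCK_RE = re.compile(r'^\s*(resource|data)\s+"([^"]+)"\s+"([^"]+)"\s*\{')
MEMBER_ATTR_RE = re.compile(r'^\s*members?\s*=')
USER_PRINCIPAL_RE = re.compile(r'"(user:[^"]+)"')


def find_user_principals(tf_text: str) -> list[Finding]:
    """Report every user: principal in a member/members attribute of a Google IAM block."""
    findings = []
    block = None        # address of the top-level block we are currently in
    iam_block = False   # does its type look like a Google IAM binding/policy/member?
    in_list = False     # inside a multi-line `members = [ ... ]`
    for lineno, line in enumerate(tf_text.splitlines(), start=1):
        m = BLOCK_RE.match(line)
        if m:
            kind, typ, name = m.groups()
            block = f'{kind} "{typ}" "{name}"'
            # google_iam_policy, google_project_iam_binding, google_*_iam_member, ...
            iam_block = typ.startswith("google_") and "_iam_" in typ
            in_list = False
            continue
        if not iam_block:
            continue
        if MEMBER_ATTR_RE.match(line):
            # Single-line `member = "..."` / `members = ["..."]`, or the
            # opening line of a multi-line list.
            in_list = "[" in line and "]" not in line
            scan = True
        else:
            scan = in_list
            if in_list and "]" in line:
                in_list = False
        if scan:
            for principal in USER_PRINCIPAL_RE.findall(line):
                findings.append(Finding(block, lineno, principal))
    return findings


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_TF), ("remediated", REMEDIATED_TF)):
        hits = find_user_principals(text)
        print(f"{label}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  line {f.line}: {f.block} grants a role to {f.member}")
```

The scanner is regex-based and works only on literal strings: a `user:` principal passed in through a variable, a `local`, or `for_each` is not visible to it, so for anything beyond a demonstration run the check over a rendered plan or with a real HCL parser. It also reports only `user:` principals; service accounts and groups are different principal types and are outside the scope of this query.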