Google Project IAM Binding Service Account has Token Creator or Account User Role

  • Query id: 617ef6ff-711e-4bd7-94ae-e965911b1b40
  • Query name: Google Project IAM Binding Service Account has Token Creator or Account User Role
  • Platform: Terraform
  • Severity: Medium
  • Category: Access Control
  • URL: Github

Description

Checks that a google_project_iam_binding does not grant the Service Account User role (roles/iam.serviceAccountUser) or the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) at the project level. Granted project-wide, either role lets every listed member act as or mint tokens for any service account in the project, rather than a single intended one.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "google_project_iam_binding" "positive1" {
  project = "your-project-id"
  role    = "roles/iam.serviceAccountTokenCreator"

  members = [
    "user:jane@example.com",
    "serviceAccount:my-other-app@appspot.gserviceacccount.com"
  ]
}

resource "google_project_iam_binding" "positive2" {
  project = "your-project-id"
  role    = "roles/iam.serviceAccountTokenCreator"
  member = "serviceAccount:my-other-app@appspot.gserviceacccount.com"
}

resource "google_project_iam_binding" "positive3" {
  project = "your-project-id"
  role    = "roles/iam.serviceAccountUser"

  members = [
    "user:jane@example.com",
    "serviceAccount:my-other-app@appspot.gserviceacccount.com"
  ]
}

resource "google_project_iam_binding" "positive4" {
  project = "your-project-id"
  role    = "roles/iam.serviceAccountUser"
  member = "serviceAccount:my-other-app@appspot.gserviceacccount.com"
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "google_project_iam_binding" "negative1" {
  project = "your-project-id"
  role    = "roles/editor"

  members = [
    "user:jane@example.com",
  ]
}
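The following is an added example, not KICS's own Rego query or any code from the KICS project: a small Python scanner that reproduces the query's logic over raw Terraform text. It assumes a simple regex-based reading of HCL (no real HCL parser), handles both the `members = [...]` list and the single `member = "..."` attribute seen in the positive samples above, and embeds copies of the page's positive1, positive2 and negative1 fixtures as its constructed input. The function and constant names are this example's own.

```python
import re

# Project-level grants of either role let every listed member impersonate any
# service account in the project; these are the two role IDs the query flags.
FLAGGED_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
}

# Assumption: resource blocks are well-formed, and the closing brace of a
# resource sits alone at the start of a line, as in the page's fixtures.
BLOCK_RE = re.compile(
    r'resource\s+"google_project_iam_binding"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\n\}',
    re.DOTALL,
)
ROLE_RE = re.compile(r'^\s*role\s*=\s*"([^"]+)"', re.MULTILINE)
MEMBERS_RE = re.compile(r'^\s*members\s*=\s*\[(.*?)\]', re.MULTILINE | re.DOTALL)
MEMBER_RE = re.compile(r'^\s*member\s*=\s*"([^"]+)"', re.MULTILINE)
STRING_RE = re.compile(r'"([^"]+)"')


def extract_members(body):
    """Collect principals from a `members` list and/or a single `member` attribute."""
    members = []
    list_match = MEMBERS_RE.search(body)
    if list_match:
        members.extend(STRING_RE.findall(list_match.group(1)))
    members.extend(MEMBER_RE.findall(body))
    return members


def find_impersonation_bindings(hcl_text):
    """Return one finding per google_project_iam_binding that grants a flagged role."""
    findings = []
    for block in BLOCK_RE.finditer(hcl_text):
        body = block.group("body")
        role_match = ROLE_RE.search(body)
        if not role_match or role_match.group(1) not in FLAGGED_ROLES:
            continue
        findings.append({
            "resource": block.group("name"),
            "role": role_match.group(1),
            "members": extract_members(body),
        })
    return findings


# Constructed input: copies of the page's positive1, positive2 and negative1 fixtures.
POSITIVE_SAMPLE = '''
resource "google_project_iam_binding" "positive1" {
  project = "your-project-id"
  role    = "roles/iam.serviceAccountTokenCreator"

  members = [
    "user:jane@example.com",
    "serviceAccount:my-other-app@appspot.gserviceacccount.com"
  ]
}

resource "google_project_iam_binding" "positive2" {
  project = "your-project-id"
  role    = "roles/iam.serviceAccountTokenCreator"
  member = "serviceAccount:my-other-app@appspot.gserviceacccount.com"
}
'''

NEGATIVE_SAMPLE = '''
resource "google_project_iam_binding" "negative1" {
  project = "your-project-id"
  role    = "roles/editor"

  members = [
    "user:jane@example.com",
  ]
}
'''

if __name__ == "__main__":
    for finding in find_impersonation_bindings(POSITIVE_SAMPLE):
        print(f"[Medium] {finding['resource']}: project-wide {finding['role']} "
              f"granted to {', '.join(finding['members'])}")
    print(f"negative sample findings: {find_impersonation_bindings(NEGATIVE_SAMPLE)}")
```

Only `google_project_iam_binding` resources are inspected, matching the scope of this query; a project-level grant of the same roles through another resource type would need its own check. The usual remediation is to scope the grant to the one service account that should be impersonated (an IAM binding on that service account resource) instead of the whole project, which is what turns a positive sample into a negative one.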