Google Project IAM Member Service Account has Token Creator or Account User Role

  • Query id: c68b4e6d-4e01-4ca1-b256-1e18e875785c
  • Query name: Google Project IAM Member Service Account has Token Creator or Account User Role
  • Platform: Terraform
  • Severity: High
  • Category: Access Control
  • URL: Github

Description

Verifies that a Google Project IAM Member service account is not granted the Service Account User or Service Account Token Creator role at project level, since either role lets the member act as (impersonate) any service account in the project.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
# Flagged: Token Creator granted project-wide lets the member mint tokens for every service account in the project
resource "google_project_iam_member" "positive1" {
  project = "your-project-id"
  role    = "roles/iam.serviceAccountTokenCreator"
  member  = "serviceAccount:my-other-app@appspot.gserviceaccount.com"
}

# Flagged: Service Account User granted project-wide lets the member run resources as any service account in the project
# (google_project_iam_member takes a single `member`; the multi-principal `members` attribute belongs to google_project_iam_binding)
resource "google_project_iam_member" "positive2" {
  project = "your-project-id"
  role    = "roles/iam.serviceAccountUser"
  member  = "serviceAccount:my-other-app@appspot.gserviceaccount.com"
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
# Not flagged: the role is neither Token Creator nor Service Account User
resource "google_project_iam_member" "negative1" {
  project = "your-project-id"
  role    = "roles/editor"
  member  = "user:jane@example.com"
}
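The check described above can be reproduced outside KICS with a small scanner. The following Python script is an added example, not the KICS query or any code from the project: it parses flat `resource` blocks out of a Terraform file with regular expressions (good enough for the shapes in the samples, not a full HCL parser), and reports every `google_project_iam_member` whose `role` is one of the two impersonation roles. The constructed sample also includes a `google_service_account_iam_member` grant of the same role, which is not reported because it is scoped to one service account rather than the whole project, which is the usual remediation. All resource names, project ids and e-mail addresses in the sample are made up for the example.

```python
import re

# Roles that allow acting as (impersonating) service accounts. Granted at
# project level, they apply to every service account in the project.
FLAGGED_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
}

# Constructed sample Terraform: one project-wide grant (should be flagged),
# one unrelated role, and one grant scoped to a single service account.
SAMPLE_TF = '''
resource "google_project_iam_member" "token_creator_project_wide" {
  project = "example-project"
  role    = "roles/iam.serviceAccountTokenCreator"
  member  = "serviceAccount:ci-runner@example-project.iam.gserviceaccount.com"
}

resource "google_project_iam_member" "editor" {
  project = "example-project"
  role    = "roles/editor"
  member  = "user:jane@example.com"
}

resource "google_service_account_iam_member" "token_creator_scoped" {
  service_account_id = google_service_account.target.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "serviceAccount:ci-runner@example-project.iam.gserviceaccount.com"
}
'''

# Matches a top-level resource block with a flat body (no nested blocks).
BLOCK_RE = re.compile(
    r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\n\}',
    re.DOTALL,
)
# Matches one `key = value` line inside a block body.
ATTR_RE = re.compile(r'^\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$', re.MULTILINE)


def parse_resources(hcl):
    """Return a list of {type, name, attrs} dicts for each flat resource block."""
    resources = []
    for block in BLOCK_RE.finditer(hcl):
        attrs = {}
        for attr in ATTR_RE.finditer(block.group("body")):
            # Strip surrounding quotes from string literals; references stay as-is.
            attrs[attr.group("key")] = attr.group("val").strip().strip('"')
        resources.append(
            {"type": block.group("type"), "name": block.group("name"), "attrs": attrs}
        )
    return resources


def find_project_wide_impersonation_grants(hcl):
    """Return (resource_name, role, member) for every project-level grant of a flagged role."""
    findings = []
    for res in parse_resources(hcl):
        # Only project-level bindings are in scope; service-account-scoped
        # grants (google_service_account_iam_member) are the recommended form.
        if res["type"] != "google_project_iam_member":
            continue
        role = res["attrs"].get("role", "")
        if role in FLAGGED_ROLES:
            findings.append((res["name"], role, res["attrs"].get("member", "")))
    return findings


if __name__ == "__main__":
    for name, role, member in find_project_wide_impersonation_grants(SAMPLE_TF):
        print(f"[High] google_project_iam_member.{name}: {role} granted project-wide to {member}")
```

Running the script prints a single finding for `token_creator_project_wide`; the scoped `google_service_account_iam_member` grant and the `roles/editor` binding are left alone. Moving a Token Creator or Service Account User grant from `google_project_iam_member` to `google_service_account_iam_member` on the one account that actually needs to be impersonated is the change that makes the finding go away.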