--- title: >- Google project IAM binding service account has token creator or account user role description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Google project IAM binding service account has token creator or account user role --- # Google project IAM binding service account has token creator or account user role {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-gcp-google-project-iam-binding-service-account-has-token-creator-or-account-user-role` **Provider:** GCP **Platform:** Terraform **Severity:** High **Category:** Access Control #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_binding) ### Description{% #description %} This check identifies if a Google Project IAM binding grants `serviceAccountTokenCreator` or `serviceAccountUser` roles, which provide excessive privileges to service accounts. These roles allow the specified members to impersonate service accounts, creating security risks through privilege escalation paths and potential lateral movement across your GCP environment. Members with the `serviceAccountTokenCreator` role can create OAuth2 access tokens, while those with `serviceAccountUser` role can use service accounts for their operations. To remediate this issue, assign more restrictive roles that follow the principle of least privilege instead, as shown in the following example: ``` resource "google_project_iam_binding" "secure_example" { project = "your-project-id" role = "roles/editor" members = [ "user:jane@example.com", ] } ``` ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "google_project_iam_binding" "negative1" { project = "your-project-id" role = "roles/editor" members = [ "user:jane@example.com", ] } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform resource "google_project_iam_binding" "positive1" { project = "your-project-id" role = "roles/iam.serviceAccountTokenCreator" members = [ "user:jane@example.com", "serviceAccount:my-other-app@appspot.gserviceacccount.com" ] } resource "google_project_iam_binding" "positive2" { project = "your-project-id" role = "roles/iam.serviceAccountTokenCreator" member = "serviceAccount:my-other-app@appspot.gserviceacccount.com" } resource "google_project_iam_binding" "positive3" { project = "your-project-id" role = "roles/iam.serviceAccountUser" members = [ "user:jane@example.com", "serviceAccount:my-other-app@appspot.gserviceacccount.com" ] } resource "google_project_iam_binding" "positive4" { project = "your-project-id" role = "roles/iam.serviceAccountUser" member = "serviceAccount:my-other-app@appspot.gserviceacccount.com" } ```