For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/terraform-gcp-service-account-with-improper-privileges.md. A documentation index is available at /llms.txt.

Service account with improper privileges

This product is not supported for your selected Datadog site. ().

Metadata

Id: terraform-gcp-service-account-with-improper-privileges

Provider: GCP

Platform: Terraform

Severity: Medium

Category: Resource Management

Learn More

Description

Granting a service account excessive privileges such as roles/admin, roles/editor, roles/owner, or other write-level roles, can expose the environment to the risk of privilege escalation or unintended changes. In Terraform, this misconfiguration appears when a binding like the following is used:

binding {
  role = "roles/editor"
  members = [
    "serviceAccount:jane@example.com",
  ]
}

aThis allows the service account broad permissions across resources. To follow the principle of least privilege, grant only the specific roles required. For example:

binding {
  role = "roles/apigee.runtimeAgent"
  members = [
    "user:jane@example.com",
  ]
}

Failing to restrict service account privileges can enable attackers or compromised services to make unauthorized changes, potentially leading to data exposure or resource compromise.

Compliant Code Examples

data "google_iam_policy" "policy5" {
  binding {
    role = "roles/apigee.runtimeAgent"

    members = [
      "user:jane@example.com",
    ]
  }
}

resource "google_project_iam_binding" "project3" {
  project = "your-project-id"
  role    = "roles/apigee.runtimeAgent"

  members = [
    "user:jane@example.com",
  ]

  condition {
    title       = "expires_after_2019_12_31"
    description = "Expiring at midnight of 2019-12-31"
    expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
  }
}

resource "google_project_iam_member" "project4" {
  project = "your-project-id"
  role    = "roles/apigee.runtimeAgent"
  member  = "user:jane@example.com"
}

resource "google_project_iam_binding" "project5" {
  role = "roles/viewer"

  members = [
    "serviceAccount:jane@example.com",
  ]
}

data "google_iam_policy" "policy6" {
  binding {
    role = "roles/viewer"

    members = [
      "user:jane@example.com",
    ]
  }
}

Non-Compliant Code Examples

data "google_iam_policy" "admin" {
  binding {
    role = "roles/editor"

    members = [
      "serviceAccount:jane@example.com",
    ]
  }
}

resource "google_project_iam_binding" "project1" {
  project = "your-project-id"
  role    = "roles/container.admin"

  members = [
    "serviceAccount:jane@example.com",
  ]

  condition {
    title       = "expires_after_2019_12_31"
    description = "Expiring at midnight of 2019-12-31"
    expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
  }
}

resource "google_project_iam_member" "project2" {
  project = "your-project-id"
  role    = "roles/editor"
  member  = "serviceAccount:jane@example.com"
}

data "google_iam_policy" "admin" {
  binding {
    role = "roles/compute.imageUser"

    members = [
      "serviceAccount:jane@example.com",
    ]
  }
  binding {
    role = "roles/owner"
    members = [
      "serviceAccount:john@example.com",
    ]
  }
}