Google project IAM member service account has admin role
This product is not supported for your selected
Datadog site. (
).
Id: 84d36481-fd63-48cb-838e-635c44806ec2
Cloud Provider: gcp
Framework: Terraform
Severity: High
Category: Access Control
Learn More
Description
This query identifies when a service account is granted an administrative role in a Google Cloud project, which violates the principle of least privilege. Service accounts with administrative permissions such as roles/iam.serviceAccountAdmin can create and manage other service accounts, potentially leading to privilege escalation attacks and unauthorized access across your Google Cloud environment.
Instead of using administrative roles, assign more granular, limited roles that provide only the permissions required for the service account to function. For example:
// Insecure configuration - service account with admin role
resource "google_project_iam_member" "insecure" {
project = "your-project-id"
role = "roles/iam.serviceAccountAdmin"
member = "serviceAccount:my-app@appspot.gserviceacccount.com"
}
// Secure configuration - service account with limited role
resource "google_project_iam_member" "secure" {
project = "your-project-id"
role = "roles/editor"
member = "serviceAccount:my-app@appspot.gserviceacccount.com"
}
Compliant Code Examples
resource "google_project_iam_member" "negative1" {
project = "your-project-id"
role = "roles/editor"
members = "user:jane@example.com"
}
Non-Compliant Code Examples
resource "google_project_iam_member" "positive1" {
project = "your-project-id"
role = "roles/iam.serviceAccountAdmin"
member = "serviceAccount:my-other-app@appspot.gserviceacccount.com"
}
resource "google_project_iam_member" "positive2" {
project = "your-project-id"
role = "roles/iam.serviceAccountAdmin"
members = ["user:jane@example.com", "serviceAccount:my-other-app@appspot.gserviceacccount.com"]
}
