Service accounts should only be bound to non-administrative roles

Description

A service account is a special Google account that belongs to an application or a VM, instead of to an individual end-user. The application uses the service account to call the service’s Google API so that users aren’t directly involved. It’s recommended not to use admin roles for ServiceAccount.

Default value

User-managed (and not user-created) default service accounts have the Editor (roles/editor) role assigned to them to support GCP services they offer. By default, there are no roles assigned to user-managed, user-created service accounts.

Rationale

Service accounts represent service-level security of the Resources (application or a VM) which can be determined by the roles assigned to it. Enrolling ServiceAccount with Admin rights gives full access to an assigned application or a VM. A ServiceAccount Access holder can perform critical actions like delete, update, and change settings, etc. without user intervention. For this reason, Datadog recommends that service accounts not have an Admin role.

Impact

Removing *Admin or *admin, Editor, or Owner role assignments from service accounts may break functionality that uses impacted service accounts. Required role(s) should be assigned to impacted service accounts in order to restore broken functionality.

  • Note: This rule provides coverage for built in admin roles only and doesn’t address scenarios where a custom role which has admin permissions is assigned to a service account.

Remediation

From the console

  1. Go to IAM & admin/IAM using https://console.cloud.google.com/iam-admin/iam
  2. Go to the Members
  3. Identify User-Managed user created service account(s) with roles containing *Admin or *admin, roles matching Editor, or roles matching Owner.
  4. Click the Delete bin icon to remove the role from the member (service account in this case)

From the command line

gcloud projects get-iam-policy PROJECT_ID --format json > iam.json
  1. Using a text editor, Remove any Role which contains roles/ *Admin or roles/ *admin, or matches roles/editor or roles/owner. Add a role to the bindings array that defines the group members and the role for those members.

  2. Update the project’s IAM policy:

    gcloud projects set-iam-policy PROJECT_ID iam.json
    

References

  1. https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/
  2. https://cloud.google.com/iam/docs/understanding-roles
  3. https://cloud.google.com/iam/docs/understanding-service-accounts