Tags: google-cloud-platform, terraform, google-iam, tfsec

GCP + Terraform : Service account access is granted to a user at project level



I have an issue when trying to execute this terraform file on GCP.
Results #1-2 MEDIUM Service account access is granted to a user at project level. (2 similar results)
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
iam.tf Line 18
───────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   9  │ resource "google_project_iam_member" "permissions" {
  10  │   for_each = toset([
  11  │     "logging.logWriter",
  12  │     "errorreporting.writer",
  13  │     "iam.serviceAccountUser",
  14  │     "iam.serviceAccountTokenCreator",
  15  │     "workflows.invoker"
  16  │   ])
  17  │   provider = google-beta
  18  │   role     = "roles/${each.key}"
  19  │   member   = "serviceAccount:${google_service_account.default.email}"
  20  │ }
───────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Individual Causes
 - /Users/oussamafathallah/git/btdp/modules/00-oauth2-relay/iac/iam.tf:9-20 (google_project_iam_member.permissions)
 - /Users/oussamafathallah/git/btdp/modules/00-oauth2-relay/iac/iam.tf:9-20 (google_project_iam_member.permissions)
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
         ID google-iam-no-project-level-service-account-impersonation
     Impact Privilege escalation, impersonation of any/all services
 Resolution Provide access at the service-level instead of project-level, if required

 More Information
 - https://aquasecurity.github.io/tfsec/v1.0.2/checks/google/iam/no-project-level-service-account-impersonation/
 - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam

Can you help me with this issue, please? I'm new to GCP and Terraform. Thank you!


Solution

  • Granting this role "iam.serviceAccountTokenCreator" causes the warning.

    That role allows users to use a service account for privilege escalation.

    Protecting against privilege-escalation threats
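One way to apply the tfsec resolution ("provide access at the service-level instead of project-level") is to keep the non-impersonation roles in the project-level binding and move the two impersonation-capable roles onto the specific service account that is allowed to be impersonated. This is an added example, not the asker's or answerer's code; `google_service_account.target` is a hypothetical resource standing in for that account.

```hcl
# Roles that do not confer impersonation stay bound at project level,
# as in the original iam.tf.
resource "google_project_iam_member" "permissions" {
  for_each = toset([
    "logging.logWriter",
    "errorreporting.writer",
    "workflows.invoker",
  ])
  provider = google-beta
  role     = "roles/${each.key}"
  member   = "serviceAccount:${google_service_account.default.email}"
}

# The two roles tfsec reported (check google-iam-no-project-level-
# service-account-impersonation) are bound on a single service account
# instead of the whole project. google_service_account.target is a
# hypothetical resource: the one account that may be impersonated.
resource "google_service_account_iam_member" "impersonation" {
  for_each = toset([
    "iam.serviceAccountUser",
    "iam.serviceAccountTokenCreator",
  ])
  provider           = google-beta
  service_account_id = google_service_account.target.name
  role               = "roles/${each.key}"
  member             = "serviceAccount:${google_service_account.default.email}"
}
```

With the project-level binding no longer carrying either impersonation role, a rerun of tfsec should no longer report the two MEDIUM results shown above; the `default` account can mint tokens only for `target`, not for every service account in the project.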