IAM users should not have project-level ‘Service Account User’ or ‘Service Account Token Creator’ roles

Description

Granting IAM users the project-level ‘Service Account User’ or ‘Service Account Token Creator’ roles means they can potentially access resources across the entire project. To follow least-privilege best practice, IAM users should instead be granted these roles on a specific service account, which gives more scoped access.

Remediation Steps

Google Cloud Console

  • Navigate to IAM.

  • Select the filter icon and enter Role: Service Account User.

  • Delete every user that is listed as a result for the filter.

  • Clear Role: Service Account User from the search filter.

  • Select the filter icon and enter Role: Service Account Token Creator.

  • Delete every user that is listed as a result for the filter.

gcloud CLI

  • In a text editor, remove the bindings that grant the roles/iam.serviceAccountUser or roles/iam.serviceAccountTokenCreator role from the project’s IAM policy. For example, after editing, the iam.json file could look like the one shown below:

{
  "bindings": [
    {
      "members": [
        "serviceAccount:our-project-123@appspot.gserviceaccount.com"
      ],
      "role": "roles/appengine.appViewer"
    },
    {
      "members": [
        "user:email1@gmail.com"
      ],
      "role": "roles/owner"
    },
    {
      "members": [
        "serviceAccount:our-project-123@appspot.gserviceaccount.com",
        "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
      ],
      "role": "roles/editor"
    }
  ],
  "etag": "BwUjMhCsNvY="
}
  • Update the project’s IAM policy:

    • gcloud projects set-iam-policy PROJECT_ID iam.json
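The same audit and edit can be scripted instead of done by hand in a text editor. The script below is an added example, not part of the benchmark: it reads the JSON policy that gcloud prints, lists every principal holding either flagged role at project level, and writes the policy back without those bindings. The file name fix_sa_roles.py and the embedded sample policy are constructed for illustration.

```python
import json
import sys

# Project-level roles this recommendation flags.
FLAGGED_ROLES = {
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
}

# Constructed sample policy (hypothetical project, not real data).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/appengine.appViewer",
         "members": ["serviceAccount:our-project-123@appspot.gserviceaccount.com"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:email1@gmail.com", "group:devs@example.com"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["user:email2@gmail.com"]},
        {"role": "roles/owner", "members": ["user:email1@gmail.com"]},
    ],
    "etag": "BwUjMhCsNvY=",
}


def find_flagged_members(policy):
    """Audit: (role, member) pairs granted a flagged role at project level."""
    return sorted(
        (b["role"], m)
        for b in policy.get("bindings", [])
        if b.get("role") in FLAGGED_ROLES
        for m in b.get("members", [])
    )


def remove_flagged_bindings(policy):
    """Remediation: copy of the policy with the flagged bindings dropped.

    The etag is kept so set-iam-policy rejects the update if the policy
    changed between get and set instead of silently overwriting it.
    """
    cleaned = dict(policy)
    cleaned["bindings"] = [
        b for b in policy.get("bindings", []) if b.get("role") not in FLAGGED_ROLES
    ]
    return cleaned


if __name__ == "__main__":
    # Usage: gcloud projects get-iam-policy PROJECT_ID --format=json \
    #          | python3 fix_sa_roles.py > iam.json
    # then:  gcloud projects set-iam-policy PROJECT_ID iam.json
    policy = json.load(sys.stdin)
    for role, member in find_flagged_members(policy):
        print(f"removing {member} from {role}", file=sys.stderr)
    json.dump(remove_flagged_bindings(policy), sys.stdout, indent=2)
```

Review the list printed to stderr before running set-iam-policy: any principal that genuinely needs to act as a service account should be re-granted the role on that specific service account rather than on the project.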