User-managed service accounts should not have admin privileges
Description
A service account is a special Google account that belongs to an application or a VM instead of to an individual end user. Service accounts should not have admin privileges: such privileges grant full access to the assigned application or VM, and a service account can perform critical actions such as delete and update without any user intervention.
Remediation Steps
Google Cloud Console
Navigate to IAM.
Select to view by Members.
Delete any roles that contain Admin, Editor, or Owner.
gcloud CLI
In a text editor, remove any roles that contain Admin, Editor, or Owner. Add a role to the bindings array that defines the group members and the role for those members. Below is an example where you change the ServiceAccount to have roles/editor permissions:
{
  "bindings": [
    {
      "members": [
        "serviceAccount:our-project-123@appspot.gserviceaccount.com"
      ],
      "role": "roles/appengine.appViewer"
    },
    {
      "members": [
        "user:email1@gmail.com"
      ],
      "role": "roles/owner"
    },
    {
      "members": [
        "serviceAccount:our-project-123@appspot.gserviceaccount.com",
        "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
      ],
      "role": "roles/editor"
    }
  ],
  "etag": "BwUjMhCsNvY="
}
Update the project’s IAM policy:
gcloud projects set-iam-policy PROJECT_ID iam.json
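The following Python script, added here as an example and not part of the original page, applies this check to an exported policy file (for instance one produced with gcloud projects get-iam-policy PROJECT_ID --format=json > iam.json): it flags every service account bound to a role containing Admin, or to Editor or Owner, and produces a copy of the policy with those members removed and the etag retained for set-iam-policy. The sample policy above still grants roles/editor to two service accounts, so the script flags it. It assumes every serviceAccount: member is user-managed; Google-managed service agents would need to be excluded separately.

```python
import json
import re
import sys

# Constructed sample: the policy shown on this page. Its last binding still grants
# roles/editor to two service accounts, which is exactly what this check flags.
SAMPLE_POLICY = {
    "bindings": [
        {"members": ["serviceAccount:our-project-123@appspot.gserviceaccount.com"],
         "role": "roles/appengine.appViewer"},
        {"members": ["user:email1@gmail.com"], "role": "roles/owner"},
        {"members": ["serviceAccount:our-project-123@appspot.gserviceaccount.com",
                     "serviceAccount:123456789012-compute@developer.gserviceaccount.com"],
         "role": "roles/editor"},
    ],
    "etag": "BwUjMhCsNvY=",
}

# Roles the page says to strip: anything containing "Admin", plus Editor and Owner.
PRIVILEGED_ROLE = re.compile(r"admin|^roles/(editor|owner)$", re.IGNORECASE)

def find_privileged_service_accounts(policy):
    """Return (role, member) pairs where a service account holds a privileged role.
    Assumption: every 'serviceAccount:' member is treated as user-managed."""
    findings = []
    for binding in policy.get("bindings", []):
        if PRIVILEGED_ROLE.search(binding.get("role", "")):
            for member in binding.get("members", []):
                if member.startswith("serviceAccount:"):
                    findings.append((binding["role"], member))
    return findings

def remediate(policy):
    """Copy the policy without service accounts in privileged bindings; empty bindings
    are dropped and the etag is kept so set-iam-policy can detect concurrent changes."""
    fixed = json.loads(json.dumps(policy))  # deep copy, input stays untouched
    for binding in fixed.get("bindings", []):
        if PRIVILEGED_ROLE.search(binding.get("role", "")):
            binding["members"] = [m for m in binding.get("members", [])
                                  if not m.startswith("serviceAccount:")]
    fixed["bindings"] = [b for b in fixed.get("bindings", []) if b.get("members")]
    return fixed

if __name__ == "__main__":
    # Pass an exported iam.json to check a real project; defaults to the sample.
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    for role, member in find_privileged_service_accounts(policy):
        print(f"FLAG {member} holds {role}")
    print(json.dumps(remediate(policy), indent=2))
```

Review the remediated output before feeding it to gcloud projects set-iam-policy, since removing a default service account from roles/editor can break workloads that silently relied on it.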