Ensure roles do not impersonate or manage Service Accounts used at project level

Error: Roles impersonate or manage Service Accounts used at project level

Bridgecrew Policy ID: BC_GCP_IAM_10
Checkov Check ID: CKV_GCP_49
Severity: MEDIUM

Roles impersonate or manage Service Accounts used at project level

Description

The IAM role is an identity with specific permissions. An IAM role is similar to an IAM user: it has a Google identity with permission policies that determine what the identity can and cannot do in Google Cloud. Certain IAM roles contain permissions that enable a user with the role to impersonate or manage service accounts in a GCP project through IAM inheritance from a higher resource, i.e., project binding.

We recommend you do not set IAM role bindings with known dangerous roles that enable impersonation at the project level.

The following roles enable identities to impersonate all service account identities within a project if the identity is granted the role at the project, folder, or organization level. The following list includes our current recommendations for dangerous roles, however, it is not exhaustive as permissions and roles change frequently.

Primitive Roles:

  • roles/owner
  • roles/editor

Predefined Roles:

  • roles/iam.securityAdmin
  • roles/iam.serviceAccountAdmin
  • roles/iam.serviceAccountKeyAdmin
  • roles/iam.serviceAccountUser
  • roles/iam.serviceAccountTokenCreator
  • roles/iam.workloadIdentityUser
  • roles/dataproc.editor
  • roles/dataproc.admin
  • roles/dataflow.developer
  • roles/resourcemanager.folderAdmin
  • roles/resourcemanager.folderIamAdmin
  • roles/resourcemanager.projectIamAdmin
  • roles/resourcemanager.organizationAdmin
  • roles/cloudasset.viewer
  • roles/cloudasset.owner

Service Agent Roles: Service agent roles should not be used for any identities other than the Google managed service account they are associated with.

  • roles/serverless.serviceAgent
  • roles/dataproc.serviceAgent

Fix - Buildtime

Terraform

  • Resources:
    google_project_iam_member
    google_project_iam_binding
  • Argument: role
resource "google_project_iam_member" "example" {
  project  = "project/1234567"
- role    =  <ANY OF THE ROLES LISTED ABOVE>
  member  = "user:[email protected]"
}
resource "google_project_iam_binding" "example" {
  project  = "project/1234567"
- role    =  <ANY OF THE ROLES LISTED ABOVE>
  members  = [
  "user:[email protected]",
  ]
}