Profile Applicability:

Level 1

Description:

The roles Service Account User (iam.serviceAccountUser) and Service Account Token Creator (iam.serviceAccountTokenCreator) should be assigned to IAM users at the service account level, not at the project level, to follow the principle of least privilege.

Rationale:

Service accounts act as identities for applications or virtual machines (VMs) to interact with Google Cloud services. Granting Service Account User or Service Account Token Creator roles at the project level gives IAM users unrestricted access to all service accounts within the project, including those created in the future. This can lead to privilege escalation, as these roles allow:

  • Binding service accounts to jobs (via iam.serviceAccountUser).

  • Impersonating service accounts to perform actions on their behalf (via iam.serviceAccountTokenCreator).

To minimize risks and enforce least privilege, these roles should be granted only for specific service accounts.

Impact:

Revoking these roles at the project level may disrupt workflows or services that rely on broad permissions. Ensure that the roles are reassigned at the appropriate service account level based on business needs.

Default Value:

By default, IAM users do not have the Service Account User or Service Account Token Creator roles assigned at the project level.

Audit Steps:

Using Google Cloud Console:

  1. Navigate to IAM & Admin > IAM at GCP IAM Console.

  2. Use the filter bar and search for Role: Service Account User.

  3. Verify that no users are listed with this role at the project level.

  4. Repeat the process for Role: Service Account Token Creator.

Using Google Cloud CLI:

Check for users with the Service Account User role at the project level:

gcloud projects get-iam-policy <PROJECT_ID> --format json | jq '.bindings[].role' | grep "roles/iam.serviceAccountUser"

Check for users with the Service Account Token Creator role at the project level:

gcloud projects get-iam-policy <PROJECT_ID> --format json | jq '.bindings[].role' | grep "roles/iam.serviceAccountTokenCreator"

No output should be returned from either command.

Remediation Steps:

Using Google Cloud Console:

  1. Navigate to IAM & Admin > IAM at GCP IAM Console.

  2. Filter for Role: Service Account User and remove the role for all users listed.

  3. Repeat for Role: Service Account Token Creator.

  4. To assign these roles at the service account level:

     • Navigate to IAM & Admin > Service Accounts (Service Accounts Console).

     • Select the specific service account.

     • Click Permissions and add the desired users with the required roles.

Using Google Cloud CLI:

Retrieve the current IAM policy and save it to a file:

gcloud projects get-iam-policy <PROJECT_ID> --format json > iam.json

Edit the iam.json file to remove roles/iam.serviceAccountUser and roles/iam.serviceAccountTokenCreator bindings at the project level. Example:

{
  "bindings": [
    {
      "role": "roles/appengine.appViewer",
      "members": [
        "serviceAccount:[email protected]"
      ]
    }
  ],
  "etag": "BwUjMhCsNvY="
}

Update the IAM policy with the modified file:

gcloud projects set-iam-policy <PROJECT_ID> iam.json
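The audit and CLI remediation above can be combined in one script that works on the JSON produced by `gcloud projects get-iam-policy <PROJECT_ID> --format json`: it reports which members hold the two roles at the project level (the page's jq check only prints role names, not who holds them), writes the policy with those bindings removed while keeping the etag, and emits the per-service-account re-grant commands. This is an added example, not CIS or Google code; the sample policy and all e-mail addresses in it are constructed, and the service account passed to regrant_commands is an operator-chosen placeholder.

```python
import json
from copy import deepcopy

# Roles this recommendation says must not be bound at the project level.
PROJECT_LEVEL_FORBIDDEN = {"roles/iam.serviceAccountUser",
                           "roles/iam.serviceAccountTokenCreator"}

def find_project_level_grants(policy):
    """{role: [members]} for forbidden roles in a project IAM policy dict
    (the JSON from `gcloud projects get-iam-policy <PROJECT_ID> --format json`)."""
    findings = {}
    for b in policy.get("bindings", []):
        if b.get("role") in PROJECT_LEVEL_FORBIDDEN:
            findings.setdefault(b["role"], []).extend(b.get("members", []))
    return findings

def strip_project_level_grants(policy):
    """Copy of the policy without the forbidden bindings. The etag is kept so
    `gcloud projects set-iam-policy` refuses the write if the policy changed."""
    cleaned = deepcopy(policy)
    cleaned["bindings"] = [b for b in cleaned.get("bindings", [])
                           if b.get("role") not in PROJECT_LEVEL_FORBIDDEN]
    return cleaned

def regrant_commands(findings, sa_email):
    """gcloud commands re-granting each finding on ONE named service account
    (sa_email is a placeholder chosen by the operator per business need)."""
    return [f"gcloud iam service-accounts add-iam-policy-binding {sa_email} "
            f"--member={m} --role={role}"
            for role, members in findings.items() for m in members]

# Constructed sample policy, not taken from a real project.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/appengine.appViewer",
     "members": ["serviceAccount:app@example-proj.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:alice@example.com", "group:devs@example.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["user:bob@example.com"]}
  ],
  "etag": "BwUjMhCsNvY="
}""")

if __name__ == "__main__":
    found = find_project_level_grants(SAMPLE_POLICY)
    for role, members in found.items():
        print(f"FINDING: {role} at project level -> {', '.join(members)}")
    print(json.dumps(strip_project_level_grants(SAMPLE_POLICY), indent=2))
```

On a real project, replace SAMPLE_POLICY with `json.load(sys.stdin)` and pipe the gcloud output in; redirect the printed policy to iam.json for `gcloud projects set-iam-policy`.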

References:

  1. Understanding Service Accounts

  2. Granting Roles to Service Accounts

  3. IAM Roles Documentation

  4. Granting, Changing, and Revoking Access

CIS Controls:

| Control | Description | IG 1 | IG 2 | IG 3 |
| --- | --- | --- | --- | --- |
| 3.3 Configure Data Access Control Lists | Configure access control lists (ACLs) to enforce least privilege and grant access only as needed. | | | |
| 14.6 Protect Information through ACLs | Use ACLs to protect sensitive information and limit access to authorized users based on responsibilities. | | | |