no-project-level-service-account-impersonation
Explanation
Users with service account access at project level can impersonate any service account. Instead, they should be given access to particular service accounts as required.
Possible Impact
Privilege escalation, impersonation of any/all services
Suggested Resolution
Provide access at the service-level instead of project-level, if required
Insecure Example
The following example will fail the google-iam-no-project-level-service-account-impersonation check.
resource "google_project_iam_binding" "project-123" {
project = "project-123"
role = "roles/iam.serviceAccountUser"
}
Secure Example
The following example will pass the google-iam-no-project-level-service-account-impersonation check.
resource "google_project_iam_binding" "project-123" {
project = "project-123"
role = "roles/nothingInParticular"
}