Skip to content

no-project-level-service-account-impersonation

Default Severity: medium

Explanation

Users with service account access at project level can impersonate any service account. Instead, they should be given access to particular service accounts as required.

Possible Impact

Privilege escalation, impersonation of any/all services

Suggested Resolution

Provide access at the service-level instead of project-level, if required

Insecure Example

The following example will fail the google-iam-no-project-level-service-account-impersonation check.

 resource "google_project_iam_binding" "project-123" {
    project = "project-123"
    role    = "roles/iam.serviceAccountUser"
 }

Secure Example

The following example will pass the google-iam-no-project-level-service-account-impersonation check.

 resource "google_project_iam_binding" "project-123" {
    project = "project-123"
    role    = "roles/nothingInParticular"
 }