Skip to content

Roles impersonate or manage Service Accounts used at folder level

Description

The IAM role is an identity with specific permissions. An IAM role is similar to an IAM user: it has a Google identity with permission policies that determine what the identity can and cannot do in Google Cloud. Certain IAM roles contain permissions that enable a user with the role to impersonate or manage service accounts in a GCP folder through IAM inheritance from a higher resource, i.e., folder binding.

We recommend you do not set IAM role bindings with known dangerous roles that enable impersonation at the folder level.

The following roles enable identities to impersonate all service account identities within a project if the identity is granted the role at the project, folder, or organization level. The following list includes our _current _recommendations for dangerous roles, however, it is not exhaustive as permissions and roles change frequently.

Primitive Roles:

  • roles/owner
  • roles/editor

Predefined Roles:

  • roles/iam.securityAdmin
  • roles/iam.serviceAccountAdmin
  • roles/iam.serviceAccountKeyAdmin
  • roles/iam.serviceAccountUser
  • roles/iam.serviceAccountTokenCreator
  • roles/iam.workloadIdentityUser
  • roles/dataproc.editor
  • roles/dataproc.admin
  • roles/dataflow.developer
  • roles/resourcemanager.folderAdmin
  • roles/resourcemanager.folderIamAdmin
  • roles/resourcemanager.projectIamAdmin
  • roles/resourcemanager.organizationAdmin
  • roles/cloudasset.viewer
  • roles/cloudasset.owner

Service Agent Roles:
Service agent roles should not be used for any identities other than the Google managed service account they are associated with.

  • roles/serverless.serviceAgent
  • roles/dataproc.serviceAgent

Fix - Buildtime

Terraform

  • Resources:
    google_folder_iam_member
    google_folder_iam_binding
  • Argument: role

```go google_folder_iam_member resource "google_folder_iam_member" "example" { folder = "folders/1234567" - role = member = "user:[email protected]" }

```json google_folder_iam_binding
resource "google_folder_iam_binding" "example" {
  folder  = "folders/1234567"
- role    =  <ANY OF THE ROLES LISTED ABOVE>
  members  = [
  "user:[email protected]",
  ]
}