Roles impersonate or manage Service Accounts used at folder level
Description
The IAM role is an identity with specific permissions. An IAM role is similar to an IAM user: it has a Google identity with permission policies that determine what the identity can and cannot do in Google Cloud. Certain IAM roles contain permissions that enable a user with the role to impersonate or manage service accounts in a GCP folder through IAM inheritance from a higher resource, i.e., folder binding.
We recommend you do not set IAM role bindings with known dangerous roles that enable impersonation at the folder level.
The following roles enable identities to impersonate all service account identities within a project if the identity is granted the role at the project, folder, or organization level. The following list includes our _current _recommendations for dangerous roles, however, it is not exhaustive as permissions and roles change frequently.
Primitive Roles:
- roles/owner
- roles/editor
Predefined Roles:
- roles/iam.securityAdmin
- roles/iam.serviceAccountAdmin
- roles/iam.serviceAccountKeyAdmin
- roles/iam.serviceAccountUser
- roles/iam.serviceAccountTokenCreator
- roles/iam.workloadIdentityUser
- roles/dataproc.editor
- roles/dataproc.admin
- roles/dataflow.developer
- roles/resourcemanager.folderAdmin
- roles/resourcemanager.folderIamAdmin
- roles/resourcemanager.projectIamAdmin
- roles/resourcemanager.organizationAdmin
- roles/cloudasset.viewer
- roles/cloudasset.owner
Service Agent Roles:
Service agent roles should not be used for any identities other than the Google managed service account they are associated with.
- roles/serverless.serviceAgent
- roles/dataproc.serviceAgent
Fix - Buildtime
Terraform
- Resources:
google_folder_iam_member
google_folder_iam_binding - Argument: role
```go google_folder_iam_member
resource "google_folder_iam_member" "example" {
folder = "folders/1234567"
- role =
```json google_folder_iam_binding
resource "google_folder_iam_binding" "example" {
folder = "folders/1234567"
- role = <ANY OF THE ROLES LISTED ABOVE>
members = [
"user:[email protected]",
]
}