Service accounts should only be bound to non-administrative roles
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Description
A service account is a special Google account that belongs to an application or a VM, instead
of to an individual end-user. The application uses the service account to call the service’s
Google API so that users aren’t directly involved. It’s recommended not to use admin roles for ServiceAccount.
Default value
User-managed (and not user-created) default service accounts have the Editor
(roles/editor
) role assigned to them to support GCP services they offer. By default, there are no roles assigned to user-managed, user-created service accounts.
Rationale
Service accounts represent service-level security of the Resources (application or a VM)
which can be determined by the roles assigned to it. Enrolling ServiceAccount with Admin
rights gives full access to an assigned application or a VM. A ServiceAccount Access holder
can perform critical actions like delete, update, and change settings, etc. without user
intervention. For this reason, Datadog recommends that service accounts not have an Admin role.
Impact
Removing *Admin or *admin
, Editor
, or Owner
role assignments from service accounts may break functionality that uses impacted service accounts. Required role(s) should be assigned to impacted service accounts in order to restore broken functionality.
- Note: This rule provides coverage for built in admin roles only and doesn’t address scenarios where a custom role which has admin permissions is assigned to a service account.
From the console
- Go to
IAM & admin/IAM
using https://console.cloud.google.com/iam-admin/iam - Go to the
Members
- Identify
User-Managed user created service account(s)
with roles containing *Admin or *admin
, roles matching Editor
, or roles matching Owner
. - Click the
Delete bin
icon to remove the role from the member (service account in this case)
From the command line
gcloud projects get-iam-policy PROJECT_ID --format json > iam.json
Using a text editor, Remove any Role
which contains roles/ *Admin
or roles/ *admin
, or
matches roles/editor
or roles/owner
. Add a role to the bindings array that defines the group members and the role for those members.
Update the project’s IAM policy:
gcloud projects set-iam-policy PROJECT_ID iam.json
References
- https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/
- https://cloud.google.com/iam/docs/understanding-roles
- https://cloud.google.com/iam/docs/understanding-service-accounts