Control: Ensure that Service Account has no Admin privileges
Description
A service account is a special Google account that belongs to an application or a VM instance rather than to an individual end user. The application uses the service account to call Google APIs, so that no human user is directly involved. It is recommended that service accounts not be granted admin roles.
Usage
Run the control in your terminal:
```bash
powerpipe control run gcp_compliance.control.iam_service_account_without_admin_privilege
```

Snapshot and share results via Turbot Pipes:

```bash
powerpipe login
powerpipe control run gcp_compliance.control.iam_service_account_without_admin_privilege --share
```

SQL
This control uses a named query:
```sql
with user_roles as (
  select
    distinct split_part(entity, ':', 2) as user_name
  from
    gcp_iam_policy,
    jsonb_array_elements(bindings) as p,
    jsonb_array_elements_text(p -> 'members') as entity
  where
    p ->> 'role' like any (array ['%admin', '%Admin', '%Editor', '%Owner', '%editor', '%owner'])
    and split_part(entity, ':', 2) like '%@' || project || '.iam.gserviceaccount.com'
)
select
  'https://iam.googleapis.com/v1/projects/' || project || '/serviceAccounts/' || name as resource,
  case
    when name not like '%@' || project || '.iam.gserviceaccount.com' then 'skip'
    when name in (select user_name from user_roles) then 'alarm'
    else 'ok'
  end as status,
  case
    when name not like '%@' || project || '.iam.gserviceaccount.com' then 'Google-created service account ' || title || ' excluded.'
    when name in (select user_name from user_roles) then title || ' has admin privileges.'
    else title || ' has no admin privileges.'
  end as reason,
  project
from
  gcp_service_account;
```
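As an added example (not part of Powerpipe, Steampipe or the gcp_compliance mod), the following Python reimplements the query's three-way classification over the JSON that `gcloud projects get-iam-policy --format=json` and `gcloud iam service-accounts list --format=json` produce, so the rules can be read and tried without a Steampipe database. The rules are those of the SQL above: a service account is skipped when its email is not in the project's `@<project>.iam.gserviceaccount.com` domain (Google-managed accounts such as the Compute Engine default service account), alarmed when it is a member of a binding whose role name ends in one of the six listed suffixes, and ok otherwise. The project ID, emails and bindings in the sample are constructed, and treating Steampipe's `title` column as the display name (falling back to the email) is an assumption of this example. The sample deliberately includes `roles/compute.instanceAdmin.v1`, whose name ends in `.v1` and therefore matches none of the suffixes, to show that the control is a role-name pattern match rather than a permission analysis.

```python
import json

# Role-name suffixes the control treats as admin-equivalent. Same list as the
# SQL's `like any (array [...])`, and like LIKE it is case-sensitive:
# 'roles/owner' matches '%owner', 'roles/compute.admin' matches '%admin',
# but 'roles/compute.instanceAdmin.v1' matches nothing.
ADMIN_ROLE_SUFFIXES = ("admin", "Admin", "Editor", "Owner", "editor", "owner")


def is_admin_role(role: str) -> bool:
    """Suffix match equivalent to the query's `p ->> 'role' like any (...)`."""
    return any(role.endswith(suffix) for suffix in ADMIN_ROLE_SUFFIXES)


def member_email(member: str) -> str:
    """Equivalent of split_part(entity, ':', 2): 'serviceAccount:a@b' -> 'a@b'.

    Members without a ':' (for example 'allUsers') yield '' and never match."""
    parts = member.split(":")
    return parts[1] if len(parts) > 1 else ""


def user_managed_suffix(project: str) -> str:
    """Email domain of user-managed service accounts in `project`."""
    return f"@{project}.iam.gserviceaccount.com"


def admin_service_accounts(policy: dict, project: str) -> set:
    """The query's `user_roles` CTE: emails of user-managed service accounts of
    `project` that are members of a binding whose role name has an admin-like suffix."""
    suffix = user_managed_suffix(project)
    found = set()
    for binding in policy.get("bindings", []):
        if not is_admin_role(binding.get("role", "")):
            continue
        for member in binding.get("members", []):
            email = member_email(member)
            if email.endswith(suffix):
                found.add(email)
    return found


def evaluate(service_accounts, policy: dict, project: str) -> dict:
    """The outer select: classify every service account as skip / alarm / ok.

    Returns {email: {"resource": ..., "status": ..., "reason": ...}}."""
    admins = admin_service_accounts(policy, project)
    suffix = user_managed_suffix(project)
    results = {}
    for sa in service_accounts:
        name = sa["email"]
        # Assumption: Steampipe's `title` is the display name, else the email.
        title = sa.get("displayName") or name
        resource = f"https://iam.googleapis.com/v1/projects/{project}/serviceAccounts/{name}"
        if not name.endswith(suffix):
            status, reason = "skip", f"Google-created service account {title} excluded."
        elif name in admins:
            status, reason = "alarm", f"{title} has admin privileges."
        else:
            status, reason = "ok", f"{title} has no admin privileges."
        results[name] = {"resource": resource, "status": status, "reason": reason}
    return results


# Constructed sample input in the shape of
#   gcloud projects get-iam-policy demo-project --format=json
#   gcloud iam service-accounts list --project demo-project --format=json
# The project ID, emails and bindings are made up for this example.
SAMPLE_PROJECT = "demo-project"

SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com",
                 "serviceAccount:deployer@demo-project.iam.gserviceaccount.com"]},
    {"role": "roles/compute.instanceAdmin.v1",
     "members": ["serviceAccount:builder@demo-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:reader@demo-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                 "group:ops@example.com"]}
  ],
  "version": 1
}
""")

SAMPLE_SERVICE_ACCOUNTS = [
    {"email": "deployer@demo-project.iam.gserviceaccount.com", "displayName": "deployer"},
    {"email": "builder@demo-project.iam.gserviceaccount.com", "displayName": "builder"},
    {"email": "reader@demo-project.iam.gserviceaccount.com", "displayName": "reader"},
    {"email": "123456789012-compute@developer.gserviceaccount.com",
     "displayName": "Compute Engine default service account"},
]


if __name__ == "__main__":
    for row in evaluate(SAMPLE_SERVICE_ACCOUNTS, SAMPLE_POLICY, SAMPLE_PROJECT).values():
        print(f"{row['status']:5}  {row['reason']}")
```

Running the block prints one line per account: `deployer` is alarmed through `roles/owner`, `builder` is reported ok although `roles/compute.instanceAdmin.v1` grants it instance-level admin rights, `reader` is ok, and the Compute Engine default service account is skipped even though it holds `roles/editor`. When adapting the control, keep in mind that custom roles, and predefined roles whose names do not end in one of the six suffixes, are not flagged regardless of the permissions they carry; extending the array in the query, or checking the role's included permissions instead of its name, changes what the control reports.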