Control: Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Description
It is recommended to assign the Service Account User (iam.serviceAccountUser) and Service Account Token Creator (iam.serviceAccountTokenCreator) roles to a user for a specific service account rather than assigning the role to a user at project level.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.iam_user_not_assigned_service_account_user_role_project_level
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run gcp_compliance.control.iam_user_not_assigned_service_account_user_role_project_level --share
SQL
This control uses a named query:
with unapproved_bindings as (
  select
    project,
    p,
    entity
  from
    gcp_iam_policy,
    jsonb_array_elements(bindings) as p,
    jsonb_array_elements_text(p -> 'members') as entity
  where
    p ->> 'role' in ('roles/iam.serviceAccountTokenCreator','roles/iam.serviceAccountUser')
    and entity not like '%iam.gserviceaccount.com'
)
select
  p.project as resource,
  case
    when entity is not null then 'alarm'
    else 'ok'
  end as status,
  case
    when entity is not null then 'IAM users associated with iam.serviceAccountTokenCreator or iam.serviceAccountUser role.'
    else 'No IAM users associated with iam.serviceAccountTokenCreator or iam.serviceAccountUser role.'
  end as reason
  , p.project as project
from
  gcp_iam_policy as p
  left join unapproved_bindings as b on p.project = b.project;
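Added example (not part of the Powerpipe mod): the same filter applied in Python to a project IAM policy document, with the weak project-level assignment beside the corrected layout where the grant lives on one service account. It assumes the bindings/role/members shape of an IAM policy as exported in JSON; the function name, principals and project name are constructed for illustration.

```python
# Roles named in the control's query.
RESTRICTED_ROLES = {
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
}

def project_level_findings(policy):
    """Return (role, member) pairs the control would alarm on."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") not in RESTRICTED_ROLES:
            continue
        for member in binding.get("members", []):
            # Same filter as the query: skip members ending in iam.gserviceaccount.com.
            if not member.endswith("iam.gserviceaccount.com"):
                findings.append((binding["role"], member))
    return findings

# Constructed sample: project-level policy with the weak assignment.
WEAK_PROJECT_POLICY = {"bindings": [
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:alice@example.com",
                 "serviceAccount:build@demo-project.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["group:ops@example.com"]},
    {"role": "roles/viewer", "members": ["user:bob@example.com"]},
]}

# Constructed sample: corrected layout. The project policy no longer carries
# the two roles; the grant sits on one service account's own policy instead.
FIXED_PROJECT_POLICY = {"bindings": [
    {"role": "roles/viewer", "members": ["user:bob@example.com"]},
]}
# Policy attached to a single service account (not read by the project-level check).
SERVICE_ACCOUNT_POLICY = {"bindings": [
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:alice@example.com"]},
]}

if __name__ == "__main__":
    print("weak :", project_level_findings(WEAK_PROJECT_POLICY))
    print("fixed:", project_level_findings(FIXED_PROJECT_POLICY))
```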