Service Accounts Admin And User Permissions Should Not Be Assigned At The Same Time

Using Console

Using CLI

To remediate the misconfiguration of assigning both Service Accounts Admin and User permissions at the same time in GCP using GCP CLI, follow these steps:

Open the Google Cloud Shell from the GCP console.
Run the following command to list all the IAM policies of the project:

gcloud projects get-iam-policy <PROJECT_ID>

Replace <PROJECT_ID> with the actual project ID.

Identify the service account that has both Service Accounts Admin and User permissions assigned to it.
Run the following command to remove the Service Accounts Admin role from the service account:

gcloud projects remove-iam-policy-binding <PROJECT_ID> --member=serviceAccount:<SERVICE_ACCOUNT_EMAIL> --role=roles/iam.serviceAccountAdmin

Replace <PROJECT_ID> with the actual project ID and <SERVICE_ACCOUNT_EMAIL> with the email address of the service account.

Verify that the Service Accounts Admin role has been removed from the service account by running the following command:

gcloud projects get-iam-policy <PROJECT_ID> --flatten="bindings[].members" --format="table(bindings.role, bindings.members)" --filter="bindings.members:<SERVICE_ACCOUNT_EMAIL>"

Replace <PROJECT_ID> with the actual project ID and <SERVICE_ACCOUNT_EMAIL> with the email address of the service account.

If the User role is still assigned to the service account, run the following command to remove it:

gcloud projects remove-iam-policy-binding <PROJECT_ID> --member=serviceAccount:<SERVICE_ACCOUNT_EMAIL> --role=roles/iam.serviceAccountUser

Replace <PROJECT_ID> with the actual project ID and <SERVICE_ACCOUNT_EMAIL> with the email address of the service account.

Verify that the User role has been removed from the service account by running the following command:

gcloud projects get-iam-policy <PROJECT_ID> --flatten="bindings[].members" --format="table(bindings.role, bindings.members)" --filter="bindings.members:<SERVICE_ACCOUNT_EMAIL>"

Replace <PROJECT_ID> with the actual project ID and <SERVICE_ACCOUNT_EMAIL> with the email address of the service account.

Repeat steps 3-7 for any other service accounts that have both Service Accounts Admin and User permissions assigned to them.

By following these steps, you will successfully remediate the misconfiguration of assigning both Service Accounts Admin and User permissions at the same time for GCP using GCP CLI.

Using Python

To remediate the misconfiguration “Service Accounts Admin And User Permissions Should Not Be Assigned At The Same Time” in GCP using Python, follow these steps:

Create a list of all the service accounts in your GCP project using the following code:

from google.oauth2 import service_account
from googleapiclient.discovery import build

credentials = service_account.Credentials.from_service_account_file(
    'path/to/your/credentials.json'
)

service = build('iam', 'v1', credentials=credentials)

response = service.projects().serviceAccounts().list(name='projects/your-project-id').execute()

service_account_emails = [account['email'] for account in response['accounts']]

For each service account in the list, check if it has both admin and user permissions assigned to it using the following code:

for email in service_account_emails:
    response = service.projects().serviceAccounts().get(name=f'projects/your-project-id/serviceAccounts/{email}').execute()
    for role in response['iam_roles']:
        if 'admin' in role.lower() and 'user' in role.lower():
            print(f'Service account {email} has both admin and user permissions assigned to it.')

If any service account has both admin and user permissions assigned to it, remove the user permissions using the following code:

for email in service_account_emails:
    response = service.projects().serviceAccounts().get(name=f'projects/your-project-id/serviceAccounts/{email}').execute()
    roles_to_remove = []
    for role in response['iam_roles']:
        if 'admin' in role.lower() and 'user' in role.lower():
            roles_to_remove.append(role)
    if roles_to_remove:
        body = {
            'updateMask': 'iam_roles',
            'iam_roles': [role for role in response['iam_roles'] if role not in roles_to_remove]
        }
        service.projects().serviceAccounts().patch(name=f'projects/your-project-id/serviceAccounts/{email}', body=body).execute()
        print(f'Removed user permissions from service account {email}.')

Note: Replace “your-project-id” with the ID of your GCP project and “path/to/your/credentials.json” with the path to your GCP service account credentials file. Also, make sure that the credentials have the necessary permissions to manage service accounts in your GCP project.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Service Accounts Admin And User Permissions Should Not Be Assigned At The Same Time

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: