Service Account User Should Not Have Service Account Token Creator Role
More Info:
Ensures that no users have the Service Account User role. The Service Account User role gives users the access to all service accounts of a project. This can result in an elevation of privileges and is not recommended.Risk Level
MediumAddress
SecurityCompliance Standards
CISGCP, CBP, HIPAA, ISO27001Triage and Remediation
Remediation
Using Console
Using Console
To remediate the issue “Service Account User Should Not Have Service Account Token Creator Role” for GCP using GCP console, follow these steps:
- Login to your GCP console.
- Navigate to the IAM & admin page.
- Click on the “IAM” tab.
- Find the user account that has the “Service Account Token Creator” role assigned to it.
- Click on the edit icon (pencil) next to the user account.
- Scroll down to the “Service Account Actor” section.
- Find the service account that the user account is associated with.
- Click on the edit icon (pencil) next to the service account.
- Scroll down to the “Role” section.
- Find the “Service Account Token Creator” role and remove it from the list of assigned roles.
- Click on “Save” to save the changes.
Using CLI
Using CLI
To remediate the misconfiguration “Service Account User Should Not Have Service Account Token Creator Role” for GCP using GCP CLI, you can follow the below steps:Replace Replace
- Open the GCP Cloud Shell by clicking on the Activate Cloud Shell button on the top right corner of the GCP console.
- Run the following command to list all the service accounts in your GCP project:
- Select the service account that you want to remediate and note its email address.
- Run the following command to list all the roles assigned to the service account:
<project-id> with your GCP project ID and <service-account-email> with the email address of the service account that you want to remediate.-
Check if the service account has the
roles/iam.serviceAccountTokenCreatorrole assigned to it. If yes, then it needs to be removed. -
Run the following command to remove the
roles/iam.serviceAccountTokenCreatorrole from the service account:
<project-id> with your GCP project ID and <service-account-email> with the email address of the service account that you want to remediate.- Verify that the
roles/iam.serviceAccountTokenCreatorrole has been removed from the service account by running the command in step 4 again.
Using Python
Using Python
To remediate the misconfiguration “Service Account User Should Not Have Service Account Token Creator Role” for GCP using Python, follow these steps:
-
First, you need to identify the service account user who has the Service Account Token Creator role. You can do this by running the following command in the Cloud Shell:
-
Once you have identified the service account user, you need to remove the Service Account Token Creator role from the user. You can do this by running the following command in the Cloud Shell:
Note: Replace
<path_to_service_account_key_file>,<service_account_user_email>and<project_id>with the appropriate values. -
Once you have run the above command, verify that the Service Account Token Creator role has been removed from the service account user by running the following command in the Cloud Shell:
This should return an empty table, indicating that the user no longer has the Service Account Token Creator role.
- Finally, you should review your organization’s IAM policies and best practices to ensure that service account users are not granted unnecessary permissions in the future.