More Info:

Ensures that no users have the Service Account User role. The Service Account User role gives users the access to all service accounts of a project. This can result in an elevation of privileges and is not recommended.

Risk Level

Medium

Address

Security

Compliance Standards

CISGCP, CBP, HIPAA, ISO27001

Remediation

Using Console

To remediate the issue “Service Account User Should Not Have Service Account Token Creator Role” for GCP using GCP console, follow these steps:

  1. Login to your GCP console.
  2. Navigate to the IAM & admin page.
  3. Click on the “IAM” tab.
  4. Find the user account that has the “Service Account Token Creator” role assigned to it.
  5. Click on the edit icon (pencil) next to the user account.
  6. Scroll down to the “Service Account Actor” section.
  7. Find the service account that the user account is associated with.
  8. Click on the edit icon (pencil) next to the service account.
  9. Scroll down to the “Role” section.
  10. Find the “Service Account Token Creator” role and remove it from the list of assigned roles.
  11. Click on “Save” to save the changes.

After completing these steps, the user account will no longer have the “Service Account Token Creator” role assigned to it, which will remediate the misconfiguration.

Using CLI

To remediate the misconfiguration “Service Account User Should Not Have Service Account Token Creator Role” for GCP using GCP CLI, you can follow the below steps:

  1. Open the GCP Cloud Shell by clicking on the Activate Cloud Shell button on the top right corner of the GCP console.

  2. Run the following command to list all the service accounts in your GCP project:

gcloud iam service-accounts list

  1. Select the service account that you want to remediate and note its email address.

  2. Run the following command to list all the roles assigned to the service account:

gcloud projects get-iam-policy <project-id> --flatten="bindings[].members" --format='table(bindings.role)' --filter="bindings.members:<service-account-email>"

Replace <project-id> with your GCP project ID and <service-account-email> with the email address of the service account that you want to remediate.

  1. Check if the service account has the roles/iam.serviceAccountTokenCreator role assigned to it. If yes, then it needs to be removed.

  2. Run the following command to remove the roles/iam.serviceAccountTokenCreator role from the service account:

gcloud projects remove-iam-policy-binding <project-id> --member="serviceAccount:<service-account-email>" --role="roles/iam.serviceAccountTokenCreator"

Replace <project-id> with your GCP project ID and <service-account-email> with the email address of the service account that you want to remediate.

  1. Verify that the roles/iam.serviceAccountTokenCreator role has been removed from the service account by running the command in step 4 again.

By following these steps, you can remediate the misconfiguration “Service Account User Should Not Have Service Account Token Creator Role” for GCP using GCP CLI.

Using Python

To remediate the misconfiguration “Service Account User Should Not Have Service Account Token Creator Role” for GCP using Python, follow these steps:

  1. First, you need to identify the service account user who has the Service Account Token Creator role. You can do this by running the following command in the Cloud Shell:

    gcloud iam service-accounts list

  2. Once you have identified the service account user, you need to remove the Service Account Token Creator role from the user. You can do this by running the following command in the Cloud Shell:

    from google.oauth2 import service_account
from googleapiclient.discovery import build

credentials = service_account.Credentials.from_service_account_file('<path_to_service_account_key_file>')
service = build('iam', 'v1', credentials=credentials)

user_email = '<service_account_user_email>'
project_id = '<project_id>'
role_name = 'roles/iam.serviceAccountTokenCreator'

policy = service.projects().getIamPolicy(resource=project_id, body={}).execute()

for binding in policy['bindings']:
    if binding['role'] == role_name and user_email in binding['members']:
        binding['members'].remove(user_email)

service.projects().setIamPolicy(resource=project_id, body={'policy': policy}).execute()

    Note: Replace <path_to_service_account_key_file>, <service_account_user_email> and <project_id> with the appropriate values.

  3. Once you have run the above command, verify that the Service Account Token Creator role has been removed from the service account user by running the following command in the Cloud Shell:

    gcloud projects get-iam-policy <project_id> --flatten="bindings[].members" --format='table(bindings.role)' --filter="bindings.members:<service_account_user_email>"

    This should return an empty table, indicating that the user no longer has the Service Account Token Creator role.

  4. Finally, you should review your organization’s IAM policies and best practices to ensure that service account users are not granted unnecessary permissions in the future.

Additional Reading: