GCP + Terraform: Service account access is granted to a user at project level
I am running into a problem when trying to apply this terraform file on GCP.
Results #1-2 MEDIUM Service account access is granted to a user at project level. (2 similar results)
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
iam.tf Line 18
───────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
9 │ resource "google_project_iam_member" "permissions" {
10 │ for_each = toset([
11 │ "logging.logWriter",
12 │ "errorreporting.writer",
13 │ "iam.serviceAccountUser",
14 │ "iam.serviceAccountTokenCreator",
15 │ "workflows.invoker"
16 │ ])
17 │ provider = google-beta
18 │ role = "roles/${each.key}"
19 │ member = "serviceAccount:${google_service_account.default.email}"
20 │ }
───────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Individual Causes
- /Users/oussamafathallah/git/btdp/modules/00-oauth2-relay/iac/iam.tf:9-20 (google_project_iam_member.permissions)
- /Users/oussamafathallah/git/btdp/modules/00-oauth2-relay/iac/iam.tf:9-20 (google_project_iam_member.permissions)
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
ID google-iam-no-project-level-service-account-impersonation
Impact Privilege escalation, impersonation of any/all services
Resolution Provide access at the service-level instead of project-level, if required
More Information
- https://aquasecurity.github.io/tfsec/v1.0.2/checks/google/iam/no-project-level-service-account-impersonation/
- https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam
Could you help me fix this? I am new to GCP and Terraform. Thanks!
Granting the role "iam.serviceAccountTokenCreator" is what triggers the warning.
That role allows the user to escalate privileges by using the service account.
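The tfsec check in the question (google-iam-no-project-level-service-account-impersonation) fires when an impersonation role, roles/iam.serviceAccountUser or roles/iam.serviceAccountTokenCreator, is bound at project scope, because a project-level binding lets the member act as or mint tokens for every service account in the project. The fix the check's "Resolution" line suggests is to keep the non-impersonation roles at project level and bind the impersonation roles on the one service account that actually needs to be impersonated. The following is an added example, not the asker's or answerer's code; it assumes a `var.project_id` variable, the `google_service_account.default` resource from the question, and a second, hypothetical `google_service_account.target` resource that `default` is allowed to impersonate.

```hcl
# Added example, not code from the question or answer.
# Assumptions: `var.project_id`, `google_service_account.default` (the identity
# receiving the roles, as in the question) and `google_service_account.target`
# (a hypothetical account that `default` is permitted to impersonate).

# Roles that do not allow acting as another identity can stay at project
# level; tfsec's impersonation check does not flag these.
resource "google_project_iam_member" "project_roles" {
  for_each = toset([
    "logging.logWriter",
    "errorreporting.writer",
    "workflows.invoker",
  ])
  project = var.project_id
  role    = "roles/${each.key}"
  member  = "serviceAccount:${google_service_account.default.email}"
}

# Impersonation roles are bound on a single service-account resource instead
# of the project, so `default` can act as / create tokens for `target` only,
# not for every service account in the project.
resource "google_service_account_iam_member" "impersonation" {
  for_each = toset([
    "iam.serviceAccountUser",
    "iam.serviceAccountTokenCreator",
  ])
  # `name` is the fully-qualified resource name
  # (projects/{project}/serviceAccounts/{email}), which is what
  # service_account_id expects.
  service_account_id = google_service_account.target.name
  role               = "roles/${each.key}"
  member             = "serviceAccount:${google_service_account.default.email}"
}
```

After this change, re-run tfsec on the module: the two MEDIUM results should disappear, since no impersonation role is attached to the project any more. If `default` only needs to impersonate itself (for example to sign URLs), point `service_account_id` at `google_service_account.default.name` instead of a second account; the important part is that the binding is on a specific service account, not on the project.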