Ensure permissions to impersonate a service account are not granted at project level

Granting users or service accounts with one of the roles: roles/iam.workloadIdentityUser / roles/iam.serviceAccountUser / roles/iam.serviceAccountTokenCreator will in practice grant them with all of the permissions of the service accounts in the project, which violates the principle of least privilege. These roles needs to be granted at the service account level and not project level.

Risk Level: Critical
Cloud Entity: GCP IAM Policy
CloudGuard Rule ID: D9.GCP.IAM.15
Covered by Spectral: Yes
Category: Security, Identity, & Compliance


GcpIamPolicy should not have bindings contain-any [ role in ('roles/iam.workloadIdentityUser', 'roles/iam.serviceAccountUser', 'roles/iam.serviceAccountTokenCreator') ]


From Portal
In order to add permissions for an identity to use a specific service account, follow these instructions:

  1. Go to IAM - Service accounts using https://console.cloud.google.com/iam-admin/serviceaccounts
  2. Select the service account that you want to allow to impersonate, click Permissions
  3. Under Members click Grant access
  4. Enter the user's / service account email and select the role to allow impersonating.
  5. Click Save to apply changes

From Command Line

  1. Get the policy that you want to modify, and write it to a yaml file:
gcloud iam service-accounts get-iam-policy SERVICE_ACCOUNT_ID PATH_TO_NEW_FILE
  1. In the created yaml, add new biding with the role and the member that should be granted with it.
  2. Set the new iam policy of the service account:
gcloud iam service-accounts set-iam-policy SERVICE_ACCOUNT_ID PATH_TO_NEW_FILE

In order to remove the project level permissions:

  1. Get the policy that you want to modify, and write it to a yaml file:
gcloud projects get-iam-policy PROJECT_ID PATH_TO_NEW_FILE
  1. In the created yaml, detect the member with the overly permissive roles and delete these roles.
  2. Set the new iam policy of the project:
gcloud projects set-iam-policy PROJECT_ID PATH_TO_NEW_FILE


  1. https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/get-iam-policy
  2. https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/set-iam-policy
  3. https://cloud.google.com/sdk/gcloud/reference/projects/get-iam-policy
  4. https://cloud.google.com/sdk/gcloud/reference/projects/set-iam-policy
  5. https://cloud.google.com/iam/docs/impersonating-service-accounts#impersonate-sa-level
  6. https://cloud.google.com/iam/docs/impersonating-service-accounts#allow-impersonation

GCP IAM Policy

You can grant roles to users by creating a Cloud IAM policy, which is a collection of statements that define who has what type of access. A policy is attached to a resource and is used to enforce access control whenever that resource is accessed.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CloudGuard Best Practices
  • GCP CloudGuard CheckUp
  • GCP GDPR Readiness
  • GCP LGPD regulation
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5
  • GCP PCI-DSS 4.0