Risk Level: High
Cloud Entity: GCP IAM User
CloudGuard Rule ID: D9.GCP.IAM.18
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

GcpIamUser should not have roleNames contain [ $ like 'roles/iam.serviceAccountAdmin' ] and roleNames contain [ $ in ('roles/iam.serviceAccountTokenCreator', 'roles/iam.serviceAccountUser', 'roles/iam.workloadIdentityUser') ]

REMEDIATION

From Portal

Go to IAM & admin/IAM using https://console.cloud.google.com/iam-admin/iam
Go to the Principals
Identify the Principal with both admin and user roles and remove one of: 'roles/iam.serviceAccountAdmin' or ('roles/iam.serviceAccountTokenCreator', 'roles/iam.serviceAccountUser', 'roles/iam.workloadIdentityUser').

From Command Line

Get the policy that you want to modify, and write it to a file:

gcloud projects get-iam-policy PROJECT_ID > PATH_TO_NEWLY_CREATED_FILE

In the created file, remove one of: 'roles/iam.serviceAccountAdmin' or ('roles/iam.serviceAccountTokenCreator', 'roles/iam.serviceAccountUser', 'roles/iam.workloadIdentityUser') of the member that contain both roles.
Set the new iam policy:

gcloud projects set-iam-policy PROJECT_ID PATH_TO_EDITED_FILE

References

GCP IAM User

An IAM user is an entity that you create in GCP to represent the person or service that uses it to interact with GCP.

Compliance Frameworks

CloudGuard GCP All Rules Ruleset
GCP CIS Controls V 8
GCP CIS Foundations v. 1.0.0
GCP CIS Foundations v. 1.1.0
GCP CIS Foundations v. 1.2.0
GCP CIS Foundations v. 1.3.0
GCP CIS Foundations v. 2.0
GCP CloudGuard Best Practices
GCP GDPR Readiness
GCP LGPD regulation
GCP NIST 800-53 Rev 5