GCP+Terraform: Service account access is granted to a user at project level

I ran into a problem when trying to run this Terraform file on GCP:
Results #1-2 MEDIUM Service account access is granted to a user at project level. (2 similar results)
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
iam.tf Line 18
───────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
9  │ resource "google_project_iam_member" "permissions" {
10  │   for_each = toset([
11  │     "logging.logWriter",
12  │     "errorreporting.writer",
13  │     "iam.serviceAccountUser",
14  │     "iam.serviceAccountTokenCreator",
15  │     "workflows.invoker"
16  │   ])
17  │   provider = google-beta
18  │   role     = "roles/${each.key}"
19  │   member   = "serviceAccount:${google_service_account.default.email}"
20  │ }
───────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Individual Causes
- /Users/oussamafathallah/git/btdp/modules/00-oauth2-relay/iac/iam.tf:9-20 (google_project_iam_member.permissions)
- /Users/oussamafathallah/git/btdp/modules/00-oauth2-relay/iac/iam.tf:9-20 (google_project_iam_member.permissions)
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
ID google-iam-no-project-level-service-account-impersonation
Impact Privilege escalation, impersonation of any/all services
Resolution Provide access at the service-level instead of project-level, if required
More Information
- https://aquasecurity.github.io/tfsec/v1.0.2/checks/google/iam/no-project-level-service-account-impersonation/
- https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam

Could you help me with this problem? I am new to GCP and Terraform. Thanks a lot.

Granting this role, "iam.serviceAccountTokenCreator", causes the warning.

This role allows a user to use a service account with elevated privileges.

Prevent privilege escalation threats.
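One way to restructure iam.tf so that the tfsec check passes is to keep the non-impersonation roles on the project and bind the two impersonation roles on the single service account that actually needs to be impersonated. This is an added example, not the asker's file or the answerer's code; `google_service_account.target` is a hypothetical resource standing in for that account.

```hcl
# Added example: roles that genuinely apply to the whole project stay
# on the project, exactly as in the original file.
resource "google_project_iam_member" "project_roles" {
  for_each = toset([
    "logging.logWriter",
    "errorreporting.writer",
    "workflows.invoker",
  ])
  provider = google-beta
  role     = "roles/${each.key}"
  member   = "serviceAccount:${google_service_account.default.email}"
}

# The impersonation roles are bound on one service account instead of the
# project, so the default SA can only act as / mint tokens for that account
# rather than for every service account in the project.
# `google_service_account.target` is an assumed resource; if the default SA
# only needs to mint tokens for itself (e.g. to sign blobs), use
# google_service_account.default.name here instead.
resource "google_service_account_iam_member" "impersonation" {
  for_each = toset([
    "iam.serviceAccountUser",
    "iam.serviceAccountTokenCreator",
  ])
  provider           = google-beta
  service_account_id = google_service_account.target.name
  role               = "roles/${each.key}"
  member             = "serviceAccount:${google_service_account.default.email}"
}
```

Re-running tfsec after this change should no longer report google-iam-no-project-level-service-account-impersonation, because no project-level binding of `iam.serviceAccountUser` or `iam.serviceAccountTokenCreator` remains.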
