cloud-foundation-fabric

Possibly over-privileged service account in scheduled-asset-inventory-export-bq

Open kbroughton opened this issue 2 years ago • 1 comment

On line 39 of the scheduled-asset-inventory-export-bq/main.tf the robot service account is granted projectIamAdmin.

"roles/resourcemanager.projectIamAdmin" = ["serviceAccount:${module.project.service_accounts.robots.cloudasset}"]

Granting project-wide admin is generally discouraged. Is such a high privilege really needed?

kbroughton avatar Nov 07 '22 14:11 kbroughton

@lcaggio can you take a look? if that's really needed, we might want to limit it via delegated role grants.

ludoo avatar Nov 07 '22 14:11 ludoo
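As an added illustration of the "delegated role grants" alternative mentioned above (example code, not code from cloud-foundation-fabric or from the blueprint under discussion): the broad binding from the issue is shown beside an equivalent binding carrying an IAM condition on `iam.googleapis.com/modifiedGrantsByRole`, which lets the service account keep `projectIamAdmin` but only add or remove the roles listed in the condition. `PROJECT_ID`, `ROBOT_SA_EMAIL` and the role list in `hasOnly([...])` are placeholders and assumptions, not values taken from the blueprint; only one of the two resources should actually be applied.

```hcl
# Added example, not part of cloud-foundation-fabric.
# PROJECT_ID and ROBOT_SA_EMAIL are placeholders for the project and the
# Cloud Asset robot service account the blueprint creates.
locals {
  project_id = "PROJECT_ID"
  robot_sa   = "serviceAccount:ROBOT_SA_EMAIL"
}

# Before: unconditional project-wide IAM admin, as in the grant quoted in the issue.
# The account can grant any role, including Owner, to any member in the project.
resource "google_project_iam_member" "robot_iam_admin_broad" {
  project = local.project_id
  role    = "roles/resourcemanager.projectIamAdmin"
  member  = local.robot_sa
}

# After: same role, but a condition restricts every setIamPolicy call made with
# this binding to modifying only the roles listed (assumed here to be the role
# the export needs on its BigQuery dataset). A policy change that touches any
# other role is rejected, so the blast radius of a compromised robot SA shrinks
# from "any role in the project" to the listed roles.
resource "google_project_iam_member" "robot_iam_admin_delegated" {
  project = local.project_id
  role    = "roles/resourcemanager.projectIamAdmin"
  member  = local.robot_sa

  condition {
    title       = "delegated-role-grants-only"
    description = "May only grant or revoke the listed roles"
    expression  = "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/bigquery.dataEditor'])"
  }
}
```

Two caveats worth checking before adopting this: the condition limits which roles the account may change, not which members it may grant them to, and a conditional binding still carries all the read permissions of `projectIamAdmin`. If the export turns out not to need to modify IAM policy at all, dropping the role entirely is the simpler fix.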

@lcaggio can you take a look?

juliocc avatar Feb 07 '23 12:02 juliocc

@lcaggio can you check this, or should we close it?

ludoo avatar Mar 16 '23 17:03 ludoo