Google Cloud IAM policies are evaluated to find principals granted both roles/iam.serviceAccountAdmin and roles/iam.serviceAccountUser within a project. Service-account related roles are expected to be segregated so that service account lifecycle management is distinct from their use or impersonation.
Risk
With both roles, a principal can create or modify service accounts and then use or attach them to workloads, enabling unchecked impersonation. This endangers confidentiality (expanded data access), integrity (policy/workload changes), and availability (persistence or sabotage via privileged automation).
prowler gcp --checks iam_role_sa_enforce_separation_of_duties
Recommendation
Enforce separation of duties: grant roles/iam.serviceAccountAdmin to the principals that manage service account lifecycle and roles/iam.serviceAccountUser to the principals that attach or impersonate service accounts, and never grant both to the same principal.
- Apply least privilege with narrow scope and conditions
- Use temporary elevation/approvals
- Regularly audit IAM bindings and logs
Remediation
- In Google Cloud Console, go to IAM & Admin > IAM
- Click the View by Role tab
- Select the role Service Account Admin (roles/iam.serviceAccountAdmin)
- Remove all listed principals from this role and click Save
- Select the role Service Account User (roles/iam.serviceAccountUser)
- Remove all listed principals from this role and click Save
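The following added example (not Prowler's own check code, and not part of this page) shows the evaluation described at the top of the page and a scripted form of the remediation above. It reads a project IAM policy in the JSON shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`, reports every principal bound to both roles/iam.serviceAccountAdmin and roles/iam.serviceAccountUser, and prints the `gcloud projects remove-iam-policy-binding` commands that would strip those bindings. The project id, the principals and the condition in the sample policy are constructed for the example; conditional bindings count as grants, since a role held only during office hours is still a role held.

```python
"""Detect principals holding both the Service Account Admin and Service Account
User roles in a project IAM policy, and build the matching removal commands."""
import shlex

ADMIN_ROLE = "roles/iam.serviceAccountAdmin"
USER_ROLE = "roles/iam.serviceAccountUser"

# Constructed sample policy in the shape of
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
# Project id, principals and the condition are invented for this example.
SAMPLE_PROJECT = "example-project"
SAMPLE_POLICY = {
    "version": 3,
    "etag": "BwXexampleEtag=",
    "bindings": [
        {"role": ADMIN_ROLE,
         "members": ["user:alice@example.com", "group:sa-admins@example.com"]},
        {"role": USER_ROLE,
         "members": ["user:alice@example.com",
                     "serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
        # A conditional grant is still a grant and counts toward the pairing.
        {"role": USER_ROLE,
         "members": ["group:sa-admins@example.com"],
         "condition": {"title": "office-hours",
                       "expression": "request.time.getHours('UTC') < 18"}},
        {"role": "roles/viewer", "members": ["user:bob@example.com"]},
    ],
}


def bindings_for(policy, role):
    """Yield (member, condition_or_None) for every binding of the given role."""
    for binding in policy.get("bindings", []):
        if binding.get("role") != role:
            continue
        for member in binding.get("members", []):
            yield member, binding.get("condition")


def find_sod_violations(policy):
    """Return, sorted, the principals that hold both roles in this policy."""
    admins = {member for member, _ in bindings_for(policy, ADMIN_ROLE)}
    users = {member for member, _ in bindings_for(policy, USER_ROLE)}
    return sorted(admins & users)


def remediation_commands(project_id, policy):
    """Build the gcloud commands that remove a flagged principal's bindings.

    Both roles are emitted for every violator, mirroring the console steps on
    this page; an operator who wants a principal to keep exactly one of the two
    roles deletes the corresponding line before running the rest.
    """
    commands = []
    for member in find_sod_violations(policy):
        for role in (ADMIN_ROLE, USER_ROLE):
            for bound_member, condition in bindings_for(policy, role):
                if bound_member != member:
                    continue
                if condition is None:
                    cond_arg = "--condition=None"
                else:
                    # Conditional bindings must name the condition being removed.
                    cond_arg = "--condition=expression=%s,title=%s" % (
                        condition["expression"], condition["title"])
                commands.append(" ".join([
                    "gcloud projects remove-iam-policy-binding",
                    shlex.quote(project_id),
                    "--member=" + shlex.quote(member),
                    "--role=" + shlex.quote(role),
                    shlex.quote(cond_arg),
                ]))
    return commands


if __name__ == "__main__":
    for principal in find_sod_violations(SAMPLE_POLICY):
        print("FAIL: %s holds both %s and %s" % (principal, ADMIN_ROLE, USER_ROLE))
    for command in remediation_commands(SAMPLE_PROJECT, SAMPLE_POLICY):
        print(command)
```

Run against a real policy by replacing SAMPLE_POLICY with the parsed output of `gcloud projects get-iam-policy PROJECT_ID --format=json`; the printed commands are meant to be reviewed and pruned before execution, not piped straight into a shell.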
Resource Type
cloudresourcemanager.googleapis.com/Project