Cyscale
Back to controls

Ensure IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level

It is recommended to assign the `Service Account User` (iam.serviceAccountUser) and `Service Account Token Creator` (iam.serviceAccountTokenCreator) roles to a user for a specific service account rather than assigning the role to a user at project level.

Category

Controls

Medium

Applies to

Google Cloud

Coverage

1 queries

Asset types

2 covered

Overview

It is recommended to assign the Service Account User (iam.serviceAccountUser) and Service Account Token Creator (iam.serviceAccountTokenCreator) roles to a user for a specific service account rather than assigning the role to a user at project level.

Rationale

A service account is a special Google account that belongs to an application or a virtual machine (VM), instead of to an individual end-user. The application/VM-Instance uses the service account to call the service's Google API so that users aren't directly involved. In addition to being an identity, a service account is a resource that has IAM policies attached to it. These policies determine who can use the service account.

Users with IAM roles to update the App Engine and Compute Engine instances (such as App Engine Deployer or Compute Instance Admin) can effectively run code as the service accounts used to run these instances, and indirectly gain access to all the resources for which the service accounts have access. Similarly, SSH access to a Compute Engine instance may also provide the ability to execute code as that instance/Service account.

Based on business needs, there could be multiple user-managed service accounts configured for a project. Granting the iam.serviceAccountUser or iam.serviceAccountTokenCreator roles to a user for a project gives the user access to all service accounts in the project, including service accounts that may be created in the future. This can result in elevation of privileges by using service accounts and corresponding Compute Engine instances.

In order to implement least privileges best practices, IAM users should not be assigned the Service Account User or Service Account Token Creator roles at the project level. Instead, these roles should be assigned to a user for a specific service account, giving that user access to the service account. The Service Account User allows a user to bind a service account to a long-running job service, whereas the Service Account Token Creator role allows a user to directly impersonate (or assert) the identity of a service account.

Impact

After revoking Service Account User or Service Account Token Creator roles at the project level from all impacted user account(s), these roles should be assigned to a user(s) for specific service account(s) according to business needs.

Remediation guidance

Google Cloud Remediation

Service-wide fix (recommended): remove project-level roles/iam.serviceAccountUser and roles/iam.serviceAccountTokenCreator grants, then re-grant them only on the specific service accounts that a user or automation actually needs.

Google Cloud console

  1. Open IAM for the project.
  2. Filter for Service Account User and Service Account Token Creator.
  3. Remove project-level bindings that grant those roles broadly.
  4. Re-grant the role on the specific service account resource instead of the whole project.

Google Cloud CLI

Export the project IAM policy:

gcloud projects get-iam-policy <project-id> > /tmp/project-policy.yaml

Remove any project-level bindings for roles/iam.serviceAccountUser or roles/iam.serviceAccountTokenCreator, then apply the updated project policy:

gcloud projects set-iam-policy <project-id> /tmp/project-policy.yaml

Re-grant the role on a specific service account only:

gcloud iam service-accounts add-iam-policy-binding <service-account-email> --member='user:<user-email>' --role='roles/iam.serviceAccountUser'

Or for token creation on one specific service account:

gcloud iam service-accounts add-iam-policy-binding <service-account-email> --member='user:<user-email>' --role='roles/iam.serviceAccountTokenCreator'

Operational notes

  • Project-level grants apply to all current and future service accounts in that project, which is the core risk this control is trying to remove.
  • Preserve the etag when editing IAM policy files so you do not overwrite concurrent changes.
  • Review CI/CD and deployment tooling before removing project-level grants; these roles are often buried in automation.

References

  • https://docs.cloud.google.com/sdk/gcloud/reference/projects/set-iam-policy
  • https://docs.cloud.google.com/sdk/gcloud/reference/iam/service-accounts/add-iam-policy-binding
  • https://docs.cloud.google.com/sdk/gcloud/reference/iam/service-accounts/get-iam-policy

Query logic

These are the stored checks tied to this control.

IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level

Connectors

Google Cloud

Covered asset types

IAMServiceAccountIAMUser

Expected check: eq []

GCP110IAM6{...AssetFragment}
Cyscale Logo
Cyscale is an agentless cloud-native application protection platform (CNAPP) that automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.

Stay connected

Receive new blog posts and product updates from Cyscale

By clicking Subscribe, I agree to Cyscale’s Privacy Policy

© 2026 Cyscale Limited

© 2026 Cyscale Limited

Terms of useSecurity PolicyPrivacy PolicyStatusSitemap
Terms of useSecurity PolicyPrivacy Policy
StatusSitemap
LinkedIn icon
Twitter icon
Facebook icon
crunch base icon
angel icon