You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We are seeing that for each GCP Roleset that is configured, a backing service account is created in the target project, for example: vault-roleset-t-1612985739@org-roleset-test-poc-2d32.iam.gserviceaccount.com.
These backing SAs have all the IAM permissions defined in the GCP Roleset and therefore they are privileged SAs.
This is a show-stopper for us because there are many Terraform/GCP knowledgeable people in the Organization with access to the GCP Service Accounts in the destination project(s) who could very quickly find them, write a Terraform script that impersonates them and do something unauthorized like destroying a Virtual Machine or a bucket.
We understand GCP Rolesets in Vault require these privileged backing Service Accounts.
What would it take to make these backing service accounts short lived? ie. Create them, use them and remove them after being used?
The text was updated successfully, but these errors were encountered:
We are seeing that for each GCP Roleset that is configured, a backing service account is created in the target project, for example: vault-roleset-t-1612985739@org-roleset-test-poc-2d32.iam.gserviceaccount.com.
These backing SAs have all the IAM permissions defined in the GCP Roleset and therefore they are privileged SAs.
This is a show-stopper for us because there are many Terraform/GCP knowledgeable people in the Organization with access to the GCP Service Accounts in the destination project(s) who could very quickly find them, write a Terraform script that impersonates them and do something unauthorized like destroying a Virtual Machine or a bucket.
We understand GCP Rolesets in Vault require these privileged backing Service Accounts.
What would it take to make these backing service accounts short lived? ie. Create them, use them and remove them after being used?
The text was updated successfully, but these errors were encountered: