Description

Users with service account access at folder level can impersonate any service account. Instead, they should be given access to particular service accounts as required.

Resolution: Provide access at the service-level instead of folder-level, if required.

Examples

Example of incorrect code:

Example of correct code:

resource "google_folder_iam_binding" "folder-123" {
	folder = "folder-123"
	role    = "roles/nothingInParticular"
}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Files

google-iam-no-folder-level-service-account-impersonation.md

google-iam-no-folder-level-service-account-impersonation.md

Description

Examples

Files

google-iam-no-folder-level-service-account-impersonation.md

Latest commit

History

google-iam-no-folder-level-service-account-impersonation.md

File metadata and controls

Description

Examples