Pattern: Use of org-level service account access for Google IAM
Issue: -
Users granted service account access at the organization level can impersonate any service account in the organization. Instead, they should be granted access only to the particular service accounts they require.
Resolution: Grant access on the specific service account (service-account level) instead of at the organization level, where it is required.
Example of incorrect code:
Example of correct code:
resource "google_organization_iam_binding" "organization-123" {
  org_id  = "org-123"
  # A role that does not grant service account access is not flagged by this rule.
  role    = "roles/nothingInParticular"
  # members is required by the google provider; the identity below is a placeholder.
  members = ["user:placeholder@example.com"]
}
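The binding this rule flags beside its scoped replacement, as an added example that is not part of the rule's own samples; the organization id, account id and member are constructed placeholders:

```hcl
# Flagged: a service-account role bound at the organization level lets the member
# act as, or mint tokens for, every service account in the organization.
resource "google_organization_iam_binding" "org_sa_token_creator" {
  org_id  = "org-123"                              # placeholder organization id
  role    = "roles/iam.serviceAccountTokenCreator" # same concern applies to roles/iam.serviceAccountUser
  members = ["group:platform-admins@example.com"]  # constructed sample member
}

# Scoped alternative: grant the same role only on the one service account
# that actually needs to be impersonated.
resource "google_service_account" "deployer" {
  account_id   = "ci-deployer"                     # constructed sample account
  display_name = "CI deployer"
}

resource "google_service_account_iam_binding" "deployer_token_creator" {
  service_account_id = google_service_account.deployer.name
  role               = "roles/iam.serviceAccountTokenCreator"
  members            = ["group:platform-admins@example.com"]
}
```

Note that google_service_account_iam_binding is authoritative for the given role on that service account, so any other members holding that role on it are removed on apply.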