Pattern: Use of project-level service account access for Google IAM
Issue: -
Users granted a service account impersonation role at project level can impersonate any service account in the project. Instead, they should be granted that role on the particular service accounts they need, as required.
Resolution: Grant the role on the individual service account (service-account level) rather than on the project, and only where it is required.
Example of incorrect code:
Example of correct code:
resource "google_project_iam_binding" "project-123" {
  project = "project-123"
  # Placeholder role from the original example: any project-level role that does not
  # grant service account impersonation (e.g. not roles/iam.serviceAccountUser) passes.
  role    = "roles/nothingInParticular"
  # members is a required argument of google_project_iam_binding; placeholder principal.
  members = ["user:placeholder@example.com"]
}
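Added example, not part of the original pattern text: the flagged configuration (an impersonation role bound at project scope) beside the corrected form that scopes the same role to a single service account. The project id, service account id and group address are placeholders, and the resource names are chosen here for illustration.

```hcl
# --- Flagged: project-level grant of an impersonation role ---
# Every principal in members can act as ANY service account in the project.
resource "google_project_iam_binding" "sa_user_project_wide" {
  project = "project-123"                    # placeholder project id
  role    = "roles/iam.serviceAccountUser"   # impersonation role at project scope
  members = ["group:deployers@example.com"]  # placeholder principal
}

# --- Corrected: same role, scoped to one service account ---
resource "google_service_account" "deploy" {
  project      = "project-123"               # placeholder project id
  account_id   = "deploy-sa"                 # placeholder account id
  display_name = "Deployment service account"
}

resource "google_service_account_iam_binding" "sa_user_single_sa" {
  # .name yields projects/{project}/serviceAccounts/{email}, the form
  # service_account_id expects; members may only act as this one account.
  service_account_id = google_service_account.deploy.name
  role               = "roles/iam.serviceAccountUser"
  members            = ["group:deployers@example.com"]  # placeholder principal
}
```

The same reasoning applies to `roles/iam.serviceAccountTokenCreator`, which also permits impersonation. When reviewing an existing project, inspect the project policy with `gcloud projects get-iam-policy PROJECT_ID` and look for bindings of either role at project scope; each one should be replaced with a `google_service_account_iam_binding` on the specific accounts the principals actually need.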