Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “Service Accounts Admin And User Permissions Should Not Be Assigned At The Same Time” for GCP using the GCP console, follow the steps below. The finding flags any principal (user, group, or service account) that holds both the Service Account Admin role (roles/iam.serviceAccountAdmin) and the Service Account User role (roles/iam.serviceAccountUser) in the same project: together they let one identity create or reconfigure service accounts and then act as them, which removes the separation of duties between managing service accounts and using them.
- Log in to the GCP console (https://console.cloud.google.com/) and select the affected project.
- Navigate to the IAM & Admin page by clicking the hamburger menu in the top left corner and selecting “IAM & Admin” from the menu.
- Select “IAM” from the left-hand menu. This view lists every principal with its project-level roles; the “Permissions” tab of an individual service account only shows grants on that one service account, so the project-level view is the one to check.
- Locate each principal that has both “Service Account Admin” and “Service Account User” assigned.
- Click the edit (pencil) icon next to that principal to open its role list.
- Remove the role the principal does not need. Usually that is the admin role; a workload that only needs to impersonate service accounts should keep Service Account User, and a person who only manages service accounts should keep Service Account Admin. Click “Save”.
- Verify that the principal now holds only one of the two roles, and repeat for any other principal the finding reported.
Using CLI
To remediate the misconfiguration of assigning both Service Account Admin and Service Account User permissions to the same principal in GCP using the GCP CLI (gcloud), follow these steps. In every command, replace <PROJECT_ID> with the actual project ID and <SERVICE_ACCOUNT_EMAIL> with the email address of the affected service account (for a user or group, use the corresponding member identifier instead).
- Open the Google Cloud Shell from the GCP console.
- List the IAM policy of the project. The output shows one binding per role with the members that hold it.
- Identify every principal that appears under both roles/iam.serviceAccountAdmin and roles/iam.serviceAccountUser.
- Remove the Service Account Admin role binding for that principal.
- Verify that the Service Account Admin role has been removed by listing the IAM policy again and confirming the principal no longer appears under that role.
- Only if the principal does not need to act as (impersonate) service accounts, also remove the Service Account User role binding. Do not strip both roles from a principal that still needs one of them: the goal is separation of duties, not removal of all access.
- If you removed the Service Account User role, verify it by listing the IAM policy again.
- Repeat the identification, removal and verification steps for any other principal that holds both roles.
Using Python
To remediate the misconfiguration “Service Accounts Admin And User Permissions Should Not Be Assigned At The Same Time” in GCP using Python, follow these steps.
Note: Replace “your-project-id” with the ID of your GCP project and “path/to/your/credentials.json” with the path to your GCP service account credentials file. Also make sure that the credentials have the permissions needed to read and modify the project IAM policy (for example, the Project IAM Admin role); managing service accounts alone is not enough to change project-level bindings.
- Retrieve the project's IAM policy and build the list of principals (service accounts, users and groups) that have role bindings in the project.
- For each principal in the list, check whether it is bound to both roles/iam.serviceAccountAdmin and roles/iam.serviceAccountUser.
- For any principal that has both, remove the binding it does not need (typically the admin role; keep Service Account User for workloads that only impersonate service accounts) and write the updated policy back, passing the etag returned by the read so a concurrent change is not silently overwritten.
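The following Python script is an added example, not code from the original page; it implements both the CLI procedure and the Python procedure above in one place. It detects every principal holding both roles in a project IAM policy (the JSON printed by `gcloud projects get-iam-policy <PROJECT_ID> --format=json`, which can be piped into the script), emits the equivalent `gcloud projects remove-iam-policy-binding` commands, and can write the fixed policy back through the Cloud Resource Manager v1 API. The sample policy, the project ID `my-project` and the principals in it are constructed for illustration; `apply_with_api` assumes google-api-python-client and Application Default Credentials are available.

```python
"""Find and fix principals that hold both Service Account Admin and
Service Account User in a GCP project IAM policy (added example)."""
import copy
import json
import shlex
import sys
from typing import Dict, List, Set

ADMIN_ROLE = "roles/iam.serviceAccountAdmin"
USER_ROLE = "roles/iam.serviceAccountUser"

# Constructed sample in the shape that
# `gcloud projects get-iam-policy <PROJECT_ID> --format=json` prints.
SAMPLE_POLICY: Dict = {
    "version": 1,
    "etag": "BwXyZ123abc=",
    "bindings": [
        {"role": ADMIN_ROLE,
         "members": ["user:alice@example.com",
                     "serviceAccount:deployer@my-project.iam.gserviceaccount.com"]},
        {"role": USER_ROLE,
         "members": ["user:alice@example.com",
                     "serviceAccount:deployer@my-project.iam.gserviceaccount.com",
                     "group:ops@example.com"]},
        {"role": "roles/viewer", "members": ["group:ops@example.com"]},
    ],
}


def load_policy(text: str) -> Dict:
    """Parse the JSON output of `gcloud projects get-iam-policy`."""
    return json.loads(text)


def members_with_role(policy: Dict, role: str) -> Set[str]:
    """Union of members over every binding for `role` (a role can appear in
    several bindings when IAM conditions are attached)."""
    members: Set[str] = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            members.update(binding.get("members", []))
    return members


def find_dual_role_members(policy: Dict) -> List[str]:
    """Principals bound to both roles: the separation-of-duties violation."""
    both = members_with_role(policy, ADMIN_ROLE) & members_with_role(policy, USER_ROLE)
    return sorted(both)


def remediated_policy(policy: Dict, drop_role: str = ADMIN_ROLE) -> Dict:
    """Copy of `policy` with `drop_role` removed from every dual-role member only.
    Other members and roles are untouched; bindings left with no members are
    dropped; the etag is kept so setIamPolicy can detect concurrent edits."""
    offenders = set(find_dual_role_members(policy))
    fixed = copy.deepcopy(policy)
    kept = []
    for binding in fixed.get("bindings", []):
        if binding.get("role") == drop_role:
            binding["members"] = [m for m in binding.get("members", []) if m not in offenders]
        if binding.get("members"):
            kept.append(binding)
    fixed["bindings"] = kept
    return fixed


def gcloud_commands(project_id: str, policy: Dict, drop_role: str = ADMIN_ROLE) -> List[str]:
    """The CLI route: one remove-iam-policy-binding per offending principal."""
    return [
        f"gcloud projects remove-iam-policy-binding {shlex.quote(project_id)} "
        f"--member={shlex.quote(member)} --role={drop_role}"
        for member in find_dual_role_members(policy)
    ]


def apply_with_api(project_id: str, drop_role: str = ADMIN_ROLE) -> Dict:
    """Read-modify-write through the Cloud Resource Manager v1 API.
    Imported lazily so the detection logic above runs without the client
    library; needs resourcemanager.projects.setIamPolicy on the project."""
    from googleapiclient import discovery  # assumption: google-api-python-client installed
    crm = discovery.build("cloudresourcemanager", "v1")
    current = crm.projects().getIamPolicy(resource=project_id, body={}).execute()
    fixed = remediated_policy(current, drop_role)
    # The etag copied from `current` makes the write fail instead of clobbering
    # a change made between our read and this write.
    return crm.projects().setIamPolicy(resource=project_id, body={"policy": fixed}).execute()


if __name__ == "__main__":
    # Pipe real gcloud output in, or run with no stdin to use the sample.
    policy = load_policy(sys.stdin.read()) if not sys.stdin.isatty() else SAMPLE_POLICY
    offenders = find_dual_role_members(policy)
    print("Principals holding both roles:", offenders)
    for cmd in gcloud_commands("my-project", policy):
        print(cmd)
    print(json.dumps(remediated_policy(policy), indent=2))
```

The script matches members literally, so it will not notice a principal that gets one role directly and the other through a group it belongs to; when triaging, check group memberships for any principal that appears under either role. Pass `drop_role=USER_ROLE` instead when the principal's job is to manage service accounts rather than run as them; in either case only one of the two bindings is removed.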