1. Login to your GCP console.
2. Navigate to the IAM & admin page.
3. Click on the “IAM” tab.
4. Find the user account that has the “Service Account Token Creator” role assigned to it.
5. Click on the edit icon (pencil) next to the user account.
6. Scroll down to the “Service Account Actor” section.
7. Find the service account that the user account is associated with.
8. Click on the edit icon (pencil) next to the service account.
9. Scroll down to the “Role” section.
10. Find the “Service Account Token Creator” role and remove it from the list of assigned roles.
11. Click on “Save” to save the changes.

​

1. Open the GCP Cloud Shell by clicking on the Activate Cloud Shell button on the top right corner of the GCP console.
2. Run the following command to list all the service accounts in your GCP project:

gcloud iam service-accounts list

3. Select the service account that you want to remediate and note its email address.
4. Run the following command to list all the roles assigned to the service account:

gcloud projects get-iam-policy <project-id> --flatten="bindings[].members" --format='table(bindings.role)' --filter="bindings.members:<service-account-email>"

5. Check if the service account has the roles/iam.serviceAccountTokenCreator role assigned to it. If yes, then it needs to be removed.
6. Run the following command to remove the roles/iam.serviceAccountTokenCreator role from the service account:

gcloud projects remove-iam-policy-binding <project-id> --member="serviceAccount:<service-account-email>" --role="roles/iam.serviceAccountTokenCreator"

7. Verify that the roles/iam.serviceAccountTokenCreator role has been removed from the service account by running the command in step 4 again.

1. First, you need to identify the service account user who has the Service Account Token Creator role. You can do this by running the following command in the Cloud Shell:
   Copy

   Ask AI

   gcloud iam service-accounts list
   

2. Once you have identified the service account user, you need to remove the Service Account Token Creator role from the user. You can do this by running the following command in the Cloud Shell:
   Copy

   Ask AI

   from google.oauth2 import service_account
   from googleapiclient.discovery import build
   
   credentials = service_account.Credentials.from_service_account_file('<path_to_service_account_key_file>')
   service = build('iam', 'v1', credentials=credentials)
   
   user_email = '<service_account_user_email>'
   project_id = '<project_id>'
   role_name = 'roles/iam.serviceAccountTokenCreator'
   
   policy = service.projects().getIamPolicy(resource=project_id, body={}).execute()
   
   for binding in policy['bindings']:
       if binding['role'] == role_name and user_email in binding['members']:
           binding['members'].remove(user_email)
   
   service.projects().setIamPolicy(resource=project_id, body={'policy': policy}).execute()
   

   Note: Replace <path_to_service_account_key_file>, <service_account_user_email> and <project_id> with the appropriate values.
3. Once you have run the above command, verify that the Service Account Token Creator role has been removed from the service account user by running the following command in the Cloud Shell:
   Copy

   Ask AI

   gcloud projects get-iam-policy <project_id> --flatten="bindings[].members" --format='table(bindings.role)' --filter="bindings.members:<service_account_user_email>"
   

   This should return an empty table, indicating that the user no longer has the Service Account Token Creator role.
4. Finally, you should review your organization’s IAM policies and best practices to ensure that service account users are not granted unnecessary permissions in the future.