Link Search Menu Expand Document

IAM granted directly to user.

Explanation

Permissions should not be directly granted to users, you identify roles that contain the appropriate permissions, and then grant those roles to the user.

Granting permissions to users quickly become unwieldy and complex to make large scale changes to remove access to a particular resource.

Permissions should be granted on roles, groups, services accounts instead.

Insecure Example

The following example will fail the GCP011 check.

resource "google_project_iam_binding" "project-binding" {
	members = [
		"user:test@example.com",
		]
}

resource "google_project_iam_member" "project-member" {
	member = "user:test@example.com"
}

Secure Example

The following example will pass the GCP011 check.

resource "google_project_iam_binding" "project-binding" {
	members = [
		"group:test@example.com",
		]
}

resource "google_storage_bucket_iam_member" "bucket-member" {
	member = "serviceAccount:test@example.com"
}