roles/owner に roles/iam.serviceAccountTokenCreator が入っていないことを確認する
role は permission の集合
code:roles/iam.serviceAccountTokenCreator
{
"name": "roles/iam.serviceAccountTokenCreator",
"title": "Service Account Token Creator",
"description": "Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc).",
"includedPermissions": [
"iam.serviceAccounts.get",
"iam.serviceAccounts.getAccessToken",
"iam.serviceAccounts.getOpenIdToken",
"iam.serviceAccounts.implicitDelegation",
"iam.serviceAccounts.list",
"iam.serviceAccounts.signBlob",
"iam.serviceAccounts.signJwt",
"resourcemanager.projects.get",
"resourcemanager.projects.list"
],
"stage": "GA",
"etag": "AA=="
}
ついでに roles/iam.serviceAccountUser も同様に確認する
code:roles/iam.serviceAccountUser
{
"name": "roles/iam.serviceAccountUser",
"title": "Service Account User",
"description": "Run operations as the service account.",
"includedPermissions": [
"iam.serviceAccounts.actAs",
"iam.serviceAccounts.get",
"iam.serviceAccounts.list",
"resourcemanager.projects.get",
"resourcemanager.projects.list"
],
"stage": "GA",
"etag": "AA=="
}
入っていない（roles/iam.serviceAccountTokenCreator の getAccessToken / getOpenIdToken / implicitDelegation / signBlob / signJwt は roles/owner の一覧に含まれていない）。ただし roles/iam.serviceAccountUser の中核である iam.serviceAccounts.actAs は含まれている。また roles/owner には iam.serviceAccounts.setIamPolicy と iam.serviceAccountKeys.create も含まれるため、「token creator の permission を直接持たない」ことと「service account になりすませない」ことは同じではない点に注意。
code:roles/owner
...
"includedPermissions": [
...
"healthcare.userDataMappings.update",
"iam.googleapis.com/workloadIdentityPoolProviders.create",
"iam.googleapis.com/workloadIdentityPoolProviders.delete",
"iam.googleapis.com/workloadIdentityPoolProviders.get",
"iam.googleapis.com/workloadIdentityPoolProviders.list",
"iam.googleapis.com/workloadIdentityPoolProviders.undelete",
"iam.googleapis.com/workloadIdentityPoolProviders.update",
"iam.googleapis.com/workloadIdentityPools.create",
"iam.googleapis.com/workloadIdentityPools.delete",
"iam.googleapis.com/workloadIdentityPools.get",
"iam.googleapis.com/workloadIdentityPools.list",
"iam.googleapis.com/workloadIdentityPools.undelete",
"iam.googleapis.com/workloadIdentityPools.update",
"iam.roles.create",
"iam.roles.delete",
"iam.roles.get",
"iam.roles.list",
"iam.roles.undelete",
"iam.roles.update",
"iam.serviceAccountKeys.create",
"iam.serviceAccountKeys.delete",
"iam.serviceAccountKeys.get",
"iam.serviceAccountKeys.list",
"iam.serviceAccounts.actAs",
"iam.serviceAccounts.create",
"iam.serviceAccounts.delete",
"iam.serviceAccounts.disable",
"iam.serviceAccounts.enable",
"iam.serviceAccounts.get",
"iam.serviceAccounts.getIamPolicy",
"iam.serviceAccounts.list",
"iam.serviceAccounts.setIamPolicy",
"iam.serviceAccounts.undelete",
"iam.serviceAccounts.update",
"iap.projects.getSettings",
...
]