An example of a threat scenario is when users can impersonate a service account that is more privileged than the user themselves, so, if a user gets the Service Account User role, they can use it to indirectly access all the resources to which the service account has access and can act as the service account to perform any tasks using its granted roles and permissions. In this link, you can see an example. Also, I'm adding this link with the best practices for securing service accounts.
--
© 2018 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043
Email preferences: You received this email because you signed up for the Google Compute Engine Discussion Google Group (gce-dis...@googlegroups.com) to participate in discussions with other members of the Google Compute Engine community and the Google Compute Engine Team.
---
You received this message because you are subscribed to the Google Groups "gce-discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gce-discussio...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/gce-discussion/f93595fe-e5e0-4047-885c-f8e03b267324n%40googlegroups.com.
The Service account by default could have access at project level, giving access to all the resources in the project. It could lead to over-granting privileges, so it’s a best practice to avoid this behavior by not granting access to project level or folder level service accounts; instead, assign the ``iam.serviceAccountUser`` to individually manage access for each service account.
You can execute this command to get a list to help you audit how many service accounts you have in your project.
``gcloud iam service-accounts list``