
# Resolve Sprinto Check: Restrict Service Account Roles at Project Level

### About:

Sprinto check: GCP service account user role/ token creator role should not be assigned at project level

This Sprinto check verifies that no IAM users on the Google Cloud Platform (GCP) project are assigned the "Service Account User" or "Service Account Token Creator" roles at the project level.

### Purpose:

The purpose of this check is to enforce the principle of least privilege for IAM users. The "Service Account User" and "Service Account Token Creator" roles grant broad permissions to create and manage service account keys and tokens. Assigning these roles at the project level can grant excessive privileges to users, increasing the risk of unauthorized access or misuse of resources.

### How to fix this check:

Follow these steps to resolve the check:

#### Before you begin

* Ensure you have administrator privileges on the GCP account where you want to make configuration changes.

#### Updating via GCP Console

1. Log in to the [GCP Console](https://console.cloud.google.com) using your credentials.
2. Navigate to the IAM & Admin service.
3. Review the accounts list and ensure there is no IAM user with roles like "Service Account User" or "Service Account Token Creator" assigned at the project level. Use the filter field and enter `Role: Service Account User` or `Role: Service Account Token Creator` for quick navigation.

   <figure><img src="https://s3.amazonaws.com/cdn.freshdesk.com/data/helpdesk/attachments/production/72098762242/original/ao3_sJTzZ2D2ydPVGOZvQPRxxfHHNPKq7w.png?1716275304" alt="" width="563"><figcaption></figcaption></figure>
4. If you find an IAM user with the above-mentioned roles assigned, click on the edit icon next to the user.

   <figure><img src="https://s3.amazonaws.com/cdn.freshdesk.com/data/helpdesk/attachments/production/72098762315/original/66K04jJC7OMmPvfygIoQftpz3wd9Lrv_Lw.png?1716275365" alt="" width="563"><figcaption></figcaption></figure>
5. Revoke the role from the IAM user and click **Save** to apply the changes.

   <figure><img src="https://s3.amazonaws.com/cdn.freshdesk.com/data/helpdesk/attachments/production/72098762257/original/O3QpVAIknaKy5MjbTiij5y9M95oqRUfCFw.png?1716275324" alt="" width="375"><figcaption></figcaption></figure>
6. If necessary, assign these roles at a more granular level (e.g., specific service accounts or resources) to ensure the principle of least privilege is followed.
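The same review can be scripted against the project's IAM policy instead of clicking through the console. The following is an added example, not Sprinto's own code: it reads a policy in the JSON shape produced by `gcloud projects get-iam-policy PROJECT --format=json`, lists every principal bound to the two roles at the project level, and builds the `gcloud` commands that revoke them (the project ID and principals in the sample policy are placeholders).

```python
"""Audit a GCP project IAM policy for project-level "Service Account User" /
"Service Account Token Creator" bindings and build the gcloud commands that
revoke them. Added example for this page, not Sprinto's own code."""

# Predefined role IDs behind the two console role names used by the check.
FLAGGED_ROLES = {
    "roles/iam.serviceAccountUser": "Service Account User",
    "roles/iam.serviceAccountTokenCreator": "Service Account Token Creator",
}


def find_project_level_sa_bindings(policy: dict) -> list:
    """Return one finding per (role, member) pair in a project IAM policy, as
    returned by `gcloud projects get-iam-policy PROJECT --format=json`.
    All member types are reported (user:, group:, serviceAccount:), because a
    group or service account holding these roles project-wide is just as broad.
    Conditional bindings are included with their condition title for review."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in FLAGGED_ROLES:
            continue
        condition = binding.get("condition", {}).get("title")
        for member in binding.get("members", []):
            findings.append({"role": role, "member": member, "condition": condition})
    return findings


def revoke_commands(project_id: str, findings: list) -> list:
    """gcloud equivalent of step 5 (revoke the role at project level).
    Conditional bindings are skipped: they must be removed together with the
    matching condition, so they are left for manual review."""
    return [
        f"gcloud projects remove-iam-policy-binding {project_id} "
        f"--member='{f['member']}' --role='{f['role']}'"
        for f in findings if not f["condition"]
    ]


# Constructed sample policy (placeholder project and principals):
# one unrelated binding, one flagged unconditional, one flagged conditional.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/viewer", "members": ["user:analyst@example.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:dev@example.com", "group:platform@example.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"],
     "condition": {"title": "ci-only",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
]}
```

Running `find_project_level_sa_bindings(SAMPLE_POLICY)` reports three bindings, and `revoke_commands("example-project", ...)` emits the two unconditional revocations; the conditional Token Creator grant is listed but left for a human to judge, which matches step 6 above.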

Sprinto will detect the configuration change and set the check status to "Passing."

Contact [Sprinto support](mailto:www.support@sprinto.com) if you have any queries related to the check or need assistance.
