Restrict Sensitive GCP IAM Role Assignments

Prevent project-level assignment of GCP's Service Account User and Service Account Token Creator roles to IAM users by following this step-by-step guide.

This check ensures that sensitive IAM roles — roles/iam.serviceAccountUser and roles/iam.serviceAccountTokenCreator — are not assigned to IAM users at the project level in Google Cloud Platform (GCP).

These roles, when granted to individual users, allow impersonation of service accounts and unauthorised access to resources. Sprinto flags this as a violation of the principle of least privilege, which is a key requirement across SOC 2, ISO 27001, and other frameworks.


When is this check triggered?

This check is triggered if:

  • An IAM user (non-service account) is assigned either of the following roles:

    • roles/iam.serviceAccountUser

    • roles/iam.serviceAccountTokenCreator

  • These roles are assigned at the project level rather than on specific service accounts or groups, so the grant covers every service account in the project


How to resolve

Follow these steps to audit and remove risky role assignments:

  1. Log in to your GCP Console.

  2. Navigate to IAM & Admin → IAM.

  3. In the IAM member list, filter by role:

    • Service Account User

    • Service Account Token Creator

  4. Review each IAM user assigned to these roles:

    • Ensure they are not individual users unless justified

    • Validate whether they belong to a secure automation group (e.g. Terraform CI/CD pipelines)

  5. If unjustified, click Edit for the user and remove the role assignment.

  6. Click Save.

🔒 Best practice: Grant these roles only to service accounts or tightly scoped automation identities — never to human users directly.


Provide evidence

To confirm resolution in Sprinto, provide one of the following:

  • A screenshot showing these roles no longer assigned to IAM users

  • A CSV or JSON export of IAM policy bindings with verified removal

  • A link to an internal role audit script or process (if applicable)


Best practices

  • Regularly review IAM policy bindings via automated scans or GCP Cloud Asset Inventory.

  • Use custom roles with more limited permissions if full impersonation rights are not required.

  • Apply resource-level role assignments wherever possible (avoid broad project-level grants).
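One way to automate the review described above, as an added example that is neither Sprinto's nor Google's code: it parses the JSON returned by `gcloud projects get-iam-policy PROJECT_ID --format=json` and lists project-level bindings of the two roles to `user:` principals, with `group:` grants reported separately for membership review. The sample policy, project name and e-mail addresses are constructed placeholders.

```python
"""Flag project-level grants of sensitive impersonation roles to human users."""
import json

# The two roles this check covers.
SENSITIVE_ROLES = {
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
}

# Constructed sample in the shape returned by
#   gcloud projects get-iam-policy PROJECT_ID --format=json
# Project name and principals are placeholders, not real identities.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:alice@example.com",
                     "serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["group:deployers@example.com", "user:bob@example.com"]},
        {"role": "roles/viewer",
         "members": ["user:carol@example.com"]},
    ],
    "etag": "BwXYZ123",
    "version": 1,
})


def find_members(policy_json: str, prefix: str) -> list[tuple[str, str]]:
    """Return sorted (role, member) pairs for sensitive roles bound to principals
    whose member string starts with `prefix` (e.g. "user:" or "group:").

    Because the input is the project's own IAM policy, every binding here is a
    project-level grant; bindings on individual service accounts never appear.
    """
    policy = json.loads(policy_json)
    return sorted(
        (binding["role"], member)
        for binding in policy.get("bindings", [])
        if binding["role"] in SENSITIVE_ROLES
        for member in binding.get("members", [])
        if member.startswith(prefix)
    )


if __name__ == "__main__":
    for role, member in find_members(SAMPLE_POLICY, "user:"):
        print(f"VIOLATION: {member} holds {role} at project level")
    for role, member in find_members(SAMPLE_POLICY, "group:"):
        print(f"REVIEW: {member} holds {role}; confirm it is a scoped automation group")
```

The `VIOLATION` lines are the bindings step 5 above removes; the `REVIEW` lines correspond to the group-membership validation in step 4.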
