VM Instance With Full Cloud Access
ID | gcp_vm_with_full_cloud_access
Severity | high
Vendor | GCP
Resource | AIM
Tags | reachable
Description
gcp_compute_instance is an Ansible module that creates a GCP instance, that is, a virtual machine running on Google's infrastructure.
The service_accounts parameter of the gcp_compute_instance module specifies which service account the instance uses for authentication and authorization, together with the access scopes granted to it.
Using the cloud-platform scope in service_accounts is a security issue: it grants the instance access to every Google Cloud API the service account's IAM roles allow, so an attacker who compromises the VM, or a simple configuration error, can reach far more of the project than the workload needs.
To fix it, do not set the service_account.scope property to cloud-platform; grant only the specific scopes the workload requires (the fix below uses the read-only Cloud Storage scope).
Learn more about this topic at Service accounts - Access scopes.
Examples
---
- name: create an instance
  google.cloud.gcp_compute_instance:
    name: test_object
    machine_type: n1-standard-1
    disks:
      - auto_delete: 'true'
        boot: 'true'
        source: "disk"
    network_interfaces:
      - network: "network"
        access_configs:
          - name: External NAT
            nat_ip: "address"
            type: ONE_TO_ONE_NAT
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    service_accounts:
      - email: test@test_project.iam.gserviceaccount.com
        scopes:
          # cloud-platform is the full-access scope: every Google Cloud API
          - cloud-platform
  register: result
Mitigation / Fix
---
- name: create an instance
  google.cloud.gcp_compute_instance:
    name: test_object
    machine_type: n1-standard-1
    disks:
      - auto_delete: 'true'
        boot: 'true'
        source: "disk"
    network_interfaces:
      - network: "network"
        access_configs:
          - name: External NAT
            nat_ip: "address"
            type: ONE_TO_ONE_NAT
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    service_accounts:
      - email: test@test_project.iam.gserviceaccount.com
        scopes:
          # grant only the narrow scope the workload actually needs
          - https://www.googleapis.com/auth/devstorage.read_only
  register: result
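As an added example that is not part of this rule page, the following check implements the rule over an already-parsed playbook (it assumes the YAML has been loaded with something like PyYAML's yaml.safe_load; the sample playbook is constructed inline as parsed data). It walks plays and block/rescue/always nesting, accepts both the short and the fully qualified module name, and treats both spellings of the full-access scope as a finding.

```python
"""Flag gcp_compute_instance tasks whose service account uses the cloud-platform scope."""
from typing import Iterator

MODULE_NAMES = ("google.cloud.gcp_compute_instance", "gcp_compute_instance")
# Both spellings resolve to the same full-access scope on the GCP API side.
FULL_ACCESS_SCOPES = {"cloud-platform", "https://www.googleapis.com/auth/cloud-platform"}
NESTING_KEYS = ("tasks", "pre_tasks", "post_tasks", "handlers", "block", "rescue", "always")


def iter_tasks(items: list) -> Iterator[dict]:
    """Yield every task dict, descending into plays and block/rescue/always sections."""
    for item in items:
        if not isinstance(item, dict):
            continue
        nested = False
        for key in NESTING_KEYS:
            if isinstance(item.get(key), list):
                nested = True
                yield from iter_tasks(item[key])
        if not nested:
            yield item


def full_access_findings(playbook: list) -> list:
    """Return (task name, service account email) pairs that grant cloud-platform."""
    findings = []
    for task in iter_tasks(playbook):
        params = next((task[m] for m in MODULE_NAMES if isinstance(task.get(m), dict)), None)
        if params is None:
            continue
        for sa in params.get("service_accounts") or []:
            if isinstance(sa, dict) and set(sa.get("scopes") or []) & FULL_ACCESS_SCOPES:
                findings.append((task.get("name", "<unnamed>"), sa.get("email", "<unknown>")))
    return findings


# Constructed sample: the first task mirrors the page's offending example, the second its fix.
SAMPLE_PLAYBOOK = [
    {"name": "provision", "hosts": "localhost", "tasks": [
        {"name": "create an instance", "google.cloud.gcp_compute_instance": {
            "name": "test_object", "zone": "us-central1-a",
            "service_accounts": [{"email": "test@test_project.iam.gserviceaccount.com",
                                  "scopes": ["cloud-platform"]}]}},
        {"name": "create a bucket reader", "google.cloud.gcp_compute_instance": {
            "name": "reader", "zone": "us-central1-a",
            "service_accounts": [{"email": "test@test_project.iam.gserviceaccount.com",
                                  "scopes": ["https://www.googleapis.com/auth/devstorage.read_only"]}]}},
    ]},
]

if __name__ == "__main__":
    for task_name, email in full_access_findings(SAMPLE_PLAYBOOK):
        print(f"gcp_vm_with_full_cloud_access: task '{task_name}' gives {email} full cloud access")
```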