When creating a GCP service account, the GCP IAM user will need specific rights in order to create the binding for the service account.
Scenario
When creating a service account through Vault, please ensure that the proper rights exist on the GCP IAM custom project role. If these rights do not exist, the service account will be created and the roleset will be applied, but there will be no binding to the service account.
Recommendation
Ensure that the GCP IAM custom project role used to create service accounts has all of the following rights:
- iam.serviceAccountKeys.create
- iam.serviceAccountKeys.delete
- iam.serviceAccountKeys.get
- iam.serviceAccountKeys.list
- iam.serviceAccounts.create
- iam.serviceAccounts.delete
- iam.serviceAccounts.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.setIamPolicy
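As an added example (not part of the original article or of Vault), the check below compares a custom role's JSON description against the list above and emits a role definition file that carries every required permission. The role name `vaultSaCreator`, the project `my-project`, and the sample `gcloud iam roles describe` output are constructed for illustration.

```python
import json

# Permissions the article requires on the custom project role so that Vault
# can create the service account and bind the roleset to it.
REQUIRED_PERMISSIONS = frozenset({
    "iam.serviceAccountKeys.create",
    "iam.serviceAccountKeys.delete",
    "iam.serviceAccountKeys.get",
    "iam.serviceAccountKeys.list",
    "iam.serviceAccounts.create",
    "iam.serviceAccounts.delete",
    "iam.serviceAccounts.get",
    "resourcemanager.projects.getIamPolicy",
    "resourcemanager.projects.setIamPolicy",
})

# Constructed sample of `gcloud iam roles describe vaultSaCreator
# --project my-project --format=json` output for a role that has every
# permission except the two project IAM policy permissions. This is the
# misconfiguration the article describes: the account is created, but the
# roleset binding is never written.
SAMPLE_ROLE_JSON = json.dumps({
    "name": "projects/my-project/roles/vaultSaCreator",
    "stage": "GA",
    "includedPermissions": sorted(
        REQUIRED_PERMISSIONS - {"resourcemanager.projects.getIamPolicy",
                                "resourcemanager.projects.setIamPolicy"}
    ),
})


def missing_permissions(role_json: str) -> list[str]:
    """Return the required permissions absent from a role's JSON description."""
    role = json.loads(role_json)
    granted = set(role.get("includedPermissions", []))
    return sorted(REQUIRED_PERMISSIONS - granted)


def role_yaml(title: str) -> str:
    """Role definition for `gcloud iam roles create ROLE_ID --project PROJECT --file role.yaml`."""
    lines = [f"title: {title}", "stage: GA", "includedPermissions:"]
    lines += [f"- {perm}" for perm in sorted(REQUIRED_PERMISSIONS)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("missing from sample role:", missing_permissions(SAMPLE_ROLE_JSON))
    print(role_yaml("Vault service account creator"), end="")
```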