Property

- Language: terraform
- Severity: high
- Service: iam
- Provider: Google
- Vulnerability Type: omission

Description

The configuration for the Google IAM Workload Identity Pool Provider lacks an attribute condition, so any token from the configured external issuer (for example, a GitHub Actions workflow in any repository, not only yours) can be exchanged for credentials of the linked service account. Without such a restriction the identity pool is open to broader, unintended access.

Impact

Without a condition, an external party who can obtain a token from the same issuer could authenticate as the service account and use its permissions, potentially gaining unauthorized access to sensitive Google Cloud resources or performing actions on behalf of the organization, leading to data exposure or service disruption.

Resolution

Set an attribute condition on this provider, for example by restricting it so that only tokens from repositories in your GitHub organization are accepted.
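The following Terraform is an added example (not part of this rule page or any project's code) showing the flagged pattern next to the remediated one. The pool name, provider name, organization name `example-org` and service account name are placeholders; the `attribute_mapping` claims (`assertion.sub`, `assertion.repository`, `assertion.repository_owner`) are the standard claims GitHub Actions puts in its OIDC tokens.

```hcl
resource "google_iam_workload_identity_pool" "github" {
  workload_identity_pool_id = "github-pool" # placeholder
}

# FLAGGED: no attribute_condition. Any GitHub Actions workflow, from any
# repository on github.com, presents a token from this issuer and is accepted.
resource "google_iam_workload_identity_pool_provider" "github_open" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-open" # placeholder

  attribute_mapping = {
    "google.subject"             = "assertion.sub"
    "attribute.repository"       = "assertion.repository"
    "attribute.repository_owner" = "assertion.repository_owner"
  }

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

# REMEDIATED: the attribute_condition is a CEL expression evaluated against the
# mapped claims. Only tokens whose repository_owner claim equals the placeholder
# organization "example-org" pass; every other repository is rejected before any
# service account credential is issued.
resource "google_iam_workload_identity_pool_provider" "github_restricted" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-restricted" # placeholder

  attribute_mapping = {
    "google.subject"             = "assertion.sub"
    "attribute.repository"       = "assertion.repository"
    "attribute.repository_owner" = "assertion.repository_owner"
  }

  attribute_condition = "attribute.repository_owner == \"example-org\""

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

# Scope the service account grant to the same organization as a second layer,
# so that even a later loosening of the provider condition does not widen access.
resource "google_service_account" "ci" {
  account_id = "ci-deployer" # placeholder
}

resource "google_service_account_iam_member" "ci_wif" {
  service_account_id = google_service_account.ci.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github.name}/attribute.repository_owner/example-org"
}
```

Narrowing the condition further (for example `attribute.repository == "example-org/deploy-repo"`, or combining owner and repository with `&&`) is preferable when only one repository needs the service account; the organization-level check shown is the minimum that closes the finding.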