Policy: GCP > IAM > Service Account > Role Bindings > Approved

Configure Service Account Role Bindings checking. This policy defines whether to verify the service account role bindings are approved, as well as the subsequent action to take on unapproved items.

If set to Enforce: Delete unapproved, any unapproved role bindings will be removed from the service account while preserving the service account and their approved roles.

Targets

This policy targets the following resource types:

GCP > IAM > Service Account

Primary Policy

This policy is used with the following primary policy:

GCP > IAM > Service Account > Role Bindings

Rules

Controls

Setting this policy configures this control:

GCP > IAM > Service Account > Role Bindings > Approved

Policy Specification

Schema Type	`string`
Default	`Skip`
Valid Values [YAML]	`Skip` `Check: Approved` `Enforce: Delete unapproved`
Examples [YAML]	`Skip`

In Your Workspace

Policy Settings by Type report

Developers

Category URI

tmod:@turbot/turbot#/control/categories/resourceApproved

Policy Type URI

tmod:@turbot/gcp-iam#/policy/types/serviceAccountRoleBindingsApproved

GraphQL

query policyType(id: "tmod:@turbot/gcp-iam#/policy/types/serviceAccountRoleBindingsApproved") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/gcp-iam#/policy/types/serviceAccountRoleBindingsApproved'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/gcp-iam#/policy/types/serviceAccountRoleBindingsApproved'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/gcp-iam#/policy/types/serviceAccountRoleBindingsApproved"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/gcp-iam#/policy/types/serviceAccountRoleBindingsApproved"