Least privilege for Terraform service accounts - Cheat Sheet & Quick Revision

Recall & Review
beginner
What does 'least privilege' mean for Terraform service accounts?
It means giving the service account only the permissions it needs to do its job, and nothing more. This reduces security risks.
beginner
Why should Terraform service accounts avoid using overly broad permissions?
Because broad permissions can allow accidental or malicious changes beyond what Terraform needs, increasing risk of damage.
intermediate
How can you implement least privilege for a Terraform service account in cloud providers?
By assigning only specific roles or permissions that match the Terraform tasks, such as managing compute instances or storage buckets, and nothing extra.
intermediate
What is a best practice for managing Terraform service account credentials?
Store credentials securely using secret managers or environment variables, and rotate them regularly to reduce risk.
beginner
How does least privilege improve Terraform infrastructure management?
It limits the chance of accidental or harmful changes, making infrastructure safer and easier to audit.
What is the main goal of least privilege for Terraform service accounts?
A. Assign only necessary permissions for Terraform tasks
B. Give full admin access to speed up deployment
C. Allow all permissions to avoid errors
D. Use personal user accounts instead

Which of these is a good practice for Terraform service account permissions?
A. Share credentials with multiple users
B. Use broad roles like Owner or Admin
C. Assign roles based on specific resource needs
D. Avoid using service accounts

How should Terraform service account credentials be stored?
A. In plain text files on developer machines
B. Shared via email
C. Hardcoded in Terraform code
D. In secure secret managers or environment variables

What risk does giving excessive permissions to Terraform service accounts create?
A. Reduced auditability
B. Increased security
C. Faster deployments
D. No risk at all

Which principle helps keep Terraform infrastructure safe?
A. Random privilege
B. Least privilege
C. No privilege
D. Maximum privilege

Explain how to apply least privilege to a Terraform service account in a cloud environment.
Think about limiting permissions and protecting credentials.
Describe why least privilege is important for Terraform service accounts and what risks it helps prevent.
Consider security and control benefits.

      Practice

      1. What does the principle of least privilege mean for Terraform service accounts?
      easy
      A. Give only the permissions Terraform needs to do its job
      B. Give Terraform full admin access to all cloud resources
      C. Allow Terraform to access resources only during business hours
      D. Share Terraform service account credentials with all team members

      Solution

      1. Step 1: Understand least privilege concept

        Least privilege means giving only the minimum permissions needed to perform a task.
      2. Step 2: Apply to Terraform service accounts

        Terraform service accounts should have only the permissions required to manage infrastructure, nothing more.
      3. Final Answer:

        Give only the permissions Terraform needs to do its job -> Option A
      4. Quick Check:

        Least privilege = minimal needed permissions [OK]
      Hint: Least privilege means minimal permissions only [OK]
      Common Mistakes:
      • Giving Terraform full admin rights unnecessarily
      • Sharing credentials widely
      • Setting time-based access without need
      2. Which Terraform configuration snippet correctly assigns least privilege to a service account for managing only compute instances?
      easy
      A.
      resource "google_project_iam_member" "compute_admin" {
        project = var.project_id
        role    = "roles/compute.admin"
        member  = "serviceAccount:${var.service_account_email}"
      }
      B.
      resource "google_project_iam_member" "storage_admin" {
        project = var.project_id
        role    = "roles/storage.admin"
        member  = "serviceAccount:${var.service_account_email}"
      }
      C.
      resource "google_project_iam_member" "viewer" {
        project = var.project_id
        role    = "roles/viewer"
        member  = "serviceAccount:${var.service_account_email}"
      }
      D.
      resource "google_project_iam_member" "editor" {
        project = var.project_id
        role    = "roles/editor"
        member  = "serviceAccount:${var.service_account_email}"
      }

      Solution

      1. Step 1: Identify the role for compute instance management

        The role "roles/compute.admin" allows managing compute instances specifically.
      2. Step 2: Match the role to the service account in Terraform

        The snippet assigns "roles/compute.admin" to the service account, limiting permissions to compute resources only.
      3. Final Answer:

        The snippet assigning roles/compute.admin to the service account -> Option A
      4. Quick Check:

        Assign specific roles, not broad ones [OK]
      Hint: Match role to exact resource type needed [OK]
      Common Mistakes:
      • Using broad roles like editor or admin unnecessarily
      • Assigning unrelated roles like storage.admin
      • Using viewer role which is read-only
      3. Given this Terraform IAM binding snippet, what is the effective permission scope for the service account?
      resource "google_project_iam_member" "sa_role" {
        project = "my-project"
        role    = "roles/storage.objectViewer"
        member  = "serviceAccount:terraform-sa@my-project.iam.gserviceaccount.com"
      }
      medium
      A. Full access to all storage buckets and objects
      B. No access to storage resources
      C. Write access to storage buckets
      D. Read-only access to storage objects only

      Solution

      1. Step 1: Understand the role assigned

        The role "roles/storage.objectViewer" grants read-only access to storage objects.
      2. Step 2: Determine permission scope

        This role does not allow writing or bucket management, only viewing objects.
      3. Final Answer:

        Read-only access to storage objects only -> Option D
      4. Quick Check:

        roles/storage.objectViewer = read-only object access [OK]
      Hint: Check role name keywords: viewer means read-only [OK]
      Common Mistakes:
      • Confusing viewer with admin or editor roles
      • Assuming bucket write permissions
      • Thinking full storage access is granted
      4. You wrote this Terraform code to assign a role to a service account but get an error:
      resource "google_project_iam_member" "sa_role" {
        project = var.project_id
        role    = "roles/compute.viewer"
        member  = "serviceAccount:${var.service_account_email}"
        member  = "serviceAccount:extra@domain.com"
      }
      What is the problem?
      medium
      A. Role 'roles/compute.viewer' does not exist
      B. Duplicate 'member' keys cause a syntax error
      C. Service account email format is invalid
      D. Project ID variable is missing

      Solution

      1. Step 1: Check Terraform resource syntax

        Terraform resource blocks cannot contain duplicate keys; 'member' appears twice here.
      2. Step 2: Understand correct way to assign multiple members

        To assign multiple members, use 'google_project_iam_binding' or multiple resources, not duplicate keys.
      3. Final Answer:

        Duplicate 'member' keys cause a syntax error -> Option B
      4. Quick Check:

        Duplicate keys in resource block = syntax error [OK]
      Hint: No duplicate keys in Terraform blocks [OK]
      Common Mistakes:
      • Using duplicate keys instead of lists or multiple resources
      • Assuming role name is invalid without checking
      • Ignoring variable definitions
      5. You want to create a Terraform service account with least privilege to manage only network resources in a Google Cloud project. Which approach is best?
      hard
      A. Assign the role 'roles/owner' to the service account temporarily
      B. Assign the role 'roles/editor' to the service account for all resources
      C. Assign the role 'roles/compute.networkAdmin' to the service account only
      D. Assign no roles and rely on default permissions

      Solution

      1. Step 1: Identify the role for network management

        The role 'roles/compute.networkAdmin' grants permissions to manage network resources only.
      2. Step 2: Apply least privilege principle

        Assigning only this role limits the service account to network tasks, avoiding broad permissions.
      3. Step 3: Avoid broad or no permissions

        Roles like 'editor' or 'owner' are too broad; no roles means no access.
      4. Final Answer:

        Assign the role 'roles/compute.networkAdmin' to the service account only -> Option C
      5. Quick Check:

        Least privilege = specific role only [OK]
      Hint: Pick the narrowest role matching needed tasks [OK]
      Common Mistakes:
      • Using broad roles like editor or owner
      • Not assigning any role and expecting access
      • Assigning multiple unrelated roles