Detect Transitive Access To Sensitive Google Cloud Resources

When trying to secure access to a specific sensitive Google Cloud resource, you’re likely familiar with the process of going to the resource’s IAM permissions page in the Cloud Console. This view will show you principals with direct permissions to access the resource, including permissions inherited from parent resources.

However, this excludes a common security vulnerability in many Google Cloud configurations: transitive access via service accounts.
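The check that gap calls for, as an added example that is not code from the original post: walk the IAM policies set on service accounts and report principals who reach the resource only by impersonating one (including multi-hop chains). The two IAM policies are constructed sample data; the script assumes that the well-known impersonation roles listed confer the ability to act as the service account.

```python
# Added example: find principals with transitive access to a resource via
# service-account impersonation. All policy data below is constructed.
from collections import defaultdict

# Roles on a service account that let the member act as that account.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator",  # mint tokens for the SA
    "roles/iam.serviceAccountUser",          # run workloads as the SA
    "roles/iam.serviceAccountKeyAdmin",      # create keys, hence act as the SA
}

# Constructed: IAM policy of the sensitive resource (what the console shows).
RESOURCE_BINDINGS = [
    {"role": "roles/storage.objectViewer",
     "members": ["user:alice@example.com",
                 "serviceAccount:app@proj.iam.gserviceaccount.com"]},
]
# Constructed: IAM policies set *on* each service account (what it omits).
SA_POLICIES = {
    "serviceAccount:app@proj.iam.gserviceaccount.com": [
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["user:bob@example.com",
                     "serviceAccount:ci@proj.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["user:carol@example.com"]},
    ],
    "serviceAccount:ci@proj.iam.gserviceaccount.com": [
        {"role": "roles/iam.serviceAccountUser",
         "members": ["group:devs@example.com"]},
    ],
}

def impersonation_graph(sa_policies):
    """Map service account -> principals who hold an impersonation role on it."""
    graph = defaultdict(set)
    for sa, bindings in sa_policies.items():
        for b in bindings:
            if b["role"] in IMPERSONATION_ROLES:
                graph[sa].update(b["members"])
    return graph

def transitive_access(resource_bindings, sa_policies):
    """Return {principal: impersonation chain ending at a directly bound SA}
    for principals that are NOT direct members of the resource policy."""
    direct = {m for b in resource_bindings for m in b["members"]}
    graph = impersonation_graph(sa_policies)
    found = {}
    frontier = [(p, [p]) for p in direct if p.startswith("serviceAccount:")]
    while frontier:                      # depth-first walk over impersonators
        sa, path = frontier.pop()
        for actor in graph.get(sa, ()):
            if actor in direct or actor in found:
                continue                 # direct access or already reported
            found[actor] = [actor] + path
            if actor.startswith("serviceAccount:"):
                frontier.append((actor, found[actor]))  # follow chained SAs
    return found
```

Running `transitive_access(RESOURCE_BINDINGS, SA_POLICIES)` reports bob, the `ci` service account and the `devs` group, none of whom appear on the resource's own IAM page.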
