From c48f85aab3253c10530fcb5e3452df92fea3762d Mon Sep 17 00:00:00 2001 From: Laiba Zaman Date: Tue, 28 Mar 2023 14:48:45 +0000 Subject: [PATCH 1/4] added guide --- .../iam/service-account-token-creator.md | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 en/google/iam/service-account-token-creator.md diff --git a/en/google/iam/service-account-token-creator.md b/en/google/iam/service-account-token-creator.md new file mode 100644 index 000000000..bce4ae0de --- /dev/null +++ b/en/google/iam/service-account-token-creator.md 
@@ -0,0 +1,27 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Compute / Service Account Token Creator + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Service Account Token Creator | +| **Cloud** | GOOGLE | +| **Category** | Compute | +| **Description** | Ensures that no users have the Service Account Token Creator role. | +| **More Info** | For best security practices, IAM users should not have Service Account Token Creator role. | +| **GOOGLE Link** | https://cloud.google.com/compute/docs/disks | +| **Recommended Action** | Ensure that no IAM user have Service Account Token Creator Role at GCP project level.| + +## Detailed Remediation Steps +1. In the Google Cloud console, go to the IAM page. + + [Go to IAM](https://console.cloud.google.com/projectselector/iam-admin/iam?supportedpurview=project,folder,organizationId) + +2. Select a project, folder, or organization (in this case the GCP project). + + The Google Cloud console lists all the principals who have been granted roles on your project, folder, or organization. This list includes principals who have inherited roles on the resource from parent resources. For more information about policy inheritance, see [Policy inheritance and the resource hierarchy](https://cloud.google.com/iam/docs/policies#inheritance). +Check to see if any have the Service Account Access Role. + +3. Optional: To view role grants for [Google-managed service accounts](https://cloud.google.com/iam/docs/service-account-types#google-managed), select the Include Google-provided role grants checkbox. \ No newline at end of file From dd0fdc62b95f801d15265130a71e2daa502865c5 Mon Sep 17 00:00:00 2001 
From: laiba-zaman <122311250+laiba-zaman@users.noreply.github.com> Date: Fri, 31 Mar 2023 10:14:12 -0400 Subject: [PATCH 2/4] Update service-account-token-creator.md --- en/google/iam/service-account-token-creator.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/en/google/iam/service-account-token-creator.md b/en/google/iam/service-account-token-creator.md index bce4ae0de..f5e5f1800 100644 --- a/en/google/iam/service-account-token-creator.md +++ b/en/google/iam/service-account-token-creator.md @@ -1,6 +1,6 @@ [![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) -# GOOGLE / Compute / Service Account Token Creator +# GOOGLE / IAM / Service Account Token Creator ## Quick Info @@ -8,7 +8,7 @@ |-|-| | **Plugin Title** | Service Account Token Creator | | **Cloud** | GOOGLE | -| **Category** | Compute | +| **Category** | IAM | | **Description** | Ensures that no users have the Service Account Token Creator role. | | **More Info** | For best security practices, IAM users should not have Service Account Token Creator role. | | **GOOGLE Link** | https://cloud.google.com/compute/docs/disks | 
@@ -24,4 +24,4 @@ The Google Cloud console lists all the principals who have been granted roles on your project, folder, or organization. This list includes principals who have inherited roles on the resource from parent resources. For more information about policy inheritance, see [Policy inheritance and the resource hierarchy](https://cloud.google.com/iam/docs/policies#inheritance). Check to see if any have the Service Account Access Role. -3. Optional: To view role grants for [Google-managed service accounts](https://cloud.google.com/iam/docs/service-account-types#google-managed), select the Include Google-provided role grants checkbox. \ No newline at end of file +3. Optional: To view role grants for [Google-managed service accounts](https://cloud.google.com/iam/docs/service-account-types#google-managed), select the Include Google-provided role grants checkbox. From 100d6c28cdcaee33c986c55432c5b1a21cbfd675 Mon Sep 17 00:00:00 2001 From: laiba-zaman <122311250+laiba-zaman@users.noreply.github.com> Date: Tue, 4 Apr 2023 14:09:32 -0400 Subject: [PATCH 3/4] Update service-account-token-creator.md --- en/google/iam/service-account-token-creator.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/en/google/iam/service-account-token-creator.md b/en/google/iam/service-account-token-creator.md index f5e5f1800..fdb2c0f83 100644 --- a/en/google/iam/service-account-token-creator.md +++ b/en/google/iam/service-account-token-creator.md 
@@ -22,6 +22,6 @@ 2. Select a project, folder, or organization (in this case the GCP project). The Google Cloud console lists all the principals who have been granted roles on your project, folder, or organization. This list includes principals who have inherited roles on the resource from parent resources. For more information about policy inheritance, see [Policy inheritance and the resource hierarchy](https://cloud.google.com/iam/docs/policies#inheritance). -Check to see if any have the Service Account Access Role. +3. Check to see if any have the Service Account Access Role. -3. Optional: To view role grants for [Google-managed service accounts](https://cloud.google.com/iam/docs/service-account-types#google-managed), select the Include Google-provided role grants checkbox. +4. Optional: To view role grants for [Google-managed service accounts](https://cloud.google.com/iam/docs/service-account-types#google-managed), select the Include Google-provided role grants checkbox. From 0ddb7a1b0ce3333d2e37ba32dc96eafc32bcf4f2 Mon Sep 17 00:00:00 2001 From: Amanda Reed <96201528+areed42@users.noreply.github.com> Date: Tue, 4 Apr 2023 14:18:52 -0400 Subject: [PATCH 4/4] Update service-account-token-creator.md I made some changes based on documentation I found elsewhere. Also corrected the link to the document referenced in the plugin. --- en/google/iam/service-account-token-creator.md | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/en/google/iam/service-account-token-creator.md b/en/google/iam/service-account-token-creator.md index fdb2c0f83..2804c5f1c 100644 --- a/en/google/iam/service-account-token-creator.md +++ b/en/google/iam/service-account-token-creator.md 
@@ -11,17 +11,20 @@ | **Category** | IAM | | **Description** | Ensures that no users have the Service Account Token Creator role. | | **More Info** | For best security practices, IAM users should not have Service Account Token Creator role. | -| **GOOGLE Link** | https://cloud.google.com/compute/docs/disks | +| **GOOGLE Link** | https://cloud.google.com/iam/docs/overview | | **Recommended Action** | Ensure that no IAM user have Service Account Token Creator Role at GCP project level.| ## Detailed Remediation Steps -1. In the Google Cloud console, go to the IAM page. +1. In the Google Cloud console, go to the IAM page. - [Go to IAM](https://console.cloud.google.com/projectselector/iam-admin/iam?supportedpurview=project,folder,organizationId) + - [Go to IAM](https://console.cloud.google.com/projectselector/iam-admin/iam?supportedpurview=project,folder,organizationId) -2. Select a project, folder, or organization (in this case the GCP project). +2. Select a project by clicking on the project's name. - The Google Cloud console lists all the principals who have been granted roles on your project, folder, or organization. This list includes principals who have inherited roles on the resource from parent resources. For more information about policy inheritance, see [Policy inheritance and the resource hierarchy](https://cloud.google.com/iam/docs/policies#inheritance). -3. Check to see if any have the Service Account Access Role. +3. Find the row containing the principal whose access you want to revoke. -4. Optional: To view role grants for [Google-managed service accounts](https://cloud.google.com/iam/docs/service-account-types#google-managed), select the Include Google-provided role grants checkbox. +4. Click Edit principal in that row. + + - Note: You cannot edit inherited roles when managing access to a resource. To edit inherited roles, go to the resource where the role was granted. + +5. 
Click the Delete delete button for the role that you want to revoke, and then click Save.
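Review bot: in PATCH 1/4, hunk @@ -0,0 +1,27 @@, the check under step 2 ("Check to see if any have the Service Account Access Role") names a different role from the one the plugin is about; the title, Description and Recommended Action all say Service Account Token Creator, so the step should use that same role name or readers will scan the IAM list for the wrong grant. In the same hunk the Category is "Compute" and the GOOGLE Link is https://cloud.google.com/compute/docs/disks, neither of which fits an IAM role check, "Ensure that no IAM user have" should read "has", and the file is committed with "\ No newline at end of file".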
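Review bot: in PATCH 2/4, hunk @@ -8,7 +8,7 @@, the Category is corrected to IAM but the context line "| **GOOGLE Link** | https://cloud.google.com/compute/docs/disks |" two lines below is left pointing at the Compute disks page; it belongs in the same fix, since the link is the one reference a reader would follow from the table. The commit subject "Update service-account-token-creator.md" also says nothing about what changed; "Move plugin from Compute to IAM category" or similar would make the history searchable.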
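Review bot: in PATCH 3/4, hunk @@ -22,6 +22,6 @@, numbering the check as step 3 fixes the list, but the line still reads "Service Account Access Role" while the plugin is named Service Account Token Creator; suggest "3. Check to see if any principal has the Service Account Token Creator role." The section is titled "Detailed Remediation Steps", yet after this step the reader is only told to look, not what to do when the role is found; a step that removes the binding is still missing.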
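Review bot: in PATCH 4/4, hunk @@ -11,17 +11,20 @@, the new steps 3 to 5 describe revoking an arbitrary principal's access without ever saying which role to look for; step 3 "Find the row containing the principal whose access you want to revoke" should point the reader at principals holding the Service Account Token Creator role (the role named in Description and Recommended Action), otherwise someone following the steps literally could remove unrelated grants. Step 5 "Click the Delete delete button" carries a duplicated word, most likely the icon label copied from the console documentation; drop one "delete". Dropping the policy-inheritance paragraph also removes the context that the new "You cannot edit inherited roles" note relies on: a grant inherited from the folder or organization still shows in the project's list but has to be revoked at the parent, so keeping the https://cloud.google.com/iam/docs/policies#inheritance link would help. The unchanged context line "Ensure that no IAM user have Service Account Token Creator Role" still has the grammar error ("has"), and while https://cloud.google.com/iam/docs/overview is at least an IAM page, a reference specific to the Service Account Token Creator role would serve the reader better than the general overview.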