Terraform Automount Token Enabled
Description
Detects Terraform configurations in which Kubernetes service account tokens are set to be mounted automatically into pods and their containers. The mounted token (placed under /var/run/secrets/kubernetes.io/serviceaccount/) is a credential for the Kubernetes API, so any process running in a compromised container can use it with whatever RBAC permissions the service account holds. Most workloads never call the API and do not need this credential; mounting it anyway hands containers access they have no use for and violates the principle of least privilege.
Detection Strategy
• Search Terraform configuration files for Kubernetes resource definitions (pods, deployments, jobs, cron jobs and similar workloads, plus the service accounts they use)
• Check whether the 'automount_service_account_token' attribute is explicitly set to true in the pod specification (including the pod template nested inside workload resources) or on the service account resource. Keep in mind that Kubernetes mounts the token by default when the attribute is absent, and that a value set at the pod level overrides the one on the service account
• Report a vulnerability when service account token auto-mounting is enabled, since the container then holds Kubernetes API credentials it may not need
Vulnerable code example
resource "kubernetes_cron_job_v1" "demo" {
  metadata {
    name = "demo-job"
  }
  spec {
    schedule = "*/5 * * * *"
    job_template {
      spec {...

✅ Secure code example
resource "kubernetes_cron_job_v1" "demo" {
  metadata {
    name = "demo-job"
  }
  spec {
    schedule = "*/5 * * * *"
    job_template {
      spec {...
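The following is an added example written for this page; it is not the page's own snippet and not code from the Terraform Kubernetes provider project. It shows a complete CronJob in the weak form the detection strategy flags, then the hardened form, which also introduces a dedicated service account. Resource names (demo-job-weak, demo-job, demo-sa), the busybox image and the command are placeholders.

```hcl
# Added example (not the page's own code). Weak and hardened CronJob managed
# with the Terraform "kubernetes" provider. All names and the image are
# placeholders chosen for illustration.

# Weak: the pod template explicitly enables token auto-mounting. Omitting the
# attribute behaves the same way, because Kubernetes defaults
# automountServiceAccountToken to true; the explicit "true" is what this
# check reports.
resource "kubernetes_cron_job_v1" "weak" {
  metadata {
    name = "demo-job-weak"
  }
  spec {
    schedule = "*/5 * * * *"
    job_template {
      metadata {}
      spec {
        template {
          metadata {}
          spec {
            # Flagged: every container in the pod receives the API token
            # under /var/run/secrets/kubernetes.io/serviceaccount/
            automount_service_account_token = true
            container {
              name    = "demo"
              image   = "busybox:1.36"
              command = ["/bin/sh", "-c", "date"]
            }
          }
        }
      }
    }
  }
}

# Hardened: a dedicated service account with auto-mounting disabled, and the
# pod template disables it as well. The pod-level value takes precedence over
# the service account's, so setting both keeps the pod safe even if the
# service account is later edited by hand.
resource "kubernetes_service_account_v1" "demo" {
  metadata {
    name = "demo-sa"
  }
  automount_service_account_token = false
}

resource "kubernetes_cron_job_v1" "hardened" {
  metadata {
    name = "demo-job"
  }
  spec {
    schedule = "*/5 * * * *"
    job_template {
      metadata {}
      spec {
        template {
          metadata {}
          spec {
            service_account_name            = kubernetes_service_account_v1.demo.metadata[0].name
            automount_service_account_token = false
            container {
              name    = "demo"
              image   = "busybox:1.36"
              command = ["/bin/sh", "-c", "date"]
            }
          }
        }
      }
    }
  }
}
```

After applying the hardened configuration, a pod created by the job should report false for `kubectl get pod <pod-name> -o jsonpath='{.spec.automountServiceAccountToken}'` and its container should have no volume mounted at /var/run/secrets/kubernetes.io/serviceaccount. If a workload genuinely needs the API, keep the mount but bind the service account to a Role that grants only the verbs and resources it uses.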