
GCP Function using Service Account with Basic Roles

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that the service account associated with your Google Cloud functions is not configured to use basic roles for permissions in order to follow the Principle of Least Privilege (POLP) and grant only the specific permissions needed for the function to operate securely. In Google Cloud, basic roles are: "Viewer", "Editor", and "Owner" managed roles.

Categories: Security, Operational excellence

Basic roles (formerly called primitive roles) predate Google Cloud IAM and were designed to grant wide-ranging access to cloud resources. Each of them bundles thousands of permissions across all Google Cloud services, so a function running under an account with Owner, Editor or even Viewer can read, and in the first two cases modify or delete, resources far beyond what it needs. In production environments, avoid granting basic roles unless absolutely necessary; instead, use the predefined role with the narrowest permissions that covers the function's actual API calls, or create a custom role tailored to them. Note that the default runtime identities used by Cloud Functions when no service account is specified, the App Engine default service account (PROJECT_ID@appspot.gserviceaccount.com) for 1st gen functions and the Compute Engine default service account (PROJECT_NUMBER-compute@developer.gserviceaccount.com) for 2nd gen functions, are automatically granted the Editor role on the project unless the iam.automaticIamGrantsForDefaultServiceAccounts organization policy constraint is enforced, so a freshly deployed function commonly fails this check by default.


Audit

To determine if the service account associated with your Google Cloud functions is configured to use basic roles, perform the following actions:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Google Cloud Functions console available at https://console.cloud.google.com/functions/.

04 Click on the name (link) of the Google Cloud function that you want to examine, listed in the Name column.

05 Select the DETAILS tab and copy the service account identifier, listed next to Service account.

06 Navigate to Identity and Access Management (IAM) console available at https://console.cloud.google.com/iam-admin/iam and choose IAM.

07 Select the PERMISSIONS tab and choose the VIEW BY PRINCIPALS tab to access the identities defined for your project's IAM policy.

08 Click inside the Filter box, choose Principal, paste the service account identifier copied at step no. 5, and press Enter.

09 Check the name of each role attached to the selected service account, listed in the Role column, to determine whether the identity is using basic roles. If any of the Owner, Editor, or Viewer roles is assigned to the service account associated with your function, the selected Google Cloud function is configured with basic roles.

10 Repeat steps no. 4 - 9 for each Google Cloud function created for the selected GCP project.

11 Repeat steps no. 2 - 10 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with a custom output format to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list
  --format="table(projectId)"

02 The command output should return the requested GCP project ID(s):

PROJECT_ID
cc-bigdata-project-123123
cc-iot-app-project-112233

03 Run functions list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and a custom output format to list the name and the region of each Google Cloud function deployed within the selected project:

gcloud functions list 
  --project cc-bigdata-project-123123 
  --format="(NAME,REGION)"

04 The command output should return the requested function names and their regions:

NAME                  REGION
cc-web-app-function   us-central1
cc-stream-function    us-central1

05 Run functions describe command (Windows/macOS/Linux) using the name of the Google Cloud function that you want to examine as the identifier parameter to return the email address of the runtime service account associated with the selected function. The serviceConfig.serviceAccountEmail field applies to 2nd gen functions; for 1st gen functions described through the v1 API the field is serviceAccountEmail at the top level. Pass the project ID explicitly so that the command does not silently fall back to the active gcloud project:

gcloud functions describe cc-web-app-function 
  --project cc-bigdata-project-123123 
  --region=us-central1 
  --format="value(serviceConfig.serviceAccountEmail)"

06 The command output should return the email address of the function's runtime service account (in this example the Compute Engine default service account):

123412341234-compute@developer.gserviceaccount.com

07 Run projects get-iam-policy command (Windows/macOS/Linux) to describe the IAM policy defined for the Google Cloud project used to manage your functions:

gcloud projects get-iam-policy cc-bigdata-project-123123

08 The command output should return the IAM policy configured for your GCP project:

bindings:
- members:
  - serviceAccount:123412341234-compute@developer.gserviceaccount.com
  role: roles/editor
- members:
  - serviceAccount:123412341234-compute@developer.gserviceaccount.com
  role: roles/viewer
- members:
  - serviceAccount:service-123412341234@gcp-sa-pubsub.iam.gserviceaccount.com
  role: roles/pubsub.serviceAgent
- members:
  - serviceAccount:service-123412341234@serverless-robot-prod.iam.gserviceaccount.com
  role: roles/run.serviceAgent
- members:
  - serviceAccount:123412341234-compute@developer.gserviceaccount.com
  - user:user@domain.com
  role: roles/owner
- members:
  - serviceAccount:service-123412341234@gcp-sa-vpcaccess.iam.gserviceaccount.com
  role: roles/vpcaccess.serviceAgent
etag: ABCD1234ABCD
version: 1

Check the roles attached to the service account associated with your function, returned at step no. 6, to determine whether the identity is using basic roles. If any of roles/owner, roles/editor, or roles/viewer is bound to that service account, the selected Google Cloud function is configured with basic roles. Note that get-iam-policy returns only the bindings set on the project itself; a basic role granted on the parent folder or organization is inherited by the project, and therefore by the service account, but does not appear in this output, so check those levels as well (for example on the IAM page of the folder or organization, or with gcloud asset search-all-iam-policies).

09 Repeat steps no. 5 - 8 for each Google Cloud function created for the selected GCP project.

10 Repeat steps no. 3 – 9 for each GCP project deployed in your Google Cloud account.
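The following script is an added example, not part of the Conformity article or its tooling: it chains steps 03 to 08 above into one POSIX shell audit that walks every function in the projects given on the command line, resolves each function's runtime service account, and prints the basic roles bound to it at the project level. It assumes an authenticated gcloud with permission to list functions and read project IAM policies; the helper names (basic_roles, function_region, function_name, member_roles, audit_project) are mine, and the --flatten/--filter query is the documented gcloud way of listing one member's bindings instead of reading the whole policy by eye. Unlike step 05, it also falls back to the 1st gen serviceAccountEmail field when serviceConfig.serviceAccountEmail is empty.

```shell
#!/bin/sh
# Added example (not part of the Conformity article): audit every Cloud Function
# in the given projects for a runtime service account that holds a basic role
# at the project level. Needs an authenticated gcloud when run for real; the
# pure helpers (basic_roles, function_region, function_name) run offline.
set -eu

# basic_roles: read role names from stdin, one per line (the shape printed by
# `gcloud ... --format="value(bindings.role)"`), and echo only the basic roles.
basic_roles() {
  while IFS= read -r role; do
    case "$role" in
      roles/owner|roles/editor|roles/viewer) printf '%s\n' "$role" ;;
    esac
  done
}

# function_region / function_name: split a full function resource name such as
# projects/PROJECT/locations/REGION/functions/NAME (1st and 2nd gen share it).
function_region() { path=${1#*/locations/}; printf '%s\n' "${path%%/*}"; }
function_name()   { printf '%s\n' "${1##*/}"; }

# function_service_account PROJECT NAME REGION: the runtime identity. 2nd gen
# functions expose serviceConfig.serviceAccountEmail; 1st gen functions
# described through the v1 API expose serviceAccountEmail at the top level.
function_service_account() {
  sa=$(gcloud functions describe "$2" --project "$1" --region "$3" \
         --format="value(serviceConfig.serviceAccountEmail)")
  if [ -z "$sa" ]; then
    sa=$(gcloud functions describe "$2" --project "$1" --region "$3" \
           --format="value(serviceAccountEmail)")
  fi
  printf '%s\n' "$sa"
}

# member_roles PROJECT EMAIL: project-level roles bound to the account, one per
# line. Only bindings on the project itself are returned; roles inherited from
# a folder or the organization are not visible here.
member_roles() {
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:$2" \
    --format="value(bindings.role)"
}

# audit_project PROJECT: one PASS/FAIL line per function in the project.
audit_project() {
  project=$1
  gcloud functions list --project "$project" --format="value(name)" |
  while IFS= read -r path; do
    region=$(function_region "$path")
    name=$(function_name "$path")
    sa=$(function_service_account "$project" "$name" "$region")
    found=$(member_roles "$project" "$sa" | basic_roles | tr '\n' ' ')
    if [ -n "$found" ]; then
      printf 'FAIL %s %s (%s) sa=%s basic_roles=%s\n' \
        "$project" "$name" "$region" "$sa" "$found"
    else
      printf 'PASS %s %s (%s) sa=%s\n' "$project" "$name" "$region" "$sa"
    fi
  done
}

# Usage: ./audit-function-roles.sh PROJECT_ID [PROJECT_ID ...]
# With no arguments nothing is audited, so the helpers can be sourced or tested.
for project in "$@"; do
  audit_project "$project"
done
```

Run it as ./audit-function-roles.sh cc-bigdata-project-123123 cc-iot-app-project-112233, or feed it the output of gcloud projects list --format="value(projectId)". Like the manual procedure it inspects only project-level bindings; to catch basic roles inherited from a folder or organization, query Cloud Asset Inventory with gcloud asset search-all-iam-policies --scope=organizations/ORG_ID --query="policy:SA_EMAIL" (the Cloud Asset API must be enabled in the project running the query).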

Remediation / Resolution

Basic roles grant far more permissions than a function needs, so a compromised function (for example through a vulnerable dependency or an input-handling flaw) can be leveraged against every resource in the project. To ensure that your Google Cloud functions are not using basic roles for permissions, perform the following actions. Before removing a role, confirm which other workloads share the service account: the Compute Engine default service account is also the default identity for Compute Engine VMs and other services, so stripping Editor from it affects all of them at once. Where practical, deploy each function with its own dedicated service account (gcloud functions deploy ... --service-account) and bind only the roles that function needs:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Identity and Access Management (IAM) console available at https://console.cloud.google.com/iam-admin/iam and choose IAM.

04 Select the PERMISSIONS tab and choose the VIEW BY PRINCIPALS tab to access the identities defined for your project's IAM policy.

05 Click on the Edit principal (pencil icon) button available next to the service account associated with your Google Cloud function to modify the principal permissions.

06 Choose the basic role (Owner, Editor, or Viewer) that you want to remove from the service account and click on the Remove (bin icon) button to delete the role assignment for your identity.

07 To assign a new role that follows the Principle of Least Privilege (POLP), choose + ADD ANOTHER ROLE and select the predefined or custom role that you want to attach to your service account.

08 Choose SAVE to apply the permission changes.

09 Repeat steps no. 2 – 8 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects remove-iam-policy-binding command (Windows/macOS/Linux) to remove a basic role from the service account associated with your Google Cloud function. The following command request example removes the Editor role (roles/editor) assignment from the service account identified by the email 123412341234-compute@developer.gserviceaccount.com. Repeat the command with roles/owner and roles/viewer if those are also bound to the account:

gcloud projects remove-iam-policy-binding cc-bigdata-project-123123 
  --member=serviceAccount:123412341234-compute@developer.gserviceaccount.com 
  --role=roles/editor

02 The command output should return the updated IAM policy in YAML format:

bindings:
- members:
  - serviceAccount:123412341234-compute@developer.gserviceaccount.com
  role: roles/viewer
- members:
  - serviceAccount:service-123412341234@gcp-sa-pubsub.iam.gserviceaccount.com
  role: roles/pubsub.serviceAgent
- members:
  - serviceAccount:service-123412341234@serverless-robot-prod.iam.gserviceaccount.com
  role: roles/run.serviceAgent
- members:
  - serviceAccount:123412341234-compute@developer.gserviceaccount.com
  - user:user@domain.com
  role: roles/owner
- members:
  - serviceAccount:service-123412341234@gcp-sa-vpcaccess.iam.gserviceaccount.com
  role: roles/vpcaccess.serviceAgent
etag: ABCD1234ABCD
version: 1

03 Run projects add-iam-policy-binding command (Windows/macOS/Linux) to assign a predefined or a custom role to the service account associated with your Google Cloud functions. The following command request example adds the Cloud Functions Developer (i.e. roles/cloudfunctions.developer) role to the service account identified by the email 123412341234-compute@developer.gserviceaccount.com. The Cloud Functions Developer role provides read and write access to all functions-related resources and is used here only as an illustration of a predefined role; the role you actually bind should match what the function's code calls at runtime (for example roles/pubsub.publisher to publish messages or roles/storage.objectViewer to read objects), and where possible it should be granted on the specific resource rather than on the whole project:

gcloud projects add-iam-policy-binding cc-bigdata-project-123123 
  --member=serviceAccount:123412341234-compute@developer.gserviceaccount.com 
  --role=roles/cloudfunctions.developer

04 The command output should return the updated IAM policy:

bindings:
- members:
  - serviceAccount:123412341234-compute@developer.gserviceaccount.com
  role: roles/cloudfunctions.developer
- members:
  - serviceAccount:123412341234-compute@developer.gserviceaccount.com
  role: roles/viewer
- members:
  - serviceAccount:service-123412341234@gcp-sa-pubsub.iam.gserviceaccount.com
  role: roles/pubsub.serviceAgent
- members:
  - serviceAccount:service-123412341234@serverless-robot-prod.iam.gserviceaccount.com
  role: roles/run.serviceAgent
- members:
  - serviceAccount:123412341234-compute@developer.gserviceaccount.com
  - user:user@domain.com
  role: roles/owner
- members:
  - serviceAccount:service-123412341234@gcp-sa-vpcaccess.iam.gserviceaccount.com
  role: roles/vpcaccess.serviceAgent
etag: ABCD1234ABCD
version: 1

05 Repeat steps no. 1 - 4 for each project deployed within your Google Cloud account.

Publication date Oct 24, 2023
