GCP Function using Service Account with Basic Roles

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Google Cloud Functions console available at https://console.cloud.google.com/functions/.

04 Click on the name (link) of the Google Cloud function that you want to examine, listed in the Name column.

05 Select the DETAILS tab and copy the service account identifier, listed next to Service account.

06 Navigate to Identity and Access Management (IAM) console available at https://console.cloud.google.com/iam-admin/iam and choose IAM.

07 Select the PERMISSIONS tab and choose the VIEW BY PRINCIPALS tab to access the identities defined for your project's IAM policy.

08 Click inside the Filter box, choose Principal, paste the service account identitfier copied at step no. 5, and press Enter.

09 Check the name of each role attached to the selected service acocunt, listed in the Role column to determine if the selected identity is using basic roles. If one of the following managed roles: Owner, Editor, and Viewer is assigned to the service account associated with your function, the selected Google Cloud function is configured with basic roles.

10 Repeat steps no. 4 - 9 for each Google Cloud function created for the selected GCP project.

11 Repeat steps no. 2 - 10 for each project deployed within your Google Cloud account.

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list
  --format="table(projectId)"

02 The command output should return the requested GCP project ID(s):

PROJECT_ID
cc-bigdata-project-123123
cc-iot-app-project-112233

03 Run functions list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the name and the region of each Google Cloud function deployed within the selected project:

gcloud functions list 
  --project cc-bigdata-project-123123 
  --format="(NAME,REGION)"

04 The command output should return the requested function names and their regions:

NAME                  REGION
cc-web-app-function   us-central1
cc-stream-function    us-central1

05 Run functions describe command (Windows/macOS/Linux) using the name of the Google Cloud function that you want to examine as the identifier parameter, to describe the identifier (ID) of the service account associated with the selected function:

gcloud functions describe cc-web-app-function 
  --region=us-central1 
  --format="value(serviceConfig.serviceAccountEmail)"

06 The command output should return the requested service account ID:

123412341234-compute@developer.gserviceaccount.com

07 Run projects get-iam-policy command (Windows/macOS/Linux) to describe the IAM policy defined for the Google Cloud project used to managed your functions:

gcloud projects get-iam-policy cc-bigdata-project-123123

08 The command output should return the IAM policy configured for your GCP project:

bindings:
	- members:
		- serviceAccount:123412341234-compute@developer.gserviceaccount.com
		role: roles/editor
	- members:
		- serviceAccount:123412341234-compute@developer.gserviceaccount.com
		role: roles/viewer
	- members:
		- serviceAccount:service-123412341234@gcp-sa-pubsub.iam.gserviceaccount.com
		role: roles/pubsub.serviceAgent
	- members:
		- serviceAccount:service-123412341234@serverless-robot-prod.iam.gserviceaccount.com
		role: roles/run.serviceAgent
	- members:
		- serviceAccount:123412341234-compute@developer.gserviceaccount.com
		- user:user@domain.com
		role: roles/owner
	- members:
		- serviceAccount:service-123412341234@gcp-sa-vpcaccess.iam.gserviceaccount.com
		role: roles/vpcaccess.serviceAgent
	etag: ABCD1234ABCD
	version: 1

09 Repeat steps no. 5 - 8 for each Google Cloud function created for the selected GCP project.

10 Repeat steps no. 3 – 9 for each GCP project deployed in your Google Cloud account.

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Identity and Access Management (IAM) console available at https://console.cloud.google.com/iam-admin/iam and choose IAM.

04 Select the PERMISSIONS tab and choose the VIEW BY PRINCIPALS tab to access the identities defined for your project's IAM policy.

05 Click on the Edit pricipal (pencil icon) button available next to the service account associated with your Google Cloud function to modify the principal permission.

06 Choose the basic role (Owner, Editor, or Viewer) that you want to remove from the service account and click on the Remove (bin icon) button to delete the role assignment for your identity.

07 To assign a new role that follows the Principle of Least Privilege (POLP), choose + ADD ANOTHER ROLE and select the predefined or custom role that you want to attach to your service account.

08 Choose SAVE to apply the permission changes.

09 Repeat steps no. 2 – 8 for each project deployed within your Google Cloud account.

01 Run remove-iam-policy-binding command (OSX/Linux/UNIX) to remove a basic role from the service account associated with your Google Cloud function. The following command request example removes the Editor role assignment from a service account identified by the ID "<123412341234-compute@developer.gserviceaccount.com>":

gcloud projects remove-iam-policy-binding cc-bigdata-project-123123 
  --member=serviceAccount:123412341234-compute@developer.gserviceaccount.com 
  --role=roles/editor

02 The command output should return the updated IAM policy in YAML format:

bindings:
	- members:
		- serviceAccount:123412341234-compute@developer.gserviceaccount.com
		role: roles/viewer
	- members:
		- serviceAccount:service-123412341234@gcp-sa-pubsub.iam.gserviceaccount.com
		role: roles/pubsub.serviceAgent
	- members:
		- serviceAccount:service-123412341234@serverless-robot-prod.iam.gserviceaccount.com
		role: roles/run.serviceAgent
	- members:
		- serviceAccount:123412341234-compute@developer.gserviceaccount.com
		- user:user@domain.com
		role: roles/owner
	- members:
		- serviceAccount:service-123412341234@gcp-sa-vpcaccess.iam.gserviceaccount.com
		role: roles/vpcaccess.serviceAgent
	etag: ABCD1234ABCD
	version: 1

03 Run projects add-iam-policy-binding command (Windows/macOS/Linux) to assign a predefined or a custom role to the service account associated with your Google Cloud functions. The following command request example adds the Cloud Functions Developer (i.e. roles/cloudfunctions.developer) role to a service account identified by the ID "<123412341234-compute@developer.gserviceaccount.com>". The Cloud Functions Developer provides read and write access to all functions-related resources:

gcloud projects add-iam-policy-binding cc-bigdata-project-123123 
  --member=serviceAccount:123412341234-compute@developer.gserviceaccount.com 
  --role=roles/cloudfunctions.developer

04 The command output should return the updated IAM policy:

bindings:
	- members:
		- serviceAccount:461695253704-compute@developer.gserviceaccount.com
		role: roles/cloudfunctions.developer
	- members:
		- serviceAccount:123412341234-compute@developer.gserviceaccount.com
		role: roles/viewer
	- members:
		- serviceAccount:service-123412341234@gcp-sa-pubsub.iam.gserviceaccount.com
		role: roles/pubsub.serviceAgent
	- members:
		- serviceAccount:service-123412341234@serverless-robot-prod.iam.gserviceaccount.com
		role: roles/run.serviceAgent
	- members:
		- serviceAccount:123412341234-compute@developer.gserviceaccount.com
		- user:user@domain.com
		role: roles/owner
	- members:
		- serviceAccount:service-123412341234@gcp-sa-vpcaccess.iam.gserviceaccount.com
		role: roles/vpcaccess.serviceAgent
	etag: ABCD1234ABCD
	version: 1

05 Repeat steps no. 1 - 4 for each project deployed within your Google Cloud account.