Granting highly privileged resource rights to users or groups can reduce an organization’s ability to protect against account or service theft. It
prevents proper segregation of duties and creates potentially critical attack vectors on affected resources.
If elevated access rights are abused or compromised, both the data that the affected resources work with and their access tracking are at risk.
Ask Yourself Whether
- This GCP resource is essential to the information system infrastructure.
- This GCP resource is essential to mission-critical functions.
- Compliance policies require that administrative privileges for this resource be limited to a small group of individuals.
There is a risk if you answered yes to any of these questions.
Recommended Secure Coding Practices
Grant IAM policies or members a less permissive role: In most cases, granting them read-only privileges is sufficient.
Separate duties by creating multiple roles, so that a full-access role is not used for day-to-day work.
If the predefined GCP roles do not include the specific permissions you need, create custom IAM roles.
Sensitive Code Example
For an IAM policy setup:
data "google_iam_policy" "admin" {
  binding {
    role = "roles/run.admin" # Sensitive
    members = [
      "user:name@example.com",
    ]
  }
}

resource "google_cloud_run_service_iam_policy" "policy" {
  location    = google_cloud_run_service.default.location
  project     = google_cloud_run_service.default.project
  service     = google_cloud_run_service.default.name
  policy_data = data.google_iam_policy.admin.policy_data
}
For an IAM policy binding:
resource "google_cloud_run_service_iam_binding" "example" {
  location = google_cloud_run_service.default.location
  project  = google_cloud_run_service.default.project
  service  = google_cloud_run_service.default.name
  role     = "roles/run.admin" # Sensitive
  members  = [
    "user:name@example.com",
  ]
}
For adding a member to a policy:
resource "google_cloud_run_service_iam_member" "example" {
  location = google_cloud_run_service.default.location
  project  = google_cloud_run_service.default.project
  service  = google_cloud_run_service.default.name
  role     = "roles/run.admin" # Sensitive
  member   = "user:name@example.com"
}
Compliant Solution
For an IAM policy setup:
data "google_iam_policy" "admin" {
  binding {
    role = "roles/viewer"
    members = [
      "user:name@example.com",
    ]
  }
}

resource "google_cloud_run_service_iam_policy" "example" {
  location    = google_cloud_run_service.default.location
  project     = google_cloud_run_service.default.project
  service     = google_cloud_run_service.default.name
  policy_data = data.google_iam_policy.admin.policy_data
}
For an IAM policy binding:
resource "google_cloud_run_service_iam_binding" "example" {
  location = google_cloud_run_service.default.location
  project  = google_cloud_run_service.default.project
  service  = google_cloud_run_service.default.name
  role     = "roles/viewer"
  members  = [
    "user:name@example.com",
  ]
}
For adding a member to a policy:
resource "google_cloud_run_service_iam_member" "example" {
  location = google_cloud_run_service.default.location
  project  = google_cloud_run_service.default.project
  service  = google_cloud_run_service.default.name
  role     = "roles/viewer"
  member   = "user:name@example.com"
}
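As an added example, not part of the original rule description and not a SonarSource analyzer, the following Python script implements the check the rule describes as a small Terraform scanner: it finds google_*_iam_policy, _iam_binding and _iam_member resources, resolves the policy_data reference back to the google_iam_policy data source so that the role hidden in the data block is also inspected, and reports highly privileged roles. It generalizes slightly beyond the page: it applies to any google_*_iam_* resource type, not only Cloud Run, and it treats the primitive roles/owner and roles/editor and any role ending in ".admin" as sensitive (the page names only roles/run.admin; the wider set is an assumption of this example). The HCL sample embedded below is constructed from the page's own snippets; the regex parsing is deliberately simple and assumes one role attribute per block and double-quoted literal roles.

```python
import re

# Heuristic for "highly privileged": the page names roles/run.admin; the primitive
# roles and the ".admin" suffix are an assumption of this example, not the rule text.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}


def is_sensitive_role(role):
    return role in PRIMITIVE_ROLES or role.endswith(".admin")


# Top-level `resource "type" "name" {` and `data "type" "name" {` headers.
BLOCK_RE = re.compile(r'^\s*(resource|data)\s+"([^"]+)"\s+"([^"]+)"\s*\{', re.M)
# `role = "..."` attribute (does not match `roles/...` values or `role_id`).
ROLE_RE = re.compile(r'\brole\s*=\s*"([^"]+)"')
# `policy_data = data.google_iam_policy.<name>.policy_data` reference.
POLICY_REF_RE = re.compile(r'policy_data\s*=\s*data\.google_iam_policy\.(\w+)\.policy_data')
# Any IAM resource of the Google provider, e.g. google_cloud_run_service_iam_member.
IAM_TYPE_RE = re.compile(r'^google_.*_iam_(policy|binding|member)$')


def _block_body(text, open_idx):
    """Return the text between the brace at open_idx and its matching close brace."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in HCL input")


def parse_blocks(hcl):
    """Yield (kind, type, name, body) for each top-level resource/data block."""
    for m in BLOCK_RE.finditer(hcl):
        yield m.group(1), m.group(2), m.group(3), _block_body(hcl, m.end() - 1)


def find_sensitive_bindings(hcl):
    """Return [(resource_address, role)] for IAM resources that grant a sensitive role."""
    blocks = list(parse_blocks(hcl))
    # Roles declared inside each google_iam_policy data source, keyed by its name.
    policy_roles = {name: ROLE_RE.findall(body)
                    for kind, rtype, name, body in blocks
                    if kind == "data" and rtype == "google_iam_policy"}
    findings = []
    for kind, rtype, name, body in blocks:
        if kind != "resource" or not IAM_TYPE_RE.match(rtype):
            continue
        roles = ROLE_RE.findall(body)                     # binding / member resources
        for ref in POLICY_REF_RE.findall(body):           # policy resources: follow the reference
            roles.extend(policy_roles.get(ref, []))
        for role in roles:
            if is_sensitive_role(role):
                findings.append((f"{rtype}.{name}", role))
    return findings


# Constructed sample: the page's sensitive policy setup, a compliant binding and a
# sensitive member grant, so the scanner has one hit of each shape to find.
SAMPLE_HCL = '''
data "google_iam_policy" "admin" {
  binding {
    role = "roles/run.admin"
    members = ["user:name@example.com"]
  }
}

resource "google_cloud_run_service_iam_policy" "policy" {
  location    = google_cloud_run_service.default.location
  project     = google_cloud_run_service.default.project
  service     = google_cloud_run_service.default.name
  policy_data = data.google_iam_policy.admin.policy_data
}

resource "google_cloud_run_service_iam_binding" "reader" {
  location = google_cloud_run_service.default.location
  project  = google_cloud_run_service.default.project
  service  = google_cloud_run_service.default.name
  role     = "roles/viewer"
  members  = ["user:name@example.com"]
}

resource "google_cloud_run_service_iam_member" "ops" {
  location = google_cloud_run_service.default.location
  project  = google_cloud_run_service.default.project
  service  = google_cloud_run_service.default.name
  role     = "roles/run.admin"
  member   = "user:name@example.com"
}
'''

if __name__ == "__main__":
    for address, role in find_sensitive_bindings(SAMPLE_HCL):
        print(f"{address}: grants {role} (Sensitive)")
```

The policy case is the one a naive grep misses: the resource block itself contains no role, so the scanner has to follow policy_data back to the data source. The viewer binding is reported nowhere, matching the Compliant Solution above.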
See