Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

GCP Function using Default Service Account

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Google Cloud functions are configured to use user-managed service accounts instead of the default service account managed by Google Cloud in order to follow the Principle of Least Privilege (POLP) and enhance the security posture of your functions.

Security
Operational
excellence

For production environments, Google Cloud recommends assigning each function a dedicated identity through a user-managed service account instead of using the default, managed service account. User-managed service accounts enable precise access control by granting only essential permissions through Identity and Access Management (IAM).

Audit

To determine the type of the service account associated with your Google Cloud functions, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Google Cloud Functions console available at https://console.cloud.google.com/functions/.

04 Click on the name (link) of the Google Cloud function that you want to examine, listed in the Name column.

05 Select the DETAILS tab and check the identifier (ID) of the service account associated with your function, listed next to Service account. If the service account identifier has one of the following formats: [project-number]@appspot.gserviceaccount.com (1st gen functions) or [project-number]@developer.gserviceaccount.com (2nd gen functions), the selected Google Cloud function is using the default service account provided by GCP.

06 Repeat steps no. 4 and 5 for each Google Cloud function created for the selected GCP project.

07 Repeat steps no. 2 - 6 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each project available in your Google Cloud Platform (GCP) account: 

gcloud projects list
  --format="table(projectId)"

02 The command output should return the requested GCP project ID(s): 

PROJECT_ID
  cc-bigdata-project-123123
  cc-iot-app-project-112233

03 Run functions list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the name and the region of each Google Cloud function deployed within the selected project: 

gcloud functions list
  --project cc-bigdata-project-123123
  --format="(NAME,REGION)"

04 The command output should return the requested function names and their regions: 

NAME                  REGION
cc-web-app-function   us-central1
cc-stream-function    us-central1

05 Run functions describe command (Windows/macOS/Linux) using the name of the Google Cloud function that you want to examine as the identifier parameter, to describe the identifier (ID) of the service account associated with the selected function: 

gcloud functions describe cc-web-app-function
  --region=us-central1
  --format="value(serviceConfig.serviceAccountEmail)"

06 The command output should return the requested service account ID: 

123412341234-compute@developer.gserviceaccount.com

Check the service account identifier (ID) returned by the functions describe command output at the previou step. If the service account ID has one of the following formats: [project-number]@appspot.gserviceaccount.com (1st gen functions) or [project-number]@developer.gserviceaccount.com (2nd gen functions), the selected Google Cloud function is using the default service account provided by GCP.

07 Repeat steps no. 5 and 6 for each Google Cloud function created for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To ensure that your Google Cloud functions are configured to use user-managed service accounts instead of the default service account, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Google Cloud Functions console available at https://console.cloud.google.com/functions/.

04 Click on the name (link) of the Google Cloud function that you want to configure, listed in the Name column.

05 Choose EDIT from the top menu to modify the function configuration.

06 For Configuration, choose Runtime, build, connections and security settings, and select the RUNTIME tab to access the function settings.

07 In the Runtime service account section, choose the user-managed service account that will replace the default service account, from the Service account dropdown list.

08 Select NEXT and choose DEPLOY to redeploy your modified function.

09 Repeat steps no. 4 – 8 for each Google Cloud function that you want to configure, available for the selected GCP project.

10 Repeat steps no. 2 – 9 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run functions deploy command (Windows/macOS/Linux) using the name of the Google Cloud function that you want to configure as the identifier parameter, to replace the default service account configured for the selected function with a user-managed service account. Replace [service-account-name] and [project-id] with your own project details: 

gcloud functions deploy cc-web-app-function
  --region=us-central1
  --entry-point=run_http
  --trigger-http
  --runtime=python311
  --service-account=[service-account-name]@[project-id].iam.gserviceaccount.com
  --format="value(serviceConfig.serviceAccountEmail)"

02 The command output should return the identifier (ID) of the user-managed service account associated with the selected function: 

[service-account-name]@[project-id].iam.gserviceaccount.com

03 Repeat steps no. 1 and 2 for each Google Cloud function that you want to configure, created for the selected GCP project.

04 Repeat steps no. 1 – 3 for each project deployed within your Google Cloud account.

References

Publication date Oct 24, 2023

Related CloudFunction rules