- Knowledge Base
- Google Cloud Platform
- GCP Cloud Function
- GCP Function using Service Account with Basic Roles
Ensure that the service account associated with your Google Cloud functions is not configured to use basic roles for permissions in order to follow the Principle of Least Privilege (POLP) and grant only the specific permissions needed for the function to operate securely. In Google Cloud, basic roles are: "Viewer", "Editor", and "Owner" managed roles.
Security 
Operationalexcellence
Before IAM was introduced in Google Cloud, basic roles existed as highly permissive roles. Basic roles were designed to provide wide-ranging access to cloud resources. However, it's essential to exercise caution when using basic roles, as they encompass thousands of permissions across all Google Cloud services. In production environments, it's advisable to avoid granting basic roles unless absolutely necessary. Instead, opt for predefined roles with the most restricted permissions or create custom roles tailored to your specific requirements.
Audit
To determine if the service account associated with your Google Cloud functions is configured to use basic roles, perform the following actions:
Using GCP Console
01 Sign in to the Google Cloud Management Console.
02 Select the GCP project that you want to examine from the console top navigation bar.
03 Navigate to Google Cloud Functions console available at https://console.cloud.google.com/functions/.
04 Click on the name (link) of the Google Cloud function that you want to examine, listed in the Name column.
05 Select the DETAILS tab and copy the service account identifier, listed next to Service account.
06 Navigate to Identity and Access Management (IAM) console available at https://console.cloud.google.com/iam-admin/iam and choose IAM.
07 Select the PERMISSIONS tab and choose the VIEW BY PRINCIPALS tab to access the identities defined for your project's IAM policy.
08 Click inside the Filter box, choose Principal, paste the service account identitfier copied at step no. 5, and press Enter.
09 Check the name of each role attached to the selected service acocunt, listed in the Role column to determine if the selected identity is using basic roles. If one of the following managed roles: Owner, Editor, and Viewer is assigned to the service account associated with your function, the selected Google Cloud function is configured with basic roles.
10 Repeat steps no. 4 - 9 for each Google Cloud function created for the selected GCP project.
11 Repeat steps no. 2 - 10 for each project deployed within your Google Cloud account.
Using GCP CLI
01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each project available in your Google Cloud Platform (GCP) account:
gcloud projects list --format="table(projectId)"
02 The command output should return the requested GCP project ID(s):
PROJECT_ID cc-bigdata-project-123123 cc-iot-app-project-112233
03 Run functions list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the name and the region of each Google Cloud function deployed within the selected project:
gcloud functions list --project cc-bigdata-project-123123 --format="(NAME,REGION)"
04 The command output should return the requested function names and their regions:
NAME REGION cc-web-app-function us-central1 cc-stream-function us-central1
05 Run functions describe command (Windows/macOS/Linux) using the name of the Google Cloud function that you want to examine as the identifier parameter, to describe the identifier (ID) of the service account associated with the selected function:
gcloud functions describe cc-web-app-function --region=us-central1 --format="value(serviceConfig.serviceAccountEmail)"
06 The command output should return the requested service account ID:
123412341234-compute@developer.gserviceaccount.com
07 Run projects get-iam-policy command (Windows/macOS/Linux) to describe the IAM policy defined for the Google Cloud project used to managed your functions:
gcloud projects get-iam-policy cc-bigdata-project-123123
08 The command output should return the IAM policy configured for your GCP project:
bindings: - members: - serviceAccount:123412341234-compute@developer.gserviceaccount.com role: roles/editor - members: - serviceAccount:123412341234-compute@developer.gserviceaccount.com role: roles/viewer - members: - serviceAccount:service-123412341234@gcp-sa-pubsub.iam.gserviceaccount.com role: roles/pubsub.serviceAgent - members: - serviceAccount:service-123412341234@serverless-robot-prod.iam.gserviceaccount.com role: roles/run.serviceAgent - members: - serviceAccount:123412341234-compute@developer.gserviceaccount.com - user:user@domain.com role: roles/owner - members: - serviceAccount:service-123412341234@gcp-sa-vpcaccess.iam.gserviceaccount.com role: roles/vpcaccess.serviceAgent etag: ABCD1234ABCD version: 1
Check the roles attached to the service account associated with your function, returned at step no. 6, to determine if the selected identity is using basic roles. If one of the following managed roles: roles/owner, roles/editor, and roles/viewer is assigned to the service account associated with your function, the selected Google Cloud function is configured with basic roles.
09 Repeat steps no. 5 - 8 for each Google Cloud function created for the selected GCP project.
10 Repeat steps no. 3 – 9 for each GCP project deployed in your Google Cloud account.
Remediation / Resolution
Basic roles provide overly broad permissions that can lead to security risks and potential misuse of resources. To ensure that your Google Cloud functions are not using basic roles for permissions, perform the following actions:
Using GCP Console
01 Sign in to the Google Cloud Management Console.
02 Select the GCP project that you want to access from the console top navigation bar.
03 Navigate to Identity and Access Management (IAM) console available at https://console.cloud.google.com/iam-admin/iam and choose IAM.
04 Select the PERMISSIONS tab and choose the VIEW BY PRINCIPALS tab to access the identities defined for your project's IAM policy.
05 Click on the Edit pricipal (pencil icon) button available next to the service account associated with your Google Cloud function to modify the principal permission.
06 Choose the basic role (Owner, Editor, or Viewer) that you want to remove from the service account and click on the Remove (bin icon) button to delete the role assignment for your identity.
07 To assign a new role that follows the Principle of Least Privilege (POLP), choose + ADD ANOTHER ROLE and select the predefined or custom role that you want to attach to your service account.
08 Choose SAVE to apply the permission changes.
09 Repeat steps no. 2 – 8 for each project deployed within your Google Cloud account.
Using GCP CLI
01 Run remove-iam-policy-binding command (OSX/Linux/UNIX) to remove a basic role from the service account associated with your Google Cloud function. The following command request example removes the Editor role assignment from a service account identified by the ID "<123412341234-compute@developer.gserviceaccount.com>":
gcloud projects remove-iam-policy-binding cc-bigdata-project-123123 --member=serviceAccount:123412341234-compute@developer.gserviceaccount.com --role=roles/editor
02 The command output should return the updated IAM policy in YAML format:
bindings: - members: - serviceAccount:123412341234-compute@developer.gserviceaccount.com role: roles/viewer - members: - serviceAccount:service-123412341234@gcp-sa-pubsub.iam.gserviceaccount.com role: roles/pubsub.serviceAgent - members: - serviceAccount:service-123412341234@serverless-robot-prod.iam.gserviceaccount.com role: roles/run.serviceAgent - members: - serviceAccount:123412341234-compute@developer.gserviceaccount.com - user:user@domain.com role: roles/owner - members: - serviceAccount:service-123412341234@gcp-sa-vpcaccess.iam.gserviceaccount.com role: roles/vpcaccess.serviceAgent etag: ABCD1234ABCD version: 1
03 Run projects add-iam-policy-binding command (Windows/macOS/Linux) to assign a predefined or a custom role to the service account associated with your Google Cloud functions. The following command request example adds the Cloud Functions Developer (i.e. roles/cloudfunctions.developer) role to a service account identified by the ID "<123412341234-compute@developer.gserviceaccount.com>". The Cloud Functions Developer provides read and write access to all functions-related resources:
gcloud projects add-iam-policy-binding cc-bigdata-project-123123 --member=serviceAccount:123412341234-compute@developer.gserviceaccount.com --role=roles/cloudfunctions.developer
04 The command output should return the updated IAM policy:
bindings: - members: - serviceAccount:461695253704-compute@developer.gserviceaccount.com role: roles/cloudfunctions.developer - members: - serviceAccount:123412341234-compute@developer.gserviceaccount.com role: roles/viewer - members: - serviceAccount:service-123412341234@gcp-sa-pubsub.iam.gserviceaccount.com role: roles/pubsub.serviceAgent - members: - serviceAccount:service-123412341234@serverless-robot-prod.iam.gserviceaccount.com role: roles/run.serviceAgent - members: - serviceAccount:123412341234-compute@developer.gserviceaccount.com - user:user@domain.com role: roles/owner - members: - serviceAccount:service-123412341234@gcp-sa-vpcaccess.iam.gserviceaccount.com role: roles/vpcaccess.serviceAgent etag: ABCD1234ABCD version: 1
05 Repeat steps no. 1 - 4 for each project deployed within your Google Cloud account.
References
- Google Cloud Platform (GCP) Documentation
- Secure your Cloud Function
- Function Identity
- IAM basic and predefined roles reference
- Principal identifiers
- GCP Command Line Interface (CLI) Documentation
- gcloud projects list
- gcloud functions list
- gcloud functions describe
- gcloud projects get-iam-policy
- gcloud projects remove-iam-policy-binding
- gcloud projects add-iam-policy-binding
Related CloudFunction rules
- Use Labels for Resource Management (Security, reliability, performance-efficiency, cost-optimisation)
- Check for Unrestricted Outbound Network Access (Security)
- GCP Function using Default Service Account (Security, operational-excellence)
- GCP Function Runtime Version (Security, reliability, operational-excellence, cost-optimisation, sustainability)