Cloud Logging Permissions for Google Cloud Functions

Risk Level: High (not acceptable risk)

Rule ID: CloudFunction-011

Ensure that Cloud Logging API has sufficient permissions to write logs for your Google Cloud functions. To allow writing logs using the Cloud Logging API, the service account associated with your function must be configured with the Logs Writer role (i.e. roles/logging.logWriter).

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

Reliability

Operational
excellence

The Cloud Logging API must have adequate permissions to write logs for Google Cloud Functions because it is the essential service responsible for capturing and storing log information generated by the functions. Without these permissions, logs would not be recorded, making it impossible to monitor, debug, and analyze the behavior and performance of the functions effectively.

Audit

To determine if Cloud Logging API has sufficient permissions to write logs for your functions, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Google Cloud Functions console available at https://console.cloud.google.com/functions/.

04 Click on the name (link) of the Google Cloud function that you want to examine, listed in the Name column.

05 Select the DETAILS tab and copy the service account identifier, listed next to Service account.

06 Navigate to Identity and Access Management (IAM) console available at https://console.cloud.google.com/iam-admin/iam and choose IAM.

07 Select the PERMISSIONS tab and choose the VIEW BY ROLES tab to view all the roles attached to your IAM identities.

08 Click inside the Filter box, choose Role / Principal, paste the service account identitfier copied at step no. 5, and press Enter.

09 Check the name of each role attached to the selected service acocunt, listed in the Role / Principal column. If the Logs Writer role is not attached to the associated service account, Cloud Logging API can't write logs for the verified Google Cloud function due to insufficient permissions.

10 Repeat steps no. 4 - 9 for each Google Cloud function created for the selected GCP project.

11 Repeat steps no. 2 - 10 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list
  --format="table(projectId)"

02 The command output should return the requested GCP project ID(s):

PROJECT_ID
cc-bigdata-project-123123
cc-iot-app-project-112233

03 Run functions list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the name and the region of each Google Cloud function deployed within the selected project:

gcloud functions list
  --project cc-bigdata-project-123123
  --format="(NAME,REGION)"

04 The command output should return the requested function names and their regions:

NAME                  REGION
cc-web-app-function   us-central1
cc-stream-function    us-central1

05 Run functions describe command (Windows/macOS/Linux) using the name of the Google Cloud function that you want to examine as the identifier parameter, to describe the identifier (ID) of the service account associated with the selected function:

gcloud functions describe cc-web-app-function
  --region=us-central1
  --format="value(serviceConfig.serviceAccountEmail)"

06 The command output should return the requested service account ID:

123412341234-compute@developer.gserviceaccount.com

07 Run projects get-iam-policy command (Windows/macOS/Linux) to describe the IAM policy defined for the Google Cloud project used to managed your functions:

gcloud projects get-iam-policy cc-bigdata-project-123123

08 The command output should return the IAM policy configured for your GCP project:

bindings:
	- members:
		- serviceAccount:123412341234-compute@developer.gserviceaccount.com
		- serviceAccount:123412341234@cloudservices.gserviceaccount.com
		role: roles/editor
	- members:
		- user:email@domain.com
		role: roles/owner
	- members:
		- serviceAccount:service-123412341234@gcp-sa-pubsub.iam.gserviceaccount.com
		role: roles/pubsub.serviceAgent
	- members:
		- serviceAccount:service-123412341234@serverless-robot-prod.iam.gserviceaccount.com
		role: roles/run.serviceAgent
	- members:
		- serviceAccount:service-123412341234@gcp-sa-vpcaccess.iam.gserviceaccount.com
		role: roles/vpcaccess.serviceAgent
	etag: ABCD1234ABCD
	version: 1

Check the roles attached to the service account associated with your function, returned at step no. 6. If the roles/logging.logWriter role is not attached to the associated service account, Cloud Logging API can't write logs for the verified Google Cloud function due to insufficient permissions.

09 Repeat steps no. 5 - 8 for each Google Cloud function created for the selected GCP project.

10 Repeat steps no. 3 – 9 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To ensure Cloud Logging API has sufficient permissions to write logs for your Google Cloud functions, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Identity and Access Management (IAM) console available at https://console.cloud.google.com/iam-admin/iam and choose IAM.

04 Select the PERMISSIONS tab and choose the VIEW BY PRINCIPALS tab to access the identities defined for your project's IAM policy.

05 Click on the Edit pricipal (pencil icon) button available next to the service account associated with your function to modify the principal permission.

06 In the Assign roles section, choose + ADD ANOTHER ROLE, and select the Logs Writer role. After the Logs Writer is selected, choose SAVE to apply the permission changes.

07 Repeat steps no. 2 – 6 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects add-iam-policy-binding command (Windows/macOS/Linux) to assign the Logs Writer (i.e. roles/logging.logWriter) role to the service account associated with your Google Cloud functions, in order to give the Cloud Logging API the necessary permission to write log entries for your functions:

gcloud projects add-iam-policy-binding cc-bigdata-project-123123
  --member=serviceAccount:123412341234-compute@developer.gserviceaccount.com
  --role=roles/logging.logWriter

02 The command output should return the updated IAM policy in YAML format:

bindings:
	- members:
		- serviceAccount:123412341234-compute@developer.gserviceaccount.com
		- serviceAccount:123412341234@cloudservices.gserviceaccount.com
		role: roles/editor
	- members:
		- serviceAccount:461695253704-compute@developer.gserviceaccount.com
		role: roles/logging.logWriter
	- members:
		- user:email@domain.com
		role: roles/owner
	- members:
		- serviceAccount:service-123412341234@gcp-sa-pubsub.iam.gserviceaccount.com
		role: roles/pubsub.serviceAgent
	- members:
		- serviceAccount:service-123412341234@serverless-robot-prod.iam.gserviceaccount.com
		role: roles/run.serviceAgent
	- members:
		- serviceAccount:service-123412341234@gcp-sa-vpcaccess.iam.gserviceaccount.com
		role: roles/vpcaccess.serviceAgent
	etag: ABCD1234ABCD
	version: 1

03 Repeat steps no. 1 and 2 for each project deployed within your Google Cloud account.

References

Google Cloud Platform (GCP) Documentation
Monitor your Cloud Function
View and write Cloud Function logs
Access control with IAM
Method: entries.write

GCP Command Line Interface (CLI) Documentation
gcloud projects list
gcloud functions list
gcloud functions describe
gcloud projects get-iam-policy
gcloud projects add-iam-policy-binding

Publication date Oct 24, 2023

Audit

Using GCP Console

Using GCP CLI

Remediation / Resolution

Using GCP Console

Using GCP CLI

References

Related CloudFunction rules