Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Use IAM Policy Conditions

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the IAM policy associated with your Google Cloud Tasks queue uses IAM conditions to restrict access to specific operations or resources based on context (such as source IP, date, or time of day).

Reliability
Performance
efficiency

Defining IAM conditions within the IAM policies associated with your Cloud Tasks queues enhances security and compliance by enabling fine-grained access control. This restricts permissions based on attributes like time, location, IP address, or resource labels, minimizing unauthorized access and ensuring context-aware task execution.

Audit

To determine if your Cloud Tasks queue IAM policies are using IAM conditions, perform the following operations:

Getting the IAM policy for Cloud Tasks queues using Google Cloud Management Console is not currently supported.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account: 

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs: 

PROJECT_ID
cc-web-project-123123
cc-iot-project-112233

03 Run tasks queues list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the ID (i.e., fully qualified identifier) of each Cloud Tasks queue created for the selected project, in the specified region: 

gcloud tasks queues list
	--project="cc-web-project-123123"
	--location="us-central1"
	--format="default(name)"

04 The command output should return the requested queue IDs: 

---
name: projects/cc-web-project-123123/locations/us-central1/queues/cc-user-notification-queue
---
name: projects/cc-web-project-123123/locations/us-central1/queues/cc-invoice-generation-queue

05 Run tasks queues get-iam-policy command (Windows/macOS/Linux) with the ID of the Cloud Tasks queue that you want to examine as the identifier parameter, to describe the IAM policy defined for the selected queue: 

gcloud tasks queues get-iam-policy projects/cc-web-project-123123/locations/us-central1/queues/cc-user-notification-queue
	--format="json"

06 The command output should return the requested IAM policy in JSON format: 

{
	"bindings": [
		{
			"members": [
				"user:username1@domain.com"
			],
			"role": "roles/cloudtasks.enqueuer"
		},
		{
			"members": [
				"user:username2@domain.com"
			],
			"role": "roles/cloudtasks.taskRunner"
		},
		{
			"members": [
				"user:username3@domain.com"
			],
			"role": "roles/cloudtasks.viewer"
		}
	],
	"etag": "ABCD1234ABCD",
	"version": 1
}

Check the IAM policy document returned by the get-iam-policy command output for "condition" elements. A "condition" element has the following format: "condition": {"title": "TITLE", "description": "DESCRIPTION", "expression": "EXPRESSION"}. If there are no "condition" elements defined for IAM policy bindings, the policy associated with the selected Cloud Tasks queue is not using IAM conditions fine-grained access control.

07 Repeat steps no. 5 and 6 for each Cloud Tasks queue available in the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To ensure that your Google Cloud Tasks queues are protected with IAM policy conditions, perform the following operations:

Updating the IAM policy for Cloud Tasks queues using Google Cloud Management Console is not currently supported.

Using GCP CLI

01 To add an IAM condition to a role binding, you must define the "condition" element, as shown in the policy example below. A "condition" element has the following format: "condition": {"title": "TITLE", "description": "DESCRIPTION", "expression": "EXPRESSION"}. For more details about the "condition" element structure, see the official documentation. Save the modified policy document to a JSON file named cc-iam-policy.json: 

{
	"bindings": [
		{
			"members": [
				"user:username1@domain.com"
			],
			"role": "roles/cloudtasks.enqueuer",
			"condition": {
				"title": "time-based-access-control",
				"description": "Allow access to create tasks only until June 1, 2025",
				"expression": "request.time < timestamp('2025-06-01T00:00:00.000Z')"
			}
		},
		{
			"members": [
				"user:username2@domain.com"
			],
			"role": "roles/cloudtasks.taskRunner"
		},
		{
			"members": [
				"user:username3@domain.com"
			],
			"role": "roles/cloudtasks.viewer"
		}
	],
	"etag": "ABCD1234ABCD",
	"version": 1
}

02 Run tasks queues set-iam-policy command (Windows/macOS/Linux) with the ID of the Cloud Tasks queue that you want to configure as the identifier parameter, to set the IAM policy modified at the previous step (i.e., cc-iam-policy.json) to the selected queue: 

gcloud tasks queues set-iam-policy projects/cc-web-project-123123/locations/us-central1/queues/cc-user-notification-queue cc-iam-policy.json

03 The command output should return the modified IAM policy: 

bindings:
	- members:
		- user:username1@domain.com
	role: roles/cloudtasks.enqueuer
	condition:
		title: time-based-access-control
		description: Allow access to create tasks only until June 1, 2025
		expression: request.time < timestamp('2025-06-01T00:00:00.000Z')
	- members:
		- user:username2@domain.com
	role: roles/cloudtasks.taskRunner
	- members:
		- user:username3@domain.com
	role: roles/cloudtasks.viewer
etag: ABCD1234ABCD
version: 1

04 Repeat steps no. 1 - 3 for each Cloud Tasks queue that you want to configure, available in the selected GCP project.

05 Repeat steps no. 1 – 4 for each GCP project deployed in your Google Cloud account.

References

Publication date Mar 27, 2025

Related CloudTasks rules