- Implement Least Privilege for Cloud Tasks Queue Service Accounts
Ensure that the IAM service accounts associated with your Cloud Tasks queues are configured with least privilege access in order to minimize the potential impact of security breaches or misconfigurations by limiting the scope of unauthorized actions.
Using IAM service accounts with least privilege access ensures that Cloud Tasks queues only have the permissions necessary to perform their functions (i.e., adheres to the Principle of Least Privilege), reducing the risk of accidental or malicious actions and enhancing the overall security of your Google Cloud environment.
Audit
To determine if the associated IAM service accounts are configured with least privilege access, perform the following operations:
Using GCP Console
01 Sign in to the Google Cloud Management Console.
02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.
03 Navigate to Cloud Tasks Queues console available at https://console.cloud.google.com/cloudtasks to access the list of Cloud Tasks queues available for the selected GCP project.
04 Select the queue that you want to examine and choose SHOW INFO PANEL from the top-right menu to access the permissions defined for the selected resource. The panel with the queue permissions opens.
05 Click inside the Filter box and perform the following actions:
- Select Role / Principal, type Owner, and press Enter to return the principals with the Owner role.
- Select OR, choose Role / Principal, type Editor, and press Enter to return the members with the Editor role.
- Select OR, choose Role / Principal, type Admin or admin, and press Enter to return the principals with administrator-based roles (i.e., roles containing Admin or admin in their name).
- Choose Show inherited roles in table to switch off the feature and return the principals that have non-inherited roles.
06 If the filtering process performed at the previous step returns one or more principals, click on the name of the IAM role that you want to examine to identify the principal type. If the verified principal is an IAM service account, e.g., service-<project-number>@gcp-sa-cloudtasks.iam.gserviceaccount.com, the service account associated with your Cloud Tasks queue is not configured with least privilege access.
07 Repeat steps no. 4 - 6 for each Cloud Tasks queue available within the selected GCP project.
08 Repeat steps no. 2 - 7 for each project deployed within your Google Cloud account.
Using GCP CLI
01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:
gcloud projects list --format="table(projectId)"
02 The command output should return the requested GCP project IDs:
PROJECT_ID
cc-web-project-123123
cc-iot-project-112233
03 Run tasks queues list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the ID (i.e., fully qualified identifier) of each Cloud Tasks queue created for the selected project, in the specified region:
gcloud tasks queues list --project="cc-web-project-123123" --location="us-central1" --format="default(name)"
04 The command output should return the requested queue IDs:
---
name: projects/cc-web-project-123123/locations/us-central1/queues/cc-invoice-release-queue
---
name: projects/cc-web-project-123123/locations/us-central1/queues/cc-app-notification-queue
05 Run tasks queues get-iam-policy command (Windows/macOS/Linux) with the ID of the Cloud Tasks queue that you want to examine as the identifier parameter, to describe the IAM policy bindings available for the selected queue:
gcloud tasks queues get-iam-policy projects/cc-web-project-123123/locations/us-central1/queues/cc-invoice-release-queue --format="default(bindings)"
06 The command output should return the requested IAM policy bindings:
bindings:
- members:
  - serviceAccount:service-123456789012@gcp-sa-cloudtasks.iam.gserviceaccount.com
  role: roles/cloudtasks.queueAdmin
- members:
  - user:username1@domain.com
  role: roles/cloudtasks.taskRunner
- members:
  - user:username2@domain.com
  role: roles/cloudtasks.serviceAgent
Check the name of each IAM role (i.e., role property value) returned by the get-iam-policy command output to determine the permissions granted to the principals (members) defined within the IAM policy. If one or more principals have the role property set to roles/owner, roles/editor, and/or roles/*admin (i.e., roles containing Admin or admin in their name), check the associated members property to identify the principal type. If the verified principal is an IAM service account, as shown in the example above (e.g., service-123456789012@gcp-sa-cloudtasks.iam.gserviceaccount.com), the service account associated with your Cloud Tasks queue is not configured with least privilege access.
07 Repeat steps no. 5 and 6 for each Cloud Tasks queue available in the selected GCP project.
08 Repeat steps no. 3 - 7 for each GCP project deployed in your Google Cloud account.
Remediation / Resolution
To ensure that Cloud Tasks queue service accounts are granted least privilege access, perform the following operations:
Using GCP Console
01 Sign in to the Google Cloud Management Console.
02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.
03 Navigate to Cloud Tasks Queues console available at https://console.cloud.google.com/cloudtasks to access the list of Cloud Tasks queues available for the selected GCP project.
04 Select the queue that you want to configure and choose SHOW INFO PANEL from the top-right menu to access the permissions defined for the selected resource. The panel with the queue permissions opens.
05 Choose the principal (service account) with excessive privileges that you want to configure and click on the Edit principal button (i.e., pencil icon) to modify the member permissions. The panel with the principal permissions opens.
06 In the Assign roles section, perform the following actions:
- Identify the overly permissive access roles (i.e., *Admin, *admin, Editor, and Owner) assigned to the selected principal and click on the Delete role button (i.e., bin icon) next to each such role to remove the role bindings.
- Choose ADD ANOTHER ROLE and select an IAM role that follows the Principle of Least Privilege (POLP) from the Select a role dropdown list to attach the appropriate role to the selected principal. Use ADD ANOTHER ROLE button to add as many roles as needed, according to the selected service account access requirements.
07 Choose SAVE to apply the permission changes.
08 Repeat steps no. 4 - 7 for each Cloud Tasks queue that you want to configure, available within the selected GCP project.
09 Repeat steps no. 2 - 8 for each GCP project deployed in your Google Cloud account.
Using GCP CLI
01 Run tasks queues remove-iam-policy-binding command (Windows/macOS/Linux) with the ID of the Cloud Tasks queue that you want to configure as the identifier parameter, to remove the overly permissive access role bindings from the IAM service account associated with the selected queue:
gcloud tasks queues remove-iam-policy-binding projects/cc-web-project-123123/locations/us-central1/queues/cc-invoice-release-queue --location="us-central1" --member="serviceAccount:service-123456789012@gcp-sa-cloudtasks.iam.gserviceaccount.com" --role="roles/cloudtasks.queueAdmin"
02 The command output should return the modified IAM policy:
Updated IAM policy for queue [cc-invoice-release-queue].
bindings:
- members:
  - user:username1@domain.com
  role: roles/cloudtasks.taskRunner
- members:
  - user:username2@domain.com
  role: roles/cloudtasks.serviceAgent
etag: ABCD1234ABCD
version: 1
03 Run tasks queues add-iam-policy-binding command (Windows/macOS/Linux) with the ID of the Cloud Tasks queue that you want to configure as the identifier parameter, to add a new role binding for the IAM service account associated with the selected queue. Use the --role parameter to specify the IAM role required by the selected service account, one that follows the Principle of Least Privilege (POLP). As an example, the following command assigns the Cloud Tasks Viewer role, i.e., roles/cloudtasks.viewer, to the specified principal:
gcloud tasks queues add-iam-policy-binding projects/cc-web-project-123123/locations/us-central1/queues/cc-invoice-release-queue --location="us-central1" --member="serviceAccount:service-123456789012@gcp-sa-cloudtasks.iam.gserviceaccount.com" --role="roles/cloudtasks.viewer"
04 The command output should return the modified IAM policy:
bindings:
- members:
  - serviceAccount:service-123456789012@gcp-sa-cloudtasks.iam.gserviceaccount.com
  role: roles/cloudtasks.viewer
- members:
  - user:username1@domain.com
  role: roles/cloudtasks.taskRunner
- members:
  - user:username2@domain.com
  role: roles/cloudtasks.serviceAgent
etag: 1234ABCD1234
version: 1
05 Repeat steps no. 1 - 4 for each Cloud Tasks queue that you want to configure, available in the selected GCP project.
06 Repeat steps no. 1 - 5 for each GCP project deployed in your Google Cloud account.
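The audit check in step 6 of the CLI audit procedure and the remove/add binding commands of the CLI remediation procedure above can be scripted so that every queue in a project is evaluated with the same rule. The following Python script is an added example and is not part of the original knowledge base page or of any Google tool. It assumes the policy is fetched with gcloud tasks queues get-iam-policy QUEUE --format=json (the page uses this command with a YAML-style format; json is a standard gcloud output format with the same bindings/etag/version fields), and it applies the page's own rule: a binding is overly permissive when its role is roles/owner, roles/editor, or any role whose name contains Admin or admin. The embedded SAMPLE_POLICY is constructed to mirror the page's example output, and the function, file and variable names are the example's own.

```python
"""Audit a Cloud Tasks queue IAM policy for over-privileged service accounts
and emit the gcloud commands that would remediate each finding.

Added example (not code from the original page). Assumes the JSON shape of
`gcloud tasks queues get-iam-policy QUEUE --format=json`.
"""
import json
import re
import subprocess
from typing import Dict, List, Tuple

# The page's rule: roles/owner, roles/editor, or any role containing "Admin"/"admin".
EXCESSIVE_ROLE = re.compile(r"^roles/(owner|editor)$|admin", re.IGNORECASE)

# Constructed sample policy mirroring the page's example output (not real data).
SAMPLE_POLICY: Dict = {
    "bindings": [
        {
            "members": ["serviceAccount:service-123456789012@gcp-sa-cloudtasks.iam.gserviceaccount.com"],
            "role": "roles/cloudtasks.queueAdmin",
        },
        {"members": ["user:username1@domain.com"], "role": "roles/cloudtasks.taskRunner"},
        {"members": ["user:username2@domain.com"], "role": "roles/cloudtasks.serviceAgent"},
    ],
    "etag": "ABCD1234ABCD",
    "version": 1,
}

Finding = Tuple[str, str]  # (member, role)


def is_excessive_role(role: str) -> bool:
    """True for roles/owner, roles/editor and any role name containing 'admin'."""
    return EXCESSIVE_ROLE.search(role) is not None


def find_excessive_service_accounts(policy: Dict) -> List[Finding]:
    """Return (member, role) pairs where a serviceAccount holds an excessive role."""
    findings: List[Finding] = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if not is_excessive_role(role):
            continue
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                findings.append((member, role))
    return findings


def remediation_commands(queue: str, findings: List[Finding],
                         replacement_role: str = "roles/cloudtasks.viewer") -> List[str]:
    """Build the remove/add binding commands shown on the page for each finding.

    `queue` is the fully qualified name projects/P/locations/L/queues/Q; the
    location is taken from it so the --location flag matches the page's usage.
    """
    match = re.search(r"/locations/([^/]+)/", queue)
    location = match.group(1) if match else ""
    cmds: List[str] = []
    for member, role in findings:
        cmds.append(
            f'gcloud tasks queues remove-iam-policy-binding {queue} --location="{location}" '
            f'--member="{member}" --role="{role}"'
        )
        cmds.append(
            f'gcloud tasks queues add-iam-policy-binding {queue} --location="{location}" '
            f'--member="{member}" --role="{replacement_role}"'
        )
    return cmds


def simulate_remediation(policy: Dict, findings: List[Finding],
                         replacement_role: str = "roles/cloudtasks.viewer") -> Dict:
    """Return a copy of the policy as it should look once the commands have run."""
    flagged = set(findings)
    new_bindings: List[Dict] = []
    for binding in policy.get("bindings", []):
        kept = [m for m in binding.get("members", []) if (m, binding["role"]) not in flagged]
        if kept:
            new_bindings.append({"members": kept, "role": binding["role"]})
    for member, _ in findings:
        target = next((b for b in new_bindings if b["role"] == replacement_role), None)
        if target is None:
            new_bindings.append({"members": [member], "role": replacement_role})
        elif member not in target["members"]:
            target["members"].append(member)
    return {**policy, "bindings": new_bindings}


def get_queue_policy(queue: str) -> Dict:
    """Live fetch via gcloud (requires an authenticated gcloud on PATH)."""
    out = subprocess.run(
        ["gcloud", "tasks", "queues", "get-iam-policy", queue, "--format=json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


if __name__ == "__main__":
    queue_name = "projects/cc-web-project-123123/locations/us-central1/queues/cc-invoice-release-queue"
    found = find_excessive_service_accounts(SAMPLE_POLICY)
    for member, role in found:
        print(f"NON-COMPLIANT: {member} holds {role} on {queue_name}")
    for cmd in remediation_commands(queue_name, found):
        print(cmd)
    assert not find_excessive_service_accounts(simulate_remediation(SAMPLE_POLICY, found))
```

To audit a real project, replace SAMPLE_POLICY with get_queue_policy(name) for each name returned by gcloud tasks queues list, and review the generated commands before running them: the replacement role is a default that must match what the service account actually needs, and a binding that only appears because the role was inherited from the project will not be present in the queue-level policy at all.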
References
- Google Cloud Platform (GCP) Documentation
- Understand Cloud Tasks
- Control access using IAM
- GCP Command Line Interface (CLI) Documentation
- gcloud projects list
- gcloud tasks queues list
- gcloud tasks queues get-iam-policy
- gcloud tasks queues remove-iam-policy-binding
- gcloud tasks queues add-iam-policy-binding
Related CloudTasks rules
- Use Cloud Logging for Cloud Tasks Queues (Security, reliability, cost-optimisation, performance-efficiency, operational-excellence)
- Use VPC Service Controls for Cloud Tasks (Security)
- Enable Data Access Audit Logs for Cloud Tasks Resources (Security, reliability, cost-optimisation, performance-efficiency, operational-excellence)
- Implement Least Privilege for Cloud Tasks Queue Service Accounts (Security)