I am paranoid about security and this makes no sense to me. I must be missing something here. I can get it working no problems. But I want to know why? What is the philosophy behind it? and how am I protected?
I wrote a google cloud function that receives a post request and publishes an event to a google pubsub topic. I've set up my topic pubsub resource and set up an iam binding so that only my functions service account can publish to that channel - that is all good.
However, it does not let me deploy (using gcloud functions deploy --service-account=...) my function with that service account. Says it does not have secretAccessor and and deploymentManager.editor and cloudfunctions.developer etc
My confusion is...why should it need development/deployment related permissions? I am deploying the function and I have those permissions. So it should use my permissions to deploy. But when the function is actually running, I dont want it to have those development/deployment management permissions in case there is some vulnerability that can be exploited. I want it to run as the service account I specify. It needs to be restricted to only the permissions related to receiving request and publishing to my topic. Otherwise it would break the principle of having least privileges.
When you create a service such as Functions, Run, or Compute Engine, you, as the deployer, need two types of permissions:
Permission to create the service
Permission to assign an existing identity (aka service account) to the service.
The service typically needs an identity (service account) with appropriate permissions. The permissions are the ones required for the service to access other services and resources. This service runs independently of the identity that created the service.
Two identities and two sets of permissions to manage. That means your goal of least privilege can be achieved.
My confusion is...why should it need development/deployment related
permissions?
I do not know because your question does not have the details required to answer. The error you posted does not make sense in the context described. I am not aware of any instance where, for example, deploying a Function requires Deployment Manager Editor for the Function's identity. The function itself might need that IAM role, but the deployment command does not nor does the deployment command even know which permissions the function requires except for those derived by the command line flags.
If you need more help on this, edit your question to clearly describe both identities and IAM roles, the deployment, which resources are accessed, and how you are deploying. Include the actual commands and error messages.
Related
I am trying to add a service account to my cloud run service. However, there is a message that "No service account with required permissions available."
I'm not sure if this is related to my user's credentials, or something else. This project has the default compute service account, as well as additional service accounts.
I can't find anything related in the documentation regarding this.
Would appreciate any insight you have on this issue!
Yes, I think that's probably (!?) what's occurring.
I assume that you're using Cloud Console and trying to Create a Cloud Run service.
I was able to add a minimally-roled user to an existing project and, when trying to create a Cloud Run service, I observe the same behavior that you're seeing.
How do you know that the project contains Service Accounts? I assume that your permissions are similarly restricted in eumerating these.
The permissions required to set a service account are described here. You need service account user permissions on the project or specific service account in order to set it on a deploy.
I deployed a kotlin backend application that is utilizing google cloud pub/sub. I recently deployed that application with Cloud Run and it ran fine having full access to Pub/Sub.
Now because of reasons I have to deploy the application with GKE. However now the access to Pub/Sub seems not to work anymore.
I checked what service account my GKE Cluster is using and figured out it was the default one. Therefore I granted Permissions as Pub/Sub Editor to that service account.
I thought with this everything should work.
But still I see this error message in my logs:
com.google.api.gax.rpc.PermissionDeniedException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: User not authorized to perform this action.
Any ideas what I have missed out?
That could be 2 things:
Either your pod use Workload Identity and doesn't use the default service account (with the editor role, thing to avoid by the way...). And so, the service account that you use hasn't the PubSub permissions
Or, because you use the default compute engine service account (with the editor role, thing to avoid by the way... I repeat myself, but it's really bad!), the Node pool scope are set by default (if you haven't override that parameters) and you can't access to the PubSub API because of credential scopes.
The best solution is to recreate your node pool, with a custom service account. Like that you can enforce the least privilege at node pool level, and you avoid the legacy compute engine scope definitions and limitations. If you use workload identity, you can go a level beyond in term of security and enforcing the least privilege at the pod level.
We have two projects in our GCP account; one for our Dev environment and one for our Test environment at the moment. Terraform manages most of our infrastructure, so we have minimal clicking around the GUI, or CLI commands.
I have assumed we enabled the Pub/Sub API by deploying to it with Terraform in both of our environments, although we may have needed to do this manually. We noticed that Google created a default Pub/Sub service account for us in our Dev environment, but not in our Test environment. This docs page suggests it should make this service account.
Additionally, we have noticed multiple Pub/Sub subscriptions working, apparently without any service account. We believe that the service account is only needed for this particular Subscription because it is a push to an e-mail server. Therefore, it needs a service account with the 'Service Account Token Creator' role.
We've attempted to redeploy the whole infrastructure and disable/re-enable the Pub/Sub API. Neither seemed to kick GCP into creating the Service Account. Further to this, we attempted to make the default service account manually. Still, GCP constrains the name a user can give a service account themselves, so we're unable to create a service account with the name that the Pub/Sub service would expect.
We wonder if there is some configuration of the project we may have missed or if anyone has seen this previously?
Does it not exist or does you not see it?
I'm pretty sure that it exists but without any role granted on it and you don't see it in the UI. Try to grant a role on this default service account, and it will appear in the IAM page!
When I try to create a job in the GCP Cloud Scheduler I get this error:
{"error":{"code":7,"message":"The principal (user or service account) lacks IAM permission \"iam.serviceAccounts.actAs\" for the resource \"[my service account]\" (or the resource may not exist)."}}
When I enabled the GCP Cloud Scheduler the service account was created (and I can see it in my accounts list). I have verified that it has the "Cloud Scheduler Service Agent" role.
I am logged in as an Owner of our project. It is when I try to create the job that I get this error. I tried to add the "Service Account User" to my principal account, but to no avail.
Does anyone know if I have to add any additional permissions? Or if I have to allow my principal to act (impersonate?) this service account in some way?
Many thanks.
Ben
Ok I figured this out. The documentation is (sort of, in my view) clear if you read it in a certain way / know how GCP IAM works.
You actually need two service accounts. You need one that you set up yourself (can be whatever name you like and doesn't require any special permissions) and you also need the one for Cloud Scheduler itself.
Don't confuse the two. And use the one that you created when specifying the service account to generate the OAuth / OICD tokens.
Some of my service accounts are getting 403 (user not authorized) errors trying to publish/subscribe to PubSub. It appears it's not honoring "Inherited" permissions from Project level IAM.
I have verified the service accounts have IAM permissions to PubSub Subscriber & Viewer; and when I check the topic and subscriptions, they list the service accounts as type "Inherited". If I manually add the service account to the same permission from PubSub Console the UI lists it as "Mixed" and then it works.
Background - It was working before!
What's strange is this was working fine before. I accidentally deleted these same service accounts yesterday. I recreated them the same way, setup permissions the same way and it won't work. Also, the accounts that weren't deleted still work using "Inherited" permissions.
Some other things I've tried:
Created service account with different name from what was deleted - didn't work
Re-created topics/subs after creating service accounts and giving them project-wide permissions- didn't work
Long term I guess I'd prefer to control permissions per Topic/Sub; but I'm still baffled why this isn't working or what I've done wrong.
There currently seems to be a limitation with project-level permissions when a service account is deleted and recreated. The permissions for the newly created service account will not be propagated as expected.
If the service account is created with a different name, inherited permissions should work correctly. Note that permission propagation is not immediate and can have a delay. You may have to wait a few minutes to see the changes reflected.
For further assistance, you may need to contact Cloud Support so they can look into the specifics of your situation.