Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why does enabling the Cloud Run API create so many service accounts? Why do they have so many privileges?

Tags:

google-cloud-platform

google-cloud-run

Enabling the Cloud Run API (dev console→Cloud Run→Enable) creates five service accounts. I want to understand their purpose. I need to know if it's my responsibility to configure them for least privileged access.

The Default compute service account has the Editor role. This is the Cloud Run runtime service account. Its purpose is clear, and I know it's my responsibility to configure it for least privileged access.

The App Engine default service account has the Editor role. This matches the description of the Cloud Functions runtime service account. Its purpose is unclear, given the existence of the Cloud Run runtime service account. I don't know if it's my responsibility to configure it for least privileged access.

The Google Container Registry Service Agent (Editor role) and Google Cloud Run Service Agent (Cloud Run Service Agent role) are both Google-managed service accounts "used to access the APIs of Google Cloud Platform services":

I'd like to see Google-managed service accounts configured for least privileged access. I'd also like to be able to filter the Google-managed service accounts in the IAM section of the GCP console. That said, I know I should ignore them.

The unnamed {project-number}{at}cloudbuild.gserviceaccount.com service account has the Cloud Build Service Account role. This service account "can perform builds" but does not appear in the Cloud Run Building Containers docs. It's used for Continuous Deployment—but can't do that without additional user configuration. It's not a Google-managed service account, but it does not appear in the Service Accounts section of the GCP console like the runtime service accounts. Its purpose is unclear. I don't know if it's my responsibility to configure it for least privileged access.

like image 945
Brandon Barry Avatar asked Apr 11 '19 05:04

Brandon Barry

People also ask

What service account does Cloud Run use?

By default, Cloud Run services or jobs run as the default Compute Engine service account. However, Google recommends using a user-managed service account with the most minimal set of permissions.

Why do we need service account in GCP?

A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs. Typically, service accounts are used in scenarios such as: Running workloads on virtual machines (VMs).

How many types of service accounts does GCP offer?

Compute Engine uses two types of service accounts: User-managed service accounts. Google-managed service accounts.

What is cloud run API?

Cloud Run Admin API: Deploy and manage user provided container images that scale automatically based on incoming requests. The Cloud Run Admin API v1 follows the Knative Serving API specification, while v2 is aligned with Google Cloud AIP-based API standards, as described in https://google.aip.dev/.

Why are APIs in the cloud so important for developers?

Why are APIs in the cloud so important for developers? Modern developer teams are demanding one essential process: they need to synchronize their system infrastructures with the features of different service providers in the cloud. APIs make this integration possible, where interoperability is key.

Which User-Managed Service account should I use for cloud run?

However, Google recommends using a user-managed service account with the most minimal set of permissions. Learn how to deploy Cloud Run services with user-managed service accounts in the Cloud Run service identity documentation.

How do I access the API server?

Use the Default Service Account to access the API server. When you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace.

What is the process of enabling an API?

Note: The process of enabling an API varies depending on the API. Some APIs will prompt you to accept their Terms of Service before you can enable them. Some APIs are in preview mode, meaning that they require special signup and whitelisting before you can use them.

1 Answers

Cloud Run PM:

  1. Yep, exactly right.
  2. We should probably not create this if you're only using Run (and likely not enable the App Engine APIs, which is what created this). During Alpha, this was the runtime service account, and it's likely that it wasn't cleaned up.
  3. I have a feeling it's stuck as Editor because it accesses Cloud Storage, which is oddly broken for "non Editor access" (I'm still trying to track down the exact issue, but it looks like there's a connection to the legacy Editor role that requires it).
  4. Is already "least privileged" from it's perspective, as it only has the permissions to do the things that Run needs to do in order to set up resources on your behalf.
  5. This is the runtime service account equivalent for Cloud Build, and falls into the same category as 1,2. If you need a build to deploy to Cloud Run, you have to grant this account something like Cloud Run Deployer (plus to the additional step of allowing the build service account to act as your runtime service account, to prevent [or at least acknowledge] privilege escalation).

I too want better filtering of "Google created" and "Google managed" and have been talking with the Cloud IAM team about this.

like image 107
Mike McDonald Avatar answered Nov 16 '22 23:11

Mike McDonald
Sign in to Comment

Related questions

Google cloud sql authorize all IPs
Does gsutil support creating boto files with service account info?
How to configure maintenance or site down page
Expose MongoDB on Kubernetes with StatefulSets outside cluster
apache_beam.transforms.util.Reshuffle() not available for GCP Dataflow
Environment variables in Google Cloud Build
Rolling restarts are causing are app engine app to go offline. Is there a way to change the config to prevent that from happening?
Is it possible to configure the cloud function trigger be a on a folder level for GCS bucket? [duplicate]
GCP Dataproc custom image Python environment
Google Apps Script and Cloudbuild CI Login
HttpOperator or HttpHook for HTTPS in Airflow
App Engine Java 11 could not find or load main class on live server
startup-script not as root (google cloud compute, ubuntu 14.04 VM)
Session affinity for HTTP load balancing on Google Cloud
Where to find Google cloud platform id?
Why Google Cloud Compute Engine instance gives ssh connection refused after restart?
Google cloud builder - Java version
Google Cloud Function - ImportError: cannot import name 'pubsub' from 'google.cloud' (unknown location)
How can I release static internal IP address which I reserved by mistake?
How to enable Nested Virtualization on an existing Google cloud VM instance?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!