Granting highly privileged roles on a resource to users or groups weakens an organization's ability to contain account or service compromise. It undermines segregation of duties and creates potentially critical attack paths on the affected resources.

If elevated access rights are abused or compromised, both the data the affected resources handle and the audit trail of who accessed them are at risk.

Ask Yourself Whether

There is a risk if you answered yes to any of these questions.

Recommended Secure Coding Practices

Grant IAM policy bindings and members a less permissive role: in most cases read-only privileges are sufficient (for Cloud Run, roles/run.viewer is the service-specific read-only role).

Separate duties: bind each task to its own narrowly scoped role instead of relying on a full-access role for day-to-day work.

If the predefined GCP roles do not include the specific permissions you need, create custom IAM roles.
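The three practices above, worked through as one Terraform configuration. This is an added example, not code from the rule text: the service name `default`, the variable `project_id`, the member identities and the custom role id `runServiceReader` are assumptions.

```hcl
# Added example (not part of the rule): least-privilege IAM bindings for a
# Cloud Run service. Assumed: a google_cloud_run_service named "default",
# a "project_id" variable, the member identities below and the custom
# role id "runServiceReader".

variable "project_id" {
  type = string
}

# Day-to-day read access: the Cloud Run-specific viewer role instead of
# roles/run.admin. The member can inspect the service but cannot deploy,
# delete it or change its IAM policy.
resource "google_cloud_run_service_iam_member" "reader" {
  location = google_cloud_run_service.default.location
  project  = google_cloud_run_service.default.project
  service  = google_cloud_run_service.default.name
  role     = "roles/run.viewer"
  member   = "user:reader@example.com"
}

# Separate duties, separate role: a workload that only needs to call the
# service gets roles/run.invoker on that one service and nothing else.
resource "google_cloud_run_service_iam_member" "invoker" {
  location = google_cloud_run_service.default.location
  project  = google_cloud_run_service.default.project
  service  = google_cloud_run_service.default.name
  role     = "roles/run.invoker"
  member   = "serviceAccount:frontend@${var.project_id}.iam.gserviceaccount.com"
}

# When no predefined role fits, a custom role carries only the permissions
# actually required (here: reading service and revision metadata).
resource "google_project_iam_custom_role" "run_service_reader" {
  role_id     = "runServiceReader"
  title       = "Cloud Run service reader"
  description = "Read-only view of Cloud Run services and revisions"
  permissions = [
    "run.services.get",
    "run.services.list",
    "run.revisions.get",
    "run.revisions.list",
  ]
}

# Custom project roles are referenced as projects/<project>/roles/<role_id>.
resource "google_cloud_run_service_iam_member" "custom_reader" {
  location = google_cloud_run_service.default.location
  project  = google_cloud_run_service.default.project
  service  = google_cloud_run_service.default.name
  role     = "projects/${var.project_id}/roles/${google_project_iam_custom_role.run_service_reader.role_id}"
  member   = "group:sre-oncall@example.com"
}
```

The `_iam_member` resources are additive, so each binding can be reviewed and removed on its own. By contrast, `google_cloud_run_service_iam_policy` is authoritative: it replaces the service's whole policy, so an admin binding placed there also silently drops every binding not listed in the policy data.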

Sensitive Code Example

For an IAM policy setup:

data "google_iam_policy" "admin" {
  binding {
    role = "roles/run.admin" # Sensitive
    members = [
      "user:name@example.com",
    ]
  }
}

resource "google_cloud_run_service_iam_policy" "policy" {
  location = google_cloud_run_service.default.location
  project = google_cloud_run_service.default.project
  service = google_cloud_run_service.default.name
  policy_data = data.google_iam_policy.admin.policy_data
}

For an IAM policy binding:

resource "google_cloud_run_service_iam_binding" "example" {
  location = google_cloud_run_service.default.location
  project = google_cloud_run_service.default.project
  service = google_cloud_run_service.default.name
  role = "roles/run.admin" # Sensitive
  members = [
    "user:name@example.com",
  ]
}

For adding a member to a policy:

resource "google_cloud_run_service_iam_member" "example" {
  location = google_cloud_run_service.default.location
  project = google_cloud_run_service.default.project
  service = google_cloud_run_service.default.name
  role = "roles/run.admin" # Sensitive
  member = "user:name@example.com"
}

Compliant Solution

For an IAM policy setup:

data "google_iam_policy" "admin" {
  binding {
    role = "roles/viewer"
    members = [
      "user:name@example.com",
    ]
  }
}

resource "google_cloud_run_service_iam_policy" "example" {
  location = google_cloud_run_service.default.location
  project = google_cloud_run_service.default.project
  service = google_cloud_run_service.default.name
  policy_data = data.google_iam_policy.admin.policy_data
}

For an IAM policy binding:

resource "google_cloud_run_service_iam_binding" "example" {
  location = google_cloud_run_service.default.location
  project = google_cloud_run_service.default.project
  service = google_cloud_run_service.default.name
  role = "roles/viewer"
  members = [
    "user:name@example.com",
  ]
}

For adding a member to a policy:

resource "google_cloud_run_service_iam_member" "example" {
  location = google_cloud_run_service.default.location
  project = google_cloud_run_service.default.project
  service = google_cloud_run_service.default.name
  role = "roles/viewer"
  member = "user:name@example.com"
}

See