
[BUG] : IAM user with privileged roles at project level #1174

Closed
priyanshukumar397 opened this issue Sep 15, 2024 · 3 comments
Labels
bug Something isn't working internally-reviewed The issue has been reviewed internally.

Comments

@priyanshukumar397

Component(s)

router

Component version

latest

wgc version

latest

controlplane version

latest

router version

latest

What happened?

Detailed paths

Introduced through: resource › google_project_iam_member[cosmo-service-account-permissions]


```hcl
# Project-level binding: the member is granted roles/iam.serviceAccountUser
# on every service account in var.project, not just on cosmo-sa.
resource "google_project_iam_member" "cosmo-service-account-permissions" {
  role    = "roles/iam.serviceAccountUser"
  project = var.project
  member  = "serviceAccount:${google_service_account.cosmo-sa.email}"
}
```

https://github.com/cosmo/blob/main/infrastructure/router/modules/google-cloudrun/iam.tf

This issue is...

IAM user has Service Account User or Service Account Token Creator role assigned at project level
The impact of this is...

Users can impersonate service accounts and abuse the elevated permissions
You can resolve it by...

Remove roles/iam.serviceAccountUser and roles/iam.serviceAccountTokenCreator from project level bindings

Environment information

No response

Router configuration

No response

Router execution config

No response

Log output

No response

Additional context

No response
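For comparison, the scoped form of the same grant, added here as an example and not taken from the Cosmo repository or from the thread: `roles/iam.serviceAccountUser` is bound on the one service account the Cloud Run service runs as, through `google_service_account_iam_member`, rather than on the project. The `deployer_member` variable, the `cosmo-router` account id, the region, the container image and the resource names are assumptions made for this illustration.

```hcl
# Added example, not code from the Cosmo repository. The account id,
# region, container image and var.deployer_member are assumed.

variable "project" {
  type = string
}

# Principal that runs the deployment (for example CI's service account).
# Assumed; this is the identity that needs iam.serviceAccounts.actAs.
variable "deployer_member" {
  type        = string
  description = "e.g. serviceAccount:deployer@PROJECT.iam.gserviceaccount.com"
}

# Runtime identity of the Cosmo router Cloud Run service.
resource "google_service_account" "cosmo-sa" {
  account_id   = "cosmo-router"
  display_name = "Cosmo router runtime identity"
  project      = var.project
}

# Scoped binding: actAs on this single service account only. Cloud Run
# requires this of the deployer when a user-managed identity is used.
# The project-level google_project_iam_member binding is not needed.
resource "google_service_account_iam_member" "deployer-actas-cosmo-sa" {
  service_account_id = google_service_account.cosmo-sa.name
  role               = "roles/iam.serviceAccountUser"
  member             = var.deployer_member
}

# The service runs as cosmo-sa; no project-wide actAs grant is involved.
resource "google_cloud_run_v2_service" "cosmo-router" {
  name     = "cosmo-router"
  project  = var.project
  location = "us-central1" # assumed region

  template {
    service_account = google_service_account.cosmo-sa.email
    containers {
      image = "ghcr.io/wundergraph/cosmo/router:latest" # assumed image
    }
  }

  depends_on = [google_service_account_iam_member.deployer-actas-cosmo-sa]
}
```

The difference is the scope of `iam.serviceAccounts.actAs`: the resource-level binding grants it on `cosmo-sa` only, while the project-level binding in the issue grants it on every service account in `var.project`, including any that carry broader roles. To see which principals still hold either role project-wide, an audit such as `gcloud projects get-iam-policy PROJECT_ID --flatten="bindings[].members" --format="table(bindings.role,bindings.members)" --filter="bindings.role:roles/iam.serviceAccountUser OR bindings.role:roles/iam.serviceAccountTokenCreator"` lists the bindings to review.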

@priyanshukumar397 priyanshukumar397 added the bug Something isn't working label Sep 15, 2024

WunderGraph commits fully to Open Source and we want to make sure that we can help you as fast as possible.
The roadmap is driven by our customers and we have to prioritize issues that are important to them.
You can influence the priority by becoming a customer. Please contact us here.

@AndreasZeissner (Contributor)

Hi @priyanshukumar397,

thanks for opening an issue.

This is necessary for Cloud Run to work properly in this scenario and is not a security concern.

It follows the official docs, please have a look at https://cloud.google.com/run/docs/configuring/services/service-identity

@AndreasZeissner AndreasZeissner added the internally-reviewed The issue has been reviewed internally. label Sep 16, 2024
@priyanshukumar397 (Author)

Ok thanks for pointing out :)
