From 685db8b2295bce88ccdf725db93e22e85333c5d3 Mon Sep 17 00:00:00 2001
From: Taylor <28880387+tsmithv11@users.noreply.github.com>
Date: Wed, 18 Sep 2024 14:28:32 -0700
Subject: [PATCH 1/2] Update service account roles

---
 .../bc-gcp-iam-5.adoc | 91 +++++++++++++++----
 1 file changed, 72 insertions(+), 19 deletions(-)

diff --git a/docs/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-5.adoc b/docs/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-5.adoc
index c209621d66..f3bc63d845 100644
--- a/docs/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-5.adoc
+++ b/docs/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-5.adoc
@@ -39,33 +39,86 @@ The following roles enable identities to impersonate all service account identit
 The following list includes our *current* recommendations for dangerous roles, however, it is not exhaustive as permissions and roles change frequently.
 *Primitive Roles*:
+
 * roles/owner
 * roles/editor
-*Predefined Roles*:
+*Predefined Roles and Service Agent Roles*:
+
+Service agent roles should not be used for any identities other than the Google managed service account they are associated with.
-* roles/iam.securityAdmin
-* roles/iam.serviceAccountAdmin
-* roles/iam.serviceAccountKeyAdmin
 * roles/iam.serviceAccountUser
 * roles/iam.serviceAccountTokenCreator
+* roles/iam.serviceAccountKeyAdmin
+* roles/iam.serviceAccountAdmin
 * roles/iam.workloadIdentityUser
-* roles/dataproc.editor
-* roles/dataproc.admin
+* roles/deploymentmanager.editor
+* roles/cloudbuild.builds.editor
+* roles/aiplatform.customCodeServiceAgent
+* roles/aiplatform.extensionServiceAgent
+* roles/aiplatform.serviceAgent
+* roles/apigateway.serviceAgent
+* roles/apigee.serviceAgent
+* roles/appengine.serviceAgent
+* roles/appengineflex.serviceAgent
+* roles/bigquerycontinuousquery.serviceAgent
+* roles/bigquerydatatransfer.serviceAgent
+* roles/bigqueryspark.serviceAgent
+* roles/cloudbuild.serviceAgent
+* roles/cloudconfig.serviceAgent
+* roles/clouddeploy.serviceAgent
+* roles/cloudfunctions.serviceAgent
+* roles/cloudscheduler.serviceAgent
+* roles/cloudtasks.serviceAgent
+* roles/composer.serviceAgent
+* roles/compute.serviceAgent
+* roles/connectors.serviceAgent
+* roles/dataflow.serviceAgent
+* roles/dataproc.serviceAgent
+* roles/eventarc.serviceAgent
+* roles/integrations.serviceAgent
+* roles/ml.serviceAgent
+* roles/notebooks.serviceAgent
+* roles/pubsub.serviceAgent
+* roles/run.serviceAgent
+* roles/serverless.serviceAgent
+* roles/sourcerepo.serviceAgent
+* roles/workflows.serviceAgent
+* roles/iam.serviceAccountOpenIdTokenCreator
+* roles/aiplatform.colabServiceAgent
+* roles/backupdr.computeEngineOperator
+* roles/backupdr.serviceAgent
+* roles/batch.serviceAgent
+* roles/clouddeploymentmanager.serviceAgent
+* roles/cloudtpu.serviceAgent
+* roles/compute.instanceGroupManagerServiceAgent
+* roles/configdelivery.serviceAgent
+* roles/container.serviceAgent
+* roles/datapipelines.serviceAgent
+* roles/dataplex.serviceAgent
+* roles/dataprep.serviceAgent
+* roles/dataproc.hubAgent
+* roles/firebaseapphosting.serviceAgent
+* roles/firebasemods.serviceAgent
+* roles/gameservices.serviceAgent
+* roles/genomics.serviceAgent
+* roles/krmapihosting.anthosApiEndpointServiceAgent
+* roles/krmapihosting.serviceAgent
+* roles/lifesciences.serviceAgent
+* roles/osconfig.serviceAgent
+* roles/runapps.serviceAgent
+* roles/securitycenter.securityResponseServiceAgent
+* roles/workstations.serviceAgent
+* roles/securesourcemanager.serviceAgent
+* roles/assuredoss.admin
+* roles/securitycenter.admin
+* roles/vpcaccess.serviceAgent
+* roles/cloudbuild.builds.builder
+* roles/composer.worker
+* roles/dataflow.admin
 * roles/dataflow.developer
-* roles/resourcemanager.folderAdmin
-* roles/resourcemanager.folderIamAdmin
-* roles/resourcemanager.projectIamAdmin
-* roles/resourcemanager.organizationAdmin
-* roles/cloudasset.viewer
-* roles/cloudasset.owner
-
-*Service Agent Roles*:
+* roles/run.sourceDeveloper
-Service agent roles should not be used for any identities other than the Google managed service account they are associated with.
-
-* roles/serverless.serviceAgent
-* roles/dataproc.serviceAgent
 === Fix - Buildtime
@@ -95,4 +148,4 @@ resource "google_folder_iam_binding" "example" {
 "user:test@example-project.iam.gserviceaccount.com",
 ]
 }
-----
\ No newline at end of file
+----

From 51403deb3f32664e2900ed9ed6936ea793e9ab36 Mon Sep 17 00:00:00 2001
From: Taylor <28880387+tsmithv11@users.noreply.github.com>
Date: Wed, 18 Sep 2024 14:31:45 -0700
Subject: [PATCH 2/2] Update bc-gcp-iam-6.adoc

---
 .../bc-gcp-iam-6.adoc | 88 +++++++++++++++----
 1 file changed, 70 insertions(+), 18 deletions(-)

diff --git a/docs/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-6.adoc b/docs/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-6.adoc
index 62b5b7cb6e..b1ee0918cc 100644
--- a/docs/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-6.adoc
+++ b/docs/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-6.adoc
@@ -42,30 +42,82 @@ The following list includes our *current* recommendations for dangerous roles, h
 * roles/owner
 * roles/editor
-*Predefined Roles*:
+*Predefined Roles and Service Agent Roles*:
+
+Service agent roles should not be used for any identities other than the Google managed service account they are associated with.
-* roles/iam.securityAdmin
-* roles/iam.serviceAccountAdmin
-* roles/iam.serviceAccountKeyAdmin
 * roles/iam.serviceAccountUser
 * roles/iam.serviceAccountTokenCreator
+* roles/iam.serviceAccountKeyAdmin
+* roles/iam.serviceAccountAdmin
 * roles/iam.workloadIdentityUser
-* roles/dataproc.editor
-* roles/dataproc.admin
+* roles/deploymentmanager.editor
+* roles/cloudbuild.builds.editor
+* roles/aiplatform.customCodeServiceAgent
+* roles/aiplatform.extensionServiceAgent
+* roles/aiplatform.serviceAgent
+* roles/apigateway.serviceAgent
+* roles/apigee.serviceAgent
+* roles/appengine.serviceAgent
+* roles/appengineflex.serviceAgent
+* roles/bigquerycontinuousquery.serviceAgent
+* roles/bigquerydatatransfer.serviceAgent
+* roles/bigqueryspark.serviceAgent
+* roles/cloudbuild.serviceAgent
+* roles/cloudconfig.serviceAgent
+* roles/clouddeploy.serviceAgent
+* roles/cloudfunctions.serviceAgent
+* roles/cloudscheduler.serviceAgent
+* roles/cloudtasks.serviceAgent
+* roles/composer.serviceAgent
+* roles/compute.serviceAgent
+* roles/connectors.serviceAgent
+* roles/dataflow.serviceAgent
+* roles/dataproc.serviceAgent
+* roles/eventarc.serviceAgent
+* roles/integrations.serviceAgent
+* roles/ml.serviceAgent
+* roles/notebooks.serviceAgent
+* roles/pubsub.serviceAgent
+* roles/run.serviceAgent
+* roles/serverless.serviceAgent
+* roles/sourcerepo.serviceAgent
+* roles/workflows.serviceAgent
+* roles/iam.serviceAccountOpenIdTokenCreator
+* roles/aiplatform.colabServiceAgent
+* roles/backupdr.computeEngineOperator
+* roles/backupdr.serviceAgent
+* roles/batch.serviceAgent
+* roles/clouddeploymentmanager.serviceAgent
+* roles/cloudtpu.serviceAgent
+* roles/compute.instanceGroupManagerServiceAgent
+* roles/configdelivery.serviceAgent
+* roles/container.serviceAgent
+* roles/datapipelines.serviceAgent
+* roles/dataplex.serviceAgent
+* roles/dataprep.serviceAgent
+* roles/dataproc.hubAgent
+* roles/firebaseapphosting.serviceAgent
+* roles/firebasemods.serviceAgent
+* roles/gameservices.serviceAgent
+* roles/genomics.serviceAgent
+* roles/krmapihosting.anthosApiEndpointServiceAgent
+* roles/krmapihosting.serviceAgent
+* roles/lifesciences.serviceAgent
+* roles/osconfig.serviceAgent
+* roles/runapps.serviceAgent
+* roles/securitycenter.securityResponseServiceAgent
+* roles/workstations.serviceAgent
+* roles/securesourcemanager.serviceAgent
+* roles/assuredoss.admin
+* roles/securitycenter.admin
+* roles/vpcaccess.serviceAgent
+* roles/cloudbuild.builds.builder
+* roles/composer.worker
+* roles/dataflow.admin
 * roles/dataflow.developer
-* roles/resourcemanager.folderAdmin
-* roles/resourcemanager.folderIamAdmin
-* roles/resourcemanager.projectIamAdmin
-* roles/resourcemanager.organizationAdmin
-* roles/cloudasset.viewer
-* roles/cloudasset.owner
-
-*Service Agent Roles*:
-
-Service agent roles should not be used for any identities other than the Google managed service account they are associated with.
+* roles/run.sourceDeveloper
-* roles/serverless.serviceAgent
-* roles/dataproc.serviceAgent
 === Fix - Buildtime