How to find the least privileged IAM Role in Google Cloud Platform

In this blog I will show you how to find the least privileged IAM Role in Google Cloud Platform to perform a particular task.

The principle of least privilege states that a user or program should be granted only the minimal set of permissions required to perform its function. In Google Cloud Platform, permissions are grouped into a role. You grant the role to a user, and the user then holds all of the associated permissions.

So a role contains one or more permissions. Google’s predefined role names follow the format roles/<servicename>.<roleName>, for instance roles/compute.admin. Permissions, on the other hand, have the format <servicename>.<resource-type>.<operation>, for instance compute.disks.delete.

Find all relevant IAM roles

So let's say you want to delete a compute disk. To find all of the available predefined roles for the Compute Engine service, type:

# List every predefined role whose name starts with roles/compute.
ROLES=$(gcloud iam roles list \
  --filter "name ~ roles/compute.*" \
  --format 'value(name)')

This returns more than twenty different pre-defined roles:

$ echo $ROLES
roles/compute.admin
roles/compute.imageUser
roles/compute.instanceAdmin
roles/compute.instanceAdmin.v1
...
roles/compute.storageAdmin
roles/compute.viewer
roles/compute.xpnAdmin

Find all applicable IAM roles

To find all applicable IAM roles that include the permission compute.disks.delete, type:

# Describe each role and keep only the names of roles whose
# includedPermissions list contains compute.disks.delete.
DELETE_ROLES=$(for role in $ROLES; do
    gcloud iam roles describe $role --format json | \
      jq -r 'select(
               .includedPermissions[] | . == "compute.disks.delete"
              ) | .name'
done)

So, now we are down to four roles!

$ echo $DELETE_ROLES
roles/compute.admin
roles/compute.instanceAdmin
roles/compute.instanceAdmin.v1
roles/compute.storageAdmin

Find least privileged IAM Role

To find the IAM role with the least amount of permissions, type:

# For each candidate role, emit its name, title, description and the
# number of permissions it carries, then sort the candidates by that count.
for role in $DELETE_ROLES; do
    gcloud iam roles describe $role --format json | \
    jq '{
         name: .name,
         title: .title,
         description: .description,
         number_of_permissions : (.includedPermissions|length)
   }';
done | \
jq --slurp 'sort_by(.number_of_permissions)'

As you can see, this results in four potential roles, sorted from fewest to most permissions:

[
  {
    "name": "roles/compute.storageAdmin",
    "title": "Compute Storage Admin",
    "description": "Full control of Compute Engine storage resources.",
    "number_of_permissions": 77
  },
  {
    "name": "roles/compute.instanceAdmin",
    "title": "Compute Instance Admin (beta)",
    "description": "Full control of Compute Engine instance resources.",
    "number_of_permissions": 162
  },
  {
    "name": "roles/compute.instanceAdmin.v1",
    "title": "Compute Instance Admin (v1)",
    "description": "Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Read access to all Compute Engine networking resources.",
    "number_of_permissions": 278
  },
  {
    "name": "roles/compute.admin",
    "title": "Compute Admin",
    "description": "Full control of all Compute Engine resources.",
    "number_of_permissions": 587
  }
]

Clearly, roles/compute.storageAdmin is the least privileged IAM role, if you need to delete a disk.
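The same selection logic, written as an added Python example rather than the post's bash script, so it can be run offline against role definitions in the shape that gcloud iam roles describe --format json returns. The ROLE_DEFINITIONS below are a constructed, heavily trimmed sample (the permission lists are illustrative, not the real contents of the predefined roles). It goes one step beyond the post: besides ranking candidates by permission count, minimal_roles drops any candidate whose permission set strictly contains another candidate's, since such a role can never be the least privileged choice.

```python
"""Rank candidate IAM roles for a single permission, offline.

Added example, not the blog's own script.  Input is a list of role
definitions shaped like `gcloud iam roles describe ROLE --format json`.
ROLE_DEFINITIONS is a constructed sample with made-up permission lists.
"""
from typing import Dict, List

# Constructed sample: a handful of roles with a few permissions each.
ROLE_DEFINITIONS: List[Dict] = [
    {
        "name": "roles/compute.admin",
        "title": "Compute Admin",
        "includedPermissions": [
            "compute.disks.create", "compute.disks.delete", "compute.disks.get",
            "compute.instances.create", "compute.instances.delete",
            "compute.networks.create", "compute.images.delete",
        ],
    },
    {
        "name": "roles/compute.storageAdmin",
        "title": "Compute Storage Admin",
        "includedPermissions": [
            "compute.disks.create", "compute.disks.delete", "compute.disks.get",
            "compute.images.delete",
        ],
    },
    {
        "name": "roles/compute.instanceAdmin.v1",
        "title": "Compute Instance Admin (v1)",
        "includedPermissions": [
            "compute.disks.create", "compute.disks.delete", "compute.disks.get",
            "compute.instances.create", "compute.instances.delete",
        ],
    },
    {
        "name": "roles/compute.viewer",
        "title": "Compute Viewer",
        "includedPermissions": ["compute.disks.get", "compute.instances.get"],
    },
]


def roles_with_permission(roles: List[Dict], permission: str) -> List[Dict]:
    """Step 2 of the post: keep only roles whose includedPermissions contain the permission."""
    return [r for r in roles if permission in r.get("includedPermissions", [])]


def rank_by_permission_count(roles: List[Dict]) -> List[Dict]:
    """Step 3 of the post: sort candidates by how many permissions they carry."""
    rows = (
        {
            "name": r["name"],
            "title": r.get("title", ""),
            "number_of_permissions": len(r.get("includedPermissions", [])),
        }
        for r in roles
    )
    return sorted(rows, key=lambda row: row["number_of_permissions"])


def minimal_roles(roles: List[Dict]) -> List[str]:
    """Beyond the post: names of candidates that are not a strict superset of
    another candidate.  A role whose permissions strictly contain another
    candidate's grants everything that candidate does plus more."""
    perm_sets = {r["name"]: set(r.get("includedPermissions", [])) for r in roles}
    minimal = []
    for name, perms in perm_sets.items():
        dominated = any(other < perms for o, other in perm_sets.items() if o != name)
        if not dominated:
            minimal.append(name)
    return minimal


def least_privileged_role(roles: List[Dict], permission: str):
    """Name of the candidate with the fewest permissions, or None if no role grants it."""
    candidates = roles_with_permission(roles, permission)
    if not candidates:
        return None
    return rank_by_permission_count(candidates)[0]["name"]


if __name__ == "__main__":
    perm = "compute.disks.delete"
    candidates = roles_with_permission(ROLE_DEFINITIONS, perm)
    for row in rank_by_permission_count(candidates):
        print(row)
    print("minimal candidates:", minimal_roles(candidates))
    print("least privileged:", least_privileged_role(ROLE_DEFINITIONS, perm))
```

In the sample, roles/compute.storageAdmin comes out first by count, and minimal_roles also keeps roles/compute.instanceAdmin.v1 because neither of those two contains the other; only roles/compute.admin is dropped as a strict superset. Permission count is a useful proxy, but the subset check tells you whether a "smaller" role is genuinely a subset of a larger one or just carries a different bundle of unrelated permissions.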

Conclusion

To find the least privileged IAM role on Google Cloud Platform to perform a specific task, you can query the IAM Role definition API. The entire code is also available as a bash script: gcp-least-privileged


Mark van Holsteijn is a senior software systems architect, and CTO of binx.io. He is passionate about removing waste in the software delivery process and keeping things clear and simple.