
Imagine the following situation:

We have a GCP Cloud Run backend application running. Authentication is required and the ingress is set to "Internal + Load Balancing". Other services are accessing the application via REST. Each service has its own dedicated service account with the role "roles/run.invoker". The application is hidden behind the load balancer so that we don't have to inject the auto-generated "*.run.app" URL.

My issue here is that I always have to deploy my backend application first before I can assign the invoker role. I would rather not couple my backend application and the other service accounts so tightly. Is there a better way, without, for example, granting the invoker permission to allAuthenticatedUsers?

Mowee
  • Do you understand what `allAuthenticatedUsers` means? That IAM member would definitely not be part of a `Principle of Least Privilege` strategy. – John Hanley May 17 '23 at 18:50
  • @JohnHanley Do you understand that this was just an example? Of course, this is not a real solution for several reasons. Do you have any idea how to solve the problem? – Mowee May 22 '23 at 10:08
  • The `machine identity` (service account assigned to a service) is tightly coupled. One of the tenets of Least Privilege is to design, deploy and enforce the properties of the identity for each deployed service. – John Hanley May 22 '23 at 19:29
  • Your question states `My issue here is that I always have to deploy my backend application first before I can assign the invoker role.`. To which identity are you referring? The service account assigned to the service or the IAM policy bound to the backend resource? – John Hanley May 22 '23 at 19:31

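The setup the question describes, as an added example (this is not code from the post or from its author): a gcloud script that deploys the service with authentication required and ingress limited to internal traffic plus the load balancer, binds `roles/run.invoker` for one caller's service account on that service, and shows how the caller mints an ID token for the load-balancer hostname. Project, region, service, image, load-balancer hostname and caller service-account name are placeholders (assumptions). The ordering is the one the question complains about: the invoker binding lives in the IAM policy of the Cloud Run service resource, so the service must exist before `add-iam-policy-binding` can succeed. Because the service sits behind a load balancer, the hostname callers actually use is registered as a custom audience (`--add-custom-audiences`); without that, ID tokens would have to be minted for the auto-generated `*.run.app` URL. A small check over the service's IAM policy JSON catches the `allUsers` / `allAuthenticatedUsers` principals the comments warn against. With `DRY_RUN=1` every command is printed instead of executed, so the script can be reviewed without a project.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. All names below are
# placeholders; override them through the environment.
set -euo pipefail

PROJECT="${PROJECT:-my-project}"
REGION="${REGION:-europe-west1}"
SERVICE="${SERVICE:-backend}"
IMAGE="${IMAGE:-europe-docker.pkg.dev/my-project/apps/backend:latest}"
# Hostname served by the (internal) load balancer in front of the service.
LB_URL="${LB_URL:-https://api.internal.example.com}"
# One caller; each calling service gets its own account (assumed name).
CALLER_SA_NAME="${CALLER_SA_NAME:-orders-service}"
CALLER_SA="${CALLER_SA_NAME}@${PROJECT}.iam.gserviceaccount.com"

# run: execute a command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: deploy the backend. No allUsers/allAuthenticatedUsers invoker
# binding is created (--no-allow-unauthenticated), ingress is restricted to
# internal traffic and the load balancer, and the LB hostname is registered
# as a custom audience so callers need not know the *.run.app URL.
deploy_backend() {
  run gcloud run deploy "$SERVICE" \
    --project="$PROJECT" --region="$REGION" \
    --image="$IMAGE" \
    --no-allow-unauthenticated \
    --ingress=internal-and-cloud-load-balancing \
    --add-custom-audiences="$LB_URL"
}

# Step 2: bind roles/run.invoker for the caller on the service resource.
# This is the step that requires the service to exist already.
grant_invoker() {
  run gcloud run services add-iam-policy-binding "$SERVICE" \
    --project="$PROJECT" --region="$REGION" \
    --member="serviceAccount:${CALLER_SA}" \
    --role="roles/run.invoker"
}

# Step 3 (on the calling workload): mint an ID token whose audience is the
# LB hostname via the metadata server, then present it to the load balancer.
mint_id_token() {
  run curl -sS -H "Metadata-Flavor: Google" \
    "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=${LB_URL}"
}

call_backend() {
  local token
  token="$(mint_id_token)"
  run curl -sS -H "Authorization: Bearer ${token}" "${LB_URL}/health"
}

# Check: given the service's IAM policy as JSON on stdin (for example the
# output of `gcloud run services get-iam-policy SERVICE --format=json`),
# succeed if any binding grants access to a public principal.
policy_has_public_member() {
  grep -Eq '"(allUsers|allAuthenticatedUsers)"'
}

# Only act when explicitly asked to, so sourcing the file is side-effect free.
if [ "${1:-}" = "apply" ]; then
  deploy_backend
  grant_invoker
elif [ "${1:-}" = "call" ]; then
  call_backend
fi
```

Run as `DRY_RUN=1 ./cloudrun-invoker.sh apply` to see the commands, and pipe a real policy through `policy_has_public_member` in CI to fail the build if a public principal ever appears on the service.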
0 Answers