Implementing Least Privilege IAM Policy Bindings in Cloud Run APPRUN
Overview

The principle of least privilege states that a resource should only have access to the exact set of resources it needs in order to function. For example, if a service is performing an automated database backup, the service should be restricted to read-only permissions on exactly one database. Similarly, if a service is only responsible for encrypting data, it should not have permissions for decrypting data.

In Cloud Run, if a service is deployed without specifying a service account, a default service account is used. The default service account is the Compute Engine service account, which has the broad Editor role on the project. Because of policy binding inheritance, this service account has read and write permissions on most resources in your project. While convenient, this is an inherent security risk, as resources can be created, modified, or deleted with this service account.

To mitigate this risk and implement the principle of least privilege, you should create a service account that serves as the service's identity, and grant that account only the minimum set of permissions required for the service's functionality.

Objectives

In this lab, you learn to:
- Configure your environment and enable the Cloud Run API.
- Create and deploy a public Cloud Run service.
- Test the service with unauthenticated requests.
- Create a service account with minimum permissions.
- Use the gcloud CLI to authenticate with the service account, and invoke a Cloud Run service.
- Implement least privilege by granting the minimum set of permissions required to invoke a service on Cloud Run.

#gcp #googlecloud #qwiklabs #learntoearn
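As an added example that is not part of the lab, the audit below checks exported Cloud Run and project IAM JSON for the three gaps the lab addresses: a service running as the default Compute Engine identity, a public roles/run.invoker binding, and an inherited Editor grant on that identity. The sample documents are constructed; the project number and account names are placeholders, and the dict shapes assume the output of `gcloud run services describe`, `gcloud run services get-iam-policy` and `gcloud projects get-iam-policy` with `--format=json`.

```python
"""Audit a Cloud Run service's identity and IAM bindings for least-privilege gaps."""
import re

# Cloud Run's default runtime identity is the Compute Engine service account.
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
BROAD_ROLES = {"roles/owner", "roles/editor"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def audit_service(service, service_policy, project_policy):
    """Return finding strings; an empty list means no gap was detected."""
    findings = []
    runtime_sa = service["spec"]["template"]["spec"].get("serviceAccountName", "")

    # 1. No explicit identity, or the default one: the service inherits broad access.
    if not runtime_sa or DEFAULT_COMPUTE_SA.match(runtime_sa):
        findings.append("runtime identity is the default Compute Engine service account")

    # 2. Any caller (or any Google account) may invoke the service.
    for binding in service_policy.get("bindings", []):
        if binding["role"] == "roles/run.invoker":
            for m in sorted(PUBLIC_MEMBERS & set(binding.get("members", []))):
                findings.append(f"{m} may invoke the service")

    # 3. Project-level Owner/Editor grants flow down to everything the service touches.
    member = f"serviceAccount:{runtime_sa}"
    for binding in project_policy.get("bindings", []):
        if binding["role"] in BROAD_ROLES and member in binding.get("members", []):
            findings.append(f"runtime identity holds {binding['role']} on the project")
    return findings


# Constructed sample: the lab's initial public deployment on the default identity.
BEFORE_SERVICE = {"spec": {"template": {"spec": {
    "serviceAccountName": "123456789012-compute@developer.gserviceaccount.com"}}}}
BEFORE_SERVICE_POLICY = {"bindings": [{"role": "roles/run.invoker", "members": ["allUsers"]}]}
PROJECT_POLICY = {"bindings": [{"role": "roles/editor", "members": [
    "serviceAccount:123456789012-compute@developer.gserviceaccount.com"]}]}

# Constructed sample: after the fix, a dedicated identity and one named invoker (placeholders).
AFTER_SERVICE = {"spec": {"template": {"spec": {
    "serviceAccountName": "billing-svc@example-project.iam.gserviceaccount.com"}}}}
AFTER_SERVICE_POLICY = {"bindings": [{"role": "roles/run.invoker", "members": [
    "serviceAccount:invoker@example-project.iam.gserviceaccount.com"]}]}

if __name__ == "__main__":
    for label, svc, pol in (("before", BEFORE_SERVICE, BEFORE_SERVICE_POLICY),
                            ("after", AFTER_SERVICE, AFTER_SERVICE_POLICY)):
        print(label, audit_service(svc, pol, PROJECT_POLICY) or ["no findings"])
```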