GCP Permissions for Cloud Functions Deployment


I'm looking to onboard a new developer to my GCP project, assigning responsibilities such as deploying cloud functions and potentially granting access to others. However, after providing them with admin setIAMPolicy permissions, I observed that they can edit my role as the owner, which is undesirable.

Are there specific permission settings or role configurations that allow for necessary access while preventing the user from altering roles with Owner and Editor privileges? I'm seeking advice and best practices to strike a balance in access control. Any guidance on achieving this would be highly appreciated. Thank you!

1

1 answer

0
guillaume blaquiere On

If you want to give them the freedom to grant permissions (on a service account, for instance), they also have the freedom to grant themselves any role they want!

The problem is not easy to solve. Up to now, I have seen 2 solutions:

  • Don't give the user the Security Admin role. Instead, create a side service where users can request a role for a SA or for themselves. This service has an allow/block list of roles, and it is this service that grants, or does not grant, the requested role.
  • Give the user the full freedom but develop auto-remediation of overpowered roles. 2 options:
    • Use SCC (Security Command Center) and the event on basic role detection. On that event, get the project ID and the email, and remove the role.
    • Use a log sink: sink all the IAM audit logs in the same place. Then create a custom metric and send an event every time an Owner/Editor (or other) role is granted, and remove the role automatically.

Nothing magic: prevent the role assignment (proactive) or auto-remove the overpowered roles after grant (reactive).

I implemented both, and the reactive one is the easiest and fastest to use. But you have to accept a few seconds' delay between grant and removal of roles.
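The two approaches in the answer, written out as an added example (this is not code from the answer's author or from Google). The proactive half is the allow/block list a "side service" would consult before granting a requested role; the reactive half inspects one `SetIamPolicy` Cloud Audit Log entry for newly ADDED Owner/Editor bindings and computes the policy with those bindings stripped. The role lists, the sample log entry and the sample policy are all constructed here; the log entry follows the `protoPayload.serviceData.policyDelta.bindingDeltas` shape of IAM audit logs, and the real Get/SetIamPolicy calls (with etag handling) are deliberately left out so the logic runs offline.

```python
import json

# Assumption: Owner and Editor are the roles the answer wants to keep out of
# the developer's reach; extend this set for other basic/powerful roles.
BLOCKED_ROLES = frozenset({"roles/owner", "roles/editor"})

# Assumption: roles the side service may hand out on request (proactive option).
ALLOWED_ROLES = frozenset({
    "roles/cloudfunctions.developer",
    "roles/iam.serviceAccountUser",
    "roles/logging.viewer",
})


def decide_role_request(role: str) -> str:
    """Proactive option: the side service decides instead of the user."""
    if role in BLOCKED_ROLES:
        return "deny"
    if role in ALLOWED_ROLES:
        return "grant"
    return "review"  # unknown role: escalate to a human instead of guessing


def overpowered_grants(log_entry: dict) -> list:
    """Reactive option: return (role, member) pairs that this SetIamPolicy
    audit entry ADDED and that fall in BLOCKED_ROLES. Other methods and
    REMOVE deltas are ignored."""
    payload = log_entry.get("protoPayload", {})
    if payload.get("methodName") != "SetIamPolicy":
        return []
    deltas = (payload.get("serviceData", {})
                     .get("policyDelta", {})
                     .get("bindingDeltas", []))
    return [(d["role"], d["member"]) for d in deltas
            if d.get("action") == "ADD" and d.get("role") in BLOCKED_ROLES]


def remove_bindings(policy: dict, offenders: list) -> dict:
    """Return a copy of an IAM policy with the offending members removed
    from the blocked roles; bindings left empty are dropped entirely."""
    new_bindings = []
    for binding in policy.get("bindings", []):
        members = [m for m in binding.get("members", [])
                   if (binding["role"], m) not in offenders]
        if members:
            new_bindings.append({"role": binding["role"], "members": members})
    return {**policy, "bindings": new_bindings}


def remediate(log_entry: dict, current_policy: dict):
    """Glue for the reactive path: detect, then compute the cleaned policy.
    In production the cleaned policy would be written back with SetIamPolicy
    using the etag read from GetIamPolicy; that call is not made here."""
    offenders = overpowered_grants(log_entry)
    return offenders, remove_bindings(current_policy, offenders)


# Constructed sample: the developer grants themselves Owner while also adding
# a legitimate Cloud Functions role and removing an old Editor binding.
SAMPLE_LOG = json.loads("""{
  "protoPayload": {
    "methodName": "SetIamPolicy",
    "resourceName": "projects/example-project",
    "authenticationInfo": {"principalEmail": "newdev@example.com"},
    "serviceData": {"policyDelta": {"bindingDeltas": [
      {"action": "ADD", "role": "roles/owner", "member": "user:newdev@example.com"},
      {"action": "ADD", "role": "roles/cloudfunctions.developer", "member": "user:newdev@example.com"},
      {"action": "REMOVE", "role": "roles/editor", "member": "user:olddev@example.com"}
    ]}}
  }
}""")

# Constructed sample: the project policy as it looks after that grant.
SAMPLE_POLICY = {
    "etag": "BwXexampleEtag=",
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:owner@example.com", "user:newdev@example.com"]},
        {"role": "roles/cloudfunctions.developer",
         "members": ["user:newdev@example.com"]},
    ],
}

if __name__ == "__main__":
    found, cleaned = remediate(SAMPLE_LOG, SAMPLE_POLICY)
    print("offending grants:", found)
    print("cleaned policy:", json.dumps(cleaned, indent=2))
```

The reactive path only sees the grant after the audit log is written and routed (log sink, metric, or SCC finding), which is the few seconds of exposure the answer mentions; the proactive path avoids that window but requires that the developer never holds a role that lets them call `SetIamPolicy` directly.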