Defining conditions on the permissions granted to a Google Cloud service account helps enforce our security policy. With conditions we can specify not only that a given account may access secrets, but also which secrets.
This matters because, if an attacker took control of a compute resource associated with an account that has read access to secrets, they would literally be able to read all our secrets. If a condition is applied to that permission, only the secrets matching the condition would be exposed.
To define an IAM permission condition, open the Google Cloud IAM administration console and edit the principal (service account) whose permissions are to be conditioned.
Then click the "ADD CONDITION" label of the role to be conditioned to reach the condition definition view, which contains both the Condition Builder, for defining conditions through a visual interface, and the Condition Editor, which does the same by writing CEL expressions.
Specifically, the CEL expression restricting access to a given secret is:
resource.name == "projects/<project number>/secrets/<secret name>/versions/latest"
... where <project number> is the number of our Google Cloud project and <secret name> is the name of the secret whose access is restricted by the condition (the project number can be obtained by running the gcloud CLI command gcloud projects list).
Therefore, the CEL expression matching a secret called MY_SECRET in a project with project number 1234567890 would be:
resource.name == "projects/1234567890/secrets/MY_SECRET/versions/latest"
CEL also allows simplifying the above definition by checking only the last part of a resource name, which is useful when we don't have (or don't want to set) the project number. In that case, the expression would be:
resource.name.endsWith("/secrets/<secret name>/versions/latest")
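To see exactly what each of the two condition forms above admits, here is a small added Python illustration (not code from the original post) that builds both CEL expressions and evaluates just those two shapes against constructed resource names; the project number 1234567890, the secret MY_SECRET and the other sample names are assumptions for the demo.

```python
import re

def exact_condition(project_number: str, secret_name: str) -> str:
    """CEL expression from the post pinning one secret in one project (project number, not project ID)."""
    return f'resource.name == "projects/{project_number}/secrets/{secret_name}/versions/latest"'

def suffix_condition(secret_name: str) -> str:
    """Project-number-free variant from the post; the leading "/secrets/" keeps it from matching
    a secret whose name merely ends with secret_name (e.g. BACKUP_MY_SECRET)."""
    return f'resource.name.endsWith("/secrets/{secret_name}/versions/latest")'

# Only the two expression shapes used in the post are understood; anything else is refused
# rather than silently treated as "allow".
_EQ = re.compile(r'^resource\.name == "([^"]*)"$')
_ENDS = re.compile(r'^resource\.name\.endsWith\("([^"]*)"\)$')

def condition_allows(expression: str, resource_name: str) -> bool:
    """Mimic CEL evaluation of the post's two condition forms for one resource name."""
    m = _EQ.match(expression)
    if m:
        return resource_name == m.group(1)
    m = _ENDS.match(expression)
    if m:
        return resource_name.endswith(m.group(1))
    raise ValueError(f"unsupported expression shape: {expression}")

def evaluate_policy(expression: str, resource_names) -> dict:
    """Map each resource name to whether the condition lets the bound role apply to it."""
    return {name: condition_allows(expression, name) for name in resource_names}

# Constructed sample resource names, in the form Secret Manager uses for version access.
SAMPLE_RESOURCES = [
    "projects/1234567890/secrets/MY_SECRET/versions/latest",         # the intended target
    "projects/1234567890/secrets/MY_SECRET/versions/2",              # a pinned version: different name, not matched
    "projects/1234567890/secrets/OTHER_SECRET/versions/latest",      # another secret in the same project
    "projects/1234567890/secrets/BACKUP_MY_SECRET/versions/latest",  # similar name, blocked by "/secrets/" prefix
    "projects/9876543210/secrets/MY_SECRET/versions/latest",         # same secret name, other project number
]

if __name__ == "__main__":
    for expr in (exact_condition("1234567890", "MY_SECRET"), suffix_condition("MY_SECRET")):
        print(expr)
        for name, ok in evaluate_policy(expr, SAMPLE_RESOURCES).items():
            print(f"  {'ALLOW' if ok else 'deny '}  {name}")
```

The run shows the two practical differences: both forms only match the latest alias, so a request for a numbered version is not covered, and the endsWith form ignores the project number, which matters if the binding lives above project level.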