In this blog I will show you how to find the least privileged IAM role in Google Cloud Platform to perform a particular task. The principle of least privilege states that a user or program should be given only the minimal set of permissions required to perform its function. In Google Cloud Platform, permissions are grouped into a role. You grant the role to a user, and the user then has all of the associated permissions. So a role contains one or more permissions. Google's predefined role names follow the format roles/<servicename>.<roleName>, for instance roles/compute.admin. Permissions, on the other hand, have the format <servicename>.<resource-type>.<operation>, for instance compute.disks.delete.
Find all relevant IAM roles
So let's say you want to delete a compute disk. To find all of the available roles, type:
ROLES=$(gcloud iam roles list \
    --filter "name ~ roles/compute.*" \
    --format 'value(name)')
This returns more than twenty different pre-defined roles:
$ echo $ROLES
roles/compute.admin
roles/compute.imageUser
roles/compute.instanceAdmin
roles/compute.instanceAdmin.v1
...
roles/compute.storageAdmin
roles/compute.viewer
roles/compute.xpnAdmin
Find all applicable IAM roles
To find all applicable IAM roles with the permission compute.disks.delete, type:
DELETE_ROLES=$(for role in $ROLES; do
    gcloud iam roles describe $role --format json | \
        jq -r 'select(
            .includedPermissions[] | . == "compute.disks.delete"
        ) | .name'
done)
So, now we are down to four roles!
$ echo $DELETE_ROLES
roles/compute.admin
roles/compute.instanceAdmin
roles/compute.instanceAdmin.v1
roles/compute.storageAdmin
Find least privileged IAM Role
To find the IAM role with the least amount of permissions, type:
for role in $DELETE_ROLES; do
    gcloud iam roles describe $role --format json | \
        jq '{
            name: .name,
            title: .title,
            description: .description,
            number_of_permissions: (.includedPermissions|length)
        }';
done | \
    jq --slurp 'sort_by(.number_of_permissions)'
As you can see, this results in four potential roles:
[
{
"name": "roles/compute.storageAdmin",
"title": "Compute Storage Admin",
"description": "Full control of Compute Engine storage resources.",
"number_of_permissions": 77
},
{
"name": "roles/compute.instanceAdmin",
"title": "Compute Instance Admin (beta)",
"description": "Full control of Compute Engine instance resources.",
"number_of_permissions": 162
},
{
"name": "roles/compute.instanceAdmin.v1",
"title": "Compute Instance Admin (v1)",
"description": "Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Read access to all Compute Engine networking resources.",
"number_of_permissions": 278
},
{
"name": "roles/compute.admin",
"title": "Compute Admin",
"description": "Full control of all Compute Engine resources.",
"number_of_permissions": 587
}
]
Clearly, roles/compute.storageAdmin is the least privileged IAM role if you need to delete a disk.
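The three steps above, generalized to a task that needs a set of permissions rather than a single one, as an added Python example that is not the post's script: it takes role definitions in the shape `gcloud iam roles describe ROLE --format json` returns (the ones embedded here are constructed, trimmed stand-ins, not real exports), keeps only roles that grant every required permission, sorts them by permission count as the post does, and also lists the excess permissions each candidate would grant beyond the task, which is what a reviewer actually has to judge.

```python
"""Rank predefined IAM roles by permission count for a required permission set.
Added example, not the post's script. Input is the JSON shape returned by
`gcloud iam roles describe ROLE --format json`; the roles below are constructed,
trimmed stand-ins, not real exports."""
import json

# Constructed stand-ins (hypothetical, abbreviated permission lists).
DISK_RW = ["compute.disks.create", "compute.disks.delete",
           "compute.disks.get", "compute.disks.list"]
INSTANCE = ["compute.instances.delete", "compute.instances.get",
            "compute.instances.setMetadata"]
ROLE_JSON = json.dumps([
    {"name": "roles/compute.viewer",
     "includedPermissions": ["compute.disks.get", "compute.instances.get"]},
    {"name": "roles/compute.storageAdmin",
     "includedPermissions": DISK_RW + ["compute.snapshots.delete"]},
    {"name": "roles/compute.instanceAdmin.v1",
     "includedPermissions": DISK_RW + INSTANCE},
    {"name": "roles/compute.admin",
     "includedPermissions": DISK_RW + INSTANCE + ["compute.networks.delete"]},
])


def load_roles(text=ROLE_JSON):
    """Parse role definitions (in practice: the concatenated gcloud output)."""
    return json.loads(text)


def rank_roles(roles, required):
    """Return roles granting every permission in `required`, smallest first.
    Each entry keeps the post's sort key (total permission count) and adds the
    permissions granted beyond the task, so over-exposure is visible."""
    required = set(required)
    ranked = []
    for role in roles:
        granted = set(role.get("includedPermissions", []))
        if not required <= granted:
            continue  # role cannot perform the task at all; skip it
        ranked.append({"name": role["name"],
                       "number_of_permissions": len(granted),
                       "excess": sorted(granted - required)})
    return sorted(ranked, key=lambda r: r["number_of_permissions"])


def least_privileged(roles, required):
    """Name of the smallest covering role, or None when no role covers it."""
    ranked = rank_roles(roles, required)
    return ranked[0]["name"] if ranked else None


if __name__ == "__main__":
    print(json.dumps(rank_roles(load_roles(), ["compute.disks.delete"]), indent=2))
```

Note that the permission count is only a proxy: a role with fewer permissions can still carry a more dangerous one, so the excess list, not the count alone, should drive the decision.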
Conclusion
To find the least privileged IAM role on Google Cloud Platform to perform a specific task, you can query the IAM role definition API. The entire code is also available as a bash script: gcp-least-privileged