
lacework-global-759

Minimize user access to Google Container Registry (GCR) (Manual)

Description

Restrict user access to GCR, limiting interaction with build images to only authorized personnel and service accounts.

Remediation

Note: GCR is now deprecated; see the references for more details.

Using Google Cloud Console:

To modify roles granted at the GCR bucket level:

  1. Go to Storage Browser by visiting: https://console.cloud.google.com/storage/browser.
  2. From the list of storage buckets, select artifacts.<project_id>.appspot.com for the GCR bucket.
  3. Under the Permissions tab, modify permissions of the identified member via the drop-down role menu and change the Role to Storage Object Viewer for read-only access.

For a User or Service account with Project level permissions inherited by the GCR bucket, or the Service Account User Role:

  1. Go to Identity and Access Management (IAM) by visiting: https://console.cloud.google.com/iam-admin/iam.
  2. Find the User or Service account to modify and click the corresponding pencil icon.
  3. Remove the create/modify role (Storage Admin / Storage Object Admin / Storage Object Creator / Service Account User) on the user or service account.
  4. If required, add the Storage Object Viewer role. Note with caution that this permits the account to view all objects stored in Google Cloud Storage (GCS) for the project.

Using Command Line:

To change roles at the GCR bucket level:

First, if you require read permissions, run the following:

gsutil iam ch <type>:<email_address>:objectViewer gs://artifacts.<project_id>.appspot.com

Then remove the excessively privileged role (Storage Admin / Storage Object Admin / Storage Object Creator) using:

gsutil iam ch -d <type>:<email_address>:<role> gs://artifacts.<project_id>.appspot.com

where:

  • <type> can be one of the following:
    • user, if the <email_address> is a Google Account.
    • serviceAccount, if <email_address> specifies a Service account.
  • <email_address> can be one of the following:
    • a Google Account (for example, someone@example.com).
    • a Cloud IAM service account.

To modify roles defined at the project level and subsequently inherited within the GCR bucket, or the Service Account User role, extract the IAM policy file, modify it accordingly, and apply it using:

gcloud projects set-iam-policy <project_id> <policy_file>
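The bucket-level command line steps above can be driven from the output of gsutil iam get. The following is an added example, not part of the Lacework policy or Google's tooling: it takes a constructed bucket IAM policy (member names, project name and etag are made up), flags every member holding one of the excessive roles named in the remediation, and emits the gsutil iam ch commands in the order the text prescribes (grant read access first, then remove each excessive role), skipping members you list as legitimate image pushers.

```python
# Roles the remediation text treats as excessive on the GCR bucket.
EXCESSIVE_ROLES = {
    "roles/storage.admin",
    "roles/storage.objectAdmin",
    "roles/storage.objectCreator",
}
READ_ONLY_ROLE = "roles/storage.objectViewer"

# Constructed sample of `gsutil iam get gs://artifacts.<project_id>.appspot.com`
# output; members, project name and etag are made up for this example.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectAdmin",
         "members": ["user:alice@example.com",
                     "serviceAccount:ci-builder@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer", "members": ["user:bob@example.com"]},
        {"role": "roles/storage.admin", "members": ["user:alice@example.com"]},
    ],
    "etag": "CAE=",
}


def find_excessive_members(policy):
    """Map each member to the set of excessive roles it holds on the bucket."""
    findings = {}
    for binding in policy.get("bindings", []):
        if binding["role"] in EXCESSIVE_ROLES:
            for member in binding["members"]:
                findings.setdefault(member, set()).add(binding["role"])
    return findings


def remediation_commands(policy, bucket, allowed_writers=()):
    """Emit the gsutil steps from the remediation section for each flagged member:
    grant read access first so the member keeps pulling images, then drop each
    excessive role. Members in allowed_writers (e.g. the CI pusher) are skipped."""
    cmds = []
    for member, roles in sorted(find_excessive_members(policy).items()):
        if member in allowed_writers:
            continue
        cmds.append(f"gsutil iam ch {member}:{READ_ONLY_ROLE} gs://{bucket}")
        for role in sorted(roles):
            cmds.append(f"gsutil iam ch -d {member}:{role} gs://{bucket}")
    return cmds


if __name__ == "__main__":
    ci = "serviceAccount:ci-builder@example-project.iam.gserviceaccount.com"
    for cmd in remediation_commands(SAMPLE_POLICY, "artifacts.example-project.appspot.com", {ci}):
        print(cmd)
```

Review the emitted commands before running them; bindings inherited from the project level do not appear in the bucket policy and still need the gcloud projects set-iam-policy route.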

References

https://cloud.google.com/container-registry/docs/
https://cloud.google.com/kubernetes-engine/docs/how-to/service-accounts
https://cloud.google.com/kubernetes-engine/docs/how-to/iam