sethvargo
commented
5 years ago The default behavior for Berglas auto (and berglas exec) is to look up the environment as set by the deploying user. Berglas queries the GCP API for Cloud Run and gets the list of envvars set on the service deployment. This protects against a threat where an attacker injects berglas references into environment variables.
I don't quite understand your point about Cloud Functions. Cloud Functions also need viewer permissions on themselves. If the GCF SA has no permissions, neither auto nor exec will work.
If you want to accept the risk of the environment being modified, you can use berglas exec --local which will parse all local vars and won't need viewer permissions. However, even then, the GCF SA would still need permissions to talk to GCS and KMS.
dinvlad
Hi Team,
Cloud Run examples include step
Could you clarify why this is needed by Cloud Run? (I initially asked on the alpha-testers forum, but they suggested I'd ask here instead).
The reason I'm asking is, we'd like to limit the permissions for the Cloud Run SA as much as possible. However, when I attempt to grant this SA
run.viewerrole only on the service it is assigned to, then we run into an issue where the very first deployment of a service fails, because Berglas is unable to read its own service's env vars (since we can't grant the role until we deploy the service). We then grant it this role on the service, and have to re-deploy the service once again to make it work.Compare this e.g. to Cloud Functions, where env vars are automatically "passed" to the runtime, without having to grant any additional roles to read them (so a GCF SA could have literally 0 permissions if desired).
Thanks!