Closed dinvlad closed 5 years ago
The default behavior for Berglas auto (and berglas exec
) is to look up the environment as set by the deploying user. Berglas queries the GCP API for Cloud Run and gets the list of envvars set on the service deployment. This protects against a threat where an attacker injects berglas references into environment variables.
I don't quite understand your point about Cloud Functions. Cloud Functions also need viewer permissions on themselves. If the GCF SA has no permissions, neither auto nor exec will work.
If you want to accept the risk of the environment being modified, you can use berglas exec --local
which will parse all local vars and won't need viewer permissions. However, even then, the GCF SA would still need permissions to talk to GCS and KMS.
I see, thanks - we’re using Berglas with a Python app in Cloud Run, so have to apply berglas exec --
form (in fact, the main reason for our jump from GCF to Run was so that we could use Berglas with Python). That being said, I’ve only tried Berglas in Go locally (which works great), not in a GCF.
The main reason I’m asking is I wanted to avoid granting project-wide Run Viewer to each Run SA. However, I understand that the risk of env injection is also not to be overlooked.
Yea if you run berglas exec --local -- CMD
then you won't need those viewer permissions.
Hi Team,
Cloud Run examples include step
Could you clarify why this is needed by Cloud Run? (I initially asked on the alpha-testers forum, but they suggested I'd ask here instead).
The reason I'm asking is, we'd like to limit the permissions for the Cloud Run SA as much as possible. However, when I attempt to grant this SA
run.viewer
role only on the service it is assigned to, then we run into an issue where the very first deployment of a service fails, because Berglas is unable to read its own service's env vars (since we can't grant the role until we deploy the service). We then grant it this role on the service, and have to re-deploy the service once again to make it work.Compare this e.g. to Cloud Functions, where env vars are automatically "passed" to the runtime, without having to grant any additional roles to read them (so a GCF SA could have literally 0 permissions if desired).
Thanks!