Open bolyachevets opened 4 days ago
Main point of the announcement: “Currently, the Cloud Run Admin and Cloud Run Developer IAM roles implicitly give permission to deploy container images from Artifact Registry repositories in the same project.”
I don’t think this is relevant for a number of reasons:
We are not deploying from the same project’s artifactory to Cloud Run: artifactory is in Common Tools Project and Cloud Run service accounts …@serverless-robot-prod.iam.gserviceaccount.com are granted at least 1 (usually 2) custom roles with permissions to access artifact repository in Common Tools.
https://github.com/bcgov/bcregistry-sre/blob/main/gcp/iam/role-api.yaml https://github.com/bcgov/bcregistry-sre/blob/main/gcp/iam/role-cdcloudrun.yaml
Both of these roles have artifact registry permissions:
I ran an IAM role dump for the Common Tools project: `gcloud projects get-iam-policy c4hnrd-tools --format=json > iam-policy.json`
And verified that most client projects of the Common Tools artifactory have their …@serverless-robot-prod.iam.gserviceaccount.com Cloud Run service accounts assigned the above permissions in Common Tools.
Given a full list of projects, I labelled projects with a * that have no such roles assigned:

```text
PROJECT_ID                 NAME                              PROJECT_NUMBER
a083gt-dev                 BCR Businesses 'Dev'              475224072965
a083gt-integration         BCR Businesses 'Sandbox'          358864940488
a083gt-prod                BCR Businesses 'Prod'             698952081000
a083gt-test                BCR Businesses 'Test'             457237769279
a083gt-tools               BCR Businesses 'Tools'            686661328018
bcrbk9-dev                 BCR STRR 'Dev'                    382361722867
bcrbk9-prod                BCR STRR 'Prod'                   575122678722
bcrbk9-test                BCR STRR 'Test'                   166050292631
bcrbk9-tools               BCR STRR 'Sandbox'                865508335279
c4hnrd-dev                 BCR Common Dev                    366678529892
c4hnrd-prod                BCR Common Prod                   185633972304
c4hnrd-sandbox             BCR Common Sandbox                332291120344
c4hnrd-test                BCR Common Test                   1032237216035
c4hnrd-tools               BCR Common Tools                  331250273634
eogruh-dev                 BCR-PPR 'Dev'                     818160024412
eogruh-prod                BCR-PPR 'Prod'                    1060957300107
eogruh-sandbox             BCR-PPR 'Sandbox'                 846149845110
eogruh-test                BCR-PPR 'Test'                    560587715711
ggl-bcregistry-pathfinder  GGL-BCREGISTRY-PATHFINDER         1073220695820
gtksf3-dev                 BCR BCOnline Dev                  142173140222
gtksf3-prod                BCR BCOnline Prod                 758264625079
gtksf3-test                BCR BCOnline Test                 129641755850
gtksf3-tools               BCR BCOnline Sandbox              178801140315
k973yf--tools              BCR Search 'Integration'          854458797060
k973yf-dev                 BCR Search 'Dev'                  952634948388
k973yf-prod                BCR Search 'Prod'                 357033077029
k973yf-test                BCR Search 'Test'                 107836257140
keee67-dev                 BCR Business Number Hub Dev       536029243194
keee67-prod                BCR Business Number Hub Prod      747107125812
keee67-test                BCR Business Number Hub Test      1013289453767
keee67-tools               BCR Business Number Hub Tools     173123271401
mvnjri-dev                 BCR Analytics - Int 'DEV'         310969559535
mvnjri-prod                BCR Analytics - Int 'PROD'        560428767344
mvnjri-train               BCR Analytics - Int 'TRAIN'       273960618230
okagqp-dev                 BCR API Gateway 'DEV'             645347474116
okagqp-prod                BCR API Gateway 'PROD'            957184123975
okagqp-sandbox             BCR API Gateway 'SANDBOX'         400659071238
okagqp-test                BCR API Gateway 'TEST'            562048480051
sbgmug-dev                 BCR Analytics - Ext 'DEV'         758399812794
sbgmug-prod                BCR Analytics - Ext 'PROD'        46312851573
sbgmug-sandbox             BCR Analytics - Ext 'SANDBOX'     7608402836
sbgmug-test                BCR Analytics - Ext 'TEST'        600936397877
yfjq17-dev                 BCR BOR 'Dev'                     155859513460
yfjq17-prod                BCR BOR 'Prod'                    291970782611
yfjq17-test                BCR BOR 'Test'                    74091792216
yfjq17-tools               BCR BOR 'Tools'                   351639370723
yfthig-dev                 BCR Web Presence 'DEV'            799136746742
yfthig-prod                BCR Web Presence 'PROD'           961502758381
yfthig-test                BCR Web Presence 'TEST'           441767189997
yfthig-tools               BCR Web Presence 'Sandbox'        462048327212
```
The announcement mentions a way to verify whether action is necessary:
Query audit logs with:

```text
resource.type = "cloud_run_revision" severity=ERROR SEARCH("User does not have access to image")
```
I ran this in a few projects mentioned as potentially problematic (after redeploying some services) and did not see any errors in the logs.
Propose to monitor logs periodically during redeployments for now.
Got a notification from GCP team:
Starting January 15, 2025, Cloud Run will begin explicitly verifying that users or service accounts creating or updating Cloud Run resources have the permission to access deployed container image(s).
We have provided additional information below to guide you through this change.
What you need to know
Currently, the Cloud Run Admin and Cloud Run Developer IAM roles implicitly give permission to deploy container images from Artifact Registry repositories in the same project.
However, starting January 15, 2025, users or service accounts creating or updating a Cloud Run resource will need explicit permission to access deployed container images.
What you need to do
Before January 15, 2025, after creating or updating your Cloud Run resources, use this link to look for "User does not have access to image" errors in audit logs.
If you see an error in audit logs after deploying, action is required: Ensure that the principal (user or service account) creating or updating Cloud Run resources has the Artifact Registry Reader (roles/artifactregistry.reader) IAM role on the project or container repository containing the container image to be deployed. Refer to our Artifact Registry documentation for detailed instructions.
No action is required in the following cases:
- The person deploying to Cloud Run is a Project Owner or Editor.
- The person deploying to Cloud Run can already pull images from Artifact Registry in this project.
- You are deploying functions or sources to Cloud Run.
- You are using Cloud Functions for Firebase or Firebase App Hosting.
- You are deploying continuously using a Cloud Build Trigger in the same project.
- The Cloud Run audit logs do not contain any error after deploying.
We're here to help
We understand that making this change may require some planning, and we're here to support you during this process. If you have questions or need assistance, please contact Google Cloud Support.
Your affected projects, format project_id (project_number), are listed below:
bcrbk9-prod (575122678722)
gtksf3-test (129641755850)
c4hnrd-test (1032237216035)
yfjq17-test (74091792216)
eogruh-prod (1060957300107)
k973yf-prod (357033077029)
yfjq17-prod (291970782611)
a083gt-dev (475224072965)
bcrbk9-test (166050292631)
gtksf3-dev (142173140222)
eogruh-dev (818160024412)
a083gt-prod (698952081000)
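A script that mechanizes the check described earlier in this issue (dump the tools project's IAM policy with `gcloud projects get-iam-policy ... --format=json`, then list the client projects whose Cloud Run service agent holds no role able to pull from the shared registry). This is an added example, not code from bcgov/bcregistry-sre or from the GCP notice. It assumes the Cloud Run service agent member string is `serviceAccount:service-<PROJECT_NUMBER>@serverless-robot-prod.iam.gserviceaccount.com`; the custom role names, their permission lists and the policy bindings in the sample are constructed and are not the real c4hnrd-tools policy. Since the notice applies the requirement to the principal that creates or updates the Cloud Run resource, `pull_roles_for_member` takes any member string, so the same check can be run for a deploy service account or a user.

```python
"""Audit a `gcloud projects get-iam-policy --format=json` dump of a shared
Artifact Registry ("tools") project and list client projects whose Cloud Run
service agent holds no role that can pull images from it.

Added example for this issue; not code from bcgov/bcregistry-sre. Role names,
permission lists and bindings in the sample below are constructed.
"""
from __future__ import annotations

import json

# Permission a principal needs to pull an image from Artifact Registry.
PULL_PERMISSION = "artifactregistry.repositories.downloadArtifacts"

# Predefined roles carrying PULL_PERMISSION: the reader role the notice names,
# its Artifact Registry supersets, and the basic roles the notice exempts.
PREDEFINED_PULL_ROLES = {
    "roles/artifactregistry.reader",
    "roles/artifactregistry.writer",
    "roles/artifactregistry.repoAdmin",
    "roles/artifactregistry.admin",
    "roles/owner",
    "roles/editor",
}

# Cloud Run service agent of a client project (assumption: the elided
# "...@serverless-robot-prod" accounts in the issue have this standard form).
SERVICE_AGENT = "serviceAccount:service-{number}@serverless-robot-prod.iam.gserviceaccount.com"


def roles_for_member(policy: dict, member: str) -> set[str]:
    """Roles bound to `member`, ignoring conditional bindings.

    A conditional binding may not apply at deploy time, so it is not counted;
    review those by hand instead of assuming they grant access.
    """
    return {
        b["role"]
        for b in policy.get("bindings", [])
        if member in b.get("members", []) and not b.get("condition")
    }


def grants_pull(role: str, custom_role_permissions: dict[str, set[str]]) -> bool:
    """True if `role` is known to include PULL_PERMISSION.

    `custom_role_permissions` maps a custom role name to its permission set
    (e.g. taken from `gcloud iam roles describe` or the repo's role YAML).
    """
    if role in PREDEFINED_PULL_ROLES:
        return True
    return PULL_PERMISSION in custom_role_permissions.get(role, set())


def pull_roles_for_member(policy: dict, member: str,
                          custom_role_permissions: dict[str, set[str]]) -> set[str]:
    """Subset of the member's unconditional roles that can pull images."""
    return {r for r in roles_for_member(policy, member)
            if grants_pull(r, custom_role_permissions)}


def projects_without_pull_access(projects: list[tuple[str, str]], policy: dict,
                                 custom_role_permissions: dict[str, set[str]]) -> list[str]:
    """Sorted project IDs whose Cloud Run service agent cannot pull images.

    `projects` holds (project_id, project_number) pairs as printed by
    `gcloud projects list`.
    """
    missing = []
    for project_id, number in projects:
        member = SERVICE_AGENT.format(number=number)
        if not pull_roles_for_member(policy, member, custom_role_permissions):
            missing.append(project_id)
    return sorted(missing)


# --- Constructed sample input (not the real c4hnrd-tools policy) ------------
CUSTOM_ROLE_PERMISSIONS = {
    "projects/c4hnrd-tools/roles/cdcloudrun": {PULL_PERMISSION,
                                               "artifactregistry.repositories.get"},
    "projects/c4hnrd-tools/roles/api": {PULL_PERMISSION},
    # Touches Artifact Registry but cannot pull: must not count as access.
    "projects/c4hnrd-tools/roles/arlist": {"artifactregistry.repositories.list"},
}

SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "projects/c4hnrd-tools/roles/cdcloudrun",
     "members": ["serviceAccount:service-475224072965@serverless-robot-prod.iam.gserviceaccount.com"]},
    {"role": "projects/c4hnrd-tools/roles/api",
     "members": ["serviceAccount:service-366678529892@serverless-robot-prod.iam.gserviceaccount.com"]},
    {"role": "projects/c4hnrd-tools/roles/arlist",
     "members": ["serviceAccount:service-74091792216@serverless-robot-prod.iam.gserviceaccount.com"]},
    {"role": "roles/artifactregistry.reader",
     "members": ["serviceAccount:service-952634948388@serverless-robot-prod.iam.gserviceaccount.com"],
     "condition": {"title": "expired", "expression": "request.time < timestamp('2024-01-01T00:00:00Z')"}}
  ],
  "etag": "BwX0000000=",
  "version": 3
}""")

SAMPLE_PROJECTS = [
    ("a083gt-dev", "475224072965"),
    ("c4hnrd-dev", "366678529892"),
    ("yfjq17-test", "74091792216"),
    ("k973yf-dev", "952634948388"),
]

if __name__ == "__main__":
    # Real use: policy = json.load(open("iam-policy.json")) and the project
    # list from `gcloud projects list`. Flagged projects get the issue's "*".
    for pid in projects_without_pull_access(SAMPLE_PROJECTS, SAMPLE_POLICY, CUSTOM_ROLE_PERMISSIONS):
        print(f"* {pid}")
```

With the sample data, `yfjq17-test` is flagged because its only role lacks `downloadArtifacts`, and `k973yf-dev` is flagged because its reader grant is conditional and therefore not trusted by the check; a flagged project is the one to redeploy and then query with the "User does not have access to image" filter quoted in this issue.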