wundergraph / cosmo

The open-source solution to building, maintaining, and collaborating on GraphQL Federation at Scale. The alternative to Apollo Studio and GraphOS.
https://cosmo-docs.wundergraph.com/
Apache License 2.0

[BUG] : IAM user with privileged roles at project level #1174

Closed priyanshukumar397 closed 1 month ago

priyanshukumar397 commented 1 month ago

Component(s)

router

Component version

latest

wgc version

latest

controlplane version

latest

router version

latest

What happened?

Detailed paths

Introduced through: resource › google_project_iam_member[cosmo-service-account-permissions]


# Binding flagged by the scanner: roles/iam.serviceAccountUser granted at project scope
resource "google_project_iam_member" "cosmo-service-account-permissions" {
  role    = "roles/iam.serviceAccountUser"
  project = var.project
  # member is the cosmo service account itself
  member  = "serviceAccount:${google_service_account.cosmo-sa.email}"
}

https://github.com/cosmo/blob/main/infrastructure/router/modules/google-cloudrun/iam.tf

This issue is...

IAM user has Service Account User or Service Account Token Creator role assigned at project level.

The impact of this is...

Users can impersonate service accounts and abuse the elevated permissions.

You can resolve it by...

Remove roles/iam.serviceAccountUser and roles/iam.serviceAccountTokenCreator from project level bindings.

Environment information

No response

Router configuration

No response

Router execution config

No response

Log output

No response

Additional context

No response
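The following is an added example, not code from the issue or from the cosmo repository, contrasting the project-scoped binding the scanner flagged with the same role granted on a single service account resource; `google_service_account.deployer` and its `account_id` are assumptions, while `var.project` and `google_service_account.cosmo-sa` come from the report above.

```hcl
# Added example; not from the cosmo repository. The "deployer" service
# account is an assumed principal that needs to act as cosmo-sa only.

# Flagged pattern: the role is bound at PROJECT scope, so the member may
# act as (impersonate) every service account in the project, not just
# the one it needs.
resource "google_project_iam_member" "project_wide_act_as" {
  project = var.project
  role    = "roles/iam.serviceAccountUser"
  member  = "serviceAccount:${google_service_account.cosmo-sa.email}"
}

# Assumed principal that deploys the router and must act as cosmo-sa.
resource "google_service_account" "deployer" {
  account_id   = "cosmo-deployer" # assumed name
  display_name = "Cosmo deployer (assumed)"
}

# Least-privilege alternative: the same role bound on ONE service account
# resource. The member can act only as cosmo-sa; no other service account
# in the project is reachable through this binding. Granting
# roles/iam.serviceAccountTokenCreator would be scoped the same way.
resource "google_service_account_iam_member" "act_as_single_sa" {
  service_account_id = google_service_account.cosmo-sa.name
  role               = "roles/iam.serviceAccountUser"
  member             = "serviceAccount:${google_service_account.deployer.email}"
}
```

The resource-level form is what to reach for when the scanner finding is valid for a given deployment; where a project-wide grant really is required, the project-level binding should at least be reviewed so its member list stays as small as possible.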

github-actions[bot] commented 1 month ago

WunderGraph commits fully to Open Source and we want to make sure that we can help you as fast as possible. The roadmap is driven by our customers and we have to prioritize issues that are important to them. You can influence the priority by becoming a customer. Please contact us here.

AndreasZeissner commented 1 month ago

Hi @priyanshukumar397,

Thanks for opening an issue.

This is necessary for Cloud Run to work properly in this scenario and is not a security concern.

It follows the official docs; please have a look at https://cloud.google.com/run/docs/configuring/services/service-identity

priyanshukumar397 commented 1 month ago

Ok, thanks for pointing it out :)