This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Document AI API security

Posted on 01-27-2025 04:14 PM
kkaspszak
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

We have been using document AI for about a year now doing model development and learning the ins and outs of how these models work. 

Currently we are doing a security review as we are about to go to production prototyping. 

There was a reported security issue that when running the models, the models were NOT run with the privileges of the initiator, but rather a google service account with excess privileges.   I cannot find any additional information on if this has been changed. 

Do the models run using the callers privileges or an internal google service account with excessive privileges?  

0 2 339
Topic Labels
0 Likes
2 REPLIES 2

Posted on --/--/---- --:-- AM
ibaui
Staff
Reply posted on --/--/---- --:-- AM

Hi @kkaspszak,

Welcome to Google Cloud Community!

This is an important security concern, and it’s great that you're addressing it before going into production. You’re right to be cautious about a situation where your Document AI models are run with a Google service account that has excessive privileges. This is a valid concern that needs to be clarified, as it could pose a major security risk and violate the principle of least privilege.

Document AI is designed to use the credentials of the caller who initiated the document processing, which should be an end user or a service account specifically for your application.

Here’s a breakdown of possible approaches to ensure you’re not operating with excessive privileges:

Specific Identity Configuration:

  • Check Service Account: Ensure you are using a service account (or user) for Document AI API calls in your application that has the least privilege necessary.

Monitor Permissions:

  • IAM Roles: Thoroughly review the IAM roles granted to the service accounts and users you are using. You can also refer to the best practices when using IAM.

Test:

  • Controlled Environments: Create a new service account with minimal permissions and verify if you can process a document using only this account. Set up isolated testing environments to ensure that only the least privilege is being used.

Contact Support:

  • Clarification: If you're still unsure, contact Google Cloud Support for clarification and assistance with configuration. Provide details about your setup and any findings from your security review.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.

0 Likes

Posted on --/--/---- --:-- AM
kkaspszak
Bronze 1
Bronze 1
In response to ibaui
Reply posted on --/--/---- --:-- AM
I think you misunderstood the question, or more likely I was clear.

We are running the API with a service account.



There were several articles I found that mentioned, behind the scenes
Google was using a Google Service account to perform certain actions and
that service account represented a security risk as it did not inherit the
security settings of the custom service account that initiated the call.



Has that been issue been resolved.



Here is a link to the article.
https://www.theregister.com/2024/09/17/google_cloud_document_ai_flaw/



Kevin Kaspszak COO

602.918.0021

<>
0 Likes