
How to prevent sidecar container from accessing service account?

I'm implementing a service with Cloud Run that requires running untrusted code. More specifically, I need to build arbitrary user-provided Java projects. I plan to use a sidecar container as a security isolation boundary to run the build. However, I also need to upload the artifacts to Cloud Storage, so the ingestion container needs access to a service account.

The problem is, with the built-in settings in GCP console, I can only assign a service account to the entire service instead of the ingestion container only.

I have two workarounds:

  1. Do not assign any service account to the service running untrusted code at all. Instead, let the caller generate a signed URL for uploading artifacts, and pass that URL to the service when calling it.
  2. Manually create a service account and pass the service account JSON file to the ingestion container only.

Both approaches do not seem very elegant and require extra management overhead. Specifically, the first approach loses idempotence because I also use Firestore to achieve idempotence. I wonder if there is already a better "official" solution, as "building arbitrary projects" should be a fairly common task.
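As an added illustration of the first workaround (not code from this thread or from Google): the caller, which holds the service account, mints a short-lived V4 signed PUT URL bound to a single object under a per-job prefix, and the build container uploads with a bare HTTPS PUT and no credentials at all. The bucket, job id, lifetime policy and the `google-cloud-storage` dependency are assumptions.

```python
"""Signed-URL handoff: the caller signs, the untrusted build container only PUTs."""
from datetime import timedelta
import posixpath
import urllib.request

MAX_URL_LIFETIME = timedelta(minutes=15)  # constructed policy value for this example


def artifact_object_name(job_id: str, filename: str) -> str:
    """Pin the upload to a per-job prefix so a hostile build cannot use the URL
    it was given to overwrite another job's artifacts."""
    if not job_id.isalnum():
        raise ValueError("job id must be alphanumeric")
    base = posixpath.basename(filename)
    if base in ("", ".", "..") or base != filename:
        raise ValueError("filename must be a bare name with no path components")
    return f"builds/{job_id}/{base}"


def signed_upload_url(bucket: str, object_name: str, content_type: str,
                      lifetime: timedelta = timedelta(minutes=10)) -> str:
    """Caller side (has the service account). Never runs in the build sidecar.
    google-cloud-storage is imported lazily so the rest of the module works
    without it; on a runtime without a private key, pass service_account_email
    and access_token so signing goes through the IAM signBlob API."""
    if lifetime > MAX_URL_LIFETIME:
        raise ValueError("signed URL lifetime exceeds policy")
    from google.cloud import storage  # assumption: library installed in the caller
    blob = storage.Client().bucket(bucket).blob(object_name)
    # Bound to one object, one method and one Content-Type; expires on its own.
    return blob.generate_signed_url(version="v4", expiration=lifetime,
                                    method="PUT", content_type=content_type)


def build_upload_request(url: str, data: bytes, content_type: str) -> urllib.request.Request:
    """Build-container side: a plain PUT carrying the same Content-Type the URL
    was signed for. No SDK, no token, nothing for the untrusted code to exfiltrate."""
    return urllib.request.Request(url, data=data, method="PUT",
                                  headers={"Content-Type": content_type})


def upload_artifact(url: str, data: bytes, content_type: str) -> int:
    """Perform the upload and return the HTTP status (200 on success)."""
    with urllib.request.urlopen(build_upload_request(url, data, content_type)) as resp:
        return resp.status
```

Because the URL is tied to one object name chosen by the caller, the build container can complete the upload but cannot list, read or overwrite anything else in the bucket.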


matthewnichols
Community Manager

Hi, thank you for your post and questions. It sounds like your question is more of a Google Cloud Products question. I would suggest checking out the Google Cloud Community page and asking your question there. Hope you are able to find the answers you're looking for. 

I'm not sure what you see on your side, but I did search with the keyword "sidecar service account" on the page you linked with no luck, and I posted this question on the "www.googlecloudcommunity.com" website. Maybe I have chosen the wrong topic/tag?

matthewnichols
Community Manager

This post on Google Cloud Community might help provide some answers for you: https://www.googlecloudcommunity.com/gc/Serverless/Authentication-between-API-Gateway-and-Cloud-run/...

Thanks for the reference! Unfortunately, my scenario has nothing to do with API Gateway or the authentication setup between the gateway and the service. IAM isn't fine-grained enough in my case, as the service account is either available to all containers in a service or to none, if the service account is assigned to the service via the built-in service settings.