I'm currently investigating the implementation of the monitoring of our web app using Synthetic monitors.
During testing, I noticed that I couldn't 1) attach a service account due to 'iam.serviceAccounts.actAs' on the service account and 2) add a new function due to roles/iam.serviceAccountUser for the caller on the service account.
To set these up, we need to grant certain roles that I've been told are too elevated to permit to developers due to our security policy. It would be great if someone with more knowledge could tell me why the service account needs roles/editor and the actAs. Does this allow people to run commands as admin and take down services, by impersonating the service account? Being able to add the cloud functions specifically seems like something a common developer should be able to accomplish in their day-to-day without involving some sysadmin person to do the final commands to do an upload.
It would be great if someone with more extensive knowledge of GCP permissions could give me some background on if this is a valid concern, or if there is a way to do this more securely.
Thank you in advance.
Hi @d-ohuig,
Welcome to Google Cloud Community!
Deploying Cloud Functions still requires authentication using a service account, which is why these permissions are necessary. Given that the editor role doesn't satisfy the principle of least privilege, it needs to be accurately scoped to prevent undue iam.serviceAccounts.actAs privilege expansion.
Here are some more secure suggestions:
This will help you deploy Cloud Functions without having to go through admins repeatedly while still having reasonable security policies.
Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
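The scoping the answer above refers to can be made concrete as resource-level IAM bindings. The script below is an added example, not code from the original thread or from Google; it assumes the documented minimum for deploying a function, namely roles/cloudfunctions.developer on the project plus roles/iam.serviceAccountUser granted on the one runtime service account (which is what satisfies the iam.serviceAccounts.actAs check at deploy time), so the developer never holds roles/editor or a project-wide ability to act as every service account. Project id, region, member and service-account names are constructed placeholders; commands are printed by default and only executed when DRY_RUN=0.

```shell
#!/usr/bin/env sh
# Added example (not from the original thread): resource-scoped IAM bindings
# that let a developer deploy a Cloud Function as ONE runtime service account
# without roles/editor. All names below are constructed placeholders.
set -eu

PROJECT_ID="${PROJECT_ID:-example-project}"
REGION="${REGION:-us-central1}"
DEV_MEMBER="${DEV_MEMBER:-user:dev@example.com}"
RUNTIME_SA="${RUNTIME_SA:-fn-runtime@example-project.iam.gserviceaccount.com}"

# DRY_RUN=1 (default) prints each command for review; DRY_RUN=0 executes it.
DRY_RUN="${DRY_RUN:-1}"
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Let the developer act as this one runtime service account. The binding
#    is placed on the service account itself, not on the project, so it does
#    not extend to any other service account.
grant_act_as() {
  run gcloud iam service-accounts add-iam-policy-binding "$RUNTIME_SA" \
    --project="$PROJECT_ID" \
    --member="$DEV_MEMBER" \
    --role="roles/iam.serviceAccountUser"
}

# 2. Let the developer create and update functions, and nothing else in the
#    project (replaces roles/editor for this workflow).
grant_functions_developer() {
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="$DEV_MEMBER" \
    --role="roles/cloudfunctions.developer"
}

# 3. Deploy pinned to the runtime service account. A caller without the
#    binding from step 1 on that account fails the actAs check here.
deploy_function() {
  name="$1"
  source_dir="$2"
  run gcloud functions deploy "$name" \
    --project="$PROJECT_ID" --region="$REGION" \
    --runtime=python312 --trigger-http \
    --source="$source_dir" \
    --service-account="$RUNTIME_SA"
}

# 4. Review who may act as the runtime service account; the developer should
#    appear here and the list should stay short.
audit_act_as() {
  run gcloud iam service-accounts get-iam-policy "$RUNTIME_SA" \
    --project="$PROJECT_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.role:roles/iam.serviceAccountUser" \
    --format="value(bindings.members)"
}

main() {
  grant_act_as
  grant_functions_developer
  deploy_function "uptime-probe" "./functions/uptime-probe"
  audit_act_as
}

main
```

With the default dry run the script only prints the four gcloud commands, which makes it easy to attach them to a change request for the team that owns the security policy; the two grant steps are what an administrator applies once, after which the developer can repeat the deploy step on their own. Whether additional roles (for example for the build service used by 2nd-gen functions) are needed depends on the project setup and is not covered here.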