IAM- Container Registry Service Agent Role
What happens when you enable the Container Registry API? How it performs its service duties on your project? Ever seen “ service-[PROJECT_NUMBER]@containerregistry.iam.gserviceaccount.com” service account appearing in security findings of scanning tool and wondered where to find it?
What are Service Agents?
Some Google Cloud services have Google-Managed service accounts that allow the services to access your resources. These service accounts are sometimes known as Service Agents.
Container Registry Service Account
Container Registry service account is one such service agent used by the Container Registry to interact with the Google Cloud services. It is not visible in the cloud console IAM section. For locating such service accounts and verifying privileges below command can be executed in cloud shell.
gcloud projects get-iam-policy PROJECT-ID \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:service-PROJECT-NUMBER@containerregistry.iam.gserviceaccount.com"Where PROJECT-ID is the Google Cloud project ID and PROJECT-NUMBER is Google Cloud project number.
Container Registry Service Agent Role
Earlier before October 2020, the Container Registry service account was granted the Editor role. Nowadays to enforce the security principle of least privilege, this service account is granted the Container Registry Service Agent Role in projects. This role has following permissions to perform its operations.
- Publish topics:
pubsub.topics.publish - Read storage object ACLs:
storage.objects.getIamPolicy - Read storage object data and metadata:
storage.objects.get - List storage objects in a bucket and read object metadata:
storage.objects.list
If your Container Registry service account is created before 5th October 2020, it will still be having Editor role which you can restrict the following below commands.
Granting the Container Registry Service Agent role-
gcloud projects add-iam-policy-binding PROJECT-ID \
--member=serviceAccount:service-PROJECT-NUMBER@containerregistry.iam.gserviceaccount.com --role=roles/containerregistry.ServiceAgentRevoking the Editor role-
gcloud projects remove-iam-policy-binding PROJECT-ID \
--member=serviceAccount:service-PROJECT-NUMBER@containerregistry.iam.gserviceaccount.com --role=roles/editorLeave a comment below for any questions. Happy reading !!
https://www.amazon.com/Hands-Penetration-Testing-Web-Applications-ebook/dp/B0917Q2LR8
