Key Takeaways
- →Misconfigured IAM policies on Cloud Run services, such as `roles/run.invoker` granted to `allUsers`, can lead to unauthorized function execution.
- →Application-level authorization flaws, where internal API endpoints like `/admin` lack proper checks, expose sensitive functionality even with correct IAM.
- →runred.ai identifies these issues by correlating application code logic with live GCP IAM policies and service account permissions.
Common Broken Access Control Vectors in Cloud Run
OWASP A01:2021 Broken Access Control remains a pervasive and critical vulnerability, particularly within distributed architectures like Cloud Run microservices. In such environments, a single misconfiguration can propagate, granting unauthorized access across interconnected services or to sensitive data. runred.ai connects application source code with live GCP infrastructure context to discover vulnerabilities with contextual severity scoring, automatically generate integration tests, and generate immutable audit evidence. For Cloud Run, this means identifying where application logic fails to enforce authorization, or where IAM policies are overly permissive, leading to potential data exfiltration or unauthorized command execution. Common vectors for broken access control in Cloud Run often stem from a disconnect between application-level authorization and GCP IAM policies. For instance, a Cloud Run service might be designed for internal use, but if its `roles/run.invoker` binding is set to `allUsers` or `allAuthenticatedUsers`, it becomes publicly accessible. If this service then exposes an internal `/admin` endpoint without robust application-level role checks, an attacker can invoke it directly. Similarly, a service account assigned to a Cloud Run revision might possess excessive permissions, such as `roles/editor` or `roles/storage.admin`, when only `roles/storage.objectViewer` is required for a specific bucket. This over-privileging creates a critical lateral movement path if the service itself is compromised or has an application-level flaw. Consider a scenario where a Cloud Run service, `data-processor`, is intended to be invoked only by another internal service, `data-ingestor`. If `data-processor`'s IAM policy allows `allUsers` to invoke it, and its internal `/process` endpoint handles sensitive customer data without verifying the caller's identity or authorization claims, an attacker could directly invoke `data-processor` and potentially exfiltrate data. This represents a CVSS 9.8 Critical vulnerability if the data is highly sensitive and the endpoint lacks any authentication.Implementing Robust Access Controls for Cloud Run Microservices OWASP
Effective access control for Cloud Run microservices requires a layered approach, combining granular GCP IAM policies with rigorous application-level authorization. To mitigate OWASP A01 risks, engineering teams must ensure that both infrastructure and application layers enforce the principle of least privilege. At the GCP IAM layer:- Restrict Invocation: Grant `roles/run.invoker` only to specific service accounts, Google Groups, or authenticated users that require access. Avoid `allUsers` or `allAuthenticatedUsers` for services not intended for public consumption. For example, to allow a specific service account to invoke a Cloud Run service:
gcloud run services add-iam-policy-binding SERVICE_NAME \ --member="serviceAccount:SERVICE_ACCOUNT_EMAIL" \ --role="roles/run.invoker" \ --region=REGION - Least Privilege Service Accounts: Assign Cloud Run revisions service accounts with the absolute minimum necessary permissions. If a service only needs to read from a Cloud Storage bucket, grant `roles/storage.objectViewer` to that specific bucket, not `roles/storage.admin` or `roles/editor` at the project level.
- Workload Identity: For services running on GKE that need to invoke Cloud Run, use Workload Identity to bind Kubernetes service accounts to GCP service accounts, ensuring secure, auditable communication without long-lived keys.
- Validate Identity Tokens: For service-to-service communication, ensure your Cloud Run services validate the `id_token` provided in the `Authorization: Bearer` header. This token contains claims about the caller's identity (e.g., `email`, `aud`) which can be used for authorization decisions.
- Role-Based Access Control (RBAC): Implement RBAC within your application code to ensure users or services can only perform actions permitted by their assigned roles. For instance, an `/admin` endpoint should verify that the caller has an `admin` role before processing the request, even if the request is authenticated.
- Resource-Based Authorization: Ensure that users can only access or modify resources they own or are explicitly authorized for. A common flaw is allowing any authenticated user to modify any resource ID passed in the URL (e.g., `/api/v1/users/{id}`).
- API Gateways: Utilize GCP's API Gateway, Cloud Endpoints, or Apigee X to centralize authentication, authorization, and rate limiting before requests reach your Cloud Run microservices. This provides an additional layer of control and reduces the burden on individual services.
Automated Detection and Remediation with runred.ai
Manually auditing every Cloud Run service's IAM policy and reviewing application code for access control flaws is resource-intensive and prone to human error. runred.ai automates this process by continuously analyzing your application source code alongside your live GCP infrastructure context. For example, runred.ai can identify a Cloud Run service whose source code contains an `/admin` endpoint that lacks explicit role checks, while simultaneously detecting that its associated IAM policy grants `roles/run.invoker` to `allAuthenticatedUsers`. This correlation immediately flags a high-severity OWASP A01 vulnerability. Upon discovery, runred.ai automatically generates an integration test. This test first confirms the exploit, for instance, by attempting to invoke the `/admin` endpoint with a valid but unauthorized identity token. It then verifies that a proposed patch (e.g., adding an RBAC check in the application code or tightening the IAM policy) successfully closes the vulnerability. All findings, exploit confirmations, and patch verifications are logged as immutable audit evidence directly to Cloud Logging, streamlining compliance for frameworks like NIS2, SOC2 Type II, and ISO 27001. This ensures that your engineering teams can focus on building features, confident that critical access control vulnerabilities are being continuously monitored and remediated.Frequently Asked Questions
How does runred.ai differentiate between intended public access and a broken access control vulnerability for Cloud Run services?
runred.ai correlates the Cloud Run service's IAM policy with its application code. If a service has `roles/run.invoker` set to `allUsers` but its code contains sensitive endpoints (e.g., `/admin`, `/internal-metrics`) lacking application-level authorization, it's flagged. If the service is explicitly designed as a public API with robust internal authorization, it's not flagged as a broken access control issue.
Can runred.ai detect broken object-level authorization (BOLA) in Cloud Run APIs?
Yes, runred.ai analyzes application source code for common BOLA patterns, such as direct object references (e.g., `GET /api/v1/orders/{order_id}`) without corresponding checks to ensure the authenticated user is authorized to access that specific `order_id`. This is then correlated with the live Cloud Run deployment context.
What specific GCP IAM permissions does runred.ai require to perform its analysis on Cloud Run?
runred.ai requires read-only permissions to inspect Cloud Run service configurations, associated service accounts, and their IAM policies (e.g., `run.services.get`, `iam.serviceAccounts.getIamPolicy`). It also needs access to relevant source code repositories to perform its static and dynamic analysis.