Permission escalation works by granting the caller a time-limited membership of a role the user is normally not a member of. The cloud function must be secured so that it is only invokable from inside the VPC. Only explicitly whitelisted groups have permission to call the cloud function; this is controlled by IAM. This assumes you are running in GCP.
Create a service account for the cloud function with the lowest possible permissions that still allow it to grant a role to a user, e.g. Project IAM Admin.
Create a service account for the cloud function deployment with the lowest possible permissions. The role roles/cloudfunctions.admin is required because the permission cloudfunctions.functions.setIamPolicy is needed.
All callers of this function must be explicitly granted permission to invoke it. For example:
gcloud functions add-iam-policy-binding escalate-permissions --member='user:[email protected]' --role='roles/cloudfunctions.invoker' --region us-central1
Callers of the function must provide a valid identity token (a JWT) to authenticate themselves. For example, in my-project (the header must be double-quoted so the shell expands the token):
curl 'https://us-central1-my-project.cloudfunctions.net/escalate-permissions' --header "Authorization: bearer $(gcloud auth print-identity-token)" -I -s
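One way to realise the time-limited membership is an IAM Conditions expiry on the granted binding. The following is an added example, not the project's code: the role allow-list, the 8-hour cap, the user-only member check and the sample policy are constructed assumptions, and it builds the new policy offline instead of calling getIamPolicy/setIamPolicy.

```python
import copy
from datetime import datetime, timedelta, timezone

# Constructed allow-list for this example: the only roles the function will hand out,
# even though its own service account (Project IAM Admin) could grant others.
GRANTABLE_ROLES = {"roles/viewer", "roles/logging.viewer"}
MAX_TTL = timedelta(hours=8)

def build_expiry_condition(expires_at: datetime, title: str) -> dict:
    """IAM condition that makes a binding inert once request.time passes expires_at."""
    # IAM conditions take RFC 3339 UTC timestamps and need a version-3 policy.
    stamp = expires_at.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"title": title,
            "description": "Time-limited membership granted by escalate-permissions",
            "expression": f'request.time < timestamp("{stamp}")'}

def add_temporary_binding(policy: dict, member: str, role: str,
                          now: datetime, ttl: timedelta) -> dict:
    """Return a copy of `policy` (projects.getIamPolicy, requestedPolicyVersion=3)
    with a conditional binding for `member` on `role`. Writing it back with
    setIamPolicy, retrying on an etag mismatch, is left to the caller."""
    if role not in GRANTABLE_ROLES:
        raise PermissionError(f"{role} is not grantable by this function")
    if not member.startswith("user:"):
        raise ValueError("only user: members receive temporary bindings")
    if not timedelta(0) < ttl <= MAX_TTL:
        raise ValueError(f"ttl must be positive and at most {MAX_TTL}")
    condition = build_expiry_condition(now + ttl, f"escalate-permissions {member}")
    new_policy = copy.deepcopy(policy)
    new_policy["version"] = 3  # required for bindings that carry a condition
    # Append a separate conditional binding; adding the member to an existing
    # unconditional binding for the role would make the grant permanent.
    new_policy.setdefault("bindings", []).append(
        {"role": role, "members": [member], "condition": condition})
    return new_policy

def grant_example() -> dict:
    """Constructed policy and request, so the flow can be exercised without GCP."""
    policy = {"version": 1, "etag": "BwXexample",
              "bindings": [{"role": "roles/owner", "members": ["user:admin@example.com"]}]}
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    return add_temporary_binding(policy, "user:alice@example.com", "roles/viewer",
                                 now, timedelta(hours=2))
```

Because the expiry lives in the binding itself, the grant lapses even if the function is never called again to revoke it.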
We encourage and support an active, healthy community of contributors — including you! Details are in the contribution guide and the code of conduct. The escalate-permissions maintainers keep an eye on issues and pull requests, but you can also report any negative conduct to [email protected].
Apache 2.0, see LICENSE.md.