Profile Applicability:
Level 1
Description:
Google Cloud Functions provide a serverless environment for running code in response to events. Environment variables are a convenient place to hold configuration, but any value placed there is visible in plaintext to everyone who can read the function's configuration (for example in the Cloud console or through gcloud functions describe), and it is recorded in every deployed revision. Authentication credentials, API keys and similar secrets should therefore be kept in Secret Manager and fetched or mounted at runtime instead of being set as environment variables.
Rationale:
Storing secrets in environment variables poses the following risks:
Plaintext exposure: Environment variables are returned in clear text by the Cloud Functions API, the console and the CLI, and remain in the configuration of every deployment revision.
Broad accessibility: Anyone with permission to view the function's configuration (not only those who can change it) can read the secrets, and the values are easily copied into logs, tickets or infrastructure-as-code files.
Secret Manager addresses these risks by:
Encrypting secrets at rest and in transit.
Providing granular access controls for managing who can view or access secrets.
Logging access requests for better auditing and monitoring.
Impact:
Cost: Secret Manager is billed per active secret version and per 10,000 access operations; a free tier covers a small number of active secret versions and the first 10,000 access operations per month, so the cost for a handful of secrets is minor. Caching the secret in the function instance rather than reading it on every invocation keeps request volume low.
Functionality: Moving a function to Secret Manager changes its deployment: the function's runtime service account must be granted access to each secret before the new code or secret mount is deployed, otherwise invocations fail with a permission error. Plan the change so that the secret exists and the IAM binding is in place before the environment variable is removed.
Default Value:
By default, the Secret Manager API is not enabled in a new project, and Cloud Functions do not use Secret Manager for sensitive data; any value set as an environment variable is stored as given.
Audit Steps:
Check for Secrets in Environment Variables:
Using Google Cloud Console:
Go to Cloud Functions in the Google Cloud console.
Select a function name from the list.
Open the Variables tab to review the build environment variables (buildEnvironmentVariables) and the runtime environment variables (environmentVariables).
Check for sensitive information stored as environment variables: passwords, API keys, tokens, private keys, connection strings that embed credentials, and any long random-looking value.
Repeat for all Cloud Functions in the project.
Using Google Cloud CLI:
List all Cloud Functions:
gcloud functions list
Describe each function to review its environment variables (the region is required for unambiguous lookup; 1st gen functions list environmentVariables and buildEnvironmentVariables at the top level, 2nd gen functions under serviceConfig.environmentVariables and buildConfig.environmentVariables):
gcloud functions describe <FUNCTION_NAME> --region <REGION> --format=yaml
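Reviewing describe output by hand does not scale past a few functions. The script below is an added example, not part of the original benchmark text: it takes the JSON form of the same data (gcloud functions list --format=json, or a single describe --format=json) and flags variables whose name suggests a credential, whose value matches a known key shape, or whose value is long and high-entropy. It handles both the 1st gen and 2nd gen resource layouts. The project name, function names, variable values, the name-fragment list and the entropy threshold are all assumptions for the example; a constructed sample document is embedded so it runs offline.

```python
import json
import math
import re
from collections import Counter

# Variable names that commonly label credentials. Assumption: this list is a
# starting point; extend it for your own naming conventions.
SENSITIVE_NAME = re.compile(
    r"PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL|AUTH", re.I)

# Value shapes that are credentials regardless of what the variable is called.
SENSITIVE_VALUE = [
    re.compile(r"^AIza[0-9A-Za-z_-]{35}$"),               # Google API key
    re.compile(r"^AKIA[0-9A-Z]{16}$"),                    # AWS access key id
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),    # PEM private key
    re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\."),  # JWT
]
ENTROPY_MIN_LEN = 20
ENTROPY_THRESHOLD = 4.0  # bits per character; random tokens sit well above this


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def env_vars(fn):
    """Return {'runtime': {...}, 'build': {...}} for one function resource.

    1st gen exposes environmentVariables / buildEnvironmentVariables at the top
    level; 2nd gen nests them under serviceConfig / buildConfig.
    """
    runtime = (fn.get("environmentVariables")
               or fn.get("serviceConfig", {}).get("environmentVariables") or {})
    build = (fn.get("buildEnvironmentVariables")
             or fn.get("buildConfig", {}).get("environmentVariables") or {})
    return {"runtime": dict(runtime), "build": dict(build)}


def classify(name, value):
    """Reasons a variable looks like a secret; an empty list means it looks benign."""
    reasons = []
    if SENSITIVE_NAME.search(name):
        reasons.append("name")
    if any(p.search(value) for p in SENSITIVE_VALUE):
        reasons.append("value-pattern")
    if (len(value) >= ENTROPY_MIN_LEN and " " not in value
            and shannon_entropy(value) > ENTROPY_THRESHOLD):
        reasons.append("high-entropy")
    return reasons


def find_secrets(functions):
    """Scan a list of function resources (gcloud --format=json output)."""
    findings = []
    for fn in functions:
        for scope, variables in env_vars(fn).items():
            for name, value in variables.items():
                reasons = classify(name, str(value))
                if reasons:
                    findings.append({"function": fn["name"], "scope": scope,
                                     "variable": name, "reasons": reasons})
    return findings


# Constructed sample standing in for `gcloud functions list --format=json`;
# the project, function names and values are made up for this example.
SAMPLE = json.loads("""[
  {"name": "projects/demo-project/locations/us-central1/functions/gen1-fn",
   "environmentVariables": {"LOG_LEVEL": "info", "DB_PASSWORD": "hunter2"},
   "buildEnvironmentVariables": {"NPM_TOKEN": "npm_AbCdEf0123456789AbCdEf0123456789AbCd"}},
  {"name": "projects/demo-project/locations/us-central1/functions/gen2-fn",
   "serviceConfig": {"environmentVariables": {"REGION": "us-central1",
                                              "MAPS": "AIzaSyA123456789abcdefghijklmnopqrstuvw"}},
   "buildConfig": {"environmentVariables": {}}}
]""")

if __name__ == "__main__":
    # Real data: gcloud functions list --format=json | python3 audit_env_vars.py
    # (audit_env_vars.py is a hypothetical file name for this script.)
    import sys
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for f in find_secrets(data):
        # Only the variable name and the reason are printed, never the value.
        print(f"{f['function']} [{f['scope']}] {f['variable']}: {', '.join(f['reasons'])}")
```

The report deliberately omits values so that running the audit does not itself copy secrets into a terminal scrollback or CI log. Name matching alone misses variables with innocuous names such as MAPS in the sample, which is why the value-shape and entropy checks are there; expect a few false positives from the entropy rule on long identifiers and review them by hand.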
Check if Secret Manager API is Enabled:
Using Google Cloud Console:
Go to APIs & Services > Enabled APIs & Services in the Google Cloud console.
Search for Secret Manager API.
Verify whether the API is enabled.
Using Google Cloud CLI:
List the enabled APIs, filtered to Secret Manager:
gcloud services list --enabled --filter="config.name:secretmanager.googleapis.com"
Confirm that secretmanager.googleapis.com appears in the output; an empty result means the API is not enabled in the project.
Remediation Steps:
Enable Secret Manager API:
Using Google Cloud Console:
Navigate to APIs & Services > Enabled APIs & Services in the Google Cloud console.
Search for Secret Manager API and click Enable.
Using Google Cloud CLI:
Enable Secret Manager API:
gcloud services enable secretmanager.googleapis.com
Migrate Secrets to Secret Manager:
Using Google Cloud Console:
Go to the Secret Manager page in the Google Cloud console.
Click Create Secret.
Enter the Name of the secret and the Secret value (current environment variable value).
Click Create Secret.
Repeat for all sensitive environment variables.
Using Google Cloud CLI:
Create a secret from a file holding the value (delete the file afterwards, or read the value from standard input with --data-file=- so that it never touches disk; avoid echo, which appends a newline to the stored value):
gcloud secrets create <SECRET_NAME> --replication-policy="automatic" --data-file="/path/to/file.txt"
Grant Cloud Function Access to Secrets:
Using Google Cloud Console:
Navigate to Secret Manager and select the secret.
Click Add Principal in the Info Panel.
Add the Service Account used by the Cloud Function.
Assign the role Secret Manager Secret Accessor.
Save changes.
Using Google Cloud CLI:
Add access for the service account:
gcloud secrets add-iam-policy-binding <SECRET_NAME> \
--member="serviceAccount:<SERVICE_ACCOUNT>" \
--role="roles/secretmanager.secretAccessor"
Modify Cloud Function Code to Use Secrets:
Use language-specific methods to fetch secrets at runtime, and pass only the secret's resource name (projects/<PROJECT>/secrets/<SECRET_NAME>/versions/<VERSION>), which is not sensitive, through configuration. For example:
Python: Use the Google Cloud client library for Secret Manager (google-cloud-secret-manager) and cache the value in the instance so that the API is not called on every invocation.
Refer to the Secret Manager documentation for other languages.
Alternatively, Cloud Functions can mount a Secret Manager secret directly as an environment variable or as a file at deploy time (the --set-secrets flag of gcloud functions deploy, or Secrets in the console's security settings); the code then reads the variable or file as before, the value is never stored in the function configuration, and the same IAM binding on the secret is required.
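The following is an added example of the runtime-fetch approach for Python, not code from the original benchmark or from Google. It assumes google-cloud-secret-manager is listed in requirements.txt, that the function's runtime service account holds roles/secretmanager.secretAccessor on the secret, and that a hypothetical variable DB_PASSWORD_SECRET carries the secret's resource name (the project and secret names are placeholders). The client object is injectable so the logic can be exercised offline with a stub; the SDK is imported lazily for the same reason.

```python
import os
import time

# Hypothetical resource name used for illustration; in a real deployment set
# DB_PASSWORD_SECRET to the secret's resource path, which is not sensitive.
DEFAULT_SECRET_REF = "projects/my-project/secrets/db-password/versions/latest"

# One Secret Manager call per instance cold start (plus one per TTL window)
# rather than one per invocation: cheaper, faster, and a rotated version is
# still picked up without a redeploy when the ref points at "latest".
CACHE_TTL_SECONDS = 300
SECRET_CACHE = {}  # ref -> (value, fetched_at)


def secret_manager_client():
    """Build the real client. Imported lazily so the module loads without the SDK."""
    from google.cloud import secretmanager  # pip package: google-cloud-secret-manager
    return secretmanager.SecretManagerServiceClient()


def access_secret(ref, client=None):
    """Return the payload of a secret version as a str.

    `client` is injectable so the function can be exercised with a stub; the
    real client's call is access_secret_version(request={"name": ref}).
    """
    cached = SECRET_CACHE.get(ref)
    if cached and time.time() - cached[1] < CACHE_TTL_SECONDS:
        return cached[0]
    client = client or secret_manager_client()
    response = client.access_secret_version(request={"name": ref})
    value = response.payload.data.decode("utf-8")
    SECRET_CACHE[ref] = (value, time.time())
    return value


def db_password(client=None, ref=None):
    """Resolve the DB password from Secret Manager, never from the variable itself."""
    ref = ref or os.environ.get("DB_PASSWORD_SECRET", DEFAULT_SECRET_REF)
    if not ref.startswith("projects/"):
        # Fail closed: anything other than a resource path means someone put
        # the credential itself back into the environment.
        raise ValueError("DB_PASSWORD_SECRET must be a Secret Manager resource name")
    return access_secret(ref, client=client)


def handler(request):
    """HTTP entry point in the functions-framework signature."""
    password = db_password()
    # Open the database connection with `password` here; never log or return it.
    return ("ok", 200)
```

Two design points worth keeping even if the rest is adapted: the resource-name check turns a regression (someone setting the variable back to the raw password) into a hard failure instead of a silent exposure, and the TTL cache bounds both latency and Secret Manager request volume. Pin a specific version instead of latest when a rotation must be rolled out together with a code change.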
Remove Secrets from Environment Variables:
Using Google Cloud Console:
Go to Cloud Functions and select the function.
Click Edit and expand the runtime settings section.
Remove the sensitive entries under Runtime environment variables and, where applicable, Build environment variables.
Click Deploy to save changes.
Using Google Cloud CLI:
Redeploy the function without the sensitive variables (comma-separated variable names; use --remove-build-env-vars for build-time variables):
gcloud functions deploy <FUNCTION_NAME> --region <REGION> --remove-env-vars <KEY1,KEY2>
Removing a variable does not undo its prior exposure: the value remains readable in the configuration of earlier revisions and may have been copied by anyone who could view the function. Rotate the credential after migrating it, so that the copy in Secret Manager is the only valid one.