Cloud Functions/Run Unauthenticated
Description
Allowing unauthenticated invocation (allUsers invoker) exposes Cloud Functions or Cloud Run services publicly, enabling data leakage, abuse, or unintended execution. Additional risks include permissive ingress settings (ingress: all), missing authentication/authorization checks in code, and over‑privileged runtime service accounts.
Examples
Check IAM Policies
gcloud functions get-iam-policy <name> --region <region>
gcloud run services get-iam-policy <service> --region <region>
Look for allUsers (or allAuthenticatedUsers, which admits any Google account) bound to roles/run.invoker or roles/cloudfunctions.invoker. For 2nd gen functions the invoker binding lives on the underlying Cloud Run service, so check that service's policy as well.
Review ingress and identity
gcloud run services describe <service> --region <region> \
  --format='value(spec.template.spec.serviceAccountName, metadata.annotations, spec.template.metadata.annotations, status.traffic)'
The run.googleapis.com/ingress setting is a service-level annotation (metadata.annotations); the template annotations carry the VPC connector/egress settings. An empty serviceAccountName means the service runs as the default compute service account.
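The two checks above can be run over the JSON that gcloud emits with `--format=json`. The script below is an added example, not part of the original entry: it flags public invoker bindings in a get-iam-policy document and open ingress plus a default or unset runtime identity in a describe document. The sample policy and service documents embedded in it are constructed, as are the project and service names.

```python
# Added example: audit `gcloud ... get-iam-policy --format=json` and
# `gcloud run services describe --format=json` output for the three
# conditions this entry describes. Sample documents below are constructed.
import json
import re
import sys

# Principals that make a binding public: anyone (allUsers) or any Google
# account holder at all (allAuthenticatedUsers).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
INVOKER_ROLES = {"roles/run.invoker", "roles/cloudfunctions.invoker"}
# Ingress is a Service-level annotation, not a revision-template annotation.
INGRESS_ANNOTATION = "run.googleapis.com/ingress"
# Default identities: the Compute Engine default SA (also what an unset
# serviceAccountName resolves to) and the App Engine default SA.
DEFAULT_SA_RE = re.compile(
    r"^\d+-compute@developer\.gserviceaccount\.com$"
    r"|^[^@]+@appspot\.gserviceaccount\.com$"
)


def public_invokers(policy):
    """Return (member, role) pairs that grant invoke to a public principal."""
    hits = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in INVOKER_ROLES:
            continue
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                hits.append((member, role))
    return hits


def audit_iam_policy(policy):
    return [f"public invoker: {m} has {r}" for m, r in public_invokers(policy)]


def audit_service(service):
    """Flag open ingress and a default/unset runtime identity in a describe doc."""
    findings = []
    annotations = service.get("metadata", {}).get("annotations", {})
    ingress = annotations.get(INGRESS_ANNOTATION, "all")  # absent means "all"
    if ingress == "all":
        findings.append("ingress: all (reachable directly from the internet)")
    sa = (service.get("spec", {}).get("template", {}).get("spec", {})
          .get("serviceAccountName", ""))
    if not sa:
        findings.append("runtime identity: unset, so the default compute SA is used")
    elif DEFAULT_SA_RE.match(sa):
        findings.append(f"runtime identity: default service account {sa}")
    return findings


# Constructed sample documents (not real project data).
SAMPLE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/run.invoker", "members": ["allUsers"]},
        {"role": "roles/run.admin", "members": ["group:platform-ops@example.com"]},
    ],
}
SAMPLE_SERVICE = {
    "apiVersion": "serving.knative.dev/v1",
    "kind": "Service",
    "metadata": {"name": "orders-api", "annotations": {INGRESS_ANNOTATION: "all"}},
    "spec": {"template": {"spec": {
        "serviceAccountName": "123456789012-compute@developer.gserviceaccount.com"
    }}},
}
HARDENED_SERVICE = {
    "metadata": {"name": "orders-api",
                 "annotations": {INGRESS_ANNOTATION: "internal-and-cloud-load-balancing"}},
    "spec": {"template": {"spec": {
        "serviceAccountName": "orders-api@example-project.iam.gserviceaccount.com"
    }}},
}


def main(argv):
    # Usage: python audit.py policy.json service.json  (no args runs the samples)
    policy = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_POLICY
    service = json.load(open(argv[2])) if len(argv) > 2 else SAMPLE_SERVICE
    findings = audit_iam_policy(policy) + audit_service(service)
    for finding in findings:
        print("FINDING:", finding)
    return 1 if findings else 0  # non-zero exit lets CI fail on any finding


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Feed it the saved output of `gcloud run services get-iam-policy <service> --region <region> --format=json` and `gcloud run services describe <service> --region <region> --format=json`; a missing ingress annotation is treated as `all`, because that is the platform default.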
Remediation
- Remove public invoker; require authenticated principals and IAP.
- Use per‑service identities; validate auth in code; set ingress to internal/VPC when appropriate.
- Restrict egress and inputs; rate‑limit and log requests; consider Cloud Armor on external HTTPS LB in front of Cloud Run.
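The first two remediation bullets map onto a handful of gcloud calls. The script below is an added example, not the page's own tooling: given the public bindings, ingress setting and runtime identity found during review, it builds the `remove-iam-policy-binding` and `services update` commands that close them, prints them, and only executes them when asked. The service, region and service-account names are constructed placeholders.

```python
# Added example: turn review findings into the gcloud commands that fix them.
# Builds argv lists; prints by default, executes only with dry_run=False.
# Names used in the usage section are constructed placeholders.
import shlex
import subprocess


def remediation_plan(kind, name, region, public_bindings, ingress, service_account,
                     target_ingress="internal-and-cloud-load-balancing",
                     target_sa=None):
    """kind is "run" (Cloud Run service) or "functions" (Cloud Functions).
    public_bindings is a list of (member, role) pairs such as
    ("allUsers", "roles/run.invoker")."""
    base = ["gcloud", "run", "services"] if kind == "run" else ["gcloud", "functions"]
    cmds = []
    # 1. Drop every public invoker binding; allAuthenticatedUsers is not
    #    removed by --no-allow-unauthenticated, so it needs an explicit removal.
    for member, role in public_bindings:
        cmds.append(base + ["remove-iam-policy-binding", name, f"--region={region}",
                            f"--member={member}", f"--role={role}"])
    if kind == "run":
        # 2. One update: refuse unauthenticated calls, close ingress so only
        #    internal traffic and an external HTTPS LB (where Cloud Armor can
        #    sit) reach the service, and move it onto a dedicated identity.
        update = base + ["update", name, f"--region={region}",
                         "--no-allow-unauthenticated"]
        if ingress == "all":
            update.append(f"--ingress={target_ingress}")
        if target_sa and service_account != target_sa:
            update.append(f"--service-account={target_sa}")
        cmds.append(update)
    return cmds


def render(cmds):
    """Shell-quoted one-liners, for review before anything is executed."""
    return [" ".join(shlex.quote(a) for a in argv) for argv in cmds]


def apply_plan(cmds, dry_run=True):
    for line in render(cmds):
        print(line)
    if not dry_run:
        for argv in cmds:
            subprocess.run(argv, check=True)  # stop at the first failing gcloud call


if __name__ == "__main__":
    # Constructed example: the findings an audit of "orders-api" might yield.
    plan = remediation_plan(
        "run", "orders-api", "europe-west1",
        [("allUsers", "roles/run.invoker")], "all",
        "123456789012-compute@developer.gserviceaccount.com",
        target_sa="orders-api@example-project.iam.gserviceaccount.com",
    )
    apply_plan(plan)  # dry run: prints the commands only
```

`--ingress=internal-and-cloud-load-balancing` is the setting that keeps the service reachable through an external HTTPS load balancer, which is where the Cloud Armor policy from the last bullet attaches; use `--ingress=internal` when no external entry point is needed. The dedicated service account has to exist before the update is applied.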