services / Google Cloud / Cloud functions

Cloud functions is a serverless computing service. Functions are triggered in response to events and the code runs in an environment fully managed by Google.


Creating a cloud function requires permissions on the cloud functions runtime service account. Includes a vulnerability where the user can export service account credentials, but exploiting this vulnerability requires the user to already have iam.serviceAccounts.actAs on the target service account.



This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.


  • https:​/​/​cloud.​google.​com/​functions/​docs/​reference/​iam/​permissions
  • https:​/​/​cloud.​google.​com/​functions/​docs/​reference/​rest/​v2/​projects.​locations.​functions
  • https:​/​/​rhinosecuritylabs.​com/​gcp/​privilege-​escalation-​google-​cloud-​platform-​part-​1/​
  • https:​/​/​cloud.​google.​com/​functions/​docs/​calling
  • https:​/​/​cloud.​google.​com/​functions/​docs/​reference/​iam/​roles#​additional-​configuration
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog