Cloud Run/Build artifacts buckets are created with Fine Grained access policy by default
When using Cloud Run Jobs (I'd assume any service running Cloud Build under the hood as well), dedicated artifact buckets are created. Their naming is usually something like: us.artifacts.project.appspot.com. With directory /containers/images/ and files like sha256:<checksum>.
Is there a way to prevent such buckets from having Access Policy set as Fine Grained by default? Instead they should use Uniform, which is the one recommended. (ref1-cis_v120_5_2, ref2, ref3) Not only such access policy is hard to manage on a larger scale (in my case at least), but SCC is reporting findings on such buckets.
Most preferably I would like to set a flag on org or folder level making such Cloud Build Buckets be always created with Uniform access policy. I have not attempted to update the access policy manually (neither I've considered automated update) as this does not sound like an optimal solution to a problem which shouldn't exist in the first place. A very insecure workaround would be muting SCC alerts from category 'BUCKET_POLICY_ONLY_DISABLED' related to appspot.com buckets (if that field would even be accessible for muting rules)
You can enforce this organization policy on your project (or your folder or the entire organization: Enforce uniform bucket-level access
- python 3: Using pisa for creating pdf with multiple image urls in html content, rendering images incorrectly
- schedule autoscaler in terraform for GCP?
- Multiple STRING_AGG in one query
- Why aren't nacked messages ending up in my dead letter topic?
- Handle 503 error when making jobs.insert call
- Use http Google Cloud Functions "Require Authentication" with Firebase
- Google App Engine slow cold boot time (Flask app)
- gcloud SSH in same terminal window
- Cannot enable API on GCP (User role=Owner && Billing account is linked)
- Select All Columns Except Some in Google BigQuery?
- Why does my flex env google app engine instance have a minimum of 2 instances running, even when there is no traffic?
- How Does GCP Global Application Load Balancer Select the Closest Backend?
- How to use Google Search Grounding with Dynamic Retrieval Configuration
- Google Stackdriver Logging add comments to advanced filter
- Exporting from Cloud SQL to CSV with column headers
- BigQuery Date-Partitioned Views
- Check TPU workload/utilization
- Google Forms API raises google.auth.exceptions.RefreshError: 'No access token in response.'
- How can I see request count (not rate) for a Google Cloud Run application?
- I can write to my Firebase Firestore database, but am unable to read from it (Android Studio using Java)
- How to get task count in GCP cloud task
- Programmatically get current Service Account on GCP
- How to Access GKE Private Master from VPN in Hub VPC with Peering
- My gcp service account with "artifact registry admin" account was not able to push the docker image to repo
- GCP API Gateway: Cannot use path params
- Flask api on gcloud's URL keeps on loading
- GCP CloudBuild substitution fails in pipeline
- Is it secure to use an .env file to store API keys in Firebase Cloud Functions instead of Google Secret Manager?
- How do I keep a long-running background task from stopping on Google Cloud Run?
- GCP Cloud SQL Proxy times out: connectex