Skip to content

A project open to the entire internet

An IAM binding to allUsers or allAuthenticatedUsers on a non-public role hands access to anyone on the internet, or anyone with any Google account, not the people you meant to grant.

see_it · fix_it

The misconfig, then the fix

Each verdict below is the actual GCP IAM Least-Privilege Analyzer run on the snippet, not a description of one.

before
{
  "bindings": [
    {
      "role": "roles/run.admin",
      "members": ["allUsers"]
    }
  ]
}

Fails · auditor verdictPublic principal(s) granted a non-public role: allUsers on roles/run.admin. allUsers exposes the resource to the entire internet and allAuthenticatedUsers to anyone with any Google account, so this hands real access to people you never named. Remove the binding and grant the specific users, groups, or service accounts that need it.

after
{
  "bindings": [
    {
      "role": "roles/run.admin",
      "members": ["user:ops@example.com"]
    }
  ]
}

Passes · auditor verdictNo allUsers or allAuthenticatedUsers bindings. Access is limited to named principals.

fix · Apply the change shown in the after snippet.

why_it_matters

IAM has two special members that mean "everyone": allUsers is the entire internet, and allAuthenticatedUsers is anyone signed into any Google account. On an invoker role for a service you meant to publish, that's intended. On anything else, a storage admin role, a project-wide role, a data role, it's a public exposure that no named principal in your policy reveals. These bindings are how buckets and endpoints end up open without anyone deciding to open them.

The fix is to remove the public member and grant the specific users, groups, or service accounts that need the role. The analyzer treats a public member on a role that isn't public-by-design (run.invoker and the function invokers are the exceptions) as a critical failure, because it's the single fastest way to lose control of who can reach a resource.

allUsers on roles/run.adminthe whole internet, not who you namedgrant the specific principals instead

faq

Questions & answers

What does allUsers mean in a GCP IAM policy?
allUsers is a special member that grants the role to everyone on the internet, with no authentication. allAuthenticatedUsers is slightly narrower: anyone signed into any Google account. Both are public exposure on any role that isn't meant to be public, so restrict them to invoker roles on resources you actually intend to publish.
How do I find public access in my GCP project?
Look for bindings whose members include allUsers or allAuthenticatedUsers on roles other than the invoker roles. Paste your policy from gcloud projects get-iam-policy --format=json into the analyzer and it flags every public binding on a non-public role as critical, with the exact role and member.

Fixing one binding is easy. Getting the whole project to least privilege is the work.

I review which principals hold primitive and escalation roles, how your workloads are scoped, secrets handling, and the Cloud Run defaults that widen the blast radius. Book a call, or leave your email.

Book a call

No spam. You'll get a reply from me.

Prefer proof first? See how this plays out in real case studies →