When you enable the Cloud Build API in a project, Cloud Build automatically creates a default service account to execute builds on your behalf. This Cloud Build service account previously had the logging.privateLogEntries.list IAM permission, which allowed the build to have access to list private logs by default. This permission has now been revoked from the Cloud Build service account to adhere to the security principle of least privilege.

What should I do?

No further user action is required. The logging.privateLogEntries.list IAM permission has been revoked from the Cloud Build service account and the fix has been rolled out.

What vulnerabilities are addressed by this patch?

This vulnerability granted builds the permission to access private logs. Since the logging.privateLogEntries.list IAM permission has now been revoked from the Cloud Build service account, builds no longer have access to list private logs by default.