GCP - Federation Abuse

Support HackTricks and get benefits!
If you want to see your company advertised in HackTricks or if you want access to the latest version of the PEASS or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag​
Discover The PEASS Family, our collection of exclusive NFTs​
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
OIDC - Github Actions Abuse
GCP
In order to give access to the Github Actions from a Github repo to a GCP service account the following steps are needed:
Create the Service Account to access from github actions with the desired permissions:
projectId=FIXME
gcloud config set project $projectId
​
# Create the Service Account
gcloud iam service-accounts create "github-demo-sa"
saId="[email protected]${projectId}.iam.gserviceaccount.com"
​
# Enable the IAM Credentials API
gcloud services enable iamcredentials.googleapis.com
​
# Give permissions to SA
​
gcloud projects add-iam-policy-binding $projectId \
    --member="serviceAccount:$saId" \
    --role="roles/iam.securityReviewer"
Generate a new workload identity pool:
# Create a Workload Identity Pool
poolName=wi-pool
​
gcloud iam workload-identity-pools create $poolName \
  --location global \
  --display-name $poolName
​
poolId=$(gcloud iam workload-identity-pools describe $poolName \
  --location global \
  --format='get(name)')
Generate a new workload identity pool OIDC provider that trusts github actions (by org/repo name in this scenario):
attributeMappingScope=repository # could be sub (GitHub repository and branch) or repository_owner (GitHub organization)
​
gcloud iam workload-identity-pools providers create-oidc $poolName \
  --location global \
  --workload-identity-pool $poolName \
  --display-name $poolName \
  --attribute-mapping "google.subject=assertion.${attributeMappingScope},attribute.actor=assertion.actor,attribute.aud=assertion.aud,attribute.repository=assertion.repository" \
  --issuer-uri "https://token.actions.githubusercontent.com"
​
providerId=$(gcloud iam workload-identity-pools providers describe $poolName \
  --location global \
  --workload-identity-pool $poolName \
  --format='get(name)')
Finally, allow the principal from the provider to use a service principal:
gitHubRepoName="repo-org/repo-name"
gcloud iam service-accounts add-iam-policy-binding $saId \
  --role "roles/iam.workloadIdentityUser" \
  --member "principalSet://iam.googleapis.com/${poolId}/attribute.${attributeMappingScope}/${gitHubRepoName}"
Note how in the previous member we are specifying the org-name/repo-name as conditions to be able to access the service account (other params that makes it more restrictive like the branch could also be used).
However it's also possible to allow all github to access the service account creating a provider such the following using a wildcard:
# Create a Workload Identity Pool
poolName=wi-pool2
​
gcloud iam workload-identity-pools create $poolName \
  --location global \
  --display-name $poolName
​
poolId=$(gcloud iam workload-identity-pools describe $poolName \
  --location global \
  --format='get(name)')
​
gcloud iam workload-identity-pools providers create-oidc $poolName \
  --project="${projectId}" \
  --location="global" \
  --workload-identity-pool="$poolName" \
  --display-name="Demo provider" \
  --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.aud=assertion.aud" \
  --issuer-uri="https://token.actions.githubusercontent.com"
​
providerId=$(gcloud iam workload-identity-pools providers describe $poolName \
  --location global \
  --workload-identity-pool $poolName \
  --format='get(name)')
​
# CHECK THE WILDCARD
gcloud iam service-accounts add-iam-policy-binding "${saId}" \
  --project="${projectId}" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/${poolId}/*"
In this case anyone could access the service account from github actions, so it's important always to check how the member is defined.
It should be always something like this: 
attribute.{custom_attribute}:principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}
Github
Remember to change ${providerId} and ${saId} for their respective values:
name: Check GCP action
on:
  workflow_dispatch:
  pull_request:
    branches:
      - main
​
permissions:
  id-token: write
​
jobs:
  Get_OIDC_ID_token:
    runs-on: ubuntu-latest
    steps:
    - id: 'auth'
      name: 'Authenticate to GCP'
      uses: 'google-github-actions/[email protected]'
      with:
          create_credentials_file: 'true'
          workload_identity_provider: '${providerId}'
          service_account: '${saId}'
    - id: 'gcloud'
      name: 'gcloud'
      run: |-
        gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"
        gcloud auth list
        gcloud projects list
Support HackTricks and get benefits!
If you want to see your company advertised in HackTricks or if you want access to the latest version of the PEASS or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag​
Discover The PEASS Family, our collection of exclusive NFTs​
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
GCP - Basic Information
GCP - Non-svc Persistance
Last modified 5mo ago