App Engine

For more information about App Engine check:

appengine.applications.get, appengine.instances.get, appengine.instances.list, appengine.operations.get, appengine.operations.list, appengine.services.get, appengine.services.list, appengine.versions.create, appengine.versions.get, appengine.versions.list, cloudbuild.builds.get,iam.serviceAccounts.actAs, resourcemanager.projects.get, storage.objects.create, storage.objects.list

Those are the needed permissions to deploy an App using gcloud cli. Maybe the get and list ones could be avoided.

You can find python code examples in https://github.com/GoogleCloudPlatform/python-docs-samples/tree/main/appengine

By default, the name of the App service is going to be default, and there can be only 1 instance with the same name. To change it and create a second App, in app.yaml, change the value of the root key to something like service: my-second-app

cd python-docs-samples/appengine/flexible/hello_world
gcloud app deploy #Upload and start application inside the folder

Give it at least 10-15min, if it doesn't work call deploy another of times and wait some minutes.

The URL of the application is something like https://<proj-name>.oa.r.appspot.com/ or https://<service_name>-dot-<proj-name>.oa.r.appspot.com

appengine.instances.enableDebug, appengine.instances.get, appengine.instances.list, appengine.operations.get, appengine.services.get, appengine.services.list, appengine.versions.get, appengine.versions.list, compute.projects.get

With these permissions, it's possible to login via ssh in App Engine instances of type flexible (not standard). Some of the list and get permissions could not be really needed.

gcloud app instances ssh --service <app-name> --version <version-id> <ID>

appengine.applications.update, appengine.operations.get

I think this just change the background SA google will use to setup the applications, so I don't think you can abuse this to steal the service account.

gcloud app update --service-account=<sa_email>

appengine.versions.getFileContents, appengine.versions.update

Not sure how to use these permissions or if they are useful (note that when you change the code a new version is created so I don't know if you can just update the code or the IAM role of one, but I guess you should be able to, maybe changing the code inside the bucket??).

Write Access over the buckets

Even with write access over the buckets where the source code is located it WASN'T possible to execute arbitrary code by modifying the source code and the manifest.json. Maybe if you are monitoring the bucket and detect the moment where a new version is created and the source code and manifest is uploaded, it might be possible to change them so the new version uses the backdoored ones??

It also looks like container layers are stored in the bucket, maybe changing those?