GCP - Cloudscheduler Privesc

cloudscheduler

cloudscheduler.jobs.create , iam.serviceAccounts.actAs, (cloudscheduler.locations.list)

An attacker with these permissions could exploit Cloud Scheduler to authenticate cron jobs as a specific Service Account. By crafting an HTTP POST request, the attacker schedules actions, like creating a Storage bucket, to execute under the Service Account's identity. This method leverages the Scheduler's ability to target *.googleapis.com endpoints and authenticate requests, allowing the attacker to manipulate Google API endpoints directly using a simple gcloud command.

For example, to create a new job that uses a specific Service Account to create a new Storage bucket on our behalf, we could run the following command:

gcloud scheduler jobs create http test --schedule='* * * * *' --uri='https://storage.googleapis.com/storage/v1/b?project=<PROJECT-ID>' --message-body "{'name':'new-bucket-name'}" --oauth-service-account-email 111111111111-compute@developer.gserviceaccount.com --headers Content-Type=application/json

To escalate privileges, an attacker merely crafts an HTTP request targeting the desired API, and Cloud Scheduler sends it with an OAuth token for the specified Service Account.
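From the defender's side, the pattern above is visible in Cloud Audit Logs: a CreateJob or UpdateJob call on cloudscheduler.googleapis.com whose HTTP target points at a *.googleapis.com host and carries an OAuth (or OIDC) token for a Service Account. The following is an added detection example, not code from HackTricks or from Google; it assumes the protoPayload.request field mirrors the CreateJobRequest/UpdateJobRequest proto (job.httpTarget.uri, job.httpTarget.oauthToken.serviceAccountEmail), and the log entries below are constructed for the example, including the placeholder project and Service Account names.

```python
from urllib.parse import urlparse

# Audit-log method names that create or change a Cloud Scheduler job's HTTP target.
JOB_MUTATION_METHODS = {
    "google.cloud.scheduler.v1.CloudScheduler.CreateJob",
    "google.cloud.scheduler.v1.CloudScheduler.UpdateJob",
}


def _target_host(uri):
    """Return the lower-cased host part of a job target URI ('' if unparsable)."""
    try:
        return (urlparse(uri).hostname or "").lower()
    except ValueError:
        return ""


def find_googleapis_scheduler_jobs(entries):
    """Flag job create/update events whose HTTP target is a Google API endpoint
    and which attach a Service Account token, i.e. the shape of the privesc above.

    `entries` is a list of Cloud Audit Log entries (dicts with a protoPayload).
    Returns one finding dict per suspicious event.
    """
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != "cloudscheduler.googleapis.com":
            continue
        if payload.get("methodName") not in JOB_MUTATION_METHODS:
            continue
        # Assumption: request mirrors the CreateJobRequest/UpdateJobRequest proto.
        job = payload.get("request", {}).get("job", {})
        target = job.get("httpTarget")
        if not target:
            continue  # Pub/Sub or App Engine targets are out of scope here
        host = _target_host(target.get("uri", ""))
        if not (host == "googleapis.com" or host.endswith(".googleapis.com")):
            continue
        # Without a token the request carries no Service Account identity.
        token = target.get("oauthToken") or target.get("oidcToken")
        if not token:
            continue
        findings.append({
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "job": job.get("name"),
            "target_host": host,
            "http_method": target.get("httpMethod", "POST"),
            "service_account": token.get("serviceAccountEmail"),
            "token_type": "oauth" if "oauthToken" in target else "oidc",
        })
    return findings


# Constructed sample entries (values are made up; layout follows the assumption above).
SAMPLE_LOG_ENTRIES = [
    {   # The pattern from this page: job posting to the Storage API as a Service Account.
        "protoPayload": {
            "serviceName": "cloudscheduler.googleapis.com",
            "methodName": "google.cloud.scheduler.v1.CloudScheduler.CreateJob",
            "authenticationInfo": {"principalEmail": "lowpriv-user@example.com"},
            "request": {"job": {
                "name": "projects/example-project/locations/us-central1/jobs/test",
                "schedule": "* * * * *",
                "httpTarget": {
                    "uri": "https://storage.googleapis.com/storage/v1/b?project=example-project",
                    "httpMethod": "POST",
                    "oauthToken": {"serviceAccountEmail": "111111111111-compute@developer.gserviceaccount.com"},
                },
            }},
        }
    },
    {   # Benign: authenticated job hitting the team's own endpoint, not a Google API.
        "protoPayload": {
            "serviceName": "cloudscheduler.googleapis.com",
            "methodName": "google.cloud.scheduler.v1.CloudScheduler.UpdateJob",
            "authenticationInfo": {"principalEmail": "ops@example.com"},
            "request": {"job": {
                "name": "projects/example-project/locations/us-central1/jobs/nightly",
                "httpTarget": {
                    "uri": "https://app.example.com/cron/nightly",
                    "oidcToken": {"serviceAccountEmail": "cron-runner@example-project.iam.gserviceaccount.com"},
                },
            }},
        }
    },
    {   # Read-only call: never a finding.
        "protoPayload": {
            "serviceName": "cloudscheduler.googleapis.com",
            "methodName": "google.cloud.scheduler.v1.CloudScheduler.ListJobs",
            "authenticationInfo": {"principalEmail": "ops@example.com"},
        }
    },
]

if __name__ == "__main__":
    for finding in find_googleapis_scheduler_jobs(SAMPLE_LOG_ENTRIES):
        print(finding)
```

In practice you would feed this function the JSON output of `gcloud logging read` filtered on `protoPayload.serviceName="cloudscheduler.googleapis.com"`; CreateJob and UpdateJob are admin writes, so they appear in the Admin Activity audit log without extra configuration. A hit is worth correlating with who holds iam.serviceAccounts.actAs on the named Service Account, since that binding, rather than the Scheduler permission alone, is what makes the job a privilege escalation.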
