GCP - Workflows Privesc
Workflows
Basic Information: GCP - Workflows Enum
Abuse SA permissions in steps
As far as I know it's not possible to get a shell with access to the metadata endpoint containing the credentials of the SA attached to a Workflow. However, it's possible to abuse the permissions of that SA by adding the actions to perform as steps inside the Workflow.
The documentation of the connectors is available; for example, this is the page of the Secret Manager connector. In the side bar it's possible to find several other connectors.
And here you can find an example of a connector that prints a secret:
Update from the CLI:
If you don't have web access it's possible to trigger and see the execution of a Workflow with:
You can also check the output of previous executions to look for sensitive information.
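From the defender's side, the pattern above (edit a Workflow, run it right away, the SA reads a secret) is visible in Cloud Audit Logs. The following is an added example, not part of the original page: it correlates an UpdateWorkflow followed by a CreateExecution of the same Workflow by the same principal within a short window. The log entries are constructed, and the audit `methodName` values and `resourceName` layout are assumptions to verify against your own project's logs.

```python
from datetime import datetime, timedelta

# Constructed sample Cloud Audit Log entries (not captured from a real project).
# Only the fields the detection reads are included; the method names are the
# assumed audit-log names for the Workflows and Secret Manager APIs.
SAMPLE_LOGS = [
    {"timestamp": "2024-01-01T10:00:00Z", "protoPayload": {
        "methodName": "google.cloud.workflows.v1.Workflows.UpdateWorkflow",
        "authenticationInfo": {"principalEmail": "dev@example.com"},
        "resourceName": "projects/p/locations/us-central1/workflows/wf1"}},
    {"timestamp": "2024-01-01T10:02:00Z", "protoPayload": {
        "methodName": "google.cloud.workflows.executions.v1.Executions.CreateExecution",
        "authenticationInfo": {"principalEmail": "dev@example.com"},
        "resourceName": "projects/p/locations/us-central1/workflows/wf1"}},
    {"timestamp": "2024-01-01T10:02:05Z", "protoPayload": {
        "methodName": "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion",
        "authenticationInfo": {"principalEmail": "wf-sa@p.iam.gserviceaccount.com"},
        "resourceName": "projects/p/secrets/db-password/versions/latest"}},
    # A scheduled run by a different principal, not preceded by its own edit.
    {"timestamp": "2024-01-01T12:00:00Z", "protoPayload": {
        "methodName": "google.cloud.workflows.executions.v1.Executions.CreateExecution",
        "authenticationInfo": {"principalEmail": "scheduler@p.iam.gserviceaccount.com"},
        "resourceName": "projects/p/locations/us-central1/workflows/wf1"}},
]

UPDATE = "google.cloud.workflows.v1.Workflows.UpdateWorkflow"
EXECUTE = "google.cloud.workflows.executions.v1.Executions.CreateExecution"

def _ts(entry):
    # Audit log timestamps are RFC 3339 with a trailing "Z".
    return datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))

def find_update_then_run(entries, window=timedelta(minutes=30)):
    """Return (workflow, principal, seconds_between) for every CreateExecution that
    follows an UpdateWorkflow of the same workflow by the same principal within `window`."""
    last_update = {}   # (workflow resource, principal) -> time of latest edit
    findings = []
    for e in sorted(entries, key=_ts):
        p = e["protoPayload"]
        key = (p["resourceName"], p["authenticationInfo"]["principalEmail"])
        if p["methodName"] == UPDATE:
            last_update[key] = _ts(e)
        elif p["methodName"] == EXECUTE and key in last_update:
            delta = _ts(e) - last_update[key]
            if delta <= window:
                findings.append((key[0], key[1], int(delta.total_seconds())))
    return findings

if __name__ == "__main__":
    for wf, who, secs in find_update_then_run(SAMPLE_LOGS):
        print(f"{who} edited {wf} and ran it {secs}s later")
```

Pair a hit with any Secret Manager AccessSecretVersion entries by the Workflow's SA in the same window; check which of these events are Data Access logs that must be enabled in your project before relying on them.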