GCP - Cloud Build Enum
Google Cloud Build is a managed CI/CD platform that automates software build and release processes, integrating with source code repositories and supporting a wide range of programming languages. It allows developers to build, test, and deploy code automatically while providing flexibility to customize build steps and workflows.
Each Cloud Build trigger is tied either to a Cloud Source Repository or directly to an external repository (GitHub, Bitbucket or GitLab).
I couldn't see any way to steal the GitHub/Bitbucket token from here or from Cloud Repositories, because when the repo is downloaded it's accessed via a https://source.cloud.google.com/ URL and GitHub is not accessed by the client.
A Cloud Build trigger can fire on:
- Push to a branch: specify the branch (regex)
- Push of a new tag: specify the tag (regex)
- Pull request: specify the branch that receives the PR
- Manual invocation
- Pub/Sub message: specify the topic
- Webhook event: exposes an HTTPS URL; the request must be authenticated with a secret stored in Secret Manager
There are 3 options for the build configuration:
- A YAML/JSON file specifying the steps to execute, usually /cloudbuild.yaml in the repo. This is:
  - the only one that can also be specified inline, both in the web console and in the CLI
  - the most common option
  - the one relevant for unauthenticated access
- A Dockerfile to build
- A Buildpack to build
The build runs as a Service Account with the cloud-platform OAuth scope, so it can exercise every IAM permission that SA holds. If no SA is specified (e.g. when running gcloud builds submit) the default SA <proj-number>@cloudbuild.gserviceaccount.com is used. Note that in newer projects Google may default to the Compute Engine default SA instead, so always check which identity a given trigger or build actually runs as.
By default the Cloud Build settings page grants this SA no additional roles, but it is fairly easy to enable some there with a single click, so over-privileged build SAs are common:
A trigger can be configured to require manual approval before a build executes (disabled by default).
When the trigger fires on pull requests, anyone can open a PR against a public repository, so automatically running the build on any PR would be very dangerous. Therefore, by default, the build only runs automatically for PRs from repository owners and collaborators; to run the trigger on another user's PR, an owner or collaborator must comment /gcbrun on it.
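To turn the trigger properties above (event type, approval requirement, PR comment gating, service account, inline config) into an enumeration check, here is an added example that is not from the original page or from Google. It audits trigger objects in the shape returned by `gcloud builds triggers list --format=json`; the field names (`github`, `triggerTemplate`, `repositoryEventConfig`, `webhookConfig`, `pubsubConfig`, `approvalConfig`, `serviceAccount`, `commentControl`) are the Cloud Build API's. The sample triggers are constructed, and every project, repo and secret name in them is made up; in practice, feed it the real gcloud output.

```python
"""Audit Cloud Build triggers for the risky settings discussed above.

Added example (not from the original page). It consumes the JSON shape that
`gcloud builds triggers list --format=json` returns; the triggers below are a
constructed sample and every project/repo/secret name in them is made up.
"""
import json

# Constructed sample, shaped like the Cloud Build API's BuildTrigger objects.
SAMPLE_TRIGGERS = json.loads(r"""
[
  {"name": "deploy-main", "filename": "cloudbuild.yaml",
   "github": {"owner": "acme", "name": "shop", "push": {"branch": "^main$"}}},
  {"name": "pr-check",
   "github": {"owner": "acme", "name": "shop",
              "pullRequest": {"branch": ".*", "commentControl": "COMMENTS_DISABLED"}},
   "build": {"steps": [{"name": "gcr.io/cloud-builders/gcloud", "entrypoint": "bash",
                        "args": ["-c", "gcloud auth print-access-token"]}]}},
  {"name": "hook", "filename": "cloudbuild.yaml",
   "webhookConfig": {"secret": "projects/123456789012/secrets/hook-secret/versions/1"},
   "approvalConfig": {"approvalRequired": false},
   "serviceAccount": "projects/example-proj/serviceAccounts/deployer@example-proj.iam.gserviceaccount.com"},
  {"name": "tag-release", "filename": "cloudbuild.yaml",
   "github": {"owner": "acme", "name": "shop", "push": {"tag": "^v.*"}},
   "approvalConfig": {"approvalRequired": true}},
  {"name": "csr-dev", "filename": "cloudbuild.yaml", "disabled": true,
   "triggerTemplate": {"projectId": "example-proj", "repoName": "internal", "branchName": "^dev$"}}
]
""")

# Where a trigger describes its source repo: 1st-gen GitHub app, Cloud Source Repos, 2nd-gen connection.
SOURCE_KEYS = ("github", "triggerTemplate", "repositoryEventConfig")


def trigger_event(t):
    """Classify how the trigger fires: push-branch, push-tag, pull-request, webhook, pubsub or manual."""
    if "webhookConfig" in t:
        return "webhook"
    if "pubsubConfig" in t:
        return "pubsub"
    for key in SOURCE_KEYS:
        src = t.get(key)
        if not src:
            continue
        if "pullRequest" in src:
            return "pull-request"
        # github/repositoryEventConfig nest the filter under "push";
        # triggerTemplate keeps branchName/tagName at its top level.
        push = src.get("push", src)
        if "tag" in push or "tagName" in push:
            return "push-tag"
        if "branch" in push or "branchName" in push:
            return "push-branch"
    return "manual"


def pr_comment_control(t):
    """Return the commentControl value of a PR trigger, or None if the output lacks it."""
    for key in ("github", "repositoryEventConfig"):
        src = t.get(key) or {}
        if "pullRequest" in src:
            return src["pullRequest"].get("commentControl")
    return None


def audit_trigger(t):
    """Return human-readable findings for one trigger."""
    findings = []
    event = trigger_event(t)
    if t.get("disabled"):
        findings.append("trigger is disabled (still worth reading: it can be re-enabled)")
    if event == "pull-request":
        cc = pr_comment_control(t)
        if cc == "COMMENTS_DISABLED":
            findings.append("PR trigger runs for ANY pull request: no /gcbrun gate")
        elif cc is None:
            findings.append("PR trigger: commentControl absent from output, verify the /gcbrun gate in the console")
    if event == "webhook":
        secret = t["webhookConfig"].get("secret", "<unknown secret>")
        findings.append("webhook trigger exposes an HTTPS endpoint, authenticated with " + secret)
    if not t.get("serviceAccount"):
        findings.append("no serviceAccount set: runs as the default Cloud Build SA")
    if not t.get("approvalConfig", {}).get("approvalRequired"):
        findings.append("no manual approval required before a build runs")
    if "build" in t:
        images = sorted({s.get("name", "?") for s in t["build"].get("steps", [])})
        findings.append("inline build config (steps readable right here): " + ", ".join(images))
    return findings


def audit(triggers):
    """Map trigger name -> (event type, findings)."""
    return {t["name"]: (trigger_event(t), audit_trigger(t)) for t in triggers}


if __name__ == "__main__":
    for name, (event, findings) in audit(SAMPLE_TRIGGERS).items():
        print(f"{name} [{event}]")
        for f in findings:
            print("  -", f)
```

A PR trigger reported with COMMENTS_DISABLED is the first thing to look at: anyone who can open a PR against that repository gets code execution as the build's service account, with no /gcbrun comment needed.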
Connections can be created over:
- GitHub: shows an OAuth prompt asking for permissions; the resulting GitHub token is stored in Secret Manager.
- GitHub Enterprise: asks you to install a GitHub App. An authentication token from your GitHub Enterprise host is created and stored in the project as a Secret Manager secret.
- GitLab / GitLab Enterprise: you must provide the API access token and the Read API access token, which are stored in Secret Manager.
Once a connection is generated, you can use it to link any repository the connected account has access to.
Note that repositories linked through a connection are only available to 2nd-generation triggers.
There is also an older way of connecting a repository that is not the same as a connection. It offers different ways to get access to a GitHub or Bitbucket repository, but it doesn't generate a connection object; it generates a (1st generation) repository object instead.
Sometimes Cloud Build creates a new Storage bucket to hold the source files for a build. This happens, for example, when source is uploaded directly from gcloud as in the sample GCP offers:
A Storage bucket named <project-id>_cloudbuild (security-devbox_cloudbuild in that example) is created to store a .tgz with the files to be used. Anyone with read access to that bucket can pull the source of every submitted build.
Install gcloud inside Cloud Build:
You could find sensitive info in build configs (substitutions, step env vars, inline step commands, the secrets a build is allowed to read) and in build logs, where steps often echo tokens or credentials.
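As a worked version of that hunt, the following is an added example, not from the original page: it walks a build config and a build log looking for credential shapes and credential-named fields. The config is the JSON form of a cloudbuild.yaml (the page notes configs may be YAML or JSON, so no YAML parser is needed), the log is a few constructed lines in the style Cloud Build prints, and every token, password and hostname in them is fake. The regexes are illustrative, not an exhaustive secret-scanning ruleset.

```python
"""Hunt for secrets in Cloud Build configs and build logs.

Added example, not from the original page. SAMPLE_CONFIG and SAMPLE_LOG are
constructed; all credentials in them are fake.
"""
import json
import re

# Credential shapes that commonly leak into build configs and logs (illustrative, not exhaustive).
PATTERNS = {
    "gcp-access-token": re.compile(r"ya29\.[A-Za-z0-9_\-]{20,}"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "slack-token": re.compile(r"\bxox[abpr]-[A-Za-z0-9-]{10,}"),
    "aws-access-key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "bearer-header": re.compile(r"(?i)authorization:\s*bearer\s+\S+"),
    "basic-auth-arg": re.compile(r"(?<!\S)-u\s+[^\s:]+:\S+"),
    "assignment": re.compile(r"(?i)\b\w*(pass(word)?|pwd|token|secret|api[_-]?key)\w*\s*[=:]\s*['\"]?[^\s'\"]{4,}"),
}
# Field names suggesting the value next to them is a credential.
KEYWORD = re.compile(r"(?i)pass|pwd|token|secret|api[_-]?key")

# Constructed cloudbuild config in its JSON form.
SAMPLE_CONFIG = json.loads(r"""
{
  "steps": [
    {"name": "gcr.io/cloud-builders/docker", "args": ["build", "-t", "gcr.io/$PROJECT_ID/app", "."]},
    {"name": "gcr.io/cloud-builders/gcloud", "entrypoint": "bash",
     "args": ["-c", "curl -u deploy:Sup3rS3cret! https://registry.internal/upload"],
     "env": ["DB_PASSWORD=hunter2", "REGION=us-central1"],
     "secretEnv": ["API_KEY"]}
  ],
  "substitutions": {"_SLACK_TOKEN": "xoxb-000000000000-fakefakefakefake", "_ENV": "prod"},
  "availableSecrets": {"secretManager": [
    {"versionName": "projects/123456789012/secrets/api-key/versions/latest", "env": "API_KEY"}]},
  "serviceAccount": "projects/example-proj/serviceAccounts/deployer@example-proj.iam.gserviceaccount.com",
  "options": {"logging": "CLOUD_LOGGING_ONLY"}
}
""")

# Constructed build log lines in Cloud Build's "Step #N:" style.
SAMPLE_LOG = """\
starting build "c0ffee00-1234-4abc-9def-000000000000"
Step #0: Already have image (with digest): gcr.io/cloud-builders/gcloud
Step #1: + curl -s -H "Authorization: Bearer ya29.a0AfH6SMBfakefakefakefakefake" https://cloudresourcemanager.googleapis.com/v1/projects
Step #2: + export GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef1234
Step #3: deploying revision 42 to prod
"""


def redact(s):
    """Keep only a short prefix so findings can be reported without re-leaking the secret."""
    return s[:8] + "..." if len(s) > 8 else "..."


def _walk(node, path=""):
    """Yield (json-path, string) for every string leaf in a nested config."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, f"{path}.{k}" if path else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def _matches(text):
    """Yield (kind, matched_text) for every pattern that hits `text`."""
    for kind, rx in PATTERNS.items():
        m = rx.search(text)
        if m:
            yield kind, m.group(0)


def scan_config(cfg):
    """Findings from a build config: leaked values, credential-named fields, Secret Manager access."""
    findings = []
    for path, value in _walk(cfg):
        hits = list(_matches(value))
        leaf = path.rsplit(".", 1)[-1].split("[")[0]
        # secretEnv only names a secret the step consumes; the other keyword hits are plaintext.
        if KEYWORD.search(leaf) and leaf != "secretEnv":
            hits.append(("secret-named-field", value))
        for kind, hit in hits:
            findings.append({"path": path, "kind": kind, "value": redact(hit)})
    # Not a leak, but tells you which Secret Manager secrets anyone who can edit a step can read.
    for s in cfg.get("availableSecrets", {}).get("secretManager", []):
        findings.append({"path": "availableSecrets", "kind": "secret-manager-access",
                         "value": f"{s.get('versionName')} -> {s.get('env')}"})
    return findings


def scan_log(lines):
    """Findings from build log lines: (line number, kind, redacted match)."""
    findings = []
    for n, line in enumerate(lines, 1):
        for kind, hit in _matches(line):
            findings.append({"line": n, "kind": kind, "value": redact(hit)})
    return findings


if __name__ == "__main__":
    for f in scan_config(SAMPLE_CONFIG):
        print("config", f)
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print("log   ", f)
```

In practice the config comes from the trigger (inline) or the repo, and the log lines from the build's log output; run the scan over every build in the project, not only the latest, since rotated credentials often survive in old logs.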