GCP - Cloud Run Enum
Cloud Run is a serverless managed compute platform that lets you run containers directly on top of Google's scalable infrastructure.
You can run your own container or, if you're using Go, Node.js, Python, Java, .NET Core, or Ruby, you can use the source-based deployment option that builds the container for you.
Google has built Cloud Run to work well together with other services on Google Cloud, so you can build full-featured applications.
On Cloud Run, your code can either run continuously as a service or as a job. Both services and jobs run in the same environment and can use the same integrations with other services on Google Cloud.
Cloud Run services. Used to run code that responds to web requests, or events.
Cloud Run jobs. Used to run code that performs work (a job) and quits when the work is done.
Google Cloud Run is another serverless offering where environment variables are also worth searching. Cloud Run creates a small web server, running on port 8080 inside the container by default, that waits for an HTTP GET request. When the request is received, a job is executed and the job log is output via an HTTP response.
By default, access to the web server is public, but it can also be limited to internal traffic (VPC...). Moreover, authentication to contact the web server can either allow all callers or require authentication via IAM.
By default, the encryption uses a Google managed key, but a CMEK (Customer Managed Encryption Key) from KMS can also be chosen.
By default, the service account used is the Compute Engine default one, which has Editor access over the project and the cloud-platform scope.
It's possible to define clear-text environment variables for the execution, and even mount cloud secrets or add cloud secrets to environment variables.
It's also possible to add connections with Cloud SQL and mount a file system.
The URLs of the services deployed are similar to https://<svc-name>-<random>.a.run.app
A Run Service can have more than 1 version or revision, and split traffic among several revisions.
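The defaults described above (public ingress, unauthenticated invocation, the Compute Engine default service account, clear-text environment variables) can be checked from a service's exported configuration. The following audit is an added example, not code from the original page; it assumes the v1 Service JSON printed by `gcloud run services describe --format=json` together with the service's IAM policy, and the sample input and the secret-name heuristic are constructed for illustration.

```python
import json
import re

# Constructed sample: v1 (Knative-style) Service JSON and its IAM policy.
SERVICE = json.loads("""{
  "metadata": {"name": "demo-svc",
               "annotations": {"run.googleapis.com/ingress": "all"}},
  "spec": {"template": {"spec": {
    "serviceAccountName": "123456789012-compute@developer.gserviceaccount.com",
    "containers": [{"image": "gcr.io/example/demo", "env": [
      {"name": "DB_PASSWORD", "value": "constructed-value"},
      {"name": "LOG_LEVEL", "value": "info"},
      {"name": "API_KEY", "valueFrom": {"secretKeyRef": {"name": "api-key", "key": "latest"}}}
    ]}]}}}
}""")
POLICY = {"bindings": [{"role": "roles/run.invoker", "members": ["allUsers"]}]}

DEFAULT_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
SECRET_HINT = re.compile(r"pass|secret|token|key|cred", re.I)  # heuristic (assumption)

def audit_service(service, policy):
    """Return a list of findings for the defaults described in the text."""
    findings = []
    meta = service.get("metadata", {})
    spec = service.get("spec", {}).get("template", {}).get("spec", {})
    # Ingress: a missing annotation is treated as "all", the public default.
    if meta.get("annotations", {}).get("run.googleapis.com/ingress", "all") == "all":
        findings.append("ingress: reachable from the internet")
    # Invoker role granted to everyone means no IAM authentication is required.
    for binding in policy.get("bindings", []):
        if binding.get("role") == "roles/run.invoker":
            for member in binding.get("members", []):
                if member in ("allUsers", "allAuthenticatedUsers"):
                    findings.append(f"iam: roles/run.invoker granted to {member}")
    # An unset service account falls back to the Compute Engine default one.
    sa = spec.get("serviceAccountName", "")
    if not sa or DEFAULT_SA.match(sa):
        findings.append("identity: Compute Engine default service account")
    # Clear-text env vars whose names look like credentials; secret refs are fine.
    for container in spec.get("containers", []):
        for env in container.get("env", []):
            if "value" in env and SECRET_HINT.search(env["name"]):
                findings.append(f"env: {env['name']} set in clear text")
    return findings

if __name__ == "__main__":
    for finding in audit_service(SERVICE, POLICY):
        print(finding)
```

A service that uses a dedicated service account, restricted ingress, an invoker binding limited to named principals and secret references instead of literal values produces no findings.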
Cloud Run jobs are a better fit for containers that run to completion and don't serve requests. Jobs don't have the ability to serve requests or listen on a port. This means that, unlike Cloud Run services, jobs should not bundle a web server. Instead, job containers should exit when they are done.
In the following page, you can check how to abuse cloud run permissions to escalate privileges: