GCP - Cloud Scheduler Enum
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Google Cloud Scheduler is a fully managed cron job service that allows you to run arbitrary jobs—such as batch, big data jobs, cloud infrastructure operations—at fixed times, dates, or intervals. It is integrated with Google Cloud services, providing a way to automate various tasks like updates or batch processing on a regular schedule.
Although from an offensive point of view this sounds amazing, it actually isn't that interesting, because the service only allows scheduling certain simple actions at a certain time, not executing arbitrary code.
At the time of this writing, these are the actions this service allows you to schedule:
HTTP: Send an HTTP request defining the headers and body of the request.
Pub/Sub: Send a message to a specific topic.
App Engine HTTP: Send an HTTP request to an app built in App Engine
Workflows: Call a GCP Workflow.
Not every scheduler type requires a service account. The Pub/Sub and App Engine HTTP types don't require any service account. The Workflows type does require a service account, but it will just invoke the workflow. Finally, the regular HTTP type doesn't require a service account, but it's possible to indicate that some kind of auth is required by the workflow and add either an OAuth token or an OIDC token to the HTTP request that is sent.
Therefore, it's possible to steal the OIDC token and abuse the OAuth token of service accounts by abusing the HTTP type. More on this in the privilege escalation page.
Note that it's possible to limit the scope of the OAuth token sent; however, by default, it'll be cloud-platform.
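To review which jobs attach service account tokens to outbound requests, the following added example (not part of the original page) inspects job definitions for HTTP targets carrying OAuth or OIDC tokens. It assumes the JSON field names of the Cloud Scheduler v1 Job resource as emitted by `gcloud scheduler jobs list --format=json`; the sample jobs, project, hosts and flag names are constructed for illustration.

```python
import json
from urllib.parse import urlparse

DEFAULT_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Constructed sample shaped like `gcloud scheduler jobs list --format=json` output.
# Project, job names, hosts and service accounts are placeholders.
SAMPLE_JOBS = json.loads("""[
 {"name": "projects/example-proj/locations/us-central1/jobs/nightly-export",
  "httpTarget": {"uri": "https://hooks.example.com/run",
   "oauthToken": {"serviceAccountEmail": "sched@example-proj.iam.gserviceaccount.com"}}},
 {"name": "projects/example-proj/locations/us-central1/jobs/call-backend",
  "httpTarget": {"uri": "https://backend.example.com/task",
   "oidcToken": {"serviceAccountEmail": "sched@example-proj.iam.gserviceaccount.com",
                 "audience": "https://backend.example.com"}}},
 {"name": "projects/example-proj/locations/us-central1/jobs/list-buckets",
  "httpTarget": {"uri": "https://storage.googleapis.com/storage/v1/b?project=example-proj",
   "oauthToken": {"serviceAccountEmail": "sched@example-proj.iam.gserviceaccount.com",
                  "scope": "https://www.googleapis.com/auth/devstorage.read_only"}}},
 {"name": "projects/example-proj/locations/us-central1/jobs/fanout",
  "pubsubTarget": {"topicName": "projects/example-proj/topics/events"}}
]""")

def audit_job(job):
    """Return review flags for one job (flag names are this example's own)."""
    http = job.get("httpTarget")
    if not http:
        return []  # only the HTTP type attaches an OAuth/OIDC token to the request
    flags = []
    host = urlparse(http.get("uri", "")).hostname or ""
    is_google_api = host == "googleapis.com" or host.endswith(".googleapis.com")
    oauth = http.get("oauthToken")
    if oauth:
        # An unset scope means the token is minted with the cloud-platform default.
        if (oauth.get("scope") or DEFAULT_SCOPE) == DEFAULT_SCOPE:
            flags.append("oauth-default-cloud-platform-scope")
        if not is_google_api:
            flags.append("oauth-token-to-non-googleapis-host")
    if http.get("oidcToken"):
        flags.append("oidc-token-sent")  # inventory: an SA identity token leaves with each run
    return flags

def audit(jobs):
    """Map short job name -> flags, for jobs that have at least one flag."""
    results = {}
    for job in jobs:
        flags = audit_job(job)
        if flags:
            results[job["name"].rsplit("/", 1)[-1]] = flags
    return results
```

Jobs flagged for the default scope can be narrowed by setting an explicit scope on the job's OAuth token, and any job sending a token to a host outside the project's control deserves a closer look at who can edit its target URI.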