GCP - Pub/Sub Enum
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Google Cloud Pub/Sub is described as a service facilitating message exchange between independent applications. The core components include topics, to which applications can subscribe. Subscribed applications have the capability to send and receive messages. Each message comprises the actual content along with associated metadata.
A topic is the queue that messages are published to, while subscriptions are the objects consumers use to read messages from a topic. A topic can have more than one subscription, and there are four types of subscription:
Pull: the consumers of the subscription must pull messages themselves.
Push: a URL endpoint is configured and messages are sent to it as soon as they arrive.
BigQuery table: like push, but messages are written into a BigQuery table.
Cloud Storage: messages are delivered directly to an existing bucket.
By default, a subscription expires after 31 days, although it can be set to never expire.
By default, a message is retained for 7 days, but this can be increased up to 31 days. Also, if a message is not ACKed within 10 seconds it goes back to the queue. A subscription can also be configured to keep storing ACKed messages.
A topic is encrypted with a Google-managed encryption key by default, but a CMEK (Customer Managed Encryption Key) from KMS can be selected instead.
Dead letter: a subscription may configure a maximum number of delivery attempts; when a message cannot be delivered within that limit, it is republished to the specified dead letter topic.
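The subscription settings described above (delivery type, retention, ACK retention, expiration, push endpoint and dead letter policy) are all visible in a subscription description. The following is an added example, not part of the original page or of any Google tooling: a small audit that classifies each subscription and flags the settings that widen how long, and where, message contents stay readable. The field names are those of the Pub/Sub v1 Subscription resource; the input is a constructed sample in the shape of `gcloud pubsub subscriptions describe --format=json` output, with placeholder project and topic names.

```python
import json
# Constructed sample in the shape of `gcloud pubsub subscriptions describe --format=json`.
SAMPLE_JSON = """[
  {"name": "projects/example-project/subscriptions/orders-pull",
   "topic": "projects/example-project/topics/orders",
   "ackDeadlineSeconds": 10, "messageRetentionDuration": "2678400s",
   "retainAckedMessages": true, "expirationPolicy": {}, "pushConfig": {}},
  {"name": "projects/example-project/subscriptions/orders-push",
   "topic": "projects/example-project/topics/orders",
   "ackDeadlineSeconds": 10, "messageRetentionDuration": "604800s",
   "pushConfig": {"pushEndpoint": "http://hooks.example.internal/orders"},
   "expirationPolicy": {"ttl": "2678400s"},
   "deadLetterPolicy": {"deadLetterTopic": "projects/example-project/topics/orders-dlq", "maxDeliveryAttempts": 5}}
]"""
SUBSCRIPTIONS = json.loads(SAMPLE_JSON)

def delivery_type(sub):
    """Pull, push, BigQuery or Cloud Storage, decided by which delivery config is set."""
    if sub.get("pushConfig", {}).get("pushEndpoint"):
        return "push"
    if sub.get("bigqueryConfig", {}).get("table"):
        return "bigquery"
    if sub.get("cloudStorageConfig", {}).get("bucket"):
        return "cloud_storage"
    return "pull"

def audit_subscription(sub):
    """Return findings a reviewer would want to look at for one subscription."""
    findings = []
    # API durations are strings such as "604800s"; 7 days is the default retention.
    retention = int(sub.get("messageRetentionDuration", "604800s").rstrip("s"))
    if sub.get("retainAckedMessages"):
        findings.append("acked messages are retained, so already-consumed data stays readable")
    if retention > 7 * 86400:
        findings.append(f"retention of {retention // 86400} days exceeds the 7-day default")
    # An expirationPolicy present but without a ttl means the subscription never expires.
    if "expirationPolicy" in sub and not sub["expirationPolicy"].get("ttl"):
        findings.append("subscription never expires")
    endpoint = sub.get("pushConfig", {}).get("pushEndpoint")
    if endpoint and not endpoint.startswith("https://"):
        findings.append(f"push endpoint is not HTTPS: {endpoint}")
    dlp = sub.get("deadLetterPolicy")
    if dlp:  # undelivered messages get a second home; maxDeliveryAttempts defaults to 5
        findings.append(f"undelivered messages are copied to {dlp['deadLetterTopic']} "
                        f"after {dlp.get('maxDeliveryAttempts', 5)} attempts")
    return findings

def audit_all(subs):
    """Map each subscription name to its delivery type and findings."""
    return {s["name"]: {"delivery": delivery_type(s), "findings": audit_subscription(s)} for s in subs}
```

Run `audit_all(SUBSCRIPTIONS)` on the sample: the pull subscription yields three findings (retained ACKs, 31-day retention, never expires) and the push subscription two (plain-HTTP endpoint, dead letter copy).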
A snapshot is a feature that captures the state of a subscription at a specific point in time. It is essentially a consistent backup of the unacknowledged messages in a subscription. By creating a snapshot, you preserve the message acknowledgment state of the subscription, allowing you to resume message consumption from the point the snapshot was taken, even after the original messages would have been otherwise deleted. If you are very lucky a snapshot could contain old sensitive information from when the snapshot was taken.
When creating a topic, you can indicate that the topic messages must follow a schema.
However, you may have better results asking for a larger set of data, including older messages. This has some prerequisites and could impact applications, so make sure you really know what you're doing.
Pub/Sub Lite is a messaging service with zonal storage. It costs a fraction of Pub/Sub and is meant for high-volume streaming pipelines (up to 10 million messages per second) and event-driven systems where low cost is the primary consideration.
Pub/Sub Lite has topics and subscriptions but no snapshots or schemas, and it adds:
Reservations: Pub/Sub Lite Reservations is a feature that allows users to reserve capacity in a specific region for their message streams.
Operations: Refers to the actions and tasks involved in managing and administering Pub/Sub Lite.