GCP - Secrets Manager Enum
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Google Secret Manager is a vault-like solution for storing passwords, API keys, certificates, files (max 64KB) and other sensitive data.
A secret can have different versions storing different data.
Secrets by default are encrypted using a Google managed key, but it's possible to select a key from KMS to use to encrypt the secret.
Regarding rotation, a secret can be configured to publish a message to a Pub/Sub topic every N days; the code subscribed to that topic is what actually rotates the secret (Secret Manager itself only sends the notification).
It's also possible to configure an expiration date (or TTL): when that day is reached, the secret is automatically deleted.
On the following page you can check how to abuse Secret Manager permissions to escalate privileges.
An attacker could update the secret to stop rotation (so the secret is no longer modified), make rotation much less frequent, publish the rotation message to a different Pub/Sub topic, or modify the rotation code itself. That code runs in a different service, probably a Cloud Function, so the attacker would need privileged access over the Cloud Function or whichever service performs the rotation.
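The settings described above (rotation period, Pub/Sub topic, CMEK key, expiration) are all visible in the secret's metadata, so a defender can audit them for exactly the changes listed. The following is an added example, not part of HackTricks or Google's tooling; it assumes the JSON shape returned by `gcloud secrets list --format=json` (fields `rotation.rotationPeriod`, `topics[].name`, `replication.*.customerManagedEncryption.kmsKeyName`, `expireTime`/`ttl`) and uses a constructed sample instead of a live project.

```python
"""Audit Secret Manager secret metadata for weakened rotation settings."""
import json

# Constructed sample: three secrets as `gcloud secrets list --format=json` describes them.
SAMPLE_SECRETS_JSON = json.dumps([
    {"name": "projects/123/secrets/db-password",
     "replication": {"automatic": {"customerManagedEncryption":
                     {"kmsKeyName": "projects/123/locations/global/keyRings/kr/cryptoKeys/k"}}},
     "rotation": {"rotationPeriod": "2592000s", "nextRotationTime": "2030-01-01T00:00:00Z"},
     "topics": [{"name": "projects/123/topics/secret-rotation"}]},
    {"name": "projects/123/secrets/api-key",
     "replication": {"automatic": {}},
     "rotation": {"rotationPeriod": "31536000s", "nextRotationTime": "2030-06-01T00:00:00Z"},
     "topics": [{"name": "projects/123/topics/unapproved-topic"}]},
    {"name": "projects/123/secrets/legacy-token",
     "replication": {"automatic": {}},
     "expireTime": "2030-12-31T00:00:00Z"},
])

def cmek_key(secret):
    """Return the KMS key name if the secret uses CMEK, else None (Google-managed key)."""
    rep = secret.get("replication", {})
    if "automatic" in rep:
        return rep["automatic"].get("customerManagedEncryption", {}).get("kmsKeyName")
    replicas = rep.get("userManaged", {}).get("replicas", [])
    keys = [r.get("customerManagedEncryption", {}).get("kmsKeyName") for r in replicas]
    return keys[0] if keys and all(keys) else None

def audit_secrets(secrets_json, allowed_topics, max_rotation_days=90):
    """Return {secret_id: [finding, ...]} for settings a reviewer would question."""
    findings = {}
    for s in json.loads(secrets_json):
        issues = []
        rot = s.get("rotation")
        if rot is None:
            issues.append("no rotation configured")
        else:  # rotationPeriod is a protobuf Duration rendered as "<seconds>s"
            days = float(rot["rotationPeriod"].rstrip("s")) / 86400
            if days > max_rotation_days:
                issues.append(f"rotation period {days:.0f}d exceeds {max_rotation_days}d")
        for t in s.get("topics", []):  # rotation messages must go to a known topic
            if t["name"] not in allowed_topics:
                issues.append(f"rotation messages go to unexpected topic {t['name']}")
        if cmek_key(s) is None:
            issues.append("encrypted with Google-managed key, not CMEK")
        if "expireTime" in s or "ttl" in s:
            issues.append("automatic deletion scheduled")
        if issues:
            findings[s["name"].rsplit("/", 1)[-1]] = issues
    return findings

if __name__ == "__main__":
    for sid, issues in audit_secrets(SAMPLE_SECRETS_JSON, {"projects/123/topics/secret-rotation"}).items():
        print(sid, issues)
```

Run it against real output by replacing the sample with the project's listing and the allowed-topic set with the topics your rotation function actually subscribes to.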