GCP - Federation Abuse

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

OIDC - Github Actions Abuse

GCP

Da bi se omogućio pristup Github Actions iz Github repozitorijuma GCP servisnom nalogu, potrebni su sledeći koraci:

Kreirajte servisni nalog za pristup iz github actions sa željеним dozvolama:

projectId=FIXME
gcloud config set project $projectId

# Create the Service Account
gcloud iam service-accounts create "github-demo-sa"
saId="github-demo-sa@${projectId}.iam.gserviceaccount.com"

# Enable the IAM Credentials API
gcloud services enable iamcredentials.googleapis.com

# Give permissions to SA

gcloud projects add-iam-policy-binding $projectId \
--member="serviceAccount:$saId" \
--role="roles/iam.securityReviewer"

Generišite novi identitetski bazen radnog opterećenja:

# Create a Workload Identity Pool
poolName=wi-pool

gcloud iam workload-identity-pools create $poolName \
--location global \
--display-name $poolName

poolId=$(gcloud iam workload-identity-pools describe $poolName \
--location global \
--format='get(name)')

Generišite novi workload identity pool OIDC provider koji veruje github akcijama (prema imenu org/repo u ovom scenariju):

attributeMappingScope=repository # could be sub (GitHub repository and branch) or repository_owner (GitHub organization)

gcloud iam workload-identity-pools providers create-oidc $poolName \
--location global \
--workload-identity-pool $poolName \
--display-name $poolName \
--attribute-mapping "google.subject=assertion.${attributeMappingScope},attribute.actor=assertion.actor,attribute.aud=assertion.aud,attribute.repository=assertion.repository" \
--issuer-uri "https://token.actions.githubusercontent.com"

providerId=$(gcloud iam workload-identity-pools providers describe $poolName \
--location global \
--workload-identity-pool $poolName \
--format='get(name)')

Na kraju, dozvolite principalu od provajdera da koristi servisni principal:

gitHubRepoName="repo-org/repo-name"
gcloud iam service-accounts add-iam-policy-binding $saId \
--role "roles/iam.workloadIdentityUser" \
--member "principalSet://iam.googleapis.com/${poolId}/attribute.${attributeMappingScope}/${gitHubRepoName}"

Obratite pažnju kako u prethodnom članu specifikujemo org-name/repo-name kao uslove za pristup servisnom nalogu (drugi parametri koji ga čine strožim kao što je grana takođe mogu biti korišćeni).

Međutim, takođe je moguće dozvoliti svima na github-u da pristupe servisnom nalogu kreiranjem provajdera kao što je sledeći koristeći wildcard:

# Kreirajte Workload Identity Pool
poolName=wi-pool2

gcloud iam workload-identity-pools create $poolName \
--location global \
--display-name $poolName

poolId=$(gcloud iam workload-identity-pools describe $poolName \
--location global \
--format='get(name)')

gcloud iam workload-identity-pools providers create-oidc $poolName \
--project="${projectId}" \
--location="global" \
--workload-identity-pool="$poolName" \
--display-name="Demo provider" \
--attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.aud=assertion.aud" \
--issuer-uri="https://token.actions.githubusercontent.com"

providerId=$(gcloud iam workload-identity-pools providers describe $poolName \
--location global \
--workload-identity-pool $poolName \
--format='get(name)')

# PROVERITE WILDCARD
gcloud iam service-accounts add-iam-policy-binding "${saId}" \
--project="${projectId}" \
--role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/${poolId}/*"

U ovom slučaju, svako bi mogao da pristupi servisnom nalogu iz github akcija, tako da je važno uvek proveriti kako je član definisan. Treba da bude uvek nešto poput ovoga:

attribute.{custom_attribute}:principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}

Github

Zapamtite da promenite ${providerId} i ${saId} za njihove odgovarajuće vrednosti:

name: Check GCP action
on:
workflow_dispatch:
pull_request:
branches:
- main

permissions:
id-token: write

jobs:
Get_OIDC_ID_token:
runs-on: ubuntu-latest
steps:
- id: 'auth'
name: 'Authenticate to GCP'
uses: 'google-github-actions/auth@v2.1.3'
with:
create_credentials_file: 'true'
workload_identity_provider: '${providerId}' # In the providerId, the numerical project ID (12 digit number) should be used
service_account: '${saId}'                  # instead of the alphanumeric project ID. ex:
activate_credentials_file: true             # projects/123123123123/locations/global/workloadIdentityPools/iam-lab-7-gh-pool/providers/iam-lab-7-gh-pool-oidc-provider'
- id: 'gcloud'
name: 'gcloud'
run: |-
gcloud config set project <project-id>
gcloud config set account '${saId}'
gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"
gcloud auth list
gcloud projects list
gcloud secrets list

Podržite HackTricks

Proverite planove pretplate!
Pridružite se 💬 Discord grupi ili telegram grupi ili pratite nas na Twitteru 🐦 @hacktricks_live.
Podelite hakerske trikove slanjem PR-ova na HackTricks i HackTricks Cloud github repozitorijume.

PreviousGCP - Basic Information NextGCP - Permissions for a Pentest

Last updated 3 days ago