This is an update to my previous blog post, which documented a mechanism for GCP Org Policy Bypass using custom metadata on compute instances.
Google makes use of custom metadata to authorize access to AI Notebooks and their web UIs.
Individuals granted access via custom metadata need not have any IAM permissions on the compute instance, on the service account running the Notebook, or even be a member of the Organization. Authorization via custom metadata bypasses a specific Organization Policy Constraint which restricts cross-domain resource sharing.
This vulnerability was awarded $1337.00 by the Google VRP Review Panel.
On January 27, 2021, a major, potentially breaking change is coming to GCP. If you’re using the default service account as the backing identity for several of GCP’s data science PaaS services, the end user will be required to have the .actAs permission on the default service account.
It’s ultimately Cloud IAM Permissions which grant access to resources. However, in GCP you do not and cannot assign individual permissions to an Identity. Instead, permissions are grouped together to form Roles. It’s the Role, not the permission, that is granted to an Identity.
Sometimes a Role will only contain a single permission; other times it will contain hundreds of permissions so that the Role can enable some broader functionality.
Users and Groups are two types of identities which can be assigned IAM Roles in GCP. When Users and Groups are members in an IAM Policy, they are referenced by their email addresses.
Service Accounts are non-human identities used for Infrastructure and Resources. Service Accounts do not have passwords. You can optionally generate and export a Private Key for a Service Account, but you’ll only want to do this when you need to enable an external integration, that is, authenticated API calls to your Resources.
Resources in Google Cloud are organized into a hierarchy, with each level or node of this structure being called a Resource. At the top of the hierarchy is the Organization, followed by any number of nested Folders which then house Projects. At the lowest level of the hierarchy are the widgets that compose a GCP Project, things like a Pub/Sub topic, Cloud Compute instance or Cloud Storage bucket.
GCP’s model for managing access to resources has three main parts: Who, What Role and the Resource.
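As an added example (not code from the original post), the toy resolver below walks that Who / What Role / Resource model: the role contents, bindings, group membership and resource ancestry are all constructed illustrations, and it goes a step beyond the text by applying the Organization to Folder to Project inheritance of IAM policy.

```python
"""Toy resolver for GCP's Who / What Role / Resource model (added example)."""
from typing import Any, Dict, List, Set

# Constructed subset of role -> permissions. Only a Role is ever bound to an
# identity; its permissions come along with it. Real roles are far larger.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/compute.viewer": {"compute.instances.get", "compute.instances.list"},
    "roles/compute.instanceAdmin.v1": {
        "compute.instances.get", "compute.instances.list",
        "compute.instances.setMetadata", "compute.instances.delete",
    },
}

# Constructed bindings per resource node, members written as type:email.
POLICIES: Dict[str, List[Dict[str, Any]]] = {
    "organizations/111": [
        {"role": "roles/compute.viewer", "members": ["group:platform@example.com"]},
    ],
    "folders/222": [],
    "projects/demo-project": [
        {"role": "roles/compute.instanceAdmin.v1", "members": [
            "user:alice@example.com",
            "serviceAccount:notebook@demo-project.iam.gserviceaccount.com",
        ]},
    ],
}
# Constructed group membership; a Group binding applies to each of its members.
GROUPS: Dict[str, Set[str]] = {"group:platform@example.com": {"user:bob@example.com"}}
# Ancestry of the project, leaf first. IAM policy is inherited downward, so the
# effective bindings on a node are its own plus those of every ancestor.
ANCESTRY: List[str] = ["projects/demo-project", "folders/222", "organizations/111"]

def principals_for(member: str) -> Set[str]:
    """The member itself plus every group it belongs to."""
    return {member} | {g for g, users in GROUPS.items() if member in users}

def effective_roles(member: str, ancestry: List[str] = ANCESTRY) -> Set[str]:
    """Roles bound to `member` (directly or via a Group) at any node in `ancestry`."""
    who = principals_for(member)
    return {b["role"] for node in ancestry for b in POLICIES.get(node, [])
            if who & set(b["members"])}

def has_permission(member: str, permission: str,
                   ancestry: List[str] = ANCESTRY) -> bool:
    """True when some effective Role carries `permission`; permissions are
    never granted on their own."""
    return any(permission in ROLE_PERMISSIONS.get(r, set())
               for r in effective_roles(member, ancestry))
```

Passing a shorter ancestry (e.g. only the project) shows how much of a member's access is actually inherited from Folder or Organization level bindings.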