GCP - Generic Permissions Privesc

Reading time: 2 minutes

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Generic Interesting Permissions

*.setIamPolicy

If you owns a user that has the setIamPolicy permission in a resource you can escalate privileges in that resource because you will be able to change the IAM policy of that resource and give you more privileges over it.
This permission can also allow to escalate to other principals if the resource allow to execute code and the iam.ServiceAccounts.actAs is not necessary.

cloudfunctions.functions.setIamPolicy
- Modify the policy of a Cloud Function to allow yourself to invoke it.

There are tens of resources types with this kind of permission, you can find all of them in https://cloud.google.com/iam/docs/permissions-reference searching for setIamPolicy.

.create, .update

These permissions can be very useful to try to escalate privileges in resources by creating a new one or updating a new one. These can of permissions are specially useful if you also has the permission iam.serviceAccounts.actAs over a Service Account and the resource you have .create/.update over can attach a service account.

ServiceAccount

This permission will usually let you access or modify a Service Account in some resource (e.g.: compute.instances.setServiceAccount). This could lead to a privilege escalation vector, but it will depend on each case.

tip