GCP - Federation Abuse

Tip

Jifunze na ufanye mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na ufanye mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na ufanye mazoezi ya Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Saidia HackTricks

• Angalia the subscription plans!
• Jiunge na 💬 Discord group au the telegram group au utufuate kwenye Twitter 🐦 @hacktricks_live.
• Shiriki hacking tricks kwa kutuma PRs kwa HackTricks and HackTricks Cloud github repos.

OIDC - Github Actions Abuse

GCP

Ili kutoa ufikiaji kwa Github Actions kutoka kwa repo ya Github kwa akaunti ya huduma ya GCP hatua zifuatazo zinahitajika:

• Unda Akaunti ya Huduma ili kufikia kutoka kwa github actions ikiwa na idhini zinazohitajika:

projectId=FIXME
gcloud config set project $projectId

# Create the Service Account
gcloud iam service-accounts create "github-demo-sa"
saId="github-demo-sa@${projectId}.iam.gserviceaccount.com"

# Enable the IAM Credentials API
gcloud services enable iamcredentials.googleapis.com

# Give permissions to SA

gcloud projects add-iam-policy-binding $projectId \
--member="serviceAccount:$saId" \
--role="roles/iam.securityReviewer"

• Tengeneza maktaba mpya ya utambulisho wa kazi:

# Create a Workload Identity Pool
poolName=wi-pool

gcloud iam workload-identity-pools create $poolName \
--location global \
--display-name $poolName

poolId=$(gcloud iam workload-identity-pools describe $poolName \
--location global \
--format='get(name)')

• Tengeneza mto wa utambulisho wa kazi mpya OIDC ambao unatumia github actions (kwa jina la org/repo katika hali hii):

attributeMappingScope=repository # could be sub (GitHub repository and branch) or repository_owner (GitHub organization)

gcloud iam workload-identity-pools providers create-oidc $poolName \
--location global \
--workload-identity-pool $poolName \
--display-name $poolName \
--attribute-mapping "google.subject=assertion.${attributeMappingScope},attribute.actor=assertion.actor,attribute.aud=assertion.aud,attribute.repository=assertion.repository" \
--issuer-uri "https://token.actions.githubusercontent.com"

providerId=$(gcloud iam workload-identity-pools providers describe $poolName \
--location global \
--workload-identity-pool $poolName \
--format='get(name)')

• Hatimaye, ruhusu mkuu kutoka kwa mtoa huduma kutumia mkuu wa huduma:

gitHubRepoName="repo-org/repo-name"
gcloud iam service-accounts add-iam-policy-binding $saId \
--role "roles/iam.workloadIdentityUser" \
--member "principalSet://iam.googleapis.com/${poolId}/attribute.${attributeMappingScope}/${gitHubRepoName}"

Warning

Kumbuka jinsi katika mwanachama wa awali tunavyobainisha org-name/repo-name kama masharti ya kuweza kufikia akaunti ya huduma (paramu nyingine zinazofanya iwe zaidi ya ukali kama tawi pia zinaweza kutumika).

Hata hivyo, inawezekana pia kuruhusu github yote kufikia akaunti ya huduma kwa kuunda mtoa huduma kama ifuatavyo kwa kutumia wildcard:

# Create a Workload Identity Pool
poolName=wi-pool2

gcloud iam workload-identity-pools create $poolName \
--location global \
--display-name $poolName

poolId=$(gcloud iam workload-identity-pools describe $poolName \
--location global \
--format='get(name)')

gcloud iam workload-identity-pools providers create-oidc $poolName \
--project="${projectId}" \
--location="global" \
--workload-identity-pool="$poolName" \
--display-name="Demo provider" \
--attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.aud=assertion.aud" \
--issuer-uri="https://token.actions.githubusercontent.com"

providerId=$(gcloud iam workload-identity-pools providers describe $poolName \
--location global \
--workload-identity-pool $poolName \
--format='get(name)')

# CHECK THE WILDCARD
gcloud iam service-accounts add-iam-policy-binding "${saId}" \
--project="${projectId}" \
--role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/${poolId}/*"

Warning

Katika kesi hii mtu yeyote anaweza kufikia akaunti ya huduma kutoka github actions, hivyo ni muhimu kila wakati kuangalia jinsi mwanachama anavyofafanuliwa.
Inapaswa kuwa kila wakati kitu kama hiki:

attribute.{custom_attribute}:principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}

Github

Kumbuka kubadilisha ${providerId} na ${saId} kwa thamani zao zinazofaa:

name: Check GCP action
on:
workflow_dispatch:
pull_request:
branches:
- main

permissions:
id-token: write

jobs:
Get_OIDC_ID_token:
runs-on: ubuntu-latest
steps:
- id: "auth"
name: "Authenticate to GCP"
uses: "google-github-actions/auth@v2.1.3"
with:
create_credentials_file: "true"
workload_identity_provider: "${providerId}" # In the providerId, the numerical project ID (12 digit number) should be used
service_account: "${saId}" # instead of the alphanumeric project ID. ex:
activate_credentials_file: true # projects/123123123123/locations/global/workloadIdentityPools/iam-lab-7-gh-pool/providers/iam-lab-7-gh-pool-oidc-provider'
- id: "gcloud"
name: "gcloud"
run: |-
gcloud config set project <project-id>
gcloud config set account '${saId}'
gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"
gcloud auth list
gcloud projects list
gcloud secrets list

Tip

Jifunze na ufanye mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na ufanye mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na ufanye mazoezi ya Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Saidia HackTricks

• Angalia the subscription plans!
• Jiunge na 💬 Discord group au the telegram group au utufuate kwenye Twitter 🐦 @hacktricks_live.
• Shiriki hacking tricks kwa kutuma PRs kwa HackTricks and HackTricks Cloud github repos.