HackTricks CloudGCP - 联邦滥用
Tip
学习和实践 AWS 黑客技术:
HackTricks Training AWS Red Team Expert (ARTE)
学习和实践 GCP 黑客技术:HackTricks Training GCP Red Team Expert (GRTE)
HackTricks Training Azure Red Team Expert (AzRTE)
支持 HackTricks
- 查看 订阅计划!
- 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live.
- 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。
OIDC - Github Actions 滥用
GCP
为了从 Github 仓库向 GCP 服务账户 提供 Github Actions 的 访问权限,需要以下步骤:
- 创建服务账户 以便从 github actions 访问,并赋予 所需权限:
projectId=FIXME
gcloud config set project $projectId
# Create the Service Account
gcloud iam service-accounts create "github-demo-sa"
saId="github-demo-sa@${projectId}.iam.gserviceaccount.com"
# Enable the IAM Credentials API
gcloud services enable iamcredentials.googleapis.com
# Give permissions to SA
gcloud projects add-iam-policy-binding $projectId \
--member="serviceAccount:$saId" \
--role="roles/iam.securityReviewer"
- 生成一个 新的工作负载身份池:
# Create a Workload Identity Pool
poolName=wi-pool
gcloud iam workload-identity-pools create $poolName \
--location global \
--display-name $poolName
poolId=$(gcloud iam workload-identity-pools describe $poolName \
--location global \
--format='get(name)')
- 生成一个新的 workload identity pool OIDC 提供者,该提供者 信任 github actions(在此场景中按 org/repo 名称):
attributeMappingScope=repository # could be sub (GitHub repository and branch) or repository_owner (GitHub organization)
gcloud iam workload-identity-pools providers create-oidc $poolName \
--location global \
--workload-identity-pool $poolName \
--display-name $poolName \
--attribute-mapping "google.subject=assertion.${attributeMappingScope},attribute.actor=assertion.actor,attribute.aud=assertion.aud,attribute.repository=assertion.repository" \
--issuer-uri "https://token.actions.githubusercontent.com"
providerId=$(gcloud iam workload-identity-pools providers describe $poolName \
--location global \
--workload-identity-pool $poolName \
--format='get(name)')
- 最后,允许提供者的主体使用服务主体:
gitHubRepoName="repo-org/repo-name"
gcloud iam service-accounts add-iam-policy-binding $saId \
--role "roles/iam.workloadIdentityUser" \
--member "principalSet://iam.googleapis.com/${poolId}/attribute.${attributeMappingScope}/${gitHubRepoName}"
Warning
注意在前面的成员中,我们将
org-name/repo-name作为访问服务账户的条件(其他使其 更严格 的参数,如分支,也可以使用)。然而,也可以通过创建如下使用通配符的提供者来 允许所有 github 访问 服务账户:
# 创建一个工作负载身份池
poolName=wi-pool2
gcloud iam workload-identity-pools create $poolName \
--location global \
--display-name $poolName
poolId=$(gcloud iam workload-identity-pools describe $poolName \
--location global \
--format='get(name)')
gcloud iam workload-identity-pools providers create-oidc $poolName \
--project="${projectId}" \
--location="global" \
--workload-identity-pool="$poolName" \
--display-name="Demo provider" \
--attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.aud=assertion.aud" \
--issuer-uri="https://token.actions.githubusercontent.com"
providerId=$(gcloud iam workload-identity-pools providers describe $poolName \
--location global \
--workload-identity-pool $poolName \
--format='get(name)')
# 检查通配符
gcloud iam service-accounts add-iam-policy-binding "${saId}" \
--project="${projectId}" \
--role="roles/iam.workloadIdentityUser" \
--member="principalSet://iam.googleapis.com/${poolId}/*"
Warning
在这种情况下,任何人都可以通过 github actions 访问服务账户,因此始终 检查成员的定义 是很重要的。
它应该始终是这样的:
attribute.{custom_attribute}:principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}
Github
记得将 ${providerId} 和 ${saId} 替换为它们各自的值:
name: Check GCP action
on:
workflow_dispatch:
pull_request:
branches:
- main
permissions:
id-token: write
jobs:
Get_OIDC_ID_token:
runs-on: ubuntu-latest
steps:
- id: "auth"
name: "Authenticate to GCP"
uses: "google-github-actions/auth@v2.1.3"
with:
create_credentials_file: "true"
workload_identity_provider: "${providerId}" # In the providerId, the numerical project ID (12 digit number) should be used
service_account: "${saId}" # instead of the alphanumeric project ID. ex:
activate_credentials_file: true # projects/123123123123/locations/global/workloadIdentityPools/iam-lab-7-gh-pool/providers/iam-lab-7-gh-pool-oidc-provider'
- id: "gcloud"
name: "gcloud"
run: |-
gcloud config set project <project-id>
gcloud config set account '${saId}'
gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"
gcloud auth list
gcloud projects list
gcloud secrets list
Tip
学习和实践 AWS 黑客技术:
学习和实践 GCP 黑客技术:支持 HackTricks
- 查看 订阅计划!
- 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live.
- 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。