
GCP: Impersonation of service accounts

Open christophetd opened this issue 2 years ago • 2 comments

Source: https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#service-account-impersonation

Possibilities of what to implement:

  • Successfully impersonate a single service account
  • Fail to impersonate a single service account
  • Attempt to impersonate all service accounts in the project
for serviceaccount in $(gcloud iam service-accounts list --format="table[no-heading](email)"); do
    gcloud compute instances list --impersonate-service-account "$serviceaccount"
done

Sample event for a successful impersonation:

{
  "resource": {
    "labels": {
      "email_id": "[email protected]",
      "project_id": "sandbox",
      "unique_id": "..."
    },
    "type": "service_account"
  },
  "severity": "INFO",
  "receiveTimestamp": "2022-07-28T08:59:32.822473467Z",
  "insertId": "ktje26e5z6wg",
  "logName": "projects/sandbox/logs/cloudaudit.googleapis.com%2Fdata_access",
  "timestamp": "2022-07-28T08:59:32.539271531Z",
  "protoPayload": {
    "authorizationInfo": [
      {
        "granted": true,
        "permission": "iam.serviceAccounts.getAccessToken"
      }
    ],
    "request": {
      "@type": "type.googleapis.com/google.iam.credentials.v1.GenerateAccessTokenRequest",
      "name": "projects/-/serviceAccounts/[email protected]"
    },
    "requestMetadata": {
      "requestAttributes": {
        "time": "2022-07-28T08:59:32.54741667Z"
      }
    },
    "resourceName": "projects/-/serviceAccounts/114334763556861354561",
    "authenticationInfo": {
      "principalSubject": "user:[email protected]",
      "principalEmail": "[email protected]"
    },
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "serviceName": "iamcredentials.googleapis.com",
    "metadata": {
      "identityDelegationChain": [
        "projects/-/serviceAccounts/[email protected]"
      ]
    }
  },
  "operation": {
    "last": true,
    "id": "14715799256875171930",
    "producer": "iamcredentials.googleapis.com",
    "first": true
  }
}

Sample event for an unsuccessful impersonation - interestingly enough, the principal who attempted to impersonate the service account isn't listed:

{
  "resource": {
    "labels": {
      "email_id": "[email protected]",
      "project_id": "sandbox",
      "unique_id": "..."
    },
    "type": "service_account"
  },
  "severity": "ERROR",
  "receiveTimestamp": "2022-07-28T09:02:58.909118806Z",
  "insertId": "ktje26e5zc7e",
  "logName": "projects/sandbox/logs/cloudaudit.googleapis.com%2Fdata_access",
  "timestamp": "2022-07-28T09:02:57.847091649Z",
  "protoPayload": {
    "status": {
      "code": 7
    },
    "authorizationInfo": [
      {
        "permission": "iam.serviceAccounts.getAccessToken"
      }
    ],
    "request": {
      "@type": "type.googleapis.com/google.iam.credentials.v1.GenerateAccessTokenRequest",
      "name": "projects/-/serviceAccounts/[email protected]"
    },
    "requestMetadata": {
      "requestAttributes": {
        "time": "2022-07-28T09:02:57.859128848Z"
      }
    },
    "resourceName": "projects/-/serviceAccounts/....",
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "serviceName": "iamcredentials.googleapis.com",
    "metadata": {
      "identityDelegationChain": [
        "projects/-/serviceAccounts/[email protected]"
      ]
    }
  },
  "operation": {
    "last": true,
    "id": "2478110953621991013",
    "producer": "iamcredentials.googleapis.com",
    "first": true
  }
}

https://cloud.google.com/logging/docs/audit#user-id

For privacy reasons, the caller's principal email address is redacted from an audit log if the operation is read-only and fails with a "permission denied" error. The only exception is when the caller is a service account in the Google Cloud organization associated with the resource; in this case, the email address isn't redacted.

christophetd avatar Jul 28 '22 09:07 christophetd

Also include how to identify who has access to create the token

christophetd avatar Aug 03 '22 12:08 christophetd
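Added example for the "who has access to create the token" point above; this is not code from this issue or from stratus-red-team. It answers the question offline from IAM policy documents in the shape `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json` return, and from a role-to-permissions map. The permission sets for `roles/iam.serviceAccountTokenCreator` and `roles/iam.serviceAccountUser` are as documented by Google (the first carries `iam.serviceAccounts.getAccessToken`, the second only `actAs`); the custom role `projects/sandbox/roles/tokenMinter`, the member names and both policies are constructed for the example. Unknown roles raise rather than being treated as harmless, because `roles/owner` and custom roles have to be checked with `gcloud iam roles describe ROLE --format=json` (`includedPermissions`) rather than guessed.

```python
"""Who can call GenerateAccessToken on each service account in a project?

Combines the project-level IAM policy (bindings there apply to every SA in the
project, the same way folder/org bindings would) with each SA's own policy.
Added example, not stratus-red-team code; all policies below are constructed.
"""
TOKEN_PERMISSION = "iam.serviceAccounts.getAccessToken"

# Role -> permissions. Predefined roles as documented; the custom role is
# constructed. Pull real roles with `gcloud iam roles describe ROLE --format=json`.
ROLE_PERMISSIONS = {
    "roles/iam.serviceAccountTokenCreator": {
        "iam.serviceAccounts.getAccessToken", "iam.serviceAccounts.getOpenIdToken",
        "iam.serviceAccounts.implicitDelegation", "iam.serviceAccounts.signBlob",
        "iam.serviceAccounts.signJwt"},
    "roles/iam.serviceAccountUser": {
        "iam.serviceAccounts.actAs", "iam.serviceAccounts.get", "iam.serviceAccounts.list"},
    "projects/sandbox/roles/tokenMinter": {"iam.serviceAccounts.getAccessToken"},  # constructed
}


def binding_grants_token(binding, role_permissions=ROLE_PERMISSIONS):
    """True if the binding's role carries getAccessToken; unknown roles are an error."""
    role = binding["role"]
    if role not in role_permissions:
        raise KeyError(f"no permission list for {role}; fetch it with gcloud iam roles describe")
    return TOKEN_PERMISSION in role_permissions[role]


def token_creators(project_policy, sa_policies, role_permissions=ROLE_PERMISSIONS):
    """Return {sa_email: {member: where_granted}}.

    Conditional bindings are still reported, marked "(conditional)", because a
    CEL condition may hold at the time of the attack even if it does not now.
    """
    result = {sa: {} for sa in sa_policies}

    def record(sa, binding, scope):
        tag = scope + (" (conditional)" if "condition" in binding else "")
        for member in binding.get("members", []):
            result[sa].setdefault(member, tag)  # keep the broadest (first) grant seen

    for binding in project_policy.get("bindings", []):
        if binding_grants_token(binding, role_permissions):
            for sa in sa_policies:
                record(sa, binding, "project")
    for sa, policy in sa_policies.items():
        for binding in policy.get("bindings", []):
            if binding_grants_token(binding, role_permissions):
                record(sa, binding, "service-account")
    return result


# Constructed policies, shaped like `gcloud ... get-iam-policy --format=json` output.
PROJECT_POLICY = {"bindings": [
    {"role": "roles/iam.serviceAccountTokenCreator", "members": ["user:alice@example.com"]},
    {"role": "roles/iam.serviceAccountUser", "members": ["user:bob@example.com"]},
]}
SA_POLICIES = {
    "sa-a@sandbox.iam.gserviceaccount.com": {"bindings": [
        {"role": "projects/sandbox/roles/tokenMinter",
         "members": ["user:carol@example.com"],
         "condition": {"title": "office hours",
                       "expression": "request.time.getHours('UTC') < 18"}},
    ]},
    "sa-b@sandbox.iam.gserviceaccount.com": {"bindings": []},
}

if __name__ == "__main__":
    for sa, members in token_creators(PROJECT_POLICY, SA_POLICIES).items():
        print(sa, members)
```

Bob, who only holds `roles/iam.serviceAccountUser`, never appears: `actAs` lets him attach the SA to a resource, not mint a token for it, which is a different (and separately logged) path.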

Note: We can use IP / user agent for potential detections even if there is no identity

christophetd avatar Aug 03 '22 12:08 christophetd
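Added example covering both the sample events in the issue body and the IP / user-agent note above; it is not code from this issue or from stratus-red-team. It normalizes `iamcredentials.googleapis.com` audit entries for `GenerateAccessToken`, treats a missing `status` as success and `status.code` 7 (`PERMISSION_DENIED`) as failure, keeps `principalEmail` as `None` when Cloud Audit Logs redacted it, and falls back to `requestMetadata.callerIp` / `callerSuppliedUserAgent` (real audit-log fields, though absent from the trimmed samples on this page) to group a burst of failed attempts against many service accounts, which is what the loop in the issue body produces. The entries are constructed, trimmed to the fields used, and mirror the two events above; emails and IPs are made up.

```python
"""Detect service-account impersonation (GenerateAccessToken) in GCP audit logs,
including mass attempts where the caller's identity is redacted.

Added example, not stratus-red-team code. Sample entries are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone

PERMISSION = "iam.serviceAccounts.getAccessToken"
SA = "projects/-/serviceAccounts/"


def parse_ts(s):
    """RFC 3339 with nanoseconds, as Cloud Logging writes it; keep microseconds."""
    head, _, frac = s.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6])
    return datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(
        tzinfo=timezone.utc, microsecond=micro)


def classify(entry):
    """Normalize a GenerateAccessToken audit entry; None for anything else."""
    p = entry.get("protoPayload", {})
    if p.get("serviceName") != "iamcredentials.googleapis.com":
        return None
    if PERMISSION not in {a.get("permission") for a in p.get("authorizationInfo", [])}:
        return None
    meta = p.get("requestMetadata", {})
    return {
        "timestamp": parse_ts(entry["timestamp"]),
        "target": p.get("request", {}).get("name"),
        # status is absent on success; code 7 is google.rpc.Code PERMISSION_DENIED
        "success": p.get("status", {}).get("code", 0) == 0,
        # None when the caller was redacted (failed read-only call, see audit#user-id)
        "principal": p.get("authenticationInfo", {}).get("principalEmail"),
        "caller_ip": meta.get("callerIp"),
        "user_agent": meta.get("callerSuppliedUserAgent"),
    }


def actor_key(rec):
    """Identity when logged; otherwise the IP / user-agent pair suggested above."""
    return rec["principal"] or f"ip={rec['caller_ip']} ua={rec['user_agent']}"


def find_enumeration(entries, window_seconds=60, min_targets=3):
    """Alert on actors that hit >= min_targets distinct SAs within window_seconds."""
    by_actor = defaultdict(list)
    for rec in filter(None, map(classify, entries)):
        by_actor[actor_key(rec)].append(rec)
    alerts = []
    for actor, recs in by_actor.items():
        recs.sort(key=lambda r: r["timestamp"])
        for i, first in enumerate(recs):
            in_window = [r for r in recs[i:]
                         if (r["timestamp"] - first["timestamp"]).total_seconds() <= window_seconds]
            targets = {r["target"] for r in in_window}
            if len(targets) >= min_targets:
                alerts.append({"actor": actor, "targets": sorted(targets),
                               "failures": sum(not r["success"] for r in in_window)})
                break
    return alerts


def _entry(ts, sa, principal=None, ip=None, ua=None, denied=False):
    """Build a constructed entry with the same shape as the samples in the issue."""
    payload = {
        "serviceName": "iamcredentials.googleapis.com",
        "authorizationInfo": [{"permission": PERMISSION, **({} if denied else {"granted": True})}],
        "request": {"name": SA + sa},
        "requestMetadata": {k: v for k, v in (("callerIp", ip), ("callerSuppliedUserAgent", ua)) if v},
    }
    if denied:
        payload["status"] = {"code": 7}
    else:
        payload["authenticationInfo"] = {"principalEmail": principal}
    return {"timestamp": ts, "protoPayload": payload}


SAMPLE_ENTRIES = [
    # one successful impersonation by a logged principal (mirrors the first event)
    _entry("2022-07-28T08:59:32.539271531Z", "sa-a@sandbox.iam.gserviceaccount.com",
           principal="alice@example.com", ip="198.51.100.4", ua="gcloud"),
    # one denied attempt with the caller redacted (mirrors the second event)
    _entry("2022-07-28T09:02:57.847091649Z", "sa-a@sandbox.iam.gserviceaccount.com", denied=True),
    # the loop from the issue: denied attempts against every SA, same IP/UA, seconds apart
    _entry("2022-07-28T09:10:01.000000000Z", "sa-a@sandbox.iam.gserviceaccount.com",
           denied=True, ip="203.0.113.7", ua="gcloud"),
    _entry("2022-07-28T09:10:02.000000000Z", "sa-b@sandbox.iam.gserviceaccount.com",
           denied=True, ip="203.0.113.7", ua="gcloud"),
    _entry("2022-07-28T09:10:03.000000000Z", "sa-c@sandbox.iam.gserviceaccount.com",
           denied=True, ip="203.0.113.7", ua="gcloud"),
]

if __name__ == "__main__":
    for alert in find_enumeration(SAMPLE_ENTRIES):
        print(alert)
```

The single redacted failure groups under `ip=None ua=None` and does not alert on its own; in production the `callerIp` and `callerSuppliedUserAgent` fields are populated, so the burst from one address is what trips the threshold even though no `principalEmail` is present.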

Addressed by #155

christophetd avatar Jan 31 '23 13:01 christophetd