| Musings | https://kattraxler.github.io/ |
| SANS SEC549 | https://www.sans.org/cyber-security-courses/enterprise-cloud-security-architecture/ |
| Birdsite | https://twitter.com/NightmareJS |

✨ There is no Magic Minute ✨
Every Wednesday I break down some topic in Cloud Security.
This week is a continuation from last.
🚀 GCP User Defaults Part 2 🚀
Did you know I launched a weekly YouTube series?
Weird, I know.
Every Wednesday, always under 60 seconds
I don’t post here nearly enough.
But let me catch you up: I had an absolutely epic time taking part in the inaugural fwd:CloudSec in Europe.
Making new connections across the pond that will spark so much collaboration and research!
It’s kind of embarrassing but yeah, here’s my TikTok:
https://www.tiktok.com/@thereisnomagicminute?_t=8pcgxx5i2aQ&_r=1
I’m launching a new short-form web series
🪄 There is no Magic Minute 🪄
Launching every Wednesday starting August 28th
NSA tracks Google ads to find Tor users
Link: https://www.cnet.com/news/privacy/nsa-tracks-google-ads-to-find-tor-users/
Discussion: https://news.ycombinator.com/item?id=41274507
It’s happening ✨
The search for transitive access abuse begins at #fwdcloudsecEU this September
🌶️🌶️🌶️
Service Agents are the ‘per-project, per-product’ machine identity in Google Cloud. When Cloud Build deploys a container or writes a container to a registry, it's the Service Agent that enables this service-to-service auth. In this talk, we'll hoist Service Agents on a lift and inspect their undercarriage, questioning why Google Cloud frequently sets their auto-assigned permissions to admin level yet positions them as inconsequential. We’ll challenge the perception that Service Agents are inherently safe, shattering the party line that their administrative power is without the potential for abuse by a malicious actor in the project. The audience will learn about transitive access techniques, revealing how Service Agents' permissions can be exploited to manipulate services and data, even without direct resource access. I will make these risks concrete by releasing a case of Service Agent abuse resulting in data exfiltration, bypassing the need for explicit Storage permissions. Using the transitivity principle, I will demonstrate how service functionality puts the end user in the driver's seat, directing a Service Agent's actions to achieve unauthorized data access. Attendees will ride to the underbelly of Google Cloud's machine identity ecosystem, where assumptions are confronted, and the security implications may reshape their understanding of Service Agents. Please keep all hands and feet inside the moving vehicle at all times.
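The abstract above argues that Service Agents arrive with admin-level, auto-assigned roles that defenders rarely review. A first step toward managing that risk is simply finding every Service Agent binding in a project's IAM policy and ranking it by how broad the role is. The script below is an added example, not code from the post or the talk: it parses a constructed IAM policy shaped like the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns. The Service Agent e-mail patterns (`service-PROJECT_NUMBER@…iam.gserviceaccount.com` and `PROJECT_NUMBER@cloudbuild.gserviceaccount.com`) and the role-name heuristics are assumptions of this example, and the project number and member addresses are made up.

```python
import json
import re

# Constructed sample policy (not from the page), shaped like the output of
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/cloudbuild.serviceAgent",
     "members": ["serviceAccount:service-123456789012@gcp-sa-cloudbuild.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:service-123456789012@gcf-admin-robot.iam.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["user:bob@example.com"]}
  ],
  "etag": "BwXyzExample",
  "version": 1
}
""")

# Assumed naming patterns for Google-managed Service Agents. Adjust if your
# project shows agents under other domains.
SERVICE_AGENT_PATTERNS = [
    re.compile(r"^serviceAccount:service-\d+@[\w.-]+\.iam\.gserviceaccount\.com$"),
    re.compile(r"^serviceAccount:\d+@cloudbuild\.gserviceaccount\.com$"),
]

# Primitive roles that grant sweeping access across the whole project.
BROAD_ROLES = {"roles/owner", "roles/editor"}


def is_service_agent(member: str) -> bool:
    """True if the IAM member string looks like a Google-managed Service Agent."""
    return any(p.match(member) for p in SERVICE_AGENT_PATTERNS)


def classify_role(role: str) -> str:
    """Heuristic on the role *name* only.

    'broad'  - primitive owner/editor roles
    'admin'  - any role whose name ends in 'admin' (e.g. roles/storage.admin)
    'review' - everything else, including *.serviceAgent roles, whose real
               permission list should be read with `gcloud iam roles describe ROLE`
    """
    if role in BROAD_ROLES:
        return "broad"
    if role.lower().endswith("admin"):
        return "admin"
    return "review"


def audit_service_agents(policy: dict) -> list:
    """Return every Service Agent binding, most concerning first."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if is_service_agent(member):
                findings.append({"member": member, "role": role,
                                 "finding": classify_role(role)})
    order = {"broad": 0, "admin": 1, "review": 2}
    findings.sort(key=lambda f: (order[f["finding"]], f["member"], f["role"]))
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_POLICY with json.load(open("policy.json")) for a real export.
    print(json.dumps(audit_service_agents(SAMPLE_POLICY), indent=2))
```

Bindings tagged `review` are not automatically safe: the abstract's point is that a `*.serviceAgent` role can carry admin-level permissions under an innocuous name, so each one deserves a look at its permission list, and at which project members can drive the service that agent acts for.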