- Try some mitigation methods from the slide
- Try Webauthn
- Try Keyless (within Cloud)
- Assign temporary role via IAM Condition on Google Cloud
- (Optional) Try Least Privilege on Google Cloud
- Network Restriction to Google Cloud API via VPC Service Controls
- Caution: Org-level permission is required
- Caution: GitHub supports WebAuthn, so you can try it there
- Register your key
- Login via WebAuthn (Windows Hello, Touch/Face ID)
- You can make a new GCE instance from here
- Machine Type: e2-micro
- Service Account: any SA is fine
- SSH to the instance (Open in browser window)
- Confirm Metadata (Ref: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#applications)
- You can get the SA's temporary token from the metadata endpoint
- (This is the token an SSRF attack steals)
```sh
# Confirm Token (expire: 3600sec)
$ curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google"
# Get the token info
$ curl "https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=ya29.c.b0AXv0zTODIOa_oxONq..."
{
  "issued_to": "*",
  "audience": "*",
  "scope": "*",
  "expires_in": 3245,
  "access_type": "online"
}
```
- Service Account: training-sa (You created it in 0.preparation)
- IAM configuration: https://console.cloud.google.com/iam-admin/iam
- You will use the SA later, so please don't set an expiration date that is too close
- A Google Compute Engine instance has an identity on Google Cloud, so it can obtain a temporary token through the metadata service without any static key
- The purpose is to understand IAM
- Go to your project on Google Cloud
- https://console.cloud.google.com/iam-admin/serviceaccounts
- You can try to make a custom role on https://console.cloud.google.com/iam-admin/roles
- You can try to make
- https://console.cloud.google.com/iam-admin/serviceaccounts