Conditions should be set on workload identity pool providers
Severity | Exploitability | Providers | Categories |
---|---|---|---|
HIGH | LOW | Google Cloud Provider | PERMISSION, SECRET |
Description
One way to authenticate to Google Cloud from GitHub Actions is Workload Identity Federation: the workflow presents its GitHub OIDC token to a workload identity pool provider and exchanges it for credentials of a service account. If no attribute condition is set on the provider, tokens from any GitHub repository are accepted, so any repository can use the provider in its own workflows.
Impact
Potential data exposure | Visible in logs | User interaction required | Privileges required |
---|---|---|---|
True | True | False | True |
Anyone who knows the provider's resource name and the service account email (both usually visible in the workflow or Terraform files) gains, from their own GitHub Actions workflow, the same access level as the service account. This includes running any gcloud command the service account is authorized for, for example:
- Read/write access to containers
- Listing information about projects
Remediation guidelines
Add an attribute condition on the provider restricting which tokens it accepts. One efficient way is to restrict it to a given repository owner (your GitHub organization or user), for instance `assertion.repository_owner == "my-org"`; the condition can be narrowed further to specific repositories or branches.
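The following Terraform is an added example, not code from the original page or from any project's own configuration. It shows the weak provider (no condition) next to the hardened one, and binds the service account to a single repository rather than to the whole pool. The names `example-org`, `example-repo`, `github-pool`, `github-provider` and the `deployer` service account are assumptions.

```hcl
resource "google_iam_workload_identity_pool" "github" {
  workload_identity_pool_id = "github-pool" # assumed name
}

# WEAK: no attribute_condition, so a valid OIDC token from any GitHub
# repository is accepted by this provider.
resource "google_iam_workload_identity_pool_provider" "github_weak" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-provider-weak"

  attribute_mapping = {
    "google.subject"             = "assertion.sub"
    "attribute.repository"       = "assertion.repository"
    "attribute.repository_owner" = "assertion.repository_owner"
  }

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

# HARDENED: only tokens issued for repositories owned by "example-org"
# pass the provider. Everything else is rejected at token exchange time.
resource "google_iam_workload_identity_pool_provider" "github" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-provider" # assumed name

  attribute_mapping = {
    "google.subject"             = "assertion.sub"
    "attribute.repository"       = "assertion.repository"
    "attribute.repository_owner" = "assertion.repository_owner"
  }

  # CEL expression evaluated against the GitHub OIDC token claims.
  attribute_condition = "assertion.repository_owner == \"example-org\""

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

resource "google_service_account" "deployer" {
  account_id = "deployer" # assumed name
}

# Bind the service account to one repository's identities only, instead of
# to the whole pool ("/*"), so the provider condition is not the sole gate.
resource "google_service_account_iam_member" "github_wif" {
  service_account_id = google_service_account.deployer.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github.name}/attribute.repository/example-org/example-repo"
}
```

The attribute condition and the `principalSet` binding are two independent checks: the condition stops foreign tokens at the provider, and the per-repository binding limits which identities that did pass may impersonate the service account. Removing the weak provider entirely once the hardened one is in place is the intended end state.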
Also note that:
- To exploit this, an attacker needs the provider's resource name and the service account email, which can be obtained from the Terraform files or the GitHub Actions workflow file.
- Suspicious usage of the service account can be detected in the corresponding Cloud Audit Logs.
- The service account can be further protected by storing part or all of the workload identity provider name as a GitHub secret instead of writing it in the workflow file.