services / Google Cloud / Cloud Run Jobs

A Cloud Run job is used for running code that executes for a period of time and exits once complete. Jobs may be executed on a one-off basis, a recurring schedule, or as part of a workflow.

Cloud Run jobs are often used for important organizational tasks, such as processing sensitive data.


run.jobs.run

When combined with the create permission and iam.serviceAccounts.actAs on the Cloud Run service account, this permission carries a resource hijacking risk. Additionally, the job's environment variables may be abused to obtain a reverse shell and dump the contents of the container, including the service account credentials.
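An added audit check, not part of this catalog entry or P0 Security's tooling, that flags IAM members holding the combination described above. It assumes run.jobs.create is the create permission referred to, uses a constructed role-to-permission map, and takes constructed project and service-account IAM policies in the shape returned by get-iam-policy.

```python
# Permission triad from the entry above; run.jobs.create is assumed to be
# the "create permission" the text refers to.
JOB_PERMISSIONS = {"run.jobs.run", "run.jobs.create"}
ACT_AS = "iam.serviceAccounts.actAs"

# Constructed role -> permission map, limited to the permissions relevant
# here. In practice, resolve roles with `gcloud iam roles describe`.
ROLE_PERMISSIONS = {
    "roles/run.developer": {"run.jobs.run", "run.jobs.create", "run.jobs.get"},
    "roles/run.invoker": {"run.jobs.run"},
    "roles/iam.serviceAccountUser": {"iam.serviceAccounts.actAs"},
}


def permissions_by_member(policy):
    """Flatten a get-iam-policy style document into {member: {permissions}}."""
    out = {}
    for binding in policy.get("bindings", []):
        perms = ROLE_PERMISSIONS.get(binding["role"], set())
        for member in binding.get("members", []):
            out.setdefault(member, set()).update(perms)
    return out


def find_risky_members(project_policy, sa_policy):
    """Members who can run and create jobs in the project and can also act as
    the job's service account, whether actAs comes from the project policy
    or is granted directly on the service account."""
    project_perms = permissions_by_member(project_policy)
    sa_perms = permissions_by_member(sa_policy)
    risky = []
    for member, perms in project_perms.items():
        if not JOB_PERMISSIONS <= perms:
            continue  # cannot both run and create jobs
        if ACT_AS in perms or ACT_AS in sa_perms.get(member, set()):
            risky.append(member)
    return sorted(risky)


# Constructed sample policies: the project, and the job's service account.
PROJECT_POLICY = {"bindings": [
    {"role": "roles/run.developer", "members": [
        "user:alice@example.com", "user:carol@example.com", "group:ops@example.com"]},
    {"role": "roles/run.invoker", "members": ["user:bob@example.com"]},
    {"role": "roles/iam.serviceAccountUser", "members": ["group:ops@example.com"]},
]}
SA_POLICY = {"bindings": [
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:alice@example.com", "user:bob@example.com"]},
]}

if __name__ == "__main__":
    print(find_risky_members(PROJECT_POLICY, SA_POLICY))
```

Bob is not flagged because run.jobs.run alone does not satisfy the check, and Carol is not flagged because she cannot act as the service account; Alice (actAs on the service account) and the ops group (actAs at project level) are.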

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https://cloud.google.com/run/docs/resource-model
  • https://cloud.google.com/run/docs/managing/jobs
  • https://cloud.google.com/run/docs/reference/rest/v1/namespaces.jobs
  • https://cloud.google.com/run/docs/create-jobs
  • https://cloud.hacktricks.wiki/en/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.html#runjobsrun-runjobsrunwithoverrides-runjobsget
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog