
A Cloud Build build describes where to find source code, how to build it, and where to store the built artifacts.

Source code and artifacts are generally stored in other services, such as Cloud Storage.


cloudbuild.builds.create

This permission allows a user to run builds that execute as the Cloud Build service account. Because build steps run with that service account's privileges rather than the user's own, the user can gain escalated build-time privileges. Google explicitly cautions against granting this permission for that reason.

Risks

Scope: MEDIUM

This privilege may grant access to confidential data, or exploiting it can incur operational cost.

Links

  • https://cloud.google.com/build/docs/iam-roles-permissions
  • https://cloud.google.com/build/docs/overview#how_builds_work
  • https://cloud.google.com/build/docs/cloud-build-service-account#default_permissions_of_service_account
  • https://cloud.google.com/build/docs/api/reference/rest/v1/projects.builds#Build
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog