services / Google Cloud / Compute Engine managed instances

Create and alter managed instances.

Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms "instance" and "VM" are used interchangeably in the Compute Engine documentation, although they may carry different meanings within these privilege descriptions.


compute.instances.get

Allows access to a wide array of instance metadata, including account public keys, network configuration, and service account permissions. Note that, although the Google API documentation suggests that access is also granted to secret material such as disk encryption keys or service-account tokens, this material is not included in the response returned by the instances.get API.
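To make the exposure concrete, the following added example (not part of the catalog entry) parses a constructed instances.get response shaped like the v1 instances resource and reports what a holder of compute.instances.get learns: sensitive metadata keys, external IPs, the attached service account and its scopes, and a confirmation that no raw disk-key material is present. All names, IPs and values are constructed placeholders.

```python
import json

# Constructed sample shaped like a Compute Engine v1 instances.get response.
# Every value is an invented placeholder, not taken from any real project.
SAMPLE_INSTANCE = json.dumps({
    "name": "web-1",
    "metadata": {"items": [
        {"key": "ssh-keys", "value": "alice:ssh-ed25519 PLACEHOLDER alice@example"},
        {"key": "enable-oslogin", "value": "FALSE"},
        {"key": "startup-script", "value": "#!/bin/sh\necho boot"},
    ]},
    "networkInterfaces": [{
        "networkIP": "10.0.0.5",
        "accessConfigs": [{"natIP": "203.0.113.10"}],
    }],
    "serviceAccounts": [{
        "email": "app-sa@example-project.iam.gserviceaccount.com",
        "scopes": ["https://www.googleapis.com/auth/cloud-platform"],
    }],
    # For CSEK-protected disks the API returns only a sha256 of the key.
    "disks": [{"deviceName": "boot", "diskEncryptionKey": {"sha256": "PLACEHOLDER"}}],
})

# Metadata keys whose values are security-relevant on their own.
SENSITIVE_METADATA_KEYS = {"ssh-keys", "sshKeys", "startup-script", "windows-keys"}
# Fields that would carry actual key material; instances.get does not return them.
RAW_KEY_FIELDS = {"rawKey", "rsaEncryptedKey"}

def exposure_report(instance_json: str) -> dict:
    """Summarise what a reader of instances.get learns about one instance."""
    inst = json.loads(instance_json)
    items = inst.get("metadata", {}).get("items", [])
    sas = inst.get("serviceAccounts", [])
    return {
        "name": inst.get("name"),
        "sensitive_metadata": sorted(i["key"] for i in items if i["key"] in SENSITIVE_METADATA_KEYS),
        "os_login_enabled": any(i["key"] == "enable-oslogin" and i["value"].upper() == "TRUE" for i in items),
        "external_ips": [ac["natIP"] for ni in inst.get("networkInterfaces", [])
                         for ac in ni.get("accessConfigs", []) if "natIP" in ac],
        "service_accounts": {sa["email"]: sa.get("scopes", []) for sa in sas},
        # cloud-platform scope means the SA's full IAM grant is reachable from the VM.
        "broad_scope": any("auth/cloud-platform" in s for sa in sas for s in sa.get("scopes", [])),
        "raw_disk_keys_present": any(RAW_KEY_FIELDS & set(d.get("diskEncryptionKey", {}))
                                     for d in inst.get("disks", [])),
    }

if __name__ == "__main__":
    print(json.dumps(exposure_report(SAMPLE_INSTANCE), indent=2))
```

Run against real output from `gcloud compute instances describe --format=json`, the same report shows which instances turn this read-only permission into a critical one (project-wide SSH keys, broad service-account scopes, reachable external addresses).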

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or be exploited to achieve significant privilege escalation.

Links

  • https://cloud.google.com/compute/docs/instances
  • https://cloud.google.com/sdk/gcloud/reference/compute/instances
  • https://cloud.google.com/compute/docs/reference/rest/v1/instances
  • https://cloud.google.com/compute/docs/metadata/default-metadata-values
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog