Ctrlk

GCP_CAN_TRIGGER_BUILD

Summary

FSProtect ACL Alias

GCP_CAN_TRIGGER_BUILD

GCP Alias

Compute Execution & Pipeline Pivots

Affected Object Types

Projects

Exploitation Certainty

Certain

Granting Roles

roles/cloudbuild.admin, roles/cloudbuild.builds.editor

Description

GCP_CAN_TRIGGER_BUILD indicates that an identity can submit and manage Cloud Build jobs in a GCP project. Cloud Build is GCP's managed CI/CD service, and build jobs run as the Default Cloud Build Service Account ([PROJECT_NUMBER][email protected]) by default. This SA is automatically granted roles/editor on the project, giving it broad write access.

An attacker with the ability to submit Cloud Build jobs can execute arbitrary code running as this highly privileged SA — without needing to create VMs or manage compute infrastructure. The attacker simply submits a build that reads and exfiltrates the SA's token from the build environment.

Key abuse scenarios:

  • Submit a Cloud Build job with a malicious cloudbuild.yaml → code runs as the Cloud Build SA (project editor by default).

  • Exfiltrate the Cloud Build SA token → use it as the SA for lateral movement.

  • Modify build triggers to inject malicious steps into the CI/CD pipeline (supply chain attack).

Identification

gcloud CLI

GCP Console

  1. Open GCP ConsoleCloud BuildTriggers.

  2. Review all existing build triggers — check for unexpected source repositories or build configurations.

  3. Open IAM & AdminIAM to find principals with Cloud Build Admin or Cloud Build Editor roles.

Exploitation

gcloud CLI

The Cloud Build SA token is valid for ~1 hour scoped to cloud-platform. Use the collected token to pivot:

Compound path: GCP_CAN_TRIGGER_BUILD → submit malicious build → extract Cloud Build SA token (default roles/editor) → create SA keys or grant IAM roles → persistent access.

Mitigation

  1. Restrict the Cloud Build SA's permissions — the default roles/editor assignment is overly broad. Replace with a purpose-specific custom role.

  2. Use custom SA for Cloud Build instead of the default SA.

  3. Restrict roles/cloudbuild.builds.editor — only CI/CD systems and authorized developers should be able to submit builds.

  4. Enable build approval gates for production build triggers.

  5. Audit build logs for unexpected operations (token exfiltration, secret access, lateral movement commands).

Detection

Log Type
Method
Key Fields

Admin Activity

CreateBuild

resource.type=build, methodName=google.devtools.cloudbuild.v1.CloudBuild.CreateBuild

Alert on:

  • Build submissions outside of known CI/CD service accounts.

  • Builds with inline cloudbuild.yaml (not from a tracked source repository).

  • Build steps containing gcloud auth print-access-token or metadata server requests.

  • Failed builds after unusual activity (attacker testing payloads).

References

  • https://cloud.google.com/build/docs/overview

  • https://cloud.google.com/build/docs/cloud-build-service-account

PreviousGCP_CAN_SSH_VMNextGCP_CAN_UNLINK_BILLING

Last updated

Was this helpful?