GCP_CUSTOM_PRIVILEGED_ROLE

Summary

FSProtect ACL Alias: GCP_CUSTOM_PRIVILEGED_ROLE

GCP Alias: IAM & Hierarchy Control

Affected Object Types: Organizations, Folders, Projects

Exploitation Certainty: Likely

Granting Roles: Any custom IAM role flagged as privileged

Description

GCP_CUSTOM_PRIVILEGED_ROLE represents an assignment of a GCP custom IAM role that is flagged as privileged and does not have an explicit, mapped attack path edge. Unlike predefined roles, custom roles are organization- or project-defined and can contain any combination of permissions. This makes them particularly dangerous because a custom role may appear innocuous by name but contain highly sensitive permissions, and the permissions are not covered by specific attack path mappings.

Custom privileged roles are often created during migrations, automation setups, or in attempts to implement least-privilege but inadvertently combine dangerous permissions. They are also a common persistence mechanism: an attacker who creates or modifies a custom role can hide high-privilege access behind a benign-sounding role name.

Identification

gcloud CLI

# List all custom roles in a project
PROJECT_ID="my-project"
gcloud iam roles list --project=$PROJECT_ID --format=json

# Inspect a specific custom role's permissions
CUSTOM_ROLE="projects/${PROJECT_ID}/roles/CustomProjectRole"
gcloud iam roles describe $(basename $CUSTOM_ROLE) --project=$PROJECT_ID --format=json | \
  jq '.includedPermissions[]'

# Find who is assigned custom roles in a project
gcloud projects get-iam-policy $PROJECT_ID --format=json | \
  jq '.bindings[] | select(.role | contains("/roles/")) | {role: .role, members: .members}'
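The three gcloud commands above are the manual version of one check: which custom roles carry sensitive permissions, and who is bound to them. The script below joins the two JSON outputs the same way. It is an added example, not FSProtect's own code; the role and policy documents are constructed in the shape `gcloud iam roles describe --format=json` and `gcloud projects get-iam-policy --format=json` produce, and the watch-list of permission suffixes (setIamPolicy, actAs, getAccessToken, taken from the Detection section) is an assumption you would tune to your environment.

```python
"""Flag custom-role bindings whose role carries a dangerous permission.

Added example (not FSProtect code). Input shapes mirror
`gcloud iam roles describe --format=json` and
`gcloud projects get-iam-policy --format=json`; all data is constructed.
"""
import re
from typing import Iterable

# Assumption: permission suffixes treated as privileged (from the page's alert list).
DANGEROUS_SUFFIXES = ("setIamPolicy", "actAs", "getAccessToken")

# Custom roles live under a project or organization; predefined roles are "roles/...".
CUSTOM_ROLE_RE = re.compile(r"^(projects|organizations)/[^/]+/roles/[^/]+$")


def is_custom_role(role_name: str) -> bool:
    return bool(CUSTOM_ROLE_RE.match(role_name))


def dangerous_permissions(role: dict) -> list[str]:
    """Return includedPermissions whose last dotted segment is on the watch-list."""
    return [p for p in role.get("includedPermissions", [])
            if p.rsplit(".", 1)[-1] in DANGEROUS_SUFFIXES]


def flag_custom_role_bindings(roles: Iterable[dict], policy: dict) -> list[dict]:
    """Join role definitions with policy bindings and emit one finding per
    custom-role binding whose role includes a dangerous permission."""
    by_name = {r["name"]: r for r in roles if not r.get("deleted")}
    findings = []
    for binding in policy.get("bindings", []):
        role_name = binding["role"]
        if not is_custom_role(role_name):
            continue  # predefined roles are covered by their own mappings
        role = by_name.get(role_name)
        if role is None:
            continue  # role not described yet; fetch it with `gcloud iam roles describe`
        bad = dangerous_permissions(role)
        if bad:
            findings.append({"role": role_name,
                             "members": list(binding["members"]),
                             "permissions": bad})
    return findings


# Constructed sample: output of `gcloud iam roles describe` for two custom roles.
SAMPLE_ROLES = [
    {"name": "projects/my-project/roles/LogReader", "stage": "GA",
     "includedPermissions": ["logging.logEntries.list"]},
    {"name": "projects/my-project/roles/CustomProjectRole", "stage": "GA",
     "includedPermissions": ["storage.objects.get",
                             "iam.serviceAccounts.actAs",
                             "resourcemanager.projects.setIamPolicy"]},
]

# Constructed sample: output of `gcloud projects get-iam-policy`.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/viewer", "members": ["group:ops@example.com"]},
        {"role": "projects/my-project/roles/LogReader",
         "members": ["group:ops@example.com"]},
        {"role": "projects/my-project/roles/CustomProjectRole",
         "members": ["user:alice@example.com",
                     "serviceAccount:deploy@my-project.iam.gserviceaccount.com"]},
    ]
}

if __name__ == "__main__":
    for f in flag_custom_role_bindings(SAMPLE_ROLES, SAMPLE_POLICY):
        print(f"{f['role']}: {', '.join(f['permissions'])} -> {', '.join(f['members'])}")
```

To run it against a real project, pipe each `gcloud iam roles describe ... --format=json` result into `SAMPLE_ROLES` and the `get-iam-policy` output into `SAMPLE_POLICY`; bindings at folder or organization scope need the corresponding `gcloud resource-manager folders get-iam-policy` or `gcloud organizations get-iam-policy` output.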

GCP Console

  1. Open GCP Console > IAM & Admin > Roles.

  2. Select "Custom" tab.

  3. Click each role and review Included Permissions.

  4. Cross-reference against IAM page bindings.

Exploitation

The exact exploitation steps depend on the specific permissions present in the custom role.

Common dangerous permissions found in flagged custom roles and their attack vectors:

Mitigation

  1. Audit all custom roles flagged by this edge — identify what permissions each contains and whether they're necessary.

  2. Remove or split roles containing dangerous permission combinations — do not allow a single custom role to include those permissions together.

  3. Enforce naming conventions and documentation for custom roles so their purpose is transparent and auditable.

  4. Restrict roles/iam.roleAdmin to dedicated automation accounts — this role controls custom role creation/modification.

  5. Regularly review custom role bindings — custom roles should have a documented owner, business justification, and expiry policy.

Detection

Log Type       | Method                  | Key Fields
Admin Activity | CreateRole, UpdateRole  | resource.type=iam_role, custom role modification
Admin Activity | SetIamPolicy            | New binding adding a custom role

Alert on:

  • Any creation or update of a custom role (CreateRole, UpdateRole).

  • Modifications to custom roles that add dangerous permissions (e.g. permissions ending in setIamPolicy, actAs, or getAccessToken).

  • New bindings assigning custom roles to human users or external identities.

  • Custom role assignments at org or folder scope.
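The four alert conditions above map directly onto fields of Admin Activity audit-log entries: the method name, the requested role body for CreateRole/UpdateRole, and the binding deltas and resource type for SetIamPolicy. The following is an added example of that logic, not FSProtect's detection code. The log entries are constructed and trimmed to the fields the rules read (protoPayload.methodName, protoPayload.request.role, protoPayload.serviceData.policyDelta.bindingDeltas, resource.type); the TRUSTED_DOMAINS set used to decide what counts as "external" is an assumption.

```python
"""Evaluate Admin Activity audit-log entries against the custom-role alert rules.

Added example (not FSProtect code). Entries are constructed and simplified;
TRUSTED_DOMAINS is an assumption standing in for your organization's domains.
"""
import re

DANGEROUS_SUFFIXES = ("setIamPolicy", "actAs", "getAccessToken")
CUSTOM_ROLE_RE = re.compile(r"^(projects|organizations)/[^/]+/roles/[^/]+$")
ROLE_CHANGE_METHODS = {"google.iam.admin.v1.CreateRole", "google.iam.admin.v1.UpdateRole"}
# Assumption: identities outside these domains are treated as external.
TRUSTED_DOMAINS = {"example.com", "my-project.iam.gserviceaccount.com"}


def is_custom_role(role_name: str) -> bool:
    return bool(CUSTOM_ROLE_RE.match(role_name))


def is_human_or_external(member: str) -> bool:
    """True for human users, public principals, or identities outside TRUSTED_DOMAINS."""
    if member in ("allUsers", "allAuthenticatedUsers"):
        return True
    kind, _, ident = member.partition(":")
    if kind == "user":
        return True
    return ident.rsplit("@", 1)[-1] not in TRUSTED_DOMAINS


def alerts_for_entry(entry: dict) -> list[dict]:
    """Return one alert dict per rule the entry trips (possibly several per entry)."""
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    actor = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
    scope = entry.get("resource", {}).get("type", "")
    alerts = []

    if method in ROLE_CHANGE_METHODS:  # rule 1: any create/update of a custom role
        role_name = entry["resource"].get("labels", {}).get("role_name", "?")
        alerts.append({"rule": "custom_role_change", "actor": actor, "role": role_name})
        perms = payload.get("request", {}).get("role", {}).get("includedPermissions", [])
        bad = [p for p in perms if p.rsplit(".", 1)[-1] in DANGEROUS_SUFFIXES]
        if bad:  # rule 2: dangerous permission in the submitted role body
            alerts.append({"rule": "dangerous_permission", "actor": actor,
                           "role": role_name, "permissions": bad})

    elif method.endswith("SetIamPolicy"):
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for d in deltas:
            if d.get("action") != "ADD" or not is_custom_role(d.get("role", "")):
                continue
            base = {"actor": actor, "role": d["role"], "member": d["member"]}
            alerts.append({"rule": "custom_role_binding", **base})  # new custom-role binding
            if is_human_or_external(d["member"]):  # rule 3
                alerts.append({"rule": "human_or_external_member", **base})
            if scope in ("organization", "folder"):  # rule 4
                alerts.append({"rule": "org_or_folder_scope", "scope": scope, **base})
    return alerts


def scan(entries) -> list[dict]:
    return [a for e in entries for a in alerts_for_entry(e)]


# Constructed, simplified audit-log entries.
SAMPLE_ENTRIES = [
    {"protoPayload": {"serviceName": "iam.googleapis.com",
                      "methodName": "google.iam.admin.v1.CreateRole",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "request": {"parent": "projects/my-project", "roleId": "CustomProjectRole",
                                  "role": {"includedPermissions": [
                                      "storage.objects.get",
                                      "iam.serviceAccounts.getAccessToken"]}}},
     "resource": {"type": "iam_role",
                  "labels": {"role_name": "projects/my-project/roles/CustomProjectRole"}}},
    {"protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com",
                      "methodName": "SetIamPolicy",
                      "authenticationInfo": {"principalEmail": "bob@example.com"},
                      "serviceData": {"policyDelta": {"bindingDeltas": [
                          {"action": "ADD", "role": "organizations/123456789/roles/OrgCustomRole",
                           "member": "user:contractor@external-example.net"},
                          {"action": "ADD", "role": "roles/viewer",
                           "member": "group:ops@example.com"}]}}},
     "resource": {"type": "organization", "labels": {"organization_id": "123456789"}}},
    {"protoPayload": {"serviceName": "iam.googleapis.com",
                      "methodName": "google.iam.admin.v1.ListRoles",
                      "authenticationInfo": {"principalEmail": "bob@example.com"}},
     "resource": {"type": "project", "labels": {"project_id": "my-project"}}},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_ENTRIES):
        print(a)
```

In a real pipeline the entries come from a Cloud Logging sink filtered on `logName:"cloudaudit.googleapis.com%2Factivity"`; the rule functions are unchanged, only the source of `entries` differs.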

References

  • https://cloud.google.com/iam/docs/creating-custom-roles

  • https://cloud.google.com/iam/docs/understanding-custom-roles
