github.com/aquasecurity/trivy-iac@v0.8.1-0.20240127024015-3d8e412cf0ab/avd_docs/google/iam/AVD-GCP-0068/docs.md

github.com/aquasecurity/trivy-iac@v0.8.1-0.20240127024015-3d8e412cf0ab/avd_docs/google/iam/AVD-GCP-0068/docs.md (about)

     1  
     2  In GitHub Actions, one can authenticate to Google Cloud by setting values for workload_identity_provider and service_account and requesting a short-lived OIDC token which is then used to execute commands as that Service Account. If you don't specify a condition in the workload identity provider pool configuration, then any GitHub Action can assume this role and act as that Service Account.
     3  
     4  ### Impact
     5  Allows an external attacker to authenticate as the attached service account and act with its permissions
     6  
     7  <!-- DO NOT CHANGE -->
     8  {{ remediationActions }}
     9  
    10  ### Links
    11  - https://www.revblock.dev/exploiting-misconfigured-google-cloud-service-accounts-from-github-actions/
    12  
    13