
I would like to monitor for Compute Engine service accounts that attempt API calls beyond their given Access Scope. This could be via the gcloud command or manual API interaction using the OAuth token from the metadata server.

Here is a specific example:

  • A Compute Instance is launched with the general GCP defaults, including the default service account and the default access scopes.
  • A user logs into a SSH session on that Compute Instance and `gcloud auth list` shows that the active account is the default service account.
  • The user runs `gcloud compute instances list`. This fails with `Insufficient Permission: Request had insufficient authentication scopes` due to the Access Scope limitation.

However, I can't find anything in StackDriver that relates to this attempt. I've configured Cloud Audit Logs for Admin Read, Data Read, and Data Write for all services.

I do see log events for successful API calls, for example if I remove the scope limitation and repeat the steps above.

I also see log events for failed API calls that had a proper access scope but lacked IAM permissions.

However, nothing for attempts that fail specifically due to access scope.

Does anyone know if this is possible?



It's possible, using advanced logs queries. Go to Logging > Logs Viewer and use this query: `resource.type="api"` to match the corresponding resource type.

Even though the information above is accurate, it is not related to your case. It was indeed a misunderstanding.

UPDATE:

I believe that if the user doesn't have permissions to execute the gsutil command due to the scope limitation, the command will fail at a system level and that message won't be recorded (e.g. try running `tail /var/log/auth.log` with a regular user and find a record of that call). As stated here, only specific information will be stored.

It might be a good idea to use Anomaly Detection instead. Hope this helps.

DuniX33
  • Thank you for the reply. However, this does not seem to discover any log entries of attempts to use a service account's OAuth token without proper access scope. Example: Create a compute instance with default service account. SSH into instance and run `gcloud compute instances list`. Receive error `Request had insufficient authentication scopes`. Nothing in Stackdriver. – initstring Feb 05 '20 at 10:00
  • I'd suggest you find out [what roles this service account has](https://cloud.google.com/iam/docs/granting-roles-to-service-accounts#viewing-roles). I think the problem is there. – DuniX33 Feb 05 '20 at 11:43
  • You can also be more specific and execute: `resource.type="api" protoPayload.serviceName="compute.googleapis.com" protoPayload.authorizationInfo.resourceAttributes.name="projects/some-project-name"` – DuniX33 Feb 05 '20 at 11:54
  • Thanks for the replies, but I'm not sure we are on the same page here. My comment is that API commands that specifically fail due to access scope limitations do not appear to add any entries to cloud audit logs. There is no issue with the roles assigned to the account. The access scope limitations are intentional. We are looking to monitor for accounts that have been compromised and an attacker is attempting to access APIs that are blocked by the OAuth token's access scope. – initstring Feb 06 '20 at 02:17
  • I see. Well I ran this query `"google-cloud-sdk gcloud" protoPayload.status.message="PERMISSION_DENIED"` and I was able to get that information. The first part will look for all the calls made to the API through the Cloud Shell and the second part for PERMISSION_DENIED error messages. – DuniX33 Feb 06 '20 at 09:51
  • I do see PERMISSION_DENIED for calls that fail due to IAM permissions lacking, but not due to access scope limitations. Access Scopes do not apply to a session in Cloud Shell, so you cannot test it that way. They apply only to OAuth tokens assigned to Compute Instances. You need to run the gcloud command from inside a compute instance using the assigned service account and access scope (not by activating a service account key file, which would negate the scope). A specific scenario for this is outlined in my original post. – initstring Feb 07 '20 at 10:52
  • I also do not think this is a log filtering issue. I can clear all filters, listing everything, and literally see 0 log activity when I reproduce the failure. By the way, thank you for your replies - they are appreciated, but just working to make sure we are talking about the same thing. https://cloud.google.com/compute/docs/access/service-accounts#accesscopesiam – initstring Feb 07 '20 at 10:52
  • Please see new UPDATE ^ – DuniX33 Feb 07 '20 at 16:07
  • Thanks. As stated in my original post, I have already enabled cloud audit logging. I still see no log entries created for failures that occur due to access scopes. Are you absolutely sure the failure you are seeing is access scope related? Are you able to share a redacted version of the log entry? – initstring Feb 07 '20 at 20:55
  • What I found was a log entry (INFO) in the logs with the executed command, nothing more. See UPDATE. – DuniX33 Feb 12 '20 at 09:17
  • Thanks mate. Yep, it looks like this simply is not logged. – initstring Feb 13 '20 at 10:50
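The thread's conclusion is that Cloud Audit Logs record IAM denials (`protoPayload.status` carrying PERMISSION_DENIED) but not calls rejected for insufficient OAuth scope, so a defender who wants to notice scope-limited tokens being probed has to look at the client side as well. The script below, added here as an illustration and not code from the thread or from Google, separates the two cases: it classifies constructed audit-log entries by `status.code`, and it scans constructed lines written in the style of gcloud's local log files (under `~/.config/gcloud/logs/` on the instance) for the exact error text quoted in the question. The audit-entry shape, the gcloud log line format, and all sample values (project number, timestamps) are assumptions made for this example.

```python
"""Separate IAM-denied API calls (visible in Cloud Audit Logs) from
scope-denied calls (visible only in gcloud's local logs on the instance).

Added example; not code from the thread. Formats and values are assumed."""
import re

# Client-side error text quoted in the question.
SCOPE_ERROR = "Request had insufficient authentication scopes"
# google.rpc.Code value for PERMISSION_DENIED, carried in
# protoPayload.status.code of an audit-log entry.
PERMISSION_DENIED_CODE = 7

# Constructed audit-log entries. Field names follow the protoPayload fields
# named in the thread; the values are made up (123456 is a fake project number).
AUDIT_ENTRIES = [
    {"protoPayload": {"serviceName": "compute.googleapis.com",
                      "methodName": "v1.compute.instances.list",
                      "authenticationInfo": {
                          "principalEmail": "123456-compute@developer.gserviceaccount.com"},
                      "status": {"code": 7, "message": "PERMISSION_DENIED"}}},
    {"protoPayload": {"serviceName": "compute.googleapis.com",
                      "methodName": "v1.compute.instances.list",
                      "authenticationInfo": {
                          "principalEmail": "123456-compute@developer.gserviceaccount.com"},
                      "status": {}}},
]

# Constructed lines in the style of gcloud's local log files. The exact
# layout (timestamp, level, logger, message) is an assumption for this example.
GCLOUD_LOG = """\
2020-02-07 10:52:00,001 DEBUG    root            Running [gcloud.compute.instances.list] with arguments: []
2020-02-07 10:52:00,450 ERROR    root            (gcloud.compute.instances.list) Insufficient Permission: Request had insufficient authentication scopes.
2020-02-07 10:53:10,002 DEBUG    root            Running [gcloud.compute.zones.list] with arguments: []
2020-02-07 10:53:10,300 INFO     root            Display format: table
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+)\s+(?P<logger>\S+)\s+(?P<msg>.*)$")
CMD_RE = re.compile(r"\((?P<cmd>gcloud\.[\w.]+)\)")


def classify_audit_entry(entry):
    """Return 'iam_denied', 'success' or 'other_failure' for one audit entry."""
    status = entry.get("protoPayload", {}).get("status", {})
    if status.get("code") == PERMISSION_DENIED_CODE:
        return "iam_denied"
    if status.get("code", 0) == 0 and not status.get("message"):
        return "success"  # empty status means the call was accepted
    return "other_failure"


def audit_log_findings(entries):
    """(principal, method, verdict) for every non-successful audit entry.
    Scope-denied calls never appear here, which is the gap the thread found."""
    findings = []
    for entry in entries:
        verdict = classify_audit_entry(entry)
        if verdict != "success":
            payload = entry["protoPayload"]
            findings.append((payload["authenticationInfo"]["principalEmail"],
                             payload["methodName"], verdict))
    return findings


def parse_gcloud_log(text):
    """Split local gcloud log text into records with ts/level/logger/msg."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def scope_failures(text):
    """Host-side detection: ERROR records carrying the scope error text,
    with the gcloud command that produced them."""
    hits = []
    for rec in parse_gcloud_log(text):
        if rec["level"] == "ERROR" and SCOPE_ERROR in rec["msg"]:
            cmd = CMD_RE.search(rec["msg"])
            hits.append({"time": rec["ts"],
                         "command": cmd.group("cmd") if cmd else "unknown"})
    return hits


if __name__ == "__main__":
    print("audit log (server side):", audit_log_findings(AUDIT_ENTRIES))
    print("gcloud log (host side):", scope_failures(GCLOUD_LOG))
```

Run on the constructed input, the audit-log pass reports only the IAM-denied call, while the host-side pass is the only one that surfaces the scope-denied `gcloud.compute.instances.list` attempt. In practice the host-side part would be fed by a log agent shipping the instance's gcloud log directory, and it only covers gcloud; a raw API call made with the metadata-server token leaves no such local trace, so the remaining control is keeping the scopes and IAM roles on the instance's service account as narrow as the workload needs.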