
I have Cloud Run instances that run users' code, and I was made aware that their code could access the instance's metadata just by querying the VM's metadata server from their code:

$ curl "http://metadata.google.internal/computeMetadata/v1/?recursive=true&alt=text" \
    -H "Metadata-Flavor: Google"

While I believe the information this provides is not necessarily sensitive (am I wrong?), I still want to block that IP from my VMs.

I looked around in cloud run VM configuration dashboard but couldn't find network security rules. What is the recommended approach for blocking an IP on cloud run?

About Google metadata server: https://cloud.google.com/compute/docs/metadata/overview

The security issue documented: https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#metadata-endpoint
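The practical question is what untrusted code inside the container can actually read from that endpoint. The following preflight self-check is an added example (not code from the question, from Google, or from the linked posts): it probes the same metadata server, with the same `Metadata-Flavor: Google` header, for the project id, the service-account email and the service-account token, and refuses to start the untrusted workload if an access token is obtainable. The `fetch` parameter is a hypothetical injection point so the logic can be exercised without a metadata server.

```python
import socket
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional

METADATA_HOST = "http://metadata.google.internal"
HEADERS = {"Metadata-Flavor": "Google"}

# Paths whose exposure to untrusted code matters most. The token path is the
# one that turns "metadata is readable" into "the service account is usable".
PROJECT_ID_PATH = "/computeMetadata/v1/project/project-id"
SA_EMAIL_PATH = "/computeMetadata/v1/instance/service-accounts/default/email"
SA_TOKEN_PATH = "/computeMetadata/v1/instance/service-accounts/default/token"
PROBE_PATHS = [PROJECT_ID_PATH, SA_EMAIL_PATH, SA_TOKEN_PATH]


def http_get(url: str, timeout: float = 1.0) -> Optional[int]:
    """Return the HTTP status for a metadata query, or None if unreachable."""
    req = urllib.request.Request(url, headers=HEADERS)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # e.g. 404 when no service account is attached
    except (urllib.error.URLError, socket.timeout, OSError):
        return None  # DNS failure, blocked route, or not running on GCP


def metadata_exposure(fetch: Callable[[str], Optional[int]] = http_get) -> Dict[str, bool]:
    """Map each probed path to True when a 200 means code here can read it."""
    return {path: fetch(METADATA_HOST + path) == 200 for path in PROBE_PATHS}


def safe_to_run_untrusted_code(fetch: Callable[[str], Optional[int]] = http_get) -> bool:
    """Fail closed: untrusted code must not be able to mint an access token."""
    return not metadata_exposure(fetch)[SA_TOKEN_PATH]


if __name__ == "__main__":
    # Run this before handing control to user code; exit 1 blocks the start.
    for path, readable in metadata_exposure().items():
        print(f"{'EXPOSED' if readable else 'blocked'}  {path}")
    raise SystemExit(0 if safe_to_run_untrusted_code() else 1)
```

Run it as an entrypoint guard after changing the service's service account or isolating user code, so a regression that re-exposes the token endpoint fails the deployment instead of going unnoticed.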

  • Yes, there is very sensitive data in the metadata, such as authorization data and tokens. I do not know the answer but I think you must remove the assigned service account from the Cloud Run instance. Cloud Run then runs without credentials which makes it almost harmless. There are two IAM permissions required to read metadata: `compute.projects.get` and `compute.instances.get`. More details here: https://cloud.google.com/compute/docs/metadata/querying-metadata That link is for Compute Engine, but it is the same for Cloud Run. – John Hanley Jul 30 '22 at 22:47

0 Answers