Google Cloud Platform (GCP) Cloud Monitoring PE to Cloud Run Using Uptime Checks Service Agent Authentication

Tenable Research has identified and responsibly disclosed a privilege escalation vulnerability in Google Cloud Monitoring. This flaw allowed a low-privileged attacker to bypass Identity and Access Management (IAM) controls and invoke authenticated Cloud Run services despite lacking permissions.

Cloud Monitoring Uptime Checks can be configured to authenticate against HTTP targets using the Monitoring Service Agent’s ID token. The Monitoring Service Agent (service-PROJECT_NUMBER@gcp-sa-monitoring-notification.iam.gserviceaccount.com) is a Google-managed identity that, by default, is granted the run.routes.invoke permission. This permission allows the holder to call authenticated Cloud Run endpoints. By testing an Uptime Check on an authenticated Cloud Run endpoint, an attacker with the extremely limited monitoring.uptimeCheckConfigViewer role could invoke that endpoint with arbitrary parameters using the Service Agent’s identity.
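An added audit helper (not Tenable's or Google's code) that a defender could run over exported uptime check configs and project IAM bindings to find the two conditions the write-up combines: checks that present the Service Agent's OIDC token to a `*.run.app` host, and principals holding `roles/monitoring.uptimeCheckConfigViewer`. The field names (`httpCheck.serviceAgentAuthentication.type`, `monitoredResource.labels.host`) are my recollection of the Cloud Monitoring UptimeCheckConfig API shape and the sample data is constructed; verify both against your own exported configs.

```python
"""Flag uptime checks that send the Monitoring Service Agent's ID token to
Cloud Run, and list who can trigger a check with only the viewer role.
Field names assume the UptimeCheckConfig API shape; sample data is constructed."""

# Role the write-up says was sufficient to test an uptime check.
VIEWER_ROLE = "roles/monitoring.uptimeCheckConfigViewer"

def uses_service_agent_auth(cfg: dict) -> bool:
    """True if the HTTP check is configured to attach the service agent's OIDC token."""
    auth = cfg.get("httpCheck", {}).get("serviceAgentAuthentication") or {}
    return auth.get("type") == "OIDC_TOKEN"

def target_host(cfg: dict) -> str:
    """Hostname the check hits; uptime_url resources carry it in labels.host."""
    res = cfg.get("monitoredResource", {})
    if res.get("type") == "uptime_url":
        return res.get("labels", {}).get("host", "").lower()
    return ""

def risky_uptime_checks(configs: list[dict]) -> list[str]:
    """Names of checks that present service agent credentials to a Cloud Run host."""
    return [
        c["name"] for c in configs
        if uses_service_agent_auth(c) and target_host(c).endswith(".run.app")
    ]

def principals_who_can_test_checks(bindings: list[dict]) -> set[str]:
    """Members holding the viewer role, i.e. able to trigger the checks above."""
    return {m for b in bindings if b.get("role") == VIEWER_ROLE
            for m in b.get("members", [])}

# Constructed sample data (placeholder project and hosts, not real values).
SAMPLE_CONFIGS = [
    {"name": "projects/example/uptimeCheckConfigs/internal-api",
     "monitoredResource": {"type": "uptime_url",
                           "labels": {"project_id": "example",
                                      "host": "internal-api-abc123-uc.a.run.app"}},
     "httpCheck": {"path": "/internal/report", "useSsl": True,
                   "serviceAgentAuthentication": {"type": "OIDC_TOKEN"}}},
    {"name": "projects/example/uptimeCheckConfigs/public-site",
     "monitoredResource": {"type": "uptime_url",
                           "labels": {"project_id": "example", "host": "www.example.com"}},
     "httpCheck": {"path": "/", "useSsl": True}},
]
SAMPLE_BINDINGS = [
    {"role": VIEWER_ROLE, "members": ["user:contractor@example.com"]},
    {"role": "roles/viewer", "members": ["group:readers@example.com"]},
]

if __name__ == "__main__":
    for name in risky_uptime_checks(SAMPLE_CONFIGS):
        print("review service agent auth on:", name)
    print("can trigger checks:", sorted(principals_who_can_test_checks(SAMPLE_BINDINGS)))
```

Feed it the JSON from `gcloud monitoring uptime list-configs --format=json` and `gcloud projects get-iam-policy PROJECT --format=json` (assumed gcloud invocations) to review real projects.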

Ben Smith