SneakyDave
Posted May 6, 2016

Has TheSandman of TheAdminZone taken over Google Cloud development too? Sounds like something he'd do. Received this email:

Dear Google Cloud Platform customer,

We recently discovered that service account private keys created between March 11, 2016 and April 28, 2016 were inadvertently included in your audit logs. While the act of creating the key was correctly logged, and the audit logs are accessible only to users you have designated, key data should be redacted during logging. As of April 29 we have changed the audit logging behavior, and key data for service account private keys is redacted prior to logging.

We recommend you rotate your service account private keys if (a) you created new service account keys between March 11 and April 28, and (b) users who have access to your audit logs should not have access to service account keys.

As a precautionary measure we have created a filter which redacts the private keys from the log view, although any key information recorded in the audit logs remains in the file. Audit logs are retained for 30 days. If you have copied the log files be aware the copies may have the key data in them as well.

The information below can be used to help you investigate your creation of service account private keys, and your audit logs. The script is attached to this email.

We value your business and apologize for the inconvenience this issue may cause. If you have any questions or concerns, please do not hesitate to contact Google Cloud Support or your Account Manager.

Instructions

In order to ensure coverage of all your projects, please use the account of a Billing Administrator to run this script. If you have multiple billing accounts, you will need to run the script using a Billing Administrator in each account.

This script should work on any system that (a) has the Google Cloud SDK - including the Beta components - installed, and (b) supports the Bash shell. We have tested this using Google Cloud Shell and recommend that as the easiest way to use this script. Instructions for using Google Cloud Shell are here: https://cloud.google.com/shell/docs/quickstart

1. Create a file on the Cloud Shell machine using your preferred editor, e.g.
   nano findloggedkeys.sh
2. Paste the script (attached) into the file and save the file
   nano: CTRL-X then Y
   vi: Escape :wq
3. Make the file executable
   chmod u+x findloggedkeys.sh
4. Execute the script
   ./findloggedkeys.sh
5. Monitor the output. This script iterates through all the projects for which the authenticated user has permissions. This may include projects for which the user is not permitted to enumerate the service accounts. In this case, you will see an error "***Insufficient Permissions***".

Projects that include service accounts that have keys inadvertently included in your audit logs will be listed. The KeyID identifies the private key that appeared in the logs and that we recommend you rotate.

You may also see this data using Google Cloud Console. Navigate to the following link and select the project using the dropdown: https://console.cloud.google.com/iam-admin/serviceaccounts/

Sample Output:
ProjectID: my-project-id1
Service Account: my-service-account@my-project-id1@gserviceaccount.com
Key Created: 2016-03-15T17:00:00.000z
KeyID: 123456789abcdef123456789abcdef1234567890

ProjectID: my-project-id2
Service Account: ***Insufficient Permissions***

"I wonder if wife Susie knows about the vile crap he posts on his site and how it fits in with her "youth ministry"?" - Dr. Howard Rosenzweig, former owner of TheAdminZone
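As an added example (not the attached findloggedkeys.sh, which the post does not reproduce), the following Python applies the notice's two checks offline: which keys were created in the March 11 to April 28 window and so should be rotated, and whether a retained copy of the audit logs still embeds unredacted key material. It assumes key listings shaped like `gcloud iam service-accounts keys list --format=json` and audit entries as JSON dicts; the project, account and key ids are constructed.

```python
import base64
import binascii
from datetime import datetime, timezone

# Window from the notice: keys created 2016-03-11 through 2016-04-28 (UTC assumed).
WINDOW_START = datetime(2016, 3, 11, tzinfo=timezone.utc)
WINDOW_END = datetime(2016, 4, 29, tzinfo=timezone.utc)  # exclusive
PEM_MARKER = "-----BEGIN PRIVATE KEY-----"

def parse_ts(ts):
    """RFC 3339 timestamp such as 2016-03-15T17:00:00.000Z (or lowercase z) -> aware datetime."""
    ts = ts.strip()
    if ts[-1] in "zZ":
        ts = ts[:-1] + "+00:00"
    return datetime.fromisoformat(ts)

def keys_to_rotate(keys):
    """keys: dicts shaped like `gcloud iam service-accounts keys list --format=json`
    (fields `name`, `validAfterTime`). Returns [(key_id, created)] for keys in the window."""
    return [(k["name"].rsplit("/", 1)[-1], k["validAfterTime"])
            for k in keys if WINDOW_START <= parse_ts(k["validAfterTime"]) < WINDOW_END]

def contains_key_material(value):
    """True if any string in a nested log entry holds a PEM private key, plain or
    base64-encoded (the CreateServiceAccountKey response's privateKeyData is base64)."""
    if isinstance(value, dict):
        value = list(value.values())
    if isinstance(value, list):
        return any(contains_key_material(v) for v in value)
    if not isinstance(value, str):
        return False
    if PEM_MARKER in value:
        return True
    try:  # decode only strings that are valid base64; timestamps, emails etc. are not
        return PEM_MARKER in base64.b64decode(value, validate=True).decode("utf-8", "ignore")
    except (binascii.Error, ValueError):
        return False

# Constructed sample data; project, account and key ids are hypothetical.
SA = "my-sa@example-project.iam.gserviceaccount.com"
SAMPLE_KEYS = [
    {"name": f"projects/example-project/serviceAccounts/{SA}/keys/aaaa1111", "validAfterTime": "2016-03-15T17:00:00.000Z"},
    {"name": f"projects/example-project/serviceAccounts/{SA}/keys/bbbb2222", "validAfterTime": "2016-05-02T09:30:00.000Z"},
]
FAKE_KEY_FILE = '{"private_key": "' + PEM_MARKER + '\\nCONSTRUCTED\\n"}'
SAMPLE_LOG = [  # entry 0 predates the April 29 fix and still embeds the key; entry 1 is redacted
    {"protoPayload": {"response": {"name": SAMPLE_KEYS[0]["name"],
                                   "privateKeyData": base64.b64encode(FAKE_KEY_FILE.encode()).decode()}}},
    {"protoPayload": {"response": {"name": SAMPLE_KEYS[1]["name"]}}},
]
```

Run `contains_key_material` over every entry of each log copy you kept beyond the 30-day retention; any copy that matches should be treated as having exposed the key until it is rotated.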