catalog logoThe IAM Privilege Catalog

services / Google Cloud / Dataproc clusters

Create and manage Dataproc clusters. Dataproc clusters provide a platform for running Apache Hadoop, Hive, Pig, and Spark jobs.

Allows access to machine-learning pipelines. Creating a cluster allows exfiltration of the default service account tokens.

dataproc.​clusters.​create

Creating a Dataproc cluster provides access to the cluster's short-lived service account token. `serviceAccount.actAs` permission is necessary to create a cluster with this account.

Risks

  1. Spend (MEDIUM)

Scope: MEDIUM

This privilege may grant access to confidential data, or its exploit can incur operational cost.

Links

  • https:​/​/​cloud.​google.​com/​dataproc/​docs/​concepts/​overview
  • https:​/​/​cloud.​google.​com/​sdk/​gcloud/​reference/​dataproc/​clusters
  • https:​/​/​cloud.​google.​com/​dataproc/​docs/​reference/​rest/​v1/​projects.​regions.​clusters
  • https:​/​/​www.​youtube.​com/​watch?​v=​kyqeBGNSEIc
  • https:​/​/​www.​blackhat.​com/​us-​20/​briefings/​schedule/​#​lateral-​movement-​and-​privilege-​escalation-​in-​gcp-​compromise-​any-​organization-​without-​dropping-​an-​implant-​19435

    • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog