The GCP Service Account That Could Read Everything
Introduction
I was reviewing a GCP project and found a service account that looked boring. No compute permissions. No IAM admin. No storage write.
It only had Artifact Registry Reader.
That was enough.
Why Artifact Registry Reader Matters
In Google Cloud, the role roles/artifactregistry.reader allows a principal to list container images, view metadata, and pull image layers. That means full read access to container images in scope. Not just the latest tag, but every historical digest that still exists.
Container images are not binaries. They are layered filesystems. Build outputs. Configuration files. Sometimes credentials that were never meant to ship.
If you can pull images, you can inspect them offline. You do not need to run them. You do not need GKE. You do not need Cloud Run. You just need patience.
Authenticate Docker to Artifact Registry
First, authenticate Docker to the registry:
gcloud auth configure-docker us-central1-docker.pkg.dev
This wires Docker directly to Artifact Registry using your current credentials.
Enumerate All Images and Digests
Listing images is trivial with gcloud:
gcloud artifacts docker images list us-central1-docker.pkg.dev/my-project-123456/containers
Example output:
IMAGE  DIGEST  CREATE_TIME  UPDATE_TIME  TAGS
us-central1-docker.pkg.dev/my-project-123456/containers/app  sha256:abc123  2025-01-15T10:30:00  2025-01-15T10:30:00  latest,v1.2.3
us-central1-docker.pkg.dev/my-project-123456/containers/app  sha256:def456  2025-01-14T08:15:00  2025-01-14T08:15:00  v1.2.2
us-central1-docker.pkg.dev/my-project-123456/containers/app  sha256:789ghi  2025-01-13T14:20:00  2025-01-13T14:20:00  v1.2.1
us-central1-docker.pkg.dev/my-project-123456/containers/api  sha256:jkl012  2025-01-12T09:45:00  2025-01-12T09:45:00  latest,prod
The important field is the digest. Tags move. Digests do not. Each digest represents a historical build. Old mistakes live there.
Pull Images by Digest
You pull images one digest at a time:
docker pull us-central1-docker.pkg.dev/my-project-123456/containers/app@sha256:abc123def456789...
Example output:
sha256:abc123def456789: Pulling from my-project-123456/containers/app
a1b2c3d4e5f6: Pull complete
f6e5d4c3b2a1: Pull complete
...
Status: Downloaded newer image for us-central1-docker.pkg.dev/my-project-123456/containers/app@sha256:abc123def456789
Images can be large, but Docker layers make this manageable. Pulling sequentially avoids blowing disk and memory. You do not need to run the container. You are just downloading files.
Scan Images Without Running Them
Once an image is local, you scan it directly:
trufflehog docker --image us-central1-docker.pkg.dev/my-project-123456/containers/app@sha256:abc123def456789 --only-verified
Example output:
Found verified result 🐷🔑
Detector Type: AWS
Decoder: Plaintext
Raw result: AKIAIOSFODNN7EXAMPLE
File: /app/.env
Commit: N/A
Repository: N/A
Timestamp: 2025-01-13 14:20:00
TruffleHog reads the image layers. No entrypoint. No execution. No side effects. Repeat this for every digest.
Doing This at Scale
This works well at scale because images are layered, digests are immutable, scanning is offline, and you can go one by one. A simple loop lets you pull every historical build and scan it. No cleanup required. No orchestration required.
That is a lot of surface area.
What Shows Up in Practice
Things I have found in container images: cloud provider credentials, internal API tokens, TLS private keys, database passwords, third-party service secrets, old secrets assumed to be rotated.
These often never appear in source control. They only exist in built artifacts.
Why This Is a Bounty Opportunity
Many teams treat Artifact Registry reader access as low risk. Many bug bounty programs agree.
They should not.
Reader scoped too broadly means anyone with that role can quietly download an organization's build history and search it for secrets. No alerts. No runtime signals. Just files.
Conclusion
The fix is simple. Scope reader to specific repositories. Avoid project-wide reader unless required. Prune old images. Scan your own registry continuously.
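To find where reader is scoped too broadly, here is an added example (not code from the original post) that audits a project-level IAM policy for bindings that let a member pull from every repository in the project. It assumes the policy was exported with gcloud projects get-iam-policy PROJECT_ID --format=json; the function name, verdict labels and sample policy are constructed for illustration.

```python
import json

# Predefined Artifact Registry roles; each one includes permission to pull images.
PULL_ROLES = {
    "roles/artifactregistry.reader",
    "roles/artifactregistry.writer",
    "roles/artifactregistry.repoAdmin",
    "roles/artifactregistry.admin",
}

def project_wide_pullers(policy):
    """Flag project-level bindings that let a member pull from every repository.

    `policy` is the parsed JSON of a project IAM policy (hypothetical helper).
    """
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in PULL_ROLES:
            continue
        # An IAM condition may narrow the grant, so it gets a human review
        # instead of an automatic "too broad" verdict.
        cond = binding.get("condition")
        for member in binding.get("members", []):
            findings.append({
                "member": member,
                "role": role,
                "verdict": "review-condition" if cond is not None else "project-wide",
                "condition": cond.get("title") if cond else None,
            })
    return sorted(findings, key=lambda f: (f["verdict"], f["member"], f["role"]))

# Constructed sample policy, not taken from a real project.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/artifactregistry.reader",
   "members": ["serviceAccount:ci-reader@my-project-123456.iam.gserviceaccount.com",
               "group:developers@example.com"]},
  {"role": "roles/artifactregistry.writer",
   "members": ["serviceAccount:builder@my-project-123456.iam.gserviceaccount.com"],
   "condition": {"title": "only-containers-repo",
                 "expression": "resource.name.startsWith('projects/my-project-123456/locations/us-central1/repositories/containers')"}},
  {"role": "roles/logging.viewer", "members": ["user:alice@example.com"]}
]}
""")

if __name__ == "__main__":
    for f in project_wide_pullers(SAMPLE_POLICY):
        print(f"{f['verdict']:17} {f['role']:34} {f['member']}")
```

Each project-wide finding is a candidate to remove from the project policy and re-grant on individual repositories with gcloud artifacts repositories add-iam-policy-binding.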
Artifact Registry is not just storage. It is history. And history leaks.