All news with #gcp iam tag

Exposed GitHub PATs Enable Access to Cloud Secrets

🔒 Recent research from the Wiz Customer Incident Response Team shows attackers are using exposed GitHub Personal Access Tokens (PATs) to retrieve GitHub Action Secrets and pivot into cloud environments. A read-level PAT can leverage GitHub’s API code search to locate secret references like "${{ secrets.SECRET_NAME }}" — and because those search API calls are not logged, discovery is stealthy. Once obtained, cloud provider credentials let attackers spin up resources, exfiltrate data, install malware, or persist while often evading detection. Organizations should treat PATs as privileged credentials: enforce expiration and rotation, remove cloud secrets from workflows, apply least privilege, and improve monitoring and developer training.

Practical Guide to Google Cloud Parameter Manager Overview

🔒 Google Cloud's Parameter Manager centralizes application configuration to avoid hard-coded credentials and fragile config files, supporting validated JSON and YAML payloads as well as arbitrary unformatted data. It integrates with Secret Manager using a __REF__ syntax to keep confidential values separate and uses versioned, immutable parameter versions to prevent accidental changes. The post walks through storing an API key in Secret Manager, granting the Parameter Manager IAM principal access, and calling renderParameterVersion from a Node backend. A sample React/Node weather app demonstrates runtime configuration, fallback dummy data, and advanced patterns such as regional parameters and feature rollouts.

Securing Remote MCP Servers on Google Cloud Platform

🔒 A centralized proxy architecture on Google Cloud can secure remote Model Context Protocol (MCP) servers by intercepting tool calls and enforcing consistent policies across deployments. Author Lanre Ogunmola outlines five core MCP risks — unauthorized tool exposure, session hijacking, tool shadowing, token/theft and authentication bypass — and recommends an MCP proxy (Cloud Run, GKE, or Apigee) integrated with Cloud Armor, Secret Manager, and identity services for access control, secret scanning, and monitoring. The post emphasizes layered defenses including Model Armor for prompt/response screening and centralized logging to reduce blind spots and operational overhead.