Did you know that, once you have authenticated using the Google Cloud Platform SDK, the credential is valid for all eternity? With the Google Cloud session control tool you can limit the validity to as little as an hour.
After you type gcloud auth login , the credentials is stored under the directory ~/.config/gcloud. If this directory gets exfiltrated, the attacker can login using any of the accounts you ever logged in with.
To limit impact of such an event, navigate to Google Cloud session control, select the re-authentication option and choose the lifespan of the credentials. In the screenshot, I set the period to 1 hour. It drove my colleagues up the wall. Sorry.
Image by anncapictures from Pixabay
Written by
Mark van Holsteijn
Mark van Holsteijn is a senior software systems architect at Xebia Cloud-native solutions. He is passionate about removing waste in the software delivery process and keeping things clear and simple.