Verbosity Details of 'gcloud app deploy'


Austin Siford

Aug 6, 2018, 9:12:23 AM
to google-c...@googlegroups.com
Howdy all,
 
We’re trying to determine the sensitive information (if any) which is logged by various verbosity levels with the `gcloud app deploy` command, specifically the ‘debug’ verbosity level, like deploy or access keys. If any deploy logs were made available to less privileged individuals, say through a continuous integration/deployment system or task tracking software, would the overall security of the deployed applications (and their data) be compromised?

We’ve had some full (unredacted) deploy logs get posted publicly and are trying to determine how far back to review data or if that's even necessary. Service accounts and other keys have already been rotated for precautionary measures, and we’ve temporarily switched verbosity to ‘critical’.

Any information would be greatly appreciated.

Thanks,
Austin
--
/ Austin Siford
Security Researcher, Software Engineer

Yasser Karout (Cloud Platform Support)

Aug 8, 2018, 5:00:08 PM
to Google Cloud Developers
The output of the `gcloud app deploy` command with verbosity set at 'debug' will reveal some potentially sensitive information such as the Google account you are authorized with, project ID and paths in your directory. So it is not ideal to include this information when making the output available to less privileged individuals.

For the future, you can use the '--no-user-output-enabled' flag to remove file paths. It is best also to scrub through the output manually to remove any Google accounts and project IDs.
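The scrubbing of accounts, project IDs and paths suggested in the reply above can be scripted so that deploy logs are masked before they reach a CI system or task tracker. The following is an added example, not part of the original thread or of the gcloud tooling. The regular expressions, the placeholder labels, the file name `scrub_log.py` and the sample log lines are assumptions made for illustration.

```python
import re
import sys

# Assumed patterns: tune them to what your own deploy logs actually contain.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Absolute POSIX paths with two or more segments, or Windows drive paths.
# The lookbehind keeps URL paths (https://host/a/b) from matching.
PATH_RE = re.compile(r"(?<![\w:/.])(?:/[\w.@+-]+){2,}/?|\b[A-Za-z]:\\[^\s\"']+")

# Constructed sample lines for this example; not real gcloud output.
SAMPLE_LOG = """\
DEBUG: active account is deployer@example-proj-123.iam.gserviceaccount.com
DEBUG: reading /home/ci/workspace/example-proj-123/app.yaml
INFO: POST https://api.example.test/v1/apps/example-proj-123/services
INFO: deployed by alice@example.com
"""


def scrub(text, project_ids):
    """Return (scrubbed_text, counts) with accounts, paths and project IDs masked."""
    counts = {}

    def mask(pattern, label, s):
        s, n = pattern.subn(f"[REDACTED_{label}]", s)
        counts[label] = counts.get(label, 0) + n
        return s

    text = mask(EMAIL_RE, "ACCOUNT", text)  # also covers service account addresses
    text = mask(PATH_RE, "PATH", text)      # before project IDs: paths may embed them
    for pid in sorted(project_ids, key=len, reverse=True):
        # Literal match with boundaries so "proj" does not hit "proj-2".
        pid_re = re.compile(r"(?<![A-Za-z0-9-])" + re.escape(pid) + r"(?![A-Za-z0-9-])")
        text = mask(pid_re, "PROJECT", text)
    return text, counts


if __name__ == "__main__":
    # Usage: gcloud app deploy --verbosity=debug 2>&1 | python scrub_log.py PROJECT_ID
    cleaned, counts = scrub(sys.stdin.read(), sys.argv[1:])
    sys.stdout.write(cleaned)
    print(counts, file=sys.stderr)  # how many values of each kind were masked
```

The per-category counts make it easy to spot a log that unexpectedly contained no matches, which usually means a pattern needs adjusting rather than that the log was clean.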