GCP HMAC Keys are not discoverable or revokable other than for self

Published Mon, Jun 17th, 2024


GCP administrators face challenges in managing HMAC keys within their organizations, lacking visibility into which user accounts have generated these keys and whether they are actively being used to access storage objects. Additionally, there's a lack of functionality to revoke keys associated with other users, restricting their ability to enforce security policies effectively. Similarly, GCP incident response teams rely on Cloud Logging to monitor Cloud Storage object access, but they lack specific indicators to determine if HMAC keys are being utilized in these access attempts.

Affected Services

Google Cloud Storage XML API, Google Cloud IAM


No full remediation is possible at this time. While various containment actions, such as suspending or deleting compromised user accounts, may initially seem effective by rejecting previously created Sigv4 signed headers, reactivating or recreating the same user allows the reuse of credentials unless they have expired. Furthermore, removing Cloud IAM Roles can revoke access to affected storage resources. However, it's important to note that reassigning roles does not invalidate previously created Sigv4 signed headers, allowing them to continue functioning even after the role change.

Tracked CVEs

No tracked CVEs


Disclosure Date
Wed, Feb 7th, 2024
Exploitablity Period
Known ITW Exploitation
Detection Methods
Piercing Index Rating
Discovered by
Kat Traxler, Vectra AI