How to restrict/identify/notify sensitive data stored in project metadata of Compute Engine Settings

Hi Team,

As we know, we can store any kind of data in PROJECT METADATA (under Compute Engine -- Settings -- Metadata). How do we ensure that no sensitive data is stored in project metadata? And even if sensitive data is stored in project metadata, how can we get notified?

Project metadata, which is stored in plain format, is accessible to any user or service account with the necessary permissions. If unauthorised individuals gain access to the project or its metadata, they can retrieve the sensitive information, potentially leading to unauthorised access or misuse.

Potentially sensitive metadata can be: GCP SA keys, certificates, application passwords, API keys, SSH private keys, database/VM passwords, etc.

for example

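One way to answer the "how do we identify it and get notified" part of the question is to scan the project's common instance metadata on a schedule and alert on anything that looks like a secret. The script below is an added example written for this thread; it is not code from the original poster or from Google. It assumes the JSON shape returned by `gcloud compute project-info describe --format=json` (a `commonInstanceMetadata.items[]` list of `key`/`value` pairs) and embeds a constructed sample in that shape so it runs offline. The detection rules (suspicious key names, PEM private-key headers, service account key JSON, the `AIza...` Google API key format, and long high-entropy strings) are my own heuristics, and the 4.5-bit entropy threshold is an assumption you would tune for your environment.

```python
import json
import math
import re
import sys
from collections import Counter

# Constructed sample in the shape of `gcloud compute project-info describe --format=json`.
# Every value here is made up for the example; none is a real credential.
SAMPLE_PROJECT_INFO = json.dumps({
    "name": "example-project",
    "commonInstanceMetadata": {
        "kind": "compute#metadata",
        "items": [
            {"key": "enable-oslogin", "value": "TRUE"},
            {"key": "startup-script", "value": "#! /bin/bash\napt-get update"},
            {"key": "deploy-key", "value": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                                           "b3BlbnNzaC1rZXktdjEAAAAA\n"
                                           "-----END OPENSSH PRIVATE KEY-----"},
            {"key": "sa-json", "value": '{"type": "service_account", '
                                        '"private_key": "-----BEGIN PRIVATE KEY-----\\nMIIE..."}'},
            {"key": "maps-key", "value": "AIzaSyA1234567890abcdefghijklmnopqrstuv"},  # constructed
            {"key": "db-password", "value": "hunter2"},
        ],
    },
})

# Key names that by themselves suggest a secret is being stored (assumed list, extend as needed).
KEY_NAME_RE = re.compile(r"(password|passwd|secret|token|private[_-]?key|api[_-]?key|credential)", re.I)

# Value patterns: PEM private keys, service account key JSON, Google API key format (AIza + 35 chars).
VALUE_RULES = [
    ("private key material", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("service account key JSON", re.compile(r'"type"\s*:\s*"service_account"')),
    ("Google API key format", re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")),
]

# Candidate tokens for the entropy check: 32+ chars of base64/url-safe alphabet.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{32,}")
ENTROPY_THRESHOLD = 4.5  # assumption: bits per character; random keys score well above this


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str, keep: int = 4) -> str:
    """Keep only a short prefix so a finding can be triaged without re-exposing the secret."""
    flat = value.replace("\n", " ")
    if len(flat) <= keep:
        return "*" * len(flat)
    return flat[:keep] + "*" * min(len(flat) - keep, 12)


def classify_value(value: str) -> list:
    """Return the list of reasons a metadata value looks like a secret (empty if none)."""
    reasons = [name for name, rx in VALUE_RULES if rx.search(value)]
    for token in TOKEN_RE.findall(value):
        if shannon_entropy(token) >= ENTROPY_THRESHOLD:
            reasons.append("high-entropy string")
            break
    return reasons


def scan_project_metadata(project_info_json: str) -> list:
    """Scan project-info JSON and return one finding per suspicious metadata item."""
    info = json.loads(project_info_json)
    items = info.get("commonInstanceMetadata", {}).get("items", [])
    findings = []
    for item in items:
        key, value = item.get("key", ""), item.get("value", "")
        reasons = ["sensitive key name"] if KEY_NAME_RE.search(key) else []
        reasons.extend(classify_value(value))
        if reasons:
            findings.append({"key": key, "reasons": reasons, "preview": redact(value)})
    return findings


if __name__ == "__main__":
    # Read real output from stdin when piped in; otherwise scan the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PROJECT_INFO
    for finding in scan_project_metadata(raw):
        print(f"[ALERT] key={finding['key']!r} reasons={finding['reasons']} preview={finding['preview']!r}")
```

To use it against a real project, pipe the gcloud output in (`gcloud compute project-info describe --format=json | python3 scan_metadata.py`) from a scheduled job and forward any `[ALERT]` lines to whatever alerting channel you already use; the scanner never prints the full value, only a redacted prefix, so the alert itself does not become a second copy of the secret. Note that the entropy rule will also fire on legitimate long random strings (instance IDs, hashes), so treat it as a prompt to review rather than a definite finding.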

Hello @gaurav_gupta ,

However, any process that can query the metadata URL has access to all values in the metadata server. This includes any custom metadata values that were written to the server. Google recommends exercising caution when writing sensitive values to the metadata server or when running third-party processes. Attaching here the documentation as reference.