Translated ['.github/pull_request_template.md', 'src/pentesting-cloud/az

2025-12-30 06:30:35 -08:00 · 2024-12-31 19:09:14 +00:00
parent 7770a50092
commit 388bdfdf0a
244 changed files with 7988 additions and 10827 deletions
--- a/src/pentesting-cloud/gcp-security/gcp-basic-information/README.md
+++ b/src/pentesting-cloud/gcp-security/gcp-basic-information/README.md
--- a/src/pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md
+++ b/src/pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md
@@ -6,10 +6,9 @@

 ### GCP

-In order to give **access to the Github Actions** from a Github repo to a GCP **service account** the following steps are needed:
-
- **Create the Service Account** to access from github actions with the **desired permissions:**
+GCP **सेवा खाते** को Github repo से **Github Actions** तक पहुँच देने के लिए निम्नलिखित चरणों की आवश्यकता है:

+- **सेवा खाता बनाएं** ताकि इच्छित अनुमतियों के साथ github actions से पहुँच प्राप्त हो:
 ```bash
 projectId=FIXME
 gcloud config set project $projectId
@@ -24,134 +23,121 @@ gcloud services enable iamcredentials.googleapis.com
 # Give permissions to SA

 gcloud projects add-iam-policy-binding $projectId \
-    --member="serviceAccount:$saId" \
-    --role="roles/iam.securityReviewer"
+--member="serviceAccount:$saId" \
+--role="roles/iam.securityReviewer"
 ```
-
- Generate a **new workload identity pool**:
-
+- एक **नया वर्कलोड आइडेंटिटी पूल** बनाएं:
 ```bash
 # Create a Workload Identity Pool
 poolName=wi-pool

 gcloud iam workload-identity-pools create $poolName \
-  --location global \
-  --display-name $poolName
+--location global \
+--display-name $poolName

 poolId=$(gcloud iam workload-identity-pools describe $poolName \
-  --location global \
-  --format='get(name)')
+--location global \
+--format='get(name)')
 ```
-
- Generate a new **workload identity pool OIDC provider** that **trusts** github actions (by org/repo name in this scenario):
-
+- एक नया **वर्कलोड आइडेंटिटी पूल OIDC प्रदाता** उत्पन्न करें जो **विश्वास करता है** github actions (इस परिदृश्य में org/repo नाम द्वारा):
 ```bash
 attributeMappingScope=repository # could be sub (GitHub repository and branch) or repository_owner (GitHub organization)

 gcloud iam workload-identity-pools providers create-oidc $poolName \
-  --location global \
-  --workload-identity-pool $poolName \
-  --display-name $poolName \
-  --attribute-mapping "google.subject=assertion.${attributeMappingScope},attribute.actor=assertion.actor,attribute.aud=assertion.aud,attribute.repository=assertion.repository" \
-  --issuer-uri "https://token.actions.githubusercontent.com"
+--location global \
+--workload-identity-pool $poolName \
+--display-name $poolName \
+--attribute-mapping "google.subject=assertion.${attributeMappingScope},attribute.actor=assertion.actor,attribute.aud=assertion.aud,attribute.repository=assertion.repository" \
+--issuer-uri "https://token.actions.githubusercontent.com"

 providerId=$(gcloud iam workload-identity-pools providers describe $poolName \
-  --location global \
-  --workload-identity-pool $poolName \
-  --format='get(name)')
+--location global \
+--workload-identity-pool $poolName \
+--format='get(name)')
 ```
-
- Finally, **allow the principal** from the provider to use a service principal:
-
+- अंत में, **प्रदाता से प्रिंसिपल को सेवा प्रिंसिपल का उपयोग करने की अनुमति दें**:
 ```bash
 gitHubRepoName="repo-org/repo-name"
 gcloud iam service-accounts add-iam-policy-binding $saId \
-  --role "roles/iam.workloadIdentityUser" \
-  --member "principalSet://iam.googleapis.com/${poolId}/attribute.${attributeMappingScope}/${gitHubRepoName}"
+--role "roles/iam.workloadIdentityUser" \
+--member "principalSet://iam.googleapis.com/${poolId}/attribute.${attributeMappingScope}/${gitHubRepoName}"
 ```
-
 > [!WARNING]
-> Note how in the previous member we are specifying the **`org-name/repo-name`** as conditions to be able to access the service account (other params that makes it **more restrictive** like the branch could also be used).
+> ध्यान दें कि पिछले सदस्य में हम सेवा खाते तक पहुँचने के लिए **`org-name/repo-name`** को शर्तों के रूप में निर्दिष्ट कर रहे हैं (अन्य पैरामीटर जो इसे **अधिक प्रतिबंधात्मक** बनाते हैं जैसे शाखा का भी उपयोग किया जा सकता है)।
 >
-> However it's also possible to **allow all github to access** the service account creating a provider such the following using a wildcard:
+> हालाँकि, यह भी संभव है कि **सभी github को सेवा खाते तक पहुँचने की अनुमति दें** एक प्रदाता बनाकर जैसे कि निम्नलिखित एक वाइल्डकार्ड का उपयोग कर:

 <pre class="language-bash"><code class="lang-bash"># Create a Workload Identity Pool
 poolName=wi-pool2

 gcloud iam workload-identity-pools create $poolName \
-  --location global \
-  --display-name $poolName
+--location global \
+--display-name $poolName

 poolId=$(gcloud iam workload-identity-pools describe $poolName \
-  --location global \
-  --format='get(name)')
+--location global \
+--format='get(name)')

 gcloud iam workload-identity-pools providers create-oidc $poolName \
-  --project="${projectId}" \
-  --location="global" \
-  --workload-identity-pool="$poolName" \
-  --display-name="Demo provider" \
-  --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.aud=assertion.aud" \
-  --issuer-uri="https://token.actions.githubusercontent.com"
+--project="${projectId}" \
+--location="global" \
+--workload-identity-pool="$poolName" \
+--display-name="Demo provider" \
+--attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.aud=assertion.aud" \
+--issuer-uri="https://token.actions.githubusercontent.com"

 providerId=$(gcloud iam workload-identity-pools providers describe $poolName \
-  --location global \
-  --workload-identity-pool $poolName \
-  --format='get(name)')
+--location global \
+--workload-identity-pool $poolName \
+--format='get(name)')

 <strong># CHECK THE WILDCARD
 </strong>gcloud iam service-accounts add-iam-policy-binding "${saId}" \
-  --project="${projectId}" \
-  --role="roles/iam.workloadIdentityUser" \
+--project="${projectId}" \
+--role="roles/iam.workloadIdentityUser" \
 <strong>  --member="principalSet://iam.googleapis.com/${poolId}/*"
 </strong></code></pre>

 > [!WARNING]
-> In this case anyone could access the service account from github actions, so it's important always to **check how the member is defined**.\
-> It should be always something like this:
+> इस मामले में कोई भी github actions से सेवा खाते तक पहुँच सकता है, इसलिए हमेशा **जांचना महत्वपूर्ण है कि सदस्य कैसे परिभाषित है**।\
+> यह हमेशा कुछ ऐसा होना चाहिए:
 >
 > `attribute.{custom_attribute}`:`principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}`

 ### Github

-Remember to change **`${providerId}`** and **`${saId}`** for their respective values:
-
+याद रखें कि **`${providerId}`** और **`${saId}`** को उनके संबंधित मानों के लिए बदलें:
 ```yaml
 name: Check GCP action
 on:
-  workflow_dispatch:
-  pull_request:
-    branches:
-      - main
+workflow_dispatch:
+pull_request:
+branches:
+- main

 permissions:
-  id-token: write
+id-token: write

 jobs:
-  Get_OIDC_ID_token:
-    runs-on: ubuntu-latest
-    steps:
-      - id: "auth"
-        name: "Authenticate to GCP"
-        uses: "google-github-actions/auth@v2.1.3"
-        with:
-          create_credentials_file: "true"
-          workload_identity_provider: "${providerId}" # In the providerId, the numerical project ID (12 digit number) should be used
-          service_account: "${saId}" # instead of the alphanumeric project ID. ex:
-          activate_credentials_file: true # projects/123123123123/locations/global/workloadIdentityPools/iam-lab-7-gh-pool/providers/iam-lab-7-gh-pool-oidc-provider'
-      - id: "gcloud"
-        name: "gcloud"
-        run: |-
-          gcloud config set project <project-id>
-          gcloud config set account '${saId}'
-          gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"
-          gcloud auth list
-          gcloud projects list
-          gcloud secrets list
+Get_OIDC_ID_token:
+runs-on: ubuntu-latest
+steps:
+- id: "auth"
+name: "Authenticate to GCP"
+uses: "google-github-actions/auth@v2.1.3"
+with:
+create_credentials_file: "true"
+workload_identity_provider: "${providerId}" # In the providerId, the numerical project ID (12 digit number) should be used
+service_account: "${saId}" # instead of the alphanumeric project ID. ex:
+activate_credentials_file: true # projects/123123123123/locations/global/workloadIdentityPools/iam-lab-7-gh-pool/providers/iam-lab-7-gh-pool-oidc-provider'
+- id: "gcloud"
+name: "gcloud"
+run: |-
+gcloud config set project <project-id>
+gcloud config set account '${saId}'
+gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"
+gcloud auth list
+gcloud projects list
+gcloud secrets list
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-
-