Skip to content

GCP OAuth2 Client Secret

Service Name: Google Cloud Platform

Service Description: Google Cloud Platform (GCP) is a suite of cloud computing services that runs on the same infrastructure that Google uses internally for its end-user products. OAuth2 client secrets are used to authenticate applications that access Google APIs and services.

Service Address: https://cloud.google.com/

Validation Type: API Auth, NHI Enriched

IP Allow list: IP restrictions can be configured at the project level using VPC Service Controls or through IAM conditions.

Secret Access Scope: Grants programmatic access to Google Cloud resources and APIs based on the OAuth scopes requested. Can be used to authenticate applications and services to access Google Cloud resources.

Secret Revokement URL: https://console.cloud.google.com/apis/credentials

Secret Example: gocspx-ABCdefGHIjklMNOpqrSTUvwxYZ12345

Suspicious Activity Investigation Instructions:

  • Review Cloud Audit Logs for unusual API calls or resource access
  • Check the OAuth consent screen for unauthorized redirects
  • Monitor for unusual authentication patterns or geographic locations
  • Examine API usage metrics for spikes or anomalies
  • Review project activity for unauthorized service account creation or modification
  • Check for unexpected OAuth token exchanges

Mitigation Instructions:

  • Navigate to the Google Cloud Console and go to the API & Services > Credentials section
  • Locate the compromised OAuth client in the "OAuth 2.0 Client IDs" section
  • Click on the client ID to view its details
  • Click the "Regenerate Secret" button to invalidate the current secret
  • Update all legitimate applications with the new client secret
  • Consider implementing more restrictive OAuth scopes
  • Enable domain-wide delegation controls if applicable
  • Implement multi-factor authentication for Google Cloud accounts
  • Review and update IAM permissions to follow the principle of least privilege