tf

Author: carlospolop

src/pentesting-ci-cd/terraform-security.md

@@ -305,6 +305,35 @@ With these creds, attackers can create/modify/destroy resources directly using n
   - Detect exfiltration of `tfc-*` credential artifacts and alert on suspicious `external` program usage during plans.
 
 
+## Compromising Terraform Cloud
+
+### Using a token
+
+As **[explained in this post](https://www.pentestpartners.com/security-blog/terraform-token-abuse-speculative-plan/)**, terraform CLI stores tokens in plaintext at **`~/.terraform.d/credentials.tfrc.json`**. Stealing this token lets an attacker impersonate the user within the token’s scope.
+
+Using this token it's possible to get the org/workspace with:
+
+```bash
+GET https://app.terraform.io/api/v2/organizations/acmecorp/workspaces/gcp-infra-prod
+Authorization: Bearer <TF_TOKEN>
+```
+
+Then it's possible to run arbitrary code using **`terraform plan`** as explained in the previous chapter.
+
+### Escaping to the cloud
+
+Then, if the runner is located in some cloud environment, it's possible to obtain a token of the principal attached to the runner and use it out of band.
+
+- **GCP files (present in current run working directory)**
+  - `tfc-google-application-credentials` — JSON config for Workload Identity Federation(WIF) that tells Google how to exchange the external identity.
+  - `tfc-gcp-token` — short‑lived (≈1 hour) GCP access token referenced by the above
+
+- **AWS files**
+  - `tfc-aws-shared-config` — JSON for web identity federation/OIDC role assumption
+(preferred over static keys).
+  - `tfc-aws-token` — short‑lived token, or potentially static IAM keys if misconfigured.
+
+
 ## Automatic Audit Tools
 
 ### [**Snyk Infrastructure as Code (IaC)**](https://snyk.io/product/infrastructure-as-code-security/)