
The first time it broke was in May 2024, when Ayer tried to log in and saw a message stating he had used Google Cloud in a way that violated the company's policies. His post explains the "super frustrating" effort required to restore access, as Google asked him to provide information that was only accessible if he logged in - while the web giant prevented him from logging in.
"We create a service account for each customer under our Google Cloud project, and ask the customer to authorize this service account to access Cloud DNS and Cloud Domains," Ayer wrote. "When SSLMate needs to access a customer's Google Cloud account, it impersonates the corresponding service account." Ayer said he developed this system based on a suggestion in Google Cloud's own documentation on how to use cloud APIs. He says it "works really well" and is "both very easy for the customer to configure, and secure: there are no long-lived credentials or confused deputy vulnerabilities."
SSLMate uses Google Cloud mainly to integrate with customers' Google Cloud accounts: it creates one service account per customer, and the customer authorizes that account to access Cloud DNS and Cloud Domains in their own project. SSLMate impersonates those service accounts to publish certificate validation DNS records and to discover domains, a workflow taken from Google Cloud's documentation that avoids both long-lived credentials and confused-deputy vulnerabilities. Google Cloud suspended the SSLMate project three separate times; each suspension blocked login and led to a difficult restoration process that required information that was inaccessible while locked out. No clear reasons or preventive guidance were provided, and no suspension emails were sent, prompting SSLMate to add a health check and to warn against using Google Cloud for critical workloads.
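The per-customer service-account pattern described above, together with the kind of health check the summary mentions, as an added example that is not SSLMate's code or Google's. It assumes the gcloud CLI is installed and authenticated; the project ids, customer ids and DNS zone name are placeholders, the service-account id is derived from a validated customer id, and only the Cloud DNS role is granted (the Cloud Domains grant is left out). The health check exercises the same impersonation path the integration relies on, so a suspended or unreachable project shows up in monitoring rather than at the moment a customer's certificate issuance fails.

```shell
#!/bin/sh
# Added example (not SSLMate's code): per-customer service accounts that a
# customer authorizes in THEIR project, impersonated by OUR project at
# issuance time with short-lived tokens, plus a scheduled health check.
# Assumes an authenticated gcloud CLI. All ids below are placeholders.
set -eu

OUR_PROJECT="${OUR_PROJECT:-sslmate-integration-project}"   # placeholder

# Derive the service-account e-mail for a customer. Service-account ids must
# be 6-30 chars of lowercase letters, digits and hyphens and start with a
# letter, so the customer id is validated rather than trusted.
sa_email_for_customer() {
    customer="$1"
    case "$customer" in
        ""|[!a-z]*|*[!a-z0-9-]*) return 1 ;;
    esac
    [ "${#customer}" -ge 6 ] && [ "${#customer}" -le 30 ] || return 1
    printf '%s@%s.iam.gserviceaccount.com\n' "$customer" "$OUR_PROJECT"
}

# Step 1 (our side): one distinct principal per customer in OUR project.
# No key is created, so there is nothing long-lived to leak or rotate.
create_customer_sa() {
    gcloud iam service-accounts create "$1" \
        --project="$OUR_PROJECT" \
        --display-name="Integration account for customer $1"
}

# Step 2 (customer side): the customer grants that single principal access
# to Cloud DNS in THEIR project. Because each customer authorizes a different
# principal, a request for customer A can never be satisfied with customer
# B's access (no confused deputy).
grant_in_customer_project() {
    customer_project="$1"
    sa="$(sa_email_for_customer "$2")"
    gcloud projects add-iam-policy-binding "$customer_project" \
        --member="serviceAccount:$sa" --role=roles/dns.admin
}

# Step 3 (our side, at issuance time): act as the customer's service
# account for one call; gcloud mints a short-lived token for it.
publish_validation_record() {
    customer_project="$1"; zone="$2"; name="$3"; value="$4"
    sa="$(sa_email_for_customer "$5")"
    gcloud dns record-sets create "$name" --project="$customer_project" \
        --zone="$zone" --type=TXT --ttl=60 --rrdatas="$value" \
        --impersonate-service-account="$sa"
}

# Health check: run on a schedule from outside the project. It fails when OUR
# project cannot be described as ACTIVE (including when the API refuses the
# request) or when impersonating a canary service account no longer yields a
# token, so a suspension is noticed before a customer workflow breaks.
health_check() {
    state="$(gcloud projects describe "$OUR_PROJECT" \
        --format='value(lifecycleState)' 2>/dev/null)" || state="unreachable"
    [ "$state" = ACTIVE ] || { echo "project $OUR_PROJECT: $state" >&2; return 1; }
    canary="$(sa_email_for_customer canary-account)"   # placeholder canary SA
    gcloud auth print-access-token \
        --impersonate-service-account="$canary" >/dev/null 2>&1 \
        || { echo "impersonation of $canary failed" >&2; return 1; }
}

# Usage: ./integration.sh check
#        ./integration.sh onboard CUSTOMER_ID CUSTOMER_PROJECT
case "${1:-}" in
    check)   health_check ;;
    onboard) create_customer_sa "$2"; grant_in_customer_project "$3" "$2" ;;
esac
```

Run `check` from a monitor that lives outside the Google Cloud project, since the point is to detect the project itself becoming unusable; an alert on a failing check is what the article's author was missing when the suspensions happened silently.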
Read at The Register