Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What's the risk in using project-id in GCS bucket names?

I've been using project-id as a prefix in my GCS bucket-names to easily get a unique name. When I read GCS-best practises

It says clearly not to use project-names or project-numbers (nothing about projectId:s) But on the other hand, when I spin up GAE, two buckets containing the project-id are automatically created.

Is Google not following their own best practices or did I miss something?

Are the greatest risk of having projectId in bucket name that I give clues to a potential attacker about the project since bucket-names are publicly visible?

like image 430
Calle Engene Avatar asked Dec 10 '19 07:12

Calle Engene


People also ask

What is the use of project ID in GCP?

The project ID is a unique identifier for a project and is used only within the console. When you first create a project, you can accept the default generated project ID or create your own.

What is bucket ID in Google Cloud?

Bucket id is nothing but your bucket name.

What point should be in consideration when we decide the name of the bucket?

Bucket names must be between 3 (min) and 63 (max) characters long. Bucket names can consist only of lowercase letters, numbers, dots (.), and hyphens (-). Bucket names must begin and end with a letter or number. Bucket names must not contain two adjacent periods.

What is the limit on bucket create Delete per project?

There is a per-project rate limit to bucket creation and deletion. This rate limit is approximately 1 request every 2 seconds, so plan on fewer buckets and more objects in most cases. For example, a common design choice is to use one bucket per user of your project.


2 Answers

It does appear, to some degree, that Google might not be following its best practices (as listed on that page, assuming that project names and numbers mean GCP names and numbers). The default bucket for Firebase projects layered on top of GCP does the same.

The documentation you linked states the reason to avoid using project names:

... because anyone can probe for the existence of a bucket ...

The idea is that if someone knows the name of your project, they could use that to build the full name of the bucket, and use that knowledge in an attack in order to gain its contents. However, if your security configuration is exactly what it should be, then knowing the name of the bucket won't be a problem. This is particularly true for Firebase projects, which use security rules to determine who should be able to access what objects.

I'd take the advice in the documentation as a measure of security through obscurity in order to prevent attackers from guessing the names of your buckets and any of its contents. But if that's not your concern, then ignore it.

like image 97
Doug Stevenson Avatar answered Oct 19 '22 02:10

Doug Stevenson


It looks like they're just worried about leaking PII. I'm not sure why they mentioned project names, unless it's because someone might include PII in their project name.

Don't use user IDs, email addresses, project names, project numbers, or any personally identifiable information (PII) in bucket names because anyone can probe for the existence of a bucket. Similarly, be very careful with putting PII in your object names, because object names appear in URLs for the object.

The two buckets I see created in my account have an appspot.com suffix. You cannot create arbitrary appspot.com buckets because they have a . in the name and thus are subject to verification:

Bucket names must contain only lowercase letters, numbers, dashes (-), underscores (_), and dots (.). Spaces are not allowed. Names containing dots require verification.

You are right though that the automatic bucket creation is inconsistent with their best practice guidelines.

like image 1
Doug Richardson Avatar answered Oct 19 '22 01:10

Doug Richardson