- Source: GL_Branch
- Destination: AZServicePrincipal (Microsoft Entra, from BloodHound)
The traversable GL_CanAssumeIdentity edge is a hybrid cross-subgraph edge connecting a GitLab branch to a Microsoft Entra service principal that is configured to trust GitLab OIDC tokens issued for that branch.
This edge represents a critical cross-cloud lateral movement path: an attacker who can push code to the branch can trigger a pipeline that requests a GitLab OIDC token for that branch. The Entra identity platform accepts the token (because the federated credential trusts the subject claim `project_path:group/project:ref_type:branch:ref:main`) and issues an Entra access token for the service principal. The attacker then operates as the service principal with all of its Azure permissions.
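The trust check described above, as an added example that is not part of the original edge documentation or of BloodHound's collector: it derives the `sub` claim GitLab puts in a job's ID token, matches it against a set of Entra federated identity credentials (issuer, subject and audience all compared exactly), and emits the resulting GL_CanAssumeIdentity edges, flagging those whose trusted branch is unprotected. The issuer URL, application ids and project paths are constructed sample values; it assumes exact subject matching, which is how a standard federated credential behaves.

```python
from dataclasses import dataclass

GITLAB_ISSUER = "https://gitlab.example.com"   # assumed issuer URL of the GitLab instance
ENTRA_AUDIENCE = "api://AzureADTokenExchange"  # audience Entra expects on the GitLab token

@dataclass(frozen=True)
class FederatedCredential:
    """One federated identity credential attached to an Entra application."""
    app_id: str            # the application / service principal it belongs to
    issuer: str
    subject: str           # exact-match subject, e.g. project_path:g/p:ref_type:branch:ref:main
    audiences: tuple = (ENTRA_AUDIENCE,)

@dataclass(frozen=True)
class Branch:
    project_path: str
    name: str
    protected: bool        # unprotected: any Developer with GL_CanPush can trigger a job

def gitlab_subject(project_path, ref, ref_type="branch"):
    """`sub` claim GitLab puts in a job's ID token for this ref."""
    return f"project_path:{project_path}:ref_type:{ref_type}:ref:{ref}"

def can_assume_identity(branch, creds):
    """app_ids whose federated credential accepts a token minted for `branch`
    (issuer, subject and audience must all match)."""
    sub = gitlab_subject(branch.project_path, branch.name)
    return sorted({c.app_id for c in creds
                   if c.issuer == GITLAB_ISSUER and c.subject == sub
                   and ENTRA_AUDIENCE in c.audiences})

def find_edges(branches, creds):
    """(branch, app_id, risk) for every GL_CanAssumeIdentity edge; risk is
    'high' when the trusted branch is unprotected."""
    return [(f"{b.project_path}:{b.name}", app_id,
             "medium" if b.protected else "high")
            for b in branches for app_id in can_assume_identity(b, creds)]

# Constructed sample inventory (not real tenants or projects)
BRANCHES = [Branch("group/project", "main", protected=True),
            Branch("group/project", "feature", protected=False),
            Branch("group/other", "main", protected=True)]
CREDS = [FederatedCredential("deploy-prod", GITLAB_ISSUER, gitlab_subject("group/project", "main")),
         FederatedCredential("deploy-dev", GITLAB_ISSUER, gitlab_subject("group/project", "feature")),
         FederatedCredential("legacy", "https://token.actions.githubusercontent.com",
                             "repo:group/project:ref:refs/heads/main")]  # different issuer: no edge

if __name__ == "__main__":
    for edge in find_edges(BRANCHES, CREDS):
        print("GL_CanAssumeIdentity", *edge)
```

In a real collection the branches come from the GitLab API and the credentials from the Entra `federatedIdentityCredentials` of each application; the matching logic stays the same.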
```mermaid
graph LR
user("fa:fa-user GL_User alice")
devRole("fa:fa-user-tie GL_ProjectRole myproject/Developer")
branch("fa:fa-code-branch GL_Branch main")
sp("fa:fa-robot AZServicePrincipal deploy-prod")
user -->|GL_HasRole| devRole
devRole -->|GL_CanPush| branch
branch -->|GL_CanAssumeIdentity| sp
```