Saved February 14, 2026
This article details GatewayToHeaven, a vulnerability in Google Cloud's Apigee that allowed attackers to access cross-tenant logs and data. It explains how Apigee's architecture could be exploited to escalate privileges and potentially impersonate users by retrieving sensitive data.
GatewayToHeaven is a vulnerability in Google Cloud’s Apigee that exposes sensitive cross-tenant access logs and analytics data, including plaintext access tokens. The flaw, assigned CVE-2025-13292, allows an attacker to impersonate users from other organizations that use Apigee. The article is aimed at cloud security researchers and software engineers, highlighting the weak points of multi-tenant architectures and where they tend to fail.
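The core exposure described above is that access logs and analytics retained plaintext access tokens, so anyone who could read the logs could reuse the credentials. A control a platform team would want is a scrubber that detects and redacts credential material before log lines reach shared storage or analytics. The following is an added example, not code from the article or from Apigee: the log line format, field names, token patterns and sample entries are all constructed for illustration, and the regular expressions are general heuristics rather than a description of what Apigee actually logs.

```python
"""Detect and redact credential material in API gateway access logs.

Added illustration for the GatewayToHeaven write-up; not the article's or
Apigee's code. Log format, field names and sample lines are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Ordered so that patterns with context (a header or query parameter) run
# before the bare-token patterns, which avoids double-counting one secret.
# Token shapes are assumptions: ya29. for Google OAuth2 access tokens,
# eyJ...eyJ... for JWTs.
PATTERNS: dict[str, re.Pattern[str]] = {
    # Authorization: Bearer <token>  (also authorization="Bearer <token>")
    "bearer_header": re.compile(
        r'(?i)(authorization\s*[:=]\s*"?\s*bearer\s+)([A-Za-z0-9\-._~+/]+=*)'
    ),
    # ?access_token=<token> or &token=<token> in a logged request path
    "token_query_param": re.compile(
        r"(?i)([?&](?:access_token|token)=)([^&\s\"']+)"
    ),
    # Bare Google OAuth2 access token anywhere in the line
    "google_oauth_token": re.compile(r"\bya29\.[A-Za-z0-9\-._]+"),
    # Bare JWT: three base64url segments separated by dots
    "jwt": re.compile(r"\beyJ[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+"),
}


@dataclass
class ScanResult:
    redacted: str
    findings: dict[str, int] = field(default_factory=dict)


def redact_line(line: str) -> ScanResult:
    """Return the line with secrets replaced and a count per pattern."""
    findings: dict[str, int] = {}
    out = line
    for name, pattern in PATTERNS.items():
        def replace(match: re.Match[str], name: str = name) -> str:
            # Keep the context prefix (header name, parameter name) if the
            # pattern captured one, so the log stays readable.
            prefix = match.group(1) if match.lastindex and match.lastindex >= 2 else ""
            return f"{prefix}[REDACTED:{name}]"
        out, count = pattern.subn(replace, out)
        if count:
            findings[name] = count
    return ScanResult(out, findings)


def scan_log(text: str) -> tuple[list[str], dict[str, int]]:
    """Redact every line and aggregate how many secrets of each kind were seen."""
    redacted_lines: list[str] = []
    totals: dict[str, int] = {}
    for line in text.splitlines():
        result = redact_line(line)
        redacted_lines.append(result.redacted)
        for name, count in result.findings.items():
            totals[name] = totals.get(name, 0) + count
    return redacted_lines, totals


# Constructed sample: a gateway access log from two tenant organizations.
# Tokens are made-up strings in the assumed formats.
SAMPLE_LOG = """\
2026-02-14T10:00:01Z proxy=orders-v1 org=tenant-a client=10.0.0.5 method=GET path=/v1/orders status=200 authorization="Bearer ya29.a0AbCdEfGhIjKlMnOpQrStUvWxYz0123456789" latency_ms=42
2026-02-14T10:00:02Z proxy=orders-v1 org=tenant-a client=10.0.0.6 method=GET path=/v1/orders?access_token=ya29.a0ZyXwVuTsRqPoNmLkJiHgFeDcBa9876543210 status=200 latency_ms=37
2026-02-14T10:00:03Z proxy=billing-v2 org=tenant-b client=10.0.1.9 method=POST path=/v2/invoices status=201 latency_ms=88
2026-02-14T10:00:04Z proxy=billing-v2 org=tenant-b client=10.0.1.9 method=GET path=/v2/me status=200 authorization="Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyLTQyIn0.c2lnbmF0dXJl" latency_ms=21
"""


if __name__ == "__main__":
    lines, totals = scan_log(SAMPLE_LOG)
    print("\n".join(lines))
    print("findings:", totals)
```

Running the scrubber on the constructed sample reports two bearer headers and one token query parameter, and the third line (no credential material) passes through unchanged. In a real pipeline this would sit in front of the log sink, and a non-zero finding count on logs that are supposed to be token-free is itself an alert condition: it means a proxy or client is putting credentials where shared analytics can read them.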
Apigee functions as an API proxy layer, managing requests between backend services and clients. It operates within tenant projects, which are Google-managed GCP projects dedicated to a single service consumer. Despite the intended security boundaries, the architecture raises questions about what resources exist within these tenant projects and whether service accounts can access cross-tenant resources. The author details a method for gaining access to the Apigee service account’s token by exploiting the Kubernetes metadata endpoint, which could potentially allow an attacker to escalate privileges and access sensitive data.
Once the attacker has the service account token, they can enumerate resources within the tenant project using tools like gcpwn to check which permissions it carries. Notable permissions include full access to Compute Engine disks and write access to Pub/Sub topics. With these permissions, the attacker can list and read resources, take snapshots of the disks and copy those snapshots to a project they control. This could reveal crucial information about the internal workings of the tenant project and expose further vulnerabilities.