```bash
# Enable admin
gcloud services enable admin.googleapis.com
gcloud services enable cloudidentity.googleapis.com

# Using admin.googleapis.com
## List all users
gcloud organizations list # The DIRECTORY_CUSTOMER_ID is the Workspace ID
gcloud beta identity groups preview --customer <workspace-id>

# Using cloudidentity.googleapis.com
## List groups of a user (you can list at least the groups you belong to)
gcloud identity groups memberships search-transitive-groups --member-email <email> --labels=cloudidentity.googleapis.com/groups.discussion_forum

## List Group Members (you can list at least the groups you belong to)
gcloud identity groups memberships list --group-email=<email>

### Make it transitive
gcloud identity groups memberships search-transitive-memberships --group-email=<email>

## Get a graph (if you have enough permissions)
gcloud identity groups memberships get-membership-graph --member-email=<email> --labels=cloudidentity.googleapis.com/groups.discussion_forum
```
```bash
# Roles
## List roles
gcloud iam roles list --project $PROJECT_ID # List only custom roles
gcloud iam roles list --filter='etag:AA=='

## Get perms and description of role
gcloud iam roles describe roles/container.admin
gcloud iam roles describe --project <proj-name> <role-name>

# Policies
gcloud organizations get-iam-policy <org_id>
gcloud resource-manager folders get-iam-policy <folder-id>
gcloud projects get-iam-policy <project-id>

# MISC
## Testable permissions in resource
gcloud iam list-testable-permissions --filter "NOT apiDisabled: true" <resource>

## Grantable roles to a resource
gcloud iam list-grantable-roles <projectURL>
```
## cloudasset IAM Enumeration
This service offers several ways to check all the permissions a user holds across different resources (organizations, folders, projects, etc.).

The permission `cloudasset.assets.searchAllIamPolicies` allows requesting all the IAM policies within a resource.
```bash
gcloud asset search-all-iam-policies # By default uses current configured project
gcloud asset search-all-iam-policies --scope folders/1234567
gcloud asset search-all-iam-policies --scope organizations/123456
gcloud asset search-all-iam-policies --scope projects/project-id-123123
```
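As an added example (not part of the original page), a small Python script that post-processes the JSON output of `gcloud asset search-all-iam-policies --format=json` into a per-principal view and flags the bindings a reviewer should look at first (public principals, basic roles). The embedded sample is constructed to mimic that output shape: the field names `resource`, `policy` and `bindings` follow the Cloud Asset API, while the project, bucket and principals are made up.

```python
import json
from collections import defaultdict

# Constructed sample shaped like `gcloud asset search-all-iam-policies --format=json`
# output (one entry per resource that carries an IAM policy); not real data.
SAMPLE_JSON = """[
  {"assetType": "cloudresourcemanager.googleapis.com/Project",
   "resource": "//cloudresourcemanager.googleapis.com/projects/demo-project",
   "policy": {"bindings": [
     {"role": "roles/owner", "members": ["user:alice@example.com"]},
     {"role": "roles/viewer", "members": ["group:auditors@example.com", "allAuthenticatedUsers"]}]}},
  {"assetType": "storage.googleapis.com/Bucket",
   "resource": "//storage.googleapis.com/projects/_/buckets/demo-bucket",
   "policy": {"bindings": [
     {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
     {"role": "roles/storage.admin",
      "members": ["serviceAccount:ci@demo-project.iam.gserviceaccount.com"]}]}}
]"""
RESULTS = json.loads(SAMPLE_JSON)

BASIC_ROLES = {"roles/owner", "roles/editor"}          # broad, legacy "basic" roles
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}  # anyone / any Google account

def flatten_bindings(results):
    """Turn the nested policy output into flat (member, role, resource) triples."""
    triples = []
    for entry in results:
        resource = entry.get("resource", "")
        for binding in entry.get("policy", {}).get("bindings", []):
            for member in binding.get("members", []):
                triples.append((member, binding["role"], resource))
    return triples

def grants_by_member(results):
    """Map each principal to the set of (role, resource) pairs it holds."""
    grants = defaultdict(set)
    for member, role, resource in flatten_bindings(results):
        grants[member].add((role, resource))
    return dict(grants)

def risky_bindings(results):
    """Bindings a reviewer should look at first: public principals or basic roles."""
    return [t for t in flatten_bindings(results)
            if t[0] in PUBLIC_MEMBERS or t[1] in BASIC_ROLES]

if __name__ == "__main__":
    for member, role, resource in risky_bindings(RESULTS):
        print(f"{member:40} {role:30} {resource}")
```

Pipe real output into `RESULTS` (for example `json.load(open("policies.json"))`) and the same functions give a per-principal inventory for the scope you queried.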
The permission `cloudasset.assets.analyzeIamPolicy` allows requesting all the IAM policies of a given principal within a resource.
```bash
# Needs perm "cloudasset.assets.analyzeIamPolicy" over the asset
gcloud asset analyze-iam-policy --organization=<org-id> \
  --identity='user:email@hacktricks.xyz'
gcloud asset analyze-iam-policy --folder=<folder-id> \
  --identity='user:email@hacktricks.xyz'
gcloud asset analyze-iam-policy --project=<project-name> \
  --identity='user:email@hacktricks.xyz'
```
The permission `cloudasset.assets.searchAllResources` allows listing all the resources of an organization, folder or project, including IAM-related resources (such as roles).
```bash
# But, when running something like this
gcloud asset query --project=<proj> --statement='SELECT * FROM compute_googleapis_com_Instance'
# I get the error
ERROR: (gcloud.asset.query) UNAUTHENTICATED: QueryAssets API is only supported for SCC premium customers. See https://cloud.google.com/security-command-center/pricing
```