HackTricks Cloud
HackTricks Cloud
Ask or search…
⌃K
Links
Comment on page

GCP - Permissions for a Pentest

If you want to pentest a GCP environment you need to ask for enough permissions to check all or most of the services used in GCP. Ideally, you should ask the client to create:
  • Create a new project
  • Create a Service Account inside that project (get json credentials)
  • Give the Service account the permissions mentioned later in this post over the ORGANIZATION
  • Enable the APIs mentioned later in this post in the created project
Set of permissions to use the tools proposed later:
roles/bigquery.metadataViewer
roles/composer.user
roles/compute.viewer
roles/container.clusterViewer
roles/iam.securityReviewer
roles/resourcemanager.folderViewer
roles/resourcemanager.organizationViewer
roles/resourcemanager.tagViewer
roles/secretmanager.viewer
roles/serviceusage.serviceUsageConsumer
​
# The following one can only be assigned if a service account is created
roles/websecurityscanner.serviceAgent
​
# The role roles/serviceusage.serviceUsageConsumer is needed to use gcloud asset
APIs to enable (from starbase):
gcloud services enable \
serviceusage.googleapis.com \
cloudfunctions.googleapis.com \
storage.googleapis.com \
iam.googleapis.com \
cloudresourcemanager.googleapis.com \
compute.googleapis.com \
cloudkms.googleapis.com \
sqladmin.googleapis.com \
bigquery.googleapis.com \
container.googleapis.com \
dns.googleapis.com \
logging.googleapis.com \
monitoring.googleapis.com \
binaryauthorization.googleapis.com \
pubsub.googleapis.com \
appengine.googleapis.com \
run.googleapis.com \
redis.googleapis.com \
memcache.googleapis.com \
apigateway.googleapis.com \
spanner.googleapis.com \
privateca.googleapis.com \
cloudasset.googleapis.com \
accesscontextmanager.googleapis.com

Individual tools permissions

​PurplePanda​

From https://github.com/carlospolop/PurplePanda/tree/master/intel/google#permissions-configuration
​
roles/bigquery.metadataViewer
roles/composer.user
roles/compute.viewer
roles/container.clusterViewer
roles/iam.securityReviewer
roles/resourcemanager.folderViewer
roles/resourcemanager.organizationViewer
roles/secretmanager.viewer

​ScoutSuite​

From https://github.com/nccgroup/ScoutSuite/wiki/Google-Cloud-Platform#permissions
​
roles/Viewer
roles/iam.securityReviewer
roles/stackdriver.accounts.viewer

​CloudSploit​

From https://github.com/aquasecurity/cloudsploit/blob/master/docs/gcp.md#cloud-provider-configuration
​
includedPermissions:
- cloudasset.assets.listResource
- cloudkms.cryptoKeys.list
- cloudkms.keyRings.list
- cloudsql.instances.list
- cloudsql.users.list
- compute.autoscalers.list
- compute.backendServices.list
- compute.disks.list
- compute.firewalls.list
- compute.healthChecks.list
- compute.instanceGroups.list
- compute.instances.getIamPolicy
- compute.instances.list
- compute.networks.list
- compute.projects.get
- compute.securityPolicies.list
- compute.subnetworks.list
- compute.targetHttpProxies.list
- container.clusters.list
- dns.managedZones.list
- iam.serviceAccountKeys.list
- iam.serviceAccounts.list
- logging.logMetrics.list
- logging.sinks.list
- monitoring.alertPolicies.list
- resourcemanager.folders.get
- resourcemanager.folders.getIamPolicy
- resourcemanager.folders.list
- resourcemanager.hierarchyNodes.listTagBindings
- resourcemanager.organizations.get
- resourcemanager.organizations.getIamPolicy
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
- resourcemanager.resourceTagBindings.list
- resourcemanager.tagKeys.get
- resourcemanager.tagKeys.getIamPolicy
- resourcemanager.tagKeys.list
- resourcemanager.tagValues.get
- resourcemanager.tagValues.getIamPolicy
- resourcemanager.tagValues.list
- storage.buckets.getIamPolicy
- storage.buckets.list

​Cartography​

From https://lyft.github.io/cartography/modules/gcp/config.html
​
roles/iam.securityReviewer
roles/resourcemanager.organizationViewer
roles/resourcemanager.folderViewer

​Starbase​

From https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md
​
roles/iam.securityReviewer
roles/iam.organizationRoleViewer
roles/bigquery.metadataViewer