GCP - Permissions for a Pentest

If you want to pentest a GCP environment you need to ask for enough permissions to check all or most of the services used in GCP. Ideally, you should ask the client to create:

Create a new project
Create a Service Account inside that project (get json credentials) or create a new user.
Give the Service account or the user the roles mentioned later over the ORGANIZATION
Enable the APIs mentioned later in this post in the created project

Set of permissions to use the tools proposed later:

roles/viewer
roles/resourcemanager.folderViewer
roles/resourcemanager.organizationViewer

APIs to enable (from starbase):

gcloud services enable \
  serviceusage.googleapis.com \
  cloudfunctions.googleapis.com \
  storage.googleapis.com \
  iam.googleapis.com \
  cloudresourcemanager.googleapis.com \
  compute.googleapis.com \
  cloudkms.googleapis.com \
  sqladmin.googleapis.com \
  bigquery.googleapis.com \
  container.googleapis.com \
  dns.googleapis.com \
  logging.googleapis.com \
  monitoring.googleapis.com \
  binaryauthorization.googleapis.com \
  pubsub.googleapis.com \
  appengine.googleapis.com \
  run.googleapis.com \
  redis.googleapis.com \
  memcache.googleapis.com \
  apigateway.googleapis.com \
  spanner.googleapis.com \
  privateca.googleapis.com \
  cloudasset.googleapis.com \
  accesscontextmanager.googleapis.com

Individual tools permissions

PurplePanda

From https://github.com/carlospolop/PurplePanda/tree/master/intel/google#permissions-configuration

roles/bigquery.metadataViewer
roles/composer.user
roles/compute.viewer
roles/container.clusterViewer
roles/iam.securityReviewer
roles/resourcemanager.folderViewer
roles/resourcemanager.organizationViewer
roles/secretmanager.viewer

ScoutSuite

From https://github.com/nccgroup/ScoutSuite/wiki/Google-Cloud-Platform#permissions

roles/Viewer
roles/iam.securityReviewer
roles/stackdriver.accounts.viewer

CloudSploit

From https://github.com/aquasecurity/cloudsploit/blob/master/docs/gcp.md#cloud-provider-configuration

includedPermissions:
  - cloudasset.assets.listResource
  - cloudkms.cryptoKeys.list
  - cloudkms.keyRings.list
  - cloudsql.instances.list
  - cloudsql.users.list
  - compute.autoscalers.list
  - compute.backendServices.list
  - compute.disks.list
  - compute.firewalls.list
  - compute.healthChecks.list
  - compute.instanceGroups.list
  - compute.instances.getIamPolicy
  - compute.instances.list
  - compute.networks.list
  - compute.projects.get
  - compute.securityPolicies.list
  - compute.subnetworks.list
  - compute.targetHttpProxies.list
  - container.clusters.list
  - dns.managedZones.list
  - iam.serviceAccountKeys.list
  - iam.serviceAccounts.list
  - logging.logMetrics.list
  - logging.sinks.list
  - monitoring.alertPolicies.list
  - resourcemanager.folders.get
  - resourcemanager.folders.getIamPolicy
  - resourcemanager.folders.list
  - resourcemanager.hierarchyNodes.listTagBindings
  - resourcemanager.organizations.get
  - resourcemanager.organizations.getIamPolicy
  - resourcemanager.projects.get
  - resourcemanager.projects.getIamPolicy
  - resourcemanager.projects.list
  - resourcemanager.resourceTagBindings.list
  - resourcemanager.tagKeys.get
  - resourcemanager.tagKeys.getIamPolicy
  - resourcemanager.tagKeys.list
  - resourcemanager.tagValues.get
  - resourcemanager.tagValues.getIamPolicy
  - resourcemanager.tagValues.list
  - storage.buckets.getIamPolicy
  - storage.buckets.list

Cartography

From https://lyft.github.io/cartography/modules/gcp/config.html

roles/iam.securityReviewer
roles/resourcemanager.organizationViewer
roles/resourcemanager.folderViewer

Starbase

From https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md

roles/iam.securityReviewer
roles/iam.organizationRoleViewer
roles/bigquery.metadataViewer

PreviousGCP - Federation Abuse NextGCP - Post Exploitation

Last updated 5 months ago