Generic Interesting Permissions

*.setIamPolicy

If you owns a user that has the setIamPolicy permission in a resource you can escalate privileges in that resource because you will be able to change the IAM policy of that resource and give you more privileges over it. This permission can also allow to escalate to other principals if the resource allow to execute code and the iam.ServiceAccounts.actAs is not necessary.

• cloudfunctions.functions.setIamPolicy

  • Modify the policy of a Cloud Function to allow yourself to invoke it.

There are tens of resources types with this kind of permission, you can find all of them in https://cloud.google.com/iam/docs/permissions-reference searching for setIamPolicy.

*.create, *.update

These permissions can be very useful to try to escalate privileges in resources by creating a new one or updating a new one. These can of permissions are specially useful if you also has the permission iam.serviceAccounts.actAs over a Service Account and the resource you have .create/.update over can attach a service account.

*ServiceAccount*

This permission will usually let you access or modify a Service Account in some resource (e.g.: compute.instances.setServiceAccount). This could lead to a privilege escalation vector, but it will depend on each case.