Comment on page
GCP - IAM, Ppals & Org Policies Enum

Support HackTricks and get benefits!
If you want to see your company advertised in HackTricks or if you want access to the latest version of the PEASS or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag​
Discover The PEASS Family, our collection of exclusive NFTs​
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Service Accounts
For an intro about what is a service account check:
GCP - Basic Information
Enumeration
A service account always belongs to a project:
gcloud iam service-accounts list --project <project>
Users & Groups
For an intro about how Users & Groups work in GCP check:
GCP - Basic Information
Enumeration
With the permissions serviceusage.services.enable and serviceusage.services.useit's possible to enable services in a project and use them.
If you can enable the admin service and if your user has enough privileges in workspace, you could enumerate all groups & users with the following lines.
Even if it says identity groups, it also returns users without any groups:
# Enable admin
gcloud services enable admin.googleapis.com
# List all users & groups
gcloud organizations list #The DIRECTORY_CUSTOMER_ID is the Workspace ID
gcloud beta identity groups preview --customer <workspace-id>
## Group Members
gcloud identity groups memberships search-transitive-memberships --group-email=[email protected]
Even with the admin service enable, it's possible that you get an error enumerating them because your compromised workspace user doesn't have enough permissions:
If you can enable the service cloudidentity.googleapli.com if disabled, you could use it to enumerate groups (like it's done in PurplePanda in here):
gcloud services enable cloudidentity.googleapis.com
IAM
Check this for basic information about IAM.
Default Permissions
From the docs: When an organization resource is created, all users in your domain are granted the Billing Account Creator and Project Creator roles by default. These default roles allow your users to start using Google Cloud immediately, but are not intended for use in regular operation of your organization resource.
These roles grant the permissions:
billing.accounts.create and resourcemanager.organizations.get
resourcemanager.organizations.get and resourcemanager.projects.create
The higest privilege in a GCP Organization is the Organization Administrator role.
Enumeration
# Roles
## List roles
gcloud iam roles list --project $PROJECT_ID # List only custom roles
gcloud iam roles list --filter='etag:AA=='
​
## Get permis and description of role
gcloud iam roles describe roles/container.admin
gcloud iam roles describe --project <proj-name> <role-name>
​
# Policies
gcloud organizations get-iam-policy <org_id>
gcloud resource-manager folders get-iam-policy <folder-id>
gcloud projects get-iam-policy <project-id>
​
# MISC
## Testable permissions in resource
gcloud iam list-testable-permissions --filter "NOT apiDisabled: true" <resource>
## Grantable roles to a resource
gcloud iam list-grantable-roles <project URL>
Enumeration via cloudasset
There are different ways to check all the permissions of a user in different resources (such as organizations, folders, projects...) using this service.
The permission cloudasset.assets.searchAllIamPolicies can request all the iam policies inside a resource.
gcloud asset search-all-iam-policies #By default uses current configured folder
gcloud asset search-all-iam-policies --scope folders/1234567
gcloud asset search-all-iam-policies --scope organizations/123456
The permission cloudasset.assets.analyzeIamPolicy can request all the iam policies of a principal inside a resource.
# Needs perm "cloudasset.assets.analyzeIamPolicy" over the asset
gcloud asset analyze-iam-policy --organization=<org-id> \
            --identity='user:[email protected]'
gcloud asset analyze-iam-policy --folder=<folder-id> \
            --identity='user:[email protected]'
gcloud asset analyze-iam-policy --project=<project-name> \
            --identity='user:[email protected]'
The permission cloudasset.assets.searchAllResources allows listing all resources of an organization, folder, or project. IAM related resources (like roles) included.
gcloud asset search-all-resources --scope projects/<proj-name>
gcloud asset search-all-resources --scope folders/1234567
gcloud asset search-all-resources --scope organizations/123456
The permission cloudasset.assets.analyzeMove but be useful to also retrieve policies affecting a resource like a project
gcloud asset analyze-move --project=<proj-name> \
          --destination-organization=609216679593
I suppose the permission cloudasset.assets.queryIamPolicy could also give access to find permissions of principals
# But, when running something like this
gcloud asset query --project=<proj> --statement='SELECT * FROM compute_googleapis_com_Instance'
# I get the error
ERROR: (gcloud.asset.query) UNAUTHENTICATED: QueryAssets API is only supported for SCC premium customers. See https://cloud.google.com/security-command-center/pricing
If you cannot access IAM information using the previous methods and you are in a Red Team. You could use the tool https://github.com/carlospolop/my_gcp_perms to brute-force your current permissions.
Privesc
In the following page you can check how to abuse IAM permissions to escalate privileges:
GCP - IAM Privesc
Service account impersonation
Impersonating a service account can be very useful to obtain new and better privileges.
There are three ways in which you can impersonate another service account:
Authentication using RSA private keys (covered above)
Authorization using Cloud IAM policies (covered here)
Deploying jobs on GCP services (more applicable to the compromise of a user account)
Granting access to management console
Access to the GCP management console is provided to user accounts, not service accounts. To log in to the web interface, you can grant access to a Google account that you control. This can be a generic "@gmail.com" account, it does not have to be a member of the target organization.
To grant the primitive role of Owner to a generic "@gmail.com" account, though, you'll need to use the web console. gcloud will error out if you try to grant it a permission above Editor.
You can use the following command to grant a user the primitive role of Editor to your existing project:
gcloud projects add-iam-policy-binding [PROJECT] --member user:[EMAIL] --role roles/editor
If you succeeded here, try accessing the web interface and exploring from there.
This is the highest level you can assign using the gcloud tool.
Org Policies
For an intro about what Org Policies are check:
GCP - Basic Information
The IAM policies indicate the permissions principals has over resources via roles, which are assigned granular permissions. Organization policies restrict how those services can be used or which features are disabled. This helps in order to improve the least privilege of each resource in the GCP environment.
gcloud resource-manager org-policies list --organization=ORGANIZATION_ID
gcloud resource-manager org-policies list --folder=FOLDER_ID
gcloud resource-manager org-policies list --project=PROJECT_ID
Privesc
In the following page you can check how to abuse org policies permissions to escalate privileges:
GCP - Orgpolicy Privesc
Support HackTricks and get benefits!
If you want to see your company advertised in HackTricks or if you want access to the latest version of the PEASS or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag​
Discover The PEASS Family, our collection of exclusive NFTs​
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
GCP - Filestore Enum
GCP - KMS Manager Enum
Last modified 8mo ago