```bash
# Enable admin
gcloud services enable admin.googleapis.com
gcloud services enable cloudidentity.googleapis.com

# Using admin.googleapis.com
## List all users
gcloud organizations list
# The DIRECTORY_CUSTOMER_ID is the Workspace ID
gcloud beta identity groups preview --customer <workspace-id>

# Using cloudidentity.googleapis.com
## List groups of a user (you can list at least the groups you belong to)
gcloud identity groups memberships search-transitive-groups --member-email <email> --labels=cloudidentity.googleapis.com/groups.discussion_forum

## List Group Members (you can list at least the groups you belong to)
gcloud identity groups memberships list --group-email=<email>
### Make it transitive
gcloud identity groups memberships search-transitive-memberships --group-email=<email>
## Get a graph (if you have enough permissions)
gcloud identity groups memberships get-membership-graph --member-email=<email> --labels=cloudidentity.googleapis.com/groups.discussion_forum
```
In most services you can change the permissions of a resource with the methods **add-iam-policy-binding** or **set-iam-policy**. The main difference is that **add-iam-policy-binding adds a new role binding to the existing IAM policy**, while **set-iam-policy removes the previously granted permissions and sets only** the ones specified in the command.
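The add-vs-set difference is easy to get wrong from a policy file, so here is an added example (not code from the page or from Google) that models both operations on a policy in the JSON shape `gcloud projects get-iam-policy <project-id> --format=json` returns, and computes which grants a `set-iam-policy` would silently revoke. The policy contents, the member names and the function names are constructed for the example.

```python
import copy
import json
import sys

# Constructed sample policy in the shape returned by
# `gcloud projects get-iam-policy <project-id> --format=json` (not taken from the page).
CURRENT_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/viewer",
         "members": ["group:auditors@example.com", "user:bob@example.com"]},
    ],
    "etag": "BwXconstructedEtag=",
    "version": 1,
}


def add_iam_policy_binding(policy, role, member):
    """Model `add-iam-policy-binding`: merge one member into the existing policy,
    keeping every binding that was already there."""
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        # Unconditional bindings for the same role are merged into one entry.
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def set_iam_policy(policy, new_policy):
    """Model `set-iam-policy`: the supplied policy replaces the old one wholesale;
    nothing from the previous policy survives unless the file repeats it."""
    return copy.deepcopy(new_policy)


def flatten(policy):
    """Set of (role, member) pairs granted by a policy."""
    return {(b["role"], m)
            for b in policy.get("bindings", [])
            for m in b.get("members", [])}


def grants_lost(old, new):
    """(role, member) pairs present in `old` but missing from `new`:
    exactly what a set-iam-policy with `new` would revoke."""
    return sorted(flatten(old) - flatten(new))


def grants_gained(old, new):
    """(role, member) pairs that `new` adds on top of `old`."""
    return sorted(flatten(new) - flatten(old))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # python3 iam_policy_diff.py current.json proposed.json (both from --format=json)
        old, proposed = (json.load(open(p)) for p in sys.argv[1:3])
    else:
        old = CURRENT_POLICY
        # A "new" policy file that only lists the binding the author meant to add.
        proposed = {"bindings": [{"role": "roles/viewer",
                                  "members": ["user:carol@example.com"]}],
                    "etag": old["etag"], "version": 1}
        print("add-iam-policy-binding would revoke:",
              grants_lost(old, add_iam_policy_binding(old, "roles/viewer",
                                                      "user:carol@example.com")))
    print("set-iam-policy would revoke:", grants_lost(old, set_iam_policy(old, proposed)))
    print("set-iam-policy would grant:", grants_gained(old, set_iam_policy(old, proposed)))
```

Run it with the current policy (from `get-iam-policy --format=json`) and the file you intend to pass to `set-iam-policy` to see the revocations before applying; an empty "would revoke" list is the expected result when the file was derived from the live policy.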
Enumeration
```bash
# Roles
## List roles
gcloud iam roles list --project $PROJECT_ID # List only custom roles
gcloud iam roles list --filter='etag:AA=='

## Get perms and description of role
gcloud iam roles describe roles/container.admin
gcloud iam roles describe --project <proj-name> <role-name>

# Policies
gcloud organizations get-iam-policy <org_id>
gcloud resource-manager folders get-iam-policy <folder-id>
gcloud projects get-iam-policy <project-id>

# MISC
## Testable permissions in resource
gcloud iam list-testable-permissions --filter "NOT apiDisabled: true" <resource>
## Grantable roles to a resource
gcloud iam list-grantable-roles <projectURL>
```
```bash
gcloud asset search-all-iam-policies # By default uses current configured project
gcloud asset search-all-iam-policies --scope folders/1234567
gcloud asset search-all-iam-policies --scope organizations/123456
gcloud asset search-all-iam-policies --scope projects/project-id-123123
```
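The raw output of `search-all-iam-policies` is one policy per resource, which is hard to review by hand. The following added example (not code from the page or from Google) turns a `--format=json` result into a per-member inventory and flags the bindings an IAM review looks at first: public members, the basic owner/editor roles, and roles that let a member act as a service account. The result list, resource names and members are constructed to match the `resource` / `assetType` / `policy` fields of the real output; the function names are the example's own.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of
# `gcloud asset search-all-iam-policies --scope projects/<id> --format=json`
# (not taken from the page; resource names and members are made up).
SAMPLE_RESULTS = json.loads("""
[
  {"resource": "//cloudresourcemanager.googleapis.com/projects/demo-proj",
   "assetType": "cloudresourcemanager.googleapis.com/Project",
   "project": "projects/123456789",
   "policy": {"bindings": [
     {"role": "roles/owner", "members": ["user:admin@example.com"]},
     {"role": "roles/editor",
      "members": ["serviceAccount:ci@demo-proj.iam.gserviceaccount.com"]}]}},
  {"resource": "//storage.googleapis.com/projects/_/buckets/demo-public",
   "assetType": "storage.googleapis.com/Bucket",
   "project": "projects/123456789",
   "policy": {"bindings": [
     {"role": "roles/storage.objectViewer", "members": ["allUsers"]}]}},
  {"resource": "//iam.googleapis.com/projects/demo-proj/serviceAccounts/ci@demo-proj.iam.gserviceaccount.com",
   "assetType": "iam.googleapis.com/ServiceAccount",
   "project": "projects/123456789",
   "policy": {"bindings": [
     {"role": "roles/iam.serviceAccountTokenCreator", "members": ["user:bob@example.com"]}]}}
]
""")

PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Roles that let the member obtain credentials for, or run code as, a service account.
IMPERSONATION_ROLES = {"roles/iam.serviceAccountTokenCreator",
                       "roles/iam.serviceAccountUser"}


def flatten_results(results):
    """One (resource, role, member) row per grant, in result order."""
    rows = []
    for result in results:
        for binding in result.get("policy", {}).get("bindings", []):
            for member in binding.get("members", []):
                rows.append((result["resource"], binding["role"], member))
    return rows


def member_inventory(results):
    """member -> sorted list of (resource, role): the 'who can do what, where' view."""
    inventory = defaultdict(set)
    for resource, role, member in flatten_results(results):
        inventory[member].add((resource, role))
    return {member: sorted(grants) for member, grants in inventory.items()}


def risky_bindings(results):
    """Tag the grants a reviewer looks at first; each row gets at most one tag."""
    findings = []
    for resource, role, member in flatten_results(results):
        if member in PUBLIC_MEMBERS:
            findings.append(("public", resource, role, member))
        elif role in PRIMITIVE_ROLES:
            findings.append(("basic-role", resource, role, member))
        elif role in IMPERSONATION_ROLES:
            findings.append(("sa-impersonation", resource, role, member))
    return findings


if __name__ == "__main__":
    import sys
    # Pipe real output in, or run without input to use the constructed sample.
    results = SAMPLE_RESULTS if sys.stdin.isatty() else json.load(sys.stdin)
    for member, grants in sorted(member_inventory(results).items()):
        print(member)
        for resource, role in grants:
            print(f"  {role:45} {resource}")
    print("\nfindings:")
    for finding in risky_bindings(results):
        print(" ", *finding)
```

Usage against a live scope: `gcloud asset search-all-iam-policies --scope projects/<id> --format=json | python3 iam_inventory.py`. The same scopes shown above for folders and organizations work unchanged, since the script only reads the `resource` and `policy` fields of each result.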
The permission cloudasset.assets.analyzeIamPolicy makes it possible to request all the IAM policies that apply to a specific principal within a resource.
```bash
# Needs perm "cloudasset.assets.analyzeIamPolicy" over the asset
gcloud asset analyze-iam-policy --organization=<org-id> \
    --identity='user:email@hacktricks.xyz'
gcloud asset analyze-iam-policy --folder=<folder-id> \
    --identity='user:email@hacktricks.xyz'
gcloud asset analyze-iam-policy --project=<project-name> \
    --identity='user:email@hacktricks.xyz'
```
The permission cloudasset.assets.searchAllResources allows listing all the resources of an organization, folder or project, including IAM-related resources (such as roles).
```bash
# But, when running something like this
gcloud asset query --project=<proj> --statement='SELECT * FROM compute_googleapis_com_Instance'
# I get the error
ERROR: (gcloud.asset.query) UNAUTHENTICATED: QueryAssets API is only supported for SCC premium customers. See https://cloud.google.com/security-command-center/pricing
```