# GCP - Permissions for a Pentest

If you want to pentest a GCP environment you need to ask for enough permissions to **check all or most of the services** used in **GCP**. Ideally, you should ask the client to:

* **Create** a new **project**
* **Create** a **Service Account** inside that project (get the **JSON credentials**) or create a **new user**
* **Give** the **Service Account** or the **user** the **roles** mentioned later over the ORGANIZATION
* **Enable** the **APIs** mentioned later in this post in the created project

**Set of permissions** to use the tools proposed later:

```bash
roles/viewer
roles/resourcemanager.folderViewer
roles/resourcemanager.organizationViewer
```

APIs to enable (from Starbase):

```
gcloud services enable \
  serviceusage.googleapis.com \
  cloudfunctions.googleapis.com \
  storage.googleapis.com \
  iam.googleapis.com \
  cloudresourcemanager.googleapis.com \
  compute.googleapis.com \
  cloudkms.googleapis.com \
  sqladmin.googleapis.com \
  bigquery.googleapis.com \
  container.googleapis.com \
  dns.googleapis.com \
  logging.googleapis.com \
  monitoring.googleapis.com \
  binaryauthorization.googleapis.com \
  pubsub.googleapis.com \
  appengine.googleapis.com \
  run.googleapis.com \
  redis.googleapis.com \
  memcache.googleapis.com \
  apigateway.googleapis.com \
  spanner.googleapis.com \
  privateca.googleapis.com \
  cloudasset.googleapis.com \
  accesscontextmanager.googleapis.com
```

## Individual tools permissions

### [PurplePanda](https://github.com/carlospolop/PurplePanda/tree/master/intel/google)

```
From https://github.com/carlospolop/PurplePanda/tree/master/intel/google#permissions-configuration

roles/bigquery.metadataViewer
roles/composer.user
roles/compute.viewer
roles/container.clusterViewer
roles/iam.securityReviewer
roles/resourcemanager.folderViewer
roles/resourcemanager.organizationViewer
roles/secretmanager.viewer
```

### [ScoutSuite](https://github.com/nccgroup/ScoutSuite/wiki/Google-Cloud-Platform#permissions)

```
From https://github.com/nccgroup/ScoutSuite/wiki/Google-Cloud-Platform#permissions

roles/Viewer
roles/iam.securityReviewer
roles/stackdriver.accounts.viewer
```

### [CloudSploit](https://github.com/aquasecurity/cloudsploit/blob/master/docs/gcp.md#cloud-provider-configuration)

```
From https://github.com/aquasecurity/cloudsploit/blob/master/docs/gcp.md#cloud-provider-configuration

includedPermissions:
  - cloudasset.assets.listResource
  - cloudkms.cryptoKeys.list
  - cloudkms.keyRings.list
  - cloudsql.instances.list
  - cloudsql.users.list
  - compute.autoscalers.list
  - compute.backendServices.list
  - compute.disks.list
  - compute.firewalls.list
  - compute.healthChecks.list
  - compute.instanceGroups.list
  - compute.instances.getIamPolicy
  - compute.instances.list
  - compute.networks.list
  - compute.projects.get
  - compute.securityPolicies.list
  - compute.subnetworks.list
  - compute.targetHttpProxies.list
  - container.clusters.list
  - dns.managedZones.list
  - iam.serviceAccountKeys.list
  - iam.serviceAccounts.list
  - logging.logMetrics.list
  - logging.sinks.list
  - monitoring.alertPolicies.list
  - resourcemanager.folders.get
  - resourcemanager.folders.getIamPolicy
  - resourcemanager.folders.list
  - resourcemanager.hierarchyNodes.listTagBindings
  - resourcemanager.organizations.get
  - resourcemanager.organizations.getIamPolicy
  - resourcemanager.projects.get
  - resourcemanager.projects.getIamPolicy
  - resourcemanager.projects.list
  - resourcemanager.resourceTagBindings.list
  - resourcemanager.tagKeys.get
  - resourcemanager.tagKeys.getIamPolicy
  - resourcemanager.tagKeys.list
  - resourcemanager.tagValues.get
  - resourcemanager.tagValues.getIamPolicy
  - resourcemanager.tagValues.list
  - storage.buckets.getIamPolicy
  - storage.buckets.list
```

### [Cartography](https://lyft.github.io/cartography/modules/gcp/config.html)

```
From https://lyft.github.io/cartography/modules/gcp/config.html

roles/iam.securityReviewer
roles/resourcemanager.organizationViewer
roles/resourcemanager.folderViewer
```

### [Starbase](https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md)

```
From https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md

roles/iam.securityReviewer
roles/iam.organizationRoleViewer
roles/bigquery.metadataViewer
```
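The four setup steps at the top of the page (project, service account, org-level roles, APIs) as one gcloud script the client can run, added here as an example and not code from the page or any of the tools listed. It assumes the caller already has Organization Admin rights, and the org id, project id and service-account name are placeholders passed as arguments.

```shell
#!/bin/sh
# Added example, not part of the original page: runs the four setup steps
# above with gcloud. ORG_ID, PROJECT_ID and the service-account name are
# placeholders supplied by the caller.
set -eu

# Roles from the page, bound at ORGANIZATION level (all read-only).
PENTEST_ROLES="roles/viewer roles/resourcemanager.folderViewer roles/resourcemanager.organizationViewer"

# APIs from the page, enabled in the new pentest project only.
PENTEST_APIS="serviceusage.googleapis.com cloudfunctions.googleapis.com storage.googleapis.com \
iam.googleapis.com cloudresourcemanager.googleapis.com compute.googleapis.com cloudkms.googleapis.com \
sqladmin.googleapis.com bigquery.googleapis.com container.googleapis.com dns.googleapis.com \
logging.googleapis.com monitoring.googleapis.com binaryauthorization.googleapis.com pubsub.googleapis.com \
appengine.googleapis.com run.googleapis.com redis.googleapis.com memcache.googleapis.com \
apigateway.googleapis.com spanner.googleapis.com privateca.googleapis.com cloudasset.googleapis.com \
accesscontextmanager.googleapis.com"

# E-mail gcloud assigns to a service account: NAME@PROJECT.iam.gserviceaccount.com
sa_email() { printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"; }

# Steps 1 and 2: a fresh project under the org and a service account inside it.
create_project_and_sa() {
  gcloud projects create "$2" --organization="$1"
  gcloud iam service-accounts create "$3" --project="$2" --display-name="External pentest (read-only)"
}

# Step 3: bind each role on the ORGANIZATION so every folder and project is visible.
grant_org_roles() {
  for role in $PENTEST_ROLES; do
    gcloud organizations add-iam-policy-binding "$1" --member="serviceAccount:$2" --role="$role" --condition=None
  done
}

# Step 4: enable the APIs the tools query; $PENTEST_APIS is word-split on purpose.
enable_apis() { gcloud services enable $PENTEST_APIS --project="$1"; }

# Runs all four steps and writes the JSON key handed to the tester.
# The key is a long-lived credential: delete it (and the SA) when the engagement ends.
setup_pentest_access() {
  org_id=$1; project_id=$2; sa_name=$3; key_file=${4:-pentest-sa.json}
  create_project_and_sa "$org_id" "$project_id" "$sa_name"
  email=$(sa_email "$sa_name" "$project_id")
  grant_org_roles "$org_id" "$email"
  enable_apis "$project_id"
  gcloud iam service-accounts keys create "$key_file" --iam-account="$email" --project="$project_id"
  echo "$email"   # identity to put in the tools' config
}
```

Run it as `setup_pentest_access <ORG_ID> <PROJECT_ID> <SA_NAME> [key-file]`; the roles it grants are the read-only set above, so nothing here lets the tester modify resources.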