# GCP - IAM, Principals & Org Policies Enum
{% hint style="success" %}
Learn & practice AWS Hacking: [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
## Service Accounts
For an intro about what is a service account check:
{% content-ref url="../gcp-basic-information/" %}
[gcp-basic-information](../gcp-basic-information/)
{% endcontent-ref %}
### Enumeration
A service account always belongs to a project:
```bash
gcloud iam service-accounts list --project=PROJECT_ID
```
## Users & Groups
For an intro about how Users & Groups work in GCP check:
{% content-ref url="../gcp-basic-information/" %}
[gcp-basic-information](../gcp-basic-information/)
{% endcontent-ref %}
### Enumeration
With the permissions **`serviceusage.services.enable`** and **`serviceusage.services.use`** it's possible to **enable services** in a project and use them.
{% hint style="danger" %}
Note that by default, Workspace users are granted the role **Project Creator**, giving them access to **create new projects**. When a user creates a project, they are granted the **`owner`** role over it, so they could **enable these services in that project and use them to enumerate Workspace**.
However, notice that it's also needed to have **enough permissions in Workspace** to be able to call these APIs.
{% endhint %}
If you can **enable the `admin` service** and your user has **enough privileges in Workspace**, you can **enumerate all groups & users** with the following lines.\
Even though the command says **`identity groups`**, it also returns **users that belong to no group**:
{% code overflow="wrap" %}
```bash
# Enable the admin and cloudidentity services in the current project
gcloud services enable admin.googleapis.com
gcloud services enable cloudidentity.googleapis.com
# Using admin.googleapis.com
## List all users
gcloud organizations list # The DIRECTORY_CUSTOMER_ID column is the Workspace customer ID
gcloud beta identity groups preview --customer=DIRECTORY_CUSTOMER_ID
# Using cloudidentity.googleapis.com
## List groups of a user (you can list at least the groups you belong to)
gcloud identity groups memberships search-transitive-groups --member-email=USER_EMAIL --labels=cloudidentity.googleapis.com/groups.discussion_forum
## List group members (you can list at least the groups you belong to)
gcloud identity groups memberships list --group-email=GROUP_EMAIL
### Make it transitive (members of nested groups too)
gcloud identity groups memberships search-transitive-memberships --group-email=GROUP_EMAIL
## Get a membership graph (if you have enough permissions)
gcloud identity groups memberships get-membership-graph --member-email=USER_EMAIL --labels=cloudidentity.googleapis.com/groups.discussion_forum
```
{% endcode %}
{% hint style="success" %}
In the previous examples the param `--labels` is required, so a generic value is used (it's not required if you use the API directly, as [**PurplePanda does here**](https://github.com/carlospolop/PurplePanda/blob/master/intel/google/discovery/disc_groups_users.py)).
{% endhint %}
Even with the admin service enabled, you may still get an error when enumerating users and groups because the compromised Workspace user doesn't have enough permissions.
## IAM
Check [**this for basic information about IAM**](../gcp-basic-information/#iam-roles).
### Default Permissions
From the [**docs**](https://cloud.google.com/resource-manager/docs/default-access-control): When an organization resource is created, all users in your domain are granted the **Billing Account Creator** and **Project Creator** roles by default. These default roles allow your users to start using Google Cloud immediately, but are not intended for use in regular operation of your organization resource.
These **roles** grant the **permissions**:
* **Billing Account Creator**: `billing.accounts.create` and `resourcemanager.organizations.get`
* **Project Creator**: `resourcemanager.organizations.get` and `resourcemanager.projects.create`
Moreover, when a user creates a project, they are **automatically granted the owner role on that project** according to the [docs](https://cloud.google.com/resource-manager/docs/access-control-proj). Therefore, by default, a user is able to create a project and run any service on it (miners? Workspace enumeration? ...)
{% hint style="danger" %}
The highest privilege in a GCP Organization is the **Organization Administrator** role.
{% endhint %}
### set-iam-policy vs add-iam-policy-binding
In most services you will be able to change the permissions over a resource using either **`add-iam-policy-binding`** or **`set-iam-policy`**. The main difference is that **`add-iam-policy-binding` adds a new role binding** to the existing IAM policy, while **`set-iam-policy`** **replaces the whole policy**: previously granted bindings that are not in the submitted policy are **deleted**, and only the ones indicated in the command remain.
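The difference matters in practice because a `set-iam-policy` built from a stale or hand-written file silently drops every binding it does not list. The following Python script is an added example (not code from HackTricks or from gcloud) that reproduces both operations on a policy document shaped like the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns; the policy contents and the etag are constructed for the demo.

```python
# Added example: simulates what `add-iam-policy-binding` and `set-iam-policy`
# do to an IAM policy document (JSON shape of `gcloud ... get-iam-policy --format=json`).
import copy
import json

# Constructed sample policy; a real one comes from `gcloud ... get-iam-policy --format=json`.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
    ],
    "etag": "BwXyz123",  # constructed value
    "version": 1,
}


def add_iam_policy_binding(policy, member, role):
    """Mirror of `gcloud ... add-iam-policy-binding`: merge one member into the
    unconditional binding for `role`, leaving every other binding intact."""
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def set_iam_policy(policy, new_policy):
    """Mirror of `gcloud ... set-iam-policy FILE`: the submitted document replaces
    the whole policy, so bindings absent from the file are dropped. If the file
    carries an etag that no longer matches, the API rejects the write (ABORTED),
    which is how a concurrent modification is detected; a file without an etag
    overwrites unconditionally."""
    if new_policy.get("etag") not in (None, policy["etag"]):
        raise ValueError("etag mismatch: policy changed since it was read")
    return copy.deepcopy(new_policy)


def members_by_role(policy):
    """Flatten a policy into {role: sorted members} for easy comparison."""
    return {b["role"]: sorted(b["members"]) for b in policy["bindings"]}


def demo():
    """Apply both operations to the same starting policy and return the results."""
    # add-iam-policy-binding: the existing owner and viewer grants survive.
    added = add_iam_policy_binding(SAMPLE_POLICY, "user:dev@example.com", "roles/editor")
    # set-iam-policy with a file that lists only the new grant: owner and viewer vanish.
    replaced = set_iam_policy(SAMPLE_POLICY, {
        "bindings": [{"role": "roles/editor", "members": ["user:dev@example.com"]}],
        "etag": SAMPLE_POLICY["etag"],
    })
    return members_by_role(added), members_by_role(replaced)


if __name__ == "__main__":
    after_add, after_set = demo()
    print("after add-iam-policy-binding:", json.dumps(after_add, indent=2))
    print("after set-iam-policy:", json.dumps(after_set, indent=2))
```

Compare the two printouts: the `set` result keeps only `roles/editor`. The safe pattern for a full rewrite is get, edit, set with the etag from the get, so that a concurrent change is rejected instead of overwritten.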
### Enumeration
```bash
# Roles
## List roles
gcloud iam roles list --project $PROJECT_ID # List only the custom roles of the project
gcloud iam roles list --filter='etag:AA==' # List predefined roles
## Get perms and description of a role
gcloud iam roles describe roles/container.admin
gcloud iam roles describe CUSTOM_ROLE_ID --project PROJECT_ID
# Policies
gcloud organizations get-iam-policy ORGANIZATION_ID
gcloud resource-manager folders get-iam-policy FOLDER_ID
gcloud projects get-iam-policy PROJECT_ID
# MISC
## Testable permissions in a resource (takes the full resource name)
gcloud iam list-testable-permissions //cloudresourcemanager.googleapis.com/projects/PROJECT_ID --filter "NOT apiDisabled: true"
## Grantable roles to a resource
gcloud iam list-grantable-roles //cloudresourcemanager.googleapis.com/projects/PROJECT_ID
```
### cloudasset IAM Enumeration
There are different ways to check all the permissions of a user in different resources (such as organizations, folders, projects...) using this service.
* The permission **`cloudasset.assets.searchAllIamPolicies`** allows requesting **all the IAM policies** inside a resource.
```bash
gcloud asset search-all-iam-policies # By default uses the currently configured project
gcloud asset search-all-iam-policies --scope folders/1234567
gcloud asset search-all-iam-policies --scope organizations/123456
gcloud asset search-all-iam-policies --scope projects/project-id-123123
```
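The search output is one entry per resource, each with the policy set directly on it, which is unwieldy when the question is "what does this principal hold across the scope". The following Python script is an added example (not code from HackTricks or from gcloud) that collapses the JSON printed by `gcloud asset search-all-iam-policies --scope ... --format=json` into a per-principal view and flags the grants discussed in the Default Permissions section above (org-wide Project Creator and Billing Account Creator, Organization Administrator, primitive roles, public principals). The search results below are constructed for the demo; the role and constraint names are the real ones.

```python
# Added example: per-principal view and review flags over the JSON output of
# `gcloud asset search-all-iam-policies --format=json`. Every result carries one
# resource plus the policy set directly on it, so a grant on a folder or
# organization appears under that ancestor resource, and the union across
# results is what a principal holds inside the scope.
import json
from collections import defaultdict

PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}
# Granted to every domain user on a new organization by default (see the docs quoted above).
DEFAULT_DOMAIN_ROLES = {"roles/resourcemanager.projectCreator", "roles/billing.creator"}
ORG_ADMIN_ROLE = "roles/resourcemanager.organizationAdmin"
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample in the shape of `gcloud asset search-all-iam-policies --format=json`.
SAMPLE_RESULTS_JSON = """
[
  {"assetType": "cloudresourcemanager.googleapis.com/Organization",
   "resource": "//cloudresourcemanager.googleapis.com/organizations/123456",
   "policy": {"bindings": [
     {"role": "roles/resourcemanager.projectCreator", "members": ["domain:example.com"]},
     {"role": "roles/billing.creator", "members": ["domain:example.com"]},
     {"role": "roles/resourcemanager.organizationAdmin", "members": ["user:ceo@example.com"]}]}},
  {"assetType": "cloudresourcemanager.googleapis.com/Project",
   "resource": "//cloudresourcemanager.googleapis.com/projects/prj-a",
   "project": "projects/111",
   "policy": {"bindings": [
     {"role": "roles/owner", "members": ["user:alice@example.com"]},
     {"role": "roles/iam.serviceAccountUser", "members": ["user:bob@example.com"]}]}},
  {"assetType": "storage.googleapis.com/Bucket",
   "resource": "//storage.googleapis.com/projects/_/buckets/public-assets",
   "project": "projects/111",
   "policy": {"bindings": [
     {"role": "roles/storage.objectViewer", "members": ["allUsers"]}]}},
  {"assetType": "iam.googleapis.com/ServiceAccount",
   "resource": "//iam.googleapis.com/projects/prj-a/serviceAccounts/ci@prj-a.iam.gserviceaccount.com",
   "project": "projects/111",
   "policy": {"bindings": [
     {"role": "roles/iam.serviceAccountTokenCreator", "members": ["user:bob@example.com"]}]}}
]
"""


def load_results(text):
    """Parse the JSON list that gcloud prints."""
    return json.loads(text)


def flatten(results):
    """One (principal, role, resource) triple per grant across all results."""
    return [(m, b["role"], r["resource"])
            for r in results
            for b in r.get("policy", {}).get("bindings", [])
            for m in b.get("members", [])]


def grants_by_principal(results):
    """{principal: sorted list of (resource, role)} over the whole scope."""
    grants = defaultdict(set)
    for member, role, resource in flatten(results):
        grants[member].add((resource, role))
    return {m: sorted(g) for m, g in grants.items()}


def holders_of(results, role):
    """Who holds a given role anywhere in the scope, and on which resource."""
    return sorted((m, r) for m, ro, r in flatten(results) if ro == role)


def audit(results):
    """(severity, principal, role, resource, reason) for each grant worth reviewing."""
    findings = []
    for member, role, resource in flatten(results):
        if member in PUBLIC_PRINCIPALS:
            findings.append(("high", member, role, resource, "granted to a public principal"))
        if role == ORG_ADMIN_ROLE:
            findings.append(("high", member, role, resource, "Organization Administrator, the highest privilege in the org"))
        if role in DEFAULT_DOMAIN_ROLES and member.startswith("domain:"):
            findings.append(("medium", member, role, resource, "default grant to the whole domain still in place"))
        if role in PRIMITIVE_ROLES:
            findings.append(("medium", member, role, resource, "primitive role instead of a granular one"))
    return findings


if __name__ == "__main__":
    data = load_results(SAMPLE_RESULTS_JSON)
    for principal, grants in sorted(grants_by_principal(data).items()):
        print(principal)
        for resource, role in grants:
            print(f"  {role} on {resource}")
    for finding in audit(data):
        print("[%s] %s -> %s on %s: %s" % finding)
```

Feed it the real file with `gcloud asset search-all-iam-policies --scope organizations/ORGANIZATION_ID --format=json > policies.json` and `load_results(open("policies.json").read())`; `search-all-iam-policies` only reports bindings set directly on each resource, so a principal's effective access on a project is the union of the project entry and its folder and organization entries, which is exactly what `grants_by_principal` gives you.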
* The permission **`cloudasset.assets.analyzeIamPolicy`** allows requesting **all the IAM policies** that apply to a principal inside a resource.
```bash
# Needs perm "cloudasset.assets.analyzeIamPolicy" over the asset
gcloud asset analyze-iam-policy --organization=ORGANIZATION_ID \
--identity='user:email@hacktricks.xyz'
gcloud asset analyze-iam-policy --folder=FOLDER_ID \
--identity='user:email@hacktricks.xyz'
gcloud asset analyze-iam-policy --project=PROJECT_ID \
--identity='user:email@hacktricks.xyz'
```
* The permission **`cloudasset.assets.searchAllResources`** allows listing all resources of an organization, folder, or project, IAM-related resources (such as roles) included.
```bash
gcloud asset search-all-resources --scope projects/PROJECT_ID
gcloud asset search-all-resources --scope folders/1234567
gcloud asset search-all-resources --scope organizations/123456
```
* The permission **`cloudasset.assets.analyzeMove`** can also be useful to retrieve the policies affecting a resource such as a project:
```bash
gcloud asset analyze-move --project=PROJECT_ID \
--destination-organization=609216679593
```
* I suppose the permission **`cloudasset.assets.queryIamPolicy`** could also give access to find permissions of principals
```bash
# But, when running something like this
gcloud asset query --project=PROJECT_ID --statement='SELECT * FROM compute_googleapis_com_Instance'
# I get the error
ERROR: (gcloud.asset.query) UNAUTHENTICATED: QueryAssets API is only supported for SCC premium customers. See https://cloud.google.com/security-command-center/pricing
```
### testIamPermissions enumeration
{% hint style="danger" %}
If you **cannot access IAM information** using the previous methods and you are in a Red Team, you could **use the tool** [**https://github.com/carlospolop/bf\_my\_gcp\_perms**](https://github.com/carlospolop/bf_my_gcp_perms) **to brute-force your current permissions.**
However, note that the service **`cloudresourcemanager.googleapis.com`** needs to be enabled.
{% endhint %}
### Privesc
In the following page you can check how to **abuse IAM permissions to escalate privileges**:
{% content-ref url="../gcp-privilege-escalation/gcp-iam-privesc.md" %}
[gcp-iam-privesc.md](../gcp-privilege-escalation/gcp-iam-privesc.md)
{% endcontent-ref %}
### Unauthenticated Enum
{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-iam-principals-and-org-unauthenticated-enum.md" %}
[gcp-iam-principals-and-org-unauthenticated-enum.md](../gcp-unauthenticated-enum-and-access/gcp-iam-principals-and-org-unauthenticated-enum.md)
{% endcontent-ref %}
### Post Exploitation
{% content-ref url="../gcp-post-exploitation/gcp-iam-post-exploitation.md" %}
[gcp-iam-post-exploitation.md](../gcp-post-exploitation/gcp-iam-post-exploitation.md)
{% endcontent-ref %}
### Persistence
If you have high privileges you could:
* Create new SAs (or users if in Workspace)
* Give principals controlled by yourself more permissions
* Give more privileges to vulnerable SAs (SSRF in vm, vuln Cloud Function…)
* …
## Org Policies
For an intro about what Org Policies are check:
{% content-ref url="../gcp-basic-information/" %}
[gcp-basic-information](../gcp-basic-information/)
{% endcontent-ref %}
IAM policies indicate the permissions principals have over resources via roles, which bundle granular permissions. Organization policies **restrict how those services can be used or which features are disabled**. This helps enforce least privilege on each resource in the GCP environment.
```bash
gcloud resource-manager org-policies list --organization=ORGANIZATION_ID
gcloud resource-manager org-policies list --folder=FOLDER_ID
gcloud resource-manager org-policies list --project=PROJECT_ID
```
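The listing above prints every policy set at that level, but a reviewer usually wants a quick answer to "which of the hardening constraints are actually in place here". The following Python script is an added example (not code from HackTricks or from gcloud) that reads the JSON printed by `gcloud resource-manager org-policies list --organization=ORGANIZATION_ID --format=json` (or the `--folder`/`--project` variants) and summarises, for a handful of real constraint names, whether a policy is set on that resource and what it enforces. The policies in the sample are constructed for the demo.

```python
# Added example: summarise v1 org policies (the shape `gcloud resource-manager
# org-policies list --format=json` prints) for a set of hardening constraints.
import json

# Real constraint names a reviewer typically looks for first.
CONSTRAINTS_OF_INTEREST = [
    "constraints/iam.disableServiceAccountKeyCreation",
    "constraints/iam.automaticIamGrantsForDefaultServiceAccounts",
    "constraints/iam.allowedPolicyMemberDomains",
    "constraints/compute.vmExternalIpAccess",
]

# Constructed sample in the shape of `org-policies list --format=json`.
SAMPLE_ORG_POLICIES_JSON = """
[
  {"constraint": "constraints/iam.disableServiceAccountKeyCreation",
   "booleanPolicy": {"enforced": true}},
  {"constraint": "constraints/iam.allowedPolicyMemberDomains",
   "listPolicy": {"allowedValues": ["C01abcdef"]}},
  {"constraint": "constraints/compute.vmExternalIpAccess",
   "listPolicy": {"allValues": "ALLOW"}}
]
"""

NON_RESTRICTIVE = {"not set here", "not enforced", "allow all", "no values set"}


def load_policies(text):
    """Parse the JSON list that gcloud prints."""
    return json.loads(text)


def summarize(policy):
    """Human-readable summary of one v1 org policy entry."""
    if "booleanPolicy" in policy:
        return "enforced" if policy["booleanPolicy"].get("enforced") else "not enforced"
    lp = policy.get("listPolicy", {})
    if lp.get("allValues") == "DENY":
        return "deny all"
    if lp.get("allValues") == "ALLOW":
        return "allow all"
    parts = []
    if lp.get("allowedValues"):
        parts.append("allow " + ",".join(lp["allowedValues"]))
    if lp.get("deniedValues"):
        parts.append("deny " + ",".join(lp["deniedValues"]))
    return "; ".join(parts) or "no values set"


def check(policies):
    """{constraint: summary or 'not set here'} for each constraint of interest."""
    by_name = {p["constraint"]: p for p in policies}
    return {c: (summarize(by_name[c]) if c in by_name else "not set here")
            for c in CONSTRAINTS_OF_INTEREST}


def restrictive(policies):
    """Constraints of interest whose policy at this level actually restricts something."""
    return sorted(c for c, s in check(policies).items() if s not in NON_RESTRICTIVE)


if __name__ == "__main__":
    for constraint, status in check(load_policies(SAMPLE_ORG_POLICIES_JSON)).items():
        print(f"{constraint}: {status}")
```

"Not set here" only means no policy is set at the level you listed; a constraint can still be enforced through inheritance from a folder or the organization, so confirm the effective value with `gcloud resource-manager org-policies describe CONSTRAINT --project=PROJECT_ID --effective` before concluding a control is missing.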
### Privesc
In the following page you can check how to **abuse org policies permissions to escalate privileges**:
{% content-ref url="../gcp-privilege-escalation/gcp-orgpolicy-privesc.md" %}
[gcp-orgpolicy-privesc.md](../gcp-privilege-escalation/gcp-orgpolicy-privesc.md)
{% endcontent-ref %}