
A script to enumerate GCP project permissions

Primary language: Python. License: MIT.

GCPAimer

A script to enumerate the GCP project permissions granted to the caller. Permissions are tested using the TestIamPermissions API, with credentials supplied through the --creds command-line argument or, failing that, the default credentials used by the Google Cloud libraries (through GOOGLE_APPLICATION_CREDENTIALS or gcloud).

WARNING: Your username can be disclosed in the access logs of the project you are testing.

Installation

  1. git clone https://github.com/snowytoxa/gcpaimer.git
  2. cd gcpaimer/
  3. python3 -m venv ./.venv
  4. . ./.venv/bin/activate
  5. python3 -m pip install -r requirements.txt

Usage

$ python3 gcpaimer.py --project my-project --creds ./my-project-service-account.json
Querying all testable permissions
Testing 2022 on project my-project
100%|█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 2022/2022 [00:13<00:00, 88.55it/s]
['iam.roles.create',
 'iam.roles.delete',
 'iam.roles.get',
 'iam.roles.list',
 'iam.roles.undelete',
 'iam.roles.update']
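An added example, not gcpaimer's own code: the batched TestIamPermissions flow described above, used to audit a service account against an intended baseline and report the permissions it holds beyond it. The function names, the 100-permission batch size and the offline stand-in for the API are assumptions; the live call uses google-api-python-client's Resource Manager v1 projects.testIamPermissions method.

```python
from typing import Callable, Iterable, List, Set

BATCH_SIZE = 100  # assumption: per-request cap on permissions for testIamPermissions


def make_project_tester(project_id: str, credentials=None) -> Callable[[List[str]], List[str]]:
    """Return a callable that sends one batch to Resource Manager testIamPermissions."""
    from googleapiclient import discovery  # lazy import; needs google-api-python-client

    # credentials=None falls back to Application Default Credentials.
    crm = discovery.build("cloudresourcemanager", "v1", credentials=credentials,
                          cache_discovery=False)

    def test_batch(batch: List[str]) -> List[str]:
        resp = crm.projects().testIamPermissions(
            resource=project_id, body={"permissions": batch}).execute()
        # The "permissions" key is absent when nothing in the batch is granted.
        return resp.get("permissions", [])

    return test_batch


def granted_permissions(candidates: Iterable[str],
                        test_batch: Callable[[List[str]], List[str]],
                        batch_size: int = BATCH_SIZE) -> Set[str]:
    """Test candidates in batches and collect the ones the caller holds."""
    ordered = sorted(set(candidates))
    granted: Set[str] = set()
    for i in range(0, len(ordered), batch_size):
        batch = ordered[i:i + batch_size]
        # Keep only names we asked about, so a malformed reply cannot add entries.
        granted.update(p for p in test_batch(batch) if p in batch)
    return granted


def excess_permissions(granted: Set[str], expected: Set[str]) -> List[str]:
    """Permissions held but not in the intended baseline (least-privilege drift)."""
    return sorted(granted - expected)


if __name__ == "__main__":
    # Constructed stand-in for the API so the example runs offline.
    held = {"iam.roles.get", "iam.roles.list", "iam.roles.delete"}
    fake = lambda batch: [p for p in batch if p in held]
    candidates = ["iam.roles.create", "iam.roles.delete", "iam.roles.get", "iam.roles.list"]
    got = granted_permissions(candidates, fake, batch_size=2)
    print(excess_permissions(got, expected={"iam.roles.get", "iam.roles.list"}))
```

For a live check, pass make_project_tester("my-project") as test_batch in place of the stand-in.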

Reference