GCP Pentesting Notes
GCP Notes
These notes have been inspired by the amazing GCP track at Hackfest 2025 created by Lutzenfried!
⚠️ Rules Of Engagement
GCP Security Testing Policy: GCP Acceptable Use Policy
- GCP allows security assessments on resources you control in your own GCP projects/account. Testing of Google’s underlying infrastructure, shared GCP control plane, or other users’ assets is prohibited.
- Testing must respect GCP’s Acceptable Use Policy; you are responsible for what you deploy/configure, and Google is responsible for the underlying cloud.
- There’s no pre-approval required for most in-scope resources, but any action that risks disruption or cross-tenant impact remains forbidden.
Prohibited activities
- Denial-of-service in any form: DoS/DDoS, protocol/port/request flooding, simulated DoS, or attacks against GCP infrastructure or management plane.
- Testing GCP-managed core services or attempting to access other tenants or Google’s internal systems/databases.
Allowed targets (your resources)
- Typical in-scope: your GCE VMs, GKE clusters, Cloud Storage buckets, App Engine services, Cloud Functions you own, networking resources within your project, IAM configuration, APIs/endpoints within your controlled environment.
- Common low-impact techniques: web app testing (SQLi/XSS), exploit validation, vulnerability and port scanning, cautious fuzzing of endpoints within your project boundary.
🔧 Technical Requirements
General Advice
- Always request viewer/iam.securityReviewer roles for complete recon and escalation checks.
- Use API tokens for custom Python/REST automation if traditional gcloud auth flows are unavailable.
Google Cloud SDK Installation
Info: Official Install Guide
Official Guide: https://cloud.google.com/sdk/docs/install
Linux
sudo apt-get update
sudo apt-get install google-cloud-cli
macOS
Download and extract the .tar.gz from Google, run install.sh, then initialize with gcloud init.
GCP Attack Matrix
Tool Name: GCP_ATTACK_Matrix
An open-source, community-driven knowledge base of tactics, techniques, and procedures (TTPs) for attacking and defending Google Cloud Platform (GCP) and Google Workspace environments.
🔍 Outsider - Recon
Multi-Cloud Enumeration
Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud.
Tool Name: cloud_enum
pip3 install -r ./requirements.txt
./cloud_enum.py -k targetname -t 10
👹 Initial Access - Recon
Public Secrets
The goal here is to search for secrets and passwords that may grant us initial access.
- Google Dorking
- Look for sensitive documents
- Code Repositories
Public Code Repo
Tools:
# Scan a repo
trufflehog git https://github.com/trufflesecurity/test_keys --results=verified
# Scan an organization
trufflehog github --org=trufflesecurity --results=verified
Authenticate with GCP
There are multiple user types and therefore multiple ways to log in with gcloud.
User
gcloud auth login
Service account
gcloud auth activate-service-account --key-file=service-account.json
Set default project:
# List all projects you have access to
gcloud projects list
# Set default project
gcloud config set project PROJECT_ID
You can also list the accounts you have previously used to authenticate with gcloud:
gcloud auth list
Get Access Token
Once authenticated, you can use gcloud to request an access token.
# OAuth2 access token
gcloud auth print-access-token
# Print ID token (JWT used for Cloud Run & API Gateway)
gcloud auth print-identity-token
Permission Limitation
If you only have limited permissions (for example resourcemanager.projects.get and run.services.list), you are restricted to basic project information and Cloud Run service enumeration.
Enumeration
Below is a set of useful commands to enumerate as much information as possible inside the GCP tenant you just gained initial access to.
Organization & Project Structure
# List all organizations
gcloud organizations list
# List all folders
gcloud resource-manager folders list --organization=ORG_ID
# List all projects you can see
gcloud projects list
# Project details, parent info
gcloud projects describe PROJECT_ID
IAM & Permissions
# List project IAM policy
gcloud projects get-iam-policy PROJECT_ID
# Org-level IAM policy
gcloud organizations get-iam-policy ORG_ID
# Folder IAM
gcloud resource-manager folders get-iam-policy FOLDER_ID
# List service accounts
gcloud iam service-accounts list --project=PROJECT_ID
# List roles (custom/predefined)
gcloud iam roles list --project=PROJECT_ID
Cloud Storage
# List buckets
gsutil ls -p PROJECT_ID
# Recursively list bucket contents
gsutil ls -r gs://BUCKET_NAME
# Bucket IAM policy
gsutil iam get gs://BUCKET_NAME
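Both gcloud projects get-iam-policy PROJECT_ID --format=json and gsutil iam get gs://BUCKET_NAME return the same bindings structure, so one review routine covers the IAM and Cloud Storage checks above. The example below is added here and is not code from the page or any tool it lists; the policy it inspects is a constructed sample, and the list of high-privilege roles is my own selection.

```python
import json

# Principals that make a resource reachable by anyone (or by any Google account).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Roles granting broad control; this list is a starting point, not an exhaustive one.
HIGH_PRIVILEGE_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/iam.securityAdmin",
    "roles/iam.serviceAccountTokenCreator",
    "roles/storage.admin",
}

# Constructed sample in the shape returned by `gcloud projects get-iam-policy
# PROJECT_ID --format=json` (a bucket policy from `gsutil iam get` has the same
# bindings layout). Not real data.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]},
    {"role": "roles/owner",
     "members": ["user:alice@example.com",
                 "serviceAccount:build@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer", "members": ["group:devs@example.com"]}
  ],
  "etag": "BwXyZ1234=",
  "version": 1
}
""")


def audit_iam_policy(policy: dict) -> list:
    """Return one finding per (role, member) pair that deserves review."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            reasons = []
            if member in PUBLIC_MEMBERS:
                reasons.append("public principal")
            if role in HIGH_PRIVILEGE_ROLES:
                reasons.append("high-privilege role")
                if member.startswith("serviceAccount:"):
                    reasons.append("service account with broad role")
            if reasons:
                findings.append({"role": role, "member": member, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_iam_policy(SAMPLE_POLICY):
        print(f"{f['role']:<32} {f['member']:<64} {', '.join(f['reasons'])}")
```

Pipe real output in with json.load(sys.stdin) in place of SAMPLE_POLICY to review a live project or bucket.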
Compute
# List VMs
gcloud compute instances list --project=PROJECT_ID
# List disks
gcloud compute disks list --project=PROJECT_ID
# List images
gcloud compute images list --project=PROJECT_ID
You can try to log in to the VMs over SSH if your user is allowed to:
gcloud compute ssh [instance-name] --zone=[ZONE]
Networking & Security
# List VPC networks
gcloud compute networks list --project=PROJECT_ID
# List subnets
gcloud compute networks subnets list --project=PROJECT_ID
# List firewalls
gcloud compute firewall-rules list --project=PROJECT_ID
# List SSL certs
gcloud compute ssl-certificates list --project=PROJECT_ID
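The firewall listing above is most useful when its JSON output (--format=json) is checked for rules that expose management or database ports to the whole Internet. This added example is not from the page or from gcloud; the rules it inspects are a constructed sample and the sensitive-port list is my own choice.

```python
import json

# TCP ports whose exposure to 0.0.0.0/0 is worth a finding (extend as needed).
SENSITIVE_TCP_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 1433: "mssql"}

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`
# (only the fields this check reads). Not real data.
SAMPLE_RULES = json.loads("""
[
  {"name": "allow-ssh-anywhere", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-db-range", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3300-3310"]}]},
  {"name": "allow-all-internal", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "all"}]},
  {"name": "old-rdp", "direction": "INGRESS", "disabled": true,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]}
]
""")


def _port_spec_matches(spec: str, port: int) -> bool:
    """True if a gcloud port spec ("22" or "3300-3310") covers the port."""
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def exposed_sensitive_ports(rules: list) -> list:
    """Find enabled INGRESS rules that open sensitive TCP ports to 0.0.0.0/0."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        if "0.0.0.0/0" not in rule.get("sourceRanges", []):
            continue
        for allowed in rule.get("allowed", []):
            proto = allowed.get("IPProtocol", "").lower()
            if proto not in ("tcp", "all"):
                continue
            specs = allowed.get("ports")  # absent means every port of that protocol
            for port, service in SENSITIVE_TCP_PORTS.items():
                if specs is None or any(_port_spec_matches(s, port) for s in specs):
                    findings.append({"rule": rule["name"], "port": port, "service": service})
    return findings


if __name__ == "__main__":
    for f in exposed_sensitive_ports(SAMPLE_RULES):
        print(f"{f['rule']}: {f['service']} ({f['port']}/tcp) open to 0.0.0.0/0")
```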
Serverless / Managed
# List Cloud Run services
gcloud run services list --project=PROJECT_ID --region=REGION
# Describe Cloud Run
gcloud run services describe SERVICE_NAME --project=PROJECT_ID --region=REGION
# List Cloud Functions
gcloud functions list --project=PROJECT_ID --region=REGION
# Describe functions
gcloud functions describe FUNCTION_NAME --project=PROJECT_ID --region=REGION
Databases
# List Cloud SQL
gcloud sql instances list --project=PROJECT_ID
# List Firestore
gcloud firestore databases list --project=PROJECT_ID
# List BigQuery datasets
gcloud bigquery datasets list --project=PROJECT_ID
Org/Project Policies
# Project org policies
gcloud resource-manager org-policies list --project=PROJECT_ID
# Org org policies
gcloud resource-manager org-policies list --organization=ORG_ID
APIs
# List enabled APIs
gcloud services list --project=PROJECT_ID
Privilege Escalation & Enumeration Toolkits
Tool Name: RhinoSecurityLabs/GCP-IAM-Privilege-Escalation
# Requires token with IAM Perms
enumerate_member_permissions.py -p PROJECT_ID
# Check escalation paths
check_for_privesc.py
Tool Name: NetSPI/gcpwn
- Add auth (ADC, service account key, or raw access token)
- Use modules: enum, privesc, exploit, etc.
🧙 Post Exploitation
Limited Permissions
If token/SA has very limited permissions (can only list Cloud Run, get basic project info), most enumeration and privilege escalation modules will fail until permissions are expanded.
How to Use Bearer Tokens in API Calls
If you acquire an OAuth2 access token (ya29...) and want to use it for direct API calls:
curl -H "Authorization: Bearer <your_access_token>" https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID
Use JWT (eyJhbGciOi...) ID tokens where the service requires them, e.g. authenticated Cloud Run endpoints.
Using Access Tokens with Python
Example using requests
import requests

# Raw OAuth2 access token used as a bearer token; "-" as the location lists services in all regions
headers = {"Authorization": "Bearer <access_token>"}
resp = requests.get("https://run.googleapis.com/v1/projects/<PROJECT_ID>/locations/-/services", headers=headers)
print(resp.json())
Example using google-auth (Only Access Token)
from google.oauth2.credentials import Credentials
from googleapiclient.discovery import build

# Wrap a raw OAuth2 access token (no refresh token, so the credentials expire with it)
creds = Credentials(token="<access_token>")
service = build("run", "v1", credentials=creds)
# "-" as the location lists Cloud Run services across all regions
response = service.projects().locations().services().list(parent="projects/<PROJECT_ID>/locations/-").execute()
print(response)
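Before wiring a token into calls like the ones above it helps to know which kind it is and what it is valid for. This added example (not from the page) classifies a token by its prefix and, for a JWT ID token, decodes its claims to check expiry and audience; the signature is not verified, so it is an inspection aid only, and the sample token is constructed.

```python
import base64
import json
import time

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def classify_token(token: str) -> str:
    """Tell an OAuth2 access token (ya29...) from a JWT ID token (eyJ...)."""
    if token.startswith("ya29."):
        return "access_token"
    if token.startswith("eyJ") and token.count(".") == 2:
        return "id_token"
    return "unknown"

def decode_jwt_claims(token: str) -> dict:
    """Return the JWT payload; the signature is NOT verified (inspection only)."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def id_token_status(token: str, expected_audience: str, now=None) -> dict:
    """Check expiry and audience of an ID token before sending it to a service."""
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    exp = claims.get("exp", 0)
    return {
        "email": claims.get("email"),
        "audience_matches": claims.get("aud") == expected_audience,
        "expired": exp <= now,
        "seconds_left": int(exp - now),
    }

# Constructed sample ID token; the signature segment is a placeholder, not a real one.
_HEADER = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
_PAYLOAD = _b64url_encode(json.dumps({
    "iss": "https://accounts.google.com", "aud": "https://my-service-abc123-uc.a.run.app",
    "email": "sa@example-project.iam.gserviceaccount.com", "iat": 1700000000, "exp": 1700003600,
}).encode())
SAMPLE_ID_TOKEN = f"{_HEADER}.{_PAYLOAD}.placeholder-signature"

if __name__ == "__main__":
    print(classify_token(SAMPLE_ID_TOKEN))
    print(id_token_status(SAMPLE_ID_TOKEN, "https://my-service-abc123-uc.a.run.app", now=1700000100))
```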
GCP Domain Wide Delegation
Tool Name: Lutzenfried/Delegate
A GitHub tool to perform GCP Domain Wide Delegation abuse and access Gmail and Drive data.
python delegate.py -k <SERVICE_ACCOUNT_KEY> -i <EMAIL_TO_IMPERSONATE> -m <MODULE> -a <ACTION> [OPTIONS]
Check the README.md for more detailed commands.
⭐ More Resources
This section is dedicated to other wikis and notes available about Google Cloud.
If you have notes or a website related to this topic, feel free to contact me; I would be happy to share the links here :)
