Exploring IAM for Effective Google Cloud Platform Pentesting (comprehensive guide)

ADIP
3 min readApr 21, 2024

--

To Conduct through a GCP pentest comprehensive understanding of identity and access management (IAM) is crucial.
So, let’s begin delving into IAM facilitates a meticulous evaluation of GCP’s security architecture.

IAM

IAM (Identity and Access Management) in Google Cloud Platform is a system that manages who has access to the resources and what actions they can perform within GCP. it controls permissions for users, groups, and service accounts, ensuring secure and controlled acess to GCP resources.

IAM has Primitive roles

  • Owner, Editor, and Viewer
  • !!!! default service account in every project is given the Editor role (insecure!!)

Predefined roles

  • roles managed by Google (e.g. compute.instanceAdmin)

Custom roles

  • provides admins the ability to create their own set of permissions for a role

To see roles assigned to each member of a project:

gcloud projects get-iam-policy <PROJECT_ID>

Enumeration

Enumeration in Google Cloud Platform (GCP) pentesting involves systematically discovering and gathering information about resources, services, and configurations within a GCP environment. This process helps identify potential attack vectors, misconfigurations, and vulnerabilities that could be exploited by malicious actors. It includes techniques such as scanning for open ports, enumerating cloud resources, querying metadata endpoints, and identifying weak access controls.

You can get organization ID by using this command: gcloud organizations list
You can view user permissions within organization using this command: gcloud organizations get-iam-policy

  • note that the permissions within an organization are applied to all projects within the organization, which are therefore applied to all resources within that project, etc.

Application Default Credentials

Application Default Credentials (ADC) in Google Cloud Platform (GCP) are a convenient way for applications to authenticate with GCP services without needing to manage credentials directly. During pentesting, ADC may be analyzed to ensure that applications are securely authenticating and accessing GCP resources. This includes verifying that ADC are properly scoped, managed, and rotated to prevent unauthorized access or misuse.

Now a pentester’s thoughts on ADC:

  • alternative to pulling a token from the metadata service
  • this method is used when implementing one of Google’s official GCP client libraries

following are the steps taken to search for credentials when using the GCP client libraries:

  1. Code will check source code
  2. The service account key file is checked
  3. The GOOGLE_APPLICATION_CREDENTIALS environment variable is checked
  4. This environment variable can be set to the location of a service account key file
  5. The default token in the metadata service is used.
  • the default token in the metadata service is used only if 1 or 2 is not found because the metadata service token is confined within access scopes and is temporary

Service Account Token:
Service Account Tokens in Google Cloud Platform (GCP) are short-lived cryptographic tokens issued to service accounts for authenticating and authorizing access to GCP resources. During pentesting, analyzing service account tokens involves examining their generation, usage, and expiration to ensure proper security controls are in place. This includes verifying token scope, access controls, and rotation policies to mitigate the risk of unauthorized access or token abuse.

Now a pentester’s thoughts on Service Account Token

Token can be retrieved from metadata service:

Request:

curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google"

Response:

{
"access_token":"ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_QtAS08i85nHq39HE3C2LTrCARA",
"expires_in":3599,
"token_type":"Bearer"
}

Privilege Escalation

Privilege escalation in Google Cloud Platform (GCP) pentesting refers to the process of gaining higher levels of access or permissions than initially granted. This involves exploiting vulnerabilities, misconfigurations, or weaknesses in the GCP environment to elevate privileges and gain unauthorized access to sensitive resources or data. Pentesters aim to identify and mitigate privilege escalation paths to prevent potential security breaches.

Now a pentester’s thoughts on Privilege escalation
Always make sure to check if the principle of least-privilege is being applied throughout the environment.

--

--