basic gcp iam check

2018-09-26 14:39:20 -04:00
parent 9a961bd48c
commit b49df03312
3 changed files with 84 additions and 0 deletions
--- a/libs/gcp/gcp_iam.py
+++ b/libs/gcp/gcp_iam.py
@@ -0,0 +1,43 @@
+'''
+GCP IAM functions for WeirdAAL
+'''
+
+import google.auth
+import googleapiclient.discovery
+import os
+import sys
+
+from google.oauth2 import service_account
+
+from googleapiclient.errors import HttpError
+
+
+
+# [START iam_list_keys]
+def gcp_iam_list_keys(service_account_email,service):
+    """Lists all keys for a service account."""
+
+    # pylint: disable=no-member
+    keys = service.projects().serviceAccounts().keys().list(
+        name='projects/-/serviceAccounts/' + service_account_email).execute()
+
+    for key in keys['keys']:
+        print('Key: ' + key['name'])
+# [END iam_list_keys]
+
+
+# [START iam_list_service_accounts]
+def gcp_iam_list_service_accounts(project_id):
+    """Lists all service accounts for the current project."""
+
+    # pylint: disable=no-member
+    service_accounts = service.projects().serviceAccounts().list(
+        name='projects/' + project_id).execute()
+
+    for account in service_accounts['accounts']:
+        print('Name: ' + account['name'])
+        print('Email: ' + account['email'])
+        print(' ')
+    return service_accounts
+# [END iam_list_service_accounts]
+
--- a/modules/gcp/gcp_recon.py
+++ b/modules/gcp/gcp_recon.py
@@ -0,0 +1,38 @@
+'''
+This module handles the core GCP recon functionality by asking all the services
+that have functions that done have arguments if we can access them :-)
+'''
+
+
+
+from libs.gcp.gcp_iam import *
+#from libs.gcp.gcp_storage import *
+
+credentials = service_account.Credentials.from_service_account_file(
+    filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS'],
+    scopes=['https://www.googleapis.com/auth/cloud-platform'])
+
+service = googleapiclient.discovery.build(
+    'iam', 'v1', credentials=credentials)
+
+def module_gcp_recon_all():
+    '''
+    Main gcp_recon_all module - attempt to connect to each of the services to see if we have some privs
+    python3 weirdAAL.py -m gcp_recon_all -t demo
+    '''
+    try:
+        print("IAM List Keys check")
+        #print(credentials)
+        gcp_iam_list_keys(credentials.service_account_email, service)
+        #list_service_accounts('best-indian-restaurant-691ad')
+    except HttpError as e:
+        # print(e)
+        if e.resp.status in [403, 500, 503]:
+            print("\tIAM access denied for {}".format(credentials.service_account_email))
+        else:
+            print(e)
+    except google.auth.exceptions.RefreshError as f:
+        print(f)
+        print("Service key is invalid exiting")
+        sys.exit()
+
--- a/weirdAAL.py
+++ b/weirdAAL.py
@@ -67,6 +67,9 @@ def perform_credential_check():
    except ClientError as e:
        print("The AWS Access Keys are not valid/active")
        sys.exit(1)
+    # excepetion to catch the lack of aws cred here - temp fix
+    except Exception as e:
+        print('\t {}'.format(e))

 def method_create():
    try: