basic gcp iam check
43
libs/gcp/gcp_iam.py
@@ -0,0 +1,43 @@
|
|||||||
|
'''
|
||||||
|
GCP IAM functions for WeirdAAL
|
||||||
|
'''
|
||||||
|
|
||||||
|
import google.auth
|
||||||
|
import googleapiclient.discovery
|
||||||
|
import os
|
||||||
|
import sys
|
||||||
|
|
||||||
|
from google.oauth2 import service_account
|
||||||
|
|
||||||
|
from googleapiclient.errors import HttpError
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# [START iam_list_keys]
|
||||||
|
def gcp_iam_list_keys(service_account_email,service):
|
||||||
|
"""Lists all keys for a service account."""
|
||||||
|
|
||||||
|
# pylint: disable=no-member
|
||||||
|
keys = service.projects().serviceAccounts().keys().list(
|
||||||
|
name='projects/-/serviceAccounts/' + service_account_email).execute()
|
||||||
|
|
||||||
|
for key in keys['keys']:
|
||||||
|
print('Key: ' + key['name'])
|
||||||
|
# [END iam_list_keys]
|
||||||
|
|
||||||
|
|
||||||
|
# [START iam_list_service_accounts]
|
||||||
|
def gcp_iam_list_service_accounts(project_id):
|
||||||
|
"""Lists all service accounts for the current project."""
|
||||||
|
|
||||||
|
# pylint: disable=no-member
|
||||||
|
service_accounts = service.projects().serviceAccounts().list(
|
||||||
|
name='projects/' + project_id).execute()
|
||||||
|
|
||||||
|
for account in service_accounts['accounts']:
|
||||||
|
print('Name: ' + account['name'])
|
||||||
|
print('Email: ' + account['email'])
|
||||||
|
print(' ')
|
||||||
|
return service_accounts
|
||||||
|
# [END iam_list_service_accounts]
|
||||||
|
|
||||||
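Review bot: `gcp_iam_list_service_accounts` calls `service.projects()...` but `service` is neither a parameter nor defined anywhere in this file, so the function raises NameError as soon as it is called; the sibling `gcp_iam_list_keys` takes the client as an argument, and this one should match it: `def gcp_iam_list_service_accounts(project_id, service):`. Both functions also index `keys['keys']` and `service_accounts['accounts']` directly, and an account with no user-managed keys (or a project with no service accounts) is likely to come back without that field — `keys.get('keys', [])` / `service_accounts.get('accounts', [])` keeps the empty case from raising KeyError. A docstring line on `gcp_iam_list_keys` noting that it only prints and returns nothing, unlike its sibling which returns the response, would spare callers a surprise.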
38
modules/gcp/gcp_recon.py
@@ -0,0 +1,38 @@
|
|||||||
|
'''
|
||||||
|
This module handles the core GCP recon functionality by asking all the services
|
||||||
|
that have functions that done have arguments if we can access them :-)
|
||||||
|
'''
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
from libs.gcp.gcp_iam import *
|
||||||
|
#from libs.gcp.gcp_storage import *
|
||||||
|
|
||||||
|
credentials = service_account.Credentials.from_service_account_file(
|
||||||
|
filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS'],
|
||||||
|
scopes=['https://www.googleapis.com/auth/cloud-platform'])
|
||||||
|
|
||||||
|
service = googleapiclient.discovery.build(
|
||||||
|
'iam', 'v1', credentials=credentials)
|
||||||
|
|
||||||
|
def module_gcp_recon_all():
|
||||||
|
'''
|
||||||
|
Main gcp_recon_all module - attempt to connect to each of the services to see if we have some privs
|
||||||
|
python3 weirdAAL.py -m gcp_recon_all -t demo
|
||||||
|
'''
|
||||||
|
try:
|
||||||
|
print("IAM List Keys check")
|
||||||
|
#print(credentials)
|
||||||
|
gcp_iam_list_keys(credentials.service_account_email, service)
|
||||||
|
#list_service_accounts('best-indian-restaurant-691ad')
|
||||||
|
except HttpError as e:
|
||||||
|
# print(e)
|
||||||
|
if e.resp.status in [403, 500, 503]:
|
||||||
|
print("\tIAM access denied for {}".format(credentials.service_account_email))
|
||||||
|
else:
|
||||||
|
print(e)
|
||||||
|
except google.auth.exceptions.RefreshError as f:
|
||||||
|
print(f)
|
||||||
|
print("Service key is invalid exiting")
|
||||||
|
sys.exit()
|
||||||
|
|
||||||
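Review bot: The credential load and `googleapiclient.discovery.build(...)` run at import time, so merely importing this module raises KeyError when `GOOGLE_APPLICATION_CREDENTIALS` is unset (or an I/O error when the path is wrong), before `module_gcp_recon_all` and its exception handling ever run; building the client inside the module function keeps the failure where it can be reported. In the `HttpError` branch, 500 and 503 are server-side errors rather than permission denials, so reporting them as "IAM access denied" misattributes a transient failure to missing privileges — `if e.resp.status == 403:` and let the other statuses fall through to the `print(e)` branch. `sys.exit()` on `RefreshError` terminates the whole framework from inside a module; returning after the message is friendlier to the caller. The module also appears to rely on `from libs.gcp.gcp_iam import *` to pull in `os`, `sys`, `google.auth`, `service_account` and `HttpError` (inferred from the visible imports); explicit imports here would survive a cleanup of the library module's namespace.
```python
def _build_iam_service():
    """Return (credentials, iam_service) built from GOOGLE_APPLICATION_CREDENTIALS, or (None, None) if it is unset."""
    key_file = os.environ.get('GOOGLE_APPLICATION_CREDENTIALS')
    if not key_file:
        print("GOOGLE_APPLICATION_CREDENTIALS is not set")
        return None, None
    credentials = service_account.Credentials.from_service_account_file(
        filename=key_file,
        scopes=['https://www.googleapis.com/auth/cloud-platform'])
    service = googleapiclient.discovery.build(
        'iam', 'v1', credentials=credentials)
    return credentials, service


def module_gcp_recon_all():
    # … unchanged: docstring …
    credentials, service = _build_iam_service()
    if service is None:
        return
    try:
        print("IAM List Keys check")
        gcp_iam_list_keys(credentials.service_account_email, service)
    except HttpError as e:
        # 403 is the only status that actually means "no permission"
        if e.resp.status == 403:
            print("\tIAM access denied for {}".format(credentials.service_account_email))
        else:
            print(e)
    except google.auth.exceptions.RefreshError as f:
        print(f)
        print("Service key is invalid")
        return
```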
@@ -67,6 +67,9 @@ def perform_credential_check():
|
|||||||
except ClientError as e:
|
except ClientError as e:
|
||||||
print("The AWS Access Keys are not valid/active")
|
print("The AWS Access Keys are not valid/active")
|
||||||
sys.exit(1)
|
sys.exit(1)
|
||||||
|
# excepetion to catch the lack of aws cred here - temp fix
|
||||||
|
except Exception as e:
|
||||||
|
print('\t {}'.format(e))
|
||||||
|
|
||||||
def method_create():
|
def method_create():
|
||||||
try:
|
try:
|
||||||
|
|||||||
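Review bot: The new `except Exception as e:` fallback prints the error and falls through, whereas the `ClientError` branch just above it exits with status 1 — so the missing-credentials case the comment describes lets `perform_credential_check` return as if the keys had been validated, and any unrelated bug in the `try` body is swallowed along with it. The specific exception for absent AWS credentials is botocore's `NoCredentialsError` (it would need importing alongside `ClientError`); catching it and exiting the same way, `except NoCredentialsError:` / `print("No AWS credentials found")` / `sys.exit(1)`, keeps the check fail-closed. The comment also misspells "exception" (`excepetion`). `perform_credential_check` begins outside the hunk, so I cannot see what the `try` body covers.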