Open emilva opened 1 year ago
Describe the bug
The scanner fails if the service account token does not have access to list projects via Resource Manager. When scanning service account key JSON files, which include a project_id, this may lead to "false positives", as the SA may have access to other services in the current project.

To Reproduce
Steps to reproduce the behavior:
keys/sa.json:
and run
python3 -m gcp_scanner --sa-key-path keys -o output -l INFO

Expected behavior
When Resource Manager is disabled, the scanner should not abort enumerating resources in the current project. It still knows one project from the JSON file, and the impact in that project can be assessed.

Current behavior
See steps to reproduce

Additional context

Thanks @emilva for reporting this problem. There is a flag to alter GCP Scanner behavior in such cases. You can force it to scan the project with -f <project_name> -p <project_name>. I agree that you can just extract it from the GCP SA key, but the issue is that it is not the only type of credentials we support. I still think this needs to be implemented, but we need to keep that in mind.
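The fallback discussed in this thread, as an added example written for this page (not gcp_scanner's own code): when listing projects through Resource Manager is denied, recover the project_id from the service-account key JSON and keep scanning that one project; a credential type without a project_id (an authorized_user file, for instance) yields no fallback, which is the caveat raised in the reply. The sample key, the ProjectListingDenied exception and the resolve_projects/project_id_from_sa_key names are constructed for illustration; the list_projects callable stands in for the real Resource Manager call.

```python
import json
from typing import Callable, List, Optional

# Constructed sample of a service-account key file. The private key material is a
# placeholder, not real key data.
SAMPLE_SA_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project-123",
    "private_key_id": "PLACEHOLDER",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "scanner@example-project-123.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
})

# Constructed sample of a user credential file: this type carries no project_id.
SAMPLE_USER_CREDS = json.dumps({
    "type": "authorized_user",
    "client_id": "PLACEHOLDER",
    "client_secret": "PLACEHOLDER",
    "refresh_token": "PLACEHOLDER",
})


class ProjectListingDenied(Exception):
    """Stand-in for the permission error Resource Manager returns when the
    credential may not list projects (hypothetical, for this example)."""


def project_id_from_sa_key(key_json: str) -> Optional[str]:
    """Return the project_id embedded in a service-account key file, or None
    when the file is another credential type or the field is missing."""
    try:
        data = json.loads(key_json)
    except json.JSONDecodeError:
        return None
    if data.get("type") != "service_account":
        return None
    project_id = data.get("project_id")
    if isinstance(project_id, str) and project_id:
        return project_id
    return None


def resolve_projects(
    list_projects: Callable[[], List[str]],
    key_json: str,
    forced: Optional[List[str]] = None,
) -> List[str]:
    """Decide which projects to enumerate.

    Precedence: projects forced on the command line, then whatever Resource
    Manager lists, then the project_id from the key file. A denied listing is
    treated like an empty one instead of aborting the scan.
    """
    if forced:
        return list(forced)
    try:
        listed = list_projects()
    except ProjectListingDenied:
        listed = []
    if listed:
        return listed
    fallback = project_id_from_sa_key(key_json)
    return [fallback] if fallback else []


def denied_listing() -> List[str]:
    """Simulates a token that lacks permission to list projects."""
    raise ProjectListingDenied("resourcemanager.projects.list denied")


def allowed_listing() -> List[str]:
    """Simulates a token that can list two projects (constructed names)."""
    return ["example-project-123", "example-project-456"]


if __name__ == "__main__":
    # Denied listing with an SA key: the scan continues with the key's own project.
    print(resolve_projects(denied_listing, SAMPLE_SA_KEY))
    # Denied listing with user credentials: nothing to fall back on.
    print(resolve_projects(denied_listing, SAMPLE_USER_CREDS))
    # Allowed listing: the listed projects win over the key's project_id.
    print(resolve_projects(allowed_listing, SAMPLE_SA_KEY))
```

Ordering the sources this way keeps the existing forced-project path intact while removing the hard failure the issue describes; the empty result for non-SA credentials is deliberate, so the caller can still report that no project could be determined rather than silently scanning nothing.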