google / gcp_scanner

A comprehensive scanner for Google Cloud
Apache License 2.0

Bug: Do not stop enumerating project if resource manager is disabled in SA project. #266

Open emilva opened 1 year ago

emilva commented 1 year ago

Describe the bug
The scanner fails if the service account token does not have access to list projects via Resource Manager. When scanning service account key JSON files, which include project_id, this may lead to "false positives", as the SA may have access to other services in the current project.

To Reproduce

Steps to reproduce the behavior:

  1. Create a SA in a project that has Resource Manager disabled and save the credentials to keys/sa.json:
    {
      "type": "service_account",
      "project_id": "my-project-00",
      "private_key_id": "<hash here>",
      "private_key": "<priv key>",
      "client_email": "asdfasdf@my-project-00.iam.gserviceaccount.com",
      "client_id": "<id>",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://accounts.google.com/o/oauth2/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "<cert url>"
    }

and run python3 -m gcp_scanner --sa-key-path keys -o output -l INFO

  2. This will give you this output:
    2023-08-07 10:39:53 - INFO - >> current service account: asdfasdf@my-project-00.iam.gserviceaccount.com
    2023-08-07 10:39:53 - INFO - Retrieving projects list
    2023-08-07 10:39:53 - INFO - Failed to enumerate projects
    2023-08-07 10:39:53 - INFO - (<class 'googleapiclient.errors.HttpError'>, <HttpError 403 when requesting https://cloudresourcemanager.googleapis.com/v1/projects?alt=json 
    returned "Cloud Resource Manager API has not been used in project ID before or it is disabled. 
    Enable it by visiting https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=ID then retry. 
    If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.". Details: "[{'@type': 'type.googleapis.com/google.rpc.Help', 'links': [{'description': 'Google developers console API activation', 'url': 'https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=ID'}]}, {'@type': 'type.googleapis.com/google.rpc.ErrorInfo', 'reason': 'SERVICE_DISABLED', 'domain': 'googleapis.com', 'metadata': {'service': 'cloudresourcemanager.googleapis.com', 'consumer': 'projects/ID'}}]">, <traceback object at 0x10895b980>) 

Expected behavior
When Resource Manager is disabled, the scanner should not abort enumerating resources in the current project. It still knows one project from the JSON file, and the impact in that project can be assessed.

Current behavior
See steps to reproduce.

Additional context

mshudrak commented 1 year ago

Thanks @emilva for reporting this problem. There is a flag to alter GCP Scanner behavior in such cases. You can force it to scan the project with -f <project_name> -p <project_name>. I agree that you can just extract it from the GCP SA, but the issue is that it is not the only type of credentials we support. I still think this needs to be implemented, but we need to keep that in mind.
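As an added example (not gcp_scanner's own code), the fallback the report asks for, combined with the forced-project flags from the reply: a hypothetical ProjectListError stands in for the HttpError, the 403 body is matched on the SERVICE_DISABLED reason for cloudresourcemanager.googleapis.com shown in the log above, and the key file's project_id is scanned instead of aborting. The sample key and error body are constructed from the shapes in the report.

```python
import json
from typing import Callable, Iterable, List


class ProjectListError(Exception):
    """Constructed stand-in for the HttpError raised by projects.list."""

    def __init__(self, status: int, details: list):
        super().__init__(f"HTTP {status}")
        self.status, self.details = status, details  # code + parsed 'Details'


def resource_manager_disabled(exc: ProjectListError) -> bool:
    """Match only the report's error shape: 403 + google.rpc.ErrorInfo with
    reason SERVICE_DISABLED for cloudresourcemanager.googleapis.com. Any
    other 403 (a real permission denial) must not trigger the fallback."""
    if exc.status != 403:
        return False
    return any(
        d.get("@type") == "type.googleapis.com/google.rpc.ErrorInfo"
        and d.get("reason") == "SERVICE_DISABLED"
        and d.get("metadata", {}).get("service") == "cloudresourcemanager.googleapis.com"
        for d in exc.details)


def projects_to_scan(list_projects: Callable[[], Iterable[str]],
                     sa_key_json: str, forced: Iterable[str] = ()) -> List[str]:
    """IDs to enumerate; `forced` = IDs from the -f/-p flags, `sa_key_json` = raw key file."""
    ids = list(forced)
    try:
        ids.extend(list_projects())
    except ProjectListError as exc:
        if not resource_manager_disabled(exc):
            raise  # unrelated failure: keep aborting as before
        # Resource Manager is off, but the key file still names one project:
        # scan that one instead of stopping.
        key = json.loads(sa_key_json)
        if key.get("type") == "service_account" and key.get("project_id"):
            ids.append(key["project_id"])
    return list(dict.fromkeys(ids))  # de-duplicate, preserve order

# Constructed sample input mirroring the report's 403 body and key file.
SAMPLE_KEY = '{"type": "service_account", "project_id": "my-project-00"}'
SAMPLE_DISABLED = [{"@type": "type.googleapis.com/google.rpc.ErrorInfo",
                    "reason": "SERVICE_DISABLED", "domain": "googleapis.com",
                    "metadata": {"service": "cloudresourcemanager.googleapis.com"}}]

def list_projects_disabled() -> List[str]:
    raise ProjectListError(403, SAMPLE_DISABLED)
```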