gcp-scanner


Namegcp-scanner JSON
Version 1.4.0 PyPI version JSON
download
home_page
SummaryGCP resource scanner that can help determine what level of access certain credentials possess on GCP
upload_time2024-01-25 05:21:51
maintainer
docs_urlNone
author
requires_python>=3.7
licenseApache License
keywords gcp scan access security-tool python
VCS
bugtrack_url
requirements No requirements were recorded.
Travis-CI No Travis.
coveralls test coverage No coveralls.
            ![pytests](https://github.com/google/gcp_scanner/actions/workflows/python-app.yml/badge.svg)
[![GCP scanner version](https://img.shields.io/github/v/release/google/gcp_scanner?label=version&color=blue)](https://github.com/google/gcp_scanner/releases/latest)

### Disclaimer

This project is not an official Google project. It is not supported by
Google and Google specifically disclaims all warranties as to its quality,
merchantability, or fitness for a particular purpose.

### GCP Scanner

![Logo](misc/gcp_scanner_logo.png?raw=true "Logo of GCP Scanner")

This is a GCP resource scanner that can help determine what level of access certain credentials possess on GCP. The scanner is designed to help security engineers evaluate the impact of a certain VM/container compromise, GCP service account, or OAuth2 token key leak.

Currently, the scanner supports the following GCP resources:

- GCE
- GCS
- GKE
- App Engine
- Cloud SQL
- BigQuery
- Spanner
- Pub/Sub
- Cloud Functions
- BigTable
- CloudStore
- KMS
- Cloud Services
- The scanner supports SA [impersonation](https://cloud.google.com/iam/docs/impersonating-service-accounts)

The scanner supports extracting and using the following types of credentials:

- GCP VM instance metadata;
- User credentials stored in gcloud profiles;
- OAuth2 Refresh Token with cloud-platform scope granted;
- GCP service account key in JSON format.

The scanner does not rely on any third-party tool (e.g., gcloud). Thus, it can be compiled as a standalone tool and used on a machine with no GCP SDK installed (e.g. a Kubernetes pod). However, please keep in mind that the only OS that is currently supported is Linux.

Please note that GCP offers [Policy Analyzer](https://cloud.google.com/policy-intelligence/docs/analyze-iam-policies) to find out which principals (users, service accounts, groups, and domains), have what access to which Google Cloud resources. However, it requires specific permissions on the GCP project and the Cloud Assets API needs to be enabled. If you just have a GCP SA key, access to a previously compromised VM, or an OAUth2 refresh token, gcp_scanner is the best option to use.

### Installation

To install the package, use `pip` (you must also have `git` installed):

```
pip install gcp_scanner
python3 -m gcp_scanner --help
```

Alternatively:

```
git clone https://github.com/google/gcp_scanner
cd gcp_scanner
pip install .
gcp-scanner --help
```

There is a docker build file if you want to run the scanner from a container:
`docker build -f Dockerfile -t sa_scanner .`

### Command-line options

```
usage: python3 scanner.py -o folder_to_save_results -g -

GCP Scanner

options:
  -h, --help            show this help message and exit
  -ls, --light-scan     Return only the most important GCP resource fields in the output.
  -k KEY_PATH, --sa-key-path KEY_PATH
                        Path to directory with SA keys in json format
  -g GCLOUD_PROFILE_PATH, --gcloud-profile-path GCLOUD_PROFILE_PATH
                        Path to directory with gcloud profile. Specify - to search for credentials in default gcloud config path
  -m, --use-metadata    Extract credentials from GCE instance metadata
  -at ACCESS_TOKEN_FILES, --access-token-files ACCESS_TOKEN_FILES
                        A list of comma separated files with access token and OAuth scopes.TTL limited. A token and scopes should be stored in JSON format.
  -rt REFRESH_TOKEN_FILES, --refresh-token-files REFRESH_TOKEN_FILES
                        A list of comma separated files with refresh_token, client_id,token_uri and client_secret stored in JSON format.
  -s KEY_NAME, --service-account KEY_NAME
                        Name of individual SA to scan
  -p TARGET_PROJECT, --project TARGET_PROJECT
                        Name of individual project to scan
  -f FORCE_PROJECTS, --force-projects FORCE_PROJECTS
                        Comma separated list of project names to include in the scan
  -c CONFIG_PATH, --config CONFIG_PATH
                        A path to config file with a set of specific resources to scan.
  -l {DEBUG,INFO,WARNING,ERROR,CRITICAL}, --logging {DEBUG,INFO,WARNING,ERROR,CRITICAL}
                        Set logging level (INFO, WARNING, ERROR)
  -lf LOG_FILE, --log-file LOG_FILE
                        Save logs to the path specified rather than displaying in console
  -pwc PROJECT_WORKER_COUNT, --project-worker-count PROJECT_WORKER_COUNT
                        Set limit for project crawlers run in parallel.
  -rwc RESOURCE_WORKER_COUNT, --resource-worker-count RESOURCE_WORKER_COUNT
                        Set limit for resource crawlers run in parallel.

Required parameters:
  -o OUTPUT, --output-dir OUTPUT
                        Path to output directory
```

Option `-f` requires an additional explanation. In some cases, the service account does not have permissions to explicitly list project names. However, it still might have access to underlying resources if we provide the correct project name. This option is specifically designed to handle such cases.

### Building a standalone binary with PyInstaller

Please replace `google-api-python-client==2.80.0` with `google-api-python-client==1.8.0` in `pyproject.toml`. After that, navigate to the scanner source code directory and use pyinstaller to compile a standalone binary:

`pyinstaller -F --add-data 'roots.pem:grpc/_cython/_credentials/' scanner.py`

### Working with results

The GCP Scanner produces a standard JSON file that can be handled by any JSON Viewer or DB. We are providing a web-based tool that can help you visualize the results.
To run the tool, please use the following command:

```
usage: gcp-scanner-visualizer -p 8080

GCP Scanner Visualizer

options:
  -h, --help            show this help message and exit
  -p PORT, --port PORT  Port to listen on default 8080
```

To know more about how to use the tool, please visit [GCP Scanner Visualizer Usage Guide](./visualization_tool/docs/USAGE.md) page.

If you just need a convenient way to grep JSON results, we can recommend [gron](https://github.com/tomnomnom/gron).

### Contributing

See [`CONTRIBUTING.md`](CONTRIBUTING.md) for details.

### License

Apache 2.0; see [`LICENSE`](LICENSE) for details.

            

Raw data

            {
    "_id": null,
    "home_page": "",
    "name": "gcp-scanner",
    "maintainer": "",
    "docs_url": null,
    "requires_python": ">=3.7",
    "maintainer_email": "",
    "keywords": "gcp,scan,access,security-tool,python",
    "author": "",
    "author_email": "",
    "download_url": "https://files.pythonhosted.org/packages/92/43/24e6b2f120078c3e184df45ba9cf481b1be55b58f755a6a4417bba3c55b3/gcp-scanner-1.4.0.tar.gz",
    "platform": null,
    "description": "![pytests](https://github.com/google/gcp_scanner/actions/workflows/python-app.yml/badge.svg)\n[![GCP scanner version](https://img.shields.io/github/v/release/google/gcp_scanner?label=version&color=blue)](https://github.com/google/gcp_scanner/releases/latest)\n\n### Disclaimer\n\nThis project is not an official Google project. It is not supported by\nGoogle and Google specifically disclaims all warranties as to its quality,\nmerchantability, or fitness for a particular purpose.\n\n### GCP Scanner\n\n![Logo](misc/gcp_scanner_logo.png?raw=true \"Logo of GCP Scanner\")\n\nThis is a GCP resource scanner that can help determine what level of access certain credentials possess on GCP. The scanner is designed to help security engineers evaluate the impact of a certain VM/container compromise, GCP service account, or OAuth2 token key leak.\n\nCurrently, the scanner supports the following GCP resources:\n\n- GCE\n- GCS\n- GKE\n- App Engine\n- Cloud SQL\n- BigQuery\n- Spanner\n- Pub/Sub\n- Cloud Functions\n- BigTable\n- CloudStore\n- KMS\n- Cloud Services\n- The scanner supports SA [impersonation](https://cloud.google.com/iam/docs/impersonating-service-accounts)\n\nThe scanner supports extracting and using the following types of credentials:\n\n- GCP VM instance metadata;\n- User credentials stored in gcloud profiles;\n- OAuth2 Refresh Token with cloud-platform scope granted;\n- GCP service account key in JSON format.\n\nThe scanner does not rely on any third-party tool (e.g., gcloud). Thus, it can be compiled as a standalone tool and used on a machine with no GCP SDK installed (e.g. a Kubernetes pod). However, please keep in mind that the only OS that is currently supported is Linux.\n\nPlease note that GCP offers [Policy Analyzer](https://cloud.google.com/policy-intelligence/docs/analyze-iam-policies) to find out which principals (users, service accounts, groups, and domains), have what access to which Google Cloud resources. However, it requires specific permissions on the GCP project and the Cloud Assets API needs to be enabled. If you just have a GCP SA key, access to a previously compromised VM, or an OAUth2 refresh token, gcp_scanner is the best option to use.\n\n### Installation\n\nTo install the package, use `pip` (you must also have `git` installed):\n\n```\npip install gcp_scanner\npython3 -m gcp_scanner --help\n```\n\nAlternatively:\n\n```\ngit clone https://github.com/google/gcp_scanner\ncd gcp_scanner\npip install .\ngcp-scanner --help\n```\n\nThere is a docker build file if you want to run the scanner from a container:\n`docker build -f Dockerfile -t sa_scanner .`\n\n### Command-line options\n\n```\nusage: python3 scanner.py -o folder_to_save_results -g -\n\nGCP Scanner\n\noptions:\n  -h, --help            show this help message and exit\n  -ls, --light-scan     Return only the most important GCP resource fields in the output.\n  -k KEY_PATH, --sa-key-path KEY_PATH\n                        Path to directory with SA keys in json format\n  -g GCLOUD_PROFILE_PATH, --gcloud-profile-path GCLOUD_PROFILE_PATH\n                        Path to directory with gcloud profile. Specify - to search for credentials in default gcloud config path\n  -m, --use-metadata    Extract credentials from GCE instance metadata\n  -at ACCESS_TOKEN_FILES, --access-token-files ACCESS_TOKEN_FILES\n                        A list of comma separated files with access token and OAuth scopes.TTL limited. A token and scopes should be stored in JSON format.\n  -rt REFRESH_TOKEN_FILES, --refresh-token-files REFRESH_TOKEN_FILES\n                        A list of comma separated files with refresh_token, client_id,token_uri and client_secret stored in JSON format.\n  -s KEY_NAME, --service-account KEY_NAME\n                        Name of individual SA to scan\n  -p TARGET_PROJECT, --project TARGET_PROJECT\n                        Name of individual project to scan\n  -f FORCE_PROJECTS, --force-projects FORCE_PROJECTS\n                        Comma separated list of project names to include in the scan\n  -c CONFIG_PATH, --config CONFIG_PATH\n                        A path to config file with a set of specific resources to scan.\n  -l {DEBUG,INFO,WARNING,ERROR,CRITICAL}, --logging {DEBUG,INFO,WARNING,ERROR,CRITICAL}\n                        Set logging level (INFO, WARNING, ERROR)\n  -lf LOG_FILE, --log-file LOG_FILE\n                        Save logs to the path specified rather than displaying in console\n  -pwc PROJECT_WORKER_COUNT, --project-worker-count PROJECT_WORKER_COUNT\n                        Set limit for project crawlers run in parallel.\n  -rwc RESOURCE_WORKER_COUNT, --resource-worker-count RESOURCE_WORKER_COUNT\n                        Set limit for resource crawlers run in parallel.\n\nRequired parameters:\n  -o OUTPUT, --output-dir OUTPUT\n                        Path to output directory\n```\n\nOption `-f` requires an additional explanation. In some cases, the service account does not have permissions to explicitly list project names. However, it still might have access to underlying resources if we provide the correct project name. This option is specifically designed to handle such cases.\n\n### Building a standalone binary with PyInstaller\n\nPlease replace `google-api-python-client==2.80.0` with `google-api-python-client==1.8.0` in `pyproject.toml`. After that, navigate to the scanner source code directory and use pyinstaller to compile a standalone binary:\n\n`pyinstaller -F --add-data 'roots.pem:grpc/_cython/_credentials/' scanner.py`\n\n### Working with results\n\nThe GCP Scanner produces a standard JSON file that can be handled by any JSON Viewer or DB. We are providing a web-based tool that can help you visualize the results.\nTo run the tool, please use the following command:\n\n```\nusage: gcp-scanner-visualizer -p 8080\n\nGCP Scanner Visualizer\n\noptions:\n  -h, --help            show this help message and exit\n  -p PORT, --port PORT  Port to listen on default 8080\n```\n\nTo know more about how to use the tool, please visit [GCP Scanner Visualizer Usage Guide](./visualization_tool/docs/USAGE.md) page.\n\nIf you just need a convenient way to grep JSON results, we can recommend [gron](https://github.com/tomnomnom/gron).\n\n### Contributing\n\nSee [`CONTRIBUTING.md`](CONTRIBUTING.md) for details.\n\n### License\n\nApache 2.0; see [`LICENSE`](LICENSE) for details.\n",
    "bugtrack_url": null,
    "license": "Apache License",
    "summary": "GCP resource scanner that can help determine what level of access certain credentials possess on GCP",
    "version": "1.4.0",
    "project_urls": {
        "Homepage": "https://github.com/google/gcp_scanner"
    },
    "split_keywords": [
        "gcp",
        "scan",
        "access",
        "security-tool",
        "python"
    ],
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "6599fbcd1d248904e47f8f6f156376b83f6eb0b67756f5ba364f67729e14918f",
                "md5": "a8fc6a1c9e677d50db95a03f629cbb75",
                "sha256": "45ba1083846f1317fb756d89fc746b928a264e5d1a5e9c1d83c30be549cad637"
            },
            "downloads": -1,
            "filename": "gcp_scanner-1.4.0-py3-none-any.whl",
            "has_sig": false,
            "md5_digest": "a8fc6a1c9e677d50db95a03f629cbb75",
            "packagetype": "bdist_wheel",
            "python_version": "py3",
            "requires_python": ">=3.7",
            "size": 201825,
            "upload_time": "2024-01-25T05:21:50",
            "upload_time_iso_8601": "2024-01-25T05:21:50.432241Z",
            "url": "https://files.pythonhosted.org/packages/65/99/fbcd1d248904e47f8f6f156376b83f6eb0b67756f5ba364f67729e14918f/gcp_scanner-1.4.0-py3-none-any.whl",
            "yanked": false,
            "yanked_reason": null
        },
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "924324e6b2f120078c3e184df45ba9cf481b1be55b58f755a6a4417bba3c55b3",
                "md5": "df2f710df09a79651f33541d4322204e",
                "sha256": "c389f31c4486e7d133936ae1fc0a58058b0001ff8fcee265e52844ae38ba28a2"
            },
            "downloads": -1,
            "filename": "gcp-scanner-1.4.0.tar.gz",
            "has_sig": false,
            "md5_digest": "df2f710df09a79651f33541d4322204e",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": ">=3.7",
            "size": 149605,
            "upload_time": "2024-01-25T05:21:51",
            "upload_time_iso_8601": "2024-01-25T05:21:51.988466Z",
            "url": "https://files.pythonhosted.org/packages/92/43/24e6b2f120078c3e184df45ba9cf481b1be55b58f755a6a4417bba3c55b3/gcp-scanner-1.4.0.tar.gz",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2024-01-25 05:21:51",
    "github": true,
    "gitlab": false,
    "bitbucket": false,
    "codeberg": false,
    "github_user": "google",
    "github_project": "gcp_scanner",
    "travis_ci": false,
    "coveralls": false,
    "github_actions": true,
    "requirements": [],
    "lcname": "gcp-scanner"
}
        
Elapsed time: 0.18531s