Google Cloud Platform
fernando-gallego edited this page May 30, 2023 · 7 revisions
There are two ways to authenticate Scout against a GCP Organization or Project.

- User Account
  - Configure the cloud shell to use the appropriate User Account credentials (`gcloud init` to set up a new account, or `gcloud config set account <account>` to switch to an existing one)
  - Obtain application-default credentials for Scout to use: `gcloud auth application-default login`
  - Run Scout with the `--user-account` flag
- Service Account
  - Generate and download a service account key in JSON format (refer to https://cloud.google.com/iam/docs/creating-managing-service-account-keys)
  - Run Scout with the `--service-account` flag, passing the path to the key file
The following roles can be attached to the member used to run Scout in order to grant the necessary permissions:

- Viewer
- Security Reviewer
- Stackdriver Account Viewer

All three are read-only; Scout does not need write access. Binding them at the Organization or Folder level covers every Project beneath it with a single binding.
NOTE: The Cloud Resource Manager API needs to be enabled for all the Projects in scope, otherwise ScoutSuite will not have visibility over any resources.
On a machine already configured to use the gcloud command-line tool, you can run Scout with the following command:

```
$ python scout.py gcp --user-account
```

To run Scout using Service Account keys, use the following command:

```
$ python scout.py gcp --service-account </PATH/TO/KEY_FILE.JSON>
```
By default, only the inferred default Project will be scanned.

To scan a GCP ...

- Organization, use the `--organization-id <ORGANIZATION ID>` argument
- Folder, use the `--folder-id <FOLDER ID>` argument
- Project, use the `--project-id <PROJECT ID>` argument
- All projects that a user/service account has access to, use the `--all-projects` flag
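The steps above (service account, roles, Cloud Resource Manager API, scope flag, scan) as one script. This is an added example, not ScoutSuite's own code: it creates a dedicated read-only service account, binds the three roles listed above at the chosen scope, enables the Cloud Resource Manager API on the projects in scope, runs Scout with the matching scope argument, and then deletes the key so no long-lived credential is left behind. The organization ID, project names and key path are hypothetical placeholders; the script runs as whatever account is active in gcloud, and with `DRY_RUN=1` (the default) it only prints the commands it would execute.

```shell
#!/usr/bin/env sh
# Added example, not part of ScoutSuite: bootstrap a read-only service account
# for Scout, enable the Cloud Resource Manager API on the projects in scope,
# run the scan, then revoke the key. Names below are hypothetical placeholders.
# Runs as the account currently active in gcloud; DRY_RUN=1 (default) only
# prints the commands it would execute.
set -eu

ORG_ID="${ORG_ID:-123456789012}"                 # hypothetical organization ID
SA_PROJECT="${SA_PROJECT:-security-tooling}"     # project that owns the service account
SA_NAME="${SA_NAME:-scoutsuite-reader}"
SA_EMAIL="$SA_NAME@$SA_PROJECT.iam.gserviceaccount.com"
KEY_FILE="${KEY_FILE:-./scoutsuite-key.json}"
DRY_RUN="${DRY_RUN:-1}"

# The three roles the page lists, as IAM role IDs. All are read-only.
SCOUT_ROLES="roles/viewer roles/iam.securityReviewer roles/stackdriver.accounts.viewer"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# gcloud binding command for one role at the chosen scope. Binding at the
# organization or folder covers every project beneath it with one binding.
binding_cmd() {
    case "$1" in
        organization) prefix="gcloud organizations add-iam-policy-binding $2" ;;
        folder)       prefix="gcloud resource-manager folders add-iam-policy-binding $2" ;;
        project)      prefix="gcloud projects add-iam-policy-binding $2" ;;
        *) echo "cannot bind roles at scope: $1" >&2; return 1 ;;
    esac
    echo "$prefix --member=serviceAccount:$SA_EMAIL --role=$3"
}

grant_scout_roles() {
    for role in $SCOUT_ROLES; do
        cmd=$(binding_cmd "$1" "$2" "$role") || return 1
        run $cmd
    done
}

# Scout reports nothing for a project whose Cloud Resource Manager API is off.
enable_crm_api() {
    for project in "$@"; do
        run gcloud services enable cloudresourcemanager.googleapis.com --project "$project"
    done
}

# Scope selector -> Scout argument, mirroring the page's --organization-id /
# --folder-id / --project-id / --all-projects options.
scope_flag() {
    case "$1" in
        organization) echo "--organization-id $2" ;;
        folder)       echo "--folder-id $2" ;;
        project)      echo "--project-id $2" ;;
        all)          echo "--all-projects" ;;
        *) echo "unknown scope: $1" >&2; return 1 ;;
    esac
}

scout_cmd() {
    flag=$(scope_flag "$1" "${2:-}") || return 1
    echo "python scout.py gcp --service-account $KEY_FILE $flag"
}

# A downloaded key is a long-lived credential: delete it once the scan is done.
revoke_key() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ gcloud iam service-accounts keys delete <private_key_id from $KEY_FILE> --iam-account=$SA_EMAIL --quiet"
        return 0
    fi
    key_id=$(python3 -c 'import json,sys; print(json.load(open(sys.argv[1]))["private_key_id"])' "$KEY_FILE")
    gcloud iam service-accounts keys delete "$key_id" --iam-account="$SA_EMAIL" --quiet
    rm -f "$KEY_FILE"
}

main() {
    scope="${1:-organization}"
    scope_id="${2:-$ORG_ID}"
    bind_scope="$scope"
    if [ "$scope" = all ]; then bind_scope=organization; scope_id="$ORG_ID"; fi
    if [ "$DRY_RUN" = 1 ]; then
        projects="proj-alpha proj-bravo"       # constructed sample project IDs
    else
        projects=$(gcloud projects list --format="value(projectId)")   # every project the caller can see
    fi
    run gcloud iam service-accounts create "$SA_NAME" --project="$SA_PROJECT" --display-name="ScoutSuite read-only"
    grant_scout_roles "$bind_scope" "$scope_id"
    enable_crm_api $projects
    run gcloud iam service-accounts keys create "$KEY_FILE" --iam-account="$SA_EMAIL"
    run chmod 600 "$KEY_FILE"
    scan=$(scout_cmd "$scope" "$scope_id")
    run $scan
    revoke_key
}

main "$@"
```

Usage: `sh scout-gcp-bootstrap.sh project my-project` prints the plan; `DRY_RUN=0 sh scout-gcp-bootstrap.sh folder 987654321` executes it. The project list used for the API enablement is every project the admin account can see; narrow it with a `--filter` on `gcloud projects list` if only part of the estate is in scope. Keep the key file out of version control and off shared disks for the few minutes it exists.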