
Bug: Do not stop enumerating project if resource manager is disabled in SA project. #266

Open
emilva opened this issue Aug 7, 2023 · 1 comment

emilva commented Aug 7, 2023

Describe the bug
The scanner fails if the service account token does not have access to list projects via Resource Manager. When scanning service account key JSON files, which include project_id, this may lead to "false positives", as the SA may have access to other services in the current project.

To Reproduce

Steps to reproduce the behavior:

  1. Create a SA in a project that has Resource Manager disabled, and save the credentials to keys/sa.json:
{
  "type": "service_account",
  "project_id": "my-project-00",
  "private_key_id": "<hash here>",
  "private_key": "<priv key>",
  "client_email": "[email protected]",
  "client_id": "<id>",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "<cert url>"
}

and run python3 -m gcp_scanner --sa-key-path keys -o output -l INFO

  2. This will give you this output:
2023-08-07 10:39:53 - INFO - >> current service account: [email protected]
2023-08-07 10:39:53 - INFO - Retrieving projects list
2023-08-07 10:39:53 - INFO - Failed to enumerate projects
2023-08-07 10:39:53 - INFO - (<class 'googleapiclient.errors.HttpError'>, <HttpError 403 when requesting https://cloudresourcemanager.googleapis.com/v1/projects?alt=json 
returned "Cloud Resource Manager API has not been used in project ID before or it is disabled. 
Enable it by visiting https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=ID then retry. 
If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.". Details: "[{'@type': 'type.googleapis.com/google.rpc.Help', 'links': [{'description': 'Google developers console API activation', 'url': 'https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=ID'}]}, {'@type': 'type.googleapis.com/google.rpc.ErrorInfo', 'reason': 'SERVICE_DISABLED', 'domain': 'googleapis.com', 'metadata': {'service': 'cloudresourcemanager.googleapis.com', 'consumer': 'projects/ID'}}]">, <traceback object at 0x10895b980>) 

Expected behavior
When resource manager is disabled, the scanner should not abort enumerating resources in the current project. It still knows one project from the json file, and the impact in that project can be assessed.

Current behavior
See steps to reproduce

Additional context

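The fallback described under "Expected behavior", as an added illustration (not gcp_scanner's own code): only the specific 403 whose ErrorInfo says cloudresourcemanager.googleapis.com is SERVICE_DISABLED is treated as recoverable, and the project_id from the key file is then used instead of aborting. FakeHttpError is a constructed stand-in for googleapiclient.errors.HttpError; the SA key and details payloads are constructed from the shapes shown in the issue.

```python
import json

# Constructed stand-in for googleapiclient.errors.HttpError (not the real class):
# carries the HTTP status and the parsed "Details" list seen in the issue's log.
class FakeHttpError(Exception):
    def __init__(self, status, details):
        super().__init__(f"HttpError {status}")
        self.status, self.details = status, details

# Details in the shape of the 403 from the issue (project ID is a placeholder).
SERVICE_DISABLED_DETAILS = [
    {"@type": "type.googleapis.com/google.rpc.ErrorInfo",
     "reason": "SERVICE_DISABLED", "domain": "googleapis.com",
     "metadata": {"service": "cloudresourcemanager.googleapis.com",
                  "consumer": "projects/ID"}},
]
# Constructed contrast case: a 403 for a different reason must still be raised.
PERMISSION_DENIED_DETAILS = [
    {"@type": "type.googleapis.com/google.rpc.ErrorInfo",
     "reason": "IAM_PERMISSION_DENIED", "domain": "googleapis.com",
     "metadata": {"service": "cloudresourcemanager.googleapis.com"}},
]
# Constructed SA key with the fields from the issue; secrets are placeholders.
SA_KEY_TEXT = json.dumps({"type": "service_account", "project_id": "my-project-00",
                          "client_email": "<sa email>"})


def resource_manager_disabled(err):
    """True only for the failure in the issue: a 403 whose ErrorInfo marks
    cloudresourcemanager.googleapis.com as SERVICE_DISABLED."""
    if getattr(err, "status", None) != 403:
        return False
    for d in getattr(err, "details", []):
        if (d.get("@type", "").endswith("google.rpc.ErrorInfo")
                and d.get("reason") == "SERVICE_DISABLED"
                and d.get("metadata", {}).get("service")
                == "cloudresourcemanager.googleapis.com"):
            return True
    return False


def projects_to_scan(sa_key_text, list_projects):
    """Projects to enumerate: Resource Manager's list when available, plus the
    project_id embedded in the SA key, so a disabled API does not abort the scan."""
    key = json.loads(sa_key_text)
    try:
        projects = list(list_projects())
    except FakeHttpError as err:
        if not resource_manager_disabled(err):
            raise  # a genuine permission problem should still surface
        projects = []
    pid = key.get("project_id")
    if pid and pid not in projects:
        projects.append(pid)  # fallback taken from the key file
    return projects


def _disabled():  # simulates the Resource Manager call failing as in the issue
    raise FakeHttpError(403, SERVICE_DISABLED_DETAILS)
```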
mshudrak (Collaborator) commented Aug 9, 2023

Thanks @emilva for reporting this problem. There is a flag to alter GCP Scanner behavior in such cases. You can force it to scan the project with -f <project_name> -p <project_name>. I agree that you can just extract it from the GCP SA, but the issue is that it is not the only type of credentials we support. I still think this needs to be implemented, but we need to keep that in mind.
