Skip to content
WebbinRoot edited this page Jul 10, 2026 · 10 revisions

GCPwn Wiki

GCPwn is a Google Cloud offensive security assessment framework for workspace-driven credential handling, service enumeration, artifact collection, and graph-based attack-path analysis. It covers 44 GCP services plus Google Workspace (Cloud Identity + Admin SDK Directory), with a Cloud Asset Inventory pipeline and a BloodHound OpenGraph generator.

Getting Started

  1. Getting Started
  2. Authentication Reference
  3. Common Use Cases
  4. Workspace Instructions
  5. CLI Module Reference
  6. Downloads to Disk
  7. Data View/Export

IAM + OpenGraph Workflows

Development and Operations

Module Layout

Modules live under gcpwn/modules/ in four top-level areas:

  • gcp/ — 40+ per-service directories (one folder per GCP service) holding enumeration, exploit, and unauthenticated modules.
  • workspace/ — Google Workspace modules split by API: cloud_identity/ (Cloud Identity groups/memberships/users), directory/ (Admin SDK Directory: admin roles, org units, domains, mobile devices, OAuth tokens), groups_settings/, data_transfer/, and apps/drive/ (the Google Drive data plane: enum_drive).
  • everything/ — cross-cutting modules: enum_all, enum_gcp, enum_google_workspace, enum_gcp_policy_bindings, exploit_gcp_setiampolicy, process_gcp_iam_bindings.
  • opengraph/ — the BloodHound OpenGraph generator (process_og_gcpwn_data, process_og_node_color_images).

These are Python namespace packages. Dotted module paths follow the folder layout, e.g. gcpwn.modules.gcp.<service>.enumeration.enum_<service>. The authoritative module list lives in gcpwn/mappings/module_mappings.json.

Service Coverage

Alongside long-standing services (Compute, Cloud Storage, IAM, Resource Manager, Cloud Functions, Cloud Run, BigQuery, Pub/Sub, KMS, Secret Manager, GKE, Cloud SQL, and more), recent additions include:

  • Cloud Scheduler, Cloud Workflows, Eventarc — surface the service account each job / workflow / trigger runs as (a priv-esc signal).
  • Cloud Spanner, AlloyDB — database instances and nested databases/instances.
  • Organization Policy — which guardrails (constraints) are enforced, so you can see which attack paths are blocked.
  • Cloud Asset Inventory — opt-in org/folder/project pull of resources + IAM policies into the shared workspace tables (force-multiplier + fallback).
  • Cloud Workstations, Cloud Billing, Cloud Shell.
  • Cloud Logging — sinks (export destinations + writer SA), buckets, log names, metrics, and on --download recent log entries.
  • Memorystore for Redis Cluster — a new --clusters component in the existing Memorystore module.

Recommended Baseline Run

modules run enum_gcp --iam
modules run enum_gcp_policy_bindings --ensure-tree
modules run process_gcp_iam_bindings
modules run process_og_gcpwn_data --expand-inherited --reset --out Bloodhound_Output

Export collected data:

data export csv
data export json
data export excel

If your goal is custom attack-path modeling, go directly to OpenGraph - Add Your Own Content.

Clone this wiki locally