AWS IAM vs. GCP IAM
AWS IAM: the account owner attaches policies to identities (users, groups, roles); permissions are granted at the identity level.
GCP IAM: the non-human identity is a "service account". Permissions are granted by binding a principal to a role in the IAM policy of a resource (org, folder, project, or individual resource), so the resource owner grants access at the resource level and bindings inherit down the hierarchy.
GKE nodes are Compute Engine VMs with a service account attached (the Compute Engine default SA unless one is specified); any pod can fetch that SA's token from the metadata server unless Workload Identity or metadata concealment is in use.
Service accounts can be granted roles across projects (a binding in project B can name an SA from project A).
Types of roles:
Basic (formerly "primitive"; predate IAM): Owner, Editor, Viewer
Owner can set project-level role bindings (holds resourcemanager.projects.setIamPolicy)
Editor gets excessive privs. It can't set IAM policy (no new role bindings), but it can create keys for service accounts that already exist and impersonate them (iam.serviceAccountKeys.create, iam.serviceAccounts.actAs). The default service accounts get Editor on the project automatically: enabling Compute Engine creates PROJECT_NUMBER-compute@developer.gserviceaccount.com, which is attached to every VM by default and to VM-backed services; enabling App Engine creates PROJECT_ID@appspot.gserviceaccount.com, the default runtime identity for App Engine and 1st-gen Cloud Functions.
Editor can always privesc to Owner if any service account in the project holds Owner: Editor has iam.serviceAccounts.actAs on every SA in the project, so it can deploy a Cloud Function (or VM) running as the Owner SA and read that SA's access token from the metadata server, or simply mint a user-managed key for the Owner SA.
Predefined (curated by GCP, scoped to one service, e.g. roles/compute.admin)
Custom (your own permission set, defined at org or project level)
Scopes - OAuth scopes on a VM's attached service account restrict what the tokens from the metadata server can do; they never add permissions. Effective access is the intersection of the SA's IAM roles and the token's scopes: a VM whose SA has Editor but only the devstorage.read_only scope yields a token that can only read storage, while the cloud-platform scope exposes the whole role.
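Added example (my code, not GCPloit or any Google tooling): a small analyzer for the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints. It lists who holds the basic roles, flags default service accounts that still carry a basic role, sets conditional bindings aside instead of treating them as live grants, and enumerates the Editor-to-Owner path from the notes above (every Editor paired with every SA that holds Owner). The policy, project, principals and etag in SAMPLE_POLICY are constructed for this example.

```python
"""Enumerate basic-role grants in a GCP project IAM policy and flag the
Editor -> Owner escalation path (Editor + an Owner-holding service account).

Input is the JSON printed by `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY is constructed for this example (made-up project, principals, etag).
"""
import json
from collections import defaultdict

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:deployer@my-proj.iam.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                     "user:bob@example.com"]},
        # Conditional binding: the role only applies while the CEL expression is true.
        {"role": "roles/editor",
         "members": ["user:carol@example.com"],
         "condition": {"title": "temp-access",
                       "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
    ],
    "etag": "BwXconstructed=",
    "version": 3,
})


def parse_policy(policy_json):
    """Return ({member: set(roles)} for unconditional bindings, [conditional bindings])."""
    policy = json.loads(policy_json)
    grants = defaultdict(set)
    conditional = []
    for binding in policy.get("bindings", []):
        if binding.get("condition"):
            # Don't assume a conditional grant is live; report it separately for review.
            conditional.append(binding)
            continue
        for member in binding.get("members", []):
            grants[member].add(binding["role"])
    return dict(grants), conditional


def members_with_role(grants, role):
    return sorted(m for m, roles in grants.items() if role in roles)


def editor_to_owner_paths(grants):
    """Editors who can reach Owner because some service account in the project holds Owner.

    Editor carries iam.serviceAccounts.actAs and iam.serviceAccountKeys.create on every
    SA in the project, so each (editor, owner_sa) pair is reachable either by deploying
    code that runs as the Owner SA and reading its metadata token, or by minting a key.
    """
    owner_sas = [m for m in members_with_role(grants, "roles/owner")
                 if m.startswith("serviceAccount:")]
    editors = [m for m in members_with_role(grants, "roles/editor")
               if "roles/owner" not in grants[m]]
    return [(editor, sa) for editor in editors for sa in owner_sas]


def default_service_accounts(grants):
    """Default Compute Engine / App Engine SAs that still hold a basic role (Editor by default)."""
    hits = []
    for member, roles in grants.items():
        email = member.split(":", 1)[-1]
        if (email.endswith("-compute@developer.gserviceaccount.com")
                or email.endswith("@appspot.gserviceaccount.com")):
            basic = sorted(r for r in roles if r in BASIC_ROLES)
            if basic:
                hits.append((member, basic))
    return sorted(hits)


def report(policy_json):
    grants, conditional = parse_policy(policy_json)
    return {
        "owners": members_with_role(grants, "roles/owner"),
        "editors": members_with_role(grants, "roles/editor"),
        "default_sas_with_basic_role": default_service_accounts(grants),
        "editor_to_owner": editor_to_owner_paths(grants),
        "conditional_bindings": [(b["role"], b["members"], b["condition"]["title"])
                                 for b in conditional],
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_POLICY).items():
        print(f"{key}:")
        for item in value:
            print(f"  {item}")
```

Run it against a real policy with `gcloud projects get-iam-policy PROJECT --format=json > policy.json` and pass the file contents to `report()`. Note that it only reads project-level bindings; an Owner binding inherited from the folder or org will not appear here, so check `gcloud projects get-ancestors-iam-policy` too before concluding a project has no Owner SA.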
GCPloit - needs a user credential or service account key with an Editor-level role binding. Sources: leaked keys on GitHub, a service you've exploited (e.g. SSRF to the metadata server), etc.
Look at the GCP metadata server API (http://metadata.google.internal/computeMetadata/v1/, requires the Metadata-Flavor: Google header) - BSidesSanFran talk
GCP hacking:
Look for dogfood, alpha, staging_dogfood, and staging_alpha variants of API URIs/versions.
Try protobuf instead of JSON as the wire format: Content-Type: application/x-protobuf.
Host: clients6.google.com may work as an alternate to www.googleapis.com.
Send X-Goog-Encode-Response-If-Executable: base64 to get the response body base64-encoded.
protoc (the protocol buffers compiler) can decode the raw wire format without a schema: pipe the body through base64 -d then protoc --decode_raw. This gives you field numbers and wire types, which map to the gRPC/proto message fields.
https://www.youtube.com/watch?v=g-JgA1hvJzA
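Added example (my code, not from the talk above or from the protobuf project): a schema-less decoder that does what `base64 -d | protoc --decode_raw` does, for when protoc is not on the box or you want the field numbers as data rather than text. It reads the wire format (varint keys, fixed32/fixed64, length-delimited), applies protoc's heuristic for length-delimited fields (nested message if it parses, else printable string, else bytes), and renders the result in `--decode_raw` style. SAMPLE_BYTES is a constructed message, not captured from any Google endpoint.

```python
"""Decode raw protobuf wire format without a .proto schema, like `protoc --decode_raw`,
so field numbers can be read out of a base64-encoded API response.

SAMPLE_BYTES is constructed for this example: field 1 varint 150, field 2 string,
field 3 nested message, field 4 fixed32. It is not a real Google API response.
"""
import base64

SAMPLE_BYTES = bytes([
    0x08, 0x96, 0x01,                  # field 1, varint: 150
    0x12, 0x12,                        # field 2, length-delimited, len 18
    *b"projects/demo-proj",
    0x1a, 0x06,                        # field 3, length-delimited, len 6 (nested message)
    0x08, 0x01, 0x12, 0x02, *b"ok",    #   nested: field 1 varint 1, field 2 string "ok"
    0x25, 0xef, 0xbe, 0xad, 0xde,      # field 4, fixed32: 0xdeadbeef (little-endian)
])
SAMPLE_B64 = base64.b64encode(SAMPLE_BYTES).decode()

MAX_DEPTH = 8  # stop recursing into bytes that merely happen to parse as messages


def read_varint(buf, pos):
    """Base-128 little-endian varint; returns (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def classify_bytes(chunk, depth):
    """protoc's heuristic for a length-delimited field: nested message if it parses as one,
    else a printable UTF-8 string, else raw bytes. Ambiguity is inherent: some strings
    also parse as valid messages, so treat the nesting as a guess."""
    if chunk and depth < MAX_DEPTH:
        try:
            return ("message", decode_raw(chunk, depth + 1))
        except ValueError:
            pass
    try:
        text = chunk.decode("utf-8")
        if text.isprintable():
            return ("string", text)
    except UnicodeDecodeError:
        pass
    return ("bytes", chunk.hex())


def decode_raw(buf, depth=0):
    """Return [(field_number, wire_type, value), ...] for one message."""
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        field, wtype = key >> 3, key & 0x07
        if field == 0:
            raise ValueError("field number 0 is invalid")
        if wtype == 0:                                # varint
            value, pos = read_varint(buf, pos)
        elif wtype in (1, 5):                         # fixed64 / fixed32
            size = 8 if wtype == 1 else 4
            if pos + size > len(buf):
                raise ValueError("truncated fixed-width field")
            value = int.from_bytes(buf[pos:pos + size], "little")
            pos += size
        elif wtype == 2:                              # length-delimited
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("truncated length-delimited field")
            value = classify_bytes(buf[pos:pos + length], depth)
            pos += length
        else:                                         # 3/4 deprecated groups, 6/7 invalid
            raise ValueError(f"unsupported wire type {wtype}")
        fields.append((field, wtype, value))
    return fields


def decode_b64(text):
    """Decode a body fetched with X-Goog-Encode-Response-If-Executable: base64."""
    return decode_raw(base64.b64decode(text))


def format_fields(fields, indent=0):
    """Render in `protoc --decode_raw` style: `N: value`, `N { ... }` for nested messages."""
    pad = " " * indent
    lines = []
    for field, wtype, value in fields:
        if wtype == 2 and value[0] == "message":
            lines.append(f"{pad}{field} {{")
            lines.append(format_fields(value[1], indent + 2))
            lines.append(f"{pad}}}")
        elif wtype == 2 and value[0] == "string":
            lines.append(f'{pad}{field}: "{value[1]}"')
        elif wtype == 2:
            lines.append(f"{pad}{field}: 0x{value[1]}")
        elif wtype in (1, 5):
            width = 16 if wtype == 1 else 8
            lines.append(f"{pad}{field}: 0x{value:0{width}x}")
        else:
            lines.append(f"{pad}{field}: {value}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_fields(decode_b64(SAMPLE_B64)))
```

Feed it the base64 body from a response captured with the header above: `decode_b64(body)` returns the field list, and `format_fields()` prints the same shape protoc does. The field numbers are what you need when crafting a request back in protobuf: match them against the service's public .proto (or the JSON field order in its discovery document) to learn which field is which.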
API Discovery:
Start from the IAM docs; other services have equivalent reference docs.
Identity and Access Management documentation | Cloud IAM Documentation
E.g., compute docs: