OpenGraph Overview and Usage
If you are new to GCPwn, read Getting Started first.
Use this section to build BloodHound-compatible OpenGraph output from enumerated GCP data.
You might notice that edges go to a role@location node instead of directly to the project. This preserves authorization fidelity in the graph.
If User A has compute.admin on Project A and User B has storage.admin on Project A, drawing both users directly to Project A and then Project A to all of its resources would incorrectly imply that both users can reach the same resources, when User A can only reach compute resources and User B can only reach storage resources.
The correct model routes each user through the specific role-binding node at that location, and only then fans out to the resources that role can actually affect.
Incorrect method (over-broad reach):
User A --> Project A --> Compute & Storage
User B --> Project A --> Compute & Storage
Correct method (binding-scoped reach):
User A --> compute_admin@project:A --> Compute Resources in Project A
User B --> storage_admin@project:A --> Storage Resources in Project A
Service-account principal sets (the principalSet member type that denotes every service account in a project) are also expanded in resource-expansion mode:
principalSet://cloudresourcemanager.googleapis.com/projects/<PROJECT_NUMBER>/type/ServiceAccount
-> GCP_PRINCIPAL_SET
-> serviceAccount:<email>
Equivalent principal-set membership expansion is emitted for folder and organization scopes as well.
Basic-role example:
Alice --> roles/owner@project:A --> ROLE_OWNER --> Target Resources
Rather than emitting a long list of separate CAN_* edges for that same owner binding, default mode collapses them into a ROLE_OWNER node and records the matched edge detail in edge properties (pass --include-all to keep the broader per-permission edges).
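The following Python is an added illustration of the modelling rules above (binding-scoped edges, principalSet expansion, and collapsing a basic role into a ROLE_OWNER node). It is not GCPwn's code or its output schema: the node and edge kinds, the role-to-service table, the project number, and every binding and resource below are constructed for the example. It builds the graph both the correct way and the over-broad way so the difference in reachable resources can be checked.

```python
"""Binding-scoped IAM graph (added example, not GCPwn's own code or schema)."""
from collections import deque
import json
import re

# --- Constructed sample data (not real inventory) ---------------------------
RESOURCES = {  # scope -> [(owning service, resource id)]
    "project:A": [
        ("compute", "//compute.googleapis.com/projects/A/zones/us-central1-a/instances/web-1"),
        ("storage", "//storage.googleapis.com/projects/_/buckets/a-backups"),
    ],
}
# Assumed, deliberately coarse mapping of role -> services it can affect.
ROLE_SERVICES = {
    "roles/compute.admin": {"compute"},
    "roles/storage.admin": {"storage"},
    "roles/owner": {"compute", "storage"},
}
# Basic roles collapse into one node instead of many CAN_* edges.
BASIC_ROLE_NODES = {"roles/owner": "ROLE_OWNER", "roles/editor": "ROLE_EDITOR", "roles/viewer": "ROLE_VIEWER"}
# Service accounts per project number, used to expand principalSet members (constructed).
SA_BY_PROJECT_NUMBER = {"123456789012": ["sa-deploy@a.iam.gserviceaccount.com"]}
PRINCIPAL_SET_RE = re.compile(
    r"^principalSet://cloudresourcemanager\.googleapis\.com/projects/(\d+)/type/ServiceAccount$"
)
BINDINGS = [
    {"scope": "project:A", "role": "roles/compute.admin", "members": ["user:alice@example.com"]},
    {"scope": "project:A", "role": "roles/storage.admin", "members": ["user:bob@example.com"]},
    {"scope": "project:A", "role": "roles/owner", "members": [
        "user:carol@example.com",
        "principalSet://cloudresourcemanager.googleapis.com/projects/123456789012/type/ServiceAccount",
    ]},
]


def _node(graph, node_id, kind):
    graph["nodes"].setdefault(node_id, {"id": node_id, "kinds": [kind], "properties": {}})


def _edge(graph, kind, start, end, props=None):
    graph["edges"].append({"kind": kind, "start": start, "end": end, "properties": props or {}})


def expand_member(graph, member):
    """Add the principal node for a binding member; a principalSet gets a set node
    plus MEMBER_OF edges from each service account it covers (direction is a design
    choice here so that an SA can traverse to the set's binding)."""
    m = PRINCIPAL_SET_RE.match(member)
    if not m:
        _node(graph, member, "GCP_PRINCIPAL")
        return member
    _node(graph, member, "GCP_PRINCIPAL_SET")
    for email in SA_BY_PROJECT_NUMBER.get(m.group(1), []):
        sa = f"serviceAccount:{email}"
        _node(graph, sa, "GCP_PRINCIPAL")
        _edge(graph, "MEMBER_OF", sa, member)
    return member


def build_graph(bindings=BINDINGS, resources=RESOURCES, binding_scoped=True):
    """binding_scoped=True routes principal -> role@scope -> affected resources;
    False reproduces the over-broad principal -> project -> all resources model."""
    graph = {"nodes": {}, "edges": []}
    for scope, items in resources.items():
        _node(graph, scope, "GCP_PROJECT")
        for service, rid in items:
            _node(graph, rid, f"GCP_{service.upper()}_RESOURCE")
            if not binding_scoped:
                _edge(graph, "CONTAINS", scope, rid)
    for b in bindings:
        scope, role = b["scope"], b["role"]
        principals = [expand_member(graph, m) for m in b["members"]]
        if not binding_scoped:
            for p in principals:
                _edge(graph, "HAS_ROLE", p, scope, {"role": role})
            continue
        binding_id = f"{role}@{scope}"
        _node(graph, binding_id, "GCP_ROLE_BINDING")
        for p in principals:
            _edge(graph, "HAS_ROLE_BINDING", p, binding_id)
        targets = [rid for svc, rid in resources[scope] if svc in ROLE_SERVICES[role]]
        if role in BASIC_ROLE_NODES:
            # Collapse node is scoped per location (assumption) so owners of different
            # projects do not share one fan-out; matched CAN_* detail lives in properties.
            collapse = f"{BASIC_ROLE_NODES[role]}@{scope}"
            _node(graph, collapse, BASIC_ROLE_NODES[role])
            _edge(graph, "GRANTS", binding_id, collapse)
            matched = sorted(f"CAN_{s.upper()}_ADMIN" for s in ROLE_SERVICES[role])
            for rid in targets:
                _edge(graph, BASIC_ROLE_NODES[role], collapse, rid, {"matched_edges": matched})
        else:
            for rid in targets:
                _edge(graph, "CAN_AFFECT", binding_id, rid, {"role": role})
    return graph


def reachable_resources(graph, principal):
    """Resource ids reachable from a principal by following edges forward (BFS)."""
    adj = {}
    for e in graph["edges"]:
        adj.setdefault(e["start"], []).append(e["end"])
    seen, queue = {principal}, deque([principal])
    while queue:
        for nxt in adj.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return {n for n in seen if n.startswith("//")}


def to_json(graph):
    """Serialize as a nodes/edges document; the shape is an assumption, not GCPwn's."""
    return json.dumps({"graph": {"nodes": list(graph["nodes"].values()), "edges": graph["edges"]}}, indent=2)


if __name__ == "__main__":
    for scoped in (True, False):
        g = build_graph(binding_scoped=scoped)
        print("binding_scoped=%s alice ->" % scoped, sorted(reachable_resources(g, "user:alice@example.com")))
    print(to_json(build_graph()))
```

With the over-broad model Alice reaches the bucket as well as the instance; with the binding-scoped model she reaches only the compute instance, while Carol and the expanded service account reach both through the ROLE_OWNER node.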
Example invocation:

```bash
modules run enum_gcp_cloud_hound_data --expand-inherited --reset --out Bloodhound_Output.json
```

| Flag | Purpose |
|---|---|
| --out <path> | Write exported OpenGraph JSON to a specific path |
| --reset | Clear existing OpenGraph rows before rebuild |
| --include-all | Keep broader IAM-derived edges (more complete, noisier output) |
| --expand-inherited | Expand inherited IAM scope fan-out across the org/folder/project/resource hierarchy |
| --cond-eval | Conditional evaluation mode (currently pass-through behavior) |

Because --cond-eval is currently pass-through, IAM conditions on bindings are not evaluated, so edges derived from conditional bindings can over-state reach.
If no step-selective flags are passed, all stages run.

| Flag | What It Runs |
|---|---|
| --groups | Users/groups mapping stage |
| --iam-bindings | IAM bindings stage |
| --inferred-permissions | Inferred-permissions stage |
| --resource-expansion | Resource-expansion stage |