CyberCheatsheets

Google Cloud SDK (gcloud) Cheat Sheet

GCP command-line tool for project enumeration, IAM review, compute instances, and storage access testing.

Cloud & ContainersgcpgcsiamUpdated 2026-06-02

Overview

gcloud is the primary CLI for Google Cloud Platform. Use for listing projects, service accounts, GCS buckets, GCE metadata tokens, and IAM policies during cloud assessments.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Install

Debian

sudo apt install -y apt-transport-https ca-certificates gnupg
echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | sudo tee /etc/apt/sources.list.d/google-cloud-sdk.list
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg
sudo apt update && sudo apt install -y google-cloud-cli
gcloud init
gcloud auth login

Essential commands

Active identity

gcloud auth list
gcloud config list

Projects

gcloud projects list

Set project

gcloud config set project PROJECT_ID

Common workflows

From compromised VM

curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/project/project-id
export CLOUDSDK_CORE_PROJECT=$(curl -s -H "Metadata-Flavor: Google"
http://metadata.google.internal/computeMetadata/v1/project/project-id)

GCS enumeration —

gsutil ls
gsutil ls gs://bucket-name/
gsutil cp gs://bucket-name/secret.txt .
gsutil iam get gs://bucket-name

IAM / service accounts —

gcloud iam service-accounts list
gcloud projects get-iam-policy PROJECT_ID
gcloud iam roles describe roles/owner
gcloud iam service-accounts keys list --iam-account SA@PROJECT.iam.gserviceaccount.com

Compute instances —

gcloud compute instances list
gcloud compute ssh INSTANCE --zone us-central1-a
gcloud compute instances describe INSTANCE --zone us-central1-a

Org-wide (if permitted) —

gcloud organizations list
gcloud resource-manager folders list --organization ORG_ID
gcloud asset search-all-resources --scope=projects/PROJECT_ID

Flags reference

--project PROJECT_ID

Override project

--format json

Machine-readable output

--filter EXPRESSION

List filtering

gcloud auth activate-service-account

Use JSON key file

bq / gsutil

BigQuery / Storage CLIs bundled

gcloud components install

Extra tools (kubectl, etc.)

Tips

  • Default SA on GCE often has broad scopes — check token scopes in metadata.
  • Public GCS: gsutil ls gs://bucket without auth sometimes works.
  • Use ScoutSuite / custom scripts for report-style misconfig after manual triage.
  • Service account key JSON: gcloud auth activate-service-account --key-file=key.json.

References

Chuletas relacionadas