GCP analyze
Enterprise feature: this feature is only available on TruffleHog Enterprise with Analyze. See https://trufflesecurity.com/contact to learn more.

Prerequisites

To integrate with the GCP Analyze feature, we'll need a service account with the appropriate permissions. To get started, create a role with the following org-wide permissions: https://console.cloud.google.com/iam-admin/roles

GCP role permissions

Recommended workflow: run this command to set up a role with the necessary permissions.

```shell
gcloud iam roles create trufflehog_gcp_analyze \
  --organization=<numerical-org-id> \
  --title="TruffleHog GCP Analyze Role" \
  --description="Custom role for TruffleHog's GCP Analyze with permissions for Cloud Asset, Cloud Resource Manager, IAM, Recommender, and Monitoring APIs" \
  --permissions="cloudasset.assets.searchAllIamPolicies,resourcemanager.organizations.get,resourcemanager.folders.get,resourcemanager.folders.list,resourcemanager.projects.get,resourcemanager.projects.list,iam.roles.get,recommender.iamPolicyInsights.get,recommender.iamPolicyInsights.list,recommender.iamPolicyRecommendations.get,recommender.iamPolicyRecommendations.list,monitoring.timeSeries.list" \
  --stage=GA
```

If you want to set up the role in GCP manually, attach the following permissions to a role:

- Cloud Asset API (listing policies associated with the service account name): cloudasset.assets.searchAllIamPolicies
- Resource Manager API (getting IDs and parent info): resourcemanager.organizations.get, resourcemanager.folders.get, resourcemanager.folders.list, resourcemanager.projects.get, resourcemanager.projects.list
- IAM API (getting the permissions for a role): iam.roles.get
- Recommender API (searching and getting recommendations): recommender.iamPolicyInsights.get, recommender.iamPolicyInsights.list, recommender.iamPolicyRecommendations.get, recommender.iamPolicyRecommendations.list
- Monitoring API (retrieving key usage): monitoring.timeSeries.list

Attach the created role to your desired service account. This is done using the "Manage access" button under the "Permissions" tab for the service account: https://console.cloud.google.com/iam-admin/serviceaccounts/

Under the "Keys" tab, create a new key with JSON formatting.

Cloud integration setup

In your TruffleHog instance, create a cloud Analyze integration for GCP and paste in the JSON key you created earlier. The next time a TruffleHog scanner detects a live GCP credential, it will automatically attempt to analyze the secret.

If you prefer not to set up a TruffleHog cloud integration, you can run TruffleHog locally using an on-prem scanner and configure it to use your local machine's GCP credentials.

On-prem scanner setup (alternative)

GCP credentials can be analyzed using a hosted scanner or an on-prem scanner. When using an on-prem scanner, ADC (Application Default Credentials) can be used instead of a service account credential configured through the Integrations tab. If this feature is enabled in a scanner configuration, the scanner will only use the ADC set up in the scanner environment.

Note that the previous flag analyzeUsingDefaultCredentials is now deprecated. If you are using this flag, please update your config to use analyzeGCPUsingDefaultCredentials.

Example configuration enabling ADC using analyzeGCPUsingDefaultCredentials:

```yaml
truffleHogAddress: your-truffle-address:8443
truffleHogScannerGroup: scannergroup
truffleHogScannerToken: thog-agent-64869d9e735b33f1f8586a09be50d7ca
logJSON: true
logLevel: info
analyzeGCPUsingDefaultCredentials: true
notifiers:
  - name: stdout
    sendUnverified: true
    type: stdout
```

Permission viewer

Learn more about a credential's resource permission hierarchy and associated role bindings with our permission viewer. The TruffleHog permission viewer is based on the GCP resource hierarchy (https://docs.cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy), which contains the organization (root), folders, projects, and then the actual service resources.

[Figure: GCP resource tree with a project selected, showing the legacy Viewer permissions]

Items with a badge in this resource tree indicate direct role bindings in which the service account was assigned. If the node is selected, you can then drill down into the assigned roles and permissions.

Table view & role analysis

The table contains all direct role bindings to which this GCP key has access. Clicking on a role binding will provide a detailed view of the selected role binding's metadata.

Search

Search through a key's resources, roles, and permissions to discover what sort of access the GCP key has.

Key rotation

While there is a rotation tutorial at https://howtorotate.com/docs/tutorials/gcp/, integrating with GCP allows us to provide a more guided experience for rotating your GCP secret. Clicking the "Help me rotate" button on the secret will pull out a guided tutorial on how to rotate your GCP secret safely. This includes the following:

- links to project logs in which the GCP secret has role bindings
- the key identifier for the particular leaked secret
- links to the Google Cloud console to revoke the credential and generate a new one

Insights & recommendations

On a given GCP secret, we'll provide insights and recommendations to highlight usage and least-privilege access patterns that may be of note in your remediation process.

Limitations

- Integrating GCP Analyze on the web dashboard is limited to a single GCP organization.
- Conditional IAM policies are currently not handled.