ScoutSuite
Unable to list accessible Projects
I got this error when executing $python scout.py gcp --user-account
base.py L115: Unable to list accessible Projects: <HttpError 403 when requesting https://cloudresourcemanager.googleapis.com/v1/projects?filter=id%3A[MY_PROJECT_NAME]&alt=json returned "Request had insufficient authentication scopes.">
But when I check my project list by executing the command $gcloud projects list, I can read all the projects, and I can even read all the instances, because I have set the auth and config.
Can anyone help me resolve this?
Did you follow https://github.com/nccgroup/ScoutSuite/wiki/Google-Cloud-Platform#authentication? Did you run gcloud auth application-default login?
Closing due to lack of response. Will reopen if anything changes.
I am having a similar issue, the error is
base.py L126: Unable to list accessible Projects: 'RefreshError' object has no attribute 'content'
and the command to execute scout is:
> gcloud auth activate-service-account --key-file=<path to service account json>
> python scout.py gcp --project-id <test> -u
@estemendoza could you please share the contents of the error and exceptions result files under scoutsuite-report/scoutsuite-results/? The RefreshError could be due to a number of reasons from what I've seen.
Sure, errors file was empty, but exceptions file had this:
{
"additional_details": null,
"exception": "Unable to list accessible Projectsa: 'RefreshError' object has no attribute 'content'",
"file": "base.py",
"line": 125,
"traceback": "Traceback (most recent call last):\n File \"/scout/ScoutSuite/providers/gcp/facade/base.py\", line 114, in _get_projects_recursively\n project_response = await GCPFacadeUtils.get_all('projects', request, projects_group)\n File \"/scout/ScoutSuite/providers/gcp/facade/utils.py\", line 17, in get_all\n await GCPFacadeUtils._get_all(resources, resource_key, request, resources_group)\n File \"/scout/ScoutSuite/providers/gcp/facade/utils.py\", line 8, in _get_all\n response = request.execute()\n File \"lib/python3.6/site-packages/googleapiclient/_helpers.py\", line 134, in positional_wrapper\n return wrapped(*args, **kwargs)\n File \"lib/python3.6/site-packages/googleapiclient/http.py\", line 909, in execute\n headers=self.headers,\n File \"lib/python3.6/site-packages/googleapiclient/http.py\", line 177, in _retry_request\n resp, content = http.request(uri, method, *args, **kwargs)\n File \"lib/python3.6/site-packages/googleapiclient/http.py\", line 1844, in new_request\n connection_type=connection_type,\n File \"lib/python3.6/site-packages/google_auth_httplib2.py\", line 190, in request\n self._request, method, uri, request_headers)\n File \"lib/python3.6/site-packages/google/auth/credentials.py\", line 133, in before_request\n self.refresh(request)\n File \"lib/python3.6/site-packages/google/oauth2/credentials.py\", line 206, in refresh\n self._scopes,\n File \"lib/python3.6/site-packages/google/oauth2/_client.py\", line 248, in refresh_grant\n response_data = _token_endpoint_request(request, token_uri, body)\n File \"lib/python3.6/site-packages/google/oauth2/_client.py\", line 124, in _token_endpoint_request\n _handle_error_response(response_body)\n File \"lib/python3.6/site-packages/google/oauth2/_client.py\", line 60, in _handle_error_response\n raise exceptions.RefreshError(error_details, response_body)\ngoogle.auth.exceptions.RefreshError: ('invalid_grant: Token has been expired or revoked.', '{\\n \"error\": \"invalid_grant\",\\n 
\"error_description\": \"Token has been expired or revoked.\"\\n}')\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n File \"/scout/ScoutSuite/providers/gcp/facade/base.py\", line 125, in _get_projects_recursively\n content = e.content.decode(\"utf-8\")\nAttributeError: 'RefreshError' object has no attribute 'content'\n"
},
In the traceback it does mention google.auth.exceptions.RefreshError: ('invalid_grant: Token has been expired or revoked.', so that could be the issue.
The thing is that this error doesn't appear when using --service-account
I can't replicate the issue you are running into following the same steps as you detailed above. I've tried both the master and develop branches. The scan runs and finishes without any errors.
gcloud auth activate-service-account --key-file=<service_account>.json
python scout.py gcp --project-id <project_id> -u
2021-09-03 13:02:33 xxx scout[3324] INFO Launching Scout
2021-09-03 13:02:33 xxx scout[3324] INFO Authenticating to cloud provider
2021-09-03 13:02:41 xxx scout[3324] INFO Gathering data from APIs
2021-09-03 13:02:41 xxx scout[3324] INFO Fetching resources for the Cloud SQL service
Are you still having the same issue? The different authentication options and permissions for GCP are detailed in the following page: https://github.com/nccgroup/ScoutSuite/wiki/Google-Cloud-Platform.
@lowSoA Yeah, still having that issue, but I haven't tested it on the develop or master branches. I am using the latest official release, so maybe something is fixed on those branches? Will do some other testing as well.
I have the same issue:
$NUMBER == projectid
command line : scout gcp --debug --service-account GCP.json --project-id $NUMBER --report-dir gcpreport/
2022-03-24 14:53:11 ip-172-31-3-122 scout[3465905] ERROR base.py L115: Unable to list accessible Projects: Cloud Resource Manager API has not been used in project $NUMBER before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=$NUMBER then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
[ { "additional_details": null, "exception": "Unable to list accessible Projects: Cloud Resource Manager API has not been used in project $NUMBER before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=$NUMBER then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.", "file": "base.py", "line": 115, "traceback": "Traceback (most recent call last):\n File "/home/ubuntu/venv/lib/python3.8/site-packages/ScoutSuite/providers/gcp/facade/base.py", line 115, in _get_projects_recursively\n project_response = await GCPFacadeUtils.get_all('projects', request, projects_group)\n File "/home/ubuntu/venv/lib/python3.8/site-packages/ScoutSuite/providers/gcp/facade/utils.py", line 17, in get_all\n await GCPFacadeUtils._get_all(resources, resource_key, request, resources_group)\n File "/home/ubuntu/venv/lib/python3.8/site-packages/ScoutSuite/providers/gcp/facade/utils.py", line 8, in _get_all\n response = request.execute()\n File "/home/ubuntu/venv/lib/python3.8/site-packages/googleapiclient/_helpers.py", line 131, in positional_wrapper\n return wrapped(*args, **kwargs)\n File "/home/ubuntu/venv/lib/python3.8/site-packages/googleapiclient/http.py", line 937, in execute\n raise HttpError(resp, content, uri=self.uri)\ngoogleapiclient.errors.HttpError: <HttpError 403 when requesting https://cloudresourcemanager.googleapis.com/v1/projects?filter=id%3A%22security-340615%22&alt=json returned "Cloud Resource Manager API has not been used in project $NUMBER before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=$NUMBER then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.". 
Details: "[{'@type': 'type.googleapis.com/google.rpc.Help', 'links': [{'description': 'Google developers console API activation', 'url': 'https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=$NUMBER'}]}, {'@type': 'type.googleapis.com/google.rpc.ErrorInfo', 'reason': 'SERVICE_DISABLED', 'domain': 'googleapis.com', 'metadata': {'consumer': 'projects/$NUMBER', 'service': 'cloudresourcemanager.googleapis.com'}}]">\n" }, {
@jplopezy It seems that you need to enable the Cloud Resource Manager API first, so that scout or any script is able to query the project list.
Closing this issue. As mentioned, Cloud Resource Manager API needs to be enabled for ScoutSuite to be able to query most services.
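An added example, not part of the thread and not ScoutSuite's code: an error handler that tells apart the three failures reported above without assuming the exception has a `.content` attribute, which is what hid the `invalid_grant` cause behind an AttributeError in the second traceback. `StubHttpError`, `StubRefreshError`, `describe_gcp_error` and the category names are hypothetical, and the sample error bodies are constructed from the messages quoted in the thread.

```python
import json

# Stand-ins (assumptions) for the two exception shapes seen in the tracebacks:
# googleapiclient's HttpError carries a bytes `.content`, google-auth's
# RefreshError does not, so `e.content.decode("utf-8")` raised AttributeError.
class StubHttpError(Exception):
    def __init__(self, content):
        super().__init__("HttpError 403")
        self.content = content

class StubRefreshError(Exception):
    pass

def describe_gcp_error(exc):
    """Return (category, message) without assuming the exception has .content."""
    content = getattr(exc, "content", None)
    if content is None:  # auth-layer failure: no HTTP response body to decode
        text = str(exc.args[0]) if exc.args else repr(exc)
        category = "credentials_expired_or_revoked" if "invalid_grant" in text else "auth_error"
        return category, text
    if isinstance(content, bytes):
        content = content.decode("utf-8", errors="replace")
    try:
        error = json.loads(content)["error"]
        message = str(error.get("message", content))
        reasons = {d.get("reason") for d in error.get("details", [])}
    except (ValueError, KeyError, TypeError, AttributeError):
        return "http_error", content  # body was not the expected JSON shape
    if "SERVICE_DISABLED" in reasons:
        return "api_disabled", message
    if "insufficient authentication scopes" in message:
        return "insufficient_scopes", message
    return "http_error", message

# Constructed samples modelled on the three errors quoted in this thread.
SAMPLES = [
    StubRefreshError("invalid_grant: Token has been expired or revoked.", "{}"),
    StubHttpError(json.dumps({"error": {"code": 403,
        "message": "Request had insufficient authentication scopes."}}).encode()),
    StubHttpError(json.dumps({"error": {"code": 403,
        "message": "Cloud Resource Manager API has not been used in project "
                   "PROJECT_NUMBER before or it is disabled.",
        "details": [{"reason": "SERVICE_DISABLED"}]}}).encode()),
    StubHttpError(b"<html>proxy error</html>"),
]

def classify_samples():
    return [describe_gcp_error(e)[0] for e in SAMPLES]

if __name__ == "__main__":
    for exc, category in zip(SAMPLES, classify_samples()):
        print(type(exc).__name__, "->", category)
```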