### Install Cloudlist

Source: https://context7.com/projectdiscovery/cloudlist/llms.txt

Commands to install the tool via Go or build from source, followed by a version verification check.

```bash
# Install using Go (binary lands in $(go env GOPATH)/bin as "cloudlist")
go install github.com/projectdiscovery/cloudlist/cmd/cloudlist@latest

# Or build from source (binary lands in the repo directory as ./cloudlist)
git clone https://github.com/projectdiscovery/cloudlist.git
cd cloudlist
make build

# Verify installation (use "cloudlist -version" for the go install binary on PATH)
./cloudlist -version
```

--------------------------------

### Setup Service Account Permissions

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/docs/GCP_ASSET_API.md

Create a service account and grant the necessary project-level IAM policy bindings for discovery. Only read-only viewer roles are needed; cloudlist never needs write access.

```bash
# Create service account
gcloud iam service-accounts create cloudlist-sa \
  --display-name="CloudList Individual Services" \
  --description="Service account for individual service API discovery"

SA_EMAIL="cloudlist-sa@YOUR-PROJECT-ID.iam.gserviceaccount.com"
PROJECT_ID="YOUR-PROJECT-ID"

# Grant project-level permissions
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SA_EMAIL" \
  --role="roles/compute.viewer"

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SA_EMAIL" \
  --role="roles/dns.reader"

# ... repeat for other services
```

--------------------------------

### CLI Usage Examples

Source: https://context7.com/projectdiscovery/cloudlist/llms.txt

Common command-line operations for filtering, formatting, and outputting discovered cloud assets.
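The `-json` flag among the commands below emits one JSON object per discovered resource, with the fields shown in the AWS example further down this page (`public`, `provider`, `service`, `id`, `public_ipv4`, `public_ipv6`, `private_ipv4`, `dns_name`). The following is an added Go example written for this page, not cloudlist's own code, that reduces such a stream to what an external scanner can actually reach: public addresses and DNS names deduplicated and sorted, counted per provider/service, with resources that are flagged `public: true` but carry only a private address dropped instead of trusted. The sample input is constructed; the `Asset` and `Exposure` types are this example's own, not part of the cloudlist schema.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net"
	"os"
	"sort"
	"strings"
)

// Asset mirrors the fields cloudlist writes with -json; fields not listed
// here (metadata, private_ipv6, ...) are ignored by the decoder.
type Asset struct {
	Public      bool   `json:"public"`
	Provider    string `json:"provider"`
	Service     string `json:"service"`
	ID          string `json:"id"`
	PublicIPv4  string `json:"public_ipv4"`
	PublicIPv6  string `json:"public_ipv6"`
	PrivateIPv4 string `json:"private_ipv4"`
	DNSName     string `json:"dns_name"`
}

// Exposure is the externally reachable surface distilled from a listing.
type Exposure struct {
	IPs   []string       // public IPv4/IPv6 addresses, deduplicated and sorted
	Hosts []string       // DNS names, lowercased, deduplicated and sorted
	ByKey map[string]int // "provider/service" -> resources that contributed an IP or host
}

// isPrivate reports whether addr is unroutable from the internet
// (RFC 1918 / ULA, loopback, link-local, unspecified) or unparsable.
func isPrivate(addr string) bool {
	ip := net.ParseIP(addr)
	if ip == nil {
		return true
	}
	return ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()
}

// Summarize consumes a cloudlist -json stream (one object per line, or
// pretty-printed objects back to back; json.Decoder accepts both) and keeps
// only what an external scanner can reach. A resource marked public=true
// whose only address is private contributes nothing.
func Summarize(r io.Reader) (Exposure, error) {
	ex := Exposure{ByKey: map[string]int{}}
	ips := map[string]struct{}{}
	hosts := map[string]struct{}{}
	dec := json.NewDecoder(r)
	for {
		var a Asset
		if err := dec.Decode(&a); err == io.EOF {
			break
		} else if err != nil {
			return ex, fmt.Errorf("decode cloudlist json: %w", err)
		}
		if !a.Public {
			continue
		}
		reachable := false
		for _, ip := range []string{a.PublicIPv4, a.PublicIPv6} {
			if ip != "" && !isPrivate(ip) {
				ips[ip] = struct{}{}
				reachable = true
			}
		}
		if h := strings.ToLower(strings.TrimSuffix(a.DNSName, ".")); h != "" {
			hosts[h] = struct{}{}
			reachable = true
		}
		if reachable {
			ex.ByKey[a.Provider+"/"+a.Service]++
		}
	}
	for ip := range ips {
		ex.IPs = append(ex.IPs, ip)
	}
	for h := range hosts {
		ex.Hosts = append(ex.Hosts, h)
	}
	sort.Strings(ex.IPs)
	sort.Strings(ex.Hosts)
	return ex, nil
}

// sample is constructed input in the shape of `cloudlist -json` output.
// The gcp/compute line is deliberately mislabelled public with a private address.
const sample = `{"public":true,"provider":"aws","service":"ec2","id":"production","public_ipv4":"52.1.2.3","private_ipv4":"10.0.1.5","dns_name":"ec2-52-1-2-3.compute-1.amazonaws.com"}
{"public":false,"provider":"aws","service":"ec2","id":"production","private_ipv4":"10.0.1.6"}
{"public":true,"provider":"aws","service":"route53","id":"production","dns_name":"API.Example.com."}
{"public":true,"provider":"gcp","service":"compute","id":"gcp-prod","public_ipv4":"10.128.0.2"}
{"public":true,"provider":"aws","service":"alb","id":"production","dns_name":"api.example.com"}
`

func main() {
	// Read real output from stdin if piped, otherwise use the constructed sample:
	//   cloudlist -pc config.yaml -json -silent | go run .
	var in io.Reader = strings.NewReader(sample)
	if fi, err := os.Stdin.Stat(); err == nil && fi.Mode()&os.ModeCharDevice == 0 {
		in = os.Stdin
	}
	ex, err := Summarize(in)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, ip := range ex.IPs {
		fmt.Println(ip)
	}
	for _, h := range ex.Hosts {
		fmt.Println(h)
	}
	for key, n := range ex.ByKey {
		fmt.Fprintf(os.Stderr, "%s: %d reachable\n", key, n)
	}
}
```

Targets go to stdout and the per-service counts to stderr, so the output pipes straight into `httpx` or `nuclei` the same way `-host -silent` does later on this page.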
```bash
# Basic usage with provider config file
cloudlist -pc ~/.config/cloudlist/provider-config.yaml

# Filter by specific providers
cloudlist -pc provider-config.yaml -p aws,gcp

# Filter by specific services
cloudlist -pc provider-config.yaml -s compute,dns,route53

# Output only DNS names (hostnames)
cloudlist -pc provider-config.yaml -host

# Output only IP addresses
cloudlist -pc provider-config.yaml -ip

# Exclude private IP addresses from output
cloudlist -pc provider-config.yaml -ep

# JSON output format
cloudlist -pc provider-config.yaml -json

# Write results to file
cloudlist -pc provider-config.yaml -o assets.txt

# Filter by provider ID
cloudlist -pc provider-config.yaml -id staging

# Verbose output with discovery details
cloudlist -pc provider-config.yaml -v

# Silent mode - only output results
cloudlist -pc provider-config.yaml -silent
```

--------------------------------

### Compare Assets Across Environments

Source: https://context7.com/projectdiscovery/cloudlist/llms.txt

This example compares asset lists from two environments (production and staging) to identify assets present in production but not in staging. `comm` requires sorted input, which the process substitutions provide.

```bash
# Compare assets across environments
cloudlist -pc config.yaml -id production -host > prod.txt
cloudlist -pc config.yaml -id staging -host > staging.txt
comm -23 <(sort prod.txt) <(sort staging.txt)
```

--------------------------------

### Cloudlist CLI Usage Examples

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/docs/GCP_ASSET_API.md

Commands for discovering assets across single or multiple organizations and comparing environment outputs.
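The comparison commands on this page (`comm -23` above, `diff` below) operate on raw `-host` lines, so a trailing FQDN dot, a case difference, or a host listed once per DNS record shows up as a change. As an added Go example, not part of cloudlist, here is a set-based comparison that normalizes each line first; it works equally for production-vs-staging and for yesterday's-vs-today's listing of the same `-id`, which is the drift check that should trigger a rescan. Both listings are constructed inputs standing in for `prod.txt` and `staging.txt`.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strings"
)

// Drift holds the hosts that appear on only one side of a comparison.
type Drift struct {
	OnlyInFirst  []string
	OnlyInSecond []string
}

// canonical turns one `cloudlist -host` line into a comparable key:
// trimmed, lowercased, trailing FQDN dot removed. The bool is false for
// blank lines so they never count as a host.
func canonical(line string) (string, bool) {
	h := strings.ToLower(strings.TrimSuffix(strings.TrimSpace(line), "."))
	return h, h != ""
}

// toSet folds a listing into a set, so duplicates (one host per DNS
// record) collapse and line order stops mattering.
func toSet(listing string) map[string]struct{} {
	set := map[string]struct{}{}
	for _, l := range strings.Split(listing, "\n") {
		if h, ok := canonical(l); ok {
			set[h] = struct{}{}
		}
	}
	return set
}

// Compare returns the hosts unique to each listing, sorted. Unlike comm it
// needs no pre-sorting and ignores case and trailing-dot differences; unlike
// diff it does not report reordering between runs as a change.
func Compare(first, second string) Drift {
	a, b := toSet(first), toSet(second)
	var d Drift
	for h := range a {
		if _, ok := b[h]; !ok {
			d.OnlyInFirst = append(d.OnlyInFirst, h)
		}
	}
	for h := range b {
		if _, ok := a[h]; !ok {
			d.OnlyInSecond = append(d.OnlyInSecond, h)
		}
	}
	sort.Strings(d.OnlyInFirst)
	sort.Strings(d.OnlyInSecond)
	return d
}

// Constructed listings standing in for prod.txt and staging.txt. The second
// production line is the same host as the first with different case and a
// trailing dot, as a Route53 record would print it.
const prodHosts = `api.example.com
API.example.com.
db-bastion.example.com
legacy-admin.example.com
`

const stagingHosts = `db-bastion.example.com
api.example.com
canary.example.com
`

func main() {
	first, second := prodHosts, stagingHosts
	if len(os.Args) == 3 { // go run . prod.txt staging.txt
		a, errA := os.ReadFile(os.Args[1])
		b, errB := os.ReadFile(os.Args[2])
		if errA != nil || errB != nil {
			fmt.Fprintln(os.Stderr, "cannot read listings:", errA, errB)
			os.Exit(1)
		}
		first, second = string(a), string(b)
	}
	d := Compare(first, second)
	fmt.Println("only in first listing: ", d.OnlyInFirst)
	fmt.Println("only in second listing:", d.OnlyInSecond)
}
```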
```bash
# Discover assets from ALL organizations
./cloudlist -pc config.yaml -s all

# Discover assets from specific organization
./cloudlist -pc config.yaml -id org-production -s compute

# Discover assets from multiple specific organizations
./cloudlist -pc config.yaml -id org-production,org-staging -s compute

# Compare production vs staging environments
./cloudlist -pc config.yaml -id org-production -s all > prod-assets.txt
./cloudlist -pc config.yaml -id org-staging -s all > staging-assets.txt
# diff is line-order sensitive; sort both files first if result order varies between runs
diff prod-assets.txt staging-assets.txt
```

--------------------------------

### Cloudlist GCP Configuration Example

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/docs/GCP_SHORT_LIVED_CREDENTIALS.md

Example Cloudlist configuration snippet demonstrating the use of short-lived credentials with an existing service account key. This is part of a testing phase.

```yaml
- provider: gcp
  id: test-short-lived
  use_short_lived_credentials: true
  service_account_email: "cloudlist@project.iam.gserviceaccount.com"
  gcp_service_account_key: "existing-key.json"  # Still using existing key
```

--------------------------------

### Setup GCP Service Account for Organization Access

Source: https://context7.com/projectdiscovery/cloudlist/llms.txt

This bash script outlines the steps to create a GCP service account, assign it the necessary roles for organization-level asset viewing, and then use Cloudlist to discover assets.
```bash
# Setup GCP service account for organization-level access
gcloud iam service-accounts create cloudlist-sa \
  --display-name="Cloudlist Asset Viewer"

SA_EMAIL="cloudlist-sa@YOUR-PROJECT.iam.gserviceaccount.com"
ORG_ID="YOUR-ORG-ID"

# Grant organization-level permissions
gcloud organizations add-iam-policy-binding $ORG_ID \
  --member="serviceAccount:$SA_EMAIL" \
  --role="roles/cloudasset.viewer"

gcloud organizations add-iam-policy-binding $ORG_ID \
  --member="serviceAccount:$SA_EMAIL" \
  --role="roles/resourcemanager.viewer"

# Discover all GCP assets in organization
cloudlist -pc config.yaml -id org-scan -s all

# Discover compute and DNS only
cloudlist -pc config.yaml -id org-scan -s compute,dns
```

--------------------------------

### Discover Kubernetes Services and Ingresses

Source: https://context7.com/projectdiscovery/cloudlist/llms.txt

This command discovers Kubernetes services (LoadBalancer and NodePort) and ingress hostnames/IPs. The example output shows sample IPs and domain names.

```bash
# Discover Kubernetes assets
cloudlist -pc config.yaml -p kubernetes -s service,ingress

# Example output:
# 10.0.1.50
# api.example.com
# web.example.com
# 34.123.45.67
```

--------------------------------

### Implement a Custom Cloudlist Provider

Source: https://context7.com/projectdiscovery/cloudlist/llms.txt

Create custom providers by implementing the schema.Provider interface. This example shows a basic structure for a custom provider that fetches assets from a custom API.
```go
package customprovider

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"

	"github.com/projectdiscovery/cloudlist/pkg/schema"
)

// Services lists the service types this provider supports
var Services = []string{"custom-api"}

// Provider implements the schema.Provider interface
type Provider struct {
	id       string
	apiURL   string
	apiKey   string
	services schema.ServiceMap
}

// New creates a new custom provider instance
func New(block schema.OptionBlock) (*Provider, error) {
	apiURL, ok := block.GetMetadata("api_url")
	if !ok {
		return nil, &schema.ErrNoSuchKey{Name: "api_url"}
	}
	apiKey, ok := block.GetMetadata("api_key")
	if !ok {
		return nil, &schema.ErrNoSuchKey{Name: "api_key"}
	}
	id, _ := block.GetMetadata("id")

	services := make(schema.ServiceMap)
	for _, s := range Services {
		services[s] = struct{}{}
	}

	return &Provider{
		id:       id,
		apiURL:   apiURL,
		apiKey:   apiKey,
		services: services,
	}, nil
}

// Name returns the provider name
func (p *Provider) Name() string {
	return "custom-provider"
}

// ID returns the user-defined provider ID
func (p *Provider) ID() string {
	return p.id
}

// Services returns the list of supported services
func (p *Provider) Services() []string {
	return p.services.Keys()
}

// Resources fetches and returns cloud resources
func (p *Provider) Resources(ctx context.Context) (*schema.Resources, error) {
	resources := schema.NewResources()

	// Make API request
	req, err := http.NewRequestWithContext(ctx, "GET", p.apiURL, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+p.apiKey)

	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	// Fail on non-2xx instead of decoding an error page as an empty asset list
	if resp.StatusCode < 200 || resp.StatusCode > 299 {
		return nil, fmt.Errorf("custom api: unexpected status %s", resp.Status)
	}

	// Parse response
	var apiResponse struct {
		Assets []struct {
			Name     string `json:"name"`
			IP       string `json:"ip"`
			Hostname string `json:"hostname"`
			IsPublic bool   `json:"is_public"`
		} `json:"assets"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&apiResponse); err != nil {
		return nil, err
	}

	// Convert to cloudlist resources
	for _, asset := range apiResponse.Assets {
		resource := &schema.Resource{
			Provider:   p.Name(),
			ID:         p.id,
			Service:    "custom-api",
			Public:     asset.IsPublic,
			PublicIPv4: asset.IP,
			DNSName:    asset.Hostname,
			Metadata: map[string]string{
				"name": asset.Name,
			},
		}
		resources.Append(resource)
	}

	return resources, nil
}
```

--------------------------------

### AWS Provider Configuration and Usage

Source: https://context7.com/projectdiscovery/cloudlist/llms.txt

Configure the AWS provider with access keys and specify services to discover. Examples show discovering specific services or all resources.

```yaml
# Full AWS configuration with all supported services
- provider: aws
  id: comprehensive
  aws_access_key: $AWS_ACCESS_KEY
  aws_secret_key: $AWS_SECRET_KEY

# AWS services discovered:
# - ec2/instance: EC2 instances (public/private IPs)
# - route53: DNS hosted zones and records
# - s3: S3 bucket endpoints
# - ecs: ECS container services
# - eks: EKS Kubernetes clusters
# - lambda: Lambda function URLs
# - apigateway: API Gateway endpoints
# - alb: Application Load Balancer DNS names
# - elb: Classic Load Balancer DNS names
# - lightsail: Lightsail instances
# - cloudfront: CloudFront distributions
```

```bash
# Discover only EC2 instances
cloudlist -pc config.yaml -p aws -s ec2

# Discover Route53 DNS records and EKS clusters
cloudlist -pc config.yaml -p aws -s route53,eks

# Discover all AWS resources with JSON output
cloudlist -pc config.yaml -p aws -json > aws-assets.json

# Example JSON output:
# {
#   "public": true,
#   "provider": "aws",
#   "service": "ec2",
#   "id": "production",
#   "public_ipv4": "52.1.2.3",
#   "private_ipv4": "10.0.1.5",
#   "dns_name": "ec2-52-1-2-3.compute-1.amazonaws.com",
#   "metadata": {
```

--------------------------------

### Configure OVH Provider

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/PROVIDERS.md

This configuration example shows how to set up Cloudlist to fetch DNS records from OVH. Required authentication includes application key, secret, and consumer key.
The endpoint can be specified, defaulting to 'ovh-eu'.

```yaml
- provider: ovh
  id: ovh-prod
  endpoint: ovh-ca
  application_key: $OVH_APP_KEY
  application_secret: $OVH_APP_SECRET
  consumer_key: $OVH_CONSUMER_KEY
```

--------------------------------

### GCP CI/CD Short-lived Credentials

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/docs/GCP_SHORT_LIVED_CREDENTIALS.md

Configure Cloudlist for CI/CD pipelines using short-lived credentials. This example specifies a service account email and a source credentials file for minimal impersonation.

```yaml
- provider: gcp
  id: ci-short-lived
  use_short_lived_credentials: true
  service_account_email: "powerful-sa@project.iam.gserviceaccount.com"
  source_credentials: "minimal-ci-sa.json"  # Minimal impersonation key
```

--------------------------------

### Initialize Cloud Providers in Go

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/DESIGN.md

This Go fragment shows how provider instances are created from a configuration block based on the provider name. It includes cases for AWS, DigitalOcean, GCP, and Scaleway, returning an error for unknown provider names.

```go
switch value {
case "aws":
	return aws.New(block)
case "do":
	return digitalocean.New(block)
case "gcp":
	return gcp.New(block)
case "scw":
	return scaleway.New(block)
default:
	return nil, fmt.Errorf("invalid provider name found: %s", value)
}
```

--------------------------------

### Display Cloudlist Help

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/README.md

Displays the help menu and available command-line flags for the tool.

```sh
cloudlist -h
```

--------------------------------

### Build Cloudlist

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/CLAUDE.md

Commands to compile the Cloudlist binary from source.
```bash
# Build the binary
make build
# or
go build -v -o cloudlist cmd/cloudlist/main.go
```

--------------------------------

### Run Cloudlist

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/CLAUDE.md

Common CLI usage patterns for asset discovery, filtering, and output formatting.

```bash
# Basic usage
./cloudlist -pc ~/.config/cloudlist/provider-config.yaml

# Filter by provider
./cloudlist -pc provider-config.yaml -p aws,gcp

# Filter by service
./cloudlist -pc provider-config.yaml -s compute,dns

# Output formats
./cloudlist -pc provider-config.yaml -json > output.json
./cloudlist -pc provider-config.yaml -host   # DNS names only
./cloudlist -pc provider-config.yaml -ip     # IPs only
```

--------------------------------

### Implement Provider Interface

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/CLAUDE.md

Required method signatures for implementing a new cloud provider in Cloudlist.

```go
func New(block schema.OptionBlock) (schema.Provider, error)
func (p *Provider) Name() string
func (p *Provider) ID() string
func (p *Provider) Resources(ctx context.Context) (*schema.Resources, error)
func (p *Provider) Services() []string
```

--------------------------------

### Execute CloudList Discovery

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/docs/GCP_ASSET_API.md

Run asset discovery commands using the specified configuration file and optional flags for filtering or output formatting.

```bash
# Discover all assets across organization
./cloudlist -pc config.yaml -id org-discovery

# Discover specific services only
./cloudlist -pc config.yaml -id org-discovery -s compute,dns,s3

# Verbose output with discovery details
./cloudlist -pc config.yaml -id org-discovery -v

# Output only IP addresses (the -ip flag does this without the grep)
./cloudlist -pc config.yaml -id org-discovery | grep -E "^[0-9]+\."
```

--------------------------------

### GCP Developer Short-lived Credentials

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/docs/GCP_SHORT_LIVED_CREDENTIALS.md

Configure Cloudlist to use short-lived credentials for developers. This setup relies on Application Default Credentials (ADC) created by `gcloud auth application-default login` and does not require a service account key file.

```yaml
- provider: gcp
  id: dev-short-lived
  use_short_lived_credentials: true
  service_account_email: "cloudlist@project.iam.gserviceaccount.com"
  # No key - uses ADC from gcloud auth application-default login
```

--------------------------------

### Cloud Provider Options Handling in Go

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/DESIGN.md

This Go code defines how configuration options for cloud providers are structured and accessed. It includes a map-based OptionBlock for key-value pairs and a helper function to safely retrieve metadata.

```go
// Options contains configuration options for a provider
type Options []OptionBlock

// OptionBlock is a single option on which operation is possible
type OptionBlock map[string]string

// GetMetadata returns the value for a key if it exists.
func (o OptionBlock) GetMetadata(key string) (string, bool) {
	data, ok := o[key]
	if !ok || data == "" {
		return "", false
	}
	return data, true
}
```

--------------------------------

### Go Library: Programmatic Provider Configuration

Source: https://context7.com/projectdiscovery/cloudlist/llms.txt

Define provider configurations programmatically in Go using schema.Options and schema.OptionBlock for AWS, GCP, and DigitalOcean.
```go
package main

import (
	"context"
	"fmt"
	"log"

	"github.com/projectdiscovery/cloudlist/pkg/inventory"
	"github.com/projectdiscovery/cloudlist/pkg/schema"
)

func main() {
	// Define provider configurations programmatically.
	// The credential values below are placeholders; in real code read them
	// from the environment or a secret store, never hard-code them.
	options := schema.Options{
		// AWS Provider
		schema.OptionBlock{
			"provider":       "aws",
			"id":             "production",
			"aws_access_key": "AKIAXXXXXXXXXX",
			"aws_secret_key": "your-secret-key",
			"services":       "ec2,route53,s3",
		},
		// GCP Provider
		schema.OptionBlock{
			"provider":                "gcp",
			"id":                      "gcp-prod",
			"gcp_service_account_key": `{"type":"service_account",...}`,
		},
		// DigitalOcean Provider
		schema.OptionBlock{
			"provider":           "do",
			"id":                 "droplets",
			"digitalocean_token": "your-do-token",
		},
	}

	// Create inventory from options
	inv, err := inventory.New(options)
	if err != nil {
		log.Fatalf("Failed to create inventory: %v", err)
	}

	// Enumerate resources from all configured providers
	ctx := context.Background()
	for _, provider := range inv.Providers {
		fmt.Printf("Enumerating %s (id: %s)... ", provider.Name(), provider.ID())
		fmt.Printf("Services: %v\n", provider.Services())

		resources, err := provider.Resources(ctx)
		if err != nil {
			log.Printf("Error fetching resources from %s: %v", provider.Name(), err)
			continue
		}

		// Process discovered resources
		for _, resource := range resources.Items {
			fmt.Printf("Provider: %s, Service: %s, ID: %s\n",
				resource.Provider, resource.Service, resource.ID)

			if resource.PublicIPv4 != "" {
				fmt.Printf("  Public IPv4: %s\n", resource.PublicIPv4)
			}
			if resource.PublicIPv6 != "" {
				fmt.Printf("  Public IPv6: %s\n", resource.PublicIPv6)
			}
			if resource.PrivateIpv4 != "" {
				fmt.Printf("  Private IPv4: %s\n", resource.PrivateIpv4)
			}
			if resource.DNSName != "" {
				fmt.Printf("  DNS Name: %s\n", resource.DNSName)
			}
			if resource.Public {
				fmt.Printf("  Exposure: Public\n")
			}

			// Access extended metadata
			for key, value := range resource.Metadata {
				fmt.Printf("  Metadata[%s]: %s\n", key, value)
			}
		}
	}
}
```

--------------------------------

### Troubleshoot Permission Errors

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/docs/GCP_ASSET_API.md

Commands to verify IAM policies and ensure required APIs are enabled.

```bash
# Verify organization-level permissions
gcloud organizations get-iam-policy YOUR-ORG-ID \
  --filter="bindings.members:serviceAccount:your-sa@project.iam.gserviceaccount.com"

# Check if Cloud Asset API is enabled
gcloud services list --enabled --filter="name:cloudasset.googleapis.com"
```

--------------------------------

### Create GCP Service Account for Asset Discovery

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/docs/GCP_ASSET_API.md

Command to create a new service account in a GCP project for Cloudlist's asset discovery. Includes setting a display name and description.

```bash
# Create service account in a project
gcloud iam service-accounts create asset-viewer-sa \
  --display-name="CloudList Asset Viewer" \
  --description="Service account for organization-level asset discovery"

# Get the service account email
SA_EMAIL="asset-viewer-sa@YOUR-PROJECT-ID.iam.gserviceaccount.com"
ORG_ID="YOUR-ORGANIZATION-ID"
```

--------------------------------

### Combine Cloudlist with subfinder and httpx for Domain Discovery

Source: https://context7.com/projectdiscovery/cloudlist/llms.txt

This pipeline uses Cloudlist to discover hosts, pipes them to subfinder for subdomain enumeration, and then uses httpx to discover live web services.

```bash
# Combine with subfinder for comprehensive domain discovery
cloudlist -pc config.yaml -host -silent | subfinder -silent | httpx -silent
```

--------------------------------

### Test Cloudlist

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/CLAUDE.md

Commands to execute the test suite for the project or specific packages.

```bash
# Run all tests
make test
# or
go test -v ./...

# Run tests for specific package
go test -v ./pkg/providers/aws/
```

--------------------------------

### Provider Configuration File

Source: https://context7.com/projectdiscovery/cloudlist/llms.txt

YAML configuration structure for defining credentials and discovery settings across various cloud providers. Values written as `$NAME` are read from the environment at run time, which keeps secrets out of the file itself.

```yaml
# ~/.config/cloudlist/provider-config.yaml

# AWS Provider Configuration
- provider: aws
  id: production
  aws_access_key: $AWS_ACCESS_KEY
  aws_secret_key: $AWS_SECRET_KEY
  # Optional: session token for temporary credentials
  aws_session_token: $AWS_SESSION_TOKEN

# AWS with Role Assumption
- provider: aws
  id: cross-account
  aws_access_key: $AWS_ACCESS_KEY
  aws_secret_key: $AWS_SECRET_KEY
  assume_role_name: CloudListRole
  account_ids:
    - "111111111111"
    - "222222222222"
  # Optional: exclude specific accounts
  exclude_account_ids:
    - "333333333333"

# AWS Organization Discovery (auto-discover all accounts)
- provider: aws
  id: org-wide
  aws_access_key: $AWS_ACCESS_KEY
  aws_secret_key: $AWS_SECRET_KEY
  org_discovery_role_arn: "arn:aws:iam::MANAGEMENT_ACCOUNT:role/OrgDiscoveryRole"
  assume_role_name: CloudListRole
  exclude_account_ids:
    - "444444444444"

# GCP Provider - Individual Service APIs
- provider: gcp
  id: project-discovery
  gcp_service_account_key: |
    {
      "type": "service_account",
      "project_id": "your-project-id",
      "private_key_id": "...",
      "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
      "client_email": "cloudlist-sa@your-project-id.iam.gserviceaccount.com",
      "client_id": "...",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token"
    }

# GCP Provider - Organization-Level Asset API
- provider: gcp
  id: org-discovery
  organization_id: "123456789012"
  extended_metadata: true
  gcp_service_account_key: |
    {
      "type": "service_account",
      "project_id": "your-project-id",
      ...
    }

# GCP with Short-lived Credentials (Enhanced Security)
- provider: gcp
  id: secure-discovery
  use_short_lived_credentials: true
  service_account_email: "cloudlist@project.iam.gserviceaccount.com"
  token_lifetime: "3600s"
  # Optional: limit to specific projects
  project_ids:
    - security-project
    - infra-project

# Azure Provider
- provider: azure
  id: staging
  client_id: $AZURE_CLIENT_ID
  client_secret: $AZURE_CLIENT_SECRET
  tenant_id: $AZURE_TENANT_ID
  subscription_id: $AZURE_SUBSCRIPTION_ID

# Azure with CLI Authentication
- provider: azure
  id: dev
  use_cli_auth: true
  subscription_id: $AZURE_SUBSCRIPTION_ID

# DigitalOcean Provider
- provider: do
  id: production
  digitalocean_token: $DIGITALOCEAN_TOKEN

# Cloudflare Provider
- provider: cloudflare
  email: user@example.com
  api_key: $CF_API_KEY
  # Optional: scoped API token
  api_token: $CF_API_TOKEN
```

--------------------------------

### Configure Developer Workflow for GCP

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/docs/GCP_SHORT_LIVED_CREDENTIALS.md

Use local Application Default Credentials for discovery without managing key files. Your user account only needs permission to mint tokens for the service account; the service account holds the viewer roles.

```yaml
- provider: gcp
  id: dev-discovery
  use_short_lived_credentials: true
  service_account_email: "cloudlist@project.iam.gserviceaccount.com"
```

```bash
# One-time authentication
gcloud auth application-default login

# Grant your user account permission to impersonate the service account
gcloud iam service-accounts add-iam-policy-binding \
  cloudlist@project.iam.gserviceaccount.com \
  --member="user:your-email@company.com" \
  --role="roles/iam.serviceAccountTokenCreator"

# Run cloudlist (-pc is the provider config; -config is cloudlist's own flag config file)
cloudlist -pc config.yaml
```

--------------------------------

### Handle Missing Resource Errors

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/docs/GCP_ASSET_API.md

Note regarding expected behavior when specific asset types are missing.
```bash
# Some asset types may not exist in your organization
# This is normal and can be ignored - the tool continues with other types
```

--------------------------------

### Filter Services for Discovery

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/docs/GCP_ASSET_API.md

Specify individual services or use 'all' to control the scope of asset discovery.

```bash
# Individual services
./cloudlist -pc config.yaml -id org-discovery -s compute,dns,gke

# New services added
./cloudlist -pc config.yaml -id org-discovery -s tpu,filestore

# All services (comprehensive discovery)
./cloudlist -pc config.yaml -id org-discovery -s all
```

--------------------------------

### Cloudlist Configuration and Usage Flags

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/README.md

Reference for all available configuration, filtering, update, and output flags supported by the cloudlist CLI.

```yaml
Cloudlist is a tool for listing Assets from multiple cloud providers.

Usage:
  ./cloudlist [flags]

Flags:
CONFIGURATION:
   -config string                cloudlist flag config file (default "$HOME/.config/cloudlist/config.yaml")
   -pc, -provider-config string  provider config file (default "$HOME/.config/provider-config.yaml")

FILTERS:
   -p, -provider value    display results for given providers (comma-separated) (default linode,fastly,heroku,terraform,digitalocean,consul,cloudflare,hetzner,nomad,do,scw,openstack,alibaba,aws,gcp,namecheap,kubernetes,azure,custom)
   -id string[]           display results for given ids (comma-separated)
   -host                  display only hostnames in results
   -ip                    display only ips in results
   -s, -service value     query and display results from given service (comma-separated) (default cloudfront,gke,domain,compute,ec2,instance,cloud-function,app,eks,custom,consul,droplet,vm,ecs,fastly,alb,s3,lambda,elb,cloud-run,route53,publicip,dns,service,nomad,lightsail,ingress,apigateway)
   -ep, -exclude-private  exclude private ips in cli output

UPDATE:
   -up, -update                 update cloudlist to latest version
   -duc, -disable-update-check  disable automatic cloudlist update check

OUTPUT:
   -o, -output string  output file to write results
   -json               write output in json format
   -version            display version of cloudlist
   -v                  display verbose output
   -silent             display only results in output
```

--------------------------------

### Manage Service Account Keys

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/docs/GCP_ASSET_API.md

Commands for rotating and managing service account keys. A downloaded key is a long-lived credential; the short-lived credential configurations on this page avoid creating one at all.

```bash
# Rotate service account keys regularly
gcloud iam service-accounts keys list --iam-account=$SA_EMAIL

# Delete old keys
gcloud iam service-accounts keys delete KEY-ID --iam-account=$SA_EMAIL

# Generate new key
gcloud iam service-accounts keys create new-key.json --iam-account=$SA_EMAIL
```

--------------------------------

### Configure DNSSimple Provider

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/PROVIDERS.md

Use this configuration block to integrate with DNSSimple. Ensure the DNSSIMPLE_API_TOKEN environment variable is set.

```yaml
- provider: dnssimple
  id: main
  dnssimple_api_token: $DNSSIMPLE_API_TOKEN
```

--------------------------------

### Configure Alibaba Cloud Integration

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/PROVIDERS.md

Use this configuration block to integrate with Alibaba Cloud. Ensure your Alibaba Cloud Access Key ID and Secret are correctly set.
```yaml
- # provider is the name of the provider
  provider: alibaba
  # id is the name defined by user for filtering (optional)
  id: staging
  # alibaba_region_id is the region id of the resources
  alibaba_region_id: $ALIBABA_REGION_ID
  # alibaba_access_key is the access key ID for alibaba cloud account
  alibaba_access_key: $ALIBABA_ACCESS_KEY
  # alibaba_access_key_secret is the secret access key for alibaba cloud account
  alibaba_access_key_secret: $ALIBABA_ACCESS_KEY_SECRET
```

--------------------------------

### Configure Kubernetes Integration

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/PROVIDERS.md

Integrate with Kubernetes by providing either the path to your kubeconfig file or the base64-encoded kubeconfig content. The encoded content takes precedence if both are specified. An optional context can also be specified.

```yaml
- # This identifies the provider in use
  provider: kubernetes
  # User-defined identifier for filtering (optional).
  id: staging
  # Path to the kubeconfig file.
  kubeconfig_file: path/to/kubeconfig
  # Base64 encoded kubeconfig, $ cat $KUBECONFIG | base64
  kubeconfig_encoded:
  # The context to use from the kubeconfig (optional). If omitted, the default is the current-context as defined in the kubeconfig.
  context:
```

--------------------------------

### Discover Azure Assets using Azure CLI Authentication

Source: https://context7.com/projectdiscovery/cloudlist/llms.txt

This command demonstrates discovering Azure assets like VMs, public IPs, and DNS records after logging in with the Azure CLI. The output provides a list of discovered IPs and hostnames.
```bash
# Azure CLI authentication setup
az login

# Discover Azure assets using CLI auth
cloudlist -pc config.yaml -p azure -s vm,publicip,dns

# Example output:
# 52.168.1.100
# myapp.azurewebsites.net
# myvm.eastus.cloudapp.azure.com
```

--------------------------------

### Configure CI/CD with Minimal Permissions

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/docs/GCP_SHORT_LIVED_CREDENTIALS.md

Utilize a restricted service account key specifically for impersonation tasks in CI/CD pipelines. The minimal service account holds no viewer roles itself; it can only mint short-lived tokens for the powerful one. Its key file is still a long-lived secret that grants that minting ability, so keep it in the CI system's protected secret store and rotate it.

```yaml
- provider: gcp
  id: ci-discovery
  use_short_lived_credentials: true
  service_account_email: "powerful-sa@project.iam.gserviceaccount.com"
  source_credentials: "minimal-ci-sa.json"
  token_lifetime: "3600s"  # 1 hour (max)
```

```bash
# Create minimal CI service account (only for impersonation)
gcloud iam service-accounts create minimal-ci-sa \
  --display-name="Minimal CI Service Account"

# Grant impersonation permission
gcloud iam service-accounts add-iam-policy-binding \
  powerful-sa@project.iam.gserviceaccount.com \
  --member="serviceAccount:minimal-ci-sa@project.iam.gserviceaccount.com" \
  --role="roles/iam.serviceAccountTokenCreator"

# Create key for CI
gcloud iam service-accounts keys create minimal-ci-sa.json \
  --iam-account=minimal-ci-sa@project.iam.gserviceaccount.com
```

--------------------------------

### Lint Cloudlist

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/CLAUDE.md

Commands to run static analysis and auto-fix linting issues.

```bash
# Run golangci-lint (same as CI)
golangci-lint run --timeout 5m

# Auto-fix issues
golangci-lint run --fix --timeout 5m
```

--------------------------------

### Load Cloudlist Configuration from YAML

Source: https://context7.com/projectdiscovery/cloudlist/llms.txt

Parses provider configuration from a YAML file for programmatic use. Ensure the CLOUDLIST_CONFIG environment variable is set or a default 'provider-config.yaml' exists.
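A provider config is a credential inventory, and the `$NAME` convention used throughout this page only keeps secrets out of the file if every credential actually uses it and every referenced variable is set where cloudlist runs. Before handing a file to the loader, it is worth a pre-flight check. The following is an added Go example, not part of cloudlist, that scans the flat `key: value` list style these configs use and reports three things: a credential written literally, a `$NAME` reference that is unset, and a long-lived key file. The key-name pattern, the `nonSecret` allowlist and the sample config are this example's own assumptions; the lookup function is injected so the check is testable without touching the real environment.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// Finding is one problem with a provider-config entry.
type Finding struct {
	Line    int
	Key     string
	Problem string
}

// kvLine matches the flat "key: value" lines (optionally list-prefixed with
// "- ") that a cloudlist provider config consists of.
var kvLine = regexp.MustCompile(`^\s*(?:-\s+)?([A-Za-z_][A-Za-z0-9_]*):\s*(.*?)\s*$`)

// secretKey matches the credential key names used by the providers on this page.
var secretKey = regexp.MustCompile(`(?i)key|secret|token|password|credential`)

// nonSecret lists keys that match secretKey by name but hold no secret.
var nonSecret = map[string]bool{
	"token_lifetime":              true,
	"use_short_lived_credentials": true,
}

// envRef matches cloudlist's $NAME environment-variable reference syntax.
var envRef = regexp.MustCompile(`^\$([A-Za-z_][A-Za-z0-9_]*)$`)

// Lint scans provider-config text and reports literal credentials, unset
// $NAME references and long-lived key files. lookup abstracts os.LookupEnv.
func Lint(config string, lookup func(string) (string, bool)) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(config))
	line := 0
	blockIndent := -1 // indent of a "key: |" line whose block scalar is being skipped
	for sc.Scan() {
		line++
		raw := sc.Text()
		trimmed := strings.TrimSpace(raw)
		indent := len(raw) - len(strings.TrimLeft(raw, " \t"))
		if blockIndent >= 0 {
			if trimmed == "" || indent > blockIndent {
				continue // still inside the block scalar
			}
			blockIndent = -1
		}
		if trimmed == "" || strings.HasPrefix(trimmed, "#") {
			continue
		}
		m := kvLine.FindStringSubmatch(raw)
		if m == nil {
			continue
		}
		key, val := m[1], m[2]
		if i := strings.Index(val, " #"); i >= 0 { // drop trailing comment
			val = val[:i]
		}
		val = strings.Trim(strings.TrimSpace(val), `"'`)
		if !secretKey.MatchString(key) || nonSecret[key] || val == "" {
			continue
		}
		switch {
		case val == "|" || val == "|-" || val == ">" || val == ">-":
			blockIndent = indent
			out = append(out, Finding{line, key, "credential inlined as a block scalar; reference a key file or $NAME instead"})
		case envRef.MatchString(val):
			name := envRef.FindStringSubmatch(val)[1]
			if v, ok := lookup(name); !ok || v == "" {
				out = append(out, Finding{line, key, "references $" + name + ", which is not set in the environment"})
			}
		case strings.HasSuffix(val, ".json"):
			out = append(out, Finding{line, key, "long-lived key file " + val + "; prefer short-lived credentials"})
		default:
			out = append(out, Finding{line, key, "literal secret written into the config; use a $NAME reference"})
		}
	}
	return out
}

// sampleConfig is constructed; lines 7, 13 and 17 are deliberately wrong.
const sampleConfig = `- provider: aws
  id: production
  aws_access_key: $AWS_ACCESS_KEY
  aws_secret_key: $AWS_SECRET_KEY
- provider: do
  id: droplets
  digitalocean_token: "dop_v1_literal_value"  # literal instead of $DIGITALOCEAN_TOKEN
- provider: gcp
  id: secure
  use_short_lived_credentials: true
  service_account_email: "cloudlist@project.iam.gserviceaccount.com"
  token_lifetime: "3600s"
  gcp_service_account_key: |
    {"type": "service_account", "private_key": "-----BEGIN PRIVATE KEY-----\n..."}
- provider: cloudflare
  email: user@example.com
  api_token: $CF_API_TOKEN
`

func main() {
	text := sampleConfig
	if len(os.Args) > 1 { // go run . provider-config.yaml
		data, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		text = string(data)
	}
	for _, f := range Lint(text, os.LookupEnv) {
		fmt.Printf("line %d: %s: %s\n", f.Line, f.Key, f.Problem)
	}
}
```

Run it against the real file in the same shell (or CI job) that will run cloudlist, so the environment lookup reflects what cloudlist will see.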
```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"log"
	"os"

	"github.com/projectdiscovery/cloudlist/pkg/inventory"
	"github.com/projectdiscovery/cloudlist/pkg/schema"
)

func main() {
	// Load configuration from YAML file
	configPath := os.Getenv("CLOUDLIST_CONFIG")
	if configPath == "" {
		configPath = "provider-config.yaml"
	}

	options, err := inventory.ParseOptions(configPath)
	if err != nil {
		log.Fatalf("Failed to parse config: %v", err)
	}

	// Create inventory
	inv, err := inventory.New(options)
	if err != nil {
		log.Fatalf("Failed to create inventory: %v", err)
	}

	// Enumerate and output as JSON
	ctx := context.Background()
	allResources := make([]*schema.Resource, 0)

	for _, provider := range inv.Providers {
		resources, err := provider.Resources(ctx)
		if err != nil {
			log.Printf("Provider %s error: %v", provider.Name(), err)
			continue
		}
		allResources = append(allResources, resources.Items...)
	}

	// Output as JSON
	output, err := json.MarshalIndent(allResources, "", "  ")
	if err != nil {
		log.Fatalf("Failed to encode resources: %v", err)
	}
	fmt.Println(string(output))
}
```

--------------------------------

### Migrate Existing Keys to Short-lived Tokens

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/docs/GCP_SHORT_LIVED_CREDENTIALS.md

Transition existing static key configurations to use short-lived tokens without changing the underlying infrastructure.

```yaml
- provider: gcp
  id: migrating-discovery
  use_short_lived_credentials: true
  service_account_email: "cloudlist@project.iam.gserviceaccount.com"
  gcp_service_account_key: '{
    "type": "service_account",
    "project_id": "your-project-id",
    ...
  }'
  token_lifetime: "3600s"
```

--------------------------------

### Configure Kubernetes Discovery using Kubeconfig

Source: https://context7.com/projectdiscovery/cloudlist/llms.txt

Configure Kubernetes discovery by specifying the path to your kubeconfig file and the desired context. This allows Cloudlist to access cluster resources.
```yaml - provider: kubernetes id: production-cluster kubeconfig_file: ~/.kube/config context: production ``` -------------------------------- ### Integrate Cloudlist with nuclei for Vulnerability Scanning Source: https://context7.com/projectdiscovery/cloudlist/llms.txt This command pipes discovered hosts to nuclei for vulnerability scanning using specified templates. Results are saved to a file. ```bash # Integrate with nuclei for vulnerability scanning cloudlist -pc config.yaml -host -silent | nuclei -t cves/ -o vulnerabilities.txt ``` -------------------------------- ### Hetzner Cloud Provider Configuration Source: https://context7.com/projectdiscovery/cloudlist/llms.txt Configure the Hetzner Cloud provider with your authentication token. ```yaml - provider: hetzner id: cloud auth_token: $HETZNER_AUTH_TOKEN ``` -------------------------------- ### Debug Cloudlist Execution Source: https://github.com/projectdiscovery/cloudlist/blob/dev/docs/GCP_ASSET_API.md Commands for verbose logging and testing API connectivity. ```bash # Enable verbose logging ./cloudlist -pc config.yaml -id org-discovery -v # Test Asset API access directly gcloud asset list --organization=YOUR-ORG-ID --limit=5 # Verify service account permissions gcloud auth activate-service-account --key-file=service-account-key.json gcloud asset list --organization=YOUR-ORG-ID --limit=1 ``` -------------------------------- ### Define Cloud Provider Interface in Go Source: https://github.com/projectdiscovery/cloudlist/blob/dev/DESIGN.md This Go interface defines the minimum methods required for any cloud service provider to be integrated with Cloudlist. It includes methods for retrieving the provider's name, ID, and its resources. ```go package schema import "context" // Provider is an interface implemented by any cloud service provider. // // It provides the bare minimum of methods to allow complete overview of user // data. 
type Provider interface {
	// Name returns the name of the provider
	Name() string
	// ID returns the name of the provider id
	ID() string
	// Resources returns the provider for a resource deployment source.
	Resources(ctx context.Context) (*Resources, error)
}
```

--------------------------------

### Configure Hetzner Cloud Integration

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/PROVIDERS.md

Integrate with Hetzner Cloud using your authentication token. This configuration block specifies the provider and the auth token.

```yaml
- # provider is the name of the provider
  provider: hetzner
  # id is the name defined by user for filtering (optional)
  id: staging
  # auth_token is the hetzner authentication token
  auth_token: $HETZNER_AUTH_TOKEN
```

--------------------------------

### Configure Scaleway Provider

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/PROVIDERS.md

Use this YAML block to integrate Scaleway. Access keys and tokens are generated via the Scaleway console.

```yaml
- # provider is the name of the provider
  provider: scw
  # scaleway_access_key is the access key for scaleway API
  scaleway_access_key: $SCALEWAY_ACCESS_KEY
  # scaleway_access_token is the access token for scaleway API
  scaleway_access_token: $SCALEWAY_ACCESS_TOKEN
```

--------------------------------

### Namecheap Provider Configuration

Source: https://context7.com/projectdiscovery/cloudlist/llms.txt

Configure the Namecheap provider with your API key and username.

```yaml
- provider: namecheap
  id: domains
  namecheap_api_key: $NAMECHEAP_API_KEY
  namecheap_user_name: $NAMECHEAP_USER_NAME
```

--------------------------------

### GCP Short-lived Credentials (Migration)

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/PROVIDERS.md

Migrate from existing static keys to short-lived credentials by providing the path to an existing key file. The token lifetime can be specified.
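The enumeration loop from the Go integration earlier on this page and the Provider interface above, worked through as an added example that is not the project's own code: it mirrors the interface with local types (the Resource field names are this example's assumption, not the real schema package), implements it with a constructed static provider, and aggregates addresses across providers while skipping a provider whose credential fails and honouring the -ep exclusion of private addresses.

```go
package main

import (
	"context"
	"fmt"
	"net"
)

// Minimal mirror of the page's schema types; Resource field names are this example's assumption.
type Resource struct{ Provider, ID, PublicIPv4, PrivateIPv4 string }
type Resources struct{ Items []*Resource }
// Provider mirrors the interface shown in DESIGN.md.
type Provider interface {
	Name() string
	ID() string
	Resources(ctx context.Context) (*Resources, error)
}
// staticProvider is a constructed stand-in for a cloud backend; fail simulates a revoked token.
type staticProvider struct {
	name, id string
	items    []*Resource
	fail     bool
}
func (p staticProvider) Name() string { return p.name }
func (p staticProvider) ID() string   { return p.id }
func (p staticProvider) Resources(ctx context.Context) (*Resources, error) {
	if p.fail {
		return nil, fmt.Errorf("credentials rejected")
	}
	return &Resources{Items: p.items}, nil
}
// Enumerate records and skips failed providers so one bad credential does not
// hide the rest of the inventory; excludePrivate mirrors cloudlist's -ep flag.
func Enumerate(ctx context.Context, providers []Provider, excludePrivate bool) ([]string, []error) {
	ips, errs := []string{}, []error{}
	for _, p := range providers {
		res, err := p.Resources(ctx)
		if err != nil {
			errs = append(errs, fmt.Errorf("%s/%s: %w", p.Name(), p.ID(), err))
			continue
		}
		for _, r := range res.Items {
			for _, ip := range []string{r.PublicIPv4, r.PrivateIPv4} {
				if parsed := net.ParseIP(ip); parsed != nil && !(excludePrivate && parsed.IsPrivate()) {
					ips = append(ips, ip)
				}
			}
		}
	}
	return ips, errs
}
```

The returned error slice is what the real tool logs with -v; checking it after every run is how you notice that a rotated or revoked token has silently shrunk your inventory.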
```yaml
- provider: gcp
  id: migrating-discovery
  use_short_lived_credentials: true
  service_account_email: "cloudlist@project.iam.gserviceaccount.com"
  gcp_service_account_key: "existing-key.json"  # Generates short-lived from static key
  token_lifetime: "3600s"  # 1 hour (default)
```

--------------------------------

### Generate GCP Service Account Key

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/docs/GCP_ASSET_API.md

Creates a JSON key file for the specified service account, which can be used for authentication with GCP services.

```bash
gcloud iam service-accounts keys create asset-viewer-key.json \
  --iam-account=$SA_EMAIL
```

--------------------------------

### Configure Azure Discovery with Service Principal

Source: https://context7.com/projectdiscovery/cloudlist/llms.txt

Configure Azure discovery using a service principal. Ensure all required environment variables for client ID, secret, tenant ID, and subscription ID are set.

```yaml
- provider: azure
  id: production
  client_id: $AZURE_CLIENT_ID
  client_secret: $AZURE_CLIENT_SECRET
  tenant_id: $AZURE_TENANT_ID
  subscription_id: $AZURE_SUBSCRIPTION_ID
```

--------------------------------

### Docker container operations

Source: https://context7.com/projectdiscovery/cloudlist/llms.txt

Commands for pulling, running, and building custom Docker images for Cloudlist.
```bash
# Pull the Docker image
docker pull projectdiscovery/cloudlist:latest

# Run with mounted config file
docker run -v ~/.config/cloudlist:/root/.config/cloudlist \
  projectdiscovery/cloudlist:latest \
  -pc /root/.config/cloudlist/provider-config.yaml

# Run with environment variables for credentials
docker run \
  -e AWS_ACCESS_KEY=$AWS_ACCESS_KEY \
  -e AWS_SECRET_KEY=$AWS_SECRET_KEY \
  -v $(pwd)/config.yaml:/config.yaml \
  projectdiscovery/cloudlist:latest \
  -pc /config.yaml -p aws -json

# Build custom image with config
cat > Dockerfile <
```

--------------------------------

### Configure Hashicorp Consul Integration

Optional TLS and authentication fields for the Consul provider. The start of this block (the provider name and server URL) is not present on the page.

```yaml
  # consul_ca_file: .pem
  # consul_cert_file is the path to consul Certificate file
  # consul_cert_file: .pem
  # consul_key_file is the path to consul Certificate Key file
  # consul_key_file: .pem
  # consul_http_token is the consul authentication token
  # consul_http_token:
  # consul_http_auth is the consul http auth value
  # consul_http_auth:
```

--------------------------------

### Schedule Continuous Monitoring with Cron

Source: https://context7.com/projectdiscovery/cloudlist/llms.txt

This cron job entry schedules Cloudlist to run every 6 hours, saving the discovered assets to a timestamped log file for continuous monitoring.

```bash
# Continuous monitoring with cron (minute 0 of every 6th hour)
0 */6 * * * cloudlist -pc /path/to/config.yaml -silent -o /var/log/cloudlist/assets-$(date +\%Y\%m\%d).txt
```

--------------------------------

### Linode Provider Configuration

Source: https://context7.com/projectdiscovery/cloudlist/llms.txt

Configure the Linode provider using your Linode personal access token.

```yaml
- provider: linode
  id: servers
  linode_personal_access_token: $LINODE_PERSONAL_ACCESS_TOKEN
```

--------------------------------

### Configure Linode Provider

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/PROVIDERS.md

Use this YAML block to integrate Linode. The token requires at least 'Read Only' scope for the Linodes resource.
```yaml
- # provider is the name of the provider
  provider: linode
  # id is the name defined by user for filtering (optional)
  id: staging
  # linode_personal_access_token is the personal access token for Linode account
  linode_personal_access_token: $LINODE_PERSONAL_ACCESS_TOKEN
```

--------------------------------

### Nomad Provider Configuration

Source: https://context7.com/projectdiscovery/cloudlist/llms.txt

Configure the Nomad provider with its URL and token.

```yaml
- provider: nomad
  id: scheduler
  nomad_url: https://nomad.example.com:4646/
  nomad_token: $NOMAD_TOKEN
```

--------------------------------

### Configure Namecheap Provider

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/PROVIDERS.md

Use this YAML block to integrate Namecheap. Ensure API access is enabled and your public IP is whitelisted in the Namecheap settings.

```yaml
- # provider is the name of the provider
  provider: namecheap
  # id is the name defined by user for filtering (optional)
  id: staging
  # namecheap_api_key is the api key for namecheap account
  namecheap_api_key: $NAMECHEAP_API_KEY
  # namecheap_user_name is the username of the namecheap account
  namecheap_user_name: $NAMECHEAP_USER_NAME
```

--------------------------------

### Feed Discovered Hosts to httpx for Web Discovery

Source: https://context7.com/projectdiscovery/cloudlist/llms.txt

This command pipes the hostnames discovered by Cloudlist to httpx for efficient web service discovery, including status codes and titles.

```bash
# Feed to httpx for web service discovery
cloudlist -pc config.yaml -host -silent | httpx -silent -status-code -title
```

--------------------------------

### Custom HTTP Endpoints Provider Configuration

Source: https://context7.com/projectdiscovery/cloudlist/llms.txt

Configure the custom provider with a list of URLs and custom headers for authentication and content type.
```yaml
- provider: custom
  id: internal-apis
  urls:
    - https://api.example.com/assets
    - https://cmdb.example.com/inventory
  headers:
    Authorization: $CUSTOM_AUTH_TOKEN
    Content-Type: application/json
```

--------------------------------

### Configure ArvanCloud Provider

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/PROVIDERS.md

Use this YAML block to integrate ArvanCloud. The API key is generated from the Machine User manager.

```yaml
- # provider is the name of the provider
  provider: arvancloud # or r1c
  # api_key is the api_key for arvancloud
  api_key: $R1C_API_KEY
```

--------------------------------

### DNSSimple Provider Configuration

Source: https://context7.com/projectdiscovery/cloudlist/llms.txt

Configure the DNSSimple provider with your API token.

```yaml
- provider: dnssimple
  id: dns
  dnssimple_api_token: $DNSSIMPLE_API_TOKEN
```

--------------------------------

### Configure Fastly Provider

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/PROVIDERS.md

Use this YAML block to integrate Fastly. Personal API tokens are managed in the Fastly account settings.

```yaml
- # provider is the name of the provider
  provider: fastly
  # id is the name defined by user for filtering (optional)
  id: staging
  # fastly_api_key is the personal API token for fastly account
  fastly_api_key: $FASTLY_API_KEY
```

--------------------------------

### Configure Hashicorp Nomad Integration

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/PROVIDERS.md

Integrate with Hashicorp Nomad by specifying the Nomad server URL. Optional fields include CA file, certificate file, key file, and authentication token or HTTP auth value.
```yaml
- # provider is the name of the provider
  provider: nomad
  # nomad_url is the url for nomad server
  nomad_url: http://127.0.0.1:4646/
  # id is the name defined by user for filtering (optional)
  id: staging
  # nomad_ca_file is the path to nomad CA file
  # nomad_ca_file: .pem
  # nomad_cert_file is the path to nomad Certificate file
  # nomad_cert_file: .pem
  # nomad_key_file is the path to nomad Certificate Key file
  # nomad_key_file: .pem
  # nomad_token is the nomad authentication token
  # nomad_token:
  # nomad_http_auth is the nomad http auth value
  # nomad_http_auth:
```

--------------------------------

### Configure Heroku Provider

Source: https://github.com/projectdiscovery/cloudlist/blob/dev/PROVIDERS.md

Use this YAML block to integrate Heroku. Tokens can be generated via the dashboard or the Heroku CLI.

```yaml
- # provider is the name of the provider
  provider: heroku
  # id is the name defined by user for filtering (optional)
  id: staging
  # heroku_api_token is the authorization token for Heroku account
  heroku_api_token: $HEROKU_API_TOKEN
```

```bash
$ heroku authorizations:create -d "brief description of token"
Creating OAuth Authorization... done
Client:
ID:          a6e98151-f242-4592-b107-25fbac5ab410
Description: brief description of token
Scope:       global
Token:       cf0e05d9-4eca-4948-a012-b9xxxxxxxxxx
Updated at:  Fri Jun 16 2021 13:26:56 GMT-0700 (PDT) (less than a minute ago)
```

--------------------------------

### Scan Discovered Assets with Nmap

Source: https://context7.com/projectdiscovery/cloudlist/llms.txt

This pipeline integrates Cloudlist with nmap to discover all cloud assets and then perform service and version detection scans on them.
```bash
# Discover all assets and scan with nmap
cloudlist -pc config.yaml -ip -silent | nmap -iL - -sV -oA cloud-scan
```

--------------------------------

### Kubernetes Provider Configuration

Source: https://context7.com/projectdiscovery/cloudlist/llms.txt

Configure the Kubernetes provider by specifying the kubeconfig file path or a base64-encoded kubeconfig, and the context.

```yaml
- provider: kubernetes
  id: production-cluster
  kubeconfig_file: /path/to/kubeconfig
  # Or use base64 encoded kubeconfig
  # kubeconfig_encoded:
  context: production-context
```