{"id":13620983,"url":"https://github.com/securisec/cliam","last_synced_at":"2026-02-15T20:32:34.033Z","repository":{"id":45083996,"uuid":"480197950","full_name":"securisec/cliam","owner":"securisec","description":"Cloud agnostic IAM permissions enumerator","archived":false,"fork":false,"pushed_at":"2025-04-10T23:52:20.000Z","size":1041,"stargazers_count":156,"open_issues_count":0,"forks_count":10,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-10-24T23:40:54.153Z","etag":null,"topics":["aws","cloud","firebase","gcp","golang"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/securisec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-04-11T02:19:23.000Z","updated_at":"2025-10-03T22:27:18.000Z","dependencies_parsed_at":"2024-05-23T06:29:45.594Z","dependency_job_id":"63f93bed-b780-4b70-b691-75cb7f21b541","html_url":"https://github.com/securisec/cliam","commit_stats":{"total_commits":117,"total_committers":1,"mean_commits":117.0,"dds":0.0,"last_synced_commit":"b0384cf0c4f7422ed9eff8a2e12f338394d04f6b"},"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/securisec/cliam","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/securisec%2Fcliam","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/securisec%2Fcliam/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/securisec%2Fcliam/releases","manifests_url":"https://repos.ecosys
te.ms/api/v1/hosts/GitHub/repositories/securisec%2Fcliam/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/securisec","download_url":"https://codeload.github.com/securisec/cliam/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/securisec%2Fcliam/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29488560,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-15T19:29:10.908Z","status":"ssl_error","status_checked_at":"2026-02-15T19:29:10.419Z","response_time":118,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","cloud","firebase","gcp","golang"],"created_at":"2024-08-01T21:01:01.450Z","updated_at":"2026-02-15T20:32:34.018Z","avatar_url":"https://github.com/securisec.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"# cliam\nMulti cloud iam permissions enumeration tool. Currently covers:\n- [x] AWS\n- [x] GCP\n- [x] Azure\n- [] Oracle\n\n### 🚧 WIP\n\n[![asciicast](https://asciinema.org/a/goBHd7DlnoOb1x61ljkH2ywc1.png)](https://asciinema.org/a/goBHd7DlnoOb1x61ljkH2ywc1)\n\n## Description\nCliam is a simple cloud permissions identifier. There are two main components to the CLI. Most of the enumerated permissions are list, describe or get permissions. 
\n\n- `enumerate` which can be used to enumerate specific permissions (recommended)\n- Some service providers have service groups that can check for permissions for a specific subset of services/resources.\n\n## Installation\nDownload the latest [release](https://github.com/securisec/cliam/releases). DEV tags are current, but not stable.\n\nIn order to build the binary locally, cd into the `cli` directory and run `make dev`.\n\n## Usage\nCliam works with credentials obtained from each service's well-known environment variables or from the commonly required flags passed on the command line.\n\n**It is highly recommended that command completions are set up, as most of the `enumerate` options have to be specific.** To generate completions, use `cliam completion [shell]` and set it according to your shell's completion directory.\n\n```\nUsage:\n  cliam [command]\n\nAvailable Commands:\n  aws         Enumerate AWS credentials for their permissions.\n  azure       Enumerate Azure credentials for their permissions.\n  completion  Generate the autocompletion script for the specified shell\n  firebase    Enumerate Firebase permissions.\n  gcp         Enumerate GCP service accounts for their permissions.\n  help        Help about any command\n  version     Show version and build info\n\nFlags:\n  -h, --help                  help for cliam\n      --max-threads int       Maximum number of threads to use. (default 5)\n      --request-timeout int   Timeout for each request in seconds. (default 5)\n      --save-output           Save output to file on success\n  -v, --verbose               Enable verbose output.\n```\n\n### AWS\nUses the AWS REST API to make signed requests using the passed-in credentials. This greatly improves speed, but makes it a bit more challenging to keep up with adding new permissions. 
The issue of scale is that AWS uses 3-4 varieties of requests at the service level.\n\nSupports obtaining credentials from an AWS profile, flags, or default AWS environment variables like `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and optionally `AWS_SESSION_TOKEN`.\n\n```\n❯❯ cliam aws\nEnumerate AWS credentials for their permissions.\n\nUsage:\n  cliam aws [command]\n\nAvailable Commands:\n  enumerate     Enumerate permissions for specified AWS resources.\n  service-group Enumerate permissions for groups of AWS resources.\n\nFlags:\n      --access-key-id string         AWS Access Key ID\n  -h, --help                         help for aws\n      --known-value stringToString   AWS Resource Name. When known-resource-name is set, additional permissions where a resource needs to be specified is enumerated. (default [])\n      --profile string               AWS Profile. When profile is set, access-key-id, secret-access-key, and session-token are ignored.\n      --region string                AWS Region (default \"us-east-1\")\n      --secret-access-key string     AWS Secret Access Key\n      --session-json string          AWS Session JSON file. This flag attempts to read session information from the specified file. Helpful with temporary credentials.\n      --session-token string         AWS Session Token\n\nGlobal Flags:\n      --max-threads int       Maximum number of threads to use. (default 5)\n      --request-timeout int   Timeout for each request in seconds. (default 5)\n  -v, --verbose               Enable verbose output.\n```\n\n### Known resources\nCliam for AWS also supports enumerating certain permissions that require a known value. 
For instance, when using awscli, we can get a function using `aws lambda get-function --function-name \u003cfunction_name\u003e`.\n\nThis maps directly to cliam, where we can use:\n\n```\ncliam aws enumerate lamda --known-value function-name=\u003cfunction_name\u003e\n```\nThis will enumerate all lambda permissions that take function-name as a valid argument. This will work with other AWS resources as well.\n\n#### Examples\nBruteforce all serverless resources from an AWS profile\n```\n❯❯ cliam aws service-group serverless --profile=my-profile\n```\n\nUse temporary session tokens to check all ec2 permissions\n```\n❯❯ cliam aws enumerate ec2 --session-json=creds.json\n\nWhere creds.json has\n{\n  \"Type\" : \"AWS-HMAC\",\n  \"AccessKeyId\" : \"ASIA...\",\n  \"SecretAccessKey\" : \"...\",\n  \"Token\" : \"...\"\n}\n```\n\nEnumerate permissions for s3, iam and ec2\n```\n❯❯ cliam aws enumerate s3 iam ec2\n```\n\n### GCP\nGCP supports enumerating from a specific service account JSON file. ~Credentials from the GCP environment variables `GOOGLE_APPLICATION_CREDENTIALS` and `CLOUDSDK_CORE_PROJECT` are also supported~.\n\nBecause there are two modes for GCP enumeration, use `enumerate` if `cloudresourcemanager` is enabled or use `rest` to enumerate specific permissions.\n\n```\ncliam gcp --help\nEnumerate GCP service accounts for their permissions.\n\nUsage:\n  cliam gcp [command]\n\nAvailable Commands:\n  bruteforce  Enumerate all GCP permissions\n  enumerate   Enumerate specified GCP permissions\n  rest        GCP permissions using the REST API\n\nFlags:\n  -h, --help                     help for gcp\n      --project-id string        GCP project id\n      --region string            GCP Region (default \"us-central1\")\n      --service-account string   GCP service account path\n      --zone string              GCP Zone (default \"us-central1-a\")\n\nGlobal Flags:\n      --max-threads int       Maximum number of threads to use. 
(default 5)\n      --request-timeout int   Timeout for each request in seconds. (default 10)\n\nUse \"cliam gcp [command] --help\" for more information about a command.\n```\n\n### Azure\nAzure enumeration supports various authentication methods including service principals (via client id and secret), certificate, MSI (via MSI token), or default auth. It also supports all the common Azure environment variables:\n- AZURE_CLIENT_ID : client id or username\n- AZURE_CLIENT_SECRET : client secret\n- AZURE_SUBSCRIPTION_ID : subscription id\n- AZURE_CLIENT_CERTIFICATE_PATH : path to certificate\n- AZURE_TENANT_ID : tenant id\n- CLIAM_AZURE_OAUTH_TOKEN : existing oauth token\n\n```\n❯❯ cliam azure\nEnumerate Azure credentials for their permissions.\nIn most cases, a valid Azure Subscription ID is required. If one \nis not provided, the CLI will attempt to lookup available subscriptions \nand use the first one.\n\nUsage:\n  cliam azure [command]\n\nAvailable Commands:\n  access-token  Get access token to use with REST apis\n  enumerate     Enumerate permissions for specified azure resources.\n  service       Enumerate permissions for a specific group of azure services.\n  subscriptions List all subscriptions\n```\n\n## Debug\ncliam supports two environment variables to show debug output:\n- DEBUG=true (shows status codes of requests)\n- VERBOSE=true (shows body of requests)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecurisec%2Fcliam","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsecurisec%2Fcliam","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecurisec%2Fcliam/lists"}