Skip to content

GCP Service Account Creds

Service Name: Google Cloud Platform

Service Description: Google Cloud Platform (GCP) is a suite of cloud computing services that runs on the same infrastructure that Google uses internally for its end-user products.

Service Address: https://cloud.google.com/

Validation Type: API Auth NHI Enriched

IP Allow list: Does not exist

Secret Access Scope: Grants access to Google Cloud resources based on the permissions assigned to the service account.

Secret Revokement URL: https://console.cloud.google.com/iam-admin/serviceaccounts

Secret Example: project-name-123456@project-name-123456.iam.gserviceaccount.com

Suspicious Activity Investigation Instructions:

  • Review Google Cloud Audit logs for unusual activity from the service account
  • Check for unauthorized API calls or resource access in Cloud Logging
  • Examine IAM policy changes related to the service account
  • Look for unusual geographic access patterns in the Security Command Center
  • Monitor for unexpected increases in billing or resource usage

Mitigation Instructions:

  • Immediately rotate the service account key by creating a new key and deleting the compromised one
  • Navigate to the Google Cloud Console IAM & Admin section
  • Select Service Accounts and locate the affected service account
  • Delete the compromised key under the Keys tab
  • Review and restrict IAM permissions assigned to the service account
  • Enable VPC Service Controls to restrict API access if applicable
  • Consider implementing Workload Identity Federation instead of service account keys