Skip to content

GCP Service Account Key

Service Name: Google Cloud Platform

Service Description: Google Cloud Platform (GCP) is a suite of cloud computing services that runs on the same infrastructure that Google uses internally for its end-user products. Service account keys are JSON files that contain private keys used to authenticate to Google Cloud services.

Service Address: https://cloud.google.com/

Validation Type: API Auth, NHI Enriched

IP Allow list: IP restrictions can be configured at the service level using VPC Service Controls or IAM Conditions.

Secret Access Scope: Grants programmatic access to GCP resources and services based on the permissions assigned to the service account. Can be used to authenticate applications, services, or workloads to Google Cloud APIs.

Secret Revokement URL: https://console.cloud.google.com/iam-admin/serviceaccounts

Secret Example:

{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "1234567890abcdef1234567890abcdef12345678",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC7VJTUt9Us8cKj\nMzEfYyjiWA4R4/M2bS1GB4t7NXp98C3SC6dVMvDuictGeurT8jNbvJZHtCSuYEvu\nNMoSfm76oqFvAp8Gy0iz5sxjZmSnXyCdPEovGhLa0VzMaQ8s+CLOyS56YyCFGeJZ\n-----END PRIVATE KEY-----\n",
  "client_email": "service-account@example-project.iam.gserviceaccount.com",
  "client_id": "123456789012345678901",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account%40example-project.iam.gserviceaccount.com"
}

Suspicious Activity Investigation Instructions:

  • Review Cloud Audit Logs for unusual API calls or resource access
  • Check for unauthorized service usage or resource creation
  • Monitor for unusual geographic access patterns
  • Examine logs for API call activity made with the service account
  • Review IAM policy changes related to the service account
  • Check for data exfiltration or unusual data access patterns

Mitigation Instructions:

  • Navigate to the Google Cloud Console IAM & Admin > Service Accounts section
  • Locate the compromised service account
  • Click on the three dots menu next to the service account and select "Manage keys"
  • Identify the compromised key and click "Delete"
  • Create a new service account key if needed
  • Review and potentially restrict the permissions of the service account { "type": "service_account", "project_id": "example-project", "private_key_id": "1234567890abcdef1234567890abcdef12345678", "private_key": "-----BEGIN PRIVATE KEY----- \nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC7VJTUt9Us8cKj\nMzE fYyjiWA4R4/M2bS1GB4t7NXp98C3SC6dVMvDuictGeurT8jNbvJZHtCSuYEvu\nNMoSfm76 oqFvAp8Gy0iz5sxjZmSnXyCdPEovGhLa0VzMaQ8s+CLOyS56YyCFGeJZ\n-----END PRIVATE KEY-----\n", "client_email": "service-account@example- project.iam.gserviceaccount.com", "client_id": "123456789012345678901", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service- account%40example-project.iam.gserviceaccount.com" }
  • Consider implementing VPC Service Controls to restrict API access
  • Enable Cloud Audit Logs for comprehensive monitoring
  • Consider implementing workload identity federation instead of service account keys for improved security