compute.instances.setServiceAccount
compute.instances.setServiceAccount
Event
Changes the service account attached to a Compute Engine instance, enabling privilege escalation via service account swap.
Security Context
- Swapping the service account on a Compute Engine instance immediately changes the credentials available via the metadata server, granting the instance — and any attacker on it — the permissions of the new service account.
- This is a direct privilege escalation technique where an adversary replaces a low-privilege service account with a high-privilege one to access resources beyond their original scope.
Log Source
Cloud Audit Logs
Sample Event
Adversarial. Draco — having compute admin privileges on a low-value sandbox VM i-sandbox-decoy-001 — replaces its current attached SA (555123456789-compute@developer.gserviceaccount.com, the default Compute SA with roles/editor) with the high-privilege phoenix-backup@fantasticlogs-prod.iam.gserviceaccount.com (which has snapshot/restore rights on production volumes). After the swap, Draco only needs to land code on the VM (e.g., a backdoored startup script) — the metadata server will surface tokens for phoenix-backup@, which can then be used to read or copy production snapshot data. Compute LROs emit a paired last entry on completion; this is the first entry.
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "draco@fantasticlogs.cloud" }, "requestMetadata": { "callerIp": "203.0.113.66", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.compute.instances.set-service-account invocation-id/90000000000000000000001111101101 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)", "requestAttributes": { "time": "2026-04-15T14:48:27.221987654Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.setServiceAccount", "authorizationInfo": [ { "permission": "compute.instances.setServiceAccount", "granted": true, "resourceAttributes": { "service": "compute", "name": "projects/fantasticlogs-prod/zones/us-central1-a/instances/i-sandbox-decoy-001", "type": "compute.instances" } }, { "permission": "iam.serviceAccounts.actAs", "granted": true, "resourceAttributes": { "service": "iam.googleapis.com", "name": "projects/-/serviceAccounts/phoenix-backup@fantasticlogs-prod.iam.gserviceaccount.com", "type": "iam.googleapis.com/ServiceAccount" } } ], "resourceName": "projects/fantasticlogs-prod/zones/us-central1-a/instances/i-sandbox-decoy-001", "request": { "@type": "type.googleapis.com/compute.instances.setServiceAccount", "email": "phoenix-backup@fantasticlogs-prod.iam.gserviceaccount.com", "scopes": [ "https://www.googleapis.com/auth/cloud-platform" ] }, "response": { "@type": "type.googleapis.com/operation", "id": "8200000000000001111101101", "name": "operation-1776268107000-62fa2ad07a201-ab001101-cd001101", "operationType": "setServiceAccount", "targetId": "6100000000000001111101101", "targetLink": "https://www.googleapis.com/compute/v1/projects/fantasticlogs-prod/zones/us-central1-a/instances/i-sandbox-decoy-001", "selfLink": "https://www.googleapis.com/compute/v1/projects/fantasticlogs-prod/zones/us-central1-a/operations/operation-1776268107000-62fa2ad07a201-ab001101-cd001101", "selfLinkWithId": "https://www.googleapis.com/compute/v1/projects/fantasticlogs-prod/zones/us-central1-a/operations/8200000000000001111101101", "zone": "https://www.googleapis.com/compute/v1/projects/fantasticlogs-prod/zones/us-central1-a", "user": "draco@fantasticlogs.cloud", "status": "RUNNING", "progress": "0", "insertTime": "2026-04-15T07:48:27.301-07:00", "startTime": "2026-04-15T07:48:27.318-07:00" }, "resourceLocation": { "currentLocations": [ "us-central1-a" ] } }, "insertId": "evt001111101101", "resource": { "type": "gce_instance", "labels": { "project_id": "fantasticlogs-prod", "zone": "us-central1-a", "instance_id": "6100000000000001111101101" } }, "timestamp": "2026-04-15T14:48:27.123456789Z", "severity": "NOTICE", "logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity", "operation": { "id": "operation-1776268107000-62fa2ad07a201-ab001101-cd001101", "producer": "compute.googleapis.com", "first": true }, "receiveTimestamp": "2026-04-15T14:48:27.567890123Z"}MITRE ATT&CK Mapping
Tactics: Privilege Escalation
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...