Skip to content

compute.instances.setServiceAccount

GCP

compute.instances.setServiceAccount

service: GCP - Compute Engine
techniques:

Event

Changes the service account attached to a Compute Engine instance, enabling privilege escalation via service account swap.

Security Context

  • Swapping the service account on a Compute Engine instance immediately changes the credentials available via the metadata server, granting the instance — and any attacker on it — the permissions of the new service account.
  • This is a direct privilege escalation technique where an adversary replaces a low-privilege service account with a high-privilege one to access resources beyond their original scope.

Log Source

Cloud Audit Logs

Sample Event

Adversarial. Draco — having compute admin privileges on a low-value sandbox VM i-sandbox-decoy-001 — replaces its current attached SA (555123456789-compute@developer.gserviceaccount.com, the default Compute SA with roles/editor) with the high-privilege phoenix-backup@fantasticlogs-prod.iam.gserviceaccount.com (which has snapshot/restore rights on production volumes). After the swap, Draco only needs to land code on the VM (e.g., a backdoored startup script) — the metadata server will surface tokens for phoenix-backup@, which can then be used to read or copy production snapshot data. Compute LROs emit a paired last entry on completion; this is the first entry.

{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "draco@fantasticlogs.cloud"
},
"requestMetadata": {
"callerIp": "203.0.113.66",
"callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.compute.instances.set-service-account invocation-id/90000000000000000000001111101101 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)",
"requestAttributes": {
"time": "2026-04-15T14:48:27.221987654Z",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "compute.googleapis.com",
"methodName": "v1.compute.instances.setServiceAccount",
"authorizationInfo": [
{
"permission": "compute.instances.setServiceAccount",
"granted": true,
"resourceAttributes": {
"service": "compute",
"name": "projects/fantasticlogs-prod/zones/us-central1-a/instances/i-sandbox-decoy-001",
"type": "compute.instances"
}
},
{
"permission": "iam.serviceAccounts.actAs",
"granted": true,
"resourceAttributes": {
"service": "iam.googleapis.com",
"name": "projects/-/serviceAccounts/phoenix-backup@fantasticlogs-prod.iam.gserviceaccount.com",
"type": "iam.googleapis.com/ServiceAccount"
}
}
],
"resourceName": "projects/fantasticlogs-prod/zones/us-central1-a/instances/i-sandbox-decoy-001",
"request": {
"@type": "type.googleapis.com/compute.instances.setServiceAccount",
"email": "phoenix-backup@fantasticlogs-prod.iam.gserviceaccount.com",
"scopes": [
"https://www.googleapis.com/auth/cloud-platform"
]
},
"response": {
"@type": "type.googleapis.com/operation",
"id": "8200000000000001111101101",
"name": "operation-1776268107000-62fa2ad07a201-ab001101-cd001101",
"operationType": "setServiceAccount",
"targetId": "6100000000000001111101101",
"targetLink": "https://www.googleapis.com/compute/v1/projects/fantasticlogs-prod/zones/us-central1-a/instances/i-sandbox-decoy-001",
"selfLink": "https://www.googleapis.com/compute/v1/projects/fantasticlogs-prod/zones/us-central1-a/operations/operation-1776268107000-62fa2ad07a201-ab001101-cd001101",
"selfLinkWithId": "https://www.googleapis.com/compute/v1/projects/fantasticlogs-prod/zones/us-central1-a/operations/8200000000000001111101101",
"zone": "https://www.googleapis.com/compute/v1/projects/fantasticlogs-prod/zones/us-central1-a",
"user": "draco@fantasticlogs.cloud",
"status": "RUNNING",
"progress": "0",
"insertTime": "2026-04-15T07:48:27.301-07:00",
"startTime": "2026-04-15T07:48:27.318-07:00"
},
"resourceLocation": {
"currentLocations": [
"us-central1-a"
]
}
},
"insertId": "evt001111101101",
"resource": {
"type": "gce_instance",
"labels": {
"project_id": "fantasticlogs-prod",
"zone": "us-central1-a",
"instance_id": "6100000000000001111101101"
}
},
"timestamp": "2026-04-15T14:48:27.123456789Z",
"severity": "NOTICE",
"logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity",
"operation": {
"id": "operation-1776268107000-62fa2ad07a201-ab001101-cd001101",
"producer": "compute.googleapis.com",
"first": true
},
"receiveTimestamp": "2026-04-15T14:48:27.567890123Z"
}

MITRE ATT&CK Mapping

Tactics: Privilege Escalation

Techniques:
  • T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...