Skip to content

generateAccessToken

GCP

generateAccessToken

service: GCP - IAM
techniques:

Event

Generates a short-lived OAuth2 access token for a service account, used for impersonation or workload federation.

Security Context

  • Using valid cloud accounts allows adversaries to blend in with legitimate activity while accessing sensitive resources.
  • Escalating privileges enables adversaries to access sensitive resources and perform administrative actions beyond their initial access level.
  • Stealing application access tokens allows adversaries to impersonate applications and access resources on behalf of legitimate service principals.

Log Source

Cloud Audit Logs

Sample Event

Draco mints a short-lived OAuth2 token for the high-privilege OCCAMY pipeline service account, escalating from his own user without ever needing a long-lived JSON key (T1078.004 / T1528). authenticationInfo.principalEmail is the human caller; request.name and resource.labels.email_id are the impersonated SA — defenders pivot on the mismatch. This event lives on the Data Access stream, which is not enabled by default for IAM and must be turned on in audit_config.

{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "draco@fantasticlogs.cloud",
"principalSubject": "user:draco@fantasticlogs.cloud"
},
"requestMetadata": {
"callerIp": "203.0.113.66",
"callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.auth.print-access-token invocation-id/90000000000000000000000000000101 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)",
"requestAttributes": {
"time": "2026-04-15T16:24:57.998877665Z",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "iamcredentials.googleapis.com",
"methodName": "GenerateAccessToken",
"authorizationInfo": [
{
"resource": "projects/-/serviceAccounts/100000000000000000001",
"permission": "iam.serviceAccounts.getAccessToken",
"granted": true,
"resourceAttributes": {}
}
],
"resourceName": "projects/-/serviceAccounts/100000000000000000001",
"request": {
"@type": "type.googleapis.com/google.iam.credentials.v1.GenerateAccessTokenRequest",
"name": "projects/-/serviceAccounts/occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com",
"scope": [
"https://www.googleapis.com/auth/cloud-platform"
],
"lifetime": "3600s"
},
"response": {
"@type": "type.googleapis.com/google.iam.credentials.v1.GenerateAccessTokenResponse",
"expireTime": "2026-04-15T17:24:57Z"
},
"metadata": {
"identityDelegationChain": [
"projects/-/serviceAccounts/occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com"
]
}
},
"insertId": "evt0000000101",
"resource": {
"type": "service_account",
"labels": {
"email_id": "occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com",
"project_id": "fantasticlogs-prod",
"unique_id": "100000000000000000001"
}
},
"timestamp": "2026-04-15T16:24:57.887766554Z",
"severity": "INFO",
"logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2026-04-15T16:24:58.110099887Z"
}

MITRE ATT&CK Mapping

Tactics: Credential Access Privilege Escalation Stealth

Techniques:
  • T1528 — Steal Application Access Token — Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
  • T1078.004 — Cloud Accounts — Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...