generateAccessToken
GCP
generateAccessToken
Event
Generates a short-lived OAuth2 access token for a service account, used for impersonation or workload federation.
Security Context
- Using valid cloud accounts allows adversaries to blend in with legitimate activity while accessing sensitive resources.
- Escalating privileges enables adversaries to access sensitive resources and perform administrative actions beyond their initial access level.
- Stealing application access tokens allows adversaries to impersonate applications and access resources on behalf of legitimate service principals.
Log Source
Cloud Audit Logs
Sample Event
Draco mints a short-lived OAuth2 token for the high-privilege OCCAMY pipeline service account, escalating from his own user without ever needing a long-lived JSON key (T1078.004 / T1528). authenticationInfo.principalEmail is the human caller; request.name and resource.labels.email_id are the impersonated SA — defenders pivot on the mismatch. This event lives on the Data Access stream, which is not enabled by default for IAM and must be turned on in audit_config.
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "draco@fantasticlogs.cloud", "principalSubject": "user:draco@fantasticlogs.cloud" }, "requestMetadata": { "callerIp": "203.0.113.66", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.auth.print-access-token invocation-id/90000000000000000000000000000101 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)", "requestAttributes": { "time": "2026-04-15T16:24:57.998877665Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "iamcredentials.googleapis.com", "methodName": "GenerateAccessToken", "authorizationInfo": [ { "resource": "projects/-/serviceAccounts/100000000000000000001", "permission": "iam.serviceAccounts.getAccessToken", "granted": true, "resourceAttributes": {} } ], "resourceName": "projects/-/serviceAccounts/100000000000000000001", "request": { "@type": "type.googleapis.com/google.iam.credentials.v1.GenerateAccessTokenRequest", "name": "projects/-/serviceAccounts/occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com", "scope": [ "https://www.googleapis.com/auth/cloud-platform" ], "lifetime": "3600s" }, "response": { "@type": "type.googleapis.com/google.iam.credentials.v1.GenerateAccessTokenResponse", "expireTime": "2026-04-15T17:24:57Z" }, "metadata": { "identityDelegationChain": [ "projects/-/serviceAccounts/occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com" ] } }, "insertId": "evt0000000101", "resource": { "type": "service_account", "labels": { "email_id": "occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com", "project_id": "fantasticlogs-prod", "unique_id": "100000000000000000001" } }, "timestamp": "2026-04-15T16:24:57.887766554Z", "severity": "INFO", "logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2026-04-15T16:24:58.110099887Z"}MITRE ATT&CK Mapping
Tactics: Credential Access Privilege Escalation Stealth
Techniques:
- T1528 — Steal Application Access Token — Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
- T1078.004 — Cloud Accounts — Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...