google.iam.admin.v1.CreateServiceAccountKey

CSP: GCP

Tactics:

Persistence Credential Access

Techniques:

T1098.001

Tags:

GCP IAM

Event

Creates a new key for a GCP service account, producing a JSON credentials file for programmatic authentication.

Security Context

• Creating long-lived access keys or credentials provides persistent access that survives password resets and session revocations.
• Accessing credential stores is a high-priority adversary objective that can unlock access to additional services, accounts, and environments.

Log Source

Cloud Audit Logs

Sample Event

MITRE ATT&CK Mapping

Tactics: Persistence Credential Access

Techniques:

• T1098.001 — Additional Cloud Credentials — Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azu...