Skip to content

google.iam.admin.v1.CreateServiceAccountKey

GCP

google.iam.admin.v1.CreateServiceAccountKey

service: GCP - IAM
techniques:

Event

Creates a new key for a GCP service account, producing a JSON credentials file for programmatic authentication.

Security Context

  • Creating long-lived access keys or credentials provides persistent access that survives password resets and session revocations.
  • Accessing credential stores is a high-priority adversary objective that can unlock access to additional services, accounts, and environments.

Log Source

Cloud Audit Logs

Sample Event

Draco — having compromised a session that already has iam.serviceAccountKeys.create on the high-privilege occamy-pipeline@ service account — mints a long-lived JSON key for offline persistence (T1098.001). Per Google’s design, the private key material is not in the log; response carries name, keyAlgorithm, and metadata only.

{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "draco@fantasticlogs.cloud",
"principalSubject": "user:draco@fantasticlogs.cloud"
},
"requestMetadata": {
"callerIp": "203.0.113.66",
"callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.iam.service-accounts.keys.create invocation-id/90000000000000000000000000000001 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)",
"requestAttributes": {
"time": "2026-04-15T13:42:11.123456789Z",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "iam.googleapis.com",
"methodName": "google.iam.admin.v1.CreateServiceAccountKey",
"authorizationInfo": [
{
"resource": "projects/-/serviceAccounts/100000000000000000001",
"permission": "iam.serviceAccountKeys.create",
"granted": true,
"resourceAttributes": {
"name": "projects/-/serviceAccounts/100000000000000000001",
"service": "iam.googleapis.com",
"type": "iam.googleapis.com/ServiceAccountKey"
}
}
],
"resourceName": "projects/-/serviceAccounts/100000000000000000001",
"request": {
"@type": "type.googleapis.com/google.iam.admin.v1.CreateServiceAccountKeyRequest",
"name": "projects/fantasticlogs-prod/serviceAccounts/occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com",
"private_key_type": 2,
"key_algorithm": 2
},
"response": {
"@type": "type.googleapis.com/google.iam.admin.v1.ServiceAccountKey",
"name": "projects/fantasticlogs-prod/serviceAccounts/occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com/keys/60000000000000000000000000000001",
"validAfterTime": "2026-04-15T13:42:11Z",
"validBeforeTime": "9999-12-31T23:59:59Z",
"keyAlgorithm": "KEY_ALG_RSA_2048",
"keyOrigin": "GOOGLE_PROVIDED",
"keyType": "USER_MANAGED"
}
},
"insertId": "evt0000000001",
"resource": {
"type": "service_account",
"labels": {
"email_id": "occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com",
"project_id": "fantasticlogs-prod",
"unique_id": "100000000000000000001"
}
},
"timestamp": "2026-04-15T13:42:11.098765432Z",
"severity": "NOTICE",
"logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity",
"receiveTimestamp": "2026-04-15T13:42:11.456789012Z"
}

MITRE ATT&CK Mapping

Tactics: Persistence Credential Access

Techniques:
  • T1098.001 — Additional Cloud Credentials — Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.