google.iam.admin.v1.CreateServiceAccountKey
GCP
google.iam.admin.v1.CreateServiceAccountKey
Event
Creates a new key for a GCP service account, producing a JSON credentials file for programmatic authentication.
Security Context
- Creating long-lived access keys or credentials provides persistent access that survives password resets and session revocations.
- Accessing credential stores is a high-priority adversary objective that can unlock access to additional services, accounts, and environments.
Log Source
Cloud Audit Logs
Sample Event
Draco — having compromised a session that already has iam.serviceAccountKeys.create on the high-privilege occamy-pipeline@ service account — mints a long-lived JSON key for offline persistence (T1098.001). Per Google’s design, the private key material is not in the log; response carries name, keyAlgorithm, and metadata only.
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "draco@fantasticlogs.cloud", "principalSubject": "user:draco@fantasticlogs.cloud" }, "requestMetadata": { "callerIp": "203.0.113.66", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.iam.service-accounts.keys.create invocation-id/90000000000000000000000000000001 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)", "requestAttributes": { "time": "2026-04-15T13:42:11.123456789Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "iam.googleapis.com", "methodName": "google.iam.admin.v1.CreateServiceAccountKey", "authorizationInfo": [ { "resource": "projects/-/serviceAccounts/100000000000000000001", "permission": "iam.serviceAccountKeys.create", "granted": true, "resourceAttributes": { "name": "projects/-/serviceAccounts/100000000000000000001", "service": "iam.googleapis.com", "type": "iam.googleapis.com/ServiceAccountKey" } } ], "resourceName": "projects/-/serviceAccounts/100000000000000000001", "request": { "@type": "type.googleapis.com/google.iam.admin.v1.CreateServiceAccountKeyRequest", "name": "projects/fantasticlogs-prod/serviceAccounts/occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com", "private_key_type": 2, "key_algorithm": 2 }, "response": { "@type": "type.googleapis.com/google.iam.admin.v1.ServiceAccountKey", "name": "projects/fantasticlogs-prod/serviceAccounts/occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com/keys/60000000000000000000000000000001", "validAfterTime": "2026-04-15T13:42:11Z", "validBeforeTime": "9999-12-31T23:59:59Z", "keyAlgorithm": "KEY_ALG_RSA_2048", "keyOrigin": "GOOGLE_PROVIDED", "keyType": "USER_MANAGED" } }, "insertId": "evt0000000001", "resource": { "type": "service_account", "labels": { "email_id": "occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com", "project_id": "fantasticlogs-prod", "unique_id": "100000000000000000001" } }, "timestamp": "2026-04-15T13:42:11.098765432Z", "severity": "NOTICE", "logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity", "receiveTimestamp": "2026-04-15T13:42:11.456789012Z"}MITRE ATT&CK Mapping
Tactics: Persistence Credential Access
Techniques:
- T1098.001 — Additional Cloud Credentials — Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.