google.iam.admin.v1.SetIAMPolicy or SetIAMPolicy
GCP
google.iam.admin.v1.SetIAMPolicy or SetIAMPolicy
Event
Replaces the complete IAM policy for a GCP resource, controlling access for all principals.
Security Context
- Adversaries attach overly permissive policies to maintain persistent, elevated access even after initial credentials are rotated.
- Abusing elevation control mechanisms allows adversaries to bypass intended access restrictions and operate with higher privileges.
Log Source
Cloud Audit Logs
Sample Event
Adversarial. Draco grants roles/iam.serviceAccountTokenCreator on the high-privilege occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com SA to his external attacker-controlled Google account (draco-malfoy-666@gmail.com). After this binding lands, Draco can call GenerateAccessToken against occamy-pipeline@ from his personal-Gmail-authenticated session indefinitely — a stable persistence path that survives the deletion of his corp account. This is the canonical “backdoor an SA via its own IAM policy” technique.
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "draco@fantasticlogs.cloud" }, "requestMetadata": { "callerIp": "203.0.113.66", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.iam.service-accounts.add-iam-policy-binding invocation-id/90000000000000000000001111110100 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)", "requestAttributes": { "time": "2026-04-15T13:35:42.221987654Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "iam.googleapis.com", "methodName": "google.iam.admin.v1.SetIAMPolicy", "authorizationInfo": [ { "resource": "projects/-/serviceAccounts/100000000000000000001", "permission": "iam.serviceAccounts.setIamPolicy", "granted": true, "resourceAttributes": { "service": "iam.googleapis.com", "name": "projects/-/serviceAccounts/100000000000000000001", "type": "iam.googleapis.com/ServiceAccount" } } ], "resourceName": "projects/-/serviceAccounts/100000000000000000001", "request": { "@type": "type.googleapis.com/google.iam.v1.SetIamPolicyRequest", "resource": "projects/-/serviceAccounts/occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com", "policy": { "version": 1, "bindings": [ { "role": "roles/iam.serviceAccountTokenCreator", "members": [ "user:draco-malfoy-666@gmail.com" ] } ], "etag": "BwSAMPLEetag10100=" } }, "response": { "@type": "type.googleapis.com/google.iam.v1.Policy", "version": 1, "bindings": [ { "role": "roles/iam.serviceAccountTokenCreator", "members": [ "user:draco-malfoy-666@gmail.com" ] } ], "etag": "BwSAMPLEetag10101=" }, "serviceData": { "@type": "type.googleapis.com/google.iam.v1.logging.AuditData", "policyDelta": { "bindingDeltas": [ { "action": "ADD", "role": "roles/iam.serviceAccountTokenCreator", "member": "user:draco-malfoy-666@gmail.com" } ] } } }, "insertId": "evt001111110100", "resource": { "type": "service_account", "labels": { "email_id": "occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com", "project_id": "fantasticlogs-prod", "unique_id": "100000000000000000001" } }, "timestamp": "2026-04-15T13:35:42.123456789Z", "severity": "NOTICE", "logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity", "receiveTimestamp": "2026-04-15T13:35:42.567890123Z"}MITRE ATT&CK Mapping
Tactics: Privilege Escalation Persistence
Techniques:
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...
- T1548 — Abuse Elevation Control Mechanism — Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific u...