
google.iam.admin.v1.UploadServiceAccountKey

CSP: GCP

Event

Uploads an external key to a service account, enabling persistent access that survives credential rotation.

Security Context

  • Uploading an externally generated key to a service account gives the attacker a credential they fully control — the private key never passes through GCP, making it invisible to key creation audit trails.
  • This technique provides a stealthier persistence mechanism than creating keys through IAM, since the private key material is generated outside of GCP and never logged in Cloud Audit Logs.

Log Source

Cloud Audit Logs
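
Because the private key is generated outside GCP, the upload call is the event to alert on. The following is an added example, not part of the original entry: it scans audit log entries exported as JSON lines for this method name and reports who uploaded a key, to which service account, and whether the call succeeded. The sample entries are constructed, and the `approved_principals` allowlist is a hypothetical parameter.

```python
import json

UPLOAD_METHOD = "google.iam.admin.v1.UploadServiceAccountKey"  # event name from this page

# Constructed sample audit entries, one JSON object per line; every value is made up.
SAMPLE_LOG = r"""
{"timestamp":"2024-01-01T10:00:00Z","protoPayload":{"methodName":"google.iam.admin.v1.CreateServiceAccountKey","authenticationInfo":{"principalEmail":"ci@example.test"},"resourceName":"projects/-/serviceAccounts/111","status":{}}}
{"timestamp":"2024-01-01T10:05:00Z","protoPayload":{"methodName":"google.iam.admin.v1.UploadServiceAccountKey","authenticationInfo":{"principalEmail":"dev@example.test"},"requestMetadata":{"callerIp":"203.0.113.7"},"resourceName":"projects/-/serviceAccounts/111","status":{}}}
{"timestamp":"2024-01-01T10:06:00Z","protoPayload":{"methodName":"google.iam.admin.v1.UploadServiceAccountKey","authenticationInfo":{"principalEmail":"intern@example.test"},"requestMetadata":{"callerIp":"198.51.100.9"},"resourceName":"projects/-/serviceAccounts/222","status":{"code":7,"message":"Permission denied"}}}
truncated-line-not-json
"""

def find_key_uploads(lines, approved_principals=frozenset()):
    """Return one finding per UploadServiceAccountKey entry, successful or denied."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # tolerate truncated or non-JSON export lines
        if not isinstance(entry, dict):
            continue
        payload = entry.get("protoPayload") or {}
        if payload.get("methodName") != UPLOAD_METHOD:
            continue
        principal = (payload.get("authenticationInfo") or {}).get("principalEmail", "unknown")
        # An absent or zero status code means the call succeeded; non-zero is a failed attempt.
        code = (payload.get("status") or {}).get("code", 0)
        findings.append({
            "time": entry.get("timestamp"),
            "principal": principal,
            "service_account": payload.get("resourceName"),
            "caller_ip": (payload.get("requestMetadata") or {}).get("callerIp"),
            "succeeded": code == 0,
            "approved": principal in approved_principals,  # hypothetical allowlist
        })
    return findings

if __name__ == "__main__":
    for f in find_key_uploads(SAMPLE_LOG.splitlines()):
        print(f)
```

Denied attempts are reported as well as successful uploads, since a failed upload by an unexpected principal is also worth triage.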

Sample Event

MITRE ATT&CK Mapping

Tactics: Persistence

Techniques:
  • T1098.001 — Additional Cloud Credentials — Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azu...