Skip to content

iam.serviceAccountKeys.implicitDelegation

GCP

iam.serviceAccountKeys.implicitDelegation

service: GCP - IAM
techniques:

Event

Records a token exchange where a service account implicitly delegates its authority to another identity.

Security Context

  • Using valid cloud accounts allows adversaries to blend in with legitimate activity while accessing sensitive resources.
  • Abusing elevation control mechanisms allows adversaries to bypass intended access restrictions and operate with higher privileges.
  • Lateral movement techniques allow adversaries to expand their foothold by accessing additional systems and services within the environment.

Log Source

Cloud Audit Logs

Sample Event

Adversarial. Draco does not have direct iam.serviceAccounts.getAccessToken on the high-privilege phoenix-backup@ SA. He DOES have iam.serviceAccounts.implicitDelegation on bowtruckle-secrets@ (intermediate hop), and bowtruckle-secrets@ has iam.serviceAccounts.getAccessToken on phoenix-backup@ (terminal target). Draco calls GenerateAccessToken for phoenix-backup@ with delegates: ["bowtruckle-secrets@"]. The audit log shows the implicitDelegation permission grant rather than direct getAccessToken, and metadata.identityDelegationChain lists both SAs in the chain. This is a subtle privesc path that bypasses defenders only watching for direct getAccessToken grants.

{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "draco@fantasticlogs.cloud",
"principalSubject": "user:draco@fantasticlogs.cloud"
},
"requestMetadata": {
"callerIp": "203.0.113.66",
"callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.auth.print-access-token invocation-id/90000000000000000000001111111010 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)",
"requestAttributes": {
"time": "2026-04-15T16:42:11.221987654Z",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "iamcredentials.googleapis.com",
"methodName": "GenerateAccessToken",
"authorizationInfo": [
{
"resource": "projects/-/serviceAccounts/100000000000000000011",
"permission": "iam.serviceAccounts.implicitDelegation",
"granted": true,
"resourceAttributes": {}
},
{
"resource": "projects/-/serviceAccounts/100000000000000000010",
"permission": "iam.serviceAccounts.getAccessToken",
"granted": true,
"resourceAttributes": {}
}
],
"resourceName": "projects/-/serviceAccounts/100000000000000000010",
"request": {
"@type": "type.googleapis.com/google.iam.credentials.v1.GenerateAccessTokenRequest",
"name": "projects/-/serviceAccounts/phoenix-backup@fantasticlogs-prod.iam.gserviceaccount.com",
"delegates": [
"projects/-/serviceAccounts/bowtruckle-secrets@fantasticlogs-prod.iam.gserviceaccount.com"
],
"scope": [
"https://www.googleapis.com/auth/cloud-platform"
],
"lifetime": "3600s"
},
"response": {
"@type": "type.googleapis.com/google.iam.credentials.v1.GenerateAccessTokenResponse",
"expireTime": "2026-04-15T17:42:11Z"
},
"metadata": {
"identityDelegationChain": [
"projects/-/serviceAccounts/bowtruckle-secrets@fantasticlogs-prod.iam.gserviceaccount.com",
"projects/-/serviceAccounts/phoenix-backup@fantasticlogs-prod.iam.gserviceaccount.com"
]
}
},
"insertId": "evt001111111010",
"resource": {
"type": "service_account",
"labels": {
"email_id": "phoenix-backup@fantasticlogs-prod.iam.gserviceaccount.com",
"project_id": "fantasticlogs-prod",
"unique_id": "100000000000000000010"
}
},
"timestamp": "2026-04-15T16:42:11.123456789Z",
"severity": "INFO",
"logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2026-04-15T16:42:11.567890123Z"
}

MITRE ATT&CK Mapping

Tactics: Privilege Escalation Lateral Movement Stealth

Techniques:
  • T1548 — Abuse Elevation Control Mechanism — Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific u...
  • T1078.004 — Cloud Accounts — Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...