iam.serviceAccounts.actAs
iam.serviceAccounts.actAs
Event
Records use of the actAs permission, where one identity impersonates and acts on behalf of a GCP service account.
Security Context
- Using valid cloud accounts allows adversaries to blend in with legitimate activity while accessing sensitive resources.
- Abusing elevation control mechanisms allows adversaries to bypass intended access restrictions and operate with higher privileges.
- Lateral movement techniques allow adversaries to expand their foothold by accessing additional systems and services within the environment.
Log Source
Cloud Audit Logs
Sample Event
Adversarial. Draco creates a new Cloud Function that, on invocation, dumps the runtime metadata-server token (and exfils it to his C2). To attach the high-privilege phoenix-backup@ SA to this Cloud Function at deploy time, GCP runs an actAs permission check synchronously — emitting this audit log entry. The function deployment itself is a separate audit log event (google.cloud.functions.v2.FunctionService.CreateFunction), but the actAs check is the enabling step. Detection on actAs against high-privilege SAs catches the privesc attempt before the function is even live.
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "draco@fantasticlogs.cloud" }, "requestMetadata": { "callerIp": "203.0.113.66", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.functions.deploy invocation-id/90000000000000000000001111111011 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)", "requestAttributes": { "time": "2026-04-15T16:51:08.221987654Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "iam.googleapis.com", "methodName": "iam.serviceAccounts.actAs", "authorizationInfo": [ { "resource": "projects/-/serviceAccounts/phoenix-backup@fantasticlogs-prod.iam.gserviceaccount.com", "permission": "iam.serviceAccounts.actAs", "granted": true, "permissionType": "ADMIN_WRITE" } ], "resourceName": "projects/-/serviceAccounts/phoenix-backup@fantasticlogs-prod.iam.gserviceaccount.com", "request": { "@type": "type.googleapis.com/CanActAsServiceAccountRequest", "name": "phoenix-backup@fantasticlogs-prod.iam.gserviceaccount.com", "project_number": "555123456789" }, "response": { "@type": "type.googleapis.com/CanActAsServiceAccountResponse", "success": true } }, "insertId": "evt001111111011", "resource": { "type": "audited_resource", "labels": { "project_id": "fantasticlogs-prod", "method": "iam.serviceAccounts.actAs", "service": "iam.googleapis.com" } }, "timestamp": "2026-04-15T16:51:08.123456789Z", "severity": "NOTICE", "logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity", "receiveTimestamp": "2026-04-15T16:51:08.567890123Z"}MITRE ATT&CK Mapping
Tactics: Privilege Escalation Lateral Movement Stealth
- T1548 — Abuse Elevation Control Mechanism — Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific u...
- T1078.004 — Cloud Accounts — Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...