Skip to content

iam.serviceAccounts.signJwt

GCP

iam.serviceAccounts.signJwt

service: GCP - IAM
techniques:

Event

Signs a JWT on behalf of a service account via the IAM Credentials API, used for authentication or token exchange.

Security Context

  • Using valid cloud accounts allows adversaries to blend in with legitimate activity while accessing sensitive resources.
  • Escalating privileges enables adversaries to access sensitive resources and perform administrative actions beyond their initial access level.
  • Stealing application access tokens allows adversaries to impersonate applications and access resources on behalf of legitimate service principals.

Log Source

Cloud Audit Logs

Sample Event

Adversarial. Draco has iam.serviceAccounts.signJwt (but not getAccessToken) on demiguise-inference@fantasticlogs-prod.iam.gserviceaccount.com. He calls SignJwt with a JWT payload claiming aud=https://oauth2.googleapis.com/token and scope=https://www.googleapis.com/auth/cloud-platform. Google signs it with the SA’s Google-managed key. Draco then exchanges this signed JWT at oauth2.googleapis.com/token (separate non-audit-logged endpoint) for a real OAuth access token — bypassing the getAccessToken permission check entirely. This is a direct privesc that detection rules looking only at getAccessToken will miss.

{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "draco@fantasticlogs.cloud",
"principalSubject": "user:draco@fantasticlogs.cloud"
},
"requestMetadata": {
"callerIp": "203.0.113.66",
"callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.iam.service-accounts.sign-jwt invocation-id/90000000000000000000001111111101 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)",
"requestAttributes": {
"time": "2026-04-15T17:01:18.221987654Z",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "iamcredentials.googleapis.com",
"methodName": "SignJwt",
"authorizationInfo": [
{
"resource": "projects/-/serviceAccounts/100000000000000000100",
"permission": "iam.serviceAccounts.signJwt",
"granted": true,
"resourceAttributes": {}
}
],
"resourceName": "projects/-/serviceAccounts/100000000000000000100",
"request": {
"@type": "type.googleapis.com/google.iam.credentials.v1.SignJwtRequest",
"name": "projects/-/serviceAccounts/demiguise-inference@fantasticlogs-prod.iam.gserviceaccount.com",
"payload": "{\"iss\":\"demiguise-inference@fantasticlogs-prod.iam.gserviceaccount.com\",\"sub\":\"demiguise-inference@fantasticlogs-prod.iam.gserviceaccount.com\",\"aud\":\"https://oauth2.googleapis.com/token\",\"scope\":\"https://www.googleapis.com/auth/cloud-platform\",\"iat\":1776272478,\"exp\":1776276078}"
},
"response": {
"@type": "type.googleapis.com/google.iam.credentials.v1.SignJwtResponse",
"keyId": "60000000000000000000000000000111"
}
},
"insertId": "evt001111111101",
"resource": {
"type": "service_account",
"labels": {
"email_id": "demiguise-inference@fantasticlogs-prod.iam.gserviceaccount.com",
"project_id": "fantasticlogs-prod",
"unique_id": "100000000000000000100"
}
},
"timestamp": "2026-04-15T17:01:18.123456789Z",
"severity": "INFO",
"logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2026-04-15T17:01:18.567890123Z"
}

MITRE ATT&CK Mapping

Tactics: Credential Access Privilege Escalation Stealth

Techniques:
  • T1528 — Steal Application Access Token — Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
  • T1078.004 — Cloud Accounts — Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...