SecretManagerService.AccessSecretVersion
GCP
SecretManagerService.AccessSecretVersion
Event
Retrieves the plaintext value of a specific secret version from GCP Secret Manager.
Security Context
- Enumerating cloud resources helps adversaries map the environment to identify high-value targets, security controls, and potential pivot points.
- Accessing stored credentials or secrets can provide adversaries with keys to additional systems, enabling lateral movement and privilege escalation.
Log Source
Cloud Audit Logs
Sample Event
Adversarial. Draco — operating with the bowtruckle-secrets@ token he obtained from the prior GenerateAccessToken event — calls AccessSecretVersion against bowtruckle-prod-db-master-pass version latest. This is the moment the production database master password leaves Google’s vault into Draco’s hands. Note: Google has redacted response.payload.data since mid-2022 — only the resolved version name remains in the response. Data Access logs are not enabled by default for secretmanager.googleapis.com — without enablement, this read is silent.
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "bowtruckle-secrets@fantasticlogs-prod.iam.gserviceaccount.com", "principalSubject": "serviceAccount:bowtruckle-secrets@fantasticlogs-prod.iam.gserviceaccount.com", "serviceAccountDelegationInfo": [ { "firstPartyPrincipal": { "principalEmail": "draco@fantasticlogs.cloud" } } ] }, "requestMetadata": { "callerIp": "203.0.113.66", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.secrets.versions.access invocation-id/90000000000000000000010000000010 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)", "requestAttributes": { "time": "2026-04-15T17:08:33.221987654Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "secretmanager.googleapis.com", "methodName": "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion", "authorizationInfo": [ { "resource": "projects/555123456789/secrets/bowtruckle-prod-db-master-pass/versions/3", "permission": "secretmanager.versions.access", "granted": true, "resourceAttributes": { "service": "secretmanager.googleapis.com", "name": "projects/555123456789/secrets/bowtruckle-prod-db-master-pass/versions/3", "type": "secretmanager.googleapis.com/SecretVersion" } } ], "resourceName": "projects/555123456789/secrets/bowtruckle-prod-db-master-pass/versions/3", "request": { "@type": "type.googleapis.com/google.cloud.secretmanager.v1.AccessSecretVersionRequest", "name": "projects/fantasticlogs-prod/secrets/bowtruckle-prod-db-master-pass/versions/latest" }, "response": { "@type": "type.googleapis.com/google.cloud.secretmanager.v1.AccessSecretVersionResponse", "name": "projects/555123456789/secrets/bowtruckle-prod-db-master-pass/versions/3" } }, "insertId": "evt010000000010", "resource": { "type": "audited_resource", "labels": { "project_id": "fantasticlogs-prod", "method": "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion", "service": "secretmanager.googleapis.com" } }, "timestamp": "2026-04-15T17:08:33.123456789Z", "severity": "INFO", "logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2026-04-15T17:08:33.567890123Z"}MITRE ATT&CK Mapping
Tactics: Credential Access Discovery
Techniques:
- T1552 — Unsecured Credentials — Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Shell History](https://attack.mitre.org/techniques/T1552/003)), operating system or applica...
- T1526 — Cloud Service Discovery — An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can...