Skip to content

SecretManagerService.AccessSecretVersion

GCP

SecretManagerService.AccessSecretVersion

service: GCP - Secret Manager
techniques:

Event

Retrieves the plaintext value of a specific secret version from GCP Secret Manager.

Security Context

  • Enumerating cloud resources helps adversaries map the environment to identify high-value targets, security controls, and potential pivot points.
  • Accessing stored credentials or secrets can provide adversaries with keys to additional systems, enabling lateral movement and privilege escalation.

Log Source

Cloud Audit Logs

Sample Event

Adversarial. Draco — operating with the bowtruckle-secrets@ token he obtained from the prior GenerateAccessToken event — calls AccessSecretVersion against bowtruckle-prod-db-master-pass version latest. This is the moment the production database master password leaves Google’s vault into Draco’s hands. Note: Google has redacted response.payload.data since mid-2022 — only the resolved version name remains in the response. Data Access logs are not enabled by default for secretmanager.googleapis.com — without enablement, this read is silent.

{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "bowtruckle-secrets@fantasticlogs-prod.iam.gserviceaccount.com",
"principalSubject": "serviceAccount:bowtruckle-secrets@fantasticlogs-prod.iam.gserviceaccount.com",
"serviceAccountDelegationInfo": [
{
"firstPartyPrincipal": {
"principalEmail": "draco@fantasticlogs.cloud"
}
}
]
},
"requestMetadata": {
"callerIp": "203.0.113.66",
"callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.secrets.versions.access invocation-id/90000000000000000000010000000010 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)",
"requestAttributes": {
"time": "2026-04-15T17:08:33.221987654Z",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "secretmanager.googleapis.com",
"methodName": "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion",
"authorizationInfo": [
{
"resource": "projects/555123456789/secrets/bowtruckle-prod-db-master-pass/versions/3",
"permission": "secretmanager.versions.access",
"granted": true,
"resourceAttributes": {
"service": "secretmanager.googleapis.com",
"name": "projects/555123456789/secrets/bowtruckle-prod-db-master-pass/versions/3",
"type": "secretmanager.googleapis.com/SecretVersion"
}
}
],
"resourceName": "projects/555123456789/secrets/bowtruckle-prod-db-master-pass/versions/3",
"request": {
"@type": "type.googleapis.com/google.cloud.secretmanager.v1.AccessSecretVersionRequest",
"name": "projects/fantasticlogs-prod/secrets/bowtruckle-prod-db-master-pass/versions/latest"
},
"response": {
"@type": "type.googleapis.com/google.cloud.secretmanager.v1.AccessSecretVersionResponse",
"name": "projects/555123456789/secrets/bowtruckle-prod-db-master-pass/versions/3"
}
},
"insertId": "evt010000000010",
"resource": {
"type": "audited_resource",
"labels": {
"project_id": "fantasticlogs-prod",
"method": "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion",
"service": "secretmanager.googleapis.com"
}
},
"timestamp": "2026-04-15T17:08:33.123456789Z",
"severity": "INFO",
"logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2026-04-15T17:08:33.567890123Z"
}

MITRE ATT&CK Mapping

Tactics: Credential Access Discovery

Techniques:
  • T1552 — Unsecured Credentials — Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Shell History](https://attack.mitre.org/techniques/T1552/003)), operating system or applica...
  • T1526 — Cloud Service Discovery — An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can...