storage.hmacKeys.create
storage.hmacKeys.create
Event
Creates HMAC keys for S3-compatible access to Cloud Storage, providing a persistent access mechanism often missed by defenders.
Security Context
- HMAC keys provide S3-compatible access to Cloud Storage using access key ID and secret pairs, creating a persistent credential that is separate from standard OAuth tokens and service account keys.
- Defenders often overlook HMAC keys during credential rotation and incident response because they exist outside the standard IAM key management workflow, making them an effective persistence mechanism.
Log Source
Cloud Audit Logs
Sample Event
Adversarial. Draco creates an HMAC key on occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com. This generates a 40-char access-key-id and a 40-char base64 secret — usable with any S3-compatible client (aws s3 --endpoint-url https://storage.googleapis.com ls s3://fantasticlogs-niffler-archive/) to read/write all buckets the SA has access to. The credential is opaque to GCP’s regular SA-key inventory; defenders running gcloud iam service-accounts keys list see nothing unusual. HMAC keys are durable, survive key rotation, and don’t expire. Note: response.secret is NOT logged — it is returned to the API caller exactly once at create time and never appears in the audit log.
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "draco@fantasticlogs.cloud" }, "requestMetadata": { "callerIp": "203.0.113.66", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.storage.hmac.create invocation-id/90000000000000000000010000000111 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)", "requestAttributes": { "time": "2026-04-15T13:58:55.221987654Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "storage.googleapis.com", "methodName": "storage.hmacKeys.create", "authorizationInfo": [ { "resource": "projects/fantasticlogs-prod/hmacKeys", "permission": "storage.hmacKeys.create", "granted": true, "resourceAttributes": { "service": "storage.googleapis.com", "name": "projects/fantasticlogs-prod/hmacKeys", "type": "storage.googleapis.com/HmacKey" } } ], "resourceName": "projects/fantasticlogs-prod/hmacKeys/GOOG1EDRAC0M4LFOY666EXAMPLEACCESSID10000111", "request": { "@type": "type.googleapis.com/storage.hmacKeys.create", "projectId": "fantasticlogs-prod", "serviceAccountEmail": "occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com" }, "response": { "@type": "type.googleapis.com/storage.hmacKey", "metadata": { "accessId": "GOOG1EDRAC0M4LFOY666EXAMPLEACCESSID10000111", "id": "fantasticlogs-prod/GOOG1EDRAC0M4LFOY666EXAMPLEACCESSID10000111", "projectId": "fantasticlogs-prod", "serviceAccountEmail": "occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com", "state": "ACTIVE", "timeCreated": "2026-04-15T13:58:55.187654321Z", "updated": "2026-04-15T13:58:55.187654321Z", "etag": "BwSAMPLEetag10111=" } } }, "insertId": "evt010000000111", "resource": { "type": "gcs_bucket", "labels": { "project_id": "fantasticlogs-prod" } }, "timestamp": "2026-04-15T13:58:55.123456789Z", "severity": "NOTICE", "logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity", "receiveTimestamp": "2026-04-15T13:58:55.567890123Z"}MITRE ATT&CK Mapping
Tactics: Persistence
- T1098.001 — Additional Cloud Credentials — Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.