services / Google Cloud / Service Accounts

Service accounts are Google accounts intended for use by applications or workloads for authentication. They can be either managed by Google or user-managed.

Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user who can act as a service account effectively holds every permission granted to that service account, so broad access to service accounts can let users gain access they were never meant to have.


iam.serviceAccounts.getAccessToken

By default, an access token generated with this permission is valid for one hour. Longer lifetimes (up to 12 hours) can be enabled for specific service accounts via the constraints/iam.allowServiceAccountCredentialLifetimeExtension organization policy.
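Because any holder of this permission can mint tokens as the service account, a defender typically wants to see who is actually calling GenerateAccessToken and against which accounts. The following is an added example, not part of the IAM Privilege Catalog or any P0 Security tooling: it reviews constructed Cloud Audit Log entries (Data Access logs for the IAM Credentials API, assumed to be enabled) and flags token generation by callers who are not on an expected-impersonator allowlist. The allowlist, the sample principals and the log entries are all constructed for the example; the field names follow the protoPayload shape of Cloud Audit Logs as assumed here.

```python
"""Flag unexpected service-account impersonation in Cloud Audit Log entries.

Added example. Assumptions (not from the catalog page):
- Data Access audit logs for iamcredentials.googleapis.com are enabled.
- Entries are one JSON object per line with protoPayload.serviceName,
  protoPayload.methodName, protoPayload.resourceName and
  protoPayload.authenticationInfo.principalEmail (assumed field names).
- EXPECTED_IMPERSONATORS and SAMPLE_LOG are constructed for the example.
"""
import json
from dataclasses import dataclass

# Which principals are expected to generate tokens for which service account.
# Constructed allowlist; in practice this would come from an inventory.
EXPECTED_IMPERSONATORS = {
    "deploy-sa@example-project.iam.gserviceaccount.com": {
        "ci-runner@example-project.iam.gserviceaccount.com",
    },
}


@dataclass(frozen=True)
class Finding:
    caller: str
    target_sa: str
    reason: str


def parse_entries(raw_lines):
    """Yield one parsed audit entry per non-empty, well-formed JSON line."""
    for line in raw_lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            # Malformed lines are skipped rather than aborting the review.
            continue


def is_token_generation(entry):
    """True when the entry records a GenerateAccessToken call."""
    payload = entry.get("protoPayload", {})
    return (payload.get("serviceName") == "iamcredentials.googleapis.com"
            and payload.get("methodName") == "GenerateAccessToken")


def target_service_account(entry):
    """Extract the impersonated account from 'projects/-/serviceAccounts/<email>'."""
    name = entry.get("protoPayload", {}).get("resourceName", "")
    return name.rsplit("/", 1)[-1]


def review(entries):
    """Return a Finding for every token generation outside the allowlist."""
    findings = []
    for entry in entries:
        if not is_token_generation(entry):
            continue
        auth = entry["protoPayload"].get("authenticationInfo", {})
        caller = auth.get("principalEmail", "<unknown>")
        target = target_service_account(entry)
        allowed = EXPECTED_IMPERSONATORS.get(target)
        if allowed is None:
            findings.append(Finding(caller, target,
                                    "no impersonation expected for this service account"))
        elif caller not in allowed:
            findings.append(Finding(caller, target,
                                    "caller not in expected impersonator list"))
    return findings


# Constructed sample entries: one expected call, one unexpected caller,
# one call against an account nobody should impersonate, one unrelated event.
SAMPLE_LOG = [
    '{"protoPayload": {"serviceName": "iamcredentials.googleapis.com", "methodName": "GenerateAccessToken", "resourceName": "projects/-/serviceAccounts/deploy-sa@example-project.iam.gserviceaccount.com", "authenticationInfo": {"principalEmail": "ci-runner@example-project.iam.gserviceaccount.com"}}}',
    '{"protoPayload": {"serviceName": "iamcredentials.googleapis.com", "methodName": "GenerateAccessToken", "resourceName": "projects/-/serviceAccounts/deploy-sa@example-project.iam.gserviceaccount.com", "authenticationInfo": {"principalEmail": "alice@example.com"}}}',
    '{"protoPayload": {"serviceName": "iamcredentials.googleapis.com", "methodName": "GenerateAccessToken", "resourceName": "projects/-/serviceAccounts/analytics-sa@example-project.iam.gserviceaccount.com", "authenticationInfo": {"principalEmail": "bob@example.com"}}}',
    '{"protoPayload": {"serviceName": "storage.googleapis.com", "methodName": "storage.objects.get", "resourceName": "projects/_/buckets/example-bucket/objects/report.csv", "authenticationInfo": {"principalEmail": "alice@example.com"}}}',
]


def run_example():
    """Review the constructed sample log and return the findings."""
    return review(parse_entries(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.caller} -> {f.target_sa}: {f.reason}")
```

The unrelated storage event is ignored, the CI runner's call to the deploy account is expected, and the two remaining calls are reported. Feeding this the output of a log export instead of SAMPLE_LOG is the only change needed to run it against real entries; keeping the allowlist per target account is what lets a reviewer separate routine workload impersonation from a human using the permission directly.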

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https://cloud.google.com/iam/docs/service-account-overview
  • https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog