services / Google Cloud / Service Accounts
Service accounts are Google accounts intended for use by applications or workloads for authentication. They can be either managed by Google or user-managed.
Many service-account permissions are extremely sensitive, because service accounts are frequently overprovisioned. A principal who can obtain credentials for, or otherwise act as, a service account effectively holds every permission granted to that service account, so broadly granting access to service accounts lets users gain access that was never intended for them.
iam.serviceAccounts.getOpenIdToken
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or be exploited for significant privilege escalation. For this permission specifically: a principal holding iam.serviceAccounts.getOpenIdToken on a service account can call generateIdToken to obtain Google-signed OpenID Connect ID tokens carrying that service account's identity, for any audience the caller chooses, and can therefore authenticate as the service account to any service that trusts Google ID tokens, including endpoints outside Google Cloud configured to accept them. The permission is included in the predefined roles Service Account OpenID Connect Identity Token Creator and Service Account Token Creator, and a binding at project, folder or organization level applies to every service account beneath it.
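Because the permission inherits from project-level bindings, reviewing only the service account's own IAM policy misses grants. The script below is an added example, not part of the P0 IAM Privilege Catalog or any P0 tooling: it reads IAM policy documents in the JSON shape produced by `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json`, and reports every member whose role grants iam.serviceAccounts.getOpenIdToken. The two sample policies are constructed for the example; the role-to-permission map is an assumption limited to the two predefined roles that grant the permission by design, so custom or basic roles in a real environment must be resolved with `gcloud iam roles describe` and added to the set.

```python
"""Audit who can mint OIDC ID tokens for a Google Cloud service account.

Added example, not from the P0 IAM Privilege Catalog. Input policies use the
JSON shape returned by `gcloud ... get-iam-policy --format=json`.
"""
import json

PERMISSION = "iam.serviceAccounts.getOpenIdToken"

# Assumed role -> permission mapping. These two predefined roles grant
# getOpenIdToken by design; any custom or basic role must be resolved with
# `gcloud iam roles describe ROLE` and added here if it contains PERMISSION.
ROLES_GRANTING_OPENID_TOKEN = {
    "roles/iam.serviceAccountOpenIdTokenCreator",
    "roles/iam.serviceAccountTokenCreator",
}

# Members that make a grant effectively public or org-wide.
BROAD_MEMBER_PREFIXES = ("allUsers", "allAuthenticatedUsers", "domain:")

# Constructed sample: project-level policy (inherited by every SA in the project).
PROJECT_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/viewer", "members": ["group:devs@example.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["user:alice@example.com"]}
  ],
  "etag": "BwXconstructed1",
  "version": 1
}
""")

# Constructed sample: policy on the service account resource itself.
SA_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/iam.serviceAccountOpenIdTokenCreator",
     "members": ["serviceAccount:ci@example.iam.gserviceaccount.com",
                 "group:devs@example.com"],
     "condition": {"title": "until-2025",
                   "expression": "request.time < timestamp('2025-01-01T00:00:00Z')"}},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:bob@example.com"]}
  ],
  "etag": "BwYconstructed2",
  "version": 3
}
""")


def who_can_mint_id_tokens(policies):
    """policies: iterable of (scope_label, policy_dict).

    Returns a sorted list of (member, role, scope, conditional) for every
    binding whose role grants PERMISSION. Conditional bindings are reported
    rather than skipped: a condition narrows the grant only if its expression
    actually holds, so each one needs a human look.
    """
    findings = []
    for scope, policy in policies:
        for binding in policy.get("bindings", []):
            if binding.get("role") not in ROLES_GRANTING_OPENID_TOKEN:
                continue
            conditional = "condition" in binding
            for member in binding.get("members", []):
                findings.append((member, binding["role"], scope, conditional))
    return sorted(findings)


def broad_grants(findings):
    """Subset of findings whose member is public, all-authenticated or a whole domain."""
    return [f for f in findings if f[0].startswith(BROAD_MEMBER_PREFIXES)]


def report(findings):
    """Human-readable lines for a review ticket."""
    lines = []
    for member, role, scope, conditional in findings:
        note = " (conditional, review expression)" if conditional else ""
        lines.append(f"{member} via {role} at {scope}{note}")
    return lines


if __name__ == "__main__":
    results = who_can_mint_id_tokens([("project", PROJECT_POLICY),
                                      ("service account", SA_POLICY)])
    print(f"Principals able to call generateIdToken ({PERMISSION}):")
    for line in report(results):
        print("  " + line)
    if broad_grants(results):
        print("WARNING: public or domain-wide grant present")
```

Note what the script does not do: it does not expand group membership, it does not walk folder or organization policies (which inherit the same way), and it does not resolve custom roles. For a transitive answer in a real environment, `gcloud asset analyze-iam-policy` with the service account as the target resource and the permission as the query covers those cases; the script is useful for reviewing exported policies offline and for seeing why a service-account-level review alone is insufficient.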
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog