services / Google Cloud / Service Accounts

Service accounts are Google accounts intended for use by applications or workloads for authentication. They can be either managed by Google or user-managed.

Many service account permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively holds every permission the service account has, so broad access to service accounts can allow users to gain unintended access.


Implicit delegation allows you to chain service account access token requests. Granting this permission on a service account lets the holder create access tokens for any other service account that the first service account can itself create tokens for.
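To see why chaining matters for an access review, the following added example (not part of the catalog) walks service account IAM policies hop by hop and reports every service account a member can ultimately mint tokens for, together with the delegation chain that gets there. The policies and e-mail addresses are constructed; the one real identifier is roles/iam.serviceAccountTokenCreator, which includes the implicit delegation permission.

```python
from collections import deque

# Constructed sample data: service account IAM policies keyed by service account
# e-mail, each mapping a role to its members. In a real audit these come from
# `gcloud iam service-accounts get-iam-policy <sa>`.
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"  # includes implicitDelegation

SAMPLE_POLICIES = {
    "deploy@demo.iam.gserviceaccount.com": {
        TOKEN_CREATOR: ["user:alice@example.com"]},
    "build@demo.iam.gserviceaccount.com": {
        TOKEN_CREATOR: ["serviceAccount:deploy@demo.iam.gserviceaccount.com"]},
    "data-admin@demo.iam.gserviceaccount.com": {
        TOKEN_CREATOR: ["serviceAccount:build@demo.iam.gserviceaccount.com"]},
    "unrelated@demo.iam.gserviceaccount.com": {
        TOKEN_CREATOR: ["user:bob@example.com"]},
}


def direct_token_targets(member, policies):
    """Service accounts on which `member` holds Token Creator directly."""
    return [sa for sa, roles in policies.items()
            if member in roles.get(TOKEN_CREATOR, [])]


def reachable_service_accounts(member, policies):
    """Return {service_account: chain} for every service account whose tokens
    `member` can ultimately mint via implicit delegation. The chain lists the
    service accounts in hop order, ending with the target itself."""
    reached = {}
    queue = deque((sa, [sa]) for sa in direct_token_targets(member, policies))
    while queue:
        sa, chain = queue.popleft()
        if sa in reached:
            continue
        reached[sa] = chain
        # A service account holding Token Creator on another extends the chain.
        for nxt in direct_token_targets(f"serviceAccount:{sa}", policies):
            if nxt not in reached:
                queue.append((nxt, chain + [nxt]))
    return reached


def report_overreach(member, policies):
    """Service accounts `member` reaches only indirectly, through delegation."""
    direct = set(direct_token_targets(member, policies))
    return {sa: chain for sa, chain in reachable_service_accounts(member, policies).items()
            if sa not in direct}


if __name__ == "__main__":
    for sa, chain in report_overreach("user:alice@example.com", SAMPLE_POLICIES).items():
        print(f"alice can mint tokens for {sa} via {' -> '.join(chain)}")
```

Alice holds one role binding on a single deployment account, yet the report shows she can also reach the build and data-admin accounts; reviewing bindings one service account at a time would miss that.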



This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.


  • https://cloud.google.com/iam/docs/service-account-overview
  • https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog