
Service accounts are Google accounts intended for use by applications or workloads for authentication. They can be either managed by Google or user-managed.

Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.


Allows signing of arbitrary payloads. Can be used for escalation by signing an access token request.



This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploitation could lead to significant privilege escalation.


  • https://cloud.google.com/iam/docs/service-account-overview
  • https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1
  • Contributed by P0 Security

© 2023–present P0 Security and contributors to the IAM Privilege Catalog