Leaked Google Cloud service-account key — treat as full GCP compromise

A service-account JSON key grants every permission that service account holds — often broad (Storage Admin, BigQuery User, Firestore Admin). Treat a leak as a full GCP compromise unless the SA was tightly scoped.

The next 60 seconds matter

The attacker authenticates with the key, enumerates the service account's IAM permissions (`gcloud auth list` + `gcloud iam service-accounts get-iam-policy`), then moves laterally: reads Cloud Storage buckets, queries BigQuery, reads Secret Manager values, and impersonates other SAs if iam.serviceAccountTokenCreator is granted.

  • Enumerate the service account's full IAM scope
  • Read every Storage bucket the SA can see
  • Query BigQuery for PII
  • Read Secret Manager values
  • Impersonate other SAs if token-creator is granted

Rotation playbook

  1. Console → IAM → Service Accounts → (leaked SA) → Keys → Delete the specific key
  2. Review Audit Logs (Cloud Logging) for the SA in the past 24 hours
  3. If suspicious activity: disable the SA entirely, then remediate
  4. Regenerate a new key with the SAME JSON filename if downstream systems are hard-coded

Prevent the next one

  • Prefer Workload Identity Federation (short-lived tokens) over long-lived SA keys
  • Scope every SA to the minimum permissions — never grant roles/owner or roles/editor
  • Rotate SA keys every 90 days at most
  • Enable VPC Service Controls to limit exfiltration surface

Pattern we scan for

JSON object with private_key_id, private_key, client_email
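A detector for that pattern, added here as an example and not part of the original advisory or any scanning product. It pulls flat JSON objects out of arbitrary text (logs, config, source), keeps only those carrying the three fields plus PEM key material, and reports the identifying fields with the key redacted so the finding can be routed to the rotation playbook without re-leaking the secret. The sample config and every value in it are constructed.

```python
import json
import re

REQUIRED_FIELDS = ("private_key_id", "private_key", "client_email")
PEM_HEADER = "-----BEGIN PRIVATE KEY-----"

# Service-account JSON is a flat object, so a non-nested brace match is enough
# to pull candidate blobs out of logs, config files or source code.
_CANDIDATE = re.compile(r'\{[^{}]*"private_key"[^{}]*\}')


def find_service_account_keys(text):
    """Return one finding per service-account key JSON embedded in text.

    Each finding keeps the fields needed to locate and delete the key in the
    Console (client_email, private_key_id, project_id) and replaces the
    private key material with a redaction marker.
    """
    findings = []
    for match in _CANDIDATE.finditer(text):
        try:
            obj = json.loads(match.group(0))
        except ValueError:
            continue  # brace-delimited text that is not JSON (e.g. a code body)
        if not all(field in obj for field in REQUIRED_FIELDS):
            continue
        if not str(obj["private_key"]).startswith(PEM_HEADER):
            continue  # field names match but no PEM key material: low confidence
        findings.append({
            "client_email": obj["client_email"],
            "private_key_id": obj["private_key_id"],
            "project_id": obj.get("project_id", "<unknown>"),
            "type": obj.get("type", "<missing>"),
            "private_key": "<REDACTED>",
            "offset": match.start(),
        })
    return findings


# Constructed sample input: a config file with a fake key pasted into it,
# followed by a decoy object that has the field names but no real key.
SAMPLE_CONFIG = r'''
db_host = 10.0.0.5
GOOGLE_CREDENTIALS = {"type": "service_account", "project_id": "example-project",
  "private_key_id": "0123456789abcdef",
  "private_key": "-----BEGIN PRIVATE KEY-----\nFAKEKEYMATERIAL\n-----END PRIVATE KEY-----\n",
  "client_email": "ci-deploy@example-project.iam.gserviceaccount.com"}
decoy = {"private_key": "not-a-pem", "private_key_id": "x", "client_email": "a@b"}
'''

if __name__ == "__main__":
    for finding in find_service_account_keys(SAMPLE_CONFIG):
        print(finding)
```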