Google Cloud Service Account Key

ID: google_cloud_key

Severity: critical

Vendor: Google Cloud Platform

Family: Access key

Description

Google Cloud Platform (GCP) is a cloud provider. A service account in GCP is "a special kind of account used by an application or compute workload, rather than a person".

Keys for such service accounts are created in Google's Identity and Access Management (IAM) service. The most common type is known as a "user-managed key pair": it uses a public/private key pair generated by IAM, and the client authenticates to GCP services using the private key. According to Google, IAM generates the private key but does not store it; only the public key is kept, and it is used to confirm the identity of the party holding the private key.

Security

The result of creating a service account key in IAM is a sensitive JSON file. It must be stored securely and must never be committed to a source repository.

Leaking that JSON access key file may enable an unauthorized party to authenticate as your service account with the granted privileges.

Examples

{
  "type": "service_account",
  "project_id": "test-project",
  "private_key_id": "3bc0efbba0dc104eb16949b4885912ae72ace8b2",
  "private_key": "-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----\n",
  "client_email": "depsdoc@xygeni.iam.gserviceaccount.com",
  "client_id": "22666904539010348066",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/test-project%40depsdoc@xygeni.iam.gserviceaccount.com"
}
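The example above shows the fields a detector can key on: "type" is "service_account", "private_key" carries a PEM block, and "client_email" ends in iam.gserviceaccount.com. The following scanner, added here as an illustration and not part of the page's detector, applies those checks to every JSON object it can decode from a piece of text, so it also finds a key pasted into source code as a dict literal. The sample input is constructed; the identifying values are taken from the example key above, with the PEM body shortened. The report it returns deliberately omits the private key itself.

```python
import json
import re

# Shape markers of a user-managed GCP service account key file. The PEM block is
# the secret itself; the other fields confirm this is a key file and not some
# other JSON that happens to contain a private key.
PEM_HEADER_RE = re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----")
SA_EMAIL_RE = re.compile(r"^[a-z0-9-]+@[a-z0-9-]+\.iam\.gserviceaccount\.com$")
KEY_ID_RE = re.compile(r"^[0-9a-f]{40}$")


def is_service_account_key(obj) -> bool:
    """True when a parsed JSON value has the structure of a GCP service account key."""
    if not isinstance(obj, dict) or obj.get("type") != "service_account":
        return False
    private_key = obj.get("private_key")
    if not isinstance(private_key, str) or not PEM_HEADER_RE.search(private_key):
        return False
    email = obj.get("client_email")
    return isinstance(email, str) and bool(SA_EMAIL_RE.match(email))


def fingerprint(obj) -> dict:
    """Identifying fields for a finding report. The private key is never copied
    out: the report should let you revoke the key, not leak it a second time."""
    key_id = obj.get("private_key_id", "")
    return {
        "project_id": obj.get("project_id", ""),
        "client_email": obj.get("client_email", ""),
        "private_key_id": key_id,
        "key_id_well_formed": bool(KEY_ID_RE.match(key_id)),
    }


def find_keys_in_text(text: str) -> list:
    """Scan arbitrary text (a file, a source module, a config) for embedded JSON
    objects and return a fingerprint for each one that is a service account key.
    raw_decode is attempted at every '{', so keys hardcoded inside code are found."""
    decoder = json.JSONDecoder()
    findings = []
    pos = 0
    while True:
        start = text.find("{", pos)
        if start == -1:
            return findings
        try:
            obj, end = decoder.raw_decode(text, start)
        except json.JSONDecodeError:
            pos = start + 1
            continue
        if is_service_account_key(obj):
            findings.append(fingerprint(obj))
            pos = end
        else:
            pos = start + 1  # keep scanning inside non-key objects as well


# Constructed sample: a Python config module with a key hardcoded as a dict
# literal (which is valid JSON), plus an unrelated credential object that must
# not match. The '\\n' sequences become JSON escapes inside the PEM string.
SAMPLE_SOURCE = '''
GCP_CREDS = {"type": "service_account", "project_id": "test-project",
  "private_key_id": "3bc0efbba0dc104eb16949b4885912ae72ace8b2",
  "private_key": "-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBg...\\n-----END PRIVATE KEY-----\\n",
  "client_email": "depsdoc@xygeni.iam.gserviceaccount.com",
  "client_id": "22666904539010348066",
  "token_uri": "https://oauth2.googleapis.com/token"}
OTHER = {"type": "authorized_user", "client_id": "x", "refresh_token": "not-a-sa-key"}
'''

if __name__ == "__main__":
    for finding in find_keys_in_text(SAMPLE_SOURCE):
        print("service account key found:", finding)
```

Run against a whole repository by feeding each file's contents to find_keys_in_text; a match on "type" and the PEM header alone would already be worth flagging, and the stricter email and key-id checks mainly serve to rank confidence.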

Mitigation / Fix

  1. Remove the leaked JSON object (as file or hardcoded in source code).

  2. Follow your policy for handling leaked secrets, which typically requires deleting the leaked service account keys in GCP.

  3. Check access logs to ensure that the secret was not used by unintended actors during the compromised period. GCP provides a Cloud Audit Logs facility for that.
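For step 3, the question is whether the leaked key (not merely the service account, which may have other keys) was used during the exposure window, and from where. The triage helper below is added here as an illustration and is not part of the page; it reads Cloud Audit Logs entries exported as one JSON object per line and matches on both the principal and the key id. The sample entries are constructed, and the field layout (protoPayload.authenticationInfo.principalEmail, protoPayload.authenticationInfo.serviceAccountKeyName, protoPayload.requestMetadata.callerIp) is assumed from the AuditLog structure; verify it against your own export before relying on it.

```python
import json
from datetime import datetime, timezone

# Identifying values of the leaked key (from the example key above); the second
# key id is constructed to stand in for another, unaffected key of the same account.
LEAKED_EMAIL = "depsdoc@xygeni.iam.gserviceaccount.com"
LEAKED_KEY_ID = "3bc0efbba0dc104eb16949b4885912ae72ace8b2"
OTHER_KEY_ID = "0" * 40

# Exposure window under investigation (constructed).
WINDOW_START = datetime(2024, 5, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 5, 3, tzinfo=timezone.utc)


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp as found in LogEntry.timestamp."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_key_usage(log_lines, client_email, key_id, window_start, window_end):
    """Return every request in [window_start, window_end) authenticated with the
    given key. Matching on the key id, not just the principal, keeps the account's
    other keys out of the result."""
    suffix = "/keys/" + key_id
    hits = []
    for line in log_lines:
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        auth = payload.get("authenticationInfo", {})
        if auth.get("principalEmail") != client_email:
            continue
        if not auth.get("serviceAccountKeyName", "").endswith(suffix):
            continue
        ts = parse_ts(entry["timestamp"])
        if not (window_start <= ts < window_end):
            continue
        hits.append({
            "timestamp": entry["timestamp"],
            "method": payload.get("methodName", ""),
            "resource": payload.get("resourceName", ""),
            "caller_ip": payload.get("requestMetadata", {}).get("callerIp", ""),
        })
    return hits


def caller_ips(hits):
    """Distinct source addresses: the first thing to compare with known infrastructure."""
    return sorted({h["caller_ip"] for h in hits if h["caller_ip"]})


def _entry(ts, key_id, method, ip, principal=LEAKED_EMAIL):
    """Build one constructed audit log line in the assumed export layout."""
    key_name = ("//iam.googleapis.com/projects/test-project/serviceAccounts/"
                f"{principal}/keys/{key_id}")
    return json.dumps({
        "timestamp": ts,
        "resource": {"type": "gcs_bucket"},
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "methodName": method,
            "resourceName": "projects/_/buckets/test-project-data",
            "authenticationInfo": {"principalEmail": principal,
                                   "serviceAccountKeyName": key_name},
            "requestMetadata": {"callerIp": ip},
        },
    })


# Constructed log: two requests with the leaked key inside the window from an
# unfamiliar address, one with the account's other key, one before the window.
SAMPLE_LOG_LINES = [
    _entry("2024-05-02T10:15:00Z", LEAKED_KEY_ID, "storage.objects.get", "203.0.113.5"),
    _entry("2024-05-02T11:00:00Z", OTHER_KEY_ID, "storage.objects.list", "10.0.0.4"),
    _entry("2024-04-01T09:00:00Z", LEAKED_KEY_ID, "storage.objects.get", "198.51.100.7"),
    _entry("2024-05-02T12:30:00Z", LEAKED_KEY_ID, "storage.objects.delete", "203.0.113.5"),
]

if __name__ == "__main__":
    hits = find_key_usage(SAMPLE_LOG_LINES, LEAKED_EMAIL, LEAKED_KEY_ID, WINDOW_START, WINDOW_END)
    for h in hits:
        print(h)
    print("caller IPs:", caller_ips(hits))
```

Any hit from an address outside your own infrastructure, or any write or delete method, turns the finding from "key leaked" into "key used", which is what decides whether the incident needs a wider response than rotating the key.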