Backdooring a Google Cloud service account through its IAM policy

June 29, 2023


An attacker with access to your Google Cloud project can persist by backdooring the IAM policy of an existing service account.

Understanding Impact

Business Impact

When an attacker backdoors a service account, they may continue to have access for an extended period of time even when the root cause of the breach is identified and fixed.

Technical Impact

An attacker can persist in the Google Cloud project by adding a binding to an existing service account's IAM policy that grants the attacker permission to generate short-lived credentials for this service account ("service account impersonation"). Any user that has the role iam.serviceAccountTokenCreator on a service account can impersonate it, for instance using the gcloud CLI flag --impersonate-service-account.


The Google Cloud Admin logs event google.iam.admin.v1.SetIAMPolicy is generated when the IAM policy of a service account is updated. You can monitor for unusual changes, such as service account impersonation permissions being granted to an external user.

After backdooring the service account IAM policy, when the attacker impersonates the service account, the Google Cloud Admin logs event GenerateAccessToken is generated if IAM audit logs for data access activity are enabled in your project.
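The following is an added detection example, not code from the original page or from Stratus Red Team: it scans JSON audit-log lines for SetIAMPolicy calls on a service account that ADD iam.serviceAccountTokenCreator to a member outside a set of trusted domains. The entries are constructed sample data, and the field layout (protoPayload.serviceData.policyDelta.bindingDeltas with action/role/member) is modeled on IAM audit logs rather than copied from a real capture.

```python
import json

# Role named on the page: whoever holds it on a service account can impersonate it.
IMPERSONATION_ROLES = {"roles/iam.serviceAccountTokenCreator"}


def is_external(member, trusted_domains):
    """True when an IAM member (user:, serviceAccount:, group:, domain:) is outside
    trusted_domains. allUsers/allAuthenticatedUsers and members with no domain count as external."""
    if member in ("allUsers", "allAuthenticatedUsers"):
        return True
    kind, _, principal = member.partition(":")
    if kind == "domain":
        return principal not in trusted_domains
    return principal.rsplit("@", 1)[-1] not in trusted_domains


def find_impersonation_grants(log_lines, trusted_domains):
    """Return one finding per SetIAMPolicy binding that grants an impersonation role
    on a service account to an external member (REMOVE deltas are ignored)."""
    hits = []
    for line in log_lines:
        payload = json.loads(line).get("protoPayload", {})
        if payload.get("methodName") != "google.iam.admin.v1.SetIAMPolicy":
            continue
        if "/serviceAccounts/" not in payload.get("resourceName", ""):
            continue  # policy change on a project/bucket/etc., out of scope here
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for d in deltas:
            if (d.get("action") == "ADD" and d.get("role") in IMPERSONATION_ROLES
                    and is_external(d.get("member", ""), trusted_domains)):
                hits.append({"actor": payload.get("authenticationInfo", {}).get("principalEmail"),
                             "member": d["member"], "role": d["role"],
                             "service_account": payload["resourceName"]})
    return hits


def _entry(sa_id, actor, action, member):
    """Build one constructed SetIAMPolicy audit-log line (sample data, not a real log)."""
    return json.dumps({"protoPayload": {
        "methodName": "google.iam.admin.v1.SetIAMPolicy",
        "resourceName": f"projects/-/serviceAccounts/{sa_id}",
        "authenticationInfo": {"principalEmail": actor},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": action, "role": "roles/iam.serviceAccountTokenCreator", "member": member}]}}}})


TRUSTED = {"example.com", "myproject.iam.gserviceaccount.com"}  # assumed org domains
SAMPLE_LOG = [  # constructed: one external grant, one internal grant, one revocation
    _entry("111111111111111111111", "compromised-admin@example.com", "ADD", "user:attacker@attacker-domain.test"),
    _entry("222222222222222222222", "devops@example.com", "ADD", "serviceAccount:ci@myproject.iam.gserviceaccount.com"),
    _entry("111111111111111111111", "secops@example.com", "REMOVE", "user:attacker@attacker-domain.test"),
]
```

Running find_impersonation_grants(SAMPLE_LOG, TRUSTED) flags only the first entry; the internal CI grant and the later revocation are left alone, which keeps the alert focused on the pattern the page describes.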

Reproduce the attack

You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:

stratus detonate gcp.persistence.backdoor-service-account-policy

See also the related documentation.