Any permission granted to any principal over any service account, for example, to impersonate a service account or create keys for that service account. This includes predefined service account IAM roles granted at the parent project, folder or organization-level.
Category: IAM, Keys & Secrets Changes
Use Cases: Detect, Audit
Data Sources: Audit Logs - Admin Activity
BigQuery | Log Analytics | Google SecOps |
---|---|---|
SQL | SQL | YARA-L |
Grant IAM role serviceAccountTokenCreator
to a principal over an existing service account
Name | Description | Type | Default Value |
---|---|---|---|
service-account | Email account of service account over which a role will be granted | String | my-service-account@my-project.iam.gserviceaccount.com |
principal | ID of principal (user, group or service account) to which a role will be granted | String | user:my-user@example.com |
gcloud iam service-accounts add-iam-policy-binding #{service-account} \
--member=#{principal} --role=roles/iam.serviceAccountTokenCreator
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"status": {
},
"authenticationInfo": {
"principalEmail": "admin@example.com",
"principalSubject": "user:admin@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"callerSuppliedUserAgent": "<redacted>",
"requestAttributes": {
"time": "2022-05-02T21:52:50.576347902Z",
"auth": {
}
},
"destinationAttributes": {
}
},
"serviceName": "iam.googleapis.com",
"methodName": "google.iam.admin.v1.SetIAMPolicy",
"authorizationInfo": [
{
"permission": "iam.serviceAccounts.setIamPolicy",
"granted": true,
"resourceAttributes": {
}
}
],
"resourceName": "projects/-/serviceAccounts/123456789",
"serviceData": {
"@type": "type.googleapis.com/google.iam.v1.logging.AuditData",
"policyDelta": {
"bindingDeltas": [
{
"action": "ADD",
"role": "roles/iam.serviceAccountTokenCreator",
"member": "user:test-user@example.com"
}
]
}
},
"request": {
"resource": "projects/my-project/serviceAccounts/123456789",
"policy": {
"bindings": [
{
"members": [
"user:test-user@example.com"
],
"role": "roles/iam.serviceAccountTokenCreator"
}
],
"etag": "BwXeDmj5wbY=",
"version": 3
},
"@type": "type.googleapis.com/google.iam.v1.SetIamPolicyRequest"
},
"response": {
"etag": "BwXeDmndGQ4=",
"bindings": [
{
"role": "roles/iam.serviceAccountTokenCreator",
"members": [
"user:test-user@example.com"
]
}
],
"@type": "type.googleapis.com/google.iam.v1.Policy",
"version": 1
}
},
"insertId": "ivg77odhkvt",
"resource": {
"type": "service_account",
"labels": {
"project_id": "my-project",
"unique_id": "1234567890123456789",
"email_id": "sa-100@1234.iam.gserviceaccount.com"
}
},
"timestamp": "2022-05-02T21:52:50.425669508Z",
"severity": "NOTICE",
"logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity",
"receiveTimestamp": "2022-05-02T21:52:51.172264363Z"
}