C-GCP-SA-IMPERSONATEPrivilege Escalation

GCP Service Account Impersonation

iam.serviceAccounts.getAccessToken on a higher-priv SA — exchange your identity for its access token.

§ Where this technique fits

C-GCP-SA-IMPERSONATE is catalogued under the Privilege Escalation tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 3 on average.

§ Dossiers chaining this technique

GCP service account impersonation chain → project owner
Compromised low-priv SA has iam.serviceAccounts.getAccessToken on an intermediate SA; hop through 2-3 impersonations until you reach a project Owner.
step 3 / 6

§ What commonly comes next

01
GCP iam.serviceAccountKeys.create
C-GCP-SA-KEY-CREATE · Privilege Escalation
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

GCP service account impersonation chain → project owner

§ What commonly comes next