Permissions granted to impersonate a service account
Category: IAM, Keys & Secrets Changes
Use Cases: Detect, Audit
Data Sources: Audit Logs - Admin Activity
| BigQuery | Chronicle | Log Analytics |
|---|---|---|
| SQL | Contribute rule | SQL |
No event generation steps provided. Contribute emulation test to this use case.
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"status": {
},
"authenticationInfo": {
"principalEmail": "[email protected]",
"principalSubject": "user:[email protected]"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"callerSuppliedUserAgent": "<redacted>",
"requestAttributes": {
"time": "2022-05-02T21:52:50.576347902Z",
"auth": {
}
},
"destinationAttributes": {
}
},
"serviceName": "iam.googleapis.com",
"methodName": "google.iam.admin.v1.SetIAMPolicy",
"authorizationInfo": [
{
"permission": "iam.serviceAccounts.setIamPolicy",
"granted": true,
"resourceAttributes": {
}
}
],
"resourceName": "projects/-/serviceAccounts/123456789",
"serviceData": {
"@type": "type.googleapis.com/google.iam.v1.logging.AuditData",
"policyDelta": {
"bindingDeltas": [
{
"action": "ADD",
"role": "roles/iam.serviceAccountTokenCreator",
"member": "user:[email protected]"
}
]
}
},
"request": {
"resource": "projects/my-project/serviceAccounts/123456789",
"policy": {
"bindings": [
{
"members": [
"user:[email protected]"
],
"role": "roles/iam.serviceAccountTokenCreator"
}
],
"etag": "BwXeDmj5wbY=",
"version": 3
},
"@type": "type.googleapis.com/google.iam.v1.SetIamPolicyRequest"
},
"response": {
"etag": "BwXeDmndGQ4=",
"bindings": [
{
"role": "roles/iam.serviceAccountTokenCreator",
"members": [
"user:[email protected]"
]
}
],
"@type": "type.googleapis.com/google.iam.v1.Policy",
"version": 1
}
},
"insertId": "ivg77odhkvt",
"resource": {
"type": "service_account",
"labels": {
"project_id": "my-project",
"unique_id": "1234567890123456789",
"email_id": "[email protected]"
}
},
"timestamp": "2022-05-02T21:52:50.425669508Z",
"severity": "NOTICE",
"logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity",
"receiveTimestamp": "2022-05-02T21:52:51.172264363Z"
}