Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers)

This document describes a threat finding type in Security Command Center. Threat findings are generated by [threat detectors](/security-command-center/docs/concepts-security-sources#threats) when they detect a potential threat in your cloud resources. For a full list of available threat findings, see [Threat findings index](/security-command-center/docs/threat-findings-index).

Overview

A leaked service account key was used to authenticate an action. In this context, a leaked service account key is one that was posted on the public internet. For example, service account keys are often mistakenly posted in public GitHub repositories.
How to respond

To respond to this finding, do the following:

Step 1: Review finding details

1. Open the `Initial Access: Leaked Service Account Key Used` finding, as directed in [Reviewing findings](/security-command-center/docs/how-to-investigate-threats#reviewing_findings).
2. In the finding details, on the **Summary** tab, note the values of the following fields.

   Under **What was detected**:
   - **Principal email**: the service account used in this action
   - **Service name**: the API name of the Google Cloud service that was accessed by the service account
   - **Method name**: the method name of the action
   - **Service account key name**: the leaked service account key used to authenticate this action
   - **Description**: the description of what was detected, including the location on the public internet where the service account key can be found

   Under **Affected resource**:
   - **Resource display name**: the resource involved in the action
Step 2: Check logs

1. In the Google Cloud console, go to **Logs Explorer** by clicking the link in **Cloud Logging URI**.
2. On the Google Cloud console toolbar, select your project or organization.
3. On the page that loads, find related logs by using the following filter:

   - `protoPayload.authenticationInfo.principalEmail="PRINCIPAL_EMAIL"`
   - `protoPayload.authenticationInfo.serviceAccountKeyName="SERVICE_ACCOUNT_KEY_NAME"`

   Replace PRINCIPAL_EMAIL with the value that you noted in the **Principal email** field in the finding details. Replace SERVICE_ACCOUNT_KEY_NAME with the value that you noted in the **Service account key name** field in the finding details.
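The Logs Explorer step above narrows the audit trail to one principal and one key. The script below is an added example, not part of the Security Command Center documentation or of any Google tool: it applies that same two-field filter to Cloud Audit Log entries exported as JSON (for example with `gcloud logging read '<filter>' --format=json`) and summarises the services, methods, resources and caller IPs the leaked key touched, so the blast radius can be scoped before Step 3. Filtering on the exact key name matters because other keys of the same service account may belong to legitimate workloads. All log entries, emails, IP addresses and key names in it are constructed sample data.

```python
"""Triage the actions performed with a leaked service account key.

Added example for the Step 2 log check; not part of the Security Command
Center documentation. Applies the finding's two-field Logs Explorer filter
(protoPayload.authenticationInfo.principalEmail and
protoPayload.authenticationInfo.serviceAccountKeyName) to a JSON export of
Cloud Audit Logs and summarises what the key was used for.
"""
import json
from collections import Counter
from dataclasses import dataclass

# Constructed values standing in for the finding's "Principal email" and
# "Service account key name" fields.
PRINCIPAL_EMAIL = "ci-deployer@example-project.iam.gserviceaccount.com"
_KEY_PREFIX = ("//iam.googleapis.com/projects/example-project/serviceAccounts/"
               f"{PRINCIPAL_EMAIL}/keys/")
LEAKED_KEY_NAME = _KEY_PREFIX + "0123456789abcdef0123456789abcdef01234567"
OTHER_KEY_NAME = _KEY_PREFIX + "fedcba9876543210fedcba9876543210fedcba98"


def _entry(ts, principal, key_name, service, method, resource, caller_ip):
    """Build a minimal audit LogEntry in the shape Cloud Logging exports (constructed)."""
    auth = {"principalEmail": principal}
    if key_name:  # absent for human principals, who do not authenticate with a key
        auth["serviceAccountKeyName"] = key_name
    return {
        "timestamp": ts,
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "authenticationInfo": auth,
            "serviceName": service,
            "methodName": method,
            "resourceName": resource,
            "requestMetadata": {"callerIp": caller_ip},
        },
    }


# Constructed export: two calls with the leaked key, one with a different key of the
# same service account (a legitimate workload), and one by a human principal.
SAMPLE_EXPORT = json.dumps([
    _entry("2025-09-01T10:14:02Z", PRINCIPAL_EMAIL, LEAKED_KEY_NAME,
           "compute.googleapis.com", "v1.compute.instances.insert",
           "projects/example-project/zones/us-central1-a/instances/unknown-vm-01",
           "198.51.100.23"),
    _entry("2025-09-01T10:00:00Z", PRINCIPAL_EMAIL, OTHER_KEY_NAME,
           "cloudbuild.googleapis.com", "google.devtools.cloudbuild.v1.CloudBuild.CreateBuild",
           "projects/example-project/builds/4f2c", "10.128.0.5"),
    _entry("2025-09-01T09:58:40Z", PRINCIPAL_EMAIL, LEAKED_KEY_NAME,
           "storage.googleapis.com", "storage.buckets.list", "projects/_/buckets",
           "203.0.113.9"),
    _entry("2025-09-01T09:30:12Z", "alice@example.com", "",
           "compute.googleapis.com", "v1.compute.instances.list",
           "projects/example-project/zones/us-central1-a/instances", "192.0.2.10"),
])


@dataclass(frozen=True)
class KeyAction:
    timestamp: str
    service: str
    method: str
    resource: str
    caller_ip: str


def logs_explorer_filter(principal_email: str, key_name: str) -> str:
    """The Step 2 filter with its placeholders filled in; Logs Explorer ANDs the two lines."""
    return (f'protoPayload.authenticationInfo.principalEmail="{principal_email}"\n'
            f'protoPayload.authenticationInfo.serviceAccountKeyName="{key_name}"')


def used_leaked_key(entry: dict, principal_email: str, key_name: str) -> bool:
    """True only when both the principal and the exact key name match."""
    auth = entry.get("protoPayload", {}).get("authenticationInfo", {})
    return (auth.get("principalEmail") == principal_email
            and auth.get("serviceAccountKeyName") == key_name)


def actions_by_key(entries, principal_email, key_name) -> list[KeyAction]:
    """Matching calls in chronological order (same-format RFC 3339 UTC stamps sort lexically)."""
    rows = []
    for e in entries:
        if not used_leaked_key(e, principal_email, key_name):
            continue
        p = e["protoPayload"]
        rows.append(KeyAction(e.get("timestamp", ""), p.get("serviceName", ""),
                              p.get("methodName", ""), p.get("resourceName", ""),
                              p.get("requestMetadata", {}).get("callerIp", "")))
    return sorted(rows, key=lambda r: r.timestamp)


def triage(export_text: str, principal_email: str, key_name: str) -> dict:
    """Parse a JSON export and summarise the blast radius of the leaked key."""
    actions = actions_by_key(json.loads(export_text), principal_email, key_name)
    return {
        "count": len(actions),
        "first_seen": actions[0].timestamp if actions else None,
        "last_seen": actions[-1].timestamp if actions else None,
        "by_method": Counter((a.service, a.method) for a in actions),
        "caller_ips": sorted({a.caller_ip for a in actions if a.caller_ip}),
        "resources": sorted({a.resource for a in actions if a.resource}),
    }


if __name__ == "__main__":
    print(logs_explorer_filter(PRINCIPAL_EMAIL, LEAKED_KEY_NAME))
    for field, value in triage(SAMPLE_EXPORT, PRINCIPAL_EMAIL, LEAKED_KEY_NAME).items():
        print(f"{field}: {value}")
```

On the constructed export, the leaked key accounts for two of the four entries (a bucket listing and an instance creation from two unrelated IP addresses); the Cloud Build call made with the service account's other key is correctly left out, which is why the filter carries the key name and not only the principal. The `resources` list feeds directly into the Step 3 search for unfamiliar Compute Engine instances and other resources.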
Step 3: Implement your response

The following response plan might be appropriate for this finding, but might also impact operations. Carefully evaluate the information you gather in your investigation to determine the best way to resolve findings.

- Revoke the service account key immediately in the [Service Accounts page](https://console.cloud.google.com/iam-admin/serviceaccounts).
- Take down the web page or GitHub repository where the service account key is posted.
- Consider [deleting the compromised service account](/iam/docs/service-accounts-delete-undelete#deleting).
- Rotate and delete all service account access keys for the potentially compromised project. After deletion, applications that use the service account for authentication lose access. Before deleting, your security team should identify all impacted applications and work with application owners to ensure business continuity.
- Work with your security team to identify unfamiliar resources, including Compute Engine instances, snapshots, service accounts, and IAM users. Delete resources not created with authorized accounts.
- Respond to any notifications from Cloud Customer Care.
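The rotation step above has to balance cutting off the leaked key against breaking applications that depend on the service account's other keys. The script below is an added example, not part of the Security Command Center documentation or of the gcloud CLI: it reads the key inventory that `gcloud iam service-accounts keys list --iam-account EMAIL --format=json` returns (a constructed sample is embedded), matches the finding's **Service account key name** to the inventory by key ID, and produces a two-phase plan: disable the leaked key first and every other user-managed key after it, then delete once application owners have confirmed they have moved off the keys. Disabling is reversible, so an application that breaks can be identified and re-enabled briefly while it migrates, which is the business-continuity check the step asks for. Google-managed (`SYSTEM_MANAGED`) keys are skipped because they are rotated by Google and cannot be deleted by users. Emails, key IDs and timestamps are constructed.

```python
"""Plan the key rotation called for in Step 3 from one service account's key inventory.

Added example, not part of the Security Command Center documentation. Input is
the JSON from `gcloud iam service-accounts keys list --iam-account EMAIL
--format=json`; output is an ordered plan and the gcloud commands for each phase.
"""
import json

SA_EMAIL = "ci-deployer@example-project.iam.gserviceaccount.com"  # constructed
# Constructed stand-in for the finding's "Service account key name" (audit-log form).
LEAKED_KEY_NAME = ("//iam.googleapis.com/projects/example-project/serviceAccounts/"
                   f"{SA_EMAIL}/keys/0123456789abcdef0123456789abcdef01234567")


def _key(key_id_hex, key_type, valid_after, disabled=False,
         valid_before="9999-12-31T23:59:59Z"):
    """One inventory entry in the shape `gcloud ... keys list --format=json` emits (constructed)."""
    key = {
        "name": f"projects/example-project/serviceAccounts/{SA_EMAIL}/keys/{key_id_hex}",
        "keyType": key_type,
        "keyAlgorithm": "KEY_ALG_RSA_2048",
        "keyOrigin": "GOOGLE_PROVIDED",
        "validAfterTime": valid_after,
        "validBeforeTime": valid_before,
    }
    if disabled:
        key["disabled"] = True  # proto3 JSON omits the field when it is false
    return key


# Constructed inventory: one Google-managed key, the leaked key, a second live
# user-managed key and an old user-managed key that is already disabled.
SAMPLE_INVENTORY = json.dumps([
    _key("9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b", "SYSTEM_MANAGED",
         "2025-08-30T00:00:00Z", valid_before="2025-09-13T00:00:00Z"),
    _key("fedcba9876543210fedcba9876543210fedcba98", "USER_MANAGED", "2025-03-12T08:00:00Z"),
    _key("0123456789abcdef0123456789abcdef01234567", "USER_MANAGED", "2024-11-02T14:21:09Z"),
    _key("1111222233334444555566667777888899990000", "USER_MANAGED", "2023-06-01T00:00:00Z",
         disabled=True),
])


def key_id(name: str) -> str:
    """Key ID is the last path segment in both the audit-log form
    (//iam.googleapis.com/projects/.../keys/ID) and the gcloud form (projects/.../keys/ID)."""
    return name.rstrip("/").rsplit("/", 1)[-1]


def plan_key_rotation(inventory_text: str, sa_email: str, leaked_key_name: str) -> list[dict]:
    """Classify every key and order them: leaked first, other user-managed keys oldest
    first, Google-managed keys last (no action possible)."""
    leaked_id = key_id(leaked_key_name)
    steps = []
    for key in json.loads(inventory_text):
        # Sanity check that the inventory really belongs to the account in the finding.
        if f"/serviceAccounts/{sa_email}/keys/" not in key["name"]:
            continue
        kid = key_id(key["name"])
        if key.get("keyType") != "USER_MANAGED":
            kind = "system_managed"
        elif kid == leaked_id:
            kind = "leaked"
        else:
            kind = "user_managed"
        steps.append({"key_id": kid, "kind": kind,
                      "created": key.get("validAfterTime", ""),
                      "already_disabled": bool(key.get("disabled", False))})
    order = {"leaked": 0, "user_managed": 1, "system_managed": 2}
    return sorted(steps, key=lambda s: (order[s["kind"]], s["created"]))


def rotation_commands(plan: list[dict], sa_email: str) -> dict[str, list[str]]:
    """Phase 1 runs now and is reversible; phase 2 runs after owners confirm migration."""
    actionable = [s for s in plan if s["kind"] != "system_managed"]
    return {
        "disable_now": [
            f"gcloud iam service-accounts keys disable {s['key_id']} --iam-account={sa_email}"
            for s in actionable if not s["already_disabled"]],
        "delete_after_validation": [
            f"gcloud iam service-accounts keys delete {s['key_id']} --iam-account={sa_email} --quiet"
            for s in actionable],
    }


if __name__ == "__main__":
    plan = plan_key_rotation(SAMPLE_INVENTORY, SA_EMAIL, LEAKED_KEY_NAME)
    for step in plan:
        print(step)
    for phase, cmds in rotation_commands(plan, SA_EMAIL).items():
        print(f"\n# {phase}")
        print("\n".join(cmds) or "# nothing to do")
```

The step says to rotate keys for the whole potentially compromised project, so in practice the plan is generated once per service account returned by `gcloud iam service-accounts list --project PROJECT_ID --format='value(email)'`. Keep the generated command list with the incident record: it documents exactly which key IDs were cut off and when.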
What's next

- Learn [how to work with threat findings in Security Command Center](/security-command-center/docs/how-to-investigate-threats).
- Refer to the [Threat findings index](/security-command-center/docs/threat-findings-index).
- Learn how to [review a finding](/security-command-center/docs/how-to-investigate-threats#reviewing_findings) through the Google Cloud console.
- Learn about the [services that generate threat findings](/security-command-center/docs/concepts-security-sources#threats).

Last updated 2025-09-04 UTC.