As a follow-up to my previous post, I want to share a way to detect service account impersonation with Google Cloud Platform native tools.

Ensure sufficient logging is enabled: navigate to the “Audit Logs” configuration page, select the “Identity and Access Management (IAM) API” entry and enable “Admin Read” and “Data Read” for the IAM logs.

(Screenshot: Audit Logs configuration, “Identity and Access Management (IAM) API” row)

The above will allow the token generation events to be written to Cloud Logging. These Data Access audit logs are not enabled by default, so until you switch them on the impersonation calls will not appear at all.



Query logs

To find the events we are interested in, run the following query. It returns every occurrence, so you will most likely see more results than you expect; use it for a first look at whether anything is out of the ordinary.



Focus on a single account

To focus on the events of a single account, add this to the query.


Detecting anomalies

If you can establish a list of service accounts that you know legitimately use impersonation, you can look for events triggered by principals that are not on your list.

To exclude a single account, add the following to the query; note the leading “-”, which negates the term.


Helpful script

You can use this script to generate the exclusion entries for the service accounts you want to exclude, based on a list of service accounts (one per line, no quotes).

#!/bin/bash
# Print one negated principalEmail term per service account in the list file.
if [ -z "$1" ]; then
  echo "Missing service account list file" >&2
  exit 1
fi

SA_NAME_LIST=$(cat "$1")

for name in $SA_NAME_LIST; do
  echo "-protoPayload.authenticationInfo.principalEmail=\"$name\""
done

Final query

Below you can see an example of how your query should look with multiple exclusions. Save the query for future use; in the next part we will set up monitoring and alerting on top of it, so stick around.
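The steps above (base query, optional focus on one principal, exclusions generated from an allowlist) can be combined into a single script. The one below is an added example, not the post’s own query or script. It assumes, from Google Cloud’s audit log documentation rather than from this page, that impersonation token requests are logged with protoPayload.methodName="GenerateAccessToken" and protoPayload.serviceName="iamcredentials.googleapis.com", that the caller is protoPayload.authenticationInfo.principalEmail and the impersonated account is protoPayload.resourceName. The allowlist file format is the same as in the helper script above.

```bash
#!/bin/bash
# Added example (not from the original post): build the complete Cloud Logging
# filter for service account impersonation from an allowlist of known callers,
# then optionally run it with gcloud.
#
# Assumptions not shown on the original page (its queries were images):
#   - token requests are logged as protoPayload.methodName="GenerateAccessToken"
#     by the Service Account Credentials API (iamcredentials.googleapis.com);
#   - the caller is protoPayload.authenticationInfo.principalEmail and the
#     impersonated account is protoPayload.resourceName.
set -eu

# Print the filter. Arguments:
#   $1  optional principal to focus on (empty string for all principals)
#   $2  optional allowlist file: one principal email per line, no quotes;
#       blank lines and lines starting with # are ignored
# Separate lines in a Logging filter are ANDed; a leading "-" negates a term.
impersonation_filter() {
  local focus="${1:-}" allowlist="${2:-}" name
  printf '%s\n' 'protoPayload.serviceName="iamcredentials.googleapis.com"'
  printf '%s\n' 'protoPayload.methodName="GenerateAccessToken"'
  if [ -n "$focus" ]; then
    printf 'protoPayload.authenticationInfo.principalEmail="%s"\n' "$focus"
  fi
  if [ -n "$allowlist" ]; then
    # "|| [ -n "$name" ]" also handles a last line without a trailing newline.
    while IFS= read -r name || [ -n "$name" ]; do
      case "$name" in ''|'#'*) continue ;; esac
      printf '%s"%s"\n' '-protoPayload.authenticationInfo.principalEmail=' "$name"
    done < "$allowlist"
  fi
}

# Run the filter against the current gcloud project, last 24 hours, showing
# when the call happened, who made it and which account was impersonated.
run_query() {
  gcloud logging read "$1" \
    --freshness=24h --limit=200 \
    --format='table(timestamp,protoPayload.authenticationInfo.principalEmail,protoPayload.resourceName)'
}

# Usage: RUN_IMPERSONATION_QUERY=1 ./detect-impersonation.sh [allowlist_file]
# The environment variable guard keeps the functions sourceable without
# immediately calling gcloud.
if [ "${RUN_IMPERSONATION_QUERY:-}" = "1" ]; then
  run_query "$(impersonation_filter "" "${1:-}")"
fi
```

Anything the query returns is a principal minting an access token for a service account that is not on your allowlist, which is exactly the anomaly described above. If your workloads also mint ID tokens through the same API, add the GenerateIdToken method to the filter in the same way, otherwise those calls will be missed.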