An attacker may attempt to impersonate several GCP service accounts. Service account impersonation in GCP retrieves temporary credentials that let the caller act as that service account.
Service account impersonation
There are three ways in which you can impersonate another service account:
- Authentication using RSA private keys (covered above)
- Authorization using Cloud IAM policies (covered below)
- Deploying jobs on GCP services (more applicable to the compromise of a user account)
It's possible that the service account you are currently authenticated as has permission to impersonate other accounts with more permissions and/or a less restrictive scope. This behavior is authorized by the predefined role called iam.serviceAccountTokenCreator.
A good example here is that you've compromised an instance running as a custom service account with this role, and the default service account still exists in the project. As the default service account has the primitive role of Project Editor, it is possibly even more powerful than the custom account.
Even better, you might find a service account with the primitive role of Owner. This gives you full permissions, and is a good target to then grant your own Google account rights to log in to the project using the web console.
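As a defensive counterpart to the behaviour described above, here is an added Python example (not code from the original page): it scans constructed Cloud Audit Log entries for calls to the IAM Credentials API (the API that mints impersonated credentials), marks service-account-to-service-account chaining, and lists members holding iam.serviceAccountTokenCreator in a project-level IAM policy, where the grant covers every service account in the project. The log field names follow the Cloud Audit Log schema; the project name, emails and entries are constructed sample data.

```python
import json

# Cloud Audit Log method names emitted by iamcredentials.googleapis.com when
# a principal mints credentials for a service account (the impersonation step).
IMPERSONATION_METHODS = {"GenerateAccessToken", "GenerateIdToken",
                         "SignBlob", "SignJwt"}
TOKEN_CREATOR_ROLE = "roles/iam.serviceAccountTokenCreator"

# Constructed sample entries (newline-delimited JSON as exported from Logging).
SAMPLE_LOG = [
    json.dumps({"protoPayload": {
        "serviceName": "iamcredentials.googleapis.com",
        "methodName": "GenerateAccessToken",
        "authenticationInfo": {"principalEmail":
            "custom-sa@example-project.iam.gserviceaccount.com"},
        "resourceName": "projects/-/serviceAccounts/"
                        "123456-compute@developer.gserviceaccount.com"}}),
    json.dumps({"protoPayload": {
        "serviceName": "compute.googleapis.com",
        "methodName": "v1.compute.instances.list",
        "authenticationInfo": {"principalEmail": "alice@example.com"}}}),
]
# Constructed project-level IAM policy (shape of `gcloud projects get-iam-policy`).
SAMPLE_POLICY = {"bindings": [
    {"role": TOKEN_CREATOR_ROLE, "members":
        ["serviceAccount:custom-sa@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["user:alice@example.com"]},
]}

def detect_impersonation(log_lines):
    """Return (caller, target_sa, method, sa_chaining) per impersonation event.
    sa_chaining is True when the caller is itself a service account, i.e. one
    SA minting credentials for another, the scenario described above."""
    findings = []
    for line in log_lines:
        payload = json.loads(line).get("protoPayload", {})
        if payload.get("serviceName") != "iamcredentials.googleapis.com":
            continue
        if payload.get("methodName") not in IMPERSONATION_METHODS:
            continue
        caller = payload.get("authenticationInfo", {}).get("principalEmail", "?")
        # resourceName is projects/-/serviceAccounts/<target sa email>
        target = payload.get("resourceName", "").rsplit("/", 1)[-1]
        findings.append((caller, target, payload["methodName"],
                         caller.endswith("gserviceaccount.com")))
    return findings

def project_wide_token_creators(policy):
    """Members with serviceAccountTokenCreator bound at project level: they can
    mint credentials for every SA in the project, the over-broad grant to fix
    by moving the binding onto individual service accounts."""
    return [m for b in policy.get("bindings", [])
            if b.get("role") == TOKEN_CREATOR_ROLE for m in b.get("members", [])]
```

Feeding real exported log lines and a real project policy into the two functions gives the audit trail and the binding review a defender would use to confirm whether such chaining is possible or has already happened.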