GCP Service Account Key Detection

Google Cloud service account keys are JSON files containing private keys that grant programmatic access to GCP resources. Unlike AWS keys which are short strings, GCP keys are full JSON documents — making them harder to detect with simple pattern matching but equally dangerous when exposed.

Verified by Precogs Threat Research
Tags: gcp, google-cloud, service-account, credentials. Updated: 2026-03-22

GCP Key Format Challenges

GCP service account keys are JSON files with fields like client_email, private_key, and project_id. They can be base64-encoded, stored as environment variables, or embedded in application configuration. The private key portion is a 1700+ character PEM-encoded RSA key, which is harder to detect than the 40-character AWS secret key.

Common Exposure Scenarios

GCP keys leak through: JSON key files committed to git, GOOGLE_APPLICATION_CREDENTIALS pointing to checked-in files, CI/CD secrets in GitHub Actions or GitLab CI, Docker images with keys baked into the filesystem, Terraform state files containing GCP credentials, and Kubernetes secrets without encryption at rest.

Precogs AI GCP Key Detection

Precogs AI detects GCP service account keys by parsing JSON structures for the characteristic field pattern (type, project_id, private_key_id, private_key, client_email). We also detect base64-encoded keys, GCP OAuth tokens (ya29.*), and API keys in source code and config files across all code surfaces.
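The field-pattern approach described above (raw JSON, base64-wrapped JSON and `ya29.` tokens), as an added example written for this page rather than Precogs' own detector; the sample key is constructed and contains no real private key, and the 200-character base64 floor and 20-character token tail are assumed thresholds:

```python
"""Scan text for leaked GCP service account keys (added example, not Precogs' code)."""
import base64
import json
import re

# Field set that characterises a key file; these objects are flat (no nesting).
SA_FIELDS = {"type", "project_id", "private_key_id", "private_key", "client_email"}
PEM_RE = re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----")
OAUTH_RE = re.compile(r"\bya29\.[0-9A-Za-z_\-]{20,}")      # GCP OAuth2 access tokens
B64_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")           # long unbroken base64 runs
JSON_RE = re.compile(r"\{[^{}]*\}", re.S)                    # flat JSON objects only

def is_sa_key(obj) -> bool:
    """True if a parsed JSON value has the key-file field pattern and a PEM private key."""
    return (isinstance(obj, dict)
            and obj.get("type") == "service_account"
            and SA_FIELDS.issubset(obj)
            and bool(PEM_RE.search(str(obj["private_key"]))))

def _json_objects(text):
    for m in JSON_RE.finditer(text):
        try:
            yield json.loads(m.group(0))
        except ValueError:
            continue

def scan(text: str) -> list:
    """Return (kind, detail) findings for raw keys, base64-wrapped keys and ya29 tokens."""
    findings = [("sa_key_json", o["client_email"]) for o in _json_objects(text) if is_sa_key(o)]
    for m in B64_RE.finditer(text):              # e.g. GCP_KEY_B64=... in an .env file
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            continue
        findings += [("sa_key_base64", o["client_email"]) for o in _json_objects(decoded) if is_sa_key(o)]
    findings += [("oauth_token", m.group(0)[:8] + "...") for m in OAUTH_RE.finditer(text)]  # redacted
    return findings

# Constructed sample: a fake key (not a real private key) in the three forms a scanner meets.
SAMPLE_KEY = {"type": "service_account", "project_id": "example-project",
              "private_key_id": "0000constructed0000", "client_id": "0",
              "private_key": "-----BEGIN PRIVATE KEY-----\nNOTAREALKEY\n-----END PRIVATE KEY-----\n",
              "client_email": "demo-sa@example-project.iam.gserviceaccount.com",
              "token_uri": "https://oauth2.googleapis.com/token"}
SAMPLE_TEXT = "\n".join([json.dumps(SAMPLE_KEY),                                      # committed key file
                         "GCP_KEY_B64=" + base64.b64encode(json.dumps(SAMPLE_KEY).encode()).decode(),
                         "token = 'ya29.CONSTRUCTED_fake_access_token_0123456789'"])  # hard-coded token
```

Running `scan(SAMPLE_TEXT)` yields one finding of each kind; a JSON object with the same shape but `"type": "user"` or no PEM block is ignored, which keeps OAuth client files and non-key JSON out of the results.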

Attack Scenario: The Cloud Storage Ransomware Pivot

1. A developer downloads a GCP Service Account JSON key to their local machine to test a data pipeline script.
2. They place the `gcp-credentials.json` file in their active working directory, intending to use it locally via `GOOGLE_APPLICATION_CREDENTIALS`.
3. They run `git add .` without checking the `.gitignore` configuration.
4. The JSON key is committed and pushed to a public repository.
5. An attacker's scraper matches the standard GCP JSON schema and extracts the `private_key`.
6. The attacker authenticates as the Service Account (which has `roles/storage.admin`), lists all Cloud Storage buckets, downloads the sensitive customer data, then deletes the buckets and leaves a ransom note.

Real-World Code Examples

Leaked GCP Service Account JSON (CWE-798)

Google Cloud Platform (GCP) relies heavily on long-lived JSON keys for Service Account authentication outside GCP boundaries. These files contain a permanent RSA private key. If the JSON file is accidentally pushed to Git, placed in a public Docker container layer, or left on a misconfigured web server, it grants the attacker permanent, non-expiring access to the associated GCP resources.

VULNERABLE PATTERN
// VULNERABLE: Service Account JSON checked into the repository
// Found in credentials/gcp-prod-sa.json
{
  "type": "service_account",
  "project_id": "production-cluster-9921",
  "private_key_id": "d04e1f...EXPOSED...a9b",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvA...EXPOSED...=\n-----END PRIVATE KEY-----\n",
  "client_email": "kubernetes-admin@production-cluster-9921.iam.gserviceaccount.com",
  "client_id": "1149...",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token"
}
SECURE FIX
// SAFE: ADC (Application Default Credentials)
// No JSON files required. The application inherits permissions dynamically from the environment.
import { Storage } from '@google-cloud/storage';

// In Kubernetes (GKE), this utilizes Workload Identity
// On Compute Engine, it utilizes the attached Service Account
const storage = new Storage();
const [buckets] = await storage.getBuckets();

Detection & Prevention Checklist

  • Migrate entirely off static JSON Service Account keys in favor of GCP Workload Identity Federation for external access (e.g., GitHub Actions)
  • Enforce the organization policy constraint `constraints/iam.disableServiceAccountKeyCreation` at the GCP Organization root level
  • Deploy SAST tools that search specifically for JSON structures containing `type: "service_account"` together with a `private_key` block
  • Audit existing keys in the GCP console, actively retiring any keys older than 90 days
  • Scan configuration files (e.g., Terraform, Ansible) to ensure JSON blocks are not being passed as literal strings into deployment pipelines
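The key-age audit from the checklist, as an added example that is not Precogs' code: it reads the JSON array printed by `gcloud iam service-accounts keys list --format=json` (here a constructed sample with invented names and dates) and flags user-managed keys older than 90 days or with no real expiry, skipping Google-managed keys, which rotate automatically and cannot be deleted.

```python
"""Flag service account keys due for retirement (added example, not Precogs' code)."""
import json
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)
NEVER_EXPIRES_YEAR = 9999   # user-managed keys default to a validBeforeTime in the year 9999

def _parse(ts: str) -> datetime:
    """Parse the RFC 3339 timestamps gcloud prints (older Pythons reject a trailing 'Z')."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def stale_keys(keys_json: str, now: datetime) -> list:
    """Return (key_id, reasons) for USER_MANAGED keys older than MAX_AGE or without expiry."""
    stale = []
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":   # Google-managed keys rotate on their own
            continue
        created = _parse(key["validAfterTime"])
        expires = _parse(key["validBeforeTime"])
        reasons = []
        if now - created > MAX_AGE:
            reasons.append(f"age {(now - created).days}d > {MAX_AGE.days}d")
        if expires.year >= NEVER_EXPIRES_YEAR:
            reasons.append("no expiry set")
        if reasons:
            stale.append((key["name"].rsplit("/", 1)[-1], reasons))
    return stale

# Constructed sample: field names follow the gcloud JSON output, all values are invented.
SAMPLE_NOW = datetime(2026, 3, 22, tzinfo=timezone.utc)
SA = "projects/demo-project/serviceAccounts/demo-sa@demo-project.iam.gserviceaccount.com/keys/"
SAMPLE_KEYS = json.dumps([
    {"name": SA + "aaa111", "keyType": "USER_MANAGED",          # old and never expires
     "validAfterTime": "2025-01-10T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": SA + "bbb222", "keyType": "USER_MANAGED",          # recent, has an expiry
     "validAfterTime": "2026-03-01T00:00:00Z", "validBeforeTime": "2026-06-01T00:00:00Z"},
    {"name": SA + "ccc333", "keyType": "SYSTEM_MANAGED",        # Google-managed, skipped
     "validAfterTime": "2024-01-01T00:00:00Z", "validBeforeTime": "2026-12-31T00:00:00Z"},
])
```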

How Precogs AI Protects You

Precogs AI detects GCP service account JSON keys, OAuth tokens, and API keys across source code, git history, Docker images, CI/CD pipelines, Terraform state, and Kubernetes secrets — preventing GCP credential exposure.


How do you detect leaked GCP service account keys?

Precogs AI detects GCP service account JSON keys by parsing for characteristic field patterns, identifying base64-encoded keys, OAuth tokens, and API keys across source code, git history, Docker images, and CI/CD configs.

Scan for GCP Service Account Key Detection Issues

Precogs AI automatically detects leaked GCP service account keys and generates AutoFix PRs.