Asset Key Thief

Published Wed, Apr 19th, 2023


Asset Key Thief was a Google Cloud privilege escalation vulnerability. A principal holding the "Cloud Asset Viewer" role (or any other role carrying the `cloudasset.assets.searchAllResources` permission) on the Cloud Asset Inventory API, granted at the Project, Folder, or Organization level, could view and exfiltrate any user-managed Service Account private key in a project within the same Google Cloud environment, provided the key had been created or rotated within the previous 12 hours. Possession of a Service Account private key allows full assumption of that Service Account's identity and privileges, so an attacker with existing access to a Google Cloud environment would have had a persistent and reliable method of lateral movement and privilege escalation. Google has since fixed this vulnerability, but affected customers must rotate any potentially exposed keys manually.

Affected Services

Cloud Asset Inventory


Consider rotating user-managed Service Account keys created prior to 14 March 2023. Search for anomalous Service Account activity. Audit which principals hold the `cloudasset.assets.searchAllResources` permission. Search for "" ADMIN_READ data access logs.
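The two triage steps above (find user-managed keys old enough to need rotation, and find who has actually been exercising the Cloud Asset Inventory search permission) can be scripted against exported data. The following is an added example, not part of this advisory or of Google's tooling. It assumes the key list has the shape of `gcloud iam service-accounts keys list --format=json` output (`keyType`, `validAfterTime`) and that audit log entries are exported one JSON object per line in the Cloud Audit Log `AuditLog` shape (`protoPayload.serviceName`, `protoPayload.authorizationInfo`, `protoPayload.authenticationInfo.principalEmail`). The project, account names, key IDs and timestamps in the samples are constructed.

```python
"""Triage helpers for the Asset Key Thief advisory: flag user-managed service
account keys created before the fix date, and surface principals that have
exercised the Cloud Asset Inventory search permission in data access logs.
Added example; not part of the advisory or of Google's tooling."""
import json
from datetime import datetime, timezone

# Fix date from the advisory: keys created before this may have been exposed.
FIX_DATE = datetime(2023, 3, 14, tzinfo=timezone.utc)
PERMISSION = "cloudasset.assets.searchAllResources"
ASSET_SERVICE = "cloudasset.googleapis.com"

# Constructed sample in the shape of
#   gcloud iam service-accounts keys list --iam-account ... --format=json
SA = "projects/p/serviceAccounts/sa@p.iam.gserviceaccount.com"
SAMPLE_KEYS = json.dumps([
    {"name": SA + "/keys/aaa1", "keyType": "USER_MANAGED",
     "validAfterTime": "2023-01-10T09:00:00Z",
     "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": SA + "/keys/bbb2", "keyType": "USER_MANAGED",
     "validAfterTime": "2023-04-01T12:00:00Z",
     "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": SA + "/keys/ccc3", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2023-01-01T00:00:00Z",
     "validBeforeTime": "2023-01-15T00:00:00Z"},
])


def _parse_ts(ts):
    # RFC 3339 with a trailing Z; fromisoformat() on older Pythons wants +00:00.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def keys_to_rotate(keys_json, cutoff=FIX_DATE):
    """Return names of user-managed keys whose validAfterTime (creation time)
    is before the cutoff. Google-managed keys are rotated by Google and skipped."""
    out = []
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue
        if _parse_ts(key["validAfterTime"]) < cutoff:
            out.append(key["name"])
    return out


# Constructed Cloud Audit Log entries, one JSON object per line. Field names
# follow the AuditLog schema; emails, project and timestamps are made up.
def _entry(log, ts, service, who, permission, granted):
    return {"logName": "projects/p/logs/cloudaudit.googleapis.com%2F" + log,
            "timestamp": ts,
            "protoPayload": {
                "serviceName": service,
                "authenticationInfo": {"principalEmail": who},
                "authorizationInfo": [{"permission": permission,
                                       "granted": granted}]}}


SAMPLE_LOGS = "\n".join(json.dumps(e) for e in [
    _entry("data_access", "2023-02-20T10:00:00Z", ASSET_SERVICE,
           "viewer@example.com", PERMISSION, True),
    _entry("data_access", "2023-02-21T11:00:00Z", ASSET_SERVICE,
           "denied@example.com", PERMISSION, False),
    _entry("activity", "2023-02-22T12:00:00Z", "iam.googleapis.com",
           "admin@example.com", "iam.serviceAccountKeys.create", True),
])


def asset_search_callers(log_lines, permission=PERMISSION):
    """Return {principalEmail: count} of granted Cloud Asset Inventory searches
    found in data_access audit log lines. Denied attempts and other services
    are ignored; a principal with a high count is a candidate for review."""
    hits = {}
    for line in log_lines.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if "data_access" not in entry.get("logName", ""):
            continue
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != ASSET_SERVICE:
            continue
        granted = any(a.get("permission") == permission and a.get("granted")
                      for a in payload.get("authorizationInfo", []))
        if granted:
            who = payload.get("authenticationInfo", {}).get("principalEmail", "?")
            hits[who] = hits.get(who, 0) + 1
    return hits


if __name__ == "__main__":
    print("rotate:", keys_to_rotate(SAMPLE_KEYS))
    print("asset searchers:", asset_search_callers(SAMPLE_LOGS))
```

Run it against real exports by replacing `SAMPLE_KEYS` with the `gcloud` JSON for each service account and `SAMPLE_LOGS` with a Logging export filtered to `logName` ending in `data_access`; the key check deliberately uses the fix date as the cutoff rather than the 12-hour exposure window, because a defender cannot know when a given key was actually read.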

Tracked CVEs

No tracked CVEs


Disclosure Date
Tue, Feb 7th, 2023
Exploitability Period
Known ITW Exploitation
Detection Methods
Piercing Index Rating
Discovered by
Jackson Reid, SADA