Hello? Whose service account keys are these?

Lee Livsey

fwd:cloudsec Europe 2025 · Day 2 · Main Room

Lee Livsey, a security consultant at Reverse Sec specializing in GCP assessments, presented a focused examination of **long-lived service account keys** in Google Cloud Platform and why they represent a significant but underappreciated security risk. The talk centers on a real-world case study where Livsey discovered a GCP service account private key—with **Storage Admin** privileges and no expiration date—being transmitted in plaintext within HTTP responses of a Google-managed service called **Contact Center AI (CCAI)**. The finding illustrates that even Google's own partners and managed service developers make fundamental mistakes with service account key management, and that GCP's default behavior of creating non-expiring keys, combined with an organization constraint that is routinely disabled, means long-lived credentials remain pervasive across GCP environments. The talk provides practical guidance for identifying, mitigating, and eliminating these keys through federated identity and workload identity federation.
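As an added example (not code from the talk or from Reverse Sec), the check below parses the JSON that `gcloud iam service-accounts keys list --iam-account=<SA> --format=json` emits and flags the user-managed keys the talk warns about: keys carrying the no-expiry default, expired keys still present, keys past a rotation age, and disabled keys that were never deleted. The project, service account and key IDs in the sample are constructed.

```python
"""Flag long-lived GCP service account keys from gcloud JSON output.
Added example, not from the talk: parses what
`gcloud iam service-accounts keys list --iam-account=<SA> --format=json`
emits and reports user-managed keys that need attention."""
import json
from datetime import datetime, timedelta, timezone
# Sentinel expiry GCP assigns to keys created without an expiry policy.
NEVER_EXPIRES = datetime(9999, 12, 31, 23, 59, 59, tzinfo=timezone.utc)
SA = "projects/demo/serviceAccounts/bot@demo.iam.gserviceaccount.com/keys/"

# Constructed sample in the gcloud output shape; project, account, IDs are fake.
SAMPLE_KEYS_JSON = json.dumps([
    {"name": SA + "aaaa1111", "keyType": "USER_MANAGED",
     "validAfterTime": "2023-01-10T09:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": SA + "bbbb2222", "keyType": "USER_MANAGED",
     "validAfterTime": "2025-09-01T09:00:00Z", "validBeforeTime": "2025-12-01T09:00:00Z"},
    {"name": SA + "cccc3333", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2025-09-20T09:00:00Z", "validBeforeTime": "2025-10-06T09:00:00Z"},
    {"name": SA + "dddd4444", "keyType": "USER_MANAGED", "disabled": True,
     "validAfterTime": "2024-03-01T00:00:00Z", "validBeforeTime": "2026-03-01T00:00:00Z"},
])
def _ts(value):
    """Parse an RFC 3339 timestamp such as 2025-09-01T09:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_risky_keys(keys_json, now, max_age_days=90):
    """Map key ID -> reasons, for USER_MANAGED keys only.
    Google-rotated SYSTEM_MANAGED keys are skipped; the talk's risk is the
    downloaded user-managed key that can leak and never stops working."""
    findings = {}
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue
        key_id = key["name"].rsplit("/", 1)[-1]
        expires = _ts(key["validBeforeTime"])
        reasons = []
        if key.get("disabled"):
            reasons.append("disabled-not-deleted")   # finish the job: delete it
        if expires >= NEVER_EXPIRES:
            reasons.append("no-expiry")              # the GCP default
        elif expires < now:
            reasons.append("expired-still-present")
        if now - _ts(key["validAfterTime"]) > timedelta(days=max_age_days):
            reasons.append("stale")                  # overdue for rotation
        if reasons:
            findings[key_id] = reasons
    return findings
if __name__ == "__main__":
    for kid, why in find_risky_keys(SAMPLE_KEYS_JSON, datetime.now(timezone.utc)).items():
        print(kid, ", ".join(why))
```

Run it against real output by replacing `SAMPLE_KEYS_JSON` with the file `gcloud` wrote; keys that come back `no-expiry` are the ones a key-expiry organization policy would have prevented.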

AI review

A practical talk with a genuine finding — a GCP service account key with Storage Admin privileges exposed in a Google-managed service's HTTP responses. The case study is the highlight; the surrounding content on GCP key management basics, while useful for orientation, is more educational than research-grade.
