{
	"id": "a0740541-3434-4c4f-9fb6-61c8f2db97f3",
	"created_at": "2026-04-06T00:10:36.029108Z",
	"updated_at": "2026-04-10T03:22:12.352958Z",
	"deleted_at": null,
	"sha1_hash": "0489b337d71f9c1c7a87cd00cd83d23463d7946e",
	"title": "Monitor usage patterns for service accounts and keys",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 107264,
	"plain_text": "Monitor usage patterns for service accounts and keys\r\nArchived: 2026-04-05 14:22:17 UTC\r\nThis page explains how to use Cloud Monitoring to view usage metrics for your service accounts and service\r\naccount keys. These metrics let you view and track usage patterns, which can help you identify anomalies, either\r\nautomatically or manually.\r\nService accounts and service account keys appear in these metrics if they are used to call any Google API,\r\nincluding APIs that are not part of Google Cloud. The metrics include both successful and failed API calls. For\r\nexample, if an API call fails because the caller is not authorized to call that API, or because the request referred to\r\na resource that does not exist, the service account or key that was used for that API call appears in the metrics.\r\nService account keys also appear in these metrics if a system lists the keys while attempting to authenticate a\r\nrequest, even if the system doesn't use the key to authenticate the request. This behavior is most common when\r\nusing signed URLs for Cloud Storage or when authenticating to third-party applications. As a result it is possible\r\nto see usage metrics for keys that have not been used for authentication.\r\nThe following don't appear in either service account or service account key metrics:\r\nCloud Storage HMAC authentication keys\r\nRequests authenticated by API keys bound to service accounts\r\nMonitoring retains service account metrics for 6 weeks. If you need to access data for a longer time period, you\r\ncan periodically export the results to BigQuery. 
For more information, see Monitoring metric export in the\r\nSolutions documentation.\r\nAfter you use a service account or service account key, usage metrics are usually available within a few minutes.\r\nBefore you begin\r\nEnable the IAM and Cloud Monitoring APIs.\r\nRoles required to enable APIs\r\nTo enable APIs, you need the Service Usage Admin IAM role ( roles/serviceusage.serviceUsageAdmin ),\r\nwhich contains the serviceusage.services.enable permission. Learn how to grant roles.\r\nEnable the APIs\r\nRequired roles\r\nTo get the permissions that you need to view recent usage for service accounts and keys, ask your administrator to\r\ngrant you the Monitoring Viewer ( roles/monitoring.viewer ) IAM role on the project. For more information\r\nabout granting roles, see Manage access to projects, folders, and organizations.\r\nhttps://cloud.google.com/iam/docs/service-account-monitoring\r\nPage 1 of 9\n\nYou might also be able to get the required permissions through custom roles or other predefined roles.\r\nView usage metrics for all service accounts or keys\r\nTo view the usage metrics for your service accounts or service account keys, follow these steps:\r\nTo view the metrics for a monitored resource by using the Metrics Explorer, do the following:\r\n1. In the Google Cloud console, go to the  Metrics explorer page:\r\nGo to Metrics explorer\r\nIf you use the search bar to find this page, then select the result whose subheading is Monitoring.\r\n2. In the toolbar of the Google Cloud console, select your Google Cloud project. For App Hub configurations,\r\nselect the App Hub host project or the app-enabled folder's management project.\r\n3. In the Metric element, expand the Select a metric menu, enter IAM Service Account in the filter bar, and\r\nthen use the submenus to select a specific resource type and metric:\r\n1. In the Active resources menu, select IAM Service Account.\r\n2. In the Active metric categories menu, select Service_account.\r\n3. 
In the Active metrics menu, select a service account metric. The following metrics are available\r\nwithin your selected time interval:\r\nFor service account usage metrics, select Service account authentication events.\r\nFor service account key usage metrics, select Service account key authentication events.\r\n4. Click Apply.\r\n4. To add filters, which remove time series from the query results, use the Filter element.\r\n5. To combine time series, use the menus on the Aggregation element. For example, to display the CPU\r\nutilization for your VMs, based on their zone, set the first menu to Mean and the second menu to zone.\r\nAll time series are displayed when the first menu of the Aggregation element is set to Unaggregated. The\r\ndefault settings for the Aggregation element are determined by the metric type you selected.\r\n6. For quota and other metrics that report one sample per day, do the following:\r\n1. In the Display pane, set the Widget type to Stacked bar chart.\r\n2. Set the time period to at least one week.\r\nThe Cloud Monitoring API's timeSeries.list method allows you to access usage metrics\r\nprogrammatically.\r\nBefore using any of the request data, make the following replacements:\r\nPROJECT_ID : Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project .\r\nMETRIC_TYPE : The type of metric you want to check. Use one of the following values:\r\nFor service account usage metrics, use\r\niam.googleapis.com%2Fservice_account%2Fauthn_events_count .\r\nFor service account key usage metrics, use\r\niam.googleapis.com%2Fservice_account%2Fkey%2Fauthn_events_count .\r\nEND_TIME : The end of the time interval that you want to check, in percent-encoded RFC 3339 format. 
For\r\nexample, 2020-06-12T00%3A00%3A00.00Z .\r\nSTART_TIME : The start of the time interval that you want to check, in percent-encoded RFC 3339 format.\r\nFor example, 2020-04-12T00%3A00%3A00.00Z .\r\nHTTP method and URL:\r\nGET https://monitoring.googleapis.com/v3/projects/PROJECT_ID/timeSeries?filter=metric.type%3D%22METRI\r\nTo send your request, expand one of these options:\r\ncurl (Linux, macOS, or Cloud Shell)\r\nExecute the following command:\r\ncurl -X GET \\\r\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\r\n \"https://monitoring.googleapis.com/v3/projects/PROJECT_ID/timeSeries?filter=metric.type%3D%22MET\r\nPowerShell (Windows)\r\nExecute the following command:\r\n$cred = gcloud auth print-access-token\r\n$headers = @{ \"Authorization\" = \"Bearer $cred\" }\r\nInvoke-WebRequest `\r\n -Method GET `\r\n -Headers $headers `\r\n -Uri \"https://monitoring.googleapis.com/v3/projects/\r\nPROJECT_ID/timeSeries?filter=metric.type%3D%22METRIC_TYPE%22\u0026interval.endTime=END_TIME\u0026interval.start\r\nAPIs Explorer (browser)\r\nOpen the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact\r\nwith this tool to send requests. Complete any required fields and click Execute.\r\nFor more information about programmatically reading usage metrics, see Reading metric data in the Monitoring\r\ndocumentation.\r\nView usage metrics for a single service account\r\nTo view usage metrics for a single service account, follow these steps:\r\n1. In the Google Cloud console, go to the Service Accounts page.\r\nGo to Service Accounts\r\n2. Select the project that contains your service account.\r\n3. Click the email address of your service account.\r\n4. Click the Metrics tab. The Authentication traffic chart shows the usage metrics for the service account.\r\n5. 
Optional: To view the chart on the Metrics explorer page, which offers additional filtering and viewing\r\noptions, click  \u003e View in Metrics Explorer.\r\nThe Cloud Monitoring API's timeSeries.list method , when used with specific filters, allows you to get usage\r\nmetrics for a single service account. You can then use those metrics to determine when the account was last used.\r\nBefore using any of the request data, make the following replacements:\r\nPROJECT_ID : Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project .\r\nSERVICE_ACCOUNT_ID : The unique numeric ID of your service account. To find your service account's\r\nunique numeric ID, follow these steps:\r\n1. In the Google Cloud console, go to the Service Accounts page.\r\nGo to the Service Accounts page\r\n2. Click the email address of your service account. Your service account's unique numeric ID is the\r\nvalue in the Unique ID field.\r\nEND_TIME : The end of the time interval that you want to check, in percent-encoded RFC 3339 format. 
For\r\nexample, 2020-06-12T00%3A00%3A00.00Z .\r\nSTART_TIME : The start of the time interval that you want to check, in percent-encoded RFC 3339 format.\r\nFor example, 2020-04-12T00%3A00%3A00.00Z .\r\nHTTP method and URL:\r\nGET https://monitoring.googleapis.com/v3/projects/PROJECT_ID/timeSeries?filter=metric.type%3D%22iam.g\r\nTo send your request, expand one of these options:\r\ncurl (Linux, macOS, or Cloud Shell)\r\nExecute the following command:\r\ncurl -X GET \\\r\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\r\n \"https://monitoring.googleapis.com/v3/projects/PROJECT_ID/timeSeries?filter=metric.type%3D%22iam\r\nPowerShell (Windows)\r\nExecute the following command:\r\n$cred = gcloud auth print-access-token\r\n$headers = @{ \"Authorization\" = \"Bearer $cred\" }\r\nInvoke-WebRequest `\r\n -Method GET `\r\n -Headers $headers `\r\n -Uri \"https://monitoring.googleapis.com/v3/projects/\r\nPROJECT_ID/timeSeries?filter=metric.type%3D%22iam.googleapis.com%2Fservice_account%2Fauthn_events_cou\r\nAPIs Explorer (browser)\r\nOpen the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact\r\nwith this tool to send requests. Complete any required fields and click Execute.\r\nThe response contains a timeSeries object with all of the recent authentication events for the specified service\r\naccount.\r\nView usage metrics for a single service account key\r\nTo view usage metrics for a single service account key, follow these steps:\r\n1. In the Google Cloud console, go to the Service Accounts page.\r\nGo to Service Accounts\r\n2. Select the project that contains the service account associated with your key.\r\n3. Click the email address of the service account associated with your key.\r\n4. Click the Metrics tab. The Authentication traffic per key chart shows usage metrics for all keys\r\nassociated with the service account.\r\n5. 
In the chart legend, click the ID of the service account key that you want to view usage metrics for. The\r\nchart updates to show metrics for only that service account key.\r\n6. Optional: To view the chart on the Metrics explorer page, which offers additional filtering and viewing\r\noptions, click  \u003e View in Metrics Explorer.\r\nFirst, get the service account key's ID.\r\n1. List the service account keys:\r\nThe projects.serviceAccounts.keys.list method lists all of the service account keys for a service\r\naccount.\r\nBefore using any of the request data, make the following replacements:\r\nPROJECT_ID : Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project .\r\nSA_NAME : The name of the service account whose keys you want to list.\r\nKEY_TYPES : Optional. A comma-separated list of key types that you want to include in the\r\nresponse. The key type indicates whether a key is user-managed ( USER_MANAGED ) or system-managed ( SYSTEM_MANAGED ). 
If left blank, all keys are returned.\r\nHTTP method and URL:\r\nGET https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.g\r\nTo send your request, expand one of these options:\r\ncurl (Linux, macOS, or Cloud Shell)\r\nExecute the following command:\r\ncurl -X GET \\\r\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\r\n \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam\r\nPowerShell (Windows)\r\nExecute the following command:\r\n$cred = gcloud auth print-access-token\r\n$headers = @{ \"Authorization\" = \"Bearer $cred\" }\r\nInvoke-WebRequest `\r\n -Method GET `\r\n -Headers $headers `\r\n -Uri \"https://iam.googleapis.com/v1/projects/\r\nPROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys?keyTypes=KEY_TYPES\"\r\nAPIs Explorer (browser)\r\nOpen the method reference page. The APIs Explorer panel opens on the right side of the page. You can\r\ninteract with this tool to send requests. 
Complete any required fields and click Execute.\r\nYou should receive a JSON response similar to the following:\r\n{\r\n \"keys\": [\r\n {\r\n \"name\": \"projects/my-project/serviceAccounts/my-service-account@my-project.iam.gservicea\r\n \"validAfterTime\": \"2020-03-04T17:39:47Z\",\r\n \"validBeforeTime\": \"9999-12-31T23:59:59Z\",\r\n \"keyAlgorithm\": \"KEY_ALG_RSA_2048\",\r\n \"keyOrigin\": \"GOOGLE_PROVIDED\",\r\n \"keyType\": \"USER_MANAGED\"\r\n },\r\n {\r\n \"name\": \"projects/my-project/serviceAccounts/my-service-account@my-project.iam.gservicea\r\n \"validAfterTime\": \"2020-03-31T23:50:09Z\",\r\n \"validBeforeTime\": \"9999-12-31T23:59:59Z\",\r\n \"keyAlgorithm\": \"KEY_ALG_RSA_2048\",\r\n \"keyOrigin\": \"GOOGLE_PROVIDED\",\r\n \"keyType\": \"USER_MANAGED\"\r\n },\r\n {\r\n \"name\": \"projects/my-project/serviceAccounts/my-service-account@my-project.iam.gservicea\r\n \"validAfterTime\": \"2020-05-17T18:58:13Z\",\r\n \"validBeforeTime\": \"9999-12-31T23:59:59Z\",\r\n \"keyAlgorithm\": \"KEY_ALG_RSA_2048\",\r\n \"keyOrigin\": \"GOOGLE_PROVIDED\",\r\n \"keyType\": \"USER_MANAGED\",\r\n \"disabled\": true,\r\n \"disable_reason\": \"SERVICE_ACCOUNT_KEY_DISABLE_REASON_EXPOSED\",\r\n \"extended_status\": \"SERVICE_ACCOUNT_KEY_EXTENDED_STATUS_KEY_EXPOSED\",\r\n \"extended_status_message\": \"exposed at: https://www.github.com/SomePublicRepo\"\r\n }\r\n ]\r\n}\r\n2. Use the metadata in the response to identify the key you want to track. 
Then, copy the key's unique ID\r\nfrom the end of the name field.\r\nThe name field has the following format:\r\n\"name\": \"projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_EMAIL/keys/KEY_ID\"\r\nThe key's unique ID is everything after keys/ .\r\nFor example, the unique ID in the following key name is 0f561cc41650ff521899de2fd653bd3de08e2da4 :\r\n\"name\": \"projects/my-project/serviceAccounts/my-account@my-project.iam.gserviceaccount.com/key\r\nThen, use the ID to view usage metrics for the service account key.\r\nThe Cloud Monitoring API's timeSeries.list method , when used with specific filters, allows you to get usage\r\nmetrics for a single service account key. You can then use those metrics to determine when the key was last used.\r\nBefore using any of the request data, make the following replacements:\r\nPROJECT_ID : Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project .\r\nKEY_ID : The unique ID of your service account key.\r\nEND_TIME : The end of the time interval that you want to check, in percent-encoded RFC 3339 format. 
For\r\nexample, 2020-06-12T00%3A00%3A00.00Z .\r\nSTART_TIME : The start of the time interval that you want to check, in percent-encoded RFC 3339 format.\r\nFor example, 2020-04-12T00%3A00%3A00.00Z .\r\nHTTP method and URL:\r\nGET https://monitoring.googleapis.com/v3/projects/PROJECT_ID/timeSeries?filter=metric.type%3D%22iam.g\r\nTo send your request, expand one of these options:\r\ncurl (Linux, macOS, or Cloud Shell)\r\nExecute the following command:\r\ncurl -X GET \\\r\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\r\n \"https://monitoring.googleapis.com/v3/projects/PROJECT_ID/timeSeries?filter=metric.type%3D%22iam\r\nPowerShell (Windows)\r\nExecute the following command:\r\n$cred = gcloud auth print-access-token\r\n$headers = @{ \"Authorization\" = \"Bearer $cred\" }\r\nInvoke-WebRequest `\r\n -Method GET `\r\n -Headers $headers `\r\n -Uri \"https://monitoring.googleapis.com/v3/projects/\r\nPROJECT_ID/timeSeries?filter=metric.type%3D%22iam.googleapis.com%2Fservice_account%2Fkey%2Fauthn_even\r\nAPIs Explorer (browser)\r\nOpen the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact\r\nwith this tool to send requests. Complete any required fields and click Execute.\r\nThe response contains a timeSeries object with all of the recent authentication events for the specified service\r\naccount key.\r\nExport metrics\r\nYou can use Monitoring to export your metrics to BigQuery. 
Exporting metrics is useful for performing long-term\r\nanalysis because Monitoring only retains metrics for a limited time.\r\nFor instructions, see Monitoring metric export in the Solutions documentation.\r\nWhat's next\r\nDiscover how to export metric data to BigQuery.\r\nUse Activity Analyzer to view only the most recent authentication events for your service accounts and\r\nkeys.\r\nUse service account insights to identify service accounts that have not been used in the past 90 days.\r\nLearn how to disable service accounts or delete service accounts.\r\nLearn how to delete service account keys.\r\nExplore the features offered by Monitoring.\r\nSource: https://cloud.google.com/iam/docs/service-account-monitoring",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://cloud.google.com/iam/docs/service-account-monitoring"
	],
	"report_names": [
		"service-account-monitoring"
	],
	"threat_actors": [],
	"ts_created_at": 1775434236,
	"ts_updated_at": 1775791332,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0489b337d71f9c1c7a87cd00cd83d23463d7946e.pdf",
		"text": "https://archive.orkl.eu/0489b337d71f9c1c7a87cd00cd83d23463d7946e.txt",
		"img": "https://archive.orkl.eu/0489b337d71f9c1c7a87cd00cd83d23463d7946e.jpg"
	}
}