There was a recently patched Google Cloud vulnerability called Asset Key Thief that allowed Google Cloud principals with the Cloud Asset Viewer role to exfiltrate any user-managed Google Cloud Service Account private key for up to 24 hours after its creation.

This vulnerability could result in giving attackers a persistent and reliable method for abusing a Google Cloud environment. The vulnerability affected keys created using User-managed keys with private keys generated by Google and keys that were generated after July 5, 2021, and not deleted by March 14, 2023, or not rotated after March 14, 2023.

Google Cloud has fixed the vulnerability, but organizations are recommended to rotate their Service Account user-managed keys as an extra precaution.