Did you know that, once you have authenticated using the Google Cloud Platform SDK, the credential is valid for all eternity? With the Google Cloud session control tool you can limit the validity to as little as an hour.
After you type
gcloud auth login , the credentials is stored under the directory
~/.config/gcloud. If this directory gets exfiltrated, the attacker can login using any of the accounts you ever logged in with.
To limit impact of such an event, navigate to Google Cloud session control, select the re-authentication option and choose the lifespan of the credentials. In the screenshot, I set the period to 1 hour. It drove my colleagues up the wall. Sorry.