Sander van den Oord

Reputation: 12808

GCP: how can I find in Cloud Logging permission / role changes for a specific user?

Which filter / query do I have to use in Cloud Logging to find role / permission changes for a specific user or service account?

Upvotes: 1

Views: 1189

Answers (1)

Sander van den Oord

Reputation: 12808

You can use the following query settings in Cloud Logging to find role/permission changes for a specific user:

resource.type="project" AND
log_id("cloudaudit.googleapis.com/activity") AND
protoPayload.methodName="SetIamPolicy" AND
protoPayload.serviceData.policyDelta.bindingDeltas.member="user:FILL_IN_EMAIL_ADDRESS_OF_USER"

When you are looking for role / permission changes of a service account, you have to change the last line into:

protoPayload.serviceData.policyDelta.bindingDeltas.member="serviceAccount:FILL_IN_EMAIL_ADDRESS_OF_SERVICEACCOUNT"

The logs are quite extensive, but you find the actual IAM changes under:
protoPayload -> serviceData -> policyDelta -> bindingDeltas

This also works by the way, but it is slower:

protoPayload.authorizationInfo.permission="resourcemanager.projects.setIamPolicy"
protoPayload.response.bindings.members="user:FILL_IN_EMAIL_ADDRESS_OF_USER"
protoPayload.serviceData.policyDelta.bindingDeltas.member="user:FILL_IN_EMAIL_ADDRESS_OF_USER"

This pointed me in the right direction:
https://serverfault.com/questions/1033795/how-to-find-out-who-added-a-user-or-modified-iam-roles-of-a-specific-user-in-gcp

Upvotes: 3
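The answer's filter is what you type into the Logs Explorer; the same fields can be post-processed once the matching entries have been exported (for example as the JSON list that `gcloud logging read <filter> --format=json` prints). The script below is an added example, not code from the question or answer: it builds the answer's filter string for a given member, and walks a list of audit log entries to report every `bindingDeltas` element that touches that member, with the action (ADD/REMOVE), the role, and the principal that made the change. The sample entries are constructed to mirror the field layout the answer names; the project id, e-mail addresses and timestamps are placeholders.

```python
"""Pull IAM role changes for one principal out of Cloud Audit Log entries."""
import json
import sys

# Activity (Admin Activity) audit logs carry this suffix in their logName.
ACTIVITY_LOG_SUFFIX = "cloudaudit.googleapis.com%2Factivity"

# Constructed sample entries (not real logs). The layout mirrors the paths the
# answer names: protoPayload.methodName and
# protoPayload.serviceData.policyDelta.bindingDeltas[].{action,role,member}.
SAMPLE_ENTRIES = [
    {
        "logName": "projects/example-project/logs/" + ACTIVITY_LOG_SUFFIX,
        "resource": {"type": "project"},
        "timestamp": "2023-05-01T10:00:00Z",
        "protoPayload": {
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": "admin@example.com"},
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/editor", "member": "user:alice@example.com"},
                {"action": "REMOVE", "role": "roles/viewer",
                 "member": "serviceAccount:deploy@example-project.iam.gserviceaccount.com"},
            ]}},
        },
    },
    {   # Read-only call: carries no policy delta and must be ignored.
        "logName": "projects/example-project/logs/" + ACTIVITY_LOG_SUFFIX,
        "resource": {"type": "project"},
        "timestamp": "2023-05-01T10:05:00Z",
        "protoPayload": {
            "methodName": "GetIamPolicy",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
        },
    },
    {
        "logName": "projects/example-project/logs/" + ACTIVITY_LOG_SUFFIX,
        "resource": {"type": "project"},
        "timestamp": "2023-05-02T09:30:00Z",
        "protoPayload": {
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": "owner@example.com"},
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "REMOVE", "role": "roles/editor", "member": "user:alice@example.com"},
                {"action": "ADD", "role": "roles/owner", "member": "user:bob@example.com"},
            ]}},
        },
    },
]


def cloud_logging_filter(member: str) -> str:
    """Return the Logs Explorer filter from the answer for one member.

    `member` must carry its prefix, e.g. "user:alice@example.com" or
    "serviceAccount:deploy@example-project.iam.gserviceaccount.com".
    """
    return (
        'resource.type="project" AND\n'
        'log_id("cloudaudit.googleapis.com/activity") AND\n'
        'protoPayload.methodName="SetIamPolicy" AND\n'
        f'protoPayload.serviceData.policyDelta.bindingDeltas.member="{member}"'
    )


def iam_changes_for_member(entries, member):
    """Return one dict per binding delta that adds or removes a role for `member`."""
    changes = []
    for entry in entries:
        # Only Admin Activity logs record SetIamPolicy with a policy delta.
        if not entry.get("logName", "").endswith(ACTIVITY_LOG_SUFFIX):
            continue
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != "SetIamPolicy":
            continue
        deltas = (payload.get("serviceData", {})
                  .get("policyDelta", {})
                  .get("bindingDeltas", []))
        for delta in deltas:
            if delta.get("member") != member:
                continue
            changes.append({
                "timestamp": entry.get("timestamp"),
                "actor": payload.get("authenticationInfo", {}).get("principalEmail"),
                "action": delta.get("action"),
                "role": delta.get("role"),
            })
    return changes


if __name__ == "__main__":
    # Usage: python iam_changes.py MEMBER [entries.json]
    # entries.json is assumed to be a JSON list of log entries (the shape
    # `gcloud logging read ... --format=json` produces); without it the
    # constructed sample entries are used.
    member = sys.argv[1] if len(sys.argv) > 1 else "user:alice@example.com"
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            entries = json.load(fh)
    else:
        entries = SAMPLE_ENTRIES
    print(cloud_logging_filter(member), end="\n\n")
    for change in iam_changes_for_member(entries, member):
        print(f"{change['timestamp']} {change['action']:6} {change['role']} by {change['actor']}")
```

Filtering on `bindingDeltas` rather than on the full policy in the response is what keeps the result small: a delta entry exists only for the member whose binding actually changed, so one query yields the exact add/remove history for that principal, together with who made each change.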
