How to log all permissions an application is using in Google Cloud's SDK

Question

I have a sandbox project that I am currently in an owner role for. This gives me great freedom in development and I've written a bunch of python code that uses the following:

Storage
Security Center
Storage Notifications
Datastore
Secret Manager
Pub/Sub

I would like to log all of the permissions this application uses. Is there some way to do this in GCP? Perhaps in the Logging API, or similar?

I need this so I don't have to manually identify all of the permissions for a role I intend to create so the application follows the principle of least privilege.

Thanks!

Answer 1

Like what guillaume blaquiere suggested there are two or more factors to be considered when you are trying to get the permission related data of your application. In GCP all the activities performed or needs to be performed require service accounts or user accounts. If we have enabled audit logs for these service accounts and user accounts we can get the permissions that are being used, provided these logs have a retention period of 90 days as mentioned by guillaume blaquiere. Since you don’t want to use service accounts use Runtime configurator instead.

Runtime configurator can be used to provide runtime permissions to your application. This documentation helps you in understanding more about runtime configurators. There are many functions available and the runtime configurator supports multiple programming languages. In these functions there is a function called watch(), which gives you the details of the changes made to your gcp environment, you can write the data received from watch() function to log files and can work accordingly.