Reputation: 55
I was playing with an IAM policy which looks like the one below (the trailing comma after the "bindings" array has been removed so the document parses as JSON):
{
  "bindings": [
    {
      "members": [
        "user:[email protected]"
      ],
      "role": "projects/PROJECT_ID/roles/CUSTOM_ROLE",
      "condition": {
        "title": "Bucket reader condition example",
        "description": "Grants role to user [email protected] for the specific condition.",
        "expression": "resource.name == \"projects/PROJECT_ID/locations/us-central1/buckets/LOG_BUCKET_ID/views/VIEW_ID\""
      }
    }
  ]
}
The custom role has only permissions related to the GCP pre-defined role "roles/logging.viewAccessor".
The gcloud command that I executed was: gcloud projects set-iam-policy PROJECT_ID viewPolicy.jsonn
I applied this policy and accidentally revoked all other users' and service accounts' access, including the owner as well. How do I get back the access? Please suggest.
Upvotes: 1
Views: 143
Reputation: 416
If your project is under an organization, the Organization admin can give project Owner roles back to the user and service accounts. Else, your only option is to contact Google Cloud Support.
FYI [1],
Terraform for GCP has 3 ‘levels’.
google_project_iam_member
is a grant of a specific user (machine or human) to a role, so it doesn't guarantee that no other users have that role, i.e. it is non-authoritative.
google_project_iam_binding
is authoritative for a role, so it will stomp on any existing user->role memberships. This can mean that, if you're using it to control a high-level admin role and issue a destroy rather than an update, you lock yourself out of the role.
google_project_iam_policy
(which was used here) is the user->role mapping for every user/role in the entire project. So you can use it to be really sure of your IAM and lock stuff right down across the board, but of course if you mess it up (or issue a destroy/update that requires destroy+create), you lock every user out of the entire project. There is no 'root' user that can't be locked out of admin like in AWS.
[1]. https://www.reddit.com/r/Terraform/comments/xs3xhi/locked_myself_out_of_project/
Upvotes: 0
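The three "levels" in the answer above, and the lock-out in the question, can be shown on plain policy dictionaries without touching a real project. The following is an added example, not code from the question, the answer, Google or Terraform; it models a project policy in the JSON shape that gcloud projects get-iam-policy returns, implements the member / binding / policy semantics as three functions, and adds a pre-flight check that reports which protected roles would be left with no members. All principals and the starting policy are constructed placeholders.

```python
"""Model GCP IAM policy changes at the three 'levels' from the answer.

Constructed example (not the question's, the answer's or Google's code).
A policy is a dict with a "bindings" list of {"role", "members", ...};
nothing here calls the IAM API.
"""
import copy

# Constructed: what the project might have looked like before the
# question's set-iam-policy call. Principals are placeholders.
CURRENT_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:owner@example.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:deploy@example.iam.gserviceaccount.com"]},
        {"role": "roles/logging.viewer", "members": ["user:analyst@example.com"]},
    ],
}

# The policy from the question, with the same PROJECT_ID-style placeholders.
NEW_POLICY = {
    "bindings": [
        {"role": "projects/PROJECT_ID/roles/CUSTOM_ROLE",
         "members": ["user:reader@example.com"],
         "condition": {
             "title": "Bucket reader condition example",
             "expression": 'resource.name == "projects/PROJECT_ID/locations/'
                           'us-central1/buckets/LOG_BUCKET_ID/views/VIEW_ID"'}},
    ],
}


def memberships(policy):
    """Flatten a policy into a set of (role, member) pairs."""
    return {(b["role"], m)
            for b in policy.get("bindings", []) for m in b.get("members", [])}


def add_member(policy, role, member):
    """google_project_iam_member: non-authoritative. Adds one member to the
    unconditional binding for `role` and leaves every other membership alone."""
    new = copy.deepcopy(policy)
    for b in new["bindings"]:
        if b["role"] == role and "condition" not in b:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def set_binding(policy, role, members):
    """google_project_iam_binding: authoritative for ONE role. Every existing
    member of `role` not in `members` is dropped; other roles are untouched."""
    new = copy.deepcopy(policy)
    new["bindings"] = [b for b in new["bindings"] if b["role"] != role]
    new["bindings"].append({"role": role, "members": list(members)})
    return new


def set_policy(policy, new_policy):
    """google_project_iam_policy / gcloud projects set-iam-policy:
    authoritative for the whole project. The old policy is simply replaced."""
    return copy.deepcopy(new_policy)


def lost_memberships(before, after):
    """(role, member) pairs present before the change and absent after it."""
    return sorted(memberships(before) - memberships(after))


def locked_out_roles(before, after, protected=("roles/owner",)):
    """Pre-flight check: protected roles that have members now but would
    have none after the change. A non-empty result means 'do not apply'."""
    roles_before = {r for r, _ in memberships(before)}
    roles_after = {r for r, _ in memberships(after)}
    return [r for r in protected if r in roles_before and r not in roles_after]


if __name__ == "__main__":
    for label, candidate in [
        ("member", add_member(CURRENT_POLICY, "roles/logging.viewer",
                              "user:reader@example.com")),
        ("binding", set_binding(CURRENT_POLICY, "roles/editor",
                                ["user:newdev@example.com"])),
        ("policy", set_policy(CURRENT_POLICY, NEW_POLICY)),
    ]:
        print(f"{label:8s} lost={lost_memberships(CURRENT_POLICY, candidate)} "
              f"locked_out={locked_out_roles(CURRENT_POLICY, candidate)}")
```

Running it shows the three levels side by side: the member-level change loses nothing, the binding-level change drops only the old editor, and the policy-level change from the question drops every existing membership, including roles/owner, which is exactly what locked_out_roles flags. In practice the same comparison is done against the output of gcloud projects get-iam-policy (saved as a backup before any change); note also that conditional bindings like the one in the question require the policy's "version" field to be 3.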