Review IAM allow policy history

This page explains how to review the history of changes to your IAM allow policies.

You can review changes to your resource's allow policies by searching your audit logs for entries containing the SetIamPolicy method.

You can also review allow policy changes with Cloud Asset Inventory.

View allow policy changes with SetIamPolicy

You can view allow policy changes by reviewing your audit logs for entries that contain the SetIamPolicy method. You can review your audit logs using the Google Cloud console or the gcloud CLI.

Console

  1. In the Google Cloud console, go to the Logs Explorer page.

    Go to Logs Explorer

  2. In the query editor, enter one of the following queries. These queries search your audit logs for entries that have SetIamPolicy in the methodName field of the protoPayload:

    • To get the logs of all allow policy changes made on a resource, use the following query:

      logName="RESOURCE_TYPE/RESOURCE_ID/logs/cloudaudit.googleapis.com%2Factivity"
      protoPayload.methodName:SetIamPolicy
      
    • To get the logs of allow policy changes that involve a specific user or service account, use the following query:

      logName="RESOURCE_TYPE/RESOURCE_ID/logs/cloudaudit.googleapis.com%2Factivity"
      protoPayload.methodName:SetIamPolicy
      protoPayload.serviceData.policyDelta.bindingDeltas.member:"EMAIL_ADDRESS"
      

      Provide the following values:

      • RESOURCE_TYPE: The resource type that you are listing audit logs for. Use one of these values: projects, folders, or organizations.
      • RESOURCE_ID: Your Google Cloud project, folder, or organization ID. Project IDs are alphanumeric, like my-project. Folder and organization IDs are numeric, like 123456789012.
      • EMAIL_ADDRESS: The email address of the user or service account. For example, example-service-account@example-project.iam.gserviceaccount.com.
  3. To run the query, click Run query.

  4. Use the Timeline selector to specify the appropriate time range for the query. Alternatively, you can add a timestamp expression directly to the query editor. For more information, see View logs by time range.

gcloud

The gcloud logging read command reads log entries.

Before using any of the command data below, make the following replacements:

  • RESOURCE_TYPE: The resource type that you are listing audit logs for. Use the value projects, folders, or organizations.
  • RESOURCE_ID: Your Google Cloud project, organization, or folder ID. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
  • TIME_PERIOD: The time period that you are listing audit logs for. The entries returned are not older than this value. If left unspecified, the default value is 1d. For information about time formats, see gcloud topic datetimes.
  • RESOURCE_TYPE_SINGULAR: The resource type that you are listing audit logs for. Use the value project, folder, or organization.

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud logging read \
    'logName:RESOURCE_TYPE/RESOURCE_ID/logs/cloudaudit.googleapis.com%2Factivity
    AND protoPayload.methodName=SetIamPolicy' \
    --freshness=TIME_PERIOD \
    --RESOURCE_TYPE_SINGULAR=RESOURCE_ID

Windows (PowerShell)

gcloud logging read `
    'logName:RESOURCE_TYPE/RESOURCE_ID/logs/cloudaudit.googleapis.com%2Factivity
    AND protoPayload.methodName=SetIamPolicy' `
    --freshness=TIME_PERIOD `
    --RESOURCE_TYPE_SINGULAR=RESOURCE_ID

Windows (cmd.exe)

gcloud logging read ^
    'logName:RESOURCE_TYPE/RESOURCE_ID/logs/cloudaudit.googleapis.com%2Factivity
    AND protoPayload.methodName=SetIamPolicy' ^
    --freshness=TIME_PERIOD ^
    --RESOURCE_TYPE_SINGULAR=RESOURCE_ID

View allow policy changes with Cloud Asset Inventory

You can also view allow policy changes using Cloud Asset Inventory in the Google Cloud console or the gcloud CLI.

Console

  1. In the Google Cloud console, go to the Asset Inventory page.

    Go to Asset Inventory

  2. Click the IAM Policy tab.

  3. Run the following query in the Filter field:

    Resource : RESOURCE_ID

    Replace RESOURCE_ID with your Google Cloud project, folder, or organization ID. Project IDs are alphanumeric, like my-project. Folder and organization IDs are numeric, like 123456789012.

  4. To view the change history of the resource's allow policy, click the resource's name, then select the Change History tab.

  5. To compare any changes to the allow policy for the resource, select two different timestamped records from the Select a record to compare menu.

gcloud

The gcloud asset get-history command gets the updated history of allow policies on an asset that overlaps a time window.

Before using any of the command data below, make the following replacements:

  • RESOURCE_TYPE: The resource type that you are listing audit logs for. Use the value project, folder, or organization.
  • RESOURCE_ID: Your Google Cloud project, organization, or folder ID. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
  • ASSET_NAME: A comma-separated list of formatted resource names for the resources whose allow policy histories you want to view. For example, //cloudresourcemanager.googleapis.com/projects/my-project. These resources can be any of the resource types that accept allow policies.
  • START_TIME: The beginning of the time range. The maximum time range is 7 days. The value must be the current time or a time no more than 35 days in the past. For information about time formats, see gcloud topic datetimes.
  • END_TIME: Optional. The finishing point of the time range. The maximum time range is 7 days. The value must be the current time or a time no more than 35 days in the past. When not provided, the end time is assumed to be the current time. For information about time formats, see gcloud topic datetimes.

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud asset get-history \
    --RESOURCE_TYPE=RESOURCE_ID \
    --asset-names=ASSET_NAME_1,ASSET_NAME_2,... \
    --content-type=iam-policy \
    --start-time=START_TIME \
    --end-time=END_TIME

Windows (PowerShell)

gcloud asset get-history `
    --RESOURCE_TYPE=RESOURCE_ID `
    --asset-names=ASSET_NAME_1,ASSET_NAME_2,... `
    --content-type=iam-policy `
    --start-time=START_TIME `
    --end-time=END_TIME

Windows (cmd.exe)

gcloud asset get-history ^
    --RESOURCE_TYPE=RESOURCE_ID ^
    --asset-names=ASSET_NAME_1,ASSET_NAME_2,... ^
    --content-type=iam-policy ^
    --start-time=START_TIME ^
    --end-time=END_TIME