This page explains how to review the history of changes to your IAM allow policies.
You can review changes to your resource's allow policies by searching your audit
logs for entries containing the SetIamPolicy
method.
View allow policy changes with SetIamPolicy
You can view allow policy changes by reviewing your audit logs for entries that
contain the SetIamPolicy
method. You can review your audit logs using the
Google Cloud console or the gcloud CLI.
Console
In the Google Cloud console, go to the Logs Explorer page.
In the query editor, enter one of the following queries. These queries search your audit logs for entries that have
SetIamPolicy
in themethodName
field of theprotoPayload
:To get the logs of all allow policy changes made on a resource, use the following query:
logName="RESOURCE_TYPE/RESOURCE_ID/logs/cloudaudit.googleapis.com%2Factivity" protoPayload.methodName:SetIamPolicy
To get the logs of allow policy changes that involve a specific user or service account, use the following query:
logName="RESOURCE_TYPE/RESOURCE_ID/logs/cloudaudit.googleapis.com%2Factivity" protoPayload.methodName:SetIamPolicy protoPayload.serviceData.policyDelta.bindingDeltas.member:"EMAIL_ADDRESS"
Provide the following values:
RESOURCE_TYPE
: The resource type that you are listing audit logs for. Use one of these values:projects
,folders
, ororganizations
.RESOURCE_ID
: Your Google Cloud project, folder, or organization ID. Project IDs are alphanumeric, likemy-project
. Folder and organization IDs are numeric, like123456789012
.EMAIL_ADDRESS
: The email address of the user or service account. For example,example-service-account@example-project.iam.gserviceaccount.com
.
To run the query, click Run query.
Use the Timeline selector to specify the appropriate time range for the query. Alternatively, you can add a timestamp expression directly to the query editor. For more information, see View logs by time range.
gcloud
The
gcloud logging read
command reads log entries.
Before using any of the command data below, make the following replacements:
-
RESOURCE_TYPE
: The resource type that you are listing audit logs for. Use the valueprojects
,folders
, ororganizations
. -
RESOURCE_ID
: Your Google Cloud project, organization, or folder ID. Project IDs are alphanumeric strings, likemy-project
. Folder and organization IDs are numeric, like123456789012
. -
TIME_PERIOD
: The time period that you are listing audit logs for. The entries returned are not older than this value. If left unspecified, the default value is1d
. For information about time formats, see gcloud topic datetimes. -
RESOURCE_TYPE_SINGULAR
: The resource type that you are listing audit logs for. Use the valueproject
,folder
, ororganization
.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud logging read \ 'logName:RESOURCE_TYPE/RESOURCE_ID/logs/cloudaudit.googleapis.com%2Factivity AND protoPayload.methodName=SetIamPolicy' \ --freshness=TIME_PERIOD \ --RESOURCE_TYPE_SINGULAR=RESOURCE_ID
Windows (PowerShell)
gcloud logging read ` 'logName:RESOURCE_TYPE/RESOURCE_ID/logs/cloudaudit.googleapis.com%2Factivity AND protoPayload.methodName=SetIamPolicy' ` --freshness=TIME_PERIOD ` --RESOURCE_TYPE_SINGULAR=RESOURCE_ID
Windows (cmd.exe)
gcloud logging read ^ 'logName:RESOURCE_TYPE/RESOURCE_ID/logs/cloudaudit.googleapis.com%2Factivity AND protoPayload.methodName=SetIamPolicy' ^ --freshness=TIME_PERIOD ^ --RESOURCE_TYPE_SINGULAR=RESOURCE_ID
View allow policy changes with Cloud Asset Inventory
You can also view allow policy changes using Cloud Asset Inventory in the Google Cloud console or the gcloud CLI.
Console
In the Google Cloud console, go to the Asset Inventory page.
Click the IAM Policy tab.
Run the following query in the Filter field:
Resource :
RESOURCE_ID
Replace
RESOURCE_ID
with your Google Cloud project, folder, or organization ID. Project IDs are alphanumeric, likemy-project
. Folder and organization IDs are numeric, like123456789012
.To view the change history of the resource's allow policy, click the resource's name, then select the Change History tab.
To compare any changes to the allow policy for the resource, select two different timestamped records from the Select a record to compare menu.
gcloud
The
gcloud asset get-history
command gets the updated history of allow policies on an asset that overlaps a
time window.
Before using any of the command data below, make the following replacements:
-
RESOURCE_TYPE
: The resource type that you are listing audit logs for. Use the valueproject
,folder
, ororganization
. -
RESOURCE_ID
: Your Google Cloud project, organization, or folder ID. Project IDs are alphanumeric strings, likemy-project
. Folder and organization IDs are numeric, like123456789012
. -
ASSET_NAME
: A comma-separated list of formatted resource names for the resources whose allow policy histories you want to view. For example,//cloudresourcemanager.googleapis.com/projects/my-project
. These resources can be any of the resource types that accept allow policies. -
START_TIME
: The beginning of the time range. The maximum time range is 7 days. The value must be the current time or a time no more than 35 days in the past. For information about time formats, see gcloud topic datetimes. -
END_TIME
: Optional. The finishing point of the time range. The maximum time range is 7 days. The value must be the current time or a time no more than 35 days in the past. When not provided, the end time is assumed to be the current time. For information about time formats, see gcloud topic datetimes.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud asset get-history \ --RESOURCE_TYPE=RESOURCE_ID \ --asset-names=ASSET_NAME_1,ASSET_NAME_2,... \ --content-type=iam-policy \ --start-time=START_TIME \ --end-time=END_TIME
Windows (PowerShell)
gcloud asset get-history ` --RESOURCE_TYPE=RESOURCE_ID ` --asset-names=ASSET_NAME_1,ASSET_NAME_2,... ` --content-type=iam-policy ` --start-time=START_TIME ` --end-time=END_TIME
Windows (cmd.exe)
gcloud asset get-history ^ --RESOURCE_TYPE=RESOURCE_ID ^ --asset-names=ASSET_NAME_1,ASSET_NAME_2,... ^ --content-type=iam-policy ^ --start-time=START_TIME ^ --end-time=END_TIME