This page explains how to review the history of changes to your IAM allow policies.
You can review changes to your resource's allow policies by searching your audit
logs for entries containing the SetIamPolicy
method.
View allow policy changes with SetIamPolicy
You can view allow policy changes by reviewing your audit logs for entries that
contain the SetIamPolicy
method. You can review your audit logs using the
Trusted Cloud console or the gcloud CLI.
Console
In the Trusted Cloud console, go to the Logs Explorer page.
In the query editor, enter one of the following queries. These queries search your audit logs for entries that have
SetIamPolicy
in themethodName
field of theprotoPayload
:To get the logs of all allow policy changes made on a resource, use the following query:
logName="RESOURCE_TYPE/RESOURCE_ID/logs/cloudaudit.googleapis.com%2Factivity" protoPayload.methodName:SetIamPolicy
To get the logs of allow policy changes that involve a specific user or service account, use the following query:
logName="RESOURCE_TYPE/RESOURCE_ID/logs/cloudaudit.googleapis.com%2Factivity" protoPayload.methodName:SetIamPolicy protoPayload.serviceData.policyDelta.bindingDeltas.member:"EMAIL_ADDRESS"
Provide the following values:
RESOURCE_TYPE
: The resource type that you are listing audit logs for. Use one of these values:projects
,folders
, ororganizations
.RESOURCE_ID
: Your Trusted Cloud project, folder, or organization ID. Project IDs are alphanumeric, likemy-project
. Folder and organization IDs are numeric, like123456789012
.EMAIL_ADDRESS
: The email address of the user or service account. For example,example-service-account@example-project.s3ns-system.iam.gserviceaccount.com
.
To run the query, click Run query.
Use the Timeline selector to specify the appropriate time range for the query. Alternatively, you can add a timestamp expression directly to the query editor. For more information, see View logs by time range.
gcloud
The
gcloud logging read
command reads log entries.
Before using any of the command data below, make the following replacements:
-
RESOURCE_TYPE
: The resource type that you are listing audit logs for. Use the valueprojects
,folders
, ororganizations
. -
RESOURCE_ID
: Your Trusted Cloud project, organization, or folder ID. Project IDs are alphanumeric strings, likemy-project
. Folder and organization IDs are numeric, like123456789012
. -
TIME_PERIOD
: The time period that you are listing audit logs for. The entries returned are not older than this value. If left unspecified, the default value is1d
. For information about time formats, see gcloud topic datetimes. -
RESOURCE_TYPE_SINGULAR
: The resource type that you are listing audit logs for. Use the valueproject
,folder
, ororganization
.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud logging read \ 'logName:RESOURCE_TYPE/RESOURCE_ID/logs/cloudaudit.googleapis.com%2Factivity AND protoPayload.methodName=SetIamPolicy' \ --freshness=TIME_PERIOD \ --RESOURCE_TYPE_SINGULAR=RESOURCE_ID
Windows (PowerShell)
gcloud logging read ` 'logName:RESOURCE_TYPE/RESOURCE_ID/logs/cloudaudit.googleapis.com%2Factivity AND protoPayload.methodName=SetIamPolicy' ` --freshness=TIME_PERIOD ` --RESOURCE_TYPE_SINGULAR=RESOURCE_ID
Windows (cmd.exe)
gcloud logging read ^ 'logName:RESOURCE_TYPE/RESOURCE_ID/logs/cloudaudit.googleapis.com%2Factivity AND protoPayload.methodName=SetIamPolicy' ^ --freshness=TIME_PERIOD ^ --RESOURCE_TYPE_SINGULAR=RESOURCE_ID