Review IAM allow policy history

This page explains how to review the history of changes to your IAM allow policies.

You can review changes to your resource's allow policies by searching your audit logs for entries containing the SetIamPolicy method.

View allow policy changes with SetIamPolicy

You can view allow policy changes by reviewing your audit logs for entries that contain the SetIamPolicy method. You can review your audit logs using the Trusted Cloud console or the gcloud CLI.

Console

  1. In the Trusted Cloud console, go to the Logs Explorer page.

  2. In the query editor, enter one of the following queries. These queries search your audit logs for entries that have SetIamPolicy in the methodName field of the protoPayload:

    • To get the logs of all allow policy changes made on a resource, use the following query:

      logName="RESOURCE_TYPE/RESOURCE_ID/logs/cloudaudit.googleapis.com%2Factivity"
      protoPayload.methodName:SetIamPolicy
      
    • To get the logs of allow policy changes that involve a specific user or service account, use the following query:

      logName="RESOURCE_TYPE/RESOURCE_ID/logs/cloudaudit.googleapis.com%2Factivity"
      protoPayload.methodName:SetIamPolicy
      protoPayload.serviceData.policyDelta.bindingDeltas.member:"EMAIL_ADDRESS"
      

      Provide the following values:

      • RESOURCE_TYPE: The resource type that you are listing audit logs for. Use one of these values: projects, folders, or organizations.
      • RESOURCE_ID: Your Trusted Cloud project, folder, or organization ID. Project IDs are alphanumeric, like my-project. Folder and organization IDs are numeric, like 123456789012.
      • EMAIL_ADDRESS: The email address of the user or service account. For example, example-service-account@example-project.s3ns-system.iam.gserviceaccount.com.
  3. To run the query, click Run query.

  4. Use the Timeline selector to specify the appropriate time range for the query. Alternatively, you can add a timestamp expression directly to the query editor. For more information, see View logs by time range.

gcloud

The gcloud logging read command reads log entries.

Before using any of the command data below, make the following replacements:

  • RESOURCE_TYPE: The resource type that you are listing audit logs for. Use the value projects, folders, or organizations.
  • RESOURCE_ID: Your Trusted Cloud project, organization, or folder ID. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
  • TIME_PERIOD: The time period that you are listing audit logs for. The entries returned are not older than this value. If left unspecified, the default value is 1d. For information about time formats, see gcloud topic datetimes.
  • RESOURCE_TYPE_SINGULAR: The resource type that you are listing audit logs for. Use the value project, folder, or organization.

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud logging read \
    'logName:RESOURCE_TYPE/RESOURCE_ID/logs/cloudaudit.googleapis.com%2Factivity
    AND protoPayload.methodName=SetIamPolicy' \
    --freshness=TIME_PERIOD \
    --RESOURCE_TYPE_SINGULAR=RESOURCE_ID

Windows (PowerShell)

gcloud logging read `
    'logName:RESOURCE_TYPE/RESOURCE_ID/logs/cloudaudit.googleapis.com%2Factivity
    AND protoPayload.methodName=SetIamPolicy' `
    --freshness=TIME_PERIOD `
    --RESOURCE_TYPE_SINGULAR=RESOURCE_ID

Windows (cmd.exe)

gcloud logging read ^
    "logName:RESOURCE_TYPE/RESOURCE_ID/logs/cloudaudit.googleapis.com%2Factivity AND protoPayload.methodName=SetIamPolicy" ^
    --freshness=TIME_PERIOD ^
    --RESOURCE_TYPE_SINGULAR=RESOURCE_ID

In cmd.exe, single quotes do not group an argument and a quoted string cannot span lines, so the filter is given on one line in double quotes.
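As an added example (not from this page or from Trusted Cloud's own tooling), the following Python post-processes the JSON that the gcloud command above emits when run with `--format=json`. It walks the `protoPayload.serviceData.policyDelta.bindingDeltas` field that the member-filtered console query matches on, lists every role added or removed by each SetIamPolicy entry, and flags grants of a few high-privilege roles. The log entries and the SENSITIVE_ROLES list are constructed assumptions, not real data.

```python
import json

# Roles whose grant gets flagged; assumption: a sample list, not from this page.
SENSITIVE_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin"}

# Constructed sample in the shape of `gcloud logging read --format=json`; not real.
SAMPLE_JSON = """[
 {"timestamp": "2024-05-01T10:00:00Z",
  "protoPayload": {"methodName": "SetIamPolicy",
   "authenticationInfo": {"principalEmail": "admin@example.com"},
   "serviceData": {"policyDelta": {"bindingDeltas": [
     {"action": "ADD", "role": "roles/owner", "member": "user:alice@example.com"},
     {"action": "REMOVE", "role": "roles/viewer", "member": "user:alice@example.com"}]}}}},
 {"timestamp": "2024-05-02T11:30:00Z",
  "protoPayload": {"methodName": "SetIamPolicy",
   "authenticationInfo": {"principalEmail": "ci@example-project.iam.gserviceaccount.com"},
   "serviceData": {"policyDelta": {"bindingDeltas": [
     {"action": "ADD", "role": "roles/viewer", "member": "group:devs@example.com"}]}}}},
 {"timestamp": "2024-05-02T12:00:00Z",
  "protoPayload": {"methodName": "GetIamPolicy",
   "authenticationInfo": {"principalEmail": "admin@example.com"}}}
]"""

def load_entries(text=SAMPLE_JSON):
    return json.loads(text)

def binding_changes(entries, member=None):
    """Flatten SetIamPolicy entries into (timestamp, actor, action, role, member).
    `member` is a substring filter, like the member:"EMAIL_ADDRESS" console query."""
    changes = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if "SetIamPolicy" not in payload.get("methodName", ""):
            continue  # e.g. GetIamPolicy: a read, carries no policyDelta
        actor = payload.get("authenticationInfo", {}).get("principalEmail", "?")
        deltas = (payload.get("serviceData", {}).get("policyDelta", {})
                  .get("bindingDeltas", []))
        for d in deltas:
            if member and member not in d.get("member", ""):
                continue
            changes.append((entry["timestamp"], actor, d["action"], d["role"], d["member"]))
    return changes

def sensitive_grants(changes):
    """Keep only ADD deltas for roles in SENSITIVE_ROLES: the grants to review first."""
    return [c for c in changes if c[2] == "ADD" and c[3] in SENSITIVE_ROLES]

if __name__ == "__main__":
    print(sensitive_grants(binding_changes(load_entries())))
```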