Background: my client currently uses Terraform to apply changes to the GCP infrastructure, which sometimes includes granting IAM permissions to certain employees. My client wants to track all granted and removed permissions due to compliance. We wanted to achieve the following objectives:
- track which users were granted which IAM roles.
- track which BigQuery datasets were affected by the roles from objective 1.
What we did:
We first created a logging sink via the Logs Explorer. When creating the sink, we set a BigQuery dataset as the destination because we want to store the Cloud Audit Logs there. Then we set the "Build inclusion filter" to the line below:
protoPayload."@type"="type.googleapis.com/google.cloud.audit.AuditLog"
With the setup above, the sink created 3 tables:
cloudaudit_googleapis_com_activity,
cloudaudit_googleapis_com_data_access,
cloudaudit_googleapis_com_system_event.
We queried the cloudaudit_googleapis_com_activity table.
Below is a sample of the query:
SELECT
  timestamp,
  resource.labels.project_id,
  protopayload_auditlog.methodName,
  protopayload_auditlog.authenticationInfo.principalEmail,
  -- repeated field: one element per added/removed binding (action, role, member)
  protopayload_auditlog.servicedata_v1_iam.policyDelta.bindingDeltas,
  protopayload_auditlog.resourceName
FROM
  `cloudaudit_googleapis_com_activity`
WHERE
  protopayload_auditlog.methodName = 'SetIamPolicy'
Issue:
We managed to achieve objective 1; however, we couldn't see which datasets were affected by the granted roles (objective 2).
Using the 'SetIamPolicy' methodName, we expected to find the desired information in the protopayload_auditlog.resourceName field, which should contain the BigQuery path in the form projects/<project name>/datasets/<dataset name>/...; however, this field only contained the GCP project name, even when a user was granted a role on a specific dataset only.
We tried changing the protopayload_auditlog.methodName filter to 'datasetservice.update', and we could actually see the affected datasets for each role, but alas this filter didn't provide information about the users who were granted the roles, and the timestamps didn't match those of the 'SetIamPolicy' method, so we couldn't find a common field between these two different methodName values to link users, roles, and datasets together.
Is there a way to solve this? I'm not sure whether there is a way to log all this info together with the other two logging tables, or maybe we need to use certain settings in Terraform?
Thank you in advance.
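As an added example (not code from the question, and not Google's), here is a small Python parser that flattens SetIamPolicy audit-log entries into one record per binding delta, the same data the query above selects, and makes the symptom described visible: a project-level SetIamPolicy entry's resourceName carries no dataset path, so those rows cannot be joined to a dataset on their own. It assumes the raw Cloud Logging JSON field names (protoPayload.serviceData.policyDelta.bindingDeltas) that the exported BigQuery columns in the query correspond to; the log entries, actor, members and the sensitive-role list are constructed for the example.

```python
"""Flatten IAM SetIamPolicy audit-log entries into per-binding compliance records.

Added example, not from the original question. Assumes the raw Cloud Logging JSON
layout (protoPayload.serviceData.policyDelta.bindingDeltas), which the BigQuery
export exposes as protopayload_auditlog.servicedata_v1_iam.policyDelta.bindingDeltas.
The log entries below are constructed, not real logs.
"""
import json
from dataclasses import dataclass

# Roles a compliance reviewer would want flagged when granted (assumption: choose
# your own list; these are real predefined GCP roles).
SENSITIVE_ROLES = {"roles/owner", "roles/editor", "roles/bigquery.admin"}


@dataclass(frozen=True)
class IamChange:
    timestamp: str
    actor: str      # principalEmail: who called SetIamPolicy
    action: str     # "ADD" or "REMOVE"
    role: str
    member: str     # who received or lost the role
    resource: str   # protoPayload.resourceName


def parse_set_iam_policy(entry: dict) -> list[IamChange]:
    """Return one IamChange per binding delta; an empty list for other methods."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != "SetIamPolicy":
        return []
    actor = payload.get("authenticationInfo", {}).get("principalEmail", "")
    resource = payload.get("resourceName", "")
    deltas = (payload.get("serviceData", {})
                     .get("policyDelta", {})
                     .get("bindingDeltas", []))
    return [
        IamChange(entry.get("timestamp", ""), actor, d.get("action", ""),
                  d.get("role", ""), d.get("member", ""), resource)
        for d in deltas
    ]


def flatten_log(lines: list[str]) -> list[IamChange]:
    """Parse newline-delimited JSON log entries and collect all binding changes."""
    changes: list[IamChange] = []
    for line in lines:
        line = line.strip()
        if line:
            changes.extend(parse_set_iam_policy(json.loads(line)))
    return changes


def sensitive_grants(changes: list[IamChange]) -> list[IamChange]:
    """Only ADD actions for roles in SENSITIVE_ROLES; removals are not flagged."""
    return [c for c in changes if c.action == "ADD" and c.role in SENSITIVE_ROLES]


def resource_is_project_only(change: IamChange) -> bool:
    """True when resourceName has no /datasets/ segment, i.e. the row alone
    cannot tell you which BigQuery dataset (if any) the grant applied to."""
    return "/datasets/" not in change.resource


# Constructed sample entries (not real logs). The second entry uses the other
# methodName mentioned in the question and is deliberately skipped by the parser.
_ENTRIES = [
    {
        "timestamp": "2024-01-15T10:00:00Z",
        "resource": {"labels": {"project_id": "example-project"}},
        "protoPayload": {
            "methodName": "SetIamPolicy",
            "authenticationInfo": {
                "principalEmail": "terraform-sa@example-project.iam.gserviceaccount.com"},
            "resourceName": "projects/example-project",
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/bigquery.dataViewer",
                 "member": "user:alice@example.com"},
                {"action": "REMOVE", "role": "roles/owner",
                 "member": "user:bob@example.com"},
                {"action": "ADD", "role": "roles/bigquery.admin",
                 "member": "group:analysts@example.com"},
            ]}},
        },
    },
    {
        "timestamp": "2024-01-15T10:00:03Z",
        "resource": {"labels": {"project_id": "example-project"}},
        "protoPayload": {
            "methodName": "datasetservice.update",
            "resourceName": "projects/example-project/datasets/finance",
        },
    },
]
SAMPLE_LOG = [json.dumps(e) for e in _ENTRIES]

if __name__ == "__main__":
    for change in flatten_log(SAMPLE_LOG):
        print(change, "project-only resource:", resource_is_project_only(change))
    print("flagged:", sensitive_grants(flatten_log(SAMPLE_LOG)))
```

Running the module prints three binding records, all with a project-only resourceName, and one flagged grant (roles/bigquery.admin). Feeding it the exported table's rows instead would need the column names from the query (servicedata_v1_iam rather than serviceData), which is the only mapping the parser assumes.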