Tags: google-cloud-platform, google-cloud-pubsub, google-iam

Google Cloud Resource created with user that is not in IAM


Situation:

  • I have a GCP project (owner) that is under an organization I do not have access to, so I see it under No Organization
  • a user (xyz@domain.com) has created a subscription for an existing pubsub topic, I see that under activity and the audit logs
  • this user is not visible for me in IAM (e.g. as editor, or with some pubsub specific role)
  • neither can I see this user in any pub/sub related topic/subscription, with a role, specifically not in the topic he created the subscription in

Summary:

  • xyz@domain.com created a subscription.
  • I don't know where he got the role from (inherited?)

Question:

  1. Is it possible that this person has e.g. editor on the organization (or some folder above the project) but I don't see that role in my IAM section of the project?
  2. If not, where could the role be inherited from?

Solution

  • Creating a Subscription

    To subscribe to a Pub/Sub topic a user should be able to create a Subscription object. To do that, the permission pubsub.subscriptions.create on a Topic is needed. It could be assigned explicitly on a Topic or inherited from the parent levels (Project, Folder, Org) via:

    • a Custom Role inherited from the Project level or above;
    • a Predefined Role pubsub.editor or pubsub.admin assigned at the Pub/Sub Topic level or inherited from a parent level;
    • a Primitive Role Editor or Owner inherited from the Project or Service Resource level or above; for example, the Compute Engine default service account, on whose behalf freshly created VM Instances run, has the Editor Role on the Project it is part of.

    Viewing role assignments

    To trace where effective rights are inherited from, one would need at least the following Permissions:

    • resourcemanager.organizations.getIamPolicy
    • resourcemanager.folders.getIamPolicy
    • resourcemanager.projects.getIamPolicy

    IAM Predefined Roles that contain those permissions are:

    • resourcemanager.organizationAdmin
    • iam.securityAdmin
    • iam.securityReviewer

    IAM Predefined Roles that can trace up to the Folder level are:

    • resourcemanager.folderAdmin
    • resourcemanager.folderEditor
    • resourcemanager.folderIamAdmin

    IAM Primitive Roles:

    • Viewer
    • Editor
    • Owner

    To obtain a comprehensive view of the resulting permissions, you should be granted the Roles listed above as high as possible in the IAM hierarchy (ideally at the Org level), so that you have enough administrative scope for the investigation.

    You can't see bindings located outside the administrative scope you have. Therefore you can see neither the level the permissions are inherited from nor the security subject the permissions are granted to.

    Back to the questions

    1. Is it possible that this person has e.g. editor on the organization (or some folder above the project) but I don't see that role in my IAM section of the project?
      • Yes
    2. If not, where could the role be inherited from?
      • The Org level and all Folder levels (those could be nested) above your Project.

    Vendor documentation

    IAM Roles

    Cloud Pub/Sub | Access Control | Roles

    Support level for permissions in custom roles
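The two points the answer makes, that pubsub.subscriptions.create can arrive at a Topic through a binding at any ancestor level (Custom Role, Predefined Role, or Primitive Role), and that an investigator only sees the bindings inside their own administrative scope, can be modelled in a few lines. The following is an added example, not code from the question or the answer: it walks a constructed hierarchy (Organization -> Folder -> Project -> Topic) with constructed IAM policies in the JSON shape that `gcloud organizations get-iam-policy`, `gcloud resource-manager folders get-iam-policy`, `gcloud projects get-iam-policy` and `gcloud pubsub topics get-iam-policy` return, and reports at which level a member is granted the permission. Resource ids, member names, the custom role and the ROLE_PERMISSIONS table are all assumptions for illustration (the table is a deliberately small subset of the real role definitions). A level whose policy the investigator cannot read is modelled as `None`, which is what the asker's project-Owner-only view looks like.

```python
"""Trace which IAM level grants a member a Pub/Sub permission (added example)."""
from dataclasses import dataclass
from typing import Optional

MEMBER = "user:xyz@domain.com"            # principal from the question
PERMISSION = "pubsub.subscriptions.create"

# Constructed subset of role -> permissions, covering only the roles the answer
# names plus one hypothetical org-level custom role. Real definitions are broader.
ROLE_PERMISSIONS = {
    "roles/owner": {PERMISSION},
    "roles/editor": {PERMISSION},
    "roles/viewer": set(),
    "roles/pubsub.admin": {PERMISSION},
    "roles/pubsub.editor": {PERMISSION},
    "roles/pubsub.viewer": set(),
    # hypothetical custom role defined at the org and bound further down
    "organizations/111111111111/roles/subscriptionCreator": {PERMISSION},
}


@dataclass
class Resource:
    kind: str                     # "organization" | "folder" | "project" | "topic"
    name: str
    policy: Optional[dict]        # get-iam-policy output; None = not readable by the investigator
    parent: Optional["Resource"] = None


def ancestry(resource):
    """Yield the resource, then its parents: topic -> project -> folder(s) -> organization."""
    node = resource
    while node is not None:
        yield node
        node = node.parent


def roles_bound_to(policy, member):
    """Roles in one policy document whose binding lists the member."""
    return [b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])]


def trace_permission(resource, member, permission, role_permissions=ROLE_PERMISSIONS):
    """Return (grants, hidden): where the permission is granted, and levels we could not inspect."""
    grants, hidden = [], []
    for node in ancestry(resource):
        if node.policy is None:              # outside the investigator's administrative scope
            hidden.append((node.kind, node.name))
            continue
        for role in roles_bound_to(node.policy, member):
            if permission in role_permissions.get(role, set()):
                grants.append((node.kind, node.name, role))
    return grants, hidden


def build_hierarchy(can_read_org_and_folder):
    """Constructed sample hierarchy; the flag mimics whether the caller holds getIamPolicy above the project."""
    org_policy = {"bindings": [{"role": "roles/editor", "members": [MEMBER]}]}
    folder_policy = {"bindings": [
        {"role": "organizations/111111111111/roles/subscriptionCreator", "members": [MEMBER]},
        {"role": "roles/viewer", "members": ["user:auditor@domain.com"]},
    ]}
    org = Resource("organization", "organizations/111111111111",
                   org_policy if can_read_org_and_folder else None)
    folder = Resource("folder", "folders/222222222222",
                      folder_policy if can_read_org_and_folder else None, org)
    project = Resource("project", "projects/my-project",
                       {"bindings": [{"role": "roles/owner", "members": ["user:me@domain.com"]}]}, folder)
    topic = Resource("topic", "projects/my-project/topics/orders",
                     {"bindings": [{"role": "roles/pubsub.viewer", "members": ["group:analysts@domain.com"]}]},
                     project)
    return topic


def report(topic, member, permission):
    """Human-readable summary of the trace, including the levels that stayed invisible."""
    grants, hidden = trace_permission(topic, member, permission)
    lines = [f"{member} gets {permission} via {role} bound at {kind} {name}" for kind, name, role in grants]
    lines += [f"{kind} {name}: policy not readable (outside your administrative scope)" for kind, name in hidden]
    if not grants:
        lines.append(f"no visible binding explains {permission} for {member}; the grant must sit at a hidden level")
    return "\n".join(lines)


if __name__ == "__main__":
    print("--- view with organization-level getIamPolicy ---")
    print(report(build_hierarchy(True), MEMBER, PERMISSION))
    print("--- view as project Owner only (the asker's situation) ---")
    print(report(build_hierarchy(False), MEMBER, PERMISSION))
```

With full scope the trace names both the custom role at the folder and the Editor binding at the organization; with only project-level rights it finds nothing and instead lists the folder and organization as unreadable, which is exactly the "Yes" to question 1. In practice the resource chain for a project comes from `gcloud projects get-ancestors PROJECT_ID`, and each policy from the matching get-iam-policy command with `--format=json`.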