You can see Table A of permissions in GCP's IAM and Administration > IAM page. Table A has an item called Analyzed Permissions (Extra / Total). You can see a more detailed Table B for that role by clicking on a value such as 2/4 in this item.

Normally this is fine, but the information in Table B appears to be inverted when all permissions for a role are extra or when there are no extra permissions. Is this a bug? Or is it my misunderstanding?

(I use the GCP management screen in the Japanese version, so it may not be reproducible in the English version.)

The explanation may be difficult to understand because it is abstract, so I will give a concrete example.

Suppose the role "Write Log" for a service account is listed as 0/1 in Table A. This indicates that "Write Log" has no extra permissions (all permissions of "Write Log" for that role have been used in the last 90 days). However, all permissions are displayed in the "Extra Permissions" column in Table B, which is inconsistent (inverted) with Table A.

Conversely, if the permissions for a role look like 6/6 in Table A, it means that none of the permissions for that role are used. If you open Table B for such a role, it is treated as if there is no "Extra Permissions" field and everything is in use (inverted relative to Table A).

However, roles that are used partially, such as 3/7 in Table A, are displayed correctly in Table B.
IAM recommender analyses permission usage over the last 90 days. It shows X/Y, where X is the number of unused permissions and Y the total number of permissions granted.

If you see a light bulb, it's because IAM recommender has found better roles, and you have propositions to increase your security.
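To check the console's Extra/Total cell and its detail list against each other rather than trusting either table, here is an added example (not code from the thread or from Google) that recomputes X/Y as the answer defines it from constructed data. The role contents and the insight shape (`role`, `member`, `exercisedPermissions`) are assumptions, not real GCP role definitions or a guaranteed API format.

```python
"""Recompute Extra/Total per binding and check a detail table against it.

Added example. ROLE_PERMISSIONS and INSIGHTS are CONSTRUCTED sample data; the
insight field names are an ASSUMPTION modelled loosely on IAM policy insights.
"""
from typing import Dict, List, Set, Tuple

# Constructed role definitions (not the real contents of any GCP role).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/logging.logWriter": {"logging.logEntries.create"},
    "roles/example.reader": {"example.items." + v for v in
                             ("get", "list", "watch", "export", "stat", "describe")},
    "roles/example.editor": {"example.items." + v for v in
                             ("get", "list", "create", "update", "delete",
                              "undelete", "setIamPolicy")},
}

# Constructed insights: permissions each binding exercised in the last 90 days.
INSIGHTS: List[dict] = [
    {"role": "roles/logging.logWriter", "member": "serviceAccount:app@example",
     "exercisedPermissions": [{"permission": "logging.logEntries.create"}]},
    {"role": "roles/example.reader", "member": "serviceAccount:app@example",
     "exercisedPermissions": []},
    {"role": "roles/example.editor", "member": "serviceAccount:app@example",
     "exercisedPermissions": [{"permission": "example.items." + v} for v in
                              ("get", "list", "create", "update")]},
]


def split_permissions(insight: dict) -> Tuple[Set[str], Set[str]]:
    """Return (extra, used): extra = granted by the role but not exercised."""
    granted = ROLE_PERMISSIONS[insight["role"]]
    used = {e["permission"] for e in insight.get("exercisedPermissions", [])} & granted
    return granted - used, used


def table_a(insight: dict) -> str:
    """The 'Analyzed Permissions (Extra / Total)' cell: X unused / Y granted."""
    extra, used = split_permissions(insight)
    return f"{len(extra)}/{len(extra) + len(used)}"


def detail_is_consistent(insight: dict, displayed_extra: Set[str]) -> bool:
    """True when a detail table's 'Extra Permissions' column matches the count.

    Flags the inversion in the question: X/Y says 0 extra, but the detail
    column lists every permission (or 6/6 with an empty extra column)."""
    extra, _ = split_permissions(insight)
    return displayed_extra == extra
```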