Restore previous GCloud IAM policy?
I accidentally replaced my current IAM Policy on a Google project (with GKE services) running the following python script:
def set_policy(project_id, email):
"""Assign role to a service account."""
credentials = service_account.Credentials.from_service_account_file(
filename=os.getenv('GOOGLE_APPLICATION_CREDENTIALS'),
scopes=['https://www.googleapis.com/auth/cloud-platform'])
service = googleapiclient.discovery.build(
'cloudresourcemanager', 'v1', credentials=credentials)
policy = service.projects().setIamPolicy(
resource=project_id,
body={
'policy': {
'version': 3,
"bindings": [
{
"role": f"roles/storage.objectAdmin",
"members": [
f"serviceAccount:{email}"
],
"condition": {
"title": "TenantSpace",
"expression": f'resource.type == "storage.googleapis.com/Object" && resource.name.startsWith("projects/{project_id}/buckets/demo/")',
}
}
],
}
}
).execute()
return policy
I didn't think that it would have replaced my whole policy since I was actually trying to add a role to an existing service account. I'm the owner so fortunately I could restore my previous user roles but I'm not sure if there was some other important roles for default Google service accounts. So my questions are:
- This script should have changed only the roles inside this page right? https://console.cloud.google.com/iam-admin/iam
- Is there a way to view a history of recent activities involving IAM and therefore a way to restore a snapshot previous to this breaking change?
I was able to restore the previous roles by accessing the serviceData entry on the Logs Explorer. Running query with resource.type="project" and filtering the time range exactly to the period of interest, one can find the array of deleted bindings inside serviceData.policyDelta.bindingDeltas.
The forward process was a bit tedious but I managed to restore the bindings to the correct snapshot.
- Google Cloud Build Error: build step 0 "gcr.io/cloud-builders/docker" failed: step exited with non-zero status: 1
- Terraform - GCP - Import project IAM member
- Getting random "User not found in file /etc/passwd" error on Cloud Run Job
- Change time format in GCP Logs Explorer
- Deploying to Cloud Run with a custom service account failed with iam.serviceaccounts.actAs error
- Deploying a pelican site to Google Cloud Run with Dockerfile not working
- Is there a good explanation of resource labels versus metric labels?
- Why do I set the resource type when writing the metric but not when creating a descriptor?
- google-github-actions/get-gke-credentials failed with: required "container.clusters.get" permission(s)
- GA4 Data Not Retained for More Than 60 Days Despite BigQuery Table Expiration Set to 'Never
- How to list all enabled API services for Google Cloud Platform project
- Google Cloud calendar API connection error
- Downloading a folder from cloud storage in GitHub action and move it inside a docker container is not working
- How to fix CloudRun error 'The request was aborted because there was no available instance'
- Google Cloud Build with Dockerfile and copy files
- Firebase CLI console: Cannot find module @google-cloud/tasks
- Does Cloud SQL have a query console or is CLI the only option?
- How to use Google Cloud Shell with the new Windows Terminal
- Why does GKE kubernetes cluster need a version?
- Unable to Read Mounted GCSFuse Directory After Adding --implicit-dirs Option
- Error: 10: Developer console is not set up correctly (Not Using Firebase) (One Tap sign-up)
- Connection between Private GKE and Cloud SQL
- Kubernetes cluster architecture
- Validating PubSub message against AVRO JSON schema with multiple union types
- Can i run cloud run jobs locally
- How to log SSL/TLS Handshake details on Google Cloud Load Balancer
- Utilizing Gemini: Through Vertex AI or through Google/generative-ai?
- How to use Puppeteer in 2nd gen Cloud Functions?
- GCP Logging: who created a Project?
- Connection broken: IncompleteRead in Google Cloud Run