I accidentally replaced my current IAM policy on a Google project (with GKE services) by running the following Python script:
import os

import googleapiclient.discovery
from google.oauth2 import service_account


def set_policy(project_id, email):
    """Assign role to a service account."""
    credentials = service_account.Credentials.from_service_account_file(
        filename=os.getenv('GOOGLE_APPLICATION_CREDENTIALS'),
        scopes=['https://www.googleapis.com/auth/cloud-platform'])
    service = googleapiclient.discovery.build(
        'cloudresourcemanager', 'v1', credentials=credentials)
    # setIamPolicy replaces the project's entire policy with the body given
    # here, so a body with a single binding drops every other binding.
    policy = service.projects().setIamPolicy(
        resource=project_id,
        body={
            'policy': {
                # version 3 is required for bindings that carry a condition
                'version': 3,
                'bindings': [
                    {
                        'role': 'roles/storage.objectAdmin',
                        'members': [
                            f'serviceAccount:{email}'
                        ],
                        'condition': {
                            'title': 'TenantSpace',
                            # Cloud Storage resource names use the literal "_"
                            # for the project segment, not the project ID.
                            'expression': (
                                'resource.type == "storage.googleapis.com/Object" && '
                                'resource.name.startsWith("projects/_/buckets/demo/")'
                            ),
                        }
                    }
                ],
            }
        }
    ).execute()
    return policy
I didn't think it would replace my whole policy, since I was actually trying to add a role to an existing service account. I'm the owner, so fortunately I could restore my previous user roles, but I'm not sure whether there were some other important roles for the default Google service accounts. So my questions are:
I was able to restore the previous roles by accessing the serviceData entry in the Logs Explorer. Running a query with resource.type="project" and filtering the time range to exactly the period of interest, one can find the array of deleted bindings inside serviceData.policyDelta.bindingDeltas.
The forward process was a bit tedious, but I managed to restore the bindings to the correct snapshot.
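The recovery the answer describes, and the read-modify-write the question was missing, as one added example (not code from the question, the answer, or Google's client library). It takes the bindingDeltas array from a SetIamPolicy audit log entry, keeps only the REMOVE entries, and merges them into the policy as getIamPolicy returns it, preserving the etag. The log entry, the "current" policy, the project ID and every member name are constructed sample data; the only live-API calls are in restore_via_api, which is not executed here.

```python
"""Re-add the bindings that an accidental projects.setIamPolicy removed.

Added example, not code from the original question or answer.  The audit
log entry and the "current" policy are constructed sample data and the
member names are hypothetical.  The field path
protoPayload.serviceData.policyDelta.bindingDeltas[].{action,role,member,
condition} is the one the answer points at in Logs Explorer.
"""
import copy

TENANT_SA = "serviceAccount:tenant@my-project.iam.gserviceaccount.com"  # hypothetical
TENANT_CONDITION = {
    "title": "TenantSpace",
    "expression": 'resource.type == "storage.googleapis.com/Object" && '
                  'resource.name.startsWith("projects/_/buckets/demo/")',
}

# Constructed sample: the SetIamPolicy audit entry as seen in Logs Explorer
# after the script in the question ran.  Only the fields used here are kept.
AUDIT_LOG_ENTRY = {
    "protoPayload": {
        "methodName": "SetIamPolicy",
        "resourceName": "projects/my-project",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "REMOVE", "role": "roles/owner",
             "member": "user:alice@example.com"},
            {"action": "REMOVE", "role": "roles/container.serviceAgent",
             "member": "serviceAccount:service-123@container-engine-robot"
                       ".iam.gserviceaccount.com"},
            {"action": "REMOVE", "role": "roles/editor",
             "member": "serviceAccount:123-compute@developer.gserviceaccount.com"},
            {"action": "ADD", "role": "roles/storage.objectAdmin",
             "member": TENANT_SA, "condition": TENANT_CONDITION},
        ]}},
    }
}

# Constructed sample: the policy as getIamPolicy returns it after the
# accident, i.e. only the binding the script set, plus the etag.
CURRENT_POLICY = {
    "version": 3,
    "etag": "BwXabc123=",
    "bindings": [
        {"role": "roles/storage.objectAdmin", "members": [TENANT_SA],
         "condition": TENANT_CONDITION},
    ],
}


def removed_bindings(entry):
    """Bindings (role, member, optional condition) the logged call removed."""
    deltas = entry["protoPayload"]["serviceData"]["policyDelta"]["bindingDeltas"]
    return [d for d in deltas if d["action"] == "REMOVE"]


def merge_bindings(policy, deltas):
    """Return a copy of policy with every delta's member added to the binding
    for its role and condition.  Existing bindings and the etag are kept, so
    the result is safe to pass to setIamPolicy (read-modify-write); a member
    that is already present is not duplicated, so re-running is harmless."""
    merged = copy.deepcopy(policy)
    bindings = merged.setdefault("bindings", [])
    for delta in deltas:
        condition = delta.get("condition")
        target = next((b for b in bindings
                       if b["role"] == delta["role"]
                       and b.get("condition") == condition), None)
        if target is None:
            target = {"role": delta["role"], "members": []}
            if condition is not None:
                target["condition"] = condition
            bindings.append(target)
        if delta["member"] not in target["members"]:
            target["members"].append(delta["member"])
    if any("condition" in b for b in bindings):
        merged["version"] = 3  # conditional bindings require policy version 3
    return merged


def restore_policy_body(current_policy, entry):
    """setIamPolicy request body that re-adds what `entry` removed."""
    return {"policy": merge_bindings(current_policy, removed_bindings(entry))}


def restore_via_api(service, project_id, entry):
    """Same flow against a real cloudresourcemanager v1 client (not run here):
    fetch the live policy with its etag, merge, and write it back."""
    current = service.projects().getIamPolicy(
        resource=project_id,
        body={"options": {"requestedPolicyVersion": 3}}).execute()
    return service.projects().setIamPolicy(
        resource=project_id,
        body=restore_policy_body(current, entry)).execute()


if __name__ == "__main__":
    import json
    print(json.dumps(restore_policy_body(CURRENT_POLICY, AUDIT_LOG_ENTRY), indent=2))
```

Because the merge keeps the etag from getIamPolicy, the setIamPolicy call fails instead of silently overwriting if someone else changed the policy between the read and the write; and because it only appends members, the same pattern is the safe way to add the role the question originally wanted.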