DEVHIDE
Login Or Sign up

GCP IAM Policy revoked all access

32 Views Asked by At

I was playing with an IAM policy which looks like as below,

{
  "bindings": [
    {
      "members": [
        "user:[email protected]"
      ],
      "role": "projects/PROJECT_ID/roles/CUSTOM_ROLE",
      "condition": {
          "title": "Bucket reader condition example",
          "description": "Grants role to user [email protected] for the specific condition.",
          "expression":
            "resource.name == \"projects/PROJECT_ID/locations/us-central1/buckets/LOG_BUCKET_ID/views/VIEW_ID\""
      }
    }
  ],
}

The custom role has only permissions related to the GCP pre-defined role "roles/logging.viewAccessor".

The gcloud command that I executed was, gcloud projects set-iam-policy PROJECT_ID viewPolicy.jsonn

I applied this policy and accidentally revoked all other users/service accounts access including owner as well. How do I get back the access, please suggest.

google-cloud-platform policy google-iam identity-management
Original Q&A
1

There are 1 best solutions below

0
lsalazar On

If your project is under an organization, the Organization admin can give project Owner roles back to the user and service accounts. Else, your only option is to contact Google Cloud Support.

FYI [1],

Terraform for GCP has 3 ‘levels’.

google_project_iam_member is a grant of a specific user (machine or human) to a role, so it doesn’t guarantee that no other users have that role, i.e. is non-authoritative.

google_project_iam_binding is authoritative for a role, so will stomp on any existing user->role memberships. Which can mean, if you’re using it to control a high level admin role and issue a destroy rather than an update, that you lock yourself out of the role.

google_project_iam_policy (which was used here) is the user->role mapping for every user/role in the entire project. So you can use it to be really sure of your IAM and lock stuff right down across the board, but of course if you messed it up (or issue a destroy/update that requires destroy+create), you lock every user out of the entire project. There is no ‘root’ user that can’t be locked out of admin like in AWS.

[1]. https://www.reddit.com/r/Terraform/comments/xs3xhi/locked_myself_out_of_project/

Related Questions in GOOGLE-CLOUD-PLATFORM

Related Questions in POLICY

Related Questions in GOOGLE-IAM

Related Questions in IDENTITY-MANAGEMENT

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs

Popular Questions

.

Copyright © 2021 Jogjafile Inc.