# GCP IAM Permissions tracking
----
### WHAT?
----
- Google retires existing permissions and adds new ones
- these changes are published periodically
----
# Google Permission Tracker

[https://cloud.google.com/iam/docs/permissions-change-log](https://cloud.google.com/iam/docs/permissions-change-log)
----
### WHY?
- Security blind spot
----
### HOW?
AUTOMATION
----
### Solution?
Using GitHub Actions
##### Automation logic
- enumerate currently available custom, primitive and predefined roles
- dump this periodically (e.g. twice a week)
- compare the change log with current roles
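The comparison step, as an added example (not the tracker's own code): two role snapshots are parsed and diffed, and permission additions and removals are reported per role. It assumes each snapshot is the JSON list of role objects with `name` and `includedPermissions` fields, as returned by the IAM `roles.list` API with `view=FULL` or by `gcloud iam roles describe`; all role and permission names in the sample data are constructed placeholders, not real GCP roles.

```python
"""Diff two snapshots of GCP IAM role definitions to spot permission changes.

Added example for the automation described on this slide; not the project's
own code. Assumes each snapshot is a JSON list of role objects carrying
"name" and "includedPermissions" (IAM roles.list with view=FULL, or
`gcloud iam roles describe` output collected into a list). Every role and
permission name below is a constructed placeholder.
"""
import json
from typing import Dict, Set

Snapshot = Dict[str, Set[str]]

# Constructed sample: the snapshot the previous scheduled run committed.
OLD_SNAPSHOT_JSON = json.dumps([
    {"name": "roles/example.developer",
     "includedPermissions": ["example.clusters.get", "example.clusters.list",
                             "example.nodes.update"]},
    {"name": "roles/example.viewer",
     "includedPermissions": ["example.clusters.get", "example.clusters.list"]},
    {"name": "roles/example.legacyAdmin",
     "includedPermissions": ["example.clusters.delete"]},
])

# Constructed sample: the snapshot the current run just fetched.
NEW_SNAPSHOT_JSON = json.dumps([
    {"name": "roles/example.developer",
     "includedPermissions": ["example.clusters.get", "example.clusters.list"]},
    {"name": "roles/example.viewer",
     "includedPermissions": ["example.clusters.get", "example.clusters.list"]},
    {"name": "roles/example.auditor",
     "includedPermissions": ["example.logs.list"]},
])


def load_snapshot(raw_json: str) -> Snapshot:
    """Parse a JSON list of role objects into {role name: set of permissions}."""
    snapshot: Snapshot = {}
    for role in json.loads(raw_json):
        # Roles with no permissions are still tracked so their removal shows up.
        snapshot[role["name"]] = set(role.get("includedPermissions", []))
    return snapshot


def diff_snapshots(old: Snapshot, new: Snapshot) -> dict:
    """Return roles added/removed and per-role permission additions/removals."""
    report = {
        "added_roles": sorted(set(new) - set(old)),
        "removed_roles": sorted(set(old) - set(new)),
        "changed_roles": {},
    }
    for name in sorted(set(old) & set(new)):
        added = sorted(new[name] - old[name])
        removed = sorted(old[name] - new[name])
        if added or removed:
            report["changed_roles"][name] = {"added": added, "removed": removed}
    return report


def has_changes(diff: dict) -> bool:
    """True when anything differs; the workflow only commits in that case."""
    return bool(diff["added_roles"] or diff["removed_roles"] or diff["changed_roles"])


def render_report(diff: dict) -> str:
    """Render the diff as plain text for a commit message or issue body."""
    lines = []
    for name in diff["added_roles"]:
        lines.append(f"+ role added: {name}")
    for name in diff["removed_roles"]:
        lines.append(f"- role removed: {name}")
    for name, change in diff["changed_roles"].items():
        for perm in change["added"]:
            lines.append(f"+ {name}: {perm}")
        for perm in change["removed"]:
            # Removals from predefined roles are the case worth flagging first:
            # they can silently change who is able to do what.
            lines.append(f"- {name}: {perm}")
    return "\n".join(lines) if lines else "no changes"


if __name__ == "__main__":
    diff = diff_snapshots(load_snapshot(OLD_SNAPSHOT_JSON),
                          load_snapshot(NEW_SNAPSHOT_JSON))
    print(render_report(diff))
```

In a scheduled GitHub Actions job the old snapshot is the file already in the repository and the new one is freshly dumped; when `has_changes` is true the job writes the new dump and commits it, so git history becomes the permanent record, and `render_report` supplies the commit message.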
----
### Commit changes

----
Why is this particular permission removal so interesting?
*A few reasons:*
- It wasn't immediately reflected on the IAM change log
- It was a removal of a permission from a predefined role
- It eliminated a direct privilege escalation path in GKE!
----