Tracking Service Account Modifications in Google Cloud Platform (GCP)

It's quite common to find that an important service account has been modified by someone, and you need to know who. Don't worry, my friend. Here is how you can track who did what.

  1. Log in to GCP and navigate to Logging

  2. Set a proper timeline from the date-time picker (last X hour or last Y days)

  3. Open up the Query Editor and paste the following query

protoPayload."@type"="type.googleapis.com/google.cloud.audit.AuditLog"
resource.type="service_account"
protoPayload.methodName="google.iam.admin.v1.DeleteServiceAccount"

Voila! Look for the principalEmail field (protoPayload.authenticationInfo.principalEmail) in each matching entry, which will show the name of the person (or bot) who made the change.
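The same three conditions can be applied outside the Console, which is handy when the entries have already been exported. The script below is an added example and not part of the original post: it builds the post's filter (widened, as an assumption, to a few other google.iam.admin.v1 methods that also change a service account) and runs the equivalent match over newline-delimited JSON audit log entries such as a Cloud Storage log sink writes. The sample entries, principals, project name and timestamps are all constructed for the example.

```python
import json
from typing import Dict, Iterable, List, Sequence

AUDIT_LOG_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"

# DeleteServiceAccount is the method the post queries; the others are an
# assumption about what a broader "who changed my service account" watch
# should include (update, disable, new key, IAM policy change).
SA_CHANGE_METHODS: Sequence[str] = (
    "google.iam.admin.v1.DeleteServiceAccount",
    "google.iam.admin.v1.UpdateServiceAccount",
    "google.iam.admin.v1.DisableServiceAccount",
    "google.iam.admin.v1.CreateServiceAccountKey",
    "google.iam.admin.v1.SetIAMPolicy",
)


def build_filter(methods: Sequence[str] = SA_CHANGE_METHODS) -> str:
    """Return a Logging query-language filter with the post's three conditions,
    the methodName condition being an OR over the given method names."""
    method_clause = " OR ".join(f'protoPayload.methodName="{m}"' for m in methods)
    return "\n".join([
        f'protoPayload."@type"="{AUDIT_LOG_TYPE}"',
        'resource.type="service_account"',
        f"({method_clause})",
    ])


def parse_entries(lines: Iterable[str],
                  methods: Sequence[str] = SA_CHANGE_METHODS) -> List[Dict[str, str]]:
    """Apply the same conditions as build_filter() to raw JSON log lines and
    return one who/what/when record per matching entry, oldest first."""
    hits: List[Dict[str, str]] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip a malformed line instead of aborting the whole run
        payload = entry.get("protoPayload", {})
        if payload.get("@type") != AUDIT_LOG_TYPE:
            continue
        if entry.get("resource", {}).get("type") != "service_account":
            continue
        method = payload.get("methodName")
        if method not in methods:
            continue
        hits.append({
            "timestamp": entry.get("timestamp", ""),
            # This is the field the post tells you to look for.
            "principal": payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
            "method": method,
            "resource": payload.get("resourceName", ""),
            "caller_ip": payload.get("requestMetadata", {}).get("callerIp", ""),
        })
    hits.sort(key=lambda h: h["timestamp"])
    return hits


# Constructed sample export: two real changes, one read-only call, one entry
# for a different resource type, and one corrupted line.
SAMPLE_LOG_LINES = [
    json.dumps({"timestamp": "2024-01-05T11:30:00Z",
                "resource": {"type": "service_account"},
                "protoPayload": {"@type": AUDIT_LOG_TYPE,
                                 "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
                                 "authenticationInfo": {"principalEmail": "deployer@example-project.iam.gserviceaccount.com"},
                                 "resourceName": "projects/-/serviceAccounts/123456789",
                                 "requestMetadata": {"callerIp": "203.0.113.7"}}}),
    json.dumps({"timestamp": "2024-01-05T10:00:00Z",
                "resource": {"type": "service_account"},
                "protoPayload": {"@type": AUDIT_LOG_TYPE,
                                 "methodName": "google.iam.admin.v1.DeleteServiceAccount",
                                 "authenticationInfo": {"principalEmail": "alice@example.com"},
                                 "resourceName": "projects/-/serviceAccounts/123456789"}}),
    json.dumps({"timestamp": "2024-01-05T10:05:00Z",
                "resource": {"type": "service_account"},
                "protoPayload": {"@type": AUDIT_LOG_TYPE,
                                 "methodName": "google.iam.admin.v1.GetServiceAccount",
                                 "authenticationInfo": {"principalEmail": "bob@example.com"}}}),
    json.dumps({"timestamp": "2024-01-05T10:06:00Z",
                "resource": {"type": "gce_instance"},
                "protoPayload": {"@type": AUDIT_LOG_TYPE,
                                 "methodName": "google.iam.admin.v1.DeleteServiceAccount",
                                 "authenticationInfo": {"principalEmail": "mallory@example.com"}}}),
    '{"timestamp": "2024-01-05T10:07:00Z", "protoPayload": ',
]

if __name__ == "__main__":
    print(build_filter())
    for hit in parse_entries(SAMPLE_LOG_LINES):
        print(f'{hit["timestamp"]}  {hit["principal"]}  {hit["method"]}  {hit["resource"]}')
```

The string returned by build_filter() can be pasted into the Query Editor exactly like the post's snippet, or passed as the filter argument to gcloud logging read with a --freshness window matching step 2. parse_entries() deliberately checks resource.type as well as methodName, so an audit entry for some other resource that happens to carry the same method name is not reported.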