Tracking Service Account Modifications in Google Cloud Platform (GCP)
It's quite common to see your important service account being modified by someone. Don't worry, my friend. Here is how you can track who did what.
Log in to GCP and navigate to Logging
Set a suitable time range from the date-time picker (last X hours or last Y days)
Open up the Query Editor and paste the following query
protoPayload."@type"="type.googleapis.com/google.cloud.audit.AuditLog"
resource.type="service_account"
protoPayload.methodName="google.iam.admin.v1.DeleteServiceAccount"
Voila! Look for the principalEmail field in the output, which will show the name of the person (or bot) who made the change.
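The same three filter conditions, applied offline to exported log entries, as an added example that is not part of the original post: it widens the query from DeleteServiceAccount to the other mutating IAM methods and reads principalEmail from its actual location, protoPayload.authenticationInfo. The method-name set and the sample entries are assumptions constructed for this example, not real log data.

```python
AUDIT_LOG_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"

# Assumed set of IAM audit-log method names that mutate a service account or its keys.
# The post's query matches DeleteServiceAccount only; read-only calls such as
# GetServiceAccount are deliberately left out.
SA_CHANGE_METHODS = {
    "google.iam.admin.v1.DeleteServiceAccount",
    "google.iam.admin.v1.UpdateServiceAccount",
    "google.iam.admin.v1.DisableServiceAccount",
    "google.iam.admin.v1.EnableServiceAccount",
    "google.iam.admin.v1.CreateServiceAccountKey",
    "google.iam.admin.v1.DeleteServiceAccountKey",
}

def _entry(ts, method, who, sa, rtype="service_account"):
    """Build a constructed log entry shaped like a Cloud Logging JSON export."""
    return {"timestamp": ts, "resource": {"type": rtype},
            "protoPayload": {"@type": AUDIT_LOG_TYPE, "methodName": method,
                             "authenticationInfo": {"principalEmail": who},
                             "resourceName": "projects/-/serviceAccounts/" + sa}}

# Constructed sample data (not real log output): a key creation by a bot, a deletion,
# a read-only call, and a delete logged under a non-service_account resource type.
SAMPLE_ENTRIES = [
    _entry("2024-01-10T09:17:00Z", "google.iam.admin.v1.CreateServiceAccountKey",
           "ci-bot@example-project.iam.gserviceaccount.com", "deploy@example-project.iam.gserviceaccount.com"),
    _entry("2024-01-10T09:15:00Z", "google.iam.admin.v1.DeleteServiceAccount",
           "alice@example.com", "builder@example-project.iam.gserviceaccount.com"),
    _entry("2024-01-10T09:16:00Z", "google.iam.admin.v1.GetServiceAccount",
           "bob@example.com", "builder@example-project.iam.gserviceaccount.com"),
    _entry("2024-01-10T09:18:00Z", "google.iam.admin.v1.DeleteServiceAccount",
           "carol@example.com", "old@example-project.iam.gserviceaccount.com", rtype="project"),
]

def service_account_changes(entries):
    """Apply the post's three filter conditions (AuditLog type, service_account resource,
    mutating methodName) and return who changed which account, oldest first."""
    hits = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if (payload.get("@type") == AUDIT_LOG_TYPE
                and entry.get("resource", {}).get("type") == "service_account"
                and payload.get("methodName") in SA_CHANGE_METHODS):
            hits.append({"timestamp": entry.get("timestamp"),
                         "principalEmail": payload.get("authenticationInfo", {}).get("principalEmail"),
                         "methodName": payload["methodName"],
                         "serviceAccount": payload.get("resourceName")})
    return sorted(hits, key=lambda h: h["timestamp"])
```

Running service_account_changes(SAMPLE_ENTRIES) keeps only the deletion by alice and the key creation by ci-bot; the read-only call and the entry with the wrong resource type are dropped.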