Integrate Google Cloud IAM with Google SecOps
This document explains how to integrate Google Cloud Identity and Access Management with Google Security Operations.
Use cases
The Google Cloud IAM integration supports the following use cases:
- Automated service account lifecycle management: Automatically create, enable, or disable service accounts during onboarding and offboarding processes to ensure access is granted only when necessary.
- Rapid identity incident response: Immediately delete or disable compromised service accounts and roles during a security incident to prevent unauthorized access to cloud resources.
- Identity governance and enrichment: Enrich User entities in Google SecOps with detailed service account metadata, such as display names and project IDs, to provide analysts with immediate context during investigations.
- Policy auditing and enforcement: Retrieve and audit access control policies to ensure they align with the principle of least privilege, and programmatically set new policies to remediate unauthorized changes.
- Role-based access control (RBAC) management: Create and manage custom IAM roles with specific permission sets across your organization to maintain granular control over cloud environment access.
Before you begin
Before you configure the Google Cloud IAM integration in Google SecOps, complete the following prerequisite steps:
- Create a custom IAM role: Define a role with the specific permissions required to manage service accounts and roles.
- Create a service account: Create the identity that the integration uses to perform actions.
- Select an authentication method: Choose between the recommended Workload Identity or a service account JSON key.
Create and configure a custom IAM role
To maintain the principle of least privilege, complete the following steps to create a custom role containing only the specific permissions necessary for this integration:
- In the Google Cloud console, go to IAM & Admin > Roles.
- Click Create Role.
- Provide a Title, Description, and ID.
- Set the Role launch stage to General Availability.
- Click Add Permissions and add the following specific permissions:
  - iam.serviceAccounts.list
  - iam.serviceAccounts.create
  - iam.serviceAccounts.get
  - iam.serviceAccounts.getIamPolicy
  - iam.serviceAccounts.setIamPolicy
  - iam.serviceAccounts.disable
  - iam.serviceAccounts.enable
  - iam.serviceAccounts.delete
  - iam.roles.list
  - iam.roles.get
  - iam.roles.create
  - iam.roles.delete
- Click Create.
Create a service account
The integration uses a service account to authenticate and execute IAM actions within your project.
To create a service account, complete the following steps:
- In the Google Cloud console, go to IAM & Admin > Service Accounts.
- Click Create Service Account.
- Enter a name and description, then click Create and Continue.
- In the Grant this service account access to project section, assign the custom role you created in the previous step to this service account. Click Done.
Select an authentication method
Google SecOps supports two authentication paths for this integration:
- Option 1: Workload Identity (recommended): This method uses short-lived tokens obtained through service account impersonation. It is more secure because it eliminates the need for long-lived JSON keys.
- Option 2: Service account JSON key: This method uses a static key file. Use this only if a Workload Identity is not available in your environment.
Authenticate using a Workload Identity (recommended)
To use a Workload Identity, you must authorize your Google SecOps instance to impersonate the service account you created.
- In Google SecOps, go to Content Hub > Response Integrations.
- Select the Google Cloud IAM integration.
- Enter your service account email in the Workload Identity Email field.
- Click Save and then click Test. The test is expected to fail initially.
- Click the close icon next to the failed test to view the error message.
- Search for the unique email address (formatted as gke-init-python@... or soar-python@...) found near the end of the error message. Copy this address.
Grant impersonation permissions
Once you have retrieved the unique identity for your Google SecOps instance, you must authorize it to access your Google Cloud resources. This step enables service account impersonation, allowing the platform to generate short-lived tokens and act on your behalf without the need for static keys.
- In the Google Cloud console, go to IAM & Admin > Service Accounts.
- Select the service account you created for this integration.
- Go to the Permissions tab and click Grant Access.
- Paste the unique email address you copied into the New principals field.
- Assign the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator). Click Save.
Authenticate using a JSON key
If using a Workload Identity isn't available in your environment, you can authenticate the integration using a service account JSON key. This method relies on a static, long-lived secret file to establish the connection between the platform and your Google Cloud resources.
- In the Google Cloud console, go to IAM & Admin > Service Accounts and select your service account.
- Go to the Keys tab.
- Click Add Key > Create new key.
- Select JSON as the key type and click Create. The file downloads to your computer.
- Copy the entire content of the JSON file.
- When you configure this integration in the platform, paste the content into the Service Account Json File Content field.
Integration parameters
The Google Cloud IAM integration requires the following parameters:
| Parameter | Description |
|---|---|
| API Root | Optional. The base URL of the Google Cloud IAM instance. The default value is |
| Account Type | Optional. The type of the Google Cloud account. This value corresponds to the The default value is |
| Project ID | Optional. The project ID of the Google Cloud account. This value corresponds to the |
| Quota Project ID | Optional. The project ID used for quota and billing purposes when making API requests. |
| Private Key ID | Optional. The private key ID of the Google Cloud account. This value corresponds to the |
| Private Key | Optional. The private key of the Google Cloud account. This value corresponds to the |
| Client Email | Optional. The client email of the Google Cloud account. This value corresponds to the |
| Client ID | Optional. The client ID of the Google Cloud account. This value corresponds to the |
| Auth URI | Optional. The authentication URI for the Google Cloud account. This value corresponds to the The default value is |
| Token URI | Optional. The token URI for the Google Cloud account. This value corresponds to the The default value is |
| Auth Provider X509 URL | Optional. The auth provider X.509 certificate URL. This value corresponds to the The default value is |
| Client X509 URL | Optional. The client X.509 certificate URL. This value corresponds to the |
| Organization ID | Optional. The unique identifier for your Google Cloud organization. |
| Service Account Json File Content | Optional. The full JSON content of the service account key file. If this parameter is provided, individual connection parameters (such as |
| Workload Identity Email | Optional. The email address associated with the Workload Identity service account. |
| Verify SSL | Optional. If selected, the integration validates the SSL certificate when connecting to the Google Cloud IAM service. Enabled by default. |
For instructions about how to configure an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.
Actions
For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.
Create Role
Create an Identity and Access Management role.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Role ID | String | N/A | Yes | Specify role id for newly created Identity and Access Management role. |
| Role Definition | String | N/A | Yes | Specify JSON policy document to use as the role definition. |
Run On
The action doesn't run on entities.
Example For Role Policy JSON
```json
{
  "name": "projects/silver-shift-275007/roles/iam_test_role_api",
  "title": "iam_test_role_api",
  "description": "test role",
  "includedPermissions": [
    "storagetransfer.projects.getServiceAccount"
  ],
  "stage": "GA",
  "etag": "BwXBu1RHiPw="
}
```
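As an added example (not code from the integration itself), the following Python builds a role definition document in the shape shown above from the permission list in the custom-role section, and pre-checks a definition before it is handed to the Create Role action, so the "not valid" case is caught in the playbook rather than at the API. The launch-stage names and the role-ID character rule are assumed from the IAM API reference, not taken from this page.

```python
import json
import re

# Permission set from the "Create and configure a custom IAM role" section of this page.
INTEGRATION_PERMISSIONS = [
    "iam.serviceAccounts.list", "iam.serviceAccounts.create", "iam.serviceAccounts.get",
    "iam.serviceAccounts.getIamPolicy", "iam.serviceAccounts.setIamPolicy",
    "iam.serviceAccounts.disable", "iam.serviceAccounts.enable", "iam.serviceAccounts.delete",
    "iam.roles.list", "iam.roles.get", "iam.roles.create", "iam.roles.delete",
]

# Launch stages of the IAM Role resource (assumed from the IAM API reference).
VALID_STAGES = {"ALPHA", "BETA", "GA", "DEPRECATED", "DISABLED", "EAP"}
# Role IDs: 3-64 characters of letters, digits, period and underscore (assumed constraint).
ROLE_ID_RE = re.compile(r"^[A-Za-z0-9_.]{3,64}$")
# Permissions look like service.resource.verb (at least three dot-separated segments).
PERMISSION_RE = re.compile(r"^[a-z][a-zA-Z0-9]*(\.[a-zA-Z0-9]+){2,}$")


def build_role_definition(project_id, role_id, title, description, permissions, stage="GA"):
    """Return a role definition dict in the shape the Create Role action expects."""
    return {
        "name": f"projects/{project_id}/roles/{role_id}",
        "title": title,
        "description": description,
        "includedPermissions": sorted(set(permissions)),  # de-duplicated, stable order
        "stage": stage,
    }


def to_action_input(role_definition):
    """Serialize the dict into the JSON string pasted into the Role Definition parameter."""
    return json.dumps(role_definition, indent=2)


def validate_role_definition(document):
    """Return a list of problems found in a role definition JSON string; [] means it passes."""
    problems = []
    try:
        doc = json.loads(document)
    except (TypeError, ValueError) as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top-level value must be a JSON object"]

    match = re.fullmatch(r"projects/([^/]+)/roles/([^/]+)", doc.get("name", ""))
    if not match:
        problems.append("name must look like projects/PROJECT_ID/roles/ROLE_ID")
    elif not ROLE_ID_RE.match(match.group(2)):
        problems.append(f"role id {match.group(2)!r} must be 3-64 letters, digits, '.' or '_'")

    if not doc.get("title"):
        problems.append("title is required")

    perms = doc.get("includedPermissions")
    if not isinstance(perms, list) or not perms:
        problems.append("includedPermissions must be a non-empty list")
    else:
        for perm in perms:
            if not isinstance(perm, str) or not PERMISSION_RE.match(perm):
                problems.append(f"malformed permission: {perm!r}")
        dupes = {p for p in perms if perms.count(p) > 1}
        if dupes:
            problems.append(f"duplicate permissions: {sorted(dupes)}")

    if doc.get("stage", "GA") not in VALID_STAGES:
        problems.append(f"unknown stage: {doc.get('stage')!r}")
    return problems
```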
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
JSON Result
```json
{
  "name": "projects/[PROJECT_ID]/roles/[ROLE_NAME]",
  "title": "[ROLE_TITLE]",
  "description": "[ROLE_DESCRIPTION]",
  "includedPermissions": [
    "storagetransfer.projects.getServiceAccount"
  ],
  "stage": "GA",
  "etag": "[ETAG_VALUE]"
}
```
Case Wall
The action should not fail nor stop a playbook execution:
- If the action runs successfully (is_success=true): Identity and Access Management <roleid> was created successfully.
- If the provided role_id already exists (is_success=false): Provided role id <role_id> already exists.
- If the provided role JSON is not valid (is_success=false): Provided role definition JSON document <role json> is not valid.
The action should fail and stop a playbook execution:
- If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Create Role". Reason: {0}".format(error.Stacktrace)
Create Service Account
Create an Identity and Access Management Service Account.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Service Account ID | String | String | Yes | Specify service account id to create. |
| Service Account Display Name | String | String | No | Specify service account display name to create. |
| Service Account Description | String | String | No | Specify service account description to create. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
JSON Result
```json
{
  "name": "projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com",
  "projectId": "PROJECT_ID",
  "uniqueId": "UNIQUE_ID",
  "email": "SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com",
  "displayName": "SERVICE_ACCOUNT_DISPLAY_NAME",
  "etag": "ETAG_VALUE",
  "description": "SERVICE_ACCOUNT_DESCRIPTION",
  "oauth2ClientId": "UNIQUE_ID"
}
```
Case Wall
The action should not fail nor stop a playbook execution:
- If the action runs successfully (is_success=true): Google Cloud Service Account was created successfully <unique id>.
- If the action failed to run because the provided service account already exists (is_success=false): Provided service account <unique id> already exists.
The action should fail and stop a playbook execution:
- If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Create Service Account". Reason: {0}".format(error.Stacktrace)
Delete Role
Delete an Identity and Access Management Role.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Role ID | String | N/A | Yes | Specify role id for newly created Identity and Access Management role. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
JSON Result
```json
{
  "name": "projects/[PROJECT_ID]/roles/[ROLE_NAME]",
  "title": "[ROLE_TITLE]",
  "description": "[ROLE_DESCRIPTION]",
  "includedPermissions": [
    "storagetransfer.projects.getServiceAccount"
  ],
  "stage": "GA",
  "etag": "[ETAG_VALUE]",
  "deleted": true
}
```
Case Wall
The action should not fail nor stop a playbook execution:
- If the action runs successfully (is_success=true): Identity and Access Management <roleid> was successfully deleted.
- If the provided role_id does not exist (is_success=false): Provided role id <role_id> does not exist.
The action should fail and stop a playbook execution:
- If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Delete Role". Reason: {0}".format(error.Stacktrace)
Delete Service Account
Delete service account. Action expects Identity and Access Management service account email as a Google SecOps User entity.
Run On
This action runs on the User entity.
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
Case Wall
The action should not fail nor stop a playbook execution:
- If successful for at least one of the provided entities: "Successfully deleted the following service accounts: {0}".format([entity.Identifier])
- If it fails to delete all of the provided entities: "No service accounts were deleted."
- If it fails to find data in Identity and Access Management to delete specific entities: "Action was not able to find a match in Identity and Access Management for the provided entities: {0}".format([entity.identifier])
The action should fail and stop a playbook execution:
- If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Delete Service Account". Reason: {0}".format(error.Stacktrace)
Disable Service Account
Disable service account. Action expects Identity and Access Management service account email as a Google SecOps User entity.
Run On
This action runs on the User entity.
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
Case Wall
The action should not fail nor stop a playbook execution:
- If successful for at least one of the provided entities: "Successfully disabled the following service accounts: {0}".format([entity.Identifier])
- If it fails to disable all of the provided entities: "No service accounts were disabled."
- If it fails to find data in Google Cloud Identity and Access Management to disable specific entities: "Action was not able to find a match in Google Cloud Identity and Access Management for the provided entities: {0}".format([entity.identifier])
The action should fail and stop a playbook execution:
- If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Disable Service Account". Reason: {0}".format(error.Stacktrace)
Enable Service Account
Enable service account. Action expects Identity and Access Management service account email as a Google SecOps User entity.
Run On
This action runs on the User entity.
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
Case Wall
The action should not fail nor stop a playbook execution:
- If successful for at least one of the provided entities: "Successfully enabled the following service accounts: {0}".format([entity.Identifier])
- If it fails to enable all of the provided entities: "No service accounts were enabled."
- If it fails to find data in Identity and Access Management to enable specific entities: "Action was not able to find a match in Identity and Access Management for the provided entities: {0}".format([entity.identifier])
The action should fail and stop a playbook execution:
- If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Enable Service Account". Reason: {0}".format(error.Stacktrace)
Enrich Entities
Enrich Google SecOps User entities with service accounts information from Identity and Access Management. Action expects Identity and Access Management service account email as a Google SecOps User entity.
Run On
This action runs on the User entity.
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
JSON Result
```json
{
  "name": "projects/[PROJECT_ID]/serviceAccounts/[SERVICE_ACCOUNT_NAME]@[PROJECT_ID].iam.gserviceaccount.com",
  "projectId": "[PROJECT_ID]",
  "uniqueId": "[UNIQUE_ID]",
  "email": "[SERVICE_ACCOUNT_NAME]@[PROJECT_ID].iam.gserviceaccount.com",
  "displayName": "[DISPLAY_NAME]",
  "etag": "[ETAG]",
  "description": "[DESCRIPTION]",
  "oauth2ClientId": "[UNIQUE_ID]"
}
```
Entity Enrichment
| Enrichment Field Name | Logic - When to apply |
|---|---|
| Google_IAM_name | |
| Google_IAM_project_id | |
| Google_IAM_unique_id | |
| Google_IAM_email | |
| Google_IAM_display_name | |
| Google_IAM_description | |
| Google_IAM_oauth2_client_id | |
Case Wall
The action should not fail nor stop a playbook execution:
- If successful and at least one of the provided entities was enriched: "Successfully enriched entities: {0}".format([entity.Identifier])
- If it fails to enrich all of the provided entities: "No entities were enriched."
- If it fails to find data in Identity and Access Management to enrich specific entities: "Action was not able to find a match in Identity and Access Management to enrich provided entities: {0}".format([entity.identifier])
The action should fail and stop a playbook execution:
- If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Enrich Entities". Reason: {0}".format(error.Stacktrace)
Table Name: {entity} Enrichment Table
Columns: Key, Value
Get Service Account IAM Policy
Gets the access control policy for the service account. Action expects Identity and Access Management service account email as a Google SecOps User entity. Note that policy may be empty if no policy is assigned to the service account.
Run On
This action runs on the User entity.
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
JSON Result
```json
{
  "version": 1,
  "etag": "[ETAG_VALUE]",
  "bindings": [
    {
      "role": "roles/iam.securityReviewer",
      "members": [
        "user:[USER_EMAIL]"
      ]
    }
  ]
}
```
Case Wall
The action should not fail nor stop a playbook execution:
- If the action runs successfully (is_success=true): "Successfully fetched Identity and Access Management policy for the following Google Cloud Service Accounts: <email id1, email id 2...>"
- If the action didn't find info for the entity (for example, a non-existent Google Identity and Access Management email was provided): "Action was not able to fetch Identity and Access Management policy for the following Google Cloud Service Accounts: <email id1, email id2 ..>"
- If it fails to find an Identity and Access Management policy for all of the provided entities: "Identity and Access Management policy was not found for any of the provided entities."
The action should fail and stop a playbook execution:
- If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Get Service Account IAM Policy". Reason: {0}".format(error.Stacktrace)
List Roles
List Identity and Access Management roles based on the specified search criteria. Note that this action doesn't run on Google SecOps entities.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| View | DDL | Basic | No | Specify which view should be used to return role information. |
| Max Rows to Return | Integer | 50 | No | Specify how many roles the action should return. |
| List Project Custom Roles Only? | Checkbox | Unchecked | No | If enabled, the action returns only custom roles defined for the current project id. |
| Show Deleted | Checkbox | Unchecked | No | If enabled, the action also returns deleted roles. |
Run On
The action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
JSON Result
```json
{
  "roles": [
    {
      "name": "roles/accessapproval.approver",
      "title": "Access Approval Approver",
      "description": "Ability to view or act on access approval requests and view configuration",
      "stage": "BETA",
      "etag": "[ETAG_VALUE]"
    },
    {
      "name": "roles/accessapproval.configEditor",
      "title": "Access Approval Config Editor",
      "description": "Ability update the Access Approval configuration",
      "stage": "BETA",
      "etag": "[ETAG_VALUE]"
    }
  ]
}
```
Case Wall
The action should not fail nor stop a playbook execution:
- If roles were listed successfully (is_success=true): "Successfully fetched Identity and Access Management roles."
- If no values are available (is_success=false): "No roles were returned for the specified input parameters."
The action should fail and stop a playbook execution:
- If fatal error, invalid zone, SDK error, like wrong credentials, no connection to server, other: "Error executing action "List Roles". Reason: {0}".format(error.Stacktrace)
Table Name: Google Cloud IAM Roles
Table Columns:
- Role Name
- Role Title
- Role Description
- Role Stage
- Role Etag
- Role Permissions
List Service Accounts
List Identity and Access Management service accounts based on the specified search criteria. Note that this action doesn't run on Google SecOps entities.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Service Account Display Name | String | N/A | No | Specify service account display name to return. Parameter accepts multiple values as a comma separated string. |
| Service Account Email | String | N/A | No | Specify service account email to return. Parameter accepts multiple values as a comma separated string. |
| Max Rows to Return | Integer | 50 | No | Specify how many roles the action should return. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
JSON Result
```json
{
  "accounts": [
    {
      "name": "projects/[PROJECT_ID]/serviceAccounts/[SERVICE_ACCOUNT_NAME]@[PROJECT_ID].iam.gserviceaccount.com",
      "projectId": "[PROJECT_ID]",
      "uniqueId": "[UNIQUE_ID]",
      "email": "[SERVICE_ACCOUNT_NAME]@[PROJECT_ID].iam.gserviceaccount.com",
      "displayName": "[DISPLAY_NAME]",
      "etag": "[ETAG_VALUE]",
      "description": "[SERVICE_ACCOUNT_DESCRIPTION]",
      "oauth2ClientId": "[UNIQUE_ID]"
    }
  ]
}
```
Case Wall
The action should not fail nor stop a playbook execution:
- If service accounts were listed successfully (is_success=true): "Successfully fetched Google Cloud service accounts."
- If no values are available (is_success=false): "No service accounts were returned for the specified input parameters."
The action should fail and stop a playbook execution:
- If fatal error, invalid zone, SDK error, like wrong credentials, no connection to server, other: "Error executing action "List Service Accounts". Reason: {0}".format(error.Stacktrace)
Table Name: Google Cloud Service Accounts
Table Columns:
- Service Account Name
- Service Account Unique ID
- Service Account Email
- Service Account Display Name
- Service Account Description
- Service Account Oauth2 Client ID
Ping
Test connectivity to the Identity and Access Management service with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
Case Wall
The action should not fail nor stop a playbook execution:
- If successful: "Successfully connected to the Identity and Access Management service with the provided connection parameters!"
The action should fail and stop a playbook execution:
- If critical error, like wrong credentials or lost connectivity: "Failed to connect to the Identity and Access Management service! Error is {0}".format(exception.stacktrace)
Rotate Service Account Keys
Use the Rotate Service Account Keys action to rotate user-managed keys associated with a service account. During rotation, all existing keys are deleted and a new key is created.
This action runs on the following Google SecOps entities:
- Deployment
- Username
Action inputs
The Rotate Service Account Keys action requires the following parameters:
| Parameter | Description |
|---|---|
| Service Account | Optional. A comma-separated list of service accounts for which to rotate keys. This parameter works alongside entities. If provided, the action rotates keys for these specific accounts in addition to any service account entities identified in the action scope. |
Action outputs
The Rotate Service Account Keysaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Rotate Service Account Keys action:
```json
[
  {
    "Entity": "123",
    "EntityResult": {
      "name": "projects/example-project/serviceAccounts/sample-sa@example-project.iam.gserviceaccount.com/keys/b333bbda7826af991a4d4cc4e3f83325103580ca",
      "validAfterTime": "2023-09-12T11:02:31Z",
      "validBeforeTime": "9999-12-31T23:59:59Z",
      "keyAlgorithm": "KEY_ALG_RSA_2048",
      "keyOrigin": "GOOGLE_PROVIDED",
      "keyType": "USER_MANAGED"
    }
  },
  {
    "Entity": "1234",
    "EntityResult": {
      "name": "projects/example-project/serviceAccounts/sample-sa@example-project.iam.gserviceaccount.com/keys/b333bbda7826af991a4d4cc4e3f83325103580ca",
      "validAfterTime": "2023-09-12T11:02:31Z",
      "validBeforeTime": "9999-12-31T23:59:59Z",
      "keyAlgorithm": "KEY_ALG_RSA_2048",
      "keyOrigin": "GOOGLE_PROVIDED",
      "keyType": "USER_MANAGED"
    }
  }
]
```
Output messages
The Rotate Service Account Keys action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Rotate Service Account Keys". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Rotate Service Account Keys action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Set Service Account IAM Policy
Sets the access control policy on the specified service account. Action expects Identity and Access Management service account email as a Google SecOps account entity. Note that policy provided in action replaces any existing policy.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Policy | String | N/A | Yes | Specify JSON policy document to set for service account. |
Run On
This action runs on the Account entity.
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
JSON Result
```json
{
  "version": 1,
  "etag": "[ETAG_VALUE]",
  "bindings": [
    {
      "role": "roles/iam.securityReviewer",
      "members": [
        "user:[USER_EMAIL]"
      ]
    }
  ]
}
```
Case Wall
The action should not fail nor stop a playbook execution:
- If some are successful (is_success=true): Successfully set Identity and Access Management policy for the following Google Cloud Service Accounts: <email id1, ...>
- If some failed: Action was not able to set Identity and Access Management policy for the following Google Cloud Service Accounts: <email id1, ....>
- If all failed: No Service Account Identity and Access Management policies were set.
- If the provided policy JSON is not valid (is_success=false): Provided policy JSON document <policy> is not valid.
The action should fail and stop a playbook execution:
- If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Set Service Account IAM Policy". Reason: {0}".format(error.Stacktrace)
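Because Set Service Account IAM Policy replaces the existing policy, a playbook that only wants to revoke or add one principal should start from the policy returned by Get Service Account IAM Policy (which may be empty), change that copy, and pass it back with its etag intact so the Set call carries the version that was read. The helpers below are an added example, not code from the integration, operating on a constructed policy in the JSON shape documented above; the skip of conditional bindings is a defensive assumption.

```python
import copy

# Constructed sample in the shape returned by Get Service Account IAM Policy.
CURRENT_POLICY = {
    "version": 1,
    "etag": "[ETAG_VALUE]",  # placeholder, as on this page
    "bindings": [
        {"role": "roles/iam.securityReviewer",
         "members": ["user:alice@example.com"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["user:alice@example.com", "user:bob@example.com"]},
    ],
}


def remove_member(policy, member):
    """Return a copy of `policy` with `member` removed from every binding.

    Bindings left empty are dropped; version and etag are preserved so the
    Set action submits the same etag that Get returned. The input is not mutated.
    """
    new_policy = copy.deepcopy(policy)
    kept = []
    for binding in new_policy.get("bindings", []):
        members = [m for m in binding.get("members", []) if m != member]
        if members:
            binding["members"] = members
            kept.append(binding)
    new_policy["bindings"] = kept
    return new_policy


def add_binding(policy, role, member):
    """Return a copy of `policy` with `member` granted `role`, idempotently.

    Works on an empty policy (no "bindings" key) as Get may return one.
    Conditional bindings are never extended (assumed safety rule): a member
    appended there would inherit a condition the caller did not review.
    """
    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])
    for binding in bindings:
        if binding.get("role") == role and not binding.get("condition"):
            members = binding.setdefault("members", [])
            if member not in members:
                members.append(member)
            return new_policy
    bindings.append({"role": role, "members": [member]})
    return new_policy


def diff_bindings(before, after):
    """Summarise what a Set call would change, as sorted (role, member) pairs.

    Useful as a case-wall line before the policy is applied, since Set replaces
    the whole policy and any pair missing from `after` is silently revoked.
    """
    def flatten(policy):
        return {(b.get("role"), m)
                for b in policy.get("bindings", [])
                for m in b.get("members", [])}

    old, new = flatten(before), flatten(after)
    return {"granted": sorted(new - old), "revoked": sorted(old - new)}
```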