We had an iam user got deleted and need to find out who did it. Is there a way to get this info from cloud logging?
If an IAM user (like a service account or any account with permissions) was deleted in Google Cloud, you can figure out who did it by checking the activity logs in Cloud Logging. Here’s how you can find out:
Steps to Find Out Who Deleted the IAM User:
- Open Cloud Logging:
Go to the Google Cloud Console Logs Explorer.
- Search for Deletion Events:
In the search box, type: protoPayload.methodName="google.iam.admin.v1.DeleteServiceAccount"
This looks for any activity where a service account (a type of IAM user) was deleted.
- Set the Time Range:
Select the time period when you think the user was deleted.
- Check the Logs:
Once you see results, click on the log entry. It will show details like:
Who deleted the account: Look for actor.email (this is the person or service account that did it).
What was deleted: Check resourceName to confirm what was removed.
When it happened: The timestamp shows the exact time of the action.
What If You Use the Command Line?
You can also use a command to check logs. Just run this in the terminal:
gcloud logging read 'protoPayload.methodName="google.iam.admin.v1.DeleteServiceAccount"' --limit=1 --format=json
It will show you the same details: who, what, and when.
Google Cloud keeps logs for about 400 days, so make sure the event is recent.
If it’s a regular user (like your Gmail), check if they were removed from the project
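Added example, not part of the answer above: a small Python script that reads the JSON printed by `gcloud logging read --format=json`, keeps only DeleteServiceAccount entries, and reports who, what, from which IP and when. It reads the AuditLog fields `protoPayload.authenticationInfo.principalEmail`, `protoPayload.resourceName` and `protoPayload.requestMetadata.callerIp`; the two sample entries embedded below are constructed, and the script name `who_deleted.py` is an assumption.

```python
import json
import sys

# Constructed sample: two Admin Activity audit log entries in the shape that
# `gcloud logging read --format=json` prints, trimmed to the relevant fields.
SAMPLE_ENTRIES = json.loads("""
[
  {
    "timestamp": "2024-05-01T10:15:00Z",
    "protoPayload": {
      "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
      "methodName": "google.iam.admin.v1.DeleteServiceAccount",
      "resourceName": "projects/-/serviceAccounts/123456789012345678901",
      "authenticationInfo": {"principalEmail": "alice@example.com"},
      "requestMetadata": {"callerIp": "203.0.113.10"}
    }
  },
  {
    "timestamp": "2024-05-01T09:00:00Z",
    "protoPayload": {
      "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
      "resourceName": "projects/-/serviceAccounts/bob-sa@example.iam.gserviceaccount.com",
      "authenticationInfo": {"principalEmail": "bob@example.com"}
    }
  }
]
""")

DELETE_METHOD = "google.iam.admin.v1.DeleteServiceAccount"


def summarize_deletions(entries):
    """Return one dict (when/who/what/from_ip) per service account deletion.

    Missing fields are tolerated so a partial or redacted entry still yields a row.
    """
    rows = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != DELETE_METHOD:
            continue  # not a deletion; skip key creation, IAM policy edits, etc.
        rows.append({
            "when": entry.get("timestamp", "<unknown>"),
            "who": payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
            "what": payload.get("resourceName", "<unknown>"),
            "from_ip": payload.get("requestMetadata", {}).get("callerIp", "<unknown>"),
        })
    return rows


if __name__ == "__main__":
    # Usage: gcloud logging read '<filter>' --format=json | python3 who_deleted.py
    entries = SAMPLE_ENTRIES if sys.stdin.isatty() else json.load(sys.stdin)
    for row in summarize_deletions(entries):
        print(f"{row['when']}  {row['who']}  deleted {row['what']}  from {row['from_ip']}")
```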