Skip to content

iam.roles.update

GCP

iam.roles.update

service: GCP - IAM
techniques:

Event

Updates an existing custom IAM role, modifying its set of permitted permissions.

Security Context

  • Account manipulation is a primary persistence technique, allowing adversaries to maintain access through modified permissions or credentials.

Log Source

Cloud Audit Logs

Sample Event

Adversarial. Draco modifies the pipeline_break_glass custom role he created earlier (see gcp-createrole.md) to add the resourcemanager.projects.setIamPolicy permission. This permission, combined with the role’s existing iam.serviceAccounts.actAs, gives the role-bearer the ability to grant themselves any role on the project — a fully self-elevating “wildcard” role. Adding a single permission via UpdateRole is lower-noise than creating a brand-new role.

{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "draco@fantasticlogs.cloud"
},
"requestMetadata": {
"callerIp": "203.0.113.66",
"callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.iam.roles.update invocation-id/90000000000000000000001111111000 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)",
"requestAttributes": {
"time": "2026-04-15T15:38:11.221987654Z",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "iam.googleapis.com",
"methodName": "google.iam.admin.v1.UpdateRole",
"authorizationInfo": [
{
"resource": "projects/fantasticlogs-prod/roles/pipeline_break_glass",
"permission": "iam.roles.update",
"granted": true,
"resourceAttributes": {
"service": "iam.googleapis.com",
"name": "projects/fantasticlogs-prod/roles/pipeline_break_glass",
"type": "iam.googleapis.com/Role"
}
}
],
"resourceName": "projects/fantasticlogs-prod/roles/pipeline_break_glass",
"request": {
"@type": "type.googleapis.com/google.iam.admin.v1.UpdateRoleRequest",
"name": "projects/fantasticlogs-prod/roles/pipeline_break_glass",
"role": {
"name": "projects/fantasticlogs-prod/roles/pipeline_break_glass",
"title": "Pipeline break-glass",
"description": "Emergency access for OCCAMY pipeline maintenance",
"includedPermissions": [
"iam.roles.update",
"iam.serviceAccounts.actAs",
"iam.serviceAccountKeys.create",
"logging.logs.delete",
"logging.exclusions.create",
"compute.instances.setMetadata",
"resourcemanager.projects.setIamPolicy"
],
"stage": "GA",
"etag": "BwSAMPLEetag1111="
},
"updateMask": "includedPermissions"
},
"response": {
"@type": "type.googleapis.com/google.iam.admin.v1.Role",
"name": "projects/fantasticlogs-prod/roles/pipeline_break_glass",
"title": "Pipeline break-glass",
"description": "Emergency access for OCCAMY pipeline maintenance",
"includedPermissions": [
"iam.roles.update",
"iam.serviceAccounts.actAs",
"iam.serviceAccountKeys.create",
"logging.logs.delete",
"logging.exclusions.create",
"compute.instances.setMetadata",
"resourcemanager.projects.setIamPolicy"
],
"stage": "GA",
"etag": "BwSAMPLEetag11000="
}
},
"insertId": "evt001111111000",
"resource": {
"type": "iam_role",
"labels": {
"project_id": "fantasticlogs-prod",
"role_name": "projects/fantasticlogs-prod/roles/pipeline_break_glass"
}
},
"timestamp": "2026-04-15T15:38:11.123456789Z",
"severity": "NOTICE",
"logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity",
"receiveTimestamp": "2026-04-15T15:38:11.567890123Z"
}

MITRE ATT&CK Mapping

Tactics: Privilege Escalation Persistence

Techniques:
  • T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...