iam.roles.update
GCP
iam.roles.update
Event
Updates an existing custom IAM role, modifying its set of permitted permissions.
Security Context
- Account manipulation is a primary persistence technique, allowing adversaries to maintain access through modified permissions or credentials.
Log Source
Cloud Audit Logs
Sample Event
Adversarial. Draco modifies the pipeline_break_glass custom role he created earlier (see gcp-createrole.md) to add the resourcemanager.projects.setIamPolicy permission. This permission, combined with the role’s existing iam.serviceAccounts.actAs, gives the role-bearer the ability to grant themselves any role on the project — a fully self-elevating “wildcard” role. Adding a single permission via UpdateRole is lower-noise than creating a brand-new role.
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "draco@fantasticlogs.cloud" }, "requestMetadata": { "callerIp": "203.0.113.66", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.iam.roles.update invocation-id/90000000000000000000001111111000 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)", "requestAttributes": { "time": "2026-04-15T15:38:11.221987654Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "iam.googleapis.com", "methodName": "google.iam.admin.v1.UpdateRole", "authorizationInfo": [ { "resource": "projects/fantasticlogs-prod/roles/pipeline_break_glass", "permission": "iam.roles.update", "granted": true, "resourceAttributes": { "service": "iam.googleapis.com", "name": "projects/fantasticlogs-prod/roles/pipeline_break_glass", "type": "iam.googleapis.com/Role" } } ], "resourceName": "projects/fantasticlogs-prod/roles/pipeline_break_glass", "request": { "@type": "type.googleapis.com/google.iam.admin.v1.UpdateRoleRequest", "name": "projects/fantasticlogs-prod/roles/pipeline_break_glass", "role": { "name": "projects/fantasticlogs-prod/roles/pipeline_break_glass", "title": "Pipeline break-glass", "description": "Emergency access for OCCAMY pipeline maintenance", "includedPermissions": [ "iam.roles.update", "iam.serviceAccounts.actAs", "iam.serviceAccountKeys.create", "logging.logs.delete", "logging.exclusions.create", "compute.instances.setMetadata", "resourcemanager.projects.setIamPolicy" ], "stage": "GA", "etag": "BwSAMPLEetag1111=" }, "updateMask": "includedPermissions" }, "response": { "@type": "type.googleapis.com/google.iam.admin.v1.Role", "name": "projects/fantasticlogs-prod/roles/pipeline_break_glass", "title": "Pipeline break-glass", "description": "Emergency access for OCCAMY pipeline maintenance", "includedPermissions": [ "iam.roles.update", "iam.serviceAccounts.actAs", "iam.serviceAccountKeys.create", "logging.logs.delete", "logging.exclusions.create", "compute.instances.setMetadata", "resourcemanager.projects.setIamPolicy" ], "stage": "GA", "etag": "BwSAMPLEetag11000=" } }, "insertId": "evt001111111000", "resource": { "type": "iam_role", "labels": { "project_id": "fantasticlogs-prod", "role_name": "projects/fantasticlogs-prod/roles/pipeline_break_glass" } }, "timestamp": "2026-04-15T15:38:11.123456789Z", "severity": "NOTICE", "logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity", "receiveTimestamp": "2026-04-15T15:38:11.567890123Z"}MITRE ATT&CK Mapping
Tactics: Privilege Escalation Persistence
Techniques:
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...