EDIT: Since I can't "trigger" Recommender to make this calculation, and I can't get at the source dataset, is there an automated way of finding the IAM permissions a service account would need to apply a Terraform plan? The original question was about whether I could find out the permissions from the GCP Console, which it turns out I cannot.
In IAM, there is a column called "Over granted permissions". When you click on it, you get a table of the permissions this user/service account has used in the past, and what permissions have not been used. It also includes a mysterious "Last Analyzed" date.
I have a question: "What permissions are over-granted to a service account?" From what I understand, some background task will spit out an answer from Google's vast back end. I don't know when it will do this, and I don't know what triggers it. I'm not entirely sure how it does this, either.
Can I trigger this task "manually"? By an API call? With the gcloud CLI? Or am I stuck waiting for whenever Google decides to calculate this metric?
I'm setting up some automated infrastructure, and I want to make sure the account running the infrastructure setup has the least privilege necessary to do its job.