
EDIT: Since I can't "trigger" Recommender to make this calculation, and I can't get at the source dataset, is there an automated way of finding the IAM permissions a service account would need to apply a Terraform plan? The original question was regarding if I could find out the permissions from the GCP Console, which it turns out I cannot.


In IAM, there is a column called "Over granted permissions". When you click on it, you get a table of the permissions this user/service account has used in the past, and what permissions have not been used. It also includes a mysterious "Last Analyzed" date.

I have a question: "What permissions are over-granted to a service account?" From what I understand, some background task will spit out an answer from Google's vast back end. I don't know when it will do this, and I don't know what triggers it. I'm not entirely sure how it does this, either.

Can I trigger this task "manually"? By an API call? With the gcloud CLI? Or am I stuck waiting for whenever Google decides to calculate this metric?

I'm setting up some automated infrastructure, and I want to make sure the account running the infrastructure setup has the least privilege necessary to do its job.

1 Answer


This is handled by the Cloud IAM Recommender. It compares Project IAM Roles against the permissions each member has used in the past 90 days. As this is a managed service by Google, you will not be able to trigger the Recommender. You can read more about how it works here.

  • Thank you for your answer. What dataset does the Recommender use? How do I access that dataset?
    – Larry B.
    Apr 7, 2020 at 21:03
  • @Larry As mentioned, since the IAM Recommender is managed by Google, there is no way to know what dataset they are using. When a product is managed by Google within GCP, there is limited visibility for users in regards to the background functionality.
    – Patrice
    Apr 8, 2020 at 16:00
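The comparison the answer describes, each role's permissions against the permissions the principal actually exercised, can be reproduced from your own Cloud Audit Logs for a service account that has run the Terraform plan. This is an added example, not part of the answer or of Google's Recommender: the log entries and the role permission lists are constructed, and it relies on the `protoPayload.authorizationInfo` field that audit log entries carry.

```python
import json
from typing import Dict, Iterable, List, Set

PRINCIPAL = "tf-deployer@example-project.iam.gserviceaccount.com"  # constructed
# Constructed sample: Cloud Audit Log entries as exported from Cloud Logging
# (JSON, trimmed to the fields used here). authorizationInfo records each
# permission that was checked for the API call and whether it was granted.
SAMPLE_LOG_LINES: List[str] = [
    json.dumps({"protoPayload": {
        "authenticationInfo": {"principalEmail": PRINCIPAL},
        "authorizationInfo": [{"permission": "compute.instances.create", "granted": True},
                              {"permission": "compute.disks.create", "granted": True}]}}),
    json.dumps({"protoPayload": {
        "authenticationInfo": {"principalEmail": PRINCIPAL},
        "authorizationInfo": [{"permission": "compute.instances.delete", "granted": False}]}}),
    json.dumps({"protoPayload": {
        "authenticationInfo": {"principalEmail": "someone-else@example.com"},
        "authorizationInfo": [{"permission": "storage.buckets.delete", "granted": True}]}}),
]

# Illustrative subset of each role's permissions, not the real full definitions;
# fetch the real lists with `gcloud iam roles describe ROLE`.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/compute.instanceAdmin.v1": {"compute.instances.create", "compute.instances.delete",
                                       "compute.disks.create", "compute.instances.setMetadata"},
    "roles/storage.admin": {"storage.buckets.delete", "storage.objects.get"},
}


def used_permissions(log_lines: Iterable[str], principal_email: str) -> Set[str]:
    """Permissions the principal actually exercised. Only granted checks count:
    a denied check shows the role was too narrow for that call, not that it was used."""
    used: Set[str] = set()
    for line in log_lines:
        payload = json.loads(line).get("protoPayload", {})
        if payload.get("authenticationInfo", {}).get("principalEmail") != principal_email:
            continue
        for info in payload.get("authorizationInfo", []):
            if info.get("granted") and "permission" in info:
                used.add(info["permission"])
    return used


def over_granted(roles: Iterable[str], used: Set[str]) -> Dict[str, Set[str]]:
    """Per granted role, the permissions never seen in the logs (the
    'over granted permissions' column, computed from our own log window)."""
    return {role: ROLE_PERMISSIONS[role] - used for role in roles}


def removable_roles(roles: Iterable[str], used: Set[str]) -> List[str]:
    """Roles none of whose permissions were exercised: candidates for revocation."""
    return [role for role in roles if not ROLE_PERMISSIONS[role] & used]
```

Admin Activity logs are always on, but Data Access logs (which carry read permissions such as `*.get` and `*.list`) are off by default for most services and the `_Default` log bucket keeps entries for 30 days, so enable them and run the plan inside that window before trusting the result.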
