Manage service account insights

In addition to providing recommendations, Recommender uses machine learning (ML) to provide detailed insights. Insights are findings that highlight notable patterns in resource usage. For example, you can collect additional information about permission usage in your project, or identify unused service accounts. Some insights also link to recommendations, because the insights provide evidence for the recommendations.

IAM offers several different types of insights. This page shows how to manage service account insights (google.iam.serviceAccount.Insight), which are findings about which service accounts in your project have not been used in the past 90 days.

Before you begin

Optional: Read about Recommender insights.

Required permissions

The required permissions for using service account insights vary depending on what you want to do.

Permissions to view insights

To view service account insights, you need a role that includes the following permissions:

  • recommender.iamServiceAccountinsights.get
  • recommender.iamServiceAccountinsights.list

To gain these permissions while following the principle of least privilege, ask your administrator to grant you one of the following roles:

  • IAM Recommender Viewer (roles/recommender.iamViewer)
  • IAM Security Reviewer (roles/iam.securityReviewer)

Alternatively, your administrator can grant you a different role with the required permissions, such as a custom role or a more permissive predefined role.

Permissions to modify insights

To modify service account insights, you need a role that includes the following permissions:

  • recommender.iamServiceAccountinsights.get
  • recommender.iamServiceAccountinsights.list
  • recommender.iamServiceAccountinsights.update

To gain these permissions while following the principle of least privilege, ask your administrator to grant you the IAM Recommender Admin role (roles/recommender.iamAdmin).

Alternatively, your administrator can grant you a different role with the required permissions, such as a custom role or a more permissive predefined role.

List service account insights

To list all service account insights for your project, use one of the following methods:

gcloud

Use the gcloud recommender insights list command to view all service account insights for your project.

Before you run the command, replace the following values:

  • PROJECT_ID: The ID of the project that you want to list insights for.

gcloud recommender insights list --insight-type=google.iam.serviceAccount.Insight \
    --project=PROJECT_ID \
    --location=global

The output lists all of the service account insights for your project. For example:

INSIGHT_ID                            LOCATION  INSIGHT_TYPE                       CATEGORY  INSIGHT_STATE  LAST_REFRESH_TIME
446303ba-2a14-49cc-b9fa-e2d2499d4f82  global    google.iam.serviceAccount.Insight  SECURITY  ACTIVE         2021-04-18T07:00:00Z
4cfd82c3-7320-4dc6-9b67-ca0756bbd54c  global    google.iam.serviceAccount.Insight  SECURITY  ACTIVE         2021-04-18T07:00:00Z
52ce7097-6787-41cd-91e9-9248147ecfaf  global    google.iam.serviceAccount.Insight  SECURITY  ACTIVE         2021-04-18T07:00:00Z
54abdb81-a7d9-4733-988b-c0e499c6d715  global    google.iam.serviceAccount.Insight  SECURITY  ACTIVE         2021-04-18T07:00:00Z
a922dd59-df0a-422d-a2a4-096195e1dae5  global    google.iam.serviceAccount.Insight  SECURITY  ACTIVE         2021-04-18T07:00:00Z

REST

The Recommender API's insights.list method lists all service account insights for your project.

Before using any of the request data below, make the following replacements:

  • PROJECT_ID: The ID of the project that you want to list insights for.

HTTP method and URL:

GET https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/global/insightTypes/google.iam.serviceAccount.Insight/insights

The response lists all of the service account insights in your project. For example:

{
  "insights": [
    {
      "name": "projects/123456789012/locations/global/insightTypes/google.iam.serviceAccount.Insight/insights/446303ba-2a14-49cc-b9fa-e2d2499d4f82",
      "description": "Service account my-service-account@my-project.iam.gserviceaccount.com was inactive.",
      "content": {
        "serviceAccountId": "103185812403937829397",
        "email": "my-service-account@my-project.iam.gserviceaccount.com",
        "lastAuthenticatedTime": "2020-09-11T07:00:00Z"
      },
      "lastRefreshTime": "2021-04-18T07:00:00Z",
      "observationPeriod": "19008000s",
      "stateInfo": {
        "state": "ACTIVE"
      },
      "category": "SECURITY",
      "targetResources": [
        "//cloudresourcemanager.googleapis.com/projects/123456789012"
      ],
      "insightSubtype": "SERVICE_ACCOUNT_USAGE",
      "etag": "\"9d797dd04263c855\""
    },
    {
      "name": "projects/123456789012/locations/global/insightTypes/google.iam.serviceAccount.Insight/insights/4cfd82c3-7320-4dc6-9b67-ca0756bbd54c",
      "description": "Service account my-service-account2@my-project.iam.gserviceaccount.com was inactive.",
      "content": {
        "serviceAccountId": "105496400997178042131",
        "email": "my-service-account2@my-project.iam.gserviceaccount.com"
      },
      "lastRefreshTime": "2021-04-18T07:00:00Z",
      "observationPeriod": "16070400s",
      "stateInfo": {
        "state": "ACTIVE"
      },
      "category": "SECURITY",
      "targetResources": [
        "//cloudresourcemanager.googleapis.com/projects/123456789012"
      ],
      "insightSubtype": "SERVICE_ACCOUNT_USAGE",
      "etag": "\"783a32b635d79a4e\""
    }
  ]
}

To learn more about the components of an insight, see Review service account insights on this page.

Get a single service account insight

To get more information about a single insight, including the insight's description, status, and any recommendations it's associated with, use one of the following methods:

gcloud

Use the gcloud recommender insights describe command with your insight ID to view information about a single insight.

  • INSIGHT_ID: The ID of the insight that you want to view. To find the ID, list the insights for your project.
  • PROJECT_ID: The ID of the project that you want to manage insights for.

gcloud recommender insights describe INSIGHT_ID \
    --insight-type=google.iam.serviceAccount.Insight \
    --project=PROJECT_ID \
    --location=global

The output shows the insight in detail. For example, the following insight indicates that the service account my-service-account@my-project.iam.gserviceaccount.com has not authenticated since October 11, 2020.

category: SECURITY
content:
  email: my-service-account@my-project.iam.gserviceaccount.com
  lastAuthenticatedTime: '2020-10-11T07:00:00Z'
  serviceAccountId: '103185812403937829397'
description: Service account my-service-account@my-project.iam.gserviceaccount.com
  was inactive.
etag: '"9d797dd04263c855"'
insightSubtype: SERVICE_ACCOUNT_USAGE
lastRefreshTime: '2021-04-18T07:00:00Z'
name: projects/123456789012/locations/global/insightTypes/google.iam.serviceAccount.Insight/insights/446303ba-2a14-49cc-b9fa-e2d2499d4f82
observationPeriod: 19008000s
stateInfo:
  state: ACTIVE
targetResources:
- //cloudresourcemanager.googleapis.com/projects/123456789012

To learn more about the components of an insight, see Review service account insights on this page.

REST

The Recommender API's insights.get method gets a single insight.

Before using any of the request data below, make the following replacements:

  • PROJECT_ID: The ID of the project that you want to manage insights for.
  • INSIGHT_ID: The ID of the insight that you want to view. If you don't know the insight ID, you can find it by listing the insights in your project. The ID of an insight is everything after insights/ in the name field for the insight.

HTTP method and URL:

GET https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/global/insightTypes/google.iam.serviceAccount.Insight/insights/INSIGHT_ID

The response contains the insight. For example, the following insight indicates that the service account my-service-account@my-project.iam.gserviceaccount.com has not authenticated since October 11, 2020.

{
  "name": "projects/123456789012/locations/global/insightTypes/google.iam.serviceAccount.Insight/insights/446303ba-2a14-49cc-b9fa-e2d2499d4f82",
  "description": "Service account my-service-account@my-project.iam.gserviceaccount.com was inactive.",
  "content": {
    "serviceAccountId": "103185812403937829397",
    "email": "my-service-account@my-project.iam.gserviceaccount.com",
    "lastAuthenticatedTime": "2020-09-11T07:00:00Z"
  },
  "lastRefreshTime": "2021-04-18T07:00:00Z",
  "observationPeriod": "19008000s",
  "stateInfo": {
    "state": "ACTIVE"
  },
  "category": "SECURITY",
  "targetResources": [
    "//cloudresourcemanager.googleapis.com/projects/123456789012"
  ],
  "insightSubtype": "SERVICE_ACCOUNT_USAGE",
  "etag": "\"9d797dd04263c855\""
}

To learn more about the components of an insight, see Review service account insights on this page.

Review service account insights

An insight's content is determined by its subtypes. Service account insights (google.iam.serviceAccount.Insight) support insights with the SERVICE_ACCOUNT_USAGE subtype.

SERVICE_ACCOUNT_USAGE insights have the following components, not necessarily in this order:

  • associatedRecommendations: The identifiers for any recommendations associated with the insight. If there are no recommendations associated with the insight, this field is empty.
  • category: The category for IAM insights is always SECURITY.
  • content: Reports the last time the service account was authenticated. This field contains the following components:

    • email: The email address of the service account.
    • lastAuthenticatedTime: The most recent time that the service account was authenticated. If the service account does not have any recorded authentications, this field is not included.
    • serviceAccountId: The unique numeric ID of the service account.
  • description: A human-readable summary of the insight.
  • etag: A unique identifier for the current state of an insight. Each time the insight changes, a new etag value is assigned.

    To change the state of an insight, you must provide the etag of the existing insight. Using the etag helps ensure that any operations are performed only if the insight has not changed since you last retrieved it.

  • insightSubtype: The insight subtype.
  • lastRefreshTime: The date when the insight was last refreshed, which indicates the freshness of the data used to generate the insight.
  • name: The name of the insight, in the following format:

    projects/PROJECT_ID/locations/global/insightTypes/google.iam.serviceAccount.Insight/insights/INSIGHT_ID

    The placeholders have the following values:

    • PROJECT_ID: The ID of the project where the insight was generated.
    • INSIGHT_ID: A unique ID for the insight.
  • observationPeriod: The time period leading up to the insight. The source data used to generate the insight ends at lastRefreshTime and begins at lastRefreshTime minus observationPeriod.
  • stateInfo: Insights go through multiple state transitions after they are proposed:

    • ACTIVE: The insight has been generated, but either no actions have been taken, or an action was taken without updating the insight's state. Active insights are updated when the underlying data changes.
    • ACCEPTED: Some action has been taken based on the insight. Insights become accepted when an associated recommendation was marked CLAIMED, SUCCEEDED, or FAILED, or the insight was accepted directly. When an insight is in the ACCEPTED state, the content of the insight cannot change. Accepted insights are retained for 90 days after they are accepted.
  • targetResources: The full resource name of the project that the insight is for. For example, //cloudresourcemanager.googleapis.com/projects/1234567890.
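As an added example (this is not Google's code and not part of this page), the following Python script consumes an insights.list response like the one shown earlier and resolves the components just described: it extracts the insight ID from the name field, computes the start of the observation window as lastRefreshTime minus observationPeriod, treats a missing lastAuthenticatedTime as "no authentication recorded", and keeps only ACTIVE insights for follow-up. The sample response, the third insight's ID and service account, and the function names are constructed for the example.

```python
"""Triage SERVICE_ACCOUNT_USAGE insights from an insights.list response.

Added example, not Google's code. It relies only on the insight fields
documented on this page; the sample response and function names are assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample response (not real API output), modelled on the fields
# documented on this page. The third insight is already ACCEPTED.
NAME_PREFIX = ("projects/123456789012/locations/global/insightTypes/"
               "google.iam.serviceAccount.Insight/insights/")
SAMPLE_RESPONSE = json.dumps({"insights": [
    {"name": NAME_PREFIX + "446303ba-2a14-49cc-b9fa-e2d2499d4f82",
     "content": {"serviceAccountId": "103185812403937829397",
                 "email": "my-service-account@my-project.iam.gserviceaccount.com",
                 "lastAuthenticatedTime": "2020-09-11T07:00:00Z"},
     "lastRefreshTime": "2021-04-18T07:00:00Z", "observationPeriod": "19008000s",
     "stateInfo": {"state": "ACTIVE"}, "insightSubtype": "SERVICE_ACCOUNT_USAGE",
     "etag": '"9d797dd04263c855"'},
    {"name": NAME_PREFIX + "4cfd82c3-7320-4dc6-9b67-ca0756bbd54c",
     # No lastAuthenticatedTime: the account has no recorded authentication at all.
     "content": {"serviceAccountId": "105496400997178042131",
                 "email": "my-service-account2@my-project.iam.gserviceaccount.com"},
     "lastRefreshTime": "2021-04-18T07:00:00Z", "observationPeriod": "16070400s",
     "stateInfo": {"state": "ACTIVE"}, "insightSubtype": "SERVICE_ACCOUNT_USAGE",
     "etag": '"783a32b635d79a4e"'},
    {"name": NAME_PREFIX + "00000000-0000-4000-8000-000000000003",  # constructed ID
     "content": {"serviceAccountId": "100000000000000000003",
                 "email": "retired-sa@my-project.iam.gserviceaccount.com",
                 "lastAuthenticatedTime": "2020-10-11T07:00:00Z"},
     "lastRefreshTime": "2021-04-18T07:00:00Z", "observationPeriod": "19008000s",
     "stateInfo": {"state": "ACCEPTED"}, "insightSubtype": "SERVICE_ACCOUNT_USAGE",
     "etag": '"39c4199dcec92848"'},
]})

TIMESTAMP = "%Y-%m-%dT%H:%M:%SZ"


def parse_timestamp(value):
    """Parse an RFC 3339 UTC timestamp, with or without fractional seconds."""
    for fmt in (TIMESTAMP, "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value!r}")


def parse_duration(value):
    """Parse a protobuf-style duration string such as '19008000s'."""
    if not value.endswith("s"):
        raise ValueError(f"unrecognised duration: {value!r}")
    return timedelta(seconds=float(value[:-1]))


def insight_id(name):
    """The insight ID is everything after 'insights/' in the name field."""
    return name.rsplit("insights/", 1)[1]


def triage(response_text):
    """One row per SERVICE_ACCOUNT_USAGE insight, with its observation window resolved."""
    rows = []
    for insight in json.loads(response_text).get("insights", []):
        if insight.get("insightSubtype") != "SERVICE_ACCOUNT_USAGE":
            continue
        refresh = parse_timestamp(insight["lastRefreshTime"])
        # Source data covers lastRefreshTime - observationPeriod up to lastRefreshTime.
        window_start = refresh - parse_duration(insight["observationPeriod"])
        content = insight["content"]
        last_auth = content.get("lastAuthenticatedTime")
        # An absent field means no authentication was ever recorded, which is
        # stronger evidence of an unused account than an old timestamp.
        days_idle = None if last_auth is None else (refresh - parse_timestamp(last_auth)).days
        rows.append({
            "insight_id": insight_id(insight["name"]),
            "email": content["email"],
            "state": insight["stateInfo"]["state"],
            "etag": insight["etag"],
            "window_start": window_start.strftime(TIMESTAMP),
            "days_idle": days_idle,
        })
    return rows


def active_findings(rows):
    """Only ACTIVE insights still need a decision; ACCEPTED ones were already acted on."""
    return [r for r in rows if r["state"] == "ACTIVE"]


if __name__ == "__main__":
    for row in active_findings(triage(SAMPLE_RESPONSE)):
        idle = "never authenticated" if row["days_idle"] is None else f"idle {row['days_idle']} days"
        print(f"{row['insight_id']}  {row['email']}  {idle}  (data since {row['window_start']})")
```

Run it directly to print one triage line per ACTIVE insight, or pass the body of the REST response in place of SAMPLE_RESPONSE. A service account with no lastAuthenticatedTime is reported as "never authenticated" rather than given an idle count, because the absence of the field means nothing was recorded at all, and the etag is carried in each row so it is at hand when you later mark the insight as ACCEPTED.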

Mark a service account insight as ACCEPTED

If you take action based on an active insight, you can mark that insight as ACCEPTED. The ACCEPTED state tells the Recommender API that you have taken action based on this insight, which helps refine your recommendations.

Accepted insights are retained for 90 days after they are marked as ACCEPTED.

gcloud

Use the gcloud recommender insights mark-accepted command with your insight ID to mark an insight as ACCEPTED.

  • INSIGHT_ID: The ID of the insight that you want to mark as ACCEPTED. To find the ID, list the insights for your project.
  • PROJECT_ID: The ID of the project that you want to manage insights for.
  • ETAG: An identifier for a version of the insight. To get the etag, do the following:

    1. Get the insight using the gcloud recommender insights describe command.
    2. Find and copy the etag value from the output, including the enclosing quotes. For example, "d3cdec23cc712bd0".

gcloud recommender insights mark-accepted INSIGHT_ID \
    --insight-type=google.iam.serviceAccount.Insight \
    --project=PROJECT_ID \
    --location=global \
    --etag=ETAG

The output shows the insight, now with the state of ACCEPTED:

category: SECURITY
content:
  email: my-service-account@my-project.iam.gserviceaccount.com
  lastAuthenticatedTime: '2020-10-11T07:00:00Z'
  serviceAccountId: '103185812403937829397'
description: Service account my-service-account@my-project.iam.gserviceaccount.com
  was inactive.
etag: '"39c4199dcec92848"'
insightSubtype: SERVICE_ACCOUNT_USAGE
lastRefreshTime: '2021-04-18T07:00:00Z'
name: projects/123456789012/locations/global/insightTypes/google.iam.serviceAccount.Insight/insights/446303ba-2a14-49cc-b9fa-e2d2499d4f82
observationPeriod: 19008000s
stateInfo:
  state: ACCEPTED
targetResources:
- //cloudresourcemanager.googleapis.com/projects/123456789012

To learn more about the state info of an insight, see Review service account insights on this page.

REST

The Recommender API's insights.markAccepted method marks an insight as ACCEPTED.

Before using any of the request data below, make the following replacements:

  • PROJECT_ID: The ID of the project that you want to manage insights for.
  • INSIGHT_ID: The ID of the insight that you want to mark as ACCEPTED. If you don't know the insight ID, you can find it by listing the insights in your project. The ID of an insight is everything after insights/ in the name field for the insight.
  • ETAG: An identifier for a version of the insight. To get the etag, do the following:
    1. Get the insight using the insights.get method.
    2. Find and copy the etag value from the response.

HTTP method and URL:

POST https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/global/insightTypes/google.iam.serviceAccount.Insight/insights/INSIGHT_ID:markAccepted

Request JSON body:

{
  "etag": "ETAG"
}

The response contains the insight, now with the state of ACCEPTED:

{
  "name": "projects/123456789012/locations/global/insightTypes/google.iam.serviceAccount.Insight/insights/446303ba-2a14-49cc-b9fa-e2d2499d4f82",
  "description": "Service account my-service-account@my-project.iam.gserviceaccount.com was inactive.",
  "content": {
    "serviceAccountId": "103185812403937829397",
    "email": "my-service-account@my-project.iam.gserviceaccount.com",
    "lastAuthenticatedTime": "2020-10-11T07:00:00Z"
  },
  "lastRefreshTime": "2021-04-18T07:00:00Z",
  "observationPeriod": "19008000s",
  "stateInfo": {
    "state": "ACCEPTED"
  },
  "category": "SECURITY",
  "targetResources": [
    "//cloudresourcemanager.googleapis.com/projects/123456789012"
  ],
  "insightSubtype": "SERVICE_ACCOUNT_USAGE",
  "etag": "\"39c4199dcec92848\""
}

To learn more about the state info of an insight, see Review service account insights on this page.
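The following Python example is added here and is not Google's code. It models the etag rule from the Review section: markAccepted is sent with the etag of the version you read, so a stale etag must be rejected and a fresh etag is issued after every change. Because the flow has to run offline, InsightServiceStub is a constructed in-memory stand-in for insights.get and insights.markAccepted, and its refresh method simulates Recommender regenerating an ACTIVE insight from newer data; the helper names and the sample etags it generates are assumptions. The request builder produces the same POST URL and JSON body shown above.

```python
"""Etag-guarded markAccepted flow for a service account insight.

Added example, not Google's code. InsightServiceStub is a constructed in-memory
stand-in for insights.get / insights.markAccepted that follows the etag rules
documented on this page; helper names and generated etags are assumptions.
"""
import hashlib

BASE_URL = "https://recommender.googleapis.com/v1"
NAME_PREFIX = ("projects/123456789012/locations/global/insightTypes/"
               "google.iam.serviceAccount.Insight/insights/")

# Constructed sample insights carrying only the fields this flow touches.
SAMPLE_INSIGHTS = [
    {"name": NAME_PREFIX + "446303ba-2a14-49cc-b9fa-e2d2499d4f82",
     "content": {"email": "my-service-account@my-project.iam.gserviceaccount.com",
                 "lastAuthenticatedTime": "2020-10-11T07:00:00Z"},
     "stateInfo": {"state": "ACTIVE"}, "etag": '"9d797dd04263c855"'},
    {"name": NAME_PREFIX + "4cfd82c3-7320-4dc6-9b67-ca0756bbd54c",
     "content": {"email": "my-service-account2@my-project.iam.gserviceaccount.com"},
     "stateInfo": {"state": "ACTIVE"}, "etag": '"783a32b635d79a4e"'},
]


class EtagMismatch(Exception):
    """The insight changed since the etag was read; read it again before acting."""


class NotActive(Exception):
    """Only ACTIVE insights are candidates for markAccepted."""


def mark_accepted_request(name, etag):
    """HTTP method, URL and JSON body for insights.markAccepted, as shown on this page."""
    return "POST", f"{BASE_URL}/{name}:markAccepted", {"etag": etag}


class InsightServiceStub:
    """In-memory model of the server-side etag check (constructed for this example)."""

    def __init__(self, insights):
        self._store = {i["name"]: dict(i) for i in insights}
        self._version = {i["name"]: 0 for i in insights}

    def _bump_etag(self, name):
        # A new etag for every change; derived deterministically here, opaque in the real API.
        self._version[name] += 1
        digest = hashlib.sha256(f"{name}:{self._version[name]}".encode()).hexdigest()
        self._store[name]["etag"] = f'"{digest[:16]}"'

    def get(self, name):
        return dict(self._store[name])

    def refresh(self, name, **content_changes):
        """Simulate Recommender regenerating an ACTIVE insight from newer source data."""
        insight = self._store[name]
        if insight["stateInfo"]["state"] != "ACTIVE":
            return  # ACCEPTED insights no longer change
        insight["content"] = {**insight["content"], **content_changes}
        self._bump_etag(name)

    def mark_accepted(self, name, etag):
        insight = self._store[name]
        if etag != insight["etag"]:
            raise EtagMismatch(f"stale etag {etag} for {name}")
        insight["stateInfo"] = {"state": "ACCEPTED"}
        self._bump_etag(name)
        return dict(insight)


def accept_after_action(service, name, etag_when_actioned):
    """Accept only if the insight is still ACTIVE and still the version you acted on."""
    current = service.get(name)
    if current["stateInfo"]["state"] != "ACTIVE":
        raise NotActive(f"{name} is {current['stateInfo']['state']}")
    if current["etag"] != etag_when_actioned:
        raise EtagMismatch("insight changed since you read it; review it again")
    _method, _url, body = mark_accepted_request(name, etag_when_actioned)
    return service.mark_accepted(name, body["etag"])


if __name__ == "__main__":
    service = InsightServiceStub(SAMPLE_INSIGHTS)
    name = SAMPLE_INSIGHTS[0]["name"]
    etag = service.get(name)["etag"]      # 1. get the insight and note its etag
    # 2. take whatever action the insight prompted on the service account
    print(mark_accepted_request(name, etag))
    print(accept_after_action(service, name, etag)["stateInfo"])   # 3. accept with that etag
```

The client-side check in accept_after_action is a convenience; the check that actually matters is the server's etag comparison in mark_accepted, which closes the window between reading the insight and accepting it. If the insight was refreshed in between (its content changed, so its etag changed), the accept fails and you re-read the insight before deciding again, which is exactly the behaviour the etag field is there to provide.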

What's next