
# GCP\_BUILTIN\_PRIVILEGED\_ROLE

## Summary

|                            |                                                                                                   |
| -------------------------- | ------------------------------------------------------------------------------------------------- |
| **FSProtect ACL Alias**    | GCP\_BUILTIN\_PRIVILEGED\_ROLE                                                                    |
| **GCP Alias**              | IAM & Hierarchy Control                                                                           |
| **Affected Object Types**  | Organizations, Folders, Projects                                                                  |
| **Exploitation Certainty** | Certain                                                                                           |
| **Granting Roles**         | Any GCP built-in role flagged as privileged that is not covered by a specific attack path mapping |

## Description

`GCP_BUILTIN_PRIVILEGED_ROLE` represents an assignment of a GCP **predefined (built-in) role** that is flagged as privileged and does **not** have an explicit, mapped attack path edge. This catch-all edge flags identities holding elevated built-in roles (such as service-specific admin roles) that carry significant permissions but are not covered by more specific attack path mappings.

Roles like `roles/owner`, `roles/editor`, `roles/iam.securityAdmin`, etc., have explicit mappings and do NOT trigger this edge. Only privileged built-in roles without specific mappings generate `GCP_BUILTIN_PRIVILEGED_ROLE`. GCP predefined roles are Google-managed and can be updated at any time — a role considered safe today may gain dangerous permissions in a future update. Identities with this edge should be reviewed to understand what specific permissions they hold and whether those permissions enable privilege escalation or lateral movement.

**Common examples of roles flagged by this edge:**

* Service-specific admin roles.
* Any built-in privileged role not explicitly mapped to a more specific attack path edge.

## Identification

### gcloud CLI

```bash
# Inspect the permissions of a predefined role that this edge flagged
ROLE_NAME="roles/storage.admin"
gcloud iam roles describe "$ROLE_NAME" --format=json | \
  jq -r '.includedPermissions[]'

# List who holds predefined roles at project level.
# Predefined roles are "roles/..."; custom roles live under "projects/.../roles/"
# or "organizations/.../roles/", so the startswith() filter excludes them.
PROJECT_ID="my-project"
gcloud projects get-iam-policy "$PROJECT_ID" --format=json | \
  jq '.bindings[] | select(.role | startswith("roles/")) | {role: .role, members: .members}'

# List who holds predefined roles at organization level.
# `gcloud organizations list` prints the name as "organizations/<ID>"; strip the prefix
# to get the numeric ID that the other commands expect.
ORG_ID=$(gcloud organizations list --format="value(name)" | head -1 | sed 's#^organizations/##')
gcloud organizations get-iam-policy "$ORG_ID" --format=json | \
  jq '.bindings[] | select(.role | startswith("roles/")) | {role: .role, members: .members}'
```

### GCP Console

1. Open **GCP Console** → **IAM & Admin** → **IAM**.
2. Review all role assignments; focus on service-specific admin roles (e.g., `roles/storage.admin`, `roles/bigquery.admin`, `roles/secretmanager.admin`) and on the principals that hold them, including service accounts and groups.
3. For each flagged role, open **IAM & Admin** → **Roles**, search the role name, and review its permission list for dangerous entries (e.g., `setIamPolicy`, `iam.serviceAccounts.actAs`, `iam.serviceAccounts.getAccessToken`).

## Exploitation

The exploitation path depends on the specific permissions the flagged role contains. Identify the role's permissions (see Identification above) and map them to known attack paths:

**Common dangerous permissions in unmapped privileged roles and their attack vectors:**

* `resourcemanager.projects.setIamPolicy` → privilege escalation via IAM policy manipulation → see [GCP\_CAN\_SET\_PROJECT\_IAMPOLICY](https://docs.forestall.io/fsprotect/edges/gcp/gcp_can_set_project_iampolicy)
* `resourcemanager.folders.setIamPolicy` → privilege escalation via IAM policy manipulation → see [GCP\_CAN\_SET\_FOLDER\_IAMPOLICY](https://docs.forestall.io/fsprotect/edges/gcp/gcp_can_set_folder_iampolicy)
* `resourcemanager.organizations.setIamPolicy` → privilege escalation via IAM policy manipulation → see [GCP\_CAN\_SET\_ORG\_IAMPOLICY](https://docs.forestall.io/fsprotect/edges/gcp/gcp_can_set_org_iampolicy)
* `iam.serviceAccounts.actAs` → SA attachment to compute resources → see [GCP\_CAN\_ACT\_AS\_SA](https://docs.forestall.io/fsprotect/edges/gcp/gcp_can_act_as_sa).
* `iam.serviceAccounts.getAccessToken` → direct SA token generation → see [GCP\_CAN\_IMPERSONATE\_SA](https://docs.forestall.io/fsprotect/edges/gcp/gcp_can_impersonate_sa).
* `compute.instances.create` + SA attachment → vehicle for token extraction → see [GCP\_CAN\_CREATE\_COMPUTE](https://docs.forestall.io/fsprotect/edges/gcp/gcp_can_create_compute) + [GCP\_CAN\_ACT\_AS\_SA](https://docs.forestall.io/fsprotect/edges/gcp/gcp_can_act_as_sa).
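
The mapping above, applied to real `gcloud` output, as an added example that is not FSProtect's code: the script reads the JSON shape of `gcloud projects get-iam-policy --format=json` and `gcloud iam roles describe --format=json`, skips custom roles and the roles the page says are explicitly mapped, and for every remaining predefined-role binding reports which specific edge its permissions reach. The policy and the (deliberately short) permission lists are constructed samples; `PERMISSION_TO_EDGE` is the page's own list, and the `roles/iam.serviceAccountUser` binding carrying an IAM Condition is an assumption added to show that a condition narrows a grant but does not make it disappear from the report.

```python
"""Triage predefined-role bindings against the attack-path mappings listed above.

Added example, not FSProtect's code. Inputs mirror the JSON produced by
`gcloud projects get-iam-policy PROJECT --format=json` and
`gcloud iam roles describe ROLE --format=json`; both are constructed samples.
"""
import json

# Permission -> FSProtect edge, taken from the mapping list on this page.
PERMISSION_TO_EDGE = {
    "resourcemanager.projects.setIamPolicy": "GCP_CAN_SET_PROJECT_IAMPOLICY",
    "resourcemanager.folders.setIamPolicy": "GCP_CAN_SET_FOLDER_IAMPOLICY",
    "resourcemanager.organizations.setIamPolicy": "GCP_CAN_SET_ORG_IAMPOLICY",
    "iam.serviceAccounts.actAs": "GCP_CAN_ACT_AS_SA",
    "iam.serviceAccounts.getAccessToken": "GCP_CAN_IMPERSONATE_SA",
    "compute.instances.create": "GCP_CAN_CREATE_COMPUTE",
}

# Roles the page says already carry an explicit mapping and so never produce this edge.
EXPLICITLY_MAPPED_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin"}

# Constructed sample of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:ci@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountUser", "members": ["group:devs@example.com"],
     "condition": {"title": "expires", "expression": "request.time < timestamp('2025-01-01T00:00:00Z')"}},
    {"role": "roles/viewer", "members": ["user:bob@example.com"]},
    {"role": "projects/my-project/roles/customDeployer", "members": ["user:carol@example.com"]}
  ],
  "etag": "BwXexample=",
  "version": 3
}
""")

# Constructed, shortened subset of `gcloud iam roles describe ROLE --format=json` per role.
SAMPLE_ROLE_DEFS = {
    "roles/storage.admin": {"includedPermissions": [
        "storage.buckets.setIamPolicy", "storage.objects.get", "resourcemanager.projects.get"]},
    "roles/iam.serviceAccountUser": {"includedPermissions": [
        "iam.serviceAccounts.actAs", "iam.serviceAccounts.get"]},
    "roles/viewer": {"includedPermissions": [
        "resourcemanager.projects.get", "storage.objects.list"]},
}


def is_predefined(role: str) -> bool:
    """Predefined roles are `roles/...`; custom roles live under projects/ or organizations/."""
    return role.startswith("roles/")


def triage_policy(policy: dict, role_defs: dict) -> dict:
    """Map every predefined-role binding without an explicit mapping to the edges it enables.

    Returns {role: {"members", "conditional", "edges", "review"}}: `edges` maps an
    FSProtect edge name to the permission that triggers it; `review` lists other
    setIamPolicy-style permissions that the page's mapping does not cover.
    """
    report = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if not is_predefined(role) or role in EXPLICITLY_MAPPED_ROLES:
            continue
        perms = role_defs.get(role, {}).get("includedPermissions", [])
        edges = {PERMISSION_TO_EDGE[p]: p for p in perms if p in PERMISSION_TO_EDGE}
        review = sorted(p for p in perms
                        if p not in PERMISSION_TO_EDGE and p.endswith(".setIamPolicy"))
        report[role] = {
            "members": list(binding.get("members", [])),
            # An IAM Condition narrows the grant but does not remove it from the review.
            "conditional": "condition" in binding,
            "edges": edges,
            "review": review,
        }
    return report


def prioritised(report: dict) -> list:
    """Roles that reach a mapped edge first, then roles needing manual review, then the rest."""
    def rank(item):
        info = item[1]
        return 0 if info["edges"] else 1 if info["review"] else 2
    return [role for role, _ in sorted(report.items(), key=rank)]


if __name__ == "__main__":
    result = triage_policy(SAMPLE_POLICY, SAMPLE_ROLE_DEFS)
    for role in prioritised(result):
        info = result[role]
        print(f"{role}: members={info['members']} conditional={info['conditional']} "
              f"edges={info['edges']} review={info['review']}")
```

Run it against live data by replacing the two samples with `json.load()` of the `gcloud` output; roles whose `edges` entry is non-empty should be handled under the linked edge page, and roles that only appear in `review` need a manual decision because the page's mapping says nothing about them.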

## Mitigation

1. **Identify which permissions the flagged role grants** — not all privileged roles are equally dangerous.
2. **Replace with narrowly-scoped custom roles** if the built-in role grants unnecessary permissions.
3. **Scope assignments narrowly** — use folder/project scope instead of org scope where possible.
4. **Audit all role assignments flagged by this edge** — prioritize roles with `setIamPolicy`, `actAs`, or `getAccessToken` permissions.
5. **Monitor Google Cloud release notes** — built-in roles can gain new permissions without your control; watch for additions to roles assigned to your users.

## Detection

| Log Type       | Method         | Key Fields                                                                                                                                                                          |
| -------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Admin Activity | `SetIamPolicy` | `protoPayload.serviceData.policyDelta.bindingDeltas[]` with `action` = `ADD` and `role` starting with `roles/`; the granted `member`; `protoPayload.authenticationInfo.principalEmail` (who made the grant) |

```bash
# Monitor for new predefined-role grants in a project.
# The ":" operator is a substring match, so role:"roles/" selects predefined roles;
# action="ADD" drops removals, which otherwise produce the same SetIamPolicy entries.
PROJECT_ID="my-project"
gcloud logging read \
  'protoPayload.methodName="SetIamPolicy" AND protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD" AND protoPayload.serviceData.policyDelta.bindingDeltas.role:"roles/"' \
  --project="$PROJECT_ID" \
  --format="table(timestamp, protoPayload.authenticationInfo.principalEmail, protoPayload.serviceData.policyDelta)"

# Monitor for new predefined-role grants on the organization resource itself.
# --organization expects the numeric ID; it reads the organization's own logs, so
# project-level grants still have to be read per project (or from an aggregated sink).
ORG_ID=$(gcloud organizations list --format="value(name)" | head -1 | sed 's#^organizations/##')
gcloud logging read \
  'protoPayload.methodName="SetIamPolicy" AND protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD" AND protoPayload.serviceData.policyDelta.bindingDeltas.role:"roles/"' \
  --organization="$ORG_ID" \
  --format="table(timestamp, protoPayload.authenticationInfo.principalEmail, protoPayload.serviceData.policyDelta)"
```

Alert on:

* New assignments of privileged predefined roles to any principal (users, groups, service accounts), and in particular grants a principal makes to itself.
* Changes to built-in role permissions via Google Cloud release notes (external monitoring).
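
The detection logic run over sample log lines, as an added example that is not FSProtect's code: it takes the entries `gcloud logging read --format=json` would return, keeps only `SetIamPolicy` calls, extracts the `ADD` deltas for predefined roles, and marks grants a principal gives to itself. The three audit entries are constructed (a project-level grant plus a removal, an organization-level self-grant alongside a custom-role grant, and an unrelated `UpdateRole` call); `watch_roles` is an assumed parameter for restricting output to the roles FSProtect flagged in your tenant.

```python
"""Extract new predefined-role grants from SetIamPolicy Admin Activity entries.

Added example, not FSProtect's code. The entries below are constructed to match the
shape of `gcloud logging read ... --format=json`; only the fields the filter needs
are populated.
"""
import json

# Constructed sample of three Admin Activity log entries.
SAMPLE_ENTRIES = json.loads("""
[
  {"timestamp": "2024-05-01T10:00:00Z",
   "protoPayload": {
     "methodName": "SetIamPolicy",
     "resourceName": "projects/my-project",
     "authenticationInfo": {"principalEmail": "admin@example.com"},
     "serviceData": {"policyDelta": {"bindingDeltas": [
       {"action": "ADD", "role": "roles/storage.admin", "member": "user:eve@example.com"},
       {"action": "REMOVE", "role": "roles/viewer", "member": "user:bob@example.com"}
     ]}}}},
  {"timestamp": "2024-05-01T10:05:00Z",
   "protoPayload": {
     "methodName": "SetIamPolicy",
     "resourceName": "organizations/123456789012",
     "authenticationInfo": {"principalEmail": "ci@my-project.iam.gserviceaccount.com"},
     "serviceData": {"policyDelta": {"bindingDeltas": [
       {"action": "ADD", "role": "roles/iam.serviceAccountTokenCreator",
        "member": "serviceAccount:ci@my-project.iam.gserviceaccount.com"},
       {"action": "ADD", "role": "organizations/123456789012/roles/customAuditor",
        "member": "group:auditors@example.com"}
     ]}}}},
  {"timestamp": "2024-05-01T10:07:00Z",
   "protoPayload": {
     "methodName": "google.iam.admin.v1.UpdateRole",
     "resourceName": "projects/my-project/roles/customDeployer",
     "authenticationInfo": {"principalEmail": "admin@example.com"}}}
]
""")


def is_predefined(role: str) -> bool:
    """Predefined roles are `roles/...`; custom roles live under projects/ or organizations/."""
    return role.startswith("roles/")


def new_predefined_role_grants(entries: list, watch_roles=None) -> list:
    """Return one record per ADD of a predefined role found in SetIamPolicy entries.

    `watch_roles` (assumed parameter), if given, restricts output to that set of roles;
    otherwise every `roles/...` grant is reported. Removals, custom roles and other
    IAM methods are ignored.
    """
    grants = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != "SetIamPolicy":
            continue
        actor = payload.get("authenticationInfo", {}).get("principalEmail")
        deltas = (payload.get("serviceData", {})
                         .get("policyDelta", {})
                         .get("bindingDeltas", []))
        for delta in deltas:
            role = delta.get("role", "")
            if delta.get("action") != "ADD" or not is_predefined(role):
                continue
            if watch_roles is not None and role not in watch_roles:
                continue
            member = delta.get("member", "")
            # Members carry a type prefix ("user:", "serviceAccount:", ...); compare the identity part.
            identity = member.split(":", 1)[-1]
            grants.append({
                "timestamp": entry.get("timestamp"),
                "actor": actor,
                "scope": payload.get("resourceName"),
                "member": member,
                "role": role,
                # A principal granting a role to itself is the classic self-escalation pattern.
                "self_grant": actor is not None and identity == actor,
            })
    return grants


if __name__ == "__main__":
    for grant in new_predefined_role_grants(SAMPLE_ENTRIES):
        flag = "  <-- self-grant" if grant["self_grant"] else ""
        print(f"{grant['timestamp']} {grant['actor']} granted {grant['role']} "
              f"to {grant['member']} on {grant['scope']}{flag}")
```

Feed it `json.load()` of the `gcloud logging read --format=json` output, or wire the same predicate into a log-based alert; passing the set of roles FSProtect flagged as `watch_roles` keeps the alert volume to the grants this edge cares about.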

## References

* <https://cloud.google.com/iam/docs/understanding-roles>
* <https://cloud.google.com/iam/docs/roles-overview#predefined>
