Query: iam_service_account_token_creator_role_assigned

with role_bindings as(
  select
    *,
    unnest(from_json((request -> 'policy' -> 'bindings'), '["JSON"]')) as bindings
  from
    gcp_audit_log
  where
    method_name ilike 'google.iam.admin.v%.setiampolicy'
)
select
  tp_timestamp as timestamp,
method_name as operation,
resource_name as resource,
authentication_info.principal_email as actor,
tp_source_ip as source_ip,
tp_index as project,
tp_id as source_id,
-- Create new aliases to preserve original row data
*

from
  role_bindings
where
  (bindings ->> 'role') like '%roles/iam.serviceAccountTokenCreator%'
  and severity != 'Error'
-- TODO: Do we need to check operation?
-- and (operation_src is null or operation_src.last = true)

order by
  timestamp desc;