Tags: google-cloud-platform, gcp-iam, gcp-pam

Configure a principal that can only approve and revoke grant requests in GCP PAM


I want to configure a principal who can approve and revoke grant requests to preconfigured entitlements, but not be able to modify those entitlements to sneak in a privilege escalation role.

There are only two predefined roles for GCP Privileged Access Manager (PAM).

In tests on the console, the PAM Admin role allows the principal to approve grants, while PAM Viewer only allows the principal to view but not approve grants even if they are an approver. [EDIT - see comments]

In the IAM Permissions Reference, a search for privilegedaccessmanager.grants.* returns:

I was expecting a role like PAM Grants Approver that would include a permission like

So I can't see if it is possible to achieve the objective with a custom role. I would have to give the approver the PAM Admin role, which does not follow the least privilege principle. Am I missing something?


Solution

  • You can approve grants even though you only have a viewer role in PAM. Make sure to add the principal approver under your organization when creating the entitlement.
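A small lint, added here as an example and not part of the question or the answer, that checks the separation of duties the thread is about: each approver named in an entitlement's manual-approval workflow should hold only the PAM Viewer role on the organization (enough to approve, per the answer) and not PAM Admin (which could edit the entitlement), and no approver should also be an eligible requester of the same entitlement. It assumes the role IDs `roles/privilegedaccessmanager.admin` and `roles/privilegedaccessmanager.viewer`, an entitlement dict shaped like the YAML accepted by `gcloud pam entitlements create --entitlement-file`, and an IAM policy dict shaped like `gcloud organizations get-iam-policy --format=json`; all principals and bindings below are constructed sample data.

```python
"""Least-privilege lint for a GCP PAM entitlement (added example, constructed data)."""
from typing import List, Set

# Assumed predefined PAM role IDs (not taken from the original post).
PAM_ADMIN = "roles/privilegedaccessmanager.admin"
PAM_VIEWER = "roles/privilegedaccessmanager.viewer"


def principals_with_role(policy: dict, role: str) -> Set[str]:
    """Return every member bound to `role` in an IAM policy dict."""
    return {m for b in policy.get("bindings", []) if b.get("role") == role
            for m in b.get("members", [])}


def approvers_of(entitlement: dict) -> Set[str]:
    """Collect approver principals across all manual-approval steps."""
    steps = (entitlement.get("approvalWorkflow", {})
             .get("manualApprovals", {}).get("steps", []))
    return {p for step in steps for group in step.get("approvers", [])
            for p in group.get("principals", [])}


def eligible_of(entitlement: dict) -> Set[str]:
    """Collect principals allowed to request a grant on the entitlement."""
    return {p for group in entitlement.get("eligibleUsers", [])
            for p in group.get("principals", [])}


def lint_entitlement(entitlement: dict, org_policy: dict) -> List[str]:
    """Return one finding per approver that breaks least privilege or separation of duties."""
    findings: List[str] = []
    admins = principals_with_role(org_policy, PAM_ADMIN)
    viewers = principals_with_role(org_policy, PAM_VIEWER)
    eligible = eligible_of(entitlement)
    for approver in sorted(approvers_of(entitlement)):
        if approver in admins:
            findings.append(f"{approver}: approver holds {PAM_ADMIN} and could edit the entitlement it approves")
        elif approver not in viewers:
            findings.append(f"{approver}: approver lacks {PAM_VIEWER} and cannot see grants to approve")
        if approver in eligible:
            findings.append(f"{approver}: approver is also an eligible requester (self-approval)")
    return findings


# Constructed organization IAM policy: one PAM Admin, two PAM Viewers.
ORG_POLICY = {
    "bindings": [
        {"role": PAM_ADMIN, "members": ["user:platform-admin@example.com"]},
        {"role": PAM_VIEWER, "members": ["user:approver@example.com",
                                         "user:sneaky@example.com"]},
    ]
}

# Constructed entitlement: eligible requesters plus a one-step approval workflow.
ENTITLEMENT = {
    "maxRequestDuration": "3600s",
    "eligibleUsers": [{"principals": ["user:dev@example.com", "user:sneaky@example.com"]}],
    "approvalWorkflow": {"manualApprovals": {"steps": [{
        "approvalsNeeded": 1,
        "approvers": [{"principals": ["user:approver@example.com",
                                      "user:sneaky@example.com",
                                      "user:platform-admin@example.com"]}],
    }]}},
}

# A compliant variant: the only approver is a PAM Viewer who cannot request.
CLEAN_ENTITLEMENT = {
    "eligibleUsers": [{"principals": ["user:dev@example.com"]}],
    "approvalWorkflow": {"manualApprovals": {"steps": [{
        "approvalsNeeded": 1,
        "approvers": [{"principals": ["user:approver@example.com"]}],
    }]}},
}

if __name__ == "__main__":
    for line in lint_entitlement(ENTITLEMENT, ORG_POLICY) or ["no findings"]:
        print(line)
```

Against the constructed data the lint reports two problems (the PAM Admin sitting in the approver list, and a principal who can both request and approve) and nothing for the clean entitlement; feeding it the real `get-iam-policy` output and exported entitlement files makes it a quick pre-deployment check.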