Analyze allow policies

This page shows how to use Policy Analyzer for allow policies to find out which principals (users, service accounts, groups, and domains) have what access to which Google Cloud resources.

The examples on this page show how to run a Policy Analysis query and immediately view the results. If you want to export the results for further analysis, you can use AnalyzeIamPolicyLongrunning to write query results to BigQuery or Cloud Storage.

Note: Policy Analyzer uses the Cloud Asset API, which offers best-effort data freshness. While almost all policy updates appear in Policy Analyzer in minutes, it's possible that Policy Analyzer won't include the most recent policy updates.

Before you begin

Required roles and permissions

The following roles and permissions are required to analyze allow policies.

Required IAM roles

To get the permissions that you need to analyze an allow policy, ask your administrator to grant you the following IAM roles on the project, folder, or organization that you will scope your query to:

For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to analyze an allow policy. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to analyze an allow policy:

  • cloudasset.assets.analyzeIamPolicy
  • cloudasset.assets.searchAllResources
  • cloudasset.assets.searchAllIamPolicies
  • To analyze policies with custom IAM roles: iam.roles.get
  • To use the Google Cloud CLI to analyze policies: serviceusage.services.use

You might also be able to get these permissions with custom roles or other predefined roles.

Required Google Workspace permissions

If you want to expand groups in query results to see if a principal has certain roles or permissions as a result of their membership in a Google Workspace group, you need the groups.read Google Workspace permission. This permission is contained in the Groups Reader Admin role, and in more powerful roles such as the Groups Admin or Super Admin roles. To learn how to grant these roles, see Assign specific admin roles.

Determine which principals can access a resource

You can use Policy Analyzer to check which principals have certain roles or permissions on a specific resource in your project, folder, or organization. To get this information, create a query that includes the resource that you want to analyze access for and one or more roles or permissions to check for.

Note: Policy Analyzer only supports IAM allow policies. Results do not account for other access control mechanisms, like IAM deny policies. For more information, see Supported policy types.

Console

  1. In the Google Cloud console, go to the Policy analyzer page.

    Go to the Policy analyzer page

  2. In the Analyze policies section, find the pane labeled Custom query and click Create custom query in that pane.

  3. In the Select query scope field, select the project, folder, or organization that you want to scope the query to. Policy Analyzer will analyze access for that project, folder, or organization, as well as any resources within that project, folder, or organization.

  4. Choose the resource to check and the role or permission to check for:

    1. In the Parameter 1 field, select Resource from the drop-down menu.
    2. In the Resource field, enter the full resource name of the resource that you want to analyze access for. If you don't know the full resource name, start typing the display name of the resource, then select the resource from the list of resources provided.
    3. Click Add selector.
    4. In the Parameter 2 field, select either Role or Permission.
    5. In the Select a role or Select a permission field, select the role or permission that you want to check for.
    6. Optional: To check for additional roles and permissions, continue adding Role and Permission selectors until all the roles and permissions that you want to check for are listed.
  5. Optional: Click Continue, then select any advanced options that you want to enable for this query.

  6. In the Custom query pane, click Analyze > Run query. The report page shows the query parameters you entered, and a results table of all principals with the specified roles or permissions on the specified resource.

    Policy analysis queries in the Google Cloud console run for up to one minute. After one minute, the Google Cloud console stops the query and displays all available results. If the query didn't finish in that time, the Google Cloud console displays a banner indicating that the results are incomplete. To get more results for these queries, export the results to BigQuery.

gcloud

Before using any of the command data below, make the following replacements:

  • RESOURCE_TYPE: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value project, folder, or organization.
  • RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
  • FULL_RESOURCE_NAME: The full resource name of the resource that you want to analyze access for. For a list of full resource name formats, see Resource name format.
  • PERMISSIONS: A comma-separated list of the permissions that you want to check for, for example compute.instances.get,compute.instances.start. If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.

Note: If you want more detailed query results, you can enable advanced options.

Execute the gcloud asset analyze-iam-policy command:

Linux, macOS, or Cloud Shell

Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running either gcloud init; or gcloud auth login and gcloud config set project.

gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID \
  --full-resource-name=FULL_RESOURCE_NAME \
  --permissions='PERMISSIONS'

Windows (PowerShell)

Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running either gcloud init; or gcloud auth login and gcloud config set project.

gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID `
  --full-resource-name=FULL_RESOURCE_NAME `
  --permissions='PERMISSIONS'

Windows (cmd.exe)

Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running either gcloud init; or gcloud auth login and gcloud config set project.

Note: If this command uses ' for quoting content, replace these single quotes with double quotes. If quoting is nested, use \" to escape the inner quotes.

gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID ^
  --full-resource-name=FULL_RESOURCE_NAME ^
  --permissions='PERMISSIONS'

You receive a YAML response with analysis results. Each analysis result lists a set of accesses, identities, and resources that are relevant to your query, followed by the related IAM role binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is CONDITIONAL.

The principals that have any of the specified permissions on the specified resource are listed in the identities fields in the response. The following example shows a single analysis result with the identities field highlighted.

...
---
ACLs:
- accesses:
  - permission: compute.instances.get
  - permission: compute.instances.start
  identities:
  - name: user:my-user@example.com
  resources:
  - fullResourceName: //cloudresourcemanager.googleapis.com/projects/my-project
policy:
  attachedResource: //cloudresourcemanager.googleapis.com/projects/my-project
  binding:
    members:
    - user: my-user@example.com
    role: roles/compute.admin
---
...

If the request times out before the query finishes, you get a DEADLINE_EXCEEDED error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of analyze-iam-policy. For instructions, see Write policy analysis to BigQuery or Write policy analysis to Cloud Storage.

REST

To determine which principals have certain permissions on a resource, use the Cloud Asset Inventory API's analyzeIamPolicy method.

Before using any of the request data, make the following replacements:

  • RESOURCE_TYPE: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value projects, folders, or organizations.
  • RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
  • FULL_RESOURCE_NAME: The full resource name of the resource that you want to analyze access for. For a list of full resource name formats, see Resource name format.
  • PERMISSION_1, PERMISSION_2 ... PERMISSION_N: The permissions that you want to check for, for example compute.instances.get. If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.

Note: If you want more detailed query results, you can enable advanced options.

HTTP method and URL:

POST https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy

Request JSON body:

{
  "analysisQuery": {
    "resourceSelector": {
      "fullResourceName": "FULL_RESOURCE_NAME"
    },
    "accessSelector": {
      "permissions": [
        "PERMISSION_1",
        "PERMISSION_2",
        "PERMISSION_N"
      ]
    }
  }
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "X-HTTP-Method-Override: GET" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred"; "X-HTTP-Method-Override" = "GET" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy" | Select-Object -Expand Content

APIs Explorer (browser)

Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.

You receive a JSON response with analysis results. Each analysis result describes a relevant IAM role binding, then lists the resource, accesses, and principals in that binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is listed as CONDITIONAL.

The principals that have any of the specified permissions on the specified resource are listed in the identities fields in the response. The following example shows a single analysis result with the identities field highlighted.

...
{
  "attachedResourceFullName": "//cloudresourcemanager.googleapis.com/projects/my-project",
  "iamBinding": {
    "role": "roles/compute.admin",
    "members": [
      "user:my-user@example.com"
    ]
  },
  "accessControlLists": [
    {
      "resources": [
        {
          "fullResourceName": "//cloudresourcemanager.googleapis.com/projects/my-project"
        }
      ],
      "accesses": [
        {
          "permission": "compute.instances.get"
        },
        {
          "permission": "compute.instances.start"
        }
      ]
    }
  ],
  "identityList": {
    "identities": [
      {
        "name": "user:my-user@example.com"
      }
    ]
  },
  "fullyExplored": true
},
...

If the request times out before the query finishes, you get a DEADLINE_EXCEEDED error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of analyzeIamPolicy. For instructions, see Write policy analysis to BigQuery or Write policy analysis to Cloud Storage.
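Reviewing a raw analyzeIamPolicy response is easier once each analysis result is flattened into (principal, access, resource) rows and the CONDITIONAL and fullyExplored signals are surfaced rather than buried. The Python below is an added example, not code from this page or from the Cloud Asset API client libraries; it runs over a constructed sample response, and it assumes the mainAnalysis.analysisResults wrapper and the per-ACL conditionEvaluation.evaluationValue field, which the single-result excerpt above does not show. Because the roles-only and principal-on-resource queries later on this page return the same result structure, the same parser serves them too.

```python
import json
from dataclasses import dataclass

# Constructed sample response, not real output. The mainAnalysis/analysisResults
# wrapper and the per-ACL conditionEvaluation field are assumptions about the
# API shape; the page itself shows only a single analysis result.
SAMPLE_RESPONSE = json.dumps({
    "mainAnalysis": {
        "analysisResults": [
            {   # unconditional binding, mirrors the page's example
                "attachedResourceFullName": "//cloudresourcemanager.googleapis.com/projects/my-project",
                "iamBinding": {"role": "roles/compute.admin",
                               "members": ["user:my-user@example.com"]},
                "accessControlLists": [{
                    "resources": [{"fullResourceName": "//cloudresourcemanager.googleapis.com/projects/my-project"}],
                    "accesses": [{"permission": "compute.instances.get"},
                                 {"permission": "compute.instances.start"}],
                }],
                "identityList": {"identities": [{"name": "user:my-user@example.com"}]},
                "fullyExplored": True,
            },
            {   # conditional binding whose condition could not be evaluated
                "attachedResourceFullName": "//cloudresourcemanager.googleapis.com/projects/my-project",
                "iamBinding": {"role": "roles/compute.instanceAdmin.v1",
                               "members": ["group:ops@example.com"],
                               "condition": {"expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
                "accessControlLists": [{
                    "resources": [{"fullResourceName": "//compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/vm-1"}],
                    "accesses": [{"permission": "compute.instances.start"}],
                    "conditionEvaluation": {"evaluationValue": "CONDITIONAL"},
                }],
                "identityList": {"identities": [{"name": "group:ops@example.com"}]},
                "fullyExplored": False,   # e.g. group expansion did not finish
            },
        ],
        "fullyExplored": False,
    },
    "fullyExplored": False,
})


@dataclass(frozen=True)
class Grant:
    identity: str        # principal, e.g. "user:alice@example.com"
    access: str          # "permission:<name>" or "role:<name>"
    resource: str        # full resource name the access applies to
    binding_role: str    # role in the IAM binding that produced the grant
    condition: str       # TRUE, FALSE, CONDITIONAL, or NONE when unconditional
    fully_explored: bool


def parse_results(raw_json: str) -> list[Grant]:
    """Flatten every analysis result into one Grant per
    (identity, access, resource) triple so the output can be filtered."""
    doc = json.loads(raw_json)
    grants: list[Grant] = []
    for result in doc.get("mainAnalysis", {}).get("analysisResults", []):
        binding_role = result.get("iamBinding", {}).get("role", "")
        identities = [i["name"] for i in result.get("identityList", {}).get("identities", [])]
        for acl in result.get("accessControlLists", []):
            condition = acl.get("conditionEvaluation", {}).get("evaluationValue", "NONE")
            accesses = []
            for a in acl.get("accesses", []):   # an access is a permission or a role
                if "permission" in a:
                    accesses.append("permission:" + a["permission"])
                if "role" in a:
                    accesses.append("role:" + a["role"])
            for res in acl.get("resources", []):
                for ident in identities:
                    for access in accesses:
                        grants.append(Grant(ident, access, res["fullResourceName"],
                                            binding_role, condition,
                                            result.get("fullyExplored", False)))
    return grants


def principals_with(grants: list[Grant], access: str,
                    include_conditional: bool = True) -> set[str]:
    """Principals holding `access` on any resource. Bindings whose condition
    evaluated FALSE are never counted; CONDITIONAL ones are optional."""
    found = set()
    for g in grants:
        if g.access != access or g.condition == "FALSE":
            continue
        if g.condition == "CONDITIONAL" and not include_conditional:
            continue
        found.add(g.identity)
    return found


def review_flags(raw_json: str, grants: list[Grant]) -> list[str]:
    """Reasons the result must not be read as a complete, definite answer."""
    flags = set()
    if not json.loads(raw_json).get("fullyExplored", False):
        flags.add("response not fully explored: principal list may be incomplete")
    for g in grants:
        if g.condition == "CONDITIONAL":
            flags.add(f"{g.identity}: {g.access} on {g.resource} depends on the "
                      f"condition attached to {g.binding_role}")
    return sorted(flags)
```

Feed the body of a real response to parse_results in place of SAMPLE_RESPONSE; review_flags is the part worth wiring into any automated access review, since a not-fully-explored or CONDITIONAL result is exactly the case where a plain principal list misleads.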

Determine which principals have certain roles or permissions

You can use Policy Analyzer to check which principals have specific roles or permissions on any Google Cloud resource in your organization. To get this information, create a query that includes one or more roles or permissions to check for, but does not specify a resource.

Note: Policy Analyzer only supports IAM allow policies. Results do not account for other access control mechanisms, like IAM deny policies. For more information, see Supported policy types.

Console

  1. In the Google Cloud console, go to the Policy analyzer page.

    Go to the Policy analyzer page

  2. In the Analyze policies section, find the pane labeled Custom query and click Create custom query in that pane.

  3. In the Select query scope field, select the project, folder, or organization that you want to scope the query to. Policy Analyzer will analyze access for that project, folder, or organization, as well as any resources within that project, folder, or organization.

  4. In the Parameter 1 field, select either Role or Permission.

  5. In the Select a role or Select a permission field, select the role or permission that you want to check for.

  6. Optional: To check for additional roles and permissions, do the following:

    1. Click Add selector.
    2. In the Parameter 2 field, select either Role or Permission.
    3. In the Select a role or Select a permission field, select the role or permission that you want to check for.
    4. Continue adding Role and Permission selectors until all the roles and permissions that you want to check for are listed.
  7. Optional: Click Continue, then select any advanced options that you want to enable for this query.

  8. In the Custom query pane, click Analyze > Run query. The report page shows the query parameters you entered, and a results table of all principals with the specified roles or permissions on any in-scope resource.

    Policy analysis queries in the Google Cloud console run for up to one minute. After one minute, the Google Cloud console stops the query and displays all available results. If the query didn't finish in that time, the Google Cloud console displays a banner indicating that the results are incomplete. To get more results for these queries, export the results to BigQuery.

gcloud

Before using any of the command data below, make the following replacements:

  • RESOURCE_TYPE: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value project, folder, or organization.
  • RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
  • ROLES: A comma-separated list of the roles that you want to check for, for example roles/compute.admin,roles/compute.imageUser. If you list multiple roles, Policy Analyzer will check for any of the roles listed.
  • PERMISSIONS: A comma-separated list of the permissions that you want to check for, for example compute.instances.get,compute.instances.start. If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.

Note: If you want more detailed query results, you can enable advanced options.

Execute the gcloud asset analyze-iam-policy command:

Linux, macOS, or Cloud Shell

Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running either gcloud init; or gcloud auth login and gcloud config set project.

gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID \
  --roles='ROLES' \
  --permissions='PERMISSIONS'

Windows (PowerShell)

Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running either gcloud init; or gcloud auth login and gcloud config set project.

gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID `
  --roles='ROLES' `
  --permissions='PERMISSIONS'

Windows (cmd.exe)

Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running either gcloud init; or gcloud auth login and gcloud config set project.

Note: If this command uses ' for quoting content, replace these single quotes with double quotes. If quoting is nested, use \" to escape the inner quotes.

gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID ^
  --roles='ROLES' ^
  --permissions='PERMISSIONS'

You receive a JSON response with analysis results. Each analysis result describes a relevant IAM role binding, then lists the resource, accesses, and principals in that binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is listed as CONDITIONAL.

The principals that have any of the specified roles or permissions are listed in the identities fields in the response. The following example shows a single analysis result with the identities field highlighted.

...
---
ACLs:
- accesses:
  - permission: compute.instances.get
  - permission: compute.instances.start
  - role: roles/compute.admin
  identities:
  - name: user:my-user@example.com
  resources:
  - fullResourceName: //cloudresourcemanager.googleapis.com/projects/my-project
policy:
  attachedResource: //cloudresourcemanager.googleapis.com/projects/my-project
  binding:
    members:
    - user: my-user@example.com
    role: roles/compute.admin
---
...

If the request times out before the query finishes, you get a DEADLINE_EXCEEDED error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of analyze-iam-policy. For instructions, see Write policy analysis to BigQuery or Write policy analysis to Cloud Storage.

REST

To determine which principals have certain roles or permissions, use the Cloud Asset Inventory API's analyzeIamPolicy method.

Before using any of the request data, make the following replacements:

  • RESOURCE_TYPE: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value projects, folders, or organizations.
  • RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
  • ROLE_1, ROLE_2 ... ROLE_N: The roles that you want to check for, for example roles/compute.admin. If you list multiple roles, Policy Analyzer will check for any of the roles listed.
  • PERMISSION_1, PERMISSION_2 ... PERMISSION_N: The permissions that you want to check for, for example compute.instances.get. If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.

Note: If you want more detailed query results, you can enable advanced options.

HTTP method and URL:

POST https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy

Request JSON body:

{
  "analysisQuery": {
    "accessSelector": {
      "roles": [
        "ROLE_1",
        "ROLE_2",
        "ROLE_N"
      ],
      "permissions": [
        "PERMISSION_1",
        "PERMISSION_2",
        "PERMISSION_N"
      ]
    }
  }
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "X-HTTP-Method-Override: GET" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred"; "X-HTTP-Method-Override" = "GET" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy" | Select-Object -Expand Content

APIs Explorer (browser)

Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.

You receive a JSON response with analysis results. Each analysis result describes a relevant IAM role binding, then lists the resource, accesses, and principals in that binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is listed as CONDITIONAL.

The principals that have any of the specified roles or permissions are listed in the identities fields in the response. The following example shows a single analysis result with the identities field highlighted.

...
{
  "attachedResourceFullName": "//cloudresourcemanager.googleapis.com/projects/my-project",
  "iamBinding": {
    "role": "roles/compute.admin",
    "members": [
      "user:my-user@example.com"
    ]
  },
  "accessControlLists": [
    {
      "resources": [
        {
          "fullResourceName": "//cloudresourcemanager.googleapis.com/projects/my-project"
        }
      ],
      "accesses": [
        {
          "permission": "compute.instances.get"
        },
        {
          "role": "roles/compute.admin"
        }
      ]
    }
  ],
  "identityList": {
    "identities": [
      {
        "name": "user:my-user@example.com"
      }
    ]
  },
  "fullyExplored": true
},
...

If the request times out before the query finishes, you get a DEADLINE_EXCEEDED error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of analyzeIamPolicy. For instructions, see Write policy analysis to BigQuery or Write policy analysis to Cloud Storage.

Determine what access a principal has on a resource

You can use Policy Analyzer to check what roles or permissions a principal has on a resource in your organization. To get this information, create a query that includes the principal whose access you want to analyze and the resource that you want to analyze access for.

Note: Policy Analyzer only supports IAM allow policies. Results do not account for other access control mechanisms, like IAM deny policies. For more information, see Supported policy types.

Console

  1. In the Google Cloud console, go to the Policy analyzer page.

    Go to the Policy analyzer page

  2. In the Analyze policies section, find the pane labeled Custom query and click Create custom query in that pane.

  3. In the Select query scope field, select the project, folder, or organization that you want to scope the query to. Policy Analyzer will analyze access for that project, folder, or organization, as well as any resources within that project, folder, or organization.

  4. Choose the resource and principal to check:

    1. In the Parameter 1 field, select Resource from the drop-down menu.
    2. In the Resource field, enter the full resource name of the resource that you want to analyze access for. If you don't know the full resource name, start typing the display name of the resource, then select the resource from the list of resources provided.
    3. Click Add selector.
    4. In the Parameter 2 field, select Principal from the drop-down menu.
    5. In the Principal field, start typing the name of a user, service account, or group. Then, select the user, service account, or group whose access you want to analyze from the list of principals provided.
  5. Optional: Click Continue, then select any advanced options that you want to enable for this query.

  6. In the Custom query pane, click Analyze > Run query. The report page shows the query parameters you entered, and a results table of all roles that the specified principal has on the specified resource.

    Policy analysis queries in the Google Cloud console run for up to one minute. After one minute, the Google Cloud console stops the query and displays all available results. If the query didn't finish in that time, the Google Cloud console displays a banner indicating that the results are incomplete. To get more results for these queries, export the results to BigQuery.

gcloud

Before using any of the command data below, make the following replacements:

  • RESOURCE_TYPE: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value project, folder, or organization.
  • RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
  • FULL_RESOURCE_NAME: The full resource name of the resource that you want to analyze access for. For a list of full resource name formats, see Resource name format.
  • PRINCIPAL: The principal whose access you want to analyze, in the form PRINCIPAL_TYPE:ID, for example user:my-user@example.com. For a full list of the principal types, see Principal identifiers.

Note: If you want more detailed query results, you can enable advanced options.

Execute the gcloud asset analyze-iam-policy command:

Linux, macOS, or Cloud Shell

Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running either gcloud init; or gcloud auth login and gcloud config set project.

gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID \
  --full-resource-name=FULL_RESOURCE_NAME \
  --identity=PRINCIPAL

Windows (PowerShell)

Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running either gcloud init; or gcloud auth login and gcloud config set project.

gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID `
  --full-resource-name=FULL_RESOURCE_NAME `
  --identity=PRINCIPAL

Windows (cmd.exe)

Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running either gcloud init; or gcloud auth login and gcloud config set project.

gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID ^
  --full-resource-name=FULL_RESOURCE_NAME ^
  --identity=PRINCIPAL

You receive a YAML response with analysis results. Each analysis result lists a set of accesses, identities, and resources that are relevant to your query, followed by the related IAM role binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is CONDITIONAL.

The roles that the principal has on the specified resource are listed in the accesses fields in the response. The following example shows a single analysis result with the accesses field highlighted.

...
---
ACLs:
- accesses:
  - roles/iam.serviceAccountUser
  identities:
  - name: user:my-user@example.com
  resources:
  - fullResourceName: //cloudresourcemanager.googleapis.com/projects/my-project
policy:
  attachedResource: //cloudresourcemanager.googleapis.com/projects/my-project
  binding:
    members:
    - user: my-user@example.com
    role: roles/iam.serviceAccountUser
---
...

If the request times out before the query finishes, you get a DEADLINE_EXCEEDED error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of analyze-iam-policy. For instructions, see Write policy analysis to BigQuery or Write policy analysis to Cloud Storage.

REST

To determine what access a principal has on a resource, use the Cloud Asset Inventory API's analyzeIamPolicy method.

Before using any of the request data, make the following replacements:

  • RESOURCE_TYPE: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value projects, folders, or organizations.
  • RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
  • FULL_RESOURCE_NAME: The full resource name of the resource that you want to analyze access for. For a list of full resource name formats, see Resource name format.
  • PRINCIPAL: The principal whose access you want to analyze, in the form PRINCIPAL_TYPE:ID, for example user:my-user@example.com. For a full list of the principal types, see Principal identifiers.

Note: If you want more detailed query results, you can enable advanced options.

HTTP method and URL:

POST https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy

Request JSON body:

{
  "analysisQuery": {
    "resourceSelector": {
      "fullResourceName": "FULL_RESOURCE_NAME"
    },
    "identitySelector": {
      "identity": "PRINCIPAL"
    }
  }
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "X-HTTP-Method-Override: GET" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Save the request body in a file namedrequest.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred"; "X-HTTP-Method-Override" = "GET" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy" | Select-Object -Expand Content

APIs Explorer (browser)

Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.

You receive a JSON response with analysis results. Each analysis result describes a relevant IAM role binding, then lists the resource, accesses, and principals in that binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is listed as CONDITIONAL.

The roles that the principal has on the specified resource are listed in the accesses fields in the response. The following example shows a single analysis result with the accesses field highlighted.

...
{
  "attachedResourceFullName": "//cloudresourcemanager.googleapis.com/projects/my-project",
  "iamBinding": {
    "role": "roles/iam.serviceAccountUser",
    "members": [
      "user:my-user@example.com"
    ]
  },
  "accessControlLists": [
    {
      "resources": [
        {
          "fullResourceName": "//cloudresourcemanager.googleapis.com/projects/my-project"
        }
      ],
      "accesses": [
        {
          "roles": "iam.serviceAccountUser"
        }
      ]
    }
  ],
  "identityList": {
    "identities": [
      {
        "name": "user:my-user@example.com"
      }
    ]
  },
  "fullyExplored": true
},
...

If the request times out before the query finishes, you get a DEADLINE_EXCEEDED error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of analyzeIamPolicy. For instructions, see Write policy analysis to BigQuery or Write policy analysis to Cloud Storage.

Determine which resources a principal can access

You can use Policy Analyzer to check which resources within your organization a principal has certain roles or permissions on. To get this information, create a query that includes the principal whose access you want to analyze and one or more permissions or roles that you want to check for.

Note: Policy Analyzer only supports IAM allow policies. Results do not account for other access control mechanisms, like IAM deny policies. For more information, see Supported policy types.

Console

  1. In the Google Cloud console, go to the Policy analyzer page.

    Go to the Policy analyzer page

  2. In the Analyze policies section, find the pane labeled Custom query and click Create custom query in that pane.

  3. In the Select query scope field, select the project, folder, or organization that you want to scope the query to. Policy Analyzer will analyze access for that project, folder, or organization, as well as any resources within that project, folder, or organization.

  4. Choose the principal to check and the role or permission to check for:

    1. In the Parameter 1 field, select Principal from the drop-down menu.
    2. In the Principal field, start typing the name of a user, service account, or group. Then, select the user, service account, or group whose access you want to analyze from the list of principals provided.
    3. Click Add selector.
    4. In the Parameter 2 field, select either Role or Permission.
    5. In the Select a role or Select a permission field, select the role or permission that you want to check for.
    6. Optional: To check for additional roles and permissions, continue adding Role and Permission selectors until all the roles and permissions that you want to check for are listed.

  5. Optional: Click Continue, then select any advanced options that you want to enable for this query.

  6. In the Custom query pane, click Analyze > Run query. The report page shows the query parameters you entered, and a results table of all the resources on which the specified principal has the specified roles or permissions.

    Policy analysis queries in the Google Cloud console run for up to one minute. After one minute, the Google Cloud console stops the query and displays all available results. If the query didn't finish in that time, the Google Cloud console displays a banner indicating that the results are incomplete. To get more results for these queries, export the results to BigQuery.

gcloud

Before using any of the command data below, make the following replacements:

  • RESOURCE_TYPE: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value project, folder, or organization.
  • RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
  • PRINCIPAL: The principal whose access you want to analyze, in the form PRINCIPAL_TYPE:ID—for example, user:my-user@example.com. For a full list of the principal types, see Principal identifiers.
  • PERMISSIONS: A comma-separated list of the permissions that you want to check for—for example, compute.instances.get,compute.instances.start. If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.

Note: If you want more detailed query results, you can enable advanced options.

Execute the gcloud asset analyze-iam-policy command:

Linux, macOS, or Cloud Shell

Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running either gcloud init; or gcloud auth login and gcloud config set project.

gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID \
  --identity=PRINCIPAL \
  --permissions='PERMISSIONS'

Windows (PowerShell)

Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running either gcloud init; or gcloud auth login and gcloud config set project.

gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID `
  --identity=PRINCIPAL `
  --permissions='PERMISSIONS'

Windows (cmd.exe)

Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running either gcloud init; or gcloud auth login and gcloud config set project.

Note: If this command uses ' for quoting content, replace these single quotes with double quotes. If quoting is nested, use \" to escape the inner quotes.

gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID ^
  --identity=PRINCIPAL ^
  --permissions='PERMISSIONS'

You receive a YAML response with analysis results. Each analysis result lists a set of accesses, identities, and resources that are relevant to your query, followed by the related IAM role binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is CONDITIONAL.

The resources on which the specified principal has any of the specified permissions are listed in the resources fields in the response. The following example shows a single analysis result with the resources field highlighted.

...
---
ACLs:
- accesses:
  - permission: compute.instances.get
  - permission: compute.instances.start
  identities:
  - name: user:my-user@example.com
  resources:
  - fullResourceName: //compute.googleapis.com/projects/my-project/global/images/my-image
policy:
  attachedResource: //compute.googleapis.com/projects/my-project/global/images/my-image
  binding:
    members:
    - user: my-user@example.com
    role: roles/compute.admin
---
...

If the request times out before the query finishes, you get a DEADLINE_EXCEEDED error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of analyze-iam-policy. For instructions, see Write policy analysis to BigQuery or Write policy analysis to Cloud Storage.

REST

To determine which resources a principal can access, use the Cloud Asset Inventory API's analyzeIamPolicy method.

Before using any of the request data, make the following replacements:

  • RESOURCE_TYPE: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value projects, folders, or organizations.
  • RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
  • PRINCIPAL: The principal whose access you want to analyze, in the form PRINCIPAL_TYPE:ID—for example, user:my-user@example.com. For a full list of the principal types, see Principal identifiers.
  • PERMISSION_1, PERMISSION_2 ... PERMISSION_N: The permissions that you want to check for—for example, compute.instances.get. If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.

Note: If you want more detailed query results, you can enable advanced options.

HTTP method and URL:

POST https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy

Request JSON body:

{
  "analysisQuery": {
    "identitySelector": {
      "identity": "PRINCIPAL"
    },
    "accessSelector": {
      "permissions": [
        "PERMISSION_1",
        "PERMISSION_2",
        "PERMISSION_N"
      ]
    }
  }
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "X-HTTP-Method-Override: GET" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred"; "X-HTTP-Method-Override" = "GET" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy" | Select-Object -Expand Content

APIs Explorer (browser)

Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.

You receive a JSON response with analysis results. Each analysis result describes a relevant IAM role binding, then lists the resource, accesses, and principals in that binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is listed as CONDITIONAL.

The resources on which the specified principal has any of the specified permissions are listed in the resources fields in the response. The following example shows a single analysis result with the resources field highlighted.

...
{
  "attachedResourceFullName": "//compute.googleapis.com/projects/my-project/global/images/my-image",
  "iamBinding": {
    "role": "roles/compute.admin",
    "members": [
      "user:my-user@example.com"
    ]
  },
  "accessControlLists": [
    {
      "resources": [
        {
          "fullResourceName": "//compute.googleapis.com/projects/my-project/global/images/my-image"
        }
      ],
      "accesses": [
        {
          "permission": "compute.instances.get"
        },
        {
          "permission": "compute.instances.start"
        }
      ]
    }
  ],
  "identityList": {
    "identities": [
      {
        "name": "user:my-user@example.com"
      }
    ]
  },
  "fullyExplored": true
},
...

If the request times out before the query finishes, you get a DEADLINE_EXCEEDED error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of analyzeIamPolicy. For instructions, see Write policy analysis to BigQuery or Write policy analysis to Cloud Storage.

Determine access at a specific time

If given enough context, Policy Analyzer can analyze IAM conditional role bindings that only grant access at specific times. These conditions are called date/time conditions. For Policy Analyzer to accurately analyze role bindings with date/time conditions, you need to define the access time in the request.

Policy Analyzer can also analyze resource conditions with no additional user input. For more information about how Policy Analyzer works with conditions, see Conditional access.

Note: Policy Analyzer only supports IAM allow policies. Results do not account for other access control mechanisms, like IAM deny policies. For more information, see Supported policy types.

gcloud

Before using any of the command data below, make the following replacements:

  • RESOURCE_TYPE: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value project, folder, or organization.
  • RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
  • PRINCIPAL: The principal whose access you want to analyze, in the form PRINCIPAL_TYPE:ID—for example, user:my-user@example.com. For a full list of the principal types, see Principal identifiers.
  • FULL_RESOURCE_NAME: Optional. The full resource name of the resource that you want to analyze access for. For a list of full resource name formats, see Resource name format.
  • PERMISSIONS: Optional. A comma-separated list of the permissions that you want to check for—for example, compute.instances.get,compute.instances.start. If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.
  • ACCESS_TIME: The time that you want to check. This time must be in the future. Use a timestamp in RFC 3339 format—for example, 2099-02-01T00:00:00Z.

Note: If you want more detailed query results, you can enable advanced options.

Execute the gcloud asset analyze-iam-policy command:

Linux, macOS, or Cloud Shell

Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running either gcloud init; or gcloud auth login and gcloud config set project.

gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID \
  --identity=PRINCIPAL \
  --full-resource-name=FULL_RESOURCE_NAME \
  --permissions='PERMISSIONS' \
  --access-time=ACCESS_TIME

Windows (PowerShell)

Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running either gcloud init; or gcloud auth login and gcloud config set project.

gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID `
  --identity=PRINCIPAL `
  --full-resource-name=FULL_RESOURCE_NAME `
  --permissions='PERMISSIONS' `
  --access-time=ACCESS_TIME

Windows (cmd.exe)

Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running either gcloud init; or gcloud auth login and gcloud config set project.

Note: If this command uses ' for quoting content, replace these single quotes with double quotes. If quoting is nested, use \" to escape the inner quotes.

gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID ^
  --identity=PRINCIPAL ^
  --full-resource-name=FULL_RESOURCE_NAME ^
  --permissions='PERMISSIONS' ^
  --access-time=ACCESS_TIME

You receive a YAML response with analysis results. Each analysis result lists a set of accesses, identities, and resources that are relevant to your query, followed by the related IAM role binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is CONDITIONAL.

When you include the access time in the request, Policy Analyzer can evaluate date/time conditions. If the condition evaluates to false, that role is not included in the response. If the condition evaluates to true, the result of the condition evaluation is listed as TRUE.

...
---
ACLs:
- accesses:
  - permission: compute.instances.get
  - permission: compute.instances.start
  conditionEvaluationValue: 'TRUE'
  identities:
  - name: user:my-user@example.com
  resources:
  - fullResourceName: //cloudresourcemanager.googleapis.com/projects/my-project
policy:
  attachedResource: //cloudresourcemanager.googleapis.com/projects/my-project
  binding:
    condition:
      expression: request.time.getHours("America/Los_Angeles") >= 5
      title: No access before 5am PST
    members:
    - user: my-user@example.com
    role: roles/compute.admin
---
...

If the request times out before the query finishes, you get a DEADLINE_EXCEEDED error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of analyze-iam-policy. For instructions, see Write policy analysis to BigQuery or Write policy analysis to Cloud Storage.

REST

To determine which principals will have certain permissions on a resource at a specific time, use the Cloud Asset Inventory API's analyzeIamPolicy method.

Before using any of the request data, make the following replacements:

  • RESOURCE_TYPE: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value projects, folders, or organizations.
  • RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
  • PRINCIPAL: The principal whose access you want to analyze, in the form PRINCIPAL_TYPE:ID—for example, user:my-user@example.com. For a full list of the principal types, see Principal identifiers.
  • FULL_RESOURCE_NAME: Optional. The full resource name of the resource that you want to analyze access for. For a list of full resource name formats, see Resource name format.
  • PERMISSION_1, PERMISSION_2 ... PERMISSION_N: Optional. The permissions that you want to check for—for example, compute.instances.get. If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.
  • ACCESS_TIME: The time that you want to check. This time must be in the future. Use a timestamp in RFC 3339 format—for example, 2099-02-01T00:00:00Z.

Note: If you want more detailed query results, you can enable advanced options.

HTTP method and URL:

POST https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy

Request JSON body:

{
  "analysisQuery": {
    "identitySelector": {
      "identity": "PRINCIPAL"
    },
    "resourceSelector": {
      "fullResourceName": "FULL_RESOURCE_NAME"
    },
    "accessSelector": {
      "permissions": [
        "PERMISSION_1",
        "PERMISSION_2",
        "PERMISSION_N"
      ]
    },
    "conditionContext": {
      "accessTime": "ACCESS_TIME"
    }
  }
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "X-HTTP-Method-Override: GET" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred"; "X-HTTP-Method-Override" = "GET" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy" | Select-Object -Expand Content

APIs Explorer (browser)

Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.

You receive a JSON response with analysis results. Each analysis result describes a relevant IAM role binding, then lists the resource, accesses, and principals in that binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is listed as CONDITIONAL.

When you include the access time in the request, Policy Analyzer can evaluate date/time conditions. If the condition evaluates to false, that role is not included in the response. If the condition evaluates to true, the condition evaluation value in the analysis response is TRUE.

...
{
  "attachedResourceFullName": "//cloudresourcemanager.googleapis.com/projects/my-project",
  "iamBinding": {
    "role": "roles/compute.admin",
    "members": [
      "user:my-user@example.com"
    ],
    "condition": {
      "expression": "request.time.getHours(\"America/Los_Angeles\") \u003e= 5",
      "title": "No access before 5am PST"
    }
  },
  "accessControlLists": [
    {
      "resources": [
        {
          "fullResourceName": "//cloudresourcemanager.googleapis.com/projects/my-project"
        }
      ],
      "accesses": [
        {
          "permission": "compute.instances.get"
        },
        {
          "permission": "compute.instances.start"
        }
      ],
      "conditionEvaluation": {
        "evaluationValue": "TRUE"
      }
    }
  ],
  "identityList": {
    "identities": [
      {
        "name": "user:my-user@example.com"
      }
    ]
  },
  "fullyExplored": true
},
...

If the request times out before the query finishes, you get a DEADLINE_EXCEEDED error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of analyzeIamPolicy. For instructions, see Write policy analysis to BigQuery or Write policy analysis to Cloud Storage.
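Added here as a worked example (not code from this page or from Google): a small Python triage script over the JSON response shape documented in the three REST sections above. It flattens each analysis result into one row per principal, resource and access, then separates effective access (unconditional bindings, or conditions that evaluated to TRUE) from bindings whose condition could not be evaluated (CONDITIONAL) and from results that were not fully explored. The wrapper object (mainAnalysis.analysisResults with its own fullyExplored flag) and the third, constructed result are assumptions, not taken from the page.

```python
"""Triage analyzeIamPolicy JSON results into per-principal access rows."""
from collections import defaultdict

PROJECT = "//cloudresourcemanager.googleapis.com/projects/my-project"


def _result(role, principal, accesses, condition=None, evaluation=None, explored=True):
    """Build one analysis result in the page's JSON shape (constructed sample data)."""
    binding = {"role": role, "members": [principal]}
    if condition:
        binding["condition"] = {"expression": condition[0], "title": condition[1]}
    acl = {"resources": [{"fullResourceName": PROJECT}], "accesses": accesses}
    if evaluation:
        acl["conditionEvaluation"] = {"evaluationValue": evaluation}
    return {"attachedResourceFullName": PROJECT, "iamBinding": binding,
            "accessControlLists": [acl],
            "identityList": {"identities": [{"name": principal}]},
            "fullyExplored": explored}


# Constructed sample response. Assumption: results sit under
# mainAnalysis.analysisResults, as in the API's AnalyzeIamPolicyResponse.
SAMPLE_RESPONSE = {"mainAnalysis": {"fullyExplored": False, "analysisResults": [
    # The page's two examples: an unconditional role binding, and a
    # date/time-conditional binding evaluated with an access time (TRUE).
    _result("roles/iam.serviceAccountUser", "user:my-user@example.com",
            [{"role": "roles/iam.serviceAccountUser"}]),
    _result("roles/compute.admin", "user:my-user@example.com",
            [{"permission": "compute.instances.get"},
             {"permission": "compute.instances.start"}],
            condition=('request.time.getHours("America/Los_Angeles") >= 5',
                       "No access before 5am PST"),
            evaluation="TRUE"),
    # Constructed: a date/time condition queried without an access time, which
    # the page says cannot be evaluated and therefore comes back CONDITIONAL.
    _result("roles/storage.objectViewer", "group:auditors@example.com",
            [{"permission": "storage.objects.get"}],
            condition=('request.time < timestamp("2026-01-01T00:00:00Z")',
                       "Temporary audit access"),
            evaluation="CONDITIONAL", explored=False),
]}}


def access_label(access):
    """An Access holds a permission or a role; the page's JSON shows both spellings."""
    if "permission" in access:
        return "permission:" + access["permission"]
    return "role:" + (access.get("role") or access.get("roles"))


def flatten(response):
    """One row per (principal, resource, access), with the condition verdict attached."""
    rows = []
    for result in response.get("mainAnalysis", {}).get("analysisResults", []):
        binding = result.get("iamBinding", {})
        condition = binding.get("condition")
        for acl in result.get("accessControlLists", []):
            verdict = (acl.get("conditionEvaluation") or {}).get("evaluationValue")
            if condition is None:
                verdict = "UNCONDITIONAL"
            elif verdict is None:
                verdict = "CONDITIONAL"  # conditional binding, nothing evaluated
            for identity in result.get("identityList", {}).get("identities", []):
                for resource in acl.get("resources", []):
                    for access in acl.get("accesses", []):
                        rows.append({
                            "principal": identity["name"],
                            "resource": resource["fullResourceName"],
                            "access": access_label(access),
                            "binding_role": binding.get("role"),
                            "condition_title": (condition or {}).get("title"),
                            "verdict": verdict,
                            "fully_explored": result.get("fullyExplored", True),
                        })
    return rows


def triage(response):
    """Bucket rows: effective access, rows needing manual review, incomplete results."""
    buckets = defaultdict(list)
    for row in flatten(response):
        if row["verdict"] in ("UNCONDITIONAL", "TRUE"):
            buckets["effective"].append(row)
        elif row["verdict"] == "CONDITIONAL":
            buckets["needs_manual_review"].append(row)  # verify the condition by hand
        if not row["fully_explored"]:
            buckets["incomplete"].append(row)
    # A partially explored analysis can miss bindings: "no finding" is not "no access".
    buckets["analysis_complete"] = response.get("mainAnalysis", {}).get("fullyExplored", True)
    return buckets


if __name__ == "__main__":
    for name, rows in triage(SAMPLE_RESPONSE).items():
        print(name, rows if isinstance(rows, bool)
              else [(r["principal"], r["access"], r["verdict"]) for r in rows])
```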

Enable options

You can enable the following options to receive more detailed query results.

Console

Option  Description

List resources within resource(s) matching your query

If you enable this option, the query results list up to 1,000 relevant descendant resources for any parent resources (projects, folders, and organizations) in the query results.

List individual users inside groups

If you enable this option, any groups in the query results are expanded into individual members. If you have sufficient group permissions, nested groups will also be expanded. This expansion is capped at 1,000 members per group.

This option is only available if you don't specify a principal in your query.

List permissions inside roles

If you enable this option, the query results list all permissions inside each role in addition to the role itself.

This option is only available if you don't specify any permissions or roles in your query.

gcloud

This section describes several common flags that you can add when you use the gcloud CLI to analyze allow policies. For a full list of options, see Optional flags.

Flag  Description

--analyze-service-account-impersonation

If this option is enabled, Policy Analyzer runs additional analysis queries to determine who can impersonate the service accounts that have the specified access to the specified resources. Policy Analyzer runs one query for each service account in query results. These queries analyze who has any of the following permissions on the service account:

  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • iam.serviceAccounts.implicitDelegation
  • iam.serviceAccounts.signBlob
  • iam.serviceAccounts.signJwt

This is a very expensive operation, because it automatically executes many queries. We highly recommend that you export to BigQuery or export to Cloud Storage using analyze-iam-policy-longrunning instead of using analyze-iam-policy.

--expand-groups

If you enable this option, any groups in the query results are expanded into individual members. If you have sufficient group permissions, nested groups will also be expanded. This expansion is capped at 1,000 members per group.

This option is only effective if you don't specify a principal in your query.

--expand-resources

If you enable this option, the query results list up to 1,000 relevant descendant resources for any parent resources (projects, folders, and organizations) in the query results.

--expand-roles

If you enable this option, the query results list all permissions inside each role in addition to the role itself.

This option is only available if you don't specify any permissions or roles in your query.

--output-group-edges

If you enable this option, the query results output the relevant membership relationships between groups.

--output-resource-edges

If you enable this option, the query results output the relevant parent/child relationships between resources.

REST

To enable any options, first add an options field to your analysis query. For example:

{
  "analysisQuery": {
    "resourceSelector": {
      "fullResourceName": "//cloudresourcemanager.googleapis.com/projects/my-project"
    },
    "accessSelector": {
      "permissions": [
        "iam.roles.get",
        "iam.roles.list"
      ]
    },
    "options": {
      OPTIONS
    }
  }
}

Replace OPTIONS with the options that you want to enable, in the form "OPTION": true. The following table describes the available options:

Option  Description

analyzeServiceAccountImpersonation

If this option is enabled, Policy Analyzer runs additional analysis queries to determine who can impersonate the service accounts that have the specified access to the specified resources. Policy Analyzer runs one query for each service account in query results. These queries analyze who has any of the following permissions on the service account:

  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • iam.serviceAccounts.implicitDelegation
  • iam.serviceAccounts.signBlob
  • iam.serviceAccounts.signJwt

This is a very expensive operation, because it automatically executes many queries. We highly recommend that you export to BigQuery or export to Cloud Storage using AnalyzeIamPolicyLongrunning instead of using AnalyzeIamPolicy.

expandGroups

If you enable this option, any groups in the query results are expanded into individual members. If you have sufficient group permissions, nested groups will also be expanded. This expansion is capped at 1,000 members per group.

This option is only effective if you don't specify a principal in your query.

expandResources

If you enable this option, the query results list up to 1,000 relevant descendant resources for any parent resources (projects, folders, and organizations) in the query results.

expandRoles

If you enable this option, the query results list all permissions inside each role in addition to the role itself.

This option is only available if you don't specify any permissions or roles in your query.

outputGroupEdges

If you enable this option, the query results output the relevant membership relationships between groups.

outputResourceEdges

If you enable this option, the query results output the relevant parent/child relationships between resources.
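As an added example (not Google's client code), the following Python helper assembles the analyzeIamPolicy request used in the REST sections of this page: the resource, identity and access selectors, conditionContext.accessTime for date/time conditions, the options field described above, and the POST-with-X-HTTP-Method-Override: GET header pattern from the curl command. It also rejects combinations the page says are ineffective, such as expandGroups together with a principal, and an accessTime that is not in the future. The roles field of accessSelector and the access-token placeholder are assumptions.

```python
"""Build analyzeIamPolicy requests for the query shapes shown on this page."""
import json
import urllib.request
from datetime import datetime, timezone

BASE = "https://cloudasset.googleapis.com/v1"
SCOPE_TYPES = ("projects", "folders", "organizations")
# Options the page says only take effect when the matching selector is absent.
OPTIONS_NEEDING_NO_IDENTITY = {"expandGroups"}
OPTIONS_NEEDING_NO_ACCESS = {"expandRoles"}


def build_query(principal=None, full_resource_name=None, permissions=None,
                roles=None, access_time=None, options=None):
    """Return the request body; raise ValueError on combinations the page rules out."""
    query = {}
    if full_resource_name:
        query["resourceSelector"] = {"fullResourceName": full_resource_name}
    if principal:
        if ":" not in principal:
            raise ValueError("principal must be PRINCIPAL_TYPE:ID, e.g. user:my-user@example.com")
        query["identitySelector"] = {"identity": principal}
    access = {}
    if permissions:
        access["permissions"] = list(permissions)
    if roles:  # assumption: accessSelector also accepts a roles list
        access["roles"] = list(roles)
    if access:
        query["accessSelector"] = access
    if not query:
        raise ValueError("at least one selector is required")
    if access_time:
        # Date/time conditions are only evaluated when an access time is given;
        # the page requires an RFC 3339 timestamp in the future.
        ts = datetime.fromisoformat(access_time.replace("Z", "+00:00"))
        if ts.tzinfo is None or ts <= datetime.now(timezone.utc):
            raise ValueError("accessTime must be a zoned RFC 3339 time in the future")
        query["conditionContext"] = {"accessTime": access_time}
    if options:
        wanted = set(options)
        bad = wanted & OPTIONS_NEEDING_NO_IDENTITY if "identitySelector" in query else set()
        if "accessSelector" in query:
            bad |= wanted & OPTIONS_NEEDING_NO_ACCESS
        if bad:
            raise ValueError(f"options {sorted(bad)} have no effect with the selectors given")
        query["options"] = {name: bool(value) for name, value in options.items()}
    return {"analysisQuery": query}


def build_request(resource_type, resource_id, token, **query_args):
    """Assemble the HTTP request the same way the page's curl command does."""
    if resource_type not in SCOPE_TYPES:
        raise ValueError(f"resource_type must be one of {SCOPE_TYPES}")
    url = f"{BASE}/{resource_type}/{resource_id}:analyzeIamPolicy"
    body = json.dumps(build_query(**query_args)).encode("utf-8")
    # POST carrying X-HTTP-Method-Override: GET, exactly as the curl example sends it.
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Bearer {token}",
        "X-HTTP-Method-Override": "GET",
        "Content-Type": "application/json; charset=utf-8",
    })


if __name__ == "__main__":
    # The token would normally come from `gcloud auth print-access-token`;
    # a placeholder is used here so the example does not touch the network.
    req = build_request("projects", "my-project", "ACCESS_TOKEN_PLACEHOLDER",
                        principal="user:my-user@example.com",
                        permissions=["compute.instances.get", "compute.instances.start"],
                        access_time="2099-02-01T00:00:00Z",
                        options={"expandResources": True})
    print(req.full_url)
    print(req.data.decode())
```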

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.