Troubleshoot policies
This page describes how to troubleshoot Identity and Access Management (IAM) allow, deny, and principal access boundary policies.
Use Policy Troubleshooter
If you need to troubleshoot access for a specific principal, use Policy Troubleshooter for IAM.
Policy Troubleshooter helps you understand whether a principal can access a resource. Given a principal, a resource, and a permission, Policy Troubleshooter examines the allow policies, deny policies, and principal access boundary (PAB) policies that impact the principal's access. Then, it tells you whether, based on those policies, the principal can use the specified permission to access the resource. It also lists the relevant policies and explains how they affect the principal's access.
To learn how to use Policy Troubleshooter to troubleshoot allow policies, deny policies, and principal access boundary policies, see Troubleshoot IAM permissions.
View all allow and deny policies that apply to a resource
In Google Cloud, the following allow and deny policies affect access to a resource:
- The resource's allow policy
- The resource's deny policies, if any
- The allow policies of the resource's parent project, folder, and organization, if any
- The deny policies of the resource's parent project, folder, and organization, if any
The allow and deny policies of parent projects, folders, and organizations affect access to a resource because of policy inheritance. When you attach an allow or deny policy to a project, folder, or organization, that policy also applies to all resources inside that project, folder, or organization.
For example, if a deny policy for an organization says that a principal can't use a specific permission, then the principal can't use that permission for any resource within the organization. This rule applies even if the folders and projects within that organization have more permissive deny policies, or allow policies that give the principal the permission.
Similarly, if an allow policy for a project gives a principal a specific permission, then the principal has that permission for any resource within the project, provided that they aren't denied that permission.
The union of all of these policies is called the applicable policy or effective policy for the resource.
In Google Cloud, you can get a list of all of the allow and deny policies that affect access to a project by using the gcloud beta projects get-ancestors-iam-policy command with the --include-deny flag. Together, these policies make up the applicable policy for the project. You can investigate each policy to see how it affects the principal's access.
Before using any of the command data below, make the following replacements:
PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
Execute the gcloud beta projects get-ancestors-iam-policy command:
Linux, macOS, or Cloud Shell (the same command is used in Windows PowerShell and cmd.exe):

gcloud beta projects get-ancestors-iam-policy PROJECT_ID --include-deny --format=json

The response contains the allow and deny policies for the project; any folders that are ancestors of the project; and the organization. The following example shows allow policies for the organization 1234567890123 and the project my-project, as well as a deny policy for the project my-project:

[
  {
    "id": "1234567890123",
    "policy": {
      "bindings": [
        {
          "members": [
            "group:cloud-admins@example.com"
          ],
          "role": "roles/iam.denyAdmin"
        },
        {
          "members": [
            "user:raha@example.com"
          ],
          "role": "roles/iam.serviceAccountAdmin"
        }
      ],
      "etag": "BwXW6Eab7TI=",
      "version": 1
    },
    "type": "organization"
  },
  {
    "id": "my-project",
    "policy": {
      "bindings": [
        {
          "members": [
            "group:cloud-admins@example.com"
          ],
          "role": "roles/owner"
        }
      ],
      "etag": "BwXXjOM7L6M="
    },
    "type": "project"
  },
  {
    "id": "my-project",
    "policy": {
      "createTime": "2022-02-14T21:46:35.865279Z",
      "displayName": "My deny policy",
      "etag": "MTgyMzg2ODcwNTEyMjMxMTM3Mjg=",
      "kind": "DenyPolicy",
      "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F123456789012/denypolicies/my-deny-policy",
      "rules": [
        {
          "denyRule": {
            "deniedPermissions": [
              "iam.googleapis.com/serviceAccounts.create"
            ],
            "deniedPrincipals": [
              "user:raha@example.com"
            ]
          },
          "description": "Prevent service account creation"
        }
      ],
      "uid": "c83e3dc3-d8a6-6f51-4018-814e9f200b05",
      "updateTime": "2022-02-14T21:46:35.865279Z"
    },
    "type": "project"
  }
]

In this example, Raha is granted the Service Account Admin role (roles/iam.serviceAccountAdmin) on the organization, but the project has a deny policy that prevents Raha from using the permission iam.googleapis.com/serviceAccounts.create. As a result, if Raha tries to create a service account in the project my-project, the request will be denied.
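As an added example (not part of this page and not a Google tool), the following Python applies the evaluation described above to the JSON that gcloud beta projects get-ancestors-iam-policy --include-deny returns: it collects allow bindings from every ancestor and lets any matching deny rule win. The embedded sample output and the role-to-permission map are constructed assumptions; real role definitions come from gcloud iam roles describe.

```python
import json

# Constructed sample mirroring the page's example output (not real project data):
# the organization grants Raha Service Account Admin, and the project denies
# iam.googleapis.com/serviceAccounts.create to Raha.
ANCESTORS_JSON = """[
 {"id": "1234567890123", "type": "organization", "policy": {"bindings": [
   {"members": ["group:cloud-admins@example.com"], "role": "roles/iam.denyAdmin"},
   {"members": ["user:raha@example.com"], "role": "roles/iam.serviceAccountAdmin"}]}},
 {"id": "my-project", "type": "project", "policy": {"bindings": [
   {"members": ["group:cloud-admins@example.com"], "role": "roles/owner"}]}},
 {"id": "my-project", "type": "project", "policy": {"kind": "DenyPolicy", "rules": [
   {"denyRule": {"deniedPermissions": ["iam.googleapis.com/serviceAccounts.create"],
                 "deniedPrincipals": ["user:raha@example.com"]}}]}}
]"""

# Assumed, abbreviated role definitions. The command output does not include
# them; in practice fetch each role with `gcloud iam roles describe`.
ROLE_PERMISSIONS = {
    "roles/iam.serviceAccountAdmin": {"iam.serviceAccounts.create", "iam.serviceAccounts.get"},
    "roles/owner": {"iam.serviceAccounts.create", "iam.serviceAccounts.get"},
}

def deny_permission_name(permission):
    """Deny rules name permissions as SERVICE.googleapis.com/RESOURCE.VERB."""
    service, rest = permission.split(".", 1)
    return f"{service}.googleapis.com/{rest}"

def check_access(ancestors, principal, permission):
    """Evaluate the applicable policy: a matching deny rule anywhere in the
    hierarchy wins over every allow binding. Only direct principal matches are
    evaluated; group membership cannot be resolved from this output."""
    grants, denies = [], []
    for entry in ancestors:
        where = f"{entry['type']} {entry['id']}"
        for rule in entry["policy"].get("rules", []):
            deny = rule.get("denyRule", {})
            if (principal in deny.get("deniedPrincipals", [])
                    and deny_permission_name(permission) in deny.get("deniedPermissions", [])):
                denies.append(f"denied by deny policy on {where}")
        for binding in entry["policy"].get("bindings", []):
            if principal in binding["members"] and permission in ROLE_PERMISSIONS.get(binding["role"], ()):
                grants.append(f"granted by {binding['role']} on {where}")
    return bool(grants) and not denies, denies + grants

def load_sample():
    return json.loads(ANCESTORS_JSON)
```

Run check_access(load_sample(), "user:raha@example.com", "iam.serviceAccounts.create") to see the organization-level grant listed alongside the project-level deny that overrides it.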
In some cases, you might only need to view the effective allow policy for a resource—for example, if your organization doesn't use deny policies. In these cases, you can use the following methods to view the effective allow policy:
- View the resource's IAM allow policy in the Google Cloud console. The Google Cloud console automatically shows each resource's effective policy. To learn how to view a resource's IAM allow policy in the Google Cloud console, see View current access.
- Use the Cloud Asset API to get the resource's effective allow policy. To learn more, see Viewing effective IAM policies.
Search allow policies
If you need to locate a specific role binding in an allow policy, you can search the allow policy.
Cloud Asset Inventory lets you search allow policies for role bindings that match the specified parameters. You can use a variety of search parameters, including the following:
- Resource type
- Principal type
- Role
- Project
- Folder
- Organization
For more information, see Searching IAM allow policies.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.