gcloud alpha asset analyze-iam-policy
- NAME
- gcloud alpha asset analyze-iam-policy - ALPHA version, Analyzes IAM policies that match a request
- SYNOPSIS
gcloud alpha asset analyze-iam-policy(--folder=FOLDER_ID|--organization=ORGANIZATION_ID|--project=PROJECT_ID)[--access-time=ACCESS_TIME][--full-resource-name=FULL_RESOURCE_NAME][--identity=IDENTITY][--saved-analysis-query=SAVED_ANALYSIS_QUERY][--analyze-service-account-impersonation--execution-timeout=EXECUTION_TIMEOUT--expand-groups--expand-resources--expand-roles--include-deny-policy-analysis--output-group-edges--output-resource-edges--show-response][--permissions=[PERMISSIONS,…]--roles=[ROLES,…]][GCLOUD_WIDE_FLAG …]
- DESCRIPTION
(ALPHA)Analyzes IAM policies that match a request.- EXAMPLES
- To find out which users have been granted the iam.serviceAccounts.actAspermission on a service account, run:
gcloudalphaassetanalyze-iam-policy--organization=YOUR_ORG_ID--full-resource-name=YOUR_SERVICE_ACCOUNT_FULL_RESOURCE_NAME--permissions='iam.serviceAccounts.actAs'To find out which resources a user can access, run:
gcloudalphaassetanalyze-iam-policy--organization=YOUR_ORG_ID--identity='user:u1@foo.com'To find out which roles or permissions a user has been granted on a project,run:
gcloudalphaassetanalyze-iam-policy--organization=YOUR_ORG_ID--full-resource-name=YOUR_PROJECT_FULL_RESOURCE_NAME--identity='user:u1@foo.com'To find out which users have been granted the iam.serviceAccounts.actAspermission on any applicable resources, run:
gcloudalphaassetanalyze-iam-policy--organization=YOUR_ORG_ID--permissions='iam.serviceAccounts.actAs' - REQUIRED FLAGS
- Exactly one of these must be specified:
--folder=FOLDER_ID- Folder ID on which to perform the analysis. Only policies defined at or belowthis folder will be targeted in the analysis.
--organization=ORGANIZATION_ID- Organization ID on which to perform the analysis. Only policies defined at orbelow this organization will be targeted in the analysis.
--project=PROJECT_ID- Project ID or number on which to perform the analysis. Only policies defined ator below this project will be targeted in the analysis.
- Exactly one of these must be specified:
- OPTIONAL FLAGS
- The hypothetical context to evaluate IAM conditions.
--access-time=ACCESS_TIME- The hypothetical access timestamp to evaluate IAM conditions.
- Specifies a resource for analysis. Leaving it empty means ANY.
--full-resource-name=FULL_RESOURCE_NAME- The full resource name.
- Specifies an identity for analysis. Leaving it empty means ANY.
--identity=IDENTITY- The identity appearing in the form of principals in the IAM policy binding.
- Specifies the name of a saved analysis query.
--saved-analysis-query=SAVED_ANALYSIS_QUERY- The name of a saved query. When a
saved_analysis_queryis provided,its query content will be used as the base query. Other flags' values willoverride the base query to compose the final query to run. IDs might be in oneof the following formats:- projects/project_number/savedQueries/saved_query_id
folders/folder_number/savedQueries/saved_query_idorganizations/organization_number/savedQueries/saved_query_id
- projects/project_number/savedQueries/saved_query_id
- The analysis options.
--analyze-service-account-impersonation- If true, the response will include access analysis from identities to resourcesvia service account impersonation. This is a very expensive operation, becausemany derived queries will be executed. We highly recommend you useAnalyzeIamPolicyLongrunning rpc instead. Default is false.
--execution-timeout=EXECUTION_TIMEOUT- The amount of time the executable has to complete. See JSON representation ofDuration.Deafult is empty.
--expand-groups- If true, the identities section of the result will expand any Google groupsappearing in an IAM policy binding. Default is false.
--expand-resources- If true, the resource section of the result will expand any resource attached toan IAM policy to include resources lower in the resource hierarchy. Default isfalse.
--expand-roles- If true, the access section of result will expand any roles appearing in IAMpolicy bindings to include their permissions. Default is false.
--include-deny-policy-analysis- If true, the response will include analysis for deny policies.This is a veryexpensive operation, because many derived queries will be executed.
--output-group-edges- If true, the result will output the relevant membership relationships betweengroups. Default is false.
--output-resource-edges- If true, the result will output the relevant parent/child relationships betweenresources. Default is false.
--show-response- If true, the response will be showed as-is in the command output.
- Specifies roles or permissions for analysis. Leaving it empty means ANY.
--permissions=[PERMISSIONS,…]- The permissions to appear in the result.
--roles=[ROLES,…]- The roles to appear in the result.
- The hypothetical context to evaluate IAM conditions.
- GCLOUD WIDE FLAGS
- These flags are available to all commands:
--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.Run
$gcloud helpfor details. - NOTES
- This command is currently in alpha and might change without notice. If thiscommand fails with API permission errors despite specifying the correct project,you might be trying to access an API with an invitation-only early accessallowlist. These variants are also available:
gcloudassetanalyze-iam-policygcloudbetaassetanalyze-iam-policy
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-05-07 UTC.