gcloud asset analyze-iam-policy-longrunning - analyzes IAM policies that match a request asynchronously and writes the results to Google Cloud Storage or BigQuery destination

gcloud asset analyze-iam-policy-longrunning(--folder=FOLDER_ID    |--organization=ORGANIZATION_ID    |--project=PROJECT_ID)(--gcs-output-path=GCS_OUTPUT_PATH    | [--bigquery-dataset=BIGQUERY_DATASET--bigquery-table-prefix=BIGQUERY_TABLE_PREFIX :--bigquery-partition-key=BIGQUERY_PARTITION_KEY--bigquery-write-disposition=BIGQUERY_WRITE_DISPOSITION])[--access-time=ACCESS_TIME][--full-resource-name=FULL_RESOURCE_NAME][--identity=IDENTITY][--analyze-service-account-impersonation--expand-groups--expand-resources--expand-roles--output-group-edges--output-resource-edges][--permissions=[PERMISSIONS,…]--roles=[ROLES,…]][GCLOUD_WIDE_FLAG …]

gcloudassetanalyze-iam-policy-longrunning--organization=YOUR_ORG_ID--full-resource-name=YOUR_SERVICE_ACCOUNT_FULL_RESOURCE_NAME--permissions='iam.serviceAccounts.actAs'--gcs-output-path='gs://YOUR_BUCKET_NAME/YOUR_OBJECT_NAME'

To find out which resources a user can access, and write analysis results toGoogle Cloud Storage, run:

gcloudassetanalyze-iam-policy-longrunning--organization=YOUR_ORG_ID--identity='user:u1@foo.com'--gcs-output-path='gs://YOUR_BUCKET_NAME/YOUR_OBJECT_NAME'

To find out which roles or permissions a user has been granted on a project, andwrite analysis results to BigQuery, run:

gcloudassetanalyze-iam-policy-longrunning--organization=YOUR_ORG_ID--full-resource-name=YOUR_PROJECT_FULL_RESOURCE_NAME--identity='user:u1@foo.com'--bigquery-dataset='projects/YOUR_PROJECT_ID/datasets/YOUR_DATASET_ID'--bigquery-table-prefix='YOUR_BIGQUERY_TABLE_PREFIX'

To find out which users have been granted the iam.serviceAccounts.actAspermission on any applicable resources, and write analysis results to BigQuery,run:

gcloudassetanalyze-iam-policy-longrunning--organization=YOUR_ORG_ID--permissions='iam.serviceAccounts.actAs'--bigquery-dataset='projects/YOUR_PROJECT_ID/datasets/YOUR_DATASET_ID'--bigquery-table-prefix='YOUR_BIGQUERY_TABLE_PREFIX'

Exactly one of these must be specified:

--folder=FOLDER_ID

Folder ID on which to perform the analysis. Only policies defined at or belowthis folder will be targeted in the analysis.

--organization=ORGANIZATION_ID

Organization ID on which to perform the analysis. Only policies defined at orbelow this organization will be targeted in the analysis.

--project=PROJECT_ID

Project ID or number on which to perform the analysis. Only policies defined ator below this project will be targeted in the analysis.

The destination path for writing IAM policy analysis results.

Exactly one of these must be specified:

--gcs-output-path=GCS_OUTPUT_PATH

Google Cloud Storage URI where the results will be written. URI must start with"gs://". For example, "gs://bucket_name/object_name".

BigQuery destination where the results will go.

--bigquery-dataset=BIGQUERY_DATASET

BigQuery dataset where the results will be written. Must be a dataset relativename starting with "projects/". For example,"projects/project_id/datasets/dataset_id".

This flag argument must be specified if any of the other arguments in this groupare specified.

--bigquery-table-prefix=BIGQUERY_TABLE_PREFIX

The prefix of the BigQuery tables to which the analysis results will be written.A table name consists of letters, numbers and underscores".

This flag argument must be specified if any of the other arguments in this groupare specified.

--bigquery-partition-key=BIGQUERY_PARTITION_KEY

This enum determines the partition key column for the bigquery tables.Partitioning can improve query performance and reduce query cost by filteringpartitions. Refer tohttps://cloud.google.com/bigquery/docs/partitioned-tablesfor details.BIGQUERY_PARTITION_KEY must be one of:PARTITION_KEY_UNSPECIFIED,REQUEST_TIME.

--bigquery-write-disposition=BIGQUERY_WRITE_DISPOSITION

Specifies the action that occurs if the destination table or partition alreadyexists. The following values are supported: WRITE_TRUNCATE, WRITE_APPEND andWRITE_EMPTY. The default value is WRITE_APPEND.

The hypothetical context to evaluate IAM conditions.

--access-time=ACCESS_TIME

The hypothetical access timestamp to evaluate IAM conditions.

Specifies a resource for analysis. Leaving it empty means ANY.

--full-resource-name=FULL_RESOURCE_NAME

The full resource name.

Specifies an identity for analysis. Leaving it empty means ANY.

--identity=IDENTITY

The identity appearing in the form of principals in the IAM policy binding.

The analysis options.

--analyze-service-account-impersonation

If true, the response will include access analysis from identities to resourcesvia service account impersonation. This is a very expensive operation, becausemany derived queries will be executed. We highly recommend you useAnalyzeIamPolicyLongrunning rpc instead. Default is false.

--expand-groups

If true, the identities section of the result will expand any Google groupsappearing in an IAM policy binding. Default is false.

--expand-resources

If true, the resource section of the result will expand any resource attached toan IAM policy to include resources lower in the resource hierarchy. Default isfalse.

--expand-roles

If true, the access section of result will expand any roles appearing in IAMpolicy bindings to include their permissions. Default is false.

--output-group-edges

If true, the result will output the relevant membership relationships betweengroups. Default is false.

--output-resource-edges

If true, the result will output the relevant parent/child relationships betweenresources. Default is false.

Specifies roles or permissions for analysis. Leaving it empty means ANY.

--permissions=[PERMISSIONS,…]

The permissions to appear in the result.

--roles=[ROLES,…]

The roles to appear in the result.

Run$gcloud help for details.