View grants in Privileged Access Manager
You can view a grant's status and history, or revoke a grant for other principals if it's active. Grant history is available for 30 days after a grant has ended.
Before you begin
Make sure you have enabled Privileged Access Manager and set up permissions for it.
View grants using the Google Cloud console
To view a grant, complete the following instructions:
Go to thePrivileged Access Manager page.
Select the organization, folder, or project you want to view grants in.
Click the Grants tab, followed by the Grants for all users tab. This tab contains all grants, the requesters for those grants, and the grant status. Grants can have the following statuses:
Activating: The grant is in the process of being activated.
Activation failed: Privileged Access Manager couldn't grant the roles due to a non-retriable error.
Active: The grant is active and the principal has access to the resources permitted by the roles.
Approval awaited: The grant request is waiting on a decision from an approver.
Denied: The grant request has been denied by an approver.
Ended: The grant has ended and the roles have been removed from the principal.
Expired: The grant request has expired, as approval wasn't given within 24 hours.
Revoked: The grant is revoked, and the principal no longer has access to the resources permitted by the roles.
Revoking: The grant is in the process of being revoked.
Withdrawing: The grant is in the process of being withdrawn.
Withdrawn: The grant is withdrawn, and the principal no longer has access to the resources permitted by the roles.
Status Labels
In addition to these statuses, grants can have the following status labels displayed next to their status, which indicate special conditions:
Modified through IAM
The IAM policy bindings associated with this grant have been modified directly through IAM. For details on modified bindings, see the IAM page in the Google Cloud console. When a modified grant is revoked or ends, Privileged Access Manager only removes the bindings it has created that haven't been modified through IAM.
Modifying the IAM condition title or expression, or removing the requester's access to the granted role is treated as an external modification. Adding or modifying the IAM condition description is not considered an external modification.
Privileged Access Manager checks for external modifications to grants every 5 minutes. It can take up to 5 minutes to reflect these changes. Transient changes made and reverted within this 5-minute window might not be detected by Privileged Access Manager.
Note: Each binding created by Privileged Access Manager has a time-based condition that expires with the grant duration. As long as the time condition is not altered, the requester's privileged access will end when the grant expires.
In the table, click More options in the same row as an entitlement you want to inspect.
To view the grant details including its history, click View details. You can also revoke a grant from this panel.
To revoke an active grant, click Revoke grant.
You can also view temporarily granted roles on the IAM page in the Google Cloud console. On the View by principals tab, temporarily granted roles have a condition of Created by: PAM.
View grants programmatically
To view grants programmatically, you can search, list, and get them.
Search grants
gcloud
The gcloud alpha pam grants search command searches for a grant you have created, can approve or deny, or have already approved or denied. This method doesn't require specific Privileged Access Manager permissions to use.
Before using any of the command data below, make the following replacements:
ENTITLEMENT_ID: The ID of the entitlement that the grant belongs to. You can retrieve the ID by viewing entitlements.
CALLER_RELATIONSHIP_TYPE: Use one of the following values:
  had-created: Returns grants the caller has created.
  had-approved: Returns grants the caller has approved or denied.
  can-approve: Returns grants the caller can approve or deny.
RESOURCE_TYPE: Optional. The resource type that the entitlement belongs to. Use the value organization, folder, or project.
RESOURCE_ID: Used with RESOURCE_TYPE. The ID of the Google Cloud project, folder, or organization that you want to manage entitlements for. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud alpha pam grants search \
  --entitlement=ENTITLEMENT_ID \
  --caller-relationship=CALLER_RELATIONSHIP_TYPE \
  --location=global \
  --RESOURCE_TYPE=RESOURCE_ID
Windows (PowerShell)
gcloud alpha pam grants search `
  --entitlement=ENTITLEMENT_ID `
  --caller-relationship=CALLER_RELATIONSHIP_TYPE `
  --location=global `
  --RESOURCE_TYPE=RESOURCE_ID
Windows (cmd.exe)
gcloud alpha pam grants search ^
  --entitlement=ENTITLEMENT_ID ^
  --caller-relationship=CALLER_RELATIONSHIP_TYPE ^
  --location=global ^
  --RESOURCE_TYPE=RESOURCE_ID
You should receive a response similar to the following:
additionalEmailRecipients:
- bola@example.com
createTime: '2024-03-07T00:34:32.557017289Z'
justification:
  unstructuredJustification: Renaming a file to mitigate issue #312
name: projects/PROJECT_ID/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID
privilegedAccess:
  gcpIamAccess:
    resource: //cloudresourcemanager.googleapis.com/projects/PROJECT_ID
    resourceType: cloudresourcemanager.googleapis.com/Project
    roleBindings:
    - role: roles/storage.admin
      id: hwqrt_1
requestedDuration: 3600s
requestedPrivilegedAccess:
  gcpIamAccess:
    resource: //cloudresourcemanager.googleapis.com/projects/PROJECT_ID
    resourceType: cloudresourcemanager.googleapis.com/Project
    roleBindings:
    - role: roles/storage.admin
      entitlementRoleBindingId: hwqrt_1
requester: cruz@example.com
state: DENIED
timeline:
  events:
  - eventTime: '2024-03-07T00:34:32.793769042Z'
    requested:
      expireTime: '2024-03-08T00:34:32.793769042Z'
  - denied:
      actor: alex@example.com
      reason: Issue has already been resolved
    eventTime: '2024-03-07T00:36:08.309116203Z'
updateTime: '2024-03-07T00:34:32.926967128Z'
REST
The Privileged Access Manager API's searchGrants method searches for a grant you have created, can approve or deny, or have already approved or denied. This method doesn't require specific Privileged Access Manager permissions to use.
Before using any of the request data, make the following replacements:
SCOPE: The organization, folder, or project that the entitlement is in, in the format of organizations/ORGANIZATION_ID, folders/FOLDER_ID, or projects/PROJECT_ID. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
ENTITLEMENT_ID: The ID of the entitlement that the grant belongs to. You can retrieve the ID by viewing entitlements.
RELATIONSHIP_TYPE: Valid values are:
  HAD_CREATED: Returns grants the caller has created.
  HAD_APPROVED: Returns grants the caller has previously approved or denied.
  CAN_APPROVE: Returns grants the caller can approve or deny.
FILTER: Optional. Returns grants whose field values match an AIP-160 expression.
PAGE_SIZE: Optional. The number of items to return in a response.
PAGE_TOKEN: Optional. Which page to start the response from, using a page token returned in a previous response.
HTTP method and URL:
GET https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants:search?callerRelationship=RELATIONSHIP_TYPE&filter=FILTER&pageSize=PAGE_SIZE&pageToken=PAGE_TOKEN
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Execute the following command:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants:search?callerRelationship=RELATIONSHIP_TYPE&filter=FILTER&pageSize=PAGE_SIZE&pageToken=PAGE_TOKEN"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants:search?callerRelationship=RELATIONSHIP_TYPE&filter=FILTER&pageSize=PAGE_SIZE&pageToken=PAGE_TOKEN" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
  "grants": [
    {
      "name": "projects/PROJECT_ID/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID",
      "createTime": "2024-03-06T03:08:49.330577625Z",
      "updateTime": "2024-03-06T03:08:49.625874598Z",
      "requester": "alex@example.com",
      "requestedDuration": "3600s",
      "justification": {
        "unstructuredJustification": "Emergency service for outage"
      },
      "state": "APPROVAL_AWAITED",
      "timeline": {
        "events": [
          {
            "eventTime": "2024-03-06T03:08:49.462765846Z",
            "requested": {
              "expireTime": "2024-03-07T03:08:49.462765846Z"
            }
          }
        ]
      },
      "privilegedAccess": {
        "gcpIamAccess": {
          "resourceType": "cloudresourcemanager.googleapis.com/Project",
          "resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
          "roleBindings": [
            {
              "role": "roles/storage.admin",
              "id": "hwqrt_1"
            }
          ]
        }
      },
      "requestedPrivilegedAccess": {
        "gcpIamAccess": {
          "resourceType": "cloudresourcemanager.googleapis.com/Project",
          "resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
          "roleBindings": [
            {
              "role": "roles/storage.admin",
              "entitlementRoleBindingId": "hwqrt_1"
            }
          ]
        }
      },
      "additionalEmailRecipients": [
        "bola@google.com"
      ]
    }
  ]
}
List grants
gcloud
The gcloud alpha pam grants list command lists grants that belong to a specific entitlement.
Before using any of the command data below, make the following replacements:
ENTITLEMENT_ID: The ID of the entitlement that the grant belongs to. You can retrieve the ID by viewing entitlements.
RESOURCE_TYPE: Optional. The resource type that the entitlement belongs to. Use the value organization, folder, or project.
RESOURCE_ID: Used with RESOURCE_TYPE. The ID of the Google Cloud project, folder, or organization that you want to manage entitlements for. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud alpha pam grants list \
  --entitlement=ENTITLEMENT_ID \
  --location=global \
  --RESOURCE_TYPE=RESOURCE_ID
Windows (PowerShell)
gcloud alpha pam grants list `
  --entitlement=ENTITLEMENT_ID `
  --location=global `
  --RESOURCE_TYPE=RESOURCE_ID
Windows (cmd.exe)
gcloud alpha pam grants list ^
  --entitlement=ENTITLEMENT_ID ^
  --location=global ^
  --RESOURCE_TYPE=RESOURCE_ID
You should receive a response similar to the following:
additionalEmailRecipients:
- bola@example.com
createTime: '2024-03-07T00:34:32.557017289Z'
justification:
  unstructuredJustification: Renaming a file to mitigate issue #312
name: projects/PROJECT_ID/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID
privilegedAccess:
  gcpIamAccess:
    resource: //cloudresourcemanager.googleapis.com/projects/PROJECT_ID
    resourceType: cloudresourcemanager.googleapis.com/Project
    roleBindings:
    - role: roles/storage.admin
      id: hwqrt_1
requestedDuration: 3600s
requestedPrivilegedAccess:
  gcpIamAccess:
    resource: //cloudresourcemanager.googleapis.com/projects/PROJECT_ID
    resourceType: cloudresourcemanager.googleapis.com/Project
    roleBindings:
    - role: roles/storage.admin
      entitlementRoleBindingId: hwqrt_1
requester: cruz@example.com
state: DENIED
timeline:
  events:
  - eventTime: '2024-03-07T00:34:32.793769042Z'
    requested:
      expireTime: '2024-03-08T00:34:32.793769042Z'
  - denied:
      actor: alex@example.com
      reason: Issue has already been resolved
    eventTime: '2024-03-07T00:36:08.309116203Z'
updateTime: '2024-03-07T00:34:32.926967128Z'
REST
The Privileged Access Manager API's listGrants method lists grants that belong to a specific entitlement.
Before using any of the request data, make the following replacements:
SCOPE: The organization, folder, or project that the entitlement is in, in the format of organizations/ORGANIZATION_ID, folders/FOLDER_ID, or projects/PROJECT_ID. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
ENTITLEMENT_ID: The ID of the entitlement that the grant belongs to. You can retrieve the ID by viewing entitlements.
FILTER: Optional. Returns grants whose field values match an AIP-160 expression.
PAGE_SIZE: Optional. The number of items to return in a response.
PAGE_TOKEN: Optional. Which page to start the response from, using a page token returned in a previous response.
HTTP method and URL:
GET https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants?filter=FILTER&pageSize=PAGE_SIZE&pageToken=PAGE_TOKEN
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Execute the following command:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants?filter=FILTER&pageSize=PAGE_SIZE&pageToken=PAGE_TOKEN"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants?filter=FILTER&pageSize=PAGE_SIZE&pageToken=PAGE_TOKEN" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
  "grants": [
    {
      "name": "projects/PROJECT_ID/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID",
      "createTime": "2024-03-06T03:08:49.330577625Z",
      "updateTime": "2024-03-06T03:08:49.625874598Z",
      "requester": "alex@example.com",
      "requestedDuration": "3600s",
      "justification": {
        "unstructuredJustification": "Emergency service for outage"
      },
      "state": "APPROVAL_AWAITED",
      "timeline": {
        "events": [
          {
            "eventTime": "2024-03-06T03:08:49.462765846Z",
            "requested": {
              "expireTime": "2024-03-07T03:08:49.462765846Z"
            }
          }
        ]
      },
      "privilegedAccess": {
        "gcpIamAccess": {
          "resourceType": "cloudresourcemanager.googleapis.com/Project",
          "resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
          "roleBindings": [
            {
              "role": "roles/storage.admin",
              "id": "hwqrt_1"
            }
          ]
        }
      },
      "requestedPrivilegedAccess": {
        "gcpIamAccess": {
          "resourceType": "cloudresourcemanager.googleapis.com/Project",
          "resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
          "roleBindings": [
            {
              "role": "roles/storage.admin",
              "entitlementRoleBindingId": "hwqrt_1"
            }
          ]
        }
      },
      "additionalEmailRecipients": [
        "bola@google.com"
      ]
    }
  ]
}
Get grants
gcloud
The gcloud alpha pam grants describe command retrieves a specific grant.
Before using any of the command data below, make the following replacements:
GRANT_ID: The ID of the grant you want the details for.
ENTITLEMENT_ID: The ID of the entitlement that the grant belongs to.
RESOURCE_TYPE: Optional. The resource type that the entitlement belongs to. Use the value organization, folder, or project.
RESOURCE_ID: Used with RESOURCE_TYPE. The ID of the Google Cloud project, folder, or organization that you want to manage entitlements for. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud alpha pam grants describe \
  GRANT_ID \
  --entitlement=ENTITLEMENT_ID \
  --location=global \
  --RESOURCE_TYPE=RESOURCE_ID
Windows (PowerShell)
gcloud alpha pam grants describe `
  GRANT_ID `
  --entitlement=ENTITLEMENT_ID `
  --location=global `
  --RESOURCE_TYPE=RESOURCE_ID
Windows (cmd.exe)
gcloud alpha pam grants describe ^
  GRANT_ID ^
  --entitlement=ENTITLEMENT_ID ^
  --location=global ^
  --RESOURCE_TYPE=RESOURCE_ID
You should receive a response similar to the following:
additionalEmailRecipients:
- bola@example.com
createTime: '2024-03-07T00:34:32.557017289Z'
justification:
  unstructuredJustification: Renaming a file to mitigate issue #312
name: projects/PROJECT_ID/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID
privilegedAccess:
  gcpIamAccess:
    resource: //cloudresourcemanager.googleapis.com/projects/PROJECT_ID
    resourceType: cloudresourcemanager.googleapis.com/Project
    roleBindings:
    - role: roles/storage.admin
      id: hwqrt_1
requestedDuration: 3600s
requestedPrivilegedAccess:
  gcpIamAccess:
    resource: //cloudresourcemanager.googleapis.com/projects/PROJECT_ID
    resourceType: cloudresourcemanager.googleapis.com/Project
    roleBindings:
    - role: roles/storage.admin
      entitlementRoleBindingId: hwqrt_1
requester: cruz@example.com
state: DENIED
timeline:
  events:
  - eventTime: '2024-03-07T00:34:32.793769042Z'
    requested:
      expireTime: '2024-03-08T00:34:32.793769042Z'
  - denied:
      actor: alex@example.com
      reason: Issue has already been resolved
    eventTime: '2024-03-07T00:36:08.309116203Z'
updateTime: '2024-03-07T00:34:32.926967128Z'
REST
The Privileged Access Manager API's getGrant method retrieves a specific grant.
Before using any of the request data, make the following replacements:
SCOPE: The organization, folder, or project that the entitlement is in, in the format of organizations/ORGANIZATION_ID, folders/FOLDER_ID, or projects/PROJECT_ID. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
ENTITLEMENT_ID: The ID of the entitlement that the grant belongs to.
GRANT_ID: The ID of the grant you want the details for.
HTTP method and URL:
GET https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Execute the following command:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
  "name": "projects/PROJECT_ID/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID",
  "createTime": "2024-03-06T03:08:49.330577625Z",
  "updateTime": "2024-03-06T03:08:49.625874598Z",
  "requester": "alex@example.com",
  "requestedDuration": "3600s",
  "justification": {
    "unstructuredJustification": "Emergency service for outage"
  },
  "state": "APPROVAL_AWAITED",
  "timeline": {
    "events": [
      {
        "eventTime": "2024-03-06T03:08:49.462765846Z",
        "requested": {
          "expireTime": "2024-03-07T03:08:49.462765846Z"
        }
      }
    ]
  },
  "privilegedAccess": {
    "gcpIamAccess": {
      "resourceType": "cloudresourcemanager.googleapis.com/Project",
      "resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
      "roleBindings": [
        {
          "role": "roles/storage.admin",
          "id": "hwqrt_1"
        }
      ]
    }
  },
  "requestedPrivilegedAccess": {
    "gcpIamAccess": {
      "resourceType": "cloudresourcemanager.googleapis.com/Project",
      "resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
      "roleBindings": [
        {
          "role": "roles/storage.admin",
          "entitlementRoleBindingId": "hwqrt_1"
        }
      ]
    }
  },
  "additionalEmailRecipients": [
    "bola@google.com"
  ]
}
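As an added example (not code from this page or from Google), the following Python script walks a paginated listGrants response in the JSON shape shown above and builds the summary a reviewer of a scope would want: counts per state, who currently holds which roles, and which approver denied what and why. The two sample pages are constructed for the example, fake_fetch stands in for the authenticated GET request, and nextPageToken is assumed to be the page-token field name (the standard Google API convention).

```python
from collections import Counter

# Constructed sample responses in the listGrants JSON shape shown on this page (values
# made up). nextPageToken is assumed to be the page-token field, per Google API convention.
PAGES = {
    None: {
        "grants": [
            {"name": "projects/my-project/locations/global/entitlements/ent-1/grants/g-1",
             "requester": "alex@example.com", "state": "ACTIVE", "requestedDuration": "3600s",
             "privilegedAccess": {"gcpIamAccess": {"roleBindings": [
                 {"role": "roles/storage.admin", "id": "hwqrt_1"}]}}},
            {"name": "projects/my-project/locations/global/entitlements/ent-1/grants/g-2",
             "requester": "cruz@example.com", "state": "DENIED", "requestedDuration": "3600s",
             "timeline": {"events": [
                 {"eventTime": "2024-03-07T00:34:32Z",
                  "requested": {"expireTime": "2024-03-08T00:34:32Z"}},
                 {"eventTime": "2024-03-07T00:36:08Z",
                  "denied": {"actor": "bola@example.com",
                             "reason": "Issue has already been resolved"}}]}},
        ],
        "nextPageToken": "page-2",
    },
    "page-2": {
        "grants": [
            {"name": "projects/my-project/locations/global/entitlements/ent-1/grants/g-3",
             "requester": "alex@example.com", "state": "APPROVAL_AWAITED",
             "requestedDuration": "7200s"},
        ],
    },
}

def fake_fetch(page_token):
    """Stand-in for GET .../grants?pageToken=...; returns the parsed JSON body."""
    return PAGES[page_token]

def list_all_grants(fetch):
    """Follow nextPageToken until the API stops returning one."""
    grants, token = [], None
    while True:
        body = fetch(token)
        grants.extend(body.get("grants", []))
        token = body.get("nextPageToken")
        if not token:
            return grants

def granted_roles(grant):
    """Roles reported under privilegedAccess for this grant (empty if none are listed)."""
    access = grant.get("privilegedAccess", {}).get("gcpIamAccess", {})
    return sorted(b["role"] for b in access.get("roleBindings", []))

def grant_report(grants):
    """Summarise a scope's grants: counts per state, live access, and denials."""
    report = {"by_state": dict(Counter(g["state"] for g in grants)), "active": [], "denied": []}
    for g in grants:
        if g["state"] == "ACTIVE":
            report["active"].append((g["requester"], granted_roles(g), g["requestedDuration"]))
        elif g["state"] == "DENIED":
            # The denied timeline event records which approver denied the request and why.
            denial = next(e["denied"] for e in g["timeline"]["events"] if "denied" in e)
            report["denied"].append((g["requester"], denial["actor"], denial["reason"]))
    return report
```

To run it against a real scope, replace fake_fetch with a function that performs the listGrants request shown above with the given pageToken and returns the decoded JSON.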
Last updated 2026-02-19 UTC.