View principal access boundary policies

Principal access boundary (PAB) policies let you limit the resources that a setof principals are eligible to access. This page explains how to viewprincipal access boundary policies and policy bindings for principal access boundary policies.

Before you begin

  • Set up authentication.

    Select the tab for how you plan to use the samples on this page:

    gcloud

    In the Google Cloud console, activate Cloud Shell.

    Activate Cloud Shell

    At the bottom of the Google Cloud console, aCloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

    REST

    To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.

      Install the Google Cloud CLI. After installation,initialize the Google Cloud CLI by running the following command:

      gcloudinit

      If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

    For more information, seeAuthenticate for using REST in the Google Cloud authentication documentation.

  • Read theoverview of principal access boundary policies.

Roles required to view principal access boundary policies

To get the permissions that you need to view principal access boundary policies, ask your administrator to grant you thePrincipal Access Boundary Viewer (roles/iam.principalAccessBoundaryViewer) IAM role on the organization. For more information about granting roles, seeManage access to projects, folders, and organizations.

This predefined role contains the permissions required to view principal access boundary policies. To see the exact permissions that are required, expand theRequired permissions section:

Required permissions

The following permissions are required to view principal access boundary policies:

  • View a single principal access boundary policy: iam.principalaccessboundarypolicies.get
  • List principal access boundary policies in an organization: iam.principalaccessboundarypolicies.list

You might also be able to get these permissions withcustom roles or otherpredefined roles.

Roles required to view policy bindings

To get the permissions that you need to view policy bindings, ask your administrator to grant you the following IAM roles on the policy bindings'parent resource:

For more information about granting roles, seeManage access to projects, folders, and organizations.

These predefined roles contain the permissions required to view policy bindings. To see the exact permissions that are required, expand theRequired permissions section:

Required permissions

The following permissions are required to view policy bindings:

  • View a single policy binding: iam.policybindings.get
  • List policy bindings in a project, folder, or organization: iam.policybindings.list

You might also be able to get these permissions withcustom roles or otherpredefined roles.

Roles required to view all policy bindings for a principal access boundary policy

To get the permission that you need to view all policy bindings for a principal access boundary policy, ask your administrator to grant you thePrincipal Access Boundary Viewer (roles/iam.principalAccessBoundaryViewer) IAM role on the organization. For more information about granting roles, seeManage access to projects, folders, and organizations.

This predefined role contains the iam.principalaccessboundarypolicies.searchIamPolicyBindings permission, which is required to view all policy bindings for a principal access boundary policy.

You might also be able to get this permission withcustom roles or otherpredefined roles.

Roles required to view policy bindings for a principal set

The permissions that you need in order to view all policy bindings for aprincipal set depend on the principal set that you want to view policies for.

To get the permissions that you need to view policy bindings, ask your administrator to grant you the following IAM roles:

  • View policy bindings for Workforce Identity Federation pools:IAM Workforce Pool Admin (roles/iam.workforcePoolAdmin) on the target Workforce Identity Federation pool
  • View policy bindings for Workload Identity Federation pools:IAM Workload Identity Pool Admin (roles/iam.workloadIdentityPoolAdmin) on the project that owns the target Workforce Identity Federation pool
  • View policy bindings for a Google Workspace domain:Workspace Pool IAM Admin (roles/iam.workspacePoolAdmin) on the organization
  • View policy bindings for a project's principal set:Project IAM Admin (roles/resourcemanager.projectIamAdmin) on the project
  • View policy bindings for a folder's principal set:Folder IAM Admin (roles/resourcemanager.folderIamAdmin) on the folder
  • View policy bindings for an organization's principal set:Organization Administrator (roles/resourcemanager.organizationAdmin) on the organization

For more information about granting roles, seeManage access to projects, folders, and organizations.

These predefined roles contain the permissions required to view policy bindings. To see the exact permissions that are required, expand theRequired permissions section:

Required permissions

The following permissions are required to view policy bindings:

  • View policy bindings for Workforce Identity Federation pools: iam.workforcePools.searchPolicyBindings on the target Workforce Identity Federation pool
  • View policy bindings for Workload Identity Federation pools: iam.workloadIdentityPools.searchPolicyBindings on the project that owns the target Workforce Identity Federation pool
  • View policy bindings for a Google Workspace domain: iam.workspacePools.searchPolicyBindings on the organization
  • View policy bindings for a project's principal set: resourcemanager.projects.searchPolicyBindings on the project
  • View policy bindings for a folder's principal set: resourcemanager.folders.searchPolicyBindings on the folder
  • View policy bindings for an organization's principal set: resourcemanager.organizations.searchPolicyBindings on the organization

You might also be able to get these permissions withcustom roles or otherpredefined roles.

List principal access boundary policies for an organization

To view all principal access boundary policies created in an organization, list theprincipal access boundary policies in the organization.

You can list the principal access boundary policies in an organization using theGoogle Cloud console, the gcloud CLI or the IAM RESTAPI.

Console

  1. In the Google Cloud console, go to thePrincipal Access Boundarypolicies page.

    Go to Principal Access Boundary policies

  2. Select the organization that you want to create principal access boundary policiesfor.

The Google Cloud console lists all policies in the organization that youselect.

gcloud

Thegcloud iam principal-access-boundary-policies list command lists all principal access boundary policies in an organization.

Before using any of the command data below, make the following replacements:

  • ORG_ID: The ID of the Google Cloud organization that you want to listprincipal access boundary policies for. Organization IDs are numeric, like123456789012.
  • FORMAT: The format for the response. Usejson oryaml.

Execute the following command:

Linux, macOS, or Cloud Shell

gcloudiamprincipal-access-boundary-policieslist--organization=ORG_ID\--location=global--format=FORMAT

Windows (PowerShell)

gcloudiamprincipal-access-boundary-policieslist--organization=ORG_ID`--location=global--format=FORMAT

Windows (cmd.exe)

gcloudiamprincipal-access-boundary-policieslist--organization=ORG_ID^--location=global--format=FORMAT

The response contains the principal access boundary policies in the specified organization.

{  "principalAccessBoundaryPolicies": [    {      "createTime": "2024-05-07T00:05:48.295209Z",      "details": [        "enforcementVersion": 1,        "rules": {          [            "description": "Make principals eligible to access resources in example.com",            "effect": ALLOW,            "resources": {              "//cloudresourcemanager.googleapis.com/organizations/123456789012"            }          ]        }      ],      "displayName": "Example policy 1",      "etag": "W/\"Gh/PcTdJD/AWHUhPW45kdw==\"",      "name": "organizations/123456789012/locations/global/principalAccessBoundaryPolicies/example-policy-1",      "uid": "puid_13364150419245236225",      "updateTime": "2024-05-07T00:05:48.295209Z"    },    {      "createTime": "2024-02-29T23:25:01.606730Z",      "details": [        "enforcementVersion": 1,        "rules": {          [            "description": "Make principals eligible to access resources in example-project",            "effect": ALLOW,            "resources": {              "//cloudresourcemanager.googleapis.com/projects/example-project"            }          ]        }      ],      "displayName": "Example policy 2",      "etag": "d6BJBTsk2+oDCygmr5ANxA==",      "name": "organizations/123456789012/locations/global/principalAccessBoundaryPolicies/example-policy-2",      "uid": "puid_13064942519001808897",      "updateTime": "2024-02-29T23:25:01.606730Z"    }  ]}

REST

TheprincipalAccessBoundaryPolicies.list method lists all principal access boundary policies in an organization.

Before using any of the request data, make the following replacements:

  • ORG_ID: The ID of the Google Cloud organization that you want to listprincipal access boundary policies for. Organization IDs are numeric, like123456789012.

HTTP method and URL:

GET https://iam.googleapis.com/v3/organizations/ORG_ID/locations/global/principalAccessBoundaryPolicies

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

Execute the following command:

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://iam.googleapis.com/v3/organizations/ORG_ID/locations/global/principalAccessBoundaryPolicies"

PowerShell (Windows)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://iam.googleapis.com/v3/organizations/ORG_ID/locations/global/principalAccessBoundaryPolicies" | Select-Object -Expand Content

The response contains the principal access boundary policies in the specified organization.

{  "principalAccessBoundaryPolicies": [    {      "name": "organizations/123456789012/locations/global/principalAccessBoundaryPolicies/example-policy-1",      "uid": "puid_13364150419245236225",      "etag": "W/\"Gh/PcTdJD/AWHUhPW45kdw==\"",      "displayName": "Example policy 1",      "createTime": "2024-05-07T00:05:48.295209Z",      "updateTime": "2024-05-07T00:05:48.295209Z",      "details": [        "rules": {          [            "description": "Make principals eligible to access resources in example.com",            "resources": {              "//cloudresourcemanager.googleapis.com/organizations/123456789012"            },            "effect": ALLOW          ]        },        "enforcementVersion": 1,      ]    },    {      "name": "organizations/123456789012/locations/global/principalAccessBoundaryPolicies/example-policy-2",      "uid": "puid_13064942519001808897",      "etag": "d6BJBTsk2+oDCygmr5ANxA==",      "displayName": "Example policy 2",      "createTime": "2024-02-29T23:25:01.606730Z",      "updateTime": "2024-02-29T23:25:01.606730Z",      "details": [        "rules": {          [            "description": "Make principals eligible to access resources in example-project",            "resources": {              "//cloudresourcemanager.googleapis.com/projects/example-project"            },            "effect": ALLOW          ]        },        "enforcementVersion": 1      ]    }  ]}

Get a single principal access boundary policy

To view the details of a single principal access boundary policy, use the policy's IDto get the policy.

You can get a principal access boundary policy using the Google Cloud console, thegcloud CLI or the IAM REST API.

Console

  1. In the Google Cloud console, go to thePrincipal Access Boundarypolicies page.

    Go to Principal Access Boundary policies

  2. Select the organization that you want to create principal access boundary policiesfor.

  3. Click the policy ID of the principal access boundary policy that you want to view.

The Google Cloud console shows the details of the principal access boundary policythat you select.

gcloud

Thegcloud iam principal-access-boundary-policies describe command gets a single principal access boundary policy.

Before using any of the command data below, make the following replacements:

  • PAB_POLICY_ID: The ID of the principal access boundary policy that you want toget—for example,example-policy.
  • ORG_ID: The ID of the organization that owns theprincipal access boundary policy. Organization IDs are numeric, like123456789012.
  • FORMAT: The format for the response. Usejson oryaml.

Execute the following command:

Linux, macOS, or Cloud Shell

gcloudiamprincipal-access-boundary-policiesdescribePAB_POLICY_ID\--organization=ORG_ID--location=global\--format=FORMAT

Windows (PowerShell)

gcloudiamprincipal-access-boundary-policiesdescribePAB_POLICY_ID`--organization=ORG_ID--location=global`--format=FORMAT

Windows (cmd.exe)

gcloudiamprincipal-access-boundary-policiesdescribePAB_POLICY_ID^--organization=ORG_ID--location=global^--format=FORMAT

The response contains the principal access boundary policy specified in the request.

{  "createTime": "2024-05-07T00:05:48.295209Z",  "details": [    "enforcementVersion": "1",    "rules": {      [        "description": "Make principals eligible to access example.com",        "effect": ALLOW,        "resources": {          "//cloudresourcemanager.googleapis.com/organizations/123456789012"        }      ]    },  ],  "displayName": "Example policy",  "etag": "W/\"Gh/PcTdJD/AWHUhPW45kdw==\"",  "name": "organizations/123456789012/locations/global/principalAccessBoundaryPolicies/example-policy",  "uid": "puid_13364150419245236225",  "updateTime": "2024-05-07T00:05:48.295209Z"}

REST

TheprincipalAccessBoundaryPolicies.get method gets a single principal access boundary policy.

Before using any of the request data, make the following replacements:

  • ORG_ID: The ID of the organization that owns theprincipal access boundary policy. Organization IDs are numeric, like123456789012.
  • PAB_POLICY_ID: The ID of the principal access boundary policy that you want toget—for example,example-policy.

HTTP method and URL:

GET https://iam.googleapis.com/v3/organizations/ORG_ID/locations/global/principalAccessBoundaryPolicies/PAB_POLICY_ID

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

Execute the following command:

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://iam.googleapis.com/v3/organizations/ORG_ID/locations/global/principalAccessBoundaryPolicies/PAB_POLICY_ID"

PowerShell (Windows)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://iam.googleapis.com/v3/organizations/ORG_ID/locations/global/principalAccessBoundaryPolicies/PAB_POLICY_ID" | Select-Object -Expand Content

The response contains the principal access boundary policy specified in the request.

{  "name": "organizations/123456789012/locations/global/principalAccessBoundaryPolicies/example-policy",  "uid": "puid_13364150419245236225",  "etag": "W/\"Gh/PcTdJD/AWHUhPW45kdw==\"",  "displayName": "Example policy",  "createTime": "2024-05-07T00:05:48.295209Z",  "updateTime": "2024-05-07T00:05:48.295209Z",  "details": [    "rules": {      [        "description": "Make principals eligible to access example.com"        "resources": {          "//cloudresourcemanager.googleapis.com/organizations/123456789012"        },        "effect": ALLOW      ]    },    "enforcementVersion": "1"  ]}

List policy bindings for principal access boundary policies

There are several ways that you can list policy bindings for principal access boundarypolicies:

List policy bindings for a principal access boundary policy

To view all policy bindings that include a certain principal access boundary policy,search the bindings for the principal access boundary policy.

You can view all policy bindings for a principal access boundary policy using theGoogle Cloud console, the gcloud CLI or the IAM RESTAPI.

Console

  1. In the Google Cloud console, go to thePrincipal Access Boundarypolicies page.

    Go to Principal Access Boundary policies

  2. Select the organization that owns the principal access boundary policy that you wantto view bindings for.

  3. Click the policy ID of the principal access boundary policy that you want to viewbindings for.

  4. Click theBindings tab.

TheBindings tab lists all principal access boundary policy bindings that includethe principal access boundary policy.

gcloud

Thegcloud iam principal-access-boundary-policies search-policy-bindings command lists all policy bindings for the specified principal access boundary policy.

Before using any of the command data below, make the following replacements:

  • PAB_POLICY_ID: The ID of the principal access boundary policy that you want tolist policy bindings for—for example,example-policy.
  • ORG_ID: The ID of the organization that owns theprincipal access boundary policy. Organization IDs are numeric, like123456789012.
  • FORMAT: The format for the response. Usejson oryaml.

Execute the following command:

Linux, macOS, or Cloud Shell

gcloudiamprincipal-access-boundary-policiessearch-policy-bindingsPAB_POLICY_ID\--organization=ORG_ID--location=global\--format=FORMAT

Windows (PowerShell)

gcloudiamprincipal-access-boundary-policiessearch-policy-bindingsPAB_POLICY_ID`--organization=ORG_ID--location=global`--format=FORMAT

Windows (cmd.exe)

gcloudiamprincipal-access-boundary-policiessearch-policy-bindingsPAB_POLICY_ID^--organization=ORG_ID--location=global^--format=FORMAT

The response contains the policy bindings for the specified principal access boundary policy.

{  "policyBindings": [    {      "createTime": "2024-05-06T18:08:24.729843Z",      "displayName": "Example binding 1",      "etag": "W/\"xkdnPfTxoxyVqOwhQSJbMg==\"",      "name": "organizations/123456789012/locations/global/policyBindings/example-binding1",      "policy": "organizations/123456789012/locations/global/principalAccessBoundaryPolicies/example-pab-policy",      "policyKind": "PRINCIPAL_ACCESS_BOUNDARY",      "policyUid": "puid_9519202237377675265",      "target": {        "principalSet": "//cloudresourcemanager.googleapis.com/organizations/123456789012"      },      "uid": "buid_9904260005517852673",       "updateTime": "2024-05-06T18:08:24.729843Z"    },    {      "createTime": "2024-05-07T07:05:06.203861Z",      "displayName": "Example binding 2",      "etag": "W/\"cRMdDXbT82aLuZlvoL9Gqg==\"",      "name": "organizations/123456789012/locations/global/policyBindings/example-binding2",      "policy": "organizations/123456789012/locations/global/principalAccessBoundaryPolicies/example-pab-policy",      "policyKind": "PRINCIPAL_ACCESS_BOUNDARY",      "policyUid": "puid_9519202237377675265",      "target": {        "principalSet": "//cloudresourcemanager.googleapis.com/projects/example-project"      },      "uid": "buid_4331055466646863873",       "updateTime": "2024-05-07T07:05:06.203861Z"    }  ]}

REST

TheprincipalAccessBoundaryPolicies.searchPolicyBindings method lists all policy bindings for the specified principal access boundary policy.

Before using any of the request data, make the following replacements:

  • ORG_ID: The ID of the organization that owns theprincipal access boundary policy. Organization IDs are numeric, like123456789012.
  • PAB_POLICY_ID: The ID of the principal access boundary policy that you want tolist policy bindings for—for example,example-policy.

HTTP method and URL:

GET https://iam.googleapis.com/v3/organizations/ORG_ID/locations/global/principalAccessBoundaryPolicies/PAB_POLICY_ID:searchPolicyBindings

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

Execute the following command:

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://iam.googleapis.com/v3/organizations/ORG_ID/locations/global/principalAccessBoundaryPolicies/PAB_POLICY_ID:searchPolicyBindings"

PowerShell (Windows)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://iam.googleapis.com/v3/organizations/ORG_ID/locations/global/principalAccessBoundaryPolicies/PAB_POLICY_ID:searchPolicyBindings" | Select-Object -Expand Content

The response contains the policy bindings for the specified principal access boundary policy.

{  "policyBindings": [    {      "name": "organizations/123456789012/locations/global/policyBindings/example-binding1",      "uid": "buid_9904260005517852673",       "etag": "W/\"xkdnPfTxoxyVqOwhQSJbMg==\"",      "displayName": "Example binding 1",      "target": {        "principalSet": "//cloudresourcemanager.googleapis.com/organizations/123456789012"      },      "policyKind": "PRINCIPAL_ACCESS_BOUNDARY",      "policy": "organizations/123456789012/locations/global/principalAccessBoundaryPolicies/example-pab-policy",      "policyUid": "puid_9519202237377675265",      "createTime": "2024-05-06T18:08:24.729843Z",      "updateTime": "2024-05-06T18:08:24.729843Z"    },    {      "name": "organizations/123456789012/locations/global/policyBindings/example-binding2",      "uid": "buid_4331055466646863873",       "etag": "W/\"cRMdDXbT82aLuZlvoL9Gqg==\"",      "displayName": "Example binding 2",      "target": {        "principalSet": "//cloudresourcemanager.googleapis.com/projects/example-project"      },      "policyKind": "PRINCIPAL_ACCESS_BOUNDARY",      "policy": "organizations/123456789012/locations/global/principalAccessBoundaryPolicies/example-pab-policy",      "policyUid": "puid_9519202237377675265",      "createTime": "2024-05-07T07:05:06.203861Z",      "updateTime": "2024-05-07T07:05:06.203861Z"    }  ]}

List policy bindings for a principal set

To view all policy bindings that include a certain principal set, searchthe bindings for the principal set.

These bindings contain the IDs of the principal access boundary policies that are boundto the principal set. To see the details of these policies, use the policy ID toget the principal access boundary policy.

You can view all policy bindings for a principal set using thegcloud CLI or the IAM REST API.

gcloud

Thegcloud iam policy-bindings search-target-policy-bindings command gets all principal access boundary policies bound to a principal set.

Before using any of the command data below, make the following replacements:

  • RESOURCE_TYPE: The type of the Resource Manager resource (project, folder, or organization) that the target principal set is a child of. Use the valueproject,folder, ororganization

    The resource type depends on the type of principal set you want to list the policy bindings of. To see which resource type to use, seeSupported principal types.

  • RESOURCE_ID: The ID of theproject, folder, or organization that the target principal set is a child of. Project IDs arealphanumeric strings, likemy-project. Folder and organization IDs are numeric, like123456789012.
  • PRINCIPAL_SET: The principal set whose principal access boundary policy bindings you want to view. For a list of valid principal types, seeSupported principal sets.
  • FORMAT: The format for the response. Usejson oryaml.

Execute the following command:

Linux, macOS, or Cloud Shell

gcloudiampolicy-bindingssearch-target-policy-bindings\--RESOURCE_TYPE=RESOURCE_ID\--target=PRINCPAL_SET\--format=FORMAT

Windows (PowerShell)

gcloudiampolicy-bindingssearch-target-policy-bindings`--RESOURCE_TYPE=RESOURCE_ID`--target=PRINCPAL_SET`--format=FORMAT

Windows (cmd.exe)

gcloudiampolicy-bindingssearch-target-policy-bindings^--RESOURCE_TYPE=RESOURCE_ID^--target=PRINCPAL_SET^--format=FORMAT

The response contains all policy binidngs that are bound to the target principal set.

{  "policyBindings": [    {      "createTime": "2024-05-06T18:08:24.729843Z",      "displayName": "Example binding 1",      "etag": "W/\"xkdnPfTxoxyVqOwhQSJbMg==\"",      "name": "organizations/123456789012/locations/global/policyBindings/example-binding1",      "policy": "organizations/123456789012/locations/global/principalAccessBoundaryPolicies/example-pab-policy1",      "policyKind": "PRINCIPAL_ACCESS_BOUNDARY",      "policyUid": "puid_9519202237377675265",      "target": {        "principalSet": "//cloudresourcemanager.googleapis.com/organizations/123456789012"      },      "uid": "buid_9904260005517852673",       "updateTime": "2024-05-06T18:11:16.798841Z"    },    {      "createTime": "2024-05-06T18:08:24.729843Z",      "displayName": "Example binding 2",      "etag": "W/\"xkdnPfTxoxyVqOwhQSJbMg==\"",      "name": "organizations/123456789012/locations/global/policyBindings/example-binding2",      "policy": "organizations/123456789012/locations/global/principalAccessBoundaryPolicies/example-pab-policy2",      "policyKind": "PRINCIPAL_ACCESS_BOUNDARY",      "policyUid": "puid_10358560617928851457",      "target": {        "principalSet": "//cloudresourcemanager.googleapis.com/organizations/123456789012"      },      "uid": "buid_4331055466646863873",       "updateTime": "2024-05-06T18:11:16.798841Z"    }  ]}

REST

TheSearchTargetPolicyBindings.search method gets all principal access boundary policies bound to a principal set.

Before using any of the request data, make the following replacements:

  • RESOURCE_TYPE: The type of the Resource Manager resource (project, folder, or organization) that the target principal set is a child of. Use the valueprojects,folders, ororganizations

    The resource type depends on the type of principal set you want to list the policy bindings of. To see which resource type to use, seeSupported principal types.

  • RESOURCE_ID: The ID of theproject, folder, or organization that the target principal set is a child of. Project IDs arealphanumeric strings, likemy-project. Folder and organization IDs are numeric, like123456789012.

  • PRINCIPAL_SET: The principal set whose principal access boundary policy bindings you want to view. For a list of valid principal types, seeSupported principal sets.

HTTP method and URL:

GET https://iam.googleapis.com/v3/RESOURCE_TYPE/RESOURCE_ID/locations/global/policyBindings:searchTargetPolicyBindings?target=PRINCPAL_SET

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

Execute the following command:

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://iam.googleapis.com/v3/RESOURCE_TYPE/RESOURCE_ID/locations/global/policyBindings:searchTargetPolicyBindings?target=PRINCPAL_SET"

PowerShell (Windows)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://iam.googleapis.com/v3/RESOURCE_TYPE/RESOURCE_ID/locations/global/policyBindings:searchTargetPolicyBindings?target=PRINCPAL_SET" | Select-Object -Expand Content

The response contains all policy binidngs that are bound to the target principal set.

{  "policyBindings": [    {      "name": "organizations/123456789012/locations/global/policyBindings/example-binding1",      "uid": "buid_9904260005517852673",       "etag": "W/\"xkdnPfTxoxyVqOwhQSJbMg==\"",      "displayName": "Example binding 1",      "target": {        "principalSet": "//cloudresourcemanager.googleapis.com/organizations/123456789012"      },      "policy": "organizations/123456789012/locations/global/principalAccessBoundaryPolicies/example-pab-policy1",      "createTime": "2024-05-06T18:08:24.729843Z",      "updateTime": "2024-05-06T18:11:16.798841Z",      "policyKind": "PRINCIPAL_ACCESS_BOUNDARY",      "policyUid": "puid_9519202237377675265"    },    {      "name": "organizations/123456789012/locations/global/policyBindings/example-binding2",      "uid": "buid_4331055466646863873",       "etag": "W/\"xkdnPfTxoxyVqOwhQSJbMg==\"",      "displayName": "Example binding 2",      "target": {        "principalSet": "//cloudresourcemanager.googleapis.com/organizations/123456789012"      },      "policy": "organizations/123456789012/locations/global/principalAccessBoundaryPolicies/example-pab-policy2",      "createTime": "2024-05-06T18:08:24.729843Z",      "updateTime": "2024-05-06T18:11:16.798841Z",      "policyKind": "PRINCIPAL_ACCESS_BOUNDARY",      "policyUid": "puid_10358560617928851457"    }  ]}

List policy bindings for a project, folder, or organization

To view all policy bindings that are children of a specific project, folder, ororganization, list the policy bindings for that project, folder, ororganization.

A policy binding's parent resource depends on the principal set in the policybinding. To learn more, seeSupported principaltypes.

You can view all policy bindings for a project, folder, or organization usingthe gcloud CLI or the IAM REST API.

gcloud

Thegcloud iam policy-bindings list command lists all policy binding that are children of a certain resource.

Before using any of the command data below, make the following replacements:

  • RESOURCE_TYPE: The type of the Resource Manager resource (project, folder, or organization) that the policy binding is a child of. Use the valueproject,folder, ororganization

    The resource type depends on the principal set in the policy binding. To see which resource type to use, seeSupported principal types.

  • RESOURCE_ID: The ID of the project,folder, or organization that the policy binding is a child of. Project IDs are alphanumeric strings,likemy-project. Folder and organization IDs are numeric, like123456789012.
  • FORMAT: The format for the response. Usejson oryaml.

Execute the following command:

Linux, macOS, or Cloud Shell

gcloudiampolicy-bindingslist--RESOURCE_TYPE=RESOURCE_ID\--location=global\--format=FORMAT

Windows (PowerShell)

gcloudiampolicy-bindingslist--RESOURCE_TYPE=RESOURCE_ID`--location=global`--format=FORMAT

Windows (cmd.exe)

gcloudiampolicy-bindingslist--RESOURCE_TYPE=RESOURCE_ID^--location=global^--format=FORMAT

The response contains the policy bindings that are children of the resource in the command.

{  "policyBindings": [    {      "createTime": "2024-05-06T18:08:24.729843Z",      "displayName": "Example binding 1",      "etag": "W/\"xkdnPfTxoxyVqOwhQSJbMg==\"",      "name": "organizations/123456789012/locations/global/policyBindings/example-binding-1",      "policy": "organizations/123456789012/locations/global/principalAccessBoundaryPolicies/example-pab-policy-1",      "policyKind": "PRINCIPAL_ACCESS_BOUNDARY",      "policyUid": "puid_9519202237377675265",      "target": {        "principalSet": "//cloudresourcemanager.googleapis.com/organizations/123456789012"      },      "uid": "buid_9904260005517852673",       "updateTime": "2024-05-06T18:08:24.729843Z"    },    {      "createTime": "2024-05-07T07:05:06.203861Z",      "displayName": "Example binding 2",      "etag": "W/\"cRMdDXbT82aLuZlvoL9Gqg==\"",      "name": "organizations/123456789012/locations/global/policyBindings/example-binding-2",      "policy": "organizations/123456789012/locations/global/principalAccessBoundaryPolicies/example-pab-policy-2",      "policyKind": "PRINCIPAL_ACCESS_BOUNDARY",      "policyUid": "puid_1566408245394800641",      "target": {        "principalSet": "//cloudresourcemanager.googleapis.com/organizations/123456789012"      },      "uid": "buid_4331055466646863873",       "updateTime": "2024-05-07T07:05:06.203861Z"    }  ]}

REST

ThepolicyBindings.list method lists all policy binding that are children of a certain resource.

Before using any of the request data, make the following replacements:

  • RESOURCE_TYPE: The type of the Resource Manager resource (project, folder, or organization) that the policy binding is a child of. Use the valueprojects,folders, ororganizations

    The resource type depends on the principal set in the policy binding. To see which resource type to use, seeSupported principal types.

  • RESOURCE_ID: The ID of the project,folder, or organization that the policy binding is a child of. Project IDs are alphanumeric strings,likemy-project. Folder and organization IDs are numeric, like123456789012.

HTTP method and URL:

GET https://iam.googleapis.com/v3/RESOURCE_TYPE/RESOURCE_ID/locations/global/policyBindings

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

Execute the following command:

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://iam.googleapis.com/v3/RESOURCE_TYPE/RESOURCE_ID/locations/global/policyBindings"

PowerShell (Windows)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://iam.googleapis.com/v3/RESOURCE_TYPE/RESOURCE_ID/locations/global/policyBindings" | Select-Object -Expand Content

The response contains the policy bindings that are children of the resource in the request.

{  "policyBindings": [    {      "name": "organizations/123456789012/locations/global/policyBindings/example-binding-1",      "uid": "buid_9904260005517852673",       "etag": "W/\"xkdnPfTxoxyVqOwhQSJbMg==\"",      "displayName": "Example binding 1",      "target": {        "principalSet": "//cloudresourcemanager.googleapis.com/organizations/123456789012"      },      "policyKind": "PRINCIPAL_ACCESS_BOUNDARY",      "policy": "organizations/123456789012/locations/global/principalAccessBoundaryPolicies/example-pab-policy-1",      "policyUid": "puid_9519202237377675265",      "createTime": "2024-05-06T18:08:24.729843Z",      "updateTime": "2024-05-06T18:08:24.729843Z"    },    {      "name": "organizations/123456789012/locations/global/policyBindings/example-binding-2",      "uid": "buid_4331055466646863873",       "etag": "W/\"cRMdDXbT82aLuZlvoL9Gqg==\"",      "displayName": "Example binding 2",      "target": {        "principalSet": "//cloudresourcemanager.googleapis.com/organizations/123456789012"      },      "policyKind": "PRINCIPAL_ACCESS_BOUNDARY",      "policy": "organizations/123456789012/locations/global/principalAccessBoundaryPolicies/example-pab-policy-2",      "policyUid": "puid_1566408245394800641",      "createTime": "2024-05-07T07:05:06.203861Z",      "updateTime": "2024-05-07T07:05:06.203861Z"    }  ]}

Get a policy binding for a principal access boundary policy

To view the details of a single policy binding, use the policy binding's ID toget the policy binding.

You can get a policy binding using the gcloud CLI or theIAM REST API.

gcloud

Thegcloud iam policy-bindings describe command gets a policy binding.

Before using any of the command data below, make the following replacements:

  • BINDING_ID: The ID of the policy binding that you want toget—for example,example-binding.

  • RESOURCE_TYPE: The type of the Resource Manager resource (project, folder, or organization) that the policy binding is a child of. Use the valueproject,folder, ororganization

    The resource type depends on the principal set in the policy binding. To see which resource type to use, seeSupported principal types.

  • RESOURCE_ID: The ID of the project,folder, or organization that the policy binding is a child of. Project IDs are alphanumeric strings,likemy-project. Folder and organization IDs are numeric, like123456789012.
  • FORMAT: The format for the response. Usejson oryaml.

Execute the following command:

Linux, macOS, or Cloud Shell

gcloudiampolicy-bindingsdescribeBINDING_ID\--RESOURCE_TYPE=RESOURCE_ID--location=global\--format=FORMAT

Windows (PowerShell)

gcloudiampolicy-bindingsdescribeBINDING_ID`--RESOURCE_TYPE=RESOURCE_ID--location=global`--format=FORMAT

Windows (cmd.exe)

gcloudiampolicy-bindingsdescribeBINDING_ID^--RESOURCE_TYPE=RESOURCE_ID--location=global^--format=FORMAT

The response contains the policy binding.

{  "createTime": "2024-05-06T18:08:24.729843Z",  "displayName": "Example binding",  "etag": "W/\"xkdnPfTxoxyVqOwhQSJbMg==\"",  "name": "organizations/123456789012/locations/global/policyBindings/example-binding",  "policy": "organizations/123456789012/locations/global/principalAccessBoundaryPolicies/example-pab-policy",  "policyKind": "PRINCIPAL_ACCESS_BOUNDARY",  "policyUid": "puid_9519202237377675265",  "target": {    "principalSet": "//cloudresourcemanager.googleapis.com/organizations/123456789012"  },  "uid": "buid_9904260005517852673",   "updateTime": "2024-05-06T18:08:24.729843Z"}

REST

ThepolicyBindings.get method gets a policy binding.

Before using any of the request data, make the following replacements:

  • RESOURCE_TYPE: The type of the Resource Manager resource (project, folder, or organization) that the policy binding is a child of. Use the valueprojects,folders, ororganizations

    The resource type depends on the principal set in the policy binding. To see which resource type to use, seeSupported principal types.

  • RESOURCE_ID: The ID of the project,folder, or organization that the policy binding is a child of. Project IDs are alphanumeric strings,likemy-project. Folder and organization IDs are numeric, like123456789012.
  • BINDING_ID: The ID of the policy binding that you want toget—for example,example-binding.

HTTP method and URL:

GET https://iam.googleapis.com/v3/RESOURCE_TYPE/RESOURCE_ID/locations/global/policyBindings/BINDING_ID

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

Execute the following command:

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://iam.googleapis.com/v3/RESOURCE_TYPE/RESOURCE_ID/locations/global/policyBindings/BINDING_ID"

PowerShell (Windows)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://iam.googleapis.com/v3/RESOURCE_TYPE/RESOURCE_ID/locations/global/policyBindings/BINDING_ID" | Select-Object -Expand Content

The response contains the policy binding.

{  "name": "organizations/123456789012/locations/global/policyBindings/example-binding",  "uid": "buid_9904260005517852673",   "etag": "W/\"xkdnPfTxoxyVqOwhQSJbMg==\"",  "displayName": "Example binding",  "target": {    "principalSet": "//cloudresourcemanager.googleapis.com/organizations/123456789012"  },  "policyKind": "PRINCIPAL_ACCESS_BOUNDARY",  "policy": "organizations/123456789012/locations/global/principalAccessBoundaryPolicies/example-pab-policy",  "policyUid": "puid_9519202237377675265",  "createTime": "2024-05-06T18:08:24.729843Z",  "updateTime": "2024-05-06T18:08:24.729843Z"}

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.