This page shows how to use Policy Analyzer for allow policies to find out which principals (users, service accounts, groups, and domains) have what access to which Google Cloud resources.
The examples on this page show how to run a Policy Analysis query and immediately view the results. If you want to export the results for further analysis, you can use AnalyzeIamPolicyLongrunning to write query results to BigQuery or Cloud Storage.
Enable the Cloud Asset API.
You must enable the API in the project you will use to send the query. This doesn't have to be the same resource that you scope your query to.
Optional: Understand how Policy Analyzer works.
Optional: If you want to execute more than 20 policy analysis queries per organization per day, ensure that you have an organization-level activation of the Premium or Enterprise tier of Security Command Center. For more information, see Billing questions.
The following roles and permissions are required to analyze allow policies.
Required IAM roles
To get the permissions that you need to analyze an allow policy, ask your administrator to grant you the following IAM roles on the project, folder, or organization that you will scope your query to:
roles/cloudasset.viewer
roles/iam.roleViewer
roles/serviceusage.serviceUsageConsumer
For more information about granting roles, see Manage access to projects, folders, and organizations.
These predefined roles contain the permissions required to analyze an allow policy. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to analyze an allow policy:
cloudasset.assets.analyzeIamPolicy
cloudasset.assets.searchAllResources
cloudasset.assets.searchAllIamPolicies
iam.roles.get
serviceusage.services.use
You might also be able to get these permissions with custom roles or other predefined roles.
Required Google Workspace permissions
If you want to expand groups in query results to see if a principal has certain roles or permissions as a result of their membership in a Google Workspace group, you need the groups.read Google Workspace permission. This permission is contained in the Groups Reader Admin role, and in more powerful roles such as the Groups Admin or Super Admin roles. To learn how to grant these roles, see Assign specific admin roles.
You can use Policy Analyzer to check which principals have certain roles or permissions on a specific resource in your project, folder, or organization. To get this information, create a query that includes the resource that you want to analyze access for and one or more roles or permissions to check for.
Note: Policy Analyzer only supports IAM allow policies. Results do not account for other access control mechanisms, like IAM deny policies. For more information, see Supported policy types.
Console
In the Google Cloud console, go to the Policy analyzer page.
In the Analyze policies section, find the pane labeled Custom query and click Create custom query in that pane.
In the Select query scope field, select the project, folder, or organization that you want to scope the query to. Policy Analyzer will analyze access for that project, folder, or organization, as well as any resources within that project, folder, or organization.
Choose the resource to check and the role or permission to check for:
Optional: Click Continue, then select any advanced options that you want to enable for this query.
In the Custom query pane, click Analyze > Run query. The report page shows the query parameters you entered, and a results table of all principals with the specified roles or permissions on the specified resource.
Policy analysis queries in the Google Cloud console run for up to one minute. After one minute, the Google Cloud console stops the query and displays all available results. If the query didn't finish in that time, the Google Cloud console displays a banner indicating that the results are incomplete. To get more results for these queries, export the results to BigQuery.
Before using any of the command data below, make the following replacements:
RESOURCE_TYPE: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value project, folder, or organization.
RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
FULL_RESOURCE_NAME: The full resource name of the resource that you want to analyze access for. For a list of full resource name formats, see Resource name format.
PERMISSIONS: A comma-separated list of the permissions that you want to check for—for example, compute.instances.get,compute.instances.start. If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.
Execute the gcloud asset analyze-iam-policy command:
Linux, macOS, or Cloud Shell
Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running either gcloud init; or gcloud auth login and gcloud config set project.
    gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID \
        --full-resource-name=FULL_RESOURCE_NAME \
        --permissions='PERMISSIONS'
Windows (PowerShell)
Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running either gcloud init; or gcloud auth login and gcloud config set project.
    gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID `
        --full-resource-name=FULL_RESOURCE_NAME `
        --permissions='PERMISSIONS'
Windows (cmd.exe)
Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running either gcloud init; or gcloud auth login and gcloud config set project.
Note: If this command uses ' for quoting content, replace these single quotes with double quotes. If quoting is nested, use \" to escape the inner quotes.
    gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID ^
        --full-resource-name=FULL_RESOURCE_NAME ^
        --permissions='PERMISSIONS'
You receive a YAML response with analysis results. Each analysis result lists a set of accesses, identities, and resources that are relevant to your query, followed by the related IAM role binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is CONDITIONAL.
The principals that have any of the specified permissions on the specified resource are listed in the identities fields in the response. The following example shows a single analysis result with the identities field highlighted.
    ...
    ---
    ACLs:
    - accesses:
      - permission: compute.instances.get
      - permission: compute.instances.start
      identities:
      - name: user:my-user@example.com
      resources:
      - fullResourceName: //cloudresourcemanager.googleapis.com/projects/my-project
    policy:
      attachedResource: //cloudresourcemanager.googleapis.com/projects/my-project
      binding:
        members:
        - user: my-user@example.com
        role: roles/compute.admin
    ---
    ...
If the request times out before the query finishes, you get a DEADLINE_EXCEEDED error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of analyze-iam-policy. For instructions, see Write policy analysis to BigQuery or Write policy analysis to Cloud Storage.
To determine which principals have certain permissions on a resource, use the Cloud Asset Inventory API's analyzeIamPolicy method.
Before using any of the request data, make the following replacements:
RESOURCE_TYPE: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value projects, folders, or organizations.
RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
FULL_RESOURCE_NAME: The full resource name of the resource that you want to analyze access for. For a list of full resource name formats, see Resource name format.
PERMISSION_1, PERMISSION_2... PERMISSION_N: The permissions that you want to check for—for example, compute.instances.get. If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.
HTTP method and URL:
    POST https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy
Request JSON body:
    {
      "analysisQuery": {
        "resourceSelector": {
          "fullResourceName": "FULL_RESOURCE_NAME"
        },
        "accessSelector": {
          "permissions": [
            "PERMISSION_1",
            "PERMISSION_2",
            "PERMISSION_N"
          ]
        }
      }
    }
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
    curl -X POST \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        -H "X-HTTP-Method-Override: GET" \
        -H "Content-Type: application/json; charset=utf-8" \
        -d @request.json \
        "https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred"; "X-HTTP-Method-Override" = "GET" }
    Invoke-WebRequest `
        -Method POST `
        -Headers $headers `
        -ContentType: "application/json; charset=utf-8" `
        -InFile request.json `
        -Uri "https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
You receive a JSON response with analysis results. Each analysis result describes a relevant IAM role binding, then lists the resource, accesses, and principals in that binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is listed as CONDITIONAL.
The principals that have any of the specified permissions on the specified resource are listed in the identities fields in the response. The following example shows a single analysis result with the identities field highlighted.
    ...
    {
      "attachedResourceFullName": "//cloudresourcemanager.googleapis.com/projects/my-project",
      "iamBinding": {
        "role": "roles/compute.admin",
        "members": [
          "user:my-user@example.com"
        ]
      },
      "accessControlLists": [
        {
          "resources": [
            {
              "fullResourceName": "//cloudresourcemanager.googleapis.com/projects/my-project"
            }
          ],
          "accesses": [
            {
              "permission": "compute.instances.get"
            },
            {
              "permission": "compute.instances.start"
            }
          ]
        }
      ],
      "identityList": {
        "identities": [
          {
            "name": "user:my-user@example.com"
          }
        ]
      },
      "fullyExplored": true
    },
    ...
If the request times out before the query finishes, you get a DEADLINE_EXCEEDED error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of analyzeIamPolicy. For instructions, see Write policy analysis to BigQuery or Write policy analysis to Cloud Storage.
You can use Policy Analyzer to check which principals have specific roles or permissions on any Google Cloud resource in your organization. To get this information, create a query that includes one or more roles or permissions to check for, but does not specify a resource.
Note: Policy Analyzer only supports IAM allow policies. Results do not account for other access control mechanisms, like IAM deny policies. For more information, see Supported policy types.
Console
In the Google Cloud console, go to the Policy analyzer page.
In the Analyze policies section, find the pane labeled Custom query and click Create custom query in that pane.
In the Select query scope field, select the project, folder, or organization that you want to scope the query to. Policy Analyzer will analyze access for that project, folder, or organization, as well as any resources within that project, folder, or organization.
In the Parameter 1 field, select either Role or Permission.
In the Select a role or Select a permission field, select the role or permission that you want to check for.
Optional: To check for additional roles and permissions, do the following:
Optional: Click Continue, then select any advanced options that you want to enable for this query.
In the Custom query pane, click Analyze > Run query. The report page shows the query parameters you entered, and a results table of all principals with the specified roles or permissions on any in-scope resource.
Policy analysis queries in the Google Cloud console run for up to one minute. After one minute, the Google Cloud console stops the query and displays all available results. If the query didn't finish in that time, the Google Cloud console displays a banner indicating that the results are incomplete. To get more results for these queries, export the results to BigQuery.
Before using any of the command data below, make the following replacements:
RESOURCE_TYPE: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value project, folder, or organization.
RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
ROLES: A comma-separated list of the roles that you want to check for—for example, roles/compute.admin,roles/compute.imageUser. If you list multiple roles, Policy Analyzer will check for any of the roles listed.
PERMISSIONS: A comma-separated list of the permissions that you want to check for—for example, compute.instances.get,compute.instances.start. If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.
Execute the gcloud asset analyze-iam-policy command:
Linux, macOS, or Cloud Shell
Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running either gcloud init; or gcloud auth login and gcloud config set project.
    gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID \
        --roles='ROLES' \
        --permissions='PERMISSIONS'
Windows (PowerShell)
Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running either gcloud init; or gcloud auth login and gcloud config set project.
    gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID `
        --roles='ROLES' `
        --permissions='PERMISSIONS'
Windows (cmd.exe)
Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running either gcloud init; or gcloud auth login and gcloud config set project.
Note: If this command uses ' for quoting content, replace these single quotes with double quotes. If quoting is nested, use \" to escape the inner quotes.
    gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID ^
        --roles='ROLES' ^
        --permissions='PERMISSIONS'
You receive a JSON response with analysis results. Each analysis result describes a relevant IAM role binding, then lists the resource, accesses, and principals in that binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is listed as CONDITIONAL.
The principals that have any of the specified roles or permissions are listed in the identities fields in the response. The following example shows a single analysis result with the identities field highlighted.
    ...
    ---
    ACLs:
    - accesses:
      - permission: compute.instances.get
      - permission: compute.instances.start
      - role: roles/compute.admin
      identities:
      - name: user:my-user@example.com
      resources:
      - fullResourceName: //cloudresourcemanager.googleapis.com/projects/my-project
    policy:
      attachedResource: //cloudresourcemanager.googleapis.com/projects/my-project
      binding:
        members:
        - user: my-user@example.com
        role: roles/compute.admin
    ---
    ...
If the request times out before the query finishes, you get a DEADLINE_EXCEEDED error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of analyze-iam-policy. For instructions, see Write policy analysis to BigQuery or Write policy analysis to Cloud Storage.
To determine which principals have certain roles or permissions, use the Cloud Asset Inventory API's analyzeIamPolicy method.
Before using any of the request data, make the following replacements:
RESOURCE_TYPE: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value projects, folders, or organizations.
RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
ROLE_1, ROLE_2... ROLE_N: The roles that you want to check for—for example, roles/compute.admin. If you list multiple roles, Policy Analyzer will check for any of the roles listed.
PERMISSION_1, PERMISSION_2... PERMISSION_N: The permissions that you want to check for—for example, compute.instances.get. If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.
HTTP method and URL:
    POST https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy
Request JSON body:
    {
      "analysisQuery": {
        "accessSelector": {
          "roles": [
            "ROLE_1",
            "ROLE_2",
            "ROLE_N"
          ],
          "permissions": [
            "PERMISSION_1",
            "PERMISSION_2",
            "PERMISSION_N"
          ]
        }
      }
    }
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
    curl -X POST \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        -H "X-HTTP-Method-Override: GET" \
        -H "Content-Type: application/json; charset=utf-8" \
        -d @request.json \
        "https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred"; "X-HTTP-Method-Override" = "GET" }
    Invoke-WebRequest `
        -Method POST `
        -Headers $headers `
        -ContentType: "application/json; charset=utf-8" `
        -InFile request.json `
        -Uri "https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
You receive a JSON response with analysis results. Each analysis result describes a relevant IAM role binding, then lists the resource, accesses, and principals in that binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is listed as CONDITIONAL.
The principals that have any of the specified roles or permissions are listed in the identities fields in the response. The following example shows a single analysis result with the identities field highlighted.
    ...
    {
      "attachedResourceFullName": "//cloudresourcemanager.googleapis.com/projects/my-project",
      "iamBinding": {
        "role": "roles/compute.admin",
        "members": [
          "user:my-user@example.com"
        ]
      },
      "accessControlLists": [
        {
          "resources": [
            {
              "fullResourceName": "//cloudresourcemanager.googleapis.com/projects/my-project"
            }
          ],
          "accesses": [
            {
              "permission": "compute.instances.get"
            },
            {
              "role": "roles/compute.admin"
            }
          ]
        }
      ],
      "identityList": {
        "identities": [
          {
            "name": "user:my-user@example.com"
          }
        ]
      },
      "fullyExplored": true
    },
    ...
If the request times out before the query finishes, you get a DEADLINE_EXCEEDED error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of analyzeIamPolicy. For instructions, see Write policy analysis to BigQuery or Write policy analysis to Cloud Storage.
You can use Policy Analyzer to check what roles or permissions a principal has on a resource in your organization. To get this information, create a query that includes the principal whose access you want to analyze and the resource that you want to analyze access for.
Note: Policy Analyzer only supports IAM allow policies. Results do not account for other access control mechanisms, like IAM deny policies. For more information, see Supported policy types.
Console
In the Google Cloud console, go to the Policy analyzer page.
In the Analyze policies section, find the pane labeled Custom query and click Create custom query in that pane.
In the Select query scope field, select the project, folder, or organization that you want to scope the query to. Policy Analyzer will analyze access for that project, folder, or organization, as well as any resources within that project, folder, or organization.
Choose the resource and principal to check:
Optional: Click Continue, then select any advanced options that you want to enable for this query.
In the Custom query pane, click Analyze > Run query. The report page shows the query parameters you entered, and a results table of all roles that the specified principal has on the specified resource.
Policy analysis queries in the Google Cloud console run for up to one minute. After one minute, the Google Cloud console stops the query and displays all available results. If the query didn't finish in that time, the Google Cloud console displays a banner indicating that the results are incomplete. To get more results for these queries, export the results to BigQuery.
Before using any of the command data below, make the following replacements:
RESOURCE_TYPE: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value project, folder, or organization.
RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
FULL_RESOURCE_NAME: The full resource name of the resource that you want to analyze access for. For a list of full resource name formats, see Resource name format.
PRINCIPAL: The principal whose access you want to analyze, in the form PRINCIPAL_TYPE:ID—for example, user:my-user@example.com. For a full list of the principal types, see Principal identifiers.
Execute the gcloud asset analyze-iam-policy command:
Linux, macOS, or Cloud Shell
Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running either gcloud init; or gcloud auth login and gcloud config set project.
    gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID \
        --full-resource-name=FULL_RESOURCE_NAME \
        --identity=PRINCIPAL
Windows (PowerShell)
Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running either gcloud init; or gcloud auth login and gcloud config set project.
    gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID `
        --full-resource-name=FULL_RESOURCE_NAME `
        --identity=PRINCIPAL
Windows (cmd.exe)
Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running either gcloud init; or gcloud auth login and gcloud config set project.
    gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID ^
        --full-resource-name=FULL_RESOURCE_NAME ^
        --identity=PRINCIPAL
You receive a YAML response with analysis results. Each analysis result lists a set of accesses, identities, and resources that are relevant to your query, followed by the related IAM role binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is CONDITIONAL.
The roles that the principal has on the specified resource are listed in the accesses fields in the response. The following example shows a single analysis result with the accesses field highlighted.
    ...
    ---
    ACLs:
    - accesses:
      - roles/iam.serviceAccountUser
      identities:
      - name: user:my-user@example.com
      resources:
      - fullResourceName: //cloudresourcemanager.googleapis.com/projects/my-project
    policy:
      attachedResource: //cloudresourcemanager.googleapis.com/projects/my-project
      binding:
        members:
        - user: my-user@example.com
        role: roles/iam.serviceAccountUser
    ---
    ...
If the request times out before the query finishes, you get a DEADLINE_EXCEEDED error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of analyze-iam-policy. For instructions, see Write policy analysis to BigQuery or Write policy analysis to Cloud Storage.
To determine what access a principal has on a resource, use the Cloud Asset Inventory API's analyzeIamPolicy method.
Before using any of the request data, make the following replacements:
RESOURCE_TYPE: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value projects, folders, or organizations.
RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
FULL_RESOURCE_NAME: The full resource name of the resource that you want to analyze access for. For a list of full resource name formats, see Resource name format.
PRINCIPAL: The principal whose access you want to analyze, in the form PRINCIPAL_TYPE:ID—for example, user:my-user@example.com. For a full list of the principal types, see Principal identifiers.
HTTP method and URL:
    POST https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy
Request JSON body:
    {
      "analysisQuery": {
        "resourceSelector": {
          "fullResourceName": "FULL_RESOURCE_NAME"
        },
        "identitySelector": {
          "identity": "PRINCIPAL"
        }
      }
    }
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
    curl -X POST \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        -H "X-HTTP-Method-Override: GET" \
        -H "Content-Type: application/json; charset=utf-8" \
        -d @request.json \
        "https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred"; "X-HTTP-Method-Override" = "GET" }
    Invoke-WebRequest `
        -Method POST `
        -Headers $headers `
        -ContentType: "application/json; charset=utf-8" `
        -InFile request.json `
        -Uri "https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
You receive a JSON response with analysis results. Each analysis result describes a relevant IAM role binding, then lists the resource, accesses, and principals in that binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is listed as CONDITIONAL.
The roles that the principal has on the specified resource are listed in the accesses fields in the response. The following example shows a single analysis result with the accesses field highlighted.
    ...
    {
      "attachedResourceFullName": "//cloudresourcemanager.googleapis.com/projects/my-project",
      "iamBinding": {
        "role": "roles/iam.serviceAccountUser",
        "members": [
          "user:my-user@example.com"
        ]
      },
      "accessControlLists": [
        {
          "resources": [
            {
              "fullResourceName": "//cloudresourcemanager.googleapis.com/projects/my-project"
            }
          ],
          "accesses": [
            {
              "roles": "iam.serviceAccountUser"
            }
          ]
        }
      ],
      "identityList": {
        "identities": [
          {
            "name": "user:my-user@example.com"
          }
        ]
      },
      "fullyExplored": true
    },
    ...
If the request times out before the query finishes, you get a DEADLINE_EXCEEDED error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of analyzeIamPolicy. For instructions, see Write policy analysis to BigQuery or Write policy analysis to Cloud Storage.
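The identities fields (who has access) and the accesses fields (what a principal has) described in the response sections above can be flattened into one row per principal, access and resource for review. This Python sketch is an added example, not part of the original page or Google's code: the sample results are constructed, the function names are hypothetical, and the conditionEvaluation.evaluationValue field name is an assumption taken from the Cloud Asset API reference rather than from this page. It takes the list of analysis result objects as shown above and does not parse the enclosing response, which the page elides as "...".

```python
import json
from collections import defaultdict

# Constructed sample in the shape of the analysis results shown on this page.
# "conditionEvaluation"/"evaluationValue" is an assumed field name (see lead-in);
# the page itself only says that a CONDITIONAL result can appear.
SAMPLE_RESULTS = json.loads("""
[
 {"attachedResourceFullName": "//cloudresourcemanager.googleapis.com/projects/my-project",
  "iamBinding": {"role": "roles/compute.admin",
                 "members": ["user:my-user@example.com"]},
  "accessControlLists": [
    {"resources": [{"fullResourceName": "//cloudresourcemanager.googleapis.com/projects/my-project"}],
     "accesses": [{"permission": "compute.instances.get"},
                  {"role": "roles/compute.admin"}]}],
  "identityList": {"identities": [{"name": "user:my-user@example.com"}]},
  "fullyExplored": true},
 {"attachedResourceFullName": "//cloudresourcemanager.googleapis.com/folders/123456789012",
  "iamBinding": {"role": "roles/compute.admin",
                 "members": ["group:ops@example.com"]},
  "accessControlLists": [
    {"resources": [{"fullResourceName": "//cloudresourcemanager.googleapis.com/projects/my-project"}],
     "accesses": [{"permission": "compute.instances.start"}],
     "conditionEvaluation": {"evaluationValue": "CONDITIONAL"}}],
  "identityList": {"identities": [{"name": "group:ops@example.com"}]},
  "fullyExplored": false}
]
""")


def access_label(access):
    """Render one entry of an "accesses" list as 'role:...' or 'permission:...'."""
    for kind in ("role", "permission"):
        if kind in access:
            return f"{kind}:{access[kind]}"
    return "unknown:" + json.dumps(access, sort_keys=True)


def flatten(results):
    """Expand analysis results into one row per (principal, access, resource).

    Returns (rows, incomplete). `incomplete` lists the attached resources of
    results that are not marked fullyExplored; a missing flag is treated the
    same way, so a partial answer is never read as a complete one.
    """
    rows, incomplete = [], []
    for result in results:
        attached = result.get("attachedResourceFullName", "")
        role = result.get("iamBinding", {}).get("role", "")
        if not result.get("fullyExplored", False):
            incomplete.append(attached)
        principals = [i["name"] for i in
                      result.get("identityList", {}).get("identities", [])]
        for acl in result.get("accessControlLists", []):
            state = acl.get("conditionEvaluation", {}).get("evaluationValue", "TRUE")
            if state == "FALSE":  # condition evaluated to false: no access
                continue
            for principal in principals:
                for access in acl.get("accesses", []):
                    for res in acl.get("resources", []):
                        rows.append({
                            "principal": principal,
                            "access": access_label(access),
                            "resource": res["fullResourceName"],
                            "granted_by": f"{role} @ {attached}",
                            "conditional": state == "CONDITIONAL",
                        })
    return rows, incomplete


def who_has(rows, access):
    """Principals holding `access`: (definite, only via an unevaluated condition)."""
    definite = {r["principal"] for r in rows
                if r["access"] == access and not r["conditional"]}
    maybe = {r["principal"] for r in rows
             if r["access"] == access and r["conditional"]}
    return definite, maybe - definite


def access_of(rows, principal):
    """Map each resource to the sorted accesses `principal` has on it."""
    by_resource = defaultdict(set)
    for r in rows:
        if r["principal"] == principal:
            by_resource[r["resource"]].add(r["access"])
    return {res: sorted(acc) for res, acc in by_resource.items()}


if __name__ == "__main__":
    rows, incomplete = flatten(SAMPLE_RESULTS)
    print(who_has(rows, "permission:compute.instances.start"))
    print(access_of(rows, "user:my-user@example.com"))
    print("not fully explored:", incomplete)
```

Rows flagged conditional are bindings whose condition could not be evaluated, so they belong in an access review as possible access rather than being dropped.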
You can use Policy Analyzer to check which resources within your organization a principal has certain roles or permissions on. To get this information, create a query that includes the principal whose access you want to analyze and one or more permissions or roles that you want to check for.
Note: Policy Analyzer only supports IAM allow policies. Results do not account for other access control mechanisms, like IAM deny policies. For more information, see Supported policy types.
Console
In the Google Cloud console, go to the Policy analyzer page.
In the Analyze policies section, find the pane labeled Custom query and click Create custom query in that pane.
In the Select query scope field, select the project, folder, or organization that you want to scope the query to. Policy Analyzer will analyze access for that project, folder, or organization, as well as any resources within that project, folder, or organization.
Choose the principal to check and the role or permission to check for:
Optional: Click Continue, then select any advanced options that you want to enable for this query.
In the Custom query pane, click Analyze > Run query. The report page shows the query parameters you entered, and a results table of all the resources on which the specified principal has the specified roles or permissions.
Policy analysis queries in the Google Cloud console run for up to one minute. After one minute, the Google Cloud console stops the query and displays all available results. If the query didn't finish in that time, the Google Cloud console displays a banner indicating that the results are incomplete. To get more results for these queries, export the results to BigQuery.
Before using any of the command data below, make the following replacements:
RESOURCE_TYPE: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value project, folder, or organization.
RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
PRINCIPAL: The principal whose access you want to analyze, in the form PRINCIPAL_TYPE:ID, for example, user:my-user@example.com. For a full list of the principal types, see Principal identifiers.
PERMISSIONS: A comma-separated list of the permissions that you want to check for, for example, compute.instances.get,compute.instances.start. If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.
Execute the gcloud asset analyze-iam-policy command:
Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running either gcloud init; or gcloud auth login and gcloud config set project.
Linux, macOS, or Cloud Shell
gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID \
    --identity=PRINCIPAL \
    --permissions='PERMISSIONS'
Windows (PowerShell)
gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID `
    --identity=PRINCIPAL `
    --permissions='PERMISSIONS'
Windows (cmd.exe)
Note: If this command uses ' for quoting content, replace these single quotes with double quotes. If quoting is nested, use \" to escape the inner quotes.
gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID ^
    --identity=PRINCIPAL ^
    --permissions='PERMISSIONS'
You receive a YAML response with analysis results. Each analysis result lists a set of accesses, identities, and resources that are relevant to your query, followed by the related IAM role binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is CONDITIONAL.
The resources on which the specified principal has any of the specified permissions are listed in the resources fields in the response. The following example shows a single analysis result with the resources field highlighted.
...
---
ACLs:
- accesses:
  - permission: compute.instances.get
  - permission: compute.instances.start
  identities:
  - name: user:my-user@example.com
  resources:
  - fullResourceName: //compute.googleapis.com/projects/my-project/global/images/my-image
policy:
  attachedResource: //compute.googleapis.com/projects/my-project/global/images/my-image
  binding:
    members:
    - user: my-user@example.com
    role: roles/compute.admin
---
...
If the request times out before the query finishes, you get a DEADLINE_EXCEEDED error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of analyze-iam-policy. For instructions, see Write policy analysis to BigQuery or Write policy analysis to Cloud Storage.
To determine which resources a principal can access, use the Cloud Asset Inventory API's analyzeIamPolicy method.
Before using any of the request data, make the following replacements:
RESOURCE_TYPE: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value projects, folders, or organizations.
RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
PRINCIPAL: The principal whose access you want to analyze, in the form PRINCIPAL_TYPE:ID, for example, user:my-user@example.com. For a full list of the principal types, see Principal identifiers.
PERMISSION_1, PERMISSION_2... PERMISSION_N: The permissions that you want to check for, for example, compute.instances.get. If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy
Request JSON body:
{
  "analysisQuery": {
    "identitySelector": {
      "identity": "PRINCIPAL"
    },
    "accessSelector": {
      "permissions": [
        "PERMISSION_1",
        "PERMISSION_2",
        "PERMISSION_N"
      ]
    }
  }
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "X-HTTP-Method-Override: GET" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d @request.json \
    "https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred"; "X-HTTP-Method-Override" = "GET" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
You receive a JSON response with analysis results. Each analysis result describes a relevant IAM role binding, then lists the resource, accesses, and principals in that binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is listed as CONDITIONAL.
The resources on which the specified principal has any of the specified permissions are listed in the resources fields in the response. The following example shows a single analysis result with the resources field highlighted.
...
{
  "attachedResourceFullName": "//compute.googleapis.com/projects/my-project/global/images/my-image",
  "iamBinding": {
    "role": "roles/compute.admin",
    "members": [
      "user:my-user@example.com"
    ]
  },
  "accessControlLists": [
    {
      "resources": [
        {
          "fullResourceName": "//compute.googleapis.com/projects/my-project/global/images/my-image"
        }
      ],
      "accesses": [
        {
          "permission": "compute.instances.get"
        },
        {
          "permission": "compute.instances.start"
        }
      ]
    }
  ],
  "identityList": {
    "identities": [
      {
        "name": "user:my-user@example.com"
      }
    ]
  },
  "fullyExplored": true
},
...
If the request times out before the query finishes, you get a DEADLINE_EXCEEDED error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of analyzeIamPolicy. For instructions, see Write policy analysis to BigQuery or Write policy analysis to Cloud Storage.
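The following Python sketch is an added example, not part of the original page: it flattens analysis results shaped like the JSON above into one row per principal, resource, and access, and singles out rows whose answer is not definitive. The sample data is constructed, and two behaviours are assumptions of this example: a conditional binding with no evaluation is treated as CONDITIONAL, and fullyExplored: false is treated as an incomplete analysis.

```python
import json

# Constructed sample shaped like the analysis results shown on this page.
# The second result is hypothetical: its condition could not be evaluated.
SAMPLE_RESULTS = json.loads(r"""
[
 {"attachedResourceFullName": "//compute.googleapis.com/projects/my-project/global/images/my-image",
  "iamBinding": {"role": "roles/compute.admin", "members": ["user:my-user@example.com"]},
  "accessControlLists": [
    {"resources": [{"fullResourceName": "//compute.googleapis.com/projects/my-project/global/images/my-image"}],
     "accesses": [{"permission": "compute.instances.get"}, {"permission": "compute.instances.start"}]}],
  "identityList": {"identities": [{"name": "user:my-user@example.com"}]},
  "fullyExplored": true},
 {"attachedResourceFullName": "//cloudresourcemanager.googleapis.com/projects/my-project",
  "iamBinding": {"role": "roles/compute.admin", "members": ["user:my-user@example.com"],
                 "condition": {"expression": "request.time.getHours(\"America/Los_Angeles\") >= 5",
                               "title": "No access before 5am PST"}},
  "accessControlLists": [
    {"resources": [{"fullResourceName": "//cloudresourcemanager.googleapis.com/projects/my-project"}],
     "accesses": [{"permission": "compute.instances.get"}],
     "conditionEvaluation": {"evaluationValue": "CONDITIONAL"}}],
  "identityList": {"identities": [{"name": "user:my-user@example.com"}]},
  "fullyExplored": true}
]
""")


def access_name(access):
    """An access entry names a permission or a role (the page shows both key styles)."""
    return (access.get("permission") or access.get("role")
            or access.get("roles") or "<unknown>")


def flatten(results):
    """Return one row per (principal, resource, access) across all analysis results."""
    rows = []
    for result in results:
        binding = result.get("iamBinding", {})
        condition = binding.get("condition")
        identities = [i["name"] for i in
                      result.get("identityList", {}).get("identities", [])]
        for acl in result.get("accessControlLists", []):
            evaluation = acl.get("conditionEvaluation", {}).get("evaluationValue")
            if evaluation is None:
                # Assumption: a conditional binding without an evaluation is unresolved.
                evaluation = "CONDITIONAL" if condition else "NONE"
            for resource in acl.get("resources", []):
                for access in acl.get("accesses", []):
                    for principal in identities:
                        rows.append({
                            "principal": principal,
                            "resource": resource["fullResourceName"],
                            "access": access_name(access),
                            "granted_by": binding.get("role"),
                            "attached_to": result.get("attachedResourceFullName"),
                            "condition": condition["title"] if condition else None,
                            "evaluation": evaluation,
                            # Assumption: a missing or false flag means incomplete analysis.
                            "fully_explored": bool(result.get("fullyExplored")),
                        })
    return rows


def needs_review(rows):
    """Rows that are not a definitive grant: unevaluated condition or partial analysis."""
    return [r for r in rows
            if r["evaluation"] == "CONDITIONAL" or not r["fully_explored"]]


if __name__ == "__main__":
    all_rows = flatten(SAMPLE_RESULTS)
    for row in all_rows:
        print(row["principal"], row["access"], row["resource"], row["evaluation"])
    print("needs review:", len(needs_review(all_rows)))
```
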
If given enough context, Policy Analyzer can analyze IAM conditional role bindings that only grant access at specific times. These conditions are called date/time conditions. For Policy Analyzer to accurately analyze role bindings with date/time conditions, you need to define the access time in the request.
Policy Analyzer can also analyze resource conditions with no additional user input. For more information about how Policy Analyzer works with conditions, see Conditional access.
Note: Policy Analyzer only supports IAM allow policies. Results do not account for other access control mechanisms, like IAM deny policies. For more information, see Supported policy types.
gcloud
Before using any of the command data below, make the following replacements:
RESOURCE_TYPE: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value project, folder, or organization.
RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
FULL_RESOURCE_NAME: Optional. The full resource name of the resource that you want to analyze access for. For a list of full resource name formats, see Resource name format.
PERMISSIONS: Optional. A comma-separated list of the permissions that you want to check for, for example, compute.instances.get,compute.instances.start. If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.
ACCESS_TIME: The time that you want to check. This time must be in the future. Use a timestamp in RFC 3339 format, for example, 2099-02-01T00:00:00Z.
Execute the gcloud asset analyze-iam-policy command:
Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running either gcloud init; or gcloud auth login and gcloud config set project.
Linux, macOS, or Cloud Shell
gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID \
    --identity=PRINCIPAL \
    --full-resource-name=FULL_RESOURCE_NAME \
    --permissions='PERMISSIONS' \
    --access-time=ACCESS_TIME
Windows (PowerShell)
gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID `
    --identity=PRINCIPAL `
    --full-resource-name=FULL_RESOURCE_NAME `
    --permissions='PERMISSIONS' `
    --access-time=ACCESS_TIME
Windows (cmd.exe)
Note: If this command uses ' for quoting content, replace these single quotes with double quotes. If quoting is nested, use \" to escape the inner quotes.
gcloud asset analyze-iam-policy --RESOURCE_TYPE=RESOURCE_ID ^
    --identity=PRINCIPAL ^
    --full-resource-name=FULL_RESOURCE_NAME ^
    --permissions='PERMISSIONS' ^
    --access-time=ACCESS_TIME
You receive a YAML response with analysis results. Each analysis result lists a set of accesses, identities, and resources that are relevant to your query, followed by the related IAM role binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is CONDITIONAL.
When you include the access time in the request, Policy Analyzer can evaluate date/time conditions. If the condition evaluates to false, that role is not included in the response. If the condition evaluates to true, the result of the condition evaluation is listed as TRUE.
...
---
ACLs:
- accesses:
  - permission: compute.instances.get
  - permission: compute.instances.start
  conditionEvaluationValue: 'TRUE'
  identities:
  - name: user:my-user@example.com
  resources:
  - fullResourceName: //cloudresourcemanager.googleapis.com/projects/my-project
policy:
  attachedResource: //cloudresourcemanager.googleapis.com/projects/my-project
  binding:
    condition:
      expression: request.time.getHours("America/Los_Angeles") >= 5
      title: No access before 5am PST
    members:
    - user: my-user@example.com
    role: roles/compute.admin
---
...
If the request times out before the query finishes, you get a DEADLINE_EXCEEDED error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of analyze-iam-policy. For instructions, see Write policy analysis to BigQuery or Write policy analysis to Cloud Storage.
To determine which principals will have certain permissions on a resource at a specific time, use the Cloud Asset Inventory API's analyzeIamPolicy method.
Before using any of the request data, make the following replacements:
RESOURCE_TYPE: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value projects, folders, or organizations.
RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
FULL_RESOURCE_NAME: Optional. The full resource name of the resource that you want to analyze access for. For a list of full resource name formats, see Resource name format.
PERMISSION_1, PERMISSION_2... PERMISSION_N: Optional. The permissions that you want to check for, for example, compute.instances.get. If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.
ACCESS_TIME: The time that you want to check. This time must be in the future. Use a timestamp in RFC 3339 format, for example, 2099-02-01T00:00:00Z.
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy
Request JSON body:
{
  "analysisQuery": {
    "identitySelector": {
      "identity": "PRINCIPAL"
    },
    "resourceSelector": {
      "fullResourceName": "FULL_RESOURCE_NAME"
    },
    "accessSelector": {
      "permissions": [
        "PERMISSION_1",
        "PERMISSION_2",
        "PERMISSION_N"
      ]
    },
    "conditionContext": {
      "accessTime": "ACCESS_TIME"
    }
  }
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "X-HTTP-Method-Override: GET" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d @request.json \
    "https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred"; "X-HTTP-Method-Override" = "GET" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://cloudasset.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID:analyzeIamPolicy" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
You receive a JSON response with analysis results. Each analysis result describes a relevant IAM role binding, then lists the resource, accesses, and principals in that binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is listed as CONDITIONAL.
When you include the access time in the request, Policy Analyzer can evaluate date/time conditions. If the condition evaluates to false, that role is not included in the response. If the condition evaluates to true, the condition evaluation value in the analysis response is TRUE.
...
{
  "attachedResourceFullName": "//cloudresourcemanager.googleapis.com/projects/my-project",
  "iamBinding": {
    "role": "roles/compute.admin",
    "members": [
      "user:my-user@example.com"
    ],
    "condition": {
      "expression": "request.time.getHours(\"America/Los_Angeles\") \u003e= 5",
      "title": "No access before 5am PST"
    }
  },
  "accessControlLists": [
    {
      "resources": [
        {
          "fullResourceName": "//cloudresourcemanager.googleapis.com/projects/my-project"
        }
      ],
      "accesses": [
        {
          "permission": "compute.instances.get"
        },
        {
          "permission": "compute.instances.start"
        }
      ],
      "conditionEvaluation": {
        "evaluationValue": "TRUE"
      }
    }
  ],
  "identityList": {
    "identities": [
      {
        "name": "user:my-user@example.com"
      }
    ]
  },
  "fullyExplored": true
},
...
If the request times out before the query finishes, you get a DEADLINE_EXCEEDED error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of analyzeIamPolicy. For instructions, see Write policy analysis to BigQuery or Write policy analysis to Cloud Storage.
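As an added example (not code from the original page), this Python helper builds the request.json body for the query above and checks it against rules this page states: the access time must be a future RFC 3339 timestamp, and some options in the options tables on this page only take effect for certain queries. The function name, its parameters, the choice to warn rather than reject, and the rejection of unknown option names are assumptions of this example.

```python
import json
from datetime import datetime, timezone

# Option names as listed in the REST options table on this page.
KNOWN_OPTIONS = {
    "analyzeServiceAccountImpersonation", "expandGroups", "expandResources",
    "expandRoles", "outputGroupEdges", "outputResourceEdges",
}


def parse_rfc3339(value):
    """Parse a timestamp such as 2099-02-01T00:00:00Z into an aware datetime."""
    text = value[:-1] + "+00:00" if value.endswith("Z") else value
    parsed = datetime.fromisoformat(text)  # raises ValueError on malformed input
    if parsed.tzinfo is None:
        raise ValueError(f"access time {value!r} has no UTC offset")
    return parsed


def build_query(principal=None, permissions=(), roles=(), full_resource_name=None,
                access_time=None, options=None, now=None):
    """Return (request_body, warnings) for an analyzeIamPolicy call.

    `now` is injectable so the future-time check can be tested deterministically.
    """
    now = now or datetime.now(timezone.utc)
    options = dict(options or {})
    warnings = []

    unknown = sorted(set(options) - KNOWN_OPTIONS)
    if unknown:
        raise ValueError(f"unknown option(s): {', '.join(unknown)}")

    query = {}
    if principal:
        query["identitySelector"] = {"identity": principal}
    if full_resource_name:
        query["resourceSelector"] = {"fullResourceName": full_resource_name}
    if permissions or roles:
        selector = {}
        if permissions:
            selector["permissions"] = list(permissions)
        if roles:
            selector["roles"] = list(roles)
        query["accessSelector"] = selector

    if access_time is not None:
        # The page requires the access time to be in the future.
        if parse_rfc3339(access_time) <= now:
            raise ValueError(f"access time {access_time!r} is not in the future")
        query["conditionContext"] = {"accessTime": access_time}

    if options.get("expandGroups") and principal:
        warnings.append("expandGroups is only effective when no principal is specified")
    if options.get("expandRoles") and (permissions or roles):
        warnings.append("expandRoles is only available when no permissions or roles are specified")
    if options.get("analyzeServiceAccountImpersonation"):
        warnings.append("impersonation analysis runs one query per service account; "
                        "the page recommends AnalyzeIamPolicyLongrunning instead")
    if options:
        query["options"] = options
    return {"analysisQuery": query}, warnings


if __name__ == "__main__":
    body, notes = build_query(
        principal="user:my-user@example.com",
        permissions=["compute.instances.get", "compute.instances.start"],
        full_resource_name="//cloudresourcemanager.googleapis.com/projects/my-project",
        access_time="2099-02-01T00:00:00Z",
        options={"expandGroups": True},
    )
    print(json.dumps(body, indent=2))
    for note in notes:
        print("warning:", note)
```
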
You can enable the following options to receive more detailed query results.
Console
Option: List resources within resource(s) matching your query
Description: If you enable this option, the query results list up to 1,000 relevant descendant resources for any parent resources (projects, folders, and organizations) in the query results.
Option: List individual users inside groups
Description: If you enable this option, any groups in the query results are expanded into individual members. If you have sufficient group permissions, nested groups will also be expanded. This expansion is capped at 1,000 members per group.
This option is only available if you don't specify a principal in your query.
Option: List permissions inside roles
Description: If you enable this option, the query results list all permissions inside each role in addition to the role itself.
This option is only available if you don't specify any permissions or roles in your query.
gcloud
This section describes several common flags that you can add when you use the gcloud CLI to analyze allow policies. For a full list of options, see Optional flags.
Flag: --analyze-service-account-impersonation
Description: If this option is enabled, Policy Analyzer runs additional analysis queries to determine who can impersonate the service accounts that have the specified access to the specified resources. Policy Analyzer runs one query for each service account in query results. These queries analyze who has any of the following permissions on the service account:
iam.serviceAccounts.actAs
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
iam.serviceAccounts.implicitDelegation
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
This is a very expensive operation, because it automatically executes many queries. We highly recommend that you export to BigQuery or export to Cloud Storage using analyze-iam-policy-longrunning instead of using analyze-iam-policy.
Flag: --expand-groups
Description: If you enable this option, any groups in the query results are expanded into individual members. If you have sufficient group permissions, nested groups will also be expanded. This expansion is capped at 1,000 members per group.
This option is only effective if you don't specify a principal in your query.
Flag: --expand-resources
Description: If you enable this option, the query results list up to 1,000 relevant descendant resources for any parent resources (projects, folders, and organizations) in the query results.
Flag: --expand-roles
Description: If you enable this option, the query results list all permissions inside each role in addition to the role itself.
This option is only available if you don't specify any permissions or roles in your query.
Flag: --output-group-edges
Description: If you enable this option, the query results output the relevant membership relationships between groups.
Flag: --output-resource-edges
Description: If you enable this option, the query results output the relevant parent/child relationships between resources.
REST
To enable any options, first add an options field to your analysis query. For example:
{
  "analysisQuery": {
    "resourceSelector": {
      "fullResourceName": "//cloudresourcemanager.googleapis.com/projects/my-project"
    },
    "accessSelector": {
      "permissions": [
        "iam.roles.get",
        "iam.roles.list"
      ]
    },
    "options": {
      OPTIONS
    }
  }
}
Replace OPTIONS with the options that you want to enable, in the form "OPTION": true. The following table describes the available options:
Option: analyzeServiceAccountImpersonation
Description: If this option is enabled, Policy Analyzer runs additional analysis queries to determine who can impersonate the service accounts that have the specified access to the specified resources. Policy Analyzer runs one query for each service account in query results. These queries analyze who has any of the following permissions on the service account:
iam.serviceAccounts.actAs
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
iam.serviceAccounts.implicitDelegation
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
This is a very expensive operation, because it automatically executes many queries. We highly recommend that you export to BigQuery or export to Cloud Storage using AnalyzeIamPolicyLongrunning instead of using AnalyzeIamPolicy.
Option: expandGroups
Description: If you enable this option, any groups in the query results are expanded into individual members. If you have sufficient group permissions, nested groups will also be expanded. This expansion is capped at 1,000 members per group.
This option is only effective if you don't specify a principal in your query.
Option: expandResources
Description: If you enable this option, the query results list up to 1,000 relevant descendant resources for any parent resources (projects, folders, and organizations) in the query results.
Option: expandRoles
Description: If you enable this option, the query results list all permissions inside each role in addition to the role itself.
This option is only available if you don't specify any permissions or roles in your query.
Option: outputGroupEdges
Description: If you enable this option, the query results output the relevant membership relationships between groups.
Option: outputResourceEdges
Description: If you enable this option, the query results output the relevant parent/child relationships between resources.
What's next
AnalyzeIamPolicyLongrunning to write to BigQuery or write to Cloud Storage.
Last updated 2025-07-02 UTC.