Stay organized with collections Save and categorize content based on your preferences.
This page describes how to troubleshoot Identity and Access Management (IAM) allow, deny, and principal access boundary policies.
Use Policy TroubleshooterIf you need to troubleshoot access for a specific principal, use Policy Troubleshooter for IAM.
Policy Troubleshooter helps you understand whether a principal can access a resource. Given a principal, a resource, and a permission, Policy Troubleshooter examines the allow policies, deny policies, and principal access boundary (PAB) policies that impact the principal's access. Then, it tells you whether, based on those policies, the principal can use the specified permission to access the resource. It also lists the relevant policies and explains how they affect the principal's access.
To learn how to use Policy Troubleshooter to troubleshoot allow policies, deny policies, and principal access boundary policies, see Troubleshoot IAM permissions.
View all allow and deny policies that apply to a resourceIn Google Cloud, the following allow and deny policies affect access to a resource:
The allow and deny policies of parent projects, folders, and organizations affect access to a resource because of policy inheritance. When you attach an allow or deny policy to a project, folder, or organization, that policy also applies for all resources inside that project, folder, or organization.
For example, if a deny policy for an organization says that a principal can't use a specific permission, then the principal can't use that permission for any resource within the organization. This rule applies even if the folders and projects within that organization have more permissive deny policies, or allow policies that give the principal the permission.
Similarly, if an allow policy for a project gives a principal a specific permission, then the principal has that permission for any resource within the project, provided that they aren't denied that permission.
The union of all of these policies is called the applicable policy or effective policy for the resource.
In Google Cloud, you can get a list of all of the allow and deny policies that affect access to a project by using the gcloud beta projects get-ancestors-iam-policy command with the --include-deny flag. Together, these policies make up the applicable policy for the project. You can investigate each policy to see how it affects the principal's access.
Before using any of the command data below, make the following replacements:
PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.Execute the gcloud beta projects get-ancestors-iam-policy command:
gcloud beta projects get-ancestors-iam-policy PROJECT_ID --include-deny --format=jsonWindows (PowerShell)
gcloud beta projects get-ancestors-iam-policy PROJECT_ID --include-deny --format=jsonWindows (cmd.exe)
gcloud beta projects get-ancestors-iam-policy PROJECT_ID --include-deny --format=json
The response contains the allow and deny policies for the project; any folders that are ancestors of the project; and the organization. The following example shows allow policies for the organization 1234567890123 and the project my-project, as well as a deny policy for the project my-project:
[
{
"id": "1234567890123",
"policy": {
"bindings": [
{
"members": [
"group:cloud-admins@example.com"
],
"role": "roles/iam.denyAdmin"
},
{
"members": [
"user:raha@example.com"
],
"role": "roles/iam.serviceAccountAdmin"
}
],
"etag": "BwXW6Eab7TI=",
"version": 1
},
"type": "organization"
},
{
"id": "my-project",
"policy": {
"bindings": [
{
"members": [
"group:cloud-admins@example.com"
],
"role": "roles/owner"
}
],
"etag": "BwXXjOM7L6M=",
"type": "project"
}
},
{
"id": "my-project",
"policy": {
"createTime": "2022-02-14T21:46:35.865279Z",
"displayName": "My deny policy",
"etag": "MTgyMzg2ODcwNTEyMjMxMTM3Mjg=",
"kind": "DenyPolicy",
"name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F123456789012/denypolicies/my-deny-policy",
"rules": [
{
"denyRule": {
"deniedPermissions": [
"iam.googleapis.com/serviceAccounts.create"
],
"deniedPrincipals": [
"user:raha@example.com"
]
},
"description": "Prevent service account creation"
}
],
"uid": "c83e3dc3-d8a6-6f51-4018-814e9f200b05",
"updateTime": "2022-02-14T21:46:35.865279Z"
},
"type": "project"
}
]
In this example, Raha is granted the Service Account Admin role (roles/iam.serviceAccountAdmin) on the organization, but the project has a deny policy that prevents Raha from using the permission iam.googleapis.com/serviceAccounts.create. As a result, if Raha tries to create a service account in the project my-project, the request will be denied.
In some cases, you might only need to view the effective allow policy for a resource—for example, if your organization doesn't use deny policies. In these cases, you can use the following methods to view the effective allow policy:
View the resource's IAM allow policy in the Google Cloud console. The Google Cloud console automatically shows each resource's effective policy.
To learn how to view a resource's IAM allow policy in the Google Cloud console, see View current access.
Use the Cloud Asset API to get the resource's effective allow policy. To learn more, see Viewing effective IAM policies.
If you need to locate a specific role binding in an allow policy, you can search the allow policy.
Cloud Asset Inventory lets you search allow policies for role bindings that match the specified parameters. You can use a variety of search parameters, including the following:
For more information, see Searching IAM allow policies.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-07-02 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-07-02 UTC."],[[["Policy Troubleshooter for IAM helps determine if a principal can access a resource by examining allow policies, deny policies, and principal access boundary (PAB) policies, and it provides details on the relevant policies."],["Allow and deny policies at the resource, project, folder, and organization levels can affect access to a resource due to policy inheritance, where policies applied to parent entities are inherited by resources within them."],["The `gcloud beta projects get-ancestors-iam-policy` command with the `--include-deny` flag can be used to list all allow and deny policies that affect access to a project, collectively forming the effective policy."],["Even if a principal is granted a permission via an allow policy, a deny policy can override it, preventing the principal from using that permission on specific resources, as illustrated with the example of Raha and service account creation."],["Cloud asset inventory can be used to locate specific roles bindings through a search feature that uses parameters such as the resource type, principal type, role, project, folder, and organization."]]],[]]
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4