Writing policy analysis to Cloud Storage

This page explains how to analyze Identity and Access Management (IAM) policies asynchronously and write the results to Cloud Storage. The functionality is mostly equivalent to analyzing IAM policies, except that the analysis result is written to a Cloud Storage bucket instead of being returned in the response.

Before you begin

  • You must enable the Cloud Asset API for your project.

  • If you are using the API to run these queries, you need to set up your environment and gcurl.

    1. Set up your environment.

    2. To set up a gcurl alias, complete the following steps.

      If you are on a Compute Engine instance, run the following command.

      alias gcurl='curl -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
      -H "Content-Type: application/json" -X POST'

      If you are not on a Compute Engine instance, run the following command.

      alias gcurl='curl -H "$(oauth2l header --json CREDENTIALS cloud-platform)" \
      -H "Content-Type: application/json" -X POST'

      Where CREDENTIALS is your credentials file path, such as ~/credentials.json.

Calling AnalyzeIamPolicyLongrunning

The AnalyzeIamPolicyLongrunning method allows you to issue an analysis request and get results in the specified Cloud Storage bucket.

gcloud

You can call AnalyzeIamPolicyLongrunning on your API-enabled project using the asset analyze-iam-policy-longrunning gcloud command. You must be running Cloud SDK version 314.0.0 or later; you can check your version with the gcloud version command.

gcloud asset analyze-iam-policy-longrunning \
    --organization="ORG_ID" \
    --full-resource-name="FULL_RESOURCE_NAME" \
    --permissions="COMMA_SEPARATED_PERMISSIONS" \
    --gcs-output-path="GCS_OUTPUT_PATH"

For example, to write the analysis of who has the compute.instances.get and compute.instances.start permissions on the Compute Engine instance ipa-gce-instance-2 under organization 123456789 to the Cloud Storage bucket gcs-bucket-01, with the file name analysis.json:

gcloud asset analyze-iam-policy-longrunning --organization="123456789" \
    --full-resource-name="//compute.googleapis.com/projects/project1/zones/us-central1-a/instances/ipa-gce-instance-2" \
    --permissions="compute.instances.get,compute.instances.start" \
    --gcs-output-path="gs://gcs-bucket-01/analysis.json"

For more options, see the command help:

gcloud asset analyze-iam-policy-longrunning --help

REST

Analyze the IAM policies and write the results by using the gcurl alias.

gcurl -d "$JSON_REQUEST" \
"https://cloudasset.googleapis.com/v1/organizations/${YOUR_ORG_ID}:analyzeIamPolicyLongrunning"

Where:

  • YOUR_ORG_ID is the organization ID, such as 123456789.

  • JSON_REQUEST is the analysis request in JSON format. For example, to analyze who has the compute.instances.get and compute.instances.start permissions on the Compute Engine instance ipa-gce-instance-2 under organization 123456789 and write the result to the Cloud Storage bucket gcs-bucket-01 with the file name analysis.json:

    JSON_REQUEST='{
      "analysisQuery":{
        "scope":"organizations/123456789",
        "resourceSelector":{
           "fullResourceName":"//compute.googleapis.com/projects/project1/zones/us-central1-a/instances/ipa-gce-instance-2"
        },
        "accessSelector":{
           "permissions":[
              "compute.instances.get",
              "compute.instances.start"
           ]
        }
      },
      "outputConfig":{
        "gcsDestination":{
           "uri":"gs://gcs-bucket-01/analysis.json"
        }
      }
    }'

Viewing IAM policy analysis results

To view your IAM policy analysis results:

  1. Go to the Cloud Storage Browser page.

  2. Open the new file you wrote your analysis to.

The results list tuples of {identity, role(s)/permission(s), resource} together with the IAM policies that generate those tuples.
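As an added Python example (not code from the original page or from the Cloud Asset API client libraries), the request body from the REST section built with checks on the scope, full resource name and gs:// destination, plus a helper that reduces an analysis document to the {identity, access, resource} tuples this section describes, each tagged with the policy binding that grants it. The output layout (analysisResults entries with attachedResourceFullName, iamBinding, accessControlLists and identityList), the constructed sample document and the helper names are assumptions.

```python
import re

# Scope prefixes accepted by analysisQuery.scope (folders/ and projects/ are assumed here).
_SCOPE_RE = re.compile(r"^(organizations|folders|projects)/[^/]+$")
_GCS_RE = re.compile(r"^gs://[^/]+/.+$")  # gs://BUCKET/OBJECT, not a bare bucket

def build_request(scope, full_resource_name, permissions, gcs_uri):
    """Build the analyzeIamPolicyLongrunning request body shown on this page,
    rejecting mistakes that would otherwise surface only as a failed operation."""
    if not _SCOPE_RE.match(scope):
        raise ValueError(f"scope must look like organizations/ID, got {scope!r}")
    if not full_resource_name.startswith("//"):
        raise ValueError("fullResourceName must be a full resource name starting with //")
    if not _GCS_RE.match(gcs_uri):
        raise ValueError("gcsDestination.uri must be gs://BUCKET/OBJECT")
    perms = sorted(set(permissions))
    if not perms:
        raise ValueError("at least one permission is required")
    return {
        "analysisQuery": {
            "scope": scope,
            "resourceSelector": {"fullResourceName": full_resource_name},
            "accessSelector": {"permissions": perms},
        },
        "outputConfig": {"gcsDestination": {"uri": gcs_uri}},
    }

def flatten_results(analysis):
    """Reduce an analysis document to sorted (identity, access, resource, binding)
    tuples; binding names the IAM policy (resource:role) that grants the access."""
    out = set()
    for r in analysis.get("analysisResults", []):
        binding = f"{r['attachedResourceFullName']}:{r['iamBinding']['role']}"
        idents = [i["name"] for i in r.get("identityList", {}).get("identities", [])]
        for acl in r.get("accessControlLists", []):
            accesses = [a.get("permission") or a.get("role") for a in acl.get("accesses", [])]
            for res in acl.get("resources", []):
                out.update((i, a, res["fullResourceName"], binding) for i in idents for a in accesses)
    return sorted(out)

# Constructed sample in the assumed IamPolicyAnalysisResult shape (not a real analysis.json).
INSTANCE = "//compute.googleapis.com/projects/project1/zones/us-central1-a/instances/ipa-gce-instance-2"
SAMPLE_ANALYSIS = {"analysisResults": [{
    "attachedResourceFullName": "//cloudresourcemanager.googleapis.com/projects/project1",
    "iamBinding": {"role": "roles/compute.instanceAdmin", "members": ["group:ops@example.com"]},
    "accessControlLists": [{"resources": [{"fullResourceName": INSTANCE}],
                            "accesses": [{"permission": "compute.instances.get"}, {"permission": "compute.instances.start"}]}],
    "identityList": {"identities": [{"name": "user:alice@example.com"}, {"name": "user:bob@example.com"}]},
}]}
```

The rejected scope value `organization/123456789` (singular) is the kind of typo that the validation catches before the operation is submitted.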

Constructing a query

To learn about other use cases and options for queries, see analyzing IAM policy query samples.