This page explains how to analyze Identity and Access Management (IAM) policies asynchronously and write results to Cloud Storage. The functionality is mostly equivalent to analyzing IAM policies except the analysis result is written to a Cloud Storage bucket.
Before you begin
You must enable the Cloud Asset API for your project.
If you are using the API to run these queries, you need to set up your environment and a gcurl alias. To set up a gcurl alias, complete the following steps.
If you are on a Compute Engine instance, run the following command.
alias gcurl='curl -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" -H "Content-Type: application/json" -X POST'
If you are not on a Compute Engine instance, run the following command.
alias gcurl='curl -H "$(oauth2l header --json CREDENTIALS cloud-platform)" -H "Content-Type: application/json" -X POST'
Where CREDENTIALS is your credentials file path, such as ~/credentials.json.
Calling AnalyzeIamPolicyLongrunning
The AnalyzeIamPolicyLongrunning method allows you to issue an analysis request and get the results in the specified Cloud Storage bucket.
gcloud
You can call AnalyzeIamPolicyLongrunning on your API-enabled project using the asset analyze-iam-policy-longrunning gcloud command. You must be running Cloud SDK version 314.0.0 or later. You can check your version with the gcloud version command.
gcloud asset analyze-iam-policy-longrunning \
  --organization="ORG_ID" \
  --full-resource-name="FULL_RESOURCE_NAME" \
  --permissions="COMMA_SEPARATED_PERMISSIONS" \
  --gcs-output-path="GCS_OUTPUT_PATH"
For example, to write the analysis results of who has the compute.instances.get and compute.instances.start permissions on the Compute Engine instance ipa-gce-instance-2 under organization 123456789 to the Cloud Storage bucket gcs-bucket-01 with the file name analysis.json:
gcloud asset analyze-iam-policy-longrunning --organization="123456789" \
  --full-resource-name="//compute.googleapis.com/projects/project1/zones/us-central1-a/instances/ipa-gce-instance-2" \
  --permissions="compute.instances.get,compute.instances.start" \
  --gcs-output-path="gs://gcs-bucket-01/analysis.json"
For more options, see the command help:
gcloud asset analyze-iam-policy-longrunning --help
REST
Analyze the IAM policies and write the results using the gcurl alias.
gcurl -d "$JSON_REQUEST" \
  "https://cloudasset.googleapis.com/v1/organizations/${YOUR_ORG_ID}:analyzeIamPolicyLongrunning"
Where:
YOUR_ORG_ID is the organization ID, such as 123456789.
JSON_REQUEST is the analysis request in JSON format. For example, to analyze who has the compute.instances.get and compute.instances.start permissions on the Compute Engine instance ipa-gce-instance-2 under organization 123456789 and write the results to the Cloud Storage bucket gcs-bucket-01 with the file name analysis.json:
JSON_REQUEST='{
  "analysisQuery": {
    "scope": "organizations/123456789",
    "resourceSelector": {
      "fullResourceName": "//compute.googleapis.com/projects/project1/zones/us-central1-a/instances/ipa-gce-instance-2"
    },
    "accessSelector": {
      "permissions": [
        "compute.instances.get",
        "compute.instances.start"
      ]
    }
  },
  "outputConfig": {
    "gcsDestination": {
      "uri": "gs://gcs-bucket-01/analysis.json"
    }
  }
}'
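The following script is an added example, not code from the Cloud Asset documentation or from Google. It builds the same request body as the JSON_REQUEST above, checks the fields that are easiest to get wrong (the scope prefix, the full resource name, the gs:// output path), submits it with a bearer token, and then polls the returned long-running operation until it is done. It assumes the public REST shapes: the POST returns an Operation resource whose name is fetched at v1/{operation.name} until done is true. The token, bucket and IDs are placeholders.

```python
"""Added example (not the documentation's own code): build, validate, submit
and poll an analyzeIamPolicyLongrunning request.

Assumption: the POST returns a long-running Operation that is polled at
GET {API_ROOT}/{operation.name}; the output file lands at the gs:// URI once
the operation reports done=true without an error.
"""
import json
import time
import urllib.request

API_ROOT = "https://cloudasset.googleapis.com/v1"
SCOPE_PREFIXES = ("organizations/", "folders/", "projects/")


def validate(scope, full_resource_name, permissions, gcs_uri):
    """Return a list of problems with the query (empty if it looks well-formed)."""
    problems = []
    if not scope.startswith(SCOPE_PREFIXES):
        problems.append("scope must start with organizations/, folders/ or projects/")
    if not full_resource_name.startswith("//"):
        problems.append("fullResourceName must be a full resource name starting with //")
    if not permissions:
        problems.append("at least one permission is required")
    if not gcs_uri.startswith("gs://"):
        problems.append("output uri must be a gs:// path")
    return problems


def build_request(scope, full_resource_name, permissions, gcs_uri):
    """Return the request body in the shape analyzeIamPolicyLongrunning expects."""
    problems = validate(scope, full_resource_name, permissions, gcs_uri)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "analysisQuery": {
            "scope": scope,
            "resourceSelector": {"fullResourceName": full_resource_name},
            "accessSelector": {"permissions": list(permissions)},
        },
        "outputConfig": {"gcsDestination": {"uri": gcs_uri}},
    }


def request_url(scope):
    return f"{API_ROOT}/{scope}:analyzeIamPolicyLongrunning"


def operation_url(operation_name):
    return f"{API_ROOT}/{operation_name}"


def _call(url, token, body=None):
    """POST body (if given) or GET, with the same headers the gcurl alias sets."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url, data=data, method="POST" if body is not None else "GET",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def submit(scope, body, token):
    """Submit the analysis; the API answers with an Operation, not the results."""
    return _call(request_url(scope), token, body)


def wait_for(operation, token, poll_seconds=5, timeout=600):
    """Poll until done; raise if the operation failed. Returns the final Operation."""
    deadline = time.monotonic() + timeout
    while not operation.get("done"):
        if time.monotonic() > deadline:
            raise TimeoutError(f"operation {operation.get('name')} still running")
        time.sleep(poll_seconds)
        operation = _call(operation_url(operation["name"]), token)
    if "error" in operation:
        raise RuntimeError(f"analysis failed: {operation['error']}")
    return operation


if __name__ == "__main__":
    # Placeholder token; e.g. the output of
    # `gcloud auth application-default print-access-token`.
    TOKEN = "<ACCESS_TOKEN>"
    scope = "organizations/123456789"
    body = build_request(
        scope,
        "//compute.googleapis.com/projects/project1/zones/us-central1-a/instances/ipa-gce-instance-2",
        ["compute.instances.get", "compute.instances.start"],
        "gs://gcs-bucket-01/analysis.json")
    print(json.dumps(body, indent=2))
    op = wait_for(submit(scope, body, TOKEN), TOKEN)
    print("done:", op["name"], "-> read", body["outputConfig"]["gcsDestination"]["uri"])
```

The response to the POST is only an operation handle; the analysis file does not exist in the bucket until the operation reports done without an error, which is why wait_for checks for an error before telling you to read the gs:// path.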
Viewing IAM policy analysis results
To view your IAM policy analysis results:
Go to the Cloud Storage Browser page.
Open the new file you wrote your analysis to.
The results list tuples of {identity, role(s)/permission(s), resource} together with the IAM policies that generate those tuples.
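The script below is an added example, not part of the documentation, showing how to turn a downloaded analysis file into the {identity, permission, resource} tuples described above, each tagged with the binding that produced it. It assumes the file follows the public AnalyzeIamPolicyResponse shape (mainAnalysis.analysisResults[] with iamBinding, accessControlLists and identityList); the sample document embedded in it is constructed, not real output.

```python
"""Added example (not the documentation's own code): flatten an IAM policy
analysis output file into (identity, access, resource) tuples.

Assumption: the file has the AnalyzeIamPolicyResponse shape, i.e.
mainAnalysis.analysisResults[], where each result carries the binding that was
matched (iamBinding), the resources/permissions it grants (accessControlLists)
and the expanded identities (identityList). SAMPLE_OUTPUT is constructed.
"""
import json

INSTANCE = ("//compute.googleapis.com/projects/project1/zones/us-central1-a"
            "/instances/ipa-gce-instance-2")

# Constructed sample: one binding inherited from the project (a group,
# expanded to two users) and one binding directly on the instance.
SAMPLE_OUTPUT = json.dumps({
    "mainAnalysis": {
        "analysisResults": [
            {
                "attachedResourceFullName":
                    "//cloudresourcemanager.googleapis.com/projects/project1",
                "iamBinding": {"role": "roles/compute.instanceAdmin.v1",
                               "members": ["group:ops@example.com"]},
                "accessControlLists": [{
                    "resources": [{"fullResourceName": INSTANCE}],
                    "accesses": [{"permission": "compute.instances.get"},
                                 {"permission": "compute.instances.start"}],
                }],
                "identityList": {"identities": [
                    {"name": "user:alice@example.com"},
                    {"name": "user:bob@example.com"}]},
                "fullyExplored": True,
            },
            {
                "attachedResourceFullName": INSTANCE,
                "iamBinding": {"role": "roles/compute.viewer",
                               "members": ["serviceAccount:sa@project1.iam.gserviceaccount.com"]},
                "accessControlLists": [{
                    "resources": [{"fullResourceName": INSTANCE}],
                    "accesses": [{"permission": "compute.instances.get"}],
                }],
                "identityList": {"identities": [
                    {"name": "serviceAccount:sa@project1.iam.gserviceaccount.com"}]},
                # Marked not fully explored, as the API does when expansion
                # (e.g. of group membership) could not be completed.
                "fullyExplored": False,
            },
        ]
    }
})


def flatten(output_json):
    """Return (identity, access, resource, bound_on, role, fully_explored) rows."""
    doc = json.loads(output_json)
    rows = []
    for result in doc.get("mainAnalysis", {}).get("analysisResults", []):
        role = result.get("iamBinding", {}).get("role")
        bound_on = result.get("attachedResourceFullName", "")
        explored = result.get("fullyExplored", False)
        identities = [i["name"] for i in
                      result.get("identityList", {}).get("identities", [])]
        for acl in result.get("accessControlLists", []):
            # An access is either a permission or a role, never both.
            accesses = [a.get("permission") or a.get("role")
                        for a in acl.get("accesses", [])]
            for res in acl.get("resources", []):
                for identity in identities:
                    for access in accesses:
                        rows.append((identity, access, res["fullResourceName"],
                                     bound_on, role, explored))
    return rows


def who_can(output_json, permission):
    """Distinct identities holding `permission` on any resource in the file."""
    return sorted({row[0] for row in flatten(output_json) if row[1] == permission})


def incomplete(output_json):
    """Binding locations whose identity list may be incomplete (fullyExplored=false)."""
    return sorted({row[3] for row in flatten(output_json) if not row[5]})


if __name__ == "__main__":
    for row in flatten(SAMPLE_OUTPUT):
        print(row)
    print("can start:", who_can(SAMPLE_OUTPUT, "compute.instances.start"))
    print("not fully explored:", incomplete(SAMPLE_OUTPUT))
```

Two details matter when reading real output: identities come from identityList (the expanded members), not from iamBinding.members (which may be a group), and any result with fullyExplored false should be treated as a lower bound on who has access.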
Constructing a query
To learn about other use cases and options for queries, see analyzing IAM policy query samples.