This page provides sample queries to show you how to use the AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning methods for policy analysis.
Before you begin
AnalyzeIamPolicy
You must enable the Cloud Asset API for your project.
If you are using the API to run these queries, you need to set up your environment and gcurl.
To set up a gcurl alias, complete the following steps.
If you are on a Compute Engine instance, run the following command.
alias gcurl='curl -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
  -H "Content-Type: application/json" -X POST -H "X-HTTP-Method-Override: GET"'
If you are not on a Compute Engine instance, run the following command.
alias gcurl='curl -H "$(oauth2l header --json CREDENTIALS cloud-platform)" \
  -H "Content-Type: application/json" -X POST -H "X-HTTP-Method-Override: GET"'
Where CREDENTIALS is your credentials file path, such as ~/credentials.json.
AnalyzeIamPolicyLongrunning
You must enable the Cloud Asset API for your project.
If you are using the API to run these queries, you need to set up your environment and gcurl.
To set up a gcurl alias, complete the following steps.
If you are on a Compute Engine instance, run the following command.
alias gcurl='curl -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
  -H "Content-Type: application/json" -X POST'
If you are not on a Compute Engine instance, run the following command.
alias gcurl='curl -H "$(oauth2l header --json CREDENTIALS cloud-platform)" \
  -H "Content-Type: application/json" -X POST'
Where CREDENTIALS is your credentials file path, such as ~/credentials.json.
Finding identities with specific roles/permissions on a specific resource
To find identities that are granted the iam.serviceAccounts.actAs or the iam.serviceAccounts.get permission on a specified service account, run the following command.
gcloud
gcloud asset GCLOUD_METHOD_NAME \
  --organization="ORG_ID" \
  --full-resource-name="FULL_RESOURCE_NAME" \
  --permissions="COMMA_SEPARATED_PERMISSIONS" \
  --expand-groups \
  --output-group-edges \
  --show-response
For example:
gcloud asset analyze-iam-policy --organization="123456789" \
  --full-resource-name="//iam.googleapis.com/projects/project1/serviceAccounts/sa1@project1.iam.gserviceaccount.com" \
  --permissions="iam.serviceAccounts.actAs,iam.serviceAccounts.get" \
  --expand-groups \
  --output-group-edges \
  --show-response
REST
Create a file request.json for the request body and set its contents to the analysis request in JSON format.
{
  "analysisQuery": {
    "scope": "organizations/ORG_ID",
    "resourceSelector": {
      "fullResourceName": "FULL_RESOURCE_NAME"
    },
    "accessSelector": {
      "permissions": [
        "iam.serviceAccounts.actAs",
        "iam.serviceAccounts.get"
      ]
    },
    "options": {
      "expandGroups": EXPAND_GROUPS,
      "outputGroupEdges": OUTPUT_GROUP_EDGES,
      "outputResourceEdges": OUTPUT_RESOURCE_EDGES,
      "analyzeServiceAccountImpersonation": ANALYZE_SERVICE_ACCOUNT_IMPERSONATION
    }
  }
}
For example:
{
  "analysisQuery": {
    "scope": "organizations/123456789",
    "resourceSelector": {
      "fullResourceName": "//iam.googleapis.com/projects/project1/serviceAccounts/sa1@project1.iam.gserviceaccount.com"
    },
    "accessSelector": {
      "permissions": [
        "iam.serviceAccounts.actAs",
        "iam.serviceAccounts.get"
      ]
    },
    "options": {
      "expandGroups": true,
      "outputGroupEdges": true,
      "outputResourceEdges": false,
      "analyzeServiceAccountImpersonation": false
    }
  }
}
After you create the request.json file, you can run the request with the following command using the gcurl alias.
gcurl -d @request.json \
  "https://cloudasset.googleapis.com/v1/organizations/ORG_ID:REST_ANALYZE_METHOD"
Where:
- ORG_ID is your organization ID, such as 1234567890.
- REST_ANALYZE_METHOD is the analysis method, either analyzeIamPolicy or analyzeIamPolicyLongrunning.
This method returns the identities that appear in the policy and the identities that are granted permissions through group membership. To return only the identities that appear in the policy, disable the --expand-groups and --output-group-edges options.
You can enable the --output-resource-edges option if you want to know how the specified resource inherits the policy from the resource the policy is attached to. For example, if the policy is set on a folder f1, you will see f1-to-project1 and project1-to-sa1 resource edges.
You can enable the --analyze-service-account-impersonation option if you want to find identities that might indirectly access the specified resource through service account impersonation.
Finding identities with any roles/permissions on a specific resource
To find identities that are granted any roles or permissions on a specified service account, run the following command.
gcloud
gcloud asset GCLOUD_METHOD_NAME \
  --organization="ORG_ID" \
  --full-resource-name="FULL_RESOURCE_NAME" \
  --expand-roles
For example:
gcloud asset analyze-iam-policy --organization="123456789" \
  --full-resource-name="//iam.googleapis.com/projects/project1/serviceAccounts/sa1@project1.iam.gserviceaccount.com" \
  --expand-roles
REST
Create a file request.json for the request body and set its contents to the analysis request in JSON format.
{
  "analysisQuery": {
    "scope": "organizations/ORG_ID",
    "resourceSelector": {
      "fullResourceName": "FULL_RESOURCE_NAME"
    },
    "options": {
      "expandRoles": EXPAND_ROLES,
      "expandGroups": EXPAND_GROUPS,
      "outputGroupEdges": OUTPUT_GROUP_EDGES,
      "outputResourceEdges": OUTPUT_RESOURCE_EDGES,
      "analyzeServiceAccountImpersonation": ANALYZE_SERVICE_ACCOUNT_IMPERSONATION
    }
  }
}
For example:
{
  "analysisQuery": {
    "scope": "organizations/123456789",
    "resourceSelector": {
      "fullResourceName": "//iam.googleapis.com/projects/project1/serviceAccounts/sa1@project1.iam.gserviceaccount.com"
    },
    "options": {
      "expandRoles": true,
      "expandGroups": false,
      "outputGroupEdges": false,
      "outputResourceEdges": false,
      "analyzeServiceAccountImpersonation": false
    }
  }
}
After you create the request.json file, you can run the request with the following command using the gcurl alias.
gcurl -d @request.json \
  "https://cloudasset.googleapis.com/v1/organizations/ORG_ID:REST_ANALYZE_METHOD"
Where:
- ORG_ID is your organization ID, such as 1234567890.
- REST_ANALYZE_METHOD is the analysis method, either analyzeIamPolicy or analyzeIamPolicyLongrunning.
This method returns the roles that appear in the policies and the permissions that are included in the policy-attached role. To show only the roles that appear in the policies, disable the --expand-roles option.
You can enable the --expand-groups and the --output-group-edges options to see identities that get permissions through group membership in the result.
You can enable the --output-resource-edges option if you want to know how the specified resource inherits the policy from the resource the policy is attached to. For example, if the policy is set on a folder f1, you will see f1-to-project1 and project1-to-sa1 resource edges.
You can enable the --analyze-service-account-impersonation option if you want to find identities that might indirectly access the specified resource through service account impersonation.
Finding identities with specific roles/permissions under a project
To find identities that are granted the iam.serviceAccounts.actAs or the iam.serviceAccounts.get permission on any service account under a project, run the following command.
gcloud
gcloud asset GCLOUD_METHOD_NAME \
  --organization="ORG_ID" \
  --full-resource-name="FULL_RESOURCE_NAME" \
  --permissions="COMMA_SEPARATED_PERMISSIONS" \
  --expand-resources
For example:
gcloud asset analyze-iam-policy --organization="123456789" \
  --full-resource-name="//cloudresourcemanager.googleapis.com/projects/project1" \
  --permissions="iam.serviceAccounts.actAs" \
  --expand-resources
REST
Create a file request.json for the request body and set its contents to the analysis request in JSON format.
{
  "analysisQuery": {
    "scope": "organizations/ORG_ID",
    "resourceSelector": {
      "fullResourceName": "FULL_RESOURCE_NAME"
    },
    "accessSelector": {
      "permissions": [
        "iam.serviceAccounts.actAs"
      ]
    },
    "options": {
      "expandResources": EXPAND_RESOURCES
    }
  }
}
For example:
{
  "analysisQuery": {
    "scope": "organizations/123456789",
    "resourceSelector": {
      "fullResourceName": "//cloudresourcemanager.googleapis.com/projects/project1"
    },
    "accessSelector": {
      "permissions": [
        "iam.serviceAccounts.actAs"
      ]
    },
    "options": {
      "expandResources": true
    }
  }
}
After you create the request.json file, you can run the request with the following command using the gcurl alias.
gcurl -d @request.json \
  "https://cloudasset.googleapis.com/v1/organizations/ORG_ID:REST_ANALYZE_METHOD"
Where:
- ORG_ID is your organization ID, such as 1234567890.
- REST_ANALYZE_METHOD is the analysis method, either analyzeIamPolicy or analyzeIamPolicyLongrunning.
Finding resources with specific roles/permissions to a specific identity
To find resources that are granted the iam.serviceAccounts.actAs or the iam.serviceAccounts.get permission to a specified user, run the following command.
gcloud
gcloud asset GCLOUD_METHOD_NAME \
  --organization="ORG_ID" \
  --identity="IDENTITY" \
  --permissions="COMMA_SEPARATED_PERMISSIONS"
For example:
gcloud asset analyze-iam-policy --organization="123456789" \
  --identity="user:user1@example.com" \
  --permissions="iam.serviceAccounts.actAs,iam.serviceAccounts.get"
REST
Create a file request.json for the request body and set its contents to the analysis request in JSON format.
{
  "analysisQuery": {
    "scope": "organizations/ORG_ID",
    "identitySelector": {
      "identity": "IDENTITY"
    },
    "accessSelector": {
      "permissions": [
        "iam.serviceAccounts.actAs",
        "iam.serviceAccounts.get"
      ]
    },
    "options": {
      "outputGroupEdges": OUTPUT_GROUP_EDGES,
      "expandResources": EXPAND_RESOURCES,
      "outputResourceEdges": OUTPUT_RESOURCE_EDGES,
      "analyzeServiceAccountImpersonation": ANALYZE_SERVICE_ACCOUNT_IMPERSONATION
    }
  }
}
For example:
{
  "analysisQuery": {
    "scope": "organizations/123456789",
    "identitySelector": {
      "identity": "user:user1@example.com"
    },
    "accessSelector": {
      "permissions": [
        "iam.serviceAccounts.actAs",
        "iam.serviceAccounts.get"
      ]
    },
    "options": {
      "outputGroupEdges": false,
      "expandResources": false,
      "outputResourceEdges": false,
      "analyzeServiceAccountImpersonation": false
    }
  }
}
After you create the request.json file, you can run the request with the following command using the gcurl alias.
gcurl -d @request.json \
  "https://cloudasset.googleapis.com/v1/organizations/ORG_ID:REST_ANALYZE_METHOD"
Where:
- ORG_ID is your organization ID, such as 1234567890.
- REST_ANALYZE_METHOD is the analysis method, either analyzeIamPolicy or analyzeIamPolicyLongrunning.
You can enable the --expand-resources and the --output-resource-edges options to see inherited resources that are granted the specified access to the specified identity.
You can enable the --output-group-edges option if you want to know how the specified identity inherits the access through group membership. For example, if the policy has a member group g1 and user1 is a member of it, you will see a g1-user1 group edge.
You can enable the --analyze-service-account-impersonation option if you want to find resources that might be indirectly accessed by the specified identity through service account impersonation.
Finding resources with any role/permission to a specified identity
To find resources that are granted any role or permission to a specified user, run the following command.
gcloud
gcloud asset GCLOUD_METHOD_NAME \
  --organization="ORG_ID" \
  --identity="IDENTITY" \
  --expand-roles \
  --expand-resources \
  --output-resource-edges \
  --show-response
For example:
gcloud asset analyze-iam-policy --organization="123456789" \
  --identity="user:user1@example.com" \
  --expand-roles \
  --expand-resources \
  --output-resource-edges \
  --show-response
REST
Create a file request.json for the request body and set its contents to the analysis request in JSON format.
{
  "analysisQuery": {
    "scope": "organizations/ORG_ID",
    "identitySelector": {
      "identity": "IDENTITY"
    },
    "options": {
      "expandRoles": EXPAND_ROLES,
      "outputGroupEdges": OUTPUT_GROUP_EDGES,
      "expandResources": EXPAND_RESOURCES,
      "outputResourceEdges": OUTPUT_RESOURCE_EDGES,
      "analyzeServiceAccountImpersonation": ANALYZE_SERVICE_ACCOUNT_IMPERSONATION
    }
  }
}
For example:
{
  "analysisQuery": {
    "scope": "organizations/123456789",
    "identitySelector": {
      "identity": "user:user1@example.com"
    },
    "options": {
      "expandRoles": true,
      "outputGroupEdges": false,
      "expandResources": true,
      "outputResourceEdges": true,
      "analyzeServiceAccountImpersonation": false
    }
  }
}
After you create the request.json file, you can run the request with the following command using the gcurl alias.
gcurl -d @request.json \
  "https://cloudasset.googleapis.com/v1/organizations/ORG_ID:REST_ANALYZE_METHOD"
Where:
- ORG_ID is your organization ID, such as 1234567890.
- REST_ANALYZE_METHOD is the analysis method, either analyzeIamPolicy or analyzeIamPolicyLongrunning.
This method returns the roles that appear in the policies and the permissions that are included in the policy-attached role. To show only the roles that appear in the policies, disable the --expand-roles option.
This command returns the resources that appear in the policies and the inherited resources that are granted any access to the specified identity. To show only the resources that appear in the policies, disable the --expand-resources and the --output-resource-edges options.
You can enable the --output-group-edges option if you want to know how the specified identity inherits the access through group membership. For example, if the policy has a member group g1 and user1 is a member of it, you will see a g1-user1 group edge.
You can enable the --analyze-service-account-impersonation option if you want to find resources that might be indirectly accessed by the specified identity through service account impersonation.
Finding roles/permissions on a specified resource to a specific identity
To find roles or permissions that are granted to a specified user on a specified service account, run the following command.
gcloud
gcloud asset GCLOUD_METHOD_NAME \
  --organization="ORG_ID" \
  --full-resource-name="FULL_RESOURCE_NAME" \
  --identity="IDENTITY" \
  --expand-roles
For example:
gcloud asset analyze-iam-policy --organization="123456789" \
  --full-resource-name="//iam.googleapis.com/projects/project1/serviceAccounts/sa1@project1.iam.gserviceaccount.com" \
  --identity="user:user1@example.com" \
  --expand-roles
REST
Create a file request.json for the request body and set its contents to the analysis request in JSON format.
{
  "analysisQuery": {
    "scope": "organizations/ORG_ID",
    "resourceSelector": {
      "fullResourceName": "FULL_RESOURCE_NAME"
    },
    "identitySelector": {
      "identity": "IDENTITY"
    },
    "options": {
      "expandRoles": EXPAND_ROLES,
      "outputGroupEdges": OUTPUT_GROUP_EDGES,
      "outputResourceEdges": OUTPUT_RESOURCE_EDGES
    }
  }
}
For example:
{
  "analysisQuery": {
    "scope": "organizations/123456789",
    "resourceSelector": {
      "fullResourceName": "//iam.googleapis.com/projects/project1/serviceAccounts/sa1@project1.iam.gserviceaccount.com"
    },
    "identitySelector": {
      "identity": "user:user1@example.com"
    },
    "options": {
      "expandRoles": true,
      "outputGroupEdges": false,
      "outputResourceEdges": false
    }
  }
}
After you create the request.json file, you can run the request with the following command using the gcurl alias.
gcurl -d @request.json \
  "https://cloudasset.googleapis.com/v1/organizations/ORG_ID:REST_ANALYZE_METHOD"
Where:
- ORG_ID is your organization ID, such as 1234567890.
- REST_ANALYZE_METHOD is the analysis method, either analyzeIamPolicy or analyzeIamPolicyLongrunning.
This command returns the roles that appear in the policies and the permissions that are included in the policy-attached role. To show only the roles that appear in the policies, disable the --expand-roles option.
You can enable the --output-group-edges option if you want to know how the specified identity inherits the access through group membership. For example, if the policy has a member group g1 and user1 is a member of it, you will see a g1-user1 group edge.
You can enable the --output-resource-edges option if you want to know how the specified resource inherits the policy from the resource the policy is attached to. For example, if the policy is set on a folder f1, you will see f1-to-project1 and project1-to-sa1 resource edges.
Finding identities and resources with specific roles/permissions
To find identities and resources that are granted the iam.serviceAccounts.actAs permission, run the following command.
gcloud
gcloud asset GCLOUD_METHOD_NAME \
  --organization="ORG_ID" \
  --permissions="COMMA_SEPARATED_PERMISSIONS"
For example:
gcloud asset analyze-iam-policy --organization="123456789" \
  --permissions="iam.serviceAccounts.actAs"
REST
Create a file request.json for the request body and set its contents to the analysis request in JSON format.
{
  "analysisQuery": {
    "scope": "organizations/ORG_ID",
    "accessSelector": {
      "permissions": [
        "iam.serviceAccounts.actAs"
      ]
    },
    "options": {
      "expandGroups": EXPAND_GROUPS,
      "outputGroupEdges": OUTPUT_GROUP_EDGES,
      "expandResources": EXPAND_RESOURCES,
      "outputResourceEdges": OUTPUT_RESOURCE_EDGES
    }
  }
}
For example:
{
  "analysisQuery": {
    "scope": "organizations/123456789",
    "accessSelector": {
      "permissions": [
        "iam.serviceAccounts.actAs"
      ]
    },
    "options": {
      "expandGroups": false,
      "outputGroupEdges": false,
      "expandResources": false,
      "outputResourceEdges": false
    }
  }
}
After you create the request.json file, you can run the request with the following command using the gcurl alias.
gcurl -d @request.json \
  "https://cloudasset.googleapis.com/v1/organizations/ORG_ID:REST_ANALYZE_METHOD"
Where:
- ORG_ID is your organization ID, such as 1234567890.
- REST_ANALYZE_METHOD is the analysis method, either analyzeIamPolicy or analyzeIamPolicyLongrunning.
You can enable the --expand-groups and the --output-group-edges options to see identities that get permissions through group membership in the result.
You can enable the --expand-resources and the --output-resource-edges options to see inherited resources that are granted any access to the specified identity.
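The sample queries above all share one request shape: a scope, one or more of a resourceSelector, identitySelector and accessSelector, and a set of boolean options that mirror the gcloud flags. The following Python helper, added here as an example and not part of the Cloud Asset documentation or client libraries, builds that request body for any of the queries on this page and prepares the same HTTP call the gcurl aliases make, including the X-HTTP-Method-Override: GET header that analyzeIamPolicy needs and analyzeIamPolicyLongrunning does not. The refusal of an empty query and the ACCESS_TOKEN placeholder are assumptions of this example.

```python
import json

# Maps the gcloud flags used on this page to the "options" keys of the
# REST request body; every option is a boolean that defaults to false.
FLAG_TO_OPTION = {
    "--expand-groups": "expandGroups",
    "--expand-roles": "expandRoles",
    "--expand-resources": "expandResources",
    "--output-group-edges": "outputGroupEdges",
    "--output-resource-edges": "outputResourceEdges",
    "--analyze-service-account-impersonation": "analyzeServiceAccountImpersonation",
}


def build_analysis_query(org_id, full_resource_name=None, identity=None,
                         permissions=None, flags=()):
    """Build the analysisQuery body from the inputs the gcloud commands above
    take. Only the selectors that were given are emitted, so resource-only,
    identity-only and permissions-only queries come out like the request.json
    files on this page."""
    query = {"scope": f"organizations/{org_id}"}
    if full_resource_name:
        query["resourceSelector"] = {"fullResourceName": full_resource_name}
    if identity:
        query["identitySelector"] = {"identity": identity}
    if permissions:
        query["accessSelector"] = {"permissions": list(permissions)}
    # Assumption of this example: refuse a query with no selector at all
    # instead of sending a request that selects nothing.
    if len(query) == 1:
        raise ValueError("give at least one of resource, identity or permissions")
    unknown = [f for f in flags if f not in FLAG_TO_OPTION]
    if unknown:
        raise ValueError(f"flags not covered by this page: {unknown}")
    if flags:
        query["options"] = {FLAG_TO_OPTION[f]: True for f in flags}
    return {"analysisQuery": query}


def prepare_request(org_id, body, longrunning=False, token="ACCESS_TOKEN"):
    """Return (method, url, headers, json_body) equivalent to the gcurl aliases
    above: analyzeIamPolicy is sent as a POST carrying X-HTTP-Method-Override:
    GET, analyzeIamPolicyLongrunning as a plain POST. The token placeholder
    stands in for the output of gcloud or oauth2l; nothing is sent here."""
    method = "analyzeIamPolicyLongrunning" if longrunning else "analyzeIamPolicy"
    url = f"https://cloudasset.googleapis.com/v1/organizations/{org_id}:{method}"
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    if not longrunning:
        headers["X-HTTP-Method-Override"] = "GET"
    return "POST", url, headers, json.dumps(body, indent=2)
```

Calling build_analysis_query("123456789", full_resource_name=SA, permissions=["iam.serviceAccounts.actAs", "iam.serviceAccounts.get"], flags=["--expand-groups", "--output-group-edges"]) reproduces the first request.json on this page, and prepare_request turns it into the URL, headers and body that gcurl would send.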