Query samples

This page provides sample queries to show you how to use the AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning methods for policy analysis.

Before you begin

AnalyzeIamPolicy

  • You must enable the Cloud Asset API for your project.

  • If you are using the API to run these queries, you need to set up your environment and gcurl.

  1. Set up your environment.

  2. To set up a gcurl alias, complete the following steps.

    If you are on a Compute Engine instance, run the following command.

    alias gcurl='curl -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
    -H "Content-Type: application/json" -X POST -H "X-HTTP-Method-Override: GET"'
    

    If you are not on a Compute Engine instance, run the following command.

    alias gcurl='curl -H "$(oauth2l header --json CREDENTIALS cloud-platform)" \
    -H "Content-Type: application/json" -X POST -H "X-HTTP-Method-Override: GET"'
    

    Where CREDENTIALS is your credentials file path, such as ~/credentials.json.

AnalyzeIamPolicyLongrunning

  • You must enable the Cloud Asset API for your project.

  • If you are using the API to run these queries, you need to set up your environment and gcurl.

  1. Set up your environment.

  2. To set up a gcurl alias, complete the following steps.

    If you are on a Compute Engine instance, run the following command.

    alias gcurl='curl -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
    -H "Content-Type: application/json" -X POST'
    

    If you are not on a Compute Engine instance, run the following command.

    alias gcurl='curl -H "$(oauth2l header --json CREDENTIALS cloud-platform)" \
    -H "Content-Type: application/json" -X POST'
    

    Where CREDENTIALS is your credentials file path, such as ~/credentials.json.

Finding identities with specific roles/permissions on a specific resource

To find identities that are granted the iam.serviceAccounts.actAs or the iam.serviceAccounts.get permission on a specified service account, run the following command.

gcloud

gcloud asset GCLOUD_METHOD_NAME \
    --organization="ORG_ID" \
    --full-resource-name="FULL_RESOURCE_NAME" \
    --permissions="COMMA_SEPARATED_PERMISSIONS" \
    --expand-groups \
    --output-group-edges \
    --show-response

For example:

gcloud asset analyze-iam-policy --organization="123456789" \
    --full-resource-name="//iam.googleapis.com/projects/project1/serviceAccounts/sa1@project1.iam.gserviceaccount.com" \
    --permissions="iam.serviceAccounts.actAs,iam.serviceAccounts.get" \
    --expand-groups \
    --output-group-edges \
    --show-response

REST

  1. Create a file request.json for the request body and set its contents to the analysis request in JSON format.

    {
      "analysisQuery":{
        "scope":"organizations/ORG_ID",
        "resourceSelector":{
           "fullResourceName":"FULL_RESOURCE_NAME"
        },
        "accessSelector":{
           "permissions":[
              "iam.serviceAccounts.actAs",
              "iam.serviceAccounts.get"
           ]
        },
        "options":{
           "expandGroups":EXPAND_GROUPS,
           "outputGroupEdges":OUTPUT_GROUP_EDGES,
           "outputResourceEdges":OUTPUT_RESOURCE_EDGES,
           "analyzeServiceAccountImpersonation":ANALYZE_SERVICE_ACCOUNT_IMPERSONATION
        }
      }
    }
    

    For example:

    {
      "analysisQuery":{
        "scope":"organizations/123456789",
        "resourceSelector":{
           "fullResourceName":"//iam.googleapis.com/projects/project1/serviceAccounts/sa1@project1.iam.gserviceaccount.com"
        },
        "accessSelector":{
           "permissions":[
              "iam.serviceAccounts.actAs",
              "iam.serviceAccounts.get"
           ]
        },
        "options":{
           "expandGroups":true,
           "outputGroupEdges":true,
           "outputResourceEdges":false,
           "analyzeServiceAccountImpersonation":false
        }
      }
    }
    
  2. After you create the request.json file, run the request with the following command using the gcurl alias.

    gcurl -d @request.json  \
    "https://cloudasset.googleapis.com/v1/organizations/ORG_ID:REST_ANALYZE_METHOD"
    

    Where:

    • ORG_ID is your organization ID, such as 1234567890.
    • REST_ANALYZE_METHOD is the analysis method, either analyzeIamPolicy or analyzeIamPolicyLongrunning.

This method returns the identities that appear in the policy and the identities that are granted permissions through group membership. To return only the identities that appear in the policy, disable the --expand-groups and --output-group-edges options.

You can enable the --output-resource-edges option if you want to know how the specified resource inherits the policy from the policy-attached resource. For example, if the policy is set on a folder f1, you will see f1-to-project1 and project1-to-sa1 resource edges.

You can enable the --analyze-service-account-impersonation option if you want to find identities who might indirectly access the specified resource through service account impersonation.
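The gcloud and REST forms above express the same query, and the later sections of this page only vary which selectors (resource, identity, permissions) and which options are set. The following Python script is added here as an example; it is not part of the Cloud Asset documentation or tooling. It builds the REST request body and the equivalent gcloud argument list from one set of parameters, so the two stay consistent, and rejects a query that sets no selector at all. The option and flag names are the ones shown on this page; the function names are my own.

```python
"""Build an AnalyzeIamPolicy request body and the matching gcloud command.

Added example; assumes only the flags and option keys documented on this page.
"""
import json
import shlex

# REST "options" key -> gcloud flag, as documented on this page.
OPTION_FLAGS = {
    "expandGroups": "--expand-groups",
    "expandRoles": "--expand-roles",
    "expandResources": "--expand-resources",
    "outputGroupEdges": "--output-group-edges",
    "outputResourceEdges": "--output-resource-edges",
    "analyzeServiceAccountImpersonation": "--analyze-service-account-impersonation",
}


def _check(full_resource_name, identity, permissions, options):
    unknown = set(options) - set(OPTION_FLAGS)
    if unknown:
        raise ValueError(f"unknown option(s): {sorted(unknown)}")
    if not (full_resource_name or identity or permissions):
        # A query with no selector would ask for every binding in the scope;
        # refuse it here rather than discover the mistake in the response.
        raise ValueError("set at least one of full_resource_name, identity, permissions")


def build_analysis_request(org_id, full_resource_name=None, identity=None,
                           permissions=None, **options):
    """Return the JSON-serialisable body for organizations/ORG_ID:analyzeIamPolicy."""
    _check(full_resource_name, identity, permissions, options)
    query = {"scope": f"organizations/{org_id}"}
    if full_resource_name:
        query["resourceSelector"] = {"fullResourceName": full_resource_name}
    if identity:
        query["identitySelector"] = {"identity": identity}
    if permissions:
        query["accessSelector"] = {"permissions": list(permissions)}
    if options:
        query["options"] = {key: bool(value) for key, value in options.items()}
    return {"analysisQuery": query}


def gcloud_command(org_id, full_resource_name=None, identity=None,
                   permissions=None, **options):
    """Return argv for the equivalent `gcloud asset analyze-iam-policy` call."""
    _check(full_resource_name, identity, permissions, options)
    argv = ["gcloud", "asset", "analyze-iam-policy", f"--organization={org_id}"]
    if full_resource_name:
        argv.append(f"--full-resource-name={full_resource_name}")
    if identity:
        argv.append(f"--identity={identity}")
    if permissions:
        argv.append("--permissions=" + ",".join(permissions))
    # Boolean options become bare flags; false ones are omitted (gcloud default).
    argv += [OPTION_FLAGS[key] for key, value in options.items() if value]
    return argv


def gcloud_command_line(*args, **kwargs):
    """Shell-quoted form of gcloud_command, safe to paste into a terminal."""
    return shlex.join(gcloud_command(*args, **kwargs))


if __name__ == "__main__":
    SA = "//iam.googleapis.com/projects/project1/serviceAccounts/sa1@project1.iam.gserviceaccount.com"
    spec = dict(full_resource_name=SA,
                permissions=["iam.serviceAccounts.actAs", "iam.serviceAccounts.get"],
                expandGroups=True, outputGroupEdges=True)
    # Write request.json for the gcurl step and print the gcloud equivalent.
    with open("request.json", "w") as fh:
        json.dump(build_analysis_request("123456789", **spec), fh, indent=2)
    print(gcloud_command_line("123456789", **spec))
```

The body written to request.json is what the gcurl step in the REST tab expects; the printed command is the gcloud tab's equivalent for the same parameters.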

Finding identities with any roles/permissions on a specific resource

To find identities that are granted any roles or permissions on a specified service account, run the following command.

gcloud

gcloud asset GCLOUD_METHOD_NAME \
    --organization="ORG_ID" \
    --full-resource-name="FULL_RESOURCE_NAME" \
    --expand-roles

For example:

gcloud asset analyze-iam-policy --organization="123456789" \
    --full-resource-name="//iam.googleapis.com/projects/project1/serviceAccounts/sa1@project1.iam.gserviceaccount.com" \
    --expand-roles

REST

  1. Create a file request.json for the request body and set its contents to the analysis request in JSON format.

    {
      "analysisQuery":{
        "scope":"organizations/ORG_ID",
        "resourceSelector":{
           "fullResourceName":"FULL_RESOURCE_NAME"
        },
        "options":{
           "expandRoles":EXPAND_ROLES,
           "expandGroups":EXPAND_GROUPS,
           "outputGroupEdges":OUTPUT_GROUP_EDGES,
           "outputResourceEdges":OUTPUT_RESOURCE_EDGES,
           "analyzeServiceAccountImpersonation":ANALYZE_SERVICE_ACCOUNT_IMPERSONATION
        }
      }
    }
    

    For example:

    {
      "analysisQuery":{
        "scope":"organizations/123456789",
        "resourceSelector":{
           "fullResourceName":"//iam.googleapis.com/projects/project1/serviceAccounts/sa1@project1.iam.gserviceaccount.com"
        },
        "options":{
           "expandRoles":true,
           "expandGroups":false,
           "outputGroupEdges":false,
           "outputResourceEdges":false,
           "analyzeServiceAccountImpersonation":false
        }
      }
    }
    
  2. After you create the request.json file, run the request with the following command using the gcurl alias.

    gcurl -d @request.json  \
    "https://cloudasset.googleapis.com/v1/organizations/ORG_ID:REST_ANALYZE_METHOD"
    

    Where:

    • ORG_ID is your organization ID, such as 1234567890.
    • REST_ANALYZE_METHOD is the analysis method, either analyzeIamPolicy or analyzeIamPolicyLongrunning.

This method returns the roles that appear in the policies and the permissions that are included in the policy-attached role. To show only the roles that appear in the policies, disable the --expand-roles option.

You can enable the --expand-groups and the --output-group-edges options to see identities who get permissions through group membership in the result.

You can enable the --output-resource-edges option if you want to know how the specified resource inherits the policy from the policy-attached resource. For example, if the policy is set on a folder f1, you will see f1-to-project1 and project1-to-sa1 resource edges.

You can enable the --analyze-service-account-impersonation option if you want to find identities who might indirectly access the specified resource through service account impersonation.

Finding identities with specific roles/permissions under a project

To find identities that are granted the iam.serviceAccounts.actAs or the iam.serviceAccounts.get permission on any service account under a project, run the following command.

gcloud

gcloud asset GCLOUD_METHOD_NAME \
    --organization="ORG_ID" \
    --full-resource-name="FULL_RESOURCE_NAME" \
    --permissions="COMMA_SEPARATED_PERMISSIONS" \
    --expand-resources

For example:

gcloud asset analyze-iam-policy --organization="123456789" \
    --full-resource-name="//cloudresourcemanager.googleapis.com/projects/project1" \
    --permissions="iam.serviceAccounts.actAs" \
    --expand-resources

REST

  1. Create a file request.json for the request body and set its contents to the analysis request in JSON format.

    {
      "analysisQuery":{
        "scope":"organizations/ORG_ID",
        "resourceSelector":{
           "fullResourceName":"FULL_RESOURCE_NAME"
        },
        "accessSelector":{
           "permissions":[
              "iam.serviceAccounts.actAs"
           ]
        },
        "options":{
           "expandResources":EXPAND_RESOURCES
        }
      }
    }
    

    For example:

    {
      "analysisQuery":{
        "scope":"organizations/123456789",
        "resourceSelector":{
           "fullResourceName":"//cloudresourcemanager.googleapis.com/projects/project1"
        },
        "accessSelector":{
           "permissions":[
              "iam.serviceAccounts.actAs"
           ]
        },
        "options":{
           "expandResources":true
        }
      }
    }
    
  2. After you create the request.json file, run the request with the following command using the gcurl alias.

    gcurl -d @request.json  \
    "https://cloudasset.googleapis.com/v1/organizations/ORG_ID:REST_ANALYZE_METHOD"
    

    Where:

    • ORG_ID is your organization ID, such as 1234567890.
    • REST_ANALYZE_METHOD is the analysis method, either analyzeIamPolicy or analyzeIamPolicyLongrunning.

Finding resources with specific roles/permissions to a specific identity

To find resources that are granted the iam.serviceAccounts.actAs or the iam.serviceAccounts.get permission to a specified user, run the following command.

gcloud

gcloud asset GCLOUD_METHOD_NAME \
    --organization="ORG_ID" \
    --identity="IDENTITY" \
    --permissions="COMMA_SEPARATED_PERMISSIONS"

For example:

gcloud asset analyze-iam-policy --organization="123456789" \
    --identity="user:user1@example.com" \
    --permissions="iam.serviceAccounts.actAs,iam.serviceAccounts.get"

REST

  1. Create a file request.json for the request body and set its contents to the analysis request in JSON format.

    {
      "analysisQuery":{
        "scope":"organizations/ORG_ID",
        "identitySelector":{
           "identity":"IDENTITY"
        },
        "accessSelector":{
           "permissions":[
              "iam.serviceAccounts.actAs",
              "iam.serviceAccounts.get"
           ]
        },
        "options":{
           "outputGroupEdges":OUTPUT_GROUP_EDGES,
           "expandResources":EXPAND_RESOURCES,
           "outputResourceEdges":OUTPUT_RESOURCE_EDGES,
           "analyzeServiceAccountImpersonation":ANALYZE_SERVICE_ACCOUNT_IMPERSONATION
        }
      }
    }
    

    For example:

    {
      "analysisQuery":{
        "scope":"organizations/123456789",
        "identitySelector":{
           "identity":"user:user1@example.com"
        },
        "accessSelector":{
           "permissions":[
              "iam.serviceAccounts.actAs",
              "iam.serviceAccounts.get"
           ]
        },
        "options":{
           "outputGroupEdges":false,
           "expandResources":false,
           "outputResourceEdges":false,
           "analyzeServiceAccountImpersonation":false
        }
      }
    }
    
  2. After you create the request.json file, run the request with the following command using the gcurl alias.

    gcurl -d @request.json  \
    "https://cloudasset.googleapis.com/v1/organizations/ORG_ID:REST_ANALYZE_METHOD"
    

    Where:

    • ORG_ID is your organization ID, such as 1234567890.
    • REST_ANALYZE_METHOD is the analysis method, either analyzeIamPolicy or analyzeIamPolicyLongrunning.

You can enable the --expand-resources and the --output-resource-edges options to see inherited resources that are granted the specified access to the specified identity.

You can enable the --output-group-edges option if you want to know how the specified identity inherits the access through group membership. For example, if the policy has a member group g1 and user1 is a member of g1, you will see a g1-user1 group edge.

You can enable the --analyze-service-account-impersonation option if you want to find resources that might be indirectly accessed by the specified identity through service account impersonation.
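The group edges described in this section (g1 to user1) and the resource edges described in the sections above (f1 to project1 to sa1) are what let you reconstruct why a derived identity or resource appears in the result. The following Python script is added as an example and is not Google's code: it flattens an AnalyzeIamPolicy response into (identity, access, resource) rows and, from the groupEdges and resourceEdges, recovers the path by which each identity and resource was derived, so a reviewer can separate what is literally in the policy from what is inherited. The response is a constructed sample shaped like the v1 response as I understand it (mainAnalysis.analysisResults, each with attachedResourceFullName, iamBinding, accessControlLists and identityList); field names not shown on this page are assumptions, and the function names are my own.

```python
"""Flatten an AnalyzeIamPolicy response and explain derived identities/resources.

Added example. The response layout below is assumed from the v1 API; only the
edge concepts (group edges, resource edges) come from the documentation page.
"""
import json

F1 = "//cloudresourcemanager.googleapis.com/folders/f1"
P1 = "//cloudresourcemanager.googleapis.com/projects/project1"
SA1 = "//iam.googleapis.com/projects/project1/serviceAccounts/sa1@project1.iam.gserviceaccount.com"

# Constructed sample: a binding on folder f1 grants roles/iam.serviceAccountUser
# to group g1. With expandGroups, expandResources, outputGroupEdges and
# outputResourceEdges enabled, the result also lists member user1, the inherited
# resources project1 and sa1, and the edges that connect them.
SAMPLE_RESPONSE = json.loads(json.dumps({
    "mainAnalysis": {
        "analysisResults": [{
            "attachedResourceFullName": F1,
            "iamBinding": {"role": "roles/iam.serviceAccountUser",
                           "members": ["group:g1@example.com"]},
            "accessControlLists": [{
                "resources": [{"fullResourceName": r} for r in (F1, P1, SA1)],
                "accesses": [{"role": "roles/iam.serviceAccountUser"},
                             {"permission": "iam.serviceAccounts.actAs"},
                             {"permission": "iam.serviceAccounts.get"}],
                "resourceEdges": [{"sourceNode": F1, "targetNode": P1},
                                  {"sourceNode": P1, "targetNode": SA1}],
            }],
            "identityList": {
                "identities": [{"name": "group:g1@example.com"},
                               {"name": "user:user1@example.com"}],
                "groupEdges": [{"sourceNode": "group:g1@example.com",
                                "targetNode": "user:user1@example.com"}],
            },
        }],
        "fullyExplored": True,
    }
}))


def _paths(edges, roots):
    """Map every node reachable from roots to its path, following sourceNode -> targetNode."""
    children = {}
    for edge in edges:
        children.setdefault(edge["sourceNode"], []).append(edge["targetNode"])
    paths = {root: [root] for root in roots}
    stack = list(roots)
    while stack:
        node = stack.pop()
        for child in children.get(node, []):
            if child not in paths:          # first path found wins; avoids cycles
                paths[child] = paths[node] + [child]
                stack.append(child)
    return paths


def flatten(response):
    """Return one row per (identity, access, resource), each with its derivation paths."""
    rows = []
    for result in response["mainAnalysis"]["analysisResults"]:
        members = result["iamBinding"]["members"]
        identity_list = result.get("identityList", {})
        # Group edges start at the binding's members and lead to expanded members.
        identity_paths = _paths(identity_list.get("groupEdges", []), members)
        identities = [i["name"] for i in identity_list.get("identities", [])] or members
        for acl in result.get("accessControlLists", []):
            # Resource edges start at the resource the policy is attached to.
            resource_paths = _paths(acl.get("resourceEdges", []),
                                    [result["attachedResourceFullName"]])
            for resource in acl.get("resources", []):
                name = resource["fullResourceName"]
                for access in acl.get("accesses", []):
                    for identity in identities:
                        rows.append({
                            "identity": identity,
                            "access": access.get("role") or access.get("permission"),
                            "resource": name,
                            "identity_path": identity_paths.get(identity, [identity]),
                            "resource_path": resource_paths.get(name, [name]),
                        })
    return rows


def direct_only(rows):
    """Rows whose identity and resource appear literally in the policy (no edges)."""
    return [r for r in rows if len(r["identity_path"]) == 1 and len(r["resource_path"]) == 1]


def explain(row):
    return (f"{row['identity']} has {row['access']} on {row['resource']} "
            f"(identity via {' -> '.join(row['identity_path'])}; "
            f"resource via {' -> '.join(row['resource_path'])})")


if __name__ == "__main__":
    for row in flatten(SAMPLE_RESPONSE):
        print(explain(row))
```

Rows with a one-element identity path and a one-element resource path are exactly what the query returns with group and resource expansion disabled; the longer paths show the inheritance the page describes (f1 to project1 to sa1) and the group membership (g1 to user1), which is the information an access reviewer needs before deciding whether a grant is intended.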

Finding resources with any role/permission to a specified identity

To find resources that are granted any role or permission to a specified user, run the following command.

gcloud

gcloud asset GCLOUD_METHOD_NAME \
    --organization="ORG_ID" \
    --identity="IDENTITY" \
    --expand-roles \
    --expand-resources \
    --output-resource-edges \
    --show-response

For example:

gcloud asset analyze-iam-policy --organization="123456789" \
    --identity="user:user1@example.com" \
    --expand-roles \
    --expand-resources \
    --output-resource-edges \
    --show-response

REST

  1. Create a file request.json for the request body and set its contents to the analysis request in JSON format.

    {
      "analysisQuery":{
        "scope":"organizations/ORG_ID",
        "identitySelector":{
           "identity":"IDENTITY"
        },
        "options":{
           "expandRoles":EXPAND_ROLES,
           "outputGroupEdges":OUTPUT_GROUP_EDGES,
           "expandResources":EXPAND_RESOURCES,
           "outputResourceEdges":OUTPUT_RESOURCE_EDGES,
           "analyzeServiceAccountImpersonation":ANALYZE_SERVICE_ACCOUNT_IMPERSONATION
        }
      }
    }
    

    For example:

    {
      "analysisQuery":{
        "scope":"organizations/123456789",
        "identitySelector":{
           "identity":"user:user1@example.com"
        },
        "options":{
           "expandRoles":true,
           "outputGroupEdges":false,
           "expandResources":true,
           "outputResourceEdges":true,
           "analyzeServiceAccountImpersonation":false
        }
      }
    }
    
  2. After you create the request.json file, run the request with the following command using the gcurl alias.

    gcurl -d @request.json  \
    "https://cloudasset.googleapis.com/v1/organizations/ORG_ID:REST_ANALYZE_METHOD"
    

    Where:

    • ORG_ID is your organization ID, such as 1234567890.
    • REST_ANALYZE_METHOD is the analysis method, either analyzeIamPolicy or analyzeIamPolicyLongrunning.

This method returns the roles that appear in the policies and the permissions that are included in the policy-attached role. To show only the roles that appear in the policies, disable the --expand-roles option.

This command returns the resources that appear in the policies and the inherited resources that are granted any access to the specified identity. To show only the resources that appear in the policies, disable the --expand-resources and the --output-resource-edges options.

You can enable the --output-group-edges option if you want to know how the specified identity inherits the access through group membership. For example, if the policy has a member group g1 and user1 is a member of g1, you will see a g1-user1 group edge.

You can enable the --analyze-service-account-impersonation option if you want to find resources that might be indirectly accessed by the specified identity through service account impersonation.

Finding roles/permissions on a specified resource to a specific identity

To find roles or permissions that are granted to a specified user on a specified service account, run the following command.

gcloud

gcloud asset GCLOUD_METHOD_NAME \
    --organization="ORG_ID" \
    --full-resource-name="FULL_RESOURCE_NAME" \
    --identity="IDENTITY" \
    --expand-roles

For example:

gcloud asset analyze-iam-policy --organization="123456789" \
    --full-resource-name="//iam.googleapis.com/projects/project1/serviceAccounts/sa1@project1.iam.gserviceaccount.com" \
    --identity="user:user1@example.com" \
    --expand-roles

REST

  1. Create a file request.json for the request body and set its contents to the analysis request in JSON format.

    {
      "analysisQuery":{
        "scope":"organizations/ORG_ID",
        "resourceSelector":{
           "fullResourceName":"FULL_RESOURCE_NAME"
        },
        "identitySelector":{
           "identity":"IDENTITY"
        },
        "options":{
           "expandRoles":EXPAND_ROLES,
           "outputGroupEdges":OUTPUT_GROUP_EDGES,
           "outputResourceEdges":OUTPUT_RESOURCE_EDGES
        }
      }
    }
    

    For example:

    {
      "analysisQuery":{
        "scope":"organizations/123456789",
        "resourceSelector":{
           "fullResourceName":"//iam.googleapis.com/projects/project1/serviceAccounts/sa1@project1.iam.gserviceaccount.com"
        },
        "identitySelector":{
           "identity":"user:user1@example.com"
        },
        "options":{
           "expandRoles":true,
           "outputGroupEdges":false,
           "outputResourceEdges":false
        }
      }
    }
    
  2. After you create the request.json file, run the request with the following command using the gcurl alias.

    gcurl -d @request.json  \
    "https://cloudasset.googleapis.com/v1/organizations/ORG_ID:REST_ANALYZE_METHOD"
    

    Where:

    • ORG_ID is your organization ID, such as 1234567890.
    • REST_ANALYZE_METHOD is the analysis method, either analyzeIamPolicy or analyzeIamPolicyLongrunning.

This command returns the roles that appear in the policies and the permissions that are included in the policy-attached role. To show only the roles that appear in the policies, disable the --expand-roles option.

You can enable the --output-group-edges option if you want to know how the specified identity inherits the access through group membership. For example, if the policy has a member group g1 and user1 is a member of g1, you will see a g1-user1 group edge.

You can enable the --output-resource-edges option if you want to know how the specified resource inherits the policy from the policy-attached resource. For example, if the policy is set on a folder f1, you will see f1-to-project1 and project1-to-sa1 resource edges.

Finding identities and resources with specific roles/permissions

To find identities and resources that are granted the iam.serviceAccounts.actAs permission, run the following command.

gcloud

gcloud asset GCLOUD_METHOD_NAME \
    --organization="ORG_ID" \
    --permissions="COMMA_SEPARATED_PERMISSIONS"

For example:

gcloud asset analyze-iam-policy --organization="123456789" \
    --permissions="iam.serviceAccounts.actAs"

REST

  1. Create a file request.json for the request body and set its contents to the analysis request in JSON format.

    {
      "analysisQuery":{
        "scope":"organizations/ORG_ID",
        "accessSelector":{
           "permissions":[
              "iam.serviceAccounts.actAs"
           ]
        },
        "options":{
           "expandGroups":EXPAND_GROUPS,
           "outputGroupEdges":OUTPUT_GROUP_EDGES,
           "expandResources":EXPAND_RESOURCES,
           "outputResourceEdges":OUTPUT_RESOURCE_EDGES
        }
      }
    }
    

    For example:

    {
      "analysisQuery":{
        "scope":"organizations/123456789",
        "accessSelector":{
           "permissions":[
              "iam.serviceAccounts.actAs"
           ]
        },
        "options":{
           "expandGroups":false,
           "outputGroupEdges":false,
           "expandResources":false,
           "outputResourceEdges":false
        }
      }
    }
    
  2. After you create the request.json file, run the request with the following command using the gcurl alias.

    gcurl -d @request.json  \
    "https://cloudasset.googleapis.com/v1/organizations/ORG_ID:REST_ANALYZE_METHOD"
    

    Where:

    • ORG_ID is your organization ID, such as 1234567890.
    • REST_ANALYZE_METHOD is the analysis method, either analyzeIamPolicy or analyzeIamPolicyLongrunning.

You can enable the --expand-groups and the --output-group-edges options to see identities who get permissions through group membership in the result.

You can enable the --expand-resources and the --output-resource-edges options to see inherited resources that are granted the specified access in the result.