Exporting IAM policy analysis to Google Cloud Storage

This page explains how to export a Cloud IAM policy analysis. The functionality is mostly equivalent to analyzing Cloud IAM policies, except that the analysis result is written to a Cloud Storage bucket instead of being returned in the response.

Before you begin

Calling ExportIamPolicyAnalysis

The ExportIamPolicyAnalysis method lets you issue an analysis request and have the results written to the Cloud Storage bucket you specify.


You can call ExportIamPolicyAnalysis on your API-enabled project using the gcloud beta asset export-iam-policy-analysis command. You must be running Cloud SDK version 288.0.0 or higher. You can check your version with the gcloud version command.

To use the gcloud beta asset export-iam-policy-analysis command, first sign in to the gcloud tool with an account that has been granted the appropriate permissions and can access the whitelisted project. You can verify the currently authenticated account and project with the gcloud info command:


To sign in with a different account, use the gcloud auth login command:

gcloud auth login YOUR_LOGIN_ACCOUNT

To set the project to the whitelisted project:

gcloud config set project YOUR_GCP_PROJECT_ID

After your account and project have been configured, use the command below to see the usage and options for ExportIamPolicyAnalysis:

gcloud beta asset export-iam-policy-analysis --help


To call the ExportIamPolicyAnalysis method using the curl command:

  1. Set up your environment by following the guide here

  2. Set up an alias (gcurl) as shown below.

    If you are on a Compute Engine instance, use the instance's application-default credentials:

    alias gcurl='curl -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
    -H "Content-Type: application/json" -X POST'

    Otherwise, obtain a token with oauth2l from a service account key file (keep that file readable only by your own user):

    alias gcurl='curl -H "$(oauth2l header --json ~/credentials.json cloud-platform)" \
    -H "Content-Type: application/json" -X POST'

  3. Export the Cloud IAM policy analysis using the following gcurl command:

    gcurl -d "$JSON_REQUEST" \


    • YOUR_ORG_ID is the organization id, such as:
    • JSON_REQUEST is the analysis request in JSON format, such as:
      "analysis_query": {
        "parent": "organizations/123",
        "resourceSelector": {
      "output_config": {
        "gcs_destination": {

Viewing a Cloud IAM policy analysis

To view your Cloud IAM policy analysis:

  1. Go to the Cloud Storage Browser page.

  2. Open the file that your analysis was exported to.

The export lists tuples of {identity, role(s)/permission(s), resource}, together with the Cloud IAM policies (bindings) that generate each tuple.
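The following Python script is an added example, not code from this page or from Google. It shows the two ends of the procedure above: building the $JSON_REQUEST body that the gcurl step sends (using the page's field names "analysis_query", "parent", "resourceSelector", "output_config" and "gcs_destination"; the inner names "fullResourceName" and "uri" are assumed from the Cloud Asset API's ResourceSelector and GcsDestination messages), and then flattening an exported result into the {identity, role, resource} tuples described above so a defender can triage broad grants. The export records are a constructed sample, modelled on the assumption that each line is one JSON object with "attachedResourceFullName" and an "iamBinding"; confirm that shape against a real export before relying on the parser.

```python
"""Build an ExportIamPolicyAnalysis request body and summarise an exported result.

Added example (not Google's code). Assumed, not taken from the page:
  * "fullResourceName" and "uri" as the inner field names;
  * the exported file being one JSON record per line, each carrying
    "attachedResourceFullName" and "iamBinding": {"role", "members"}.
"""
import json
import re
from typing import Dict, Iterable, List, Tuple

# gs://bucket/object, with bucket naming rules simplified (assumption).
GCS_URI_RE = re.compile(r"^gs://[a-z0-9][a-z0-9._-]{1,61}[a-z0-9]/[^\s]+$")

# Principals and roles a defender usually wants to look at first.
BROAD_MEMBERS = ("allUsers", "allAuthenticatedUsers")
BASIC_ROLES = ("roles/owner", "roles/editor", "roles/viewer")


def build_request(org_id: str, full_resource_name: str, gcs_uri: str) -> Dict:
    """Return the $JSON_REQUEST body as a dict; json.dumps() it for `gcurl -d`."""
    if not org_id.isdigit():
        raise ValueError("organization id must be numeric, e.g. '123'")
    if not full_resource_name.startswith("//"):
        raise ValueError("expected a full resource name, e.g. "
                         "//cloudresourcemanager.googleapis.com/projects/my-project")
    if not GCS_URI_RE.match(gcs_uri):
        raise ValueError(f"not a gs://bucket/object URI: {gcs_uri}")
    return {
        "analysis_query": {
            "parent": f"organizations/{org_id}",
            "resourceSelector": {"fullResourceName": full_resource_name},  # assumed name
        },
        "output_config": {"gcs_destination": {"uri": gcs_uri}},  # "uri" assumed
    }


def summarize_export(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Flatten exported records into sorted, de-duplicated (identity, role, resource)."""
    found = set()
    for raw in lines:
        raw = raw.strip()
        if not raw:  # tolerate blank/trailing lines in the export
            continue
        record = json.loads(raw)
        resource = record.get("attachedResourceFullName", "<unknown>")
        binding = record.get("iamBinding", {})
        role = binding.get("role", "<unknown>")
        for member in binding.get("members", []):
            found.add((member, role, resource))
    return sorted(found)


def flag_broad_grants(tuples: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Triage helper: public/all-authenticated principals or basic (primitive) roles."""
    return [t for t in tuples if t[0] in BROAD_MEMBERS or t[1] in BASIC_ROLES]


# Constructed sample export (not real data): two records, three members in total.
SAMPLE_EXPORT = [
    json.dumps({
        "attachedResourceFullName": "//cloudresourcemanager.googleapis.com/projects/example-proj",
        "iamBinding": {"role": "roles/editor",
                       "members": ["user:alice@example.com",
                                   "serviceAccount:ci@example-proj.iam.gserviceaccount.com"]},
    }),
    json.dumps({
        "attachedResourceFullName": "//storage.googleapis.com/projects/_/buckets/example-public",
        "iamBinding": {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    }),
    "",
]

if __name__ == "__main__":
    request = build_request("123",
                            "//cloudresourcemanager.googleapis.com/projects/example-proj",
                            "gs://example-bucket/iam-analysis.json")
    print(json.dumps(request, indent=2))  # paste this into JSON_REQUEST
    tuples = summarize_export(SAMPLE_EXPORT)
    for identity, role, resource in tuples:
        print(f"{identity}\t{role}\t{resource}")
    print("broad grants:", flag_broad_grants(tuples))
```

The request builder refuses a non-numeric organization id, a resource name that is not a full resource name, and a destination that is not a gs:// object URI, which catches the three most common ways the export step fails silently. After downloading the exported object from the bucket, pass its lines to summarize_export() and review flag_broad_grants() first.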