Exporting IAM policy analysis to Cloud Storage

This page explains how to export an Identity and Access Management (IAM) policy analysis to Cloud Storage. The functionality is equivalent to analyzing IAM policies, except that the analysis result is written to a Cloud Storage bucket instead of being returned in the API response.

Before you begin

Calling ExportIamPolicyAnalysis

The ExportIamPolicyAnalysis method allows you to issue an analysis request and get results in the specified Cloud Storage bucket.

gcloud

You can call ExportIamPolicyAnalysis on your API-enabled project using the gcloud beta asset export-iam-policy-analysis command. You must be running Cloud SDK version 288.0.0 or higher; check your version with the gcloud version command.

To use the gcloud asset export-iam-policy-analysis command, first sign in to the gcloud tool using the account that has been granted the appropriate permissions and can access the whitelisted project. You can verify the currently authenticated account and project with the gcloud info command:

...
Account: YOUR_LOGIN_ACCOUNT
Project: YOUR_GCP_PROJECT_ID
...

To sign in with a different account, use the gcloud auth login command:

gcloud auth login YOUR_LOGIN_ACCOUNT

To set the project to the whitelisted project:

gcloud config set project YOUR_GCP_PROJECT_ID

Examples:

To export who has the compute.instances.get and compute.instances.start permissions on the Compute Engine instance ipa-gce-instance-2 under organization 1234567890 to the Cloud Storage bucket gcs-bucket-01, with the file name exported_analysis.json:

gcloud beta asset export-iam-policy-analysis --organization=1234567890 \
  --full-resource-name="//compute.googleapis.com/projects/project1/zones/us-central1-a/instances/ipa-gce-instance-2" \
  --permissions="compute.instances.get,compute.instances.start" \
  --output-path="gs://gcs-bucket-01/exported_analysis.json"

Find more on help:

gcloud beta asset export-iam-policy-analysis --help

Curl

To call the ExportIamPolicyAnalysis method using the curl command:

  1. Set up your environment by following the guide here

  2. Set up an alias (gcurl) as shown below.

    If you are on a Compute Engine instance:

    alias gcurl='curl -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
    -H "Content-Type: application/json" -X POST'
    

    Otherwise:

    alias gcurl='curl -H "$(oauth2l header --json ~/credentials.json cloud-platform)" \
    -H "Content-Type: application/json" -X POST'
    
  3. Export the IAM policy analysis using the following gcurl command:

    gcurl -d "$JSON_REQUEST" \
    "https://cloudasset.googleapis.com/v1p4beta1/organizations/${YOUR_ORG_ID}:exportIamPolicyAnalysis"
    

    Where:

    • YOUR_ORG_ID is the numeric organization ID, such as:
    YOUR_ORG_ID='1234567890'
    
    • JSON_REQUEST is the analysis request in JSON format. Note that permissions is a repeated field, so the permissions are passed as a JSON array, and the parent is given as organizations/ORG_ID. For example, to export who has the compute.instances.get and compute.instances.start permissions on the Compute Engine instance ipa-gce-instance-2 under organization 1234567890 to the Cloud Storage bucket gcs-bucket-01, with the file name exported_analysis.json:
    JSON_REQUEST='{
      "analysis_query": {
        "parent": "organizations/1234567890",
        "resourceSelector": {
          "fullResourceName":
            "//compute.googleapis.com/projects/project1/zones/us-central1-a/instances/ipa-gce-instance-2"
        },
        "accessSelector": {
          "permissions": ["compute.instances.get", "compute.instances.start"]
        }
      },
      "output_config": {
        "gcs_destination": {
          "uri": "gs://gcs-bucket-01/exported_analysis.json"
        }
      }
    }'
    

Viewing an IAM policy analysis

To view your IAM policy analysis:

  1. Go to the Cloud Storage Browser page.

  2. Open the new file you exported your analysis to.

The export lists tuples of {identity, role(s) or permission(s), resource}, together with the IAM policies (bindings) that produce each tuple.
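The two error-prone steps on this page are assembling the JSON request body by hand for the curl call and turning the exported file back into a list of who-can-do-what. The following Python script, an added example and not code from the Cloud Asset documentation, does both: it builds and validates a request body you can pass to the gcurl -d "$JSON_REQUEST" call, and it flattens an exported analysis into (identity, access, resource) triples. The request field names are the camelCase spellings of the fields used on this page; the output schema (analysisResults[] with identityList, accessControlLists[] containing resources and accesses, and a fullyExplored flag) is assumed from the IamPolicyAnalysisResult message and should be checked against a file you actually export. The sample export in SAMPLE_EXPORT is constructed for the example.

```python
"""Build an ExportIamPolicyAnalysis request body and flatten an exported result.

Added example, not code from the Cloud Asset documentation. The output
schema (analysisResults[].identityList / accessControlLists / fullyExplored)
is ASSUMED from the IamPolicyAnalysisResult message; verify it against a
real export before relying on it.
"""
import json
import re
from typing import Dict, Iterable, List, Tuple

_ORG_ID = re.compile(r"^\d+$")
_FULL_RESOURCE_NAME = re.compile(r"^//[a-z0-9-]+\.googleapis\.com/.+")
# gs://<bucket>/<object>; a bucket-only URI has no object to write to
_GCS_OBJECT_URI = re.compile(r"^gs://[a-z0-9][a-z0-9._-]{1,61}[a-z0-9]/.+")

INSTANCE = ("//compute.googleapis.com/projects/project1/zones/us-central1-a"
            "/instances/ipa-gce-instance-2")


def build_export_request(org_id: str, full_resource_name: str,
                         permissions: Iterable[str], gcs_uri: str) -> Dict:
    """Return a JSON-serialisable body for organizations/ORG:exportIamPolicyAnalysis.

    Rejects the mistakes that are easy to make by hand: a parent that is not the
    bare numeric organization ID, a resource name without the //service/ prefix,
    a destination with no object name, and an empty permission list.
    """
    if not _ORG_ID.match(org_id):
        raise ValueError("org_id must be the numeric organization ID, e.g. 1234567890")
    if not _FULL_RESOURCE_NAME.match(full_resource_name):
        raise ValueError("full_resource_name must look like //service.googleapis.com/...")
    if not _GCS_OBJECT_URI.match(gcs_uri):
        raise ValueError("gcs_uri must be gs://<bucket>/<object>")
    perms = list(dict.fromkeys(permissions))  # de-duplicate, keep order
    if not perms:
        raise ValueError("at least one permission is required")
    return {
        "analysisQuery": {
            "parent": f"organizations/{org_id}",
            "resourceSelector": {"fullResourceName": full_resource_name},
            "accessSelector": {"permissions": perms},  # repeated field: JSON array
        },
        "outputConfig": {"gcsDestination": {"uri": gcs_uri}},
    }


Triple = Tuple[str, str, str]


def flatten_results(export: Dict) -> List[Triple]:
    """Expand an exported analysis into sorted (identity, access, resource) triples.

    Within one result, the triples are the cross product of its identities and,
    for each access control list, its accesses (permission or role) and resources.
    """
    triples = set()
    for result in export.get("analysisResults", []):
        identities = [i["name"] for i in result.get("identityList", {}).get("identities", [])]
        for acl in result.get("accessControlLists", []):
            resources = [r["fullResourceName"] for r in acl.get("resources", [])]
            accesses = [a.get("permission") or a.get("role") for a in acl.get("accesses", [])]
            for identity in identities:
                for access in accesses:
                    for resource in resources:
                        triples.add((identity, access, resource))
    return sorted(triples)


def incomplete_results(export: Dict) -> List[str]:
    """Attached resources whose result the service did not fully explore.

    Such a result may be missing identities or resources (for example a group that
    could not be expanded), so treat the export as a lower bound on who has access.
    """
    return [r.get("attachedResourceFullName", "<unknown>")
            for r in export.get("analysisResults", [])
            if not r.get("fullyExplored", False)]


# Constructed sample export in the assumed schema; not real data.
SAMPLE_EXPORT = {
    "analysisResults": [
        {
            "attachedResourceFullName": "//cloudresourcemanager.googleapis.com/projects/project1",
            "iamBinding": {"role": "roles/compute.instanceAdmin.v1",
                           "members": ["user:alice@example.com", "user:bob@example.com"]},
            "accessControlLists": [{
                "resources": [{"fullResourceName": INSTANCE}],
                "accesses": [{"permission": "compute.instances.get"},
                             {"permission": "compute.instances.start"}],
            }],
            "identityList": {"identities": [{"name": "user:alice@example.com"},
                                            {"name": "user:bob@example.com"}]},
            "fullyExplored": True,
        },
        {
            "attachedResourceFullName": INSTANCE,
            "iamBinding": {"role": "roles/compute.viewer", "members": ["group:ops@example.com"]},
            "accessControlLists": [{
                "resources": [{"fullResourceName": INSTANCE}],
                "accesses": [{"permission": "compute.instances.get"}],
            }],
            "identityList": {"identities": [{"name": "group:ops@example.com"}]},
            "fullyExplored": False,  # group membership was not expanded
        },
    ]
}

if __name__ == "__main__":
    # Body suitable for: gcurl -d "$JSON_REQUEST" .../organizations/${YOUR_ORG_ID}:exportIamPolicyAnalysis
    print(json.dumps(build_export_request(
        "1234567890", INSTANCE, ["compute.instances.get", "compute.instances.start"],
        "gs://gcs-bucket-01/exported_analysis.json"), indent=2))
    for identity, access, resource in flatten_results(SAMPLE_EXPORT):
        print(f"{identity:28} {access:26} {resource}")
    for name in incomplete_results(SAMPLE_EXPORT):
        print(f"WARNING: result for {name} was not fully explored")
```

To use it with a real export, download the object (for example with gsutil cp) and pass json.load(open(path)) to flatten_results and incomplete_results; anything reported by incomplete_results should be re-checked rather than read as "nobody else has access".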