Analyzes IAM policies to answer which identities have what accesses on which resources.
HTTP request
GET https://cloudasset.googleapis.com/v1/{analysisQuery.scope=*/*}:analyzeIamPolicy
The URL uses gRPC Transcoding syntax.
Path parameters
Parameter | Description
---|---
analysisQuery.scope | Required. The relative name of the root asset. Only resources and IAM policies within the scope will be analyzed. This can only be an organization number (such as "organizations/123"), a folder number (such as "folders/123"), a project ID (such as "projects/my-project-id"), or a project number (such as "projects/12345"). See the Google Cloud documentation for how to find an organization ID and how to find a folder or project ID. Authorization requires one or more of the following IAM permissions on the specified resource
Query parameters
Parameter | Description
---|---
analysisQuery.resourceSelector | Optional. Specifies a resource for analysis.
analysisQuery.identitySelector | Optional. Specifies an identity for analysis.
analysisQuery.accessSelector | Optional. Specifies roles or permissions for analysis.
analysisQuery.options | Optional. The query options.
analysisQuery.conditionContext | Optional. The hypothetical context for IAM conditions evaluation.
savedAnalysisQuery | Optional. The name of a saved query, which must be in the required saved-query name format. If both `savedAnalysisQuery` and `analysisQuery` are provided, note that you cannot override primitive fields with a default value, such as 0 or an empty string, because we use proto3, which doesn't support field presence yet.
executionTimeout | Optional. Amount of time the query execution has to complete. See the JSON representation of Duration. If this field is set to a value less than the RPC deadline and the execution of your query hasn't finished within the specified execution timeout, you will get a response with a partial result. Otherwise, your query's execution will continue until the RPC deadline; if it's not finished by then, you will get a DEADLINE_EXCEEDED error. Default is empty. A duration in seconds with up to nine fractional digits, ending with 's'.
Request body
The request body must be empty.
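Because the request body is empty, every input to this method travels in the path (the scope) or the query string (the selectors, options and timeout). The following is an added example, not code from the API reference, that assembles such a URL and rejects scopes and timeouts that do not match the formats documented above. It assumes that the nested selector fields are flattened onto the query string with dot notation, which is the gRPC transcoding rule for nested request fields; the sub-field names `identity`, `fullResourceName`, `roles`, `permissions`, `expandGroups` and `analyzeServiceAccountImpersonation` are not on this page and are assumptions here.

```python
# Added example (not from the API reference): build an analyzeIamPolicy GET
# URL from the path and query parameters documented above. The request has
# no body, so everything travels in the path and the query string.
#
# Assumption: the selectors are nested messages of analysisQuery and are
# flattened on the query string with dot notation (the gRPC transcoding rule
# for nested request fields). The sub-field names identity, fullResourceName,
# roles, permissions, expandGroups and analyzeServiceAccountImpersonation are
# not on this page and are assumed here.
import re
from typing import List, Optional, Tuple
from urllib.parse import urlencode

BASE_URL = "https://cloudasset.googleapis.com/v1"

# Exactly the four scope forms the reference permits. Project IDs are 6-30
# lowercase letters, digits and hyphens, starting with a letter and not
# ending with a hyphen (this check is the example's own).
_SCOPE_RE = re.compile(
    r"^(organizations/\d+|folders/\d+|projects/\d+|projects/[a-z][a-z0-9-]{4,28}[a-z0-9])$"
)
# JSON Duration: seconds with up to nine fractional digits, ending in 's'.
_DURATION_RE = re.compile(r"^\d+(\.\d{1,9})?s$")


def validate_scope(scope: str) -> str:
    """Reject anything that is not organizations/N, folders/N, projects/ID or projects/N."""
    if not _SCOPE_RE.match(scope):
        raise ValueError(f"unsupported scope: {scope!r}")
    return scope


def build_analyze_iam_policy_url(
    scope: str,
    *,
    identity: Optional[str] = None,
    full_resource_name: Optional[str] = None,
    roles: Optional[List[str]] = None,
    permissions: Optional[List[str]] = None,
    expand_groups: bool = False,
    analyze_service_account_impersonation: bool = False,
    execution_timeout: Optional[str] = None,
) -> str:
    """Return the full request URL; the scope goes in the path, selectors in the query."""
    params: List[Tuple[str, str]] = []
    if identity:
        params.append(("analysisQuery.identitySelector.identity", identity))
    if full_resource_name:
        params.append(("analysisQuery.resourceSelector.fullResourceName", full_resource_name))
    for role in roles or []:
        params.append(("analysisQuery.accessSelector.roles", role))
    for permission in permissions or []:
        params.append(("analysisQuery.accessSelector.permissions", permission))
    if expand_groups:
        params.append(("analysisQuery.options.expandGroups", "true"))
    if analyze_service_account_impersonation:
        params.append(("analysisQuery.options.analyzeServiceAccountImpersonation", "true"))
    if execution_timeout is not None:
        if not _DURATION_RE.match(execution_timeout):
            raise ValueError(f"executionTimeout must look like '300s' or '1.5s': {execution_timeout!r}")
        params.append(("executionTimeout", execution_timeout))

    url = f"{BASE_URL}/{validate_scope(scope)}:analyzeIamPolicy"
    return url + ("?" + urlencode(params) if params else "")


if __name__ == "__main__":
    # "What can user:alice reach inside this project?" (values constructed for the example)
    print(build_analyze_iam_policy_url(
        "projects/my-project-id",
        identity="user:alice@example.com",
        expand_groups=True,
        execution_timeout="300s",
    ))
```

The bearer token for the `cloud-platform` scope listed under Authorization scopes is sent in the `Authorization` header, not in the URL, so it is deliberately outside this function.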
Response body
A response message for AssetService.AnalyzeIamPolicy.
If successful, the response body contains data with the following structure:
JSON representation

```json
{
  "mainAnalysis": {
    object (IamPolicyAnalysis)
  },
  "serviceAccountImpersonationAnalysis": [
    {
      object (IamPolicyAnalysis)
    }
  ],
  "fullyExplored": boolean
}
```

Field | Description
---|---
mainAnalysis | The main analysis that matches the original request.
serviceAccountImpersonationAnalysis[] | The service account impersonation analysis if `AnalyzeIamPolicyRequest.analyze_service_account_impersonation` is enabled.
fullyExplored | Represents whether all entries in the
Authorization scopes
Requires the following OAuth scope:
https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.
IamPolicyAnalysis
An analysis message to group the query and results.
JSON representation

```json
{
  "analysisQuery": {
    object (IamPolicyAnalysisQuery)
  },
  "analysisResults": [
    {
      object (IamPolicyAnalysisResult)
    }
  ],
  "fullyExplored": boolean,
  "nonCriticalErrors": [
    {
      object (IamPolicyAnalysisState)
    }
  ]
}
```

Field | Description
---|---
analysisQuery | The analysis query.
analysisResults[] | A list of
fullyExplored | Represents whether all entries in the
nonCriticalErrors[] | A list of non-critical errors that happened during the query handling.
IamPolicyAnalysisResult
IAM Policy analysis result, consisting of one IAM policy binding and derived access control lists.
JSON representation

```json
{
  "attachedResourceFullName": string,
  "iamBinding": {
    object (Binding)
  },
  "accessControlLists": [
    {
      object (AccessControlList)
    }
  ],
  "identityList": {
    object (IdentityList)
  },
  "fullyExplored": boolean
}
```

Field | Description
---|---
attachedResourceFullName | The full resource name of the resource to which the
iamBinding | The IAM policy binding under analysis.
accessControlLists[] | The access control lists derived from the
identityList | The identity list derived from members of the
fullyExplored | Represents whether all analyses on the
AccessControlList
An access control list, derived from the above IAM policy binding, which contains a set of resources and accesses. May include one item from each set to compose an access control entry.
NOTICE that there could be multiple access control lists for one IAM policy binding. The access control lists are created based on resource and access combinations.
For example, assume we have the following cases in one IAM policy binding:
- Permission P1 and P2 apply to resource R1 and R2;
- Permission P3 applies to resource R2 and R3;
This will result in the following access control lists:
- AccessControlList 1: [R1, R2], [P1, P2]
- AccessControlList 2: [R2, R3], [P3]
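The reason a single binding is split into several lists is that the cross product of one list's resources with its accesses must never produce a pair the binding does not actually grant. The following added example (not code from the API reference) reproduces the grouping on the P1/P2/P3 and R1/R2/R3 illustration above, encoded as a constructed mapping, and shows what a naive "all resources times all accesses" expansion would over-report.

```python
# Added example (not from the API reference): why one IAM policy binding can
# produce more than one AccessControlList. Accesses that reach exactly the
# same resource set are grouped into one list, so that taking one item from
# each set never produces a (resource, access) pair the binding does not grant.
# The P1/P2/P3 and R1/R2/R3 input is the reference's own illustration,
# encoded here as a constructed mapping.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

AccessControlList = Tuple[List[str], List[str]]  # (resources, accesses)


def derive_access_control_lists(access_to_resources: Dict[str, List[str]]) -> List[AccessControlList]:
    """Group accesses by the exact set of resources they apply to."""
    groups: Dict[Tuple[str, ...], List[str]] = defaultdict(list)
    for access, resources in access_to_resources.items():
        groups[tuple(sorted(set(resources)))].append(access)
    # Deterministic output: lists ordered by resource set, accesses sorted.
    return [(list(key), sorted(accesses)) for key, accesses in sorted(groups.items())]


def access_control_entries(acls: List[AccessControlList]) -> Set[Tuple[str, str]]:
    """One resource and one access from the *same* list compose an entry."""
    return {(r, a) for resources, accesses in acls for r in resources for a in accesses}


def naive_entries(access_to_resources: Dict[str, List[str]]) -> Set[Tuple[str, str]]:
    """What you would get by crossing all resources with all accesses of the
    binding: it over-reports, which is exactly why the API splits the lists."""
    all_resources = {r for rs in access_to_resources.values() for r in rs}
    return {(r, a) for r in all_resources for a in access_to_resources}


# Constructed from the reference's example: P1, P2 -> R1, R2; P3 -> R2, R3.
EXAMPLE_BINDING = {"P1": ["R1", "R2"], "P2": ["R1", "R2"], "P3": ["R2", "R3"]}

if __name__ == "__main__":
    acls = derive_access_control_lists(EXAMPLE_BINDING)
    for i, (resources, accesses) in enumerate(acls, 1):
        print(f"AccessControlList {i}: {resources}, {accesses}")
    print("entries:", sorted(access_control_entries(acls)))
    print("over-reported by naive cross product:",
          sorted(naive_entries(EXAMPLE_BINDING) - access_control_entries(acls)))
```

When consuming the API, always expand entries per AccessControlList; merging the `resources` and `accesses` arrays of different lists into one pool reintroduces exactly the over-reported pairs shown here.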
JSON representation

```json
{
  "resources": [
    {
      object (Resource)
    }
  ],
  "accesses": [
    {
      object (Access)
    }
  ],
  "resourceEdges": [
    {
      object (Edge)
    }
  ],
  "conditionEvaluation": {
    object (ConditionEvaluation)
  }
}
```

Field | Description
---|---
resources[] | The resources that match one of the following conditions: the resourceSelector, if it is specified in the request; otherwise, resources reachable from the policy attached resource.
accesses[] | The accesses that match one of the following conditions: the accessSelector, if it is specified in the request; otherwise, access specifiers reachable from the policy binding's role.
resourceEdges[] | Resource edges of the graph starting from the policy attached resource to any descendant resources. The
conditionEvaluation | Condition evaluation for this AccessControlList, if there is a condition defined in the above IAM policy binding.
Resource
A Google Cloud resource under analysis.
JSON representation

```json
{
  "fullResourceName": string,
  "analysisState": {
    object (IamPolicyAnalysisState)
  }
}
```

Field | Description
---|---
fullResourceName | The full resource name of this resource.
analysisState | The analysis state of this resource.
IamPolicyAnalysisState
Represents the detailed state of an entity under analysis, such as a resource, an identity or an access.
JSON representation

```json
{
  "code": enum (Code),
  "cause": string
}
```

Field | Description
---|---
code | The Google standard error code that best describes the state. For example: OK means the analysis on this entity has been successfully finished; PERMISSION_DENIED means an access denied error was encountered; DEADLINE_EXCEEDED means the analysis on this entity hasn't been started in time.
cause | The human-readable description of the cause of failure.
Code
The canonical error codes for gRPC APIs.
Sometimes multiple error codes may apply. Services should return the most specific error code that applies. For example, prefer OUT_OF_RANGE over FAILED_PRECONDITION if both codes apply. Similarly, prefer NOT_FOUND or ALREADY_EXISTS over FAILED_PRECONDITION.
Enum | Description | HTTP mapping
---|---|---
OK | Not an error; returned on success. | 200 OK
CANCELLED | The operation was cancelled, typically by the caller. | 499 Client Closed Request
UNKNOWN | Unknown error. For example, this error may be returned when a | 500 Internal Server Error
INVALID_ARGUMENT | The client specified an invalid argument. Note that this differs from | 400 Bad Request
DEADLINE_EXCEEDED | The deadline expired before the operation could complete. For operations that change the state of the system, this error may be returned even if the operation has completed successfully. For example, a successful response from a server could have been delayed long enough for the deadline to expire. | 504 Gateway Timeout
NOT_FOUND | Some requested entity (e.g., file or directory) was not found. Note to server developers: if a request is denied for an entire class of users, such as gradual feature rollout or undocumented allowlist, | 404 Not Found
ALREADY_EXISTS | The entity that a client attempted to create (e.g., file or directory) already exists. | 409 Conflict
PERMISSION_DENIED | The caller does not have permission to execute the specified operation. | 403 Forbidden
UNAUTHENTICATED | The request does not have valid authentication credentials for the operation. | 401 Unauthorized
RESOURCE_EXHAUSTED | Some resource has been exhausted, perhaps a per-user quota, or perhaps the entire file system is out of space. | 429 Too Many Requests
FAILED_PRECONDITION | The operation was rejected because the system is not in a state required for the operation's execution. For example, the directory to be deleted is non-empty, an rmdir operation is applied to a non-directory, etc. Service implementors can use the following guidelines to decide between | 400 Bad Request
ABORTED | The operation was aborted, typically due to a concurrency issue such as a sequencer check failure or transaction abort. See the guidelines above for deciding between | 409 Conflict
OUT_OF_RANGE | The operation was attempted past the valid range. E.g., seeking or reading past end-of-file. Unlike There is a fair bit of overlap between | 400 Bad Request
UNIMPLEMENTED | The operation is not implemented or is not supported/enabled in this service. | 501 Not Implemented
INTERNAL | Internal errors. This means that some invariants expected by the underlying system have been broken. This error code is reserved for serious errors. | 500 Internal Server Error
UNAVAILABLE | The service is currently unavailable. This is most likely a transient condition, which can be corrected by retrying with a backoff. Note that it is not always safe to retry non-idempotent operations. See the guidelines above for deciding between | 503 Service Unavailable
DATA_LOSS | Unrecoverable data loss or corruption. | 500 Internal Server Error
Access
An IAM role or permission under analysis.
JSON representation

```json
{
  "analysisState": {
    object (IamPolicyAnalysisState)
  },

  // Union field: only one of the following can be set.
  "role": string,
  "permission": string
}
```

Field | Description
---|---
analysisState | The analysis state of this access.
role | The role.
permission | The permission.
Edge
A directional edge.
JSON representation

```json
{
  "sourceNode": string,
  "targetNode": string
}
```

Field | Description
---|---
sourceNode | The source node of the edge. For example, it could be a full resource name for a resource node or an email of an identity.
targetNode | The target node of the edge. For example, it could be a full resource name for a resource node or an email of an identity.
IdentityList
The identities and group edges.
JSON representation

```json
{
  "identities": [
    {
      object (Identity)
    }
  ],
  "groupEdges": [
    {
      object (Edge)
    }
  ]
}
```

Field | Description
---|---
identities[] | Only the identities that match one of the following conditions will be presented: the identitySelector, if it is specified in the request; otherwise, identities reachable from the policy binding's members.
groupEdges[] | Group identity edges of the graph starting from the binding's group members to any node of the
Identity
An identity under analysis.
JSON representation

```json
{
  "name": string,
  "analysisState": {
    object (IamPolicyAnalysisState)
  }
}
```

Field | Description
---|---
name | The identity of members, formatted as they appear in an IAM policy binding. For example, they might be formatted like the following:
analysisState | The analysis state of this identity.
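Putting the message types above together: a consumer of this API has to cross identities, resources and accesses within each AccessControlList, and must read `fullyExplored`, `nonCriticalErrors` and every entity's `analysisState.code` before treating the result as a complete answer, since a partial result (for instance after an `executionTimeout`) silently omits grants. The following added example, not code from the API reference, does both over a response constructed for this purpose that follows the documented message shapes; the `role` and `members` keys inside `iamBinding` follow the IAM Binding message and are an assumption here, as are all the resource names and identities.

```python
# Added example (not from the API reference): turn an analyzeIamPolicy
# response into (identity, resource, access) entries and collect every signal
# that the answer is incomplete: fullyExplored, nonCriticalErrors, and the
# per-entity analysisState codes defined above. The response is constructed
# for this example and follows the message shapes documented on this page;
# the role/members keys inside iamBinding follow the IAM Binding message and
# are an assumption here.
import json
from typing import Dict, List, Tuple

Entry = Tuple[str, str, str]  # (identity, resource, access)

# Constructed sample: one binding, one ACL, one resource that could not be
# analysed, and a group expanded to one member. fullyExplored is false.
SAMPLE_RESPONSE = json.loads("""
{
  "mainAnalysis": {
    "analysisQuery": {"scope": "projects/my-project-id"},
    "analysisResults": [{
      "attachedResourceFullName": "//cloudresourcemanager.googleapis.com/projects/my-project-id",
      "iamBinding": {"role": "roles/storage.objectViewer", "members": ["group:readers@example.com"]},
      "accessControlLists": [{
        "resources": [
          {"fullResourceName": "//storage.googleapis.com/buckets/bucket-a", "analysisState": {"code": "OK"}},
          {"fullResourceName": "//storage.googleapis.com/buckets/bucket-b",
           "analysisState": {"code": "PERMISSION_DENIED", "cause": "access denied while expanding resources"}}
        ],
        "accesses": [{"permission": "storage.objects.get", "analysisState": {"code": "OK"}}],
        "resourceEdges": [{"sourceNode": "//cloudresourcemanager.googleapis.com/projects/my-project-id",
                           "targetNode": "//storage.googleapis.com/buckets/bucket-a"}]
      }],
      "identityList": {
        "identities": [
          {"name": "group:readers@example.com", "analysisState": {"code": "OK"}},
          {"name": "user:alice@example.com", "analysisState": {"code": "OK"}}
        ],
        "groupEdges": [{"sourceNode": "group:readers@example.com", "targetNode": "user:alice@example.com"}]
      },
      "fullyExplored": false
    }],
    "fullyExplored": false,
    "nonCriticalErrors": [{"code": "DEADLINE_EXCEEDED", "cause": "analysis of some entities was not started in time"}]
  },
  "serviceAccountImpersonationAnalysis": [],
  "fullyExplored": false
}
""")


def _state_code(entity: dict) -> str:
    return entity.get("analysisState", {}).get("code", "OK")


def _access_name(access: dict) -> str:
    # Access is a union field: exactly one of role / permission is present.
    return access.get("role") or access.get("permission") or "<unknown>"


def _analyses(response: dict) -> List[dict]:
    return [response["mainAnalysis"], *response.get("serviceAccountImpersonationAnalysis", [])]


def flatten_entries(response: dict, include_unresolved: bool = False) -> List[Entry]:
    """Cross identities x resources x accesses within each AccessControlList.
    Entities whose analysisState is not OK are skipped unless asked for, so a
    partially analysed resource is never reported as a confirmed grant."""
    def keep(entity: dict) -> bool:
        return include_unresolved or _state_code(entity) == "OK"

    entries = set()
    for analysis in _analyses(response):
        for result in analysis.get("analysisResults", []):
            identities = [i["name"] for i in result.get("identityList", {}).get("identities", []) if keep(i)]
            for acl in result.get("accessControlLists", []):
                resources = [r["fullResourceName"] for r in acl.get("resources", []) if keep(r)]
                accesses = [_access_name(a) for a in acl.get("accesses", []) if keep(a)]
                entries.update((i, r, a) for i in identities for r in resources for a in accesses)
    return sorted(entries)


def completeness_report(response: dict) -> Dict[str, object]:
    """Everything a reviewer must read before trusting the entry list."""
    unresolved: List[Tuple[str, str, str]] = []
    errors: List[dict] = []
    for analysis in _analyses(response):
        errors.extend(analysis.get("nonCriticalErrors", []))
        for result in analysis.get("analysisResults", []):
            for acl in result.get("accessControlLists", []):
                unresolved += [("resource", r["fullResourceName"], _state_code(r))
                               for r in acl.get("resources", []) if _state_code(r) != "OK"]
                unresolved += [("access", _access_name(a), _state_code(a))
                               for a in acl.get("accesses", []) if _state_code(a) != "OK"]
            unresolved += [("identity", i["name"], _state_code(i))
                           for i in result.get("identityList", {}).get("identities", []) if _state_code(i) != "OK"]
    return {"fullyExplored": bool(response.get("fullyExplored", False)),
            "nonCriticalErrors": errors, "unresolved": unresolved}


if __name__ == "__main__":
    for entry in flatten_entries(SAMPLE_RESPONSE):
        print("grant:", entry)
    print("completeness:", completeness_report(SAMPLE_RESPONSE))
```

In the sample, `bucket-b` carries a `PERMISSION_DENIED` state and the top-level `fullyExplored` is `false`, so the two entries returned by default are a lower bound on the real grants; an access review that treats them as the full picture would miss whatever was not explored, which is why the report is produced alongside the entries rather than as an afterthought.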