Analyzes IAM policies to answer which identities have what accesses on which resources.
HTTP request
GET https://cloudasset.googleapis.com/v1/{analysisQuery.scope=*/*}:analyzeIamPolicy
The URL uses gRPC Transcoding syntax.
Path parameters
Parameter | Description
---|---
analysisQuery.scope | Required. The relative name of the root asset. Only resources and IAM policies within the scope will be analyzed. This can only be an organization number (such as "organizations/123"), a folder number (such as "folders/123"), a project ID (such as "projects/my-project-id"), or a project number (such as "projects/12345"). To learn how to get an organization ID, visit here. To learn how to get a folder or project ID, visit here. Authorization requires the following IAM permission on the specified resource
Query parameters
Parameter | Description
---|---
analysisQuery.resourceSelector | Optional. Specifies a resource for analysis.
analysisQuery.identitySelector | Optional. Specifies an identity for analysis.
analysisQuery.accessSelector | Optional. Specifies roles or permissions for analysis.
analysisQuery.options | Optional. The query options.
executionTimeout | Optional. Amount of time the executable has to complete. See the JSON representation of Duration. If this field is set to a value less than the RPC deadline and the execution of your query has not finished within the specified execution timeout, you will get a response with a partial result. Otherwise, your query's execution will continue until the RPC deadline. If it has not finished by then, you will get a DEADLINE_EXCEEDED error. Default is empty. A duration in seconds with up to nine fractional digits, terminated by '
Request body
The request body must be empty.
Response body
If successful, the response body contains data with the following structure:
A response message for AssetService.AnalyzeIamPolicy.
JSON representation
{ "mainAnalysis": { object (
Field | Description
---|---
mainAnalysis | The main analysis that matches the original request.
serviceAccountImpersonationAnalysis[] | The service account impersonation analysis if AnalyzeIamPolicyRequest.analyze_service_account_impersonation is enabled.
fullyExplored | Represents whether all entries in the
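The following is an added example, not code from the Cloud Asset API documentation or from Google. It builds the GET URL described above from the scope path parameter and the analysisQuery.* query parameters, then walks a response with the documented shape (mainAnalysis, serviceAccountImpersonationAnalysis[], analysisResults[], fullyExplored, nonCriticalErrors[], and the analysisState on every identity, resource and access) so that partial or failed analyses are reported instead of silently read as "no access". The nested selector sub-field names (identitySelector.identity, resourceSelector.fullResourceName, accessSelector.permissions) are assumptions not shown on this page; the response payload is constructed by hand with placeholder names.

```python
"""Added example (not from the Cloud Asset API docs): build the analyzeIamPolicy
URL and summarise a response of the documented structure.
Assumed (not on the page): the selector sub-field names used in build_url().
SAMPLE_RESPONSE is constructed with placeholder values."""
import json
from urllib.parse import urlencode

BASE = "https://cloudasset.googleapis.com/v1"


def build_url(scope, identity=None, resource=None, permissions=(), timeout=None):
    """Return the GET URL: scope fills the path parameter {analysisQuery.scope=*/*},
    the selectors are sent as analysisQuery.* query parameters."""
    if scope.split("/")[0] not in ("organizations", "folders", "projects"):
        raise ValueError("scope must be organizations/..., folders/... or projects/...")
    params = []
    if identity:   # assumed sub-field of identitySelector
        params.append(("analysisQuery.identitySelector.identity", identity))
    if resource:   # assumed sub-field of resourceSelector
        params.append(("analysisQuery.resourceSelector.fullResourceName", resource))
    for perm in permissions:   # assumed repeated sub-field of accessSelector
        params.append(("analysisQuery.accessSelector.permissions", perm))
    if timeout:    # e.g. "30s"; a value below the RPC deadline may yield a partial result
        params.append(("executionTimeout", timeout))
    url = f"{BASE}/{scope}:analyzeIamPolicy"
    return url + ("?" + urlencode(params) if params else "")


def _is_ok(entity, label, problems):
    """Record an entity whose analysisState is not OK; it was not analysed, so its
    absence from the findings is not evidence of 'no access'."""
    state = entity.get("analysisState", {})
    code = state.get("code", "OK")
    if code == "OK":
        return True
    problems.append(f"{label}: {code}: {state.get('cause', '')}")
    return False


def summarize(response):
    """Flatten a response into sorted (identity, access, resource) triples.
    Returns (triples, problems); problems lists every reason the answer may be
    incomplete: fullyExplored false, nonCriticalErrors, non-OK analysisState."""
    body = response if isinstance(response, dict) else json.loads(response)
    triples, problems = set(), []
    analyses = [("mainAnalysis", body.get("mainAnalysis", {}))]
    analyses += [("serviceAccountImpersonationAnalysis", a)
                 for a in body.get("serviceAccountImpersonationAnalysis", [])]
    for label, analysis in analyses:
        if not analysis.get("fullyExplored", False):
            problems.append(f"{label}: fullyExplored is false (partial result)")
        for err in analysis.get("nonCriticalErrors", []):
            problems.append(f"{label}: non-critical error {err.get('code')}: {err.get('cause', '')}")
        for result in analysis.get("analysisResults", []):
            identities = [i["name"] for i in result.get("identityList", {}).get("identities", [])
                          if _is_ok(i, f"identity {i['name']}", problems)]
            for acl in result.get("accessControlLists", []):
                resources = [r["fullResourceName"] for r in acl.get("resources", [])
                             if _is_ok(r, f"resource {r['fullResourceName']}", problems)]
                for access in acl.get("accesses", []):
                    # Access is a union: exactly one of role / permission is set
                    what = access.get("permission") or access.get("role")
                    if not _is_ok(access, f"access {what}", problems):
                        continue
                    for ident in identities:
                        for res in resources:
                            triples.add((ident, what, res))
    return sorted(triples), problems


# Constructed sample response; names and resources are placeholders.
SAMPLE_RESPONSE = {
    "mainAnalysis": {
        "analysisQuery": {"scope": "projects/example-project"},
        "fullyExplored": False,
        "nonCriticalErrors": [{"code": "PERMISSION_DENIED", "cause": "folder listing denied"}],
        "analysisResults": [{
            "attachedResourceFullName": "//cloudresourcemanager.googleapis.com/projects/example-project",
            "iamBinding": {"role": "roles/storage.objectViewer", "members": ["group:devs@example.com"]},
            "fullyExplored": True,
            "identityList": {"identities": [
                {"name": "user:alice@example.com", "analysisState": {"code": "OK"}},
                {"name": "user:bob@example.com",
                 "analysisState": {"code": "DEADLINE_EXCEEDED", "cause": "not started in time"}}]},
            "accessControlLists": [{
                "resources": [{"fullResourceName": "//storage.googleapis.com/projects/_/buckets/example-bucket",
                               "analysisState": {"code": "OK"}}],
                "accesses": [{"permission": "storage.objects.get", "analysisState": {"code": "OK"}}]}],
        }],
    },
}

if __name__ == "__main__":
    print(build_url("projects/example-project", identity="user:alice@example.com", timeout="30s"))
    found, issues = summarize(SAMPLE_RESPONSE)
    for triple in found:
        print("GRANT", *triple)
    for issue in issues:
        print("INCOMPLETE", issue)
```

The point of the `problems` list is that a DEADLINE_EXCEEDED or PERMISSION_DENIED analysisState, a `fullyExplored: false` analysis, or a non-critical error all mean the response is a partial answer; a reviewer who only reads the triples would wrongly conclude that bob has no access.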
Authorization Scopes
Requires the following OAuth scope:
https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.
IamPolicyAnalysis
An analysis message to group the query and results.
JSON representation
{ "analysisQuery": { object (
Field | Description
---|---
analysisQuery | The analysis query.
analysisResults[] | A list of
fullyExplored | Represents whether all entries in the
nonCriticalErrors[] | A list of non-critical errors that happened during the query handling.
IamPolicyAnalysisResult
IAM Policy analysis result, consisting of one IAM policy binding and derived access control lists.
JSON representation
{ "attachedResourceFullName": string, "iamBinding": { object (
Field | Description
---|---
attachedResourceFullName | The full resource name of the resource to which the
iamBinding | The Cloud IAM policy binding under analysis.
accessControlLists[] | The access control lists derived from the
identityList | The identity list derived from members of the
fullyExplored | Represents whether all analyses on the
AccessControlList
An access control list, derived from the above IAM policy binding, which contains a set of resources and accesses. May include one item from each set to compose an access control entry.
NOTICE that there could be multiple access control lists for one IAM policy binding. The access control lists are created based on resource and access combinations.
For example, assume we have the following cases in one IAM policy binding:
- Permissions P1 and P2 apply to resources R1 and R2;
- Permission P3 applies to resources R2 and R3.
This will result in the following access control lists:
- AccessControlList 1: [R1, R2], [P1, P2]
- AccessControlList 2: [R2, R3], [P3]
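As an added illustration of the grouping just described (not code from the API or from Google), the function below turns the (permission, resource) pairs that one binding yields into access control lists, and the second function expands a list back into the access control entries it stands for. The grouping rule, one list per distinct set of resources, is my reading of "created based on resource and access combinations" and reproduces the P1/P2/P3 example on this page; the input pairs are constructed.

```python
"""Added example, not from the Cloud Asset API: derive AccessControlList
objects from per-permission resource sets, as the page's P1..P3 example shows.
The grouping rule (one list per distinct resource set) is an assumption."""
from collections import defaultdict
from itertools import product


def build_access_control_lists(grants):
    """grants: iterable of (permission, resource) pairs from one IAM binding.
    Permissions that reach exactly the same resources share one list, so a
    resource may appear in several lists (R2 in the page's example)."""
    resources_by_permission = defaultdict(set)
    for permission, resource in grants:
        resources_by_permission[permission].add(resource)
    permissions_by_resource_set = defaultdict(list)
    for permission in sorted(resources_by_permission):
        key = tuple(sorted(resources_by_permission[permission]))
        permissions_by_resource_set[key].append(permission)
    return [{"resources": list(resources), "accesses": permissions}
            for resources, permissions in sorted(permissions_by_resource_set.items())]


def access_control_entries(acls):
    """Expand each list into entries: one item from each set (the cross product).
    Returns the set of (permission, resource) pairs the lists encode."""
    return {(permission, resource)
            for acl in acls
            for permission, resource in product(acl["accesses"], acl["resources"])}


# Constructed input matching the example above: P1, P2 on R1, R2; P3 on R2, R3.
EXAMPLE_GRANTS = [("P1", "R1"), ("P1", "R2"), ("P2", "R1"), ("P2", "R2"),
                  ("P3", "R2"), ("P3", "R3")]

if __name__ == "__main__":
    for n, acl in enumerate(build_access_control_lists(EXAMPLE_GRANTS), 1):
        print(f"AccessControlList {n}: {acl['resources']}, {acl['accesses']}")
```

Round-tripping through `access_control_entries` is the check worth keeping: the lists are a compact encoding, and a reader who only looks at the first list that mentions R2 would miss that P3 also applies to it.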
JSON representation
{ "resources": [ { object (
Field | Description
---|---
resources[] | The resources that match one of the following conditions: the resourceSelector, if it is specified in the request; otherwise, resources reachable from the policy-attached resource.
accesses[] | The accesses that match one of the following conditions: the accessSelector, if it is specified in the request; otherwise, access specifiers reachable from the policy binding's role.
resourceEdges[] | Resource edges of the graph starting from the policy-attached resource to any descendant resources. The
Resource
A Google Cloud resource under analysis.
JSON representation
{ "fullResourceName": string, "analysisState": { object (
Field | Description
---|---
fullResourceName |
analysisState | The analysis state of this resource.
IamPolicyAnalysisState
Represents the detailed state of an entity under analysis, such as a resource, an identity or an access.
JSON representation
{ "code": enum (
Field | Description
---|---
code | The Google standard error code that best describes the state. For example: OK means the analysis on this entity has been successfully finished; PERMISSION_DENIED means an access denied error was encountered; DEADLINE_EXCEEDED means the analysis on this entity was not started in time.
cause | The human-readable description of the cause of failure.
Access
An IAM role or permission under analysis.
JSON representation
{ "analysisState": { object (
Field | Description
---|---
analysisState | The analysis state of this access.
Union field |
role | The role.
permission | The permission.
Edge
A directional edge.
JSON representation
{ "sourceNode": string, "targetNode": string }
Field | Description
---|---
sourceNode | The source node of the edge. For example, it could be the full resource name of a resource node or the email of an identity.
targetNode | The target node of the edge. For example, it could be the full resource name of a resource node or the email of an identity.
IdentityList
The identities and group edges.
JSON representation
{ "identities": [ { object (
Field | Description
---|---
identities[] | Only the identities that match one of the following conditions will be presented: the identitySelector, if it is specified in the request; otherwise, identities reachable from the policy binding's members.
groupEdges[] | Group identity edges of the graph starting from the binding's group members to any node of the
Identity
An identity under analysis.
JSON representation
{ "name": string, "analysisState": { object (
Field | Description
---|---
name | The identity name in any of the forms in which members appear in an IAM policy binding, such as: user:foo@google.com; group:group1@google.com; serviceAccount:s1@prj1.iam.gserviceaccount.com; projectOwner:some_project_id; domain:google.com; allUsers; etc.
analysisState | The analysis state of this identity.