Method: searchAllIamPolicies

Searches all IAM policies within the specified scope, such as a project, folder, or organization. The caller must be granted the cloudasset.assets.searchAllIamPolicies permission on the desired scope, otherwise the request will be rejected.

HTTP request

GET https://cloudasset.googleapis.com/v1/{scope=*/*}:searchAllIamPolicies

The URL uses gRPC Transcoding syntax.

Path parameters

Parameters
scope

string

Required. A scope can be a project, a folder, or an organization. The search is limited to the IAM policies within the scope. The caller must be granted the cloudasset.assets.searchAllIamPolicies permission on the desired scope.

The allowed values are:

  • projects/{PROJECT_ID} (e.g., "projects/foo-bar")
  • projects/{PROJECT_NUMBER} (e.g., "projects/12345678")
  • folders/{FOLDER_NUMBER} (e.g., "folders/1234567")
  • organizations/{ORGANIZATION_NUMBER} (e.g., "organizations/123456")

Authorization requires the following IAM permission on the specified resource scope:

  • cloudasset.assets.searchAllIamPolicies

Query parameters

Parameters
query

string

Optional. The query statement. See how to construct a query for more information. If not specified or empty, it will search all the IAM policies within the specified scope.

Examples:

  • policy:amy@gmail.com to find IAM policy bindings that specify user "amy@gmail.com".
  • policy:roles/compute.admin to find IAM policy bindings that specify the Compute Admin role.
  • policy.role.permissions:storage.buckets.update to find IAM policy bindings that specify a role containing the "storage.buckets.update" permission. Note that if the caller does not have iam.roles.get access to a role's included permissions, policy bindings that specify this role are dropped from the search results, so an empty result does not prove that nobody holds the permission.
  • resource:organizations/123456 to find IAM policy bindings that are set on "organizations/123456".
  • Important to find IAM policy bindings that contain "Important" as a word in any of the searchable fields (except for the included permissions).
  • *por* to find IAM policy bindings that contain "por" as a substring in any of the searchable fields (except for the included permissions).
  • resource:(instance1 OR instance2) policy:amy to find IAM policy bindings that are set on resources "instance1" or "instance2" and also specify user "amy".
pageSize

integer

Optional. The page size for search result pagination. Page size is capped at 500 even if a larger value is given. If set to zero, server will pick an appropriate default. Returned results may be fewer than requested. When this happens, there could be more results as long as nextPageToken is returned.

pageToken

string

Optional. If present, retrieve the next batch of results from the preceding call to this method. pageToken must be the value of nextPageToken from the previous response. The values of all other method parameters must be identical to those in the previous call.
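The following is an added example, not code from this page or from Google's client libraries, showing how a client should assemble the request URL and drive pagination: the scope prefix is validated, pageSize is clamped to the documented cap of 500, query and pageSize are held constant across pages, and pageToken is the only parameter that changes. The injected fetch callable, the two-page fake_fetch transport and the resource names it returns are constructed for the example; a real caller would perform an authenticated GET with an access token carrying the cloud-platform scope.

```python
import urllib.parse

ENDPOINT = "https://cloudasset.googleapis.com/v1"
MAX_PAGE_SIZE = 500  # the server caps pageSize at 500 even if a larger value is sent
SCOPE_PREFIXES = ("projects/", "folders/", "organizations/")


def is_valid_scope(scope):
    """True for projects/<id>, folders/<number> or organizations/<number>."""
    return (scope.startswith(SCOPE_PREFIXES)
            and scope.count("/") == 1
            and not scope.endswith("/"))


def build_request(scope, query="", page_size=0, page_token=""):
    """Return the GET URL for searchAllIamPolicies with URL-encoded query parameters."""
    if not is_valid_scope(scope):
        raise ValueError(f"scope must be projects/, folders/ or organizations/<id>: {scope!r}")
    if page_size < 0:
        raise ValueError("pageSize must be >= 0")
    params = {}
    if query:
        params["query"] = query
    if page_size:
        params["pageSize"] = min(page_size, MAX_PAGE_SIZE)
    if page_token:
        params["pageToken"] = page_token
    url = f"{ENDPOINT}/{scope}:searchAllIamPolicies"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    return url


def search_all_iam_policies(fetch, scope, query="", page_size=0):
    """Yield every IamPolicySearchResult across all pages.

    fetch(url) is an injected callable that performs the authenticated GET and
    returns the decoded JSON body. Every page repeats the same query and
    pageSize and only varies pageToken, as the API requires.
    """
    page_token = ""
    seen_tokens = set()
    while True:
        body = fetch(build_request(scope, query, page_size, page_token))
        for result in body.get("results", []):
            yield result
        page_token = body.get("nextPageToken", "")
        if not page_token:          # no token means this was the last page
            return
        if page_token in seen_tokens:  # defensive: never loop forever on a repeated token
            raise RuntimeError("server returned a repeated nextPageToken")
        seen_tokens.add(page_token)


# Constructed fake transport (not a real API response): two pages, the first
# carrying a nextPageToken and the second not.
def fake_fetch(url):
    parsed = urllib.parse.urlparse(url)
    params = urllib.parse.parse_qs(parsed.query)
    token = params.get("pageToken", [""])[0]
    assert parsed.path == "/v1/projects/my-project:searchAllIamPolicies"
    assert params["query"] == ["policy:allUsers"]  # query must be identical on every page
    if token == "":
        return {"results": [{"resource": "//storage.googleapis.com/projects/_/buckets/public-bucket"}],
                "nextPageToken": "page-2"}
    if token == "page-2":
        return {"results": [{"resource": "//cloudresourcemanager.googleapis.com/projects/my-project"}]}
    raise ValueError(f"unexpected pageToken {token!r}")


def public_resources(scope="projects/my-project"):
    """Resources in the scope whose policy grants something to allUsers (via the fake transport)."""
    return [r["resource"]
            for r in search_all_iam_policies(fake_fetch, scope, "policy:allUsers", 500)]


if __name__ == "__main__":
    for res in public_resources():
        print(res)
```

The query string policy:allUsers is a member match in the same form as the policy:amy@gmail.com example above; the seen_tokens guard is not something the API documents, it simply stops a client from spinning if a server ever hands back the same token twice.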

Request body

The request body must be empty.

Response body

If successful, the response body contains data with the following structure:

Search all IAM policies response.

JSON representation
{
  "results": [
    {
      object (IamPolicySearchResult)
    }
  ],
  "nextPageToken": string
}
Fields
results[]

object (IamPolicySearchResult)

A list of IAM policies that match the search query. Related information such as the associated resource is returned along with each policy.

nextPageToken

string

Set if there are more results than those appearing in this response; to get the next set of results, call this method again, using this value as the pageToken.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IamPolicySearchResult

A result of an IAM policy search, containing information about one IAM policy and the resource it is attached to.

JSON representation
{
  "resource": string,
  "project": string,
  "policy": {
    object (Policy)
  },
  "explanation": {
    object (Explanation)
  }
}
Fields
resource

string

The full resource name of the resource associated with this IAM policy. Example: //compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1. See Cloud Asset Inventory Resource name Format for more information.

To search against the resource:

  • use a field query. Example: resource:organizations/123
project

string

The project that the associated GCP resource belongs to, in the form of projects/{PROJECT_NUMBER}. If an IAM policy is set on a resource (like a VM instance or Cloud Storage bucket), the project field indicates the project that contains the resource. If an IAM policy is set on a folder or organization, the project field is empty.

To search against the project:

  • specify the scope field as this project in your search request.
policy

object (Policy)

The IAM policy directly set on the given resource. Note that the original IAM policy can contain multiple bindings; this field only contains the bindings that match the given query. For queries that don't contain a constraint on policies (e.g., an empty query), it contains all the bindings. Because a filtered result omits non-matching bindings, do not treat this field as the complete policy of the resource unless the query placed no constraint on the policy.

To search against the policy bindings:

  • use a field query:
    • query by the policy contained members. Example: policy:amy@gmail.com
    • query by the policy contained roles. Example: policy:roles/compute.admin
    • query by the policy contained roles' included permissions. Example: policy.role.permissions:compute.instances.create
explanation

object (Explanation)

Explanation about the IAM policy search result. It contains additional information to explain why the search result matches the query.

Explanation

Explanation about the IAM policy search result.

JSON representation
{
  "matchedPermissions": {
    string: {
      object (Permissions)
    },
    ...
  }
}
Fields
matchedPermissions

map (key: string, value: object (Permissions))

The map from roles to their included permissions that match the permission query (i.e., a query containing policy.role.permissions:). Example: if query policy.role.permissions:compute.disk.get matches a policy binding that contains owner role, the matchedPermissions will be {"roles/owner": ["compute.disk.get"]}. The roles can also be found in the returned policy bindings. Note that the map is populated only for requests with permission queries.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
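The following is an added example, not code from this page, showing how a caller turns a searchAllIamPolicies response into findings. The sample response, its resource names, project number and members are constructed for the example, and the {"permissions": [...]} shape used for the Permissions value inside matchedPermissions is an assumption about the JSON form of that message. The code exercises two things the structures above imply: the project field is absent for folder- and organization-level policies, and policy.bindings holds only the bindings that matched the query, so the inverted permission index built from explanation.matchedPermissions reflects the query, not the whole policy.

```python
from collections import defaultdict

# Constructed sample (not a real API response): what a response for the query
# policy.role.permissions:storage.buckets.update might look like.
SAMPLE_RESPONSE = {
    "results": [
        {
            "resource": "//storage.googleapis.com/projects/_/buckets/prod-logs",
            "project": "projects/12345678",
            "policy": {
                "bindings": [
                    {"role": "roles/storage.admin",
                     "members": ["user:amy@example.com", "allAuthenticatedUsers"]},
                ]
            },
            "explanation": {
                "matchedPermissions": {
                    # assumed JSON form of the Permissions message
                    "roles/storage.admin": {"permissions": ["storage.buckets.update"]}
                }
            },
        },
        {
            # folder-level policy: no "project" field is present
            "resource": "//cloudresourcemanager.googleapis.com/folders/1234567",
            "policy": {
                "bindings": [
                    {"role": "roles/owner", "members": ["group:platform-admins@example.com"]},
                ]
            },
            "explanation": {
                "matchedPermissions": {
                    "roles/owner": {"permissions": ["storage.buckets.update"]}
                }
            },
        },
    ]
}

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def flatten_bindings(results):
    """Turn IamPolicySearchResult objects into (resource, project, role, member) rows."""
    rows = []
    for r in results:
        project = r.get("project", "")  # empty for folder- and organization-level policies
        for binding in r.get("policy", {}).get("bindings", []):
            for member in binding.get("members", []):
                rows.append((r["resource"], project, binding["role"], member))
    return rows


def matched_permissions(result):
    """Map role -> permissions that caused this result to match a policy.role.permissions: query."""
    mp = result.get("explanation", {}).get("matchedPermissions", {})
    return {role: list(v.get("permissions", [])) for role, v in mp.items()}


def public_grants(results):
    """Rows whose member is allUsers or allAuthenticatedUsers."""
    return [row for row in flatten_bindings(results) if row[3] in PUBLIC_PRINCIPALS]


def members_by_permission(results):
    """Invert the explanation: permission -> sorted members that hold it via a matched role.

    Only bindings returned in the result are considered, which is exactly the
    set that matched the query; bindings filtered out by the server are unknown here.
    """
    index = defaultdict(set)
    for r in results:
        perms_by_role = matched_permissions(r)
        for binding in r.get("policy", {}).get("bindings", []):
            for perm in perms_by_role.get(binding["role"], []):
                index[perm].update(binding.get("members", []))
    return {perm: sorted(members) for perm, members in index.items()}


if __name__ == "__main__":
    for row in public_grants(SAMPLE_RESPONSE["results"]):
        print("public grant:", row)
    for perm, members in members_by_permission(SAMPLE_RESPONSE["results"]).items():
        print(perm, "->", members)
```

A binding whose role the caller cannot read with iam.roles.get never appears in results (see the query examples above), so members_by_permission can under-report; run the search with an identity that has iam.roles.get on the custom roles in scope if completeness matters.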