This page contains sample queries for various IAM policy search
use cases. Some examples on this page make use of commands like grep
and
sed
, which are available in Cloud Shell and Unix-like operating systems.
List IAM policies and format the output
gcloud
gcloud asset search-all-iam-policies \
--scope=SCOPE \
--flatten="policy.bindings[].members[]" \
--format="table(resource, policy.bindings.role, policy.bindings.members)"
Provide the following values:
SCOPE
: A scope can be a project, a folder, or an organization.The allowed values are:
projects/PROJECT_ID
projects/PROJECT_NUMBER
How to find a Google Cloud project number
Console
To find a Google Cloud project number, complete the following steps:
-
Go to the Dashboard page in the Google Cloud console.
- Click the switcher box in the menu bar.
- Select your organization from the Select from box, and then search for your project name.
- Click the project name to switch to that project. The project number is shown in the Project info card.
gcloud CLI
You can retrieve a Google Cloud project number with the following command:
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
-
folders/FOLDER_ID
How to find a Google Cloud folder ID
Console
To find a Google Cloud folder ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the
--format
option to see further information about the found folders.To get the ID of a folder within another folder, list the subfolders:
gcloud resource-manager folders list --folder=FOLDER_ID
-
organizations/ORGANIZATION_ID
How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
Other flags:
You can add
--query
to get more specific resource search results.You can add
--asset-types
to get more specific types of resources.You can remove
--flatten
and--format
if you don't want to format the results.You can use
csv
instead oftable
to output the results in CSV format.You can add
--limit
to only get a subset of the search results. Without this flag, Cloud Asset Inventory automatically pages through all the search results.
REST
curl -X POST \
-H "X-HTTP-Method-Override: GET" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-d '{
"pageSize": PAGE_SIZE
}' \
https://cloudasset.googleapis.com/v1/SCOPE:searchAllIamPolicies
Provide the following values:
PAGE_SIZE
: Optional. The number of results to return per page. The maximum is 2000. If the value is set to0
or a negative value, an appropriate default is selected. AnextPageToken
is returned to retrieve subsequent results.SCOPE
: A scope can be a project, a folder, or an organization.The allowed values are:
projects/PROJECT_ID
projects/PROJECT_NUMBER
How to find a Google Cloud project number
Console
To find a Google Cloud project number, complete the following steps:
-
Go to the Dashboard page in the Google Cloud console.
- Click the switcher box in the menu bar.
- Select your organization from the Select from box, and then search for your project name.
- Click the project name to switch to that project. The project number is shown in the Project info card.
gcloud CLI
You can retrieve a Google Cloud project number with the following command:
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
-
folders/FOLDER_ID
How to find a Google Cloud folder ID
Console
To find a Google Cloud folder ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the
--format
option to see further information about the found folders.To get the ID of a folder within another folder, list the subfolders:
gcloud resource-manager folders list --folder=FOLDER_ID
-
organizations/ORGANIZATION_ID
How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
Other parameters:
You can add a
query
key to the body to get more specific resource search results.You can add an
assetTypes
key to the body to get more specific types of resources.
List resources that have IAM policies with "example" in the policy name
gcloud
gcloud asset search-all-iam-policies \
--scope=SCOPE \
--query="resource:example"
Provide the following values:
SCOPE
: A scope can be a project, a folder, or an organization.The allowed values are:
projects/PROJECT_ID
projects/PROJECT_NUMBER
How to find a Google Cloud project number
Console
To find a Google Cloud project number, complete the following steps:
-
Go to the Dashboard page in the Google Cloud console.
- Click the switcher box in the menu bar.
- Select your organization from the Select from box, and then search for your project name.
- Click the project name to switch to that project. The project number is shown in the Project info card.
gcloud CLI
You can retrieve a Google Cloud project number with the following command:
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
-
folders/FOLDER_ID
How to find a Google Cloud folder ID
Console
To find a Google Cloud folder ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the
--format
option to see further information about the found folders.To get the ID of a folder within another folder, list the subfolders:
gcloud resource-manager folders list --folder=FOLDER_ID
-
organizations/ORGANIZATION_ID
How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
REST
curl -X POST \
-H "X-HTTP-Method-Override: GET" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-d '{
"query": "resource:example"
}' \
https://cloudasset.googleapis.com/v1/SCOPE:searchAllIamPolicies
Provide the following values:
SCOPE
: A scope can be a project, a folder, or an organization.The allowed values are:
projects/PROJECT_ID
projects/PROJECT_NUMBER
How to find a Google Cloud project number
Console
To find a Google Cloud project number, complete the following steps:
-
Go to the Dashboard page in the Google Cloud console.
- Click the switcher box in the menu bar.
- Select your organization from the Select from box, and then search for your project name.
- Click the project name to switch to that project. The project number is shown in the Project info card.
gcloud CLI
You can retrieve a Google Cloud project number with the following command:
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
-
folders/FOLDER_ID
How to find a Google Cloud folder ID
Console
To find a Google Cloud folder ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the
--format
option to see further information about the found folders.To get the ID of a folder within another folder, list the subfolders:
gcloud resource-manager folders list --folder=FOLDER_ID
-
organizations/ORGANIZATION_ID
How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
List IAM policies that are set on project, folder, or organization resources in your organization
gcloud
gcloud asset search-all-iam-policies \
--scope=organizations/ORGANIZATION_ID \
--asset-types=cloudresourcemanager.*
Provide the following values:
ORGANIZATION_ID
: The ID of the organization you're listing policies for.How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
You can change the --asset-types
flag to
cloudresourcemanager.googleapis.com/Project
to scope the search for only
project resources, or cloudresourcemanager.googleapis.com/Folder
for
folder resources.
REST
curl -X POST \
-H "X-HTTP-Method-Override: GET" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-d '{
"assetTypes": "cloudresourcemanager.*"
}' \
https://cloudasset.googleapis.com/v1/organizations/ORGANIZATION_ID:searchAllIamPolicies
Provide the following values:
ORGANIZATION_ID
: The ID of the organization you're listing policies for.How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
You can change the assetTypes
value to
cloudresourcemanager.googleapis.com/Project
to scope the search for only
project resources, or cloudresourcemanager.googleapis.com/Folder
for
folder resources.
List viewers of a project, folder, or organization
This call returns the viewers from the IAM policies directly set on the project, but doesn't extend to searching the policies inherited from the project's parent resources.
gcloud
gcloud asset search-all-iam-policies \
--scope=SCOPE \
--query="roles:roles/viewer" \
--asset-types=cloudresourcemanager.* \
--flatten="policy.bindings[].members[]" \
--format="table(policy.bindings.members)"
Provide the following values:
SCOPE
: A scope can be a project, a folder, or an organization.The allowed values are:
projects/PROJECT_ID
projects/PROJECT_NUMBER
How to find a Google Cloud project number
Console
To find a Google Cloud project number, complete the following steps:
-
Go to the Dashboard page in the Google Cloud console.
- Click the switcher box in the menu bar.
- Select your organization from the Select from box, and then search for your project name.
- Click the project name to switch to that project. The project number is shown in the Project info card.
gcloud CLI
You can retrieve a Google Cloud project number with the following command:
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
-
folders/FOLDER_ID
How to find a Google Cloud folder ID
Console
To find a Google Cloud folder ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the
--format
option to see further information about the found folders.To get the ID of a folder within another folder, list the subfolders:
gcloud resource-manager folders list --folder=FOLDER_ID
-
organizations/ORGANIZATION_ID
How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
REST
curl -X POST \
-H "X-HTTP-Method-Override: GET" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-d '{
"assetTypes": "cloudresourcemanager.*",
"pageSize": PAGE_SIZE,
"query": "roles:roles/viewer"
}' \
https://cloudasset.googleapis.com/v1/SCOPE:searchAllIamPolicies
Provide the following values:
PAGE_SIZE
: Optional. The number of results to return per page. The maximum is 2000. If the value is set to0
or a negative value, an appropriate default is selected. AnextPageToken
is returned to retrieve subsequent results.SCOPE
: A scope can be a project, a folder, or an organization.The allowed values are:
projects/PROJECT_ID
projects/PROJECT_NUMBER
How to find a Google Cloud project number
Console
To find a Google Cloud project number, complete the following steps:
-
Go to the Dashboard page in the Google Cloud console.
- Click the switcher box in the menu bar.
- Select your organization from the Select from box, and then search for your project name.
- Click the project name to switch to that project. The project number is shown in the Project info card.
gcloud CLI
You can retrieve a Google Cloud project number with the following command:
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
-
folders/FOLDER_ID
How to find a Google Cloud folder ID
Console
To find a Google Cloud folder ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the
--format
option to see further information about the found folders.To get the ID of a folder within another folder, list the subfolders:
gcloud resource-manager folders list --folder=FOLDER_ID
-
organizations/ORGANIZATION_ID
How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
List projects where a user has the owner role
This call returns the projects whose direct IAM policies specify the user and the owner role, but doesn't extend to searching the policies inherited from the projects' parent resources.
gcloud
gcloud asset search-all-iam-policies \
--scope=SCOPE \
--query="policy:(roles/owner USER_EMAIL_ADDRESS)" \
--asset-types=cloudresourcemanager.googleapis.com/Project \
--format="table(resource)"
Provide the following values:
SCOPE
: A scope can be a project, a folder, or an organization.The allowed values are:
projects/PROJECT_ID
projects/PROJECT_NUMBER
How to find a Google Cloud project number
Console
To find a Google Cloud project number, complete the following steps:
-
Go to the Dashboard page in the Google Cloud console.
- Click the switcher box in the menu bar.
- Select your organization from the Select from box, and then search for your project name.
- Click the project name to switch to that project. The project number is shown in the Project info card.
gcloud CLI
You can retrieve a Google Cloud project number with the following command:
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
-
folders/FOLDER_ID
How to find a Google Cloud folder ID
Console
To find a Google Cloud folder ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the
--format
option to see further information about the found folders.To get the ID of a folder within another folder, list the subfolders:
gcloud resource-manager folders list --folder=FOLDER_ID
-
organizations/ORGANIZATION_ID
How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
USER_EMAIL_ADDRESS
: The email address of the Google Cloud account you're looking for.
REST
curl -X POST \
-H "X-HTTP-Method-Override: GET" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-d '{
"assetTypes": "cloudresourcemanager.googleapis.com/Project",
"pageSize": PAGE_SIZE,
"query": "policy:(roles/owner USER_EMAIL_ADDRESS)"
}' \
https://cloudasset.googleapis.com/v1/SCOPE:searchAllIamPolicies
Provide the following values:
PAGE_SIZE
: Optional. The number of results to return per page. The maximum is 2000. If the value is set to0
or a negative value, an appropriate default is selected. AnextPageToken
is returned to retrieve subsequent results.USER_EMAIL_ADDRESS
: The email address of the Google Cloud account you're looking for.SCOPE
: A scope can be a project, a folder, or an organization.The allowed values are:
projects/PROJECT_ID
projects/PROJECT_NUMBER
How to find a Google Cloud project number
Console
To find a Google Cloud project number, complete the following steps:
-
Go to the Dashboard page in the Google Cloud console.
- Click the switcher box in the menu bar.
- Select your organization from the Select from box, and then search for your project name.
- Click the project name to switch to that project. The project number is shown in the Project info card.
gcloud CLI
You can retrieve a Google Cloud project number with the following command:
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
-
folders/FOLDER_ID
How to find a Google Cloud folder ID
Console
To find a Google Cloud folder ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the
--format
option to see further information about the found folders.To get the ID of a folder within another folder, list the subfolders:
gcloud resource-manager folders list --folder=FOLDER_ID
-
organizations/ORGANIZATION_ID
How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
List roles that a user has on a project
This call returns the roles from the IAM policies directly set on the project, but doesn't extend to searching the policies inherited from the project's parent resources.
gcloud
gcloud asset search-all-iam-policies \
--scope=projects/PROJECT_ID \
--query="policy:USER_EMAIL_ADDRESS" \
--asset-types=cloudresourcemanager.googleapis.com/Project \
--flatten="policy.bindings[]" \
--format="table(policy.bindings.role)"
Provide the following values:
PROJECT_ID
: The ID of the project the user has access to.USER_EMAIL_ADDRESS
: The email address of the user whose roles you're querying.
REST
curl -X POST \
-H "X-HTTP-Method-Override: GET" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-d '{
"assetTypes": "cloudresourcemanager.googleapis.com/Project",
"pageSize": PAGE_SIZE,
"query": "policy:USER_EMAIL_ADDRESS"
}' \
https://cloudasset.googleapis.com/v1/projects/PROJECT_ID:searchAllIamPolicies
Provide the following values:
PAGE_SIZE
: Optional. The number of results to return per page. The maximum is 2000. If the value is set to0
or a negative value, an appropriate default is selected. AnextPageToken
is returned to retrieve subsequent results.USER_EMAIL_ADDRESS
: The email address of the user whose roles you're querying.PROJECT_ID
: The ID of the project the user has access to.
List permissions that a user has on a project
This call returns the user's permissions obtained from the IAM policies directly set on the project, but doesn't extend to searching the policies inherited from the project's parent resources.
gcloud
gcloud asset search-all-iam-policies \
--scope=projects/PROJECT_ID \
--query="policy:USER_EMAIL_ADDRESS policy.role.permissions:\"\"" \
--asset-types=cloudresourcemanager.* \
--format="default(explanation.matchedPermissions)"
Provide the following values:
PROJECT_ID
: The ID of the project the user has access to.USER_EMAIL_ADDRESS
: The email address of th user whose permissions you're querying.
REST
curl -X POST \
-H "X-HTTP-Method-Override: GET" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-d '{
"assetTypes": "cloudresourcemanager.*",
"pageSize": PAGE_SIZE,
"query": "policy:USER_EMAIL_ADDRESS policy.role.permissions:\"\""
}' \
https://cloudasset.googleapis.com/v1/projects/PROJECT_ID:searchAllIamPolicies
Provide the following values:
PAGE_SIZE
: Optional. The number of results to return per page. The maximum is 2000. If the value is set to0
or a negative value, an appropriate default is selected. AnextPageToken
is returned to retrieve subsequent results.USER_EMAIL_ADDRESS
: The email address of the user whose permissions you're querying.PROJECT_ID
: The ID of the project the user has access to.
List users that can access a Cloud Storage bucket
gcloud
gcloud asset search-all-iam-policies \
--scope=projects/PROJECT_ID \
--query="policy.role.permissions:storage.buckets" \
--asset-types=cloudresourcemanager.* \
--flatten="policy.bindings[].members[]" \
--format="table(policy.bindings.members)"
Provide the following values:
PROJECT_ID
: The ID of the project the user has access to.
REST
curl -X POST \
-H "X-HTTP-Method-Override: GET" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-d '{
"assetTypes": "cloudresourcemanager.*",
"pageSize": PAGE_SIZE,
"query": "policy.role.permissions:storage.buckets"
}' \
https://cloudasset.googleapis.com/v1/projects/PROJECT_ID:searchAllIamPolicies
Provide the following values:
PAGE_SIZE
: Optional. The number of results to return per page. The maximum is 2000. If the value is set to0
or a negative value, an appropriate default is selected. AnextPageToken
is returned to retrieve subsequent results.PROJECT_ID
: The ID of the project the user has access to.
List service accounts that have an owner role in order to detect risky policy settings
gcloud
gcloud asset search-all-iam-policies \
--scope=organizations/ORGANIZATION_ID \
--query="policy:(roles/owner serviceAccount)" \
--flatten="policy.bindings[].members[]" \
--format="table(resource.segment(3):label=RESOURCE_TYPE, resource.basename():label=RESOURCE, policy.bindings.members)" |
grep serviceAccount
Provide the following values:
ORGANIZATION_ID
: The ID of the organization you're listing policies for.How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
REST
curl -X POST \
-H "X-HTTP-Method-Override: GET" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-s \
-d '{
"pageSize": PAGE_SIZE,
"query": "policy:(roles/owner serviceAccount)"
}' \
https://cloudasset.googleapis.com/v1/organizations/ORGANIZATION_ID:searchAllIamPolicies |
sed 's/^\s*//' | grep serviceAccount
Provide the following values:
PAGE_SIZE
: Optional. The number of results to return per page. The maximum is 2000. If the value is set to0
or a negative value, an appropriate default is selected. AnextPageToken
is returned to retrieve subsequent results.ORGANIZATION_ID
: The ID of the organization you're listing policies for.How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
List resources that can be accessed by Gmail users
gcloud
gcloud asset search-all-iam-policies \
--scope=organizations/ORGANIZATION_ID \
--query="policy:gmail.com" \
--flatten="policy.bindings[].members[]" \
--format="csv(resource, policy.bindings.role, policy.bindings.members)" |
grep @gmail.com
Provide the following values:
ORGANIZATION_ID
: The ID of the organization you're listing policies for.How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
REST
curl -X POST \
-H "X-HTTP-Method-Override: GET" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-s \
-d '{
"pageSize": PAGE_SIZE,
"query": "policy:gmail.com"
}' \
https://cloudasset.googleapis.com/v1/organizations/ORGANIZATION_ID:searchAllIamPolicies |
sed 's/^\s*//' | grep @gmail.com
Provide the following values:
PAGE_SIZE
: Optional. The number of results to return per page. The maximum is 2000. If the value is set to0
or a negative value, an appropriate default is selected. AnextPageToken
is returned to retrieve subsequent results.ORGANIZATION_ID
: The ID of the organization you're listing policies for.How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
List resources that have roles granted to the whole domain
gcloud
gcloud asset search-all-iam-policies \
--scope=organizations/ORGANIZATION_ID \
--query="policy:\"domain:DOMAIN_NAME\"" \
--flatten="policy.bindings[]" \
--format="table(resource, policy.bindings.role)"
Provide the following values:
ORGANIZATION_ID
: The ID of the organization you're listing policies for.How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
DOMAIN_NAME
: The domain name associated with your organization.
REST
curl -X POST \
-H "X-HTTP-Method-Override: GET" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-s \
-d '{
"pageSize": PAGE_SIZE,
"query": "policy:\"domain:DOMAIN_NAME\""
}' \
https://cloudasset.googleapis.com/v1/organizations/ORGANIZATION_ID:searchAllIamPolicies
Provide the following values:
PAGE_SIZE
: Optional. The number of results to return per page. The maximum is 2000. If the value is set to0
or a negative value, an appropriate default is selected. AnextPageToken
is returned to retrieve subsequent results.DOMAIN_NAME
: The domain name associated with your organization.ORGANIZATION_ID
: The ID of the organization you're listing policies for.How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
List resources that have roles granted to the public
gcloud
gcloud asset search-all-iam-policies \
--scope=SCOPE \
--query="memberTypes:(allUsers OR allAuthenticatedUsers)" \
--format="table(resource)"
Provide the following values:
SCOPE
: A scope can be a project, a folder, or an organization.The allowed values are:
projects/PROJECT_ID
projects/PROJECT_NUMBER
How to find a Google Cloud project number
Console
To find a Google Cloud project number, complete the following steps:
-
Go to the Dashboard page in the Google Cloud console.
- Click the switcher box in the menu bar.
- Select your organization from the Select from box, and then search for your project name.
- Click the project name to switch to that project. The project number is shown in the Project info card.
gcloud CLI
You can retrieve a Google Cloud project number with the following command:
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
-
folders/FOLDER_ID
How to find a Google Cloud folder ID
Console
To find a Google Cloud folder ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the
--format
option to see further information about the found folders.To get the ID of a folder within another folder, list the subfolders:
gcloud resource-manager folders list --folder=FOLDER_ID
-
organizations/ORGANIZATION_ID
How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
REST
curl -X POST \
-H "X-HTTP-Method-Override: GET" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-s \
-d '{
"pageSize": PAGE_SIZE,
"query": "memberTypes:(allUsers OR allAuthenticatedUsers)"
}' \
https://cloudasset.googleapis.com/v1/SCOPE:searchAllIamPolicies |
sed 's/^\s*//' | grep \"resource\":
Provide the following values:
PAGE_SIZE
: Optional. The number of results to return per page. The maximum is 2000. If the value is set to0
or a negative value, an appropriate default is selected. AnextPageToken
is returned to retrieve subsequent results.SCOPE
: A scope can be a project, a folder, or an organization.The allowed values are:
projects/PROJECT_ID
projects/PROJECT_NUMBER
How to find a Google Cloud project number
Console
To find a Google Cloud project number, complete the following steps:
-
Go to the Dashboard page in the Google Cloud console.
- Click the switcher box in the menu bar.
- Select your organization from the Select from box, and then search for your project name.
- Click the project name to switch to that project. The project number is shown in the Project info card.
gcloud CLI
You can retrieve a Google Cloud project number with the following command:
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
-
folders/FOLDER_ID
How to find a Google Cloud folder ID
Console
To find a Google Cloud folder ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the
--format
option to see further information about the found folders.To get the ID of a folder within another folder, list the subfolders:
gcloud resource-manager folders list --folder=FOLDER_ID
-
organizations/ORGANIZATION_ID
How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
List users/groups who can change IAM policies on a project, folder, or organization
gcloud
gcloud asset search-all-iam-policies \
--scope=organizations/ORGANIZATION_ID \
--query="policy.role.permissions:(resourcemanager.organizations.setIamPolicy OR resourcemanager.folders.setIamPolicy OR resourcemanager.projects.setIamPolicy)" \
--format="json(resource, policy.bindings, explanation.matchedPermissions)"
Provide the following values:
ORGANIZATION_ID
: The ID of the organization you're listing policies for.How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
REST
curl -X POST \
-H "X-HTTP-Method-Override: GET" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-s \
-d '{
"pageSize": PAGE_SIZE,
"query": "policy.role.permissions:(resourcemanager.organizations.setIamPolicy OR resourcemanager.folders.setIamPolicy OR resourcemanager.projects.setIamPolicy)"
}' \
https://cloudasset.googleapis.com/v1/organizations/ORGANIZATION_ID:searchAllIamPolicies
Provide the following values:
PAGE_SIZE
: Optional. The number of results to return per page. The maximum is 2000. If the value is set to0
or a negative value, an appropriate default is selected. AnextPageToken
is returned to retrieve subsequent results.ORGANIZATION_ID
: The ID of the organization you're listing policies for.How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-