This page contains sample queries for various IAM policy search use cases.
Use Case: List IAM policies within your organization and format the output as tuples (RESOURCE, ROLE, MEMBER)
gcloud asset search-all-iam-policies \
--scope=organizations/123456 \
--page-size=50 \
--flatten='policy.bindings[].members[]' \
--format='table(resource, policy.bindings.role, policy.bindings.members)'
You can change the --scope to projects/12345678 or folders/1234567 to search within a project or folder instead of an organization.
You can add --query restrictions to get more specific search results.
You can add --asset-types restrictions to get more specific types of resources.
You can remove the --flatten and --format flags if you don't want to format the results.
You can use csv instead of table to format the results as CSV.
You can add --limit to only get a subset of the search results. Without this flag, the command automatically pages through all the search results.
Use Case: List IAM policies within your project
gcloud asset search-all-iam-policies \
--scope=projects/12345678
You can change the --scope to organizations/123456 or folders/1234567 to list all the IAM policies within your organization or folder instead of a project.
You can add --query restrictions to get more specific policy search results.
Use Case: List IAM policies that are set on resources with the word "foo" in the resource names
gcloud asset search-all-iam-policies \
--scope=organizations/123456 \
--query='resource:foo'
Use Case: List IAM policies that are set on organization/folder/project resources within your organization
gcloud asset search-all-iam-policies \
--scope=organizations/123456 \
--asset-types='cloudresourcemanager.*'
You can change the --asset-types flag to cloudresourcemanager.googleapis.com/Project to scope the search to only project resources.
Use Case: List viewers of a project
gcloud asset search-all-iam-policies \
--scope=projects/12345678 \
--query='roles:roles/viewer' \
--asset-types='cloudresourcemanager.*' \
--page-size=50 \
--flatten='policy.bindings[].members[]' \
--format='table(policy.bindings.members)'
Use Case: List projects where a user has the owner role
gcloud asset search-all-iam-policies \
--scope=organizations/123456 \
--query='policy:(roles/owner user@mycompany.com)' \
--asset-types='cloudresourcemanager.googleapis.com/Project' \
--page-size=50 \
--format='table(resource)'
Use Case: List roles that a user has upon a project
gcloud asset search-all-iam-policies \
--scope=projects/12345678 \
--query='policy:user@mycompany.com' \
--asset-types='cloudresourcemanager.googleapis.com/Project' \
--page-size=50 \
--flatten='policy.bindings[]' \
--format='table(policy.bindings.role)'
Use Case: List permissions that a user has upon a project
gcloud asset search-all-iam-policies \
--scope=projects/12345678 \
--query='policy:user@mycompany.com policy.role.permissions:""' \
--asset-types='cloudresourcemanager.*' \
--page-size=50 \
--format='default(explanation.matchedPermissions)'
Use Case: List users that can access a Cloud Storage bucket
gcloud asset search-all-iam-policies \
--scope=projects/12345678 \
--query='policy.role.permissions:storage.buckets' \
--asset-types='cloudresourcemanager.*' \
--page-size=50 \
--flatten='policy.bindings[].members[]' \
--format='table(policy.bindings.members)'
Use Case: List service accounts that have owner role in order to detect risky policy settings
gcloud asset search-all-iam-policies \
--scope=organizations/123456 \
--query='policy:(roles/owner serviceAccount)' \
--page-size=50 \
--flatten='policy.bindings[].members[]' \
--format='table(resource.segment(3):label=RESOURCE_TYPE, resource.basename():label=RESOURCE, policy.bindings.members)' \
| grep serviceAccount
Use Case: List resources that can be accessed by Gmail users
gcloud asset search-all-iam-policies \
--scope=organizations/123456 \
--query='policy:gmail.com' \
--page-size=50 \
--flatten='policy.bindings[].members[]' \
--format='csv(resource, policy.bindings.role, policy.bindings.members)' \
| grep @gmail.com
Use Case: List resources that have roles granted to the whole domain
gcloud asset search-all-iam-policies \
--scope=organizations/123456 \
--query='policy:"domain:mydomain.example.com"' \
--page-size=50 \
--flatten='policy.bindings[]' \
--format='table(resource, policy.bindings.role)'
Use Case: List resources that have roles granted to the public
gcloud asset search-all-iam-policies \
--scope=organizations/123456 \
--query='memberTypes:(allUsers OR allAuthenticatedUsers)' \
--page-size=50 \
--format='table(resource)'
Use Case: List users/groups who can change IAM policies on organization/folder/project
gcloud asset search-all-iam-policies \
--scope=organizations/123456 \
--query='policy.role.permissions:(resourcemanager.organizations.setIamPolicy OR resourcemanager.folders.setIamPolicy OR resourcemanager.projects.setIamPolicy)' \
--page-size=50 \
--format='json(resource, policy.bindings, explanation.matchedPermissions)'
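The risk-oriented use cases above (service accounts with owner, Gmail users, domain-wide grants, public grants) each need a separate gcloud invocation. The following added example, which is not part of this page or of gcloud, shows how to triage the --format=json output of a single broad search in one pass: it flattens every binding member into (resource, role, member, labels) tuples and tags the categories those queries look for. The input is constructed sample data shaped like the IamPolicySearchResult objects gcloud returns; the resource names, members and the helper names are assumptions.

```python
import json

# Constructed sample shaped like the IamPolicySearchResult objects that
# `gcloud asset search-all-iam-policies --format=json` returns.
SAMPLE_JSON = """[
  {"resource": "//cloudresourcemanager.googleapis.com/projects/12345678",
   "policy": {"bindings": [
     {"role": "roles/owner",
      "members": ["user:alice@mycompany.com",
                  "serviceAccount:deploy@myproject.iam.gserviceaccount.com"]},
     {"role": "roles/viewer", "members": ["domain:mydomain.example.com"]}]}},
  {"resource": "//storage.googleapis.com/my-public-bucket",
   "policy": {"bindings": [
     {"role": "roles/storage.objectViewer",
      "members": ["allUsers", "user:bob@gmail.com"]}]}}
]"""

def classify_member(member, role):
    """Risk labels for one (member, role) pair, mirroring the queries above."""
    labels = []
    if member in ("allUsers", "allAuthenticatedUsers"):
        labels.append("public")                  # granted to the public
    if member.startswith("domain:"):
        labels.append("domain-wide")             # whole Workspace domain
    if member.endswith("@gmail.com"):
        labels.append("consumer-account")        # Gmail user
    if member.startswith("serviceAccount:") and role == "roles/owner":
        labels.append("service-account-owner")   # risky owner grant
    return labels

def triage(results):
    """Flatten results to (resource, role, member, labels) for flagged members.
    A binding with an IAM condition is marked, since it is not unconditional."""
    findings = []
    for result in results:
        for binding in result.get("policy", {}).get("bindings", []):
            for member in binding.get("members", []):
                labels = classify_member(member, binding["role"])
                if labels:
                    if binding.get("condition"):
                        labels.append("conditional")
                    findings.append((result["resource"], binding["role"], member, labels))
    return findings

def triage_sample():
    return triage(json.loads(SAMPLE_JSON))

if __name__ == "__main__":
    for resource, role, member, labels in triage_sample():
        print(f"{resource}\t{role}\t{member}\t{','.join(labels)}")
```

To run it on real data, replace SAMPLE_JSON with the output of a search such as the --scope=organizations/123456 query above with --format=json and no --flatten.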