This page contains sample queries for various IAM policy search use cases.
Use Case: List IAM policies within your organization and format the output as tuples (RESOURCE, ROLE, MEMBER)
gcloud asset search-all-iam-policies \
--scope=organizations/123456 \
--page-size=50 \
--flatten='policy.bindings[].members[]' \
--format='table(resource, policy.bindings.role, policy.bindings.members)'
- You can change the --scope to projects/12345678 or folders/1234567 to search within a project or folder instead of an organization.
- You can add --query restrictions to get more specific search results.
- You can remove --flatten and --format if you don't want to format the results.
- You can use csv instead of table to format the results as CSV.
- You can add --limit to get only a subset of the search results. Without this flag, the command automatically pages through all the search results.
Use Case: List IAM policies within your project
gcloud asset search-all-iam-policies \
--scope=projects/12345678
- You can change the --scope to organizations/123456 or folders/1234567 to list all the IAM policies within your organization or folder instead of a project.
- You can add --query restrictions to get more specific policy search results.
Use Case: List IAM policies that are set on organization/folder/project resources within your organization
gcloud asset search-all-iam-policies \
--scope=organizations/123456 \
--query='resource:cloudresourcemanager'
- You can change the --query to resource:(cloudresourcemanager projects) to only look at projects.
Use Case: List viewers of a project
gcloud asset search-all-iam-policies \
--scope=projects/12345678 \
--query='resource:cloudresourcemanager policy:roles/viewer' \
--page-size=50 \
--flatten='policy.bindings[].members[]' \
--format='table(policy.bindings.members)'
Use Case: List projects where a user has the owner role
gcloud asset search-all-iam-policies \
--scope=organizations/123456 \
--query='resource:(cloudresourcemanager projects) policy:(roles/owner user@mycompany.com)' \
--page-size=50 \
--format='table(resource)'
Use Case: List roles that a user has on a project
gcloud asset search-all-iam-policies \
--scope=projects/12345678 \
--query='resource:(cloudresourcemanager projects) policy:user@mycompany.com' \
--page-size=50 \
--flatten='policy.bindings[]' \
--format='table(policy.bindings.role)'
Use Case: List permissions that a user has on a project
gcloud asset search-all-iam-policies \
--scope=projects/12345678 \
--query='resource:cloudresourcemanager policy:user@mycompany.com policy.role.permissions:""' \
--page-size=50 \
--format='default(explanation.matchedPermissions)'
Use Case: List users that can access bigstore bucket
gcloud asset search-all-iam-policies \
--scope=projects/12345678 \
--query='resource:cloudresourcemanager policy.role.permissions:storage.buckets' \
--page-size=50 \
--flatten='policy.bindings[].members[]' \
--format='table(policy.bindings.members)'
Use Case: List service accounts that have the owner role, in order to detect risky policy settings
gcloud asset search-all-iam-policies \
--scope=organizations/123456 \
--query='policy:(roles/owner serviceAccount)' \
--page-size=50 \
--flatten='policy.bindings[].members[]' \
--format='table(resource.segment(3):label=RESOURCE_TYPE, resource.basename():label=RESOURCE, policy.bindings.members)' \
| grep serviceAccount
Use Case: List resources that can be accessed by Gmail users
gcloud asset search-all-iam-policies \
--scope=organizations/123456 \
--query='policy:gmail.com' \
--page-size=50 \
--flatten='policy.bindings[].members[]' \
--format='csv(resource, policy.bindings.role, policy.bindings.members)' \
| grep @gmail.com
Use Case: List resources that have roles granted to the whole domain
gcloud asset search-all-iam-policies \
--scope=organizations/123456 \
--query='policy:"domain:bigwhite.joonix.net"' \
--page-size=50 \
--flatten='policy.bindings[]' \
--format='table(resource, policy.bindings.role)'
Use Case: List resources that have roles granted to the public
gcloud asset search-all-iam-policies \
--scope=organizations/123456 \
--query='policy:(allUsers OR allAuthenticatedUsers)' \
--page-size=50 \
--format='table(resource)'
Use Case: List users/groups who can change IAM policies on organization/folder/project
gcloud asset search-all-iam-policies \
--scope=organizations/123456 \
--query='policy.role.permissions:(resourcemanager.organizations.setIamPolicy OR resourcemanager.folders.setIamPolicy OR resourcemanager.projects.setIamPolicy)' \
--page-size=50 \
--format='json(resource, policy.bindings, explanation.matchedPermissions)'
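The queries above rely on --flatten='policy.bindings[].members[]' to turn each search result into one (RESOURCE, ROLE, MEMBER) row, and the last several use cases each pick out one class of risky binding (public principals, consumer Gmail accounts, domain-wide grants, service accounts holding roles/owner). The following script is an added example, not part of this page or of the gcloud tool: it reproduces that flattening in Python over the JSON that gcloud asset search-all-iam-policies --format=json emits, and applies all of those risk checks in a single pass so that one export can be reviewed offline. The embedded results, the member names, the project number and the bucket name are constructed sample data, and the corp_domain value and the finding labels are assumptions chosen for the example.

```python
import json
import sys

# Constructed sample shaped like `gcloud asset search-all-iam-policies --format=json`
# output: a JSON array of search results, each with a resource name and its policy.
# All identifiers below are made up for this example.
SAMPLE_RESULTS_JSON = """
[
  {
    "resource": "//cloudresourcemanager.googleapis.com/projects/12345678",
    "project": "projects/12345678",
    "policy": {
      "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@mycompany.com",
                     "serviceAccount:deploy@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer",
         "members": ["domain:mycompany.com", "user:bob@gmail.com"]}
      ]
    }
  },
  {
    "resource": "//storage.googleapis.com/projects/_/buckets/example-public-assets",
    "project": "projects/12345678",
    "policy": {
      "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]}
      ]
    }
  }
]
"""

# Principals that make a binding reachable by anyone on the internet
# (allAuthenticatedUsers only requires any Google account, not one in your org).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Roles treated as privileged for the service-account check; roles/owner is the
# one the page's query looks for, extend as needed (assumption, not from the page).
PRIVILEGED_ROLES = {"roles/owner"}


def load_results(results_json):
    """Parse the JSON array written by gcloud ... --format=json."""
    return json.loads(results_json)


def flatten_bindings(results):
    """Equivalent of --flatten='policy.bindings[].members[]': yield one
    (resource, role, member) tuple per member of every binding."""
    for result in results:
        for binding in result.get("policy", {}).get("bindings", []):
            for member in binding.get("members", []):
                yield (result["resource"], binding["role"], member)


def classify(role, member, corp_domain="mycompany.com"):
    """Return the finding labels that apply to one binding tuple. The labels
    mirror the page's risky-setting use cases; corp_domain is an assumed value."""
    findings = []
    if member in PUBLIC_PRINCIPALS:
        findings.append("public")
    if member.startswith("domain:"):
        findings.append("domain-wide")          # every user in the domain gets the role
    if member.startswith("user:") and member.endswith("@gmail.com"):
        findings.append("consumer-account")     # identity outside corp_domain's control
    if member.startswith("serviceAccount:") and role in PRIVILEGED_ROLES:
        findings.append("service-account-owner")
    return findings


def audit(results_json):
    """Flatten the export and group risky (resource, role, member) tuples by finding."""
    report = {}
    for resource, role, member in flatten_bindings(load_results(results_json)):
        for label in classify(role, member):
            report.setdefault(label, []).append((resource, role, member))
    return report


if __name__ == "__main__":
    # Usage: gcloud asset search-all-iam-policies --scope=organizations/123456 \
    #          --format=json | python3 audit_iam_bindings.py
    # With no piped input the constructed sample is audited instead.
    data = SAMPLE_RESULTS_JSON if sys.stdin.isatty() else sys.stdin.read()
    for label, rows in sorted(audit(data).items()):
        print(f"[{label}]")
        for resource, role, member in rows:
            print(f"  {resource}\t{role}\t{member}")
```

Because the script consumes the JSON form of the same search results, the --scope and --query restrictions from the use cases above still apply on the gcloud side; the script only adds the cross-cutting classification that a single --query cannot express.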