Searching IAM policies samples

This page contains sample queries for various IAM policy search use cases.

Use Case: List IAM policies within your organization and format the output as tuples (RESOURCE, ROLE, MEMBER)

  gcloud asset search-all-iam-policies \
  --scope=organizations/123456 \
  --page-size=50 \
  --flatten='policy.bindings[].members[]' \
  --format='table(resource, policy.bindings.role, policy.bindings.members)'

You can change the --scope to projects/12345678 or folders/1234567 to search within a project or folder instead of an organization.

You can add --query restrictions to get more specific resource search results.

You can add --asset-types restrictions to get more specific types of resources.

You can remove the --flatten and --format, if you don't want to format the results.

You can use csv instead of table to format the results into a csv.

You can add --limit to only get a subset of the search results. Without this flag, it will automatically page through all the search results.

Use Case: List IAM policies within your project

  gcloud asset search-all-iam-policies \
  --scope=projects/12345678

You can change the --scope to organizations/123456 or folders/1234567 to list all the IAM policies within your organization or folder instead of a project.

You can add --query restrictions to get more specific policy search results.

Use Case: List IAM policies that are set on resources with the word "foo" in the resource names

  gcloud asset search-all-iam-policies \
  --scope=organizations/123456  \
  --query='resource:foo'

Use Case: List IAM policies that are set on organization/folder/project resources within your organization

  gcloud asset search-all-iam-policies \
  --scope=organizations/123456  \
  --asset-types='cloudresourcemanager.*'

You can change the --asset-types flag to cloudresourcemanager.googleapis.com/Project to scope the search for only project resources.

Use Case: List viewers of a project

  gcloud asset search-all-iam-policies \
  --scope=projects/12345678 \
  --query='roles:roles/viewer' \
  --asset-types='cloudresourcemanager.*'
  --page-size=50 \
  --flatten='policy.bindings[].members[]' \
  --format='table(policy.bindings.members)'

Use Case: List projects where a user has the owner role

  gcloud asset search-all-iam-policies \
  --scope=organizations/123456 \
  --query='policy:(roles/owner user@mycompany.com)' \
  --asset-types='cloudresourcemanager.googleapis.com/Project'
  --page-size=50 \
  --format='table(resource)'

Use Case: List roles that a user has upon a project

  gcloud asset search-all-iam-policies \
  --scope=projects/12345678 \
  --query='policy:user@mycompany.com' \
  --asset-types='cloudresourcemanager.googleapis.com/Project'
  --page-size=50 \
  --flatten='policy.bindings[]' \
  --format='table(policy.bindings.role)'

Use Case: List permissions that a user has upon a project

  gcloud asset search-all-iam-policies \
  --scope=projects/12345678 \
  --query='policy:user@mycompany.com policy.role.permissions:""' \
  --asset-types='cloudresourcemanager.*'
  --page-size=50 \
  --format='default(explanation.matchedPermissions)'

Use Case: List users that can access bigstore bucket

  gcloud asset search-all-iam-policies \
  --scope=projects/12345678 \
  --query='policy.role.permissions:storage.buckets' \
  --asset-types='cloudresourcemanager.*'
  --page-size=50 \
  --flatten='policy.bindings[].members[]' \
  --format='table(policy.bindings.members)'

Use Case: List service accounts that have owner role in order to detect risky policy settings

  gcloud asset search-all-iam-policies \
  --scope=organizations/123456 \
  --query='policy:(roles/owner serviceAccount)' \
  --page-size=50 \
  --flatten='policy.bindings[].members[]' \
  --format='table(resource.segment(3):label=RESOURCE_TYPE, resource.basename():label=RESOURCE, policy.bindings.members)' \
  | grep serviceAccount

Use Case: List resources that can be accessed by Gmail users

  gcloud asset search-all-iam-policies \
  --scope=organizations/123456 \
  --query='policy:gmail.com' \
  --page-size=50 \
  --flatten='policy.bindings[].members[]' \
  --format='csv(resource, policy.bindings.role, policy.bindings.members)' \
  | grep @gmail.com

Use Case: List resources that have roles granted to the whole domain

  gcloud asset search-all-iam-policies \
  --scope=organizations/123456 \
  --query='policy:"domain:mydomain.example.com"' \
  --page-size=50 \
  --flatten='policy.bindings[]' \
  --format='table(resource, policy.bindings.role)'

Use Case: List resources that have roles granted to the public

  gcloud asset search-all-iam-policies \
  --scope=organizations/123456 \
  --query='memberTypes:(allUsers OR allAuthenticatedUsers)' \
  --page-size=50 \
  --format='table(resource)'

Use Case: List users/groups who can change IAM policies on organization/folder/project

  gcloud asset search-all-iam-policies \
  --scope=organizations/123456 \
  --query='policy.role.permissions:(resourcemanager.organizations.setIamPolicy OR resourcemanager.folders.setIamPolicy OR resourcemanager.projects.setIamPolicy)' \
  --page-size=50 \
  --format='json(resource, policy.bindings, explanation.matchedPermissions)'