Viewing effective IAM policies

This topic shows how to view the effective Identity and Access Management (IAM) policies on a given resource.

In IAM, a resource's effective policy is the set of policies that apply to it: the policy attached directly to the resource together with the policies it inherits from every ancestor in the resource hierarchy.

Scope and permissions

When you request effective IAM policies, you must specify a scope. It can be an organization, a folder, or a project. All IAM policies set on or under that scope are returned. The scope of the request does not have to be the same as the enabled project for the Cloud Asset API. Additionally, the enabled project and request scope require different permissions.

Supported policy types

Effective IAM policies support only IAM allow policies. They don't cover the following forms of access control:

Before you begin

Before you begin, complete the following steps.

  1. Enable the Cloud Asset Inventory API for your project.

    This project does not have to be the same as the scope of your requests. Learn more about setting a project when enabling a service.

  2. Install the Google Cloud SDK.

  3. Optional: To call the Cloud Asset Inventory API directly, confirm that you have access to the curl command.

  4. Set permissions.

    1. Configure permissions for the Cloud Asset API.

    2. Enable the following permissions for your request scope.

      • cloudasset.assets.analyzeIamPolicy

      • cloudasset.assets.searchAllResources

      • cloudasset.assets.searchAllIamPolicies

      These permissions are included in the following predefined roles:

      • Cloud Asset Owner (roles/cloudasset.owner)

      • Cloud Asset Viewer (roles/cloudasset.viewer)

      For more information about Cloud Asset API permissions and roles, see Access control.

Get effective IAM policies

gcloud

To get the effective IAM policies on a resource, you can call BatchGetEffectiveIamPolicies using the gcloud asset get-effective-iam-policy command. You must be running Google Cloud CLI version 399.0.0 or newer.

gcloud asset get-effective-iam-policy \
    --scope=SCOPE \
    --names=ASSET_NAME_1,ASSET_NAME_2,...

Provide the following values:

  • SCOPE: A scope can be a project, a folder, or an organization.

    The allowed values are:

    • projects/PROJECT_ID

    • projects/PROJECT_NUMBER

      How to find a Google Cloud project number

      Console

      To find a Google Cloud project number, complete the following steps:

      1. Go to the Dashboard page in the Google Cloud console.

      2. Click the switcher box in the menu bar.
      3. Select your organization from the Select from box, and then search for your project name.
      4. Click the project name to switch to that project. The project number is shown in the Project info card.

      gcloud CLI

      You can retrieve a Google Cloud project number with the following command:

      gcloud projects describe PROJECT_ID --format="value(projectNumber)"

    • folders/FOLDER_ID

      How to find a Google Cloud folder ID

      Console

      To find a Google Cloud folder ID, complete the following steps:

      1. Go to the Google Cloud console.

      2. Click the switcher box in the menu bar.
      3. Click the Select from box, and then select your organization.
      4. Search for your folder name. The folder ID is shown next to the folder name.

      gcloud CLI

      You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:

      gcloud resource-manager folders list \
          --organization=$(gcloud organizations describe ORGANIZATION_NAME \
            --format="value(name.segment(1))") \
          --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
          --format="value(ID)"

      Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the --format option to see further information about the found folders.

      To get the ID of a folder within another folder, list the subfolders:

      gcloud resource-manager folders list --folder=FOLDER_ID

    • organizations/ORGANIZATION_ID

      How to find a Google Cloud organization ID

      Console

      To find a Google Cloud organization ID, complete the following steps:

      1. Go to the Google Cloud console.

      2. Click the switcher box in the menu bar.
      3. Click the Select from box, and then select your organization.
      4. Click the All tab. The organization ID is shown next to the organization name.

      gcloud CLI

      You can retrieve a Google Cloud organization ID with the following command:

      gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"

  • ASSET_NAME: A comma-separated list of asset full names to retrieve the effective IAM policies for.

    You can retrieve policies for a maximum of 20 assets in one batch.
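As an added example (not part of Google's documentation or the gcloud CLI itself), the following Python helper validates the --scope value, removes blank and duplicate asset names, splits a long list of asset full names into batches of at most 20 (the limit stated above), and builds one gcloud asset get-effective-iam-policy invocation per batch that can be handed to subprocess.run(). The scope regex, the check that full names start with //, and the sample Cloud SQL instance names are assumptions made here.

```python
import re
import shlex
import subprocess

MAX_NAMES_PER_BATCH = 20  # batch limit stated on the page

# Accepted --scope forms: projects/ID-or-number, folders/ID, organizations/ID.
# The character classes are an assumption for basic input validation, not the API's rule.
_SCOPE_RE = re.compile(r"^(projects/[a-z0-9-]+|folders/\d+|organizations/\d+)$")


def validate_scope(scope: str) -> str:
    """Reject scopes that are not in one of the forms the command accepts."""
    if not _SCOPE_RE.match(scope):
        raise ValueError(
            f"scope must be projects/..., folders/... or organizations/...: {scope!r}")
    return scope


def batch_names(names, batch_size=MAX_NAMES_PER_BATCH):
    """Split asset full names into batches no larger than the API limit.

    Blank entries are dropped and duplicates removed (order preserved) so a
    batch never wastes one of its 20 slots; malformed names are rejected
    before any call is made.
    """
    if batch_size < 1 or batch_size > MAX_NAMES_PER_BATCH:
        raise ValueError("batch_size must be between 1 and 20")
    seen = []
    for n in names:
        n = n.strip()
        if not n or n in seen:
            continue
        if not n.startswith("//"):
            raise ValueError(f"not an asset full name (expected '//service/...'): {n!r}")
        seen.append(n)
    return [seen[i:i + batch_size] for i in range(0, len(seen), batch_size)]


def build_commands(scope, names):
    """Return one gcloud argv list per batch; each can be passed to subprocess.run()."""
    validate_scope(scope)
    return [
        ["gcloud", "asset", "get-effective-iam-policy",
         f"--scope={scope}", "--names=" + ",".join(batch), "--format=json"]
        for batch in batch_names(names)
    ]


def run_all(scope, names):
    """Execute every batch and return the raw JSON text of each response."""
    return [subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
            for cmd in build_commands(scope, names)]


if __name__ == "__main__":
    # Constructed input: 45 Cloud SQL instance names in one project -> 3 batches.
    sample = [f"//cloudsql.googleapis.com/projects/my-project/instances/instance{i}"
              for i in range(1, 46)]
    for cmd in build_commands("projects/my-project", sample):
        print(shlex.join(cmd))
```

Only run_all() actually calls gcloud; build_commands() is pure, so the batching and validation can be exercised without credentials, and --format=json keeps the responses machine-readable for later review.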

The following code samples are example gcloud CLI commands:

  • For an organization ID of 123456:

    gcloud asset get-effective-iam-policy \
        --scope=organizations/123456 \
        --names=//cloudresourcemanager.googleapis.com/organizations/123456
    
  • For a folder ID of 1234567:

    gcloud asset get-effective-iam-policy \
        --scope=folders/1234567 \
        --names=//cloudresourcemanager.googleapis.com/folders/1234567
    
  • For two Cloud SQL instance resources in a project named my-project:

    gcloud asset get-effective-iam-policy \
        --scope=projects/my-project \
        --names=//cloudsql.googleapis.com/projects/my-project/instances/instance1,//cloudsql.googleapis.com/projects/my-project/instances/instance2
    

REST

To get the effective IAM policies on a resource using the Cloud Asset Inventory API, use the following curl command:

curl -X POST \
     -H "X-HTTP-Method-Override: GET" \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json" \
     -d '{
          "names": [
            "ASSET_NAME_1",
            "ASSET_NAME_2",
            "..."
          ]
         }' \
     https://cloudasset.googleapis.com/v1/SCOPE/effectiveIamPolicies:batchGet
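To show what reviewing the returned effective policies looks like, here is an added Python example (not part of Google's documentation) that flattens a batchGet response into one row per resource, attached resource, role and member, marks each binding as direct or inherited from an ancestor, and lists bindings granted to allUsers or allAuthenticatedUsers. The field names (policyResults, fullResourceName, policies, attachedResource, policy, bindings) are assumed from the Cloud Asset Inventory v1 API, and the embedded response is a constructed sample, not real output.

```python
import json

# Constructed sample in the shape of a BatchGetEffectiveIamPoliciesResponse.
# Field names are assumed from the Cloud Asset Inventory v1 API; every value is made up.
SAMPLE_RESPONSE = json.dumps({
    "policyResults": [{
        "fullResourceName":
            "//cloudsql.googleapis.com/projects/my-project/instances/instance1",
        "policies": [
            {"attachedResource": "//cloudresourcemanager.googleapis.com/projects/my-project",
             "policy": {"bindings": [
                 {"role": "roles/cloudsql.viewer", "members": ["user:dev@example.com"]}]}},
            {"attachedResource": "//cloudresourcemanager.googleapis.com/folders/1234567",
             "policy": {"bindings": [
                 {"role": "roles/editor", "members": ["group:platform@example.com"]}]}},
            {"attachedResource": "//cloudresourcemanager.googleapis.com/organizations/123456",
             "policy": {"bindings": [
                 {"role": "roles/owner", "members": ["user:admin@example.com"]},
                 {"role": "roles/viewer", "members": ["allUsers"]}]}},
        ],
    }]
})

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def flatten(response_text):
    """Turn one response into (resource, attached_resource, role, member, inherited) rows.

    A binding counts as inherited when the policy it came from is attached to an
    ancestor rather than to the queried resource itself.
    """
    rows = []
    for result in json.loads(response_text).get("policyResults", []):
        resource = result["fullResourceName"]
        for entry in result.get("policies", []):
            attached = entry.get("attachedResource", "")
            for binding in entry.get("policy", {}).get("bindings", []):
                for member in binding.get("members", []):
                    rows.append({
                        "resource": resource,
                        "attached_resource": attached,
                        "role": binding["role"],
                        "member": member,
                        "inherited": attached != resource,
                    })
    return rows


def public_grants(rows):
    """Bindings that expose the resource to allUsers / allAuthenticatedUsers."""
    return [r for r in rows if r["member"] in PUBLIC_PRINCIPALS]


def roles_for(rows, member):
    """Every role a principal holds on the resource, with where each was granted."""
    return sorted((r["role"], r["attached_resource"]) for r in rows if r["member"] == member)


if __name__ == "__main__":
    rows = flatten(SAMPLE_RESPONSE)
    for r in rows:
        origin = "inherited from " + r["attached_resource"] if r["inherited"] else "direct"
        print(f'{r["member"]:32} {r["role"]:24} {origin}')
    for r in public_grants(rows):
        print(f'PUBLIC: {r["role"]} via {r["attached_resource"]}')
```

Keeping the attached resource on every row matters in practice: a broad grant that shows up on a Cloud SQL instance is usually set several levels up, and the row tells you which folder or organization policy to fix rather than the resource where it was noticed.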

Provide the following values:

  • ASSET_NAME: A comma-separated list of asset full names to retrieve the effective IAM policies for.

    You can retrieve policies for a maximum of 20 assets in one batch.

  • SCOPE: A scope can be a project, a folder, or an organization.

    The allowed values are:

    • projects/PROJECT_ID

    • projects/PROJECT_NUMBER

    • folders/FOLDER_ID

    • organizations/ORGANIZATION_ID