Viewing effective IAM policies

This topic shows how to view the effective Identity and Access Management (IAM) policies on a given resource.

In IAM, a resource's effective policy is the combination of the policy set directly on that resource and the policies it inherits from every ancestor (parent, grandparent, and so on) in the resource hierarchy.

Scope and permissions

When you request effective IAM policies, you must specify a scope. It can be an organization, a folder, or a project. All IAM policies set on or under that scope are returned. The scope of the request does not have to be the same as the enabled project for the Cloud Asset API. Additionally, the enabled project and request scope require different permissions.

Before you begin

Before you begin, complete the following steps.

  1. Enable the Cloud Asset Inventory API for your project.

    This project does not have to be the same as the scope of your requests. Learn more about setting a project when enabling a service.

  2. Install the Google Cloud SDK.

  3. To set up your environment to call the Cloud Asset Inventory API with the Unix curl command, complete the following steps.

    1. Install oauth2l on your local machine so you can interact with the Google OAuth system.
    2. Confirm that you have access to the Unix curl command.
    3. Get an access token for authentication.

      TOKEN=$(gcloud auth print-access-token)
      
  4. Set permissions.

    1. Configure permissions for the Cloud Asset API.
    2. Enable the following permissions for your request scope.

      • cloudasset.assets.analyzeIamPolicy
      • cloudasset.assets.searchAllResources
      • cloudasset.assets.searchAllIamPolicies

      These permissions are included in the following predefined roles:

      • Cloud Asset Owner (roles/cloudasset.owner)
      • Cloud Asset Viewer (roles/cloudasset.viewer)

      For more information about Cloud Asset API permissions and roles, see Access control.

Get effective IAM policies

To get the effective IAM policies on a resource using the Cloud Asset Inventory API with the curl command, complete the following steps.

  1. Create a file request.json for the request body and set its contents to the request in JSON format.

    The following request body retrieves effective IAM policies for FULL_RESOURCE_NAME_1 and FULL_RESOURCE_NAME_2.

    {
      "names": [
        "FULL_RESOURCE_NAME_1",
        "FULL_RESOURCE_NAME_2"
      ]
    }
    

    FULL_RESOURCE_NAME requires a specifically formatted unique resource name. For a list of the full names for the asset types supported by Cloud Asset API, see Resource name format.

    You can retrieve effective IAM policies for a maximum of 10 resources in one batch.

  2. Get effective IAM policies using the following curl command to retrieve policies set on or under the SCOPE:

    SERVER_URL="https://cloudasset.googleapis.com";
    
    curl \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -H "X-Goog-User-Project: ENABLED_PROJECT" \
    -H "X-HTTP-Method-Override: GET" \
    -d @request.json \
    "${SERVER_URL}/v1/SCOPE/effectiveIamPolicies:batchGet"
    

    For SCOPE, the supported values are:

    • organizations/ORGANIZATION_NUMBER
    • folders/FOLDER_NUMBER
    • projects/PROJECT_NUMBER
    • projects/PROJECT_ID

    For ENABLED_PROJECT, the supported values are:

    • PROJECT_NUMBER
    • PROJECT_ID
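The two steps above, wrapped into a small POSIX shell script as an added example (this is not code from the Google Cloud documentation). It builds the request body from a list of full resource names, refuses batches outside the 1-to-10 limit the API enforces, checks that the scope has one of the supported prefixes, and assembles the same curl call shown above. The function names (build_request_body, build_url, get_effective_policies) and the DRY_RUN switch are this example's own; the resource name in the demo is a constructed placeholder. With DRY_RUN unset or set to 1 (the default) nothing is sent and the script runs offline; set DRY_RUN=0 to obtain a token with gcloud and call the API.

```shell
#!/bin/sh
# Added example, not from the Google Cloud docs: helper functions around
# effectiveIamPolicies:batchGet. Function names and DRY_RUN are assumptions.

# Build the JSON request body from 1 to 10 full resource names.
build_request_body() {
  count=$#
  if [ "$count" -lt 1 ] || [ "$count" -gt 10 ]; then
    echo "batchGet accepts 1 to 10 resource names, got $count" >&2
    return 1
  fi
  body='{"names": ['
  sep=''
  for name in "$@"; do
    body="${body}${sep}\"${name}\""
    sep=', '
  done
  printf '%s' "${body}]}"
}

# Build the request URL; only the scope prefixes documented above are accepted.
build_url() {
  scope="$1"
  case "$scope" in
    organizations/*|folders/*|projects/*) ;;
    *) echo "unsupported scope: $scope" >&2; return 1 ;;
  esac
  printf 'https://cloudasset.googleapis.com/v1/%s/effectiveIamPolicies:batchGet' "$scope"
}

# Usage: get_effective_policies SCOPE ENABLED_PROJECT FULL_RESOURCE_NAME...
# The body is sent with POST plus X-HTTP-Method-Override: GET, exactly as the
# curl command in the procedure does.
get_effective_policies() {
  scope="$1"
  enabled_project="$2"
  shift 2
  body=$(build_request_body "$@") || return 1
  url=$(build_url "$scope") || return 1
  if [ "${DRY_RUN:-1}" = "1" ]; then
    # Offline mode: show what would be sent instead of calling the API.
    printf 'POST %s\n%s\n' "$url" "$body"
    return 0
  fi
  token=$(gcloud auth print-access-token) || return 1
  curl -sS \
    -H "Authorization: Bearer $token" \
    -H "Content-Type: application/json" \
    -H "X-Goog-User-Project: $enabled_project" \
    -H "X-HTTP-Method-Override: GET" \
    -d "$body" \
    "$url"
}

# Demo with a constructed placeholder resource name (dry run by default).
get_effective_policies "projects/PROJECT_ID" "PROJECT_ID" \
  "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID"
```

Because the scope and ENABLED_PROJECT are separate arguments, the script makes the point from "Scope and permissions" explicit: the project that is billed for the API call and the scope whose policies are read can differ, and each needs its own permissions.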