Troubleshoot allow policies

There are several methods you can use to troubleshoot Identity and Access Management (IAM) allow policies.

Use Policy Troubleshooter

The Policy Troubleshooter for IAM allow policies helps you understand why a user has access to a resource or doesn't have permission to call an API. Given an email address, resource, and permission, Policy Troubleshooter examines all allow policies that apply to the resource. It identifies all role bindings in those policies that include either the permission or principal. Then, it reports why these bindings do or don't grant the principal access to the resource.

Policy Troubleshooter is useful when you're trying to troubleshoot access for a specific principal.

To learn how to use Policy Troubleshooter to troubleshoot IAM allow policies, see Troubleshooting access.

Cloud Asset Inventory lets you search IAM policies for role bindings that match the specified parameters. You can use a variety of search parameters, including the following:

  • Resource type
  • Principal type
  • Role
  • Project
  • Folder
  • Organization

Searching IAM policies is helpful when you're trying to locate specific role bindings.

For more information, see Searching IAM policies.

View all allow policies affecting a resource

In Google Cloud, resources inherit allow policies from their ancestor resources through the resource hierarchy. The union of a resource's own allow policy and all inherited allow policies is called the effective policy.

When troubleshooting allow policies, you might want to understand the effective policy for a resource. There are a few ways that you can see the effective policy:

  • View the resource's IAM policy in the Google Cloud console. The Google Cloud console automatically shows each resource's effective policy.

    To learn how to view a resource's IAM policy in the Google Cloud console, see View current access.

  • Use the Cloud Asset API to get the resource's effective policy. To learn more, see Viewing effective IAM policies.
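
The following added example (not part of the original documentation, and not Google Cloud code) models how an effective policy is built as the union of a resource's own allow policy and the policies inherited from its ancestors, and records where each role binding is attached. The resource names, principals, and bindings are constructed sample data; the sketch ignores conditions, group membership, and deny policies.

```python
# Constructed sample hierarchy: child -> parent (the organization has no parent).
PARENT = {
    "projects/example-project": "folders/1111",
    "folders/1111": "organizations/2222",
    "organizations/2222": None,
}

# Constructed allow policies, keyed by the resource they are attached to.
POLICIES = {
    "organizations/2222": [
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
    ],
    "folders/1111": [
        {"role": "roles/storage.objectViewer", "members": ["user:alice@example.com"]},
    ],
    "projects/example-project": [
        {"role": "roles/storage.objectViewer", "members": ["user:bob@example.com"]},
        {"role": "roles/storage.admin", "members": ["user:alice@example.com"]},
    ],
}


def ancestors(resource):
    """Return the resource followed by its ancestors, nearest first."""
    chain = []
    while resource is not None:
        chain.append(resource)
        resource = PARENT[resource]
    return chain


def effective_policy(resource):
    """Union of own and inherited bindings: role -> {member: [attached_at, ...]}."""
    merged = {}
    for node in ancestors(resource):
        for binding in POLICIES.get(node, []):
            for member in binding["members"]:
                merged.setdefault(binding["role"], {}).setdefault(member, []).append(node)
    return merged


def grants_for(resource, member):
    """List (role, attached_at) pairs that give the member a role on the resource."""
    policy = effective_policy(resource)
    return [(role, src) for role in sorted(policy) for src in policy[role].get(member, [])]


if __name__ == "__main__":
    for role, src in grants_for("projects/example-project", "user:alice@example.com"):
        print(f"{role} (attached at {src})")
```

Because the binding's attachment point is reported alongside the role, the output shows which access would remain if only the project-level allow policy were changed.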