gcloud asset analyze-iam-policy-longrunning

NAME
gcloud asset analyze-iam-policy-longrunning - analyzes IAM policies that match a request asynchronously and writes the analysis results to Google Cloud Storage or BigQuery destination
SYNOPSIS
gcloud asset analyze-iam-policy-longrunning (--folder=FOLDER_ID     | --organization=ORGANIZATION_ID     | --project=PROJECT_ID) (--gcs-output-path=GCS_OUTPUT_PATH     | [--bigquery-dataset=BIGQUERY_DATASET --bigquery-table-prefix=BIGQUERY_TABLE_PREFIX : --bigquery-partition-key=BIGQUERY_PARTITION_KEY --bigquery-write-disposition=BIGQUERY_WRITE_DISPOSITION]) [--access-time=ACCESS_TIME] [--full-resource-name=FULL_RESOURCE_NAME] [--identity=IDENTITY] [--analyze-service-account-impersonation --expand-groups --expand-resources --expand-roles --output-group-edges --output-resource-edges] [--permissions=[PERMISSIONS,…] --roles=[ROLES,…]] [GCLOUD_WIDE_FLAG]
DESCRIPTION
Analyzes IAM policies that match a request asynchronously and writes the analysis results to Google Cloud Storage or BigQuery destination.
EXAMPLES
To find out which users have been granted the iam.serviceAccounts.actAs permission on a service account, and write analysis results to Google Cloud Storage, run:
gcloud asset analyze-iam-policy-longrunning  --organization=YOUR_ORG_ID  --full-resource-name=YOUR_SERVICE_ACCOUNT_FULL_RESOURCE_NAME  --permissions='iam.serviceAccounts.actAs'  --gcs-output-path='gs://YOUR_BUCKET_NAME/YOUR_OBJECT_NAME'

To find out which resources a user can access, and write analysis results to Google Cloud Storage, run:

gcloud asset analyze-iam-policy-longrunning  --organization=YOUR_ORG_ID --identity='user:u1@foo.com'  --gcs-output-path='gs://YOUR_BUCKET_NAME/YOUR_OBJECT_NAME'

To find out which roles or permissions a user has been granted on a project, and write analysis results to BigQuery, run:

gcloud asset analyze-iam-policy-longrunning  --organization=YOUR_ORG_ID  --full-resource-name=YOUR_PROJECT_FULL_RESOURCE_NAME  --identity='user:u1@foo.com'  --bigquery-dataset='projects/YOUR_PROJECT_ID/datasets/YOUR_DATASET_ID' --bigquery-table-prefix='YOUR_BIGQUERY_TABLE_PREFIX'

To find out which users have been granted the iam.serviceAccounts.actAs permission on any applicable resources, and write analysis results to BigQuery, run:

gcloud asset analyze-iam-policy-longrunning  --organization=YOUR_ORG_ID  --permissions='iam.serviceAccounts.actAs'  --bigquery-dataset='projects/YOUR_PROJECT_ID/datasets/YOUR_DATASET_ID' --bigquery-table-prefix='YOUR_BIGQUERY_TABLE_PREFIX'
REQUIRED FLAGS
Exactly one of these must be specified:
--folder=FOLDER_ID
The folder ID to perform the analysis.
--organization=ORGANIZATION_ID
The organization ID to perform the analysis.
--project=PROJECT_ID
The project ID or number to perform the analysis.
The destination path for writing IAM policy analysis results. Exactly one of these must be specified:
--gcs-output-path=GCS_OUTPUT_PATH
Google Cloud Storage URI where the results will be written. URI must start with "gs://". For example, "gs://bucket_name/object_name".
BigQuery destination where the results will go.
--bigquery-dataset=BIGQUERY_DATASET
BigQuery dataset where the results will be written. Must be a dataset relative name starting with "projects/". For example, "projects/project_id/datasets/dataset_id". This flag must be specified if any of the other arguments in this group are specified.
--bigquery-table-prefix=BIGQUERY_TABLE_PREFIX
The prefix of the BigQuery tables to which the analysis results will be written. A table name consists of letters, numbers and underscores". This flag must be specified if any of the other arguments in this group are specified.
--bigquery-partition-key=BIGQUERY_PARTITION_KEY
This enum determines the partition key column for the bigquery tables. Partitioning can improve query performance and reduce query cost by filtering partitions. Refer to https://cloud.google.com/bigquery/docs/partitioned-tables for details. BIGQUERY_PARTITION_KEY must be one of: PARTITION_KEY_UNSPECIFIED, REQUEST_TIME.
--bigquery-write-disposition=BIGQUERY_WRITE_DISPOSITION
Specifies the action that occurs if the destination table or partition already exists. The following values are supported: WRITE_TRUNCATE, WRITE_APPEND and WRITE_EMPTY. The default value is WRITE_APPEND.
OPTIONAL FLAGS
The hypothetical context to evaluate IAM conditions.
--access-time=ACCESS_TIME
The hypothetical access timestamp to evaluate IAM conditions.
Specifies a resource for analysis. Leaving it empty means ANY.
--full-resource-name=FULL_RESOURCE_NAME
The full resource name.
Specifies an identity for analysis. Leaving it empty means ANY.
--identity=IDENTITY
The identity appearing in the form of members in the IAM policy binding.
The analysis options.
--analyze-service-account-impersonation
If true, the response will include access analysis from identities to resources via service account impersonation. This is a very expensive operation, because many derived queries will be executed. We highly recommend you use AnalyzeIamPolicyLongrunning rpc instead. Default is false.
--expand-groups
If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. Default is false.
--expand-resources
If true, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. Default is false.
--expand-roles
If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. Default is false.
--output-group-edges
If true, the result will output group identity edges, starting from the binding's group members, to any expanded identities. Default is false.
--output-resource-edges
If true, the result will output resource edges, starting from the policy attached resource, to any expanded resources. Default is false.
Specifies roles or permissions for analysis. Leaving it empty means ANY.
--permissions=[PERMISSIONS,…]
The permissions to appear in the result.
--roles=[ROLES,…]
The roles to appear in the result.
GCLOUD WIDE FLAGS
These flags are available to all commands: --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.