gcloud asset get-effective-iam-policy

gcloud asset get-effective-iam-policy - get effective IAM policies for a specified list of resources within accessible scope, such as a project, folder or organization

gcloud asset get-effective-iam-policy --names=NAMES,[NAMES,…] --scope=SCOPE [GCLOUD_WIDE_FLAG …]

gcloud asset get-effective-iam-policy --scope=organizations/YOUR_ORG_ID --names=RESOURCE_NAME1

To list effective IAM policies of 2 resources in a folder, run:

gcloud asset get-effective-iam-policy --scope=folders/YOUR_FOLDER_ID --names=RESOURCE_NAME1,RESOURCE_NAME2

To list effective IAM policies of 3 resources in a project using project ID, run:

gcloud asset get-effective-iam-policy --scope=projects/YOUR_PROJECT_ID --names=RESOURCE_NAME1,RESOURCE_NAME2,RESOURCE_NAME3

To list effective IAM policies of 2 resources in a project using project number, run:

gcloud asset get-effective-iam-policy --scope=projects/YOUR_PROJECT_NUMBER --names=RESOURCE_NAME1,RESOURCE_NAME2

--names=NAMES,[NAMES,…]

Names refer to a list of full resource names of searchable asset types. For each batch call, total number of names provided is between 1 and 20.

The example value is:

• //cloudsql.googleapis.com/projects/{PROJECT_ID}/instances/{INSTANCE} (e.g. //cloudsql.googleapis.com/projects/probe-per-rt-project/instances/instance1)

--scope=SCOPE

Scope can be a project, a folder, or an organization. The search is limited to the IAM policies within this scope. The caller must be granted the cloudasset.assets.analyzeIamPolicy, cloudasset.assets.searchAllResources, cloudasset.assets.searchAllIamPolicies permissions on the desired scope.

The allowed values are:

• projects/{PROJECT_ID} (e.g. projects/foo-bar)
• projects/{PROJECT_NUMBER} (e.g. projects/12345678)
• folders/{FOLDER_NUMBER} (e.g. folders/1234567)
• organizations/{ORGANIZATION_NUMBER} (e.g. organizations/123456)

Run $ gcloud help for details.