gcloud asset search-all-iam-policies

NAME
gcloud asset search-all-iam-policies - searches all IAM policies within the specified accessible scope, such as a project, folder or organization
SYNOPSIS
gcloud asset search-all-iam-policies [--asset-types=[ASSET_TYPES,…]] [--order-by=ORDER_BY] [--query=QUERY] [--scope=SCOPE] [--filter=EXPRESSION] [--limit=LIMIT] [--page-size=PAGE_SIZE] [--sort-by=[FIELD,…]] [GCLOUD_WIDE_FLAG]
DESCRIPTION
Searches all IAM policies within the specified scope, such as a project, folder or organization. The caller must be granted the cloudasset.assets.searchAllIamPolicies permission on the desired scope.

Note: The query is compared against each IAM policy binding, including its principals, roles and conditions. The returned IAM policies, will only contain the bindings that match your query. To learn more about the IAM policy structure, see the IAM policy documentation.

EXAMPLES
To search all the IAM policies that specify amy@mycompany.com within organizations/123456, ensure the caller has been granted the cloudasset.assets.searchAllIamPolicies permission on the organization and run:
gcloud asset search-all-iam-policies --scope='organizations/123456' --query='policy:amy@mycompany.com'
FLAGS
--asset-types=[ASSET_TYPES,…]
List of asset types that the IAM policies are attached to. If empty, it will search the IAM policies that are attached to all the searchable asset types.

Regular expressions are also supported. For example:

  • compute.googleapis.com.* snapshots IAM policies attached to asset type starts with compute.googleapis.com.
  • .*Instance snapshots IAM policies attached to asset type ends with Instance.
  • .*Instance.* snapshots IAM policies attached to asset type contains Instance.

See RE2 for all supported regular expression syntax. If the regular expression does not match any supported asset type, an INVALID_ARGUMENT error will be returned.

--order-by=ORDER_BY
Comma-separated list of fields specifying the sorting order of the results. The default order is ascending. Add DESC after the field name to indicate descending order. Redundant space characters are ignored. Example: assetType DESC, resource. Only singular primitive fields in the response are sortable:
  • resource
  • assetType
  • project

All the other fields such as repeated fields (e.g., folders) and non-primitive fields (e.g., policy) are not supported.

Both --order-by and --sort-by flags can be used to sort the output, with the following differences:

  • The --order-by flag performs server-side sorting (better performance), while the --sort-by flag performs client-side sorting.
  • The --sort-by flag supports all the fields in the output, while the --order-by flag only supports limited fields as shown above.
--query=QUERY
Query statement. See how to construct a query for more information. If not specified or empty, it will search all the IAM policies within the specified scope. Note that the query string is compared against each Cloud IAM policy binding, including its principals, roles, and Cloud IAM conditions. The returned Cloud IAM policies will only contain the bindings that match your query. To learn more about the IAM policy structure, see the IAM policy documentation.

Examples:

  • policy:amy@gmail.com to find IAM policy bindings that specify user amy@gmail.com.
  • policy:roles/compute.admin to find IAM policy bindings that specify the Compute Admin role.
  • policy:comp* to find IAM policy bindings that contain comp as a prefix of any word in the binding.
  • policy.role.permissions:storage.buckets.update to find IAM policy bindings that specify a role containing the storage.buckets.update permission. Note that if callers haven't been granted the iam.roles.get permission for a role's included permissions, policy bindings that specify this role will be dropped from the search results.
  • policy.role.permissions:upd* to find IAM policy bindings that specify a role containing upd as a prefix of any word in the role permission. Note that if callers haven't been granted the iam.roles.get permission for a role's included permissions, policy bindings that specify this role will be dropped from the search results.
  • resource:organizations/123456 to find IAM policy bindings that are set on organizations/123456.
  • resource=//cloudresourcemanager.googleapis.com/projects/myproject to find IAM policy bindings that are set on the project named myproject.
  • Important to find IAM policy bindings that contain Important as a word in any of the searchable fields (except for the included permissions).
  • resource:(instance1 OR instance2) policy:amy to find IAM policy bindings that are set on resources instance1 or instance2 and also specify user amy.
  • roles:roles/compute.admin to find IAM policy bindings that specify the Compute Admin role.
  • memberTypes:user to find IAM policy bindings that contain the user principal type.
--scope=SCOPE
Scope can be a project, a folder, or an organization. The search is limited to the IAM policies within this scope. The caller must be granted the cloudasset.assets.searchAllIamPolicies permission on the desired scope. If not specified, the configured project property will be used. To find the configured project, run: gcloud config get project. To change the setting, run: gcloud config set project PROJECT_ID.

The allowed values are:

  • projects/{PROJECT_ID} (e.g. projects/foo-bar)
  • projects/{PROJECT_NUMBER} (e.g. projects/12345678)
  • folders/{FOLDER_NUMBER} (e.g. folders/1234567)
  • organizations/{ORGANIZATION_NUMBER} (e.g. organizations/123456)
LIST COMMAND FLAGS
--filter=EXPRESSION
Apply a Boolean filter EXPRESSION to each resource item to be listed. If the expression evaluates True, then that item is listed. For more details and examples of filter expressions, run $ gcloud topic filters. This flag interacts with other flags that are applied in this order: --flatten, --sort-by, --filter, --limit.
--limit=LIMIT
Maximum number of resources to list. The default is unlimited. This flag interacts with other flags that are applied in this order: --flatten, --sort-by, --filter, --limit.
--page-size=PAGE_SIZE
Some services group resource list output into pages. This flag specifies the maximum number of resources per page. The default is determined by the service if it supports paging, otherwise it is unlimited (no paging). Paging may be applied before or after --filter and --limit depending on the service.
--sort-by=[FIELD,…]
Comma-separated list of resource field key names to sort by. The default order is ascending. Prefix a field with ``~´´ for descending order on that field. This flag interacts with other flags that are applied in this order: --flatten, --sort-by, --filter, --limit.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

NOTES
This variant is also available:
gcloud beta asset search-all-iam-policies