- NAME
-
- gcloud policy-intelligence troubleshoot-policy iam - troubleshoot IAM allow and deny policies
- SYNOPSIS
-
-
gcloud policy-intelligence troubleshoot-policy iamRESOURCE--permission=PERMISSION--principal-email=EMAIL[--destination-ip=DESTINATION_IP] [--destination-port=DESTINATION_PORT] [--request-time=REQUEST_TIME] [--resource-name=RESOURCE_NAME] [--resource-service=RESOURCE_SERVICE] [--resource-type=RESOURCE_TYPE] [GCLOUD_WIDE_FLAG …]
-
- DESCRIPTION
- Uses a resource's effective IAM allow policy and IAM deny policy to check whether a principal has a specific permission on the resource.
- EXAMPLES
-
The following command checks whether the principal
my-user@example.comresourcemanager.projects.getmy-projectgcloud policy-intelligence troubleshoot-policy iam //cloudresourcemanager.googleapis.com/projects/my-project --principal-email=my-user@example.com --permission=resourcemanager.projects.getThe following command checks whether the principal
my-user@example.comcompute.images.getmy-projectgcloud policy-intelligence troubleshoot-policy iam //cloudresourcemanager.googleapis.com/projects/my-project --principal-email=my-user@example.com --permission=compute.images.get --resource-name=//compute.googleapis.com/projects/my-project/zones/images/my-image'--resource-service='compute.googleapis.com' \ --resource-type='compute.googleapis.com/Image' \ --destination-ip='192.2.2.2'--destination-port=8080 \ --request-time='2023-01-01T00:00:00Z' - POSITIONAL ARGUMENTS
-
RESOURCE- Full resource name that access is checked against. For a list of full resource name formats, see: https://cloud.google.com/iam/docs/resource-names.
- REQUIRED FLAGS
-
--permission=PERMISSION-
IAM permission to check. The permssion can be in the
v1orv2format. For example,resourcemanager.projects.getorcloudresourcemanager.googleapis.com/projects.get. For a list of permissions, see https://cloud.google.com/iam/docs/permissions-reference and https://cloud.google.com/iam/docs/deny-permissions-support --principal-email=EMAIL- Email address that identifies the principal to check. Only Google Accounts and service accounts are supported.
- OPTIONAL FLAGS
-
--destination-ip=DESTINATION_IP-
The request destination IP address to use when checking conditional bindings.
For example,
198.1.1.1. --destination-port=DESTINATION_PORT- The request destination port to use when checking conditional bindings. For example, 8080.
--request-time=REQUEST_TIME- The request timestamp to use when checking conditional bindings. This string must adhere to UTC format (RFC 3339). For example,2021-01-01T00:00:00Z. For more information, see: https://tools.ietf.org/html/rfc3339
--resource-name=RESOURCE_NAME- The resource name value to use when checking conditional bindings. For accepted values, see: https://cloud.google.com/iam/docs/conditions-resource-attributes#resource-name.
--resource-service=RESOURCE_SERVICE- The resource service value to use when checking conditional bindings. For accepted values, see: https://cloud.google.com/iam/docs/conditions-resource-attributes#resource-service
--resource-type=RESOURCE_TYPE- The resource type value to use when checking conditional bindings. For accepted values, see: https://cloud.google.com/iam/docs/conditions-resource-attributes#resource-type
- GCLOUD WIDE FLAGS
-
These flags are available to all commands:
--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.Run
$ gcloud helpfor details.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-02-06 UTC.