gcloud policy-intelligence troubleshoot-policy iam

NAME: gcloud policy-intelligence troubleshoot-policy iam - troubleshoot IAM allow and deny policies
SYNOPSIS: gcloud policy-intelligence troubleshoot-policy iam RESOURCE --permission=PERMISSION --principal-email=EMAIL [--destination-ip=DESTINATION_IP] [--destination-port=DESTINATION_PORT] [--request-time=REQUEST_TIME] [--resource-name=RESOURCE_NAME] [--resource-service=RESOURCE_SERVICE] [--resource-type=RESOURCE_TYPE] [GCLOUD_WIDE_FLAG …]
DESCRIPTION: Uses a resource's effective IAM allow policy and IAM deny policy to check whether a principal has a specific permission on the resource.
EXAMPLES: The following command checks whether the principal my-user@example.com has the permission resourcemanager.projects.get on the project my-project:
gcloud policy-intelligence troubleshoot-policy iam //cloudresourcemanager.googleapis.com/projects/my-project --principal-email=my-user@example.com --permission=resourcemanager.projects.get

The following command checks whether the principal my-user@example.com has the compute.images.get permission on the project my-project. The command also provides additional context that lets Troubleshooter evaluate conditional role bindings:
gcloud policy-intelligence troubleshoot-policy iam //cloudresourcemanager.googleapis.com/projects/my-project --principal-email=my-user@example.com --permission=compute.images.get --resource-name=//compute.googleapis.com/projects/my-project/zones/images/my-image' --resource-service='compute.googleapis.com' \ --resource-type='compute.googleapis.com/Image' \ --destination-ip='192.2.2.2'--destination-port=8080 \ --request-time='2023-01-01T00:00:00Z'
POSITIONAL ARGUMENTS: RESOURCE

Full resource name that access is checked against. For a list of full resource name formats, see: https://cloud.google.com/iam/docs/resource-names.
REQUIRED FLAGS: --permission=PERMISSION

IAM permission to check. The permssion can be in the v1 or v2 format. For example, resourcemanager.projects.get or cloudresourcemanager.googleapis.com/projects.get. For a list of permissions, see https://cloud.google.com/iam/docs/permissions-reference and https://cloud.google.com/iam/docs/deny-permissions-support

--principal-email=EMAIL

Email address that identifies the principal to check. Only Google Accounts and service accounts are supported.
OPTIONAL FLAGS: --destination-ip=DESTINATION_IP

The request destination IP address to use when checking conditional bindings. For example, 198.1.1.1.

--destination-port=DESTINATION_PORT

The request destination port to use when checking conditional bindings. For example, 8080.

--request-time=REQUEST_TIME

The request timestamp to use when checking conditional bindings. This string must adhere to UTC format (RFC 3339). For example,2021-01-01T00:00:00Z. For more information, see: https://tools.ietf.org/html/rfc3339

--resource-name=RESOURCE_NAME

The resource name value to use when checking conditional bindings. For accepted values, see: https://cloud.google.com/iam/docs/conditions-resource-attributes#resource-name.

--resource-service=RESOURCE_SERVICE

The resource service value to use when checking conditional bindings. For accepted values, see: https://cloud.google.com/iam/docs/conditions-resource-attributes#resource-service

--resource-type=RESOURCE_TYPE

The resource type value to use when checking conditional bindings. For accepted values, see: https://cloud.google.com/iam/docs/conditions-resource-attributes#resource-type
GCLOUD WIDE FLAGS: These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.