NAME
    gcloud alpha asset analyze-iam-policy-longrunning - analyzes IAM policies
        that match a request asynchronously and writes the results to Google
        Cloud Storage or BigQuery destination

SYNOPSIS
    gcloud alpha asset analyze-iam-policy-longrunning
        (--folder=FOLDER_ID | --organization=ORGANIZATION_ID
          | --project=PROJECT_ID)
        (--gcs-output-path=GCS_OUTPUT_PATH
          | [--bigquery-dataset=BIGQUERY_DATASET
          --bigquery-table-prefix=BIGQUERY_TABLE_PREFIX
          : --bigquery-partition-key=BIGQUERY_PARTITION_KEY
          --bigquery-write-disposition=BIGQUERY_WRITE_DISPOSITION])
        [--access-time=ACCESS_TIME] [--full-resource-name=FULL_RESOURCE_NAME]
        [--identity=IDENTITY]
        [--analyze-service-account-impersonation --expand-groups
          --expand-resources --expand-roles --include-deny-policy-analysis
          --output-group-edges --output-resource-edges]
        [--permissions=[PERMISSIONS,...] --roles=[ROLES,...]]
        [GCLOUD_WIDE_FLAG ...]

DESCRIPTION
    (ALPHA) Analyzes IAM policies that match a request asynchronously and
    writes the results to Google Cloud Storage or BigQuery destination.

EXAMPLES
    To find out which users have been granted the iam.serviceAccounts.actAs
    permission on a service account, and write analysis results to Google Cloud
    Storage, run:

        $ gcloud alpha asset analyze-iam-policy-longrunning \
            --organization=YOUR_ORG_ID \
            --full-resource-name=YOUR_SERVICE_ACCOUNT_FULL_RESOURCE_NAME \
            --permissions='iam.serviceAccounts.actAs' \
            --gcs-output-path='gs://YOUR_BUCKET_NAME/YOUR_OBJECT_NAME'

    To find out which resources a user can access, and write analysis results
    to Google Cloud Storage, run:

        $ gcloud alpha asset analyze-iam-policy-longrunning \
            --organization=YOUR_ORG_ID --identity='user:u1@foo.com' \
            --gcs-output-path='gs://YOUR_BUCKET_NAME/YOUR_OBJECT_NAME'

    To find out which roles or permissions a user has been granted on a
    project, and write analysis results to BigQuery, run:

        $ gcloud alpha asset analyze-iam-policy-longrunning \
            --organization=YOUR_ORG_ID \
            --full-resource-name=YOUR_PROJECT_FULL_RESOURCE_NAME \
            --identity='user:u1@foo.com' \
            --bigquery-dataset='projects/YOUR_PROJECT_ID/datasets/YOUR_DATAS\
        ET_ID' --bigquery-table-prefix='YOUR_BIGQUERY_TABLE_PREFIX'

    To find out which users have been granted the iam.serviceAccounts.actAs
    permission on any applicable resources, and write analysis results to
    BigQuery, run:

        $ gcloud alpha asset analyze-iam-policy-longrunning \
            --organization=YOUR_ORG_ID \
            --permissions='iam.serviceAccounts.actAs' \
            --bigquery-dataset='projects/YOUR_PROJECT_ID/datasets/YOUR_DATAS\
        ET_ID' --bigquery-table-prefix='YOUR_BIGQUERY_TABLE_PREFIX'

REQUIRED FLAGS
     Exactly one of these must be specified:

       --folder=FOLDER_ID
          Folder ID on which to perform the analysis. Only policies defined at
          or below this folder will be targeted in the analysis.

       --organization=ORGANIZATION_ID
          Organization ID on which to perform the analysis. Only policies
          defined at or below this organization will be targeted in the
          analysis.

       --project=PROJECT_ID
          Project ID or number on which to perform the analysis. Only policies
          defined at or below this project will be targeted in the analysis.

     The destination path for writing IAM policy analysis results.

     Exactly one of these must be specified:

       --gcs-output-path=GCS_OUTPUT_PATH
          Google Cloud Storage URI where the results will be written. URI must
          start with "gs://". For example, "gs://bucket_name/object_name".

       Or at least one of these can be specified:

         BigQuery destination where the results will go.

         --bigquery-dataset=BIGQUERY_DATASET
            BigQuery dataset where the results will be written. Must be a
            dataset relative name starting with "projects/". For example,
            "projects/project_id/datasets/dataset_id".

            This flag argument must be specified if any of the other arguments
            in this group are specified.

         --bigquery-table-prefix=BIGQUERY_TABLE_PREFIX
            The prefix of the BigQuery tables to which the analysis results
            will be written. A table name consists of letters, numbers and
            underscores".

            This flag argument must be specified if any of the other arguments
            in this group are specified.

         --bigquery-partition-key=BIGQUERY_PARTITION_KEY
            This enum determines the partition key column for the bigquery
            tables. Partitioning can improve query performance and reduce query
            cost by filtering partitions. Refer to
            https://cloud.google.com/bigquery/docs/partitioned-tables for
            details. BIGQUERY_PARTITION_KEY must be one of:
            PARTITION_KEY_UNSPECIFIED, REQUEST_TIME.

         --bigquery-write-disposition=BIGQUERY_WRITE_DISPOSITION
            Specifies the action that occurs if the destination table or
            partition already exists. The following values are supported:
            WRITE_TRUNCATE, WRITE_APPEND and WRITE_EMPTY. The default value is
            WRITE_APPEND.

OPTIONAL FLAGS
     The hypothetical context to evaluate IAM conditions.

     --access-time=ACCESS_TIME
        The hypothetical access timestamp to evaluate IAM conditions.

     Specifies a resource for analysis. Leaving it empty means ANY.

     --full-resource-name=FULL_RESOURCE_NAME
        The full resource name.

     Specifies an identity for analysis. Leaving it empty means ANY.

     --identity=IDENTITY
        The identity appearing in the form of principals in the IAM policy
        binding.

     The analysis options.

     --analyze-service-account-impersonation
        If true, the response will include access analysis from identities to
        resources via service account impersonation. This is a very expensive
        operation, because many derived queries will be executed. We highly
        recommend you use AnalyzeIamPolicyLongrunning rpc instead. Default is
        false.

     --expand-groups
        If true, the identities section of the result will expand any Google
        groups appearing in an IAM policy binding. Default is false.

     --expand-resources
        If true, the resource section of the result will expand any resource
        attached to an IAM policy to include resources lower in the resource
        hierarchy. Default is false.

     --expand-roles
        If true, the access section of result will expand any roles appearing
        in IAM policy bindings to include their permissions. Default is false.

     --include-deny-policy-analysis
        If true, the response will include analysis for deny policies.This is a
        very expensive operation, because many derived queries will be
        executed.

     --output-group-edges
        If true, the result will output the relevant membership relationships
        between groups. Default is false.

     --output-resource-edges
        If true, the result will output the relevant parent/child relationships
        between resources. Default is false.

     Specifies roles or permissions for analysis. Leaving it empty means ANY.

     --permissions=[PERMISSIONS,...]
        The permissions to appear in the result.

     --roles=[ROLES,...]
        The roles to appear in the result.

GCLOUD WIDE FLAGS
    These flags are available to all commands: --access-token-file, --account,
    --billing-project, --configuration, --flags-file, --flatten, --format,
    --help, --impersonate-service-account, --log-http, --project, --quiet,
    --trace-token, --user-output-enabled, --verbosity.

    Run $ gcloud help for details.

NOTES
    This command is currently in alpha and might change without notice. If this
    command fails with API permission errors despite specifying the correct
    project, you might be trying to access an API with an invitation-only early
    access allowlist. These variants are also available:

        $ gcloud asset analyze-iam-policy-longrunning

        $ gcloud beta asset analyze-iam-policy-longrunning

