NAME
    gcloud asset analyze-iam-policy - analyzes IAM policies that match a
        request

SYNOPSIS
    gcloud asset analyze-iam-policy
        (--folder=FOLDER_ID | --organization=ORGANIZATION_ID
          | --project=PROJECT_ID) [--access-time=ACCESS_TIME]
        [--full-resource-name=FULL_RESOURCE_NAME] [--identity=IDENTITY]
        [--saved-analysis-query=SAVED_ANALYSIS_QUERY]
        [--analyze-service-account-impersonation
          --execution-timeout=EXECUTION_TIMEOUT --expand-groups
          --expand-resources --expand-roles
          --output-group-edges --output-resource-edges --show-response]
        [--permissions=[PERMISSIONS,...] --roles=[ROLES,...]]
        [GCLOUD_WIDE_FLAG ...]

DESCRIPTION
    Analyzes IAM policies that match a request.

EXAMPLES
    To find out which users have been granted the iam.serviceAccounts.actAs
    permission on a service account, run:

        $ gcloud asset analyze-iam-policy --organization=YOUR_ORG_ID \
            --full-resource-name=YOUR_SERVICE_ACCOUNT_FULL_RESOURCE_NAME \
            --permissions='iam.serviceAccounts.actAs'

    To find out which resources a user can access, run:

        $ gcloud asset analyze-iam-policy --organization=YOUR_ORG_ID \
            --identity='user:u1@foo.com'

    To find out which roles or permissions a user has been granted on a
    project, run:

        $ gcloud asset analyze-iam-policy --organization=YOUR_ORG_ID \
            --full-resource-name=YOUR_PROJECT_FULL_RESOURCE_NAME \
            --identity='user:u1@foo.com'

    To find out which users have been granted the iam.serviceAccounts.actAs
    permission on any applicable resources, run:

        $ gcloud asset analyze-iam-policy --organization=YOUR_ORG_ID \
            --permissions='iam.serviceAccounts.actAs'

REQUIRED FLAGS
     Exactly one of these must be specified:

       --folder=FOLDER_ID
          Folder ID on which to perform the analysis. Only policies defined at
          or below this folder will be targeted in the analysis.

       --organization=ORGANIZATION_ID
          Organization ID on which to perform the analysis. Only policies
          defined at or below this organization will be targeted in the
          analysis.

       --project=PROJECT_ID
          Project ID or number on which to perform the analysis. Only policies
          defined at or below this project will be targeted in the analysis.

OPTIONAL FLAGS
     The hypothetical context to evaluate IAM conditions.

     --access-time=ACCESS_TIME
        The hypothetical access timestamp to evaluate IAM conditions.

     Specifies a resource for analysis. Leaving it empty means ANY.

     --full-resource-name=FULL_RESOURCE_NAME
        The full resource name.

     Specifies an identity for analysis. Leaving it empty means ANY.

     --identity=IDENTITY
        The identity appearing in the form of principals in the IAM policy
        binding.

     Specifies the name of a saved analysis query.

     --saved-analysis-query=SAVED_ANALYSIS_QUERY
        The name of a saved query. When a saved_analysis_query is provided, its
        query content will be used as the base query. Other flags' values will
        override the base query to compose the final query to run. IDs might be
        in one of the following formats:
        ◆ projects/project_number/savedQueries/saved_query_id
          folders/folder_number/savedQueries/saved_query_id
          organizations/organization_number/savedQueries/saved_query_id

     The analysis options.

     --analyze-service-account-impersonation
        If true, the response will include access analysis from identities to
        resources via service account impersonation. This is a very expensive
        operation, because many derived queries will be executed. We highly
        recommend you use AnalyzeIamPolicyLongrunning rpc instead. Default is
        false.

     --execution-timeout=EXECUTION_TIMEOUT
        The amount of time the executable has to complete. See JSON
        representation of Duration
        (https://developers.google.com/protocol-buffers/docs/proto3#json).
        Deafult is empty.

     --expand-groups
        If true, the identities section of the result will expand any Google
        groups appearing in an IAM policy binding. Default is false.

     --expand-resources
        If true, the resource section of the result will expand any resource
        attached to an IAM policy to include resources lower in the resource
        hierarchy. Default is false.

     --expand-roles
        If true, the access section of result will expand any roles appearing
        in IAM policy bindings to include their permissions. Default is false.

     --output-group-edges
        If true, the result will output the relevant membership relationships
        between groups. Default is false.

     --output-resource-edges
        If true, the result will output the relevant parent/child relationships
        between resources. Default is false.

     --show-response
        If true, the response will be showed as-is in the command output.

     Specifies roles or permissions for analysis. Leaving it empty means ANY.

     --permissions=[PERMISSIONS,...]
        The permissions to appear in the result.

     --roles=[ROLES,...]
        The roles to appear in the result.

GCLOUD WIDE FLAGS
    These flags are available to all commands: --access-token-file, --account,
    --billing-project, --configuration, --flags-file, --flatten, --format,
    --help, --impersonate-service-account, --log-http, --project, --quiet,
    --trace-token, --user-output-enabled, --verbosity.

    Run $ gcloud help for details.

NOTES
    These variants are also available:

        $ gcloud alpha asset analyze-iam-policy

        $ gcloud beta asset analyze-iam-policy

