mirror of
https://github.com/imjasonh/gcloud-help
synced 2026-07-19 07:15:23 +00:00
gcloud: Wed Jul 20 08:59:31 UTC 2022
This commit is contained in:
parent
879929cbc6
commit
380c3aa29f
83 changed files with 1945 additions and 446 deletions
|
|
@ -1,135 +0,0 @@
|
|||
NAME
|
||||
gcloud beta asset analyze-iam-policy - analyzes IAM policies that match a
|
||||
request
|
||||
|
||||
SYNOPSIS
|
||||
gcloud beta asset analyze-iam-policy
|
||||
(--folder=FOLDER_ID | --organization=ORGANIZATION_ID
|
||||
| --project=PROJECT_ID) [--full-resource-name=FULL_RESOURCE_NAME]
|
||||
[--identity=IDENTITY]
|
||||
[--analyze-service-account-impersonation
|
||||
--execution-timeout=EXECUTION_TIMEOUT --expand-groups
|
||||
--expand-resources --expand-roles
|
||||
--output-group-edges --output-resource-edges --show-response]
|
||||
[--permissions=[PERMISSIONS,...] --roles=[ROLES,...]]
|
||||
[GCLOUD_WIDE_FLAG ...]
|
||||
|
||||
DESCRIPTION
|
||||
(BETA) Analyzes IAM policies that match a request.
|
||||
|
||||
EXAMPLES
|
||||
To find out which users have been granted the iam.serviceAccounts.actAs
|
||||
permission on a service account, run:
|
||||
|
||||
$ gcloud beta asset analyze-iam-policy --organization=YOUR_ORG_ID \
|
||||
--full-resource-name=YOUR_SERVICE_ACCOUNT_FULL_RESOURCE_NAME \
|
||||
--permissions='iam.serviceAccounts.actAs'
|
||||
|
||||
To find out which resources a user can access, run:
|
||||
|
||||
$ gcloud beta asset analyze-iam-policy --organization=YOUR_ORG_ID \
|
||||
--identity='user:u1@foo.com'
|
||||
|
||||
To find out which roles or permissions a user has been granted on a
|
||||
project, run:
|
||||
|
||||
$ gcloud beta asset analyze-iam-policy --organization=YOUR_ORG_ID \
|
||||
--full-resource-name=YOUR_PROJECT_FULL_RESOURCE_NAME \
|
||||
--identity='user:u1@foo.com'
|
||||
|
||||
To find out which users have been granted the iam.serviceAccounts.actAs
|
||||
permission on any applicable resources, run:
|
||||
|
||||
$ gcloud beta asset analyze-iam-policy --organization=YOUR_ORG_ID \
|
||||
--permissions='iam.serviceAccounts.actAs'
|
||||
|
||||
REQUIRED FLAGS
|
||||
Exactly one of these must be specified:
|
||||
|
||||
--folder=FOLDER_ID
|
||||
Folder ID on which to perform the analysis. Only policies defined at
|
||||
or below this folder will be targeted in the analysis.
|
||||
|
||||
--organization=ORGANIZATION_ID
|
||||
Organization ID on which to perform the analysis. Only policies
|
||||
defined at or below this organization will be targeted in the
|
||||
analysis.
|
||||
|
||||
--project=PROJECT_ID
|
||||
Project ID or number on which to perform the analysis. Only policies
|
||||
defined at or below this project will be targeted in the analysis.
|
||||
|
||||
OPTIONAL FLAGS
|
||||
Specifies a resource for analysis. Leaving it empty means ANY.
|
||||
|
||||
--full-resource-name=FULL_RESOURCE_NAME
|
||||
The full resource name.
|
||||
|
||||
Specifies an identity for analysis. Leaving it empty means ANY.
|
||||
|
||||
--identity=IDENTITY
|
||||
The identity appearing in the form of principals in the IAM policy
|
||||
binding.
|
||||
|
||||
The analysis options.
|
||||
|
||||
--analyze-service-account-impersonation
|
||||
If true, the response will include access analysis from identities to
|
||||
resources via service account impersonation. This is a very expensive
|
||||
operation, because many derived queries will be executed. We highly
|
||||
recommend you use AnalyzeIamPolicyLongrunning rpc instead. Default is
|
||||
false.
|
||||
|
||||
--execution-timeout=EXECUTION_TIMEOUT
|
||||
The amount of time the executable has to complete. See JSON
|
||||
representation of Duration
|
||||
(https://developers.google.com/protocol-buffers/docs/proto3#json).
|
||||
Deafult is empty.
|
||||
|
||||
--expand-groups
|
||||
If true, the identities section of the result will expand any Google
|
||||
groups appearing in an IAM policy binding. Default is false.
|
||||
|
||||
--expand-resources
|
||||
If true, the resource section of the result will expand any resource
|
||||
attached to an IAM policy to include resources lower in the resource
|
||||
hierarchy. Default is false.
|
||||
|
||||
--expand-roles
|
||||
If true, the access section of result will expand any roles appearing
|
||||
in IAM policy bindings to include their permissions. Default is
|
||||
false.
|
||||
|
||||
--output-group-edges
|
||||
If true, the result will output the relevant membership relationships
|
||||
between groups. Default is false.
|
||||
|
||||
--output-resource-edges
|
||||
If true, the result will output the relevant parent/child
|
||||
relationships between resources. Default is false.
|
||||
|
||||
--show-response
|
||||
If true, the response will be showed as-is in the command output.
|
||||
|
||||
Specifies roles or permissions for analysis. Leaving it empty means ANY.
|
||||
|
||||
--permissions=[PERMISSIONS,...]
|
||||
The permissions to appear in the result.
|
||||
|
||||
--roles=[ROLES,...]
|
||||
The roles to appear in the result.
|
||||
|
||||
GCLOUD WIDE FLAGS
|
||||
These flags are available to all commands: --access-token-file, --account,
|
||||
--billing-project, --configuration, --flags-file, --flatten, --format,
|
||||
--help, --impersonate-service-account, --log-http, --project, --quiet,
|
||||
--trace-token, --user-output-enabled, --verbosity.
|
||||
|
||||
Run $ gcloud help for details.
|
||||
|
||||
NOTES
|
||||
This command is currently in beta and might change without notice. This
|
||||
variant is also available:
|
||||
|
||||
$ gcloud asset analyze-iam-policy
|
||||
|
||||
|
|
@ -1,138 +0,0 @@
|
|||
NAME
|
||||
gcloud beta asset export-iam-policy-analysis - export IAM policy analysis
|
||||
that match a request to Google Cloud Storage
|
||||
|
||||
SYNOPSIS
|
||||
gcloud beta asset export-iam-policy-analysis --output-path=OUTPUT_PATH
|
||||
(--folder=FOLDER_ID | --organization=ORGANIZATION_ID
|
||||
| --project=PROJECT_ID) [--full-resource-name=FULL_RESOURCE_NAME]
|
||||
[--identity=IDENTITY]
|
||||
[--analyze-service-account-impersonation --expand-groups
|
||||
--expand-resources
|
||||
--expand-roles --output-group-edges --output-resource-edges]
|
||||
[--permissions=[PERMISSIONS,...] --roles=[ROLES,...]]
|
||||
[GCLOUD_WIDE_FLAG ...]
|
||||
|
||||
DESCRIPTION
|
||||
(BETA) Export IAM policy analysis that matches a request to Google Cloud
|
||||
Storage.
|
||||
|
||||
EXAMPLES
|
||||
To find out which users have been granted the iam.serviceAccounts.actAs
|
||||
permission on a service account, run:
|
||||
|
||||
$ gcloud beta asset export-iam-policy-analysis \
|
||||
--organization=YOUR_ORG_ID \
|
||||
--full-resource-name=YOUR_SERVICE_ACCOUNT_FULL_RESOURCE_NAME \
|
||||
--permissions='iam.serviceAccounts.actAs' \
|
||||
--output-path='gs://YOUR_BUCKET_NAME/YOUR_OBJECT_NAME'
|
||||
|
||||
To find out which resources a user can access, run:
|
||||
|
||||
$ gcloud beta asset export-iam-policy-analysis \
|
||||
--organization=YOUR_ORG_ID --identity='user:u1@foo.com' \
|
||||
--output-path='gs://YOUR_BUCKET_NAME/YOUR_OBJECT_NAME'
|
||||
|
||||
To find out which roles or permissions a user has been granted on a
|
||||
project, run:
|
||||
|
||||
$ gcloud beta asset export-iam-policy-analysis \
|
||||
--organization=YOUR_ORG_ID \
|
||||
--full-resource-name=YOUR_PROJECT_FULL_RESOURCE_NAME \
|
||||
--identity='user:u1@foo.com' \
|
||||
--output-path='gs://YOUR_BUCKET_NAME/YOUR_OBJECT_NAME'
|
||||
|
||||
To find out which users have been granted the iam.serviceAccounts.actAs
|
||||
permission on any applicable resources, run:
|
||||
|
||||
$ gcloud beta asset export-iam-policy-analysis \
|
||||
--organization=YOUR_ORG_ID \
|
||||
--permissions='iam.serviceAccounts.actAs' \
|
||||
--output-path='gs://YOUR_BUCKET_NAME/YOUR_OBJECT_NAME'
|
||||
|
||||
REQUIRED FLAGS
|
||||
The destination path for exporting IAM policy analysis.
|
||||
|
||||
This must be specified.
|
||||
|
||||
--output-path=OUTPUT_PATH
|
||||
Google Cloud Storage URI where the results will go. URI must start
|
||||
with "gs://". For example, "gs://bucket_name/object_name"
|
||||
|
||||
Exactly one of these must be specified:
|
||||
|
||||
--folder=FOLDER_ID
|
||||
Folder ID on which to perform the analysis. Only policies defined at
|
||||
or below this folder will be targeted in the analysis.
|
||||
|
||||
--organization=ORGANIZATION_ID
|
||||
Organization ID on which to perform the analysis. Only policies
|
||||
defined at or below this organization will be targeted in the
|
||||
analysis.
|
||||
|
||||
--project=PROJECT_ID
|
||||
Project ID or number on which to perform the analysis. Only policies
|
||||
defined at or below this project will be targeted in the analysis.
|
||||
|
||||
OPTIONAL FLAGS
|
||||
Specifies a resource for analysis. Leaving it empty means ANY.
|
||||
|
||||
--full-resource-name=FULL_RESOURCE_NAME
|
||||
The full resource name.
|
||||
|
||||
Specifies an identity for analysis. Leaving it empty means ANY.
|
||||
|
||||
--identity=IDENTITY
|
||||
The identity appearing in the form of principals in the IAM policy
|
||||
binding.
|
||||
|
||||
The analysis options.
|
||||
|
||||
--analyze-service-account-impersonation
|
||||
If true, the response will include access analysis from identities to
|
||||
resources via service account impersonation. This is a very expensive
|
||||
operation, because many derived queries will be executed. We highly
|
||||
recommend you use AnalyzeIamPolicyLongrunning rpc instead. Default is
|
||||
false.
|
||||
|
||||
--expand-groups
|
||||
If true, the identities section of the result will expand any Google
|
||||
groups appearing in an IAM policy binding. Default is false.
|
||||
|
||||
--expand-resources
|
||||
If true, the resource section of the result will expand any resource
|
||||
attached to an IAM policy to include resources lower in the resource
|
||||
hierarchy. Default is false.
|
||||
|
||||
--expand-roles
|
||||
If true, the access section of result will expand any roles appearing
|
||||
in IAM policy bindings to include their permissions. Default is
|
||||
false.
|
||||
|
||||
--output-group-edges
|
||||
If true, the result will output the relevant membership relationships
|
||||
between groups. Default is false.
|
||||
|
||||
--output-resource-edges
|
||||
If true, the result will output the relevant parent/child
|
||||
relationships between resources. Default is false.
|
||||
|
||||
Specifies roles or permissions for analysis. Leaving it empty means ANY.
|
||||
|
||||
--permissions=[PERMISSIONS,...]
|
||||
The permissions to appear in the result.
|
||||
|
||||
--roles=[ROLES,...]
|
||||
The roles to appear in the result.
|
||||
|
||||
GCLOUD WIDE FLAGS
|
||||
These flags are available to all commands: --access-token-file, --account,
|
||||
--billing-project, --configuration, --flags-file, --flatten, --format,
|
||||
--help, --impersonate-service-account, --log-http, --project, --quiet,
|
||||
--trace-token, --user-output-enabled, --verbosity.
|
||||
|
||||
Run $ gcloud help for details.
|
||||
|
||||
NOTES
|
||||
This command is currently in beta and might change without notice.
|
||||
|
||||
|
|
@ -24,16 +24,9 @@ GROUPS
|
|||
COMMANDS
|
||||
COMMAND is one of the following:
|
||||
|
||||
analyze-iam-policy
|
||||
(BETA) Analyzes IAM policies that match a request.
|
||||
|
||||
export
|
||||
(BETA) Export the cloud assets to Google Cloud Storage/BigQuery.
|
||||
|
||||
export-iam-policy-analysis
|
||||
(BETA) Export IAM policy analysis that match a request to Google Cloud
|
||||
Storage.
|
||||
|
||||
get-history
|
||||
(BETA) Get the update history of assets that overlaps a time window.
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue