mirror of
https://github.com/imjasonh/gcloud-help
synced 2026-07-11 23:49:35 +00:00
145 lines
5.7 KiB
Text
145 lines
5.7 KiB
Text
NAME
|
|
gcloud asset analyze-iam-policy - analyzes IAM policies that match a
|
|
request
|
|
|
|
SYNOPSIS
|
|
gcloud asset analyze-iam-policy
|
|
(--folder=FOLDER_ID | --organization=ORGANIZATION_ID
|
|
| --project=PROJECT_ID) [--access-time=ACCESS_TIME]
|
|
[--full-resource-name=FULL_RESOURCE_NAME] [--identity=IDENTITY]
|
|
[--saved-analysis-query=SAVED_ANALYSIS_QUERY]
|
|
[--analyze-service-account-impersonation
|
|
--execution-timeout=EXECUTION_TIMEOUT --expand-groups
|
|
--expand-resources --expand-roles
|
|
--output-group-edges --output-resource-edges --show-response]
|
|
[--permissions=[PERMISSIONS,...] --roles=[ROLES,...]]
|
|
[GCLOUD_WIDE_FLAG ...]
|
|
|
|
DESCRIPTION
|
|
Analyzes IAM policies that match a request.
|
|
|
|
EXAMPLES
|
|
To find out which users have been granted the iam.serviceAccounts.actAs
|
|
permission on a service account, run:
|
|
|
|
$ gcloud asset analyze-iam-policy --organization=YOUR_ORG_ID \
|
|
--full-resource-name=YOUR_SERVICE_ACCOUNT_FULL_RESOURCE_NAME \
|
|
--permissions='iam.serviceAccounts.actAs'
|
|
|
|
To find out which resources a user can access, run:
|
|
|
|
$ gcloud asset analyze-iam-policy --organization=YOUR_ORG_ID \
|
|
--identity='user:u1@foo.com'
|
|
|
|
To find out which roles or permissions a user has been granted on a
|
|
project, run:
|
|
|
|
$ gcloud asset analyze-iam-policy --organization=YOUR_ORG_ID \
|
|
--full-resource-name=YOUR_PROJECT_FULL_RESOURCE_NAME \
|
|
--identity='user:u1@foo.com'
|
|
|
|
To find out which users have been granted the iam.serviceAccounts.actAs
|
|
permission on any applicable resources, run:
|
|
|
|
$ gcloud asset analyze-iam-policy --organization=YOUR_ORG_ID \
|
|
--permissions='iam.serviceAccounts.actAs'
|
|
|
|
REQUIRED FLAGS
|
|
Exactly one of these must be specified:
|
|
|
|
--folder=FOLDER_ID
|
|
Folder ID on which to perform the analysis. Only policies defined at
|
|
or below this folder will be targeted in the analysis.
|
|
|
|
--organization=ORGANIZATION_ID
|
|
Organization ID on which to perform the analysis. Only policies
|
|
defined at or below this organization will be targeted in the
|
|
analysis.
|
|
|
|
--project=PROJECT_ID
|
|
Project ID or number on which to perform the analysis. Only policies
|
|
defined at or below this project will be targeted in the analysis.
|
|
|
|
OPTIONAL FLAGS
|
|
The hypothetical context to evaluate IAM conditions.
|
|
|
|
--access-time=ACCESS_TIME
|
|
The hypothetical access timestamp to evaluate IAM conditions.
|
|
|
|
Specifies a resource for analysis. Leaving it empty means ANY.
|
|
|
|
--full-resource-name=FULL_RESOURCE_NAME
|
|
The full resource name.
|
|
|
|
Specifies an identity for analysis. Leaving it empty means ANY.
|
|
|
|
--identity=IDENTITY
|
|
The identity appearing in the form of principals in the IAM policy
|
|
binding.
|
|
|
|
Specifies the name of a saved analysis query.
|
|
|
|
--saved-analysis-query=SAVED_ANALYSIS_QUERY
|
|
The name of a saved query. When a saved_analysis_query is provided,
|
|
its query content will be used as the base query. Other flags' values
|
|
will override the base query to compose the final query to run. IDs
|
|
might be in one of the following formats:
|
|
▸ projects/project_number/savedQueries/saved_query_id
|
|
folders/folder_number/savedQueries/saved_query_id
|
|
organizations/organization_number/savedQueries/saved_query_id
|
|
|
|
The analysis options.
|
|
|
|
--analyze-service-account-impersonation
|
|
If true, the response will include access analysis from identities to
|
|
resources via service account impersonation. This is a very expensive
|
|
operation, because many derived queries will be executed. We highly
|
|
recommend you use AnalyzeIamPolicyLongrunning rpc instead. Default is
|
|
false.
|
|
|
|
--execution-timeout=EXECUTION_TIMEOUT
|
|
The amount of time the executable has to complete. See JSON
|
|
representation of Duration
|
|
(https://developers.google.com/protocol-buffers/docs/proto3#json).
|
|
Deafult is empty.
|
|
|
|
--expand-groups
|
|
If true, the identities section of the result will expand any Google
|
|
groups appearing in an IAM policy binding. Default is false.
|
|
|
|
--expand-resources
|
|
If true, the resource section of the result will expand any resource
|
|
attached to an IAM policy to include resources lower in the resource
|
|
hierarchy. Default is false.
|
|
|
|
--expand-roles
|
|
If true, the access section of result will expand any roles appearing
|
|
in IAM policy bindings to include their permissions. Default is
|
|
false.
|
|
|
|
--output-group-edges
|
|
If true, the result will output the relevant membership relationships
|
|
between groups. Default is false.
|
|
|
|
--output-resource-edges
|
|
If true, the result will output the relevant parent/child
|
|
relationships between resources. Default is false.
|
|
|
|
--show-response
|
|
If true, the response will be showed as-is in the command output.
|
|
|
|
Specifies roles or permissions for analysis. Leaving it empty means ANY.
|
|
|
|
--permissions=[PERMISSIONS,...]
|
|
The permissions to appear in the result.
|
|
|
|
--roles=[ROLES,...]
|
|
The roles to appear in the result.
|
|
|
|
GCLOUD WIDE FLAGS
|
|
These flags are available to all commands: --access-token-file, --account,
|
|
--billing-project, --configuration, --flags-file, --flatten, --format,
|
|
--help, --impersonate-service-account, --log-http, --project, --quiet,
|
|
--trace-token, --user-output-enabled, --verbosity.
|
|
|
|
Run $ gcloud help for details.
|