1
0
Fork 0
mirror of https://github.com/imjasonh/gcloud-help synced 2026-07-16 12:22:03 +00:00
gcloud-help/gcloud/beta/asset/export-iam-policy-analysis
2022-03-01 04:29:52 +00:00

138 lines
5.2 KiB
Text

NAME
gcloud beta asset export-iam-policy-analysis - export IAM policy analysis
that match a request to Google Cloud Storage
SYNOPSIS
gcloud beta asset export-iam-policy-analysis --output-path=OUTPUT_PATH
(--folder=FOLDER_ID | --organization=ORGANIZATION_ID
| --project=PROJECT_ID) [--full-resource-name=FULL_RESOURCE_NAME]
[--identity=IDENTITY]
[--analyze-service-account-impersonation --expand-groups
--expand-resources
--expand-roles --output-group-edges --output-resource-edges]
[--permissions=[PERMISSIONS,...] --roles=[ROLES,...]]
[GCLOUD_WIDE_FLAG ...]
DESCRIPTION
(BETA) Export IAM policy analysis that matches a request to Google Cloud
Storage.
EXAMPLES
To find out which users have been granted the iam.serviceAccounts.actAs
permission on a service account, run:
$ gcloud beta asset export-iam-policy-analysis \
--organization=YOUR_ORG_ID \
--full-resource-name=YOUR_SERVICE_ACCOUNT_FULL_RESOURCE_NAME \
--permissions='iam.serviceAccounts.actAs' \
--output-path='gs://YOUR_BUCKET_NAME/YOUR_OBJECT_NAME'
To find out which resources a user can access, run:
$ gcloud beta asset export-iam-policy-analysis \
--organization=YOUR_ORG_ID --identity='user:u1@foo.com' \
--output-path='gs://YOUR_BUCKET_NAME/YOUR_OBJECT_NAME'
To find out which roles or permissions a user has been granted on a
project, run:
$ gcloud beta asset export-iam-policy-analysis \
--organization=YOUR_ORG_ID \
--full-resource-name=YOUR_PROJECT_FULL_RESOURCE_NAME \
--identity='user:u1@foo.com' \
--output-path='gs://YOUR_BUCKET_NAME/YOUR_OBJECT_NAME'
To find out which users have been granted the iam.serviceAccounts.actAs
permission on any applicable resources, run:
$ gcloud beta asset export-iam-policy-analysis \
--organization=YOUR_ORG_ID \
--permissions='iam.serviceAccounts.actAs' \
--output-path='gs://YOUR_BUCKET_NAME/YOUR_OBJECT_NAME'
REQUIRED FLAGS
The destination path for exporting IAM policy analysis.
This must be specified.
--output-path=OUTPUT_PATH
Google Cloud Storage URI where the results will go. URI must start
with "gs://". For example, "gs://bucket_name/object_name"
Exactly one of these must be specified:
--folder=FOLDER_ID
Folder ID on which to perform the analysis. Only policies defined at
or below this folder will be targeted in the analysis.
--organization=ORGANIZATION_ID
Organization ID on which to perform the analysis. Only policies
defined at or below this organization will be targeted in the
analysis.
--project=PROJECT_ID
Project ID or number on which to perform the analysis. Only policies
defined at or below this project will be targeted in the analysis.
OPTIONAL FLAGS
Specifies a resource for analysis. Leaving it empty means ANY.
--full-resource-name=FULL_RESOURCE_NAME
The full resource name.
Specifies an identity for analysis. Leaving it empty means ANY.
--identity=IDENTITY
The identity appearing in the form of principals in the IAM policy
binding.
The analysis options.
--analyze-service-account-impersonation
If true, the response will include access analysis from identities to
resources via service account impersonation. This is a very expensive
operation, because many derived queries will be executed. We highly
recommend you use AnalyzeIamPolicyLongrunning rpc instead. Default is
false.
--expand-groups
If true, the identities section of the result will expand any Google
groups appearing in an IAM policy binding. Default is false.
--expand-resources
If true, the resource section of the result will expand any resource
attached to an IAM policy to include resources lower in the resource
hierarchy. Default is false.
--expand-roles
If true, the access section of result will expand any roles appearing
in IAM policy bindings to include their permissions. Default is
false.
--output-group-edges
If true, the result will output the relevant membership relationships
between groups. Default is false.
--output-resource-edges
If true, the result will output the relevant parent/child
relationships between resources. Default is false.
Specifies roles or permissions for analysis. Leaving it empty means ANY.
--permissions=[PERMISSIONS,...]
The permissions to appear in the result.
--roles=[ROLES,...]
The roles to appear in the result.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,
--help, --impersonate-service-account, --log-http, --project, --quiet,
--trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
NOTES
This command is currently in beta and might change without notice.