File: //snap/google-cloud-cli/394/help/man/man1/gcloud_policy-troubleshoot_iam.1
.TH "GCLOUD_POLICY\-TROUBLESHOOT_IAM" 1
.SH "NAME"
.HP
gcloud policy\-troubleshoot iam \- troubleshoot the IAM Policy
.SH "SYNOPSIS"
.HP
\f5gcloud policy\-troubleshoot iam\fR \fIRESOURCE\fR \fB\-\-permission\fR=\fIPERMISSION\fR \fB\-\-principal\-email\fR=\fIPRINCIPAL_EMAIL\fR [\fB\-\-destination\-ip\fR=\fIDESTINATION_IP\fR] [\fB\-\-destination\-port\fR=\fIDESTINATION_PORT\fR] [\fB\-\-request\-time\fR=\fIREQUEST_TIME\fR] [\fB\-\-resource\-name\fR=\fIRESOURCE_NAME\fR] [\fB\-\-resource\-service\fR=\fIRESOURCE_SERVICE\fR] [\fB\-\-resource\-type\fR=\fIRESOURCE_TYPE\fR] [\fIGCLOUD_WIDE_FLAG\ ...\fR]
.SH "DESCRIPTION"
Checks whether a principal is granted a permission on a resource, and reports
how that access is determined by the resource's effective IAM policy.
.SH "EXAMPLES"
To troubleshoot a permission of a principal on a resource, run:
.RS 2m
$ gcloud policy\-troubleshoot iam \e
    //cloudresourcemanager.googleapis.com/projects/project\-id \e
    \-\-principal\-email=my\-iam\-account@somedomain.com \e
    \-\-permission=resourcemanager.projects.get
.RE
See https://cloud.google.com/iam/help/allow\-policies/overview for more
information about IAM policies.
.SH "POSITIONAL ARGUMENTS"
.RS 2m
.TP 2m
\fIRESOURCE\fR
Full resource name that access is checked against. See:
https://cloud.google.com/iam/docs/resource\-names.
.RE
.sp
.SH "REQUIRED FLAGS"
.RS 2m
.TP 2m
\fB\-\-permission\fR=\fIPERMISSION\fR
Cloud IAM permission to check, e.g. "resourcemanager.projects.get".
.TP 2m
\fB\-\-principal\-email\fR=\fIPRINCIPAL_EMAIL\fR
Email address that identifies the principal to check. Only Google Accounts and
service accounts are supported.
.RE
.sp
.SH "OPTIONAL FLAGS"
.RS 2m
.TP 2m
\fB\-\-destination\-ip\fR=\fIDESTINATION_IP\fR
The request destination IP address to use when checking conditional bindings.
For example, \f5198.1.1.1\fR.
.TP 2m
\fB\-\-destination\-port\fR=\fIDESTINATION_PORT\fR
The request destination port to use when checking conditional bindings. For
example, 8080.
.TP 2m
\fB\-\-request\-time\fR=\fIREQUEST_TIME\fR
The request timestamp to use when checking conditional bindings. This string
must adhere to UTC format (RFC 3339). For example, 2021\-01\-01T00:00:00Z. See:
https://tools.ietf.org/html/rfc3339
.TP 2m
\fB\-\-resource\-name\fR=\fIRESOURCE_NAME\fR
The resource name value to use when checking conditional bindings. See:
https://cloud.google.com/iam/docs/conditions\-resource\-attributes#resource\-name.
.TP 2m
\fB\-\-resource\-service\fR=\fIRESOURCE_SERVICE\fR
The resource service value to use when checking conditional bindings. See:
https://cloud.google.com/iam/docs/conditions\-resource\-attributes#resource\-service
.TP 2m
\fB\-\-resource\-type\fR=\fIRESOURCE_TYPE\fR
The resource type value to use when checking conditional bindings. See:
https://cloud.google.com/iam/docs/conditions\-resource\-attributes#resource\-type
.RE
.sp
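The optional flags above supply the request context that conditional bindings are evaluated against. The shell wrapper below is an added example, not part of the gcloud documentation: it validates the timestamp and port locally and builds the command from flags listed on this page only. The function names, the DRY_RUN variable and the assumed expiry time are illustrative.

```shell
#!/bin/sh
# Added example (not from the gcloud documentation): validate the condition
# context locally, then build the `gcloud policy-troubleshoot iam` call.
# DRY_RUN defaults to 1 here, so the command is printed, not executed.
DRY_RUN=${DRY_RUN:-1}

# Shape check for an RFC 3339 UTC timestamp such as 2021-01-01T00:00:00Z.
is_rfc3339_utc() {
    printf '%s\n' "$1" | grep -Eq \
        '^[0-9]{4}-(0[1-9]|1[0-2])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9](\.[0-9]+)?Z$'
}

# True for a decimal port number in 1-65535.
is_port() {
    case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# troubleshoot_at RESOURCE PRINCIPAL PERMISSION REQUEST_TIME [DEST_IP [DEST_PORT]]
troubleshoot_at() {
    if [ "$#" -lt 4 ]; then
        echo "usage: troubleshoot_at RESOURCE PRINCIPAL PERMISSION REQUEST_TIME [DEST_IP [DEST_PORT]]" >&2
        return 2
    fi
    ts=$4 ip=${5:-} port=${6:-}
    if ! is_rfc3339_utc "$ts"; then
        echo "invalid --request-time (want RFC 3339 UTC): $ts" >&2; return 2
    fi
    if [ -n "$port" ] && ! is_port "$port"; then
        echo "invalid --destination-port: $port" >&2; return 2
    fi
    set -- gcloud policy-troubleshoot iam "$1" \
        "--principal-email=$2" "--permission=$3" "--request-time=$ts"
    if [ -n "$ip" ]; then set -- "$@" "--destination-ip=$ip"; fi
    if [ -n "$port" ]; then set -- "$@" "--destination-port=$port"; fi
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Constructed sample: the same check just before and just after an assumed
# expiry of 2021-01-01T00:00:00Z on a time-limited conditional binding.
for t in 2020-12-31T23:59:59Z 2021-01-01T00:00:01Z; do
    troubleshoot_at //cloudresourcemanager.googleapis.com/projects/project-id \
        my-iam-account@somedomain.com resourcemanager.projects.get "$t"
done
```

Run with DRY_RUN=0 to execute the calls against the API instead of printing them.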
.SH "GCLOUD WIDE FLAGS"
These flags are available to all commands: \-\-access\-token\-file, \-\-account,
\-\-billing\-project, \-\-configuration, \-\-flags\-file, \-\-flatten,
\-\-format, \-\-help, \-\-impersonate\-service\-account, \-\-log\-http,
\-\-project, \-\-quiet, \-\-trace\-token, \-\-user\-output\-enabled,
\-\-verbosity.
Run \fB$ gcloud help\fR for details.
.SH "API REFERENCE"
This command uses the \fBpolicytroubleshooter/v2alpha1\fR API. The full
documentation for this API can be found at: https://cloud.google.com/iam/
.SH "NOTES"
These variants are also available:
.RS 2m
$ gcloud alpha policy\-troubleshoot iam
.RE
.RS 2m
$ gcloud beta policy\-troubleshoot iam
.RE