HEX
Server: Apache/2.4.65 (Ubuntu)
System: Linux ielts-store-v2 6.8.0-1036-gcp #38~22.04.1-Ubuntu SMP Thu Aug 14 01:19:18 UTC 2025 x86_64
User: root (0)
PHP: 7.2.34-54+ubuntu20.04.1+deb.sury.org+1
Disabled: pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
$ pwd: /snap/google-cloud-cli/394/lib/surface/asset/
Upload Files
File: //snap/google-cloud-cli/394/lib/surface/asset/analyze_iam_policy.py
# -*- coding: utf-8 -*- #
# Copyright 2019 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Command to analyze IAM policy in the specified root asset."""

from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals

from googlecloudsdk.api_lib.asset import client_util
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.asset import flags


# pylint: disable=line-too-long
DETAILED_HELP = {
    'DESCRIPTION': """\
      Analyzes IAM policies that match a request.
      """,
    'EXAMPLES': """\
      To find out which users have been granted the
      iam.serviceAccounts.actAs permission on a service account, run:

        $ {command} --organization=YOUR_ORG_ID --full-resource-name=YOUR_SERVICE_ACCOUNT_FULL_RESOURCE_NAME --permissions='iam.serviceAccounts.actAs'

      To find out which resources a user can access, run:

        $ {command} --organization=YOUR_ORG_ID --identity='user:u1@foo.com'

      To find out which roles or permissions a user has been granted on a
      project, run:

        $ {command} --organization=YOUR_ORG_ID --full-resource-name=YOUR_PROJECT_FULL_RESOURCE_NAME --identity='user:u1@foo.com'

      To find out which users have been granted the
      iam.serviceAccounts.actAs permission on any applicable resources, run:

        $ {command} --organization=YOUR_ORG_ID --permissions='iam.serviceAccounts.actAs'
      """,
}


@base.ReleaseTracks(base.ReleaseTrack.GA)
class AnalyzeIamPolicyGA(base.Command):
  """Analyzes IAM policies that match a request."""

  detailed_help = DETAILED_HELP

  _API_VERSION = client_util.DEFAULT_API_VERSION

  @classmethod
  def Args(cls, parser):
    flags.AddAnalyzerParentArgs(parser)
    flags.AddAnalyzerSelectorsGroup(parser)
    flags.AddAnalyzerOptionsGroup(parser, True)
    flags.AddAnalyzerConditionContextGroup(parser)
    flags.AddAnalyzerSavedAnalysisQueryArgs(parser)

  def Run(self, args):
    client = client_util.AnalyzeIamPolicyClient(self._API_VERSION)
    return client.Analyze(args)


@base.ReleaseTracks(base.ReleaseTrack.BETA)
class AnalyzeIamPolicyBETA(AnalyzeIamPolicyGA):
  """BETA version, Analyzes IAM policies that match a request."""

  @classmethod
  def Args(cls, parser):
    AnalyzeIamPolicyGA.Args(parser)


@base.ReleaseTracks(base.ReleaseTrack.ALPHA)
class AnalyzeIamPolicyALPHA(AnalyzeIamPolicyBETA):
  """ALPHA version, Analyzes IAM policies that match a request."""

  @classmethod
  def Args(cls, parser):
    AnalyzeIamPolicyBETA.Args(parser)
    # TODO(b/304841991): Move versioned field to common parsing function after
    # version label is removed.
    options_group = flags.GetOrAddOptionGroup(parser)
    flags.AddAnalyzerIncludeDenyPolicyAnalysisArgs(options_group)
@ Telegram