HEX
Server: Apache/2.4.65 (Ubuntu)
System: Linux ielts-store-v2 6.8.0-1036-gcp #38~22.04.1-Ubuntu SMP Thu Aug 14 01:19:18 UTC 2025 x86_64
User: root (0)
PHP: 7.2.34-54+ubuntu20.04.1+deb.sury.org+1
Disabled: pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
$ pwd: /snap/google-cloud-cli/current/help/man/man1/
Upload Files
File: //snap/google-cloud-cli/current/help/man/man1/gcloud_alpha_asset_analyze-iam-policy.1
.TH "GCLOUD_ALPHA_ASSET_ANALYZE\-IAM\-POLICY" 1



.SH "NAME"
.HP
gcloud alpha asset analyze\-iam\-policy \- ALPHA version, Analyzes IAM policies that match a request



.SH "SYNOPSIS"
.HP
\f5gcloud alpha asset analyze\-iam\-policy\fR (\fB\-\-folder\fR=\fIFOLDER_ID\fR\ |\ \fB\-\-organization\fR=\fIORGANIZATION_ID\fR\ |\ \fB\-\-project\fR=\fIPROJECT_ID\fR) [\fB\-\-access\-time\fR=\fIACCESS_TIME\fR] [\fB\-\-full\-resource\-name\fR=\fIFULL_RESOURCE_NAME\fR] [\fB\-\-identity\fR=\fIIDENTITY\fR] [\fB\-\-saved\-analysis\-query\fR=\fISAVED_ANALYSIS_QUERY\fR] [\fB\-\-analyze\-service\-account\-impersonation\fR\ \fB\-\-execution\-timeout\fR=\fIEXECUTION_TIMEOUT\fR\ \fB\-\-expand\-groups\fR\ \fB\-\-expand\-resources\fR\ \fB\-\-expand\-roles\fR\ \fB\-\-include\-deny\-policy\-analysis\fR\ \fB\-\-output\-group\-edges\fR\ \fB\-\-output\-resource\-edges\fR\ \fB\-\-show\-response\fR] [\fB\-\-permissions\fR=[\fIPERMISSIONS\fR,...]\ \fB\-\-roles\fR=[\fIROLES\fR,...]] [\fIGCLOUD_WIDE_FLAG\ ...\fR]



.SH "DESCRIPTION"

\fB(ALPHA)\fR Analyzes IAM policies that match a request.



.SH "EXAMPLES"

To find out which users have been granted the iam.serviceAccounts.actAs
permission on a service account, run:

.RS 2m
$ gcloud alpha asset analyze\-iam\-policy \-\-organization=YOUR_ORG_ID \e
    \-\-full\-resource\-name=YOUR_SERVICE_ACCOUNT_FULL_RESOURCE_NAME \e
    \-\-permissions='iam.serviceAccounts.actAs'
.RE

To find out which resources a user can access, run:

.RS 2m
$ gcloud alpha asset analyze\-iam\-policy \-\-organization=YOUR_ORG_ID \e
    \-\-identity='user:u1@foo.com'
.RE

To find out which roles or permissions a user has been granted on a project,
run:

.RS 2m
$ gcloud alpha asset analyze\-iam\-policy \-\-organization=YOUR_ORG_ID \e
    \-\-full\-resource\-name=YOUR_PROJECT_FULL_RESOURCE_NAME \e
    \-\-identity='user:u1@foo.com'
.RE

To find out which users have been granted the iam.serviceAccounts.actAs
permission on any applicable resources, run:

.RS 2m
$ gcloud alpha asset analyze\-iam\-policy \-\-organization=YOUR_ORG_ID \e
    \-\-permissions='iam.serviceAccounts.actAs'
.RE



.SH "REQUIRED FLAGS"

.RS 2m
.TP 2m

Exactly one of these must be specified:


.RS 2m
.TP 2m
\fB\-\-folder\fR=\fIFOLDER_ID\fR

Folder ID on which to perform the analysis. Only policies defined at or below
this folder will be targeted in the analysis.

.TP 2m
\fB\-\-organization\fR=\fIORGANIZATION_ID\fR

Organization ID on which to perform the analysis. Only policies defined at or
below this organization will be targeted in the analysis.

.TP 2m
\fB\-\-project\fR=\fIPROJECT_ID\fR

Project ID or number on which to perform the analysis. Only policies defined at
or below this project will be targeted in the analysis.


.RE
.RE
.sp

.SH "OPTIONAL FLAGS"

.RS 2m
.TP 2m

The hypothetical context to evaluate IAM conditions.


.RS 2m
.TP 2m
\fB\-\-access\-time\fR=\fIACCESS_TIME\fR

The hypothetical access timestamp to evaluate IAM conditions.

.RE
.sp
.TP 2m

Specifies a resource for analysis. Leaving it empty means ANY.


.RS 2m
.TP 2m
\fB\-\-full\-resource\-name\fR=\fIFULL_RESOURCE_NAME\fR

The full resource name.

.RE
.sp
.TP 2m

Specifies an identity for analysis. Leaving it empty means ANY.


.RS 2m
.TP 2m
\fB\-\-identity\fR=\fIIDENTITY\fR

The identity appearing in the form of principals in the IAM policy binding.

.RE
.sp
.TP 2m

Specifies the name of a saved analysis query.


.RS 2m
.TP 2m
\fB\-\-saved\-analysis\-query\fR=\fISAVED_ANALYSIS_QUERY\fR

The name of a saved query. When a \f5saved_analysis_query\fR is provided, its
query content will be used as the base query. Other flags' values will override
the base query to compose the final query to run. IDs might be in one of the
following formats:
.RS 2m
.IP "\(bu" 2m
projects/project_number/savedQueries/saved_query_id\fB
folders/folder_number/savedQueries/saved_query_id\fR
organizations/organization_number/savedQueries/saved_query_id
.RE
.sp

.RE
.sp
.TP 2m

The analysis options.


.RS 2m
.TP 2m
\fB\-\-analyze\-service\-account\-impersonation\fR

If true, the response will include access analysis from identities to resources
via service account impersonation. This is a very expensive operation, because
many derived queries will be executed. We highly recommend you use
AnalyzeIamPolicyLongrunning rpc instead. Default is false.

.TP 2m
\fB\-\-execution\-timeout\fR=\fIEXECUTION_TIMEOUT\fR

The amount of time the executable has to complete. See JSON representation of
Duration (https://developers.google.com/protocol\-buffers/docs/proto3#json).
Deafult is empty.

.TP 2m
\fB\-\-expand\-groups\fR

If true, the identities section of the result will expand any Google groups
appearing in an IAM policy binding. Default is false.

.TP 2m
\fB\-\-expand\-resources\fR

If true, the resource section of the result will expand any resource attached to
an IAM policy to include resources lower in the resource hierarchy. Default is
false.

.TP 2m
\fB\-\-expand\-roles\fR

If true, the access section of result will expand any roles appearing in IAM
policy bindings to include their permissions. Default is false.

.TP 2m
\fB\-\-include\-deny\-policy\-analysis\fR

If true, the response will include analysis for deny policies.This is a very
expensive operation, because many derived queries will be executed.

.TP 2m
\fB\-\-output\-group\-edges\fR

If true, the result will output the relevant membership relationships between
groups. Default is false.

.TP 2m
\fB\-\-output\-resource\-edges\fR

If true, the result will output the relevant parent/child relationships between
resources. Default is false.

.TP 2m
\fB\-\-show\-response\fR

If true, the response will be showed as\-is in the command output.

.RE
.sp
.TP 2m

Specifies roles or permissions for analysis. Leaving it empty means ANY.


.RS 2m
.TP 2m
\fB\-\-permissions\fR=[\fIPERMISSIONS\fR,...]

The permissions to appear in the result.

.TP 2m
\fB\-\-roles\fR=[\fIROLES\fR,...]

The roles to appear in the result.


.RE
.RE
.sp

.SH "GCLOUD WIDE FLAGS"

These flags are available to all commands: \-\-access\-token\-file, \-\-account,
\-\-billing\-project, \-\-configuration, \-\-flags\-file, \-\-flatten,
\-\-format, \-\-help, \-\-impersonate\-service\-account, \-\-log\-http,
\-\-project, \-\-quiet, \-\-trace\-token, \-\-user\-output\-enabled,
\-\-verbosity.

Run \fB$ gcloud help\fR for details.



.SH "NOTES"

This command is currently in alpha and might change without notice. If this
command fails with API permission errors despite specifying the correct project,
you might be trying to access an API with an invitation\-only early access
allowlist. These variants are also available:

.RS 2m
$ gcloud asset analyze\-iam\-policy
.RE

.RS 2m
$ gcloud beta asset analyze\-iam\-policy
.RE
@ Telegram