File: //snap/google-cloud-cli/current/help/man/man1/gcloud_asset_analyze-iam-policy-longrunning.1
.TH "GCLOUD_ASSET_ANALYZE\-IAM\-POLICY\-LONGRUNNING" 1
.SH "NAME"
.HP
gcloud asset analyze\-iam\-policy\-longrunning \- analyzes IAM policies that match a request asynchronously and writes the results to Google Cloud Storage or BigQuery destination
.SH "SYNOPSIS"
.HP
\f5gcloud asset analyze\-iam\-policy\-longrunning\fR (\fB\-\-folder\fR=\fIFOLDER_ID\fR\ |\ \fB\-\-organization\fR=\fIORGANIZATION_ID\fR\ |\ \fB\-\-project\fR=\fIPROJECT_ID\fR) (\fB\-\-gcs\-output\-path\fR=\fIGCS_OUTPUT_PATH\fR\ |\ [\fB\-\-bigquery\-dataset\fR=\fIBIGQUERY_DATASET\fR\ \fB\-\-bigquery\-table\-prefix\fR=\fIBIGQUERY_TABLE_PREFIX\fR\ :\ \fB\-\-bigquery\-partition\-key\fR=\fIBIGQUERY_PARTITION_KEY\fR\ \fB\-\-bigquery\-write\-disposition\fR=\fIBIGQUERY_WRITE_DISPOSITION\fR]) [\fB\-\-access\-time\fR=\fIACCESS_TIME\fR] [\fB\-\-full\-resource\-name\fR=\fIFULL_RESOURCE_NAME\fR] [\fB\-\-identity\fR=\fIIDENTITY\fR] [\fB\-\-analyze\-service\-account\-impersonation\fR\ \fB\-\-expand\-groups\fR\ \fB\-\-expand\-resources\fR\ \fB\-\-expand\-roles\fR\ \fB\-\-output\-group\-edges\fR\ \fB\-\-output\-resource\-edges\fR] [\fB\-\-permissions\fR=[\fIPERMISSIONS\fR,...]\ \fB\-\-roles\fR=[\fIROLES\fR,...]] [\fIGCLOUD_WIDE_FLAG\ ...\fR]
.SH "DESCRIPTION"
Analyzes IAM policies that match a request asynchronously and writes the results
to Google Cloud Storage or BigQuery destination.
.SH "EXAMPLES"
To find out which users have been granted the iam.serviceAccounts.actAs
permission on a service account, and write analysis results to Google Cloud
Storage, run:
.RS 2m
$ gcloud asset analyze\-iam\-policy\-longrunning \e
\-\-organization=YOUR_ORG_ID \e
\-\-full\-resource\-name=YOUR_SERVICE_ACCOUNT_FULL_RESOURCE_NAME \e
\-\-permissions='iam.serviceAccounts.actAs' \e
\-\-gcs\-output\-path='gs://YOUR_BUCKET_NAME/YOUR_OBJECT_NAME'
.RE
To find out which resources a user can access, and write analysis results to
Google Cloud Storage, run:
.RS 2m
$ gcloud asset analyze\-iam\-policy\-longrunning \e
\-\-organization=YOUR_ORG_ID \-\-identity='user:u1@foo.com' \e
\-\-gcs\-output\-path='gs://YOUR_BUCKET_NAME/YOUR_OBJECT_NAME'
.RE
To find out which roles or permissions a user has been granted on a project, and
write analysis results to BigQuery, run:
.RS 2m
$ gcloud asset analyze\-iam\-policy\-longrunning \e
\-\-organization=YOUR_ORG_ID \e
\-\-full\-resource\-name=YOUR_PROJECT_FULL_RESOURCE_NAME \e
\-\-identity='user:u1@foo.com' \e
\-\-bigquery\-dataset='projects/YOUR_PROJECT_ID/datasets/YOUR_DATAS\e
ET_ID' \-\-bigquery\-table\-prefix='YOUR_BIGQUERY_TABLE_PREFIX'
.RE
To find out which users have been granted the iam.serviceAccounts.actAs
permission on any applicable resources, and write analysis results to BigQuery,
run:
.RS 2m
$ gcloud asset analyze\-iam\-policy\-longrunning \e
\-\-organization=YOUR_ORG_ID \e
\-\-permissions='iam.serviceAccounts.actAs' \e
\-\-bigquery\-dataset='projects/YOUR_PROJECT_ID/datasets/YOUR_DATAS\e
ET_ID' \-\-bigquery\-table\-prefix='YOUR_BIGQUERY_TABLE_PREFIX'
.RE
.SH "REQUIRED FLAGS"
.RS 2m
.TP 2m
Exactly one of these must be specified:
.RS 2m
.TP 2m
\fB\-\-folder\fR=\fIFOLDER_ID\fR
Folder ID on which to perform the analysis. Only policies defined at or below
this folder will be targeted in the analysis.
.TP 2m
\fB\-\-organization\fR=\fIORGANIZATION_ID\fR
Organization ID on which to perform the analysis. Only policies defined at or
below this organization will be targeted in the analysis.
.TP 2m
\fB\-\-project\fR=\fIPROJECT_ID\fR
Project ID or number on which to perform the analysis. Only policies defined at
or below this project will be targeted in the analysis.
.RE
.sp
.TP 2m
The destination path for writing IAM policy analysis results.
Exactly one of these must be specified:
.RS 2m
.TP 2m
\fB\-\-gcs\-output\-path\fR=\fIGCS_OUTPUT_PATH\fR
Google Cloud Storage URI where the results will be written. URI must start with
"gs://". For example, "gs://bucket_name/object_name".
.TP 2m
BigQuery destination where the results will go.
.RS 2m
.TP 2m
\fB\-\-bigquery\-dataset\fR=\fIBIGQUERY_DATASET\fR
BigQuery dataset where the results will be written. Must be a dataset relative
name starting with "projects/". For example,
"projects/project_id/datasets/dataset_id".
This flag argument must be specified if any of the other arguments in this group
are specified.
.TP 2m
\fB\-\-bigquery\-table\-prefix\fR=\fIBIGQUERY_TABLE_PREFIX\fR
The prefix of the BigQuery tables to which the analysis results will be written.
A table name consists of letters, numbers and underscores".
This flag argument must be specified if any of the other arguments in this group
are specified.
.TP 2m
\fB\-\-bigquery\-partition\-key\fR=\fIBIGQUERY_PARTITION_KEY\fR
This enum determines the partition key column for the bigquery tables.
Partitioning can improve query performance and reduce query cost by filtering
partitions. Refer to https://cloud.google.com/bigquery/docs/partitioned\-tables
for details. \fIBIGQUERY_PARTITION_KEY\fR must be one of:
\fBPARTITION_KEY_UNSPECIFIED\fR, \fBREQUEST_TIME\fR.
.TP 2m
\fB\-\-bigquery\-write\-disposition\fR=\fIBIGQUERY_WRITE_DISPOSITION\fR
Specifies the action that occurs if the destination table or partition already
exists. The following values are supported: WRITE_TRUNCATE, WRITE_APPEND and
WRITE_EMPTY. The default value is WRITE_APPEND.
.RE
.RE
.RE
.sp
.SH "OPTIONAL FLAGS"
.RS 2m
.TP 2m
The hypothetical context to evaluate IAM conditions.
.RS 2m
.TP 2m
\fB\-\-access\-time\fR=\fIACCESS_TIME\fR
The hypothetical access timestamp to evaluate IAM conditions.
.RE
.sp
.TP 2m
Specifies a resource for analysis. Leaving it empty means ANY.
.RS 2m
.TP 2m
\fB\-\-full\-resource\-name\fR=\fIFULL_RESOURCE_NAME\fR
The full resource name.
.RE
.sp
.TP 2m
Specifies an identity for analysis. Leaving it empty means ANY.
.RS 2m
.TP 2m
\fB\-\-identity\fR=\fIIDENTITY\fR
The identity appearing in the form of principals in the IAM policy binding.
.RE
.sp
.TP 2m
The analysis options.
.RS 2m
.TP 2m
\fB\-\-analyze\-service\-account\-impersonation\fR
If true, the response will include access analysis from identities to resources
via service account impersonation. This is a very expensive operation, because
many derived queries will be executed. We highly recommend you use
AnalyzeIamPolicyLongrunning rpc instead. Default is false.
.TP 2m
\fB\-\-expand\-groups\fR
If true, the identities section of the result will expand any Google groups
appearing in an IAM policy binding. Default is false.
.TP 2m
\fB\-\-expand\-resources\fR
If true, the resource section of the result will expand any resource attached to
an IAM policy to include resources lower in the resource hierarchy. Default is
false.
.TP 2m
\fB\-\-expand\-roles\fR
If true, the access section of result will expand any roles appearing in IAM
policy bindings to include their permissions. Default is false.
.TP 2m
\fB\-\-output\-group\-edges\fR
If true, the result will output the relevant membership relationships between
groups. Default is false.
.TP 2m
\fB\-\-output\-resource\-edges\fR
If true, the result will output the relevant parent/child relationships between
resources. Default is false.
.RE
.sp
.TP 2m
Specifies roles or permissions for analysis. Leaving it empty means ANY.
.RS 2m
.TP 2m
\fB\-\-permissions\fR=[\fIPERMISSIONS\fR,...]
The permissions to appear in the result.
.TP 2m
\fB\-\-roles\fR=[\fIROLES\fR,...]
The roles to appear in the result.
.RE
.RE
.sp
.SH "GCLOUD WIDE FLAGS"
These flags are available to all commands: \-\-access\-token\-file, \-\-account,
\-\-billing\-project, \-\-configuration, \-\-flags\-file, \-\-flatten,
\-\-format, \-\-help, \-\-impersonate\-service\-account, \-\-log\-http,
\-\-project, \-\-quiet, \-\-trace\-token, \-\-user\-output\-enabled,
\-\-verbosity.
Run \fB$ gcloud help\fR for details.
.SH "NOTES"
These variants are also available:
.RS 2m
$ gcloud alpha asset analyze\-iam\-policy\-longrunning
.RE
.RS 2m
$ gcloud beta asset analyze\-iam\-policy\-longrunning
.RE