HEX
Server: Apache/2.4.65 (Ubuntu)
System: Linux ielts-store-v2 6.8.0-1036-gcp #38~22.04.1-Ubuntu SMP Thu Aug 14 01:19:18 UTC 2025 x86_64
User: root (0)
PHP: 7.2.34-54+ubuntu20.04.1+deb.sury.org+1
Disabled: pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
$ pwd: /snap/google-cloud-cli/current/help/man/man1/
Upload Files
File: //snap/google-cloud-cli/current/help/man/man1/gcloud_asset_search-all-iam-policies.1
.TH "GCLOUD_ASSET_SEARCH\-ALL\-IAM\-POLICIES" 1



.SH "NAME"
.HP
gcloud asset search\-all\-iam\-policies \- searches all IAM policies within the specified accessible scope, such as a project, folder or organization



.SH "SYNOPSIS"
.HP
\f5gcloud asset search\-all\-iam\-policies\fR [\fB\-\-asset\-types\fR=[\fIASSET_TYPES\fR,...]] [\fB\-\-order\-by\fR=\fIORDER_BY\fR] [\fB\-\-query\fR=\fIQUERY\fR] [\fB\-\-scope\fR=\fISCOPE\fR] [\fB\-\-filter\fR=\fIEXPRESSION\fR] [\fB\-\-limit\fR=\fILIMIT\fR] [\fB\-\-page\-size\fR=\fIPAGE_SIZE\fR] [\fB\-\-sort\-by\fR=[\fIFIELD\fR,...]] [\fIGCLOUD_WIDE_FLAG\ ...\fR]



.SH "DESCRIPTION"

Searches all IAM policies within the specified scope, such as a project, folder
or organization. The caller must be granted the
\f5\fIcloudasset.assets.searchAllIamPolicies\fR\fR permission on the desired
scope.

Note: The query is compared against each IAM policy binding, including its
principals, roles and conditions. The returned IAM policies, will only contain
the bindings that match your query. To learn more about the IAM policy
structure, see the IAM policy documentation
(https://cloud.google.com/iam/help/allow\-policies/structure).



.SH "EXAMPLES"

To search all the IAM policies that specify \f5\fIamy@mycompany.com\fR\fR within
\f5\fIorganizations/123456\fR\fR, ensure the caller has been granted the
\f5\fIcloudasset.assets.searchAllIamPolicies\fR\fR permission on the
organization and run:

.RS 2m
$ gcloud asset search\-all\-iam\-policies \e
    \-\-scope='organizations/123456' \e
    \-\-query='policy:amy@mycompany.com'
.RE



.SH "FLAGS"

.RS 2m
.TP 2m
\fB\-\-asset\-types\fR=[\fIASSET_TYPES\fR,...]

List of asset types that the IAM policies are attached to. If empty, it will
search the IAM policies that are attached to all the searchable asset types
(https://cloud.google.com/asset\-inventory/docs/supported\-asset\-types).

Regular expressions are also supported. For example:

.RS 2m
.IP "\(em" 2m
\f5\fIcompute.googleapis.com.*\fR\fR snapshots IAM policies attached to asset
type starts with \f5\fIcompute.googleapis.com\fR\fR.
.IP "\(em" 2m
\f5\fI.*Instance\fR\fR snapshots IAM policies attached to asset type ends with
\f5\fIInstance\fR\fR.
.IP "\(em" 2m
\f5\fI.*Instance.*\fR\fR snapshots IAM policies attached to asset type contains
\f5\fIInstance\fR\fR.
.RE
.sp

See RE2 (https://github.com/google/re2/wiki/Syntax) for all supported regular
expression syntax. If the regular expression does not match any supported asset
type, an \f5\fIINVALID_ARGUMENT\fR\fR error will be returned.

.TP 2m
\fB\-\-order\-by\fR=\fIORDER_BY\fR

Comma\-separated list of fields specifying the sorting order of the results. The
default order is ascending. Add \f5\fI DESC\fR\fR after the field name to
indicate descending order. Redundant space characters are ignored. Example:
\f5\fIassetType DESC, resource\fR\fR. Only singular primitive fields in the
response are sortable:

.RS 2m
.IP "\(em" 2m
\f5resource\fR
.IP "\(em" 2m
\f5assetType\fR
.IP "\(em" 2m
\f5project\fR
.RE
.sp

All the other fields such as repeated fields (e.g., \f5folders\fR) and
non\-primitive fields (e.g., \f5policy\fR) are not supported.

Both \f5\-\-order\-by\fR and \f5\-\-sort\-by\fR flags can be used to sort the
output, with the following differences:

.RS 2m
.IP "\(em" 2m
The \f5\-\-order\-by\fR flag performs server\-side sorting (better performance),
while the \f5\-\-sort\-by\fR flag performs client\-side sorting.
.IP "\(em" 2m
The \f5\-\-sort\-by\fR flag supports all the fields in the output, while the
\f5\-\-order\-by\fR flag only supports limited fields as shown above.
.RE
.sp

.TP 2m
\fB\-\-query\fR=\fIQUERY\fR

Query statement. See how to construct a query
(https://cloud.google.com/asset\-inventory/docs/searching\-iam\-policies#how_to_construct_a_query)
for more information. If not specified or empty, it will search all the IAM
policies within the specified \f5scope\fR. Note that the query string is
compared against each Cloud IAM policy binding, including its principals, roles,
and Cloud IAM conditions. The returned Cloud IAM policies will only contain the
bindings that match your query. To learn more about the IAM policy structure,
see the IAM policy documentation
(https://cloud.google.com/iam/help/allow\-policies/structure).

Examples:

.RS 2m
.IP "\(em" 2m
\f5policy:amy@gmail.com\fR to find IAM policy bindings that specify user
\f5\fIamy@gmail.com\fR\fR.
.IP "\(em" 2m
\f5policy:roles/compute.admin\fR to find IAM policy bindings that specify the
Compute Admin role.
.IP "\(em" 2m
\f5policy:comp*\fR to find IAM policy bindings that contain \f5\fIcomp\fR\fR as
a prefix of any word in the binding.
.IP "\(em" 2m
\f5policy.role.permissions:storage.buckets.update\fR to find IAM policy bindings
that specify a role containing the \f5\fIstorage.buckets.update\fR\fR
permission. Note that if callers haven't been granted the
\f5\fIiam.roles.get\fR\fR permission for a role's included permissions, policy
bindings that specify this role will be dropped from the search results.
.IP "\(em" 2m
\f5policy.role.permissions:upd*\fR to find IAM policy bindings that specify a
role containing \f5\fIupd\fR\fR as a prefix of any word in the role permission.
Note that if callers haven't been granted the \f5\fIiam.roles.get\fR\fR
permission for a role's included permissions, policy bindings that specify this
role will be dropped from the search results.
.IP "\(em" 2m
\f5resource:organizations/123456\fR to find IAM policy bindings that are set on
\f5\fIorganizations/123456\fR\fR.
.IP "\(em" 2m
\f5resource=//cloudresourcemanager.googleapis.com/projects/myproject\fR to find
IAM policy bindings that are set on the project named \f5\fImyproject\fR\fR.
.IP "\(em" 2m
\f5Important\fR to find IAM policy bindings that contain \f5\fIImportant\fR\fR
as a word in any of the searchable fields (except for the included permissions).
.IP "\(em" 2m
\f5resource:(instance1 OR instance2) policy:amy\fR to find IAM policy bindings
that are set on resources \f5\fIinstance1\fR\fR or \f5\fIinstance2\fR\fR and
also specify user \f5\fIamy\fR\fR.
.IP "\(em" 2m
\f5roles:roles/compute.admin\fR to find IAM policy bindings that specify the
Compute Admin role.
.IP "\(em" 2m
\f5memberTypes:user\fR to find IAM policy bindings that contain the
\f5\fIuser\fR\fR principal type.
.RE
.sp

.TP 2m
\fB\-\-scope\fR=\fISCOPE\fR

Scope can be a project, a folder, or an organization. The search is limited to
the IAM policies within this scope. The caller must be granted the
\f5\fIcloudasset.assets.searchAllIamPolicies\fR\fR permission on the desired
scope. If not specified, the configured project property
(https://cloud.google.com//sdk/docs/configurations#setting_configuration_properties)
will be used. To find the configured project, run: \f5gcloud config get
project\fR. To change the setting, run: \f5gcloud config set project
PROJECT_ID\fR.

The allowed values are:

.RS 2m
.IP "\(em" 2m
\f5projects/{PROJECT_ID}\fR (e.g. \f5\fIprojects/foo\-bar\fR\fR)
.IP "\(em" 2m
\f5projects/{PROJECT_NUMBER}\fR (e.g. \f5\fIprojects/12345678\fR\fR)
.IP "\(em" 2m
\f5folders/{FOLDER_NUMBER}\fR (e.g. \f5\fIfolders/1234567\fR\fR)
.IP "\(em" 2m
\f5organizations/{ORGANIZATION_NUMBER}\fR (e.g.
\f5\fIorganizations/123456\fR\fR)
.RE
.sp


.RE
.sp

.SH "LIST COMMAND FLAGS"

.RS 2m
.TP 2m
\fB\-\-filter\fR=\fIEXPRESSION\fR

Apply a Boolean filter \fIEXPRESSION\fR to each resource item to be listed. If
the expression evaluates \f5True\fR, then that item is listed. For more details
and examples of filter expressions, run $ gcloud topic filters. This flag
interacts with other flags that are applied in this order: \fB\-\-flatten\fR,
\fB\-\-sort\-by\fR, \fB\-\-filter\fR, \fB\-\-limit\fR.

.TP 2m
\fB\-\-limit\fR=\fILIMIT\fR

Maximum number of resources to list. The default is \fBunlimited\fR. This flag
interacts with other flags that are applied in this order: \fB\-\-flatten\fR,
\fB\-\-sort\-by\fR, \fB\-\-filter\fR, \fB\-\-limit\fR.

.TP 2m
\fB\-\-page\-size\fR=\fIPAGE_SIZE\fR

Some services group resource list output into pages. This flag specifies the
maximum number of resources per page. The default is determined by the service
if it supports paging, otherwise it is \fBunlimited\fR (no paging). Paging may
be applied before or after \fB\-\-filter\fR and \fB\-\-limit\fR depending on the
service.

.TP 2m
\fB\-\-sort\-by\fR=[\fIFIELD\fR,...]

Comma\-separated list of resource field key names to sort by. The default order
is ascending. Prefix a field with ``~'' for descending order on that field. This
flag interacts with other flags that are applied in this order:
\fB\-\-flatten\fR, \fB\-\-sort\-by\fR, \fB\-\-filter\fR, \fB\-\-limit\fR.


.RE
.sp

.SH "GCLOUD WIDE FLAGS"

These flags are available to all commands: \-\-access\-token\-file, \-\-account,
\-\-billing\-project, \-\-configuration, \-\-flags\-file, \-\-flatten,
\-\-format, \-\-help, \-\-impersonate\-service\-account, \-\-log\-http,
\-\-project, \-\-quiet, \-\-trace\-token, \-\-user\-output\-enabled,
\-\-verbosity.

Run \fB$ gcloud help\fR for details.



.SH "NOTES"

This variant is also available:

.RS 2m
$ gcloud beta asset search\-all\-iam\-policies
.RE
@ Telegram