.TH "GCLOUD_POLICY\-INTELLIGENCE_TROUBLESHOOT\-POLICY_IAM" 1



.SH "NAME"
.HP
gcloud policy\-intelligence troubleshoot\-policy iam \- troubleshoot IAM allow and deny policies



.SH "SYNOPSIS"
.HP
\f5gcloud policy\-intelligence troubleshoot\-policy iam\fR \fIRESOURCE\fR \fB\-\-permission\fR=\fIPERMISSION\fR \fB\-\-principal\-email\fR=\fIEMAIL\fR [\fB\-\-destination\-ip\fR=\fIDESTINATION_IP\fR] [\fB\-\-destination\-port\fR=\fIDESTINATION_PORT\fR] [\fB\-\-request\-time\fR=\fIREQUEST_TIME\fR] [\fB\-\-resource\-name\fR=\fIRESOURCE_NAME\fR] [\fB\-\-resource\-service\fR=\fIRESOURCE_SERVICE\fR] [\fB\-\-resource\-type\fR=\fIRESOURCE_TYPE\fR] [\fIGCLOUD_WIDE_FLAG\ ...\fR]



.SH "DESCRIPTION"

Uses a resource's effective IAM allow policy and IAM deny policy to check
whether a principal has a specific permission on the resource.



.SH "EXAMPLES"

The following command checks whether the principal
\f5\fImy\-user@example.com\fR\fR has the permission
\f5\fIresourcemanager.projects.get\fR\fR on the project \f5\fImy\-project\fR\fR:

.RS 2m
$ gcloud policy\-intelligence troubleshoot\-policy iam \e
    //cloudresourcemanager.googleapis.com/projects/my\-project \e
    \-\-principal\-email=my\-user@example.com \e
    \-\-permission=resourcemanager.projects.get
.RE

The following command checks whether the principal
\f5\fImy\-user@example.com\fR\fR has the \f5\fIcompute.images.get\fR\fR
permission on the project \f5\fImy\-project\fR\fR. The command also provides
additional context that lets Troubleshooter evaluate conditional role bindings:

.RS 2m
$ gcloud policy\-intelligence troubleshoot\-policy iam \e
    //cloudresourcemanager.googleapis.com/projects/my\-project \e
    \-\-principal\-email=my\-user@example.com \e
    \-\-permission=compute.images.get \e
    \-\-resource\-name=//compute.googleapis.com/projects/my\-project/\e
zones/images/my\-image \e
    \-\-resource\-service='compute.googleapis.com' \e
    \-\-resource\-type='compute.googleapis.com/Image' \e
    \-\-destination\-ip='192.2.2.2' \-\-destination\-port=8080 \e
    \-\-request\-time='2023\-01\-01T00:00:00Z'
.RE
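
An added example, not part of the gcloud man page: a POSIX shell wrapper for an access review that checks one principal against several permissions using only the flags documented here, rejecting a malformed RESOURCE or \-\-request\-time before any call is made. GCLOUD_BIN and the function names are assumptions of this example; set GCLOUD_BIN=echo to print the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the gcloud man page).
# GCLOUD_BIN is an assumption of this example: it defaults to the real CLI,
# and GCLOUD_BIN=echo gives an offline dry run that prints each command.
GCLOUD_BIN="${GCLOUD_BIN:-gcloud}"

# --request-time: accept only the UTC "Z" form of RFC 3339 that the man page
# uses in its examples (e.g. 2023-01-01T00:00:00Z); numeric offsets are rejected.
valid_request_time() {
  printf '%s\n' "$1" | grep -Eq \
    '^[0-9]{4}-(0[1-9]|1[0-2])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9](\.[0-9]+)?Z$'
}

# RESOURCE: a full resource name has the shape "//<service host>/<path>".
valid_full_resource() {
  printf '%s\n' "$1" | grep -Eq '^//[^/]+/.+$'
}

# troubleshoot_all RESOURCE EMAIL REQUEST_TIME PERMISSION...
# Runs one troubleshoot-policy call per permission.
# Returns 2 on rejected input, 1 if any call failed, 0 otherwise.
troubleshoot_all() {
  resource=$1 email=$2 when=$3
  shift 3
  valid_full_resource "$resource" || { echo "bad RESOURCE: $resource" >&2; return 2; }
  valid_request_time "$when" || { echo "bad --request-time: $when" >&2; return 2; }
  # Syntactic check only; the service decides whether the account type is supported.
  case $email in
    *?@?*) ;;
    *) echo "bad --principal-email: $email" >&2; return 2 ;;
  esac
  rc=0
  for perm in "$@"; do
    "$GCLOUD_BIN" policy-intelligence troubleshoot-policy iam "$resource" \
      --principal-email="$email" \
      --permission="$perm" \
      --request-time="$when" || rc=1
  done
  return "$rc"
}
```

Pinning \-\-request\-time to one value for the whole run keeps time-based conditional bindings evaluated at the same instant for every permission, so the results are comparable.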



.SH "POSITIONAL ARGUMENTS"

.RS 2m
.TP 2m
\fIRESOURCE\fR

Full resource name that access is checked against. For a list of full resource
name formats, see: https://cloud.google.com/iam/docs/resource\-names.


.RE
.sp

.SH "REQUIRED FLAGS"

.RS 2m
.TP 2m
\fB\-\-permission\fR=\fIPERMISSION\fR

IAM permission to check. The permission can be in the \f5v1\fR or \f5v2\fR
format. For example, \f5resourcemanager.projects.get\fR or
\f5cloudresourcemanager.googleapis.com/projects.get\fR. For a list of
permissions, see https://cloud.google.com/iam/docs/permissions\-reference and
https://cloud.google.com/iam/docs/deny\-permissions\-support

.TP 2m
\fB\-\-principal\-email\fR=\fIEMAIL\fR

Email address that identifies the principal to check. Only Google Accounts and
service accounts are supported.


.RE
.sp

.SH "OPTIONAL FLAGS"

.RS 2m
.TP 2m
\fB\-\-destination\-ip\fR=\fIDESTINATION_IP\fR

The request destination IP address to use when checking conditional bindings.
For example, \f5198.1.1.1\fR.

.TP 2m
\fB\-\-destination\-port\fR=\fIDESTINATION_PORT\fR

The request destination port to use when checking conditional bindings. For
example, 8080.

.TP 2m
\fB\-\-request\-time\fR=\fIREQUEST_TIME\fR

The request timestamp to use when checking conditional bindings. This string
must adhere to UTC format (RFC 3339). For example, 2021\-01\-01T00:00:00Z. For
more information, see: https://tools.ietf.org/html/rfc3339

.TP 2m
\fB\-\-resource\-name\fR=\fIRESOURCE_NAME\fR

The resource name value to use when checking conditional bindings. For accepted
values, see:
https://cloud.google.com/iam/docs/conditions\-resource\-attributes#resource\-name.

.TP 2m
\fB\-\-resource\-service\fR=\fIRESOURCE_SERVICE\fR

The resource service value to use when checking conditional bindings. For
accepted values, see:
https://cloud.google.com/iam/docs/conditions\-resource\-attributes#resource\-service

.TP 2m
\fB\-\-resource\-type\fR=\fIRESOURCE_TYPE\fR

The resource type value to use when checking conditional bindings. For accepted
values, see:
https://cloud.google.com/iam/docs/conditions\-resource\-attributes#resource\-type


.RE
.sp

.SH "GCLOUD WIDE FLAGS"

These flags are available to all commands: \-\-access\-token\-file, \-\-account,
\-\-billing\-project, \-\-configuration, \-\-flags\-file, \-\-flatten,
\-\-format, \-\-help, \-\-impersonate\-service\-account, \-\-log\-http,
\-\-project, \-\-quiet, \-\-trace\-token, \-\-user\-output\-enabled,
\-\-verbosity.

Run \fB$ gcloud help\fR for details.