You can search for IAM allow policies on your resources in a project, folder, or organization, and filter the returned results using a query.
Before you begin
Enable the Cloud Asset Inventory API in the project you're running Cloud Asset Inventory commands from.
Make sure your account has the correct role to call the Cloud Asset Inventory API. For individual permissions for each call type, see Permissions.
Construct a query
Before constructing a query, it can be useful to start with a search request that doesn't specify a query. Use the fields and values from the full response to create a query using the search query syntax, and refine it until the results you want are returned.
Fields that can be used in a query are detailed in the
IamPolicySearchResult
reference documentation.
Keep in mind the following limitations when constructing a query:
The
policy
field is a nested object, so can only be used with the:
operator.Not all asset types are searchable. See Resource types to confirm if a service isn't available in the search APIs.
The following additional fields can also be used to restrict your results to certain principal types, permissions, or roles:
Field | Description |
---|---|
memberTypes |
Contains one of the following IAM principal types:
ExamplememberTypes=user |
policy.role.permissions |
Contains specific IAM permissions. Examplepolicy.role.permissions=storage.buckets.create |
roles |
Contains specific IAM roles. Exampleroles=roles/storage.objectAdmin |
Search for IAM allow policies
Before constructing a query, it can be useful to start with a search request that doesn't specify a query. Use the fields and values from the full response to create a query using the search query syntax, and refine it until the results you want are returned.
Console
To search for IAM allow policy metadata, complete the following steps.
-
Go to the Asset Inventory page in the Google Cloud console.
- Change to the project, folder, or organization you want to search.
- Click the IAM policy tab.
-
To search allow policies, enter a query in the Filter field. See Search query syntax to learn how to write a search query.
To make constructing queries easier, you can click the Filter field to display and add the available searchable fields to your query.
After performing a search, the allow policies matching the query are listed in the Results table. Double-click your query to edit it, or use the Filter results pane to apply quick Query presets or retrict the search results by specific criteria.
To view the query as a Google Cloud CLI command, click View query.
To export the results, click Download CSV.
gcloud
gcloud asset search-all-iam-policies \ --scope=SCOPE_PATH \ --query="QUERY" \ --asset-types=ASSET_TYPE_1,ASSET_TYPE_2,... \ --order-by="ORDER_BY"
Provide the following values:
-
SCOPE_PATH
: Use one of the following values:The allowed values are:
-
projects/PROJECT_ID
, wherePROJECT_ID
is the ID of the project that has assets with IAM allow policies you want to search for. -
projects/PROJECT_NUMBER
, wherePROJECT_NUMBER
is the number of the project that has assets with IAM allow policies you want to search for.How to find a Google Cloud project number
Google Cloud console
To find a Google Cloud project number, complete the following steps:
-
Go to the Welcome page in the Google Cloud console.
- Click the switcher list box in the menu bar.
-
Select your organization from the list box, and then search for your project name. The project name, project number, and project ID are shown near the Welcome heading.
Up to 4,000 resources are displayed. If you don't see the project you're looking for, go to the Manage resources page and filter the list using the name of that project.
gcloud CLI
You can retrieve a Google Cloud project number with the following command:
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
-
-
folders/FOLDER_ID
, whereFOLDER_ID
is the ID of the folder that has assets with IAM allow policies you want to search for.How to find the ID of a Google Cloud folder
Google Cloud console
To find the ID of a Google Cloud folder, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve the ID of a Google Cloud folder that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME is a partial or full string match for the folder's name. Remove the
--format
flag to see more information about the found folders.The previous command doesn't return the IDs of subfolders within folders. To do so, run the following command using a top level folder's ID:
gcloud resource-manager folders list --folder=FOLDER_ID
-
-
organizations/ORGANIZATION_ID
, whereORGANIZATION_ID
is the ID of the organization that has assets with IAM allow policies you want to search for.How to find the ID of a Google Cloud organization
Google Cloud console
To find the ID of a Google Cloud organization, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve the ID of a Google Cloud organization with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
-
-
QUERY
: Optional. The query expression. If not specified or empty, all resources are searched for in the specified scope. To learn how to write a search query, see Search query syntax. ASSET_TYPE_#
: Optional. A comma-separated list of searchable asset types. RE2-compatible regular expressions are supported. If the regular expression doesn't match any supported asset type, anINVALID_ARGUMENT
error is returned. When--asset-types
isn't specified, all asset types are returned.-
ORDER_BY
: Optional. A comma-separated list of fields specifying the sorting order of the results. The default order is ascending. AddDESC
after the field name to indicate descending order. See the reference documentation for what fields can be sorted.
You can use the --format
and
--flatten
flags to format the
gcloud CLI output.
See the gcloud CLI reference for all options.
Example
Run the following command to get a list of all the Compute Engine instances
(compute.googleapis.com/Instance
) in the my-project
project with an
IAM allow policy binding them to the user [email protected]
. The
results are in descending order by resource (resource DESC
).
gcloud asset search-all-iam-policies \ --scope=projects/my-project \ --query="policy:\"user:[email protected]\"" \ --asset-types=compute.googleapis.com/Instance \ --order-by="resource DESC"
Example response
--- assetType: compute.googleapis.com/Instance folders: - folders/0000000000000 organization: organizations/0000000000000 policy: bindings: - members: - user:[email protected] role: roles/compute.viewer - members: - user:[email protected] role: roles/editor - members: - user:[email protected] role: roles/owner project: projects/0000000000000 resource: //compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/debian
REST
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/SCOPE_PATH:searchAllIamPolicies
Request JSON body:
{ "query": "QUERY", "assetTypes": [ "ASSET_TYPE_1", "ASSET_TYPE_2", "..." ], "orderBy": "ORDER_BY", "pageSize": "PAGE_SIZE", "pageToken": "PAGE_TOKEN" }
Provide the following values:
-
SCOPE_PATH
: Use one of the following values:The allowed values are:
-
projects/PROJECT_ID
, wherePROJECT_ID
is the ID of the project that has assets with IAM allow policies you want to search for. -
projects/PROJECT_NUMBER
, wherePROJECT_NUMBER
is the number of the project that has assets with IAM allow policies you want to search for.How to find a Google Cloud project number
Google Cloud console
To find a Google Cloud project number, complete the following steps:
-
Go to the Welcome page in the Google Cloud console.
- Click the switcher list box in the menu bar.
-
Select your organization from the list box, and then search for your project name. The project name, project number, and project ID are shown near the Welcome heading.
Up to 4,000 resources are displayed. If you don't see the project you're looking for, go to the Manage resources page and filter the list using the name of that project.
gcloud CLI
You can retrieve a Google Cloud project number with the following command:
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
-
-
folders/FOLDER_ID
, whereFOLDER_ID
is the ID of the folder that has assets with IAM allow policies you want to search for.How to find the ID of a Google Cloud folder
Google Cloud console
To find the ID of a Google Cloud folder, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve the ID of a Google Cloud folder that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME is a partial or full string match for the folder's name. Remove the
--format
flag to see more information about the found folders.The previous command doesn't return the IDs of subfolders within folders. To do so, run the following command using a top level folder's ID:
gcloud resource-manager folders list --folder=FOLDER_ID
-
-
organizations/ORGANIZATION_ID
, whereORGANIZATION_ID
is the ID of the organization that has assets with IAM allow policies you want to search for.How to find the ID of a Google Cloud organization
Google Cloud console
To find the ID of a Google Cloud organization, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve the ID of a Google Cloud organization with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
-
-
QUERY
: Optional. The query expression. If not specified or empty, all resources are searched for in the specified scope. To learn how to write a search query, see Search query syntax. ASSET_TYPE_#
: Optional. An array of searchable asset types. RE2-compatible regular expressions are supported. If the regular expression doesn't match any supported asset type, anINVALID_ARGUMENT
error is returned. WhenassetTypes
isn't specified, all asset types are returned.-
ORDER_BY
: Optional. A comma-separated list of fields specifying the sorting order of the results. The default order is ascending. AddDESC
after the field name to indicate descending order. See the reference documentation for what fields can be sorted. -
PAGE_SIZE
: Optional. The number of results to return per page. The maximum is 500. If the value is set to0
or a negative value, an appropriate default is selected. AnextPageToken
is returned to retrieve subsequent results. -
PAGE_TOKEN
: Optional. Long request responses are separated over multiple pages. WhenpageToken
isn't specified, the first page is returned. Subsequent pages can be called by using the previous response'snextPageToken
as thepageToken
value.
See the REST reference for all options.
Command examples
Run one of the following commands to get a list of all the Compute Engine instances
(compute.googleapis.com/Instance
) in the my-project
project with an
IAM allow policy binding them to the user [email protected]
. The
results are in descending order by resource (resource DESC
).
curl (Linux, macOS, or Cloud Shell)
curl -X POST \ -H "X-HTTP-Method-Override: GET" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d '{ "query": "policy:\"user:[email protected]\"", "assetTypes": ["compute.googleapis.com/Instance"], "orderBy": "resource DESC" }' \ https://cloudasset.googleapis.com/v1/projects/my-project:searchAllIamPolicies
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-HTTP-Method-Override" = "GET"; "Authorization" = "Bearer $cred" } $body = @" { "query": "policy:\"user:[email protected]\"", "assetTypes": ["compute.googleapis.com/Instance"], "orderBy": "resource DESC" } "@ Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -Body $body ` -Uri "https://cloudasset.googleapis.com/v1/projects/my-project:searchAllIamPolicies" | Select-Object -Expand Content
Example response
{ "resource": "//compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/debian", "project": "projects/0000000000000", "policy": { "bindings": [ { "role": "roles/compute.viewer", "members": [ "user:[email protected]" ] }, { "role": "roles/editor", "members": [ "user:[email protected]" ] }, { "role": "roles/owner", "members": [ "user:[email protected]" ] } ] }, "assetType": "compute.googleapis.com/Instance", "folders": [ "folders/0000000000000" ], "organization": "organizations/0000000000000" }
C#
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Go
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Java
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Node.js
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
PHP
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Python
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Ruby
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Additional search examples
The following code samples show specific search queries for both gcloud and REST to help you to construct your own searches.
Resources with IAM allow policies
The following sample shows how to search for all resources with
IAM allow policies in the my-project
project.
gcloud
gcloud asset search-all-iam-policies \ --scope=projects/my-project \ --flatten="policy.bindings[].members[]" \ --format="table(resource, policy.bindings.role, policy.bindings.members)"
REST
HTTP method and URL:
GET https://cloudasset.googleapis.com/v1/projects/my-project:searchAllIamPolicies
Command examples
curl (Linux, macOS, or Cloud Shell)
curl -X GET \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ https://cloudasset.googleapis.com/v1/projects/my-project:searchAllIamPolicies
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method GET ` -Headers $headers ` -Uri "https://cloudasset.googleapis.com/v1/projects/my-project:searchAllIamPolicies" | Select-Object -Expand Content
Named resources with IAM allow policies
The following sample shows how to search for all resources with example
in
their name that have IAM allow policies.
gcloud
gcloud asset search-all-iam-policies \ --scope=projects/my-project \ --query="resource:example"
REST
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/projects/my-project:searchAllIamPolicies
Request JSON body:
{ "pageSize": 1, "query": "resource:example" }
Command examples
curl (Linux, macOS, or Cloud Shell)
curl -X POST \ -H "X-HTTP-Method-Override: GET" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d '{ "pageSize": 1, "query": "resource:example" }' \ https://cloudasset.googleapis.com/v1/projects/my-project:searchAllIamPolicies
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-HTTP-Method-Override" = "GET"; "Authorization" = "Bearer $cred" } $body = @" { "pageSize": 1, "query": "resource:example" } "@ Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -Body $body ` -Uri "https://cloudasset.googleapis.com/v1/projects/my-project:searchAllIamPolicies" | Select-Object -Expand Content
IAM allow policies on projects, folders, and organizations
The following sample shows how to search for all IAM allow
policies on all projects and folders in the organization with the ID
my-organization-id
.
How to find the ID of a Google Cloud organization
Google Cloud console
To find the ID of a Google Cloud organization, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve the ID of a Google Cloud organization with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
gcloud
gcloud asset search-all-iam-policies \ --scope=organizations/my-organization-id \ --asset-types=cloudresourcemanager.*
REST
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/organizations/my-organization-id:searchAllIamPolicies
Request JSON body:
{ "assetTypes": "cloudresourcemanager.*", "pageSize": 1, }
Command examples
curl (Linux, macOS, or Cloud Shell)
curl -X POST \ -H "X-HTTP-Method-Override: GET" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d '{ "assetTypes": "cloudresourcemanager.*", "pageSize": 1, }' \ https://cloudasset.googleapis.com/v1/organizations/my-organization-id:searchAllIamPolicies
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-HTTP-Method-Override" = "GET"; "Authorization" = "Bearer $cred" } $body = @" { "assetTypes": "cloudresourcemanager.*", "pageSize": 1, } "@ Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -Body $body ` -Uri "https://cloudasset.googleapis.com/v1/organizations/my-organization-id:searchAllIamPolicies" | Select-Object -Expand Content
Owners on a project
The following sample shows how to search for principals with the
Owner role (roles/owner
) on the project
my-project
.
This request only returns principals who have been granted the Owner role on the project. It doesn't include principals who inherit the Owner role through policy inheritance.
gcloud
gcloud asset search-all-iam-policies \ --scope=projects/my-project \ --query="roles:roles/owner" \ --asset-types=cloudresourcemanager.* \ --flatten="policy.bindings[].members[]" \ --format="table(policy.bindings.members)"
REST
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/projects/my-project:searchAllIamPolicies
Request JSON body:
{ "assetTypes": "cloudresourcemanager.*", "pageSize": 1, "query": "roles:roles/owner" }
Command examples
curl (Linux, macOS, or Cloud Shell)
curl -X POST \ -H "X-HTTP-Method-Override: GET" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d '{ "assetTypes": "cloudresourcemanager.*", "pageSize": 1, "query": "roles:roles/owner" }' \ https://cloudasset.googleapis.com/v1/projects/my-project:searchAllIamPolicies
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-HTTP-Method-Override" = "GET"; "Authorization" = "Bearer $cred" } $body = @" { "assetTypes": "cloudresourcemanager.*", "pageSize": 1, "query": "roles:roles/owner" } "@ Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -Body $body ` -Uri "https://cloudasset.googleapis.com/v1/projects/my-project:searchAllIamPolicies" | Select-Object -Expand Content
Projects where a principal has the owner role
The following sample shows how to search for projects where [email protected]
has the Owner role (roles/owner
), in
the organization with the ID my-organization-id
.
This request only returns the projects on which [email protected]
has been
granted the Owner role. It doesn't include projects that [email protected]
has
inherited the Owner role on.
How to find the ID of a Google Cloud organization
Google Cloud console
To find the ID of a Google Cloud organization, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve the ID of a Google Cloud organization with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
gcloud
gcloud asset search-all-iam-policies \ --scope=organizations/my-organization-id \ --query="policy:(roles/owner [email protected])" \ --asset-types=cloudresourcemanager.googleapis.com/Project \ --format="table(resource)"
REST
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/organizations/my-organization-id:searchAllIamPolicies
Request JSON body:
{ "assetTypes": "cloudresourcemanager.googleapis.com/Project", "pageSize": 1, "query": "policy:(roles/owner [email protected])" }
Command examples
curl (Linux, macOS, or Cloud Shell)
curl -X POST \ -H "X-HTTP-Method-Override: GET" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d '{ "assetTypes": "cloudresourcemanager.googleapis.com/Project", "pageSize": 1, "query": "policy:(roles/owner [email protected])" }' \ https://cloudasset.googleapis.com/v1/organizations/my-organization-id:searchAllIamPolicies
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-HTTP-Method-Override" = "GET"; "Authorization" = "Bearer $cred" } $body = @" { "assetTypes": "cloudresourcemanager.googleapis.com/Project", "pageSize": 1, "query": "policy:(roles/owner [email protected])" } "@ Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -Body $body ` -Uri "https://cloudasset.googleapis.com/v1/organizations/my-organization-id:searchAllIamPolicies" | Select-Object -Expand Content
Roles a principal has on a project
The following sample shows how to search for the roles [email protected]
has on
the my-project
project.
This request only returns the roles that [email protected]
is granted on the
project. It doesn't include roles that [email protected]
inherited through
policy inheritance.
gcloud
gcloud asset search-all-iam-policies \ --scope=projects/my-project \ --query="policy:[email protected]" \ --asset-types=cloudresourcemanager.googleapis.com/Project \ --flatten="policy.bindings[]" \ --format="table(policy.bindings.role)"
REST
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/projects/my-project:searchAllIamPolicies
Request JSON body:
{ "assetTypes": "cloudresourcemanager.googleapis.com/Project", "pageSize": 1, "query": "policy:[email protected]" }
Command examples
curl (Linux, macOS, or Cloud Shell)
curl -X POST \ -H "X-HTTP-Method-Override: GET" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d '{ "assetTypes": "cloudresourcemanager.googleapis.com/Project", "pageSize": 1, "query": "policy:[email protected]" }' \ https://cloudasset.googleapis.com/v1/projects/my-project:searchAllIamPolicies
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-HTTP-Method-Override" = "GET"; "Authorization" = "Bearer $cred" } $body = @" { "assetTypes": "cloudresourcemanager.googleapis.com/Project", "pageSize": 1, "query": "policy:[email protected]" } "@ Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -Body $body ` -Uri "https://cloudasset.googleapis.com/v1/projects/my-project:searchAllIamPolicies" | Select-Object -Expand Content
Permissions a principal has on a project
The following sample shows how to search for the permissions [email protected]
has on the my-project
project.
This request only returns the permissions that [email protected]
has on the
project. It doesn't include permissions that [email protected]
inherited
through policy inheritance.
gcloud
gcloud asset search-all-iam-policies \ --scope=projects/my-project \ --query="policy:[email protected] policy.role.permissions:\"\"" \ --asset-types=cloudresourcemanager.* \ --format="default(explanation.matchedPermissions)"
REST
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/projects/my-project:searchAllIamPolicies
Request JSON body:
{ "assetTypes": "cloudresourcemanager.*", "pageSize": 1, "query": "policy:[email protected] policy.role.permissions:\"\"" }
Command examples
curl (Linux, macOS, or Cloud Shell)
curl -X POST \ -H "X-HTTP-Method-Override: GET" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d '{ "assetTypes": "cloudresourcemanager.*", "pageSize": 1, "query": "policy:[email protected] policy.role.permissions:\"\"" }' \ https://cloudasset.googleapis.com/v1/projects/my-project:searchAllIamPolicies
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-HTTP-Method-Override" = "GET"; "Authorization" = "Bearer $cred" } $body = @" { "assetTypes": "cloudresourcemanager.*", "pageSize": 1, "query": "policy:[email protected] policy.role.permissions:\"\"" } "@ Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -Body $body ` -Uri "https://cloudasset.googleapis.com/v1/projects/my-project:searchAllIamPolicies" | Select-Object -Expand Content
Principals who can access Cloud Storage buckets
The following sample shows how to search for principals who can access
Cloud Storage buckets in the my-project
project.
gcloud
gcloud asset search-all-iam-policies \ --scope=projects/my-project \ --query="policy.role.permissions:storage.buckets" \ --asset-types=cloudresourcemanager.* \ --flatten="policy.bindings[].members[]" \ --format="table(policy.bindings.members)"
REST
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/projects/my-project:searchAllIamPolicies
Request JSON body:
{ "assetTypes": "cloudresourcemanager.*", "pageSize": 1, "query": "policy.role.permissions:storage.buckets" }
Command examples
curl (Linux, macOS, or Cloud Shell)
curl -X POST \ -H "X-HTTP-Method-Override: GET" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d '{ "assetTypes": "cloudresourcemanager.*", "pageSize": 1, "query": "policy.role.permissions:storage.buckets" }' \ https://cloudasset.googleapis.com/v1/projects/my-project:searchAllIamPolicies
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-HTTP-Method-Override" = "GET"; "Authorization" = "Bearer $cred" } $body = @" { "assetTypes": "cloudresourcemanager.*", "pageSize": 1, "query": "policy.role.permissions:storage.buckets" } "@ Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -Body $body ` -Uri "https://cloudasset.googleapis.com/v1/projects/my-project:searchAllIamPolicies" | Select-Object -Expand Content
Service accounts that have an owner role
The following sample shows how to search for service accounts with the
Owner role (roles/owner
) in the
organization with the my-organization-id
. You can use this query to help
reduce your risk profile.
How to find the ID of a Google Cloud organization
Google Cloud console
To find the ID of a Google Cloud organization, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve the ID of a Google Cloud organization with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
gcloud
This example makes use of the `grep` command, which is available in Cloud Shell and Unix-like operating systems.
gcloud asset search-all-iam-policies \ --scope=organizations/my-organization-id \ --query="policy:(roles/owner serviceAccount)" \ --flatten="policy.bindings[].members[]" \ --format="table(resource.segment(3):label=RESOURCE_TYPE, resource.basename():label=RESOURCE, policy.bindings.members)" | grep serviceAccount
REST
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/organizations/my-organization-id:searchAllIamPolicies
Request JSON body:
{ "pageSize": 1, "query": "policy:(roles/owner serviceAccount)" }
Command examples
curl (Linux, macOS, or Cloud Shell)
curl -X POST \ -H "X-HTTP-Method-Override: GET" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d '{ "pageSize": 1, "query": "policy:(roles/owner serviceAccount)" }' \ https://cloudasset.googleapis.com/v1/organizations/my-organization-id:searchAllIamPolicies
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-HTTP-Method-Override" = "GET"; "Authorization" = "Bearer $cred" } $body = @" { "pageSize": 1, "query": "policy:(roles/owner serviceAccount)" } "@ Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -Body $body ` -Uri "https://cloudasset.googleapis.com/v1/organizations/my-organization-id:searchAllIamPolicies" | Select-Object -Expand Content
Resources with roles granted to a domain
The following sample shows how to search for resources with roles granted to the
example.com
domain, in the organization with the ID my-organization-id
.
How to find the ID of a Google Cloud organization
Google Cloud console
To find the ID of a Google Cloud organization, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve the ID of a Google Cloud organization with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
gcloud
gcloud asset search-all-iam-policies \ --scope=organizations/my-organization-id \ --query="policy:\"domain:example.com\"" \ --flatten="policy.bindings[]" \ --format="table(resource, policy.bindings.role)"
REST
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/organizations/my-organization-id:searchAllIamPolicies
Request JSON body:
{ "pageSize": 1, "query": "policy:\"domain:DOMAIN_NAME\"" }
Command examples
curl (Linux, macOS, or Cloud Shell)
curl -X POST \ -H "X-HTTP-Method-Override: GET" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d '{ "pageSize": 1, "query": "policy:\"domain:DOMAIN_NAME\"" }' \ https://cloudasset.googleapis.com/v1/organizations/my-organization-id:searchAllIamPolicies
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-HTTP-Method-Override" = "GET"; "Authorization" = "Bearer $cred" } $body = @" { "pageSize": 1, "query": "policy:\"domain:DOMAIN_NAME\"" } "@ Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -Body $body ` -Uri "https://cloudasset.googleapis.com/v1/organizations/my-organization-id:searchAllIamPolicies" | Select-Object -Expand Content
Resources with roles granted to the public
The following sample shows how to search for resources with roles granted to the
the public, in the organization with the ID my-organization-id
.
How to find the ID of a Google Cloud organization
Google Cloud console
To find the ID of a Google Cloud organization, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve the ID of a Google Cloud organization with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
gcloud
gcloud asset search-all-iam-policies \ --scope=organizations/my-organization-id \ --query="memberTypes:(allUsers OR allAuthenticatedUsers)" \ --format="table(resource)"
REST
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/organizations/my-organization-id:searchAllIamPolicies
Request JSON body:
{ "pageSize": 1, "query": "memberTypes:(allUsers OR allAuthenticatedUsers)" }
Command examples
curl (Linux, macOS, or Cloud Shell)
curl -X POST \ -H "X-HTTP-Method-Override: GET" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d '{ "pageSize": 1, "query": "memberTypes:(allUsers OR allAuthenticatedUsers)" }' \ https://cloudasset.googleapis.com/v1/organizations/my-organization-id:searchAllIamPolicies
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-HTTP-Method-Override" = "GET"; "Authorization" = "Bearer $cred" } $body = @" { "pageSize": 1, "query": "memberTypes:(allUsers OR allAuthenticatedUsers)" } "@ Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -Body $body ` -Uri "https://cloudasset.googleapis.com/v1/organizations/my-organization-id:searchAllIamPolicies" | Select-Object -Expand Content
Principals who can change IAM allow policies in an organization
The following sample shows how to search for principals who can change
IAM allow policies in the organization with the ID
my-organization-id
.
How to find the ID of a Google Cloud organization
Google Cloud console
To find the ID of a Google Cloud organization, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve the ID of a Google Cloud organization with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
gcloud
gcloud asset search-all-iam-policies \ --scope=organizations/my-organization-id \ --query="policy.role.permissions:(resourcemanager.organizations.setIamPolicy OR resourcemanager.folders.setIamPolicy OR resourcemanager.projects.setIamPolicy)" \ --format="json(resource, policy.bindings, explanation.matchedPermissions)"
REST
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/organizations/my-organization-id:searchAllIamPolicies
Request JSON body:
{ "pageSize": 1, "query": "policy.role.permissions:(resourcemanager.organizations.setIamPolicy OR resourcemanager.folders.setIamPolicy OR resourcemanager.projects.setIamPolicy)" }
Command examples
curl (Linux, macOS, or Cloud Shell)
curl -X POST \ -H "X-HTTP-Method-Override: GET" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d '{ "pageSize": 1, "query": "policy.role.permissions:(resourcemanager.organizations.setIamPolicy OR resourcemanager.folders.setIamPolicy OR resourcemanager.projects.setIamPolicy)" }' \ https://cloudasset.googleapis.com/v1/organizations/my-organization-id:searchAllIamPolicies
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-HTTP-Method-Override" = "GET"; "Authorization" = "Bearer $cred" } $body = @" { "pageSize": 1, "query": "policy.role.permissions:(resourcemanager.organizations.setIamPolicy OR resourcemanager.folders.setIamPolicy OR resourcemanager.projects.setIamPolicy)" } "@ Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -Body $body ` -Uri "https://cloudasset.googleapis.com/v1/organizations/my-organization-id:searchAllIamPolicies" | Select-Object -Expand Content