- NAME
-
- gcloud beta asset search-all-iam-policies - searches all IAM policies within the specified accessible scope, such as a project, folder or organization
- SYNOPSIS
-
-
gcloud beta asset search-all-iam-policies
[--query
=QUERY
] [--scope
=SCOPE
] [--filter
=EXPRESSION
] [--limit
=LIMIT
] [--page-size
=PAGE_SIZE
] [--sort-by
=[FIELD
,…]] [GCLOUD_WIDE_FLAG …
]
-
- DESCRIPTION
-
(BETA)
Searches all IAM policies within the specified scope, such as a project, folder or organization. The caller must be granted the
permission on the desired scope.cloudasset.assets.searchAllIamPolicies
Note: The query is compared against each IAM policy binding, including its principals, roles and conditions. The returned IAM policies, will only contain the bindings that match your query. To learn more about the IAM policy structure, see the IAM policy documentation.
- EXAMPLES
-
To search all the IAM policies that specify
withinamy@mycompany.com
, ensure the caller has been granted theorganizations/123456
permission on the organization and run:cloudasset.assets.searchAllIamPolicies
gcloud beta asset search-all-iam-policies --scope='organizations/123456' --query='policy:amy@mycompany.com'
- FLAGS
-
--query
=QUERY
-
Query statement. See how
to construct a query for more information. If not specified or empty, it
will search all the IAM policies within the specified
scope
. Note that the query string is compared against each Cloud IAM policy binding, including its principals, roles, and Cloud IAM conditions. The returned Cloud IAM policies will only contain the bindings that match your query. To learn more about the IAM policy structure, see the IAM policy documentation.Examples:
-
policy:amy@gmail.com
to find IAM policy bindings that specify user
.amy@gmail.com
-
policy:roles/compute.admin
to find IAM policy bindings that specify the Compute Admin role. -
policy:comp*
to find IAM policy bindings that contain
as a prefix of any word in the binding.comp
-
policy.role.permissions:storage.buckets.update
to find IAM policy bindings that specify a role containing the
permission. Note that if callers haven't been granted thestorage.buckets.update
permission for a role's included permissions, policy bindings that specify this role will be dropped from the search results.iam.roles.get
-
policy.role.permissions:upd*
to find IAM policy bindings that specify a role containing
as a prefix of any word in the role permission. Note that if callers haven't been granted theupd
permission for a role's included permissions, policy bindings that specify this role will be dropped from the search results.iam.roles.get
-
resource:organizations/123456
to find IAM policy bindings that are set on
.organizations/123456
-
resource=//cloudresourcemanager.googleapis.com/projects/myproject
to find IAM policy bindings that are set on the project named
.myproject
-
Important
to find IAM policy bindings that contain
as a word in any of the searchable fields (except for the included permissions).Important
-
resource:(instance1 OR instance2) policy:amy
to find IAM policy bindings that are set on resources
orinstance1
and also specify userinstance2
.amy
-
roles:roles/compute.admin
to find IAM policy bindings that specify the Compute Admin role. -
memberTypes:user
to find IAM policy bindings that contain the
principal type.user
-
--scope
=SCOPE
-
Scope can be a project, a folder, or an organization. The search is limited to
the IAM policies within this scope. The caller must be granted the
permission on the desired scope. If not specified, the configured project property will be used. To find the configured project, run:cloudasset.assets.searchAllIamPolicies
gcloud config get project
. To change the setting, run:gcloud config set project PROJECT_ID
.The allowed values are:
-
projects/{PROJECT_ID}
(e.g.
)projects/foo-bar
-
projects/{PROJECT_NUMBER}
(e.g.
)projects/12345678
-
folders/{FOLDER_NUMBER}
(e.g.
)folders/1234567
-
organizations/{ORGANIZATION_NUMBER}
(e.g.
)organizations/123456
-
- LIST COMMAND FLAGS
-
--filter
=EXPRESSION
-
Apply a Boolean filter
EXPRESSION
to each resource item to be listed. If the expression evaluatesTrue
, then that item is listed. For more details and examples of filter expressions, run $ gcloud topic filters. This flag interacts with other flags that are applied in this order:--flatten
,--sort-by
,--filter
,--limit
. --limit
=LIMIT
-
Maximum number of resources to list. The default is
unlimited
. This flag interacts with other flags that are applied in this order:--flatten
,--sort-by
,--filter
,--limit
. --page-size
=PAGE_SIZE
-
Some services group resource list output into pages. This flag specifies the
maximum number of resources per page. The default is determined by the service
if it supports paging, otherwise it is
unlimited
(no paging). Paging may be applied before or after--filter
and--limit
depending on the service. --sort-by
=[FIELD
,…]-
Comma-separated list of resource field key names to sort by. The default order
is ascending. Prefix a field with ``~´´ for descending order on that
field. This flag interacts with other flags that are applied in this order:
--flatten
,--sort-by
,--filter
,--limit
.
- GCLOUD WIDE FLAGS
-
These flags are available to all commands:
--access-token-file
,--account
,--billing-project
,--configuration
,--flags-file
,--flatten
,--format
,--help
,--impersonate-service-account
,--log-http
,--project
,--quiet
,--trace-token
,--user-output-enabled
,--verbosity
.Run
$ gcloud help
for details. - NOTES
-
This command is currently in beta and might change without notice. This variant
is also available:
gcloud asset search-all-iam-policies
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-02-06 UTC.