<!doctype html> <html lang="en" dir="ltr"> <head> <!-- Document head for the Policy Analyzer docs page: sign-in metadata, social meta tags, resource hints, stylesheets and JSON-LD structured data. --> <meta name="google-signin-client-id" content="721724668570-nbkv1cfusk7kk4eni4pjvepaus73b13t.apps.googleusercontent.com"> <!-- NOTE(review): the sign-in scope list below includes cloud-platform and webhistory alongside profile/email and the developer-profile scopes; confirm that a documentation page needs scopes this broad rather than a narrower set (least privilege). --> <meta name="google-signin-scope" content="profile email https://www.googleapis.com/auth/developerprofiles https://www.googleapis.com/auth/developerprofiles.award https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/webhistory"> <meta property="og:site_name" content="Google Cloud"> <meta property="og:type" content="website"><meta name="theme-color" content="#039be5"><!-- charset is declared after five other meta tags; convention is to put it first in head, though it still appears to fall within the first 1024 bytes here. --><meta charset="utf-8"> <!-- Legacy Internet Explorer rendering hint. --> <meta content="IE=Edge" http-equiv="X-UA-Compatible"> <meta name="viewport" content="width=device-width, initial-scale=1"> <!-- PWA manifest is fetched with credentials (crossorigin="use-credentials"). --> <link rel="manifest" href="/_pwa/cloud/manifest.json" crossorigin="use-credentials"> <!-- Preconnect hints and the two font stylesheets use protocol-relative URLs (//host); an explicit https: scheme is the more robust choice. --> <link rel="preconnect" href="//www.gstatic.com" crossorigin> <link rel="preconnect" href="//fonts.gstatic.com" crossorigin> <link rel="preconnect" href="//fonts.googleapis.com" crossorigin> <link rel="preconnect" href="//apis.google.com" crossorigin> <link rel="preconnect" href="//www.google-analytics.com" crossorigin><link rel="stylesheet" href="//fonts.googleapis.com/css?family=Google+Sans:400,500,700|Google+Sans+Text:400,400italic,500,500italic,700,700italic|Roboto:400,400italic,500,500italic,700,700italic|Roboto+Mono:400,500,700&display=swap"> <link rel="stylesheet" href="//fonts.googleapis.com/css2?family=Material+Icons&family=Material+Symbols+Outlined&display=block"><!-- NOTE(review): the CDN stylesheet below carries no integrity attribute; its path is content-versioned on a Google-owned origin, so SRI may be deliberately omitted, but confirm. --><link rel="stylesheet" href="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/cloud/css/app.css"> <link rel="shortcut icon" href="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/cloud/images/favicons/onecloud/favicon.ico"> <link rel="apple-touch-icon" 
href="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/cloud/images/favicons/onecloud/super_cloud.png"><link rel="canonical" href="https://cloud.google.com/policy-intelligence/docs/analyze-iam-policies"><link rel="search" type="application/opensearchdescription+xml" title="Google Cloud" href="https://cloud.google.com/s/opensearch.xml"> <!-- Language alternates for the same page; the trailing slash on these void link elements is ignored by the parser. --> <link rel="alternate" hreflang="en" href="https://cloud.google.com/policy-intelligence/docs/analyze-iam-policies" /><link rel="alternate" hreflang="x-default" href="https://cloud.google.com/policy-intelligence/docs/analyze-iam-policies" /><link rel="alternate" hreflang="zh-Hans" href="https://cloud.google.com/policy-intelligence/docs/analyze-iam-policies?hl=zh-cn" /><link rel="alternate" hreflang="fr" href="https://cloud.google.com/policy-intelligence/docs/analyze-iam-policies?hl=fr" /><link rel="alternate" hreflang="de" href="https://cloud.google.com/policy-intelligence/docs/analyze-iam-policies?hl=de" /><link rel="alternate" hreflang="id" href="https://cloud.google.com/policy-intelligence/docs/analyze-iam-policies?hl=id" /><link rel="alternate" hreflang="it" href="https://cloud.google.com/policy-intelligence/docs/analyze-iam-policies?hl=it" /><link rel="alternate" hreflang="ja" href="https://cloud.google.com/policy-intelligence/docs/analyze-iam-policies?hl=ja" /><link rel="alternate" hreflang="ko" href="https://cloud.google.com/policy-intelligence/docs/analyze-iam-policies?hl=ko" /><link rel="alternate" hreflang="pt-BR" href="https://cloud.google.com/policy-intelligence/docs/analyze-iam-policies?hl=pt-br" /><link rel="alternate" hreflang="es-419" href="https://cloud.google.com/policy-intelligence/docs/analyze-iam-policies?hl=es-419" /><title>Analyze allow policies | Policy Intelligence | Google Cloud</title> <meta property="og:title" content="Analyze allow policies | Policy Intelligence | Google Cloud"><meta name="description" content="Instructions for using Policy 
Analyzer to find out which principals have what access to which Google Cloud resources."> <meta property="og:description" content="Instructions for using Policy Analyzer to find out which principals have what access to which Google Cloud resources."><meta property="og:url" content="https://cloud.google.com/policy-intelligence/docs/analyze-iam-policies"><meta property="og:image" content="https://cloud.google.com/_static/cloud/images/social-icon-google-cloud-1200-630.png"> <meta property="og:image:width" content="1200"> <meta property="og:image:height" content="630"><meta property="og:locale" content="en"><meta name="twitter:card" content="summary_large_image"><!-- JSON-LD structured data (Article and BreadcrumbList); the application/ld+json type is inert data and is not executed as script. --><script type="application/ld+json"> { "@context": "https://schema.org", "@type": "Article", "headline": "Analyze allow policies" } </script><script type="application/ld+json"> { "@context": "https://schema.org", "@type": "BreadcrumbList", "itemListElement": [{ "@type": "ListItem", "position": 1, "name": "Policy Intelligence", "item": "https://cloud.google.com/policy-intelligence" },{ "@type": "ListItem", "position": 2, "name": "Documentation", "item": "https://cloud.google.com/policy-intelligence/docs" },{ "@type": "ListItem", "position": 3, "name": "Analyze allow policies", "item": "https://cloud.google.com/policy-intelligence/docs/analyze-iam-policies" }] } </script> <link rel="stylesheet" href="/extras.css"></head> <body class="" template="page" theme="cloud-theme" type="article" layout="docs" free-trial display-toc pending> <!-- Site chrome starts here: progress indicator, cookie notice, tracking hooks and the global header; the article content is further down the page. --> <devsite-progress type="indeterminate" id="app-progress"></devsite-progress> <section class="devsite-wrapper"> <devsite-cookie-notification-bar></devsite-cookie-notification-bar><cloudx-track userCountry="SG"></cloudx-track> <cloudx-utils-init></cloudx-utils-init> <devsite-header keep-tabs-visible> <div class="devsite-header--inner nocontent"> <div class="devsite-top-logo-row-wrapper-wrapper"> <div class="devsite-top-logo-row-wrapper"> <div class="devsite-top-logo-row"> <button 
class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /policy-intelligence/docs/overview" track-type="bookNav" track-name="click" track-metadata-eventdetail="/policy-intelligence/docs/overview" ><span class="devsite-nav-text" tooltip>Product overview</span></a></li> <li class="devsite-nav-item devsite-nav-heading"><div class="devsite-nav-title devsite-nav-title-no-path"> <span class="devsite-nav-text" tooltip>Understand policies and usage</span> </div></li> <li class="devsite-nav-item devsite-nav-expandable"><div class="devsite-expandable-nav"> <a class="devsite-nav-toggle" aria-hidden="true"></a><div class="devsite-nav-title devsite-nav-title-no-path" tabindex="0" role="button"> <span class="devsite-nav-text" tooltip>Analyze policies</span> </div><ul class="devsite-nav-section"><li class="devsite-nav-item"><a href="/policy-intelligence/docs/policy-analyzer-overview" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /policy-intelligence/docs/policy-analyzer-overview" track-type="bookNav" track-name="click" track-metadata-eventdetail="/policy-intelligence/docs/policy-analyzer-overview" ><span class="devsite-nav-text" tooltip>Policy Analyzer for allow policies</span></a></li><li class="devsite-nav-item"><a href="/policy-intelligence/docs/analyze-iam-policies" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /policy-intelligence/docs/analyze-iam-policies" track-type="bookNav" track-name="click" track-metadata-eventdetail="/policy-intelligence/docs/analyze-iam-policies" ><span class="devsite-nav-text" tooltip>Analyze allow policies</span></a></li><li class="devsite-nav-item"><a href="/policy-intelligence/docs/analyze-organization-policies" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: 
/policy-intelligence/docs/analyze-organization-policies" track-type="bookNav" track-name="click" track-metadata-eventdetail="/policy-intelligence/docs/analyze-organization-policies" ><span class="devsite-nav-text" tooltip>Analyze organization policies</span></a></li><li class="devsite-nav-item"><a href="/policy-intelligence/docs/policy-analyzer-saved-queries" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /policy-intelligence/docs/policy-analyzer-saved-queries" track-type="bookNav" track-name="click" track-metadata-eventdetail="/policy-intelligence/docs/policy-analyzer-saved-queries" ><span class="devsite-nav-text" tooltip>Manage saved queries</span></a></li><li class="devsite-nav-item"><a href="/policy-intelligence/docs/policy-analyzer-write-to-bigquery" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /policy-intelligence/docs/policy-analyzer-write-to-bigquery" track-type="bookNav" track-name="click" track-metadata-eventdetail="/policy-intelligence/docs/policy-analyzer-write-to-bigquery" ><span class="devsite-nav-text" tooltip>Write policy analysis to BigQuery</span></a></li><li class="devsite-nav-item"><a href="/policy-intelligence/docs/policy-analyzer-write-to-gcs" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /policy-intelligence/docs/policy-analyzer-write-to-gcs" track-type="bookNav" track-name="click" track-metadata-eventdetail="/policy-intelligence/docs/policy-analyzer-write-to-gcs" ><span class="devsite-nav-text" tooltip>Write policy analysis to Cloud Storage</span></a></li></ul></div></li> <li class="devsite-nav-item devsite-nav-expandable"><div class="devsite-expandable-nav"> <a class="devsite-nav-toggle" aria-hidden="true"></a><div class="devsite-nav-title devsite-nav-title-no-path" tabindex="0" role="button"> <span 
class="devsite-nav-text" tooltip>Troubleshoot access issues</span> </div><ul class="devsite-nav-section"><li class="devsite-nav-item"><a href="/policy-intelligence/docs/access-troubleshooters" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /policy-intelligence/docs/access-troubleshooters" track-type="bookNav" track-name="click" track-metadata-eventdetail="/policy-intelligence/docs/access-troubleshooters" ><span class="devsite-nav-text" tooltip>Access-related troubleshooters</span></a></li><li class="devsite-nav-item"><a href="/policy-intelligence/docs/troubleshoot-access" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /policy-intelligence/docs/troubleshoot-access" track-type="bookNav" track-name="click" track-metadata-eventdetail="/policy-intelligence/docs/troubleshoot-access" ><span class="devsite-nav-text" tooltip>Troubleshoot IAM permissions</span></a></li></ul></div></li> <li class="devsite-nav-item devsite-nav-expandable"><div class="devsite-expandable-nav"> <a class="devsite-nav-toggle" aria-hidden="true"></a><div class="devsite-nav-title devsite-nav-title-no-path" tabindex="0" role="button"> <span class="devsite-nav-text" tooltip>Understand service account usage and permissions</span> </div><ul class="devsite-nav-section"><li class="devsite-nav-item"><a href="/policy-intelligence/docs/service-account-usage-tools" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /policy-intelligence/docs/service-account-usage-tools" track-type="bookNav" track-name="click" track-metadata-eventdetail="/policy-intelligence/docs/service-account-usage-tools" ><span class="devsite-nav-text" tooltip>Tools to understand service account usage</span></a></li><li class="devsite-nav-item devsite-nav-preview"><a 
href="/policy-intelligence/docs/activity-analyzer-service-account-authentication" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /policy-intelligence/docs/activity-analyzer-service-account-authentication" track-type="bookNav" track-name="click" track-metadata-eventdetail="/policy-intelligence/docs/activity-analyzer-service-account-authentication" ><span class="devsite-nav-text" tooltip>View recent usage for service accounts and keys</span><span class="devsite-nav-icon material-icons" data-icon="preview" data-title="Preview" aria-hidden="true"></span></a></li><li class="devsite-nav-item devsite-nav-preview"><a href="/policy-intelligence/docs/service-account-insights" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /policy-intelligence/docs/service-account-insights" track-type="bookNav" track-name="click" track-metadata-eventdetail="/policy-intelligence/docs/service-account-insights" ><span class="devsite-nav-text" tooltip>Find unused service accounts</span><span class="devsite-nav-icon material-icons" data-icon="preview" data-title="Preview" aria-hidden="true"></span></a></li><li class="devsite-nav-item"><a href="/policy-intelligence/docs/lateral-movement-insights" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /policy-intelligence/docs/lateral-movement-insights" track-type="bookNav" track-name="click" track-metadata-eventdetail="/policy-intelligence/docs/lateral-movement-insights" ><span class="devsite-nav-text" tooltip>Find service accounts with lateral movement permissions</span></a></li></ul></div></li> <li class="devsite-nav-item devsite-nav-heading"><div class="devsite-nav-title devsite-nav-title-no-path"> <span class="devsite-nav-text" tooltip>Improve your policies</span> </div></li> <li class="devsite-nav-item devsite-nav-expandable"><div 
class="devsite-expandable-nav"> <a class="devsite-nav-toggle" aria-hidden="true"></a><div class="devsite-nav-title devsite-nav-title-no-path" tabindex="0" role="button"> <span class="devsite-nav-text" tooltip>Reduce excess permissions</span> </div><ul class="devsite-nav-section"><li class="devsite-nav-item"><a href="/policy-intelligence/docs/role-recommendations-overview" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /policy-intelligence/docs/role-recommendations-overview" track-type="bookNav" track-name="click" track-metadata-eventdetail="/policy-intelligence/docs/role-recommendations-overview" ><span class="devsite-nav-text" tooltip>Role recommendations overview</span></a></li><li class="devsite-nav-item"><a href="/policy-intelligence/docs/role-recommendations-best-practices" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /policy-intelligence/docs/role-recommendations-best-practices" track-type="bookNav" track-name="click" track-metadata-eventdetail="/policy-intelligence/docs/role-recommendations-best-practices" ><span class="devsite-nav-text" tooltip>Role recommendations best practices</span></a></li><li class="devsite-nav-item"><a href="/policy-intelligence/docs/configure-role-recommendations" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /policy-intelligence/docs/configure-role-recommendations" track-type="bookNav" track-name="click" track-metadata-eventdetail="/policy-intelligence/docs/configure-role-recommendations" ><span class="devsite-nav-text" tooltip>Configure role recommendation generation</span></a></li><li class="devsite-nav-item devsite-nav-expandable"><div class="devsite-expandable-nav"> <a class="devsite-nav-toggle" aria-hidden="true"></a><div class="devsite-nav-title devsite-nav-title-no-path" tabindex="0" role="button"> 
<span class="devsite-nav-text" tooltip>Review and apply role recommendations</span> </div><ul class="devsite-nav-section"><li class="devsite-nav-item"><a href="/policy-intelligence/docs/review-apply-role-recommendations" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /policy-intelligence/docs/review-apply-role-recommendations" track-type="bookNav" track-name="click" track-metadata-eventdetail="/policy-intelligence/docs/review-apply-role-recommendations" ><span class="devsite-nav-text" tooltip>Projects, folders, and organizations</span></a></li><li class="devsite-nav-item"><a href="/policy-intelligence/docs/review-apply-role-recommendations-buckets" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /policy-intelligence/docs/review-apply-role-recommendations-buckets" track-type="bookNav" track-name="click" track-metadata-eventdetail="/policy-intelligence/docs/review-apply-role-recommendations-buckets" ><span class="devsite-nav-text" tooltip>Cloud Storage buckets</span></a></li><li class="devsite-nav-item devsite-nav-preview"><a href="/policy-intelligence/docs/review-apply-role-recommendations-datasets" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /policy-intelligence/docs/review-apply-role-recommendations-datasets" track-type="bookNav" track-name="click" track-metadata-eventdetail="/policy-intelligence/docs/review-apply-role-recommendations-datasets" ><span class="devsite-nav-text" tooltip>BigQuery datasets</span><span class="devsite-nav-icon material-icons" data-icon="preview" data-title="Preview" aria-hidden="true"></span></a></li></ul></div></li><li class="devsite-nav-item devsite-nav-expandable"><div class="devsite-expandable-nav"> <a class="devsite-nav-toggle" aria-hidden="true"></a><div class="devsite-nav-title devsite-nav-title-no-path" 
tabindex="0" role="button"> <span class="devsite-nav-text" tooltip>Review policy insights</span> </div><ul class="devsite-nav-section"><li class="devsite-nav-item"><a href="/policy-intelligence/docs/policy-insights" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /policy-intelligence/docs/policy-insights" track-type="bookNav" track-name="click" track-metadata-eventdetail="/policy-intelligence/docs/policy-insights" ><span class="devsite-nav-text" tooltip>Projects, folders, and organizations</span></a></li><li class="devsite-nav-item"><a href="/policy-intelligence/docs/policy-insights-buckets" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /policy-intelligence/docs/policy-insights-buckets" track-type="bookNav" track-name="click" track-metadata-eventdetail="/policy-intelligence/docs/policy-insights-buckets" ><span class="devsite-nav-text" tooltip>Cloud Storage buckets</span></a></li><li class="devsite-nav-item devsite-nav-preview"><a href="/policy-intelligence/docs/policy-insights-datasets" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /policy-intelligence/docs/policy-insights-datasets" track-type="bookNav" track-name="click" track-metadata-eventdetail="/policy-intelligence/docs/policy-insights-datasets" ><span class="devsite-nav-text" tooltip>BigQuery datasets</span><span class="devsite-nav-icon material-icons" data-icon="preview" data-title="Preview" aria-hidden="true"></span></a></li></ul></div></li><li class="devsite-nav-item devsite-nav-expandable"><div class="devsite-expandable-nav"> <a class="devsite-nav-toggle" aria-hidden="true"></a><div class="devsite-nav-title devsite-nav-title-no-path" tabindex="0" role="button"> <span class="devsite-nav-text" tooltip>Export recommendations and data</span> </div><ul class="devsite-nav-section"><li 
class="devsite-nav-item"><a href="/policy-intelligence/docs/export-recommendations" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /policy-intelligence/docs/export-recommendations" track-type="bookNav" track-name="click" track-metadata-eventdetail="/policy-intelligence/docs/export-recommendations" ><span class="devsite-nav-text" tooltip>Export recommendations to BigQuery</span></a></li><li class="devsite-nav-item"><a href="/policy-intelligence/docs/export-role-recommendations-data" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /policy-intelligence/docs/export-role-recommendations-data" track-type="bookNav" track-name="click" track-metadata-eventdetail="/policy-intelligence/docs/export-role-recommendations-data" ><span class="devsite-nav-text" tooltip>Export data for role recommendations</span></a></li></ul></div></li></ul></div></li> <li class="devsite-nav-item devsite-nav-heading"><div class="devsite-nav-title devsite-nav-title-no-path"> <span class="devsite-nav-text" tooltip>Prevent policy misconfigurations</span> </div></li> <li class="devsite-nav-item devsite-nav-expandable"><div class="devsite-expandable-nav"> <a class="devsite-nav-toggle" aria-hidden="true"></a><div class="devsite-nav-title devsite-nav-title-no-path" tabindex="0" role="button"> <span class="devsite-nav-text" tooltip>Test IAM allow policy changes</span> </div><ul class="devsite-nav-section"><li class="devsite-nav-item"><a href="/policy-intelligence/docs/iam-simulator-overview" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /policy-intelligence/docs/iam-simulator-overview" track-type="bookNav" track-name="click" track-metadata-eventdetail="/policy-intelligence/docs/iam-simulator-overview" ><span class="devsite-nav-text" tooltip>Policy Simulator for allow 
policies</span></a></li><li class="devsite-nav-item"><a href="/policy-intelligence/docs/simulate-iam-policies" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /policy-intelligence/docs/simulate-iam-policies" track-type="bookNav" track-name="click" track-metadata-eventdetail="/policy-intelligence/docs/simulate-iam-policies" ><span class="devsite-nav-text" tooltip>Test role changes with Policy Simulator</span></a></li></ul></div></li> <li class="devsite-nav-item devsite-nav-preview"><a href="/policy-intelligence/docs/test-organization-policies" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /policy-intelligence/docs/test-organization-policies" track-type="bookNav" track-name="click" track-metadata-eventdetail="/policy-intelligence/docs/test-organization-policies" ><span class="devsite-nav-text" tooltip>Test organization policy changes with Policy Simulator</span><span class="devsite-nav-icon material-icons" data-icon="preview" data-title="Preview" aria-hidden="true"></span></a></li> <li class="devsite-nav-item devsite-nav-heading"><div class="devsite-nav-title devsite-nav-title-no-path"> <span class="devsite-nav-text" tooltip>Monitor</span> </div></li> <li class="devsite-nav-item"><a href="/policy-intelligence/docs/audit-logging/simulator-audit-logging" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /policy-intelligence/docs/audit-logging/simulator-audit-logging" track-type="bookNav" track-name="click" track-metadata-eventdetail="/policy-intelligence/docs/audit-logging/simulator-audit-logging" ><span class="devsite-nav-text" tooltip>Audit logging for Policy Simulator</span></a></li> </ul> <ul class="devsite-nav-list" menu="Technology areas" aria-label="Side menu" hidden> <li class="devsite-nav-item"> <a href="/docs/ai-ml" class="devsite-nav-title 
gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: AI and ML" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > AI and ML </span> </a> </li> <li class="devsite-nav-item"> <a href="/docs/application-development" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Application development" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Application development </span> </a> </li> <li class="devsite-nav-item"> <a href="/docs/application-hosting" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Application hosting" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Application hosting </span> </a> </li> <li class="devsite-nav-item"> <a href="/docs/compute-area" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Compute" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Compute </span> </a> </li> <li class="devsite-nav-item"> <a href="/docs/data" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Data analytics and pipelines" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Data analytics and pipelines </span> </a> </li> <li class="devsite-nav-item"> <a href="/docs/databases" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Databases" track-type="navMenu" track-metadata-eventDetail="globalMenu" 
track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Databases </span> </a> </li> <li class="devsite-nav-item"> <a href="/docs/dhm-cloud" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Distributed, hybrid, and multicloud" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Distributed, hybrid, and multicloud </span> </a> </li> <li class="devsite-nav-item"> <a href="/docs/generative-ai" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Generative AI" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Generative AI </span> </a> </li> <li class="devsite-nav-item"> <a href="/docs/industry" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Industry solutions" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Industry solutions </span> </a> </li> <li class="devsite-nav-item"> <a href="/docs/networking" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Networking" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Networking </span> </a> </li> <li class="devsite-nav-item"> <a href="/docs/observability" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Observability and monitoring" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Observability and monitoring </span> </a> </li> <li class="devsite-nav-item"> <a href="/docs/security" 
class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Security" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Security </span> </a> </li> <li class="devsite-nav-item"> <a href="/docs/storage" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Storage" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Storage </span> </a> </li> </ul> <ul class="devsite-nav-list" menu="Cross-product tools" aria-label="Side menu" hidden> <li class="devsite-nav-item"> <a href="/docs/access-resources" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Access and resources management" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Access and resources management </span> </a> </li> <li class="devsite-nav-item"> <a href="/docs/costs-usage" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Costs and usage management" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Costs and usage management </span> </a> </li> <li class="devsite-nav-item"> <a href="/docs/devtools" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Cloud SDK, languages, frameworks, and tools" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Google Cloud SDK, languages, frameworks, and tools </span> </a> </li> <li class="devsite-nav-item"> <a href="/docs/iac" class="devsite-nav-title 
gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Infrastructure as code" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Infrastructure as code </span> </a> </li> <li class="devsite-nav-item"> <a href="/docs/migration" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Migration" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Migration </span> </a> </li> </ul> <ul class="devsite-nav-list" menu="Related sites" aria-label="Side menu" hidden> <li class="devsite-nav-item"> <a href="/" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Cloud Home" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Google Cloud Home </span> </a> </li> <li class="devsite-nav-item"> <a href="/free" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Free Trial and Free Tier" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Free Trial and Free Tier </span> </a> </li> <li class="devsite-nav-item"> <a href="/architecture" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Architecture Center" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Architecture Center </span> </a> </li> <li class="devsite-nav-item"> <a href="https://cloud.google.com/blog" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Blog" track-type="navMenu" 
track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Blog </span> </a> </li> <li class="devsite-nav-item"> <a href="/contact" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Contact Sales" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Contact Sales </span> </a> </li> <li class="devsite-nav-item"> <a href="/developers" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Cloud Developer Center" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Google Cloud Developer Center </span> </a> </li> <li class="devsite-nav-item"> <a href="https://developers.google.com/" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Developer Center" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Google Developer Center </span> </a> </li> <li class="devsite-nav-item"> <a href="https://console.cloud.google.com/marketplace" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Cloud Marketplace" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Google Cloud Marketplace </span> </a> </li> <li class="devsite-nav-item"> <a href="/marketplace/docs" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Cloud Marketplace Documentation" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Google 
Cloud Marketplace Documentation </span> </a> </li> <li class="devsite-nav-item"> <a href="https://www.cloudskillsboost.google/paths" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Cloud Skills Boost" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Google Cloud Skills Boost </span> </a> </li> <li class="devsite-nav-item"> <a href="/solutions" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Cloud Solution Center" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Google Cloud Solution Center </span> </a> </li> <li class="devsite-nav-item"> <a href="/support-hub" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Cloud Support" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Google Cloud Support </span> </a> </li> <li class="devsite-nav-item"> <a href="https://www.youtube.com/@googlecloudtech" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Cloud Tech Youtube Channel" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Google Cloud Tech Youtube Channel </span> </a> </li> </ul> </div> </div> </nav> </devsite-book-nav> <section id="gc-wrapper"> <main role="main" class="devsite-main-content" has-book-nav has-sidebar > <div class="devsite-sidebar"> <div class="devsite-sidebar-content"> <devsite-toc class="devsite-nav" role="navigation" aria-label="On this page" depth="2" scrollbars ></devsite-toc> <devsite-recommendations-sidebar class="nocontent devsite-nav"> 
</devsite-thumb-rating> </div> <devsite-feedback position="header" project-name="Policy Intelligence" product-id="717553" bucket="Policy Intelligence Documentation" context="" version="t-devsite-webserver-20241114-r00-rc02.464922260396498922" data-label="Send Feedback Button" track-type="feedback" track-name="sendFeedbackLink" track-metadata-position="header" class="nocontent" project-icon="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/cloud/images/favicons/onecloud/super_cloud.png" > <button> Send feedback </button> </devsite-feedback> <h1 class="devsite-page-title" tabindex="-1"> Analyze allow policies </h1> <devsite-feature-tooltip ack-key="AckCollectionsBookmarkTooltipDismiss" analytics-category="Site-Wide Custom Events" analytics-action-show="Callout Profile displayed" analytics-action-close="Callout Profile dismissed" analytics-label="Create Collection Callout" class="devsite-page-bookmark-tooltip nocontent" dismiss-button="true" id="devsite-collections-dropdown" dismiss-button-text="Dismiss" close-button-text="Got it"> <devsite-bookmark></devsite-bookmark> <span slot="popout-heading"> Stay organized with collections </span> <span slot="popout-contents"> Save and categorize content based on your preferences. </span> </devsite-feature-tooltip> <div class="devsite-page-title-meta"><devsite-view-release-notes></devsite-view-release-notes></div> <devsite-toc class="devsite-nav" depth="2" devsite-toc-embedded > </devsite-toc> <div class="devsite-article-body clearfix "> <p>This page shows how to use Policy Analyzer for allow policies to find out which principals (users, service accounts, groups, and domains) have what access to which Google Cloud resources.</p> <p>The examples on this page show how to run a Policy Analysis query and immediately view the results. 
If you want to export the results for further analysis, you can use <a href="/asset-inventory/docs/reference/rest/v1/TopLevel/analyzeIamPolicyLongrunning"><code translate="no" dir="ltr">AnalyzeIamPolicyLongrunning</code></a> to write query results to <a href="/policy-intelligence/docs/policy-analyzer-write-to-bigquery">BigQuery</a> or <a href="/policy-intelligence/docs/policy-analyzer-write-to-gcs">Cloud Storage</a>.</p> <aside class="note"><strong>Note:</strong><span> Policy Analyzer uses the Cloud Asset API, which offers best-effort data freshness. While almost all policy updates appear in Policy Analyzer in minutes, it's possible that Policy Analyzer won't include the most recent policy updates. </span></aside> <h2 id="before-you-begin" data-text="Before you begin" tabindex="-1">Before you begin</h2> <ul> <li><p> <p> Enable the Cloud Asset API. </p><p><a href="https://console.cloud.google.com/flows/enableapi?apiid=cloudasset.googleapis.com&redirect=https://console.cloud.google.com" target="console" track-type="commonIncludes" track-name="consoleLink" track-metadata-end-goal="enableAPI" class="button button-primary">Enable the API</a></p> <style> .henhouse-text { font-size:85%; padding:2px 4px; line-height:1; } </style> </p> <p>You must enable the API in the project or organization you will use to send the query. This doesn't have to be the same resource that you scope your query to.</p></li> <li><p>Optional: Understand <a href="/policy-intelligence/docs/policy-analyzer-overview">how Policy Analyzer works</a>.</p></li> <li><p>Optional: If you want to execute more than 20 policy analysis queries per organization per day, ensure that you have an <a href="/security-command-center/pricing#organization-level-activations">organization-level activation of the premium tier of Security Command Center</a>. 
For more information, see <a href="/policy-intelligence/docs/billing-questions">Billing questions</a>.</p></li> </ul> <h2 id="required-permissions" data-text="Required roles and permissions" tabindex="-1">Required roles and permissions</h2> <p>The following roles and permissions are required to analyze allow policies.</p> <p><a name="roles-permissions"></a></p> <h3 id="cloudasset-permissions" data-text="Required IAM roles" tabindex="-1">Required IAM roles</h3> <p> To get the permissions that you need to analyze an allow policy, ask your administrator to grant you the following IAM roles on the project, folder, or organization that you will scope your query to: </p> <ul> <li> <a href="https://cloud.google.com/iam/docs/understanding-roles#cloudasset.viewer">Cloud Asset Viewer </a> (<code translate="no" dir="ltr">roles/cloudasset.viewer</code>)</li> <li> To analyze policies with <a href="/iam/docs/understanding-custom-roles">custom IAM roles</a>: <a href="https://cloud.google.com/iam/docs/understanding-roles#iam.roleViewer">Role Viewer </a> (<code translate="no" dir="ltr">roles/iam.roleViewer</code>) </li> <li> To use the Google Cloud CLI to analyze policies: <a href="https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer">Service Usage Consumer </a> (<code translate="no" dir="ltr">roles/serviceusage.serviceUsageConsumer</code>) </li> </ul> <p> For more information about granting roles, see <a href="/iam/docs/granting-changing-revoking-access">Manage access to projects, folders, and organizations</a>. </p> <p> These predefined roles contain the permissions required to analyze an allow policy. 
To see the exact permissions that are required, expand the <strong>Required permissions</strong> section: </p> <devsite-expandable> <h4 class="showalways" id="required-permissions_1" data-text="Required permissions" tabindex="-1">Required permissions</h4> <p>The following permissions are required to analyze an allow policy:</p> <ul> <li> <code translate="no" dir="ltr"> cloudasset.assets.analyzeIamPolicy </code> </li> <li> <code translate="no" dir="ltr"> cloudasset.assets.searchAllResources </code> </li> <li> <code translate="no" dir="ltr"> cloudasset.assets.searchAllIamPolicies</code> </li> <li> To analyze policies with custom IAM roles: <code translate="no" dir="ltr"> iam.roles.get</code> </li> <li> To use the Google Cloud CLI to analyze policies: <code translate="no" dir="ltr"> serviceusage.services.use</code> </li> </ul> </devsite-expandable> <p> You might also be able to get these permissions with <a href="/iam/docs/creating-custom-roles">custom roles</a> or other <a href="/iam/docs/understanding-roles">predefined roles</a>. </p> <h3 id="gsuite-permissions" data-text="Required Google Workspace permissions" tabindex="-1">Required Google Workspace permissions</h3> <p>If you want to <a href="#options">expand groups in query results</a> to see if a principal has certain roles or permissions as a result of their membership in a Google Workspace group, you need the <code translate="no" dir="ltr">groups.read</code> Google Workspace permission. This permission is contained in the Groups Reader Admin role, and in more powerful roles such as the Groups Admin or Super Admin roles. 
To learn how to grant these roles, see <a href="https://support.google.com/a/answer/9807615">Assign specific admin roles</a>.</p> <h2 id="principal-query-resource" data-text="Determine which principals can access a resource" tabindex="-1">Determine which principals can access a resource</h2> <p>You can use Policy Analyzer to check which principals have certain roles or permissions on a specific resource in your project, folder, or organization. To get this information, create a query that includes the resource that you want to analyze access for and one or more roles or permissions to check for.</p> <aside class="note"> <p><strong>Note:</strong> Policy Analyzer only supports <a href="/iam/docs/policies">IAM allow policies</a>. Results do not account for other access control mechanisms, like IAM deny policies, so a principal listed in the results might not have effective access. For more information, see <a href="/policy-intelligence/docs/policy-analyzer-overview#supported-policy-types">Supported policy types</a>.</p> </aside> <div id="policy-analyzer-principal-resource-access-code-sample" class="ds-selector-tabs" data-ds-scope="code-sample"> <section> <h3 id="policy-analyzer-principal-resource-access-console" track-metadata-position="policy-analyzer-principal-resource-access" track-metadata-region-tag="policy-analyzer-principal-resource-access" data-text="Console" tabindex="-1">Console</h3> <ol> <li><p>In the Google Cloud console, go to the <strong>Policy analyzer</strong> page.</p> <p><a class="button button-primary" href="https://console.cloud.google.com/iam-admin/analyzer" target="console" track-type="task" track-name="consoleLink" track-metadata-position="body" track-metadata-end-goal="queryOnPrincipalWithResource"> Go to the Policy analyzer page</a></p></li> <li><p>In the <strong>Analyze policies</strong> section, find the pane labeled <strong>Custom query</strong> and click <strong>Create custom query</strong> in that pane.</p></li> <li><p>In the <strong>Select query scope</strong> field, select the project, folder, or 
organization that you want to scope the query to. Policy Analyzer will analyze access for that project, folder, or organization, as well as any resources within that project, folder, or organization.</p></li> <li><p>Choose the resource to check and the role or permission to check for:</p> <ol> <li>In the <strong>Parameter 1</strong> field, select <strong>Resource</strong> from the drop-down menu.</li> <li>In the <strong>Resource</strong> field, enter the full resource name of the resource that you want to analyze access for. If you don't know the full resource name, start typing the display name of the resource, then select the resource from the list of resources provided.</li> <li>Click <span class="material-icons" aria-hidden="true" translate="no">add</span> <strong>Add selector</strong>.</li> <li>In the <strong>Parameter 2</strong> field, select either <strong>Role</strong> or <strong>Permission</strong>.</li> <li>In the <strong>Select a role</strong> or <strong>Select a permission</strong> field, select the role or permission that you want to check for.</li> <li>Optional: To check for additional roles and permissions, continue adding <strong>Role</strong> and <strong>Permission</strong> selectors until all the roles and permissions that you want to check for are listed.</li> </ol></li> <li><p>Optional: Click <strong>Continue</strong>, then select any <a href="#options">advanced options</a> that you want to enable for this query.</p></li> <li><p>In the <strong>Custom query</strong> pane, click <strong>Analyze <span aria-label="and then">></span> Run query</strong>. The report page shows the query parameters you entered, and a results table of all principals with the specified roles or permissions on the specified resource.</p> <p> Policy analysis queries in the Google Cloud console run for up to one minute. After one minute, the Google Cloud console stops the query and displays all available results. 
If the query didn't finish in that time, the Google Cloud console displays a banner indicating that the results are incomplete. To get more results for these queries, <a href="/policy-intelligence/docs/policy-analyzer-write-to-bigquery">export the results to BigQuery</a>. </p></li> </ol> </section> <section> <h3 id="policy-analyzer-principal-resource-access-gcloud" track-metadata-position="policy-analyzer-principal-resource-access" track-metadata-region-tag="policy-analyzer-principal-resource-access" data-text="gcloud" tabindex="-1"><span class="notranslate">gcloud</span></h3> <p> Before using any of the command data below, make the following replacements: </p> <ul> <li><code translate="no" dir="ltr"><var translate="no">RESOURCE_TYPE</var></code>: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value <code translate="no" dir="ltr">project</code>, <code translate="no" dir="ltr">folder</code>, or <code translate="no" dir="ltr">organization</code>. </li> <li><code translate="no" dir="ltr"><var translate="no">RESOURCE_ID</var></code>: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like <code translate="no" dir="ltr">my-project</code>. Folder and organization IDs are numeric, like <code translate="no" dir="ltr">123456789012</code>. </li> <li><code translate="no" dir="ltr"><var translate="no">FULL_RESOURCE_NAME</var></code>: The full resource name of the resource that you want to analyze access for. For a list of full resource name formats, see <a href="/asset-inventory/docs/resource-name-format">Resource name format</a>. 
</li> <li><code translate="no" dir="ltr"><var translate="no">PERMISSIONS</var></code>: A comma-separated list of the permissions that you want to check for—for example, <code translate="no" dir="ltr">compute.instances.get,compute.instances.start</code>. If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.</li> </ul> <aside class="note"> <b>Note:</b> If you want more detailed query results, you can <a href="#options">enable advanced options</a>. </aside> <p> Execute the <a href="/sdk/gcloud/reference/asset/analyze-iam-policy">gcloud asset analyze-iam-policy</a> command: </p> <devsite-expandable expanded> <h4 class="showalways" id="linux,-macos,-or-cloud-shell" data-text="Linux, macOS, or Cloud Shell" tabindex="-1">Linux, macOS, or Cloud Shell</h4> <aside class="note"><b>Note:</b> Ensure you have initialized the Google Cloud CLI with authentication and a project by running either <a href="/sdk/gcloud/reference/init">gcloud init</a>; or <a href="/sdk/gcloud/reference/auth/login">gcloud auth login</a> and <a href="/sdk/gcloud/reference/config/set">gcloud config set project</a>. 
</aside> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="Linux command" translate="no" dir="ltr" is-upgraded syntax="Bash">gcloud<span class="devsite-syntax-w"> </span>asset<span class="devsite-syntax-w"> </span>analyze-iam-policy<span class="devsite-syntax-w"> </span>--<var translate="no">RESOURCE_TYPE</var><span class="devsite-syntax-o">=</span><var translate="no">RESOURCE_ID</var><span class="devsite-syntax-w"> </span><span class="devsite-syntax-se">\</span> <span class="devsite-syntax-w"> </span>--full-resource-name<span class="devsite-syntax-o">=</span><var translate="no">FULL_RESOURCE_NAME</var><span class="devsite-syntax-w"> </span><span class="devsite-syntax-se">\</span> <span class="devsite-syntax-w"> </span>--permissions<span class="devsite-syntax-o">=</span><span class="devsite-syntax-s1">'<var translate="no">PERMISSIONS</var>'</span></pre></devsite-code> </devsite-expandable> <devsite-expandable> <h4 class="showalways" id="windows-powershell" data-text="Windows (PowerShell)" tabindex="-1">Windows (PowerShell)</h4> <aside class="note"><b>Note:</b> Ensure you have initialized the Google Cloud CLI with authentication and a project by running either <a href="/sdk/gcloud/reference/init">gcloud init</a>; or <a href="/sdk/gcloud/reference/auth/login">gcloud auth login</a> and <a href="/sdk/gcloud/reference/config/set">gcloud config set project</a>. 
</aside> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="PowerShell command" translate="no" dir="ltr" is-upgraded syntax="Bash">gcloud<span class="devsite-syntax-w"> </span>asset<span class="devsite-syntax-w"> </span>analyze-iam-policy<span class="devsite-syntax-w"> </span>--<var translate="no">RESOURCE_TYPE</var><span class="devsite-syntax-o">=</span><var translate="no">RESOURCE_ID</var><span class="devsite-syntax-w"> </span><span class="devsite-syntax-sb">`</span> <span class="devsite-syntax-w"> </span>--full-resource-name<span class="devsite-syntax-o">=</span><var translate="no">FULL_RESOURCE_NAME</var><span class="devsite-syntax-w"> </span><span class="devsite-syntax-sb">`</span> <span class="devsite-syntax-w"> </span>--permissions<span class="devsite-syntax-o">=</span><span class="devsite-syntax-s1">'<var translate="no">PERMISSIONS</var>'</span></pre></devsite-code> </devsite-expandable> <devsite-expandable> <h4 class="showalways" id="windows-cmd.exe" data-text="Windows (cmd.exe)" tabindex="-1">Windows (cmd.exe)</h4> <aside class="note"><b>Note:</b> Ensure you have initialized the Google Cloud CLI with authentication and a project by running either <a href="/sdk/gcloud/reference/init">gcloud init</a>; or <a href="/sdk/gcloud/reference/auth/login">gcloud auth login</a> and <a href="/sdk/gcloud/reference/config/set">gcloud config set project</a>. </aside> <aside class="note"><b>Note:</b> If this command uses <code translate="no" dir="ltr">'</code> for quoting content, replace these single quotes with double quotes. If quoting is nested, use <code translate="no" dir="ltr">\"</code> to escape the inner quotes. 
</aside> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="cmd.exe command" translate="no" dir="ltr" is-upgraded syntax="Bash">gcloud<span class="devsite-syntax-w"> </span>asset<span class="devsite-syntax-w"> </span>analyze-iam-policy<span class="devsite-syntax-w"> </span>--<var translate="no">RESOURCE_TYPE</var><span class="devsite-syntax-o">=</span><var translate="no">RESOURCE_ID</var><span class="devsite-syntax-w"> </span>^ <span class="devsite-syntax-w"> </span>--full-resource-name<span class="devsite-syntax-o">=</span><var translate="no">FULL_RESOURCE_NAME</var><span class="devsite-syntax-w"> </span>^ <span class="devsite-syntax-w"> </span>--permissions<span class="devsite-syntax-o">=</span><span class="devsite-syntax-s1">'<var translate="no">PERMISSIONS</var>'</span></pre></devsite-code> </devsite-expandable> <p> You receive a YAML response with analysis results. Each analysis result lists a set of accesses, identities, and resources that are relevant to your query, followed by the related IAM role binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is <code translate="no" dir="ltr">CONDITIONAL</code>. </p> <p> The principals that have any of the specified permissions on the specified resource are listed in the <code translate="no" dir="ltr">identities</code> fields in the response. The following example shows a single analysis result with the <code translate="no" dir="ltr">identities</code> field highlighted. </p> <section> <div></div><devsite-code><pre class="readonly" data-label="response" translate="no" dir="ltr" is-upgraded> ... 
--- ACLs: - accesses: - permission: compute.instances.get - permission: compute.instances.start <strong>identities: - name: user:my-user@example.com</strong> resources: - fullResourceName: //cloudresourcemanager.googleapis.com/projects/my-project policy: attachedResource: //cloudresourcemanager.googleapis.com/projects/my-project binding: members: - user: my-user@example.com role: roles/compute.admin --- ... </pre></devsite-code> </section> <p> If the request times out before the query finishes, you get a <code translate="no" dir="ltr">DEADLINE_EXCEEDED</code> error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of <code translate="no" dir="ltr">analyze-iam-policy</code>. For instructions, see <a href="/policy-intelligence/docs/policy-analyzer-write-to-bigquery">Write policy analysis to BigQuery</a> or <a href="/policy-intelligence/docs/policy-analyzer-write-to-gcs">Write policy analysis to Cloud Storage</a>. </p> </section> <section> <h3 id="policy-analyzer-principal-resource-access-rest" track-metadata-position="policy-analyzer-principal-resource-access" track-metadata-region-tag="policy-analyzer-principal-resource-access" data-text="REST" tabindex="-1"><span class="notranslate">REST</span></h3> <p> To determine which principals have certain permissions on a resource, use the Cloud Asset Inventory API's <code translate="no" dir="ltr"><a href="/asset-inventory/docs/reference/rest/v1/TopLevel/analyzeIamPolicy">analyzeIamPolicy</a></code> method. </p> <p> Before using any of the request data, make the following replacements: </p> <ul> <li><code translate="no" dir="ltr"><var translate="no">RESOURCE_TYPE</var></code>: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. 
Use the value <code translate="no" dir="ltr">projects</code>, <code translate="no" dir="ltr">folders</code>, or <code translate="no" dir="ltr">organizations</code>. </li> <li><code translate="no" dir="ltr"><var translate="no">RESOURCE_ID</var></code>: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like <code translate="no" dir="ltr">my-project</code>. Folder and organization IDs are numeric, like <code translate="no" dir="ltr">123456789012</code>. </li> <li><code translate="no" dir="ltr"><var translate="no">FULL_RESOURCE_NAME</var></code>: The full resource name of the resource that you want to analyze access for. For a list of full resource name formats, see <a href="/asset-inventory/docs/resource-name-format">Resource name format</a>. </li> <li><code translate="no" dir="ltr"><var translate="no">PERMISSION_1</var></code>, <code translate="no" dir="ltr"><var translate="no">PERMISSION_2</var></code>... <code translate="no" dir="ltr"><var translate="no">PERMISSION_N</var></code>: The permissions that you want to check for—for example, <code translate="no" dir="ltr">compute.instances.get</code>. If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.</li> </ul> <aside class="note"> <b>Note:</b> If you want more detailed query results, you can <a href="#options">enable advanced options</a>. 
</aside> <p> HTTP method and URL: </p> <section> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="analyzeIamPolicy HTTP method and URL" translate="no" dir="ltr" is-upgraded>POST https://cloudasset.googleapis.com/v1/<var translate="no">RESOURCE_TYPE</var>/<var translate="no">RESOURCE_ID</var>:analyzeIamPolicy</pre></devsite-code> </section> <p> Request JSON body: </p> <section> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="analyzeIamPolicy request body" translate="no" dir="ltr" is-upgraded> { "analysisQuery": { "resourceSelector": { "fullResourceName": "<var translate="no">FULL_RESOURCE_NAME</var>" }, "accessSelector": { "permissions": [ "<var translate="no">PERMISSION_1</var>", "<var translate="no">PERMISSION_2</var>", "<var translate="no">PERMISSION_N</var>" ] } } } </pre></devsite-code> </section> <p>To send your request, expand one of these options:</p> <section class="expandable" > <h4 class="showalways" id="curl-linux,-macos,-or-cloud-shell" data-text="curl (Linux, macOS, or Cloud Shell)" tabindex="-1">curl (Linux, macOS, or Cloud Shell)</h4> <aside class="note"><b>Note:</b> The following command assumes that you have logged in to the <code translate="no" dir="ltr">gcloud</code> CLI with your user account by running <a href="/sdk/gcloud/reference/init"><code translate="no" dir="ltr">gcloud init</code></a> or <a href="/sdk/gcloud/reference/auth/login"><code translate="no" dir="ltr">gcloud auth login</code></a> , or by using <a href="/shell/docs">Cloud Shell</a>, which automatically logs you into the <code translate="no" dir="ltr">gcloud</code> CLI . You can check the currently active account by running <a href="/sdk/gcloud/reference/auth/list"><code translate="no" dir="ltr">gcloud auth list</code></a>. 
</aside> <p> Save the request body in a file named <code translate="no" dir="ltr">request.json</code>, and execute the following command: </p> <section><div></div><devsite-code><pre class="devsite-click-to-copy" data-label="analyzeIamPolicy CURL command" translate="no" dir="ltr" is-upgraded>curl -X POST \<br> -H "Authorization: Bearer $(gcloud auth print-access-token)" \<br> -H "X-HTTP-Method-Override: GET" \<br> -H "Content-Type: application/json; charset=utf-8" \<br> -d @request.json \<br> "https://cloudasset.googleapis.com/v1/<var translate="no">RESOURCE_TYPE</var>/<var translate="no">RESOURCE_ID</var>:analyzeIamPolicy"</pre></devsite-code></section> </section> <section class="expandable" > <h4 class="showalways" id="powershell-windows" data-text="PowerShell (Windows)" tabindex="-1">PowerShell (Windows)</h4> <aside class="note"><b>Note:</b> The following command assumes that you have logged in to the <code translate="no" dir="ltr">gcloud</code> CLI with your user account by running <a href="/sdk/gcloud/reference/init"><code translate="no" dir="ltr">gcloud init</code></a> or <a href="/sdk/gcloud/reference/auth/login"><code translate="no" dir="ltr">gcloud auth login</code></a> . You can check the currently active account by running <a href="/sdk/gcloud/reference/auth/list"><code translate="no" dir="ltr">gcloud auth list</code></a>. 
</aside> <p> Save the request body in a file named <code translate="no" dir="ltr">request.json</code>, and execute the following command: </p> <section><div></div><devsite-code><pre class="devsite-click-to-copy" data-label="analyzeIamPolicy PowerShell command" translate="no" dir="ltr" is-upgraded>$cred = gcloud auth print-access-token<br>$headers = @{ "Authorization" = "Bearer $cred"; "X-HTTP-Method-Override" = "GET" }<br><br>Invoke-WebRequest `<br> -Method POST `<br> -Headers $headers `<br> -ContentType: "application/json; charset=utf-8" `<br> -InFile request.json `<br> -Uri "https://cloudasset.googleapis.com/v1/<var translate="no">RESOURCE_TYPE</var>/<var translate="no">RESOURCE_ID</var>:analyzeIamPolicy" | Select-Object -Expand Content</pre></devsite-code></section> </section> <section class="expandable" > <h4 class="showalways" id="apis-explorer-browser" data-text="APIs Explorer (browser)" tabindex="-1">APIs Explorer (browser)</h4> <p> Copy the request body and open the <a href="/asset-inventory/docs/reference/rest/v1/TopLevel/analyzeIamPolicy" class="external" target="_blank">method reference page</a>. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click <b>Execute</b>. </p> </section> <p> You receive a JSON response with analysis results. Each analysis result describes a relevant IAM role binding, then lists the resource, accesses, and principals in that binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is listed as <code translate="no" dir="ltr">CONDITIONAL</code>. </p> <p> The principals that have any of the specified permissions on the specified resource are listed in the <code translate="no" dir="ltr">identities</code> fields in the response. 
The following example shows a single analysis result with the <code translate="no" dir="ltr">identities</code> field highlighted. </p> <section> <div></div><devsite-code><pre class="readonly" data-label="analyzeIamPolicy sample response" translate="no" dir="ltr" is-upgraded> ... { "attachedResourceFullName": "//cloudresourcemanager.googleapis.com/projects/my-project", "iamBinding": { "role": "roles/compute.admin", "members": [ "user:my-user@example.com" ] }, "accessControlLists": [ { "resources": [ { "fullResourceName": "//cloudresourcemanager.googleapis.com/projects/my-project" } ], "accesses": [ { "permission": "compute.instances.get" }, { "permission": "compute.instances.start" } ] } ], "identityList": { <strong>"identities": [ { "name": "user:my-user@example.com" } ]</strong> }, "fullyExplored": true }, ... </pre></devsite-code> </section> <p> If the request times out before the query finishes, you get a <code translate="no" dir="ltr">DEADLINE_EXCEEDED</code> error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of <code translate="no" dir="ltr">analyzeIamPolicy</code>. For instructions, see <a href="/policy-intelligence/docs/policy-analyzer-write-to-bigquery">Write policy analysis to BigQuery</a> or <a href="/policy-intelligence/docs/policy-analyzer-write-to-gcs">Write policy analysis to Cloud Storage</a>. </p> </section> </div> <h2 id="principal-query-all" data-text="Determine which principals have certain roles or permissions" tabindex="-1">Determine which principals have certain roles or permissions</h2> <p>You can use Policy Analyzer to check which principals have specific roles or permissions on any Google Cloud resource in your organization. 
To get this information, create a query that includes one or more roles or permissions to check for, but does not specify a resource.</p> <aside class="note"> <p><strong>Note:</strong> Policy Analyzer only supports <a href="/iam/docs/policies">IAM allow policies</a>. Results do not account for other access control mechanisms, like IAM deny policies, so a principal listed in the results might not have effective access. For more information, see <a href="/policy-intelligence/docs/policy-analyzer-overview#supported-policy-types">Supported policy types</a>.</p> </aside> <div id="policy-analyzer-principal-any-access-code-sample" class="ds-selector-tabs" data-ds-scope="code-sample"> <section> <h3 id="policy-analyzer-principal-any-access-console" track-metadata-position="policy-analyzer-principal-any-access" track-metadata-region-tag="policy-analyzer-principal-any-access" data-text="Console" tabindex="-1">Console</h3> <ol> <li><p>In the Google Cloud console, go to the <strong>Policy analyzer</strong> page.</p> <p><a class="button button-primary" href="https://console.cloud.google.com/iam-admin/analyzer" target="console" track-type="task" track-name="consoleLink" track-metadata-position="body" track-metadata-end-goal="queryOnPrincipalWithResource"> Go to the Policy analyzer page</a></p></li> <li><p>In the <strong>Analyze policies</strong> section, find the pane labeled <strong>Custom query</strong> and click <strong>Create custom query</strong> in that pane.</p></li> <li><p>In the <strong>Select query scope</strong> field, select the project, folder, or organization that you want to scope the query to. 
Policy Analyzer will analyze access for that project, folder, or organization, as well as any resources within that project, folder, or organization.</p></li> <li><p>In the <strong>Parameter 1</strong> field, select either <strong>Role</strong> or <strong>Permission</strong>.</p></li> <li><p>In the <strong>Select a role</strong> or <strong>Select a permission</strong> field, select the role or permission that you want to check for.</p></li> <li><p>Optional: To check for additional roles and permissions, do the following:</p> <ol> <li>Click <span class="material-icons" aria-hidden="true" translate="no">add</span> <strong>Add selector</strong>.</li> <li>In the <strong>Parameter 2</strong> field, select either <strong>Role</strong> or <strong>Permission</strong>.</li> <li>In the <strong>Select a role</strong> or <strong>Select a permission</strong> field, select the role or permission that you want to check for.</li> <li>Continue adding <strong>Role</strong> and <strong>Permission</strong> selectors until all the roles and permissions that you want to check for are listed.</li> </ol></li> <li><p>Optional: Click <strong>Continue</strong>, then select any <a href="#options">advanced options</a> that you want to enable for this query.</p></li> <li><p>In the <strong>Custom query</strong> pane, click <strong>Analyze <span aria-label="and then">></span> Run query</strong>. The report page shows the query parameters you entered, and a results table of all principals with the specified roles or permissions on any in-scope resource.</p> <p> Policy analysis queries in the Google Cloud console run for up to one minute. After one minute, the Google Cloud console stops the query and displays all available results. If the query didn't finish in that time, the Google Cloud console displays a banner indicating that the results are incomplete. 
To get more results for these queries, <a href="/policy-intelligence/docs/policy-analyzer-write-to-bigquery">export the results to BigQuery</a>. </p></li> </ol> </section> <section> <h3 id="policy-analyzer-principal-any-access-gcloud" track-metadata-position="policy-analyzer-principal-any-access" track-metadata-region-tag="policy-analyzer-principal-any-access" data-text="gcloud" tabindex="-1"><span class="notranslate">gcloud</span></h3> <p> Before using any of the command data below, make the following replacements: </p> <ul> <li><code translate="no" dir="ltr"><var translate="no">RESOURCE_TYPE</var></code>: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value <code translate="no" dir="ltr">project</code>, <code translate="no" dir="ltr">folder</code>, or <code translate="no" dir="ltr">organization</code>. </li> <li><code translate="no" dir="ltr"><var translate="no">RESOURCE_ID</var></code>: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like <code translate="no" dir="ltr">my-project</code>. Folder and organization IDs are numeric, like <code translate="no" dir="ltr">123456789012</code>. </li> <li><code translate="no" dir="ltr"><var translate="no">ROLES</var></code>: A comma-separated list of the roles that you want to check for—for example, <code translate="no" dir="ltr">roles/compute.admin,roles/compute.imageUser</code>. If you list multiple roles, Policy Analyzer will check for any of the roles listed.</li> <li><code translate="no" dir="ltr"><var translate="no">PERMISSIONS</var></code>: A comma-separated list of the permissions that you want to check for—for example, <code translate="no" dir="ltr">compute.instances.get,compute.instances.start</code>. 
If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.</li> </ul> <aside class="note"> <b>Note:</b> If you want more detailed query results, you can <a href="#options">enable advanced options</a>. </aside> <p> Execute the <a href="/sdk/gcloud/reference/asset/analyze-iam-policy">gcloud asset analyze-iam-policy</a> command: </p> <devsite-expandable expanded> <h4 class="showalways" id="linux,-macos,-or-cloud-shell_1" data-text="Linux, macOS, or Cloud Shell" tabindex="-1">Linux, macOS, or Cloud Shell</h4> <aside class="note"><b>Note:</b> Ensure you have initialized the Google Cloud CLI with authentication and a project by running either <a href="/sdk/gcloud/reference/init">gcloud init</a>; or <a href="/sdk/gcloud/reference/auth/login">gcloud auth login</a> and <a href="/sdk/gcloud/reference/config/set">gcloud config set project</a>. </aside> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="Linux command" translate="no" dir="ltr" is-upgraded syntax="Bash">gcloud<span class="devsite-syntax-w"> </span>asset<span class="devsite-syntax-w"> </span>analyze-iam-policy<span class="devsite-syntax-w"> </span>--<var translate="no">RESOURCE_TYPE</var><span class="devsite-syntax-o">=</span><var translate="no">RESOURCE_ID</var><span class="devsite-syntax-w"> </span><span class="devsite-syntax-se">\</span> <span class="devsite-syntax-w"> </span>--roles<span class="devsite-syntax-o">=</span><span class="devsite-syntax-s1">'<var translate="no">ROLES</var>'</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-se">\</span> <span class="devsite-syntax-w"> </span>--permissions<span class="devsite-syntax-o">=</span><span class="devsite-syntax-s1">'<var translate="no">PERMISSIONS</var>'</span></pre></devsite-code> </devsite-expandable> <devsite-expandable> <h4 class="showalways" id="windows-powershell_1" data-text="Windows (PowerShell)" tabindex="-1">Windows (PowerShell)</h4> <aside class="note"><b>Note:</b> 
Ensure you have initialized the Google Cloud CLI with authentication and a project by running either <a href="/sdk/gcloud/reference/init">gcloud init</a>; or <a href="/sdk/gcloud/reference/auth/login">gcloud auth login</a> and <a href="/sdk/gcloud/reference/config/set">gcloud config set project</a>. </aside> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="PowerShell command" translate="no" dir="ltr" is-upgraded syntax="Bash">gcloud<span class="devsite-syntax-w"> </span>asset<span class="devsite-syntax-w"> </span>analyze-iam-policy<span class="devsite-syntax-w"> </span>--<var translate="no">RESOURCE_TYPE</var><span class="devsite-syntax-o">=</span><var translate="no">RESOURCE_ID</var><span class="devsite-syntax-w"> </span><span class="devsite-syntax-sb">`</span> <span class="devsite-syntax-w"> </span>--roles<span class="devsite-syntax-o">=</span><span class="devsite-syntax-s1">'<var translate="no">ROLES</var>'</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-sb">`</span> <span class="devsite-syntax-w"> </span>--permissions<span class="devsite-syntax-o">=</span><span class="devsite-syntax-s1">'<var translate="no">PERMISSIONS</var>'</span></pre></devsite-code> </devsite-expandable> <devsite-expandable> <h4 class="showalways" id="windows-cmd.exe_1" data-text="Windows (cmd.exe)" tabindex="-1">Windows (cmd.exe)</h4> <aside class="note"><b>Note:</b> Ensure you have initialized the Google Cloud CLI with authentication and a project by running either <a href="/sdk/gcloud/reference/init">gcloud init</a>; or <a href="/sdk/gcloud/reference/auth/login">gcloud auth login</a> and <a href="/sdk/gcloud/reference/config/set">gcloud config set project</a>. </aside> <aside class="note"><b>Note:</b> If this command uses <code translate="no" dir="ltr">'</code> for quoting content, replace these single quotes with double quotes. If quoting is nested, use <code translate="no" dir="ltr">\"</code> to escape the inner quotes. 
</aside> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="cmd.exe command" translate="no" dir="ltr" is-upgraded syntax="Bash">gcloud<span class="devsite-syntax-w"> </span>asset<span class="devsite-syntax-w"> </span>analyze-iam-policy<span class="devsite-syntax-w"> </span>--<var translate="no">RESOURCE_TYPE</var><span class="devsite-syntax-o">=</span><var translate="no">RESOURCE_ID</var><span class="devsite-syntax-w"> </span>^ <span class="devsite-syntax-w"> </span>--roles<span class="devsite-syntax-o">=</span><span class="devsite-syntax-s1">'<var translate="no">ROLES</var>'</span><span class="devsite-syntax-w"> </span>^ <span class="devsite-syntax-w"> </span>--permissions<span class="devsite-syntax-o">=</span><span class="devsite-syntax-s1">'<var translate="no">PERMISSIONS</var>'</span></pre></devsite-code> </devsite-expandable> <p> You receive a YAML response with analysis results. Each analysis result lists a set of accesses, identities, and resources that are relevant to your query, followed by the related IAM role binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is listed as <code translate="no" dir="ltr">CONDITIONAL</code>. </p> <p> The principals that have any of the specified roles or permissions are listed in the <code translate="no" dir="ltr">identities</code> fields in the response. The following example shows a single analysis result with the <code translate="no" dir="ltr">identities</code> field highlighted. </p> <section> <div></div><devsite-code><pre class="readonly" data-label="response" translate="no" dir="ltr" is-upgraded> ... 
--- ACLs: - accesses: - permission: compute.instances.get - permission: compute.instances.start - role: roles/compute.admin <strong>identities: - name: user:my-user@example.com</strong> resources: - fullResourceName: //cloudresourcemanager.googleapis.com/projects/my-project policy: attachedResource: //cloudresourcemanager.googleapis.com/projects/my-project binding: members: - user: my-user@example.com role: roles/compute.admin --- ... </pre></devsite-code> </section> <p> If the request times out before the query finishes, you get a <code translate="no" dir="ltr">DEADLINE_EXCEEDED</code> error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of <code translate="no" dir="ltr">analyze-iam-policy</code>. For instructions, see <a href="/policy-intelligence/docs/policy-analyzer-write-to-bigquery">Write policy analysis to BigQuery</a> or <a href="/policy-intelligence/docs/policy-analyzer-write-to-gcs">Write policy analysis to Cloud Storage</a>. </p> </section> <section> <h3 id="policy-analyzer-principal-any-access-rest" track-metadata-position="policy-analyzer-principal-any-access" track-metadata-region-tag="policy-analyzer-principal-any-access" data-text="REST" tabindex="-1"><span class="notranslate">REST</span></h3> <p> To determine which principals have certain roles or permissions, use the Cloud Asset Inventory API's <code translate="no" dir="ltr"><a href="/asset-inventory/docs/reference/rest/v1/TopLevel/analyzeIamPolicy">analyzeIamPolicy</a></code> method. </p> <p> Before using any of the request data, make the following replacements: </p> <ul> <li><code translate="no" dir="ltr"><var translate="no">RESOURCE_TYPE</var></code>: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. 
Use the value <code translate="no" dir="ltr">projects</code>, <code translate="no" dir="ltr">folders</code>, or <code translate="no" dir="ltr">organizations</code>. </li> <li><code translate="no" dir="ltr"><var translate="no">RESOURCE_ID</var></code>: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like <code translate="no" dir="ltr">my-project</code>. Folder and organization IDs are numeric, like <code translate="no" dir="ltr">123456789012</code>. </li> <li><code translate="no" dir="ltr"><var translate="no">ROLE_1</var></code>, <code translate="no" dir="ltr"><var translate="no">ROLE_2</var></code>... <code translate="no" dir="ltr"><var translate="no">ROLE_N</var></code>: The roles that you want to check for—for example, <code translate="no" dir="ltr">roles/compute.admin</code>. If you list multiple roles, Policy Analyzer will check for any of the roles listed.</li> <li><code translate="no" dir="ltr"><var translate="no">PERMISSION_1</var></code>, <code translate="no" dir="ltr"><var translate="no">PERMISSION_2</var></code>... <code translate="no" dir="ltr"><var translate="no">PERMISSION_N</var></code>: The permissions that you want to check for—for example, <code translate="no" dir="ltr">compute.instances.get</code>. If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.</li> </ul> <aside class="note"> <b>Note:</b> If you want more detailed query results, you can <a href="#options">enable advanced options</a>. 
</aside> <p> HTTP method and URL: </p> <section> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="analyzeIamPolicy HTTP method and URL" translate="no" dir="ltr" is-upgraded>POST https://cloudasset.googleapis.com/v1/<var translate="no">RESOURCE_TYPE</var>/<var translate="no">RESOURCE_ID</var>:analyzeIamPolicy</pre></devsite-code> </section> <p> Request JSON body: </p> <section> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="analyzeIamPolicy request body" translate="no" dir="ltr" is-upgraded> { "analysisQuery": { "accessSelector": { "roles": [ "<var translate="no">ROLE_1</var>", "<var translate="no">ROLE_2</var>", "<var translate="no">ROLE_N</var>" ], "permissions": [ "<var translate="no">PERMISSION_1</var>", "<var translate="no">PERMISSION_2</var>", "<var translate="no">PERMISSION_N</var>" ] } } } </pre></devsite-code> </section> <p>To send your request, expand one of these options:</p> <section class="expandable" > <h4 class="showalways" id="curl-linux,-macos,-or-cloud-shell_1" data-text="curl (Linux, macOS, or Cloud Shell)" tabindex="-1">curl (Linux, macOS, or Cloud Shell)</h4> <aside class="note"><b>Note:</b> The following command assumes that you have logged in to the <code translate="no" dir="ltr">gcloud</code> CLI with your user account by running <a href="/sdk/gcloud/reference/init"><code translate="no" dir="ltr">gcloud init</code></a> or <a href="/sdk/gcloud/reference/auth/login"><code translate="no" dir="ltr">gcloud auth login</code></a> , or by using <a href="/shell/docs">Cloud Shell</a>, which automatically logs you into the <code translate="no" dir="ltr">gcloud</code> CLI . You can check the currently active account by running <a href="/sdk/gcloud/reference/auth/list"><code translate="no" dir="ltr">gcloud auth list</code></a>. 
</aside> <p> Save the request body in a file named <code translate="no" dir="ltr">request.json</code>, and execute the following command: </p> <section><div></div><devsite-code><pre class="devsite-click-to-copy" data-label="analyzeIamPolicy CURL command" translate="no" dir="ltr" is-upgraded>curl -X POST \<br> -H "Authorization: Bearer $(gcloud auth print-access-token)" \<br> -H "X-HTTP-Method-Override: GET" \<br> -H "Content-Type: application/json; charset=utf-8" \<br> -d @request.json \<br> "https://cloudasset.googleapis.com/v1/<var translate="no">RESOURCE_TYPE</var>/<var translate="no">RESOURCE_ID</var>:analyzeIamPolicy"</pre></devsite-code></section> </section> <section class="expandable" > <h4 class="showalways" id="powershell-windows_1" data-text="PowerShell (Windows)" tabindex="-1">PowerShell (Windows)</h4> <aside class="note"><b>Note:</b> The following command assumes that you have logged in to the <code translate="no" dir="ltr">gcloud</code> CLI with your user account by running <a href="/sdk/gcloud/reference/init"><code translate="no" dir="ltr">gcloud init</code></a> or <a href="/sdk/gcloud/reference/auth/login"><code translate="no" dir="ltr">gcloud auth login</code></a> . You can check the currently active account by running <a href="/sdk/gcloud/reference/auth/list"><code translate="no" dir="ltr">gcloud auth list</code></a>. 
</aside> <p> Save the request body in a file named <code translate="no" dir="ltr">request.json</code>, and execute the following command: </p> <section><div></div><devsite-code><pre class="devsite-click-to-copy" data-label="analyzeIamPolicy PowerShell command" translate="no" dir="ltr" is-upgraded>$cred = gcloud auth print-access-token<br>$headers = @{ "Authorization" = "Bearer $cred"; "X-HTTP-Method-Override" = "GET" }<br><br>Invoke-WebRequest `<br> -Method POST `<br> -Headers $headers `<br> -ContentType: "application/json; charset=utf-8" `<br> -InFile request.json `<br> -Uri "https://cloudasset.googleapis.com/v1/<var translate="no">RESOURCE_TYPE</var>/<var translate="no">RESOURCE_ID</var>:analyzeIamPolicy" | Select-Object -Expand Content</pre></devsite-code></section> </section> <section class="expandable" > <h4 class="showalways" id="apis-explorer-browser_1" data-text="APIs Explorer (browser)" tabindex="-1">APIs Explorer (browser)</h4> <p> Copy the request body and open the <a href="/asset-inventory/docs/reference/rest/v1/TopLevel/analyzeIamPolicy" class="external" target="_blank">method reference page</a>. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click <b>Execute</b>. </p> </section> <p> You receive a JSON response with analysis results. Each analysis result describes a relevant IAM role binding, then lists the resource, accesses, and principals in that binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is listed as <code translate="no" dir="ltr">CONDITIONAL</code>. </p> <p> The principals that have any of the specified roles or permissions are listed in the <code translate="no" dir="ltr">identities</code> fields in the response. 
The following example shows a single analysis result with the <code translate="no" dir="ltr">identities</code> field highlighted. </p> <section> <div></div><devsite-code><pre class="readonly" data-label="analyzeIamPolicy sample response" translate="no" dir="ltr" is-upgraded> ... { "attachedResourceFullName": "//cloudresourcemanager.googleapis.com/projects/my-project", "iamBinding": { "role": "roles/compute.admin", "members": [ "user:my-user@example.com" ] }, "accessControlLists": [ { "resources": [ { "fullResourceName": "//cloudresourcemanager.googleapis.com/projects/my-project" } ], "accesses": [ { "permission": "compute.instances.get" }, { "role": "roles/compute.admin" } ] } ], "identityList": { <strong>"identities": [ { "name": "user:my-user@example.com" } ]</strong> }, "fullyExplored": true }, ... </pre></devsite-code> </section> <p> If the request times out before the query finishes, you get a <code translate="no" dir="ltr">DEADLINE_EXCEEDED</code> error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of <code translate="no" dir="ltr">analyzeIamPolicy</code>. For instructions, see <a href="/policy-intelligence/docs/policy-analyzer-write-to-bigquery">Write policy analysis to BigQuery</a> or <a href="/policy-intelligence/docs/policy-analyzer-write-to-gcs">Write policy analysis to Cloud Storage</a>. </p> </section> </div> <h2 id="access-query" data-text="Determine what access a principal has on a resource" tabindex="-1">Determine what access a principal has on a resource</h2> <p>You can use Policy Analyzer to check what roles or permissions a principal has on a resource in your organization. To get this information, create a query that includes the principal whose access you want to analyze and the resource that you want to analyze access for.</p> <p> <aside class="note"> <p><strong>Note:</strong> Policy Analyzer only supports <a href="/iam/docs/policies">IAM allow policies</a>. 
Results do not account for other access control mechanisms, like IAM deny policies. For more information, see <a href="/policy-intelligence/docs/policy-analyzer-overview#supported-policy-types">Supported policy types</a>. </aside> </p> <div id="policy-analyzer-what-access-code-sample" class="ds-selector-tabs" data-ds-scope="code-sample"> <section> <h3 id="policy-analyzer-what-access-console" track-metadata-position="policy-analyzer-what-access" track-metadata-region-tag="policy-analyzer-what-access" data-text="Console" tabindex="-1">Console</h3> <ol> <li><p>In the Google Cloud console, go to the <strong>Policy analyzer</strong> page.</p> <p><a class="button button-primary" href="https://console.cloud.google.com/iam-admin/analyzer" target="console" track-type="task" track-name="consoleLink" track-metadata-position="body" track-metadata-end-goal="queryOnPrincipalWithResource"> Go to the Policy analyzer page</a></p></li> <li><p>In the <strong>Analyze policies</strong> section, find the pane labeled <strong>Custom query</strong> and click <strong>Create custom query</strong> in that pane.</p></li> <li><p>In the <strong>Select query scope</strong> field, select the project, folder, or organization that you want to scope the query to. Policy Analyzer will analyze access for that project, folder, or organization, as well as any resources within that project, folder, or organization.</p></li> <li><p>Choose the resource and principal to check:</p> <ol> <li>In the <strong>Parameter 1</strong> field, select <strong>Resource</strong> from the drop-down menu.</li> <li>In the <strong>Resource</strong> field, enter the full resource name of the resource that you want to analyze access for. 
If you don't know the full resource name, start typing the display name of the resource, then select the resource from the list of resources provided.</li> <li>Click <span class="material-icons" aria-hidden="true" translate="no">add</span> <strong>Add selector</strong>.</li> <li>In the <strong>Parameter 2</strong> field, select <strong>Principal</strong> from the drop-down menu.</li> <li>In the <strong>Principal</strong> field, start typing the name of a user, service account, or group. Then, select the user, service account, or group whose access you want to analyze from the list of principals provided.</li> </ol></li> <li><p>Optional: Click <strong>Continue</strong>, then select any <a href="#options">advanced options</a> that you want to enable for this query.</p></li> <li><p>In the <strong>Custom query</strong> pane, click <strong>Analyze <span aria-label="and then">></span> Run query</strong>. The report page shows the query parameters you entered, and a results table of all roles that the specified principal has on the specified resource.</p> <p> Policy analysis queries in the Google Cloud console run for up to one minute. After one minute, the Google Cloud console stops the query and displays all available results. If the query didn't finish in that time, the Google Cloud console displays a banner indicating that the results are incomplete. To get more results for these queries, <a href="/policy-intelligence/docs/policy-analyzer-write-to-bigquery">export the results to BigQuery</a>. 
</p></li> </ol> </section> <section> <h3 id="policy-analyzer-what-access-gcloud" track-metadata-position="policy-analyzer-what-access" track-metadata-region-tag="policy-analyzer-what-access" data-text="gcloud" tabindex="-1"><span class="notranslate">gcloud</span></h3> <p> Before using any of the command data below, make the following replacements: </p> <ul> <li><code translate="no" dir="ltr"><var translate="no">RESOURCE_TYPE</var></code>: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value <code translate="no" dir="ltr">project</code>, <code translate="no" dir="ltr">folder</code>, or <code translate="no" dir="ltr">organization</code>. </li> <li><code translate="no" dir="ltr"><var translate="no">RESOURCE_ID</var></code>: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like <code translate="no" dir="ltr">my-project</code>. Folder and organization IDs are numeric, like <code translate="no" dir="ltr">123456789012</code>. </li> <li><code translate="no" dir="ltr"><var translate="no">FULL_RESOURCE_NAME</var></code>: The full resource name of the resource that you want to analyze access for. For a list of full resource name formats, see <a href="/asset-inventory/docs/resource-name-format">Resource name format</a>. </li> <li><code translate="no" dir="ltr"><var translate="no">PRINCIPAL</var></code>: The principal whose access you want to analyze, in the form <code translate="no" dir="ltr"><var translate="no">PRINCIPAL_TYPE</var>:<var translate="no">ID</var></code>—for example, <code translate="no" dir="ltr">user:my-user@example.com</code>. For a full list of the principal types, see <a href="/iam/docs/principal-identifiers">Principal identifiers</a>. 
</li> </ul> <aside class="note"> <b>Note:</b> If you want more detailed query results, you can <a href="#options">enable advanced options</a>. </aside> <p> Execute the <a href="/sdk/gcloud/reference/asset/analyze-iam-policy">gcloud asset analyze-iam-policy</a> command: </p> <devsite-expandable expanded> <h4 class="showalways" id="linux,-macos,-or-cloud-shell_2" data-text="Linux, macOS, or Cloud Shell" tabindex="-1">Linux, macOS, or Cloud Shell</h4> <aside class="note"><b>Note:</b> Ensure you have initialized the Google Cloud CLI with authentication and a project by running either <a href="/sdk/gcloud/reference/init">gcloud init</a>; or <a href="/sdk/gcloud/reference/auth/login">gcloud auth login</a> and <a href="/sdk/gcloud/reference/config/set">gcloud config set project</a>. </aside> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="Linux command" translate="no" dir="ltr" is-upgraded syntax="Bash">gcloud<span class="devsite-syntax-w"> </span>asset<span class="devsite-syntax-w"> </span>analyze-iam-policy<span class="devsite-syntax-w"> </span>--<var translate="no">RESOURCE_TYPE</var><span class="devsite-syntax-o">=</span><var translate="no">RESOURCE_ID</var><span class="devsite-syntax-w"> </span><span class="devsite-syntax-se">\</span> <span class="devsite-syntax-w"> </span>--full-resource-name<span class="devsite-syntax-o">=</span><var translate="no">FULL_RESOURCE_NAME</var><span class="devsite-syntax-w"> </span><span class="devsite-syntax-se">\</span> <span class="devsite-syntax-w"> </span>--identity<span class="devsite-syntax-o">=</span><var translate="no">PRINCIPAL</var></pre></devsite-code> </devsite-expandable> <devsite-expandable> <h4 class="showalways" id="windows-powershell_2" data-text="Windows (PowerShell)" tabindex="-1">Windows (PowerShell)</h4> <aside class="note"><b>Note:</b> Ensure you have initialized the Google Cloud CLI with authentication and a project by running either <a href="/sdk/gcloud/reference/init">gcloud init</a>; or 
<a href="/sdk/gcloud/reference/auth/login">gcloud auth login</a> and <a href="/sdk/gcloud/reference/config/set">gcloud config set project</a>. </aside> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="PowerShell command" translate="no" dir="ltr" is-upgraded syntax="Bash">gcloud<span class="devsite-syntax-w"> </span>asset<span class="devsite-syntax-w"> </span>analyze-iam-policy<span class="devsite-syntax-w"> </span>--<var translate="no">RESOURCE_TYPE</var><span class="devsite-syntax-o">=</span><var translate="no">RESOURCE_ID</var><span class="devsite-syntax-w"> </span><span class="devsite-syntax-sb">`</span> <span class="devsite-syntax-w"> </span>--full-resource-name<span class="devsite-syntax-o">=</span><var translate="no">FULL_RESOURCE_NAME</var><span class="devsite-syntax-w"> </span><span class="devsite-syntax-sb">`</span> <span class="devsite-syntax-w"> </span>--identity<span class="devsite-syntax-o">=</span><var translate="no">PRINCIPAL</var></pre></devsite-code> </devsite-expandable> <devsite-expandable> <h4 class="showalways" id="windows-cmd.exe_2" data-text="Windows (cmd.exe)" tabindex="-1">Windows (cmd.exe)</h4> <aside class="note"><b>Note:</b> Ensure you have initialized the Google Cloud CLI with authentication and a project by running either <a href="/sdk/gcloud/reference/init">gcloud init</a>; or <a href="/sdk/gcloud/reference/auth/login">gcloud auth login</a> and <a href="/sdk/gcloud/reference/config/set">gcloud config set project</a>. 
</aside> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="cmd.exe command" translate="no" dir="ltr" is-upgraded syntax="Bash">gcloud<span class="devsite-syntax-w"> </span>asset<span class="devsite-syntax-w"> </span>analyze-iam-policy<span class="devsite-syntax-w"> </span>--<var translate="no">RESOURCE_TYPE</var><span class="devsite-syntax-o">=</span><var translate="no">RESOURCE_ID</var><span class="devsite-syntax-w"> </span>^ <span class="devsite-syntax-w"> </span>--full-resource-name<span class="devsite-syntax-o">=</span><var translate="no">FULL_RESOURCE_NAME</var><span class="devsite-syntax-w"> </span>^ <span class="devsite-syntax-w"> </span>--identity<span class="devsite-syntax-o">=</span><var translate="no">PRINCIPAL</var></pre></devsite-code> </devsite-expandable> <p> You receive a YAML response with analysis results. Each analysis result lists a set of accesses, identities, and resources that are relevant to your query, followed by the related IAM role binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is <code translate="no" dir="ltr">CONDITIONAL</code>. </p> <p> The roles that the principal has on the specified resource are listed in the <code translate="no" dir="ltr">accesses</code> fields in the response. The following example shows a single analysis result with the <code translate="no" dir="ltr">accesses</code> field highlighted. </p> <section> <div></div><devsite-code><pre class="readonly" data-label="response" translate="no" dir="ltr" is-upgraded> ... 
--- ACLs: <strong>- accesses: - roles/iam.serviceAccountUser</strong> identities: - name: user:my-user@example.com resources: - fullResourceName: //cloudresourcemanager.googleapis.com/projects/my-project policy: attachedResource: //cloudresourcemanager.googleapis.com/projects/my-project binding: members: - user: my-user@example.com role: roles/iam.serviceAccountUser --- ... </pre></devsite-code> </section> <p> If the request times out before the query finishes, you get a <code translate="no" dir="ltr">DEADLINE_EXCEEDED</code> error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of <code translate="no" dir="ltr">analyze-iam-policy</code>. For instructions, see <a href="/policy-intelligence/docs/policy-analyzer-write-to-bigquery">Write policy analysis to BigQuery</a> or <a href="/policy-intelligence/docs/policy-analyzer-write-to-gcs">Write policy analysis to Cloud Storage</a>. </p> </section> <section> <h3 id="policy-analyzer-what-access-rest" track-metadata-position="policy-analyzer-what-access" track-metadata-region-tag="policy-analyzer-what-access" data-text="REST" tabindex="-1"><span class="notranslate">REST</span></h3> <p> To determine what access a principal has on a resource, use the Cloud Asset Inventory API's <code translate="no" dir="ltr"><a href="/asset-inventory/docs/reference/rest/v1/TopLevel/analyzeIamPolicy">analyzeIamPolicy</a></code> method. </p> <p> Before using any of the request data, make the following replacements: </p> <ul> <li><code translate="no" dir="ltr"><var translate="no">RESOURCE_TYPE</var></code>: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value <code translate="no" dir="ltr">projects</code>, <code translate="no" dir="ltr">folders</code>, or <code translate="no" dir="ltr">organizations</code>. 
</li> <li><code translate="no" dir="ltr"><var translate="no">RESOURCE_ID</var></code>: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like <code translate="no" dir="ltr">my-project</code>. Folder and organization IDs are numeric, like <code translate="no" dir="ltr">123456789012</code>. </li> <li><code translate="no" dir="ltr"><var translate="no">FULL_RESOURCE_NAME</var></code>: The full resource name of the resource that you want to analyze access for. For a list of full resource name formats, see <a href="/asset-inventory/docs/resource-name-format">Resource name format</a>. </li> <li><code translate="no" dir="ltr"><var translate="no">PRINCIPAL</var></code>: The principal whose access you want to analyze, in the form <code translate="no" dir="ltr"><var translate="no">PRINCIPAL_TYPE</var>:<var translate="no">ID</var></code>—for example, <code translate="no" dir="ltr">user:my-user@example.com</code>. For a full list of the principal types, see <a href="/iam/docs/principal-identifiers">Principal identifiers</a>. </li> </ul> <aside class="note"> <b>Note:</b> If you want more detailed query results, you can <a href="#options">enable advanced options</a>. 
</aside> <p> HTTP method and URL: </p> <section> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="analyzeIamPolicy HTTP method and URL" translate="no" dir="ltr" is-upgraded>POST https://cloudasset.googleapis.com/v1/<var translate="no">RESOURCE_TYPE</var>/<var translate="no">RESOURCE_ID</var>:analyzeIamPolicy</pre></devsite-code> </section> <p> Request JSON body: </p> <section> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="analyzeIamPolicy request body" translate="no" dir="ltr" is-upgraded> { "analysisQuery": { "resourceSelector": { "fullResourceName": "<var translate="no">FULL_RESOURCE_NAME</var>" }, "identitySelector": { "identity": "<var translate="no">PRINCIPAL</var>" } } } </pre></devsite-code> </section> <p>To send your request, expand one of these options:</p> <section class="expandable" > <h4 class="showalways" id="curl-linux,-macos,-or-cloud-shell_2" data-text="curl (Linux, macOS, or Cloud Shell)" tabindex="-1">curl (Linux, macOS, or Cloud Shell)</h4> <aside class="note"><b>Note:</b> The following command assumes that you have logged in to the <code translate="no" dir="ltr">gcloud</code> CLI with your user account by running <a href="/sdk/gcloud/reference/init"><code translate="no" dir="ltr">gcloud init</code></a> or <a href="/sdk/gcloud/reference/auth/login"><code translate="no" dir="ltr">gcloud auth login</code></a> , or by using <a href="/shell/docs">Cloud Shell</a>, which automatically logs you into the <code translate="no" dir="ltr">gcloud</code> CLI . You can check the currently active account by running <a href="/sdk/gcloud/reference/auth/list"><code translate="no" dir="ltr">gcloud auth list</code></a>. 
</aside> <p> Save the request body in a file named <code translate="no" dir="ltr">request.json</code>, and execute the following command: </p> <section><div></div><devsite-code><pre class="devsite-click-to-copy" data-label="analyzeIamPolicy CURL command" translate="no" dir="ltr" is-upgraded>curl -X POST \<br> -H "Authorization: Bearer $(gcloud auth print-access-token)" \<br> -H "X-HTTP-Method-Override: GET" \<br> -H "Content-Type: application/json; charset=utf-8" \<br> -d @request.json \<br> "https://cloudasset.googleapis.com/v1/<var translate="no">RESOURCE_TYPE</var>/<var translate="no">RESOURCE_ID</var>:analyzeIamPolicy"</pre></devsite-code></section> </section> <section class="expandable" > <h4 class="showalways" id="powershell-windows_2" data-text="PowerShell (Windows)" tabindex="-1">PowerShell (Windows)</h4> <aside class="note"><b>Note:</b> The following command assumes that you have logged in to the <code translate="no" dir="ltr">gcloud</code> CLI with your user account by running <a href="/sdk/gcloud/reference/init"><code translate="no" dir="ltr">gcloud init</code></a> or <a href="/sdk/gcloud/reference/auth/login"><code translate="no" dir="ltr">gcloud auth login</code></a> . You can check the currently active account by running <a href="/sdk/gcloud/reference/auth/list"><code translate="no" dir="ltr">gcloud auth list</code></a>. 
</aside> <p> Save the request body in a file named <code translate="no" dir="ltr">request.json</code>, and execute the following command: </p> <section><div></div><devsite-code><pre class="devsite-click-to-copy" data-label="analyzeIamPolicy PowerShell command" translate="no" dir="ltr" is-upgraded>$cred = gcloud auth print-access-token<br>$headers = @{ "Authorization" = "Bearer $cred"; "X-HTTP-Method-Override" = "GET" }<br><br>Invoke-WebRequest `<br> -Method POST `<br> -Headers $headers `<br> -ContentType: "application/json; charset=utf-8" `<br> -InFile request.json `<br> -Uri "https://cloudasset.googleapis.com/v1/<var translate="no">RESOURCE_TYPE</var>/<var translate="no">RESOURCE_ID</var>:analyzeIamPolicy" | Select-Object -Expand Content</pre></devsite-code></section> </section> <section class="expandable" > <h4 class="showalways" id="apis-explorer-browser_2" data-text="APIs Explorer (browser)" tabindex="-1">APIs Explorer (browser)</h4> <p> Copy the request body and open the <a href="/asset-inventory/docs/reference/rest/v1/TopLevel/analyzeIamPolicy" class="external" target="_blank">method reference page</a>. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click <b>Execute</b>. </p> </section> <p> You receive a JSON response with analysis results. Each analysis result describes a relevant IAM role binding, then lists the resource, accesses, and principals in that binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is listed as <code translate="no" dir="ltr">CONDITIONAL</code>. </p> <p> The roles that the principal has on the specified resource are listed in the <code translate="no" dir="ltr">accesses</code> fields in the response. 
The following example shows a single analysis result with the <code translate="no" dir="ltr">accesses</code> field highlighted. </p> <section> <div></div><devsite-code><pre class="readonly" data-label="analyzeIamPolicy sample response" translate="no" dir="ltr" is-upgraded> ... { "attachedResourceFullName": "//cloudresourcemanager.googleapis.com/projects/my-project", "iamBinding": { "role": "roles/iam.serviceAccountUser", "members": [ "user:my-user@example.com" ] }, "accessControlLists": [ { "resources": [ { "fullResourceName": "//cloudresourcemanager.googleapis.com/projects/my-project" } ], <strong>"accesses": [ { "roles": "iam.serviceAccountUser" } ]</strong> } ], "identityList": { "identities": [ { "name": "user:my-user@example.com" } ] }, "fullyExplored": true }, ... </pre></devsite-code> </section> <p> If the request times out before the query finishes, you get a <code translate="no" dir="ltr">DEADLINE_EXCEEDED</code> error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of <code translate="no" dir="ltr">analyzeIamPolicy</code>. For instructions, see <a href="/policy-intelligence/docs/policy-analyzer-write-to-bigquery">Write policy analysis to BigQuery</a> or <a href="/policy-intelligence/docs/policy-analyzer-write-to-gcs">Write policy analysis to Cloud Storage</a>. </p> </section> </div> <h2 id="resource-query" data-text="Determine which resources a principal can access" tabindex="-1">Determine which resources a principal can access</h2> <p>You can use Policy Analyzer to check which resources within your organization a principal has certain roles or permissions on. To get this information, create a query that includes the principal whose access you want to analyze and one or more permissions or roles that you want to check for.</p> <aside class="note"> <p><strong>Note:</strong> Policy Analyzer only supports <a href="/iam/docs/policies">IAM allow policies</a>. 
Results do not account for other access control mechanisms, like IAM deny policies. For more information, see <a href="/policy-intelligence/docs/policy-analyzer-overview#supported-policy-types">Supported policy types</a>. </p> </aside> <div id="policy-analyzer-principal-which-resources-code-sample" class="ds-selector-tabs" data-ds-scope="code-sample"> <section> <h3 id="policy-analyzer-principal-which-resources-console" track-metadata-position="policy-analyzer-principal-which-resources" track-metadata-region-tag="policy-analyzer-principal-which-resources" data-text="Console" tabindex="-1">Console</h3> <ol> <li><p>In the Google Cloud console, go to the <strong>Policy analyzer</strong> page.</p> <p><a class="button button-primary" href="https://console.cloud.google.com/iam-admin/analyzer" target="console" track-type="task" track-name="consoleLink" track-metadata-position="body" track-metadata-end-goal="queryOnPrincipalWithResource"> Go to the Policy analyzer page</a></p></li> <li><p>In the <strong>Analyze policies</strong> section, find the pane labeled <strong>Custom query</strong> and click <strong>Create custom query</strong> in that pane.</p></li> <li><p>In the <strong>Select query scope</strong> field, select the project, folder, or organization that you want to scope the query to. Policy Analyzer will analyze access for that project, folder, or organization, as well as any resources within that project, folder, or organization.</p></li> <li><p>Choose the principal to check and the role or permission to check for:</p> <ol> <li>In the <strong>Parameter 1</strong> field, select <strong>Principal</strong> from the drop-down menu.</li> <li>In the <strong>Principal</strong> field, start typing the name of a user, service account, or group. 
Then, select the user, service account, or group whose access you want to analyze from the list of principals provided.</li> <li>Click <span class="material-icons" aria-hidden="true" translate="no">add</span> <strong>Add selector</strong>.</li> <li>In the <strong>Parameter 2</strong> field, select either <strong>Role</strong> or <strong>Permission</strong>.</li> <li>In the <strong>Select a role</strong> or <strong>Select a permission</strong> field, select the role or permission that you want to check for.</li> <li>Optional: To check for additional roles and permissions, continue adding <strong>Role</strong> and <strong>Permission</strong> selectors until all the roles and permissions that you want to check for are listed.</li> </ol></li> <li><p>Optional: Click <strong>Continue</strong>, then select any <a href="#options">advanced options</a> that you want to enable for this query.</p></li> <li><p>In the <strong>Custom query</strong> pane, click <strong>Analyze <span aria-label="and then">></span> Run query</strong>. The report page shows the query parameters you entered, and a results table of all the resources on which the specified principal has the specified roles or permissions.</p> <p> Policy analysis queries in the Google Cloud console run for up to one minute. After one minute, the Google Cloud console stops the query and displays all available results. If the query didn't finish in that time, the Google Cloud console displays a banner indicating that the results are incomplete. To get more results for these queries, <a href="/policy-intelligence/docs/policy-analyzer-write-to-bigquery">export the results to BigQuery</a>. 
</p></li> </ol> </section> <section> <h3 id="policy-analyzer-principal-which-resources-gcloud" track-metadata-position="policy-analyzer-principal-which-resources" track-metadata-region-tag="policy-analyzer-principal-which-resources" data-text="gcloud" tabindex="-1"><span class="notranslate">gcloud</span></h3> <p> Before using any of the command data below, make the following replacements: </p> <ul> <li><code translate="no" dir="ltr"><var translate="no">RESOURCE_TYPE</var></code>: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value <code translate="no" dir="ltr">project</code>, <code translate="no" dir="ltr">folder</code>, or <code translate="no" dir="ltr">organization</code>. </li> <li><code translate="no" dir="ltr"><var translate="no">RESOURCE_ID</var></code>: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like <code translate="no" dir="ltr">my-project</code>. Folder and organization IDs are numeric, like <code translate="no" dir="ltr">123456789012</code>. </li> <li><code translate="no" dir="ltr"><var translate="no">PRINCIPAL</var></code>: The principal whose access you want to analyze, in the form <code translate="no" dir="ltr"><var translate="no">PRINCIPAL_TYPE</var>:<var translate="no">ID</var></code>—for example, <code translate="no" dir="ltr">user:my-user@example.com</code>. For a full list of the principal types, see <a href="/iam/docs/principal-identifiers">Principal identifiers</a>. </li> <li><code translate="no" dir="ltr"><var translate="no">PERMISSIONS</var></code>: A comma-separated list of the permissions that you want to check for—for example, <code translate="no" dir="ltr">compute.instances.get,compute.instances.start</code>. 
If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.</li> </ul> <aside class="note"> <b>Note:</b> If you want more detailed query results, you can <a href="#options">enable advanced options</a>. </aside> <p> Execute the <a href="/sdk/gcloud/reference/asset/analyze-iam-policy">gcloud asset analyze-iam-policy</a> command: </p> <devsite-expandable expanded> <h4 class="showalways" id="linux,-macos,-or-cloud-shell_3" data-text="Linux, macOS, or Cloud Shell" tabindex="-1">Linux, macOS, or Cloud Shell</h4> <aside class="note"><b>Note:</b> Ensure you have initialized the Google Cloud CLI with authentication and a project by running either <a href="/sdk/gcloud/reference/init">gcloud init</a>; or <a href="/sdk/gcloud/reference/auth/login">gcloud auth login</a> and <a href="/sdk/gcloud/reference/config/set">gcloud config set project</a>. </aside> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="Linux command" translate="no" dir="ltr" is-upgraded syntax="Bash">gcloud<span class="devsite-syntax-w"> </span>asset<span class="devsite-syntax-w"> </span>analyze-iam-policy<span class="devsite-syntax-w"> </span>--<var translate="no">RESOURCE_TYPE</var><span class="devsite-syntax-o">=</span><var translate="no">RESOURCE_ID</var><span class="devsite-syntax-w"> </span><span class="devsite-syntax-se">\</span> <span class="devsite-syntax-w"> </span>--identity<span class="devsite-syntax-o">=</span><var translate="no">PRINCIPAL</var><span class="devsite-syntax-w"> </span><span class="devsite-syntax-se">\</span> <span class="devsite-syntax-w"> </span>--permissions<span class="devsite-syntax-o">=</span><span class="devsite-syntax-s1">'<var translate="no">PERMISSIONS</var>'</span></pre></devsite-code> </devsite-expandable> <devsite-expandable> <h4 class="showalways" id="windows-powershell_3" data-text="Windows (PowerShell)" tabindex="-1">Windows (PowerShell)</h4> <aside class="note"><b>Note:</b> Ensure you have initialized the 
Google Cloud CLI with authentication and a project by running either <a href="/sdk/gcloud/reference/init">gcloud init</a>; or <a href="/sdk/gcloud/reference/auth/login">gcloud auth login</a> and <a href="/sdk/gcloud/reference/config/set">gcloud config set project</a>. </aside> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="PowerShell command" translate="no" dir="ltr" is-upgraded syntax="Bash">gcloud<span class="devsite-syntax-w"> </span>asset<span class="devsite-syntax-w"> </span>analyze-iam-policy<span class="devsite-syntax-w"> </span>--<var translate="no">RESOURCE_TYPE</var><span class="devsite-syntax-o">=</span><var translate="no">RESOURCE_ID</var><span class="devsite-syntax-w"> </span><span class="devsite-syntax-sb">`</span> <span class="devsite-syntax-w"> </span>--identity<span class="devsite-syntax-o">=</span><var translate="no">PRINCIPAL</var><span class="devsite-syntax-w"> </span><span class="devsite-syntax-sb">`</span> <span class="devsite-syntax-w"> </span>--permissions<span class="devsite-syntax-o">=</span><span class="devsite-syntax-s1">'<var translate="no">PERMISSIONS</var>'</span></pre></devsite-code> </devsite-expandable> <devsite-expandable> <h4 class="showalways" id="windows-cmd.exe_3" data-text="Windows (cmd.exe)" tabindex="-1">Windows (cmd.exe)</h4> <aside class="note"><b>Note:</b> Ensure you have initialized the Google Cloud CLI with authentication and a project by running either <a href="/sdk/gcloud/reference/init">gcloud init</a>; or <a href="/sdk/gcloud/reference/auth/login">gcloud auth login</a> and <a href="/sdk/gcloud/reference/config/set">gcloud config set project</a>. </aside> <aside class="note"><b>Note:</b> If this command uses <code translate="no" dir="ltr">'</code> for quoting content, replace these single quotes with double quotes. If quoting is nested, use <code translate="no" dir="ltr">\"</code> to escape the inner quotes. 
</aside> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="cmd.exe command" translate="no" dir="ltr" is-upgraded syntax="Bash">gcloud<span class="devsite-syntax-w"> </span>asset<span class="devsite-syntax-w"> </span>analyze-iam-policy<span class="devsite-syntax-w"> </span>--<var translate="no">RESOURCE_TYPE</var><span class="devsite-syntax-o">=</span><var translate="no">RESOURCE_ID</var><span class="devsite-syntax-w"> </span>^ <span class="devsite-syntax-w"> </span>--identity<span class="devsite-syntax-o">=</span><var translate="no">PRINCIPAL</var><span class="devsite-syntax-w"> </span>^ <span class="devsite-syntax-w"> </span>--permissions<span class="devsite-syntax-o">=</span><span class="devsite-syntax-s1">'<var translate="no">PERMISSIONS</var>'</span></pre></devsite-code> </devsite-expandable> <p> You receive a YAML response with analysis results. Each analysis result lists a set of accesses, identities, and resources that are relevant to your query, followed by the related IAM role binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is <code translate="no" dir="ltr">CONDITIONAL</code>. </p> <p> The resources on which the specified principal has any of the specified permissions are listed in the <code translate="no" dir="ltr">resources</code> fields in the response. The following example shows a single analysis result with the <code translate="no" dir="ltr">resources</code> field highlighted. </p> <section> <div></div><devsite-code><pre class="readonly" data-label="response" translate="no" dir="ltr" is-upgraded> ... 
--- ACLs: - accesses: - permission: compute.instances.get - permission: compute.instances.start identities: - name: user:my-user@example.com <strong>resources: - fullResourceName: //compute.googleapis.com/projects/my-project/global/images/my-image</strong> policy: attachedResource: //compute.googleapis.com/projects/my-project/global/images/my-image binding: members: - user: my-user@example.com role: roles/compute.admin --- ... </pre></devsite-code> </section> <p> If the request times out before the query finishes, you get a <code translate="no" dir="ltr">DEADLINE_EXCEEDED</code> error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of <code translate="no" dir="ltr">analyze-iam-policy</code>. For instructions, see <a href="/policy-intelligence/docs/policy-analyzer-write-to-bigquery">Write policy analysis to BigQuery</a> or <a href="/policy-intelligence/docs/policy-analyzer-write-to-gcs">Write policy analysis to Cloud Storage</a>. </p> </section> <section> <h3 id="policy-analyzer-principal-which-resources-rest" track-metadata-position="policy-analyzer-principal-which-resources" track-metadata-region-tag="policy-analyzer-principal-which-resources" data-text="REST" tabindex="-1"><span class="notranslate">REST</span></h3> <p> To determine which resources a principal can access, use the Cloud Asset Inventory API's <code translate="no" dir="ltr"><a href="/asset-inventory/docs/reference/rest/v1/TopLevel/analyzeIamPolicy">analyzeIamPolicy</a></code> method. </p> <p> Before using any of the request data, make the following replacements: </p> <ul> <li><code translate="no" dir="ltr"><var translate="no">RESOURCE_TYPE</var></code>: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. 
Use the value <code translate="no" dir="ltr">projects</code>, <code translate="no" dir="ltr">folders</code>, or <code translate="no" dir="ltr">organizations</code>. </li> <li><code translate="no" dir="ltr"><var translate="no">RESOURCE_ID</var></code>: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like <code translate="no" dir="ltr">my-project</code>. Folder and organization IDs are numeric, like <code translate="no" dir="ltr">123456789012</code>. </li> <li><code translate="no" dir="ltr"><var translate="no">PRINCIPAL</var></code>: The principal whose access you want to analyze, in the form <code translate="no" dir="ltr"><var translate="no">PRINCIPAL_TYPE</var>:<var translate="no">ID</var></code>—for example, <code translate="no" dir="ltr">user:my-user@example.com</code>. For a full list of the principal types, see <a href="/iam/docs/principal-identifiers">Principal identifiers</a>. </li> <li><code translate="no" dir="ltr"><var translate="no">PERMISSION_1</var></code>, <code translate="no" dir="ltr"><var translate="no">PERMISSION_2</var></code>... <code translate="no" dir="ltr"><var translate="no">PERMISSION_N</var></code>: The permissions that you want to check for—for example, <code translate="no" dir="ltr">compute.instances.get</code>. If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.</li> </ul> <aside class="note"> <b>Note:</b> If you want more detailed query results, you can <a href="#options">enable advanced options</a>. 
</aside> <p> HTTP method and URL: </p> <section> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="analyzeIamPolicy HTTP method and URL" translate="no" dir="ltr" is-upgraded>POST https://cloudasset.googleapis.com/v1/<var translate="no">RESOURCE_TYPE</var>/<var translate="no">RESOURCE_ID</var>:analyzeIamPolicy</pre></devsite-code> </section> <p> Request JSON body: </p> <section> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="analyzeIamPolicy request body" translate="no" dir="ltr" is-upgraded> { "analysisQuery": { "identitySelector": { "identity": "<var translate="no">PRINCIPAL</var>" }, "accessSelector": { "permissions": [ "<var translate="no">PERMISSION_1</var>", "<var translate="no">PERMISSION_2</var>", "<var translate="no">PERMISSION_N</var>" ] } } } </pre></devsite-code> </section> <p>To send your request, expand one of these options:</p> <section class="expandable" > <h4 class="showalways" id="curl-linux,-macos,-or-cloud-shell_3" data-text="curl (Linux, macOS, or Cloud Shell)" tabindex="-1">curl (Linux, macOS, or Cloud Shell)</h4> <aside class="note"><b>Note:</b> The following command assumes that you have logged in to the <code translate="no" dir="ltr">gcloud</code> CLI with your user account by running <a href="/sdk/gcloud/reference/init"><code translate="no" dir="ltr">gcloud init</code></a> or <a href="/sdk/gcloud/reference/auth/login"><code translate="no" dir="ltr">gcloud auth login</code></a> , or by using <a href="/shell/docs">Cloud Shell</a>, which automatically logs you into the <code translate="no" dir="ltr">gcloud</code> CLI . You can check the currently active account by running <a href="/sdk/gcloud/reference/auth/list"><code translate="no" dir="ltr">gcloud auth list</code></a>. 
</aside> <p> Save the request body in a file named <code translate="no" dir="ltr">request.json</code>, and execute the following command: </p> <section><div></div><devsite-code><pre class="devsite-click-to-copy" data-label="analyzeIamPolicy CURL command" translate="no" dir="ltr" is-upgraded>curl -X POST \<br> -H "Authorization: Bearer $(gcloud auth print-access-token)" \<br> -H "X-HTTP-Method-Override: GET" \<br> -H "Content-Type: application/json; charset=utf-8" \<br> -d @request.json \<br> "https://cloudasset.googleapis.com/v1/<var translate="no">RESOURCE_TYPE</var>/<var translate="no">RESOURCE_ID</var>:analyzeIamPolicy"</pre></devsite-code></section> </section> <section class="expandable" > <h4 class="showalways" id="powershell-windows_3" data-text="PowerShell (Windows)" tabindex="-1">PowerShell (Windows)</h4> <aside class="note"><b>Note:</b> The following command assumes that you have logged in to the <code translate="no" dir="ltr">gcloud</code> CLI with your user account by running <a href="/sdk/gcloud/reference/init"><code translate="no" dir="ltr">gcloud init</code></a> or <a href="/sdk/gcloud/reference/auth/login"><code translate="no" dir="ltr">gcloud auth login</code></a> . You can check the currently active account by running <a href="/sdk/gcloud/reference/auth/list"><code translate="no" dir="ltr">gcloud auth list</code></a>. 
</aside> <p> Save the request body in a file named <code translate="no" dir="ltr">request.json</code>, and execute the following command: </p> <section><div></div><devsite-code><pre class="devsite-click-to-copy" data-label="analyzeIamPolicy PowerShell command" translate="no" dir="ltr" is-upgraded>$cred = gcloud auth print-access-token<br>$headers = @{ "Authorization" = "Bearer $cred"; "X-HTTP-Method-Override" = "GET" }<br><br>Invoke-WebRequest `<br> -Method POST `<br> -Headers $headers `<br> -ContentType: "application/json; charset=utf-8" `<br> -InFile request.json `<br> -Uri "https://cloudasset.googleapis.com/v1/<var translate="no">RESOURCE_TYPE</var>/<var translate="no">RESOURCE_ID</var>:analyzeIamPolicy" | Select-Object -Expand Content</pre></devsite-code></section> </section> <section class="expandable" > <h4 class="showalways" id="apis-explorer-browser_3" data-text="APIs Explorer (browser)" tabindex="-1">APIs Explorer (browser)</h4> <p> Copy the request body and open the <a href="/asset-inventory/docs/reference/rest/v1/TopLevel/analyzeIamPolicy" class="external" target="_blank">method reference page</a>. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click <b>Execute</b>. </p> </section> <p> You receive a JSON response with analysis results. Each analysis result describes a relevant IAM role binding, then lists the resource, accesses, and principals in that binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is listed as <code translate="no" dir="ltr">CONDITIONAL</code>. </p> <p> The resources on which the specified principal has any of the specified permissions are listed in the <code translate="no" dir="ltr">resources</code> fields in the response. 
The following example shows a single analysis result with the <code translate="no" dir="ltr">resources</code> field highlighted. </p> <section> <div></div><devsite-code><pre class="readonly" data-label="analyzeIamPolicy sample response" translate="no" dir="ltr" is-upgraded> ... { "attachedResourceFullName": "//compute.googleapis.com/projects/my-project/global/images/my-image", "iamBinding": { "role": "roles/compute.admin", "members": [ "user:my-user@example.com" ] }, "accessControlLists": [ { <strong>"resources": [ { "fullResourceName": "//compute.googleapis.com/projects/my-project/global/images/my-image" } ],</strong> "accesses": [ { "permission": "compute.instances.get" }, { "permission": "compute.instances.start" } ] } ], "identityList": { "identities": [ { "name": "user:my-user@example.com" } ] }, "fullyExplored": true }, ... </pre></devsite-code> </section> <p> If the request times out before the query finishes, you get a <code translate="no" dir="ltr">DEADLINE_EXCEEDED</code> error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of <code translate="no" dir="ltr">analyzeIamPolicy</code>. For instructions, see <a href="/policy-intelligence/docs/policy-analyzer-write-to-bigquery">Write policy analysis to BigQuery</a> or <a href="/policy-intelligence/docs/policy-analyzer-write-to-gcs">Write policy analysis to Cloud Storage</a>. </p> </section> </div> <h2 id="conditional-access" data-text="Determine access at a specific time" tabindex="-1">Determine access at a specific time</h2> <p>If given enough context, Policy Analyzer can analyze <a href="/iam/docs/conditions-overview">IAM conditional role bindings</a> that only grant access at specific times. These conditions are called <a href="/iam/docs/conditions-overview#example-date-time">date/time conditions</a>. 
For Policy Analyzer to accurately analyze role bindings with date/time conditions, you need to define the access time in the request.</p> <p>Policy Analyzer can also analyze <a href="/iam/docs/conditions-overview#resource_attributes">resource conditions</a> with no additional user input. For more information about how Policy Analyzer works with conditions, see <a href="/policy-intelligence/docs/policy-analyzer-overview#conditions">Conditional access</a>.</p> <aside class="note"> <p><strong>Note:</strong> Policy Analyzer only supports <a href="/iam/docs/policies">IAM allow policies</a>. Results do not account for other access control mechanisms, like IAM deny policies. For more information, see <a href="/policy-intelligence/docs/policy-analyzer-overview#supported-policy-types">Supported policy types</a>. </p> </aside> <div id="policy-analyzer-principal-resource-access-code-sample" class="ds-selector-tabs" data-ds-scope="code-sample"> <section> <h3 id="policy-analyzer-principal-resource-access-gcloud" track-metadata-position="policy-analyzer-principal-resource-access" track-metadata-region-tag="policy-analyzer-principal-resource-access" data-text="gcloud" tabindex="-1"><span class="notranslate">gcloud</span></h3> <p> Before using any of the command data below, make the following replacements: </p> <ul> <li><code translate="no" dir="ltr"><var translate="no">RESOURCE_TYPE</var></code>: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value <code translate="no" dir="ltr">project</code>, <code translate="no" dir="ltr">folder</code>, or <code translate="no" dir="ltr">organization</code>. </li> <li><code translate="no" dir="ltr"><var translate="no">RESOURCE_ID</var></code>: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. 
Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like <code translate="no" dir="ltr">my-project</code>. Folder and organization IDs are numeric, like <code translate="no" dir="ltr">123456789012</code>. </li> <li><code translate="no" dir="ltr"><var translate="no">PRINCIPAL</var></code>: The principal whose access you want to analyze, in the form <code translate="no" dir="ltr"><var translate="no">PRINCIPAL_TYPE</var>:<var translate="no">ID</var></code>—for example, <code translate="no" dir="ltr">user:my-user@example.com</code>. For a full list of the principal types, see <a href="/iam/docs/principal-identifiers">Principal identifiers</a>. </li> <li> <code translate="no" dir="ltr"><var translate="no">FULL_RESOURCE_NAME</var></code>: Optional. The full resource name of the resource that you want to analyze access for. For a list of full resource name formats, see <a href="/asset-inventory/docs/resource-name-format">Resource name format</a>. </li> <li><code translate="no" dir="ltr"><var translate="no">PERMISSIONS</var></code>: Optional. A comma-separated list of the permissions that you want to check for—for example, <code translate="no" dir="ltr">compute.instances.get,compute.instances.start</code>. If you list multiple permissions, Policy Analyzer will check for any of the permissions listed.</li> <li><code translate="no" dir="ltr"><var translate="no">ACCESS_TIME</var></code>: The time that you want to check. This time must be in the future. Use a timestamp in <a href="https://www.ietf.org/rfc/rfc3339.txt" class="external">RFC 3339</a> format—for example, <code translate="no" dir="ltr">2099-02-01T00:00:00Z</code>. </li> </ul> <aside class="note"> <b>Note:</b> If you want more detailed query results, you can <a href="#options">enable advanced options</a>. 
</aside> <p> Execute the <a href="/sdk/gcloud/reference/asset/analyze-iam-policy">gcloud asset analyze-iam-policy</a> command: </p> <devsite-expandable expanded> <h4 class="showalways" id="linux,-macos,-or-cloud-shell_4" data-text="Linux, macOS, or Cloud Shell" tabindex="-1">Linux, macOS, or Cloud Shell</h4> <aside class="note"><b>Note:</b> Ensure you have initialized the Google Cloud CLI with authentication and a project by running either <a href="/sdk/gcloud/reference/init">gcloud init</a>; or <a href="/sdk/gcloud/reference/auth/login">gcloud auth login</a> and <a href="/sdk/gcloud/reference/config/set">gcloud config set project</a>. </aside> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="Linux command" translate="no" dir="ltr" is-upgraded syntax="Bash">gcloud<span class="devsite-syntax-w"> </span>asset<span class="devsite-syntax-w"> </span>analyze-iam-policy<span class="devsite-syntax-w"> </span>--<var translate="no">RESOURCE_TYPE</var><span class="devsite-syntax-o">=</span><var translate="no">RESOURCE_ID</var><span class="devsite-syntax-w"> </span><span class="devsite-syntax-se">\</span> <span class="devsite-syntax-w"> </span>--identity<span class="devsite-syntax-o">=</span><var translate="no">PRINCIPAL</var><span class="devsite-syntax-w"> </span><span class="devsite-syntax-se">\</span> <span class="devsite-syntax-w"> </span>--full-resource-name<span class="devsite-syntax-o">=</span><var translate="no">FULL_RESOURCE_NAME</var><span class="devsite-syntax-w"> </span><span class="devsite-syntax-se">\</span> <span class="devsite-syntax-w"> </span>--permissions<span class="devsite-syntax-o">=</span><span class="devsite-syntax-s1">'<var translate="no">PERMISSIONS</var>'</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-se">\</span> <span class="devsite-syntax-w"> </span>--access-time<span class="devsite-syntax-o">=</span><var translate="no">ACCESS_TIME</var></pre></devsite-code> </devsite-expandable> 
<devsite-expandable> <h4 class="showalways" id="windows-powershell_4" data-text="Windows (PowerShell)" tabindex="-1">Windows (PowerShell)</h4> <aside class="note"><b>Note:</b> Ensure you have initialized the Google Cloud CLI with authentication and a project by running either <a href="/sdk/gcloud/reference/init">gcloud init</a>; or <a href="/sdk/gcloud/reference/auth/login">gcloud auth login</a> and <a href="/sdk/gcloud/reference/config/set">gcloud config set project</a>. </aside> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="PowerShell command" translate="no" dir="ltr" is-upgraded syntax="Bash">gcloud<span class="devsite-syntax-w"> </span>asset<span class="devsite-syntax-w"> </span>analyze-iam-policy<span class="devsite-syntax-w"> </span>--<var translate="no">RESOURCE_TYPE</var><span class="devsite-syntax-o">=</span><var translate="no">RESOURCE_ID</var><span class="devsite-syntax-w"> </span><span class="devsite-syntax-sb">`</span> <span class="devsite-syntax-w"> </span>--identity<span class="devsite-syntax-o">=</span><var translate="no">PRINCIPAL</var><span class="devsite-syntax-w"> </span><span class="devsite-syntax-sb">`</span> <span class="devsite-syntax-w"> </span>--full-resource-name<span class="devsite-syntax-o">=</span><var translate="no">FULL_RESOURCE_NAME</var><span class="devsite-syntax-w"> </span><span class="devsite-syntax-sb">`</span> <span class="devsite-syntax-w"> </span>--permissions<span class="devsite-syntax-o">=</span><span class="devsite-syntax-s1">'<var translate="no">PERMISSIONS</var>'</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-sb">`</span> <span class="devsite-syntax-w"> </span>--access-time<span class="devsite-syntax-o">=</span><var translate="no">ACCESS_TIME</var></pre></devsite-code> </devsite-expandable> <devsite-expandable> <h4 class="showalways" id="windows-cmd.exe_4" data-text="Windows (cmd.exe)" tabindex="-1">Windows (cmd.exe)</h4> <aside class="note"><b>Note:</b> Ensure you 
have initialized the Google Cloud CLI with authentication and a project by running either <a href="/sdk/gcloud/reference/init">gcloud init</a>; or <a href="/sdk/gcloud/reference/auth/login">gcloud auth login</a> and <a href="/sdk/gcloud/reference/config/set">gcloud config set project</a>. </aside> <aside class="note"><b>Note:</b> If this command uses <code translate="no" dir="ltr">'</code> for quoting content, replace these single quotes with double quotes. If quoting is nested, use <code translate="no" dir="ltr">\"</code> to escape the inner quotes. </aside> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="cmd.exe command" translate="no" dir="ltr" is-upgraded syntax="Bash">gcloud<span class="devsite-syntax-w"> </span>asset<span class="devsite-syntax-w"> </span>analyze-iam-policy<span class="devsite-syntax-w"> </span>--<var translate="no">RESOURCE_TYPE</var><span class="devsite-syntax-o">=</span><var translate="no">RESOURCE_ID</var><span class="devsite-syntax-w"> </span>^ <span class="devsite-syntax-w"> </span>--identity<span class="devsite-syntax-o">=</span><var translate="no">PRINCIPAL</var><span class="devsite-syntax-w"> </span>^ <span class="devsite-syntax-w"> </span>--full-resource-name<span class="devsite-syntax-o">=</span><var translate="no">FULL_RESOURCE_NAME</var><span class="devsite-syntax-w"> </span>^ <span class="devsite-syntax-w"> </span>--permissions<span class="devsite-syntax-o">=</span><span class="devsite-syntax-s1">'<var translate="no">PERMISSIONS</var>'</span><span class="devsite-syntax-w"> </span>^ <span class="devsite-syntax-w"> </span>--access-time<span class="devsite-syntax-o">=</span><var translate="no">ACCESS_TIME</var></pre></devsite-code> </devsite-expandable> <p> You receive a YAML response with analysis results. Each analysis result lists a set of accesses, identities, and resources that are relevant to your query, followed by the related IAM role binding. 
If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is <code translate="no" dir="ltr">CONDITIONAL</code>. </p> <p> When you include the access time in the request, Policy Analyzer can evaluate date/time conditions. If the condition evaluates to false, that role is not included in the response. If the condition evaluates to true, the result of the condition evaluation is listed as <code translate="no" dir="ltr">TRUE</code>. </p> <section> <div></div><devsite-code><pre class="readonly" data-label="response" translate="no" dir="ltr" is-upgraded> ... --- ACLs: - accesses: - permission: compute.instances.get - permission: compute.instances.start conditionEvaluationValue: 'TRUE' identities: - name: user:my-user@example.com resources: - fullResourceName: //cloudresourcemanager.googleapis.com/projects/my-project policy: attachedResource: //cloudresourcemanager.googleapis.com/projects/my-project binding: condition: expression: request.time.getHours("America/Los_Angeles") >= 5 title: No access before 5am PST members: - user: my-user@example.com role: roles/compute.admin --- ... </pre></devsite-code> </section> <p> If the request times out before the query finishes, you get a <code translate="no" dir="ltr">DEADLINE_EXCEEDED</code> error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of <code translate="no" dir="ltr">analyze-iam-policy</code>. For instructions, see <a href="/policy-intelligence/docs/policy-analyzer-write-to-bigquery">Write policy analysis to BigQuery</a> or <a href="/policy-intelligence/docs/policy-analyzer-write-to-gcs">Write policy analysis to Cloud Storage</a>. 
</p> </section> <section> <h3 id="policy-analyzer-principal-resource-access-rest" track-metadata-position="policy-analyzer-principal-resource-access" track-metadata-region-tag="policy-analyzer-principal-resource-access" data-text="REST" tabindex="-1"><span class="notranslate">REST</span></h3> <p> To determine which principals will have certain permissions on a resource at a specific time, use the Cloud Asset Inventory API's <code translate="no" dir="ltr"><a href="/asset-inventory/docs/reference/rest/v1/TopLevel/analyzeIamPolicy">analyzeIamPolicy</a></code> method. </p> <p> Before using any of the request data, make the following replacements: </p> <ul> <li><code translate="no" dir="ltr"><var translate="no">RESOURCE_TYPE</var></code>: The type of the resource that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Use the value <code translate="no" dir="ltr">projects</code>, <code translate="no" dir="ltr">folders</code>, or <code translate="no" dir="ltr">organizations</code>. </li> <li><code translate="no" dir="ltr"><var translate="no">RESOURCE_ID</var></code>: The ID of the Google Cloud project, folder, or organization that you want to scope your search to. Only IAM allow policies attached to this resource and to its descendants will be analyzed. Project IDs are alphanumeric strings, like <code translate="no" dir="ltr">my-project</code>. Folder and organization IDs are numeric, like <code translate="no" dir="ltr">123456789012</code>. </li> <li><code translate="no" dir="ltr"><var translate="no">PERMISSION_1</var></code>, <code translate="no" dir="ltr"><var translate="no">PERMISSION_2</var></code>... <code translate="no" dir="ltr"><var translate="no">PERMISSION_N</var></code>: Optional. The permissions that you want to check for—for example, <code translate="no" dir="ltr">compute.instances.get</code>. 
If you list multiple permissions, Policy Analyzer will check for any of the permissions listed. </li> <li> <code translate="no" dir="ltr"><var translate="no">FULL_RESOURCE_NAME</var></code>: Optional. The full resource name of the resource that you want to analyze access for. For a list of full resource name formats, see <a href="/asset-inventory/docs/resource-name-format">Resource name format</a>. </li> <li><code translate="no" dir="ltr"><var translate="no">ACCESS_TIME</var></code>: The time that you want to check. This time must be in the future. Use a timestamp in <a href="https://www.ietf.org/rfc/rfc3339.txt" class="external">RFC 3339</a> format—for example, <code translate="no" dir="ltr">2099-02-01T00:00:00Z</code>. </li> </ul> <aside class="note"> <b>Note:</b> If you want more detailed query results, you can <a href="#options">enable advanced options</a>. 
</aside> <p> HTTP method and URL: </p> <section> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="analyzeIamPolicy HTTP method and URL" translate="no" dir="ltr" is-upgraded>POST https://cloudasset.googleapis.com/v1/<var translate="no">RESOURCE_TYPE</var>/<var translate="no">RESOURCE_ID</var>:analyzeIamPolicy</pre></devsite-code> </section> <p> Request JSON body: </p> <section> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="analyzeIamPolicy request body" translate="no" dir="ltr" is-upgraded> { "analysisQuery": { "identitySelector": { "identity": "<var translate="no">PRINCIPAL</var>" }, "resourceSelector": { "fullResourceName": "<var translate="no">FULL_RESOURCE_NAME</var>" }, "accessSelector": { "permissions": [ "<var translate="no">PERMISSION_1</var>", "<var translate="no">PERMISSION_2</var>", "<var translate="no">PERMISSION_N</var>" ] }, "conditionContext": { "accessTime": "<var translate="no">ACCESS_TIME</var>" } } } </pre></devsite-code> </section> <p>To send your request, expand one of these options:</p> <section class="expandable"> <h4 class="showalways" id="curl-linux,-macos,-or-cloud-shell_4" data-text="curl (Linux, macOS, or Cloud Shell)" tabindex="-1">curl (Linux, macOS, or Cloud Shell)</h4> <aside class="note"><b>Note:</b> The following command assumes that you have logged in to the <code translate="no" dir="ltr">gcloud</code> CLI with your user account by running <a href="/sdk/gcloud/reference/init"><code translate="no" dir="ltr">gcloud init</code></a> or <a href="/sdk/gcloud/reference/auth/login"><code translate="no" dir="ltr">gcloud auth login</code></a>, or by using <a href="/shell/docs">Cloud Shell</a>, which automatically logs you into the <code translate="no" dir="ltr">gcloud</code> CLI. You can check the currently active account by running <a href="/sdk/gcloud/reference/auth/list"><code translate="no" dir="ltr">gcloud auth list</code></a>. 
</aside> <p> Save the request body in a file named <code translate="no" dir="ltr">request.json</code>, and execute the following command: </p> <section><div></div><devsite-code><pre class="devsite-click-to-copy" data-label="analyzeIamPolicy CURL command" translate="no" dir="ltr" is-upgraded>curl -X POST \<br> -H "Authorization: Bearer $(gcloud auth print-access-token)" \<br> -H "X-HTTP-Method-Override: GET" \<br> -H "Content-Type: application/json; charset=utf-8" \<br> -d @request.json \<br> "https://cloudasset.googleapis.com/v1/<var translate="no">RESOURCE_TYPE</var>/<var translate="no">RESOURCE_ID</var>:analyzeIamPolicy"</pre></devsite-code></section> </section> <section class="expandable"> <h4 class="showalways" id="powershell-windows_4" data-text="PowerShell (Windows)" tabindex="-1">PowerShell (Windows)</h4> <aside class="note"><b>Note:</b> The following command assumes that you have logged in to the <code translate="no" dir="ltr">gcloud</code> CLI with your user account by running <a href="/sdk/gcloud/reference/init"><code translate="no" dir="ltr">gcloud init</code></a> or <a href="/sdk/gcloud/reference/auth/login"><code translate="no" dir="ltr">gcloud auth login</code></a>. You can check the currently active account by running <a href="/sdk/gcloud/reference/auth/list"><code translate="no" dir="ltr">gcloud auth list</code></a>. 
</aside> <p> Save the request body in a file named <code translate="no" dir="ltr">request.json</code>, and execute the following command: </p> <section><div></div><devsite-code><pre class="devsite-click-to-copy" data-label="analyzeIamPolicy PowerShell command" translate="no" dir="ltr" is-upgraded>$cred = gcloud auth print-access-token<br>$headers = @{ "Authorization" = "Bearer $cred"; "X-HTTP-Method-Override" = "GET" }<br><br>Invoke-WebRequest `<br> -Method POST `<br> -Headers $headers `<br> -ContentType: "application/json; charset=utf-8" `<br> -InFile request.json `<br> -Uri "https://cloudasset.googleapis.com/v1/<var translate="no">RESOURCE_TYPE</var>/<var translate="no">RESOURCE_ID</var>:analyzeIamPolicy" | Select-Object -Expand Content</pre></devsite-code></section> </section> <section class="expandable" > <h4 class="showalways" id="apis-explorer-browser_4" data-text="APIs Explorer (browser)" tabindex="-1">APIs Explorer (browser)</h4> <p> Copy the request body and open the <a href="/asset-inventory/docs/reference/rest/v1/TopLevel/analyzeIamPolicy" class="external" target="_blank">method reference page</a>. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click <b>Execute</b>. </p> </section> <p> You receive a JSON response with analysis results. Each analysis result describes a relevant IAM role binding, then lists the resource, accesses, and principals in that binding. If the role binding is conditional, the analysis result also includes the result of the condition evaluation. If the condition couldn't be evaluated, the result is listed as <code translate="no" dir="ltr">CONDITIONAL</code>. </p> <p> When you include the access time in the request, Policy Analyzer can evaluate date/time conditions. If the condition evaluates to false, that role is not included in the response. 
If the condition evaluates to true, the condition evaluation value in the analysis response is <code translate="no" dir="ltr">TRUE</code>. </p> <section> <div></div><devsite-code><pre class="readonly" data-label="analyzeIamPolicy sample response" translate="no" dir="ltr" is-upgraded> ... { "attachedResourceFullName": "//cloudresourcemanager.googleapis.com/projects/my-project", "iamBinding": { "role": "roles/compute.admin", "members": [ "user:my-user@example.com" ], "condition": { "expression": "request.time.getHours(\"America/Los_Angeles\") \u003e= 5", "title": "No access before 5am PST" } }, "accessControlLists": [ { "resources": [ { "fullResourceName": "//cloudresourcemanager.googleapis.com/projects/my-project" } ], "accesses": [ { "permission": "compute.instances.get" }, { "permission": "compute.instances.start" } ], "conditionEvaluation": { "evaluationValue": "TRUE" } } ], "identityList": { "identities": [ { "name": "user:my-user@example.com" } ] }, "fullyExplored": true }, ... </pre></devsite-code> </section> <p> If the request times out before the query finishes, you get a <code translate="no" dir="ltr">DEADLINE_EXCEEDED</code> error. To get more results for these queries, write the results to either BigQuery or Cloud Storage using the long-running version of <code translate="no" dir="ltr">analyzeIamPolicy</code>. For instructions, see <a href="/policy-intelligence/docs/policy-analyzer-write-to-bigquery">Write policy analysis to BigQuery</a> or <a href="/policy-intelligence/docs/policy-analyzer-write-to-gcs">Write policy analysis to Cloud Storage</a>. 
</p> </section> </div> <h2 id="options" data-text="Enable options" tabindex="-1">Enable options</h2> <p>You can enable the following options to receive more detailed query results.</p> <div id="policy-analyzer-options-code-sample" class="ds-selector-tabs" data-ds-scope="code-sample"> <section> <h3 id="policy-analyzer-options-console" track-metadata-position="policy-analyzer-options" track-metadata-region-tag="policy-analyzer-options" data-text="Console" tabindex="-1">Console</h3> <table> <thead> <tr> <th>Option</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>List resources within resource(s) matching your query</td> <td> If you enable this option, the query results list up to 1,000 relevant <a href="/resource-manager/docs/cloud-platform-resource-hierarchy">descendant resources</a> for any parent resources (projects, folders, and organizations) in the query results. </td> </tr> <tr> <td>List individual users inside groups</td> <td> <p> If you enable this option, any groups in the query results are expanded into individual members. If you have sufficient group permissions, nested groups will also be expanded. This expansion is capped at 1,000 members per group. </p> <p> This option is only available if you don't specify a principal in your query. </p> </td> </tr> <tr> <td>List permissions inside roles</td> <td> <p> If you enable this option, the query results list all permissions inside each role in addition to the role itself. </p> <p> This option is only available if you don't specify any permissions or roles in your query. </p> </td> </tr> </tbody> </table> </section> <section> <h3 id="policy-analyzer-options-gcloud" track-metadata-position="policy-analyzer-options" track-metadata-region-tag="policy-analyzer-options" data-text="gcloud" tabindex="-1"><span class="notranslate">gcloud</span></h3> <p>This section describes several common flags that you can add when you use the gcloud CLI to analyze allow policies. 
For a full list of options, see <a href="/sdk/gcloud/reference/asset/analyze-iam-policy#OPTIONAL-FLAGS">Optional flags</a>.</p> <table> <thead> <tr> <th>Flag</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code translate="no" dir="ltr">--analyze-service-account-impersonation</code></td> <td> <p> If this option is enabled, Policy Analyzer runs additional analysis queries to determine who can impersonate the service accounts that have the specified access to the specified resources. Policy Analyzer runs one query for each service account in query results. These queries analyze who has any of the following permissions on the service account:</p> <ul> <li><code translate="no" dir="ltr">iam.serviceAccounts.actAs</code></li> <li><code translate="no" dir="ltr">iam.serviceAccounts.getAccessToken</code></li> <li><code translate="no" dir="ltr">iam.serviceAccounts.getOpenIdToken</code></li> <li><code translate="no" dir="ltr">iam.serviceAccounts.implicitDelegation</code></li> <li><code translate="no" dir="ltr">iam.serviceAccounts.signBlob</code></li> <li><code translate="no" dir="ltr">iam.serviceAccounts.signJwt</code></li> </ul> <p> This is a very expensive operation, because it automatically executes many queries. We highly recommend that you <a href="/policy-intelligence/docs/policy-analyzer-write-to-bigquery">export to BigQuery</a> or <a href="/policy-intelligence/docs/policy-analyzer-write-to-gcs">export to Cloud Storage</a> using <code translate="no" dir="ltr">analyze-iam-policy-longrunning</code> instead of using <code translate="no" dir="ltr">analyze-iam-policy</code>. </p> </td> </tr> <tr> <td><code translate="no" dir="ltr">--expand-groups</code></td> <td> <p> If you enable this option, any groups in the query results are expanded into individual members. If you have sufficient group permissions, nested groups will also be expanded. This expansion is capped at 1,000 members per group. 
</p> <p> This option is only effective if you don't specify a principal in your query. </p> </td> </tr> <tr> <td><code translate="no" dir="ltr">--expand-resources</code></td> <td> If you enable this option, the query results list up to 1,000 relevant <a href="/resource-manager/docs/cloud-platform-resource-hierarchy">descendant resources</a> for any parent resources (projects, folders, and organizations) in the query results. </td> </tr> <tr> <td><code translate="no" dir="ltr">--expand-roles</code></td> <td> <p> If you enable this option, the query results list all permissions inside each role in addition to the role itself. </p> <p> This option is only available if you don't specify any permissions or roles in your query. </p> </td> </tr> <tr> <td><code translate="no" dir="ltr">--output-group-edges</code></td> <td> If you enable this option, the query results output the relevant membership relationships between groups. </td> </tr> <tr> <td><code translate="no" dir="ltr">--output-resource-edges</code></td> <td> If you enable this option, the query results output the relevant parent/child relationships between resources. </td> </tr> </tbody> </table> </section> <section> <h3 id="policy-analyzer-options-rest" track-metadata-position="policy-analyzer-options" track-metadata-region-tag="policy-analyzer-options" data-text="REST" tabindex="-1"><span class="notranslate">REST</span></h3> <p>To enable any options, first add an <code translate="no" dir="ltr">options</code> field to your analysis query. 
For example:</p> <div></div><devsite-code><pre class="devsite-click-to-copy devsite-code-highlight" translate="no" dir="ltr" is-upgraded syntax="JSON"><span class="devsite-syntax-p">{</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-nt">"analysisQuery"</span><span class="devsite-syntax-p">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">{</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-nt">"resourceSelector"</span><span class="devsite-syntax-p">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">{</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-nt">"fullResourceName"</span><span class="devsite-syntax-p">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"//cloudresourcemanager.googleapis.com/projects/my-project"</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">},</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-nt">"accessSelector"</span><span class="devsite-syntax-p">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">{</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-nt">"permissions"</span><span class="devsite-syntax-p">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">[</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"iam.roles.get"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"iam.roles.list"</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">]</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">},</span> <span class="devsite-syntax-w"> </span><strong><span class="devsite-syntax-nt">"options"</span><span class="devsite-syntax-p">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">{</span> <span 
class="devsite-syntax-w"> </span><var translate="no"><span class="devsite-syntax-err">OPTIONS</span></var> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">}</span></strong> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">}</span> <span class="devsite-syntax-p">}</span></pre></devsite-code> <p>Replace <code translate="no" dir="ltr"><var translate="no">OPTIONS</var></code> with the options that you want to enable, in the form <code translate="no" dir="ltr">"<var translate="no">OPTION</var>": true</code>. The following table describes the available options:</p> <table> <thead> <tr> <th>Option</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code translate="no" dir="ltr">analyzeServiceAccountImpersonation</code></td> <td> <p> If this option is enabled, Policy Analyzer runs additional analysis queries to determine who can impersonate the service accounts that have the specified access to the specified resources. Policy Analyzer runs one query for each service account in query results. These queries analyze who has any of the following permissions on the service account:</p> <ul> <li><code translate="no" dir="ltr">iam.serviceAccounts.actAs</code></li> <li><code translate="no" dir="ltr">iam.serviceAccounts.getAccessToken</code></li> <li><code translate="no" dir="ltr">iam.serviceAccounts.getOpenIdToken</code></li> <li><code translate="no" dir="ltr">iam.serviceAccounts.implicitDelegation</code></li> <li><code translate="no" dir="ltr">iam.serviceAccounts.signBlob</code></li> <li><code translate="no" dir="ltr">iam.serviceAccounts.signJwt</code></li> </ul> <p> This is a very expensive operation, because it automatically executes many queries. 
We highly recommend that you <a href="/policy-intelligence/docs/policy-analyzer-write-to-bigquery">export to BigQuery</a> or <a href="/policy-intelligence/docs/policy-analyzer-write-to-gcs">export to Cloud Storage</a> using <code translate="no" dir="ltr">AnalyzeIamPolicyLongrunning</code> instead of using <code translate="no" dir="ltr">AnalyzeIamPolicy</code>. </p> </td> </tr> <tr> <td><code translate="no" dir="ltr">expandGroups</code></td> <td> <p> If you enable this option, any groups in the query results are expanded into individual members. If you have sufficient group permissions, nested groups will also be expanded. This expansion is capped at 1,000 members per group. </p> <p> This option is only effective if you don't specify a principal in your query. </p> </td> </tr> <tr> <td><code translate="no" dir="ltr">expandResources</code></td> <td> If you enable this option, the query results list up to 1,000 relevant <a href="/resource-manager/docs/cloud-platform-resource-hierarchy">descendant resources</a> for any parent resources (projects, folders, and organizations) in the query results. </td> </tr> <tr> <td><code translate="no" dir="ltr">expandRoles</code></td> <td> <p> If you enable this option, the query results list all permissions inside each role in addition to the role itself. </p> <p> This option is only available if you don't specify any permissions or roles in your query. </p> </td> </tr> <tr> <td><code translate="no" dir="ltr">outputGroupEdges</code></td> <td> If you enable this option, the query results output the relevant membership relationships between groups. </td> </tr> <tr> <td><code translate="no" dir="ltr">outputResourceEdges</code></td> <td> If you enable this option, the query results output the relevant parent/child relationships between resources. 
</td> </tr> </tbody> </table> </section> </div> <h2 id="whats-next" data-text="What's next" tabindex="-1">What's next</h2> <ul> <li>Learn how to use <a href="/asset-inventory/docs/reference/rest/v1/TopLevel/analyzeIamPolicyLongrunning"><code translate="no" dir="ltr">AnalyzeIamPolicyLongrunning</code></a> to <a href="/policy-intelligence/docs/policy-analyzer-write-to-bigquery">write to BigQuery</a> or <a href="/policy-intelligence/docs/policy-analyzer-write-to-gcs">write to Cloud Storage</a>.</li> <li>See how you can use the REST API to <a href="/policy-intelligence/docs/policy-analyzer-saved-queries">save Policy Analysis queries</a>.</li> <li>Explore the available <a href="/policy-intelligence/docs/access-troubleshooters">access troubleshooting tools</a>, which you can use to figure out why a principal doesn't have a certain type of access.</li> </ul> <devsite-hats-survey class="nocontent" hats-id="Nd7nTix2o0eU5NUYprb0ThtUc5jf" listnr-id="83405"></devsite-hats-survey> </div> <devsite-thumb-rating position="footer"> </devsite-thumb-rating> <devsite-feedback position="footer" project-name="Policy Intelligence" product-id="717553" bucket="Policy Intelligence Documentation" context="" version="t-devsite-webserver-20241114-r00-rc02.464922260396498922" data-label="Send Feedback Button" track-type="feedback" track-name="sendFeedbackLink" track-metadata-position="footer" class="nocontent" project-icon="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/cloud/images/favicons/onecloud/super_cloud.png" > <button> Send feedback </button> </devsite-feedback> <div class="devsite-floating-action-buttons"> </div> </article> <devsite-content-footer class="nocontent"> <p>Except as otherwise noted, the content of this page is licensed under the <a href="https://creativecommons.org/licenses/by/4.0/">Creative Commons Attribution 4.0 License</a>, and code samples are licensed under the <a 
href="https://www.apache.org/licenses/LICENSE-2.0">Apache 2.0 License</a>. For details, see the <a href="https://developers.google.com/site-policies">Google Developers Site Policies</a>. Java is a registered trademark of Oracle and/or its affiliates.</p> <p>Last updated 2024-11-26 UTC.</p> </devsite-content-footer> <devsite-notification > </devsite-notification> <div class="devsite-content-data"> <template class="devsite-thumb-rating-feedback"> <devsite-feedback position="thumb-rating" project-name="Policy Intelligence" product-id="717553" bucket="Policy Intelligence Documentation" context="" version="t-devsite-webserver-20241114-r00-rc02.464922260396498922" data-label="Send Feedback Button" track-type="feedback" track-name="sendFeedbackLink" track-metadata-position="thumb-rating" class="nocontent" project-icon="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/cloud/images/favicons/onecloud/super_cloud.png" > <button> Need to tell us more? 
link"track-metadata-child_headline="products and pricing"target="_blank"track-metadata-eventDetail="workspace.google.com/pricing.html"track-metadata-module="footer"> Google Workspace pricing </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/products/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 3)" track-metadata-eventDetail="cloud.google.com/products/"track-metadata-position="footer"track-metadata-module="footer"track-type="footer link"track-name="see all products"track-metadata-child_headline="products and pricing"> See all products </a> </li> </ul> </li> <li class="devsite-footer-linkbox "> <h3 class="devsite-footer-linkbox-heading no-link">Solutions</h3> <ul class="devsite-footer-linkbox-list"> <li class="devsite-footer-linkbox-item"> <a href="/solutions/infrastructure-modernization/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 1)" track-metadata-eventDetail="cloud.google.com/solutions/infrastructure-modernization/"track-metadata-position="footer"track-metadata-child_headline="solutions"track-name="infrastructure modernization"track-metadata-module="footer"track-type="footer link"> Infrastructure modernization </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/solutions/databases/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 2)" track-metadata-position="footer"track-name="databases"track-metadata-module="footer"track-type="footer link"track-metadata-eventDetail="cloud.google.com/solutions/databases"track-metadata-child_headline="solutions"> Databases </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/solutions/application-modernization/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 3)" 
track-name="application development"track-metadata-eventDetail="cloud.google.com/solutions/application-modernization/"track-metadata-position="footer"track-metadata-module="footer"track-metadata-child_headline="solutions"track-type="footer link"> Application modernization </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/solutions/smart-analytics/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 4)" track-type="footer link"track-metadata-position="footer"track-name="smart analytics"track-metadata-child_headline="solutions"track-metadata-eventDetail="cloud.google.com/solutions/smart-analytics/"track-metadata-module="footer"> Smart analytics </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/solutions/ai/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 5)" track-metadata-child_headline="solutions"track-metadata-module="footer"track-metadata-position="footer"track-type="footer link"track-name="artificial intelligence"track-metadata-eventDetail="cloud.google.com/solutions/ai/"> Artificial Intelligence </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/solutions/security/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 6)" track-metadata-position="footer"track-metadata-eventDetail="cloud.google.com/solutions/security/"track-metadata-module="footer"track-name="security"track-metadata-child_headline="solutions"track-type="footer link"> Security </a> </li> <li class="devsite-footer-linkbox-item"> <a href="https://workspace.google.com/enterprise/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 7)" track-type="footer 
link"track-metadata-child_headline="solutions"track-metadata-module="footer"track-metadata-eventDetail="workspace.google.com/enterprise/"track-metadata-position="footer"target="_blank"track-name="productivity and work transformation"> Productivity & work transformation </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/solutions/#industry-solutions" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 8)" track-metadata-eventDetail="cloud.google.com/solutions/#industry-solutions"track-metadata-position="footer"track-name="industry solutions"track-metadata-child_headline="solutions"track-type="footer link"track-metadata-module="footer"> Industry solutions </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/solutions/devops/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 9)" track-name="devops solutions"track-metadata-position="footer"track-metadata-child_headline="solutions"track-type="footer link"track-metadata-module="footer"track-metadata-eventDetail="cloud.google.com/solutions/devops/"> DevOps solutions </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/solutions/#section-14" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 10)" track-metadata-child_headline="solutions"track-metadata-position="footer"track-metadata-module="footer"track-metadata-eventDetail="cloud.google.com/solutions/#section-14"track-type="footer link"track-name="small business solutions"> Small business solutions </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/solutions/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 11)" track-metadata-eventDetail="cloud.google.com/solutions/"track-metadata-child_headline="solutions"track-type="footer 
link"track-name="see all solutions"track-metadata-module="footer"track-metadata-position="footer"> See all solutions </a> </li> </ul> </li> <li class="devsite-footer-linkbox "> <h3 class="devsite-footer-linkbox-heading no-link">Resources</h3> <ul class="devsite-footer-linkbox-list"> <li class="devsite-footer-linkbox-item"> <a href="/affiliate-program/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 1)" track-type="footer link"track-name="google cloud affiliate program"track-metadata-position="footer"track-metadata-eventDetail="cloud.google.com/affiliate-program/"track-metadata-module="footer"track-metadata-child_headline="resources"> Google Cloud Affiliate Program </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/docs/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 2)" track-metadata-position="footer"track-metadata-module="footer"track-type="footer link"track-metadata-eventDetail="cloud.google.com/docs/"track-name="google cloud documentation"track-metadata-child_headline="resources"> Google Cloud documentation </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/docs/get-started/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 3)" track-metadata-position="footer"track-metadata-child_headline="resources"track-metadata-module="footer"track-type="footer link"track-name="google cloud quickstarts"track-metadata-eventDetail="cloud.google.com/docs/get-started/"> Google Cloud quickstarts </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/marketplace/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 4)" track-metadata-eventDetail="cloud.google.com/marketplace/"track-type="footer 
link"track-metadata-module="footer"track-metadata-position="footer"track-metadata-child_headline="resources"track-name="google cloud marketplace"> Google Cloud Marketplace </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/discover/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 5)" track-metadata-module="footer"track-metadata-position="footer"track-metadata-child_headline="resources"track-metadata-eventDetail="learn/"track-type="footer link"track-name="learn about cloud computing"> Learn about cloud computing </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/support-hub/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 6)" track-metadata-eventDetail="cloud.google.com/support-hub/"track-type="footer link"track-metadata-child_headline="resources"track-metadata-position="footer"track-name="support"track-metadata-module="footer"> Support </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/docs/samples" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 7)" track-type="footer link"track-name="code samples"track-metadata-eventDetail="cloud.google.com/docs/samples"track-metadata-module="footer"track-metadata-position="footer"track-metadata-child_headline="resources"> Code samples </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/architecture/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 8)" track-name="cloud architecture center"track-metadata-eventDetail="cloud.google.com/architecture/"track-metadata-module="footer"track-metadata-position="footer"track-type="footer link"track-metadata-child_headline="resources"> Cloud Architecture Center </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/learn/training/" 
class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 9)" track-metadata-eventDetail="cloud.google.com/training/"track-type="footer link"track-metadata-child_headline="resources"track-metadata-module="footer"track-metadata-position="footer"track-name="training"> Training </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/learn/certification/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 10)" track-type="footer link"track-name="certifications"track-metadata-child_headline="resources"track-metadata-eventDetail="cloud.google.com/certification"track-metadata-module="footer"track-metadata-position="footer"> Certifications </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//developers.google.com" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 11)" track-type="footer link"track-name="google developers"track-metadata-eventDetail="developers.google.com"track-metadata-module="footer"target="_blank"track-metadata-child_headline="resources"track-metadata-position="footer"> Google for Developers </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/startup/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 12)" track-metadata-position="footer"track-metadata-module="footer"track-name="google cloud for startups"track-metadata-child_headline="resources"track-type="footer link"track-metadata-eventDetail="cloud.google.com/startup/"> Google Cloud for Startups </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//status.cloud.google.com" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 13)" 
track-metadata-position="footer"track-metadata-child_headline="resources"track-name="system status"target="_blank"track-metadata-module="footer"track-type="footer link"track-metadata-eventDetail="status.cloud.google.com"> System status </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/release-notes" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 14)" track-metadata-child_headline="resources"track-metadata-eventDetail="cloud.google.com/release-notes/"track-metadata-position="footer"track-name="release notes"track-type="footer link"track-metadata-module="footer"> Release Notes </a> </li> </ul> </li> <li class="devsite-footer-linkbox "> <h3 class="devsite-footer-linkbox-heading no-link">Engage</h3> <ul class="devsite-footer-linkbox-list"> <li class="devsite-footer-linkbox-item"> <a href="/contact/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 1)" track-metadata-position="footer"track-metadata-module="footer"track-metadata-child_headline="engage"track-metadata-eventDetail="cloud.google.com/contact/"track-type="footer link"track-name="contact sales"> Contact sales </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//cloud.google.com/find-a-partner" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 2)" track-name="find a partner"track-type="footer link"track-metadata-module="footer"track-metadata-child_headline="engage"track-metadata-position="footer"target="_blank"track-metadata-eventDetail="cloud.google.com/find-a-partner"> Find a Partner </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/partners/become-a-partner/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 3)" 
track-metadata-child_headline="engage"track-metadata-module="footer"track-metadata-position="footer"track-metadata-eventDetail="cloud.google.com/partners/become-a-partner/"track-type="footer link"track-name="become a partner"> Become a Partner </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/events/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 4)" track-metadata-eventDetail="cloud.withgoogle.com/events"track-name="events"track-metadata-child_headline="engage"track-metadata-position="footer"track-metadata-module="footer"track-type="footer link"> Events </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/podcasts/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 5)" track-type="footer link"track-metadata-child_headline="engage"rel="noopener"track-metadata-eventDetail="cloud.google.com/podcasts/"track-name="podcasts"target="_blank"track-metadata-module="footer"track-metadata-position="footer"> Podcasts </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/developers/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 6)" track-metadata-module="footer"track-name="developer center"track-metadata-eventDetail="cloud.google.com/developers/"track-metadata-position="footer"track-type="footer link"track-metadata-child_headline="engage"> Developer Center </a> </li> <li class="devsite-footer-linkbox-item"> <a href="https://www.googlecloudpresscorner.com/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 7)" track-name="press corner"target="_blank"rel="noopener"track-type="footer 
link"track-metadata-child_headline="engage"track-metadata-module="footer"track-metadata-position="footer"track-metadata-eventDetail="www.googlecloudpresscorner.com"> Press Corner </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//www.youtube.com/googlecloud" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 8)" target="_blank"track-metadata-module="footer"track-type="footer link"track-metadata-position="footer"track-name="google cloud on youtube"track-metadata-child_headline="engage"track-metadata-eventDetail="www.youtube.com/googlecloud"rel="noopener"> Google Cloud on YouTube </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//www.youtube.com/googlecloudplatform" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 9)" track-metadata-module="footer"track-metadata-position="footer"track-metadata-eventDetail="www.youtube.com/googlecloudplatform"track-name="google cloud tech on youtube"rel="noopener"track-metadata-child_headline="engage"target="_blank"track-type="footer link"> Google Cloud Tech on YouTube </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//x.com/googlecloud" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 10)" target="_blank"track-metadata-module="footer"track-type="footer link"track-name="follow on x"rel="noopener"track-metadata-eventDetail="x.com/googlecloud"track-metadata-position="footer"track-metadata-child_headline="engage"> Follow on X </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//userresearch.google.com/?reserved=1&utm_source=website&Q_Language=en&utm_medium=own_srch&utm_campaign=CloudWebFooter&utm_term=0&utm_content=0&productTag=clou&campaignDate=jul19&pType=devel&referral_code=jk212693" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide 
Custom Events" data-label="Footer Link (index 11)" track-name="join user research"track-metadata-eventDetail="userresearch.google.com/?reserved=1&utm_source=website&Q_Language=en&utm_medium=own_srch&utm_campaign=CloudWebFooter&utm_term=0&utm_content=0&productTag=clou&campaignDate=jul19&pType=devel&referral_code=jk212693"target="_blank"track-metadata-position="footer"track-metadata-module="footer"track-type="footer link"track-metadata-child_headline="engage"> Join User Research </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//careers.google.com/cloud" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 12)" track-metadata-eventDetail="careers.google.com/cloud"track-metadata-position="footer"track-metadata-module="footer"track-metadata-child_headline="engage"track-name="we are hiring join google cloud"track-type="footer link"target="_blank"> We're hiring. Join Google Cloud! </a> </li> <li class="devsite-footer-linkbox-item"> <a href="https://www.googlecloudcommunity.com/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 13)" rel="noopener"target="_blank"track-name="google cloud community"track-metadata-eventDetail="www.googlecloudcommunity.com"track-metadata-position="footer"track-type="footer link"track-metadata-child_headline="engage"track-metadata-module="footer"> Google Cloud Community </a> </li> </ul> </li> </ul> </nav> </devsite-footer-linkboxes> <devsite-footer-utility class="devsite-footer"> <div class="devsite-footer-utility nocontent"> <nav class="devsite-footer-utility-links" aria-label="Utility links"> <ul class="devsite-footer-utility-list"> <li class="devsite-footer-utility-item "> <a class="devsite-footer-utility-link gc-analytics-event" href="//about.google/" data-category="Site-Wide Custom Events" data-label="Footer About Google link" track-type="footer link" 
track-metadata-position="footer" track-metadata-module="utility footer" track-name="about google" target="_blank" track-metadata-eventDetail="//about.google/" > About Google </a> </li> <li class="devsite-footer-utility-item devsite-footer-privacy-link"> <a class="devsite-footer-utility-link gc-analytics-event" href="//policies.google.com/privacy" data-category="Site-Wide Custom Events" data-label="Footer Privacy link" track-type="footer link" track-metadata-eventDetail="//policies.google.com/privacy" track-metadata-position="footer" track-metadata-module="utility footer" track-name="privacy" target="_blank" > Privacy </a> </li> <li class="devsite-footer-utility-item "> <a class="devsite-footer-utility-link gc-analytics-event" href="//www.google.com/intl/en/policies/terms/regional.html" data-category="Site-Wide Custom Events" data-label="Footer Site terms link" track-name="site terms" track-metadata-position="footer" target="_blank" track-metadata-module="utility footer" track-metadata-eventDetail="//www.google.com/intl/en/policies/terms/regional.html" track-type="footer link" > Site terms </a> </li> <li class="devsite-footer-utility-item "> <a class="devsite-footer-utility-link gc-analytics-event" href="/product-terms/" data-category="Site-Wide Custom Events" data-label="Footer Google Cloud terms link" track-metadata-position="footer" track-name="google cloud terms" track-type="footer link" track-metadata-module="utility footer" track-metadata-eventDetail="/product-terms/" > Google Cloud terms </a> </li> <li class="devsite-footer-utility-item glue-cookie-notification-bar-control"> <a class="devsite-footer-utility-link gc-analytics-event" href="#" data-category="Site-Wide Custom Events" data-label="Footer Manage cookies link" track-metadata-eventDetail="#" track-type="footer link" track-name="Manage cookies" aria-hidden="true" track-metadata-module="utility footer" track-metadata-position="footer" > Manage cookies </a> </li> <li class="devsite-footer-utility-item 
devsite-footer-carbon-button"> <a class="devsite-footer-utility-link gc-analytics-event" href="/sustainability" data-category="Site-Wide Custom Events" data-label="Footer Our third decade of climate action: join us link" track-name="Our third decade of climate action: join us" track-metadata-position="footer" track-type="footer link" track-metadata-module="utility footer" track-metadata-eventDetail="/sustainability/" > Our third decade of climate action: join us </a> </li> <li class="devsite-footer-utility-item devsite-footer-utility-button"> <span class="devsite-footer-utility-description">Sign up for the Google Cloud newsletter</span> <a class="devsite-footer-utility-link gc-analytics-event" href="/newsletter/" data-category="Site-Wide Custom Events" data-label="Footer Subscribe link" track-type="footer link" track-name="subscribe" track-metadata-eventDetail="/newsletter/" track-metadata-position="footer" track-metadata-module="utility footer" > Subscribe </a> </li> </ul> <devsite-language-selector> <ul role="presentation"> <li role="presentation"> <a role="menuitem" lang="en" >English</a> </li> <li role="presentation"> <a role="menuitem" lang="de" >Deutsch</a> </li> <li role="presentation"> <a role="menuitem" lang="es_419" >Español – América Latina</a> </li> <li role="presentation"> <a role="menuitem" lang="fr" >Français</a> </li> <li role="presentation"> <a role="menuitem" lang="id" >Indonesia</a> </li> <li role="presentation"> <a role="menuitem" lang="it" >Italiano</a> </li> <li role="presentation"> <a role="menuitem" lang="pt_br" >Português – Brasil</a> </li> <li role="presentation"> <a role="menuitem" lang="zh_cn" >中文 – 简体</a> </li> <li role="presentation"> <a role="menuitem" lang="ja" >日本語</a> </li> <li role="presentation"> <a role="menuitem" lang="ko" >한국어</a> </li> </ul> </devsite-language-selector> </nav> </div> </devsite-footer-utility> <devsite-panel></devsite-panel> </section></section> <devsite-sitemask></devsite-sitemask> 
<devsite-snackbar></devsite-snackbar> <devsite-tooltip ></devsite-tooltip> <devsite-heading-link></devsite-heading-link> <devsite-analytics> <script type="application/json" analytics>[]</script> <script type="application/json" tag-management>{"at": "True", "ga4": [], "ga4p": [], "gtm": [{"id": "GTM-5CVQBG", "purpose": 1}], "parameters": {"internalUser": "False", "language": {"machineTranslated": "False", "requested": "en", "served": "en"}, "pageType": "article", "projectName": "Policy Intelligence", "signedIn": "False", "tenant": "cloud", "recommendations": {"sourcePage": "", "sourceType": 0, "sourceRank": 0, "sourceIdenticalDescriptions": 0, "sourceTitleWords": 0, "sourceDescriptionWords": 0, "experiment": ""}, "experiment": {"ids": ""}}}</script> </devsite-analytics> <devsite-badger></devsite-badger> <cloudx-user></cloudx-user> <cloudx-free-trial-eligible-store freeTrialEligible='true'></cloudx-free-trial-eligible-store> <cloudx-pricing-socket></cloudx-pricing-socket> <cloudx-experiments type="TestAACodivertedExperiment" path="/virtual/TestAACodivertedExperiment/configureExperiment" location="SG" variant="variant2" ></cloudx-experiments> <cloudx-experiment-ids userCountry="SG" devsiteExperimentIdList="[39300012, 39300021, 39300118, 39300195, 39300251, 39300317, 39300320, 39300325, 39300345, 39300354, 39300364, 39300373, 39300412, 39300421, 39300436, 39300473, 39300488, 39300496, 39300498]"> </cloudx-experiment-ids> <script nonce="9Zu3kxHlo1mhzy++nWKjkF3cOmALvn"> (function(d,e,v,s,i,t,E){d['GoogleDevelopersObject']=i; t=e.createElement(v);t.async=1;t.src=s;E=e.getElementsByTagName(v)[0]; E.parentNode.insertBefore(t,E);})(window, document, 'script', 'https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/cloud/js/app_loader.js', 
'[2,"en",null,"/js/devsite_app_module.js","https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625","https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/cloud","https://cloud-dot-devsite-v2-prod.appspot.com",null,null,["/_pwa/cloud/manifest.json","https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/images/video-placeholder.svg","https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/cloud/images/favicons/onecloud/favicon.ico","https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/cloud/images/cloud-logo.svg","https://fonts.googleapis.com/css?family=Google+Sans:400,500,700|Google+Sans+Text:400,400italic,500,500italic,700,700italic|Roboto:400,400italic,500,500italic,700,700italic|Roboto+Mono:400,500,700&display=swap"],1,null,[1,6,8,12,14,17,21,25,50,52,63,70,75,76,80,87,91,92,93,97,98,100,101,102,103,104,105,107,108,109,110,112,113,117,118,120,122,124,125,126,127,129,130,131,132,133,134,135,136,138,140,141,147,148,149,151,152,156,157,158,159,161,163,164,168,169,170,179,180,182,183,186,191,193,196],"AIzaSyAP-jjEJBzmIyKR4F-3XITp8yM9T1gEEI8","AIzaSyB6xiKGDR5O3Ak2okS4rLkauxGUG7XP0hg","cloud.google.com","AIzaSyAQk0fBONSGUqCNznf6Krs82Ap1-NV6J4o","AIzaSyCCxcqdrZ_7QMeLCRY20bh_SXdAYqy70KY",null,null,null,["Cloud__enable_cloudx_experiment_ids","Cloud__enable_cloudx_ping","Profiles__enable_public_developer_profiles","Profiles__enable_completecodelab_endpoint","Cloud__enable_cloud_facet_chat","Profiles__enable_developer_profiles_callout","MiscFeatureFlags__enable_explain_this_code","Profiles__enable_recognition_badges","MiscFeatureFlags__enable_project_variables","Search__scope_to_project_tenant","DevPro__enable_cloud_innovators_plus","Cloud__enable_cloud_shell_fte_user_flow","TpcFeatures__enable_require
d_headers","Analytics__enable_clearcut_logging","Concierge__enable_pushui","Search__enable_page_map","Cloud__enable_free_trial_server_call","Search__enable_suggestions_from_borg","Cloud__enable_cloud_shell","Search__enable_dynamic_content_confidential_banner","TpcFeatures__enable_mirror_tenant_redirects","Profiles__enable_awarding_url","MiscFeatureFlags__emergency_css","CloudShell__cloud_shell_button","Search__enable_ai_search_summaries_restricted","BookNav__enable_tenant_cache_key","Search__enable_ai_search_summaries","Profiles__enable_complete_playlist_endpoint","MiscFeatureFlags__developers_footer_image","Profiles__enable_profile_collections","Search__enable_ai_eligibility_checks","Profiles__enable_page_saving","Profiles__enable_release_notes_notifications","MiscFeatureFlags__developers_footer_dark_image","MiscFeatureFlags__enable_view_transitions","Cloud__enable_llm_concierge_chat","Concierge__enable_concierge_restricted","DevPro__enable_developer_subscriptions","EngEduTelemetry__enable_engedu_telemetry","MiscFeatureFlags__enable_firebase_utm","Experiments__reqs_query_experiments","Profiles__require_profile_eligibility_for_signin","CloudShell__cloud_code_overflow_menu","Cloud__enable_cloud_dlp_service","MiscFeatureFlags__enable_variable_operator","Cloud__enable_legacy_calculator_redirect","Profiles__enable_dashboard_curated_recommendations"],null,null,"AIzaSyBLEMok-5suZ67qRPzx0qUtbnLmyT_kCVE","https://developerscontentserving-pa.clients6.google.com","AIzaSyCM4QpTRSqP5qI4Dvjt4OAScIN8sOUlO-k","https://developerscontentsearch-pa.clients6.google.com",1,4,1,"https://developerprofiles-pa.clients6.google.com",[2,"cloud","Google 
Cloud","cloud.google.com",null,"cloud-dot-devsite-v2-prod.appspot.com",null,null,[1,1,null,null,null,null,null,null,null,null,null,[1],null,null,null,null,null,1,[1],[null,null,null,[1,20],"/terms/recommendations"],[1],null,[1],[1,null,1],[1,1,null,null,1,null,["/vertex-ai/"]]],null,[22,null,null,null,null,null,"/images/cloud-logo.svg","/images/favicons/onecloud/apple-icon.png",null,null,null,null,1,1,1,[6,5],[],null,null,[[],[],[],[],[],[],[],[]],null,1,null,null,null,null,[]],[],null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,[6,1,14,15,22,23,29,37],null,[[null,null,null,null,null,null,[1,[["docType","Choose a content type",[["ApiReference",null,null,null,null,null,null,null,null,"API reference"],["Sample",null,null,null,null,null,null,null,null,"Code sample"],["ReferenceArchitecture",null,null,null,null,null,null,null,null,"Reference architecture"],["Tutorial",null,null,null,null,null,null,null,null,"Tutorial"]]],["category","Choose a topic",[["AiAndMachineLearning",null,null,null,null,null,null,null,null,"Artificial intelligence and machine learning (AI/ML)"],["ApplicationDevelopment",null,null,null,null,null,null,null,null,"Application development"],["BigDataAndAnalytics",null,null,null,null,null,null,null,null,"Big data and analytics"],["Compute",null,null,null,null,null,null,null,null,"Compute"],["Containers",null,null,null,null,null,null,null,null,"Containers"],["Databases",null,null,null,null,null,null,null,null,"Databases"],["HybridCloud",null,null,null,null,null,null,null,null,"Hybrid and multicloud"],["LoggingAndMonitoring",null,null,null,null,null,null,null,null,"Logging and monitoring"],["Migrations",null,null,null,null,null,null,null,null,"Migrations"],["Networking",null,null,null,null,null,null,null,null,"Networking"],["SecurityAndCompliance",null,null,null,null,null,null,null,null,"Security and 
compliance"],["Serverless",null,null,null,null,null,null,null,null,"Serverless"],["Storage",null,null,null,null,null,null,null,null,"Storage"]]]]]],[1],null,1],[[null,null,null,null,null,["GTM-5CVQBG"],null,null,null,null,null,[["GTM-5CVQBG",2]],1],null,null,null,null,null,1],"mwETRvWii0eU5NUYprb0Y9z5GVbc",4,null,null,null,null,null,null,null,null,null,null,null,null,null,"cloud.devsite.google"],null,"pk_live_5170syrHvgGVmSx9sBrnWtA5luvk9BwnVcvIi7HizpwauFG96WedXsuXh790rtij9AmGllqPtMLfhe2RSwD6Pn38V00uBCydV4m"]') </script> <devsite-a11y-announce></devsite-a11y-announce> </body> </html>
