Searches all IAM policies within the specified scope, such as a project, folder, or organization. The caller must be granted the cloudasset.assets.searchAllIamPolicies permission on the desired scope; otherwise the request will be rejected.
Scopes
You will need authorization for the https://www.googleapis.com/auth/cloud-platform scope to make a valid call.
If unset, the scope for this method defaults to https://www.googleapis.com/auth/cloud-platform.
You can set the scope for this method like this: cloudasset1 --scope <scope> methods search-all-iam-policies ...
Required Scalar Argument
- <scope> (string)
  - Required. A scope can be a project, a folder, or an organization. The search is limited to the IAM policies within the scope. The caller must be granted the cloudasset.assets.searchAllIamPolicies permission on the desired scope. The allowed values are:
    - projects/{PROJECT_ID} (e.g., "projects/foo-bar")
    - projects/{PROJECT_NUMBER} (e.g., "projects/12345678")
    - folders/{FOLDER_NUMBER} (e.g., "folders/1234567")
    - organizations/{ORGANIZATION_NUMBER} (e.g., "organizations/123456")
Optional Output Flags
The method's return value is a JSON-encoded structure, which will be written to standard output by default.
- -o out
  - out specifies the destination to which the server's result is written. It will be a JSON-encoded structure. The destination may be - to indicate standard output, or a filepath that is to contain the received bytes. If unset, it defaults to standard output.
Optional Method Properties
You may set the following properties to further configure the call. Please note that -p is followed by one or more key-value-pairs, and is called like this -p k1=v1 k2=v2 even though the listing below repeats the -p for completeness.
- -p asset-types=string
  - Optional. A list of asset types that the IAM policies are attached to. If empty, it will search the IAM policies that are attached to all the asset types supported by search APIs. Regular expressions are also supported. For example:
    - "compute.googleapis.com.*" snapshots IAM policies attached to asset types that start with "compute.googleapis.com".
    - ".*Instance" snapshots IAM policies attached to asset types that end with "Instance".
    - ".*Instance.*" snapshots IAM policies attached to asset types that contain "Instance".
  - See RE2 for all supported regular expression syntax. If the regular expression does not match any supported asset type, an INVALID_ARGUMENT error will be returned.
- -p order-by=string
  - Optional. A comma-separated list of fields specifying the sorting order of the results. The default order is ascending. Add " DESC" after the field name to indicate descending order. Redundant space characters are ignored. Example: "assetType DESC, resource". Only singular primitive fields in the response are sortable:
    - resource
    - assetType
    - project
  - All the other fields such as repeated fields (e.g., folders) and non-primitive fields (e.g., policy) are not supported.
- -p page-size=integer
  - Optional. The page size for search result pagination. Page size is capped at 500 even if a larger value is given. If set to zero or a negative value, server will pick an appropriate default. Returned results may be fewer than requested. When this happens, there could be more results as long as next_page_token is returned.
- -p page-token=string
  - Optional. If present, retrieve the next batch of results from the preceding call to this method. page_token must be the value of next_page_token from the previous response. The values of all other method parameters must be identical to those in the previous call.
- -p query=string
  - Optional. The query statement. See how to construct a query for more information. If not specified or empty, it will search all the IAM policies within the specified scope. Note that the query string is compared against each IAM policy binding, including its principals, roles, and IAM conditions. The returned IAM policies will only contain the bindings that match your query. To learn more about the IAM policy structure, see the IAM policy documentation. Examples:
    - policy:amy@gmail.com to find IAM policy bindings that specify user "amy@gmail.com".
    - policy:roles/compute.admin to find IAM policy bindings that specify the Compute Admin role.
    - policy:comp* to find IAM policy bindings that contain "comp" as a prefix of any word in the binding.
    - policy.role.permissions:storage.buckets.update to find IAM policy bindings that specify a role containing "storage.buckets.update" permission. Note that if callers don't have iam.roles.get access to a role's included permissions, policy bindings that specify this role will be dropped from the search results.
    - policy.role.permissions:upd* to find IAM policy bindings that specify a role containing "upd" as a prefix of any word in the role permission. Note that if callers don't have iam.roles.get access to a role's included permissions, policy bindings that specify this role will be dropped from the search results.
    - resource:organizations/123456 to find IAM policy bindings that are set on "organizations/123456".
    - resource=//cloudresourcemanager.googleapis.com/projects/myproject to find IAM policy bindings that are set on the project named "myproject".
    - Important to find IAM policy bindings that contain "Important" as a word in any of the searchable fields (except for the included permissions).
    - resource:(instance1 OR instance2) policy:amy to find IAM policy bindings that are set on resources "instance1" or "instance2" and also specify user "amy".
    - roles:roles/compute.admin to find IAM policy bindings that specify the Compute Admin role.
    - memberTypes:user to find IAM policy bindings that contain the principal type "user".
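The pagination rules above (page-size capped at 500, page-token taken from the previous response, all other parameters unchanged) can be scripted around the CLI so that an access review sees every matching binding rather than only the first page. The following Python is an added example, not part of the cloudasset1 project. It assumes that the required <scope> argument follows the method name, that the JSON output carries the token as nextPageToken, and that each result holds policy.bindings with role and members as in the IAM policy structure.

```python
import json
import subprocess

MAX_PAGE_SIZE = 500  # the documentation states larger values are capped at 500


def build_argv(scope, query, page_size=500, page_token=None):
    """Build one cloudasset1 call; only page-token differs between pages."""
    props = [f"query={query}", f"page-size={min(page_size, MAX_PAGE_SIZE)}"]
    if page_token:
        props.append(f"page-token={page_token}")
    # Assumption: the required <scope> argument follows the method name.
    return ["cloudasset1", "methods", "search-all-iam-policies", scope, "-p", *props]


def run_cli(argv):
    """Run the CLI and parse the JSON it writes to standard output."""
    out = subprocess.run(argv, check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def search_all(scope, query, fetch=run_cli, max_pages=1000):
    """Follow next-page tokens until the server stops returning one."""
    results, token = [], None
    for _ in range(max_pages):
        page = fetch(build_argv(scope, query, page_token=token))
        results.extend(page.get("results", []))
        # Assumption: JSON key is nextPageToken; next_page_token is also accepted.
        token = page.get("nextPageToken") or page.get("next_page_token")
        if not token:
            return results
    raise RuntimeError("pagination did not terminate within max_pages")


def flatten_bindings(results):
    """One (resource, role, member) row per grant, for review or diffing."""
    rows = []
    for r in results:
        for b in r.get("policy", {}).get("bindings", []):
            for m in b.get("members", []):
                rows.append((r.get("resource"), b.get("role"), m))
    return sorted(rows)
```

Calling flatten_bindings(search_all("projects/foo-bar", "policy:roles/compute.admin")) yields a sorted list of grants that can be stored and compared between runs.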
Optional General Properties
The following properties can configure any call, and are not specific to this method.
- -p $-xgafv=string
  - V1 error format.
- -p access-token=string
  - OAuth access token.
- -p alt=string
  - Data format for response.
- -p callback=string
  - JSONP
- -p fields=string
  - Selector specifying which fields to include in a partial response.
- -p key=string
  - API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
- -p oauth-token=string
  - OAuth 2.0 token for the current user.
- -p pretty-print=boolean
  - Returns response with indentations and line breaks.
- -p quota-user=string
  - Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
- -p upload-type=string
  - Legacy upload protocol for media (e.g. "media", "multipart").
- -p upload-protocol=string
  - Upload protocol for media (e.g. "raw", "multipart").