NAME

gcloud asset get-effective-iam-policy - get effective IAM policies for a specified list of resources within accessible scope, such as a project, folder or organization

SYNOPSIS

gcloud asset get-effective-iam-policy --names=NAMES,[NAMES,...] --scope=SCOPE [GCLOUD_WIDE_FLAG ...]

DESCRIPTION

Batch get effective IAM policies that match a request.

EXAMPLES

To list effective IAM policies of 1 resource in an organization, run:

$ gcloud asset get-effective-iam-policy \ --scope=organizations/YOUR_ORG_ID --names=RESOURCE_NAME1

To list effective IAM policies of 2 resources in a folder, run:

$ gcloud asset get-effective-iam-policy \ --scope=folders/YOUR_FOLDER_ID \ --names=RESOURCE_NAME1,RESOURCE_NAME2

To list effective IAM policies of 3 resources in a project using project ID, run:

$ gcloud asset get-effective-iam-policy \ --scope=projects/YOUR_PROJECT_ID \ --names=RESOURCE_NAME1,RESOURCE_NAME2,RESOURCE_NAME3

To list effective IAM policies of 2 resources in a project using project number, run:

$ gcloud asset get-effective-iam-policy \ --scope=projects/YOUR_PROJECT_NUMBER \ --names=RESOURCE_NAME1,RESOURCE_NAME2

REQUIRED FLAGS

--names=NAMES,[NAMES,...]

Names refer to a list of full resource names https://cloud.google.com/asset-inventory/docs/resource-name-format of searchable asset types https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types. For each batch call, total number of names provided is between 1 and 20.

The example value is:

//cloudsql.googleapis.com/projects/{PROJECT_ID}/instances/{INSTANCE} (e.g. //cloudsql.googleapis.com/projects/probe-per-rt-project/instances/instance1)

--scope=SCOPE

Scope can be a project, a folder, or an organization. The search is limited to the IAM policies within this scope. The caller must be granted the cloudasset.assets.analyzeIamPolicy, cloudasset.assets.searchAllResources, cloudasset.assets.searchAllIamPolicies permissions on the desired scope.

The allowed values are:

projects/{PROJECT_ID} (e.g. projects/foo-bar)

projects/{PROJECT_NUMBER} (e.g. projects/12345678)

folders/{FOLDER_NUMBER} (e.g. folders/1234567)

organizations/{ORGANIZATION_NUMBER} (e.g. organizations/123456)

GCLOUD WIDE FLAGS

These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.