Returns permissions that a caller has on the Identity-Aware Proxy protected resource. If the resource does not exist or the caller does not have Identity-Aware Proxy permissions, a google.rpc.Code.PERMISSION_DENIED will be returned. More information about managing access via IAP can be found at: https://cloud.google.com/iap/docs/managing-access#managing_access_via_the_api
HTTP request
POST https://iap.googleapis.com/v1beta1/{resource=**}:testIamPermissions
The URL uses gRPC Transcoding (https://google.aip.dev/127) syntax.
Path parameters
REQUIRED: The resource for which the policy detail is being requested. See Resource names for the appropriate value for this field.
Request body
The request body contains data with the following structure:
JSON representation
{"permissions":[string]}
Fields
permissions[]
string
The set of permissions to check for the resource. Permissions with wildcards (such as * or storage.*) are not allowed. For more information see IAM Overview.
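The request and reply handling described on this page, as an added example (not Google's sample code): it builds the POST without sending it, rejects wildcard permissions client-side, and splits the requested permissions into granted and missing. The function names, the resource name and the permission strings used with it are assumptions for illustration; the reply's `permissions` field is the one defined by TestIamPermissionsResponse.

```python
import json
import urllib.parse
import urllib.request

API_ROOT = "https://iap.googleapis.com/v1beta1"


def build_request(resource, permissions, access_token):
    """Build (without sending) the POST for {resource=**}:testIamPermissions."""
    if not permissions:
        raise ValueError("at least one permission is required")
    for perm in permissions:
        if "*" in perm:
            # The API does not allow wildcards such as * or storage.*
            raise ValueError(f"wildcard permission not allowed: {perm!r}")
    # {resource=**} spans several path segments, so "/" stays unescaped.
    path = urllib.parse.quote(resource.strip("/"), safe="/")
    return urllib.request.Request(
        f"{API_ROOT}/{path}:testIamPermissions",
        data=json.dumps({"permissions": list(permissions)}).encode(),
        headers={
            # Token must carry the cloud-platform OAuth scope.
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
        method="POST",
    )


def evaluate(requested, status, body):
    """Split requested permissions into (granted, missing).

    status is the HTTP status of the reply, body its decoded JSON.
    """
    if status == 403:
        # PERMISSION_DENIED: the resource does not exist or the caller has no
        # IAP permissions. The reply does not say which, so all are missing.
        return [], list(requested)
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")
    held = set(body.get("permissions", []))  # field may be absent when empty
    granted = [p for p in requested if p in held]
    missing = [p for p in requested if p not in held]
    return granted, missing
```

Pass the returned `Request` to `urllib.request.urlopen` to send it; a 403 surfaces as `urllib.error.HTTPError`, whose `code` can be handed to `evaluate`.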
Response body
If successful, the response body contains an instance of TestIamPermissionsResponse.
Authorization scopes
Requires the following OAuth scope:
https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.
Last updated 2025-06-17 UTC.