- NAME
-
- gcloud policy-troubleshoot iam - troubleshoot the IAM Policy
- SYNOPSIS
-
-
gcloud policy-troubleshoot iamRESOURCE--permission=PERMISSION--principal-email=PRINCIPAL_EMAIL[--destination-ip=DESTINATION_IP] [--destination-port=DESTINATION_PORT] [--request-time=REQUEST_TIME] [--resource-name=RESOURCE_NAME] [--resource-service=RESOURCE_SERVICE] [--resource-type=RESOURCE_TYPE] [GCLOUD_WIDE_FLAG …]
-
- DESCRIPTION
- Performs a check on whether a principal is granted a permission on a resource and how that access is determined according to the resource's effective IAM policy interpretation.
- EXAMPLES
- To troubleshoot a permission of a principal on a resource, run:
gcloud policy-troubleshoot iam //cloudresourcemanager.googleapis.com/projects/project-id --principal-email = my-iam-account@somedomain.com --permission = resourcemanager.projects.getSee https://cloud.google.com/iam/help/allow-policies/overview for more information about IAM policies.
- POSITIONAL ARGUMENTS
-
-
RESOURCE - Full resource name that access is checked against. See: https://cloud.google.com/iam/docs/resource-names .
-
- REQUIRED FLAGS
-
- Cloud IAM permission to check, e.g. "resourcemanager.projects.get".
-
--principal-email=PRINCIPAL_EMAIL - Email address that identifies the principal to check. Only Google Accounts and service accounts are supported.
- OPTIONAL FLAGS
-
-
--destination-ip=DESTINATION_IP - The request destination IP address to use when checking conditional bindings.
For example,
198.1.1.1. -
--destination-port=DESTINATION_PORT - The request destination port to use when checking conditional bindings. For example, 8080.
-
--request-time=REQUEST_TIME - The request timestamp to use when checking conditional bindings. This string must adhere to UTC format (RFC 3339). For example,2021-01-01T00:00:00Z. See: https://tools.ietf.org/html/rfc3339
-
--resource-name=RESOURCE_NAME - The resource name value to use when checking conditional bindings. See: https://cloud.google.com/iam/docs/conditions-resource-attributes#resource-name .
-
--resource-service=RESOURCE_SERVICE - The resource service value to use when checking conditional bindings. See: https://cloud.google.com/iam/docs/conditions-resource-attributes#resource-service
-
--resource-type=RESOURCE_TYPE - The resource type value to use when checking conditional bindings. See: https://cloud.google.com/iam/docs/conditions-resource-attributes#resource-type
-
- GCLOUD WIDE FLAGS
- These flags are available to all commands:
--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.Run
$ gcloud helpfor details. - API REFERENCE
- This command uses the
policytroubleshooter/v2alpha1API. The full documentation for this API can be found at: https://cloud.google.com/iam/ - NOTES
- These variants are also available:
gcloud alpha policy-troubleshoot iamgcloud beta policy-troubleshoot iam
gcloud policy-troubleshoot iam
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License , and code samples are licensed under the Apache 2.0 License . For details, see the Google Developers Site Policies . Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-05-27 UTC.
