Inventory: GCP: View all resources an identity can access

Last updated: April 11, 2025

  1. Run an IAM Assessment first

    If you have not run an assessment, your data may not display properly.

    Make sure you’ve connected P0 to GCP and run at least one IAM Assessment for your organization. This populates P0 with all principals, grants, privileges, and resources.

  2. Open the Inventory page
    In P0, go to Inventory.

  3. Set “from” to your project
    Above the search box is the From control. Click it and pick your project.

  4. Set “show” to your Resource
    Above the search box is the Show control. Click it and pick Resources. This makes the results table list resource nodes (projects, buckets, etc.) instead of principals or grants.

  5. Enter your “Where” query
    In the free‑form search bar, type:

    identity:"<ACCOUNT>" resource:

    identity:"…" must exactly match the account's full account name as P0 knows it.

  6. (Optional) target service accounts or users
    identity:type:"<TYPE>" resource:

    <TYPE> can be user, group, or service-agent.

  7. Click graph to change to visualization
    This switches the results from a table to a visualization, which makes it easier to understand what your identity has access to.

  8. Run the search
    Hit Enter or click the search icon. The table below now lists every GCP resource bound by those grants.

  9. (Optional) Insert privileges
    To see the specific GCP permissions for a specific identity, type:

    identity:<ACCOUNT> grant:->privilege:

    The extra ->privilege: hop expands each grant into its contained Google Cloud privileges before landing on the resource. You will need to switch back to Show: Identity in the drop-down, because this view does not display under Resources.

    You can replace identity:"<ACCOUNT>" with any other principal string—users, groups, service‑agents—to inventory their resource access the same way.