All tools
Free cloud-security tool

GCP IAM Least-Privilege Checker

Paste a Google Cloud IAM policy and instantly see over-privileged roles, public access and privilege-escalation risks — with a plain-English fix for each finding.

Runs 100% in your browser. Your IAM policy is never uploaded, stored, or logged.

How to get your policy

Run this in Cloud Shell or any terminal with the gcloud CLI — it auto-fills your active project — then paste the JSON above:

gcloud projects get-iam-policy "$(gcloud config get-value project)" --format=json
Nothing analyzed yetPaste a policy above (or load the example) and hit Analyze.

What this tool checks

  • Basic roles (Owner / Editor / Viewer) that grant far more than needed
  • Public access via allUsers and allAuthenticatedUsers
  • Privilege-escalation roles (token creator, key admin, IAM admin…)
  • Human users carrying broad admin or owner roles
  • Too many project Owners
  • Sensitive roles bound without an IAM Condition

Common questions

What is least privilege in GCP IAM?

Least privilege means every principal — user, group or service account — gets only the permissions it actually needs, and nothing more. In practice that means avoiding the Basic roles (Owner/Editor/Viewer), preferring Predefined or Custom roles scoped to the job, and adding IAM Conditions where possible. It shrinks the blast radius if any credential is ever compromised.

Why are allUsers and allAuthenticatedUsers dangerous?

allUsers grants a role to anyone on the internet, with no authentication at all. allAuthenticatedUsers grants it to every Google account in the world — not just yours. Both effectively make the resource public. Unless you are intentionally hosting something public, replace them with named users, groups or service accounts.

Basic vs Predefined vs Custom roles — which should I use?

Basic roles (Owner/Editor/Viewer) are broad and legacy — avoid them outside sandboxes. Predefined roles are curated by Google for a specific service and are the right default. Custom roles let you hand-pick permissions when no predefined role fits. Start with Predefined, drop to Custom only when you need a tighter set.

What is privilege escalation in IAM?

Certain roles let a principal grant themselves more power — for example Service Account Token Creator (impersonate other identities), Service Account Key Admin (mint long-lived keys), or any IAM admin role (edit the policy itself). A low-privileged account holding one of these can climb to full control. This tool flags those roles so you can gate them behind conditions or remove them.

Heuristic checks, not a substitute for a full audit. Uses no cookies and sends no data server-side.