gcp-iam-test-resource-permissions
Test specific IAM permissions on Google Cloud resources to verify access rights for the current caller, ensuring secure and compliant resource management.
Instructions
Test which permissions the current caller has on specific Google Cloud resources
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| permissions | Yes | List of permissions to test on the resource | |
| resource | Yes | The full resource name (e.g., "projects/my-project/buckets/my-bucket", "projects/my-project/zones/us-central1-a/instances/my-instance") | |
Implementation Reference
- src/services/iam/tools.ts:193-252 (handler)

  The core handler function for the 'gcp-iam-test-resource-permissions' tool. It tests the provided permissions on the specified resource using the Google Cloud ResourceManager's testIamPermissions method, formats the granted and denied permissions into a markdown report, and handles errors.

  ```typescript
  async ({ resource, permissions }) => {
    try {
      const resourceManager = getResourceManagerClient();
      const [response] = await resourceManager.testIamPermissions({
        resource,
        permissions,
      });

      // The API returns only the permissions the caller actually holds;
      // anything requested but absent from the response is denied.
      const grantedPermissions = response.permissions || [];
      const deniedPermissions = permissions.filter(
        (p) => !grantedPermissions.includes(p),
      );

      let result = `# Resource IAM Permissions Test\n\nResource: ${resource}\n\n`;

      result += `## ✅ Granted Permissions (${grantedPermissions.length})\n\n`;
      if (grantedPermissions.length > 0) {
        grantedPermissions.forEach((permission) => {
          result += `- ${permission}\n`;
        });
      } else {
        result += `*No permissions granted*\n`;
      }

      result += `\n## ❌ Denied Permissions (${deniedPermissions.length})\n\n`;
      if (deniedPermissions.length > 0) {
        deniedPermissions.forEach((permission) => {
          result += `- ${permission}\n`;
        });
      } else {
        result += `*All permissions granted*\n`;
      }

      result += `\n**Summary:** ${grantedPermissions.length}/${permissions.length} permissions granted on resource ${resource}\n`;

      return {
        content: [
          {
            type: "text",
            text: result,
          },
        ],
      };
    } catch (error: unknown) {
      const errorMessage = error instanceof Error ? error.message : "Unknown error";
      logger.error(`Error testing resource IAM permissions: ${errorMessage}`);

      return {
        content: [
          {
            type: "text",
            text: `# Error Testing Resource IAM Permissions\n\nFailed to test IAM permissions on resource "${resource}": ${errorMessage}\n\nPlease ensure:\n- The resource name is correct and properly formatted\n- The resource exists and is accessible\n- You have the required permissions to test IAM permissions on this resource`,
          },
        ],
        isError: true,
      };
    }
  },
  ```

- src/services/iam/tools.ts:182-191 (schema)

  Zod input schema defining the parameters for the tool: 'resource' (full resource name) and 'permissions' (array of strings).

  ```typescript
  inputSchema: {
    resource: z
      .string()
      .describe(
        'The full resource name (e.g., "projects/my-project/buckets/my-bucket", "projects/my-project/zones/us-central1-a/instances/my-instance")',
      ),
    permissions: z
      .array(z.string())
      .describe("List of permissions to test on the resource"),
  },
  ```

- src/services/iam/tools.ts:177-253 (registration)

  Registration of the 'gcp-iam-test-resource-permissions' tool using server.registerTool, including title, description, inputSchema, and the handler function.

  ```typescript
  server.registerTool(
    "gcp-iam-test-resource-permissions",
    {
      title: "Test Resource-Specific IAM Permissions",
      description:
        "Test which permissions the current caller has on specific Google Cloud resources",
      inputSchema: {
        resource: z
          .string()
          .describe(
            'The full resource name (e.g., "projects/my-project/buckets/my-bucket", "projects/my-project/zones/us-central1-a/instances/my-instance")',
          ),
        permissions: z
          .array(z.string())
          .describe("List of permissions to test on the resource"),
      },
    },
    async ({ resource, permissions }) => {
      try {
        const resourceManager = getResourceManagerClient();
        const [response] = await resourceManager.testIamPermissions({
          resource,
          permissions,
        });

        // Only granted permissions come back; the rest are denied.
        const grantedPermissions = response.permissions || [];
        const deniedPermissions = permissions.filter(
          (p) => !grantedPermissions.includes(p),
        );

        let result = `# Resource IAM Permissions Test\n\nResource: ${resource}\n\n`;

        result += `## ✅ Granted Permissions (${grantedPermissions.length})\n\n`;
        if (grantedPermissions.length > 0) {
          grantedPermissions.forEach((permission) => {
            result += `- ${permission}\n`;
          });
        } else {
          result += `*No permissions granted*\n`;
        }

        result += `\n## ❌ Denied Permissions (${deniedPermissions.length})\n\n`;
        if (deniedPermissions.length > 0) {
          deniedPermissions.forEach((permission) => {
            result += `- ${permission}\n`;
          });
        } else {
          result += `*All permissions granted*\n`;
        }

        result += `\n**Summary:** ${grantedPermissions.length}/${permissions.length} permissions granted on resource ${resource}\n`;

        return {
          content: [
            {
              type: "text",
              text: result,
            },
          ],
        };
      } catch (error: unknown) {
        const errorMessage = error instanceof Error ? error.message : "Unknown error";
        logger.error(`Error testing resource IAM permissions: ${errorMessage}`);

        return {
          content: [
            {
              type: "text",
              text: `# Error Testing Resource IAM Permissions\n\nFailed to test IAM permissions on resource "${resource}": ${errorMessage}\n\nPlease ensure:\n- The resource name is correct and properly formatted\n- The resource exists and is accessible\n- You have the required permissions to test IAM permissions on this resource`,
            },
          ],
          isError: true,
        };
      }
    },
  );
  ```
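The handler's granted/denied split is the part worth testing in isolation, so the following is an added example (not code from this project) that factors it out with the Resource Manager client behind a small interface and a constructed fake in place of the network call. The `TestIamPermissionsClient` interface, the `fakeClient` helper and the sample grant table are assumptions made for this example. Two practical points the handler above leaves implicit are built in: `testIamPermissions` rejects wildcard permission names such as `storage.*`, and the Resource Manager `ProjectsClient` method is defined on `projects/{id}` names, so the bucket and instance paths quoted in the schema description would need the Storage and Compute APIs' own `testIamPermissions` methods instead. The call itself needs no IAM permission on the project, which is what makes it a safe way to verify a service account's effective access before relying on it; `unexpectedGrants` turns that into a least-privilege check against a list of permissions the identity must not hold.

```typescript
// Added example, not code from the google-cloud-mcp project: the permission
// diff behind gcp-iam-test-resource-permissions, with the Resource Manager
// client behind an interface so it runs offline against a constructed fake.

/** Only the method the tool calls; the real client is ProjectsClient from
 *  @google-cloud/resource-manager (assumed shape: just the field the tool reads). */
export interface TestIamPermissionsClient {
  testIamPermissions(req: { resource: string; permissions: string[] }):
    Promise<[{ permissions?: string[] | null }]>;
}

export interface PermissionTestResult {
  resource: string;
  requested: string[];
  granted: string[];
  denied: string[];
}

/** Drop duplicates and reject names the API refuses (wildcards such as "storage.*"). */
export function normalizePermissions(permissions: string[]): string[] {
  const seen = new Set<string>();
  for (const raw of permissions) {
    const p = raw.trim();
    if (p === "") throw new Error("Permission names must be non-empty");
    if (p.includes("*")) throw new Error(`Wildcards cannot be tested: "${p}"`);
    seen.add(p);
  }
  if (seen.size === 0) throw new Error("At least one permission is required");
  return [...seen];
}

/** ProjectsClient.testIamPermissions is defined for "projects/{id}" only; buckets
 *  and instances have their own testIamPermissions on the Storage and Compute APIs. */
export function isProjectResourceName(resource: string): boolean {
  return /^projects\/[^/]+$/.test(resource);
}

/** The API returns only the granted subset, so denied = requested minus granted. */
export function splitPermissions(
  requested: string[],
  granted: readonly string[] | null | undefined,
): { granted: string[]; denied: string[] } {
  const held = new Set(granted ?? []);
  return {
    granted: requested.filter((p) => held.has(p)),
    denied: requested.filter((p) => !held.has(p)),
  };
}

export async function testResourcePermissions(
  client: TestIamPermissionsClient,
  resource: string,
  permissions: string[],
): Promise<PermissionTestResult> {
  if (!isProjectResourceName(resource)) {
    throw new Error(`Expected "projects/{id}", got "${resource}"`);
  }
  const requested = normalizePermissions(permissions);
  const [response] = await client.testIamPermissions({ resource, permissions: requested });
  return { resource, requested, ...splitPermissions(requested, response.permissions) };
}

/** Least-privilege check: permissions the caller holds that a baseline says it must not. */
export function unexpectedGrants(r: PermissionTestResult, mustBeDenied: string[]): string[] {
  const granted = new Set(r.granted);
  return mustBeDenied.filter((p) => granted.has(p));
}

/** Same markdown layout the tool emits, built from the structured result. */
export function formatReport(r: PermissionTestResult): string {
  const list = (items: string[], empty: string): string =>
    items.length > 0 ? items.map((p) => `- ${p}\n`).join("") : `*${empty}*\n`;
  return (
    `# Resource IAM Permissions Test\n\nResource: ${r.resource}\n\n` +
    `## ✅ Granted Permissions (${r.granted.length})\n\n` +
    list(r.granted, "No permissions granted") +
    `\n## ❌ Denied Permissions (${r.denied.length})\n\n` +
    list(r.denied, "All permissions granted") +
    `\n**Summary:** ${r.granted.length}/${r.requested.length} permissions granted on resource ${r.resource}\n`
  );
}

/** Constructed fake: a static grant table instead of a network call. */
export function fakeClient(grants: Record<string, string[]>): TestIamPermissionsClient {
  return {
    async testIamPermissions({ resource, permissions }): Promise<[{ permissions: string[] }]> {
      const held = new Set(grants[resource] ?? []);
      return [{ permissions: permissions.filter((p) => held.has(p)) }]; // granted subset only
    },
  };
}

/** Constructed sample run: an identity holding two read permissions on one project. */
export async function runSample(): Promise<PermissionTestResult> {
  const client = fakeClient({
    "projects/example-project": ["resourcemanager.projects.get", "storage.objects.get"],
  });
  return testResourcePermissions(client, "projects/example-project", [
    "resourcemanager.projects.get",
    "storage.objects.get",
    "storage.objects.get", // duplicate, collapsed before the call
    "storage.buckets.delete",
  ]);
}
```

Swapping `fakeClient` for a real `ProjectsClient` is the only change needed to run this against a project; the `Promise<[...]>` return shape mirrors the `[response]` destructuring the handler already uses.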