# gcp-iam-test-resource-permissions
Test which permissions the current caller has on specific Google Cloud resources to verify access before performing operations.
## Instructions
Test which permissions the current caller has on specific Google Cloud resources
## Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| resource | Yes | The full resource name (e.g., "projects/my-project/buckets/my-bucket", "projects/my-project/zones/us-central1-a/instances/my-instance") | |
| permissions | Yes | List of permissions to test on the resource | |
## Implementation Reference
- `src/services/iam/tools.ts:193-252` (handler): The async handler function that tests IAM permissions on a specific resource using the `ResourceManagerClient.testIamPermissions` API, categorizes granted and denied permissions, formats the results as structured Markdown, and handles errors.

```typescript
async ({ resource, permissions }) => {
  try {
    const resourceManager = getResourceManagerClient();
    const [response] = await resourceManager.testIamPermissions({
      resource,
      permissions,
    });

    const grantedPermissions = response.permissions || [];
    const deniedPermissions = permissions.filter(
      (p) => !grantedPermissions.includes(p),
    );

    let result = `# Resource IAM Permissions Test\n\nResource: ${resource}\n\n`;

    result += `## ✅ Granted Permissions (${grantedPermissions.length})\n\n`;
    if (grantedPermissions.length > 0) {
      grantedPermissions.forEach((permission) => {
        result += `- ${permission}\n`;
      });
    } else {
      result += `*No permissions granted*\n`;
    }

    result += `\n## ❌ Denied Permissions (${deniedPermissions.length})\n\n`;
    if (deniedPermissions.length > 0) {
      deniedPermissions.forEach((permission) => {
        result += `- ${permission}\n`;
      });
    } else {
      result += `*All permissions granted*\n`;
    }

    result += `\n**Summary:** ${grantedPermissions.length}/${permissions.length} permissions granted on resource ${resource}\n`;

    return {
      content: [
        {
          type: "text",
          text: result,
        },
      ],
    };
  } catch (error: unknown) {
    const errorMessage =
      error instanceof Error ? error.message : "Unknown error";
    logger.error(`Error testing resource IAM permissions: ${errorMessage}`);
    return {
      content: [
        {
          type: "text",
          text: `# Error Testing Resource IAM Permissions\n\nFailed to test IAM permissions on resource "${resource}": ${errorMessage}\n\nPlease ensure:\n- The resource name is correct and properly formatted\n- The resource exists and is accessible\n- You have the required permissions to test IAM permissions on this resource`,
        },
      ],
      isError: true,
    };
  }
}
```
- `src/services/iam/tools.ts:182-191` (schema): Zod input schema defining the required `resource` (full resource name) and `permissions` (array of strings) parameters for the tool.

```typescript
inputSchema: {
  resource: z
    .string()
    .describe(
      'The full resource name (e.g., "projects/my-project/buckets/my-bucket", "projects/my-project/zones/us-central1-a/instances/my-instance")',
    ),
  permissions: z
    .array(z.string())
    .describe("List of permissions to test on the resource"),
},
```
- `src/services/iam/tools.ts:176-253` (registration): The `server.registerTool` call that registers the `gcp-iam-test-resource-permissions` tool, including its name, title, description, input schema, and handler function.

```typescript
server.registerTool(
  "gcp-iam-test-resource-permissions",
  {
    title: "Test Resource-Specific IAM Permissions",
    description:
      "Test which permissions the current caller has on specific Google Cloud resources",
    inputSchema: {
      resource: z
        .string()
        .describe(
          'The full resource name (e.g., "projects/my-project/buckets/my-bucket", "projects/my-project/zones/us-central1-a/instances/my-instance")',
        ),
      permissions: z
        .array(z.string())
        .describe("List of permissions to test on the resource"),
    },
  },
  async ({ resource, permissions }) => {
    try {
      const resourceManager = getResourceManagerClient();
      const [response] = await resourceManager.testIamPermissions({
        resource,
        permissions,
      });

      const grantedPermissions = response.permissions || [];
      const deniedPermissions = permissions.filter(
        (p) => !grantedPermissions.includes(p),
      );

      let result = `# Resource IAM Permissions Test\n\nResource: ${resource}\n\n`;

      result += `## ✅ Granted Permissions (${grantedPermissions.length})\n\n`;
      if (grantedPermissions.length > 0) {
        grantedPermissions.forEach((permission) => {
          result += `- ${permission}\n`;
        });
      } else {
        result += `*No permissions granted*\n`;
      }

      result += `\n## ❌ Denied Permissions (${deniedPermissions.length})\n\n`;
      if (deniedPermissions.length > 0) {
        deniedPermissions.forEach((permission) => {
          result += `- ${permission}\n`;
        });
      } else {
        result += `*All permissions granted*\n`;
      }

      result += `\n**Summary:** ${grantedPermissions.length}/${permissions.length} permissions granted on resource ${resource}\n`;

      return {
        content: [
          {
            type: "text",
            text: result,
          },
        ],
      };
    } catch (error: unknown) {
      const errorMessage =
        error instanceof Error ? error.message : "Unknown error";
      logger.error(`Error testing resource IAM permissions: ${errorMessage}`);
      return {
        content: [
          {
            type: "text",
            text: `# Error Testing Resource IAM Permissions\n\nFailed to test IAM permissions on resource "${resource}": ${errorMessage}\n\nPlease ensure:\n- The resource name is correct and properly formatted\n- The resource exists and is accessible\n- You have the required permissions to test IAM permissions on this resource`,
          },
        ],
        isError: true,
      };
    }
  },
);
```
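The handler above reports granted and denied permissions but leaves the "should I proceed?" decision to the caller. The following is an added example, not the project's code, of a fail-closed preflight check built on the same `testIamPermissions({ resource, permissions })` call shape: `IamTester` is an assumed minimal interface mirroring the client's `[response]` tuple return, and `fakeClient` is a constructed stand-in so the example runs offline.

```typescript
// Added example, not the project's code: a fail-closed preflight check built on the same
// testIamPermissions({ resource, permissions }) call shape as the handler above. IamTester is
// an assumed minimal interface mirroring the client's [response] tuple; fakeClient is constructed.
interface IamTester {
  testIamPermissions(req: { resource: string; permissions: string[] }):
    Promise<[{ permissions?: string[] | null }]>;
}
type PreflightResult = { granted: string[]; denied: string[]; allGranted: boolean; error?: string };

// Pure step: dedupe the request and compare through a Set, so the outcome does not depend
// on response order or on permissions the API returned that were never requested.
function classifyPermissions(
  requested: string[],
  returned: string[] | null | undefined,
): { granted: string[]; denied: string[] } {
  const unique = Array.from(new Set(requested));
  const grantedSet = new Set(returned ?? []);
  return {
    granted: unique.filter((p) => grantedSet.has(p)),
    denied: unique.filter((p) => !grantedSet.has(p)),
  };
}

// Fail closed: an error (malformed resource name, resource not visible to the caller) yields
// allGranted=false plus the message, so a caller gating a write on this never proceeds by mistake.
async function preflightCheck(
  client: IamTester,
  resource: string,
  required: string[],
): Promise<PreflightResult> {
  const unique = Array.from(new Set(required));
  try {
    const [response] = await client.testIamPermissions({ resource, permissions: unique });
    const { granted, denied } = classifyPermissions(unique, response.permissions);
    return { granted, denied, allGranted: denied.length === 0 };
  } catch (err: unknown) {
    const error = err instanceof Error ? err.message : "Unknown error";
    return { granted: [], denied: unique, allGranted: false, error };
  }
}

// Constructed fake client: holds only two read permissions on any resource, and rejects
// resource names that are not in the expected "projects/..." form.
const fakeClient: IamTester = {
  async testIamPermissions({ resource, permissions }) {
    if (!resource.startsWith("projects/")) throw new Error(`Invalid resource name: ${resource}`);
    const held = new Set(["compute.instances.get", "compute.instances.list"]);
    return [{ permissions: permissions.filter((p) => held.has(p)) }];
  },
};
```

A caller would run `preflightCheck` with the exact permissions the upcoming operation needs and proceed only when `allGranted` is true; a non-empty `error` means the check itself could not be completed, which is reported as not granted rather than as success.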