{"id":814,"date":"2026-04-16T06:19:12","date_gmt":"2026-04-16T06:19:12","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/google-cloud-policy-intelligence-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security\/"},"modified":"2026-04-16T06:19:12","modified_gmt":"2026-04-16T06:19:12","slug":"google-cloud-policy-intelligence-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/google-cloud-policy-intelligence-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security\/","title":{"rendered":"Google Cloud Policy Intelligence Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Security"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Security<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p><strong>Policy Intelligence<\/strong> is a set of tools in <strong>Google Cloud Security<\/strong> that helps you understand, troubleshoot, and safely change access control policies\u2014primarily <strong>IAM policies<\/strong>\u2014across projects, folders, and organizations.<\/p>\n\n\n\n<p><strong>Simple explanation:<\/strong> Policy Intelligence helps you answer practical questions like \u201cWho can access this bucket?\u201d, \u201cWhy was access denied?\u201d, and \u201cWhat will happen if I change this IAM policy?\u201d without relying on guesswork or manual policy reading.<\/p>\n\n\n\n<p><strong>Technical explanation:<\/strong> Policy Intelligence combines policy analysis, policy evaluation, and simulation workflows (delivered via Google Cloud Console and APIs) to interpret effective access from IAM bindings (including inheritance), and in many cases explain results. 
It integrates closely with IAM, Cloud Resource Manager hierarchy, and analysis backends such as Cloud Asset Inventory for organization- and project-wide visibility.<\/p>\n\n\n\n<p><strong>What problem it solves:<\/strong> As cloud environments grow, IAM policies become hard to reason about\u2014especially with inheritance, groups, service accounts, conditional bindings, and many resource types. Policy Intelligence reduces security risk (over-permissioning), shortens incident resolution time (access-denied troubleshooting), and improves change safety (policy change validation).<\/p>\n\n\n\n<blockquote>\n<p>Service name note: <strong>Policy Intelligence<\/strong> is the current Google Cloud product grouping for IAM policy analysis\/troubleshooting\/simulation capabilities. Individual tools (for example, <strong>Policy Analyzer<\/strong> and <strong>Policy Troubleshooter<\/strong>) may appear as separate pages in the console and documentation, but they are commonly described under the Policy Intelligence umbrella. If any specific component name or UI location differs in your tenant, <strong>verify in official docs<\/strong> (links provided in Section 17).<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">2. 
What is Policy Intelligence?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Official purpose<\/h3>\n\n\n\n<p>Policy Intelligence is designed to help you <strong>analyze<\/strong>, <strong>troubleshoot<\/strong>, and <strong>simulate<\/strong> access control policies in Google Cloud so you can:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Understand who has access to what<\/li>\n<li>Investigate why access is allowed or denied<\/li>\n<li>Test the impact of policy changes before applying them<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Core capabilities (what it does)<\/h3>\n\n\n\n<p>Policy Intelligence typically includes these core capabilities (terminology may vary slightly by UI\/API version\u2014<strong>verify in official docs<\/strong>):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Policy Analyzer<\/strong>: Finds principals with access to resources (and in some contexts, resources a principal can access), based on effective IAM policy.<\/li>\n<li><strong>Policy Troubleshooter<\/strong>: Evaluates whether a principal has a specific permission on a resource, and provides an explanation for the decision (when available).<\/li>\n<li><strong>Policy Simulator<\/strong>: Tests proposed IAM policy changes to understand their impact before rollout.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Major components<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Component<\/th>\n<th>What it\u2019s for<\/th>\n<th>Typical interface<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Policy Analyzer<\/td>\n<td>\u201cWho has access?\u201d \/ \u201cWhere does access come from?\u201d<\/td>\n<td>Cloud Console UI; analysis APIs (commonly via Cloud Asset Inventory analysis)<\/td>\n<\/tr>\n<tr>\n<td>Policy Troubleshooter<\/td>\n<td>\u201cWhy was this denied?\u201d \/ \u201cShould this be granted?\u201d<\/td>\n<td>Cloud Console UI; Policy Troubleshooter API<\/td>\n<\/tr>\n<tr>\n<td>Policy Simulator<\/td>\n<td>\u201cWhat will happen if I change this policy?\u201d<\/td>\n<td>Cloud Console UI and\/or API depending on feature 
availability<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Service type<\/h3>\n\n\n\n<p>Policy Intelligence is best understood as a <strong>security analysis and governance capability<\/strong> rather than a standalone data plane service. It uses:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Google Cloud Console experiences<\/li>\n<li>Supporting APIs (for example, Policy Troubleshooter API)<\/li>\n<li>Analysis backends that interpret IAM policies and resource hierarchy<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scope: global vs regional<\/h3>\n\n\n\n<p>Policy Intelligence concerns <strong>IAM policy evaluation and analysis<\/strong>, which is generally <strong>global in nature<\/strong> (not bound to a compute region like <code>us-central1<\/code>). Results depend on:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Your <strong>resource hierarchy<\/strong> (organization\/folders\/projects)<\/li>\n<li>The <strong>resource type<\/strong> and its IAM model<\/li>\n<li>The current and inherited IAM bindings<\/li>\n<\/ul>\n\n\n\n<p>For the most accurate statement of scope and availability, <strong>verify in official docs<\/strong>, because some components can have organization prerequisites or limited coverage by resource type.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How it fits into the Google Cloud ecosystem<\/h3>\n\n\n\n<p>Policy Intelligence sits at the intersection of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cloud IAM<\/strong> (bindings, roles, permissions, service accounts)<\/li>\n<li><strong>Cloud Resource Manager<\/strong> (organization\/folder\/project hierarchy and inheritance)<\/li>\n<li><strong>Cloud Asset Inventory<\/strong> (inventory and analysis of IAM policies across your environment)<\/li>\n<li><strong>Cloud Audit Logs<\/strong> (investigating when and by whom access changes occurred)<\/li>\n<li><strong>Security Command Center<\/strong> (broader security posture\u2014Policy Intelligence is often used during investigations or governance reviews)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">3. 
Why use Policy Intelligence?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reduce security risk<\/strong>: Identify unintended broad access (for example, <code>allUsers<\/code>, <code>allAuthenticatedUsers<\/code>, or large groups) before it becomes a breach.<\/li>\n<li><strong>Improve governance<\/strong>: Provide evidence and visibility for audits and access reviews.<\/li>\n<li><strong>Faster incident response<\/strong>: When an incident involves compromised identities or suspicious access, quickly assess reach and blast radius.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>IAM policy complexity<\/strong> grows fast with:\n<ul class=\"wp-block-list\">\n<li>Many projects and teams<\/li>\n<li>Inheritance through folders\/organizations<\/li>\n<li>Group-based access<\/li>\n<li>Conditional bindings<\/li>\n<li>Service accounts and workload identities<\/li>\n<\/ul>\n<\/li>\n<li>Policy Intelligence helps interpret effective access without manually traversing policies.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cut MTTR for access issues<\/strong>: When a pipeline fails with <code>403 PERMISSION_DENIED<\/code>, Policy Troubleshooter can pinpoint missing permissions or policy sources.<\/li>\n<li><strong>Standardize access investigations<\/strong>: Replace ad hoc scripts and tribal knowledge with repeatable workflows.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Supports least-privilege initiatives by revealing where powerful roles are granted.<\/li>\n<li>Helps with controls such as access reviews, segregation of duties checks, and remediation tracking (often combined with audit logs and ticketing systems).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability\/performance 
reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>As environments scale, manual IAM reviews do not.<\/li>\n<li>Analysis tools are designed to operate across many resources and principals (subject to API limits and product constraints).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose Policy Intelligence<\/h3>\n\n\n\n<p>Choose Policy Intelligence when you need to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Understand effective IAM access across many resources<\/li>\n<li>Troubleshoot access-denied issues quickly and defensibly<\/li>\n<li>Validate policy changes before deploying them broadly (where Policy Simulator is available)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should not choose it<\/h3>\n\n\n\n<p>Policy Intelligence is not the right tool when you need:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A full SIEM or threat detection platform (consider Security Command Center integrations, Chronicle, etc.)<\/li>\n<li>Runtime request authorization inside your app (use app-layer auth, IAM Conditions, Identity Platform, IAP, etc.)<\/li>\n<li>Policy enforcement for Kubernetes workloads (consider GKE controls, OPA\/Gatekeeper, Policy Controller, etc.)<\/li>\n<li>Organization Policy constraint management (that\u2019s <strong>Organization Policy Service<\/strong>, which is separate from Policy Intelligence)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
Where is Policy Intelligence used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Finance and fintech (access control audits, regulatory evidence)<\/li>\n<li>Healthcare (PHI access governance)<\/li>\n<li>Retail\/e-commerce (protecting customer data)<\/li>\n<li>SaaS and technology (multi-project governance at scale)<\/li>\n<li>Government\/public sector (compliance, least privilege, auditability)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud security engineering \/ IAM governance<\/li>\n<li>Platform engineering (landing zone owners)<\/li>\n<li>SRE \/ DevOps (debugging pipeline and runtime access)<\/li>\n<li>Internal audit and compliance teams (evidence gathering)<\/li>\n<li>Application teams (resource-level access troubleshooting)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads and architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Multi-project organizations with shared networking and shared services<\/li>\n<li>Data platforms (BigQuery, Cloud Storage, Dataproc, Dataflow)<\/li>\n<li>CI\/CD systems using service accounts and federated identity<\/li>\n<li>Microservices with per-service identities<\/li>\n<li>Hybrid and multi-cloud identity setups (Workload Identity Federation)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Real-world deployment contexts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Production<\/strong>: Access reviews, remediation, incident response, change control<\/li>\n<li><strong>Dev\/Test<\/strong>: Debugging permissions, validating IAM patterns, testing new roles\/conditions<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic, common ways teams use Policy Intelligence. 
Each use case is written to match how teams actually operate in Google Cloud.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Identify who can read a sensitive Cloud Storage bucket<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A bucket contains sensitive exports; you need to know exactly who can read objects.<\/li>\n<li><strong>Why Policy Intelligence fits:<\/strong> Policy Analyzer can reveal principals with effective access (including inherited roles).<\/li>\n<li><strong>Example:<\/strong> Before an audit, security runs analysis on <code>prod-pii-exports<\/code> and finds a broad group has viewer access inherited from a folder.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Troubleshoot a CI\/CD pipeline failing with <code>403 PERMISSION_DENIED<\/code><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A deploy job fails when writing to Artifact Registry or Cloud Storage.<\/li>\n<li><strong>Why it fits:<\/strong> Policy Troubleshooter can check whether the pipeline service account has the exact required permission.<\/li>\n<li><strong>Example:<\/strong> The service account has <code>roles\/storage.objectViewer<\/code> but needs write permissions; Policy Troubleshooter shows that <code>storage.objects.create<\/code> is missing.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Validate a planned IAM refactor (group-based access)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> You want to replace many direct user bindings with groups.<\/li>\n<li><strong>Why it fits:<\/strong> Policy Simulator (where available) helps test changes without breaking production.<\/li>\n<li><strong>Example:<\/strong> Simulate removing direct bindings and confirm the group grants keep access intact.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Investigate unexpected access to a BigQuery dataset<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A user can query a dataset they 
shouldn\u2019t.<\/li>\n<li><strong>Why it fits:<\/strong> Policy Analyzer helps trace access grants and inherited roles.<\/li>\n<li><strong>Example:<\/strong> Access comes from a broad <code>roles\/bigquery.dataViewer<\/code> binding at the project level.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Confirm whether a third-party integration can access only intended resources<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A vendor connector uses a service account; you must enforce least privilege.<\/li>\n<li><strong>Why it fits:<\/strong> Troubleshooter verifies permissions; Analyzer checks broad reach.<\/li>\n<li><strong>Example:<\/strong> Vendor SA should only read one bucket; analysis shows it can list multiple buckets due to a folder-level viewer role.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Reduce risk from overly broad principals (<code>allUsers<\/code>, <code>allAuthenticatedUsers<\/code>)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Public exposure risk through IAM.<\/li>\n<li><strong>Why it fits:<\/strong> Policy Analyzer can highlight where broad principals have access.<\/li>\n<li><strong>Example:<\/strong> A static website bucket is public by design, but another internal bucket is mistakenly public.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Support an access review (quarterly recertification)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> You need evidence for who has access to key resources.<\/li>\n<li><strong>Why it fits:<\/strong> Analyzer provides a repeatable method to review access.<\/li>\n<li><strong>Example:<\/strong> Run analysis for a set of projects tagged <code>env=prod<\/code> and compile outputs for review.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Debug cross-project access for shared services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A central monitoring project reads 
logs\/metrics from many projects; one project fails.<\/li>\n<li><strong>Why it fits:<\/strong> Troubleshooter pinpoints missing permissions and policy sources.<\/li>\n<li><strong>Example:<\/strong> One project lacks the binding granting log view permissions to the monitoring service account.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Prove that a security control change won\u2019t break workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> You plan to remove <code>roles\/editor<\/code> from multiple identities.<\/li>\n<li><strong>Why it fits:<\/strong> Simulator can test the removal effects; Troubleshooter checks key permissions.<\/li>\n<li><strong>Example:<\/strong> Confirm that build systems still have the exact permissions needed post-change.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Incident response: quickly estimate blast radius of compromised identity<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A service account key may be leaked; you need to know what it could access.<\/li>\n<li><strong>Why it fits:<\/strong> Analyzer can reveal accessible resources; Troubleshooter checks critical permissions.<\/li>\n<li><strong>Example:<\/strong> Identify which buckets and projects the service account can access and rotate\/revoke accordingly.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">11) Verify conditional IAM binding behavior<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A principal\u2019s access should be limited by time\/IP\/device attributes (depending on how you implement controls).<\/li>\n<li><strong>Why it fits:<\/strong> Troubleshooter can evaluate access decisions and, in many cases, explain condition evaluation (capability varies\u2014<strong>verify in official docs<\/strong>).<\/li>\n<li><strong>Example:<\/strong> A condition should prevent access after a date; Troubleshooter indicates the condition still evaluates to true because of an incorrect expression.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">12) Pre-migration governance (folder\/project reorganization)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> You\u2019re moving projects between folders and worry about inherited access changes.<\/li>\n<li><strong>Why it fits:<\/strong> Analyzer and simulator help evaluate impact before and after moving resources.<\/li>\n<li><strong>Example:<\/strong> Moving a project under a more permissive folder would unintentionally grant additional access.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<blockquote>\n<p>Note: Policy Intelligence is a grouping; individual feature availability can depend on your organization setup, resource types, and permissions. Always <strong>verify in official docs<\/strong> for the latest coverage.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Feature 1: Policy Analyzer (effective access discovery)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Helps you analyze IAM policies to determine which identities (users, groups, service accounts) have access to resources, and where that access is granted from (direct vs inherited).<\/li>\n<li><strong>Why it matters:<\/strong> Least privilege and audit readiness require knowing effective access\u2014not just what a single resource policy says.<\/li>\n<li><strong>Practical benefit:<\/strong> Quickly spot over-broad roles and unexpected inheritance paths.<\/li>\n<li><strong>Limitations\/caveats:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Coverage can vary by resource type and policy model.<\/li>\n<li>Analysis can be constrained by scope and API limits.<\/li>\n<li>Some results may be approximate or omit certain specialized authorization layers (for example, app-level permissions).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Feature 2: Policy Troubleshooter (permission-level decision + 
explanation)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Evaluates whether a principal has a specific <strong>permission<\/strong> on a resource and returns an access decision, often with an explanation of why it\u2019s granted\/denied.<\/li>\n<li><strong>Why it matters:<\/strong> Most outages and pipeline failures are caused by one missing permission; troubleshooting at permission granularity is faster than role guessing.<\/li>\n<li><strong>Practical benefit:<\/strong> Reduce time spent iterating role bindings and redeploys.<\/li>\n<li><strong>Limitations\/caveats:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Explanations can vary; some cases may return \u201cunknown\u201d or partial reasoning.<\/li>\n<li>Correct inputs matter: principal format, permission name, and <strong>full resource name<\/strong> (common pitfall).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Feature 3: Policy Simulator (test IAM changes before rollout)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Simulates the impact of IAM policy changes and evaluates whether access would change for specific principals\/permissions.<\/li>\n<li><strong>Why it matters:<\/strong> IAM changes are high-risk; simulation supports change management and safer deployments.<\/li>\n<li><strong>Practical benefit:<\/strong> Prevent production incidents caused by removing a role that a workload depended on.<\/li>\n<li><strong>Limitations\/caveats:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Simulator scope and supported resources can vary.<\/li>\n<li>Simulation is not a substitute for controlled rollout and monitoring.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Feature 4: Organization-\/folder-\/project-scope analysis (hierarchy-aware)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Helps reason about inheritance across the resource hierarchy.<\/li>\n<li><strong>Why it matters:<\/strong> Many \u201cmystery access\u201d issues are inherited from folders or 
organization-level IAM policies.<\/li>\n<li><strong>Practical benefit:<\/strong> Pinpoint the layer where access is granted.<\/li>\n<li><strong>Limitations\/caveats:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Requires appropriate permissions at the analysis scope.<\/li>\n<li>Some org-level features require an Organization resource.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Feature 5: API access for automation (where available)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Allows programmatic troubleshooting (and sometimes analysis\/simulation) via APIs.<\/li>\n<li><strong>Why it matters:<\/strong> Platform teams often need to integrate access checks into CI\/CD, guardrails, or internal portals.<\/li>\n<li><strong>Practical benefit:<\/strong> Consistent, repeatable checks; easier evidence capture for audits.<\/li>\n<li><strong>Limitations\/caveats:<\/strong>\n<ul class=\"wp-block-list\">\n<li>APIs have quotas and may require additional enablement and IAM roles.<\/li>\n<li>Output formats and fields can evolve\u2014pin to the official reference.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Feature 6: Integration with audit and governance workflows (indirect)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Complements Cloud Audit Logs and change management to support investigation and compliance.<\/li>\n<li><strong>Why it matters:<\/strong> Knowing \u201cwho can\u201d is one side; knowing \u201cwho did and when\u201d requires audit logs.<\/li>\n<li><strong>Practical benefit:<\/strong> Faster incident triage and more complete audit trails.<\/li>\n<li><strong>Limitations\/caveats:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Audit logs are configured separately; retention and sinks may add cost.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">7. 
Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level service architecture<\/h3>\n\n\n\n<p>Policy Intelligence does not sit in the data path of your applications. Instead, it:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Reads\/evaluates IAM policies and hierarchy metadata.<\/li>\n<li>Computes effective access (analysis) or evaluates a specific access tuple (troubleshooting).<\/li>\n<li>Returns results via Console or API.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Request\/data\/control flow<\/h3>\n\n\n\n<p>Common flows:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<p><strong>Policy Analyzer flow (typical):<\/strong><\/p>\n<ol class=\"wp-block-list\">\n<li>You select a scope (project\/folder\/org) and a target (resource or principal).<\/li>\n<li>The analysis backend gathers relevant IAM bindings (and inheritance).<\/li>\n<li>It computes effective access relationships and returns a report of principals\/resources.<\/li>\n<\/ol>\n<\/li>\n<li>\n<p><strong>Policy Troubleshooter flow (typical):<\/strong><\/p>\n<ol class=\"wp-block-list\">\n<li>You provide a principal, a full resource name, and a permission.<\/li>\n<li>The backend evaluates effective permissions based on IAM policies and returns GRANTED \/ NOT_GRANTED (and details).<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Integrations with related services<\/h3>\n\n\n\n<p>Policy Intelligence commonly interacts with:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cloud IAM<\/strong>: roles, permissions, principals, service accounts, bindings, conditions<\/li>\n<li><strong>Cloud Resource Manager<\/strong>: hierarchy and resource metadata<\/li>\n<li><strong>Cloud Asset Inventory<\/strong>: policy analysis at scale (Policy Analyzer commonly relies on it)<\/li>\n<li><strong>Cloud Audit Logs<\/strong>: investigate policy changes and access attempts (separate but complementary)<\/li>\n<li><strong>Security Command Center<\/strong>: posture and findings context (not required but often used together)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Dependency services (conceptual)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>IAM policy storage\/evaluation systems<\/li>\n<li>Resource metadata services (hierarchy resolution)<\/li>\n<li>Analysis and simulation engines<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You access Policy Intelligence through:\n<ul class=\"wp-block-list\">\n<li>Google Cloud Console (authenticated user)<\/li>\n<li>APIs (authenticated via OAuth2 access tokens)<\/li>\n<\/ul>\n<\/li>\n<li><strong>Authorization to run analyses\/troubleshooting<\/strong> is controlled by IAM. You must have permissions to view policies\/resources and call the relevant APIs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Console and API calls are made to Google-managed endpoints over HTTPS.<\/li>\n<li>There is no VPC-attached data plane component to deploy.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>API calls and IAM policy changes are recorded in <strong>Cloud Audit Logs<\/strong> (Admin Activity for policy changes; Data Access depends on service and configuration).<\/li>\n<li>For governance, pair Policy Intelligence with:\n<ul class=\"wp-block-list\">\n<li>IAM policy linting\/reviews in CI<\/li>\n<li>IAM change approvals<\/li>\n<li>Periodic access reviews and reporting<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Simple architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  U[Engineer \/ Security Analyst] --&gt; C[Google Cloud Console\\nPolicy Intelligence]\n  C --&gt; IAM[Cloud IAM\\nPolicies, Roles, Principals]\n  C --&gt; CRM[Cloud Resource Manager\\nOrg\/Folder\/Project Hierarchy]\n  C --&gt; CAI[Cloud Asset Inventory\\nPolicy Analysis Backend]\n  C --&gt; PT[Policy Troubleshooter API]\n  IAM --&gt; PT\n  CRM --&gt; PT\n  IAM --&gt; CAI\n  CRM --&gt; CAI\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  subgraph Org[Google Cloud Organization]\n    F1[Folder: Shared Services]\n    F2[Folder: Prod Apps]\n    P1[Project: security-tools]\n    P2[Project: prod-app-1]\n    P3[Project: prod-data]\n    F1 --&gt; P1\n    F2 --&gt; P2\n    F2 --&gt; P3\n  end\n\n  subgraph Ops[Security &amp; Operations]\n    SIEM[SIEM \/ Case Mgmt]\n    AR[Access Review Process]\n    CICD[CI\/CD Pipelines]\n  end\n\n  subgraph PI[Policy Intelligence]\n    
PA[Policy Analyzer]\n    PTAPI[Policy Troubleshooter API]\n    PSIM[Policy Simulator]\n  end\n\n  subgraph Core[Core Google Cloud Services]\n    IAM[Cloud IAM]\n    CAI[Cloud Asset Inventory]\n    AUD[Cloud Audit Logs]\n  end\n\n  Ops --&gt; PI\n  PI --&gt; IAM\n  PI --&gt; CAI\n  IAM --&gt; AUD\n  CAI --&gt; AUD\n  AUD --&gt; SIEM\n  AR --&gt; PA\n  CICD --&gt; PTAPI\n  CICD --&gt; PSIM\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">8. Prerequisites<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Account\/project requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A Google Cloud account with access to create or use a <strong>Google Cloud project<\/strong>.<\/li>\n<li>For organization-wide analysis, you need a Google Cloud <strong>Organization<\/strong> resource and permissions at org\/folder level (optional for this lab).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions \/ IAM roles<\/h3>\n\n\n\n<p>For the hands-on tutorial, the simplest requirement is:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Project Owner<\/strong> on a test project (recommended for beginners to avoid IAM friction)<\/li>\n<\/ul>\n\n\n\n<p>For real environments, use least privilege. 
Typical permissions you may need include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ability to view IAM policies on the target scope\/resources<\/li>\n<li>Ability to call the Policy Troubleshooter API<\/li>\n<li>Ability to run policy analysis (often through Cloud Asset Inventory permissions)<\/li>\n<\/ul>\n\n\n\n<p>Because roles and permissions can change over time, <strong>verify required roles in official docs<\/strong> for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Policy Troubleshooter<\/li>\n<li>Policy Analyzer \/ analysis APIs<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Billing requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A billing-enabled project is recommended, even if this lab is designed to be low-cost.<\/li>\n<li>Policy Intelligence features themselves often have no direct line-item charges, but enabling and using related services (logging sinks, exports) can incur costs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">CLI\/SDK\/tools needed<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/cloud.google.com\/sdk\/docs\/install\">Google Cloud SDK (<code>gcloud<\/code>)<\/a><\/li>\n<li><code>curl<\/code> (for API calls)<\/li>\n<li>Optional: <code>jq<\/code> for readable JSON output<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Policy Intelligence is not a regional compute service, but availability and feature coverage can vary.<\/li>\n<li>Some resources referenced (like Cloud Storage buckets) require you to choose a location.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas\/limits<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>APIs have request quotas and rate limits.<\/li>\n<li>Analysis scope may be limited by the number of resources, policies, or principals.<\/li>\n<li>Always check quotas and limits in the relevant API documentation (<strong>verify in official docs<\/strong>).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services<\/h3>\n\n\n\n<p>For this lab, you will enable:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Resource Manager API (commonly required for project metadata)<\/li>\n<li>IAM API<\/li>\n<li>Cloud Asset API (for analysis workflows)<\/li>\n<li>Policy Troubleshooter API<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">9. Pricing \/ Cost<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Current pricing model (how costs typically work)<\/h3>\n\n\n\n<p>Policy Intelligence is primarily an analysis\/troubleshooting capability. In many Google Cloud setups:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <strong>Policy Intelligence UI features<\/strong> do not appear as a separately billed product.<\/li>\n<li>Costs, if any, generally come from:\n<ul class=\"wp-block-list\">\n<li><strong>API usage<\/strong> (requests) for supporting APIs<\/li>\n<li><strong>Downstream services<\/strong> you use with it (for example, exporting results to BigQuery, storing reports in Cloud Storage, sending logs to Pub\/Sub)<\/li>\n<li><strong>Operational overhead<\/strong>: audit log retention, log sinks, and analysis automation<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>Because Google Cloud pricing and SKUs can change, treat the following as guidance and <strong>verify in official docs and pricing pages<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing dimensions to consider<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Cost dimension<\/th>\n<th>What drives it<\/th>\n<th>Examples<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>API requests<\/td>\n<td>Number of analysis\/troubleshooting calls<\/td>\n<td>CI jobs calling Troubleshooter repeatedly<\/td>\n<\/tr>\n<tr>\n<td>Logging<\/td>\n<td>Volume of audit\/data logs retained\/exported<\/td>\n<td>Org-wide IAM change monitoring<\/td>\n<\/tr>\n<tr>\n<td>Storage<\/td>\n<td>Where you store reports\/exports<\/td>\n<td>BigQuery datasets, Cloud Storage reports<\/td>\n<\/tr>\n<tr>\n<td>Data transfer<\/td>\n<td>Export destinations and cross-region<\/td>\n<td>Sending logs to another region\/project<\/td>\n<\/tr>\n<tr>\n<td>Human time<\/td>\n<td>Manual investigations and role 
iteration<\/td>\n<td>Troubleshooter reduces this cost<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Free tier (if applicable)<\/h3>\n\n\n\n<p>Some IAM-related and inventory features have generous free usage or no direct charges, but this varies by API and usage type. <strong>Verify in official docs<\/strong> for:\n&#8211; Cloud Asset Inventory pricing (if any)\n&#8211; Policy Troubleshooter API pricing (if any)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Hidden or indirect costs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>BigQuery<\/strong> costs if you export and query access reports.<\/li>\n<li><strong>Cloud Logging<\/strong> costs if you route and retain large volumes of logs beyond free allotments.<\/li>\n<li><strong>Automation loops<\/strong>: calling troubleshooting APIs at high frequency from CI can add request volume.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network\/data transfer implications<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Console\/API calls are control-plane traffic over the public internet to Google APIs (typically negligible).<\/li>\n<li>Exports to other projects\/regions can incur data transfer and storage costs depending on destination.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How to optimize cost<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Avoid running organization-wide analyses at high frequency unless needed.<\/li>\n<li>Cache results for periodic access reviews rather than recalculating constantly.<\/li>\n<li>Use targeted troubleshooting: check only the specific permission needed instead of broad role guessing.<\/li>\n<li>If exporting to BigQuery, partition tables and limit query scan ranges.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate (no fabricated prices)<\/h3>\n\n\n\n<p>A typical beginner lab that:\n&#8211; Enables required APIs\n&#8211; Creates one Cloud Storage bucket and a few IAM bindings\n&#8211; Runs a small 
number of troubleshooting API calls<\/p>\n\n\n\n<p>\u2026usually results in <strong>minimal to negligible<\/strong> cost in most billing accounts. Any cost that does appear is more likely from <strong>Cloud Storage<\/strong> usage (small) and any logging\/export configurations you add.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations<\/h3>\n\n\n\n<p>In production, cost is primarily about scale and automation:\n&#8211; Running access reviews across thousands of resources\n&#8211; Continuous compliance tooling that calls analysis APIs frequently\n&#8211; Large audit log sinks and long retention policies\n&#8211; BigQuery-based reporting and dashboards<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Official pricing references<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Google Cloud Pricing overview: https:\/\/cloud.google.com\/pricing<\/li>\n<li>Pricing calculator: https:\/\/cloud.google.com\/products\/calculator<\/li>\n<li>Policy Intelligence docs (start here): https:\/\/cloud.google.com\/policy-intelligence\/docs<\/li>\n<\/ul>\n\n\n\n<p>For any component-specific pricing (Cloud Asset Inventory, Cloud Logging, BigQuery), consult their official pricing pages.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<p>Create a small, safe Google Cloud environment and use <strong>Policy Intelligence<\/strong> (Policy Troubleshooter and Policy Analyzer workflows) to:\n1. Confirm that one service account <strong>can<\/strong> read objects from a bucket.\n2. Confirm that another service account <strong>cannot<\/strong> read objects from that bucket.\n3. Learn the correct inputs (principal, permission, full resource name) and how to validate results.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will:\n1. 
Create a project (or reuse one), enable APIs, and configure <code>gcloud<\/code>.\n2. Create a Cloud Storage bucket and upload a test object.\n3. Create two service accounts and grant object read access to only one.\n4. Use <strong>Policy Troubleshooter API<\/strong> to evaluate access for each service account.\n5. Use <strong>Policy Analyzer<\/strong> in the Cloud Console to visually confirm bindings (UI workflow).\n6. Clean up resources.<\/p>\n\n\n\n<p>This lab is designed to be low-cost and reversible.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Create or select a project and set variables<\/h3>\n\n\n\n<p>1) In Cloud Shell (recommended) or your terminal, set your project:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud auth login\ngcloud projects list\ngcloud config set project YOUR_PROJECT_ID\n<\/code><\/pre>\n\n\n\n<p>2) Set environment variables used in later steps:<\/p>\n\n\n\n<pre><code class=\"language-bash\">export PROJECT_ID=\"$(gcloud config get-value project)\"\nexport PROJECT_NUMBER=\"$(gcloud projects describe \"$PROJECT_ID\" --format=\"value(projectNumber)\")\"\nexport REGION=\"us-central1\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> <code>PROJECT_ID<\/code> and <code>PROJECT_NUMBER<\/code> are set.<\/p>\n\n\n\n<p><strong>Verification:<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">echo \"$PROJECT_ID\"\necho \"$PROJECT_NUMBER\"\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Enable required APIs<\/h3>\n\n\n\n<p>Enable the APIs commonly used by Policy Intelligence workflows:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud services enable \\\n  cloudresourcemanager.googleapis.com \\\n  iam.googleapis.com \\\n  cloudasset.googleapis.com \\\n  policytroubleshooter.googleapis.com\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> APIs enable 
successfully.<\/p>\n\n\n\n<p><strong>Verification:<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud services list --enabled --format=\"value(config.name)\" | grep -E \\\n  \"cloudresourcemanager|iam|cloudasset|policytroubleshooter\"\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Create a Cloud Storage bucket and upload a test object<\/h3>\n\n\n\n<p>1) Create a unique bucket name:<\/p>\n\n\n\n<pre><code class=\"language-bash\">export BUCKET_NAME=\"${PROJECT_ID}-pi-lab-$(date +%s)\"\n<\/code><\/pre>\n\n\n\n<p>2) Create the bucket (choose a location that matches your requirements):<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud storage buckets create \"gs:\/\/${BUCKET_NAME}\" --location=\"${REGION}\"\n<\/code><\/pre>\n\n\n\n<p>3) Upload a test file:<\/p>\n\n\n\n<pre><code class=\"language-bash\">echo \"policy-intelligence-lab\" &gt; test.txt\ngcloud storage cp test.txt \"gs:\/\/${BUCKET_NAME}\/test.txt\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> Bucket exists and contains <code>test.txt<\/code>.<\/p>\n\n\n\n<p><strong>Verification:<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud storage ls \"gs:\/\/${BUCKET_NAME}\"\ngcloud storage ls \"gs:\/\/${BUCKET_NAME}\/test.txt\"\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Create two service accounts (one allowed, one denied)<\/h3>\n\n\n\n<p>1) Create two service accounts:<\/p>\n\n\n\n<pre><code class=\"language-bash\">export SA_ALLOWED=\"sa-allowed\"\nexport SA_DENIED=\"sa-denied\"\n\ngcloud iam service-accounts create \"${SA_ALLOWED}\" \\\n  --display-name=\"Policy Intelligence Lab - Allowed\"\n\ngcloud iam service-accounts create \"${SA_DENIED}\" \\\n  --display-name=\"Policy Intelligence Lab - Denied\"\n<\/code><\/pre>\n\n\n\n<p>2) Capture their emails:<\/p>\n\n\n\n<pre><code class=\"language-bash\">export 
SA_ALLOWED_EMAIL=\"${SA_ALLOWED}@${PROJECT_ID}.iam.gserviceaccount.com\"\nexport SA_DENIED_EMAIL=\"${SA_DENIED}@${PROJECT_ID}.iam.gserviceaccount.com\"\n\necho \"$SA_ALLOWED_EMAIL\"\necho \"$SA_DENIED_EMAIL\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> Two service accounts exist.<\/p>\n\n\n\n<p><strong>Verification:<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud iam service-accounts list --filter=\"email:${PROJECT_ID}.iam.gserviceaccount.com\" \\\n  --format=\"table(email,displayName)\"\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Grant object read access on the bucket to only the allowed service account<\/h3>\n\n\n\n<p>Grant <code>roles\/storage.objectViewer<\/code> on the bucket to <code>sa-allowed<\/code>:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud storage buckets add-iam-policy-binding \"gs:\/\/${BUCKET_NAME}\" \\\n  --member=\"serviceAccount:${SA_ALLOWED_EMAIL}\" \\\n  --role=\"roles\/storage.objectViewer\"\n<\/code><\/pre>\n\n\n\n<p>Do <strong>not<\/strong> grant anything to <code>sa-denied<\/code>.<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> <code>sa-allowed<\/code> can read objects in the bucket; <code>sa-denied<\/code> cannot.<\/p>\n\n\n\n<p><strong>Verification (view bucket IAM policy):<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud storage buckets get-iam-policy \"gs:\/\/${BUCKET_NAME}\"\n<\/code><\/pre>\n\n\n\n<p>Look for a binding like:\n&#8211; role: <code>roles\/storage.objectViewer<\/code>\n&#8211; member: <code>serviceAccount:sa-allowed@...<\/code><\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Use Policy Troubleshooter API to evaluate access (programmatic)<\/h3>\n\n\n\n<p>Policy Troubleshooter evaluates an <strong>access tuple<\/strong>:\n&#8211; <code>principal<\/code> (who)\n&#8211; <code>fullResourceName<\/code> (what resource)\n&#8211; <code>permission<\/code> (what 
action)<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">6.1 Determine the permission and full resource name<\/h4>\n\n\n\n<p>For reading a Cloud Storage object, a common permission is:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>storage.objects.get<\/code><\/li>\n<\/ul>\n\n\n\n<p>For <code>fullResourceName<\/code>, Google APIs often use a double-slash format. For Cloud Storage, the canonical \u201cfull resource name\u201d format used by some APIs can differ across products and versions.<\/p>\n\n\n\n<p>To avoid guessing incorrectly:\n&#8211; Prefer the <strong>Policy Troubleshooter UI<\/strong> for resource selection, or\n&#8211; Use the latest official docs to confirm the correct <code>fullResourceName<\/code> format for Cloud Storage objects\/buckets in Policy Troubleshooter (<strong>verify in official docs<\/strong>).<\/p>\n\n\n\n<p>That said, a commonly used pattern for Cloud Storage resources in Google APIs is:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Bucket: <code>\/\/storage.googleapis.com\/projects\/_\/buckets\/BUCKET_NAME<\/code><\/li>\n<li>Object: <code>\/\/storage.googleapis.com\/projects\/_\/buckets\/BUCKET_NAME\/objects\/OBJECT_NAME<\/code><\/li>\n<\/ul>\n\n\n\n<p>Set the full resource name for the object:<\/p>\n\n\n\n<pre><code class=\"language-bash\">export OBJECT_NAME=\"test.txt\"\nexport FULL_RESOURCE_NAME=\"\/\/storage.googleapis.com\/projects\/_\/buckets\/${BUCKET_NAME}\/objects\/${OBJECT_NAME}\"\necho \"$FULL_RESOURCE_NAME\"\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">6.2 Call the API for the allowed service account<\/h4>\n\n\n\n<pre><code class=\"language-bash\">ACCESS_TOKEN=\"$(gcloud auth print-access-token)\"\n\ncurl -s -X POST \\\n  -H \"Authorization: Bearer ${ACCESS_TOKEN}\" \\\n  -H \"Content-Type: application\/json\" \\\n  \"https:\/\/policytroubleshooter.googleapis.com\/v1\/iam:troubleshoot\" \\\n  -d \"{\n    \\\"accessTuple\\\": {\n      \\\"principal\\\": \\\"serviceAccount:${SA_ALLOWED_EMAIL}\\\",\n      
\\\"fullResourceName\\\": \\\"${FULL_RESOURCE_NAME}\\\",\n      \\\"permission\\\": \\\"storage.objects.get\\\"\n    }\n  }\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> The response indicates access is <strong>GRANTED<\/strong> (field names may vary). If you see <code>GRANTED<\/code>, the allowed service account has read access.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">6.3 Call the API for the denied service account<\/h4>\n\n\n\n<pre><code class=\"language-bash\">curl -s -X POST \\\n  -H \"Authorization: Bearer ${ACCESS_TOKEN}\" \\\n  -H \"Content-Type: application\/json\" \\\n  \"https:\/\/policytroubleshooter.googleapis.com\/v1\/iam:troubleshoot\" \\\n  -d \"{\n    \\\"accessTuple\\\": {\n      \\\"principal\\\": \\\"serviceAccount:${SA_DENIED_EMAIL}\\\",\n      \\\"fullResourceName\\\": \\\"${FULL_RESOURCE_NAME}\\\",\n      \\\"permission\\\": \\\"storage.objects.get\\\"\n    }\n  }\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> The response indicates access is <strong>NOT_GRANTED<\/strong>.<\/p>\n\n\n\n<blockquote>\n<p>If either call returns an error about invalid resource name or permission, jump to <strong>Troubleshooting<\/strong> below. Resource naming is the most common issue when using the API directly.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 7: Use Policy Analyzer (Console workflow) to confirm who has access<\/h3>\n\n\n\n<p>This step uses the Google Cloud Console UI. 
UI navigation can shift; if labels differ, <strong>verify in official docs<\/strong>.<\/p>\n\n\n\n<p>1) Go to <strong>Google Cloud Console<\/strong>.\n2) Navigate to <strong>IAM &amp; Admin<\/strong> \u2192 <strong>Policy Intelligence<\/strong>.\n3) Open <strong>Policy Analyzer<\/strong>.\n4) Set the scope to your project (or the resource).\n5) Analyze access to the bucket and\/or object (depending on what the UI supports).\n6) Confirm you can see that <code>sa-allowed@...<\/code> has <code>roles\/storage.objectViewer<\/code> on the bucket.<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> You can visually trace:\n&#8211; which principal has access\n&#8211; which policy binding granted it\n&#8211; whether it was direct on the bucket or inherited<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>Use these checks to confirm everything worked:<\/p>\n\n\n\n<p>1) Bucket has the IAM binding:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud storage buckets get-iam-policy \"gs:\/\/${BUCKET_NAME}\" \\\n  --format=\"json\" | sed -n '1,200p'\n<\/code><\/pre>\n\n\n\n<p>2) Policy Troubleshooter API shows:\n&#8211; <code>sa-allowed<\/code> \u2192 GRANTED for <code>storage.objects.get<\/code>\n&#8211; <code>sa-denied<\/code> \u2192 NOT_GRANTED for <code>storage.objects.get<\/code><\/p>\n\n\n\n<p>3) Policy Analyzer UI shows the binding and access path.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Issue: <code>PERMISSION_DENIED<\/code> calling the Policy Troubleshooter API<\/h4>\n\n\n\n<p><strong>Symptoms:<\/strong> API returns 403 for your user.<\/p>\n\n\n\n<p><strong>Likely causes and fixes:<\/strong>\n&#8211; Your identity doesn\u2019t have permissions to troubleshoot policies in this project.\n  &#8211; Fix: Run the lab with a project where you have Owner, or ask for the documented Policy Troubleshooter 
roles.\n&#8211; API is not enabled.\n  &#8211; Fix: Re-run Step 2.\n&#8211; You are authenticated with the wrong account.\n  &#8211; Fix: <code>gcloud auth list<\/code> and <code>gcloud config set account<\/code>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Issue: <code>INVALID_ARGUMENT<\/code> or \u201cresource name not recognized\u201d<\/h4>\n\n\n\n<p><strong>Symptoms:<\/strong> API call fails due to <code>fullResourceName<\/code>.<\/p>\n\n\n\n<p><strong>Likely causes and fixes:<\/strong>\n&#8211; The <code>fullResourceName<\/code> format differs for the resource type.\n  &#8211; Fix: Confirm the correct full resource name format in the latest Policy Troubleshooter docs for that resource type (<strong>verify in official docs<\/strong>).\n&#8211; You may need to troubleshoot against the <strong>bucket<\/strong> resource rather than the <strong>object<\/strong> resource (depending on what the API supports for Cloud Storage).\n  &#8211; Try the bucket format: <code>export FULL_RESOURCE_NAME=\"\/\/storage.googleapis.com\/projects\/_\/buckets\/${BUCKET_NAME}\"<\/code>\n  &#8211; Then re-run the troubleshoot call.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Issue: You used a role name instead of a permission name<\/h4>\n\n\n\n<p><strong>Symptoms:<\/strong> You entered <code>roles\/storage.objectViewer<\/code> into the <code>permission<\/code> field.<\/p>\n\n\n\n<p><strong>Fix:<\/strong> Use a permission like <code>storage.objects.get<\/code>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Issue: Results are unexpected due to inheritance<\/h4>\n\n\n\n<p><strong>Symptoms:<\/strong> Denied identity is still GRANTED.<\/p>\n\n\n\n<p><strong>Fix:<\/strong> Check if the denied identity is in a group with access, or has an inherited role at the project\/folder\/org level.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>Delete resources to avoid ongoing cost:<\/p>\n\n\n\n<p>1) Remove the bucket and its 
contents:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud storage rm -r \"gs:\/\/${BUCKET_NAME}\"\n<\/code><\/pre>\n\n\n\n<p>2) Delete the service accounts:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud iam service-accounts delete \"${SA_ALLOWED_EMAIL}\" --quiet\ngcloud iam service-accounts delete \"${SA_DENIED_EMAIL}\" --quiet\n<\/code><\/pre>\n\n\n\n<p>3) Optionally disable APIs (usually not necessary, but possible in strict environments):<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud services disable policytroubleshooter.googleapis.com --quiet\ngcloud services disable cloudasset.googleapis.com --quiet\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> No lab resources remain.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">11. Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Design IAM by hierarchy<\/strong>: Put shared access at folder level; keep resource-level exceptions minimal.<\/li>\n<li><strong>Prefer groups over individuals<\/strong>: Bind roles to Google Groups (or Cloud Identity groups) to simplify reviews.<\/li>\n<li><strong>Use separate projects for environments<\/strong>: Dev\/test\/prod separation reduces blast radius.<\/li>\n<li><strong>Minimize primitive roles<\/strong>: Avoid <code>Owner\/Editor\/Viewer<\/code> except where justified; prefer predefined or custom roles.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Least privilege<\/strong>: Use Policy Analyzer to locate broad roles and reduce them.<\/li>\n<li><strong>Use service accounts correctly<\/strong>: One workload identity per workload; avoid shared service accounts across unrelated apps.<\/li>\n<li><strong>Avoid long-lived keys<\/strong>: Prefer Workload Identity Federation where possible.<\/li>\n<li><strong>Use IAM Conditions 
carefully<\/strong>: Add conditions only when you can test them; keep expressions readable and versioned.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Don\u2019t run large, continuous org-wide analyses without a reason.<\/li>\n<li>If exporting results to BigQuery:<ul>\n<li>partition tables<\/li>\n<li>apply retention<\/li>\n<li>optimize queries to reduce scan costs<\/li>\n<\/ul>\n<\/li>\n<li>Keep Cloud Logging sinks targeted (filter aggressively).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Prefer targeted troubleshooting calls rather than bulk checks.<\/li>\n<li>If integrating into CI\/CD, rate-limit and cache where sensible.<\/li>\n<li>Use batching patterns where supported by APIs (not all tools support batching\u2014<strong>verify in official docs<\/strong>).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Treat IAM changes like production changes:<ul>\n<li>code review<\/li>\n<li>change windows<\/li>\n<li>rollback plans<\/li>\n<\/ul>\n<\/li>\n<li>Use the simulator (when available) and canary rollouts for IAM modifications.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Centralize IAM investigations:<ul>\n<li>Document the \u201caccess investigation runbook\u201d (Analyzer \u2192 Troubleshooter \u2192 Audit Logs)<\/li>\n<\/ul>\n<\/li>\n<li>Standardize naming:<ul>\n<li>service accounts: <code>sa-&lt;app&gt;-&lt;env&gt;-&lt;purpose&gt;<\/code><\/li>\n<li>groups: <code>gcp-&lt;team&gt;-&lt;env&gt;-&lt;role&gt;<\/code><\/li>\n<\/ul>\n<\/li>\n<li>Automate periodic access reviews for critical projects.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance\/tagging\/naming best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use labels\/tags at project level to scope reviews (for example, 
<code>env=prod<\/code>, <code>data_class=restricted<\/code>).<\/li>\n<li>Maintain an inventory of \u201ccrown jewel\u201d resources and regularly analyze access to them.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">12. Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Policy Intelligence access is governed by IAM:<ul>\n<li>Who can run analyses or troubleshoot is controlled by roles\/permissions.<\/li>\n<\/ul>\n<\/li>\n<li>Treat analysis outputs as sensitive:<ul>\n<li>Access reports reveal security posture and who has access to what.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Policy Intelligence uses Google-managed control-plane services; data is handled within Google Cloud\u2019s security model.<\/li>\n<li>Any exports you create (BigQuery, Cloud Storage) must be protected with:<ul>\n<li>CMEK where required<\/li>\n<li>least-privilege IAM<\/li>\n<li>retention controls<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Access occurs via Google APIs over HTTPS.<\/li>\n<li>If your organization restricts API access, consider:<ul>\n<li>VPC Service Controls (for supported services)<\/li>\n<li>organization policy constraints<\/li>\n<li>egress controls and proxy policies<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Do not store access tokens or service account keys in scripts.<\/li>\n<li>Use <code>gcloud auth print-access-token<\/code> only in controlled environments (like Cloud Shell).<\/li>\n<li>Prefer short-lived credentials and workload identity.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ensure IAM Admin Activity logs are retained appropriately.<\/li>\n<li>For 
investigations:<ul>\n<li>correlate Troubleshooter results with IAM policy change history<\/li>\n<li>verify when bindings changed and by whom<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<p>Policy Intelligence supports compliance goals by providing:\n&#8211; Visibility into access paths (supports least-privilege controls)\n&#8211; Repeatable evidence for access review processes<\/p>\n\n\n\n<p>However, compliance usually requires additional controls:\n&#8211; ticketing approvals\n&#8211; documented access review sign-off\n&#8211; separation of duties\n&#8211; retention and immutable logging (as applicable)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Using Policy Intelligence results as the only source of truth without checking:<ul>\n<li>resource-specific ACLs (where applicable)<\/li>\n<li>application-layer authorization<\/li>\n<li>external identity providers and group membership<\/li>\n<\/ul>\n<\/li>\n<li>Granting broad permissions to run org-wide analysis without need-to-know<\/li>\n<li>Exporting reports to unsecured buckets\/datasets<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Restrict Policy Intelligence usage to security\/platform roles.<\/li>\n<li>Use separate \u201csecurity tooling\u201d projects for exports and dashboards.<\/li>\n<li>Use access boundaries:<ul>\n<li>scoped groups<\/li>\n<li>conditional access (where applicable)<\/li>\n<li>VPC Service Controls for sensitive data services (verify applicability)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">13. Limitations and Gotchas<\/h2>\n\n\n\n<blockquote>\n<p>These are common real-world pitfalls. 
For definitive, up-to-date limitations, <strong>verify in official docs<\/strong>.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Known limitations (typical)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Resource coverage varies<\/strong>: Not every Google Cloud resource type or permission is supported equally for analysis\/troubleshooting\/simulation.<\/li>\n<li><strong>Full resource name formats are strict<\/strong>: The Policy Troubleshooter API requires correct formatting; mistakes lead to <code>INVALID_ARGUMENT<\/code>.<\/li>\n<li><strong>Group membership and identity sources<\/strong>: Effective access may depend on group membership; ensure you account for identity provider sync and nested groups (behavior depends on your setup).<\/li>\n<li><strong>Conditions can complicate interpretation<\/strong>: Conditional bindings may evaluate differently depending on context attributes and time.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>API quotas and rate limits apply.<\/li>\n<li>Organization-wide analyses can hit limits faster than project-scoped checks.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Regional constraints<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Not regional in the compute sense, but some products have region-specific behaviors. 
Always validate for regulated environments.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing surprises<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Automation that calls APIs frequently can drive request volume.<\/li>\n<li>Exporting to BigQuery and running large scans can generate cost.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compatibility issues<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Some authorization behaviors depend on the target service (Cloud Storage vs BigQuery vs Pub\/Sub).<\/li>\n<li>IAM Deny policies and other advanced policy types may have specific behaviors in tools\u2014<strong>verify in official docs<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational gotchas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Troubleshooting \u201cwhy denied\u201d sometimes requires checking:<ul>\n<li>whether the service account is actually the caller<\/li>\n<li>whether the workload uses impersonation<\/li>\n<li>whether the permission is correct for the API method being called<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Migration challenges<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Moving projects between folders can change inherited access drastically; always run analysis before and after.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Vendor-specific nuances (Google Cloud)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>IAM is hierarchical and inheritance is central.<\/li>\n<li>Some services also have resource-specific access models; always validate end-to-end.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">14. Comparison with Alternatives<\/h2>\n\n\n\n<p>Policy Intelligence is purpose-built for IAM policy understanding and troubleshooting. 
It complements\u2014but does not replace\u2014other security and governance tools.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Comparison table<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Policy Intelligence (Google Cloud)<\/strong><\/td>\n<td>IAM access analysis, troubleshooting, simulation<\/td>\n<td>Purpose-built for IAM questions; integrates with Google Cloud hierarchy and IAM evaluation<\/td>\n<td>Coverage varies by resource\/tool; requires correct resource naming and permissions<\/td>\n<td>When you need \u201cwho has access?\u201d, \u201cwhy denied?\u201d, \u201cwhat if I change policy?\u201d<\/td>\n<\/tr>\n<tr>\n<td><strong>Cloud Asset Inventory (Google Cloud)<\/strong><\/td>\n<td>Inventory and search of assets and IAM policies<\/td>\n<td>Powerful org-wide inventory; supports exports<\/td>\n<td>Inventory\/search is not always a direct \u201cpermission decision\u201d tool<\/td>\n<td>When you need inventory + reporting at scale; pair with Policy Intelligence<\/td>\n<\/tr>\n<tr>\n<td><strong>IAM Recommender \/ Active Assist (Google Cloud)<\/strong><\/td>\n<td>Rightsizing permissions<\/td>\n<td>Suggests least-privilege changes based on usage<\/td>\n<td>Not a troubleshooting tool; recommendations require validation<\/td>\n<td>When optimizing permissions continuously<\/td>\n<\/tr>\n<tr>\n<td><strong>Security Command Center (Google Cloud)<\/strong><\/td>\n<td>Security posture management<\/td>\n<td>Central findings, misconfigurations, threat detection integrations<\/td>\n<td>Not focused on explaining individual IAM decisions<\/td>\n<td>When you want a broader security platform; use Policy Intelligence for IAM deep dives<\/td>\n<\/tr>\n<tr>\n<td><strong>AWS IAM Access Analyzer (AWS)<\/strong><\/td>\n<td>Analyze access in AWS IAM<\/td>\n<td>Good for AWS policy analysis and resource 
sharing<\/td>\n<td>AWS-specific; different model<\/td>\n<td>Multi-cloud orgs: use equivalent per-cloud tools<\/td>\n<\/tr>\n<tr>\n<td><strong>Azure \u201cWhat If\u201d \/ Access Reviews (Azure)<\/strong><\/td>\n<td>Azure authorization change impact and governance<\/td>\n<td>Strong governance workflows in Azure ecosystem<\/td>\n<td>Azure-specific<\/td>\n<td>Choose for Azure environments<\/td>\n<\/tr>\n<tr>\n<td><strong>Open Policy Agent (OPA) \/ Policy-as-code<\/strong><\/td>\n<td>Custom policy enforcement logic<\/td>\n<td>Highly flexible; works across environments<\/td>\n<td>Requires engineering effort; not IAM-native<\/td>\n<td>Choose when you need custom controls beyond cloud IAM<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">15. Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example: regulated data platform with shared services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A large enterprise runs a data platform in Google Cloud with multiple business units. 
Auditors require proof that only approved groups can access restricted datasets and storage buckets.<\/li>\n<li><strong>Proposed architecture:<\/strong><ul>\n<li>Organization with folders per business unit and environment<\/li>\n<li>Central IAM governance group managing folder-level bindings<\/li>\n<li>Policy Intelligence used for:<ul>\n<li>periodic access reviews (Analyzer)<\/li>\n<li>troubleshooting access incidents (Troubleshooter)<\/li>\n<li>validating IAM refactors before rollout (Simulator where available)<\/li>\n<\/ul>\n<\/li>\n<li>Cloud Audit Logs routed to a centralized logging project for retention and investigations<\/li>\n<\/ul>\n<\/li>\n<li><strong>Why Policy Intelligence was chosen:<\/strong><ul>\n<li>It interprets IAM with hierarchy inheritance and returns practical answers.<\/li>\n<li>It reduces manual policy reviews and supports repeatable audit evidence workflows.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Expected outcomes:<\/strong><ul>\n<li>Faster audits (clear evidence of effective access)<\/li>\n<li>Reduced over-permissioning<\/li>\n<li>Lower incident MTTR for access problems<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example: SaaS with strict least privilege<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A startup runs production on Google Cloud with a small team and frequent deployments. 
They want to remove primitive roles and avoid breaking CI\/CD.<\/li>\n<li><strong>Proposed architecture:<\/strong><ul>\n<li>Separate projects: <code>dev<\/code>, <code>staging<\/code>, <code>prod<\/code><\/li>\n<li>Service accounts per workload and per pipeline<\/li>\n<li>Policy Intelligence used for:<ul>\n<li>troubleshooting pipeline 403 errors quickly<\/li>\n<li>verifying that only the intended service account can read a production bucket<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>Why Policy Intelligence was chosen:<\/strong><ul>\n<li>Minimal overhead; direct answers to permission questions.<\/li>\n<li>Fits a small team that can\u2019t maintain custom IAM analysis tooling.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Expected outcomes:<\/strong><ul>\n<li>Safer IAM changes<\/li>\n<li>More predictable deployments<\/li>\n<li>Improved security posture without slowing delivery<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1) What is Policy Intelligence in Google Cloud?<\/h3>\n\n\n\n<p>Policy Intelligence is a set of Google Cloud Security tools that helps analyze, troubleshoot, and simulate IAM access so you can understand who has access and why.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2) Is Policy Intelligence the same as Organization Policy Service?<\/h3>\n\n\n\n<p>No. Organization Policy Service enforces organization constraints (like restricting external IPs). Policy Intelligence focuses on understanding and troubleshooting access policies, mainly IAM.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3) Does Policy Intelligence change my policies automatically?<\/h3>\n\n\n\n<p>No. It helps you analyze and evaluate. You still apply IAM changes through IAM policy updates (Console, <code>gcloud<\/code>, Terraform, etc.).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4) Do I need an Organization to use Policy Intelligence?<\/h3>\n\n\n\n<p>Not necessarily. 
Many workflows can be used at the project level. Organization-wide analysis typically requires an Organization and appropriate permissions.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5) Can Policy Intelligence tell me why a user got <code>403<\/code>?<\/h3>\n\n\n\n<p>Often yes\u2014Policy Troubleshooter can evaluate whether the principal has the required permission on the resource and provide reasoning, depending on the case and service.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">6) What input does Policy Troubleshooter require?<\/h3>\n\n\n\n<p>Typically: principal, permission, and the resource\u2019s full resource name. Exact formats and supported resource types should be verified in official docs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">7) What\u2019s the difference between a role and a permission?<\/h3>\n\n\n\n<p>A <strong>role<\/strong> is a bundle of <strong>permissions<\/strong>. Troubleshooter evaluates a single permission; Analyzer often reasons about bindings\/roles that grant permissions.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">8) Can I use Policy Intelligence for Kubernetes RBAC?<\/h3>\n\n\n\n<p>Not directly. It\u2019s designed for Google Cloud IAM policies. Kubernetes RBAC is separate (though GKE integrates with IAM in some ways).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">9) Does it support IAM Conditions?<\/h3>\n\n\n\n<p>Policy tools can account for conditional bindings, but behavior and explanations vary. Always test conditions and verify with official documentation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">10) Does Policy Intelligence cover service account impersonation scenarios?<\/h3>\n\n\n\n<p>It can help analyze effective permissions, but impersonation introduces additional layers (who can impersonate whom). 
You may need to troubleshoot both impersonation permissions and target permissions.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">11) Can I automate access checks in CI\/CD?<\/h3>\n\n\n\n<p>Yes, commonly via APIs like Policy Troubleshooter where appropriate. Be mindful of quotas and avoid excessive calls.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">12) Why do I get <code>INVALID_ARGUMENT<\/code> from the Troubleshooter API?<\/h3>\n\n\n\n<p>Usually due to an incorrect <code>fullResourceName<\/code> format or unsupported resource type\/permission combination.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">13) Is Policy Intelligence free?<\/h3>\n\n\n\n<p>Often there is no separate line-item billing for the UI, but costs may come from API usage and downstream services (Logging\/BigQuery exports). Verify current pricing in official sources.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">14) Does Policy Analyzer show inherited access?<\/h3>\n\n\n\n<p>That is one of its key values: it helps you understand access granted through hierarchy inheritance, depending on the scope and resource coverage.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">15) Should I rely only on Policy Intelligence for access governance?<\/h3>\n\n\n\n<p>No. Use it alongside:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>IAM best practices (groups, least privilege)<\/li>\n<li>audit logs and change management<\/li>\n<li>periodic reviews and approvals<\/li>\n<li>service-specific security controls<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">17. 
Top Online Resources to Learn Policy Intelligence<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official documentation<\/td>\n<td>Policy Intelligence docs \u2014 https:\/\/cloud.google.com\/policy-intelligence\/docs<\/td>\n<td>Primary entry point; explains Analyzer\/Troubleshooter\/Simulator concepts and how to use them<\/td>\n<\/tr>\n<tr>\n<td>Official documentation<\/td>\n<td>Policy Troubleshooter overview \u2014 https:\/\/cloud.google.com\/policy-intelligence\/docs\/troubleshooter-overview<\/td>\n<td>Explains troubleshooting workflow and expected outputs<\/td>\n<\/tr>\n<tr>\n<td>Official API reference<\/td>\n<td>Policy Troubleshooter API (REST) \u2014 https:\/\/cloud.google.com\/policy-intelligence\/docs\/reference\/policytroubleshooter\/rest<\/td>\n<td>Authoritative API methods, request\/response fields, and formats<\/td>\n<\/tr>\n<tr>\n<td>Official documentation<\/td>\n<td>Policy Analyzer overview \u2014 https:\/\/cloud.google.com\/policy-intelligence\/docs\/policy-analyzer-overview<\/td>\n<td>Explains analysis use cases and scope<\/td>\n<\/tr>\n<tr>\n<td>Official documentation<\/td>\n<td>Cloud IAM overview \u2014 https:\/\/cloud.google.com\/iam\/docs\/overview<\/td>\n<td>Required IAM fundamentals: roles, permissions, policies, principals<\/td>\n<\/tr>\n<tr>\n<td>Official documentation<\/td>\n<td>Cloud Asset Inventory docs \u2014 https:\/\/cloud.google.com\/asset-inventory\/docs<\/td>\n<td>Useful for org-wide inventory and analysis patterns used by Policy Analyzer<\/td>\n<\/tr>\n<tr>\n<td>Official documentation<\/td>\n<td>Cloud Audit Logs \u2014 https:\/\/cloud.google.com\/logging\/docs\/audit<\/td>\n<td>Essential for tracing when policies changed and by whom<\/td>\n<\/tr>\n<tr>\n<td>Pricing<\/td>\n<td>Google Cloud Pricing \u2014 https:\/\/cloud.google.com\/pricing<\/td>\n<td>High-level pricing 
reference<\/td>\n<\/tr>\n<tr>\n<td>Pricing<\/td>\n<td>Pricing Calculator \u2014 https:\/\/cloud.google.com\/products\/calculator<\/td>\n<td>Estimate indirect costs (Logging, BigQuery, Storage)<\/td>\n<\/tr>\n<tr>\n<td>Tutorials\/labs<\/td>\n<td>Google Cloud Skills Boost \u2014 https:\/\/www.cloudskillsboost.google<\/td>\n<td>Hands-on labs (search for IAM, policy analysis, troubleshooting)<\/td>\n<\/tr>\n<tr>\n<td>Videos<\/td>\n<td>Google Cloud Tech (YouTube) \u2014 https:\/\/www.youtube.com\/googlecloudtech<\/td>\n<td>Architecture and product walkthroughs; search for IAM and policy troubleshooting<\/td>\n<\/tr>\n<tr>\n<td>Community (reputable)<\/td>\n<td>Google Cloud Architecture Center \u2014 https:\/\/cloud.google.com\/architecture<\/td>\n<td>Patterns for governance, landing zones, and security design (Policy Intelligence is often part of operations)<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">18. Training and Certification Providers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Institute<\/th>\n<th>Suitable Audience<\/th>\n<th>Likely Learning Focus<\/th>\n<th>Mode<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps, SRE, platform engineers, cloud engineers<\/td>\n<td>Google Cloud operations, DevOps practices, security\/IAM fundamentals (verify course listings)<\/td>\n<td>check website<\/td>\n<td>https:\/\/www.devopsschool.com<\/td>\n<\/tr>\n<tr>\n<td>ScmGalaxy.com<\/td>\n<td>Beginners to intermediate engineers<\/td>\n<td>DevOps tooling, cloud basics, process and governance topics (verify course listings)<\/td>\n<td>check website<\/td>\n<td>https:\/\/www.scmgalaxy.com<\/td>\n<\/tr>\n<tr>\n<td>CloudOpsNow.in<\/td>\n<td>Cloud operations teams<\/td>\n<td>Cloud ops practices, monitoring, security fundamentals (verify course listings)<\/td>\n<td>check 
website<\/td>\n<td>https:\/\/www.cloudopsnow.in<\/td>\n<\/tr>\n<tr>\n<td>SreSchool.com<\/td>\n<td>SREs and reliability-focused engineers<\/td>\n<td>SRE practices, reliability engineering, cloud operations (verify course listings)<\/td>\n<td>check website<\/td>\n<td>https:\/\/www.sreschool.com<\/td>\n<\/tr>\n<tr>\n<td>AiOpsSchool.com<\/td>\n<td>Ops teams adopting AIOps<\/td>\n<td>AIOps concepts, operations automation, monitoring practices (verify course listings)<\/td>\n<td>check website<\/td>\n<td>https:\/\/www.aiopsschool.com<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">19. Top Trainers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Platform\/Site<\/th>\n<th>Likely Specialization<\/th>\n<th>Suitable Audience<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>RajeshKumar.xyz<\/td>\n<td>DevOps\/cloud training content (verify current offerings)<\/td>\n<td>Individuals and teams seeking practical DevOps guidance<\/td>\n<td>https:\/\/rajeshkumar.xyz<\/td>\n<\/tr>\n<tr>\n<td>devopstrainer.in<\/td>\n<td>DevOps coaching and training (verify current offerings)<\/td>\n<td>Beginners to intermediate DevOps learners<\/td>\n<td>https:\/\/www.devopstrainer.in<\/td>\n<\/tr>\n<tr>\n<td>devopsfreelancer.com<\/td>\n<td>Freelance DevOps guidance (verify current offerings)<\/td>\n<td>Teams needing short-term coaching\/support<\/td>\n<td>https:\/\/www.devopsfreelancer.com<\/td>\n<\/tr>\n<tr>\n<td>devopssupport.in<\/td>\n<td>DevOps support and enablement (verify current offerings)<\/td>\n<td>Teams needing operational support and knowledge transfer<\/td>\n<td>https:\/\/www.devopssupport.in<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">20. 
Top Consulting Companies<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Company<\/th>\n<th>Likely Service Area<\/th>\n<th>Where They May Help<\/th>\n<th>Consulting Use Case Examples<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>cotocus.com<\/td>\n<td>Cloud\/DevOps consulting (verify current offerings)<\/td>\n<td>Cloud architecture, DevOps implementation, operational practices<\/td>\n<td>IAM governance process design; CI\/CD hardening; cloud security reviews<\/td>\n<td>https:\/\/www.cotocus.com<\/td>\n<\/tr>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps and cloud consulting\/training (verify current offerings)<\/td>\n<td>Platform engineering, DevOps transformation, skill enablement<\/td>\n<td>Building IAM least-privilege rollout plans; operational runbooks for access troubleshooting<\/td>\n<td>https:\/\/www.devopsschool.com<\/td>\n<\/tr>\n<tr>\n<td>DEVOPSCONSULTING.IN<\/td>\n<td>DevOps consulting services (verify current offerings)<\/td>\n<td>DevOps process, tooling, cloud operations<\/td>\n<td>Incident response process improvements; access governance automation guidance<\/td>\n<td>https:\/\/www.devopsconsulting.in<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">21. 
Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before Policy Intelligence<\/h3>\n\n\n\n<p>To use Policy Intelligence effectively, learn:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Google Cloud resource hierarchy: organization, folders, projects<\/li>\n<li>Cloud IAM fundamentals:<ul>\n<li>principals (users, groups, service accounts)<\/li>\n<li>roles vs permissions<\/li>\n<li>IAM policy bindings and inheritance<\/li>\n<\/ul>\n<\/li>\n<li>Cloud Audit Logs basics (who changed what, when)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after Policy Intelligence<\/h3>\n\n\n\n<p>To become strong in cloud security operations and governance:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>IAM Conditions (and safe testing patterns)<\/li>\n<li>Custom roles and least-privilege design<\/li>\n<li>Service account impersonation and Workload Identity Federation<\/li>\n<li>Security Command Center and org-wide posture management<\/li>\n<li>Policy-as-code pipelines (Terraform + review\/approval workflows)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Security Engineer \/ IAM Engineer<\/li>\n<li>Platform Engineer \/ Cloud Architect<\/li>\n<li>SRE \/ DevOps Engineer (troubleshooting and guardrails)<\/li>\n<li>Governance, Risk, and Compliance (GRC) analyst (with technical support)<\/li>\n<li>Cloud Operations Engineer<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (if available)<\/h3>\n\n\n\n<p>Policy Intelligence is not typically a standalone certification topic, but it is relevant to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Associate Cloud Engineer (IAM basics)<\/li>\n<li>Professional Cloud Security Engineer (IAM governance, incident response)<\/li>\n<li>Professional Cloud Architect (architecture and governance)<\/li>\n<\/ul>\n\n\n\n<p>Verify current certification tracks: https:\/\/cloud.google.com\/learn\/certification<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Build an \u201cIAM troubleshooting runbook\u201d 
with examples for Storage, BigQuery, Pub\/Sub.<\/li>\n<li>Create a weekly access review workflow:<ul>\n<li>identify top 20 sensitive resources<\/li>\n<li>analyze who has access<\/li>\n<li>open tickets for remediation<\/li>\n<\/ul>\n<\/li>\n<li>Implement a CI check that runs Policy Troubleshooter for required permissions for a deployment service account (rate-limited and scoped).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">22. Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>IAM (Identity and Access Management):<\/strong> Google Cloud system for controlling who can do what on which resources.<\/li>\n<li><strong>Principal:<\/strong> The identity requesting access (user, group, service account, domain, etc.).<\/li>\n<li><strong>Role:<\/strong> A named collection of permissions. Can be predefined, custom, or primitive.<\/li>\n<li><strong>Permission:<\/strong> A specific allowed action (for example, <code>storage.objects.get<\/code>).<\/li>\n<li><strong>IAM policy binding:<\/strong> A mapping of <code>role<\/code> \u2192 <code>members<\/code> (principals), optionally with a condition.<\/li>\n<li><strong>Inheritance:<\/strong> IAM policies apply down the resource hierarchy (org \u2192 folder \u2192 project \u2192 resource).<\/li>\n<li><strong>Full resource name:<\/strong> A canonical string format used by Google APIs to uniquely identify a resource.<\/li>\n<li><strong>Policy Analyzer:<\/strong> Policy Intelligence component for analyzing who has access to what (and where access comes from).<\/li>\n<li><strong>Policy Troubleshooter:<\/strong> Policy Intelligence component for evaluating whether a principal has a permission on a resource and explaining why.<\/li>\n<li><strong>Policy Simulator:<\/strong> Policy Intelligence component for testing IAM policy changes before applying them.<\/li>\n<li><strong>Cloud Asset Inventory:<\/strong> Service for inventorying and analyzing Google Cloud resources and IAM policies across 
scopes.<\/li>\n<li><strong>Cloud Audit Logs:<\/strong> Logs that record administrative actions (like IAM changes) and, depending on configuration, data access events.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">23. Summary<\/h2>\n\n\n\n<p>Policy Intelligence in <strong>Google Cloud Security<\/strong> helps you understand and control IAM access with less guesswork. It provides practical tooling\u2014most notably <strong>Policy Analyzer<\/strong> and <strong>Policy Troubleshooter<\/strong>\u2014to answer \u201cwho has access,\u201d \u201cwhy was access denied,\u201d and \u201cwhat happens if I change a policy\u201d (via simulation where available).<\/p>\n\n\n\n<p>It fits best as a <strong>governance and operations<\/strong> capability alongside Cloud IAM, Cloud Asset Inventory, and Cloud Audit Logs. Cost is usually driven less by Policy Intelligence itself and more by related services (exports, logging retention, BigQuery reporting) and by how frequently you automate checks.<\/p>\n\n\n\n<p>Use Policy Intelligence when you need reliable, hierarchy-aware IAM visibility and faster troubleshooting. 
Next step: deepen IAM fundamentals and practice permission-level troubleshooting across multiple Google Cloud services using the official documentation: https:\/\/cloud.google.com\/policy-intelligence\/docs<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[51,10],"tags":[],"class_list":["post-814","post","type-post","status-publish","format-standard","hentry","category-google-cloud","category-security"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/814","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=814"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/814\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=814"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=814"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=814"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}