For Agents
Query Cloud IAM activity data under an organisation, folder, or project to find unused permissions and service-account keys.
Get started with Policy Analyzer API in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}
# Then ask your agent:
"find unused Google Cloud IAM permissions"
# → Jentic returns the activities.query tool with its parameter schema, and the agent executes it.

What an agent can do with Policy Analyzer API.
Query historical IAM activity under an organisation, folder, or project parent
Identify Cloud IAM permissions granted but never used during the lookback window
Detect service-account keys that have not been used to authenticate recently
Filter activity queries by activity type and time range
Use for: Find unused IAM permissions in our Google Cloud project, List service-account keys that have not been used in 90 days, Query activity data to identify dormant Cloud IAM bindings, Detect stale role grants in a Google Cloud organisation
Not supported: Does not modify IAM policies, simulate policy changes, or troubleshoot single access denials — use only to query historical IAM activity records.
The Google Cloud Policy Analyzer API surfaces activity data that helps organisations understand and right-size their Cloud IAM policies. The single endpoint runs an activities query under a parent organisation, folder, or project, returning records about how IAM permissions and service-account keys have actually been used over a configurable lookback window. Security and compliance teams use that activity data to find unused permissions, dormant service accounts, and over-broad role grants worth removing.
Feed least-privilege recommendations into IAM right-sizing workflows
Patterns agents use Policy Analyzer API for, with concrete tasks.
★ Least-Privilege IAM Right-Sizing
Cloud security teams query the Policy Analyzer activities endpoint at the organisation level to discover IAM permissions granted to identities but never exercised. The response feeds a quarterly review process that strips unused permissions from custom roles and bindings, shrinking the blast radius of compromised credentials. A typical organisation-wide query covering a 90-day lookback returns within minutes for medium-sized estates.
POST /v1/{parent=organizations/*/locations/*/activityTypes/*}/activities:query with parent set to the org-level resource and capture every activity with empty usage signals to flag for removal.
Dormant Service-Account Key Detection
Compliance programmes need to retire long-lived service-account keys that no longer authenticate any traffic. The activities query returns records keyed to service-account key activity, letting tools list keys with no recent use across a project or organisation. The output is fed into a key-rotation workflow that disables and then deletes dormant keys.
POST /v1/{parent=projects/*/locations/*/activityTypes/serviceAccountKeyLastAuthentication}/activities:query and disable any key whose lastAuthenticatedTime is older than 90 days.
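The filtering step described above, as an added example that is not Jentic's or Google's code: it takes an activities:query response and returns the service-account keys whose lastAuthenticatedTime (the field named on this page) is older than the 90-day threshold, and also flags keys that carry no lastAuthenticatedTime at all, since a key with no authentication in the observation window is dormant too. The response shape (an "activities" list whose entries carry "fullResourceName", "activityType" and an "activity" object) and the sample records are assumptions constructed for the example.

```python
"""Flag dormant service-account keys from Policy Analyzer activity records.

Added example, not code from Jentic or Google. The response layout below is an
assumption: an "activities" list of records with "fullResourceName",
"activityType" and an "activity" object holding "lastAuthenticatedTime"
(RFC 3339). The sample records are constructed.
"""
from datetime import datetime, timedelta, timezone

DORMANT_AFTER_DAYS = 90

# Fixed audit time so the result is reproducible; a real run would use now().
AUDIT_TIME = datetime(2024, 9, 1, tzinfo=timezone.utc)

# Constructed sample response, shaped like an activities:query result.
SAMPLE_RESPONSE = {
    "activities": [
        {   # used 123 days before AUDIT_TIME -> dormant
            "fullResourceName": "//iam.googleapis.com/projects/example-proj/"
                                "serviceAccounts/ci@example-proj.iam.gserviceaccount.com/keys/aaaa1111",
            "activityType": "serviceAccountKeyLastAuthentication",
            "activity": {"lastAuthenticatedTime": "2024-05-01T00:00:00Z"},
        },
        {   # used 12 days before AUDIT_TIME -> still active
            "fullResourceName": "//iam.googleapis.com/projects/example-proj/"
                                "serviceAccounts/deploy@example-proj.iam.gserviceaccount.com/keys/bbbb2222",
            "activityType": "serviceAccountKeyLastAuthentication",
            "activity": {"lastAuthenticatedTime": "2024-08-20T09:30:00Z"},
        },
        {   # no authentication recorded at all -> dormant
            "fullResourceName": "//iam.googleapis.com/projects/example-proj/"
                                "serviceAccounts/legacy@example-proj.iam.gserviceaccount.com/keys/cccc3333",
            "activityType": "serviceAccountKeyLastAuthentication",
            "activity": {},
        },
        {   # a different activity type, returned by a wildcard query; ignored here
            "fullResourceName": "//iam.googleapis.com/projects/example-proj/"
                                "serviceAccounts/ci@example-proj.iam.gserviceaccount.com",
            "activityType": "serviceAccountLastAuthentication",
            "activity": {"lastAuthenticatedTime": "2024-08-31T00:00:00Z"},
        },
    ]
}


def parse_rfc3339(ts: str) -> datetime:
    """Parse an RFC 3339 timestamp; fromisoformat accepts 'Z' only from 3.11."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    return datetime.fromisoformat(ts)


def find_dormant_keys(response: dict, now: datetime, dormant_after_days: int = DORMANT_AFTER_DAYS):
    """Return (key_name, age_in_days_or_None, reason) for each dormant key."""
    cutoff = now - timedelta(days=dormant_after_days)
    dormant = []
    for record in response.get("activities", []):
        if record.get("activityType") != "serviceAccountKeyLastAuthentication":
            continue  # only key-level records carry key usage signals
        key_name = record["fullResourceName"]
        last_auth = record.get("activity", {}).get("lastAuthenticatedTime")
        if last_auth is None:
            # No authentication observed in the window: treat as dormant.
            dormant.append((key_name, None, "no authentication recorded"))
            continue
        last_dt = parse_rfc3339(last_auth)
        if last_dt < cutoff:
            age = (now - last_dt).days
            dormant.append((key_name, age, f"last used {age} days ago"))
    return dormant


if __name__ == "__main__":
    for name, age, reason in find_dormant_keys(SAMPLE_RESPONSE, AUDIT_TIME):
        print(f"{reason}: {name}")
```

The function returns the candidate list rather than acting on it, so the disable-then-delete step can sit behind a review gate in the key-rotation workflow; keys with no recorded authentication are reported separately (age None) because they deserve a check that the record is not simply outside the observation period.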
Quarterly Compliance Audit Pack
Compliance teams build an evidence pack each quarter showing what IAM activity has occurred under each business-unit folder. The Policy Analyzer query produces the raw activity records, which a downstream report formats per ISO 27001 or SOC 2 control objective. The whole process runs unattended on a schedule and the pack is filed for audit review.
POST /v1/{parent=folders/*/locations/*/activityTypes/*}/activities:query for each business-unit folder over the last 90 days and export the JSON results into the compliance evidence bucket.
AI Agent IAM Reviews via Jentic
Security automation agents that close the loop between activity data and IAM remediation can call the Policy Analyzer through Jentic without managing OAuth scopes by hand. Jentic stores the audit principal's credentials in its vault and exposes the activities.query operation as a single search-load-execute call, turning a multi-day reporting pipeline into a same-day automation.
Search Jentic for 'find unused Google Cloud IAM permissions', load the activities.query schema, and execute it with the parent resource and a 90-day window.
1 endpoint: the Google Cloud Policy Analyzer API surfaces activity data that helps organisations understand and right-size their Cloud IAM policies.
METHOD  PATH                            DESCRIPTION
POST    /v1/{parent}/activities:query   Query IAM activity records under an organisation, folder, or project
Three things that make agents converge on Jentic-routed access.
Credential isolation
Google Cloud service-account credentials are stored encrypted in the Jentic vault. Agents receive scoped, short-lived access tokens at call time so the service account JSON never enters agent context.
Intent-based discovery
Agents search Jentic with intents like 'find unused IAM permissions' and receive the activities.query operation with its full input schema, eliminating manual hunts for activity-type names.
Time to first call
Direct integration: 2-3 days for service-account audit roles, parent-resource pathing, and pagination. Through Jentic: under 1 hour.
Alternatives and complements available in the Jentic catalogue.
Google Cloud Policy Simulator API
Replay past access against a proposed IAM change to predict its effect
Choose Policy Simulator after Policy Analyzer has identified candidate permissions to remove, to check no production access breaks.
Google Cloud Policy Troubleshooter API
Explain why a specific principal got or was denied a specific permission
Choose Policy Troubleshooter to investigate a single denied request; use Policy Analyzer for bulk activity reviews.
Google Cloud IAM API
Apply role and binding changes Policy Analyzer recommends
Choose IAM to actually remove or modify bindings flagged by Policy Analyzer queries.
Specific to using Policy Analyzer API through Jentic.
What authentication does the Policy Analyzer API use?
It uses OAuth 2.0 with the https://www.googleapis.com/auth/cloud-platform scope and is typically invoked with a service account that has org- or folder-level audit permissions. Through Jentic the credential is held encrypted in the Jentic vault and a scoped access token is injected at call time.
Can I find unused IAM permissions with this API?
Yes. POST /v1/{parent}/activities:query returns activity records under an org, folder, or project for activity types such as serviceAccountLastAuthentication and serviceAccountKeyLastAuthentication, which downstream tooling uses to flag bindings or keys that have not been used in the lookback window.
What are the rate limits for the Policy Analyzer API?
The API enforces standard Google Cloud project quotas measured in queries per minute. Org-wide queries are heavier than project-scoped queries, so audit pipelines should batch by folder or project and back off on 429 responses rather than hammering org scope from a single thread.
How do I run a least-privilege audit through Jentic?
Run jentic search 'find unused Google Cloud IAM permissions', load the schema for POST /v1/{parent}/activities:query, and execute it with the parent resource (organizations/.../locations/global/activityTypes/...) and an optional time-range filter. Jentic handles OAuth and pagination.
Is the Policy Analyzer API free?
There is no per-call charge for the Policy Analyzer activities query itself. Standard Google Cloud project quotas apply, and some advanced policy intelligence features in adjacent products may require Security Command Center Premium.
Can I scope queries to a single project rather than the whole organisation?
Yes. The {parent} path parameter accepts organizations/{org}/locations/{loc}, folders/{folder}/locations/{loc}, or projects/{project}/locations/{loc}, so a project-scoped query returns only activity recorded under that project.