Resource: AccessPolicy
An IAM access policy resource.
| JSON representation |
|---|
{
"name"
:
string
,
"uid"
:
string
,
"etag"
:
string
,
"displayName"
:
string
,
"annotations"
:
{
string
:
string
,
...
}
,
"createTime"
:
string
,
"updateTime"
:
string
,
"details"
:
{
object (
|
name
string
Identifier. The resource name of the access policy.
The following formats are supported:
-
projects/{projectId}/locations/{location}/accessPolicies/{policyId} -
projects/{projectNumber}/locations/{location}/accessPolicies/{policyId} -
folders/{folderId}/locations/{location}/accessPolicies/{policyId} -
organizations/{organizationId}/locations/{location}/accessPolicies/{policyId}
uid
string
Output only. The globally unique ID of the access policy.
etag
string
Optional. The etag for the access policy. If this is provided on update, it must match the server's etag.
displayName
string
Optional. The description of the access policy. Must be less than or equal to 63 characters.
annotations
map (key: string, value: string)
Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations
An object containing a list of "key": value
pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }
.
createTime
string (
Timestamp
format)
Output only. The time when the access policy was created.
Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z"
, "2014-10-02T15:01:23.045123456Z"
or "2014-10-02T15:01:23+05:30"
.
updateTime
string (
Timestamp
format)
Output only. The time when the access policy was most recently updated.
Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z"
, "2014-10-02T15:01:23.045123456Z"
or "2014-10-02T15:01:23+05:30"
.
details
object (
AccessPolicyDetails
)
Optional. The details for the access policy.
AccessPolicyDetails
Access policy details.
| JSON representation |
|---|
{
"rules"
:
[
{
object (
|
| Fields | |
|---|---|
rules[]
|
Required. A list of access policy rules. |
AccessPolicyRule
Access Policy Rule that determines the behavior of the policy.
| JSON representation |
|---|
{ "principals" : [ string ] , "excludedPrincipals" : [ string ] , "operation" : { object ( |
principals[]
string
Required. The identities for which this rule's effect governs using one or more permissions on Google Cloud resources. This field can contain the following values:
-
principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example,principal://goog/subject/alice@example.com. -
principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example,principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com. -
principalSet://goog/group/{groupId}: A Google group. For example,principalSet://goog/group/admins@example.com. -
principalSet://goog/cloudIdentityCustomerId/{customerId}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example,principalSet://goog/cloudIdentityCustomerId/C01Abc35.
If an identifier that was previously set on a policy is soft deleted, then calls to read that policy will return the identifier with a deleted prefix. Users cannot set identifiers with this syntax.
-
deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example,deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account. -
deleted:principalSet://goog/group/{groupId}?uid={uid}: A Google group that was deleted recently. For example,deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group. -
deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example,deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
excludedPrincipals[]
string
Optional. The identities that are excluded from the access policy rule, even if they are listed in the principals
. For example, you could add a Google group to the principals
, then exclude specific users who belong to that group.
operation
object (
Operation
)
Required. Attributes that are used to determine whether this rule applies to a request.
conditions
map (key: string, value: object (
Expr
))
Optional. The conditions that determine whether this rule applies to a request. Conditions are identified by their key, which is the FQDN of the service that they are relevant to. For example:
"conditions": {
"iam.googleapis.com": <cel expression>
}
Each rule is evaluated independently. If this rule does not apply to a request, other rules might still apply. Currently supported keys are as follows:
-
eventarc.googleapis.com: Can useCELfunctions that evaluate resource fields. -
iam.googleapis.com: Can useCELfunctions that evaluate resource tags and combine them using boolean and logical operators. Other functions and operators are not supported.
An object containing a list of "key": value
pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }
.
description
string
Optional. Customer specified description of the rule. Must be less than or equal to 256 characters.
effect
enum (
Effect
)
Required. The effect of the rule.
Effect
An effect to describe the access relationship.
| Enums | |
|---|---|
EFFECT_UNSPECIFIED
|
The effect is unspecified. |
DENY
|
The policy will deny access if it evaluates to true. |
ALLOW
|
The policy will grant access if it evaluates to true. |
Operation
Attributes that are used to determine whether this rule applies to a request.
| JSON representation |
|---|
{ "permissions" : [ string ] , "excludedPermissions" : [ string ] } |
Methods |
|
|---|---|
|
Creates an access policy, and returns a long running operation. |
|
Deletes an access policy. |
|
Gets an access policy. |
|
Lists access policies. |
|
Updates an access policy. |
|
Returns all policy bindings that bind a specific policy if a user has searchPolicyBindings permission on that policy. |
