Creates an access policy. This method fails if the organization already has an access policy. The long-running operation has a successful status after the access policy propagates to long-lasting storage. Syntactic and basic semantic errors are returned in metadata as a BadRequest proto.
HTTP request
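POST https://accesscontextmanager.googleapis.com/v1alpha/accessPolicies
The URL uses gRPC Transcoding (https://google.aip.dev/127) syntax.
Request body
The request body contains data with the following structure:
name
string
Identifier. Resource name of the AccessPolicy. Format: accessPolicies/{access_policy}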
parent
string
Immutable. The parent of this AccessPolicy in the Cloud Resource Hierarchy. Format: organizations/{organizationId}
title
string
Required. Human readable title. Does not affect behavior.
scopes[]
string
The scopes of the AccessPolicy. Scopes define which resources a policy can restrict and where its resources can be referenced. For example, policy A with scopes=["folders/123"] has the following behavior:
ServicePerimeter within policy A can only reference access levels defined within policy A.
Only one policy can include a given scope; thus, attempting to create a second policy which includes folders/123 will result in an error.
If no scopes are provided, then any resource within the organization can be restricted. Scopes cannot be modified after a policy is created. Policies can only have a single scope. Format: list of folders/{folder_number} or projects/{projectNumber}
etag
string
Output only. An opaque identifier for the current version of the AccessPolicy. This will always be a strongly validated etag, meaning that two Access Policies will be identical if and only if their etags are identical. Clients should not expect this to be in any specific format.
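Because scopes cannot be modified after creation and a policy can only have a single scope, it is worth checking the request body against the field rules above before calling the method. The following is an added example, not code from the API documentation: the function names are hypothetical, the numeric-ID patterns are an assumption, and leaving out name (as well as the output-only etag) is a choice of this example. The request is built but not sent.

```python
import json
import re
import urllib.request

# Endpoint as given on this page.
CREATE_URL = "https://accesscontextmanager.googleapis.com/v1alpha/accessPolicies"

# Assumption: organization IDs and folder/project numbers are decimal digits.
PARENT_RE = re.compile(r"organizations/\d+")
SCOPE_RE = re.compile(r"(folders|projects)/\d+")


def build_policy_body(parent, title, scopes=()):
    """Return the request body dict, or raise ValueError naming every violation."""
    errors = []
    if not isinstance(parent, str) or not PARENT_RE.fullmatch(parent):
        errors.append("parent must look like organizations/{organizationId}")
    if not isinstance(title, str) or not title.strip():
        errors.append("title is required")
    scopes = list(scopes)
    if len(scopes) > 1:
        errors.append("a policy can only have a single scope")
    for scope in scopes:
        if not isinstance(scope, str) or not SCOPE_RE.fullmatch(scope):
            errors.append(f"bad scope {scope!r}: expected folders/{{folder_number}} "
                          "or projects/{projectNumber}")
    if errors:
        raise ValueError("; ".join(errors))
    # etag is output only, so it is never sent; name is left out as well.
    body = {"parent": parent, "title": title}
    if scopes:
        # Immutable after creation: omitting scopes means the whole
        # organization can be restricted by this policy.
        body["scopes"] = scopes
    return body


def build_create_request(body, access_token):
    """Build (without sending) the POST request for accessPolicies.create."""
    return urllib.request.Request(
        CREATE_URL,
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
```

Pass the returned request to urllib.request.urlopen with a real OAuth access token to submit it; the response is the long-running Operation described under Response body.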
Response body
If successful, the response body contains a newly created instance of Operation.
Authorization scopes
Requires the following OAuth scope:
https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview (/docs/authentication#authorization-gcp).
Last updated 2025-07-17 UTC.