Create a scoped access policy

Console

1. In the Google Cloud console navigation menu, click Security, and then click VPC Service Controls.

   Go to VPC Service Controls

2. If you are prompted, select your organization, folder, or project.

3. On the VPC Service Controlspage, select the access policy that is the parent of the scoped policy. For example, you can select the default policy organization policy.

4. Click Manage policies.

5. On the Manage VPC Service Controlspage, click Create.

6. On the Create access policypage, in the Access policy namebox, type a name for the scoped access policy.

   The scoped access policy name can have a maximum length of 50 characters, must start with a letter, and can contain only ASCII Latin letters (a-z, A-Z), numbers (0-9), or underscores ( _ ). The scoped access policy name is case sensitive and must be unique within an organization's access policy.

7. To specify a scope for the access policy, click Scopes.

8. Specify either a project or a folder as the scope of the access policy.

   • To select a project that you want to add to the scope of the access policy, do the following:

     1. In the Scopespane, click Add project.

     2. In the Add projectdialog, select that project's checkbox.

     3. Click Done. The added project appears in the Scopessection.

   • To select a folder that you want to add to the scope of the access policy, do the following:

     1. In the Scopespane, click Add folder.

     2. In the Add foldersdialog, select that folder's checkbox.

     3. Click Done. The added folder appears in the Scopessection.

9. To delegate administration of the scoped access policy, click Principals.

10. To specify the principal and the role that you want to bind to the access policy, do the following:

    1. In the Principalspane, click Add principals.

    2. In the Add principalsdialog, select a principal, such as a user name or service account.

    3. Select the role that you want to associate with the principal, such as editor and read roles.

    4. Click Save. The added principal and role appear in the Principalssection.

11. On the Create access policypage, click Create access policy.

gcloud

To create a scoped access policy, use the gcloud access-context-manager policies create command.

gcloud  
access-context-manager  
policies  
create  
 \ 
--organization  
 ORGANIZATION_ID 
  
 [ 
--scopes = 
 SCOPE 
 ] 
  
--title  
 POLICY_TITLE 

Where:

• ORGANIZATION_ID is the numeric ID of your organization.

• POLICY_TITLE is a human-readable title for your policy. The policy title can have a maximum length of 50 characters, must start with a letter, and can contain only ASCII Latin letters (a-z, A-Z), numbers (0-9), or underscores ( _ ). The policy title is case sensitive and must be unique within an organization's access policy.

• SCOPE is the folder or project on which this policy is applicable. You can specify only one folder or project as the scope, and the scope must exist within the specified organization. If you don't specify a scope, the policy applies to the entire organization.

The following output appears (where POLICY_NAME is a unique numeric identifier for the policy assigned by Google Cloud):

Create request issued
Waiting for operation [accessPolicies/ POLICY_NAME 
/create/1521580097614100] to complete...done.
Created.

To delegate administration by binding a principal and role with a scoped access policy, use the add-iam-policy-binding command.

gcloud  
access-context-manager  
policies  
add-iam-policy-binding  
 \ 
 [ 
POLICY ] 
  
--member = 
 PRINCIPAL 
  
--role = 
 ROLE 

Where:

• POLICY is ID of the policy or fully qualified identifier for the policy.

• PRINCIPAL is the principal to add the binding for. Specify in the following format: user|group|serviceAccount:email or domain:domain .

• ROLE is the role name to assign to the principal. The role name is the complete path of a predefined role, such as roles/accesscontextmanager.policyEditor , or the role ID for a custom role, such as organizations/{ORGANIZATION_ID}/roles/accesscontextmanager.policyEditor .

API

To create a scoped access policy, do the following:

1. Create a request body.

    { 
     
    "parent" 
    : 
     
    " ORGANIZATION_ID 
   " 
    , 
     
    "scope" 
    : 
     
    " SCOPE 
   " 
     
    "title" 
    : 
     
    " POLICY_TITLE 
   " 
    } 
   

   Where:

   • ORGANIZATION_ID is the numeric ID of your organization.

   • SCOPE is the folder or project on which this policy is applicable.

   • POLICY_TITLE is a human-readable title for your policy. The policy title can have a maximum length of 50 characters, must start with a letter, and can contain only ASCII Latin letters (a-z, A-Z), numbers (0-9), or underscores ( _ ). The policy title is case sensitive and must be unique within an organization's access policy.

2. Create the access policy by calling accessPolicies.create .

   POST https://accesscontextmanager.googleapis.com/v1/accessPolicies

Response body

If successful, the response body for the call contains an Operation resource that provides details about the POST operation.

To delegate administration of the scoped access policy, do the following:

1. Create a request body.

    { 
     
    "policy" 
    : 
     
    " IAM_POLICY 
   " 
    , 
    } 
   

   Where:

   • IAM_POLICY is a collection of bindings. A binding binds one or more members, or principals, to a single role. Principals can be user accounts, service accounts, Google groups, and domains. A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role.

2. Delegate the access policy by calling accessPolicies.setIamPolicy .

   POST https://accesscontextmanager.googleapis.com/v1/accessPolicies

Response body

If successful, the response body contains an instance of policy .