Get the IAM policy for a data policy

Get the IAM policy for a specified data policy resource from the BigQuery Data Policy API. This is useful for auditing which members have which roles on the policy.

Code sample

Node.js

Before trying this sample, follow the Node.js setup instructions in the BigQuery quickstart using client libraries. For more information, see the BigQuery Node.js API reference documentation.

To authenticate to BigQuery, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

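// v2 client for the BigQuery Data Policy API, plus the gRPC status codes used
// below to recognise a NOT_FOUND response.
const {DataPolicyServiceClient} =
  require('@google-cloud/bigquery-datapolicies').v2;
const {status} = require('@grpc/grpc-js');

// The client is constructed without explicit credentials. This sample only
// reads an IAM policy, so the identity it runs as does not need permission to
// modify policies.
const client = new DataPolicyServiceClient();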
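/**
 * Get the IAM policy for a specified data policy resource from the BigQuery Data Policy API.
 * This is useful for auditing which members have which roles on the policy.
 *
 * On success the policy is printed as JSON. Failures are logged with
 * console.error and not rethrown, so the returned promise resolves either way;
 * a caller cannot tell a failed lookup from a successful one by the result.
 *
 * @param {string} projectId Google Cloud Project ID (For example, 'example-project-id')
 * @param {string} location Google Cloud Location (For example, 'us-central1')
 * @param {string} dataPolicyId The ID of the data policy (For example, 'example-data-policy-id')
 * @returns {Promise<void>} Resolves once the policy or an error has been logged.
 */
async function getIamPolicy(projectId, location, dataPolicyId) {
  const resourceName = client.dataPolicyPath(projectId, location, dataPolicyId);

  // NOTE(review): the request sets no `options.requestedPolicyVersion`. In IAM
  // generally, conditional role bindings are only returned in full when
  // version 3 is requested. Confirm whether data policies can carry conditions
  // before relying on this output for an access audit.
  const request = {
    resource: resourceName,
  };

  try {
    const [policy] = await client.getIamPolicy(request);
    console.log(
      'Successfully retrieved IAM policy for data policy %s:',
      resourceName,
    );
    // The JSON output includes every binding on the policy, so it contains
    // the identifiers of the bound members.
    console.log(JSON.stringify(policy, null, 2));
  } catch (err) {
    if (err.code === status.NOT_FOUND) {
      console.error(
        `Error: Data Policy '${dataPolicyId}' not found in location '${location}' of project '${projectId}'. ` +
          'Make sure the data policy exists and the resource name is correct.',
      );
    } else {
      // Every other failure ends up here and is logged, not rethrown.
      console.error(
        `Error getting IAM policy for data policy '${dataPolicyId}':`,
        err,
      );
    }
  }
}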
 

Python

Before trying this sample, follow the Python setup instructions in the BigQuery quickstart using client libraries. For more information, see the BigQuery Python API reference documentation.

To authenticate to BigQuery, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

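from google.api_core import exceptions
from google.cloud import bigquery_datapolicies_v2
from google.iam.v1 import iam_policy_pb2

# The client is constructed without explicit credentials. This sample only
# reads an IAM policy, so the identity it runs as does not need permission to
# modify policies.
client = bigquery_datapolicies_v2.DataPolicyServiceClient()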
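def get_data_policy_iam_policy(
    project_id: str,
    location: str,
    data_policy_id: str,
) -> None:
    """Get the IAM policy for a specified data policy resource from the BigQuery Data Policy API.

    This is useful for auditing which members have which roles on the policy.

    The policy version and each binding (role, members and, when present, the
    condition expression) are printed. Every exception is caught and reported
    with print, so the function returns None on failure as well as on success;
    a caller cannot tell a failed lookup from a successful one by the result.

    Args:
        project_id: The Google Cloud project ID.
        location: The geographic location of the data policy (for example, "us").
        data_policy_id: The ID of the data policy.
    """
    resource_name = client.data_policy_path(
        project=project_id,
        location=location,
        data_policy=data_policy_id,
    )

    # NOTE(review): the request sets no requested policy version. In IAM
    # generally, conditional role bindings are only returned in full when
    # version 3 is requested. Confirm whether data policies can carry
    # conditions before relying on the "Condition" output for an access audit.
    request = iam_policy_pb2.GetIamPolicyRequest(resource=resource_name)

    try:
        policy = client.get_iam_policy(request=request)

        print(f"Successfully retrieved IAM policy for data policy: {resource_name}")
        print("Policy Version:", policy.version)
        if policy.bindings:
            print("Policy Bindings:")
            for binding in policy.bindings:
                print(f"  Role: {binding.role}")
                # The member list identifies every principal bound to the role.
                print(f"  Members: {', '.join(binding.members)}")
                if binding.condition.expression:
                    print(f"  Condition: {binding.condition.expression}")
        else:
            print("No bindings found in the policy.")
    except exceptions.NotFound:
        print(f"Error: Data policy '{resource_name}' not found.")
        print("Make sure the project ID, location, and data policy ID are correct.")
    except exceptions.GoogleAPIError as e:
        # Other API failures are reported here and not re-raised.
        print(f"An API error occurred: {e}")
    except Exception as e:
        # Broad catch-all: any other failure is printed and then dropped.
        print(f"An unexpected error occurred: {e}")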
 

What's next

To search and filter code samples for other Google Cloud products, see the Google Cloud sample browser.
