Class Policy (1.52.0)

public final class Policy extends GeneratedMessageV3 implements PolicyOrBuilder

An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources.

A Policy is a collection of bindings. A binding binds one or more members, or principals, to a single role. Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role.

For some types of Google Cloud resources, a binding can also specify a condition, which is a logical expression that allows access to a resource only if the expression evaluates to true. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the IAM documentation.

JSON example:

```
{
  "bindings": [
    {
      "role": "roles/resourcemanager.organizationAdmin",
      "members": [
        "user:mike@example.com",
        "group:admins@example.com",
        "domain:google.com",
        "serviceAccount:my-project-id@appspot.gserviceaccount.com"
      ]
    },
    {
      "role": "roles/resourcemanager.organizationViewer",
      "members": [
        "user:eve@example.com"
      ],
      "condition": {
        "title": "expirable access",
        "description": "Does not grant access after Sep 2020",
        "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')"
      }
    }
  ],
  "etag": "BwWWja0YfJA=",
  "version": 3
}
```

YAML example:

```
bindings:
- members:
  - user:mike@example.com
  - group:admins@example.com
  - domain:google.com
  - serviceAccount:my-project-id@appspot.gserviceaccount.com
  role: roles/resourcemanager.organizationAdmin
- members:
  - user:eve@example.com
  role: roles/resourcemanager.organizationViewer
  condition:
    title: expirable access
    description: Does not grant access after Sep 2020
    expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
etag: BwWWja0YfJA=
version: 3
```

For a description of IAM and its features, see the IAM documentation.

Protobuf type google.iam.v1.Policy

Implements

PolicyOrBuilder

Static Fields

AUDIT_CONFIGS_FIELD_NUMBER

public static final int AUDIT_CONFIGS_FIELD_NUMBER

Field Value
Type
Description
int

BINDINGS_FIELD_NUMBER

public static final int BINDINGS_FIELD_NUMBER

Field Value
Type
Description
int

ETAG_FIELD_NUMBER

public static final int ETAG_FIELD_NUMBER

Field Value
Type
Description
int

VERSION_FIELD_NUMBER

public static final int VERSION_FIELD_NUMBER

Field Value
Type
Description
int

Static Methods

getDefaultInstance()

public static Policy getDefaultInstance()

Returns
Type
Description

getDescriptor()

public static final Descriptors.Descriptor getDescriptor()

Returns
Type
Description

newBuilder()

public static Policy.Builder newBuilder()

Returns
Type
Description

newBuilder(Policy prototype)

public static Policy.Builder newBuilder(Policy prototype)

Parameter
Name
Description
prototype
Returns
Type
Description

parseDelimitedFrom(InputStream input)

public static Policy parseDelimitedFrom(InputStream input)

Parameter
Name
Description
input
Returns
Type
Description
Exceptions
Type
Description

parseDelimitedFrom(InputStream input, ExtensionRegistryLite extensionRegistry)

public static Policy parseDelimitedFrom(InputStream input, ExtensionRegistryLite extensionRegistry)

Parameters
Name
Description
input
extensionRegistry
Returns
Type
Description
Exceptions
Type
Description

parseFrom(byte[] data)

public static Policy parseFrom(byte[] data)

Parameter
Name
Description
data
byte[]
Returns
Type
Description
Exceptions
Type
Description

parseFrom(byte[] data, ExtensionRegistryLite extensionRegistry)

public static Policy parseFrom(byte[] data, ExtensionRegistryLite extensionRegistry)

Parameters
Name
Description
data
byte[]
extensionRegistry
Returns
Type
Description
Exceptions
Type
Description

parseFrom(ByteString data)

public static Policy parseFrom(ByteString data)

Parameter
Name
Description
data
Returns
Type
Description
Exceptions
Type
Description

parseFrom(ByteString data, ExtensionRegistryLite extensionRegistry)

public static Policy parseFrom(ByteString data, ExtensionRegistryLite extensionRegistry)

Parameters
Name
Description
data
extensionRegistry
Returns
Type
Description
Exceptions
Type
Description

parseFrom(CodedInputStream input)

public static Policy parseFrom(CodedInputStream input)

Parameter
Name
Description
Returns
Type
Description
Exceptions
Type
Description

parseFrom(CodedInputStream input, ExtensionRegistryLite extensionRegistry)

public static Policy parseFrom(CodedInputStream input, ExtensionRegistryLite extensionRegistry)

Parameters
Name
Description
extensionRegistry
Returns
Type
Description
Exceptions
Type
Description

parseFrom(InputStream input)

public static Policy parseFrom(InputStream input)

Parameter
Name
Description
input
Returns
Type
Description
Exceptions
Type
Description

parseFrom(InputStream input, ExtensionRegistryLite extensionRegistry)

public static Policy parseFrom(InputStream input, ExtensionRegistryLite extensionRegistry)

Parameters
Name
Description
input
extensionRegistry
Returns
Type
Description
Exceptions
Type
Description

parseFrom(ByteBuffer data)

public static Policy parseFrom(ByteBuffer data)

Parameter
Name
Description
data
Returns
Type
Description
Exceptions
Type
Description

parseFrom(ByteBuffer data, ExtensionRegistryLite extensionRegistry)

public static Policy parseFrom(ByteBuffer data, ExtensionRegistryLite extensionRegistry)

Parameters
Name
Description
data
extensionRegistry
Returns
Type
Description
Exceptions
Type
Description

parser()

public static Parser<Policy> parser()

Returns
Type
Description

Methods

equals(Object obj)

public boolean equals(Object obj)

Parameter
Name
Description
obj
Returns
Type
Description
Overrides

getAuditConfigs(int index)

public AuditConfig getAuditConfigs(int index)

Specifies cloud audit logging configuration for this policy.

repeated .google.iam.v1.AuditConfig audit_configs = 6;

Parameter
Name
Description
index
int
Returns
Type
Description

getAuditConfigsCount()

public int getAuditConfigsCount()

Specifies cloud audit logging configuration for this policy.

repeated .google.iam.v1.AuditConfig audit_configs = 6;

Returns
Type
Description
int

getAuditConfigsList()

public List<AuditConfig> getAuditConfigsList()

Specifies cloud audit logging configuration for this policy.

repeated .google.iam.v1.AuditConfig audit_configs = 6;

Returns
Type
Description

getAuditConfigsOrBuilder(int index)

public AuditConfigOrBuilder getAuditConfigsOrBuilder(int index)

Specifies cloud audit logging configuration for this policy.

repeated .google.iam.v1.AuditConfig audit_configs = 6;

Parameter
Name
Description
index
int
Returns
Type
Description

getAuditConfigsOrBuilderList()

public List<? extends AuditConfigOrBuilder> getAuditConfigsOrBuilderList()

Specifies cloud audit logging configuration for this policy.

repeated .google.iam.v1.AuditConfig audit_configs = 6;

Returns
Type
Description
List<? extends com.google.iam.v1.AuditConfigOrBuilder>

getBindings(int index)

public Binding getBindings(int index)

Associates a list of members, or principals, with a role. Optionally, may specify a condition that determines how and when the bindings are applied. Each of the bindings must contain at least one principal.

The bindings in a Policy can refer to up to 1,500 principals; up to 250 of these principals can be Google groups. Each occurrence of a principal counts towards these limits. For example, if the bindings grant 50 different roles to user:alice@example.com, and not to any other principal, then you can add another 1,450 principals to the bindings in the Policy.

repeated .google.iam.v1.Binding bindings = 4;

Parameter
Name
Description
index
int
Returns
Type
Description

getBindingsCount()

public int getBindingsCount()

Associates a list of members, or principals, with a role. Optionally, may specify a condition that determines how and when the bindings are applied. Each of the bindings must contain at least one principal.

The bindings in a Policy can refer to up to 1,500 principals; up to 250 of these principals can be Google groups. Each occurrence of a principal counts towards these limits. For example, if the bindings grant 50 different roles to user:alice@example.com, and not to any other principal, then you can add another 1,450 principals to the bindings in the Policy.

repeated .google.iam.v1.Binding bindings = 4;

Returns
Type
Description
int

getBindingsList()

public List<Binding> getBindingsList()

Associates a list of members, or principals, with a role. Optionally, may specify a condition that determines how and when the bindings are applied. Each of the bindings must contain at least one principal.

The bindings in a Policy can refer to up to 1,500 principals; up to 250 of these principals can be Google groups. Each occurrence of a principal counts towards these limits. For example, if the bindings grant 50 different roles to user:alice@example.com, and not to any other principal, then you can add another 1,450 principals to the bindings in the Policy.

repeated .google.iam.v1.Binding bindings = 4;

Returns
Type
Description

getBindingsOrBuilder(int index)

public BindingOrBuilder getBindingsOrBuilder(int index)

Associates a list of members, or principals, with a role. Optionally, may specify a condition that determines how and when the bindings are applied. Each of the bindings must contain at least one principal.

The bindings in a Policy can refer to up to 1,500 principals; up to 250 of these principals can be Google groups. Each occurrence of a principal counts towards these limits. For example, if the bindings grant 50 different roles to user:alice@example.com, and not to any other principal, then you can add another 1,450 principals to the bindings in the Policy.

repeated .google.iam.v1.Binding bindings = 4;

Parameter
Name
Description
index
int
Returns
Type
Description

getBindingsOrBuilderList()

public List<? extends BindingOrBuilder> getBindingsOrBuilderList()

Associates a list of members, or principals, with a role. Optionally, may specify a condition that determines how and when the bindings are applied. Each of the bindings must contain at least one principal.

The bindings in a Policy can refer to up to 1,500 principals; up to 250 of these principals can be Google groups. Each occurrence of a principal counts towards these limits. For example, if the bindings grant 50 different roles to user:alice@example.com, and not to any other principal, then you can add another 1,450 principals to the bindings in the Policy.

repeated .google.iam.v1.Binding bindings = 4;

Returns
Type
Description
List<? extends com.google.iam.v1.BindingOrBuilder>

getDefaultInstanceForType()

public Policy getDefaultInstanceForType()

Returns
Type
Description

getEtag()

public ByteString getEtag()

etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the etag in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An etag is returned in the response to getIamPolicy, and systems are expected to put that etag in the request to setIamPolicy to ensure that their change will be applied to the same version of the policy.

Important: If you use IAM Conditions, you must include the etag field whenever you call setIamPolicy. If you omit this field, then IAM allows you to overwrite a version 3 policy with a version 1 policy, and all of the conditions in the version 3 policy are lost.

bytes etag = 3;

Returns
Type
Description

The etag.

getParserForType()

public Parser<Policy> getParserForType()

Returns
Type
Description
Overrides

getSerializedSize()

public int getSerializedSize()

Returns
Type
Description
int
Overrides

getVersion()

public int getVersion()

Specifies the format of the policy.

Valid values are 0, 1, and 3. Requests that specify an invalid value are rejected.

Any operation that affects conditional role bindings must specify version 3. This requirement applies to the following operations:

  • Getting a policy that includes a conditional role binding
  • Adding a conditional role binding to a policy
  • Changing a conditional role binding in a policy
  • Removing any role binding, with or without a condition, from a policy that includes conditions

Important: If you use IAM Conditions, you must include the etag field whenever you call setIamPolicy. If you omit this field, then IAM allows you to overwrite a version 3 policy with a version 1 policy, and all of the conditions in the version 3 policy are lost.

If a policy does not include any conditions, operations on that policy may specify any valid version or leave the field unset.

To learn which resources support conditions in their IAM policies, see the IAM documentation.

int32 version = 1;

Returns
Type
Description
int

The version.
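
A pre-flight check for the rules this page states for etag, version and the binding limits, as an added example that is not part of the generated reference or of Google's client code. The class `PolicyPreflight` and its `violations` method are hypothetical names; only the `Policy`, `Binding` and `Expr` accessors come from the library.

```java
import com.google.iam.v1.Binding;
import com.google.iam.v1.Policy;
import com.google.type.Expr;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical helper (not part of the library): checks a Policy before setIamPolicy. */
public final class PolicyPreflight {
  static final int MAX_PRINCIPALS = 1500; // limit stated in the bindings description
  static final int MAX_GROUPS = 250;      // share of that limit allowed for Google groups

  /** Returns the problems found; an empty list means every check passed. */
  public static List<String> violations(Policy policy) {
    List<String> problems = new ArrayList<>();
    int principals = 0, groups = 0;
    boolean conditional = false;
    for (Binding b : policy.getBindingsList()) {
      if (b.getMembersCount() == 0) problems.add(b.getRole() + ": binding has no principal");
      conditional |= b.hasCondition();
      for (String member : b.getMembersList()) {
        principals++; // each occurrence counts, even when the principal repeats
        if (member.startsWith("group:")) groups++;
      }
    }
    if (principals > MAX_PRINCIPALS) problems.add(principals + " principals exceed " + MAX_PRINCIPALS);
    if (groups > MAX_GROUPS) problems.add(groups + " groups exceed " + MAX_GROUPS);
    int v = policy.getVersion();
    if (v != 0 && v != 1 && v != 3) problems.add("invalid version " + v);
    if (conditional && v != 3) problems.add("conditional binding requires version 3, got " + v);
    if (policy.getEtag().isEmpty()) problems.add("etag missing: write is not tied to the policy that was read");
    return problems;
  }

  public static void main(String[] args) {
    // Constructed sample: the conditional binding from the page's example, but sent
    // as version 1 and without the etag returned by getIamPolicy.
    Policy stale = Policy.newBuilder()
        .setVersion(1)
        .addBindings(Binding.newBuilder()
            .setRole("roles/resourcemanager.organizationViewer")
            .addMembers("user:eve@example.com")
            .setCondition(Expr.newBuilder()
                .setTitle("expirable access")
                .setExpression("request.time < timestamp('2020-10-01T00:00:00.000Z')")))
        .build();
    violations(stale).forEach(System.out::println);
  }
}
```

The check sees only the outgoing policy. Removing a role binding from a policy that includes conditions also requires version 3, so carry the version and etag over from the policy that was read.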

hashCode()

public int hashCode()

Returns
Type
Description
int
Overrides

internalGetFieldAccessorTable()

protected GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()

Returns
Type
Description
Overrides

isInitialized()

public final boolean isInitialized()

Returns
Type
Description
Overrides

newBuilderForType()

public Policy.Builder newBuilderForType()

Returns
Type
Description

newBuilderForType(GeneratedMessageV3.BuilderParent parent)

protected Policy.Builder newBuilderForType(GeneratedMessageV3.BuilderParent parent)

Parameter
Name
Description
parent
Returns
Type
Description
Overrides

newInstance(GeneratedMessageV3.UnusedPrivateParameter unused)

protected Object newInstance(GeneratedMessageV3.UnusedPrivateParameter unused)

Parameter
Name
Description
Returns
Type
Description
Overrides

toBuilder()

public Policy.Builder toBuilder()

Returns
Type
Description

writeTo(CodedOutputStream output)

public void writeTo(CodedOutputStream output)

Parameter
Name
Description
Overrides
Exceptions
Type
Description