An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources.

Properties

| Type | Property | Description |
| virtual System.Collections.Generic.IList< GoogleIamV1AuditConfig > | AuditConfigs [get, set] | Specifies cloud audit logging configuration for this policy. |
| virtual System.Collections.Generic.IList< GoogleIamV1Binding > | Bindings [get, set] | Associates a list of members to a role. Optionally, may specify a condition that determines how and when the bindings are applied. Each of the bindings must contain at least one member. |
| virtual string | ETag [get, set] | etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the etag in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An etag is returned in the response to getIamPolicy, and systems are expected to put that etag in the request to setIamPolicy to ensure that their change will be applied to the same version of the policy. |
| virtual System.Nullable< int > | Version [get, set] | Specifies the format of the policy. |

Properties inherited from Google::Apis::Requests::IDirectResponseSchema

| Type | Property |
| string | ETag |
An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources.

A Policy is a collection of bindings. A binding binds one or more members to a single role. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role.

Optionally, a binding can specify a condition, which is a logical expression that allows access to a resource only if the expression evaluates to true. A condition can add constraints based on attributes of the request, the resource, or both.
JSON example:
    {
      "bindings": [
        {
          "role": "roles/resourcemanager.organizationAdmin",
          "members": [
            "user:mike@example.com",
            "group:admins@example.com",
            "domain:google.com",
            "serviceAccount:my-project-id@appspot.gserviceaccount.com"
          ]
        },
        {
          "role": "roles/resourcemanager.organizationViewer",
          "members": ["user:eve@example.com"],
          "condition": {
            "title": "expirable access",
            "description": "Does not grant access after Sep 2020",
            "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')"
          }
        }
      ],
      "etag": "BwWWja0YfJA=",
      "version": 3
    }
YAML example:
    bindings:
    - members:
      - user:mike@example.com
      - group:admins@example.com
      - domain:google.com
      - serviceAccount:my-project-id@appspot.gserviceaccount.com
      role: roles/resourcemanager.organizationAdmin
    - members:
      - user:eve@example.com
      role: roles/resourcemanager.organizationViewer
      condition:
        title: expirable access
        description: Does not grant access after Sep 2020
        expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
    etag: BwWWja0YfJA=
    version: 3
For a description of IAM and its features, see the IAM documentation.
AuditConfigs [get, set]
Specifies cloud audit logging configuration for this policy.
Bindings [get, set]
Associates a list of members to a role. Optionally, may specify a condition that determines how and when the bindings are applied. Each of the bindings must contain at least one member.
ETag [get, set]
etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the etag in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An etag is returned in the response to getIamPolicy, and systems are expected to put that etag in the request to setIamPolicy to ensure that their change will be applied to the same version of the policy.

Important: If you use IAM Conditions, you must include the etag field whenever you call setIamPolicy. If you omit this field, then IAM allows you to overwrite a version 3 policy with a version 1 policy, and all of the conditions in the version 3 policy are lost.
Version [get, set]
Specifies the format of the policy.

Valid values are 0, 1, and 3. Requests that specify an invalid value are rejected.

Any operation that affects conditional role bindings must specify version 3. This requirement applies to the following operations:

Important: If you use IAM Conditions, you must include the etag field whenever you call setIamPolicy. If you omit this field, then IAM allows you to overwrite a version 3 policy with a version 1 policy, and all of the conditions in the version 3 policy are lost.

If a policy does not include any conditions, operations on that policy may specify any valid version or leave the field unset.
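
The ETag and Version rules above can be checked on the client before a policy is written. The following Python sketch is an added example, not part of the Google client library: it works on the JSON form of the policy shown earlier, and the names preflight, has_conditions, CURRENT, good and downgrade are hypothetical. Treating a missing etag as a blocking problem even when no conditions exist is a choice made here, based on the "strongly suggested" wording.

```python
import copy

VALID_VERSIONS = {0, 1, 3}

# Constructed sample: the policy from the JSON example, as getIamPolicy returns it.
CURRENT = {
    "bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["user:mike@example.com", "group:admins@example.com"]},
        {"role": "roles/resourcemanager.organizationViewer",
         "members": ["user:eve@example.com"],
         "condition": {"title": "expirable access",
                       "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')"}},
    ],
    "etag": "BwWWja0YfJA=",
    "version": 3,
}

def has_conditions(policy):
    """True if any binding in the policy carries a condition."""
    return any(b.get("condition") for b in policy.get("bindings", []))

def preflight(proposed, current):
    """Return reasons not to send `proposed` to setIamPolicy ([] means OK).

    `current` is the policy last returned by getIamPolicy.
    """
    problems = []
    version = proposed.get("version")
    if version is not None and version not in VALID_VERSIONS:
        problems.append("invalid version")
    for i, binding in enumerate(proposed.get("bindings", [])):
        if not binding.get("members"):
            problems.append(f"bindings[{i}] has no members")
    # Conditions on either side of the write mean the request must be version 3.
    if (has_conditions(proposed) or has_conditions(current)) and version != 3:
        problems.append("conditional bindings require version 3")
    if not proposed.get("etag"):
        problems.append("etag missing")
    elif proposed["etag"] != current.get("etag"):
        problems.append("stale etag")
    return problems

# A read-modify-write that keeps etag and version: passes.
good = copy.deepcopy(CURRENT)
good["bindings"][0]["members"].append("user:new-admin@example.com")

# A version 1 write without etag: would drop the condition on the viewer binding.
downgrade = {"version": 1, "bindings": [
    {"role": "roles/resourcemanager.organizationViewer", "members": ["user:eve@example.com"]}]}
```

A "stale etag" result means the policy should be read again with getIamPolicy and the change re-applied to the fresh copy before retrying.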