google_api_compute v0.11.0 GoogleApi.Compute.V1.Model.Policy View Source
An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources.
A Policy
is a collection of bindings
. A binding
binds one or more members
to a single role
. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role
is a named list of permissions; each role
can be an IAM predefined role or a user-created custom role.
Optionally, a binding
can specify a condition
, which is a logical expression that allows access to a resource only if the expression evaluates to true
. A condition can add constraints based on attributes of the request, the resource, or both.
JSON example:
{ "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": ["user:eve@example.com"], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 }
YAML example:
bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') - etag: BwWWja0YfJA= - version: 3
For a description of IAM and its features, see the IAM documentation.
Attributes
auditConfigs
(type:list(GoogleApi.Compute.V1.Model.AuditConfig.t)
, default:nil
) - Specifies cloud audit logging configuration for this policy.bindings
(type:list(GoogleApi.Compute.V1.Model.Binding.t)
, default:nil
) - Associates a list ofmembers
to arole
. Optionally, may specify acondition
that determines how and when thebindings
are applied. Each of thebindings
must contain at least one member.etag
(type:String.t
, default:nil
) -etag
is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of theetag
in the read-modify-write cycle to perform policy updates in order to avoid race conditions: Anetag
is returned in the response togetIamPolicy
, and systems are expected to put that etag in the request tosetIamPolicy
to ensure that their change will be applied to the same version of the policy.Important: If you use IAM Conditions, you must include the
etag
field whenever you callsetIamPolicy
. If you omit this field, then IAM allows you to overwrite a version3
policy with a version1
policy, and all of the conditions in the version3
policy are lost.iamOwned
(type:boolean()
, default:nil
) -rules
(type:list(GoogleApi.Compute.V1.Model.Rule.t)
, default:nil
) - If more than one rule is specified, the rules are applied in the following manner: - All matching LOG rules are always applied. - If any DENY/DENY_WITH_LOG rule matches, permission is denied. Logging will be applied if one or more matching rule requires logging. - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is granted. Logging will be applied if one or more matching rule requires logging. - Otherwise, if no rule applies, permission is denied.version
(type:integer()
, default:nil
) - Specifies the format of the policy.Valid values are
0
,1
, and3
. Requests that specify an invalid value are rejected.Any operation that affects conditional role bindings must specify version
3
. This requirement applies to the following operations:- Getting a policy that includes a conditional role binding Adding a conditional role binding to a policy Changing a conditional role binding in a policy * Removing any role binding, with or without a condition, from a policy that includes conditions
Important: If you use IAM Conditions, you must include the
etag
field whenever you callsetIamPolicy
. If you omit this field, then IAM allows you to overwrite a version3
policy with a version1
policy, and all of the conditions in the version3
policy are lost.If a policy does not include any conditions, operations on that policy may specify any valid version or leave the field unset.
Link to this section Summary
Functions
Unwrap a decoded JSON object into its complex fields.
Link to this section Types
t()
View Sourcet() :: %GoogleApi.Compute.V1.Model.Policy{ auditConfigs: [GoogleApi.Compute.V1.Model.AuditConfig.t()], bindings: [GoogleApi.Compute.V1.Model.Binding.t()], etag: String.t(), iamOwned: boolean(), rules: [GoogleApi.Compute.V1.Model.Rule.t()], version: integer() }
Link to this section Functions
Unwrap a decoded JSON object into its complex fields.