access_policies_iam_policies
Overview
Name | access_policies_iam_policies |
Type | Resource |
Id | google.accesscontextmanager.access_policies_iam_policies |
Fields
Name | Datatype | Description |
---|---|---|
condition | object | Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. |
members | array | Specifies the principals requesting access for a Google Cloud resource. members can have the following values: allUsers : A special identifier that represents anyone who is on the internet; with or without a Google account. allAuthenticatedUsers : A special identifier that represents anyone who is authenticated with a Google account or a service account. Does not include identities that come from external identity providers (IdPs) through identity federation. user:{emailid} : An email address that represents a specific Google account. For example, alice@example.com . serviceAccount:{emailid} : An email address that represents a Google service account. For example, my-other-app@appspot.gserviceaccount.com . serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}] : An identifier for a Kubernetes service account. For example, my-project.svc.id.goog[my-namespace/my-kubernetes-sa] . group:{emailid} : An email address that represents a Google group. For example, admins@example.com . domain:{domain} : The G Suite domain (primary) that represents all the users of that domain. For example, google.com or example.com . deleted:user:{emailid}?uid={uniqueid} : An email address (plus unique identifier) representing a user that has been recently deleted. For example, alice@example.com?uid=123456789012345678901 . If the user is recovered, this value reverts to user:{emailid} and the recovered user retains the role in the binding. deleted:serviceAccount:{emailid}?uid={uniqueid} : An email address (plus unique identifier) representing a service account that has been recently deleted. For example, my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901 . If the service account is undeleted, this value reverts to serviceAccount:{emailid} and the undeleted service account retains the role in the binding. deleted:group:{emailid}?uid={uniqueid} : An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, admins@example.com?uid=123456789012345678901 . If the group is recovered, this value reverts to group:{emailid} and the recovered group retains the role in the binding. |
role | string | Role that is assigned to the list of members , or principals. For example, roles/viewer , roles/editor , or roles/owner . |
Methods
Name | Accessible by | Required Params | Description |
---|---|---|---|
get_iam_policy | SELECT | accessPoliciesId | Gets the IAM policy for the specified Access Context Manager access policy. |
_get_iam_policy | EXEC | accessPoliciesId | Gets the IAM policy for the specified Access Context Manager access policy. |
set_iam_policy | EXEC | accessPoliciesId | Sets the IAM policy for the specified Access Context Manager access policy. This method replaces the existing IAM policy on the access policy. The IAM policy controls the set of users who can perform specific operations on the Access Context Manager access policy. |
test_iam_permissions | EXEC | accessPoliciesId | Returns the IAM permissions that the caller has on the specified Access Context Manager resource. The resource can be an AccessPolicy, AccessLevel, or ServicePerimeter. This method does not support other resources. |