app_connectors_iam_policies
Creates, updates, deletes, gets or lists a app_connectors_iam_policies
resource.
Overview
Name | app_connectors_iam_policies |
Type | Resource |
Id | google.beyondcorp.app_connectors_iam_policies |
Fields
Name | Datatype | Description |
---|---|---|
condition | object | Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. |
members | array | Specifies the principals requesting access for a Google Cloud resource. members can have the following values: allUsers : A special identifier that represents anyone who is on the internet; with or without a Google account. allAuthenticatedUsers : A special identifier that represents anyone who is authenticated with a Google account or a service account. Does not include identities that come from external identity providers (IdPs) through identity federation. user:{emailid} : An email address that represents a specific Google account. For example, alice@example.com . serviceAccount:{emailid} : An email address that represents a Google service account. For example, my-other-app@appspot.gserviceaccount.com . serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}] : An identifier for a Kubernetes service account. For example, my-project.svc.id.goog[my-namespace/my-kubernetes-sa] . group:{emailid} : An email address that represents a Google group. For example, admins@example.com . domain:{domain} : The G Suite domain (primary) that represents all the users of that domain. For example, google.com or example.com . principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value} : A single identity in a workforce identity pool. principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/group/{group_id} : All workforce identities in a group. principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/attribute.{attribute_name}/{attribute_value} : All workforce identities with a specific attribute value. `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/: All identities in a workforce identity pool. * principal://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/subject/{subject_attribute_value}: A single identity in a workload identity pool. * principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/group/{group_id}: A workload identity pool group. * principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/attribute.{attribute_name}/{attribute_value}: All identities in a workload identity pool with a certain attribute. * principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/`: All identities in a workload identity pool. deleted:user:{emailid}?uid={uniqueid} : An email address (plus unique identifier) representing a user that has been recently deleted. For example, alice@example.com?uid=123456789012345678901 . If the user is recovered, this value reverts to user:{emailid} and the recovered user retains the role in the binding. deleted:serviceAccount:{emailid}?uid={uniqueid} : An email address (plus unique identifier) representing a service account that has been recently deleted. For example, my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901 . If the service account is undeleted, this value reverts to serviceAccount:{emailid} and the undeleted service account retains the role in the binding. deleted:group:{emailid}?uid={uniqueid} : An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, admins@example.com?uid=123456789012345678901 . If the group is recovered, this value reverts to group:{emailid} and the recovered group retains the role in the binding. * deleted:principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value} : Deleted single identity in a workforce identity pool. For example, deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-pool-id/subject/my-subject-attribute-value . |
role | string | Role that is assigned to the list of members , or principals. For example, roles/viewer , roles/editor , or roles/owner . For an overview of the IAM roles and permissions, see the IAM documentation. For a list of the available pre-defined roles, see here. |
Methods
Name | Accessible by | Required Params | Description |
---|---|---|---|
projects_locations_app_connectors_get_iam_policy | SELECT | appConnectorsId, locationsId, projectsId | Gets the access control policy for a resource. Returns an empty policy if the resource exists and does not have a policy set. |
projects_locations_app_connectors_set_iam_policy | REPLACE | appConnectorsId, locationsId, projectsId | Sets the access control policy on the specified resource. Replaces any existing policy. Can return NOT_FOUND , INVALID_ARGUMENT , and PERMISSION_DENIED errors. |
projects_locations_app_connectors_test_iam_permissions | EXEC | appConnectorsId, locationsId, projectsId | Returns permissions that a caller has on the specified resource. If the resource does not exist, this will return an empty set of permissions, not a NOT_FOUND error. Note: This operation is designed to be used for building permission-aware UIs and command-line tools, not for authorization checking. This operation may "fail open" without warning. |
SELECT
examples
Gets the access control policy for a resource. Returns an empty policy if the resource exists and does not have a policy set.
SELECT
condition,
members,
role
FROM google.beyondcorp.app_connectors_iam_policies
WHERE appConnectorsId = '{{ appConnectorsId }}'
AND locationsId = '{{ locationsId }}'
AND projectsId = '{{ projectsId }}';
REPLACE
example
Replaces all fields in the specified app_connectors_iam_policies
resource.
/*+ update */
REPLACE google.beyondcorp.app_connectors_iam_policies
SET
policy = '{{ policy }}',
updateMask = '{{ updateMask }}'
WHERE
appConnectorsId = '{{ appConnectorsId }}'
AND locationsId = '{{ locationsId }}'
AND projectsId = '{{ projectsId }}';