Class: Google::Iam::V1::Policy

Inherits:

Object

• Object
• Google::Iam::V1::Policy

Extended by:

Protobuf::MessageExts::ClassMethods

Includes:

Protobuf::MessageExts

Defined in:

proto_docs/google/iam/v1/policy.rb

Overview

An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources.

A Policy is a collection of bindings. A binding binds one or more members, or principals, to a single role. Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role.

For some types of Google Cloud resources, a binding can also specify a condition, which is a logical expression that allows access to a resource only if the expression evaluates to true. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the IAM documentation.

JSON example:

    {
      "bindings": [
        {
          "role": "roles/resourcemanager.organizationAdmin",
          "members": [
            "user:mike@example.com",
            "group:admins@example.com",
            "domain:google.com",
            "serviceAccount:my-project-id@appspot.gserviceaccount.com"
          ]
        },
        {
          "role": "roles/resourcemanager.organizationViewer",
          "members": [
            "user:eve@example.com"
          ],
          "condition": {
            "title": "expirable access",
            "description": "Does not grant access after Sep 2020",
            "expression": "request.time <
            timestamp('2020-10-01T00:00:00.000Z')",
          }
        }
      ],
      "etag": "BwWWja0YfJA=",
      "version": 3
    }

YAML example:

    bindings:
    - members:
      - user:mike@example.com
      - group:admins@example.com
      - domain:google.com
      - serviceAccount:my-project-id@appspot.gserviceaccount.com
      role: roles/resourcemanager.organizationAdmin
    - members:
      - user:eve@example.com
      role: roles/resourcemanager.organizationViewer
      condition:
        title: expirable access
        description: Does not grant access after Sep 2020
        expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
    etag: BwWWja0YfJA=
    version: 3

For a description of IAM and its features, see the IAM documentation.

Instance Attribute Summary

• #audit_configs ⇒ ::Array<::Google::Iam::V1::AuditConfig>

  Specifies cloud audit logging configuration for this policy.

• #bindings ⇒ ::Array<::Google::Iam::V1::Binding>

  Associates a list of members, or principals, with a role.

• #etag ⇒ ::String

  etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other.

• #version ⇒ ::Integer

  Specifies the format of the policy.

Instance Attribute Details

#audit_configs ⇒ ::Array<::Google::Iam::V1::AuditConfig>

# File 'proto_docs/google/iam/v1/policy.rb', line 152

class Policy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods
end

#bindings ⇒ ::Array<::Google::Iam::V1::Binding>

# File 'proto_docs/google/iam/v1/policy.rb', line 152

class Policy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods
end

#etag ⇒ ::String

# File 'proto_docs/google/iam/v1/policy.rb', line 152

class Policy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods
end

#version ⇒ ::Integer

# File 'proto_docs/google/iam/v1/policy.rb', line 152

class Policy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods
end