Set Iam Policy

Sets the access control policy on the specified resource


Sets the access control policy on the specified resource. Replaces any existing policy

Authorization

To use this building block you will have to grant access to at least one of the following scopes:

  • View and manage your data across Google Cloud Platform services
  • View and manage your Google Compute Engine resources

Input

This building block consumes 36 input parameters

  Parameter name    Format

project STRING Required

Project ID for this request

zone STRING Required

The name of the zone for this request

resource STRING Required

Name or id of the resource for this request

bindings[] OBJECT

Associates members with a role

bindings[].condition OBJECT

Represents an expression text. Example:

  title: "User account presence"
  description: "Determines whether the request has a user account"
  expression: "size(request.user) > 0"

bindings[].condition.description STRING

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI

bindings[].condition.expression STRING

Textual representation of an expression in Common Expression Language syntax.

The application context of the containing message determines which well-known feature set of CEL is supported

bindings[].condition.location STRING

An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file

bindings[].condition.title STRING

An optional title for the expression, i.e. a short string describing its purpose. This can be used, e.g., in UIs that allow entering the expression

bindings[].members[] STRING

bindings[].role STRING

Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner

etag BINARY

Flatten Policy to create a backward compatible wire-format. Deprecated. Use 'policy' to specify the etag

policy OBJECT

Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources.

A Policy consists of a list of bindings. A binding binds a list of members to a role, where the members can be user accounts, Google groups, Google domains, and service accounts. A role is a named list of permissions defined by IAM.

JSON Example

  {
    "bindings": [
      {
        "role": "roles/owner",
        "members": [
          "user:[email protected]",
          "group:[email protected]",
          "domain:google.com",
          "serviceAccount:[email protected]"
        ]
      },
      {
        "role": "roles/viewer",
        "members": ["user:[email protected]"]
      }
    ]
  }

YAML Example

  bindings:
  - members:
    - user:[email protected]
    - group:[email protected]
    - domain:google.com
    - serviceAccount:[email protected]
    role: roles/owner
  - members:
    - user:[email protected]
    role: roles/viewer

For a description of IAM and its features, see the IAM developer's guide

policy.auditConfigs[] OBJECT

Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.

If there are AuditConfigs for both allServices and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted.

Example Policy with multiple AuditConfigs:

  {
    "audit_configs": [
      {
        "service": "allServices",
        "audit_log_configs": [
          { "log_type": "DATA_READ", "exempted_members": ["user:[email protected]"] },
          { "log_type": "DATA_WRITE" },
          { "log_type": "ADMIN_READ" }
        ]
      },
      {
        "service": "fooservice.googleapis.com",
        "audit_log_configs": [
          { "log_type": "DATA_READ" },
          { "log_type": "DATA_WRITE", "exempted_members": ["user:[email protected]"] }
        ]
      }
    ]
  }

For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts [email protected] from DATA_READ logging, and [email protected] from DATA_WRITE logging

policy.auditConfigs[].auditLogConfigs[] OBJECT

Provides the configuration for logging a type of permissions. Example:

  {
    "audit_log_configs": [
      { "log_type": "DATA_READ", "exempted_members": ["user:[email protected]"] },
      { "log_type": "DATA_WRITE" }
    ]
  }

This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting [email protected] from DATA_READ logging

policy.auditConfigs[].exemptedMembers[] STRING

policy.auditConfigs[].service STRING

Specifies a service that will be enabled for audit logging. For example, storage.googleapis.com, cloudsql.googleapis.com. allServices is a special value that covers all services

policy.bindings[] OBJECT

Associates members with a role

policy.bindings[].condition OBJECT

Represents an expression text. Example:

  title: "User account presence"
  description: "Determines whether the request has a user account"
  expression: "size(request.user) > 0"

policy.bindings[].condition.description STRING

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI

policy.bindings[].condition.expression STRING

Textual representation of an expression in Common Expression Language syntax.

The application context of the containing message determines which well-known feature set of CEL is supported

policy.bindings[].condition.location STRING

An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file

policy.bindings[].condition.title STRING

An optional title for the expression, i.e. a short string describing its purpose. This can be used, e.g., in UIs that allow entering the expression

policy.bindings[].members[] STRING

policy.bindings[].role STRING

Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner

policy.etag BINARY

etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the etag in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An etag is returned in the response to getIamPolicy, and systems are expected to put that etag in the request to setIamPolicy to ensure that their change will be applied to the same version of the policy.

If no etag is provided in the call to setIamPolicy, then the existing policy is overwritten blindly

policy.iamOwned BOOLEAN

policy.rules[] OBJECT

A rule to be applied in a Policy

policy.rules[].action ENUMERATION

Required

policy.rules[].conditions[] OBJECT

A condition to be met

policy.rules[].description STRING

Human-readable description of the rule

policy.rules[].ins[] STRING

policy.rules[].logConfigs[] OBJECT

Specifies what kind of log the caller must write

policy.rules[].notIns[] STRING

policy.rules[].permissions[] STRING

policy.version INTEGER

Deprecated

Output

This building block provides 33 output parameters

  Parameter name    Format

auditConfigs[] OBJECT

Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.

If there are AuditConfigs for both allServices and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted.

Example Policy with multiple AuditConfigs:

  {
    "audit_configs": [
      {
        "service": "allServices",
        "audit_log_configs": [
          { "log_type": "DATA_READ", "exempted_members": ["user:[email protected]"] },
          { "log_type": "DATA_WRITE" },
          { "log_type": "ADMIN_READ" }
        ]
      },
      {
        "service": "fooservice.googleapis.com",
        "audit_log_configs": [
          { "log_type": "DATA_READ" },
          { "log_type": "DATA_WRITE", "exempted_members": ["user:[email protected]"] }
        ]
      }
    ]
  }

For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts [email protected] from DATA_READ logging, and [email protected] from DATA_WRITE logging

auditConfigs[].auditLogConfigs[] OBJECT

Provides the configuration for logging a type of permissions. Example:

  {
    "audit_log_configs": [
      { "log_type": "DATA_READ", "exempted_members": ["user:[email protected]"] },
      { "log_type": "DATA_WRITE" }
    ]
  }

This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting [email protected] from DATA_READ logging
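The union rule for allServices and service-specific AuditConfigs (described under auditConfigs[] in both the Input and Output sections, and illustrated by the auditLogConfigs[] example just above) is easy to get wrong when reviewing a policy by eye. The following Python is an added example, not code from this page or from Google: it merges the configs for one service exactly as the reference states (a log type enabled in either config is enabled, exemptions from either config apply) and reports the audit gaps a reviewer would want to know about. It uses the camelCase field names from the parameter table (auditLogConfigs, logType, exemptedMembers), the sample configuration and e-mail addresses are constructed, and the undocumented AuditConfig-level exemptedMembers[] field is deliberately ignored.

```python
from typing import Dict, List, Sequence

# Constructed sample mirroring the reference's "multiple AuditConfigs" example,
# using camelCase field names and made-up member addresses.
SAMPLE_AUDIT_CONFIGS = [
    {
        "service": "allServices",
        "auditLogConfigs": [
            {"logType": "DATA_READ", "exemptedMembers": ["user:jose@example.com"]},
            {"logType": "DATA_WRITE"},
            {"logType": "ADMIN_READ"},
        ],
    },
    {
        "service": "fooservice.googleapis.com",
        "auditLogConfigs": [
            {"logType": "DATA_READ"},
            {"logType": "DATA_WRITE", "exemptedMembers": ["user:aliya@example.com"]},
        ],
    },
]

ALL_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")


def effective_audit_config(audit_configs: List[Dict], service: str) -> Dict[str, List[str]]:
    """Merge the allServices config with the config for `service`.

    Returns {log_type: sorted exempted members} for every enabled log type.
    A log type enabled in either config is enabled, and exemptions listed in
    either config apply, which is the union rule the reference describes.
    """
    merged: Dict[str, set] = {}
    for cfg in audit_configs:
        if cfg.get("service") not in ("allServices", service):
            continue
        for log_cfg in cfg.get("auditLogConfigs", []):
            exempt = merged.setdefault(log_cfg["logType"], set())
            exempt.update(log_cfg.get("exemptedMembers", []))
    return {log_type: sorted(members) for log_type, members in sorted(merged.items())}


def is_logged(audit_configs: List[Dict], service: str, log_type: str, member: str) -> bool:
    """True if `member`'s `log_type` access to `service` would be audit-logged."""
    effective = effective_audit_config(audit_configs, service)
    return log_type in effective and member not in effective[log_type]


def audit_gaps(audit_configs: List[Dict], service: str,
               required: Sequence[str] = ALL_LOG_TYPES) -> Dict[str, List[str]]:
    """Reviewer's check: required log types that are not enabled, and who is exempted."""
    effective = effective_audit_config(audit_configs, service)
    return {
        "missing_log_types": [lt for lt in required if lt not in effective],
        "exemptions": sorted(f"{m} ({lt})" for lt, ms in effective.items() for m in ms),
    }


if __name__ == "__main__":
    svc = "fooservice.googleapis.com"
    print(effective_audit_config(SAMPLE_AUDIT_CONFIGS, svc))
    print(audit_gaps(SAMPLE_AUDIT_CONFIGS, "storage.googleapis.com"))
```

With the sample configuration, fooservice ends up with all three log types enabled, jose exempted from DATA_READ and aliya from DATA_WRITE, matching the prose; any other service inherits only the allServices part. Because exemptions accumulate across configs, an exemption added under allServices silently widens the logging blind spot for every service, which is why the check reports exemptions per log type rather than per config.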

auditConfigs[].auditLogConfigs[].exemptedMembers[] STRING

auditConfigs[].auditLogConfigs[].logType ENUMERATION

The log type that this config enables

auditConfigs[].exemptedMembers[] STRING

auditConfigs[].service STRING

Specifies a service that will be enabled for audit logging. For example, storage.googleapis.com, cloudsql.googleapis.com. allServices is a special value that covers all services

bindings[] OBJECT

Associates members with a role

bindings[].condition OBJECT

Represents an expression text. Example:

  title: "User account presence"
  description: "Determines whether the request has a user account"
  expression: "size(request.user) > 0"

bindings[].condition.description STRING

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI

bindings[].condition.expression STRING

Textual representation of an expression in Common Expression Language syntax.

The application context of the containing message determines which well-known feature set of CEL is supported

bindings[].condition.location STRING

An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file

bindings[].condition.title STRING

An optional title for the expression, i.e. a short string describing its purpose. This can be used, e.g., in UIs that allow entering the expression

bindings[].members[] STRING

bindings[].role STRING

Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner

etag BINARY

etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the etag in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An etag is returned in the response to getIamPolicy, and systems are expected to put that etag in the request to setIamPolicy to ensure that their change will be applied to the same version of the policy.

If no etag is provided in the call to setIamPolicy, then the existing policy is overwritten blindly
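The etag contract (described for policy.etag in the Input section and again for etag here) is the one property of setIamPolicy that decides whether two administrators editing bindings at the same time can lose each other's changes. The following Python is an added example, not code from this page or from Google: it uses a constructed in-memory stand-in for one resource's getIamPolicy/setIamPolicy pair that reproduces only the behaviour the reference states (a fresh etag after every write, a stale etag rejected, a missing etag overwriting blindly), a helper that adds a member to a role binding in the Policy structure shown under policy above, and a read-modify-write cycle that carries the etag through. The class, function and member names and the placeholder etag values are all assumptions; the real etag is opaque BINARY data, and the real API would be called through a Google client library.

```python
import copy
import secrets
from typing import Dict, List, Tuple


class PolicyConflict(Exception):
    """setIamPolicy rejected the write: the etag no longer matches the stored policy."""


class FakeResource:
    """Constructed in-memory stand-in for one resource's getIamPolicy/setIamPolicy.

    Not the real Compute Engine API: it only reproduces the etag contract the
    reference describes (fresh etag on every write, stale etag rejected,
    missing etag overwrites blindly).
    """

    def __init__(self, policy: Dict):
        self._policy = copy.deepcopy(policy)
        self._policy["etag"] = self._new_etag()

    @staticmethod
    def _new_etag() -> str:
        return secrets.token_hex(6)  # opaque placeholder; the real etag is BINARY

    def get_iam_policy(self) -> Dict:
        return copy.deepcopy(self._policy)

    def set_iam_policy(self, policy: Dict) -> Dict:
        sent = policy.get("etag")
        if sent is not None and sent != self._policy["etag"]:
            raise PolicyConflict("etag mismatch: policy changed since it was read")
        # sent is None: no etag provided, so the existing policy is overwritten blindly
        self._policy = copy.deepcopy(policy)
        self._policy["etag"] = self._new_etag()
        return copy.deepcopy(self._policy)


def add_member(policy: Dict, role: str, member: str) -> Dict:
    """Return a copy of policy with member added to the unconditional binding for role."""
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        if binding.get("role") == role and "condition" not in binding:
            members = binding.setdefault("members", [])
            if member not in members:
                members.append(member)
            return updated
    bindings.append({"role": role, "members": [member]})
    return updated


def members_of(policy: Dict, role: str) -> List[str]:
    """Sorted members granted `role` across all of the policy's bindings."""
    return sorted(m for b in policy.get("bindings", [])
                  if b.get("role") == role for m in b.get("members", []))


def grant_with_etag(resource: FakeResource, role: str, member: str, retries: int = 3) -> Dict:
    """Read-modify-write cycle: carry the etag from get to set and retry on conflict."""
    for _ in range(retries):
        current = resource.get_iam_policy()          # includes the current etag
        desired = add_member(current, role, member)  # etag is copied along unchanged
        try:
            return resource.set_iam_policy(desired)
        except PolicyConflict:
            continue                                  # someone else wrote first; re-read
    raise RuntimeError("gave up after repeated concurrent policy updates")


def demo_lost_update() -> Tuple[bool, List[str]]:
    """Two writers race: with the etag the stale write is rejected, without it a grant is lost."""
    base = {"bindings": [{"role": "roles/viewer", "members": ["user:alice@example.com"]}]}
    resource = FakeResource(base)

    # Writer A reads, then writer B completes a full cycle before A writes.
    snapshot_a = resource.get_iam_policy()
    grant_with_etag(resource, "roles/viewer", "user:bob@example.com")  # writer B

    # A's write carries the now-stale etag and is rejected: B's grant to bob survives.
    try:
        resource.set_iam_policy(add_member(snapshot_a, "roles/editor", "user:carol@example.com"))
        stale_write_rejected = False
    except PolicyConflict:
        stale_write_rejected = True

    # A retries but drops the etag: the write succeeds and silently discards B's grant.
    blind = add_member(snapshot_a, "roles/editor", "user:carol@example.com")
    blind.pop("etag", None)
    resource.set_iam_policy(blind)
    return stale_write_rejected, members_of(resource.get_iam_policy(), "roles/viewer")


if __name__ == "__main__":
    print(demo_lost_update())  # (True, ['user:alice@example.com']): bob's grant was lost
```

The point the demo makes is that a lost update is not an error anyone sees: the blind write returns success, and the only trace of bob's vanished grant is in audit logs, if DATA_WRITE or ADMIN_READ logging for the resource's service is enabled. Tooling that calls setIamPolicy should therefore always pass the etag it received from getIamPolicy and re-read on conflict rather than retrying the same request.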

iamOwned BOOLEAN

rules[] OBJECT

A rule to be applied in a Policy

rules[].action ENUMERATION

Required

rules[].conditions[] OBJECT

A condition to be met

rules[].conditions[].iam ENUMERATION

Trusted attributes supplied by the IAM system

rules[].conditions[].op ENUMERATION

The operator to apply to the subject

rules[].conditions[].svc STRING

Trusted attributes discharged by the service

rules[].conditions[].sys ENUMERATION

Trusted attributes supplied by any service that owns resources and uses the IAM system for access control

rules[].conditions[].values[] STRING

rules[].description STRING

Human-readable description of the rule

rules[].ins[] STRING

rules[].logConfigs[] OBJECT

Specifies what kind of log the caller must write

rules[].logConfigs[].cloudAudit OBJECT

Write a Cloud Audit log

rules[].logConfigs[].counter OBJECT

Increment a streamz counter with the specified metric and field names.

Metric names should start with a '/', generally be lowercase-only, and end in "_count". Field names should not contain an initial slash. The actual exported metric names will have "/iam/policy" prepended.

Field names correspond to IAM request parameters and field values are their respective values.

Supported field names:

  • "authority", which is "[token]" if IAMContext.token is present, otherwise the value of IAMContext.authority_selector if present, and otherwise a representation of IAMContext.principal; or
  • "iam_principal", a representation of IAMContext.principal even if a token or authority selector is present; or
  • "" (empty string), resulting in a counter with no fields.

Example:

  counter { metric: "/debug_access_count" field: "iam_principal" }

  ==> increment counter /iam/policy/backend_debug_access_count {iam_principal=[value of IAMContext.principal]}

At this time we do not support multiple field names (though this may be supported in the future)

rules[].logConfigs[].dataAccess OBJECT

Write a Data Access (Gin) log

rules[].notIns[] STRING

rules[].permissions[] STRING

version INTEGER

Deprecated