Get Iam Policy

1 variables

15 variables

Returns the Cloud IAM access control policy for a ServiceAccount.

Note: Service accounts are both resources and identities. This method treats the service account as a resource. It returns the Cloud IAM policy that reflects what members have access to the service account.

This method does not return what resources the service account has access to. To see if a service account has access to a resource, call the getIamPolicy method on the target resource. For example, to view grants for a project, call the projects.getIamPolicy method

Authorization

To use this building block you will have to grant access to at least one of the following scopes:

View and manage your data across Google Cloud Platform services

Input

This building block consumes 1 input parameters

Name	Format	Description
`resource` Required	`STRING`	REQUIRED: The resource for which the policy is being requested. See the operation documentation for the appropriate value for this field

= Parameter name
= Format

resource STRING Required

REQUIRED: The resource for which the policy is being requested. See the operation documentation for the appropriate value for this field

Output

This building block provides 15 output parameters

Name	Format	Description
`etag`	`BINARY`	`etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the `etag` in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An `etag` is returned in the response to `getIamPolicy`, and systems are expected to put that etag in the request to `setIamPolicy` to ensure that their change will be applied to the same version of the policy. If no `etag` is provided in the call to `setIamPolicy`, then the existing policy is overwritten blindly
`version`	`INTEGER`	Deprecated
`auditConfigs[]`	`OBJECT`	Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs. If there are AuditConfigs for both `allServices` and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted. Example Policy with multiple AuditConfigs: `{ "audit_configs": [ { "service": "allServices" "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:[email protected]" ] }, { "log_type": "DATA_WRITE", }, { "log_type": "ADMIN_READ", } ] }, { "service": "fooservice.googleapis.com" "audit_log_configs": [ { "log_type": "DATA_READ", }, { "log_type": "DATA_WRITE", "exempted_members": [ "user:[email protected]" ] } ] } ] }` For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts [email protected] from DATA_READ logging, and [email protected] from DATA_WRITE logging
`auditConfigs[].service`	`STRING`	Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services
`auditConfigs[].auditLogConfigs[]`	`OBJECT`	Provides the configuration for logging a type of permissions. Example: `{ "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:[email protected]" ] }, { "log_type": "DATA_WRITE", } ] }` This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting [email protected] from DATA_READ logging
`auditConfigs[].auditLogConfigs[].exemptedMembers[]`	`STRING`
`auditConfigs[].auditLogConfigs[].logType`	`ENUMERATION`	The log type that this config enables
`bindings[]`	`OBJECT`	Associates `members` with a `role`
`bindings[].members[]`	`STRING`
`bindings[].role`	`STRING`	Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`
`bindings[].condition`	`OBJECT`	Represents an expression text. Example: `title: "User account presence" description: "Determines whether the request has a user account" expression: "size(request.user) > 0"`
`bindings[].condition.expression`	`STRING`	Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported
`bindings[].condition.title`	`STRING`	An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression
`bindings[].condition.location`	`STRING`	An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file
`bindings[].condition.description`	`STRING`	An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI

= Parameter name
= Format

etag BINARY

etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the etag in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An etag is returned in the response to getIamPolicy, and systems are expected to put that etag in the request to setIamPolicy to ensure that their change will be applied to the same version of the policy.

If no etag is provided in the call to setIamPolicy, then the existing policy is overwritten blindly

version INTEGER

Deprecated

auditConfigs[] OBJECT

Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.

If there are AuditConfigs for both allServices and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted.

Example Policy with multiple AuditConfigs:

{
  "audit_configs": [
    {
      "service": "allServices"
      "audit_log_configs": [
        {
          "log_type": "DATA_READ",
          "exempted_members": [
            "user:[email protected]"
          ]
        },
        {
          "log_type": "DATA_WRITE",
        },
        {
          "log_type": "ADMIN_READ",
        }
      ]
    },
    {
      "service": "fooservice.googleapis.com"
      "audit_log_configs": [
        {
          "log_type": "DATA_READ",
        },
        {
          "log_type": "DATA_WRITE",
          "exempted_members": [
            "user:[email protected]"
          ]
        }
      ]
    }
  ]
}

For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts [email protected] from DATA_READ logging, and [email protected] from DATA_WRITE logging

auditConfigs[].service STRING

Specifies a service that will be enabled for audit logging. For example, storage.googleapis.com, cloudsql.googleapis.com. allServices is a special value that covers all services

auditConfigs[].auditLogConfigs[] OBJECT

Provides the configuration for logging a type of permissions. Example:

{
  "audit_log_configs": [
    {
      "log_type": "DATA_READ",
      "exempted_members": [
        "user:[email protected]"
      ]
    },
    {
      "log_type": "DATA_WRITE",
    }
  ]
}

This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting [email protected] from DATA_READ logging

auditConfigs[].auditLogConfigs[].exemptedMembers[] STRING

auditConfigs[].auditLogConfigs[].logType ENUMERATION

The log type that this config enables

bindings[] OBJECT

Associates members with a role

bindings[].members[] STRING

bindings[].role STRING

Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner

bindings[].condition OBJECT

Represents an expression text. Example:

title: "User account presence"
description: "Determines whether the request has a user account"
expression: "size(request.user) > 0"

bindings[].condition.expression STRING

Textual representation of an expression in Common Expression Language syntax.

The application context of the containing message determines which well-known feature set of CEL is supported

bindings[].condition.title STRING

An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression

bindings[].condition.location STRING

An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file

bindings[].condition.description STRING

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI

Projects / Service Accounts

Get Iam Policy

Authorization

Input

Output