Set Iam Policy

16 variables

15 variables

Sets the Cloud IAM access control policy for a ServiceAccount.

Note: Service accounts are both resources and identities. This method treats the service account as a resource. Use it to grant members access to the service account, such as when they need to impersonate it.

This method does not grant the service account access to other resources, such as projects. To grant a service account access to resources, include the service account in the Cloud IAM policy for the desired resource, then call the appropriate setIamPolicy method on the target resource. For example, to grant a service account access to a project, call the projects.setIamPolicy method

Authorization

To use this building block you will have to grant access to at least one of the following scopes:

View and manage your data across Google Cloud Platform services

Input

This building block consumes 16 input parameters

Name	Format	Description
`resource` Required	`STRING`	REQUIRED: The resource for which the policy is being specified. See the operation documentation for the appropriate value for this field
`updateMask`	`ANY`	OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only the fields in the mask will be modified. If no mask is provided, the following default mask is used: paths: "bindings, etag" This field is only used by Cloud IAM
`policy`	`OBJECT`	Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources. A `Policy` consists of a list of `bindings`. A `binding` binds a list of `members` to a `role`, where the members can be user accounts, Google groups, Google domains, and service accounts. A `role` is a named list of permissions defined by IAM. JSON Example `{ "bindings": [ { "role": "roles/owner", "members": [ "user:[email protected]", "group:[email protected]", "domain:google.com", "serviceAccount:[email protected]" ] }, { "role": "roles/viewer", "members": ["user:[email protected]"] } ] }` YAML Example `bindings: - members: - user:[email protected] - group:[email protected] - domain:google.com - serviceAccount:[email protected] role: roles/owner - members: - user:[email protected] role: roles/viewer` For a description of IAM and its features, see the IAM developer's guide
`policy.etag`	`BINARY`	`etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the `etag` in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An `etag` is returned in the response to `getIamPolicy`, and systems are expected to put that etag in the request to `setIamPolicy` to ensure that their change will be applied to the same version of the policy. If no `etag` is provided in the call to `setIamPolicy`, then the existing policy is overwritten blindly
`policy.version`	`INTEGER`	Deprecated
`policy.auditConfigs[]`	`OBJECT`	Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs. If there are AuditConfigs for both `allServices` and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted. Example Policy with multiple AuditConfigs: `{ "audit_configs": [ { "service": "allServices" "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:[email protected]" ] }, { "log_type": "DATA_WRITE", }, { "log_type": "ADMIN_READ", } ] }, { "service": "fooservice.googleapis.com" "audit_log_configs": [ { "log_type": "DATA_READ", }, { "log_type": "DATA_WRITE", "exempted_members": [ "user:[email protected]" ] } ] } ] }` For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts [email protected] from DATA_READ logging, and [email protected] from DATA_WRITE logging
`policy.auditConfigs[].service`	`STRING`	Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services
`policy.auditConfigs[].auditLogConfigs[]`	`OBJECT`	Provides the configuration for logging a type of permissions. Example: `{ "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:[email protected]" ] }, { "log_type": "DATA_WRITE", } ] }` This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting [email protected] from DATA_READ logging
`policy.bindings[]`	`OBJECT`	Associates `members` with a `role`
`policy.bindings[].members[]`	`STRING`
`policy.bindings[].role`	`STRING`	Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`
`policy.bindings[].condition`	`OBJECT`	Represents an expression text. Example: `title: "User account presence" description: "Determines whether the request has a user account" expression: "size(request.user) > 0"`
`policy.bindings[].condition.expression`	`STRING`	Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported
`policy.bindings[].condition.title`	`STRING`	An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression
`policy.bindings[].condition.location`	`STRING`	An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file
`policy.bindings[].condition.description`	`STRING`	An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI

= Parameter name
= Format

resource STRING Required

REQUIRED: The resource for which the policy is being specified. See the operation documentation for the appropriate value for this field

updateMask ANY

OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only the fields in the mask will be modified. If no mask is provided, the following default mask is used: paths: "bindings, etag" This field is only used by Cloud IAM

policy OBJECT

Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources.

A Policy consists of a list of bindings. A binding binds a list of members to a role, where the members can be user accounts, Google groups, Google domains, and service accounts. A role is a named list of permissions defined by IAM.

JSON Example

{
  "bindings": [
    {
      "role": "roles/owner",
      "members": [
        "user:[email protected]",
        "group:[email protected]",
        "domain:google.com",
        "serviceAccount:[email protected]"
      ]
    },
    {
      "role": "roles/viewer",
      "members": ["user:[email protected]"]
    }
  ]
}

YAML Example

bindings:
- members:
  - user:[email protected]
  - group:[email protected]
  - domain:google.com
  - serviceAccount:[email protected]
  role: roles/owner
- members:
  - user:[email protected]
  role: roles/viewer

For a description of IAM and its features, see the IAM developer's guide

policy.etag BINARY

etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the etag in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An etag is returned in the response to getIamPolicy, and systems are expected to put that etag in the request to setIamPolicy to ensure that their change will be applied to the same version of the policy.

If no etag is provided in the call to setIamPolicy, then the existing policy is overwritten blindly

policy.version INTEGER

Deprecated

policy.auditConfigs[] OBJECT

Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.

If there are AuditConfigs for both allServices and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted.

Example Policy with multiple AuditConfigs:

{
  "audit_configs": [
    {
      "service": "allServices"
      "audit_log_configs": [
        {
          "log_type": "DATA_READ",
          "exempted_members": [
            "user:[email protected]"
          ]
        },
        {
          "log_type": "DATA_WRITE",
        },
        {
          "log_type": "ADMIN_READ",
        }
      ]
    },
    {
      "service": "fooservice.googleapis.com"
      "audit_log_configs": [
        {
          "log_type": "DATA_READ",
        },
        {
          "log_type": "DATA_WRITE",
          "exempted_members": [
            "user:[email protected]"
          ]
        }
      ]
    }
  ]
}

For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts [email protected] from DATA_READ logging, and [email protected] from DATA_WRITE logging

policy.auditConfigs[].service STRING

Specifies a service that will be enabled for audit logging. For example, storage.googleapis.com, cloudsql.googleapis.com. allServices is a special value that covers all services

policy.auditConfigs[].auditLogConfigs[] OBJECT

Provides the configuration for logging a type of permissions. Example:

{
  "audit_log_configs": [
    {
      "log_type": "DATA_READ",
      "exempted_members": [
        "user:[email protected]"
      ]
    },
    {
      "log_type": "DATA_WRITE",
    }
  ]
}

This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting [email protected] from DATA_READ logging

policy.bindings[] OBJECT

Associates members with a role

policy.bindings[].members[] STRING

policy.bindings[].role STRING

Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner

policy.bindings[].condition OBJECT

Represents an expression text. Example:

title: "User account presence"
description: "Determines whether the request has a user account"
expression: "size(request.user) > 0"

policy.bindings[].condition.expression STRING

Textual representation of an expression in Common Expression Language syntax.

The application context of the containing message determines which well-known feature set of CEL is supported

policy.bindings[].condition.title STRING

An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression

policy.bindings[].condition.location STRING

An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file

policy.bindings[].condition.description STRING

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI

Output

This building block provides 15 output parameters

Name	Format	Description
`etag`	`BINARY`	`etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the `etag` in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An `etag` is returned in the response to `getIamPolicy`, and systems are expected to put that etag in the request to `setIamPolicy` to ensure that their change will be applied to the same version of the policy. If no `etag` is provided in the call to `setIamPolicy`, then the existing policy is overwritten blindly
`version`	`INTEGER`	Deprecated
`auditConfigs[]`	`OBJECT`	Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs. If there are AuditConfigs for both `allServices` and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted. Example Policy with multiple AuditConfigs: `{ "audit_configs": [ { "service": "allServices" "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:[email protected]" ] }, { "log_type": "DATA_WRITE", }, { "log_type": "ADMIN_READ", } ] }, { "service": "fooservice.googleapis.com" "audit_log_configs": [ { "log_type": "DATA_READ", }, { "log_type": "DATA_WRITE", "exempted_members": [ "user:[email protected]" ] } ] } ] }` For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts [email protected] from DATA_READ logging, and [email protected] from DATA_WRITE logging
`auditConfigs[].service`	`STRING`	Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services
`auditConfigs[].auditLogConfigs[]`	`OBJECT`	Provides the configuration for logging a type of permissions. Example: `{ "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:[email protected]" ] }, { "log_type": "DATA_WRITE", } ] }` This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting [email protected] from DATA_READ logging
`auditConfigs[].auditLogConfigs[].exemptedMembers[]`	`STRING`
`auditConfigs[].auditLogConfigs[].logType`	`ENUMERATION`	The log type that this config enables
`bindings[]`	`OBJECT`	Associates `members` with a `role`
`bindings[].members[]`	`STRING`
`bindings[].role`	`STRING`	Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`
`bindings[].condition`	`OBJECT`	Represents an expression text. Example: `title: "User account presence" description: "Determines whether the request has a user account" expression: "size(request.user) > 0"`
`bindings[].condition.expression`	`STRING`	Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported
`bindings[].condition.title`	`STRING`	An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression
`bindings[].condition.location`	`STRING`	An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file
`bindings[].condition.description`	`STRING`	An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI

= Parameter name
= Format

etag BINARY

If no etag is provided in the call to setIamPolicy, then the existing policy is overwritten blindly

version INTEGER

Deprecated

auditConfigs[] OBJECT

Example Policy with multiple AuditConfigs:

{
  "audit_configs": [
    {
      "service": "allServices"
      "audit_log_configs": [
        {
          "log_type": "DATA_READ",
          "exempted_members": [
            "user:[email protected]"
          ]
        },
        {
          "log_type": "DATA_WRITE",
        },
        {
          "log_type": "ADMIN_READ",
        }
      ]
    },
    {
      "service": "fooservice.googleapis.com"
      "audit_log_configs": [
        {
          "log_type": "DATA_READ",
        },
        {
          "log_type": "DATA_WRITE",
          "exempted_members": [
            "user:[email protected]"
          ]
        }
      ]
    }
  ]
}

For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts [email protected] from DATA_READ logging, and [email protected] from DATA_WRITE logging

auditConfigs[].service STRING

Specifies a service that will be enabled for audit logging. For example, storage.googleapis.com, cloudsql.googleapis.com. allServices is a special value that covers all services

auditConfigs[].auditLogConfigs[] OBJECT

Provides the configuration for logging a type of permissions. Example:

{
  "audit_log_configs": [
    {
      "log_type": "DATA_READ",
      "exempted_members": [
        "user:[email protected]"
      ]
    },
    {
      "log_type": "DATA_WRITE",
    }
  ]
}

This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting [email protected] from DATA_READ logging

auditConfigs[].auditLogConfigs[].exemptedMembers[] STRING

auditConfigs[].auditLogConfigs[].logType ENUMERATION

The log type that this config enables

bindings[] OBJECT

Associates members with a role

bindings[].members[] STRING

bindings[].role STRING

Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner

bindings[].condition OBJECT

Represents an expression text. Example:

title: "User account presence"
description: "Determines whether the request has a user account"
expression: "size(request.user) > 0"

bindings[].condition.expression STRING

Textual representation of an expression in Common Expression Language syntax.

The application context of the containing message determines which well-known feature set of CEL is supported

bindings[].condition.title STRING