Using Access Context Manager, you can make bulk updates to resources that belong to your organization's access policy, such as access levels and service perimeters.
Changes to your resources are applied only if all parts of the bulk operation are successful. For example, if your bulk operation attempts to remove an access level that is in use by a service perimeter, an error is raised. Because an error is encountered, the entire operation fails and no resources are updated.
This topic describes only bulk replacement of access levels. For more information about bulk replacement of service perimeters, refer to the VPC Service Controls documentation.
Before you begin
Because bulk operations affect all access levels for your organization, you may want to obtain a complete list of your access levels. The list can be formatted as YAML, which may also make bulk changes to your access levels easier.
To get a formatted list of access levels, refer to List access levels (formatted).
Bulk replace access levels
The following section details how to bulk replace your access levels.
gcloud
To bulk replace all access levels, use the
replace-all command.
gcloud access-context-manager levels replace-all \ --source-file=FILE \ --etag=ETAG \ [--policy=POLICY_NAME]
Where:
FILE is the name of a .yaml file that defines the new conditions for your existing access levels.
For example:
- name: accessPolicies/11271009391/accessLevels/corpnet_access title: Corpnet Access description: Permit access to corpnet. basic: combiningFunction: AND conditions: - ipSubnetworks: - 252.0.2.0/24 - 2001:db8::/32 - name: accessPolicies/11271009391/accessLevels/prodnet_access title: Prodnet Access description: Permit access to prodnet. basic: combiningFunction: OR conditions: - members: - user:exampleuser@example.com - serviceAccount:exampleaccount@example.iam.gserviceaccount.com - ipSubnetworks: - 176.0.2.0/24For further examples of the YAML structure of conditions, refer to the example YAML file.
ETAG (optional) is a string that represents the target version of your organization's access policy. If you do not include an etag, the bulk operation targets the latest version of the your organization's access policy.
To obtain the latest etag of your access policy,
listyour access policies.POLICY_NAME is the name of your organization's access policy. This value is required only if you haven't set a default access policy.
API
To bulk replace all access levels,
call accessLevels.replaceAll.
POST https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME/accessLevels.replaceAll?alt=json
Where:
- POLICY_NAME is the name of your organization's access policy.
Request body
The request body must include a list of AccessLevel
objects that specify the changes you want to make.
Optionally, to target a specific version of your organization's access policy, you can include an etag. If you do not include an etag, the bulk operation targets the latest version of your organization's access policy.
For example:
{
"accessLevels": [
object (AccessLevel),
object (AccessLevel),
...
]
"etag": string
}
Response body
If successful, the response body for the call contains an
Operation resource that provides details about the
post operation.
Example response:
{
"name": "operations/accessPolicies/11271009391/replaceLevels/1583523446234255",
"done": true,
"response": {
"@type": "type.googleapis.com/google.identity.accesscontextmanager.v1.ReplaceAccessLevelsResponse",
"accessLevels": [
{
"name": "accessPolicies/11271009391/accessLevels/corpnet_access",
"title": "Corpnet access",
"description": "Permit access to corpnet.",
"basic": {
"conditions": [
{
"ipSubnetworks": [
"252.0.2.0/24"
]
}
]
}
},
{
"name": "accessPolicies/11271009391/accessLevels/prodnet_access",
"title": "Prodnet access",
"description": "Permit access to prodnet.",
"basic": {
"conditions": [
{
"ipSubnetworks": [
"176.0.2.0/24"
]
}
]
}
}
]
}
}