访问权限级别的示例 YAML

以下示例包含为访问权限级别创建 .yaml 文件时可以指定的所有属性。仅当您正在使用 gcloud 命令行工具创建或修改访问权限级别时,才需要 .yaml 文件。

虽然您可以在 members 属性中添加身份信息,但 Google 我们建议您不要这样做请参阅入站流量和出站流量中的 identities 规则来说明 边界以相互通信。

# Attributes can be included in any order in the condition
- devicePolicy:
  # Must include at least one of the following:
    allowedEncryptionStatuses:
    # Must include at least one of the following:
      - ENCRYPTION_UNSUPPORTED
      - ENCRYPTED
      - UNENCRYPTED
    osConstraints:
    # Must include at least one of the following:
      - osType: DESKTOP_CHROME_OS
        minimumVersion: 11316.165.0
        # minimumVersion must be formatted as x.x.x
        requireVerifiedChromeOs: true
      - osType: DESKTOP_MAC
      - osType: DESKTOP_WINDOWS
        # minimumVersion is not required
    requireScreenlock: true
    # requireScreenlock defaults to false if not included
    requireAdminApproval: true
    # requireAdminApproval defaults to false if not included
    requireCorpOwned: true
    # requireCorpOwned defaults to false if not included
  ipSubnetworks:
  # Must include one or more IPv4 and IPv6 CIDRs
    - 252.0.2.0/24
    - 2001:db8::/32
  regions:
  # Must include one or more regions as ISO 3166-1 alpha-2 codes
    - US
    - CH
    - SG
  requiredAccessLevels:
  # Must include one or more existing access levels
  # Must be formatted as accessPolicies/policy-name/accessLevels/level-name
    - accessPolicies/247332951433/accessLevels/Device_Trust
  members:
  # Must include one or more valid IAM users or service accounts
    - user:exampleuser@example.com
    - serviceAccount:exampleaccount@example.iam.gserviceaccount.com
  negate: true
  # negate is not required and can only be included with other attributes
  # If negate is included, none of the attributes included in the condition
  # can be true for the condition to be met.

# You can include more than one condition in the .yaml file
- ipSubnetworks:
    - 176.0.2.0/24