Managing an access policy

This page describes how to manage an existing access policy. You can get the name of an access policy, describe it, update it, or delete it.

Get the name of an access policy

Console

The GCP Console does not currently support managing access policies. If you want to manage your access policy, you must use the gcloud command-line tool or the API.

gcloud

To get the name of your access policy, use the list command. The access policy name is required for all access level commands for the gcloud command-line tool.

gcloud access-context-manager policies list \
    --organization ORGANIZATION_ID

Where:

  • ORGANIZATION_ID is the numeric ID of your organization.

You should see output similar to:

NAME           ORGANIZATION  TITLE
1034095178592  511928527926  Corp Policy

API

To get the name of your access policy, call accessPolicies.list.

GET https://accesscontextmanager.googleapis.com/v1/accessPolicies

Request body

The request body must be empty.

Response body

If successful, the response body will look similar to:

{
  "accessPolicies": [
    {
      object(AccessPolicy)
    }
  ],
  "nextPageToken": string
}

Where:

Describe an access policy

Console

The GCP Console does not currently support managing access policies. If you want to manage your access policy, you must use the gcloud command-line tool or the API.

gcloud

To describe your access policy, use the describe command.

gcloud access-context-manager policies describe POLICY_NAME

Where:

  • POLICY_NAME is the numeric name of your policy.

You should see output similar to:

name: accessPolicies/1034095178592
parent: organizations/511928527926
title: Corp Policy

API

To describe your access policy, call accessPolicies.get.

GET https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME

Where:

  • POLICY_NAME is the numeric name of your policy.

Request body

The request body must be empty.

Response body

If successful, the response body contains an AccessPolicy object.

Update an access policy

Console

The GCP Console does not currently support managing access policies. If you want to manage your access policy, you must use the gcloud command-line tool or the API.

gcloud

To update your access policy, use the update command. Currently, you can change only the title of the policy.

gcloud access-context-manager policies update POLICY_NAME \
    --title=POLICY_TITLE

Where:

  • POLICY_NAME is the numeric name of your policy.

  • POLICY_TITLE is a human-readable title for your policy.

You should see output similar to:

Waiting for PATCH operation [accessPolicies/POLICY_NAME/update/1542234231134882]...done.

API

Currently, you can change only the title of your access policy.

To update your policy:

  1. Craft a request body.

    {
     "parent": "ORGANIZATION_ID",
     "title": "POLICY_TITLE"
    }
    

    Where:

    • ORGANIZATION_ID is the numeric ID of your organization.

    • POLICY_TITLE is a human-readable title for your policy.

  2. Call accessPolicies.patch.

    PATCH https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME?updateMask=UPDATE_MASK
    

    Where:

    • POLICY_NAME is the numeric name of your policy.

    • UPDATE_MASK is a string that represents the value you want to update. For example, title.

    Response body

    If successful, the response body for the call contains an Operation resource that provides details about the PATCH operation.

Delete an access policy

Console

The GCP Console does not currently support managing access policies. If you want to manage your access policy, you must use the gcloud command-line tool or the API.

gcloud

To delete an access policy:

  1. Use the delete command.

    gcloud access-context-manager policies delete POLICY_NAME
    

    Where:

    • POLICY_NAME is the numeric name of your policy.

  2. Confirm that you want to delete the access policy.

    For example:

    You are about to delete policy [POLICY_NAME]
    
    Do you want to continue (Y/n)?
    

    You should see output similar to the following:

    Deleted policy [1034095178592].
    

API

To delete your access policy, call accessPolicies.delete.

DELETE https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME

Where:

  • POLICY_NAME is the numeric name of your policy.

Request body

The request body must be empty.

Response body

If successful, the response body for the call contains an Operation resource that provides details about the DELETE operation.
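
The following is an added example, not code from the original page or from Google: it pages through accessPolicies.list responses by following nextPageToken, resolves the one policy that belongs to an organization, and builds the accessPolicies.delete URL only after the policy's title matches what the operator expects. The fetch_page callable, the helper names, and the sample pages are assumptions constructed for illustration; in real use fetch_page would perform the authenticated GET.

```python
from typing import Callable, Iterator, Optional

API = "https://accesscontextmanager.googleapis.com/v1"
FetchPage = Callable[[Optional[str]], dict]  # hypothetical: performs the authenticated GET

# Constructed sample responses, keyed by the page token that requests them.
SAMPLE_PAGES = {
    None: {"accessPolicies": [{"name": "accessPolicies/200000000001",
                               "parent": "organizations/100000000001",
                               "title": "Other Org Policy"}],
           "nextPageToken": "page-2"},
    "page-2": {"accessPolicies": [{"name": "accessPolicies/1034095178592",
                                   "parent": "organizations/511928527926",
                                   "title": "Corp Policy"}]},
}

def sample_fetch(page_token: Optional[str]) -> dict:
    """Offline stand-in for GET {API}/accessPolicies[?pageToken=...]."""
    return SAMPLE_PAGES[page_token]

def iter_policies(fetch_page: FetchPage) -> Iterator[dict]:
    """Yield every AccessPolicy, following nextPageToken until it is absent."""
    token = None
    while True:
        page = fetch_page(token)
        yield from page.get("accessPolicies", [])
        token = page.get("nextPageToken")
        if not token:
            return

def resolve_policy(fetch_page: FetchPage, organization_id: str) -> dict:
    """Return the single policy whose parent is the given organization."""
    parent = f"organizations/{organization_id}"
    found = [p for p in iter_policies(fetch_page) if p.get("parent") == parent]
    if len(found) != 1:
        raise LookupError(f"expected 1 policy under {parent}, found {len(found)}")
    return found[0]

def guarded_delete_url(fetch_page: FetchPage, organization_id: str,
                       expected_title: str) -> str:
    """Build the accessPolicies.delete URL only after the target is confirmed."""
    policy = resolve_policy(fetch_page, organization_id)
    prefix, _, number = policy["name"].partition("/")
    if prefix != "accessPolicies" or not number.isdigit():
        raise ValueError(f"unexpected policy name {policy['name']!r}")
    if policy.get("title") != expected_title:
        raise PermissionError(f"title {policy.get('title')!r} is not {expected_title!r}")
    return f"{API}/accessPolicies/{number}"

if __name__ == "__main__":
    print(guarded_delete_url(sample_fetch, "511928527926", "Corp Policy"))
```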
