This page describes how to manage an existing access policy. You can do the following:
- Get the name and etag of an access policy
- Set the default access policy for the gcloud command-line tool
- Delegate an access policy
- Describe an access policy
- Update an access policy
- Delete an access policy

Get the name and etag of an access policy
Console
The Google Cloud console does not support managing access policies. If you want to manage your access policy, you must use the gcloud command-line tool or the API.

gcloud
To get the name of your access policy, use the list command. The access policy name is required for all access level commands for the gcloud command-line tool.

gcloud access-context-manager policies list \
    --organization ORGANIZATION_ID

Where:
- ORGANIZATION_ID is the numeric ID of your organization.

You should see output similar to:

NAME           ORGANIZATION  TITLE        ETAG
1034095178592  511928527926  Corp Policy  10bc3c76ca809ab2
API
To get the name of your access policy, call accessPolicies.list.

GET https://accesscontextmanager.googleapis.com/v1/accessPolicies

Request body
The request body must be empty.

Response body
If successful, the response body will look similar to:

{
  "accessPolicies": [
    {
      object(AccessPolicy)
    }
  ],
  "nextPageToken": string
}

Where:
- accessPolicies is a list of AccessPolicy objects.
Set the default access policy for the gcloud command-line tool
When using the gcloud command-line tool, you can set a default access policy. When you set a default policy, you no longer need to specify a policy each time you use an Access Context Manager command.

To set a default access policy, use the config command.

gcloud config set access_context_manager/policy POLICY_NAME

Where:
- POLICY_NAME is the numeric name of your access policy.
Delegate an access policy
Console
The Google Cloud console does not support managing access policies. If you want to manage your access policy, you must use the gcloud command-line tool or the API.

gcloud
To delegate administration by binding a principal and role with a scoped access policy, use the add-iam-policy-binding command.

gcloud access-context-manager policies add-iam-policy-binding \
    [POLICY] --member=PRINCIPAL --role=ROLE

Where:
- POLICY is the ID of the policy or the fully qualified identifier for the policy.
- PRINCIPAL is the principal to add the binding for. Specify it in the format user|group|serviceAccount:email or domain:domain.
- ROLE is the role name to assign to the principal. The role name is the complete path of a predefined role, such as roles/accesscontextmanager.policyEditor, or the role ID for a custom role, such as organizations/{ORGANIZATION_ID}/roles/accesscontextmanager.policyEditor.
API
To delegate administration of the scoped access policy, do the following:

1. Create a request body.

{
  "policy": IAM_POLICY
}

Where:
- IAM_POLICY is a collection of bindings. A binding binds one or more members, or principals, to a single role. Principals can be user accounts, service accounts, Google groups, and domains. A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role.

2. Delegate the access policy by calling accessPolicies.setIamPolicy.

POST https://accesscontextmanager.googleapis.com/v1/accessPolicies

Response body
If successful, the response body contains an instance of policy.
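Because setIamPolicy replaces the whole IAM policy of the access policy, a delegation written against the API (or scripted around the gcloud command above) should start from the currently attached policy, add the new binding, and send the result back with its etag. The following added example (not code from the Access Context Manager documentation) does that for the principal and role formats listed in the gcloud section; the `:setIamPolicy` URL suffix, the sample policy and its etag are assumptions, not values from this page.

```python
import copy
import re

# Principal formats accepted by add-iam-policy-binding / setIamPolicy, as listed above.
PRINCIPAL_RE = re.compile(r"^(user|group|serviceAccount):[^@\s]+@[^@\s]+$|^domain:[^\s:]+$")
# A predefined role path, or the role ID of an organization-level custom role.
ROLE_RE = re.compile(r"^roles/[A-Za-z0-9_.]+$|^organizations/\d+/roles/[A-Za-z0-9_.]+$")
# Base URL from this page; the ":setIamPolicy" suffix is the standard Google API
# custom-method form and is assumed here, not taken from the page.
BASE_URL = "https://accesscontextmanager.googleapis.com/v1"

def is_valid_principal(principal: str) -> bool:
    return PRINCIPAL_RE.match(principal) is not None

def is_valid_role(role: str) -> bool:
    return ROLE_RE.match(role) is not None

def add_binding(policy: dict, principal: str, role: str) -> dict:
    """Return a copy of `policy` with `principal` bound to `role`.

    setIamPolicy replaces the whole IAM policy, so start from the policy that is
    currently attached, or every existing binding is dropped. The etag is carried
    over so the server rejects the write if the policy changed since it was read.
    """
    if not is_valid_principal(principal):
        raise ValueError(f"malformed principal: {principal!r}")
    if not is_valid_role(role):
        raise ValueError(f"malformed role: {role!r}")
    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == role:  # extend the existing binding for this role
            if principal not in binding["members"]:
                binding["members"].append(principal)
            break
    else:  # no binding for this role yet
        bindings.append({"role": role, "members": [principal]})
    return new_policy

def set_iam_policy_request(policy_name: str, policy: dict) -> dict:
    """Build the setIamPolicy call; the body wraps the full policy under "policy"."""
    return {"method": "POST", "url": f"{BASE_URL}/{policy_name}:setIamPolicy",
            "body": {"policy": policy}}

# Constructed sample: the IAM policy currently attached to accessPolicies/1034095178592
# (etag value made up).
CURRENT_POLICY = {"etag": "BwExampleEtag==",
                  "bindings": [{"role": "roles/accesscontextmanager.policyEditor",
                                "members": ["group:acm-admins@example.com"]}]}
```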
Describe an access policy
Console
The Google Cloud console does not support managing access policies. If you want to manage your access policy, you must use the gcloud command-line tool or the API.

gcloud
To describe your access policy, use the describe command.

gcloud access-context-manager policies describe POLICY_NAME

Where:
- POLICY_NAME is the numeric name of your policy.

The following output appears:

name: accessPolicies/1034095178592
parent: organizations/511928527926
title: Corp Policy

API
To describe your access policy, call accessPolicies.get.

GET https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME

Where:
- POLICY_NAME is the numeric name of your policy.

Request body
The request body must be empty.

Response body
If successful, the response body contains an AccessPolicy object.
Update an access policy
Console
The Google Cloud console does not support managing access policies. If you want to manage your access policy, you must use the gcloud command-line tool or the API.

gcloud
To update your access policy, use the update command. Currently, you can change only the title of the policy.

gcloud access-context-manager policies update POLICY_NAME \
    --title=POLICY_TITLE

Where:
- POLICY_NAME is the numeric name of your policy.
- POLICY_TITLE is a human-readable title for your policy.

The following output appears:

Waiting for PATCH operation [accessPolicies/POLICY_NAME/update/1542234231134882]...done.

API
Currently, you can change only the title of your access policy.

To update your policy:

1. Create a request body.

{
  "parent": "ORGANIZATION_ID",
  "title": "POLICY_TITLE"
}

Where:
- ORGANIZATION_ID is the numeric ID of your organization.
- POLICY_TITLE is a human-readable title for your policy.

2. Call accessPolicies.patch.

PATCH https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME/UPDATE_MASK

Where:
- POLICY_NAME is the numeric name of your policy.
- UPDATE_MASK is a string that represents the value you want to update. For example, title.

Response body
If successful, the response body for the call contains an Operation resource that provides details about the PATCH operation.
Delete an access policy
Console
The Google Cloud console does not currently support managing access policies. If you want to manage your access policy, you must use the gcloud command-line tool or the API.

gcloud
To delete an access policy:

1. Use the delete command.

gcloud access-context-manager policies delete POLICY_NAME

Where:
- POLICY_NAME is the numeric name of your policy.

2. Confirm that you want to delete the access policy. For example:

You are about to delete policy [POLICY_NAME]
Do you want to continue (Y/n)?

The following output appears:

Deleted policy [1034095178592].

API
To delete your access policy, call accessPolicies.delete.

DELETE https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME

Where:
- POLICY_NAME is the numeric name of your policy.

Request body
The request body must be empty.

Response body
If successful, the response body for the call contains an Operation resource that provides details about the DELETE operation.