Obtén el nombre y la ETag de una política de acceso
Console
La consola Google Cloud no admite la administración de políticas de acceso. Si deseas administrar tu política de acceso, debes usar la herramienta de línea de comandos de gcloud o la API.
gcloud
Para obtener el nombre de tu política de acceso, usa el comando list. El nombre de la política de acceso es obligatorio para todos los comandos de nivel de acceso de la herramienta de línea de comandos de gcloud.
Establece la política de acceso predeterminada para la herramienta de línea de comandos de gcloud
Puedes establecer una política de acceso predeterminada cuando usas la herramienta de línea de comandos de gcloud. Cuando estableces una política predeterminada, ya no necesitas especificar una cada vez que usas un comando de Access Context Manager.
Para establecer una política de acceso predeterminada, usa el comando config.
POLICY_NUMBER es el nombre numérico de tu política de acceso.
Delega una política de acceso
Console
La consola Google Cloud no admite la administración de políticas de acceso. Si deseas administrar tu política de acceso, debes usar la herramienta de línea de comandos de gcloud o la API.
gcloud
Para delegar la administración mediante la vinculación de una principal y un rol a una política de acceso con alcance, usa el comando add-iam-policy-binding.
POLICY es el ID de la política o el identificador completamente calificado para la política.
PRINCIPAL es el principal al que se agregará la vinculación. Especifica en el siguiente formato: user|group|serviceAccount:email o domain:domain.
ROLE es el nombre del rol que se asignará al principal. El nombre del rol es la ruta completa de un rol predefinido, como roles/accesscontextmanager.policyEditor, o el ID de un rol personalizado, como organizations/{ORGANIZATION_ID}/roles/accesscontextmanager.policyEditor.
API
Para delegar la administración de la política de acceso con alcance, haz lo siguiente:
Crea un cuerpo de solicitud.
{"policy":"IAM_POLICY",}
Aquí:
IAM_POLICY es una colección de vinculaciones. Una vinculación une uno o más miembros, o principales, a un solo rol. Los principales pueden ser cuentas de usuario, cuentas de servicio, grupos de Google y dominios. Un rol es una lista con nombre de permisos. Cada rol puede ser un rol predefinido de IAM o un rol personalizado creado por el usuario.
POST https://accesscontextmanager.googleapis.com/v1/accessPolicies
Cuerpo de la respuesta
Si se ejecuta de forma correcta, el cuerpo de la respuesta contiene una instancia de policy.
Describe una política de acceso
Console
La consola Google Cloud no admite la administración de políticas de acceso. Si deseas administrar tu política de acceso, debes usar la herramienta de línea de comandos de gcloud o la API.
gcloud
Para describir tu política de acceso, usa el comando describe.
GET https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NUMBER
Aquí:
POLICY_NUMBER es el nombre numérico de tu política.
Cuerpo de la solicitud
El cuerpo de la solicitud debe estar vacío.
Cuerpo de la respuesta
Si se ejecuta de forma correcta, el cuerpo de la respuesta contiene un objeto AccessPolicy.
Actualiza una política de acceso
Console
La consola Google Cloud no admite la administración de políticas de acceso. Si deseas administrar tu política de acceso, debes usar la herramienta de línea de comandos de gcloud o la API.
gcloud
Para actualizar tu política de acceso, usa el comando update. Por el momento, solo puedes cambiar el título de la política.
POLICY_NUMBER es el nombre numérico de tu política.
UPDATE_MASK es una string que representa el valor que deseas actualizar. Por ejemplo, title
Cuerpo de la respuesta
Si tiene éxito, el cuerpo de la respuesta de la llamada contendrá un recurso Operation que proporciona detalles sobre la operación PATCH.
Borra una política de acceso
Console
En este momento, la consola de Google Cloud no admite la administración de políticas de acceso. Si deseas administrar tu política de acceso, debes usar la herramienta de línea de comandos de gcloud o la API.
gcloud
Para borrar una política de acceso, haz lo siguiente:
[[["Fácil de comprender","easyToUnderstand","thumb-up"],["Resolvió mi problema","solvedMyProblem","thumb-up"],["Otro","otherUp","thumb-up"]],[["Difícil de entender","hardToUnderstand","thumb-down"],["Información o código de muestra incorrectos","incorrectInformationOrSampleCode","thumb-down"],["Faltan la información o los ejemplos que necesito","missingTheInformationSamplesINeed","thumb-down"],["Problema de traducción","translationIssue","thumb-down"],["Otro","otherDown","thumb-down"]],["Última actualización: 2025-09-04 (UTC)"],[[["\u003cp\u003eThis page details the management of existing access policies, including how to retrieve the policy name and etag for reference.\u003c/p\u003e\n"],["\u003cp\u003eYou can set a default access policy for the \u003ccode\u003egcloud\u003c/code\u003e command-line tool, streamlining command execution by eliminating the need to specify the policy each time.\u003c/p\u003e\n"],["\u003cp\u003eAccess policy administration can be delegated to others by binding a principal and role, granting them specified levels of control.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003egcloud\u003c/code\u003e command-line tool or API can be used to describe, update, or delete an access policy, whereas the Google Cloud console does not currently support these actions.\u003c/p\u003e\n"],["\u003cp\u003eDeleting an access policy is permanent and will also delete the access levels associated with it, so caution should be exercised.\u003c/p\u003e\n"]]],[],null,["# Manage an access policy\n\nThis page describes how to manage an existing access policy. You can do the following:\n\n- [Get the name and etag of an access policy](#get_the_name_of_an_access_policy)\n\n- [Set the default access policy for the `gcloud` command-line tool](#set-default)\n\n- [Describe an access policy](#describe_an_access_policy)\n\n- [Update an access policy](#update_an_access_policy)\n\n- [Delete an access policy](#delete_an_access_policy)\n\nGet the name and etag of an access policy\n-----------------------------------------\n\n### Console\n\nThe Google Cloud console does not support managing\naccess policies. If you want to manage your access policy, you must\nuse the `gcloud` command-line tool or the API.\n\n### gcloud\n\nTo get the name of your access policy, use the [`list`](/sdk/gcloud/reference/access-context-manager/policies/list)\ncommand. The access policy name is required for all access level commands\nfor the `gcloud` command-line tool. \n\n```bash\ngcloud access-context-manager policies list \\\n --organization ORGANIZATION_ID\n```\n\nWhere:\n\n- \u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e is the numeric ID of your organization.\n\nYou should see output similar to: \n\n```\nNAME ORGANIZATION TITLE ETAG\n1034095178592 511928527926 Corp Policy 10bc3c76ca809ab2\n```\n\n### API\n\nTo get the name of your access policy, call [`accessPolicies.list`](/access-context-manager/docs/reference/rest/v1/accessPolicies/list). \n\n```\nGET https://accesscontextmanager.googleapis.com/v1/accessPolicies\n```\n\n### Request body\n\nThe request body must be empty.\n\n### Response body\n\nIf successful, the response body will look similar to: \n\n```json\n{\n \"accessPolicies\": [\n {\n object(AccessPolicy)\n }\n ],\n \"nextPageToken\": string\n}\n```\n\nWhere:\n\n- `accessPolicies` is a list of [`AccessPolicy` objects](/access-context-manager/docs/reference/rest/v1/accessPolicies#AccessPolicy).\n\nSet the default access policy for the `gcloud` command-line tool\n----------------------------------------------------------------\n\nWhen using the `gcloud` command-line tool, you can set a default access policy. When\nyou set a default policy, you no longer need to specify a policy each time you\nuse an Access Context Manager command.\n\nTo set a default access policy, use the `config` command. \n\n```bash\ngcloud config set access_context_manager/policy POLICY_NUMBER\n```\n\nWhere:\n\n- \u003cvar translate=\"no\"\u003ePOLICY_NUMBER\u003c/var\u003e is the [numeric name](#get_the_name_of_an_access_policy) of your access policy.\n\nDelegate an access policy\n-------------------------\n\n### Console\n\nThe Google Cloud console does not support managing\naccess policies. If you want to manage your access policy, you must\nuse the `gcloud` command-line tool or the API.\n\n### gcloud\n\nTo delegate administration by binding a principal and role with a scoped access policy, use the [`add-iam-policy-binding`](/sdk/gcloud/reference/access-context-manager/policies/add-iam-policy-binding)\ncommand. \n\n```bash\ngcloud access-context-manager policies add-iam-policy-binding \\\n[POLICY] --member=PRINCIPAL --role=ROLE\n```\n\nWhere:\n\n- \u003cvar translate=\"no\"\u003ePOLICY\u003c/var\u003e is ID of the policy or fully qualified identifier for the policy.\n\n- \u003cvar translate=\"no\"\u003ePRINCIPAL\u003c/var\u003e is the principal to add the binding for. Specify in the\n following format: `user|group|serviceAccount:email` or `domain:domain`.\n\n- \u003cvar translate=\"no\"\u003eROLE\u003c/var\u003e is the role name to assign to the principal. The role name\n is the complete path of a predefined role, such as `roles/accesscontextmanager.policyEditor`,\n or the role ID for a custom role, such as\n `organizations/{ORGANIZATION_ID}/roles/accesscontextmanager.policyEditor`.\n\n### API\n\nTo delegate administration of the scoped access policy, do the following:\n\n1. Create a request body.\n\n ```json\n {\n \"policy\": \"\u003cvar translate=\"no\"\u003eIAM_POLICY\u003c/var\u003e\",\n }\n ```\n\n Where:\n - \u003cvar translate=\"no\"\u003eIAM_POLICY\u003c/var\u003e is a collection of bindings. A binding binds one or more members, or principals, to a single role. Principals can be user accounts, service accounts, Google groups, and domains. A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role.\n2. Delegate the access policy by\n calling [`accessPolicies.setIamPolicy`](/access-context-manager/docs/reference/rest/v1/accessPolicies/setIamPolicy).\n\n ```\n POST https://accesscontextmanager.googleapis.com/v1/accessPolicies\n ```\n\n#### Response body\n\nIf successful, the response body contains an instance of [`policy`](/access-context-manager/docs/reference/rest/Shared.Types/Policy).\n\nDescribe an access policy\n-------------------------\n\n### Console\n\nThe Google Cloud console does not support managing\naccess policies. If you want to manage your access policy, you must\nuse the `gcloud` command-line tool or the API.\n\n### gcloud\n\nTo describe your access policy, use the [`describe`](/sdk/gcloud/reference/access-context-manager/policies/describe)\ncommand. \n\n```bash\ngcloud access-context-manager policies describe POLICY_NUMBER\n```\n\nWhere:\n\n- \u003cvar translate=\"no\"\u003ePOLICY_NUMBER\u003c/var\u003e is the numeric name of your policy.\n\nThe following output appears: \n\n```\nname: accessPolicies/1034095178592\nparent: organizations/511928527926\ntitle: Corp Policy\n```\n\n### API\n\nTo describe your access policy, call [`accessPolicies.get`](/access-context-manager/docs/reference/rest/v1/accessPolicies/get) \n\n```\nGET https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NUMBER\n```\n\nWhere:\n\n- \u003cvar translate=\"no\"\u003ePOLICY_NUMBER\u003c/var\u003e is the numeric name of your policy.\n\n### Request body\n\nThe request body must be empty.\n\n### Response body\n\nIf successful, the response body contains an\n[`AccessPolicy` object](/access-context-manager/docs/reference/rest/v1/accessPolicies#AccessPolicy).\n\nUpdate an access policy\n-----------------------\n\n### Console\n\nThe Google Cloud console does not support managing\naccess policies. If you want to manage your access policy, you must\nuse the `gcloud` command-line tool or the API.\n\n### gcloud\n\nTo update your access policy, use the [`update`](/sdk/gcloud/reference/access-context-manager/policies/update)\ncommand. Currently, you can change only the title of the policy. \n\n```bash\ngcloud access-context-manager policies update POLICY_NUMBER \\\n --title=POLICY_TITLE\n```\n\nWhere:\n\n- \u003cvar translate=\"no\"\u003ePOLICY_NUMBER\u003c/var\u003e is the numeric name of your policy.\n\n- \u003cvar translate=\"no\"\u003ePOLICY_TITLE\u003c/var\u003e is a human-readable title for your policy.\n\nThe following output appears: \n\n```\nWaiting for PATCH operation [accessPolicies/POLICY_NUMBER/update/1542234231134882]...done.\n```\n\n### API\n\nCurrently, you can change only the title of your access policy.\n\nTo update your policy:\n\n1. Create a request body.\n\n ```json\n {\n \"parent\": \"\u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e\",\n \"title\": \"\u003cvar translate=\"no\"\u003ePOLICY_TITLE\u003c/var\u003e\"\n }\n ```\n\n Where:\n - \u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e is the numeric ID of your organization.\n\n - \u003cvar translate=\"no\"\u003ePOLICY_TITLE\u003c/var\u003e is a human-readable title for your policy.\n\n2. Call [`accessPolicies.patch`](/access-context-manager/docs/reference/rest/v1/accessPolicies/patch).\n\n ```\n PATCH https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NUMBER/UPDATE_MASK\n ```\n\n Where:\n - \u003cvar translate=\"no\"\u003ePOLICY_NUMBER\u003c/var\u003e is the numeric name of your policy.\n\n - \u003cvar translate=\"no\"\u003eUPDATE_MASK\u003c/var\u003e is a string that represents the value you want\n to update. For example, `title`.\n\n ### Response body\n\n If successful, the response body for the call contains an\n [`Operation`](/access-context-manager/docs/reference/rest/Shared.Types/Operation) resource that provides details about the\n `PATCH` operation.\n\nDelete an access policy\n-----------------------\n\n**Warning:** When you delete a policy, the levels that the policy contains are also deleted and cannot be recovered. \n\n### Console\n\nThe Google Cloud console does not currently support managing\naccess policies. If you want to manage your access policy, you must\nuse the `gcloud` command-line tool or the API.\n\n### gcloud\n\nTo delete an access policy:\n\n1. Use the [`delete`](/sdk/gcloud/reference/access-context-manager/policies/delete) command.\n\n ```bash\n gcloud access-context-manager policies delete POLICY_NUMBER\n ```\n\n Where:\n - \u003cvar translate=\"no\"\u003ePOLICY_NUMBER\u003c/var\u003e is the numeric name of your policy.\n2. Confirm that you want to delete the access policy.\n\n For example: \n\n ```\n You are about to delete policy [POLICY_NUMBER]\n\n Do you want to continue (Y/n)?\n ```\n\n The following output appears: \n\n ```\n Deleted policy [1034095178592].\n ```\n\n### API\n\nTo delete your access policy, call [`accessPolicies.delete`](/access-context-manager/docs/reference/rest/v1/accessPolicies/delete). \n\n```\nDELETE https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NUMBER\n```\n\nWhere:\n\n- \u003cvar translate=\"no\"\u003ePOLICY_NUMBER\u003c/var\u003e is the numeric name of your policy.\n\n### Request body\n\nThe request body must be empty.\n\n### Response body\n\nIf successful, the response body for the call contains an\n[`Operation`](/access-context-manager/docs/reference/rest/Shared.Types/Operation) resource that provides details about the\n`DELETE` operation.\n\nWhat's next\n-----------\n\n- [Managing access levels](/access-context-manager/docs/manage-access-levels)"]]
