Creates an access policy. This method fails if the organization already has an access policy. The long-running operation has a successful status after the access policy propagates to long-lasting storage. Syntactic and basic semantic errors are returned in metadata as a BadRequest proto.
HTTP request
POST https://accesscontextmanager.googleapis.com/v1/accessPolicies
name
string
Output only. Identifier. Resource name of the AccessPolicy. Format: accessPolicies/{access_policy}
parent
string
Required. The parent of this AccessPolicy in the Cloud Resource Hierarchy. Currently immutable once created. Format: organizations/{organizationId}
title
string
Required. Human readable title. Does not affect behavior.
scopes[]
string
The scopes of the AccessPolicy. Scopes define which resources a policy can restrict and where its resources can be referenced. For example, policy A with scopes=["folders/123"] has the following behavior:
ServicePerimeter within policy A can only reference access levels defined within policy A.
Only one policy can include a given scope; thus, attempting to create a second policy which includes folders/123 will result in an error.
If no scopes are provided, then any resource within the organization can be restricted. Scopes cannot be modified after a policy is created. Policies can only have a single scope. Format: list of folders/{folder_number} or projects/{projectNumber}
etag
string
Output only. An opaque identifier for the current version of the AccessPolicy. This will always be a strongly validated etag, meaning that two Access Policies will be identical if and only if their etags are identical. Clients should not expect this to be in any specific format.
Response body
If successful, the response body contains a newly created instance of Operation.
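A client-side pre-flight check for the request body, as an added example that is not part of the original reference page or of any Google client library: it applies the field rules listed above (required parent and title, at most one scope, output-only name and etag) and collects every violation before the POST is sent. The function name build_create_body, the regular expressions (digits only for folder and project numbers) and the sample values are assumptions.

```python
import json
import re

# Formats as documented on this page; digits-only numbers are an assumption.
PARENT_RE = re.compile(r"organizations/[^/]+")
SCOPE_RE = re.compile(r"(folders|projects)/\d+")
OUTPUT_ONLY = ("name", "etag")


def build_create_body(parent, title, scopes=None, **extra):
    """Return the JSON request body, or raise ValueError listing every problem."""
    errors = []
    # name and etag are assigned by the server and must not be sent.
    for field in OUTPUT_ONLY:
        if field in extra:
            errors.append(f"{field} is output only and must not be set")
    unknown = sorted(set(extra) - set(OUTPUT_ONLY))
    if unknown:
        errors.append(f"unknown fields: {unknown}")
    if not isinstance(parent, str) or not PARENT_RE.fullmatch(parent):
        errors.append("parent must look like organizations/{organizationId}")
    if not isinstance(title, str) or not title.strip():
        errors.append("title is required")
    if isinstance(scopes, str):
        scopes = [scopes]
    scopes = list(scopes or [])
    # A policy can have a single scope, and scopes cannot be modified later,
    # so a mistake here cannot be corrected with an update.
    if len(scopes) > 1:
        errors.append("a policy can have at most one scope")
    for scope in scopes:
        if not isinstance(scope, str) or not SCOPE_RE.fullmatch(scope):
            errors.append(f"bad scope {scope!r}: use folders/N or projects/N")
    if errors:
        raise ValueError("; ".join(errors))
    body = {"parent": parent, "title": title}
    if scopes:  # omitted scopes: any resource in the organization
        body["scopes"] = scopes
    return json.dumps(body, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample values, not real resource identifiers.
    print(build_create_body("organizations/123456", "Scoped policy", ["folders/123"]))
    try:
        build_create_body("123456", "", ["folders/123", "projects/my-project"])
    except ValueError as exc:
        print("rejected:", exc)
```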
Last updated 2025-07-17 UTC.