REST Resource: accessPolicies.accessZones

Resource: AccessZone

AccessZone describes a set of GCP resources which can freely import and export data amongst themselves, but not export outside of the AccessZone. If a request with a source within this AccessZone has a target outside of the AccessZone, the request is blocked; otherwise it is allowed. Regular Access Zones cannot overlap: a single GCP project can belong to only one regular Access Zone (bridge zones, described under zoneType below, are the exception). The restriction against overlapping zones may be lifted in the future.

JSON representation
{
  "name": string,
  "title": string,
  "description": string,
  "resources": [
    string
  ],
  "accessLevels": [
    string
  ],
  "unrestrictedServices": [
    string
  ],
  "createTime": string,
  "updateTime": string,
  "restrictedServices": [
    string
  ],
  "zoneType": enum (AccessZoneType)
}
Fields
name

string

Required. Resource name for the Access Zone. The short_name component must begin with a letter and contain only alphanumeric characters and '_'. Format: accessPolicies/{policy_id}/accessZones/{short_name}

title

string

Human readable title. Must be unique within the Policy.

description

string

Description of the AccessZone and its use. Does not affect behavior.

resources[]

string

A list of GCP resources that are inside of the access zone. Currently only projects are allowed. Format: projects/{project_number} (the numeric project number, not the project ID)

accessLevels[]

string

A list of AccessLevel resource names that allow resources within the AccessZone to be accessed from the internet. AccessLevels listed must be in the same policy as this AccessZone. Referencing a nonexistent AccessLevel is a syntax error. If no AccessLevel names are listed, resources within the zone can be accessed only via GCP calls whose request origin is within the zone. Example: "accessPolicies/MY_POLICY/accessLevels/MY_LEVEL". For bridge access zones, must be empty.

unrestrictedServices[]

string

GCP services exempt from the Access Zone restrictions. Deprecated: if set, must be the single wildcard "*". Services matching unrestrictedServices are excluded from Access Zone restrictions; the wildcard means that any service not explicitly named in the restrictedServices list is treated as unrestricted.

For bridge access zones, must be empty.

createTime

string (Timestamp format)

Output only. Time the AccessZone was created in UTC.

A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".

updateTime

string (Timestamp format)

Output only. Time the AccessZone was updated in UTC.

A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".

restrictedServices[]

string

GCP services that Access Zone restrictions are applied to. Must contain a list of services. Only resources of services matching restrictedServices are subject to access zone protection. For example, if storage.googleapis.com is specified, then storage buckets that belong to the access zone can be accessed through the Storage service only if the access conditions are met.

For bridge access zones, must be empty.

zoneType

enum (AccessZoneType)

Zone type indicator. A single project may be a member of only one regular access zone, but of multiple bridge access zones. A project cannot be included in a bridge access zone without also being included in a regular access zone. For bridge access zones, the restricted/unrestricted service lists and the access level list must be empty.

AccessZoneType

Specifies the type of the zone. There are two types of zone: regular and bridge. Regular zones contain resources, access levels, and restricted/unrestricted services. Every resource can be in at most ONE regular zone.

In addition to being in a regular zone, a resource can also be in zero or more bridge zones. A bridge zone only contains resources. Cross-project operations are permitted if all affected resources share some zone (whether bridge or regular). A bridge zone does not contain access levels or services: those are governed entirely by the regular zone that a resource is in.

Bridge zones are typically useful when building more complex zone topologies with many independent zones that need to share some data with a common zone, but should not be able to share data among themselves.

Enums
ZONE_TYPE_REGULAR Regular zone.
ZONE_TYPE_BRIDGE Bridge zone.
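The field rules above (name format, project-number resources, same-policy access levels, empty lists on bridge zones, the "*" wildcard) and the membership rules (one regular zone per project, bridge membership requires a regular zone, a cross-project call needs a shared zone) are easy to get subtly wrong when zones are managed as JSON. The following is an added example, not code from this reference or from Access Context Manager: it validates AccessZone JSON against those rules and applies the zone rule to a GCP-origin call between two projects. The policy, zone names, project numbers and service names are constructed; internet ingress via accessLevels is not modelled, only the GCP-to-GCP rule the AccessZone text describes.

```python
"""Validate AccessZone JSON and apply the zone rule to a cross-project call.

Added example (not Google's code). Encodes the field and membership rules from
the AccessZone reference; all identifiers below are constructed for illustration.
"""
import re

NAME_RE = re.compile(r"^accessPolicies/([^/]+)/accessZones/([A-Za-z][A-Za-z0-9_]*)$")
PROJECT_RE = re.compile(r"^projects/\d+$")  # numeric project number, not project ID
LEVEL_RE = re.compile(r"^accessPolicies/([^/]+)/accessLevels/[^/]+$")
REGULAR, BRIDGE = "ZONE_TYPE_REGULAR", "ZONE_TYPE_BRIDGE"


def zone_type(zone):
    return zone.get("zoneType", REGULAR)


def validate_zone(zone):
    """Return the list of field-rule violations for one AccessZone (empty if valid)."""
    errors = []
    m = NAME_RE.match(zone.get("name", ""))
    policy = m.group(1) if m else None
    if not m:
        errors.append("name: must be accessPolicies/{policy_id}/accessZones/{short_name}; "
                      "short_name starts with a letter and uses only letters, digits and '_'")
    for res in zone.get("resources", []):
        if not PROJECT_RE.match(res):
            errors.append(f"resources: {res!r} is not projects/{{project_number}}")
    for lvl in zone.get("accessLevels", []):
        lm = LEVEL_RE.match(lvl)
        if not lm:
            errors.append(f"accessLevels: {lvl!r} is not an AccessLevel resource name")
        elif policy and lm.group(1) != policy:
            errors.append(f"accessLevels: {lvl!r} is not in the zone's policy {policy!r}")
    if zone_type(zone) == BRIDGE:
        for fld in ("accessLevels", "unrestrictedServices", "restrictedServices"):
            if zone.get(fld):
                errors.append(f"{fld}: must be empty for a bridge zone")
    else:
        if "unrestrictedServices" in zone and zone["unrestrictedServices"] != ["*"]:
            errors.append('unrestrictedServices: deprecated; if present must be exactly ["*"]')
        if not zone.get("restrictedServices"):
            errors.append("restrictedServices: a regular zone must list at least one service")
    return errors


def check_membership(zones):
    """Cross-zone rules: one regular zone per project; bridge members need a regular zone."""
    errors, regular_of = [], {}
    for z in zones:
        if zone_type(z) == REGULAR:
            for p in z.get("resources", []):
                if p in regular_of:
                    errors.append(f"{p} is in two regular zones: {regular_of[p]} and {z['name']}")
                regular_of[p] = z["name"]
    for z in zones:
        if zone_type(z) == BRIDGE:
            for p in z.get("resources", []):
                if p not in regular_of:
                    errors.append(f"{p} is in bridge zone {z['name']} but in no regular zone")
    return errors


def request_allowed(zones, source, target, service):
    """Zone rule for a GCP-origin call from `source` to `target` on `service`:
    allowed if the two projects share any zone (regular or bridge); otherwise
    blocked when the service is restricted in either endpoint's regular zone."""
    members, regular_of = {}, {}
    for z in zones:
        for p in z.get("resources", []):
            members.setdefault(p, set()).add(z["name"])
            if zone_type(z) == REGULAR:
                regular_of[p] = z
    if members.get(source, set()) & members.get(target, set()):
        return True
    for p in (source, target):
        z = regular_of.get(p)
        if z and service in z.get("restrictedServices", []):
            return False
    return True


# Constructed sample policy: two regular zones joined by one bridge zone.
POLICY = "accessPolicies/100"
ZONES = [
    {"name": f"{POLICY}/accessZones/analytics", "title": "analytics",
     "resources": ["projects/111", "projects/222"],
     "restrictedServices": ["storage.googleapis.com"]},
    {"name": f"{POLICY}/accessZones/finance", "title": "finance",
     "resources": ["projects/333"],
     "restrictedServices": ["storage.googleapis.com", "bigquery.googleapis.com"]},
    {"name": f"{POLICY}/accessZones/shared_exports", "title": "shared exports",
     "zoneType": BRIDGE, "resources": ["projects/222", "projects/333"]},
]

if __name__ == "__main__":
    for z in ZONES:
        print(z["name"], validate_zone(z) or "ok")
    print("membership:", check_membership(ZONES) or "ok")
    for src, dst, svc in [("projects/111", "projects/333", "storage.googleapis.com"),
                          ("projects/222", "projects/333", "storage.googleapis.com")]:
        print(src, "->", dst, svc, "allowed" if request_allowed(ZONES, src, dst, svc) else "blocked")
```

In the sample, projects/111 and projects/333 sit in different regular zones and share no bridge, so a Storage call between them is blocked, while projects/222 and projects/333 share the bridge zone and can exchange data even though Storage is restricted in both regular zones; that is exactly the "share some zone" rule, and it is why bridge membership deserves the same review as a firewall exception.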

Methods

create

[Deprecated] Create an Access Zone.

delete

[Deprecated] Delete an Access Zone by resource name.

get

[Deprecated] Get an Access Zone by resource name.

list

[Deprecated] List all Access Zones for an access policy.

patch

[Deprecated] Update an Access Zone.