Policy

JSON representation

Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources.

A Policy consists of a list of bindings. A binding binds a list of members to a role, where the members can be user accounts, Google groups, Google domains, and service accounts. A role is a named list of permissions defined by IAM.

JSON Example

{
  "bindings": [
    {
      "role": "roles/owner",
      "members": [
        "user:mike@example.com",
        "group:admins@example.com",
        "domain:google.com",
        "serviceAccount:my-other-app@appspot.gserviceaccount.com"
      ]
    },
    {
      "role": "roles/viewer",
      "members": ["user:sean@example.com"]
    }
  ]
}

YAML Example

bindings:
- members:
  - user:mike@example.com
  - group:admins@example.com
  - domain:google.com
  - serviceAccount:my-other-app@appspot.gserviceaccount.com
  role: roles/owner
- members:
  - user:sean@example.com
  role: roles/viewer

For a description of IAM and its features, see the IAM developer's guide.

JSON representation
{ "version": number, "bindings": [ { object(`Binding`) } ], "auditConfigs": [ { object(`AuditConfig`) } ], "etag": string }

Fields
`version (deprecated)`	`number` This item is deprecated! Deprecated.
`bindings[]`	`object(Binding)` Associates a list of `members` to a `role`. `bindings` with no members will result in an error.
`auditConfigs[]`	`object(AuditConfig)` Specifies cloud audit logging configuration for this policy.
`etag`	`string (bytes format)` `etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the `etag` in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An `etag` is returned in the response to `getIamPolicy`, and systems are expected to put that etag in the request to `setIamPolicy` to ensure that their change will be applied to the same version of the policy. If no `etag` is provided in the call to `setIamPolicy`, then the existing policy is overwritten blindly. A base64-encoded string.