IAMAccessBoundaryPolicy
Use of IAMAccessBoundaryPolicy is restricted and is covered by the Pre-GA Offerings Terms of the Google Cloud Terms of Service. Pre-GA products and features might have limited support, and changes to pre-GA products and features might not be compatible with other pre-GA versions. For more information, see the launch stage descriptions.
Property | Value |
---|---|
Google Cloud Service Name | IAM |
Google Cloud Service Documentation | /iam/docs/ |
Google Cloud REST Resource Name | |
Google Cloud REST Resource Documentation | |
Config Connector Resource Short Names | gcpiamaccessboundarypolicy gcpiamaccessboundarypolicies iamaccessboundarypolicy |
Config Connector Service Name | iam.googleapis.com |
Config Connector Resource Fully Qualified Name | iamaccessboundarypolicies.iam.cnrm.cloud.google.com |
Can Be Referenced by IAMPolicy/IAMPolicyMember | No |
Custom Resource Definition Properties
Spec
Schema
```yaml
displayName: string
projectRef:
  external: string
  name: string
  namespace: string
resourceID: string
rules:
  - accessBoundaryRule:
      availabilityCondition:
        description: string
        expression: string
        location: string
        title: string
      availablePermissions:
        - string
      availableResource: string
    description: string
```
Field | Required | Description
---|---|---
displayName | Optional | The display name of the policy.
projectRef | Required | The project that the policy is attached to.
projectRef.external | Optional | Allowed value: string of the format `cloudresourcemanager.googleapis.com%2Fprojects%2F{{value}}`, where {{value}} is the `name` field of a `Project` resource.
projectRef.name | Optional | Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
projectRef.namespace | Optional | Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
resourceID | Optional | Immutable. The name of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default.
rules | Required | Rules to be applied.
rules[] | Required | A single rule.
rules[].accessBoundaryRule | Optional | An access boundary rule in an IAM policy.
rules[].accessBoundaryRule.availabilityCondition | Optional | The availability condition further constrains the access allowed by the access boundary rule.
rules[].accessBoundaryRule.availabilityCondition.description | Optional | Description of the expression. This is a longer text that describes the expression, e.g. when hovered over in a UI.
rules[].accessBoundaryRule.availabilityCondition.expression | Required* | Textual representation of an expression in Common Expression Language syntax.
rules[].accessBoundaryRule.availabilityCondition.location | Optional | String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
rules[].accessBoundaryRule.availabilityCondition.title | Optional | Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs that allow entering the expression.
rules[].accessBoundaryRule.availablePermissions | Optional | A list of permissions that may be allowed for use on the specified resource.
rules[].accessBoundaryRule.availablePermissions[] | Optional | A single entry of the permission list.
rules[].accessBoundaryRule.availableResource | Optional | The full resource name of a Google Cloud resource entity.
rules[].description | Optional | The description of the rule.

\* Field is required when the parent field is specified.
Status
Schema
```yaml
conditions:
  - lastTransitionTime: string
    message: string
    reason: string
    status: string
    type: string
etag: string
observedGeneration: integer
```
Field | Description
---|---
conditions | Conditions represent the latest available observation of the resource's current state.
conditions[] | A single condition.
conditions[].lastTransitionTime | Last time the condition transitioned from one status to another.
conditions[].message | Human-readable message indicating details about the last transition.
conditions[].reason | Unique, one-word, CamelCase reason for the condition's last transition.
conditions[].status | Status is the status of the condition. Can be True, False, Unknown.
conditions[].type | Type is the type of the condition.
etag | The hash of the resource. Used internally during updates.
observedGeneration | ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then the current reported status reflects the most recent desired state of the resource.
Sample YAML(s)
Typical Use Case
```yaml
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMAccessBoundaryPolicy
metadata:
  name: accessboundary-sample
spec:
  projectRef:
    # Replace "${PROJECT_ID?}" below with your project ID
    external: "cloudresourcemanager.googleapis.com%2Fprojects%2F${PROJECT_ID?}"
  displayName: Access Boundary Sample
  rules:
    - description: "Sample access boundary rule"
      accessBoundaryRule:
        availableResource: "*"
        availablePermissions:
          - "*"
        availabilityCondition:
          title: "Access level expr"
          # Replace "${ORG_ID?}" with the numeric ID for your organization and
          # replace "${ACCESS_LEVEL?}" with the full name of your access level
          expression: "request.matchAccessLevels('${ORG_ID?}', ['${ACCESS_LEVEL?}'])"
```
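Least-privilege variant. The sample above uses `availableResource: "*"` with `availablePermissions: ["*"]`, so the only thing it narrows is *where* requests may come from (the access level); every resource and permission the attached project already has remains usable from inside that access level. An access boundary limits access to the listed resources and permissions and grants nothing by itself, so the allow policy must still bind the roles you expect to be exercised. The manifest below is an added example, not part of the Config Connector documentation or samples, showing the same schema used to bound access to one bucket and one project-level role. Assumptions: a `Project` resource named `example-project` exists in the same namespace (hence `projectRef.name` instead of `external`); the bucket `example-reports`, the organization ID and the access level name are placeholders; and `availablePermissions` entries are written in the `inrole:roles/...` form used by Credential Access Boundary rules, which this rule shape mirrors, since the page documents the field only as "a list of permissions" and the sample uses `*`.

```yaml
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMAccessBoundaryPolicy
metadata:
  name: reports-reader-boundary
spec:
  # Pin the server-side policy ID explicitly (immutable after creation).
  # Assumed value; without it metadata.name is used.
  resourceID: reports-reader-boundary
  displayName: Reports reader boundary
  projectRef:
    # Reference a Project resource managed in this namespace rather than
    # hard-coding a URL-encoded project ID. "example-project" is assumed.
    name: example-project
  rules:
    - description: "Read the reports bucket, only from the corporate access level"
      accessBoundaryRule:
        # Full resource name of one bucket instead of "*" (bucket name assumed).
        availableResource: "//storage.googleapis.com/projects/_/buckets/example-reports"
        availablePermissions:
          # Role-style entry; assumed to follow the inrole:roles/... convention.
          - "inrole:roles/storage.objectViewer"
        availabilityCondition:
          title: "Corporate access level"
          description: "Bucket reads are only available when the request matches the access level"
          # Because availabilityCondition is present, expression is required.
          # Replace the numeric organization ID and the access level name
          # (placeholders) with your own values.
          expression: "request.matchAccessLevels('123456789012', ['accessPolicies/987654321/accessLevels/corp_network'])"
    - description: "Unconditional read of project metadata"
      accessBoundaryRule:
        # Full resource name of the project itself (project ID assumed).
        availableResource: "//cloudresourcemanager.googleapis.com/projects/example-project"
        availablePermissions:
          - "inrole:roles/browser"
        # No availabilityCondition: this rule applies regardless of access level.
```

After `kubectl apply`, check that the `Ready` entry in `status.conditions` reports `status: "True"` and that `status.observedGeneration` equals `metadata.generation` before relying on the boundary; until both hold, the policy in Google Cloud may still reflect an earlier spec. Keep `resourceID` stable across edits, since changing it would attempt to create a second policy rather than update this one.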