IAMAccessBoundaryPolicy


Use of IAMAccessBoundaryPolicy is restricted and is covered by the Pre-GA Offerings Terms of the Google Cloud Terms of Service. Pre-GA products and features might have limited support, and changes to pre-GA products and features might not be compatible with other pre-GA versions. For more information, see the launch stage descriptions.

Property                                        Value
Google Cloud Service Name                       IAM
Google Cloud Service Documentation              /iam/docs/
Google Cloud REST Resource Name
Google Cloud REST Resource Documentation
Config Connector Resource Short Names           gcpiamaccessboundarypolicy
                                                gcpiamaccessboundarypolicies
                                                iamaccessboundarypolicy
Config Connector Service Name                   iam.googleapis.com
Config Connector Resource Fully Qualified Name  iamaccessboundarypolicies.iam.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember  No

Custom Resource Definition Properties

Annotations

Fields
cnrm.cloud.google.com/state-into-spec

Spec

Schema

displayName: string
projectRef:
  external: string
  name: string
  namespace: string
resourceID: string
rules:
- accessBoundaryRule:
    availabilityCondition:
      description: string
      expression: string
      location: string
      title: string
    availablePermissions:
    - string
    availableResource: string
  description: string
Fields

displayName

Optional

string

The display name of the rule.

projectRef

Required

object

projectRef.external

Optional

string

Allowed value: string of the format `cloudresourcemanager.googleapis.com%2Fprojects%2F{{value}}`, where {{value}} is the `name` field of a `Project` resource.

projectRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

projectRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

resourceID

Optional

string

Immutable. Optional. The name of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default.

rules

Required

list (object)

Rules to be applied.

rules[]

Required

object

rules[].accessBoundaryRule

Optional

object

An access boundary rule in an IAM policy.

rules[].accessBoundaryRule.availabilityCondition

Optional

object

The availability condition further constrains the access allowed by the access boundary rule.

rules[].accessBoundaryRule.availabilityCondition.description

Optional

string

Description of the expression. This is a longer text that describes the expression, for example shown when the expression is hovered over in a UI.

rules[].accessBoundaryRule.availabilityCondition.expression

Required*

string

Textual representation of an expression in Common Expression Language syntax.

rules[].accessBoundaryRule.availabilityCondition.location

Optional

string

String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

rules[].accessBoundaryRule.availabilityCondition.title

Optional

string

Title for the expression, i.e. a short string describing its purpose. It can be shown, for example, in UIs that allow entering the expression.

rules[].accessBoundaryRule.availablePermissions

Optional

list (string)

A list of permissions that may be allowed for use on the specified resource.

rules[].accessBoundaryRule.availablePermissions[]

Optional

string

rules[].accessBoundaryRule.availableResource

Optional

string

The full resource name of a Google Cloud resource entity.

rules[].description

Optional

string

The description of the rule.

* Field is required when parent field is specified

Status

Schema

conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
etag: string
observedGeneration: integer
Fields

conditions

list (object)

Conditions represent the latest available observation of the resource's current state.

conditions[]

object

conditions[].lastTransitionTime

string

Last time the condition transitioned from one status to another.

conditions[].message

string

Human-readable message indicating details about last transition.

conditions[].reason

string

Unique, one-word, CamelCase reason for the condition's last transition.

conditions[].status

string

Status is the status of the condition. Can be True, False, Unknown.

conditions[].type

string

Type is the type of the condition.

etag

string

The hash of the resource. Used internally during updates.

observedGeneration

integer

ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.

Sample YAML(s)

Typical Use Case

# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMAccessBoundaryPolicy
metadata:
  name: accessboundary-sample
spec:
  projectRef:
    # Replace "${PROJECT_ID?}" below with your project ID
    external: "cloudresourcemanager.googleapis.com%2Fprojects%2F${PROJECT_ID?}"
  displayName: Access Boundary Sample
  rules:
    - description: "Sample access boundary rule"
      accessBoundaryRule:
        availableResource: "*"
        availablePermissions:
          - "*"
        availabilityCondition:
          title: "Access level expr"
          # Replace "${ORG_ID?}" with the numeric ID for your organization and
          # replace "${ACCESS_LEVEL?}" with the full name of your access level
          expression: "request.matchAccessLevels('${ORG_ID?}', ['${ACCESS_LEVEL?}'])"
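The field reference above marks `projectRef` and `rules` as required, gives a fixed format for `projectRef.external`, and makes `availabilityCondition.expression` mandatory only once an `availabilityCondition` is present. The sample manifest also shows the broadest possible rule (`availableResource: "*"` with `availablePermissions: ["*"]`), bounded only by its access-level condition. The following validator is an added example, not code from the Config Connector project or from this page: it applies those Required/Optional markers to the `spec` of a manifest and adds one least-privilege lint of my own, flagging a wildcard rule that has no `availabilityCondition` at all, because such a rule bounds nothing. The manifests are embedded as the Python dicts you would get from parsing the YAML (for example with `yaml.safe_load(...)["spec"]`); `SAMPLE_SPEC` is the page's sample, the other two are constructed variants.

```python
import re
from typing import Any, Dict, List

# Format required by projectRef.external, taken from the field reference:
# cloudresourcemanager.googleapis.com%2Fprojects%2F{{value}}
PROJECT_REF_EXTERNAL = re.compile(
    r"^cloudresourcemanager\.googleapis\.com%2Fprojects%2F[^%/]+$"
)


def validate_access_boundary_spec(spec: Dict[str, Any]) -> List[str]:
    """Return findings for one IAMAccessBoundaryPolicy spec (empty list = clean).

    Schema checks follow the Required/Optional markers of the field reference.
    The wildcard check at the end is an added least-privilege lint, not part of the CRD.
    """
    findings: List[str] = []

    if "displayName" in spec and not isinstance(spec["displayName"], str):
        findings.append("displayName must be a string")

    project_ref = spec.get("projectRef")
    if not isinstance(project_ref, dict):
        findings.append("projectRef is required and must be an object")
    else:
        external = project_ref.get("external")
        if external is not None and not PROJECT_REF_EXTERNAL.match(str(external)):
            findings.append(
                "projectRef.external must look like "
                "cloudresourcemanager.googleapis.com%2Fprojects%2F<project-name>"
            )

    rules = spec.get("rules")
    if not isinstance(rules, list):
        findings.append("rules is required and must be a list")
        return findings

    for i, rule in enumerate(rules):
        prefix = f"rules[{i}]"
        if not isinstance(rule, dict):
            findings.append(f"{prefix} must be an object")
            continue
        abr = rule.get("accessBoundaryRule")
        if abr is None:  # accessBoundaryRule is Optional
            continue
        if not isinstance(abr, dict):
            findings.append(f"{prefix}.accessBoundaryRule must be an object")
            continue

        perms = abr.get("availablePermissions", [])
        if not isinstance(perms, list) or not all(isinstance(p, str) for p in perms):
            findings.append(f"{prefix}.accessBoundaryRule.availablePermissions must be a list of strings")
            perms = []

        cond = abr.get("availabilityCondition")
        if cond is not None:
            # expression is "Required*": mandatory once availabilityCondition is specified
            expr = cond.get("expression") if isinstance(cond, dict) else None
            if not isinstance(expr, str) or not expr.strip():
                findings.append(
                    f"{prefix}.accessBoundaryRule.availabilityCondition.expression "
                    "is required when availabilityCondition is set"
                )

        # Added lint: every resource and every permission, with no condition, bounds nothing.
        if abr.get("availableResource") == "*" and "*" in perms and cond is None:
            findings.append(f"{prefix}: wildcard resource and permissions with no availabilityCondition")

    return findings


# The page's sample manifest, as parsed (placeholders kept as written there).
SAMPLE_SPEC: Dict[str, Any] = {
    "projectRef": {"external": "cloudresourcemanager.googleapis.com%2Fprojects%2F${PROJECT_ID?}"},
    "displayName": "Access Boundary Sample",
    "rules": [{
        "description": "Sample access boundary rule",
        "accessBoundaryRule": {
            "availableResource": "*",
            "availablePermissions": ["*"],
            "availabilityCondition": {
                "title": "Access level expr",
                "expression": "request.matchAccessLevels('${ORG_ID?}', ['${ACCESS_LEVEL?}'])",
            },
        },
    }],
}

# Constructed variant: the same wildcard rule with the condition dropped entirely.
UNCONDITIONED_WILDCARD_SPEC: Dict[str, Any] = {
    "projectRef": {"name": "my-project"},  # constructed Project resource name
    "rules": [{"accessBoundaryRule": {"availableResource": "*", "availablePermissions": ["*"]}}],
}

# Constructed variant: a condition object that carries a title but no expression.
MISSING_EXPRESSION_SPEC: Dict[str, Any] = {
    "projectRef": {"name": "my-project"},
    "rules": [{"accessBoundaryRule": {
        "availableResource": "*",
        "availablePermissions": ["*"],
        "availabilityCondition": {"title": "no expression here"},
    }}],
}

if __name__ == "__main__":
    for label, spec in [("sample", SAMPLE_SPEC), ("unconditioned", UNCONDITIONED_WILDCARD_SPEC),
                        ("missing-expression", MISSING_EXPRESSION_SPEC)]:
        print(label, validate_access_boundary_spec(spec) or "OK")
```

The page's sample passes cleanly because its wildcard rule is gated by `request.matchAccessLevels(...)`; the same rule without a condition, or with a condition lacking `expression`, each produces exactly one finding. Run it against a manifest by loading the YAML and passing its `spec` mapping.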