Requires authorization
Gets the access control policy for a resource. May be empty if no such policy or resource exists.
Request
HTTP request
GET https://www.googleapis.com/deploymentmanager/v2beta/projects/project/global/deployments/resource/getIamPolicy
Parameters
Parameter name | Value | Description |
---|---|---|
Path parameters | | |
project | string | Project ID for this request. |
resource | string | Name of the resource for this request. |
Authorization
This request requires authorization with at least one of the following scopes (read more about authentication and authorization).
Scope |
---|
https://www.googleapis.com/auth/cloud-platform |
https://www.googleapis.com/auth/ndev.cloudman |
Request body
Do not supply a request body with this method.
Response
If successful, this method returns a response body with the following structure:
```
{
  "version": integer,
  "bindings": [
    {
      "role": string,
      "members": [
        string
      ]
    }
  ],
  "auditConfigs": [
    {
      "service": string,
      "exemptedMembers": [
        string
      ],
      "auditLogConfigs": [
        {
          "logType": string,
          "exemptedMembers": [
            string
          ]
        }
      ]
    }
  ],
  "rules": [
    {
      "description": string,
      "permissions": [
        string
      ],
      "action": string,
      "ins": [
        string
      ],
      "notIns": [
        string
      ],
      "conditions": [
        {
          "iam": string,
          "sys": string,
          "svc": string,
          "op": string,
          "value": string,
          "values": [
            string
          ]
        }
      ],
      "logConfigs": [
        {
          "counter": {
            "metric": string,
            "field": string
          }
        }
      ]
    }
  ],
  "etag": bytes,
  "iamOwned": boolean
}
```
Property name | Value | Description | Notes |
---|---|---|---|
version | integer | Version of the `Policy`. The default version is 0. | |
bindings[] | list | Associates a list of `members` to a `role`. Multiple `bindings` must not be specified for the same `role`. `bindings` with no members will result in an error. | |
bindings[].role | string | Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`. | |
bindings[].members[] | list | Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values: `allUsers`, a special identifier that represents anyone who is on the internet, with or without a Google account; `allAuthenticatedUsers`, a special identifier that represents anyone who is authenticated with a Google account or a service account; `user:{emailid}`, an email address that represents a specific Google account, for example `alice@gmail.com` or `joe@example.com`; `serviceAccount:{emailid}`, an email address that represents a service account, for example `my-other-app@appspot.gserviceaccount.com`; `group:{emailid}`, an email address that represents a Google group, for example `admins@example.com`; `domain:{domain}`, a Google Apps domain name that represents all the users of that domain, for example `google.com` or `example.com`. | |
auditConfigs[] | list | Specifies cloud audit logging configuration for this policy. | |
auditConfigs[].service | string | Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services. | |
auditConfigs[].exemptedMembers[] | list | | |
auditConfigs[].auditLogConfigs[] | list | The configuration for logging of each type of permission. | |
auditConfigs[].auditLogConfigs[].logType | string | The log type that this config enables. | |
auditConfigs[].auditLogConfigs[].exemptedMembers[] | list | Specifies the identities that do not cause logging for this type of permission. Follows the same format as `bindings[].members[]`. | |
rules[] | list | If more than one rule is specified, the rules are applied in the following manner: all matching LOG rules are always applied; if any DENY/DENY_WITH_LOG rule matches, permission is denied, and logging is applied if one or more matching rules require logging; otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is granted, and logging is applied if one or more matching rules require logging; otherwise, if no rule applies, permission is denied. | |
rules[].description | string | Human-readable description of the rule. | |
rules[].permissions[] | list | A permission is a string of form ' | |
rules[].action | string | Required | |
rules[].ins[] | list | If one or more 'in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries. | |
rules[].notIns[] | list | If one or more 'not_in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries. | |
rules[].conditions[] | list | Additional restrictions that must be met. | |
rules[].conditions[].iam | string | Trusted attributes supplied by the IAM system. | |
rules[].conditions[].sys | string | Trusted attributes supplied by any service that owns resources and uses the IAM system for access control. | |
rules[].conditions[].svc | string | Trusted attributes discharged by the service. | |
rules[].conditions[].op | string | An operator to apply the subject with. | |
rules[].conditions[].value | string | DEPRECATED. Use 'values' instead. | |
rules[].conditions[].values[] | list | The objects of the condition. This is mutually exclusive with 'value'. | |
rules[].logConfigs[] | list | The config returned to callers of tech.iam.IAM.CheckPolicy for any entries that match the LOG action. | |
rules[].logConfigs[].counter | nested object | Counter options. | |
rules[].logConfigs[].counter.metric | string | The metric to update. | |
rules[].logConfigs[].counter.field | string | The field value to attribute. | |
etag | bytes | `etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the `etag` in the read-modify-write cycle to perform policy updates in order to avoid race conditions: an `etag` is returned in the response to `getIamPolicy`, and systems are expected to put that `etag` in the request to `setIamPolicy` to ensure that their change is applied to the same version of the policy. If no `etag` is provided in the call to `setIamPolicy`, the existing policy is overwritten blindly. | |
iamOwned | boolean | | |
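The `rules[]` precedence described in the table, as an added Python example that is not part of this reference page: matching is reduced to the `permissions`, `ins` and `notIns` fields (the page does not define how `conditions` are evaluated, so they are assumed absent), and the sample policy and permission names are constructed.

```python
# Actions whose matching rules cause the request to be logged.
LOGGING_ACTIONS = {"LOG", "DENY_WITH_LOG", "ALLOW_WITH_LOG"}
DENY_ACTIONS = {"DENY", "DENY_WITH_LOG"}
ALLOW_ACTIONS = {"ALLOW", "ALLOW_WITH_LOG"}


def rule_matches(rule, principal, permission):
    """A rule matches when it names the permission and the principal passes the
    `ins` / `notIns` selectors. `conditions` are assumed absent (not defined here)."""
    if permission not in rule.get("permissions", []):
        return False
    ins = rule.get("ins", [])
    if ins and principal not in ins:
        return False
    return principal not in rule.get("notIns", [])


def check_policy(policy, principal, permission):
    """Return (granted, logged) in the documented order: matching LOG rules always
    apply; any DENY/DENY_WITH_LOG match denies; otherwise any ALLOW/ALLOW_WITH_LOG
    match grants; otherwise permission is denied."""
    actions = {r["action"] for r in policy.get("rules", [])
               if rule_matches(r, principal, permission)}
    logged = bool(actions & LOGGING_ACTIONS)
    if actions & DENY_ACTIONS:
        return False, logged
    if actions & ALLOW_ACTIONS:
        return True, logged
    return False, logged  # no ALLOW or DENY rule matched: default deny


# Constructed sample policy; the permission names are illustrative.
SAMPLE_POLICY = {"rules": [
    {"description": "named users may read deployments", "action": "ALLOW",
     "permissions": ["deploymentmanager.deployments.get"],
     "ins": ["user:alice@example.com", "user:bob@example.com"]},
    {"description": "bob is denied regardless, and the attempt is logged",
     "action": "DENY_WITH_LOG",
     "permissions": ["deploymentmanager.deployments.get"],
     "ins": ["user:bob@example.com"]},
    {"description": "every delete is logged, whoever asks", "action": "LOG",
     "permissions": ["deploymentmanager.deployments.delete"]},
]}

if __name__ == "__main__":
    for who in ("user:alice@example.com", "user:bob@example.com", "user:eve@example.com"):
        print(who, check_policy(SAMPLE_POLICY, who, "deploymentmanager.deployments.get"))
```

Bob illustrates the precedence: his ALLOW and DENY_WITH_LOG rules both match, so the request is denied and logged.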
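The read-modify-write cycle described under `etag`, as an added Python example that is not the API's own client code: `FakePolicyServer` is a constructed stand-in for `getIamPolicy`/`setIamPolicy` that follows the documented etag semantics, so the conflict check can be exercised offline; the sample policy and member names are constructed.

```python
import copy
import hashlib
import json

# Constructed sample policy in the response shape documented above.
SAMPLE = {"version": 0, "bindings": [{"role": "roles/viewer", "members": ["user:alice@example.com"]}]}

class FakePolicyServer:
    """Constructed stand-in for getIamPolicy/setIamPolicy with the documented etag
    semantics: a stale etag is rejected; a request with no etag overwrites blindly."""
    def __init__(self, policy):
        self._policy = copy.deepcopy(policy)

    def _etag(self):  # real etags are opaque bytes; a digest of the stored policy serves here
        return hashlib.sha256(json.dumps(self._policy, sort_keys=True).encode()).hexdigest()[:16]

    def get_iam_policy(self):
        return {**copy.deepcopy(self._policy), "etag": self._etag()}

    def set_iam_policy(self, policy):
        if policy.get("etag") not in (None, self._etag()):
            raise ValueError("409 conflict: policy changed since it was read")
        self._policy = {k: v for k, v in policy.items() if k != "etag"}
        return self.get_iam_policy()

def add_member(policy, role, member):
    """Build the setIamPolicy body: merge `member` into the one binding for `role`
    (a role must not appear in two bindings) and carry the etag over unchanged."""
    updated = copy.deepcopy(policy)
    for binding in updated.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            break
    else:
        updated["bindings"].append({"role": role, "members": [member]})
    return updated

def grant(server, role, member):
    """The recommended cycle: read, modify, write back with the etag that was read."""
    return server.set_iam_policy(add_member(server.get_iam_policy(), role, member))

def demo_conflict(server):
    """Two clients read the same policy; once the first has written, the second's etag is stale."""
    stale = server.get_iam_policy()
    grant(server, "roles/editor", "user:bob@example.com")
    try:
        server.set_iam_policy(add_member(stale, "roles/viewer", "group:ops@example.com"))
        return "overwrote"
    except ValueError:
        return "rejected"
```

Dropping the `etag` key from the body before calling `set_iam_policy` reproduces the blind-overwrite path the table warns about.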