Deployments: getIamPolicy

Gets the access control policy for a resource. May be empty if no such policy or resource exists. Try it now.

Request

HTTP request

GET https://www.googleapis.com/deploymentmanager/v2beta/projects/project/global/deployments/resource/getIamPolicy

Parameters

Parameter name	Value	Description
Path parameters
`project`	`string`	Project ID for this request.
`resource`	`string`	Name of the resource for this request.

Authorization

This request requires authorization with at least one of the following scopes (read more about authentication and authorization).

Scope
`https://www.googleapis.com/auth/cloud-platform`
`https://www.googleapis.com/auth/ndev.cloudman`

Request body

Do not supply a request body with this method.

Response

If successful, this method returns a response body with the following structure:

{
  "version": integer,
  "bindings": [
    {
      "role": string,
      "members": [
        string
      ]
    }
  ],
  "auditConfigs": [
    {
      "service": string,
      "exemptedMembers": [
        string
      ],
      "auditLogConfigs": [
        {
          "logType": string,
          "exemptedMembers": [
            string
          ]
        }
      ]
    }
  ],
  "rules": [
    {
      "description": string,
      "permissions": [
        string
      ],
      "action": string,
      "ins": [
        string
      ],
      "notIns": [
        string
      ],
      "conditions": [
        {
          "iam": string,
          "sys": string,
          "svc": string,
          "op": string,
          "value": string,
          "values": [
            string
          ]
        }
      ],
      "logConfigs": [
        {
          "counter": {
            "metric": string,
            "field": string
          }
        }
      ]
    }
  ],
  "etag": bytes,
  "iamOwned": boolean
}

Property name	Value	Description
`version`	`integer`	Version of the `Policy`. The default version is 0.
`bindings[]`	`list`	Associates a list of `members` to a `role`. Multiple `bindings` must not be specified for the same `role`. `bindings` with no members will result in an error.
`bindings[].role`	`string`	Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
`bindings[].members[]`	`list`	Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values: * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account. * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account. * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@gmail.com` or `joe@example.com`. * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`. * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`. * `domain:{domain}`: A Google Apps domain name that represents all the users of that domain. For example, `google.com` or `example.com`.
`auditConfigs[]`	`list`	Specifies cloud audit logging configuration for this policy.
`auditConfigs[].service`	`string`	Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.
`auditConfigs[].exemptedMembers[]`	`list`
`auditConfigs[].auditLogConfigs[]`	`list`	The configuration for logging of each type of permission.
`auditConfigs[].auditLogConfigs[].logType`	`string`	The log type that this config enables.
`auditConfigs[].auditLogConfigs[].exemptedMembers[]`	`list`	Specifies the identities that do not cause logging for this type of permission. Follows the same format of [Binding.members][].
`rules[]`	`list`	If more than one rule is specified, the rules are applied in the following manner: - All matching LOG rules are always applied. - If any DENY/DENY_WITH_LOG rule matches, permission is denied. Logging will be applied if one or more matching rule requires logging. - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is granted. Logging will be applied if one or more matching rule requires logging. - Otherwise, if no rule applies, permission is denied.
`rules[].description`	`string`	Human-readable description of the rule.
`rules[].permissions[]`	`list`	A permission is a string of form '..' (e.g., 'storage.buckets.list'). A value of '' matches all permissions, and a verb part of '' (e.g., 'storage.buckets.*') matches all verbs.
`rules[].action`	`string`	Required
`rules[].ins[]`	`list`	If one or more 'in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
`rules[].notIns[]`	`list`	If one or more 'not_in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.
`rules[].conditions[]`	`list`	Additional restrictions that must be met
`rules[].conditions[].iam`	`string`	Trusted attributes supplied by the IAM system.
`rules[].conditions[].sys`	`string`	Trusted attributes supplied by any service that owns resources and uses the IAM system for access control.
`rules[].conditions[].svc`	`string`	Trusted attributes discharged by the service.
`rules[].conditions[].op`	`string`	An operator to apply the subject with.
`rules[].conditions[].value`	`string`	DEPRECATED. Use 'values' instead.
`rules[].conditions[].values[]`	`list`	The objects of the condition. This is mutually exclusive with 'value'.
`rules[].logConfigs[]`	`list`	The config returned to callers of tech.iam.IAM.CheckPolicy for any entries that match the LOG action.
`rules[].logConfigs[].counter`	`nested object`	Counter options.
`rules[].logConfigs[].counter.metric`	`string`	The metric to update.
`rules[].logConfigs[].counter.field`	`string`	The field value to attribute.
`etag`	`bytes`	`etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the `etag` in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An `etag` is returned in the response to `getIamPolicy`, and systems are expected to put that etag in the request to `setIamPolicy` to ensure that their change will be applied to the same version of the policy. If no `etag` is provided in the call to `setIamPolicy`, then the existing policy is overwritten blindly.
`iamOwned`	`boolean`

Try it!

Use the APIs Explorer below to call this method on live data and see the response.