Google Cloud Identity and Access Management (IAM) v2 API - Class DenyRule (1.3.0)

public sealed class DenyRule : IMessage<DenyRule>, IEquatable<DenyRule>, IDeepCloneable<DenyRule>, IBufferMessage, IMessage

Reference documentation and code samples for the Google Cloud Identity and Access Management (IAM) v2 API class DenyRule.

A deny rule in an IAM deny policy.

Inheritance

object > DenyRule

Namespace

Google.Cloud.Iam.V2

Assembly

Google.Cloud.Iam.V2.dll

Constructors

DenyRule()

public DenyRule()

DenyRule(DenyRule)

public DenyRule(DenyRule other)
Parameter
Name Description
other DenyRule

Properties

DenialCondition

public Expr DenialCondition { get; set; }

The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.

Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.

The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.

Property Value
Type Description
Expr

DeniedPermissions

public RepeatedField<string> DeniedPermissions { get; }

The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.

Property Value
Type Description
RepeatedFieldstring

DeniedPrincipals

public RepeatedField<string> DeniedPrincipals { get; }

The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:

  • principalSet://goog/public:all: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.

  • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.

  • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.

  • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.

  • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.

  • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.

  • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.

  • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

Property Value
Type Description
RepeatedFieldstring

ExceptionPermissions

public RepeatedField<string> ExceptionPermissions { get; }

Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions then it will not be denied.

The excluded permissions can be specified using the same syntax as denied_permissions.

Property Value
Type Description
RepeatedFieldstring

ExceptionPrincipals

public RepeatedField<string> ExceptionPrincipals { get; }

The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.

This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.

Property Value
Type Description
RepeatedFieldstring