This topic describes how to add, modify, and remove conditional role bindings in your Identity and Access Management (IAM) allow policies.
Before you begin
Enable the IAM API.
Read the IAM Conditions overview to understand the basics of IAM conditional role bindings.
Review the attribute reference to learn about the different condition attributes that can be used in an expression.
Required roles
To manage conditional role bindings in a resource's allow policy, you need
permissions to get the resource, and to get and set the allow policy for the
resource. These permissions have the following form, where
SERVICE is the name of the service that owns the
resource and RESOURCE_TYPE is the name of the resource
type that you want to manage access to:
SERVICE.RESOURCE_TYPE.getSERVICE.RESOURCE_TYPE.getIamPolicySERVICE.RESOURCE_TYPE.setIamPolicy
For example, to manage conditional role bindings in a project's allow policy, you need the following permissions:
resourcemanager.projects.getresourcemanager.projects.getIamPolicyresourcemanager.projects.setIamPolicy
To gain the required permissions, ask your administrator to grant you a
predefined or custom role that includes the permissions. For example, your
administrator could grant you the Security Admin role
(roles/iam.securityAdmin), which includes permissions to get almost all
Google Cloud resources and manage their allow policies.
Add a conditional role binding to a policy
Conditional role bindings can be added to new or existing allow policies to further control access to Google Cloud resources. This section shows you how to add a simple time-based condition to an existing allow policy using the Google Cloud console, the Google Cloud CLI, and the REST API.
To add a conditional role binding to an existing allow policy:
Console
In the Google Cloud console, go to the IAM page.
From the list of principals, locate the desired principal and click the button.
From the Edit permissions panel, locate the desired role to configure a condition for. Then under IAM condition (optional), click Add IAM condition.
In the Edit condition panel, enter a title and optional description for the condition.
You can add a condition expression using either the Condition builder or the Condition editor. The condition builder provides an interactive interface to select your desired condition type, operator, and other applicable details about the expression. The condition editor provides a text-based interface to manually enter an expression using CEL syntax.
Condition builder:
- From the Condition type drop-down, select Expiring Access.
- From the Operator drop-down, select by.
- From the Time drop-down, click the button to select from a date and time range.
- Click Save to apply the condition.
- Once the Edit condition panel is closed, click Save again from the Edit permissions panel to update your allow policy.
Condition editor:
Click the Condition editor tab and enter the following expression (replacing the timestamp with your own):
request.time < timestamp("2019-12-31T12:00:00.000Z")After entering your expression, you can optionally choose to validate the CEL syntax by clicking Run Linter above the text box on the top-right.
Click Save to apply the condition.
Once the Edit condition panel is closed, click Save again from the Edit permissions panel to update your allow policy.
gcloud
Allow policies are set using the read-modify-write pattern.
Execute the gcloud projects get-iam-policy command to get
the current allow policy for the project. In the following example, the JSON
version of the allow policy is downloaded to a path on disk.
Command:
gcloud projects get-iam-policy project-id --format json > file-path
The JSON format of the allow policy is downloaded:
{
"bindings": [
{
"members": [
"user:project-owner@example.com"
],
"role": "roles/owner"
},
{
"members": [
"user:travis@example.com"
],
"role": "roles/iam.securityReviewer"
}
],
"etag": "BwWKmjvelug=",
"version": 1
}
Note the allow policy's current version, which is
1. To configure the allow policy with expirable
access, add the following highlighted condition expression (replacing the
timestamp with your own). The gcloud CLI updates the version
automatically:
{
"bindings": [
{
"members": [
"user:project-owner@example.com"
],
"role": "roles/owner"
},
{
"members": [
"user:travis@example.com"
],
"role": "roles/iam.securityReviewer",
"condition": {
"title": "Expires_2019",
"description": "Expires at noon on 2019-12-31",
"expression":
"request.time < timestamp('2019-12-31T12:00:00Z')"
}
}
],
"etag": "BwWKmjvelug=",
"version": 3
}
Next, set the new allow policy by executing the
gcloud projects set-iam-policy command:
gcloud projects set-iam-policy project-id file-path
The new allow policy is applied, and travis@example.com's role binding will
expire at the specified time.
REST
Use the read-modify-write pattern to allow access until a specific time.
First, read the allow policy for the project:
The Resource Manager API's
projects.getIamPolicy
method gets a project's allow policy.
Before using any of the request data, make the following replacements:
PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, likemy-project.POLICY_VERSION: The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.
HTTP method and URL:
POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:getIamPolicy
Request JSON body:
{
"options": {
"requestedPolicyVersion": POLICY_VERSION
}
}
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
{
"version": 1,
"etag": "BwWKmjvelug=",
"bindings": [
{
"role": "roles/owner",
"members": [
"user:project-owner@example.com"
]
},
{
"role": "roles/iam.securityReviewer",
"members": [
"user:travis@example.com"
]
}
]
}
Note the allow policy's current version, which is
1.
Next, modify the allow policy so that it allows access until a specific
time. Make sure to change the version field to the value
3:
{
"etag": "BwWKmjvelug=",
"version": 3,
"bindings": [
{
"role": "roles/owner",
"members": [
"user:project-owner@example.com"
]
},
{
"role": "roles/iam.securityReviewer",
"condition": {
"title": "Expires_2019",
"description": "Expires at noon on 2019-12-31",
"expression": "request.time < timestamp('2019-12-31T12:00:00Z')"
},
"members": [
"user:travis@example.com"
]
}
]
}
Finally, write the updated allow policy:
The Resource Manager API's
projects.setIamPolicy
method sets the allow policy in the request as the project's new allow policy.
Before using any of the request data, make the following replacements:
PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, likemy-project.
HTTP method and URL:
POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setIamPolicy
Request JSON body:
{
"policy": {
"version": 3,
"etag": "BwWKmjvelug=",
"bindings": [
{
"role": "roles/owner",
"members": [
"user:project-owner@example.com"
]
},
{
"role": "roles/iam.securityReviewer",
"members": [
"user:travis@example.com"
],
"condition": {
"title": "Expires_July_1_2020",
"description": "Expires on July 1, 2020",
"expression":
"request.time < timestamp('2020-07-01T00:00:00.000Z')"
}
}
]
}
}
To send your request, expand one of these options:
The response contains the updated allow policy.
Modify an existing conditional role binding
After you create a conditional role binding, you can change the condition expression at any time. This section shows you how to update a time-based condition in an existing allow policy using the Google Cloud console, the Google Cloud CLI, and the REST API.
To modify a conditional role binding in an existing allow policy:
Console
In the Google Cloud console, go to the IAM page.
From the list of principals, locate the desired principal and click the button.
From the Edit permissions panel, locate the desired role to configure a condition for. Then under IAM condition (optional), click the name of the existing condition to edit it.
In the Edit condition panel, you can either keep or update the existing title and description for the condition.
You can either edit the existing condition expression or add a new one using either the Condition builder or the Condition editor. The condition builder provides an interactive interface to select your desired condition type, operator, and other applicable details about the expression. The condition editor provides a text-based interface to manually enter an expression using CEL syntax.
Condition builder:
- Add a new condition expression or modify the existing condition expression.
- Click Save to apply the condition.
- Once the Edit condition panel is closed, click Save again from the Edit permissions panel to update your allow policy.
Condition editor:
- Click the Condition editor tab and either add a new condition expression or modify the existing condition expression.
- After entering your expression, you can optionally choose to validate the CEL syntax by clicking Run Linter above the text box on the top-right.
- Click Save to apply the condition.
- Once the Edit condition panel is closed, click Save again from the Edit permissions panel to update your allow policy.
gcloud
Allow policies are set using the read-modify-write pattern.
Execute the gcloud projects get-iam-policy command to get
the current allow policy for the project. In the following example, the JSON
version of the allow policy is downloaded to a path on disk.
Command:
gcloud projects get-iam-policy project-id --format json > file-path
The JSON format of the allow policy is downloaded:
{
"bindings": [
{
"members": [
"user:project-owner@example.com"
],
"role": "roles/owner"
},
{
"members": [
"user:fatima@example.com"
],
"role": "roles/bigquery.dataViewer",
"condition": {
"title": "Duration_3_months",
"description": "Expires in 3 months on 2019-10-12",
"expression":
"request.time > timestamp(\"2019-07-12T07:00:00.000Z\") && request.time < timestamp(\"2019-10-12T07:00:00.000Z\")"
}
}
],
"etag": "BwWKmjvelug=",
"version": 3
}
In this example, we will update the title,
description, and timestamp values in the expression to change
the duration of the scheduled access condition. Update the following
highlighted portion of the condition (replacing the values with your own):
{
"bindings": [
{
"members": [
"user:project-owner@example.com"
],
"role": "roles/owner"
},
{
"members": [
"user:fatima@example.com"
],
"role": "roles/bigquery.dataViewer",
"condition": {
"title": "Duration_5_months",
"description": "Expires in 5 months on 2020-01-12",
"expression":
"request.time > timestamp('2019-07-12T07:00:00.000Z') && request.time < timestamp('2020-01-12T07:00:00.000Z')"
}
}
],
"etag": "BwWKmjvelug=",
"version": 3
}
Next, set the new allow policy by executing the
gcloud projects set-iam-policy command.
gcloud projects set-iam-policy project-id file-path
The updated allow policy is applied, and fatima@example.com's role binding
will expire at the new time.
REST
Use the read-modify-write pattern to modify the conditional role binding.
First, read the allow policy for the project:
The Resource Manager API's
projects.getIamPolicy
method gets a project's allow policy.
Before using any of the request data, make the following replacements:
PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, likemy-project.
HTTP method and URL:
POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:getIamPolicy
Request JSON body:
{
"options": {
"requestedPolicyVersion": 3
}
}
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
{
"etag": "BwWKmjvelug=",
"version": 3,
"bindings": [
{
"role": "roles/owner",
"members": [
"user:project-owner@example.com"
]
},
{
"role": "roles/bigquery.dataViewer",
"condition": {
"title": "Duration_3_months",
"description": "Expires in 3 months on 2019-10-12",
"expression":
"request.time > timestamp(\"2019-07-12T07:00:00.000Z\") && request.time < timestamp(\"2019-10-12T07:00:00.000Z\")"
},
"members": [
"user:fatima@example.com"
]
}
]
}
Next, modify the conditional role binding in the allow policy. In this example, we will update the timestamp values to change the duration of the scheduled access condition. Update the following highlighted portion of the condition expression (replacing the timestamp with your own):
{
"etag": "BwWKmjvelug=",
"version": 3,
"bindings": [
{
"role": "roles/owner",
"members": [
"user:project-owner@example.com"
]
},
{
"role": "roles/bigquery.dataViewer",
"condition": {
"title": "Duration_5_months",
"description": "Expires in 5 months on 2020-01-12",
"expression":
"request.time > timestamp('2019-07-12T07:00:00.000Z') && request.time < timestamp('2020-01-12T07:00:00.000Z')"
},
"members": [
"user:fatima@example.com"
]
}
]
}
Finally, write the updated allow policy:
The Resource Manager API's
projects.setIamPolicy
method sets the allow policy in the request as the project's new allow policy.
Before using any of the request data, make the following replacements:
PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, likemy-project.
HTTP method and URL:
POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setIamPolicy
Request JSON body:
{
"policy": {
"etag": "BwWKmjvelug=",
"version": 3,
"bindings": [
{
"role": "roles/owner",
"members": [
"user:project-owner@example.com"
]
},
{
"role": "roles/bigquery.dataViewer",
"condition": {
"title": "Duration_5_months",
"description": "Expires in 5 months on 2020-01-12",
"expression":
"request.time > timestamp('2019-07-12T07:00:00.000Z') && request.time < timestamp('2020-01-12T07:00:00.000Z')"
},
"members": [
"user:fatima@example.com"
],
}
]
}
}
To send your request, expand one of these options:
The response contains the updated allow policy.
Remove a condition from a role binding
Removing a condition from a role binding doesn't revoke the role. Instead, it lets all principals in that role binding use the permissions in the role unconditionally.
This section shows you how to remove a time-based condition in an allow policy using the Google Cloud console, the Google Cloud CLI, and the REST API.
To remove a condition from a role binding in an allow policy:
Console
In the Google Cloud console, go to the IAM page.
From the list of principals, locate the desired principal and click the button.
From the Edit permissions panel, locate the desired role binding. Then under IAM condition (optional), click the name of an existing condition.
In the Edit condition panel, click the button to remove the condition. You will be prompted to confirm deletion of the condition.
Once the Edit condition panel is closed, click Save again from the Edit permissions panel to update your allow policy.
gcloud
Allow policies are set using the read-modify-write pattern.
Execute the gcloud projects get-iam-policy command to get
the current allow policy for the project. In the following example, the JSON
version of the allow policy is downloaded to a path on disk.
Command:
gcloud projects get-iam-policy project-id --format json > file-path
The JSON format of the allow policy is downloaded:
{
"bindings": [
{
"members": [
"user:project-owner@example.com"
],
"role": "roles/owner"
},
{
"members": [
"user:fatima@example.com"
],
"role": "roles/bigquery.dataViewer",
"condition": {
"title": "Duration_3_months",
"description": "Expires in 3 months on 2019-10-12",
"expression":
"request.time > timestamp(\"2019-07-12T07:00:00.000Z\") && request.time < timestamp(\"2019-10-12T07:00:00.000Z\")"
}
}
],
"etag": "BwWKmjvelug=",
"version": 3
}
To remove the conditional role binding from the allow policy, remove the
condition block as shown below:
{
"bindings": [
{
"members": [
"user:project-owner@example.com"
],
"role": "roles/owner"
},
{
"members": [
"user:fatima@example.com"
],
"role": "roles/bigquery.dataViewer",
}
],
"etag": "BwWKmjvelug=",
"version": 3
}
Note that the version is still set to 3, despite
the fact that unconditional role bindings only require a version
1 allow policy. We recommend that you always use the
highest version number when setting an allow policy, both for conditional role
bindings and unconditional role bindings. See
version requirements for more information. The
gcloud CLI updates the version number for the allow policy
automatically.
Next, set the updated allow policy by executing the
gcloud projects set-iam-policy command:
gcloud projects set-iam-policy project-id file-path
The updated allow policy is applied, removing the conditional role binding for
fatima@example.com. The role binding will no longer expire.
REST
Use the read-modify-write pattern to remove the conditional role binding.
First, read the allow policy for the project:
The Resource Manager API's
projects.getIamPolicy
method gets a project's allow policy.
Before using any of the request data, make the following replacements:
PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, likemy-project.
HTTP method and URL:
POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:getIamPolicy
Request JSON body:
{
"options": {
"requestedPolicyVersion": 3
}
}
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
{
"etag": "BwWKmjvelug=",
"version": 3,
"bindings": [
{
"role": "roles/owner",
"members": [
"user:project-owner@example.com"
]
},
{
"role": "roles/bigquery.dataViewer",
"condition": {
"title": "Duration_3_months",
"description": "Expires in 3 months on 2019-10-12",
"expression":
"request.time > timestamp(\"2019-07-12T07:00:00.000Z\") && request.time < timestamp(\"2019-10-12T07:00:00.000Z\")"
},
"members": [
"user:fatima@example.com"
]
}
]
}
Next, modify the allow policy by removing the conditional role binding:
{
"etag": "BwWKmjvelug=",
"version": 3,
"bindings": [
{
"role": "roles/owner",
"members": [
"user:project-owner@example.com"
]
},
{
"role": "roles/bigquery.dataViewer",
"members": [
"user:fatima@example.com"
]
}
]
}
Note that the version is still set to 3, despite
the fact that unconditional role bindings only require a version
1 allow policy. We recommend that you always use the
highest version number when setting an allow policy, both for conditional role
bindings and unconditional role bindings. See
version requirements for more information.
Finally, write the updated allow policy:
The Resource Manager API's
projects.setIamPolicy
method sets the allow policy in the request as the project's new allow policy.
Before using any of the request data, make the following replacements:
PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, likemy-project.
HTTP method and URL:
POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setIamPolicy
Request JSON body:
{
"policy": {
"etag": "BwWKmjvelug=",
"version": 3,
"bindings": [
{
"role": "roles/owner",
"members": [
"user:project-owner@example.com"
]
},
{
"role": "roles/bigquery.dataViewer",
"members": [
"user:fatima@example.com"
]
}
]
}
}
To send your request, expand one of these options:
The response contains the updated allow policy.