Index
PolicyBindings (interface)
PrincipalAccessBoundaryPolicies (interface)
CreatePolicyBindingRequest (message)
CreatePrincipalAccessBoundaryPolicyRequest (message)
DeletePolicyBindingRequest (message)
DeletePrincipalAccessBoundaryPolicyRequest (message)
GetPolicyBindingRequest (message)
GetPrincipalAccessBoundaryPolicyRequest (message)
ListPolicyBindingsRequest (message)
ListPolicyBindingsResponse (message)
ListPrincipalAccessBoundaryPoliciesRequest (message)
ListPrincipalAccessBoundaryPoliciesResponse (message)
OperationMetadata (message)
PolicyBinding (message)
PolicyBinding.PolicyKind (enum)
PolicyBinding.Target (message)
PrincipalAccessBoundaryPolicy (message)
PrincipalAccessBoundaryPolicyDetails (message)
PrincipalAccessBoundaryPolicyRule (message)
PrincipalAccessBoundaryPolicyRule.Effect (enum)
SearchPrincipalAccessBoundaryPolicyBindingsRequest (message)
SearchPrincipalAccessBoundaryPolicyBindingsResponse (message)
SearchTargetPolicyBindingsRequest (message)
SearchTargetPolicyBindingsResponse (message)
UpdatePolicyBindingRequest (message)
UpdatePrincipalAccessBoundaryPolicyRequest (message)
PolicyBindings
An interface for managing Identity and Access Management (IAM) policy bindings.
Methods | |
---|---|
CreatePolicyBinding | Creates a policy binding and returns a long-running operation. Callers will need the IAM permissions on both the policy and target. Once the binding is created, the policy is applied to the target. |
DeletePolicyBinding | Deletes a policy binding and returns a long-running operation. Callers will need the IAM permissions on both the policy and target. Once the binding is deleted, the policy no longer applies to the target. |
GetPolicyBinding | Gets a policy binding. |
ListPolicyBindings | Lists policy bindings. |
SearchTargetPolicyBindings | Search policy bindings by target. Returns all policy binding objects bound directly to target. |
UpdatePolicyBinding | Updates a policy binding and returns a long-running operation. Callers will need the IAM permissions on the policy and target in the binding to update, and the IAM permission to remove the existing policy from the binding. Target is immutable and cannot be updated. Once the binding is updated, the new policy is applied to the target. |
PrincipalAccessBoundaryPolicies
Manages Identity and Access Management (IAM) principal access boundary policies.
Methods | |
---|---|
CreatePrincipalAccessBoundaryPolicy | Creates a principal access boundary policy and returns a long-running operation. |
DeletePrincipalAccessBoundaryPolicy | Deletes a principal access boundary policy. |
GetPrincipalAccessBoundaryPolicy | Gets a principal access boundary policy. |
ListPrincipalAccessBoundaryPolicies | Lists principal access boundary policies. |
SearchPrincipalAccessBoundaryPolicyBindings | Returns all policy bindings that bind a specific policy if a user has searchPolicyBindings permission on that policy. |
UpdatePrincipalAccessBoundaryPolicy | Updates a principal access boundary policy. |
CreatePolicyBindingRequest
Request message for CreatePolicyBinding method.
Fields | |
---|---|
parent | Required. The parent resource where this policy binding will be created. The binding parent is the closest Resource Manager resource (Project, Folder or Organization) to the binding target. Format: |
policy_binding_id | Required. The ID to use for the policy binding, which will become the final component of the policy binding's resource name. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern, /[a-z][a-z0-9-.]{2,62}/. |
policy_binding | Required. The policy binding to create. |
validate_only | Optional. If set, validate the request and preview the creation, but do not actually post it. |
CreatePrincipalAccessBoundaryPolicyRequest
Request message for CreatePrincipalAccessBoundaryPolicy method.
Fields | |
---|---|
parent | Required. The parent resource where this principal access boundary policy will be created. Only organization is supported now. Format: |
principal_access_boundary_policy_id | Required. The ID to use for the principal access boundary policy, which will become the final component of the principal access boundary policy's resource name. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern, /[a-z][a-z0-9-.]{2,62}/. |
principal_access_boundary_policy | Required. The principal access boundary policy to create. |
validate_only | Optional. If set, validate the request and preview the creation, but do not actually post it. |
DeletePolicyBindingRequest
Request message for DeletePolicyBinding method.
Fields | |
---|---|
name | Required. The name of the policy binding to delete. Format: |
etag | Optional. The etag of the policy binding. If this is provided, it must match the server's etag. |
validate_only | Optional. If set, validate the request and preview the deletion, but do not actually post it. |
DeletePrincipalAccessBoundaryPolicyRequest
Request message for DeletePrincipalAccessBoundaryPolicy method.
Fields | |
---|---|
name | Required. The name of the principal access boundary policy to delete. Format: |
etag | Optional. The etag of the principal access boundary policy. If this is provided, it must match the server's etag. |
validate_only | Optional. If set, validate the request and preview the deletion, but do not actually post it. |
force | Optional. If set to true, the request will force the deletion of the Policy even if the Policy references PolicyBindings. |
GetPolicyBindingRequest
Request message for GetPolicyBinding method.
Fields | |
---|---|
name | Required. The name of the policy binding to retrieve. Format: |
GetPrincipalAccessBoundaryPolicyRequest
Request message for GetPrincipalAccessBoundaryPolicy method.
Fields | |
---|---|
name | Required. The name of the principal access boundary policy to retrieve. Format: |
ListPolicyBindingsRequest
Request message for ListPolicyBindings method.
Fields | |
---|---|
parent | Required. The parent resource, which owns the collection of policy bindings. Format: |
page_size | Optional. The maximum number of policy bindings to return. The service may return fewer than this value. If unspecified, at most 50 policy bindings will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000. |
page_token | Optional. A page token, received from a previous When paginating, all other parameters provided to |
filter | Optional. An expression for filtering the results of the request. Filter rules are case insensitive. Some eligible fields for filtering are: Some examples of filter queries: |
ListPolicyBindingsResponse
Response message for ListPolicyBindings method.
Fields | |
---|---|
policy_bindings[] | The policy bindings from the specified parent. |
next_page_token | Optional. A token, which can be sent as |
ListPrincipalAccessBoundaryPoliciesRequest
Request message for ListPrincipalAccessBoundaryPolicies method.
Fields | |
---|---|
parent | Required. The parent resource, which owns the collection of principal access boundary policies. Format: |
page_size | Optional. The maximum number of principal access boundary policies to return. The service may return fewer than this value. If unspecified, at most 50 principal access boundary policies will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000. |
page_token | Optional. A page token, received from a previous When paginating, all other parameters provided to |
ListPrincipalAccessBoundaryPoliciesResponse
Fields | |
---|---|
principal_access_boundary_policies[] | The principal access boundary policies from the specified parent. |
next_page_token | Optional. A token, which can be sent as |
OperationMetadata
Represents the metadata of the long-running operation.
Fields | |
---|---|
create_time | Output only. The time the operation was created. |
end_time | Output only. The time the operation finished running. |
target | Output only. Server-defined resource path for the target of the |
verb | Output only. Name of the verb executed by the operation. |
status_message | Output only. Human-readable status of the operation, if any. |
requested_cancellation | Output only. Identifies whether the user has requested cancellation of the operation. Operations that have successfully been cancelled have [Operation.error][] value with a |
api_version | Output only. API version used to start the operation. |
PolicyBinding
IAM policy binding
Fields | |
---|---|
name | Identifier. The name of the policy binding, in the format Format: |
uid | Output only. The globally unique ID of the policy binding. Assigned when the policy binding is created. |
etag | Optional. The etag for the policy binding. If this is provided on update, it must match the server's etag. |
display_name | Optional. The description of the policy binding. Must be less than or equal to 63 characters. |
annotations | Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations. |
target | Required. Immutable. Target is the full resource name of the resource to which the policy will be bound. Immutable once set. |
policy_kind | Immutable. The kind of the policy to attach in this binding. This field must be one of the following: |
policy | Required. Immutable. The resource name of the policy to be bound. The binding parent and policy must belong to the same Organization (or Project). |
policy_uid | Output only. The globally unique ID of the policy to be bound. |
condition |
Optional. Condition can either be a principal condition or a resource condition. It depends on the type of target, the policy it is attached to, and/or the expression itself. When set, the
Allowed operations for principal.type:
Supported principal types are Workspace, Workforce Pool, Workload Pool and Service Account. Allowed string must be one of:
When the bound policy is a principal access boundary policy, the only supported attributes in any subexpression are |
create_time | Output only. The time when the policy binding was created. |
update_time | Output only. The time when the policy binding was most recently updated. |
PolicyKind
Different policy kinds supported in this binding.
Enums | |
---|---|
POLICY_KIND_UNSPECIFIED | Unspecified policy kind; Not a valid state |
PRINCIPAL_ACCESS_BOUNDARY | Principal access boundary policy kind |
Target
Target is the full resource name of the resource to which the policy will be bound. Immutable once set.
Fields | |
---|---|
Union field | |
principal_set | Immutable. Full Resource Name used for principal access boundary policy bindings. Examples: |
PrincipalAccessBoundaryPolicy
An IAM principal access boundary policy resource.
Fields | |
---|---|
name | Identifier. The resource name of the principal access boundary policy. The following format is supported: |
uid | Output only. The globally unique ID of the principal access boundary policy. |
etag | Optional. The etag for the principal access boundary. If this is provided on update, it must match the server's etag. |
display_name | Optional. The description of the principal access boundary policy. Must be less than or equal to 63 characters. |
annotations | Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations. |
create_time | Output only. The time when the principal access boundary policy was created. |
update_time | Output only. The time when the principal access boundary policy was most recently updated. |
details | Optional. The details for the principal access boundary policy. |
PrincipalAccessBoundaryPolicyDetails
Principal access boundary policy details
Fields | |
---|---|
rules[] | Required. A list of principal access boundary policy rules. The number of rules in a policy is limited to 500. |
enforcement_version | Optional. The version number that indicates which Google Cloud services are included in the enforcement (e.g. "latest", "1", ...). If empty, the PAB policy version will be set to the current latest version, and this version won't get updated when new versions are released. |
PrincipalAccessBoundaryPolicyRule
Principal access boundary policy rule that defines the resource boundary.
Fields | |
---|---|
description | Optional. The description of the principal access boundary policy rule. Must be less than or equal to 256 characters. |
resources[] | Required. A list of Cloud Resource Manager resources. The resource and all the descendants are included. The number of resources in a policy is limited to 500 across all rules. The following resource types are supported: |
effect | Required. The access relationship of principals to the resources in this rule. |
Effect
An effect to describe the access relationship.
Enums | |
---|---|
EFFECT_UNSPECIFIED | Effect unspecified. |
ALLOW | Allows access to the resources in this rule. |
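The limits stated above for the policy ID, display_name, rules[], resources[] and effect can be checked locally before a create or update call is sent, for example in a CI step that lints policy definitions. The following is an added example, not part of the API or its client libraries: the function name, the dict layout mirroring the message fields, and the placeholder resource string are assumptions, and rejecting EFFECT_UNSPECIFIED is an assumption based on effect being Required.

```python
import re

# Limits quoted from the field descriptions on this page.
ID_PATTERN = re.compile(r"[a-z][a-z0-9.-]{2,62}")  # same character set as the page's pattern
MAX_DISPLAY_NAME = 63
MAX_RULE_DESCRIPTION = 256
MAX_RULES = 500
MAX_RESOURCES = 500  # counted across all rules in the policy


def validate_pab_request(policy_id, policy):
    """Return a list of constraint violations; an empty list means none were found."""
    errors = []
    if not ID_PATTERN.fullmatch(policy_id):
        errors.append("principal_access_boundary_policy_id does not match the ID pattern")
    if len(policy.get("display_name", "")) > MAX_DISPLAY_NAME:
        errors.append("display_name is longer than 63 characters")
    details = policy.get("details")
    if details is None:
        return errors  # details is Optional; nothing further to check
    rules = details.get("rules", [])
    if not rules:
        errors.append("details.rules is required")
    if len(rules) > MAX_RULES:
        errors.append("more than 500 rules")
    total_resources = 0
    for i, rule in enumerate(rules):
        if len(rule.get("description", "")) > MAX_RULE_DESCRIPTION:
            errors.append(f"rules[{i}].description is longer than 256 characters")
        resources = rule.get("resources", [])
        if not resources:
            errors.append(f"rules[{i}].resources is required")
        total_resources += len(resources)
        # Assumption: a missing effect or EFFECT_UNSPECIFIED is rejected, since effect is Required.
        if rule.get("effect") != "ALLOW":
            errors.append(f"rules[{i}].effect must be ALLOW")
    if total_resources > MAX_RESOURCES:
        errors.append("more than 500 resources across all rules")
    return errors


# Constructed sample; the resource string is a placeholder, not a real resource name.
SAMPLE_POLICY = {
    "display_name": "Dev boundary",
    "details": {"rules": [{"description": "Dev projects only",
                           "resources": ["RESOURCE_NAME_PLACEHOLDER"],
                           "effect": "ALLOW"}]},
}

if __name__ == "__main__":
    print(validate_pab_request("dev-boundary", SAMPLE_POLICY))
```

A local check like this only catches the documented size and format limits; the validate_only request field remains the way to have the service itself preview the change.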
SearchPrincipalAccessBoundaryPolicyBindingsRequest
Request message for SearchPrincipalAccessBoundaryPolicyBindings rpc.
Fields | |
---|---|
name | Required. The name of the principal access boundary policy. Format: |
page_size | Optional. The maximum number of policy bindings to return. The service may return fewer than this value. If unspecified, at most 50 policy bindings will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000. |
page_token | Optional. A page token, received from a previous When paginating, all other parameters provided to |
SearchPrincipalAccessBoundaryPolicyBindingsResponse
Response message for SearchPrincipalAccessBoundaryPolicyBindings rpc.
Fields | |
---|---|
policy_bindings[] | The policy bindings that reference the specified policy. |
next_page_token | Optional. A token, which can be sent as |
SearchTargetPolicyBindingsRequest
Request message for SearchTargetPolicyBindings method.
Fields | |
---|---|
target | Required. The target resource, which is bound to the policy in the binding. Format: |
page_size | Optional. The maximum number of policy bindings to return. The service may return fewer than this value. If unspecified, at most 50 policy bindings will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000. |
page_token | Optional. A page token, received from a previous When paginating, all other parameters provided to |
parent | Required. The parent resource where this search will be performed. This should be the nearest Resource Manager resource (project, folder, or organization) to the target. Format: |
SearchTargetPolicyBindingsResponse
Response message for SearchTargetPolicyBindings method.
Fields | |
---|---|
policy_bindings[] | The policy bindings bound to the specified target. |
next_page_token | Optional. A token, which can be sent as |
UpdatePolicyBindingRequest
Request message for UpdatePolicyBinding method.
Fields | |
---|---|
policy_binding | Required. The policy binding to update. The policy binding's |
validate_only | Optional. If set, validate the request and preview the update, but do not actually post it. |
update_mask | Optional. The list of fields to update |
UpdatePrincipalAccessBoundaryPolicyRequest
Request message for UpdatePrincipalAccessBoundaryPolicy method.
Fields | |
---|---|
principal_access_boundary_policy | Required. The principal access boundary policy to update. The principal access boundary policy's |
validate_only | Optional. If set, validate the request and preview the update, but do not actually post it. |
update_mask | Optional. The list of fields to update |