Crée une règle de refus basée sur la configuration fournie.
En savoir plus
Pour obtenir une documentation détaillée incluant cet exemple de code, consultez les articles suivants :
Exemple de code
Go
Pour savoir comment installer et utiliser la bibliothèque cliente pour IAM, consultez la page Bibliothèques clientes IAM. Pour en savoir plus, consultez la documentation de référence de l'API Cloud IAM Go.
Pour vous authentifier auprès d'IAM, configurez le service Identifiants par défaut de l'application. Pour en savoir plus, consultez la page Configurer l'authentification pour un environnement de développement local.
import (
"context"
"fmt"
"io"
iam "cloud.google.com/go/iam/apiv2"
iampb "google.golang.org/genproto/googleapis/iam/v2"
"google.golang.org/genproto/googleapis/type/expr"
)
// createDenyPolicy creates a deny policy.
func createDenyPolicy(w io.Writer, projectID, policyID string) error {
// You can add deny policies to organizations, folders, and projects.
// Each of these resources can have up to 5 deny policies.
// Deny policies contain deny rules, which specify the following:
// 1. The permissions to deny and/or exempt.
// 2. The principals that are denied, or exempted from denial.
// 3. An optional condition on when to enforce the deny rules.
// projectID := "your_project_id"
// policyID := "your_policy_id"
ctx := context.Background()
policiesClient, err := iam.NewPoliciesClient(ctx)
if err != nil {
return fmt.Errorf("NewPoliciesClient: %w", err)
}
defer policiesClient.Close()
// Each deny policy is attached to an organization, folder, or project.
// To work with deny policies, specify the attachment point.
//
// Its format can be one of the following:
// 1. cloudresourcemanager.googleapis.com/organizations/ORG_ID
// 2. cloudresourcemanager.googleapis.com/folders/FOLDER_ID
// 3. cloudresourcemanager.googleapis.com/projects/PROJECT_ID
//
// The attachment point is identified by its URL-encoded resource name. Hence, replace
// the "/" with "%%2F".
attachmentPoint := fmt.Sprintf(
"cloudresourcemanager.googleapis.com%%2Fprojects%%2F%s",
projectID,
)
denyRule := &iampb.DenyRule{
// Add one or more principals who should be denied the permissions specified in this rule.
// For more information on allowed values,
// see: https://cloud.google.com/iam/help/deny/principal-identifiers
DeniedPrincipals: []string{"principalSet://goog/public:all"},
// Optionally, set the principals who should be exempted from the
// list of denied principals. For example, if you want to deny certain permissions
// to a group but exempt a few principals, then add those here.
// ExceptionPrincipals: []string{"principalSet://goog/group/project-admins@example.com"},
//
// Set the permissions to deny.
// The permission value is of the format: service_fqdn/resource.action
// For the list of supported permissions,
// see: https://cloud.google.com/iam/help/deny/supported-permissions
DeniedPermissions: []string{"cloudresourcemanager.googleapis.com/projects.delete"},
// Optionally, add the permissions to be exempted from this rule.
// Meaning, the deny rule will not be applicable to these permissions.
// ExceptionPermissions: []string{"cloudresourcemanager.googleapis.com/projects.create"},
//
// Set the condition which will enforce the deny rule.
// If this condition is true, the deny rule will be applicable.
// Else, the rule will not be enforced.
// The expression uses Common Expression Language syntax (CEL).
// Here we block access based on tags.
//
// Here, we create a deny rule that denies the
// cloudresourcemanager.googleapis.com/projects.delete permission
// to everyone except project-admins@example.com for resources that are tagged test.
// A tag is a key-value pair that can be attached to an organization, folder, or project.
// For more info, see: https://cloud.google.com/iam/docs/deny-access#create-deny-policy
DenialCondition: &expr.Expr{
Expression: "!resource.matchTag('12345678/env', 'test')",
},
}
// Add the deny rule and a description for it.
policyRule := &iampb.PolicyRule{
Description: "block all principals from deleting projects, unless the principal is a member of project-admins@example.com and the project being deleted has a tag with the value test",
Kind: &iampb.PolicyRule_DenyRule{
DenyRule: denyRule,
},
}
policy := &iampb.Policy{
DisplayName: "Restrict project deletion access",
Rules: [](*iampb.PolicyRule){policyRule},
}
req := &iampb.CreatePolicyRequest{
// Construct the full path of the resource's deny policies.
// Its format is: "policies/ATTACHMENT_POINT/denypolicies"
Parent: fmt.Sprintf("policies/%s/denypolicies", attachmentPoint),
Policy: policy,
PolicyId: policyID,
}
op, err := policiesClient.CreatePolicy(ctx, req)
if err != nil {
return fmt.Errorf("unable to create policy: %w", err)
}
policy, err = op.Wait(ctx)
if err != nil {
return fmt.Errorf("unable to wait for the operation: %w", err)
}
fmt.Fprintf(w, "Policy %s created\n", policy.GetName())
return nil
}
Java
Pour savoir comment installer et utiliser la bibliothèque cliente pour IAM, consultez la page Bibliothèques clientes IAM. Pour en savoir plus, consultez la documentation de référence de l'API Cloud IAM Java.
Pour vous authentifier auprès d'IAM, configurez le service Identifiants par défaut de l'application. Pour en savoir plus, consultez la page Configurer l'authentification pour un environnement de développement local.
import com.google.iam.v2.CreatePolicyRequest;
import com.google.iam.v2.DenyRule;
import com.google.iam.v2.PoliciesClient;
import com.google.iam.v2.Policy;
import com.google.iam.v2.PolicyRule;
import com.google.longrunning.Operation;
import com.google.type.Expr;
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
public class CreateDenyPolicy {
public static void main(String[] args)
throws IOException, ExecutionException, InterruptedException, TimeoutException {
// TODO(developer): Replace these variables before running the sample.
// ID or number of the Google Cloud project you want to use.
String projectId = "your-google-cloud-project-id";
// Specify the id of the Deny policy you want to create.
String policyId = "deny-policy-id";
createDenyPolicy(projectId, policyId);
}
// Create a deny policy.
// You can add deny policies to organizations, folders, and projects.
// Each of these resources can have up to 5 deny policies.
//
// Deny policies contain deny rules, which specify the following:
// 1. The permissions to deny and/or exempt.
// 2. The principals that are denied, or exempted from denial.
// 3. An optional condition on when to enforce the deny rules.
public static void createDenyPolicy(String projectId, String policyId)
throws IOException, ExecutionException, InterruptedException, TimeoutException {
try (PoliciesClient policiesClient = PoliciesClient.create()) {
// Each deny policy is attached to an organization, folder, or project.
// To work with deny policies, specify the attachment point.
//
// Its format can be one of the following:
// 1. cloudresourcemanager.googleapis.com/organizations/ORG_ID
// 2. cloudresourcemanager.googleapis.com/folders/FOLDER_ID
// 3. cloudresourcemanager.googleapis.com/projects/PROJECT_ID
//
// The attachment point is identified by its URL-encoded resource name.
String urlEncodedResource =
URLEncoder.encode(
"cloudresourcemanager.googleapis.com/projects/", StandardCharsets.UTF_8);
String attachmentPoint = String.format("%s%s", urlEncodedResource, projectId);
// Construct the full path of the resource to which the policy is attached.
// Its format is: "policies/{attachmentPoint}/denypolicies/{policyId}"
String policyParent = String.format("policies/%s/denypolicies", attachmentPoint);
DenyRule denyRule =
DenyRule.newBuilder()
// Add one or more principals who should be denied the permissions specified in this
// rule.
// For more information on allowed values, see:
// https://cloud.google.com/iam/docs/principal-identifiers
.addDeniedPrincipals("principalSet://goog/public:all")
// Optionally, set the principals who should be exempted from the
// list of denied principals. For example, if you want to deny certain permissions
// to a group but exempt a few principals, then add those here.
// .addExceptionPrincipals(
// "principalSet://goog/group/project-admins@example.com")
// Set the permissions to deny.
// The permission value is of the format: service_fqdn/resource.action
// For the list of supported permissions, see:
// https://cloud.google.com/iam/help/deny/supported-permissions
.addDeniedPermissions("cloudresourcemanager.googleapis.com/projects.delete")
// Optionally, add the permissions to be exempted from this rule.
// Meaning, the deny rule will not be applicable to these permissions.
// .addExceptionPermissions("cloudresourcemanager.googleapis.com/projects.create")
// Set the condition which will enforce the deny rule. If this condition is true,
// the deny rule will be applicable. Else, the rule will not be enforced.
.setDenialCondition(
Expr.newBuilder()
// The expression uses Common Expression Language syntax (CEL).
// Here we block access based on tags.
//
// A tag is a key-value pair that can be attached to an organization, folder,
// or project. You can use deny policies to deny permissions based on tags
// without adding an IAM Condition to every role grant.
// For example, imagine that you tag all of your projects as dev, test, or
// prod. You want only members of project-admins@example.com to be able to
// perform operations on projects that are tagged prod.
// To solve this problem, you create a deny rule that denies the
// cloudresourcemanager.googleapis.com/projects.delete permission to everyone
// except project-admins@example.com for resources that are tagged test.
.setExpression("!resource.matchTag('12345678/env', 'test')")
.setTitle("Only for test projects")
.build())
.build();
// Add the deny rule and a description for it.
Policy policy =
Policy.newBuilder()
// Set the deny rule.
.addRules(
PolicyRule.newBuilder()
// Set a description for the rule.
.setDescription(
"block all principals from deleting projects, unless the principal"
+ " is a member of project-admins@example.com and the project"
+ " being deleted has a tag with the value test")
.setDenyRule(denyRule)
.build())
.build();
// Set the policy resource path, policy rules and a unique ID for the policy.
CreatePolicyRequest createPolicyRequest =
CreatePolicyRequest.newBuilder()
.setParent(policyParent)
.setPolicy(policy)
.setPolicyId(policyId)
.build();
// Build the create policy request.
Operation operation =
policiesClient
.createPolicyCallable()
.futureCall(createPolicyRequest)
.get(3, TimeUnit.MINUTES);
// Wait for the operation to complete.
if (operation.hasError()) {
System.out.println("Error in creating the policy " + operation.getError());
return;
}
// Retrieve the policy name.
Policy response = policiesClient.getPolicy(String.format("%s/%s", policyParent, policyId));
String policyName = response.getName();
System.out.println(
"Created the deny policy: " + policyName.substring(policyName.lastIndexOf("/") + 1));
}
}
}
Node.js
Pour savoir comment installer et utiliser la bibliothèque cliente pour IAM, consultez la page Bibliothèques clientes IAM. Pour en savoir plus, consultez la documentation de référence de l'API Cloud IAM Node.js.
Pour vous authentifier auprès d'IAM, configurez le service Identifiants par défaut de l'application. Pour en savoir plus, consultez la page Configurer l'authentification pour un environnement de développement local.
/**
* TODO(developer): Uncomment and replace these variables before running the sample.
*/
// const projectId = 'YOUR_PROJECT_ID';
// const policyID = 'YOUR_POLICY_ID';
const {PoliciesClient} = require('@google-cloud/iam').v2;
const iamClient = new PoliciesClient();
// Each deny policy is attached to an organization, folder, or project.
// To work with deny policies, specify the attachment point.
//
// Its format can be one of the following:
// 1. cloudresourcemanager.googleapis.com/organizations/ORG_ID
// 2. cloudresourcemanager.googleapis.com/folders/FOLDER_ID
// 3. cloudresourcemanager.googleapis.com/projects/PROJECT_ID
//
// The attachment point is identified by its URL-encoded resource name. Hence, replace
// the "/" with "%2F".
const attachmentPoint = `cloudresourcemanager.googleapis.com%2Fprojects%2F${projectId}`;
const denyRule = {
// Add one or more principals who should be denied the permissions specified in this rule.
// For more information on allowed values, see: https://cloud.google.com/iam/help/deny/principal-identifiers
deniedPrincipals: ['principalSet://goog/public:all'],
// Optionally, set the principals who should be exempted from the
// list of denied principals. For example, if you want to deny certain permissions
// to a group but exempt a few principals, then add those here.
// exceptionPrincipals: ['principalSet://goog/group/project-admins@example.com'],
// Set the permissions to deny.
// The permission value is of the format: service_fqdn/resource.action
// For the list of supported permissions, see: https://cloud.google.com/iam/help/deny/supported-permissions
deniedPermissions: ['cloudresourcemanager.googleapis.com/projects.delete'],
// Optionally, add the permissions to be exempted from this rule.
// Meaning, the deny rule will not be applicable to these permissions.
// exceptionPermissions: ['cloudresourcemanager.googleapis.com/projects.create']
//
// Set the condition which will enforce the deny rule.
// If this condition is true, the deny rule will be applicable. Else, the rule will not be enforced.
// The expression uses Common Expression Language syntax (CEL).
// Here we block access based on tags.
//
// Here, we create a deny rule that denies the cloudresourcemanager.googleapis.com/projects.delete permission to everyone except project-admins@example.com for resources that are tagged test.
// A tag is a key-value pair that can be attached to an organization, folder, or project.
// For more info, see: https://cloud.google.com/iam/docs/deny-access#create-deny-policy
denialCondition: {
expression: '!resource.matchTag("12345678/env", "test")',
},
};
async function createDenyPolicy() {
const request = {
parent: `policies/${attachmentPoint}/denypolicies`,
policy: {
displayName: 'Restrict project deletion access',
rules: [
{
description:
'block all principals from deleting projects, unless the principal is a member of project-admins@example.com and the project being deleted has a tag with the value test',
denyRule,
},
],
},
policyId,
};
const [operation] = await iamClient.createPolicy(request);
const [policy] = await operation.promise();
console.log(`Created the deny policy: ${policy.name}`);
}
createDenyPolicy();
Python
Pour savoir comment installer et utiliser la bibliothèque cliente pour IAM, consultez la page Bibliothèques clientes IAM. Pour en savoir plus, consultez la documentation de référence de l'API Cloud IAM Python.
Pour vous authentifier auprès d'IAM, configurez le service Identifiants par défaut de l'application. Pour en savoir plus, consultez la page Configurer l'authentification pour un environnement de développement local.
def create_deny_policy(project_id: str, policy_id: str) -> None:
from google.cloud import iam_v2
from google.cloud.iam_v2 import types
"""
Create a deny policy.
You can add deny policies to organizations, folders, and projects.
Each of these resources can have up to 5 deny policies.
Deny policies contain deny rules, which specify the following:
1. The permissions to deny and/or exempt.
2. The principals that are denied, or exempted from denial.
3. An optional condition on when to enforce the deny rules.
Params:
project_id: ID or number of the Google Cloud project you want to use.
policy_id: Specify the ID of the deny policy you want to create.
"""
policies_client = iam_v2.PoliciesClient()
# Each deny policy is attached to an organization, folder, or project.
# To work with deny policies, specify the attachment point.
#
# Its format can be one of the following:
# 1. cloudresourcemanager.googleapis.com/organizations/ORG_ID
# 2. cloudresourcemanager.googleapis.com/folders/FOLDER_ID
# 3. cloudresourcemanager.googleapis.com/projects/PROJECT_ID
#
# The attachment point is identified by its URL-encoded resource name. Hence, replace
# the "/" with "%2F".
attachment_point = f"cloudresourcemanager.googleapis.com%2Fprojects%2F{project_id}"
deny_rule = types.DenyRule()
# Add one or more principals who should be denied the permissions specified in this rule.
# For more information on allowed values, see: https://cloud.google.com/iam/help/deny/principal-identifiers
deny_rule.denied_principals = ["principalSet://goog/public:all"]
# Optionally, set the principals who should be exempted from the
# list of denied principals. For example, if you want to deny certain permissions
# to a group but exempt a few principals, then add those here.
# deny_rule.exception_principals = ["principalSet://goog/group/project-admins@example.com"]
# Set the permissions to deny.
# The permission value is of the format: service_fqdn/resource.action
# For the list of supported permissions, see: https://cloud.google.com/iam/help/deny/supported-permissions
deny_rule.denied_permissions = [
"cloudresourcemanager.googleapis.com/projects.delete"
]
# Optionally, add the permissions to be exempted from this rule.
# Meaning, the deny rule will not be applicable to these permissions.
# deny_rule.exception_permissions = ["cloudresourcemanager.googleapis.com/projects.create"]
# Set the condition which will enforce the deny rule.
# If this condition is true, the deny rule will be applicable. Else, the rule will not be enforced.
# The expression uses Common Expression Language syntax (CEL).
# Here we block access based on tags.
#
# Here, we create a deny rule that denies the cloudresourcemanager.googleapis.com/projects.delete permission to everyone except project-admins@example.com for resources that are tagged test.
# A tag is a key-value pair that can be attached to an organization, folder, or project.
# For more info, see: https://cloud.google.com/iam/docs/deny-access#create-deny-policy
deny_rule.denial_condition = {
"expression": "!resource.matchTag('12345678/env', 'test')"
}
# Add the deny rule and a description for it.
policy_rule = types.PolicyRule()
policy_rule.description = "block all principals from deleting projects, unless the principal is a member of project-admins@example.com and the project being deleted has a tag with the value test"
policy_rule.deny_rule = deny_rule
policy = types.Policy()
policy.display_name = "Restrict project deletion access"
policy.rules = [policy_rule]
# Set the policy resource path, policy rules and a unique ID for the policy.
request = types.CreatePolicyRequest()
# Construct the full path of the resource's deny policies.
# Its format is: "policies/{attachmentPoint}/denypolicies"
request.parent = f"policies/{attachment_point}/denypolicies"
request.policy = policy
request.policy_id = policy_id
# Build the create policy request and wait for the operation to complete.
result = policies_client.create_policy(request=request).result()
print(f"Created the deny policy: {result.name.rsplit('/')[-1]}")
if __name__ == "__main__":
import uuid
# Your Google Cloud project ID.
project_id = "your-google-cloud-project-id"
# Any unique ID (0 to 63 chars) starting with a lowercase letter.
policy_id = f"deny-{uuid.uuid4()}"
# Test the policy lifecycle.
create_deny_policy(project_id, policy_id)
Terraform
Pour savoir comment appliquer ou supprimer une configuration Terraform, consultez la page Commandes Terraform de base. Pour en savoir plus, consultez la documentation de référence du fournisseur Terraform.
data "google_project" "default" {
}
# Create a service account
resource "google_service_account" "default" {
display_name = "IAM Deny Example - Service Account"
account_id = "example-sa"
project = data.google_project.default.project_id
}
# Create an IAM deny policy that denies a permission for the service account
resource "google_iam_deny_policy" "default" {
provider = google-beta
parent = urlencode("cloudresourcemanager.googleapis.com/projects/${data.google_project.default.project_id}")
name = "my-deny-policy"
display_name = "My deny policy."
rules {
deny_rule {
denied_principals = ["principal://iam.googleapis.com/projects/-/serviceAccounts/${google_service_account.default.email}"]
denied_permissions = ["iam.googleapis.com/roles.create"]
}
}
}
Étapes suivantes
Pour rechercher et filtrer des exemples de code pour d'autres produits Google Cloud, consultez l'explorateur d'exemples Google Cloud.