Class Policy (1.17.1)

public final class Policy extends GeneratedMessageV3 implements PolicyOrBuilder

An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources.

A Policy is a collection of bindings. A binding binds one or more members, or principals, to a single role. Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role.

For some types of Google Cloud resources, a binding can also specify a condition, which is a logical expression that allows access to a resource only if the expression evaluates to true. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the IAM documentation.

JSON example:

 {
   "bindings": [
     {
       "role": "roles/resourcemanager.organizationAdmin",
       "members": [
         "user:mike@example.com",
         "group:admins@example.com",
         "domain:google.com",
         "serviceAccount:my-project-id@appspot.gserviceaccount.com"
       ]
     },
     {
       "role": "roles/resourcemanager.organizationViewer",
       "members": [
         "user:eve@example.com"
       ],
       "condition": {
         "title": "expirable access",
         "description": "Does not grant access after Sep 2020",
         "expression": "request.time <
         timestamp('2020-10-01T00:00:00.000Z')",
       }
     }
   ],
   "etag": "BwWWja0YfJA=",
   "version": 3
 }

YAML example:

 bindings:
 - members:
   - user:mike@example.com
   - group:admins@example.com
   - domain:google.com
   - serviceAccount:my-project-id@appspot.gserviceaccount.com
   role: roles/resourcemanager.organizationAdmin
 - members:
   - user:eve@example.com
   role: roles/resourcemanager.organizationViewer
   condition:
     title: expirable access
     description: Does not grant access after Sep 2020
     expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
 etag: BwWWja0YfJA=
 version: 3

For a description of IAM and its features, see the IAM documentation.

Protobuf type google.iam.v1.Policy

Implements

PolicyOrBuilder

Static Fields

AUDIT_CONFIGS_FIELD_NUMBER

public static final int AUDIT_CONFIGS_FIELD_NUMBER
Field Value
TypeDescription
int

BINDINGS_FIELD_NUMBER

public static final int BINDINGS_FIELD_NUMBER
Field Value
TypeDescription
int

ETAG_FIELD_NUMBER

public static final int ETAG_FIELD_NUMBER
Field Value
TypeDescription
int

VERSION_FIELD_NUMBER

public static final int VERSION_FIELD_NUMBER
Field Value
TypeDescription
int

Static Methods

getDefaultInstance()

public static Policy getDefaultInstance()
Returns
TypeDescription
Policy

getDescriptor()

public static final Descriptors.Descriptor getDescriptor()
Returns
TypeDescription
Descriptor

newBuilder()

public static Policy.Builder newBuilder()
Returns
TypeDescription
Policy.Builder

newBuilder(Policy prototype)

public static Policy.Builder newBuilder(Policy prototype)
Parameter
NameDescription
prototypePolicy
Returns
TypeDescription
Policy.Builder

parseDelimitedFrom(InputStream input)

public static Policy parseDelimitedFrom(InputStream input)
Parameter
NameDescription
inputInputStream
Returns
TypeDescription
Policy
Exceptions
TypeDescription
IOException

parseDelimitedFrom(InputStream input, ExtensionRegistryLite extensionRegistry)

public static Policy parseDelimitedFrom(InputStream input, ExtensionRegistryLite extensionRegistry)
Parameters
NameDescription
inputInputStream
extensionRegistryExtensionRegistryLite
Returns
TypeDescription
Policy
Exceptions
TypeDescription
IOException

parseFrom(byte[] data)

public static Policy parseFrom(byte[] data)
Parameter
NameDescription
databyte[]
Returns
TypeDescription
Policy
Exceptions
TypeDescription
InvalidProtocolBufferException

parseFrom(byte[] data, ExtensionRegistryLite extensionRegistry)

public static Policy parseFrom(byte[] data, ExtensionRegistryLite extensionRegistry)
Parameters
NameDescription
databyte[]
extensionRegistryExtensionRegistryLite
Returns
TypeDescription
Policy
Exceptions
TypeDescription
InvalidProtocolBufferException

parseFrom(ByteString data)

public static Policy parseFrom(ByteString data)
Parameter
NameDescription
dataByteString
Returns
TypeDescription
Policy
Exceptions
TypeDescription
InvalidProtocolBufferException

parseFrom(ByteString data, ExtensionRegistryLite extensionRegistry)

public static Policy parseFrom(ByteString data, ExtensionRegistryLite extensionRegistry)
Parameters
NameDescription
dataByteString
extensionRegistryExtensionRegistryLite
Returns
TypeDescription
Policy
Exceptions
TypeDescription
InvalidProtocolBufferException

parseFrom(CodedInputStream input)

public static Policy parseFrom(CodedInputStream input)
Parameter
NameDescription
inputCodedInputStream
Returns
TypeDescription
Policy
Exceptions
TypeDescription
IOException

parseFrom(CodedInputStream input, ExtensionRegistryLite extensionRegistry)

public static Policy parseFrom(CodedInputStream input, ExtensionRegistryLite extensionRegistry)
Parameters
NameDescription
inputCodedInputStream
extensionRegistryExtensionRegistryLite
Returns
TypeDescription
Policy
Exceptions
TypeDescription
IOException

parseFrom(InputStream input)

public static Policy parseFrom(InputStream input)
Parameter
NameDescription
inputInputStream
Returns
TypeDescription
Policy
Exceptions
TypeDescription
IOException

parseFrom(InputStream input, ExtensionRegistryLite extensionRegistry)

public static Policy parseFrom(InputStream input, ExtensionRegistryLite extensionRegistry)
Parameters
NameDescription
inputInputStream
extensionRegistryExtensionRegistryLite
Returns
TypeDescription
Policy
Exceptions
TypeDescription
IOException

parseFrom(ByteBuffer data)

public static Policy parseFrom(ByteBuffer data)
Parameter
NameDescription
dataByteBuffer
Returns
TypeDescription
Policy
Exceptions
TypeDescription
InvalidProtocolBufferException

parseFrom(ByteBuffer data, ExtensionRegistryLite extensionRegistry)

public static Policy parseFrom(ByteBuffer data, ExtensionRegistryLite extensionRegistry)
Parameters
NameDescription
dataByteBuffer
extensionRegistryExtensionRegistryLite
Returns
TypeDescription
Policy
Exceptions
TypeDescription
InvalidProtocolBufferException

parser()

public static Parser<Policy> parser()
Returns
TypeDescription
Parser<Policy>

Methods

equals(Object obj)

public boolean equals(Object obj)
Parameter
NameDescription
objObject
Returns
TypeDescription
boolean
Overrides

getAuditConfigs(int index)

public AuditConfig getAuditConfigs(int index)

Specifies cloud audit logging configuration for this policy.

repeated .google.iam.v1.AuditConfig audit_configs = 6;

Parameter
NameDescription
indexint
Returns
TypeDescription
AuditConfig

getAuditConfigsCount()

public int getAuditConfigsCount()

Specifies cloud audit logging configuration for this policy.

repeated .google.iam.v1.AuditConfig audit_configs = 6;

Returns
TypeDescription
int

getAuditConfigsList()

public List<AuditConfig> getAuditConfigsList()

Specifies cloud audit logging configuration for this policy.

repeated .google.iam.v1.AuditConfig audit_configs = 6;

Returns
TypeDescription
List<AuditConfig>

getAuditConfigsOrBuilder(int index)

public AuditConfigOrBuilder getAuditConfigsOrBuilder(int index)

Specifies cloud audit logging configuration for this policy.

repeated .google.iam.v1.AuditConfig audit_configs = 6;

Parameter
NameDescription
indexint
Returns
TypeDescription
AuditConfigOrBuilder

getAuditConfigsOrBuilderList()

public List<? extends AuditConfigOrBuilder> getAuditConfigsOrBuilderList()

Specifies cloud audit logging configuration for this policy.

repeated .google.iam.v1.AuditConfig audit_configs = 6;

Returns
TypeDescription
List<? extends com.google.iam.v1.AuditConfigOrBuilder>

getBindings(int index)

public Binding getBindings(int index)

Associates a list of members, or principals, with a role. Optionally, may specify a condition that determines how and when the bindings are applied. Each of the bindings must contain at least one principal.

The bindings in a Policy can refer to up to 1,500 principals; up to 250 of these principals can be Google groups. Each occurrence of a principal counts towards these limits. For example, if the bindings grant 50 different roles to user:alice@example.com, and not to any other principal, then you can add another 1,450 principals to the bindings in the Policy.

repeated .google.iam.v1.Binding bindings = 4;

Parameter
NameDescription
indexint
Returns
TypeDescription
Binding

getBindingsCount()

public int getBindingsCount()

Associates a list of members, or principals, with a role. Optionally, may specify a condition that determines how and when the bindings are applied. Each of the bindings must contain at least one principal.

The bindings in a Policy can refer to up to 1,500 principals; up to 250 of these principals can be Google groups. Each occurrence of a principal counts towards these limits. For example, if the bindings grant 50 different roles to user:alice@example.com, and not to any other principal, then you can add another 1,450 principals to the bindings in the Policy.

repeated .google.iam.v1.Binding bindings = 4;

Returns
TypeDescription
int

getBindingsList()

public List<Binding> getBindingsList()

Associates a list of members, or principals, with a role. Optionally, may specify a condition that determines how and when the bindings are applied. Each of the bindings must contain at least one principal.

The bindings in a Policy can refer to up to 1,500 principals; up to 250 of these principals can be Google groups. Each occurrence of a principal counts towards these limits. For example, if the bindings grant 50 different roles to user:alice@example.com, and not to any other principal, then you can add another 1,450 principals to the bindings in the Policy.

repeated .google.iam.v1.Binding bindings = 4;

Returns
TypeDescription
List<Binding>

getBindingsOrBuilder(int index)

public BindingOrBuilder getBindingsOrBuilder(int index)

Associates a list of members, or principals, with a role. Optionally, may specify a condition that determines how and when the bindings are applied. Each of the bindings must contain at least one principal.

The bindings in a Policy can refer to up to 1,500 principals; up to 250 of these principals can be Google groups. Each occurrence of a principal counts towards these limits. For example, if the bindings grant 50 different roles to user:alice@example.com, and not to any other principal, then you can add another 1,450 principals to the bindings in the Policy.

repeated .google.iam.v1.Binding bindings = 4;

Parameter
NameDescription
indexint
Returns
TypeDescription
BindingOrBuilder

getBindingsOrBuilderList()

public List<? extends BindingOrBuilder> getBindingsOrBuilderList()

Associates a list of members, or principals, with a role. Optionally, may specify a condition that determines how and when the bindings are applied. Each of the bindings must contain at least one principal.

The bindings in a Policy can refer to up to 1,500 principals; up to 250 of these principals can be Google groups. Each occurrence of a principal counts towards these limits. For example, if the bindings grant 50 different roles to user:alice@example.com, and not to any other principal, then you can add another 1,450 principals to the bindings in the Policy.

repeated .google.iam.v1.Binding bindings = 4;

Returns
TypeDescription
List<? extends com.google.iam.v1.BindingOrBuilder>

getDefaultInstanceForType()

public Policy getDefaultInstanceForType()
Returns
TypeDescription
Policy

getEtag()

public ByteString getEtag()

etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the etag in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An etag is returned in the response to getIamPolicy, and systems are expected to put that etag in the request to setIamPolicy to ensure that their change will be applied to the same version of the policy.

Important: If you use IAM Conditions, you must include the etag field whenever you call setIamPolicy. If you omit this field, then IAM allows you to overwrite a version 3 policy with a version 1 policy, and all of the conditions in the version 3 policy are lost.

bytes etag = 3;

Returns
TypeDescription
ByteString

The etag.

getParserForType()

public Parser<Policy> getParserForType()
Returns
TypeDescription
Parser<Policy>
Overrides

getSerializedSize()

public int getSerializedSize()
Returns
TypeDescription
int
Overrides

getVersion()

public int getVersion()

Specifies the format of the policy.

Valid values are 0, 1, and 3. Requests that specify an invalid value are rejected.

Any operation that affects conditional role bindings must specify version 3. This requirement applies to the following operations:

  • Getting a policy that includes a conditional role binding
  • Adding a conditional role binding to a policy
  • Changing a conditional role binding in a policy
  • Removing any role binding, with or without a condition, from a policy that includes conditions

    Important: If you use IAM Conditions, you must include the etag field whenever you call setIamPolicy. If you omit this field, then IAM allows you to overwrite a version 3 policy with a version 1 policy, and all of the conditions in the version 3 policy are lost.

    If a policy does not include any conditions, operations on that policy may specify any valid version or leave the field unset.

    To learn which resources support conditions in their IAM policies, see the IAM documentation.

int32 version = 1;

Returns
TypeDescription
int

The version.

hashCode()

public int hashCode()
Returns
TypeDescription
int
Overrides

internalGetFieldAccessorTable()

protected GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
Returns
TypeDescription
FieldAccessorTable
Overrides

isInitialized()

public final boolean isInitialized()
Returns
TypeDescription
boolean
Overrides

newBuilderForType()

public Policy.Builder newBuilderForType()
Returns
TypeDescription
Policy.Builder

newBuilderForType(GeneratedMessageV3.BuilderParent parent)

protected Policy.Builder newBuilderForType(GeneratedMessageV3.BuilderParent parent)
Parameter
NameDescription
parentBuilderParent
Returns
TypeDescription
Policy.Builder
Overrides

newInstance(GeneratedMessageV3.UnusedPrivateParameter unused)

protected Object newInstance(GeneratedMessageV3.UnusedPrivateParameter unused)
Parameter
NameDescription
unusedUnusedPrivateParameter
Returns
TypeDescription
Object
Overrides

toBuilder()

public Policy.Builder toBuilder()
Returns
TypeDescription
Policy.Builder

writeTo(CodedOutputStream output)

public void writeTo(CodedOutputStream output)
Parameter
NameDescription
outputCodedOutputStream
Overrides
Exceptions
TypeDescription
IOException