Class Policy (1.36.0)

public final class Policy extends GeneratedMessageV3 implements PolicyOrBuilder

An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources.

A Policy is a collection of bindings. A binding binds one or more members, or principals, to a single role. Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role.

For some types of Google Cloud resources, a binding can also specify a condition, which is a logical expression that allows access to a resource only if the expression evaluates to true. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the IAM documentation.

JSON example:

` { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 }

YAML example:

bindings:

  • members:
    • user:mike@example.com
    • group:admins@example.com
    • domain:google.com
    • serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin
  • members:

    • user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3
`

For a description of IAM and its features, see the IAM documentation.

Protobuf type google.iam.v1.Policy

Implements

PolicyOrBuilder

Static Fields

AUDIT_CONFIGS_FIELD_NUMBER

public static final int AUDIT_CONFIGS_FIELD_NUMBER
Field Value
Type Description
int

BINDINGS_FIELD_NUMBER

public static final int BINDINGS_FIELD_NUMBER
Field Value
Type Description
int

ETAG_FIELD_NUMBER

public static final int ETAG_FIELD_NUMBER
Field Value
Type Description
int

VERSION_FIELD_NUMBER

public static final int VERSION_FIELD_NUMBER
Field Value
Type Description
int

Static Methods

getDefaultInstance()

public static Policy getDefaultInstance()
Returns
Type Description
Policy

getDescriptor()

public static final Descriptors.Descriptor getDescriptor()
Returns
Type Description
Descriptor

newBuilder()

public static Policy.Builder newBuilder()
Returns
Type Description
Policy.Builder

newBuilder(Policy prototype)

public static Policy.Builder newBuilder(Policy prototype)
Parameter
Name Description
prototype Policy
Returns
Type Description
Policy.Builder

parseDelimitedFrom(InputStream input)

public static Policy parseDelimitedFrom(InputStream input)
Parameter
Name Description
input InputStream
Returns
Type Description
Policy
Exceptions
Type Description
IOException

parseDelimitedFrom(InputStream input, ExtensionRegistryLite extensionRegistry)

public static Policy parseDelimitedFrom(InputStream input, ExtensionRegistryLite extensionRegistry)
Parameters
Name Description
input InputStream
extensionRegistry ExtensionRegistryLite
Returns
Type Description
Policy
Exceptions
Type Description
IOException

parseFrom(byte[] data)

public static Policy parseFrom(byte[] data)
Parameter
Name Description
data byte[]
Returns
Type Description
Policy
Exceptions
Type Description
InvalidProtocolBufferException

parseFrom(byte[] data, ExtensionRegistryLite extensionRegistry)

public static Policy parseFrom(byte[] data, ExtensionRegistryLite extensionRegistry)
Parameters
Name Description
data byte[]
extensionRegistry ExtensionRegistryLite
Returns
Type Description
Policy
Exceptions
Type Description
InvalidProtocolBufferException

parseFrom(ByteString data)

public static Policy parseFrom(ByteString data)
Parameter
Name Description
data ByteString
Returns
Type Description
Policy
Exceptions
Type Description
InvalidProtocolBufferException

parseFrom(ByteString data, ExtensionRegistryLite extensionRegistry)

public static Policy parseFrom(ByteString data, ExtensionRegistryLite extensionRegistry)
Parameters
Name Description
data ByteString
extensionRegistry ExtensionRegistryLite
Returns
Type Description
Policy
Exceptions
Type Description
InvalidProtocolBufferException

parseFrom(CodedInputStream input)

public static Policy parseFrom(CodedInputStream input)
Parameter
Name Description
input CodedInputStream
Returns
Type Description
Policy
Exceptions
Type Description
IOException

parseFrom(CodedInputStream input, ExtensionRegistryLite extensionRegistry)

public static Policy parseFrom(CodedInputStream input, ExtensionRegistryLite extensionRegistry)
Parameters
Name Description
input CodedInputStream
extensionRegistry ExtensionRegistryLite
Returns
Type Description
Policy
Exceptions
Type Description
IOException

parseFrom(InputStream input)

public static Policy parseFrom(InputStream input)
Parameter
Name Description
input InputStream
Returns
Type Description
Policy
Exceptions
Type Description
IOException

parseFrom(InputStream input, ExtensionRegistryLite extensionRegistry)

public static Policy parseFrom(InputStream input, ExtensionRegistryLite extensionRegistry)
Parameters
Name Description
input InputStream
extensionRegistry ExtensionRegistryLite
Returns
Type Description
Policy
Exceptions
Type Description
IOException

parseFrom(ByteBuffer data)

public static Policy parseFrom(ByteBuffer data)
Parameter
Name Description
data ByteBuffer
Returns
Type Description
Policy
Exceptions
Type Description
InvalidProtocolBufferException

parseFrom(ByteBuffer data, ExtensionRegistryLite extensionRegistry)

public static Policy parseFrom(ByteBuffer data, ExtensionRegistryLite extensionRegistry)
Parameters
Name Description
data ByteBuffer
extensionRegistry ExtensionRegistryLite
Returns
Type Description
Policy
Exceptions
Type Description
InvalidProtocolBufferException

parser()

public static Parser<Policy> parser()
Returns
Type Description
Parser<Policy>

Methods

equals(Object obj)

public boolean equals(Object obj)
Parameter
Name Description
obj Object
Returns
Type Description
boolean
Overrides

getAuditConfigs(int index)

public AuditConfig getAuditConfigs(int index)

Specifies cloud audit logging configuration for this policy.

repeated .google.iam.v1.AuditConfig audit_configs = 6;

Parameter
Name Description
index int
Returns
Type Description
AuditConfig

getAuditConfigsCount()

public int getAuditConfigsCount()

Specifies cloud audit logging configuration for this policy.

repeated .google.iam.v1.AuditConfig audit_configs = 6;

Returns
Type Description
int

getAuditConfigsList()

public List<AuditConfig> getAuditConfigsList()

Specifies cloud audit logging configuration for this policy.

repeated .google.iam.v1.AuditConfig audit_configs = 6;

Returns
Type Description
List<AuditConfig>

getAuditConfigsOrBuilder(int index)

public AuditConfigOrBuilder getAuditConfigsOrBuilder(int index)

Specifies cloud audit logging configuration for this policy.

repeated .google.iam.v1.AuditConfig audit_configs = 6;

Parameter
Name Description
index int
Returns
Type Description
AuditConfigOrBuilder

getAuditConfigsOrBuilderList()

public List<? extends AuditConfigOrBuilder> getAuditConfigsOrBuilderList()

Specifies cloud audit logging configuration for this policy.

repeated .google.iam.v1.AuditConfig audit_configs = 6;

Returns
Type Description
List<? extends com.google.iam.v1.AuditConfigOrBuilder>

getBindings(int index)

public Binding getBindings(int index)

Associates a list of members, or principals, with a role. Optionally, may specify a condition that determines how and when the bindings are applied. Each of the bindings must contain at least one principal.

The bindings in a Policy can refer to up to 1,500 principals; up to 250 of these principals can be Google groups. Each occurrence of a principal counts towards these limits. For example, if the bindings grant 50 different roles to user:alice@example.com, and not to any other principal, then you can add another 1,450 principals to the bindings in the Policy.

repeated .google.iam.v1.Binding bindings = 4;

Parameter
Name Description
index int
Returns
Type Description
Binding

getBindingsCount()

public int getBindingsCount()

Associates a list of members, or principals, with a role. Optionally, may specify a condition that determines how and when the bindings are applied. Each of the bindings must contain at least one principal.

The bindings in a Policy can refer to up to 1,500 principals; up to 250 of these principals can be Google groups. Each occurrence of a principal counts towards these limits. For example, if the bindings grant 50 different roles to user:alice@example.com, and not to any other principal, then you can add another 1,450 principals to the bindings in the Policy.

repeated .google.iam.v1.Binding bindings = 4;

Returns
Type Description
int

getBindingsList()

public List<Binding> getBindingsList()

Associates a list of members, or principals, with a role. Optionally, may specify a condition that determines how and when the bindings are applied. Each of the bindings must contain at least one principal.

The bindings in a Policy can refer to up to 1,500 principals; up to 250 of these principals can be Google groups. Each occurrence of a principal counts towards these limits. For example, if the bindings grant 50 different roles to user:alice@example.com, and not to any other principal, then you can add another 1,450 principals to the bindings in the Policy.

repeated .google.iam.v1.Binding bindings = 4;

Returns
Type Description
List<Binding>

getBindingsOrBuilder(int index)

public BindingOrBuilder getBindingsOrBuilder(int index)

Associates a list of members, or principals, with a role. Optionally, may specify a condition that determines how and when the bindings are applied. Each of the bindings must contain at least one principal.

The bindings in a Policy can refer to up to 1,500 principals; up to 250 of these principals can be Google groups. Each occurrence of a principal counts towards these limits. For example, if the bindings grant 50 different roles to user:alice@example.com, and not to any other principal, then you can add another 1,450 principals to the bindings in the Policy.

repeated .google.iam.v1.Binding bindings = 4;

Parameter
Name Description
index int
Returns
Type Description
BindingOrBuilder

getBindingsOrBuilderList()

public List<? extends BindingOrBuilder> getBindingsOrBuilderList()

Associates a list of members, or principals, with a role. Optionally, may specify a condition that determines how and when the bindings are applied. Each of the bindings must contain at least one principal.

The bindings in a Policy can refer to up to 1,500 principals; up to 250 of these principals can be Google groups. Each occurrence of a principal counts towards these limits. For example, if the bindings grant 50 different roles to user:alice@example.com, and not to any other principal, then you can add another 1,450 principals to the bindings in the Policy.

repeated .google.iam.v1.Binding bindings = 4;

Returns
Type Description
List<? extends com.google.iam.v1.BindingOrBuilder>

getDefaultInstanceForType()

public Policy getDefaultInstanceForType()
Returns
Type Description
Policy

getEtag()

public ByteString getEtag()

etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the etag in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An etag is returned in the response to getIamPolicy, and systems are expected to put that etag in the request to setIamPolicy to ensure that their change will be applied to the same version of the policy.

Important: If you use IAM Conditions, you must include the etag field whenever you call setIamPolicy. If you omit this field, then IAM allows you to overwrite a version 3 policy with a version 1 policy, and all of the conditions in the version 3 policy are lost.

bytes etag = 3;

Returns
Type Description
ByteString

The etag.

getParserForType()

public Parser<Policy> getParserForType()
Returns
Type Description
Parser<Policy>
Overrides

getSerializedSize()

public int getSerializedSize()
Returns
Type Description
int
Overrides

getVersion()

public int getVersion()

Specifies the format of the policy.

Valid values are 0, 1, and 3. Requests that specify an invalid value are rejected.

Any operation that affects conditional role bindings must specify version 3. This requirement applies to the following operations:

  • Getting a policy that includes a conditional role binding
  • Adding a conditional role binding to a policy
  • Changing a conditional role binding in a policy
  • Removing any role binding, with or without a condition, from a policy that includes conditions

    Important: If you use IAM Conditions, you must include the etag field whenever you call setIamPolicy. If you omit this field, then IAM allows you to overwrite a version 3 policy with a version 1 policy, and all of the conditions in the version 3 policy are lost.

    If a policy does not include any conditions, operations on that policy may specify any valid version or leave the field unset.

    To learn which resources support conditions in their IAM policies, see the IAM documentation.

int32 version = 1;

Returns
Type Description
int

The version.

hashCode()

public int hashCode()
Returns
Type Description
int
Overrides

internalGetFieldAccessorTable()

protected GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
Returns
Type Description
FieldAccessorTable
Overrides

isInitialized()

public final boolean isInitialized()
Returns
Type Description
boolean
Overrides

newBuilderForType()

public Policy.Builder newBuilderForType()
Returns
Type Description
Policy.Builder

newBuilderForType(GeneratedMessageV3.BuilderParent parent)

protected Policy.Builder newBuilderForType(GeneratedMessageV3.BuilderParent parent)
Parameter
Name Description
parent BuilderParent
Returns
Type Description
Policy.Builder
Overrides

newInstance(GeneratedMessageV3.UnusedPrivateParameter unused)

protected Object newInstance(GeneratedMessageV3.UnusedPrivateParameter unused)
Parameter
Name Description
unused UnusedPrivateParameter
Returns
Type Description
Object
Overrides

toBuilder()

public Policy.Builder toBuilder()
Returns
Type Description
Policy.Builder

writeTo(CodedOutputStream output)

public void writeTo(CodedOutputStream output)
Parameter
Name Description
output CodedOutputStream
Overrides
Exceptions
Type Description
IOException