Manage access policies

You can set or get the Identity and Access Management (IAM), or access control, policy for one or more Connectivity Tests. In addition, you can view the permissions that a user or service account has for a specific Connectivity Test.

This document shows access control examples that use the Network Management API. To follow these steps in the Google Cloud console or by using gcloud commands, see the IAM how-to guides.

For information about policy bindings and etags listed in the following commands, see the API reference for IAM policies.

For information about the IAM roles and permissions needed to run Connectivity Tests, see Roles and permissions.

Set an access control policy

This procedure sets the access control policy on the specified Connectivity Tests resource.

API

Use the networkmanagement.connectivitytests.setIamPolicy method to set the access control policy for a USER, ROLE, and TEST_ID.

The following example sets a policy that binds the role of networkmanagement.admin to username@yourcompany.com for mytest-1.

 POST https: //networkmanagement.googleapis.com/v1/{resource=projects/*/locations/global/connectivityTests/TEST_ID}:setIamPolicy
   {
     "version": "VERSION",
     "etag": "ETAG",
     "bindings": [{
       "role": "ROLE",
       "members": [
         "PRINCIPAL"
       ]
     }]
   }

Replace the following values:

  • TEST_ID: the ID of the Connectivity Tests object (test) that you are running
  • VERSION: specifies the format of the policy; valid values are 0, 1, and 3—any operation that affects conditional role bindings must specify version 3
  • ETAG: used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other (an example etag is BwWbrqiZFRs=)
  • ROLE: a role that is assigned to principals (for example, roles/networkmanagement.admin)
  • PRINCIPAL: specifies the identities requesting access for a Google Cloud resource (for example, user:username@yourcompany.com); for a list of principal, or member, types, see the API reference for IAM policies

Get an access control policy

This procedure gets the access control policy for the specified Connectivity Tests resource.

API

Use the networkmanagement.connectivitytests.getIamPolicy method to set the access control policy for a PRINCIPAL, ROLE, and TEST_ID.

The following example gets a policy that binds the role of networkmanagement.admin to username@yourcompany.com for mytest-1.

  GET https: //networkmanagement.googleapis.com/v1/{resource=projects/*/locations/global/connectivityTests/TEST_ID}:getIamPolicy
    {
      "version": "VERSION",
      "etag": "ETAG",
      "bindings": [{
        "role": "ROLE",
        "members": [
          "PRINCIPAL"
        ]
      }]
    }

Replace the following values:

  • TEST_ID: the ID of the Connectivity Tests object (test) that you are running
  • VERSION: specifies the format of the policy; valid values are 0, 1, and 3—any operation that affects conditional role bindings must specify version 3
  • ETAG: used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other (an example etag is BwWbrqiZFRs=)
  • ROLE: a role that is assigned to principals (for example, roles/networkmanagement.admin)
  • PRINCIPAL: specifies the identities requesting access for a Google Cloud resource (for example, user:username@yourcompany.com); for a list of principal types, see the API reference for IAM policies

Test IAM permissions

This procedure returns permissions that a user or service account has for a Connectivity Tests resource.

API

Use the networkmanagement.connectivitytests.testIamPermissions method to return the permissions assigned to a TEST_ID.

The following example verifies that username@yourcompany.com has the networkmanagement.connectivitytests.get permission for mytest-1.

  POST https://networkmanagement.googleapis.com/v1/{resource=projects/*/locations/global/connectivityTests/TEST_ID}:testIamPermissions
    {
      "permissions": [
        "networkmanagement.connectivitytests.get"
      ]
    }

Replace TEST_ID with the ID of the Connectivity Tests object (test) that you are running.

What's next