Cloud Storage API - Class Google::Cloud::Storage::PolicyV3 (v1.41.0)

Reference documentation and code samples for the Cloud Storage API class Google::Cloud::Storage::PolicyV3.

A subclass of Policy that supports access to #bindings and #version=. Attempts to call #roles and relate helpers will raise a runtime error. This class may be used to update the Policy version and add bindings with a newer syntax. To obtain instances of this class, call Bucket#policy with requested_policy_version: 3.

Examples

Updating Policy version 1 to version 3:

require "google/cloud/storage"

storage = Google::Cloud::Storage.new
bucket = storage.bucket "my-bucket"

bucket.uniform_bucket_level_access = true

bucket.policy requested_policy_version: 3 do |p|
  p.version # the value is 1
  p.version = 3

  expr = "resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")"
  p.bindings.insert({
                      role: "roles/storage.admin",
                      members: ["user:owner@example.com"],
                      condition: {
                        title: "my-condition",
                        description: "description of condition",
                        expression: expr
                      }
                    })
end

Using Policy version 3:

require "google/cloud/storage"

storage = Google::Cloud::Storage.new
bucket = storage.bucket "my-bucket"

bucket.uniform_bucket_level_access? # true

bucket.policy requested_policy_version: 3 do |p|
  p.version = 3 # Must be explicitly set to opt-in to support for conditions.

  expr = "resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")"
  p.bindings.insert({
                      role: "roles/storage.admin",
                      members: ["user:owner@example.com"],
                      condition: {
                        title: "my-condition",
                        description: "description of condition",
                        expression: expr
                      }
                    })
end

Methods

#bindings

def bindings() -> Bindings

Returns the Policy's bindings object that associate roles with an array of members. Conditions can be configured on the Google::Cloud::Storage::Policy::Binding object. See Understanding Roles for a listing of primitive and curated roles. See Buckets: setIamPolicy for a listing of values and patterns for members.

Returns
  • (Bindings) — the current value of bindings

#bindings=

def bindings=(value) -> Bindings

Returns the Policy's bindings object that associate roles with an array of members. Conditions can be configured on the Google::Cloud::Storage::Policy::Binding object. See Understanding Roles for a listing of primitive and curated roles. See Buckets: setIamPolicy for a listing of values and patterns for members.

Parameter
  • value (Bindings) — the newly set value
Returns

#version=

def version=(new_version)

Updates the syntax schema version of the policy. Each version of the policy contains a specific syntax schema that can be used by bindings. The newer version may contain role bindings with the newer syntax schema that is unsupported by earlier versions. This field is not intended to be used for any purposes other than policy syntax schema control.

The following policy versions are valid:

  • 1 - The first version of Cloud IAM policy schema. Supports binding one role to one or more members. Does not support conditional bindings.
  • 3 - Introduces the condition field in the role binding, which further constrains the role binding via context-based and attribute-based rules. See Understanding policies and Overview of Cloud IAM Conditions for more information.
Parameter
  • new_version (Integer) — The syntax schema version of the policy.
Example

Updating Policy version 1 to version 3:

require "google/cloud/storage"

storage = Google::Cloud::Storage.new
bucket = storage.bucket "my-bucket"

bucket.uniform_bucket_level_access = true

bucket.policy requested_policy_version: 3 do |p|
  p.version # the value is 1
  p.version = 3

  expr = "resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")"
  p.bindings.insert({
                      role: "roles/storage.admin",
                      members: ["user:owner@example.com"],
                      condition: {
                        title: "my-condition",
                        description: "description of condition",
                        expression: expr
                      }
                    })
end