You are viewing archived v1.22 Service Mesh documentation.

Available versions

Cloud Service Mesh latest
Cloud Service Mesh 1.26 archive
Cloud Service Mesh 1.24 archive
Cloud Service Mesh 1.24 archive
Cloud Service Mesh 1.23 archive
Cloud Service Mesh 1.22 archive
Cloud Service Mesh 1.21 archive
Cloud Service Mesh 1.20 archive
Anthos Service Mesh 1.19 archive

REST Resource: projects.locations.authorizationPolicies

Resource: AuthorizationPolicy
- JSON representation
Action
Rule
- JSON representation
Source
- JSON representation
Destination
- JSON representation
HttpHeaderMatch
- JSON representation
Methods

Resource: AuthorizationPolicy

AuthorizationPolicy is a resource that specifies how a server should authorize incoming connections. This resource in itself does not change the configuration unless it's attached to a target https proxy or endpoint config selector resource.

JSON representation
{ "name": string, "description": string, "createTime": string, "updateTime": string, "labels": { string: string, ... }, "action": enum (`Action`), "rules": [ { object (`Rule`) } ] }

Fields
`name`	`string` Required. Name of the AuthorizationPolicy resource. It matches pattern `projects/{project}/locations/{location}/authorizationPolicies/<authorizationPolicy>`.
`description`	`string` Optional. Free-text description of the resource.
`createTime`	`string (Timestamp format)` Output only. The timestamp when the resource was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: `"2014-10-02T15:01:23Z"` and `"2014-10-02T15:01:23.045123456Z"`.
`updateTime`	`string (Timestamp format)` Output only. The timestamp when the resource was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: `"2014-10-02T15:01:23Z"` and `"2014-10-02T15:01:23.045123456Z"`.
`labels`	`map (key: string, value: string)` Optional. Set of label tags associated with the AuthorizationPolicy resource. An object containing a list of `"key": value` pairs. Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
`action`	`enum (Action)` Required. The action to take when a rule match is found. Possible values are "ALLOW" or "DENY".
`rules[]`	`object (Rule)` Optional. List of rules to match. Note that at least one of the rules must match in order for the action specified in the 'action' field to be taken. A rule is a match if there is a matching source and destination. If left blank, the action specified in the `action` field will be applied on every request.

Action

Possible values that define what action to take.

Enums
`ACTION_UNSPECIFIED`	Default value.
`ALLOW`	Grant access.
`DENY`	Deny access. Deny rules should be avoided unless they are used to provide a default "deny all" fallback.

Rule

Specification of rules.

JSON representation
{ "sources": [ { object (`Source`) } ], "destinations": [ { object (`Destination`) } ] }

Fields

Fields
`sources[]`	`object (Source)` Optional. List of attributes for the traffic source. All of the sources must match. A source is a match if both principals and ipBlocks match. If not set, the action specified in the 'action' field will be applied without any rule checks for the source.
`destinations[]`	`object (Destination)` Optional. List of attributes for the traffic destination. All of the destinations must match. A destination is a match if a request matches all the specified hosts, ports, methods and headers. If not set, the action specified in the 'action' field will be applied without any rule checks for the destination.

sources[]

object (Source)

Optional. List of attributes for the traffic source. All of the sources must match. A source is a match if both principals and ipBlocks match. If not set, the action specified in the 'action' field will be applied without any rule checks for the source.

destinations[]

object (Destination)

Optional. List of attributes for the traffic destination. All of the destinations must match. A destination is a match if a request matches all the specified hosts, ports, methods and headers. If not set, the action specified in the 'action' field will be applied without any rule checks for the destination.

Source

Specification of traffic source attributes.

JSON representation
{ "principals": [ string ], "ipBlocks": [ string ] }

Fields

Fields
`principals[]`	`string` Optional. List of peer identities to match for authorization. At least one principal should match. Each peer can be an exact match, or a prefix match (example, "namespace/") or a suffix match (example, "/service-account") or a presence match "*". Authorization based on the principal name without certificate validation (configured by ServerTlsPolicy resource) is considered insecure.
`ipBlocks[]`	`string` Optional. List of CIDR ranges to match based on source IP address. At least one IP block should match. Single IP (e.g., "1.2.3.4") and CIDR (e.g., "1.2.3.0/24") are supported. Authorization based on source IP alone should be avoided. The IP addresses of any load balancers or proxies should be considered untrusted.

principals[]

string

Optional. List of peer identities to match for authorization. At least one principal should match. Each peer can be an exact match, or a prefix match (example, "namespace/*") or a suffix match (example, "*/service-account") or a presence match "*". Authorization based on the principal name without certificate validation (configured by ServerTlsPolicy resource) is considered insecure.

ipBlocks[]

string

Optional. List of CIDR ranges to match based on source IP address. At least one IP block should match. Single IP (e.g., "1.2.3.4") and CIDR (e.g., "1.2.3.0/24") are supported. Authorization based on source IP alone should be avoided. The IP addresses of any load balancers or proxies should be considered untrusted.

Destination

Specification of traffic destination attributes.

JSON representation
{ "hosts": [ string ], "ports": [ integer ], "methods": [ string ], "httpHeaderMatch": { object (`HttpHeaderMatch`) } }

Fields
`hosts[]`	`string` Required. List of host names to match. Matched against the ":authority" header in http requests. At least one host should match. Each host can be an exact match, or a prefix match (example "mydomain.") or a suffix match (example ".myorg.com") or a presence (any) match "*".
`ports[]`	`integer (uint32 format)` Required. List of destination ports to match. At least one port should match.
`methods[]`	`string` Optional. A list of HTTP methods to match. At least one method should match. Should not be set for gRPC services.
`httpHeaderMatch`	`object (HttpHeaderMatch)` Optional. Match against key:value pair in http header. Provides a flexible match based on HTTP headers, for potentially advanced use cases. At least one header should match. Avoid using header matches to make authorization decisions unless there is a strong guarantee that requests arrive through a trusted client or proxy.

HttpHeaderMatch

Specification of HTTP header match attributes.

JSON representation
{ "headerName": string, // Union field `type` can be only one of the following: "regexMatch": string // End of list of possible types for union field `type`. }

Fields

Fields
`headerName`	`string` Required. The name of the HTTP header to match. For matching against the HTTP request's authority, use a headerMatch with the header name ":authority". For matching a request's method, use the headerName ":method".
Union field `type`. `type` can be only one of the following:
`regexMatch`	`string` Required. The value of the header must match the regular expression specified in regexMatch. For regular expression grammar, please see: en.cppreference.com/w/cpp/regex/ecmascript For matching against a port specified in the HTTP request, use a headerMatch with headerName set to Host and a regular expression that satisfies the RFC2616 Host header's port specifier.

headerName

string

Required. The name of the HTTP header to match. For matching against the HTTP request's authority, use a headerMatch with the header name ":authority". For matching a request's method, use the headerName ":method".

Union field type.

type can be only one of the following:

regexMatch

string

Required. The value of the header must match the regular expression specified in regexMatch. For regular expression grammar, please see: en.cppreference.com/w/cpp/regex/ecmascript For matching against a port specified in the HTTP request, use a headerMatch with headerName set to Host and a regular expression that satisfies the RFC2616 Host header's port specifier.

Methods
`create`	Creates a new AuthorizationPolicy in a given project and location.
`delete`	Deletes a single AuthorizationPolicy.
`get`	Gets details of a single AuthorizationPolicy.
`getIamPolicy`	Gets the access control policy for a resource.
`list`	Lists AuthorizationPolicies in a given project and location.
`patch`	Updates the parameters of a single AuthorizationPolicy.
`setIamPolicy`	Sets the access control policy on the specified resource.
`testIamPermissions`	Returns permissions that a caller has on the specified resource.

REST Resource: projects.locations.authorizationPolicies

Resource: AuthorizationPolicy

Action

Rule

Source

Destination

HttpHeaderMatch

Methods

`create`

`delete`

`get`

`getIamPolicy`

`list`

`patch`

`setIamPolicy`

`testIamPermissions`