REST Resource: projects.locations.authorizationPolicies

Resource: AuthorizationPolicy

AuthorizationPolicy is a resource that specifies how a server should authorize incoming connections. This resource in itself does not change the configuration unless it's attached to a target https proxy or endpoint config selector resource.

JSON representation
{
  "name": string,
  "description": string,
  "createTime": string,
  "updateTime": string,
  "labels": {
    string: string,
    ...
  },
  "action": enum (Action),
  "rules": [
    {
      object (Rule)
    }
  ]
}
Fields
name

string

Required. Name of the AuthorizationPolicy resource. It matches the pattern projects/{project}/locations/{location}/authorizationPolicies/{authorizationPolicy}.

description

string

Optional. Free-text description of the resource.

createTime

string (Timestamp format)

Output only. The timestamp when the resource was created.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

updateTime

string (Timestamp format)

Output only. The timestamp when the resource was updated.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

labels

map (key: string, value: string)

Optional. Set of label tags associated with the AuthorizationPolicy resource.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

action

enum (Action)

Required. The action to take when a rule match is found. Possible values are "ALLOW" or "DENY".

rules[]

object (Rule)

Optional. List of rules to match. Note that at least one of the rules must match in order for the action specified in the 'action' field to be taken. A rule is a match if there is a matching source and destination. If left blank, the action specified in the action field will be applied on every request.

Action

Possible values that define what action to take.

Enums
ACTION_UNSPECIFIED Default value.
ALLOW Grant access.
DENY Deny access. Deny rules should be avoided unless they are used to provide a default "deny all" fallback.

Rule

Specification of rules.

JSON representation
{
  "sources": [
    {
      object (Source)
    }
  ],
  "destinations": [
    {
      object (Destination)
    }
  ]
}
Fields
sources[]

object (Source)

Optional. List of attributes for the traffic source. All of the sources must match. A source is a match if both principals and ipBlocks match. If not set, the action specified in the 'action' field will be applied without any rule checks for the source.

destinations[]

object (Destination)

Optional. List of attributes for the traffic destination. All of the destinations must match. A destination is a match if a request matches all the specified hosts, ports, methods and headers. If not set, the action specified in the 'action' field will be applied without any rule checks for the destination.

Source

Specification of traffic source attributes.

JSON representation
{
  "principals": [
    string
  ],
  "ipBlocks": [
    string
  ]
}
Fields
principals[]

string

Optional. List of peer identities to match for authorization. At least one principal should match. Each entry can be an exact match, a prefix match (for example "namespace/*"), a suffix match (for example "*/service-account") or a presence match "*". Authorization based on the principal name without certificate validation (configured by the ServerTlsPolicy resource) is considered insecure.

ipBlocks[]

string

Optional. List of CIDR ranges to match based on source IP address. At least one IP block should match. Single IP (e.g., "1.2.3.4") and CIDR (e.g., "1.2.3.0/24") are supported. Authorization based on source IP alone should be avoided. The IP addresses of any load balancers or proxies should be considered untrusted.

Destination

Specification of traffic destination attributes.

JSON representation
{
  "hosts": [
    string
  ],
  "ports": [
    integer
  ],
  "methods": [
    string
  ],
  "httpHeaderMatch": {
    object (HttpHeaderMatch)
  }
}
Fields
hosts[]

string

Required. List of host names to match. Matched against the ":authority" header in HTTP requests. At least one host should match. Each host can be an exact match, a prefix match (for example "mydomain.*"), a suffix match (for example "*.myorg.com") or a presence (any) match "*".

ports[]

integer (uint32 format)

Required. List of destination ports to match. At least one port should match.

methods[]

string

Optional. A list of HTTP methods to match. At least one method should match. Should not be set for gRPC services.

httpHeaderMatch

object (HttpHeaderMatch)

Optional. Match against key:value pair in http header. Provides a flexible match based on HTTP headers, for potentially advanced use cases. At least one header should match. Avoid using header matches to make authorization decisions unless there is a strong guarantee that requests arrive through a trusted client or proxy.

HttpHeaderMatch

Specification of HTTP header match attributes.

JSON representation
{
  "headerName": string,

  // Union field type can be only one of the following:
  "regexMatch": string
  // End of list of possible types for union field type.
}
Fields
headerName

string

Required. The name of the HTTP header to match. For matching against the HTTP request's authority, use a headerMatch with the header name ":authority". For matching a request's method, use the headerName ":method".

Union field type.

type can be only one of the following:

regexMatch

string

Required. The value of the header must match the regular expression specified in regexMatch. For the regular expression grammar, see en.cppreference.com/w/cpp/regex/ecmascript. For matching against a port specified in the HTTP request, use a headerMatch with headerName set to Host and a regular expression that satisfies the RFC2616 Host header's port specifier.
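As an added illustration, not part of the API reference and not the service's own implementation, the following Python evaluator applies the matching semantics documented above for Rule, Source, Destination and HttpHeaderMatch to a constructed request. The request dictionary layout, the spiffe:// principal names and the sample policy values are assumptions made here.

```python
import ipaddress
import re

def _pattern_match(pattern, value):
    # Exact, prefix ("ns/*"), suffix ("*/sa") or presence ("*") match, as documented.
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return value == pattern

def _any_match(patterns, value):
    # "At least one should match"; an unset list leaves the attribute unchecked.
    return not patterns or any(_pattern_match(p, value) for p in patterns)

def _source_matches(source, req):
    blocks = source.get("ipBlocks", [])
    ip_ok = not blocks or any(ipaddress.ip_address(req["src_ip"]) in
                              ipaddress.ip_network(b, strict=False) for b in blocks)
    return _any_match(source.get("principals", []), req["principal"]) and ip_ok

def _destination_matches(dest, req):
    hm = dest.get("httpHeaderMatch")
    if hm is not None:  # whole header value must match (Python re, not ECMAScript)
        value = req["headers"].get(hm["headerName"].lower(), "")
        if re.fullmatch(hm["regexMatch"], value) is None:
            return False
    ports, methods = dest.get("ports", []), dest.get("methods", [])
    return (_any_match(dest.get("hosts", []), req["authority"])
            and (not ports or req["port"] in ports)
            and (not methods or req["method"] in methods))

def _rule_matches(rule, req):
    # Field docs: every listed source and destination must match; unset = unchecked.
    return (all(_source_matches(s, req) for s in rule.get("sources", []))
            and all(_destination_matches(d, req) for d in rule.get("destinations", [])))

def evaluate(policy, req):
    # Return the policy's action if it applies to req, otherwise None (no decision).
    rules = policy.get("rules", [])
    if not rules or any(_rule_matches(r, req) for r in rules):
        return policy["action"]
    return None

# Constructed sample policy (assumed values): prod workloads from 10/8 may GET *.example.com:443.
POLICY = {"action": "ALLOW", "rules": [{
    "sources": [{"principals": ["spiffe://example.org/ns/prod/*"], "ipBlocks": ["10.0.0.0/8"]}],
    "destinations": [{"hosts": ["*.example.com"], "ports": [443], "methods": ["GET"]}]}]}
```

A policy with an empty rules list returns its action for every request, which is how a default "deny all" fallback behaves.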

Methods

create

Creates a new AuthorizationPolicy in a given project and location.

delete

Deletes a single AuthorizationPolicy.

get

Gets details of a single AuthorizationPolicy.

getIamPolicy

Gets the access control policy for a resource.

list

Lists AuthorizationPolicies in a given project and location.

patch

Updates the parameters of a single AuthorizationPolicy.

setIamPolicy

Sets the access control policy on the specified resource.

testIamPermissions

Returns permissions that a caller has on the specified resource.