Resource: AuthorizationPolicy
AuthorizationPolicy is a resource that specifies how a server should authorize incoming connections. This resource in itself does not change the configuration unless it's attached to a target https proxy or endpoint config selector resource.
| JSON representation |
|---|
{ "name": string, "description": string, "createTime": string, "updateTime": string, "labels": { string: string, ... }, "action": enum ( |
| Fields | |
|---|---|
name |
Required. Name of the AuthorizationPolicy resource. It matches pattern |
description |
Optional. Free-text description of the resource. |
createTime |
Output only. The timestamp when the resource was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
updateTime |
Output only. The timestamp when the resource was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
labels |
Optional. Set of label tags associated with the AuthorizationPolicy resource. An object containing a list of |
action |
Required. The action to take when a rule match is found. Possible values are "ALLOW" or "DENY". |
rules[] |
Optional. List of rules to match. Note that at least one of the rules must match in order for the action specified in the 'action' field to be taken. A rule is a match if there is a matching source and destination. If left blank, the action specified in the |
Action
Possible values that define what action to take.
| Enums | |
|---|---|
ACTION_UNSPECIFIED |
Default value. |
ALLOW |
Grant access. |
DENY |
Deny access. Deny rules should be avoided unless they are used to provide a default "deny all" fallback. |
Rule
Specification of rules.
| JSON representation |
|---|
{ "sources": [ { object ( |
| Fields | |
|---|---|
sources[] |
Optional. List of attributes for the traffic source. All of the sources must match. A source is a match if both principals and ipBlocks match. If not set, the action specified in the 'action' field will be applied without any rule checks for the source. |
destinations[] |
Optional. List of attributes for the traffic destination. All of the destinations must match. A destination is a match if a request matches all the specified hosts, ports, methods and headers. If not set, the action specified in the 'action' field will be applied without any rule checks for the destination. |
Source
Specification of traffic source attributes.
| JSON representation |
|---|
{ "principals": [ string ], "ipBlocks": [ string ] } |
| Fields | |
|---|---|
principals[] |
Optional. List of peer identities to match for authorization. At least one principal should match. Each peer can be an exact match, or a prefix match (example, "namespace/*") or a suffix match (example, "*/service-account") or a presence match "*". Authorization based on the principal name without certificate validation (configured by ServerTlsPolicy resource) is considered insecure. |
ipBlocks[] |
Optional. List of CIDR ranges to match based on source IP address. At least one IP block should match. Single IP (e.g., "1.2.3.4") and CIDR (e.g., "1.2.3.0/24") are supported. Authorization based on source IP alone should be avoided. The IP addresses of any load balancers or proxies should be considered untrusted. |
Destination
Specification of traffic destination attributes.
| JSON representation |
|---|
{
"hosts": [
string
],
"ports": [
integer
],
"methods": [
string
],
"httpHeaderMatch": {
object ( |
| Fields | |
|---|---|
hosts[] |
Required. List of host names to match. Matched against the ":authority" header in http requests. At least one host should match. Each host can be an exact match, or a prefix match (example "mydomain.*") or a suffix match (example "*.myorg.com") or a presence (any) match "*". |
ports[] |
Required. List of destination ports to match. At least one port should match. |
methods[] |
Optional. A list of HTTP methods to match. At least one method should match. Should not be set for gRPC services. |
httpHeaderMatch |
Optional. Match against key:value pair in http header. Provides a flexible match based on HTTP headers, for potentially advanced use cases. At least one header should match. Avoid using header matches to make authorization decisions unless there is a strong guarantee that requests arrive through a trusted client or proxy. |
HttpHeaderMatch
Specification of HTTP header match attributes.
| JSON representation |
|---|
{ "headerName": string, "regexMatch": string } |
| Fields | |
|---|---|
headerName |
Required. The name of the HTTP header to match. For matching against the HTTP request's authority, use a headerMatch with the header name ":authority". For matching a request's method, use the headerName ":method". |
regexMatch |
Required. The value of the header must match the regular expression specified in regexMatch. For regular expression grammar, please see: en.cppreference.com/w/cpp/regex/ecmascript For matching against a port specified in the HTTP request, use a headerMatch with headerName set to Host and a regular expression that satisfies the RFC2616 Host header's port specifier. |
Methods |
|
|---|---|
|
Creates a new AuthorizationPolicy in a given project and location. |
|
Deletes a single AuthorizationPolicy. |
|
Gets details of a single AuthorizationPolicy. |
|
Gets the access control policy for a resource. |
|
Lists AuthorizationPolicies in a given project and location. |
|
Updates the parameters of a single AuthorizationPolicy. |
|
Sets the access control policy on the specified resource. |
|
Returns permissions that a caller has on the specified resource. |