Using Access Context Manager, you can make bulk updates to resources that belong to your organization's access policy, such as access levels and service perimeters. Changes to your resources are applied only if all parts of the bulk operation are successful.
This topic describes only bulk replacement of service perimeters. For more information about bulk replacement of access levels, refer to the Access Context Manager documentation.
Before you begin
Because a bulk operation replaces every service perimeter in your organization's access policy, first obtain a complete list of your existing perimeters. Listing them as YAML also gives you a file you can edit and pass back to the bulk command, which makes the change easier and lets you confirm that no perimeter is dropped by accident.
To get a formatted list of service perimeters, refer to List service perimeters (formatted).
Bulk replace service perimeters
The following section details how to bulk replace your service perimeters.
gcloud
To bulk replace all service perimeters, use the replace-all command:

gcloud beta access-context-manager perimeters replace-all \
    --source-file=FILE \
    --etag=ETAG \
    [--policy=POLICY_NAME]
Where:
FILE is the path of a .yaml file that defines the complete set of service perimeters for the access policy. Any existing perimeter that is not listed in the file is removed by the replacement, so the file must contain every perimeter you want to keep, not only the ones you are changing.
For example:
- name: accessPolicies/11271009391/servicePerimeters/storage_perimeter
  title: Storage Perimeter
  description: Perimeter to protect Storage resources.
  perimeterType: PERIMETER_TYPE_REGULAR
  status:
    restrictedServices:
    - storage.googleapis.com
- name: accessPolicies/11271009391/servicePerimeters/bigquery_perimeter
  title: BigQuery Perimeter
  description: Perimeter to protect BigQuery resources.
  perimeterType: PERIMETER_TYPE_REGULAR
  status:
    restrictedServices:
    - bigquery.googleapis.com
For more information about formatting the YAML file, refer to the JSON structure of Access Context Manager's ServicePerimeterConfig object.
ETAG (optional) is a string that identifies the version of your organization's access policy that the replacement targets. If the policy's current etag differs from the one you pass, the operation fails and no perimeters are changed. If you omit the etag, the bulk operation targets the latest version of your organization's access policy, so a change that someone else made between your listing and your replace-all is overwritten without warning.
To obtain the latest etag of your access policy, list your access policies.
POLICY_NAME is the name of your organization's access policy. This value is required only if you haven't set a default access policy.
API
To bulk replace all service perimeters, call servicePerimeters.replaceAll:
POST https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME/servicePerimeters.replaceAll?alt=json
Where:
- POLICY_NAME is the name of your organization's access policy.
Request body
The request body must include a list of ServicePerimeterConfig objects that specifies the complete set of service perimeters the policy should contain after the call. Existing perimeters that are not in the list are removed.
Optionally, to target a specific version of your organization's access policy, you can include an etag. If you do not include an etag, the bulk operation targets the latest version of your organization's access policy.
For example:
{
  "servicePerimeters": [
    object (ServicePerimeterConfig),
    object (ServicePerimeterConfig),
    ...
  ],
  "etag": string
}
Response body
If successful, the response body for the call contains an Operation resource that provides details about the replace operation. Check that the Operation's done field is true and that it carries a response rather than an error before relying on the new state: the replacement is atomic, so a failed operation leaves the existing perimeters unchanged.
Example response:
{
  "name": "operations/accessPolicies/11271009391/replacePerimeters/1583523447707087",
  "done": true,
  "response": {
    "@type": "type.googleapis.com/google.identity.accesscontextmanager.v1.ReplaceServicePerimetersResponse",
    "servicePerimeters": [
      {
        "name": "accessPolicies/11271009391/servicePerimeters/storage_perimeter",
        "title": "Storage Perimeter",
        "description": "Perimeter to protect Storage resources.",
        "status": {
          "accessLevels": [
            "accessPolicies/11271009391/accessLevels/corpnet_access"
          ],
          "restrictedServices": [
            "bigtable.googleapis.com"
          ]
        }
      },
      {
        "name": "accessPolicies/11271009391/servicePerimeters/bigquery_perimeter",
        "title": "BigQuery Perimeter",
        "description": "Perimeter to protect BigQuery resources.",
        "status": {
          "accessLevels": [
            "accessPolicies/11271009391/accessLevels/prodnet_access"
          ],
          "restrictedServices": [
            "bigtable.googleapis.com"
          ]
        }
      }
    ]
  }
}
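The following Python script is an added example; it is not code from Google or from the Access Context Manager documentation. It serves both procedures above (the replace-all source file for gcloud and the servicePerimeters.replaceAll request and Operation for the API): it diffs a proposed perimeter set against the currently listed one to surface the deletions and newly unrestricted services that a bulk replacement would cause silently, builds the request body with the etag, and checks the returned Operation before trusting the new state. The perimeter data, the etag and the Operation are constructed for illustration, the function names are my own, and nothing here calls the API.

```python
"""Plan, build and check a servicePerimeters.replaceAll call (added example,
not Google's code).  Works on plain dicts shaped like the JSON that
`gcloud access-context-manager perimeters list --format=json` or the REST API
returns, so it runs offline; all data below is constructed for illustration."""
import json

POLICY = "accessPolicies/11271009391"  # policy from the page's examples
PREFIX = POLICY + "/servicePerimeters/"

def perimeter(short_name, title, services):
    """Build a ServicePerimeterConfig-shaped dict (constructed sample data)."""
    return {"name": PREFIX + short_name, "title": title,
            "perimeterType": "PERIMETER_TYPE_REGULAR",
            "status": {"restrictedServices": list(services)}}

# Constructed: what the policy holds now, as a list call would return it.
CURRENT_PERIMETERS = [
    perimeter("storage_perimeter", "Storage Perimeter", ["storage.googleapis.com"]),
    perimeter("bigquery_perimeter", "BigQuery Perimeter",
              ["bigquery.googleapis.com", "bigtable.googleapis.com"]),
]
# Constructed: the file an operator wants to push.  It omits bigquery_perimeter,
# which replaceAll would therefore delete.
DESIRED_PERIMETERS = [
    perimeter("storage_perimeter", "Storage Perimeter", ["storage.googleapis.com"]),
]

def _restricted_services(perimeters):
    """Every service restricted by at least one perimeter in the set."""
    return {s for p in perimeters
            for s in p.get("status", {}).get("restrictedServices", [])}

def plan_replace_all(current, desired, prefix=PREFIX):
    """What replaceAll would do: because it swaps the whole set, a perimeter
    missing from `desired` is a deletion, and a service restricted by no
    remaining perimeter loses VPC Service Controls protection."""
    cur = {p["name"]: p for p in current}
    new = {p["name"]: p for p in desired}
    return {
        "added": sorted(new.keys() - cur.keys()),
        "removed": sorted(cur.keys() - new.keys()),
        "changed": sorted(n for n in cur.keys() & new.keys() if cur[n] != new[n]),
        "unprotected_services": sorted(
            _restricted_services(current) - _restricted_services(desired)),
        # names under another policy would be rejected or applied elsewhere
        "wrong_policy": sorted(n for n in new if not n.startswith(prefix)),
    }

def is_safe_plan(plan):
    """CI gate: refuse plans that delete perimeters, unprotect services or
    reference another policy; additions and edits still need human review."""
    return not (plan["removed"] or plan["unprotected_services"] or plan["wrong_policy"])

def build_replace_all_request(desired, etag=None):
    """Body for POST .../servicePerimeters.replaceAll.  Pass the etag from the
    policy listing so the call fails instead of overwriting a version that
    changed since you listed the perimeters."""
    body = {"servicePerimeters": desired}
    if etag is not None:
        body["etag"] = etag
    return body

def replaced_perimeter_names(operation):
    """Read the Operation replaceAll returns.  Raises unless it is done and
    succeeded; on failure nothing was applied, so do not assume the new state."""
    if not operation.get("done"):
        raise RuntimeError("operation not finished; poll operations.get first")
    if "error" in operation:
        err = operation["error"]
        raise RuntimeError(f"replaceAll failed: {err.get('code')} {err.get('message')}")
    return [p["name"] for p in operation["response"]["servicePerimeters"]]

# Constructed: a successful Operation in the shape the API returns.
SAMPLE_OPERATION = {
    "name": "operations/" + POLICY + "/replacePerimeters/1583523447707087",
    "done": True,
    "response": {
        "@type": "type.googleapis.com/google.identity.accesscontextmanager.v1."
                 "ReplaceServicePerimetersResponse",
        "servicePerimeters": DESIRED_PERIMETERS,
    },
}

if __name__ == "__main__":
    plan = plan_replace_all(CURRENT_PERIMETERS, DESIRED_PERIMETERS)
    print(json.dumps(plan, indent=2))
    print("safe to send:", is_safe_plan(plan))  # False: bigquery_perimeter vanishes
    body = build_replace_all_request(DESIRED_PERIMETERS, etag="constructed-etag")
    print(json.dumps(body, indent=2))
    print("now in policy:", replaced_perimeter_names(SAMPLE_OPERATION))
```

In practice you would feed plan_replace_all the output of a perimeters list call and the parsed contents of your replace-all file, run is_safe_plan in the pipeline that applies the change, and pass the etag from the policy listing into build_replace_all_request so a concurrent edit makes the call fail instead of being silently replaced.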