Class GoogleIamV2DenyRule
A deny rule in an IAM deny policy.
Namespace: Google.Apis.Iam.v2.Data
Assembly: Google.Apis.Iam.v2.dll
Syntax
public class GoogleIamV2DenyRule : IDirectResponseSchema
Properties
DenialCondition
The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied. Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply. The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.
Declaration
[JsonProperty("denialCondition")]
public virtual GoogleTypeExpr DenialCondition { get; set; }
Property Value
Type | Description |
---|---|
GoogleTypeExpr |
DeniedPermissions
The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.
Declaration
[JsonProperty("deniedPermissions")]
public virtual IList<string> DeniedPermissions { get; set; }
Property Value
Type | Description |
---|---|
IList<string> |
DeniedPrincipals
The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:

* principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
* principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
* principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
* principalSet://goog/public:all: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.
* principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.
* principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}: A single identity in a workforce identity pool.
* principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/group/{group_id}: All workforce identities in a group.
* principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/attribute.{attribute_name}/{attribute_value}: All workforce identities with a specific attribute value.
* principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/*: All identities in a workforce identity pool.
* principal://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/subject/{subject_attribute_value}: A single identity in a workload identity pool.
* principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/group/{group_id}: A workload identity pool group.
* principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/attribute.{attribute_name}/{attribute_value}: All identities in a workload identity pool with a certain attribute.
* principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/*: All identities in a workload identity pool.
* deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
* deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
* deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
* deleted:principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}: Deleted single identity in a workforce identity pool. For example, deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-pool-id/subject/my-subject-attribute-value.
Declaration
[JsonProperty("deniedPrincipals")]
public virtual IList<string> DeniedPrincipals { get; set; }
Property Value
Type | Description |
---|---|
IList<string> |
ETag
The ETag of the item.
Declaration
public virtual string ETag { get; set; }
Property Value
Type | Description |
---|---|
string |
ExceptionPermissions
Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions, then it will not be denied. The excluded permissions can be specified using the same syntax as denied_permissions.
Declaration
[JsonProperty("exceptionPermissions")]
public virtual IList<string> ExceptionPermissions { get; set; }
Property Value
Type | Description |
---|---|
IList<string> |
ExceptionPrincipals
The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group. This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.
Declaration
[JsonProperty("exceptionPrincipals")]
public virtual IList<string> ExceptionPrincipals { get; set; }
Property Value
Type | Description |
---|---|
IList<string> |
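The following is an added example, not part of the Google.Apis.Iam.v2 reference. It constructs a GoogleIamV2DenyRule that uses every property documented above (DeniedPrincipals, ExceptionPrincipals, DeniedPermissions, ExceptionPermissions and DenialCondition) and then mirrors the documented list semantics locally: a request is denied only when the principal matches DeniedPrincipals without matching ExceptionPrincipals, the permission is in DeniedPermissions without being in ExceptionPermissions, and the condition evaluated to true. The identities, group memberships and request set are constructed for the example; the CEL function resource.matchTag and the tag key ID placeholder are assumptions, since the page only says that tag-evaluating CEL functions are supported; and the local evaluator takes the condition result as an input, because only IAM can evaluate it against real resource tags.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Google.Apis.Iam.v2.Data; // assumes the Google.Apis.Iam.v2 NuGet package is referenced

public static class DenyRuleExample
{
    // Builds a deny rule from the properties documented on this page.
    public static GoogleIamV2DenyRule BuildRule()
    {
        return new GoogleIamV2DenyRule
        {
            // Everyone in the admins group and one service account are denied ...
            DeniedPrincipals = new List<string>
            {
                "principalSet://goog/group/admins@example.com",
                "principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com",
            },
            // ... except alice, even though she is a member of admins.
            ExceptionPrincipals = new List<string>
            {
                "principal://goog/subject/alice@example.com",
            },
            // Both permissions are denied ...
            DeniedPermissions = new List<string>
            {
                "iam.googleapis.com/roles.list",
                "iam.googleapis.com/roles.delete",
            },
            // ... but roles.list is carved back out: a permission in both lists is not denied.
            ExceptionPermissions = new List<string>
            {
                "iam.googleapis.com/roles.list",
            },
            // Apply the rule only to resources NOT tagged env=prod.
            // resource.matchTag is an assumed CEL tag function; the tag key ID is a placeholder.
            DenialCondition = new GoogleTypeExpr
            {
                Title = "Skip resources tagged env=prod",
                Expression = "!resource.matchTag('TAG_KEY_ID_PLACEHOLDER/env', 'prod')",
            },
        };
    }

    // Local mirror of the documented list semantics (constructed for this example).
    // identities: every identifier the requesting principal matches, i.e. its own
    //   principal:// id plus the principalSet:// groups it belongs to.
    // conditionHolds: the result IAM obtained for DenialCondition on this request;
    //   false means the rule does not apply at all.
    public static bool IsDenied(GoogleIamV2DenyRule rule, IEnumerable<string> identities,
                                string permission, bool conditionHolds)
    {
        if (!conditionHolds) return false;
        var ids = new HashSet<string>(identities, StringComparer.Ordinal);

        bool principalDenied = rule.DeniedPrincipals != null && rule.DeniedPrincipals.Any(ids.Contains);
        bool principalExcepted = rule.ExceptionPrincipals != null && rule.ExceptionPrincipals.Any(ids.Contains);

        bool permissionDenied = rule.DeniedPermissions != null && rule.DeniedPermissions.Contains(permission);
        bool permissionExcepted = rule.ExceptionPermissions != null && rule.ExceptionPermissions.Contains(permission);

        return principalDenied && !principalExcepted && permissionDenied && !permissionExcepted;
    }

    public static void Main()
    {
        var rule = BuildRule();
        const string Admins = "principalSet://goog/group/admins@example.com";
        const string Alice = "principal://goog/subject/alice@example.com";
        const string Bob = "principal://goog/subject/bob@example.com";
        const string Carol = "principal://goog/subject/carol@example.com";
        const string Sa = "principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com";

        // Constructed request set: who is asking, which permission, and whether the condition held.
        var requests = new (string Who, string[] Ids, string Perm, bool Cond)[]
        {
            ("bob (admins member)",        new[] { Bob, Admins },   "iam.googleapis.com/roles.delete", true),
            ("bob (admins member)",        new[] { Bob, Admins },   "iam.googleapis.com/roles.list",   true),
            ("alice (admins, excepted)",   new[] { Alice, Admins }, "iam.googleapis.com/roles.delete", true),
            ("service account, prod tag",  new[] { Sa },            "iam.googleapis.com/roles.delete", false),
            ("service account, no tag",    new[] { Sa },            "iam.googleapis.com/roles.delete", true),
            ("carol (not listed)",         new[] { Carol },         "iam.googleapis.com/roles.delete", true),
        };

        foreach (var r in requests)
            Console.WriteLine($"{r.Who,-28} {r.Perm,-34} denied={IsDenied(rule, r.Ids, r.Perm, r.Cond)}");
    }
}
```

Only the two bob/roles.delete and service-account/no-tag requests come out denied: alice is shielded by ExceptionPrincipals although she matches the denied group, roles.list is shielded by ExceptionPermissions, the prod-tagged request is skipped because the condition evaluated to false, and carol never matches DeniedPrincipals. When reviewing a real policy, the same two questions (which list the principal matches, and which list the permission lands in) are the ones to answer before deciding whether a rule closes or leaves open a path.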