Identity and Access Management¶

Non-API-specific IAM policy definitions

For allowed roles / permissions, see: https://cloud.google.com/iam/docs/understanding-roles

Example usage:

# ``get_iam_policy`` returns a :class:'~google.api_core.iam.Policy`.
policy = resource.get_iam_policy()

phred = policy.user("phred@example.com")
admin_group = policy.group("admins@groups.example.com")
account = policy.service_account("account-1234@accounts.example.com")
policy["roles/owner"] = [phred, admin_group, account]
policy["roles/editor"] = policy.authenticated_users()
policy["roles/viewer"] = policy.all_users()

resource.set_iam_policy(policy)

google.api_core.iam.OWNER_ROLE = 'roles/owner'¶: Generic role implying all rights to an object.

google.api_core.iam.EDITOR_ROLE = 'roles/editor'¶: Generic role implying rights to modify an object.

google.api_core.iam.VIEWER_ROLE = 'roles/viewer'¶: Generic role implying rights to access an object.

class google.api_core.iam.Policy(etag=None, version=None)[source]¶

Bases: collections.abc.MutableMapping

IAM Policy

See https://cloud.google.com/iam/reference/rest/v1/Policy

Parameters

etag (Optional[str]) – ETag used to identify a unique of the policy
version (Optional[int]) – unique version of the policy

property owners¶

Legacy access to owner role.

DEPRECATED: use policy["roles/owners"] instead.

property editors¶

Legacy access to editor role.

DEPRECATED: use policy["roles/editors"] instead.

property viewers¶

Legacy access to viewer role.

DEPRECATED: use policy["roles/viewers"] instead

static user(email)[source]¶

Factory method for a user member.

Parameters: email (str) – E-mail for this particular user.
Returns: A member string corresponding to the given user.
Return type: str

static service_account(email)[source]¶

Factory method for a service account member.

Parameters: email (str) – E-mail for this particular service account.
Returns: A member string corresponding to the given service account.
Return type: str

static group(email)[source]¶

Factory method for a group member.

Parameters: email (str) – An id or e-mail for this particular group.
Returns: A member string corresponding to the given group.
Return type: str

static domain(domain)[source]¶

Factory method for a domain member.

Parameters: domain (str) – The domain for this member.
Returns: A member string corresponding to the given domain.
Return type: str

static all_users()[source]¶

Factory method for a member representing all users.

Returns: A member string representing all users.
Return type: str

static authenticated_users()[source]¶

Factory method for a member representing all authenticated users.

Returns: A member string representing all authenticated users.
Return type: str

classmethod from_api_repr(resource)[source]¶

Factory: create a policy from a JSON resource.

Parameters: resource (dict) – policy resource returned by getIamPolicy API.
Returns: the parsed policy
Return type: Policy

to_api_repr()[source]¶

Render a JSON policy resource.

Returns: a resource to be passed to the setIamPolicy API.
Return type: dict

Identity and Access Management¶

google-api-core

Navigation

Related Topics