Class: Google::Apis::ComputeAlpha::Policy
- Inherits:
-
Object
- Object
- Google::Apis::ComputeAlpha::Policy
- Defined in:
- generated/google/apis/compute_alpha/classes.rb,
generated/google/apis/compute_alpha/representations.rb,
generated/google/apis/compute_alpha/representations.rb
Overview
An Identity and Access Management (IAM) policy, which specifies access
controls for Google Cloud resources.
A Policy
is a collection of bindings
. A binding
binds one or more
members
to a single role
. Members can be user accounts, service accounts,
Google groups, and domains (such as G Suite). A role
is a named list of
permissions; each role
can be an IAM predefined role or a user-created
custom role.
Optionally, a binding
can specify a condition
, which is a logical
expression that allows access to a resource only if the expression evaluates
to true
. A condition can add constraints based on attributes of the request,
the resource, or both.
JSON example:
"bindings": [
"role": "roles/resourcemanager.organizationAdmin", "members":
[ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "
serviceAccount:my-project-id@appspot.gserviceaccount.com" ] ,
"role": "
roles/resourcemanager.organizationViewer", "members": ["user:eve@example.com"],
"condition": "title": "expirable access", "description": "Does not grant
access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:
00:00.000Z')",
], "etag": "BwWWja0YfJA=", "version": 3
YAML example:
bindings: - members: - user:mike@example.com - group:admins@example.com -
domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com
role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.
com role: roles/resourcemanager.organizationViewer condition: title: expirable
access description: Does not grant access after Sep 2020 expression: request.
time < timestamp('2020-10-01T00:00:00.000Z') - etag: BwWWja0YfJA= - version: 3
For a description of IAM and its features, see the IAM documentation.
Instance Attribute Summary collapse
-
#audit_configs ⇒ Array<Google::Apis::ComputeAlpha::AuditConfig>
Specifies cloud audit logging configuration for this policy.
-
#bindings ⇒ Array<Google::Apis::ComputeAlpha::Binding>
Associates a list of
members
to arole
. -
#etag ⇒ String
etag
is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. -
#iam_owned ⇒ Boolean
(also: #iam_owned?)
Corresponds to the JSON property
iamOwned
. -
#rules ⇒ Array<Google::Apis::ComputeAlpha::Rule>
If more than one rule is specified, the rules are applied in the following manner: - All matching LOG rules are always applied.
-
#version ⇒ Fixnum
Specifies the format of the policy.
Instance Method Summary collapse
-
#initialize(**args) ⇒ Policy
constructor
A new instance of Policy.
-
#update!(**args) ⇒ Object
Update properties of this object.
Methods included from Google::Apis::Core::JsonObjectSupport
Methods included from Google::Apis::Core::Hashable
Constructor Details
#initialize(**args) ⇒ Policy
Returns a new instance of Policy.
23950 23951 23952 |
# File 'generated/google/apis/compute_alpha/classes.rb', line 23950 def initialize(**args) update!(**args) end |
Instance Attribute Details
#audit_configs ⇒ Array<Google::Apis::ComputeAlpha::AuditConfig>
Specifies cloud audit logging configuration for this policy.
Corresponds to the JSON property auditConfigs
23889 23890 23891 |
# File 'generated/google/apis/compute_alpha/classes.rb', line 23889 def audit_configs @audit_configs end |
#bindings ⇒ Array<Google::Apis::ComputeAlpha::Binding>
Associates a list of members
to a role
. Optionally, may specify a
condition
that determines how and when the bindings
are applied. Each of
the bindings
must contain at least one member.
Corresponds to the JSON property bindings
23896 23897 23898 |
# File 'generated/google/apis/compute_alpha/classes.rb', line 23896 def bindings @bindings end |
#etag ⇒ String
etag
is used for optimistic concurrency control as a way to help prevent
simultaneous updates of a policy from overwriting each other. It is strongly
suggested that systems make use of the etag
in the read-modify-write cycle
to perform policy updates in order to avoid race conditions: An etag
is
returned in the response to getIamPolicy
, and systems are expected to put
that etag in the request to setIamPolicy
to ensure that their change will be
applied to the same version of the policy.
Important: If you use IAM Conditions, you must include the etag
field
whenever you call setIamPolicy
. If you omit this field, then IAM allows you
to overwrite a version 3
policy with a version 1
policy, and all of the
conditions in the version 3
policy are lost.
Corresponds to the JSON property etag
NOTE: Values are automatically base64 encoded/decoded in the client library.
23912 23913 23914 |
# File 'generated/google/apis/compute_alpha/classes.rb', line 23912 def etag @etag end |
#iam_owned ⇒ Boolean Also known as: iam_owned?
Corresponds to the JSON property iamOwned
23917 23918 23919 |
# File 'generated/google/apis/compute_alpha/classes.rb', line 23917 def iam_owned @iam_owned end |
#rules ⇒ Array<Google::Apis::ComputeAlpha::Rule>
If more than one rule is specified, the rules are applied in the following
manner: - All matching LOG rules are always applied. - If any DENY/
DENY_WITH_LOG rule matches, permission is denied. Logging will be applied if
one or more matching rule requires logging. - Otherwise, if any ALLOW/
ALLOW_WITH_LOG rule matches, permission is granted. Logging will be applied if
one or more matching rule requires logging. - Otherwise, if no rule applies,
permission is denied.
Corresponds to the JSON property rules
23929 23930 23931 |
# File 'generated/google/apis/compute_alpha/classes.rb', line 23929 def rules @rules end |
#version ⇒ Fixnum
Specifies the format of the policy.
Valid values are 0
, 1
, and 3
. Requests that specify an invalid value are
rejected.
Any operation that affects conditional role bindings must specify version 3
.
This requirement applies to the following operations:
- Getting a policy that includes a conditional role binding * Adding a
conditional role binding to a policy * Changing a conditional role binding in
a policy * Removing any role binding, with or without a condition, from a
policy that includes conditions
Important: If you use IAM Conditions, you must include the
etag
field whenever you callsetIamPolicy
. If you omit this field, then IAM allows you to overwrite a version3
policy with a version1
policy, and all of the conditions in the version3
policy are lost. If a policy does not include any conditions, operations on that policy may specify any valid version or leave the field unset. Corresponds to the JSON propertyversion
23948 23949 23950 |
# File 'generated/google/apis/compute_alpha/classes.rb', line 23948 def version @version end |
Instance Method Details
#update!(**args) ⇒ Object
Update properties of this object
23955 23956 23957 23958 23959 23960 23961 23962 |
# File 'generated/google/apis/compute_alpha/classes.rb', line 23955 def update!(**args) @audit_configs = args[:audit_configs] if args.key?(:audit_configs) @bindings = args[:bindings] if args.key?(:bindings) @etag = args[:etag] if args.key?(:etag) @iam_owned = args[:iam_owned] if args.key?(:iam_owned) @rules = args[:rules] if args.key?(:rules) @version = args[:version] if args.key?(:version) end |