Class: Google::Iam::V3beta::AccessPolicyRule

Inherits:
Object
  • Object
Extended by:
Protobuf::MessageExts::ClassMethods
Includes:
Protobuf::MessageExts
Defined in:
proto_docs/google/iam/v3beta/access_policy_resources.rb

Overview

Access Policy Rule that determines the behavior of the policy: for the principals and operation (permissions) it matches, and only when its conditions hold, the rule applies its effect (ALLOW or DENY).

Defined Under Namespace

Modules: Effect Classes: ConditionsEntry, Operation


Instance Attribute Details

#conditions::Google::Protobuf::Map{::String => ::Google::Type::Expr}

Returns Optional. The conditions that determine whether this rule applies to a request. Conditions are identified by their key, which is the FQDN of the service that they are relevant to. For example:

"conditions": {
 "iam.googleapis.com": {
  "expression": <cel expression>
 }
}

Each rule is evaluated independently: when this rule's conditions do not hold for a request, the rule and its effect are simply skipped for that request, but other rules in the policy might still apply to it. Currently supported keys are as follows:

  • eventarc.googleapis.com: Can use CEL functions that evaluate resource fields.

  • iam.googleapis.com: Can use CEL functions that evaluate resource tags and combine them using boolean and logical operators. Other functions and operators are not supported.

Returns:

  • (::Google::Protobuf::Map{::String => ::Google::Type::Expr})

    Optional. The conditions that determine whether this rule applies to a request. Conditions are identified by their key, which is the FQDN of the service that they are relevant to. For example:

    "conditions": {
     "iam.googleapis.com": {
      "expression": <cel expression>
     }
    }
    

    Each rule is evaluated independently: when this rule's conditions do not hold for a request, the rule and its effect are simply skipped for that request, but other rules in the policy might still apply to it. Currently supported keys are as follows:

    • eventarc.googleapis.com: Can use CEL functions that evaluate resource fields.

    • iam.googleapis.com: Can use CEL functions that evaluate resource tags and combine them using boolean and logical operators. Other functions and operators are not supported.



# File 'proto_docs/google/iam/v3beta/access_policy_resources.rb', line 172

class AccessPolicyRule
  extend ::Google::Protobuf::MessageExts::ClassMethods
  include ::Google::Protobuf::MessageExts

  # Generated map-entry message behind the rule's `conditions` map: `key` is the
  # FQDN of a service and `value` the CEL expression that must hold for this
  # rule to apply to requests for that service.
  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::Google::Type::Expr]
  class ConditionsEntry
    extend ::Google::Protobuf::MessageExts::ClassMethods
    include ::Google::Protobuf::MessageExts
  end

  # Whether a matching rule grants or denies access.
  module Effect
    # Proto3 zero value: no effect has been set. `effect` is a required field of
    # the rule, so this value carries no access decision of its own.
    EFFECT_UNSPECIFIED = 0

    # Deny access to the matched principals/permissions when the rule applies.
    DENY = 1

    # Grant access to the matched principals/permissions when the rule applies.
    ALLOW = 2
  end

  # Selects the permissions this rule covers, and so decides whether the rule
  # applies to a request at all.
  # @!attribute [rw] permissions
  #   @return [::Array<::String>]
  #     Optional. Permissions explicitly affected by this rule, each written as
  #     `{service_fqdn}/{resource}.{verb}`, with `{service_fqdn}` the fully
  #     qualified domain name of the service. Currently supported permissions:
  #
  #     * `eventarc.googleapis.com/messageBuses.publish`.
  # @!attribute [rw] excluded_permissions
  #   @return [::Array<::String>]
  #     Optional. Permissions carved out of the set given by `permissions`,
  #     written with the same syntax. A permission that appears in `permissions`
  #     _and_ in `excluded_permissions` is _not_ subject to the policy effect;
  #     the exclusion wins whether the effect is ALLOW or DENY.
  class Operation
    extend ::Google::Protobuf::MessageExts::ClassMethods
    include ::Google::Protobuf::MessageExts
  end
end

#description::String

Returns Optional. Customer specified description of the rule. Must be less than or equal to 256 characters.

Returns:

  • (::String)

    Optional. Customer specified description of the rule. Must be less than or equal to 256 characters.



# File 'proto_docs/google/iam/v3beta/access_policy_resources.rb', line 172

class AccessPolicyRule
  extend ::Google::Protobuf::MessageExts::ClassMethods
  include ::Google::Protobuf::MessageExts

  # Generated map-entry message behind the rule's `conditions` map: `key` is the
  # FQDN of a service and `value` the CEL expression that must hold for this
  # rule to apply to requests for that service.
  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::Google::Type::Expr]
  class ConditionsEntry
    extend ::Google::Protobuf::MessageExts::ClassMethods
    include ::Google::Protobuf::MessageExts
  end

  # Whether a matching rule grants or denies access.
  module Effect
    # Proto3 zero value: no effect has been set. `effect` is a required field of
    # the rule, so this value carries no access decision of its own.
    EFFECT_UNSPECIFIED = 0

    # Deny access to the matched principals/permissions when the rule applies.
    DENY = 1

    # Grant access to the matched principals/permissions when the rule applies.
    ALLOW = 2
  end

  # Selects the permissions this rule covers, and so decides whether the rule
  # applies to a request at all.
  # @!attribute [rw] permissions
  #   @return [::Array<::String>]
  #     Optional. Permissions explicitly affected by this rule, each written as
  #     `{service_fqdn}/{resource}.{verb}`, with `{service_fqdn}` the fully
  #     qualified domain name of the service. Currently supported permissions:
  #
  #     * `eventarc.googleapis.com/messageBuses.publish`.
  # @!attribute [rw] excluded_permissions
  #   @return [::Array<::String>]
  #     Optional. Permissions carved out of the set given by `permissions`,
  #     written with the same syntax. A permission that appears in `permissions`
  #     _and_ in `excluded_permissions` is _not_ subject to the policy effect;
  #     the exclusion wins whether the effect is ALLOW or DENY.
  class Operation
    extend ::Google::Protobuf::MessageExts::ClassMethods
    include ::Google::Protobuf::MessageExts
  end
end

#effect::Google::Iam::V3beta::AccessPolicyRule::Effect

Returns Required. The effect of the rule: Effect::DENY or Effect::ALLOW, applied to the principals and permissions the rule matches whenever its conditions hold. EFFECT_UNSPECIFIED (0) is only the proto3 zero value, meaning no effect was set; because this field is required, a rule should always set DENY or ALLOW explicitly.

Returns:



# File 'proto_docs/google/iam/v3beta/access_policy_resources.rb', line 172

class AccessPolicyRule
  extend ::Google::Protobuf::MessageExts::ClassMethods
  include ::Google::Protobuf::MessageExts

  # Generated map-entry message behind the rule's `conditions` map: `key` is the
  # FQDN of a service and `value` the CEL expression that must hold for this
  # rule to apply to requests for that service.
  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::Google::Type::Expr]
  class ConditionsEntry
    extend ::Google::Protobuf::MessageExts::ClassMethods
    include ::Google::Protobuf::MessageExts
  end

  # Whether a matching rule grants or denies access.
  module Effect
    # Proto3 zero value: no effect has been set. `effect` is a required field of
    # the rule, so this value carries no access decision of its own.
    EFFECT_UNSPECIFIED = 0

    # Deny access to the matched principals/permissions when the rule applies.
    DENY = 1

    # Grant access to the matched principals/permissions when the rule applies.
    ALLOW = 2
  end

  # Selects the permissions this rule covers, and so decides whether the rule
  # applies to a request at all.
  # @!attribute [rw] permissions
  #   @return [::Array<::String>]
  #     Optional. Permissions explicitly affected by this rule, each written as
  #     `{service_fqdn}/{resource}.{verb}`, with `{service_fqdn}` the fully
  #     qualified domain name of the service. Currently supported permissions:
  #
  #     * `eventarc.googleapis.com/messageBuses.publish`.
  # @!attribute [rw] excluded_permissions
  #   @return [::Array<::String>]
  #     Optional. Permissions carved out of the set given by `permissions`,
  #     written with the same syntax. A permission that appears in `permissions`
  #     _and_ in `excluded_permissions` is _not_ subject to the policy effect;
  #     the exclusion wins whether the effect is ALLOW or DENY.
  class Operation
    extend ::Google::Protobuf::MessageExts::ClassMethods
    include ::Google::Protobuf::MessageExts
  end
end

#excluded_principals::Array<::String>

Returns Optional. The identities that are excluded from the access policy rule, even if they are listed in the principals (directly, or through a group or customer set). The exclusion removes the identity from this rule regardless of its effect, so on a DENY rule an excluded principal is exempt from the denial just as on an ALLOW rule it is left out of the grant. For example, you could add a Google group to the principals, then exclude specific users who belong to that group.

Returns:

  • (::Array<::String>)

    Optional. The identities that are excluded from the access policy rule, even if they are listed in the principals (directly, or through a group or customer set). The exclusion removes the identity from this rule regardless of its effect, so on a DENY rule an excluded principal is exempt from the denial just as on an ALLOW rule it is left out of the grant. For example, you could add a Google group to the principals, then exclude specific users who belong to that group.



# File 'proto_docs/google/iam/v3beta/access_policy_resources.rb', line 172

class AccessPolicyRule
  extend ::Google::Protobuf::MessageExts::ClassMethods
  include ::Google::Protobuf::MessageExts

  # Generated map-entry message behind the rule's `conditions` map: `key` is the
  # FQDN of a service and `value` the CEL expression that must hold for this
  # rule to apply to requests for that service.
  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::Google::Type::Expr]
  class ConditionsEntry
    extend ::Google::Protobuf::MessageExts::ClassMethods
    include ::Google::Protobuf::MessageExts
  end

  # Whether a matching rule grants or denies access.
  module Effect
    # Proto3 zero value: no effect has been set. `effect` is a required field of
    # the rule, so this value carries no access decision of its own.
    EFFECT_UNSPECIFIED = 0

    # Deny access to the matched principals/permissions when the rule applies.
    DENY = 1

    # Grant access to the matched principals/permissions when the rule applies.
    ALLOW = 2
  end

  # Selects the permissions this rule covers, and so decides whether the rule
  # applies to a request at all.
  # @!attribute [rw] permissions
  #   @return [::Array<::String>]
  #     Optional. Permissions explicitly affected by this rule, each written as
  #     `{service_fqdn}/{resource}.{verb}`, with `{service_fqdn}` the fully
  #     qualified domain name of the service. Currently supported permissions:
  #
  #     * `eventarc.googleapis.com/messageBuses.publish`.
  # @!attribute [rw] excluded_permissions
  #   @return [::Array<::String>]
  #     Optional. Permissions carved out of the set given by `permissions`,
  #     written with the same syntax. A permission that appears in `permissions`
  #     _and_ in `excluded_permissions` is _not_ subject to the policy effect;
  #     the exclusion wins whether the effect is ALLOW or DENY.
  class Operation
    extend ::Google::Protobuf::MessageExts::ClassMethods
    include ::Google::Protobuf::MessageExts
  end
end

#operation::Google::Iam::V3beta::AccessPolicyRule::Operation

Returns Required. Attributes that are used to determine whether this rule applies to a request: the permissions the rule covers (Operation#permissions) minus any it carves out (Operation#excluded_permissions).

Returns:



# File 'proto_docs/google/iam/v3beta/access_policy_resources.rb', line 172

class AccessPolicyRule
  extend ::Google::Protobuf::MessageExts::ClassMethods
  include ::Google::Protobuf::MessageExts

  # Generated map-entry message behind the rule's `conditions` map: `key` is the
  # FQDN of a service and `value` the CEL expression that must hold for this
  # rule to apply to requests for that service.
  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::Google::Type::Expr]
  class ConditionsEntry
    extend ::Google::Protobuf::MessageExts::ClassMethods
    include ::Google::Protobuf::MessageExts
  end

  # Whether a matching rule grants or denies access.
  module Effect
    # Proto3 zero value: no effect has been set. `effect` is a required field of
    # the rule, so this value carries no access decision of its own.
    EFFECT_UNSPECIFIED = 0

    # Deny access to the matched principals/permissions when the rule applies.
    DENY = 1

    # Grant access to the matched principals/permissions when the rule applies.
    ALLOW = 2
  end

  # Selects the permissions this rule covers, and so decides whether the rule
  # applies to a request at all.
  # @!attribute [rw] permissions
  #   @return [::Array<::String>]
  #     Optional. Permissions explicitly affected by this rule, each written as
  #     `{service_fqdn}/{resource}.{verb}`, with `{service_fqdn}` the fully
  #     qualified domain name of the service. Currently supported permissions:
  #
  #     * `eventarc.googleapis.com/messageBuses.publish`.
  # @!attribute [rw] excluded_permissions
  #   @return [::Array<::String>]
  #     Optional. Permissions carved out of the set given by `permissions`,
  #     written with the same syntax. A permission that appears in `permissions`
  #     _and_ in `excluded_permissions` is _not_ subject to the policy effect;
  #     the exclusion wins whether the effect is ALLOW or DENY.
  class Operation
    extend ::Google::Protobuf::MessageExts::ClassMethods
    include ::Google::Protobuf::MessageExts
  end
end

#principals::Array<::String>

Returns Required. The identities whose use of one or more permissions on Google Cloud resources is governed by this rule's effect. This field can contain the following values:

  • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.

  • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.

  • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.

  • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

If an identity that was previously set on a policy is soft deleted, then calls to read that policy will return its identifier with a deleted: prefix and a ?uid= suffix. Users cannot set identifiers with this syntax; the forms below are read-only, and each reverts to the standard identifier (so the rule applies to that identity again) if the identity is restored.

  • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.

  • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.

  • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.

Returns:

  • (::Array<::String>)

    Required. The identities whose use of one or more permissions on Google Cloud resources is governed by this rule's effect. This field can contain the following values:

    • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.

    • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.

    • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.

    • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

    If an identity that was previously set on a policy is soft deleted, then calls to read that policy will return its identifier with a deleted: prefix and a ?uid= suffix. Users cannot set identifiers with this syntax; the forms below are read-only, and each reverts to the standard identifier (so the rule applies to that identity again) if the identity is restored.

    • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.

    • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.

    • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.



# File 'proto_docs/google/iam/v3beta/access_policy_resources.rb', line 172

class AccessPolicyRule
  extend ::Google::Protobuf::MessageExts::ClassMethods
  include ::Google::Protobuf::MessageExts

  # Generated map-entry message behind the rule's `conditions` map: `key` is the
  # FQDN of a service and `value` the CEL expression that must hold for this
  # rule to apply to requests for that service.
  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::Google::Type::Expr]
  class ConditionsEntry
    extend ::Google::Protobuf::MessageExts::ClassMethods
    include ::Google::Protobuf::MessageExts
  end

  # Whether a matching rule grants or denies access.
  module Effect
    # Proto3 zero value: no effect has been set. `effect` is a required field of
    # the rule, so this value carries no access decision of its own.
    EFFECT_UNSPECIFIED = 0

    # Deny access to the matched principals/permissions when the rule applies.
    DENY = 1

    # Grant access to the matched principals/permissions when the rule applies.
    ALLOW = 2
  end

  # Selects the permissions this rule covers, and so decides whether the rule
  # applies to a request at all.
  # @!attribute [rw] permissions
  #   @return [::Array<::String>]
  #     Optional. Permissions explicitly affected by this rule, each written as
  #     `{service_fqdn}/{resource}.{verb}`, with `{service_fqdn}` the fully
  #     qualified domain name of the service. Currently supported permissions:
  #
  #     * `eventarc.googleapis.com/messageBuses.publish`.
  # @!attribute [rw] excluded_permissions
  #   @return [::Array<::String>]
  #     Optional. Permissions carved out of the set given by `permissions`,
  #     written with the same syntax. A permission that appears in `permissions`
  #     _and_ in `excluded_permissions` is _not_ subject to the policy effect;
  #     the exclusion wins whether the effect is ALLOW or DENY.
  class Operation
    extend ::Google::Protobuf::MessageExts::ClassMethods
    include ::Google::Protobuf::MessageExts
  end
end