Identity and Access Management (IAM) v3beta API - Class AccessPolicyRule (1.0.0-beta03)

public sealed class AccessPolicyRule : IMessage<AccessPolicyRule>, IEquatable<AccessPolicyRule>, IDeepCloneable<AccessPolicyRule>, IBufferMessage, IMessage

Reference documentation and code samples for the Identity and Access Management (IAM) v3beta API class AccessPolicyRule.

Access Policy Rule that determines the behavior of the policy.

Inheritance

object > AccessPolicyRule

Namespace

Google.Cloud.Iam.V3Beta

Assembly

Google.Cloud.Iam.V3Beta.dll

Constructors

AccessPolicyRule()

public AccessPolicyRule()

AccessPolicyRule(AccessPolicyRule)

public AccessPolicyRule(AccessPolicyRule other)
Parameter
Name Description
other AccessPolicyRule

Properties

Conditions

public MapField<string, Expr> Conditions { get; }

Optional. The conditions that determine whether this rule applies to a request. Conditions are identified by their key, which is the FQDN of the service that they are relevant to. For example:

"conditions": {
 "iam.googleapis.com": {
  "expression": <cel expression>
 }
}

Each rule is evaluated independently. If this rule does not apply to a request, other rules might still apply. Currently supported keys are as follows:

  • eventarc.googleapis.com: Can use CEL functions that evaluate resource fields.

  • iam.googleapis.com: Can use CEL functions that evaluate resource tags and combine them using boolean and logical operators. Other functions and operators are not supported.

Property Value
Type Description
MapField<string, Expr>

Description

public string Description { get; set; }

Optional. Customer specified description of the rule. Must be less than or equal to 256 characters.

Property Value
Type Description
string

Effect

public AccessPolicyRule.Types.Effect Effect { get; set; }

Required. The effect of the rule.

Property Value
Type Description
AccessPolicyRule.Types.Effect

ExcludedPrincipals

public RepeatedField<string> ExcludedPrincipals { get; }

Optional. The identities that are excluded from the access policy rule, even if they are listed in the principals. For example, you could add a Google group to the principals, then exclude specific users who belong to that group.

Property Value
Type Description
RepeatedField<string>

HasDescription

public bool HasDescription { get; }

Gets whether the "description" field is set.

Property Value
Type Description
bool

HasEffect

public bool HasEffect { get; }

Gets whether the "effect" field is set.

Property Value
Type Description
bool

Operation

public AccessPolicyRule.Types.Operation Operation { get; set; }

Required. Attributes that are used to determine whether this rule applies to a request.

Property Value
Type Description
AccessPolicyRule.Types.Operation

Principals

public RepeatedField<string> Principals { get; }

Required. The identities whose use of one or more permissions on Google Cloud resources is governed by this rule's effect. This field can contain the following values:

  • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.

  • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.

  • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.

  • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

If an identifier that was previously set on a policy is soft deleted, then calls to read that policy will return the identifier with a deleted prefix. Users cannot set identifiers with this syntax.

  • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.

  • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.

  • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.

Property Value
Type Description
RepeatedField<string>
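The following is an added example, not code from this reference page or from the Google.Cloud.Iam.V3Beta library. It builds an AccessPolicyRule using the properties documented above and then audits it against the constraints the page states: the 256-character description limit, the required effect, the two currently supported condition keys, the documented principal syntaxes, and the deleted: prefix that only appears when a policy is read back after an identity was soft-deleted. It assumes the Expr type used by Conditions is Google.Type.Expr, and the CEL tag expression is illustrative; Effect is deliberately left unset because this page does not list the enum's values, so the audit reports it as missing.

```csharp
// Added example (not from the reference page or the Google.Cloud.Iam.V3Beta library).
using System;
using System.Collections.Generic;
using System.Linq;
using Google.Cloud.Iam.V3Beta;
using Google.Type; // Assumed: Expr is Google.Type.Expr (CEL expression wrapper)

public static class AccessPolicyRuleAudit
{
    // Condition keys the reference page lists as currently supported.
    static readonly HashSet<string> SupportedConditionKeys = new HashSet<string>
    {
        "eventarc.googleapis.com",
        "iam.googleapis.com",
    };

    // Principal syntaxes that users may set, as listed on the reference page.
    static readonly string[] SettablePrincipalPrefixes =
    {
        "principal://goog/subject/",
        "principal://iam.googleapis.com/projects/-/serviceAccounts/",
        "principalSet://goog/group/",
        "principalSet://goog/cloudIdentityCustomerId/",
    };

    // Returns one finding per documented constraint the rule violates or that
    // deserves review; an empty list means the rule looks as the page describes.
    public static List<string> Audit(AccessPolicyRule rule)
    {
        var findings = new List<string>();

        if (rule.HasDescription && rule.Description.Length > 256)
            findings.Add($"description is {rule.Description.Length} characters; limit is 256");

        if (!rule.HasEffect)
            findings.Add("effect is required but not set");

        foreach (var key in rule.Conditions.Keys)
            if (!SupportedConditionKeys.Contains(key))
                findings.Add($"condition key '{key}' is not a currently supported service FQDN");

        foreach (var p in rule.Principals)
            findings.AddRange(CheckPrincipal(p, "principals"));
        foreach (var p in rule.ExcludedPrincipals)
            findings.AddRange(CheckPrincipal(p, "excluded_principals"));

        return findings;
    }

    static IEnumerable<string> CheckPrincipal(string principal, string field)
    {
        if (principal.StartsWith("deleted:", StringComparison.Ordinal))
        {
            // The deleted: prefix is returned when a policy is read after the identity
            // was soft-deleted and cannot be set by users. It is worth flagging because
            // the identifier reverts to the live one if the identity is restored.
            yield return $"{field}: '{principal}' refers to a soft-deleted identity and " +
                         "reverts to the live identifier if that identity is restored";
            yield break;
        }
        if (!SettablePrincipalPrefixes.Any(prefix => principal.StartsWith(prefix, StringComparison.Ordinal)))
            yield return $"{field}: '{principal}' does not use a documented principal syntax";
    }

    public static void Main()
    {
        // Constructed sample rule. The identifiers are the illustrative values from the
        // reference page plus one deleted: identifier of the kind a read-back policy returns.
        var rule = new AccessPolicyRule
        {
            Description = "Admins group may act on prod-tagged resources, except Alice",
            // Effect intentionally not set: its enum values are not listed on this page.
        };
        rule.Principals.Add("principalSet://goog/group/admins@example.com");
        rule.Principals.Add("deleted:principal://goog/subject/alice@example.com?uid=1234567890");
        rule.ExcludedPrincipals.Add("principal://goog/subject/alice@example.com");
        rule.ExcludedPrincipals.Add("user:bob@example.com"); // constructed: not a documented syntax here

        // Illustrative CEL tag expression; the page only states that iam.googleapis.com
        // conditions may evaluate resource tags with boolean/logical operators.
        rule.Conditions["iam.googleapis.com"] = new Expr { Expression = "resource.matchTag('123456789012/env', 'prod')" };
        // Constructed unsupported key, to show the condition-key check firing.
        rule.Conditions["storage.googleapis.com"] = new Expr { Expression = "true" };

        foreach (var finding in Audit(rule))
            Console.WriteLine(finding);
    }
}
```

Run against the constructed rule, Audit reports four findings: the unset effect, the unsupported storage.googleapis.com condition key, the soft-deleted principal, and the excluded principal in an undocumented syntax. Because each rule is evaluated independently, a finding on one rule says nothing about whether other rules in the policy still apply to a request.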