`AccessPolicyRule(mapping=None, *, ignore_unknown_fields=False, **kwargs)`

Access Policy Rule that determines the behavior of the policy.
Attributes

- `description` (`str`): Optional. Customer-specified description of the rule. Must be less than or equal to 256 characters. This field is a member of [oneof](https://proto-plus-python.readthedocs.io/en/stable/fields.html#oneofs-mutually-exclusive-fields) `_description`.
- `effect` (`google.cloud.iam_v3beta.types.AccessPolicyRule.Effect`): Required. The effect of the rule. This field is a member of [oneof](https://proto-plus-python.readthedocs.io/en/stable/fields.html#oneofs-mutually-exclusive-fields) `_effect`.
- `principals` (`MutableSequence[str]`): Required. The identities whose use of one or more permissions on Google Cloud resources is governed by this rule's effect. This field can contain the following values:
  - `principal://goog/subject/{email_id}`: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, `principal://goog/subject/alice@example.com`.
  - `principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}`: A Google Cloud service account. For example, `principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com`.
  - `principalSet://goog/group/{group_id}`: A Google group. For example, `principalSet://goog/group/admins@example.com`.
  - `principalSet://goog/cloudIdentityCustomerId/{customer_id}`: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, `principalSet://goog/cloudIdentityCustomerId/C01Abc35`.

  If an identifier that was previously set on a policy is soft deleted, then calls to read that policy will return the identifier with a `deleted` prefix. Users cannot set identifiers with this syntax.

  - `deleted:principal://goog/subject/{email_id}?uid={uid}`: A specific Google Account that was deleted recently. For example, `deleted:principal://goog/subject/alice@example.com?uid=1234567890`. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
  - `deleted:principalSet://goog/group/{group_id}?uid={uid}`: A Google group that was deleted recently. For example, `deleted:principalSet://goog/group/admins@example.com?uid=1234567890`. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
  - `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}`: A Google Cloud service account that was deleted recently. For example, `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890`. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
- `excluded_principals` (`MutableSequence[str]`): Optional. The identities that are excluded from the access policy rule, even if they are listed in `principals`. For example, you could add a Google group to `principals`, then exclude specific users who belong to that group.
- `operation` (`google.cloud.iam_v3beta.types.AccessPolicyRule.Operation`): Required. Attributes that are used to determine whether this rule applies to a request.
- `conditions` (`MutableMapping[str, google.type.expr_pb2.Expr]`): Optional. The conditions that determine whether this rule applies to a request. Conditions are identified by their key, which is the FQDN of the service that they are relevant to. For example: `"conditions": { "iam.googleapis.com": { "expression":`
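As an added example (not code from the client library or this reference), the parser below classifies the principal identifier syntaxes listed under `principals`, flags the read-only `deleted:` form that a caller cannot write back, and models how an `excluded_principals` entry overrides a group listed in `principals`. The evaluation semantics in `rule_covers`, the `memberships` input, and the regular expressions are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed patterns for the identifier syntaxes listed under `principals`.
# The "deleted:" prefix and "?uid=" suffix mark a soft-deleted identity and only appear together.
_PATTERNS = {
    "subject": r"principal://goog/subject/(?P<id>[^?]+)",
    "service_account": r"principal://iam\.googleapis\.com/projects/-/serviceAccounts/(?P<id>[^?]+)",
    "group": r"principalSet://goog/group/(?P<id>[^?]+)",
    "customer": r"principalSet://goog/cloudIdentityCustomerId/(?P<id>[^?]+)",
}
_UID = r"(?:\?uid=(?P<uid>\d+))?"


@dataclass(frozen=True)
class Principal:
    kind: str
    ident: str
    deleted: bool
    uid: Optional[str]  # only present on soft-deleted identifiers


def parse_principal(value: str) -> Principal:
    """Classify one principals/excluded_principals entry; ValueError on unknown syntax."""
    deleted = value.startswith("deleted:")
    body = value[len("deleted:"):] if deleted else value
    for kind, pattern in _PATTERNS.items():
        m = re.fullmatch(pattern + _UID, body)
        if m is None:
            continue
        if deleted != (m.group("uid") is not None):
            raise ValueError(f"'deleted:' prefix and '?uid=' must appear together: {value}")
        return Principal(kind, m.group("id"), deleted, m.group("uid"))
    raise ValueError(f"unrecognised principal identifier: {value}")


def unsettable(identifiers: Iterable[str]) -> list[str]:
    """Entries a caller cannot write back: the soft-deleted form is returned on read only."""
    return [v for v in identifiers if parse_principal(v).deleted]


def rule_covers(principals, excluded_principals, subject: str, memberships: Iterable[str] = ()) -> bool:
    """Assumed evaluation model: `memberships` are the group / customer-ID identifiers the
    subject belongs to; an excluded_principals match wins over any principals match, and
    soft-deleted entries select nobody."""
    held = {(p.kind, p.ident) for p in map(parse_principal, [subject, *memberships])}

    def matches(entries: Iterable[str]) -> bool:
        return any((p.kind, p.ident) in held for p in map(parse_principal, entries) if not p.deleted)

    return matches(principals) and not matches(excluded_principals)
```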
Classes

ConditionsEntry

`ConditionsEntry(mapping=None, *, ignore_unknown_fields=False, **kwargs)`

The abstract base class for a message.
Parameters

| Name | Description |
|---|---|
| `kwargs` | `dict` Keys and values corresponding to the fields of the message. |
| `mapping` | `Union[dict,` A dictionary or message to be used to determine the values for this message. |
| `ignore_unknown_fields` | `Optional(bool)` If True, do not raise errors for unknown fields. Only applied if |
Effect

`Effect(value)`

An effect to describe the access relationship.

Operation

`Operation(mapping=None, *, ignore_unknown_fields=False, **kwargs)`

Attributes that are used to determine whether this rule applies to a request.