Configure temporary access
This topic describes how to set temporary (expiring) access to Google Cloud resources using conditional role bindings in your allow policies. By using the date/time attributes, you can enforce time-based controls when accessing a given resource. For example, you can grant temporary access to a project that starts and stops at a specified time or on a scheduled and recurring basis.
Note: The examples on this page show how to modify access to a project. However, you can adapt these steps to modify access to any Google Cloud resource that accepts IAM allow policies. For a list of these resource types, see Resource types that accept allow policies.
Before you begin
- Read Conditions Overview to understand the basics of Identity and Access Management (IAM) conditional role bindings.
- Review the date/time attributes that can be used in a condition expression. Date/time attributes are recognized by all Google Cloud services.
Required roles
To get the permissions that you need to manage conditional role bindings, ask your administrator to grant you the following IAM roles:
- To manage access to projects: Project IAM Admin (roles/resourcemanager.projectIamAdmin) on the project
- To manage access to folders: Folder Admin (roles/resourcemanager.folderAdmin) on the folder
- To manage access to projects, folders, and organizations: Organization Admin (roles/resourcemanager.organizationAdmin) on the organization
- To manage access to almost all Google Cloud resources: Security Admin (roles/iam.securityAdmin) on the project, folder, or organization whose resources you want to manage access to
For more information about granting roles, see Manage access to projects, folders, and organizations.
These predefined roles contain the permissions required to manage conditional role bindings. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to manage conditional role bindings:
- To manage access to projects: resourcemanager.projects.getIamPolicy and resourcemanager.projects.setIamPolicy on the project
- To manage access to folders: resourcemanager.folders.getIamPolicy and resourcemanager.folders.setIamPolicy on the folder
- To manage access to organizations: resourcemanager.organizations.getIamPolicy and resourcemanager.organizations.setIamPolicy on the organization
You might also be able to get these permissions with custom roles or other predefined roles.
Grant temporary access
A conditional role binding can be used to grant time-bounded access to a resource, ensuring that a user can no longer access the resource after the specified expiry date and time.
Consider the following scenario: the company ExampleCo's information security rules emphasize that no employee should have indefinite access to resources in production projects. Previously, the admins have been manually setting and deleting IAM role bindings to meet the engineers' emergency needs. To reduce administrative overhead, ExampleCo can instead configure a conditional role binding with a date/time condition to set an end date for the binding.
Note: You cannot use conditions when you grant legacy basic roles, including Owner (roles/owner), Editor (roles/editor), and Viewer (roles/viewer). Also, you cannot use conditions when you grant roles to all users (allUsers) or all authenticated users (allAuthenticatedUsers).
To grant expirable access to a project resource:
Console
In the Google Cloud console, go to the IAM page.
From the list of principals, locate the desired principal and click the Edit principal (pencil) button.
From the Edit permissions panel, locate the desired role to configure a condition for. Then under IAM condition (optional), click Add IAM condition.
In the Edit condition panel, enter a title and optional description for the condition.
You can add a condition expression using either the Condition builder or the Condition editor. The condition builder provides an interactive interface to select your desired condition type, operator, and other applicable details about the expression. The condition editor provides a text-based interface to manually enter an expression using CEL syntax.
Condition builder:
- From the Condition type drop-down, select Expiring Access.
- From the Operator drop-down, select by.
- From the Time drop-down, click the button to select a date and time.
- Click Save to apply the condition.
- After the Edit condition panel is closed, click Save again from the Edit permissions panel to update your allow policy.
Condition editor:
Click the Condition editor tab and enter the following expression (replacing the timestamp with your own):
request.time < timestamp("2020-07-01T00:00:00.000Z")
The trailing Z marks the timestamp as UTC, so convert a deadline that you think of in local time to UTC before entering it. After entering your expression, you can optionally validate the CEL syntax by clicking Run Linter above the text box on the top right.
Click Save to apply the condition.
After the Edit condition panel is closed, click Save again from the Edit permissions panel to update your allow policy.
gcloud
Allow policies are set using the read-modify-write pattern.
Execute the gcloud projects get-iam-policy command to get the current allow policy for the project. In the following example, the JSON version of the allow policy is downloaded to a path on disk.
Command:
gcloud projects get-iam-policy project-id --format=json > filepath
The JSON format of the allow policy is downloaded:
{
  "bindings": [
    {
      "members": ["user:my-user@example.com"],
      "role": "roles/owner"
    },
    {
      "members": ["group:my-group@example.com"],
      "role": "roles/iam.securityReviewer"
    }
  ],
  "etag": "BwWKmjvelug=",
  "version": 1
}
To configure the allow policy with expirable access, add a condition to the group's binding as shown below (replacing the timestamp with your own). Leave the etag exactly as it was returned: set-iam-policy uses it to reject the write if the policy changed since you read it, so a concurrent edit is not silently overwritten. The gcloud CLI updates the version automatically:
{
  "bindings": [
    {
      "members": ["user:my-user@example.com"],
      "role": "roles/owner"
    },
    {
      "members": ["group:my-group@example.com"],
      "role": "roles/iam.securityReviewer",
      "condition": {
        "title": "Expires_July_1_2020",
        "description": "Expires on July 1, 2020",
        "expression": "request.time < timestamp('2020-07-01T00:00:00.000Z')"
      }
    }
  ],
  "etag": "BwWKmjvelug=",
  "version": 3
}
Next, set the new allow policy by executing the gcloud projects set-iam-policy command:
gcloud projects set-iam-policy project-id filepath
The new allow policy is applied, and the group's role grant expires at the specified time. The binding itself is not deleted when its condition stops matching; it stays in the policy, granting nothing, until you remove it.
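The "modify" step above is where mistakes happen: forgetting to bump the version, dropping the etag, attaching a condition to a basic role, or adding a conditional binding while the same principal still holds the role unconditionally (in which case the expiry changes nothing). The following is an added example for this page, not code from the Google Cloud documentation or SDKs, and it calls no Google API. It works on the policy JSON that gcloud projects get-iam-policy --format=json returns and produces the JSON you would pass to set-iam-policy. The sample policy and its etag are constructed; the function names are this example's own.

```python
"""Offline model of the "modify" step in the IAM read-modify-write flow.

Added example for this page, not code from Google Cloud. It applies the
rules the page states: policy version 3 for conditional bindings, the
etag carried over unchanged, and no conditions on basic roles or on the
public principals.
"""
import copy
import re
from datetime import datetime, timezone

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Shape of the expiry expression this page uses: request.time < timestamp('...')
EXPIRY_RE = re.compile(r"^request\.time\s*<\s*timestamp\(['\"]([^'\"]+)['\"]\)$")

# Constructed sample: a policy as returned by get-iam-policy before any
# condition exists. The etag value is illustrative.
SAMPLE_POLICY = {
    "bindings": [
        {"members": ["user:my-user@example.com"], "role": "roles/owner"},
        {"members": ["group:my-group@example.com"],
         "role": "roles/iam.securityReviewer"},
    ],
    "etag": "BwWKmjvelug=",
    "version": 1,
}


def utc(*ymdhm):
    """Aware UTC datetime from (year, month, day[, hour, minute])."""
    return datetime(*ymdhm, tzinfo=timezone.utc)


def cel_timestamp(t):
    """Render an aware datetime as the UTC literal CEL's timestamp() expects."""
    if t.tzinfo is None:
        raise ValueError("expiry must be timezone-aware")
    return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def add_expiring_binding(policy, role, member, expires_at, title, description=""):
    """Return a copy of `policy` in which `member` holds `role` only until
    `expires_at`. If the member currently holds the role without a
    condition, that grant is converted rather than left alongside: an
    unconditional binding would keep the access alive after the expiry."""
    if role in BASIC_ROLES:
        raise ValueError(f"conditions are not supported on basic role {role}")
    if member in PUBLIC_MEMBERS:
        raise ValueError(f"conditions are not supported for {member}")

    new = copy.deepcopy(policy)  # never mutate the policy we read
    for b in new["bindings"]:
        if b["role"] == role and "condition" not in b and member in b["members"]:
            b["members"].remove(member)
    new["bindings"] = [b for b in new["bindings"] if b["members"]]

    stamp = cel_timestamp(expires_at)
    new["bindings"].append({
        "role": role,
        "members": [member],
        "condition": {
            "title": title,
            "description": description or f"Expires at {stamp}",
            "expression": f"request.time < timestamp('{stamp}')",
        },
    })
    new["version"] = 3  # conditional bindings require policy version 3
    # The etag is deliberately left as read: setIamPolicy rejects the write
    # if the policy changed in between, instead of overwriting that change.
    return new


def expired_bindings(policy, now):
    """Bindings whose expiry condition has already passed. IAM keeps them in
    the policy; they grant nothing but clutter access reviews and diffs."""
    out = []
    for b in policy.get("bindings", []):
        m = EXPIRY_RE.match(b.get("condition", {}).get("expression", ""))
        if m:
            expiry = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
            if expiry <= now:
                out.append(b)
    return out


if __name__ == "__main__":
    import json
    updated = add_expiring_binding(
        SAMPLE_POLICY, "roles/iam.securityReviewer", "group:my-group@example.com",
        utc(2020, 7, 1), "Expires_July_1_2020", "Expires on July 1, 2020")
    print(json.dumps(updated, indent=2))
    print("expired as of 2024:", [b["role"] for b in expired_bindings(updated, utc(2024, 1, 1))])
```

Run it and diff the output against the policy on the page; the only differences are the condition block and the version. Running expired_bindings over a policy you read from a project is a cheap periodic check for bindings whose expiry has passed and that should be removed.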
REST
Use the read-modify-write pattern to allow access until a specific time.
First, read the allow policy for the project:
The Resource Manager API's projects.getIamPolicy method gets a project's allow policy.
Before using any of the request data, make the following replacements:
PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
POLICY_VERSION: The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.
HTTP method and URL:
POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:getIamPolicy
Request JSON body:
{
  "options": {
    "requestedPolicyVersion": POLICY_VERSION
  }
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list. Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:getIamPolicy"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list. Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:getIamPolicy" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
You should receive a JSON response similar to the following:
{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/owner",
      "members": ["user:my-user@example.com"]
    },
    {
      "role": "roles/iam.securityReviewer",
      "members": ["group:my-group@example.com"]
    }
  ]
}
Next, modify the allow policy so that it allows access until a specific time. Make sure to change the version field to the value 3, which is required for any policy that contains conditions, and keep the etag you received:
{
  "version": 3,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/owner",
      "members": ["user:my-user@example.com"]
    },
    {
      "role": "roles/iam.securityReviewer",
      "members": ["group:my-group@example.com"],
      "condition": {
        "title": "Expires_July_1_2020",
        "description": "Expires on July 1, 2020",
        "expression": "request.time < timestamp('2020-07-01T00:00:00.000Z')"
      }
    }
  ]
}
Finally, write the updated allow policy:
The Resource Manager API's projects.setIamPolicy method sets the allow policy in the request as the project's new allow policy.
Before using any of the request data, make the following replacements:
PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
HTTP method and URL:
POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setIamPolicy
Request JSON body:
{
  "policy": {
    "version": 3,
    "etag": "BwWKmjvelug=",
    "bindings": [
      {
        "role": "roles/owner",
        "members": ["user:my-user@example.com"]
      },
      {
        "role": "roles/iam.securityReviewer",
        "members": ["group:my-group@example.com"],
        "condition": {
          "title": "Expires_July_1_2020",
          "description": "Expires on July 1, 2020",
          "expression": "request.time < timestamp('2020-07-01T00:00:00.000Z')"
        }
      }
    ]
  }
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list. Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setIamPolicy"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list. Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setIamPolicy" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
The response contains the updated allow policy.
Note: If you treat policies as code and store them in a version-control system, you should store the policy that is returned, not the policy that you sent in the request.
Manage access based on days/hours of the week
A conditional role binding can be used to grant access to a resource only withincertain days or hours of the week on a recurring basis.
Consider the following scenario: the company ExampleCo has a quality assurance project. The entire QA team is required to have highly privileged roles to complete their work. ExampleCo has to abide by labor laws in their location, which limit work hours to Monday through Friday from 9 AM to 5 PM. ExampleCo can use date/time conditions to ensure that their employees are only able to access Google Cloud during the work week and during scheduled work hours.
Note: You cannot use conditions when you grant legacy basic roles, including Owner (roles/owner), Editor (roles/editor), and Viewer (roles/viewer). Also, you cannot use conditions when you grant roles to all users (allUsers) or all authenticated users (allAuthenticatedUsers).
To grant access to a project resource for only certain days or hours of theweek on a recurring basis:
Console
In the Google Cloud console, go to the IAM page.
From the list of principals, locate the desired principal and click the Edit principal (pencil) button.
From the Edit permissions panel, locate the desired role to configure a condition for. Then under IAM condition (optional), click Add IAM condition.
In the Edit condition panel, enter a title and optional description for the condition.
You can add a condition expression using either the Condition builder or the Condition editor. The condition builder provides an interactive interface to select your desired condition type, operator, and other applicable details about the expression. The condition editor provides a text-based interface to manually enter an expression using CEL syntax.
Condition builder:
- Click Add.
- From the Condition type drop-down, select Time Schedule, then Day of Week.
- From the Operator drop-down, select After or On.
- From the Day of Week drop-down, select Monday.
- From the Choose a time zone drop-down, select your desired time zone from the list.
- Ensure that the And operator is selected on the left, and then click Add again.
- From the Condition type drop-down, select Time Schedule, then Day of Week.
- From the Operator drop-down, select Before or On.
- From the Day of Week drop-down, select Friday.
- From the Choose a time zone drop-down, select your desired time zone from the list.
At this point, you've configured access only on Monday through Friday. Now, you will configure access from 9 AM (09:00) to 5 PM (17:00).
- Ensure that the And operator is selected on the left, and then click Add again.
- From the Condition type drop-down, select Time Schedule, then Hour of Day.
- From the Operator drop-down, select After or On.
- From the Hour of Day drop-down, select 9 (9 AM).
- From the Choose a time zone drop-down, select your desired time zone from the list.
- Ensure that the And operator is selected on the left, and then click Add again.
- From the Condition type drop-down, select Time Schedule, then Hour of Day.
- From the Operator drop-down, select Before or On. Note that "on" covers the whole hour: Before or On 17 is true for every time from 17:00 (5 PM) through 17:59 (5:59 PM). If access must end at 5 PM exactly, so that 4:59 PM is the last allowed minute, set the hour to 16 instead of 17.
- From the Hour of Day drop-down, select 17 (5 PM).
- From the Choose a time zone drop-down, select your desired time zone from the list.
- Click Save to apply the condition.
- Once the Edit condition panel is closed, click Save again from the Edit permissions panel to update your allow policy.
You've now configured access from Monday to Friday, 9 AM to 5 PM.
Condition editor:
Click the Condition editor tab and enter the following expression (replacing the placeholder values with your own):
request.time.getHours("Europe/Berlin") >= 9 && request.time.getHours("Europe/Berlin") <= 17 && request.time.getDayOfWeek("Europe/Berlin") >= 1 && request.time.getDayOfWeek("Europe/Berlin") <= 5
getDayOfWeek numbers Sunday as 0 and Saturday as 6, so 1 through 5 is Monday through Friday. getHours returns the whole hour, so <= 17 keeps access open until 17:59:59; use < 17 if access must end at 5 PM exactly. Both functions are evaluated in the time zone you name, including its daylight-saving changes, so name the zone the schedule is defined in rather than UTC. After entering your expression, you can optionally validate the CEL syntax by clicking Run Linter above the text box on the top right.
Click Save to apply the condition.
Once the Edit condition panel is closed, click Save again from the Edit permissions panel to update your allow policy.
gcloud
Allow policies are set using the read-modify-write pattern.
Execute the gcloud projects get-iam-policy command to get the current allow policy for the project. In the following example, the JSON version of the allow policy is downloaded to a path on disk.
Command:
gcloud projects get-iam-policy project-id --format=json > filepath
The JSON format of the allow policy is downloaded:
{
  "bindings": [
    {
      "members": ["user:my-user@example.com"],
      "role": "roles/owner"
    },
    {
      "members": ["group:my-group@example.com"],
      "role": "roles/bigquery.dataViewer"
    }
  ],
  "etag": "BwWKmjvelug=",
  "version": 1
}
To configure the allow policy with scheduled access, add a condition to the group's binding as shown below (replacing the time zone, hours, and days with your own). The gcloud CLI updates the version automatically:
{
  "bindings": [
    {
      "members": ["user:my-user@example.com"],
      "role": "roles/owner"
    },
    {
      "members": ["group:my-group@example.com"],
      "role": "roles/bigquery.dataViewer",
      "condition": {
        "title": "Business_hours",
        "description": "Business hours Monday-Friday",
        "expression": "request.time.getHours('Europe/Berlin') >= 9 && request.time.getHours('Europe/Berlin') <= 17 && request.time.getDayOfWeek('Europe/Berlin') >= 1 && request.time.getDayOfWeek('Europe/Berlin') <= 5"
      }
    }
  ],
  "etag": "BwWKmjvelug=",
  "version": 3
}
Next, set the new allow policy by executing the gcloud projects set-iam-policy command:
gcloud projects set-iam-policy project-id filepath
The new allow policy is applied, and the group's role grant will allow accessbetween the specified days and times.
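Before saving a schedule condition it is worth checking what it actually grants, because two details are easy to get wrong: getDayOfWeek counts from Sunday = 0, and getHours <= 17 keeps access open until 17:59:59 rather than 17:00. The following is an added example for this page, not code from Google Cloud or the CEL runtime. It models those two CEL functions in Python with the standard zoneinfo module, evaluates the page's expression at a few constructed instants, and generates the expression text to paste into the condition editor. The sample instants and the function names are this example's own; the fallback fixed offset is an assumption used only if the host has no tzdata.

```python
"""Dry-run of a day/hour schedule condition before it is saved.

Added example for this page, not Google Cloud or CEL code. The helpers
mirror request.time.getHours(tz) (hour 0-23 in the named zone) and
request.time.getDayOfWeek(tz) (Sunday=0 .. Saturday=6, so Mon..Fri is 1..5).
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
try:
    from zoneinfo import ZoneInfo
    BERLIN = ZoneInfo("Europe/Berlin")
except Exception:
    # Assumption for hosts without tzdata: a fixed CEST offset, only valid
    # for the summer dates used in the samples below.
    BERLIN = timezone(timedelta(hours=2), "CEST")


def cel_get_hours(t, tz):
    """request.time.getHours(tz)"""
    return t.astimezone(tz).hour


def cel_get_day_of_week(t, tz):
    """request.time.getDayOfWeek(tz): Sunday=0 .. Saturday=6.
    Python's weekday() is Monday=0 .. Sunday=6, hence the shift."""
    return (t.astimezone(tz).weekday() + 1) % 7


def schedule_allows(t, tz, start=9, end=17, inclusive_end=True):
    """Evaluate the page's expression shape at instant `t`.
    inclusive_end=True is `getHours <= end` as written on the page (access
    stays open until end:59:59); False is `getHours < end` (closes at end:00)."""
    h = cel_get_hours(t, tz)
    d = cel_get_day_of_week(t, tz)
    in_hours = h >= start and (h <= end if inclusive_end else h < end)
    return in_hours and 1 <= d <= 5


def schedule_expression(tz_name, start=9, end=17, inclusive_end=False):
    """CEL text for the condition editor. Defaults to the exclusive end so
    that end=17 means access stops at 17:00 sharp."""
    op = "<=" if inclusive_end else "<"
    h = f"request.time.getHours('{tz_name}')"
    d = f"request.time.getDayOfWeek('{tz_name}')"
    return f"{h} >= {start} && {h} {op} {end} && {d} >= 1 && {d} <= 5"


def utc(*ymdhm):
    """Aware UTC datetime from (year, month, day[, hour, minute])."""
    return datetime(*ymdhm, tzinfo=UTC)


# Constructed instants, given in UTC. 2024-06-03 is a Monday and Berlin is
# UTC+2 in June, so 07:30Z is 09:30 local and 15:30Z is 17:30 local.
SAMPLES = {
    "Mon 09:30 Berlin": utc(2024, 6, 3, 7, 30),
    "Mon 17:30 Berlin": utc(2024, 6, 3, 15, 30),
    "Mon 18:00 Berlin": utc(2024, 6, 3, 16, 0),
    "Sat 12:00 Berlin": utc(2024, 6, 8, 10, 0),
}

if __name__ == "__main__":
    for label, t in SAMPLES.items():
        print(f"{label}: <=17 -> {schedule_allows(t, BERLIN)}, "
              f"<17 -> {schedule_allows(t, BERLIN, inclusive_end=False)}, "
              f"same expression evaluated in UTC -> {schedule_allows(t, UTC)}")
    print(schedule_expression("Europe/Berlin"))
```

The "evaluated in UTC" column shows why the zone name matters: 09:30 in Berlin is 07:30 UTC, which a UTC-based expression would deny. Swap in your own zone and the instants around your boundaries (first and last allowed minute, a weekend, a DST changeover) before saving the policy.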
REST
Use the read-modify-write pattern to allow scheduled access. First, read the allow policy for the project:
The Resource Manager API's projects.getIamPolicy method gets a project's allow policy.
Before using any of the request data, make the following replacements:
PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
POLICY_VERSION: The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.
HTTP method and URL:
POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:getIamPolicy
Request JSON body:
{
  "options": {
    "requestedPolicyVersion": POLICY_VERSION
  }
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list. Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:getIamPolicy"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list. Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:getIamPolicy" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
You should receive a JSON response similar to the following:
{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/owner",
      "members": ["user:my-user@example.com"]
    },
    {
      "role": "roles/bigquery.dataViewer",
      "members": ["group:my-group@example.com"]
    }
  ]
}
Next, modify the allow policy to allow scheduled access.
Add a condition to the group's binding as shown below (replacing the time zone, hours, and days with your own). Ensure that you've updated the version value to 3:
{
  "etag": "BwWKmjvelug=",
  "version": 3,
  "bindings": [
    {
      "role": "roles/owner",
      "members": ["user:my-user@example.com"]
    },
    {
      "role": "roles/bigquery.dataViewer",
      "members": ["group:my-group@example.com"],
      "condition": {
        "title": "Business_hours",
        "description": "Business hours Monday-Friday",
        "expression": "request.time.getHours('Europe/Berlin') >= 9 && request.time.getHours('Europe/Berlin') <= 17 && request.time.getDayOfWeek('Europe/Berlin') >= 1 && request.time.getDayOfWeek('Europe/Berlin') <= 5"
      }
    }
  ]
}
Finally, write the updated allow policy:
The Resource Manager API's projects.setIamPolicy method sets the allow policy in the request as the project's new allow policy.
Before using any of the request data, make the following replacements:
PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
HTTP method and URL:
POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setIamPolicy
Request JSON body:
{
  "policy": {
    "etag": "BwWKmjvelug=",
    "version": 3,
    "bindings": [
      {
        "role": "roles/owner",
        "members": ["user:my-user@example.com"]
      },
      {
        "role": "roles/bigquery.dataViewer",
        "members": ["group:my-group@example.com"],
        "condition": {
          "title": "Business_hours",
          "description": "Business hours Monday-Friday",
          "expression": "request.time.getHours('Europe/Berlin') >= 9 && request.time.getHours('Europe/Berlin') <= 17 && request.time.getDayOfWeek('Europe/Berlin') >= 1 && request.time.getDayOfWeek('Europe/Berlin') <= 5"
        }
      }
    ]
  }
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list. Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setIamPolicy"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list. Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setIamPolicy" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
The response contains the updated allow policy.
Note: If you treat policies as code and store them in a version-control system, you should store the policy that is returned, not the policy that you sent in the request.
What's next
- Learn how to manage conditional role bindings.
- Learn how to lint allow policies.
- Learn how to use conditional role bindings to manage just-in-time privileged access to projects.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.