Console

1. In the Google Cloud console, go to thePrincipal Access Boundarypolicies page.

   Go to Principal Access Boundary policies

2. Select the organization that owns the principal access boundary policy that you wantto edit.

3. Click the policy ID of the principal access boundary policy that you want to edit.

4. ClickeditEdit policy.

5. To edit the policy's rules, do the following:

   1. Click the rule that you want to edit.
   2. Edit the rule's description, or the resources included in the rule.
   3. ClickDone.

6. To delete a rule from the policy, clickdeleteDelete in that rule's row.

7. To edit the policy's display name, edit theDisplay name field.

8. To edit the policy'senforcement version, click theEnforcement version list and choose a new value.

9. Optional: To test your changes to the principal access boundary policy with Policy Simulator, clickTestchanges. Review thesimulation results andupdate the policy if necessary.

   To learn more about testing principal access boundary policies with Policy Simulator, seePolicy Simulator for principal access boundarypolicies.

10. ClickSave.

gcloud

Thegcloud iam principal-access-boundary-policies update command updates an existing principal access boundary policy.

Before using any of the command data below, make the following replacements:

• PAB_POLICY_ID: The ID of the principal access boundary policy that you want toupdate—for example,example-policy.
• ORG_ID: The ID of the organization that owns theprincipal access boundary policy. Organization IDs are numeric, like123456789012.

• FIELD_TO_UPDATE=UPDATED_VALUE: The fields that you want to update and the corresponding updated value.

  The following are examples of flags that you can use to update the fields in the policy:

  • --display-name=DISPLAY_NAME: Replace the display name of the policy withDISPLAY_NAME.
  • --details-enforcement-version=ENFORCEMENT_VERSION: Update the policy'senforcement version toENFORCEMENT_VERSION.

  • --details-rules=RULES_FILE.json: Replace the principal access boundary policy's rules with the rules inRULES_FILE.json. To learn how to format the rules file, seeCreate a principal access boundary policy.

    If you use this flag, you can't use the--add-details-rules flag.

  • --add-details-rules=RULES_FILE: Append the rules inRULES_FILE.json to the policy's existing rules. To learn how to format the rules file, seeCreate a principal access boundary policy.

    If you use this flag, you can't use--details-rules flag.

  • --remove-details-rules=RULES_FILE: Remove the rules inRULES_FILE.json from the policy's existing rules. To learn how to format the rules file, seeCreate a principal access boundary policy. Only rules that exactly match one of the rules inRULES_FILE.json are removed.

    If you use this flag, you can't use--clear-rule-details flag.

  • --clear-details-rules: Clear all rules from the principal access boundary policy.

    If you use this flag, you can't use--remove-rule-details flag.

  For a full list of flags that you can use to update a principal access boundary policy, see thegcloud iam principal-access-boundary-policies update command reference.

• FORMAT: The format for the response. Usejson oryaml.

Execute the following command:

gcloudiamprincipal-access-boundary-policiesupdatePAB_POLICY_ID\--organization=ORG_ID--location=global\--FIELD_TO_UPDATE=UPDATED_VALUE\--format=FORMAT

gcloudiamprincipal-access-boundary-policiesupdatePAB_POLICY_ID`--organization=ORG_ID--location=global`--FIELD_TO_UPDATE=UPDATED_VALUE`--format=FORMAT

gcloudiamprincipal-access-boundary-policiesupdatePAB_POLICY_ID^--organization=ORG_ID--location=global^--FIELD_TO_UPDATE=UPDATED_VALUE^--format=FORMAT

The response contains a long-running operation representing your request. After the operation is complete, the response prints the updated principal access boundary policy.

Request issued for: [example-policy]Waiting for operation [organizations/123456789012/locations/global/operations/operation-1715374208720-6181fae5e2034-2d8a712b-5c92e5b9] to complete...done.Updated principalAccessBoundaryPolicy [example-policy].{  "name": "organizations/123456789012/locations/global/principalAccessBoundaryPolicies/example-policy",  "uid": "puid_13364150419245236225",  "etag": "W/\"Gh/PcTdJD/AWHUhPW45kdw==\"",  "displayName": "Updated display name",  "createTime": "2024-05-07T00:05:48.295209Z",  "updateTime": "2024-05-10T20:50:09.200421Z",  "details": [    "rules": {      [        "description": "Make principals eligible to access example.com"        "resources": {          "//cloudresourcemanager.googleapis.com/organizations/123456789012"        },        "effect": ALLOW      ]    },    "enforcementVersion": "1"  ]}

REST

TheprincipalAccessBoundaryPolicies.patch method updates an existing principal access boundary policy.

Before using any of the request data, make the following replacements:

• ORG_ID: The ID of the organization that owns theprincipal access boundary policy. Organization IDs are numeric, like123456789012.
• PAB_POLICY_ID: The ID of the principal access boundary policy that you want toupdate—for example,example-policy.

• FIELDS_TO_UPDATE: A comma-separated list of fields that you want to update. If you don't specify the fields to update, IAM replaces the existing policy with the content of the request body.

  Accepted values aredisplayName,details,details.rules,details.rules.description,details.rules.resources,details.rules.effect anddetails.enforcementVersion.

• DISPLAY_NAME: Optional. A human-readabledescription of the principal access boundary policy—for example,Example policy. The displayname can be a maximum of 63 characters.

• PAB_RULES: A list of principal access boundary rules, which define the resources that affected principals are eligible to access. A principal access boundary policy can have up to 500 rules. Each rule has the following format:

  {"description":"DESCRIPTION","resources":[RESOURCES],"effect":ALLOW}

  Replace the following values:

  • DESCRIPTION: Optional. The description of the principal access boundary policy rule. The description can be a maximum of 256 characters.

  • RESOURCES: A list of Resource Manager resources (projects, folders, and organizations) that you want principals to be eligible to access. Any principal that is subject to this policy is eligible to access these resources.

    Each principal access boundary policy can reference a maximum of 500 resources across all rules in the policy.

• ENFORCEMENT_VERSION: The version of principal access boundary policies that IAM uses when enforcing the policy. The enforcement version determines which permissions IAM enforces the principal access boundary policy for.

  Accepted values are1,2,3, andlatest.

  For more information about enforcement versions, seePrincipal access boundary enforcement versions.

HTTP method and URL:

PATCH https://iam.googleapis.com/v3/organizations/ORG_ID/locations/global/principalAccessBoundaryPolicies/PAB_POLICY_ID?updateMask=FIELDS_TO_UPDATE

Request JSON body:

{  "displayName":DISPLAY_NAME,  "details": {    "rules": [PAB_RULES    ],    "enforcementVersion": "ENFORCEMENT_VERSION",  }}

To send your request, expand one of these options:

curl -X PATCH \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://iam.googleapis.com/v3/organizations/ORG_ID/locations/global/principalAccessBoundaryPolicies/PAB_POLICY_ID?updateMask=FIELDS_TO_UPDATE"

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method PATCH `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://iam.googleapis.com/v3/organizations/ORG_ID/locations/global/principalAccessBoundaryPolicies/PAB_POLICY_ID?updateMask=FIELDS_TO_UPDATE" | Select-Object -Expand Content

The response contains a long-running operation representing your request. To learn how to get the status of a long-running operation, seeCheck the status of a long-running operation on this page.

{  "name": "organizations/123456789012/locations/global/operations/operation-1715626721931-6185a7953ef76-76f80ee4-19cd1bf7",  "metadata": {    "@type": "type.googleapis.com/google.iam.v3.OperationMetadata",    "createTime": "2024-05-13T18:58:43.721277235Z",    "target": "organizations/123456789012/locations/global/principalAccessBoundaryPolicies/example-policy",    "verb": "update",    "requestedCancellation": false,    "apiVersion": "v3"  },  "done": false}

Console

1. In the Google Cloud console, go to thePrincipal Access Boundarypolicies page.

   Go to Principal Access Boundary policies

2. Select the organization that owns the principal access boundary policy that you wantto edit.

3. Click the policy ID of the principal access boundary policy whose bindings you wantto edit.

4. Click theBindings tab.

5. Find the ID of the binding that you want to edit. In that binding's row,clickmore_vertActions, thenclickEdit binding.

6. To update the binding's display name, edit theDisplay name field.

7. To add a condition to the binding, do the following:

   1. ClickaddAdd condition.
   2. In theTitle field, enter a brief summary of the purpose of thecondition.
   3. Optional: In theDescription field, enter a longer description ofthe condition.
   4. In theExpression field, enter condition expression that uses theCommon Expression Language (CEL) syntax. Theexpression must reference theprincipal.type orprincipal.subjectattributes. Other attributes are not supported.
   5. ClickSave.

8. To update an existing condition, do the following:

   1. ClickeditEdit conditionnext to the name of the condition.
   2. Update the condition's title, description, or expression.
   3. ClickSave.

9. Optional: To test your changes to the principal access boundary policy binding with Policy Simulator, clickTestchanges. Review thesimulation results andupdate the policy binding if necessary.

   To learn more about testing principal access boundary policies with Policy Simulator, seePolicy Simulator for principal access boundarypolicies.

10. To save your changes, clickSave.

gcloud

Thegcloud iam policy-bindings update command updates an existing policy binding.

Before using any of the command data below, make the following replacements:

• BINDING_ID: The ID of the policy binding that you want toupdate—for example,example-binding.

• RESOURCE_TYPE: The type of the Resource Manager resource (project, folder, or organization) that the policy binding is a child of. Use the valueproject,folder, ororganization

  The resource type depends on the principal set in the policy binding. To see which resource type to use, seeSupported principal types.

• RESOURCE_ID: The ID of the project,folder, or organization that the policy binding is a child of. Project IDs are alphanumeric strings,likemy-project. Folder and organization IDs are numeric, like123456789012.

• FIELD_TO_UPDATE=UPDATED_VALUE: The fields that you want to update and the corresponding updated value.

  The following are examples of flags that you can use to update the fields in a policy binding:

  • --display-name=DISPLAY_NAME: Replace the display name of the binding withDISPLAY_NAME.
  • --condition-description=CONDITION_DESCRIPTION: If the binding has a condition, replace the condition's description withCONDITION_DESCRIPTION. Otherwise, add a new condition to the binding with the specified description. If you use this flag to update a binding that doesn't have a condition, you must also set the--condition-expression flag.
  • --condition-expression=CONDITION_EXPRESSION: If the binding has a condition, replace the condition's expression withCONDITION_EXPRESSION. Otherwise, add a new condition to the binding with the specified expression.
  • --condition-title=CONDITION_TITLE: If the binding has a condition, replace the condition's title withCONDITION_TITLE. Otherwise, add a new condition to the binding with the specified title. If you use this flag to update a binding that doesn't have a condition, you must also set the--condition-expression flag.

  For a full list of fields you can update, see thegcloud iam policy-bindings update command reference.

• FORMAT: The format for the response. Usejson oryaml.

Execute the following command:

gcloudiampolicy-bindingsupdateBINDING_ID\--RESOURCE_TYPE=RESOURCE_ID--location=global\--FIELD_TO_UPDATE=UPDATED_VALUE\--format=FORMAT

gcloudiampolicy-bindingsupdateBINDING_ID`--RESOURCE_TYPE=RESOURCE_ID--location=global`--FIELD_TO_UPDATE=UPDATED_VALUE`--format=FORMAT

gcloudiampolicy-bindingsupdateBINDING_ID^--RESOURCE_TYPE=RESOURCE_ID--location=global^--FIELD_TO_UPDATE=UPDATED_VALUE^--format=FORMAT

The response contains a long-running operation representing your request. To learn how to get the status of a long-running operation, seeCheck the status of a long-running operation on this page.

Update request issued for: [my-binding]Waiting for operation [organizations/123456789012/locations/global/operations/operation-1715374545618-6181fc272c6f9-55ff07f4-97d0ac76] to complete...done.Updated policyBinding [my-binding].{  "createTime": "2024-05-06T18:08:24.729843Z",  "displayName": "Updated display name",  "etag": "W/\"xkdnPfTxoxyVqOwhQSJbMg==\"",  "name": "organizations/123456789012/locations/global/policyBindings/example-binding",  "policy": "organizations/123456789012/locations/global/principalAccessBoundaryPolicies/example-pab-policy",  "policyKind": "PRINCIPAL_ACCESS_BOUNDARY",  "policyUid": "puid_9519202237377675265",  "target": {    "principalSet": "//cloudresourcemanager.googleapis.com/organizations/123456789012"  },  "uid": "buid_9904260005517852673",   "updateTime": "2024-05-06T18:11:16.798841Z"}

REST

ThepolicyBindings.patch method updates an existing policy binding.

Before using any of the request data, make the following replacements:

• RESOURCE_TYPE: The type of the Resource Manager resource (project, folder, or organization) that the policy binding is a child of. Use the valueprojects,folders, ororganizations

  The resource type depends on the principal set in the policy binding. To see which resource type to use, seeSupported principal types.

• RESOURCE_ID: The ID of the project,folder, or organization that the policy binding is a child of. Project IDs are alphanumeric strings,likemy-project. Folder and organization IDs are numeric, like123456789012.
• BINDING_ID: The ID of the policy binding that you want toupdate—for example,example-binding.

• FIELDS_TO_UPDATE: A comma-separated list of fields that you want to update. If you don't specify the fields to update, IAM replaces the existing binding with the content of the request body.

  Accepted values aredisplayName,condition,condition.expression,condition.title, andcondition.description.

• DISPLAY_NAME: Optional. Ahuman-readable description of the binding—for example,Example binding. Thedisplay name can be a maximum of 63 characters.

• CONDITION_DETAILS: Optional. Acondition expression that specifies which principals in the principal set the principal access boundary policy is enforced for. Contains the following fields:

  • expression: A condition expression that usesCommon Expression Language (CEL) syntax. The expression must reference theprincipal.type orprincipal.subject attributes. Other attributes are not supported.

    The expression can contain up to 10 logical operators (&&,||,!), and can be up to 250 characters long.

  • title: Optional. A brief summary of the purpose of the condition.
  • description: Optional. A longer description of the condition.

HTTP method and URL:

POST https://iam.googleapis.com/v3/RESOURCE_TYPE/RESOURCE_ID/locations/global/policyBindings/BINDING_ID?updateMask=FIELDS_TO_UPDATE

Request JSON body:

{  "displayName":DISPLAY_NAME,  "condition": {CONDITION_DETAILS  }}

To send your request, expand one of these options:

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://iam.googleapis.com/v3/RESOURCE_TYPE/RESOURCE_ID/locations/global/policyBindings/BINDING_ID?updateMask=FIELDS_TO_UPDATE"

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://iam.googleapis.com/v3/RESOURCE_TYPE/RESOURCE_ID/locations/global/policyBindings/BINDING_ID?updateMask=FIELDS_TO_UPDATE" | Select-Object -Expand Content

The response contains a long-running operation representing your request. To learn how to get the status of a long-running operation, seeCheck the status of a long-running operation on this page.

{  "name": "organizations/123456789012/locations/global/operations/operation-1715373159010-6181f6fcccfa7-dcd0055c-00c22cad",  "metadata": {    "@type": "type.googleapis.com/google.iam.v3.OperationMetadata",    "createTime": "2024-05-10T20:32:39.254910121Z",    "target": "organizations/123456789012/locations/global/policyBindings/example-binding",    "verb": "update",    "requestedCancellation": false,    "apiVersion": "v3"  },  "done": false}

Theoperations.get method returns the status of a long-running operation.

Before using any of the request data, make the following replacements:

• OPERATION_NAME: The full name of the operation. You receive this name in the response to your original request.

  The operation name has the following format:

  RESOURCE_TYPE/RESOURCE_ID/locations/global/operations/OPERATION_ID

HTTP method and URL:

GET https://iam.googleapis.com/v3/OPERATION_NAME

To send your request, expand one of these options:

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://iam.googleapis.com/v3/OPERATION_NAME"

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://iam.googleapis.com/v3/OPERATION_NAME" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{  "name": "organizations/314340013352/locations/global/operations/operation-1732752311821-627edd607a3df-9a62cdea-2a7d9f07",  "metadata": {    "@type": "type.googleapis.com/google.iam.v3.OperationMetadata",    "createTime": "2024-11-28T00:05:12.006289686Z",    "endTime": "2024-11-28T00:05:12.192141801Z",    "target": "organizations/314340013352/locations/global/principalAccessBoundaryPolicies/example-policy",    "verb": "create",    "requestedCancellation": false,    "apiVersion": "v3"  },  "done": true,  "response": {PAB_POLICY  }}

If the operation'sdone field is not present, continue to monitor its status by getting the operation repeatedly. Usetruncated exponential backoff to introduce a delay between each request. When thedone field is set totrue, the operation is complete, and you can stop getting the operation.