AccessBoundary

An access boundary defines the upper bound of what a principal may access. It includes a list of access boundary rules that each defines the resource that may be allowed as well as permissions that may be used on those resources.

JSON representation
{"accessBoundaryRules":[{object (AccessBoundaryRule)}]}
Fields
accessBoundaryRules[]

object (AccessBoundaryRule)

A list of access boundary rules which defines the upper bound of the permission a principal may carry. If multiple rules are specified, the effective access boundary is the union of all the access boundary rules attached.

One access boundary can contain at most 10 rules.

AccessBoundaryRule

An access boundary rule defines an upper bound of IAM permissions on a single resource.

JSON representation
{"availableResource":string,"availablePermissions":[string],"availabilityCondition":{object (Expr)}}
Fields
availableResource

string

The full resource name of a Google Cloud resource entity. The format definition is athttps://cloud.google.com/apis/design/resource_names.

Example value://cloudresourcemanager.googleapis.com/projects/my-project.

availablePermissions[]

string

A list of permissions that may be allowed for use on the specified resource.

The only supported values in the list are IAM roles, following the format ofgoogle.iam.v1.Binding.role.

Example value:inRole:roles/logging.viewer for predefined roles andinRole:organizations/{ORGANIZATION_ID}/roles/logging.viewer for custom roles.

availabilityCondition

object (Expr)

The availability condition further constrains the access allowed by the access boundary rule.

If the condition evaluates totrue, then this access boundary rule will provide access to the specified resource, assuming the principal has the required permissions for the resource.

If the condition does not evaluate totrue, then access to the specified resource will not be available. Note that all access boundary rules in an access boundary are evaluated together as a union. As such, another access boundary rule may allow access to the resource, even if this access boundary rule does not allow access.

To learn which resources support conditions in their IAM policies, see theIAM documentation.

The maximum length of theexpression field is 2048 characters.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-05-21 UTC.