Cloud Run V2 API - Class Google::Iam::V1::Policy (v0.28.0)
Reference documentation and code samples for the Cloud Run V2 API class Google::Iam::V1::Policy.
An Identity and Access Management (IAM) policy, which specifies accesscontrols for Google Cloud resources.
APolicy is a collection ofbindings. Abinding binds one or moremembers, or principals, to a singlerole. Principals can be useraccounts, service accounts, Google groups, and domains (such as G Suite). Arole is a named list of permissions; eachrole can be an IAM predefinedrole or a user-created custom role.
For some types of Google Cloud resources, abinding can also specify acondition, which is a logical expression that allows access to a resourceonly if the expression evaluates totrue. A condition can add constraintsbased on attributes of the request, the resource, or both. To learn whichresources support conditions in their IAM policies, see theIAMdocumentation.
JSON example:
{ "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 }
YAML example:
bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3
For a description of IAM and its features, see theIAM documentation.
Inherits
- Object
Extended By
- Google::Protobuf::MessageExts::ClassMethods
Includes
- Google::Protobuf::MessageExts
Methods
#audit_configs
defaudit_configs()->::Array<::Google::Iam::V1::AuditConfig>- (::Array<::Google::Iam::V1::AuditConfig>) — Specifies cloud audit logging configuration for this policy.
#audit_configs=
defaudit_configs=(value)->::Array<::Google::Iam::V1::AuditConfig>- value (::Array<::Google::Iam::V1::AuditConfig>) — Specifies cloud audit logging configuration for this policy.
- (::Array<::Google::Iam::V1::AuditConfig>) — Specifies cloud audit logging configuration for this policy.
#bindings
defbindings()->::Array<::Google::Iam::V1::Binding>- (::Array<::Google::Iam::V1::Binding>) — Associates a list of
members, or principals, with arole. Optionally,may specify aconditionthat determines how and when thebindingsareapplied. Each of thebindingsmust contain at least one principal.The
bindingsin aPolicycan refer to up to 1,500 principals; up to 250of these principals can be Google groups. Each occurrence of a principalcounts towards these limits. For example, if thebindingsgrant 50different roles touser:alice@example.com, and not to any otherprincipal, then you can add another 1,450 principals to thebindingsinthePolicy.
#bindings=
defbindings=(value)->::Array<::Google::Iam::V1::Binding>- value (::Array<::Google::Iam::V1::Binding>) — Associates a list of
members, or principals, with arole. Optionally,may specify aconditionthat determines how and when thebindingsareapplied. Each of thebindingsmust contain at least one principal.The
bindingsin aPolicycan refer to up to 1,500 principals; up to 250of these principals can be Google groups. Each occurrence of a principalcounts towards these limits. For example, if thebindingsgrant 50different roles touser:alice@example.com, and not to any otherprincipal, then you can add another 1,450 principals to thebindingsinthePolicy.
- (::Array<::Google::Iam::V1::Binding>) — Associates a list of
members, or principals, with arole. Optionally,may specify aconditionthat determines how and when thebindingsareapplied. Each of thebindingsmust contain at least one principal.The
bindingsin aPolicycan refer to up to 1,500 principals; up to 250of these principals can be Google groups. Each occurrence of a principalcounts towards these limits. For example, if thebindingsgrant 50different roles touser:alice@example.com, and not to any otherprincipal, then you can add another 1,450 principals to thebindingsinthePolicy.
#etag
defetag()->::String- (::String) —
etagis used for optimistic concurrency control as a way to helpprevent simultaneous updates of a policy from overwriting each other.It is strongly suggested that systems make use of theetagin theread-modify-write cycle to perform policy updates in order to avoid raceconditions: Anetagis returned in the response togetIamPolicy, andsystems are expected to put that etag in the request tosetIamPolicytoensure that their change will be applied to the same version of the policy.Important: If you use IAM Conditions, you must include the
etagfieldwhenever you callsetIamPolicy. If you omit this field, then IAM allowsyou to overwrite a version3policy with a version1policy, and all ofthe conditions in the version3policy are lost.
#etag=
defetag=(value)->::String- value (::String) —
etagis used for optimistic concurrency control as a way to helpprevent simultaneous updates of a policy from overwriting each other.It is strongly suggested that systems make use of theetagin theread-modify-write cycle to perform policy updates in order to avoid raceconditions: Anetagis returned in the response togetIamPolicy, andsystems are expected to put that etag in the request tosetIamPolicytoensure that their change will be applied to the same version of the policy.Important: If you use IAM Conditions, you must include the
etagfieldwhenever you callsetIamPolicy. If you omit this field, then IAM allowsyou to overwrite a version3policy with a version1policy, and all ofthe conditions in the version3policy are lost.
- (::String) —
etagis used for optimistic concurrency control as a way to helpprevent simultaneous updates of a policy from overwriting each other.It is strongly suggested that systems make use of theetagin theread-modify-write cycle to perform policy updates in order to avoid raceconditions: Anetagis returned in the response togetIamPolicy, andsystems are expected to put that etag in the request tosetIamPolicytoensure that their change will be applied to the same version of the policy.Important: If you use IAM Conditions, you must include the
etagfieldwhenever you callsetIamPolicy. If you omit this field, then IAM allowsyou to overwrite a version3policy with a version1policy, and all ofthe conditions in the version3policy are lost.
#version
defversion()->::Integer- (::Integer) — Specifies the format of the policy.
Valid values are
0,1, and3. Requests that specify an invalid valueare rejected.Any operation that affects conditional role bindings must specify version
3. This requirement applies to the following operations:- Getting a policy that includes a conditional role binding
- Adding a conditional role binding to a policy
- Changing a conditional role binding in a policy
- Removing any role binding, with or without a condition, from a policythat includes conditions
Important: If you use IAM Conditions, you must include the
etagfieldwhenever you callsetIamPolicy. If you omit this field, then IAM allowsyou to overwrite a version3policy with a version1policy, and all ofthe conditions in the version3policy are lost.If a policy does not include any conditions, operations on that policy mayspecify any valid version or leave the field unset.
To learn which resources support conditions in their IAM policies, see theIAMdocumentation.
#version=
defversion=(value)->::Integer- value (::Integer) — Specifies the format of the policy.
Valid values are
0,1, and3. Requests that specify an invalid valueare rejected.Any operation that affects conditional role bindings must specify version
3. This requirement applies to the following operations:- Getting a policy that includes a conditional role binding
- Adding a conditional role binding to a policy
- Changing a conditional role binding in a policy
- Removing any role binding, with or without a condition, from a policythat includes conditions
Important: If you use IAM Conditions, you must include the
etagfieldwhenever you callsetIamPolicy. If you omit this field, then IAM allowsyou to overwrite a version3policy with a version1policy, and all ofthe conditions in the version3policy are lost.If a policy does not include any conditions, operations on that policy mayspecify any valid version or leave the field unset.
To learn which resources support conditions in their IAM policies, see theIAMdocumentation.
- (::Integer) — Specifies the format of the policy.
Valid values are
0,1, and3. Requests that specify an invalid valueare rejected.Any operation that affects conditional role bindings must specify version
3. This requirement applies to the following operations:- Getting a policy that includes a conditional role binding
- Adding a conditional role binding to a policy
- Changing a conditional role binding in a policy
- Removing any role binding, with or without a condition, from a policythat includes conditions
Important: If you use IAM Conditions, you must include the
etagfieldwhenever you callsetIamPolicy. If you omit this field, then IAM allowsyou to overwrite a version3policy with a version1policy, and all ofthe conditions in the version3policy are lost.If a policy does not include any conditions, operations on that policy mayspecify any valid version or leave the field unset.
To learn which resources support conditions in their IAM policies, see theIAMdocumentation.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-10-30 UTC.