Cloud Resource Manager API Connector Overview
The Workflows connector defines the built-in functions that can be used to access other Google Cloud products within a workflow.
This page provides an overview of the individual connector. There is no need to import or load connector libraries in a workflow—connectors work out of the box when used in a call step.
Cloud Resource Manager API
Creates, reads, and updates metadata for Google Cloud Platform resource containers. To learn more, see the Cloud Resource Manager API documentation.
Cloud Resource Manager connector sample
YAML

```yaml
# This workflow expects following item to be provided through the input argument for execution:
# - projectNumber (string)
#   - The project number.
#
# Expected successful output: "SUCCESS"
main:
  params: [args]
  steps:
    - init:
        assign:
          - project_number: ${args.projectNumber}
    - get_project:
        call: googleapis.cloudresourcemanager.v3.projects.get
        args:
          name: ${"projects/" + project_number}
    - the_end:
        return: "SUCCESS"
```

JSON

```json
{
  "main": {
    "params": ["args"],
    "steps": [
      {
        "init": {
          "assign": [
            {"project_number": "${args.projectNumber}"}
          ]
        }
      },
      {
        "get_project": {
          "call": "googleapis.cloudresourcemanager.v3.projects.get",
          "args": {
            "name": "${\"projects/\" + project_number}"
          }
        }
      },
      {
        "the_end": {
          "return": "SUCCESS"
        }
      }
    ]
  }
}
```

Module: googleapis.cloudresourcemanager.v1.folders
| Functions | |
|---|---|
| clearOrgPolicy | Clears a Policy from a resource. |
| getEffectiveOrgPolicy | Gets the effective Policy on a resource. This is the result of merging Policies in the resource hierarchy. The returned Policy will not have an etag set because it is a computed Policy across multiple resources. Subtrees of Resource Manager resource hierarchy with 'under:' prefix will not be expanded. |
| getOrgPolicy | Gets a Policy on a resource. If no Policy is set on the resource, a Policy is returned with default values including POLICY_TYPE_NOT_SET for the policy_type oneof. The etag value can be used with SetOrgPolicy() to create or update a Policy during read-modify-write. |
| listAvailableOrgPolicyConstraints | Lists Constraints that could be applied on the specified resource. |
| listOrgPolicies | Lists all the Policies set for a particular resource. |
| setOrgPolicy | Updates the specified Policy on the resource. Creates a new Policy for that Constraint on the resource if one does not exist. Not supplying an etag on the request Policy results in an unconditional write of the Policy. |
Module: googleapis.cloudresourcemanager.v1.liens
| Functions | |
|---|---|
| create | Create a Lien which applies to the resource denoted by the parent field. Callers of this method will require permission on the parent resource. For example, applying to projects/1234 requires permission resourcemanager.projects.updateLiens. NOTE: Some resources may limit the number of Liens which may be applied. |
| delete | Delete a Lien by name. Callers of this method will require permission on the parent resource. For example, a Lien with a parent of projects/1234 requires permission resourcemanager.projects.updateLiens. |
| get | Retrieve a Lien by name. Callers of this method will require permission on the parent resource. For example, a Lien with a parent of projects/1234 requires permission resourcemanager.projects.get. |
| list | List all Liens applied to the parent resource. Callers of this method will require permission on the parent resource. For example, a Lien with a parent of projects/1234 requires permission resourcemanager.projects.get. |
Module: googleapis.cloudresourcemanager.v1.operations
| Functions | |
|---|---|
| get | Gets the latest state of a long-running operation. Clients can use this method to poll the operation result at intervals as recommended by the API service. |
Module: googleapis.cloudresourcemanager.v1.organizations
| Functions | |
|---|---|
| clearOrgPolicy | Clears a Policy from a resource. |
| get | Fetches an Organization resource identified by the specified resource name. |
| getEffectiveOrgPolicy | Gets the effective Policy on a resource. This is the result of merging Policies in the resource hierarchy. The returned Policy will not have an etag set because it is a computed Policy across multiple resources. Subtrees of Resource Manager resource hierarchy with 'under:' prefix will not be expanded. |
| getIamPolicy | Gets the access control policy for an Organization resource. May be empty if no such policy or resource exists. The resource field should be the organization's resource name, e.g. "organizations/123". Authorization requires the Google IAM permission resourcemanager.organizations.getIamPolicy on the specified organization. |
| getOrgPolicy | Gets a Policy on a resource. If no Policy is set on the resource, a Policy is returned with default values including POLICY_TYPE_NOT_SET for the policy_type oneof. The etag value can be used with SetOrgPolicy() to create or update a Policy during read-modify-write. |
| listAvailableOrgPolicyConstraints | Lists Constraints that could be applied on the specified resource. |
| listOrgPolicies | Lists all the Policies set for a particular resource. |
| search | Searches Organization resources that are visible to the user and satisfy the specified filter. This method returns Organizations in an unspecified order. New Organizations do not necessarily appear at the end of the results. Search will only return organizations on which the user has the permission resourcemanager.organizations.get. |
| setIamPolicy | Sets the access control policy on an Organization resource. Replaces any existing policy. The resource field should be the organization's resource name, e.g. "organizations/123". Authorization requires the Google IAM permission resourcemanager.organizations.setIamPolicy on the specified organization. |
| setOrgPolicy | Updates the specified Policy on the resource. Creates a new Policy for that Constraint on the resource if one does not exist. Not supplying an etag on the request Policy results in an unconditional write of the Policy. |
| testIamPermissions | Returns permissions that a caller has on the specified Organization. The resource field should be the organization's resource name, e.g. "organizations/123". There are no permissions required for making this API call. |
Module: googleapis.cloudresourcemanager.v1.projects
| Functions | |
|---|---|
| clearOrgPolicy | Clears a Policy from a resource. |
| create | Request that a new Project be created. The result is an Operation which can be used to track the creation process. This process usually takes a few seconds, but can sometimes take much longer. The tracking Operation is automatically deleted after a few hours, so there is no need to call DeleteOperation. Authorization requires the Google IAM permission resourcemanager.projects.create on the specified parent for the new project. The parent is identified by a specified ResourceId, which must include both an ID and a type, such as organization. This method does not associate the new project with a billing account. You can set or update the billing account associated with a project using the [projects.updateBillingInfo](/billing/reference/rest/v1/projects/updateBillingInfo) method. |
| delete | Marks the Project identified by the specified project_id (for example, my-project-123) for deletion. This method will only affect the Project if it has a lifecycle state of ACTIVE. This method changes the Project's lifecycle state from ACTIVE to DELETE_REQUESTED. The deletion starts at an unspecified time, at which point the Project is no longer accessible. Until the deletion completes, you can check the lifecycle state by retrieving the Project with GetProject, and the Project remains visible to ListProjects. However, you cannot update the project. After the deletion completes, the Project is not retrievable by the GetProject and ListProjects methods. The caller must have delete permissions for this Project. |
| get | Retrieves the Project identified by the specified project_id (for example, my-project-123). The caller must have read permissions for this Project. |
| getAncestry | Gets a list of ancestors in the resource hierarchy for the Project identified by the specified project_id (for example, my-project-123). The caller must have read permissions for this Project. |
| getEffectiveOrgPolicy | Gets the effective Policy on a resource. This is the result of merging Policies in the resource hierarchy. The returned Policy will not have an etag set because it is a computed Policy across multiple resources. Subtrees of Resource Manager resource hierarchy with 'under:' prefix will not be expanded. |
| getIamPolicy | Returns the IAM access control policy for the specified Project. Permission is denied if the policy or the resource does not exist. Authorization requires the Google IAM permission resourcemanager.projects.getIamPolicy on the project. For additional information about resource (e.g. my-project-id) structure and identification, see Resource Names. |
| getOrgPolicy | Gets a Policy on a resource. If no Policy is set on the resource, a Policy is returned with default values including POLICY_TYPE_NOT_SET for the policy_type oneof. The etag value can be used with SetOrgPolicy() to create or update a Policy during read-modify-write. |
| list | Lists Projects that the caller has the resourcemanager.projects.get permission on and satisfy the specified filter. This method returns Projects in an unspecified order. This method is eventually consistent with project mutations; this means that a newly created project may not appear in the results or recent updates to an existing project may not be reflected in the results. To retrieve the latest state of a project, use the GetProject method. NOTE: If the request filter contains a parent.type and parent.id and the caller has the resourcemanager.projects.list permission on the parent, the results will be drawn from an alternate index which provides more consistent results. In future versions of this API, this List method will be split into List and Search to properly capture the behavioral difference. |
| listAvailableOrgPolicyConstraints | Lists Constraints that could be applied on the specified resource. |
| listOrgPolicies | Lists all the Policies set for a particular resource. |
| setIamPolicy | Sets the IAM access control policy for the specified Project. CAUTION: This method will replace the existing policy, and cannot be used to append additional IAM settings. NOTE: Removing service accounts from policies or changing their roles can render services completely inoperable. It is important to understand how the service account is being used before removing or updating its roles. For additional information about resource (e.g. my-project-id) structure and identification, see Resource Names. The following constraints apply when using setIamPolicy(): + Project does not support allUsers and allAuthenticatedUsers as members in a Binding of a Policy. + The owner role can be granted to a user, serviceAccount, or a group that is part of an organization. For example, group@myownpersonaldomain.com could be added as an owner to a project in the myownpersonaldomain.com organization, but not the examplepetstore.com organization. + Service accounts can be made owners of a project directly without any restrictions. However, to be added as an owner, a user must be invited via Cloud Platform console and must accept the invitation. + A user cannot be granted the owner role using setIamPolicy(). The user must be granted the owner role using the Cloud Platform Console and must explicitly accept the invitation. + You can only grant ownership of a project to a member by using the GCP Console. Inviting a member will deliver an invitation email that they must accept. An invitation email is not generated if you are granting a role other than owner, or if both the member you are inviting and the project are part of your organization. + If the project is not part of an organization, there must be at least one owner who has accepted the Terms of Service (ToS) agreement in the policy. Calling setIamPolicy() to remove the last ToS-accepted owner from the policy will fail. This restriction also applies to legacy projects that no longer have owners who have accepted the ToS. Edits to IAM policies will be rejected until the lack of a ToS-accepting owner is rectified. If the project is part of an organization, you can remove all owners, potentially making the organization inaccessible. Authorization requires the Google IAM permission resourcemanager.projects.setIamPolicy on the project. |
| setOrgPolicy | Updates the specified Policy on the resource. Creates a new Policy for that Constraint on the resource if one does not exist. Not supplying an etag on the request Policy results in an unconditional write of the Policy. |
| testIamPermissions | Returns permissions that a caller has on the specified Project. For additional information about resource (e.g. my-project-id) structure and identification, see Resource Names. There are no permissions required for making this API call. |
| undelete | Restores the Project identified by the specified project_id (for example, my-project-123). You can only use this method for a Project that has a lifecycle state of DELETE_REQUESTED. After deletion starts, the Project cannot be restored. The caller must have undelete permissions for this Project. |
| update | Updates the attributes of the Project identified by the specified project_id (for example, my-project-123). The caller must have modify permissions for this Project. |
Module: googleapis.cloudresourcemanager.v2.folders
| Functions | |
|---|---|
| create | Creates a Folder in the resource hierarchy. Returns an Operation which can be used to track the progress of the folder creation workflow. Upon success the Operation.response field will be populated with the created Folder. In order to succeed, the addition of this new Folder must not violate the Folder naming, height or fanout constraints. + The Folder's display_name must be distinct from all other Folders that share its parent. + The addition of the Folder must not cause the active Folder hierarchy to exceed a height of 10. Note, the full active + deleted Folder hierarchy is allowed to reach a height of 20; this provides additional headroom when moving folders that contain deleted folders. + The addition of the Folder must not cause the total number of Folders under its parent to exceed 300. If the operation fails due to a folder constraint violation, some errors may be returned by the CreateFolder request, with status code FAILED_PRECONDITION and an error description. Other folder constraint violations will be communicated in the Operation, with the specific PreconditionFailure returned via the details list in the Operation.error field. The caller must have resourcemanager.folders.create permission on the identified parent. |
| delete | Requests deletion of a Folder. The Folder is moved into the DELETE_REQUESTED state immediately, and is deleted approximately 30 days later. This method may only be called on an empty Folder in the ACTIVE state, where a Folder is empty if it doesn't contain any Folders or Projects in the ACTIVE state. The caller must have resourcemanager.folders.delete permission on the identified folder. |
| get | Retrieves a Folder identified by the supplied resource name. Valid Folder resource names have the format folders/{folder_id} (for example, folders/1234). The caller must have resourcemanager.folders.get permission on the identified folder. |
| getIamPolicy | Gets the access control policy for a Folder. The returned policy may be empty if no such policy or resource exists. The resource field should be the Folder's resource name, e.g. "folders/1234". The caller must have resourcemanager.folders.getIamPolicy permission on the identified folder. |
| list | Lists the Folders that are direct descendants of supplied parent resource. List provides a strongly consistent view of the Folders underneath the specified parent resource. List returns Folders sorted based upon the (ascending) lexical ordering of their display_name. The caller must have resourcemanager.folders.list permission on the identified parent. |
| move | Moves a Folder under a new resource parent. Returns an Operation which can be used to track the progress of the folder move workflow. Upon success the Operation.response field will be populated with the moved Folder. Upon failure, a FolderOperationError categorizing the failure cause will be returned - if the failure occurs synchronously then the FolderOperationError will be returned via the Status.details field and if it occurs asynchronously then the FolderOperation will be returned via the Operation.error field. In addition, the Operation.metadata field will be populated with a FolderOperation message as an aid to stateless clients. Folder moves will be rejected if they violate either the naming, height or fanout constraints described in the CreateFolder documentation. The caller must have resourcemanager.folders.move permission on the folder's current and proposed new parent. |
| patch | Updates a Folder, changing its display_name. Changes to the folder display_name will be rejected if they violate either the display_name formatting rules or naming constraints described in the CreateFolder documentation. The Folder's display name must start and end with a letter or digit, may contain letters, digits, spaces, hyphens and underscores and can be between 3 and 30 characters. This is captured by the regular expression: \p{L}\p{N}{1,28}[\p{L}\p{N}]. The caller must have resourcemanager.folders.update permission on the identified folder. If the update fails due to the unique name constraint then a PreconditionFailure explaining this violation will be returned in the Status.details field. |
| search | Search for folders that match specific filter criteria. Search provides an eventually consistent view of the folders a user has access to which meet the specified filter criteria. This will only return folders on which the caller has the permission resourcemanager.folders.get. |
| setIamPolicy | Sets the access control policy on a Folder, replacing any existing policy. The resource field should be the Folder's resource name, e.g. "folders/1234". The caller must have resourcemanager.folders.setIamPolicy permission on the identified folder. |
| testIamPermissions | Returns permissions that a caller has on the specified Folder. The resource field should be the Folder's resource name, e.g. "folders/1234". There are no permissions required for making this API call. |
| undelete | Cancels the deletion request for a Folder. This method may only be called on a Folder in the DELETE_REQUESTED state. In order to succeed, the Folder's parent must be in the ACTIVE state. In addition, reintroducing the folder into the tree must not violate folder naming, height and fanout constraints described in the CreateFolder documentation. The caller must have resourcemanager.folders.undelete permission on the identified folder. |
Module: googleapis.cloudresourcemanager.v3.folders
| Functions | |
|---|---|
| create | Creates a folder in the resource hierarchy. Returns an Operation which can be used to track the progress of the folder creation workflow. Upon success, the Operation.response field will be populated with the created Folder. In order to succeed, the addition of this new folder must not violate the folder naming, height, or fanout constraints. + The folder's display_name must be distinct from all other folders that share its parent. + The addition of the folder must not cause the active folder hierarchy to exceed a height of 10. Note, the full active + deleted folder hierarchy is allowed to reach a height of 20; this provides additional headroom when moving folders that contain deleted folders. + The addition of the folder must not cause the total number of folders under its parent to exceed 300. If the operation fails due to a folder constraint violation, some errors may be returned by the CreateFolder request, with status code FAILED_PRECONDITION and an error description. Other folder constraint violations will be communicated in the Operation, with the specific PreconditionFailure returned in the details list in the Operation.error field. The caller must have resourcemanager.folders.create permission on the identified parent. |
| delete | Requests deletion of a folder. The folder is moved into the DELETE_REQUESTED state immediately, and is deleted approximately 30 days later. This method may only be called on an empty folder, where a folder is empty if it doesn't contain any folders or projects in the ACTIVE state. If called on a folder in DELETE_REQUESTED state the operation will result in a no-op success. The caller must have resourcemanager.folders.delete permission on the identified folder. |
| get | Retrieves a folder identified by the supplied resource name. Valid folder resource names have the format folders/{folder_id} (for example, folders/1234). The caller must have resourcemanager.folders.get permission on the identified folder. |
| getIamPolicy | Gets the access control policy for a folder. The returned policy may be empty if no such policy or resource exists. The resource field should be the folder's resource name, for example: "folders/1234". The caller must have resourcemanager.folders.getIamPolicy permission on the identified folder. |
| list | Lists the folders that are direct descendants of supplied parent resource. list() provides a strongly consistent view of the folders underneath the specified parent resource. list() returns folders sorted based upon the (ascending) lexical ordering of their display_name. The caller must have resourcemanager.folders.list permission on the identified parent. |
| move | Moves a folder under a new resource parent. Returns an Operation which can be used to track the progress of the folder move workflow. Upon success, the Operation.response field will be populated with the moved folder. Upon failure, a FolderOperationError categorizing the failure cause will be returned - if the failure occurs synchronously then the FolderOperationError will be returned in the Status.details field. If it occurs asynchronously, then the FolderOperation will be returned in the Operation.error field. In addition, the Operation.metadata field will be populated with a FolderOperation message as an aid to stateless clients. Folder moves will be rejected if they violate either the naming, height, or fanout constraints described in the CreateFolder documentation. The caller must have resourcemanager.folders.move permission on the folder's current and proposed new parent. |
| patch | Updates a folder, changing its display_name. Changes to the folder display_name will be rejected if they violate either the display_name formatting rules or the naming constraints described in the CreateFolder documentation. The folder's display_name must start and end with a letter or digit, may contain letters, digits, spaces, hyphens and underscores and can be between 3 and 30 characters. This is captured by the regular expression: \p{L}\p{N}{1,28}[\p{L}\p{N}]. The caller must have resourcemanager.folders.update permission on the identified folder. If the update fails due to the unique name constraint then a PreconditionFailure explaining this violation will be returned in the Status.details field. |
| search | Search for folders that match specific filter criteria. search() provides an eventually consistent view of the folders a user has access to which meet the specified filter criteria. This will only return folders on which the caller has the permission resourcemanager.folders.get. |
| setIamPolicy | Sets the access control policy on a folder, replacing any existing policy. The resource field should be the folder's resource name, for example: "folders/1234". The caller must have resourcemanager.folders.setIamPolicy permission on the identified folder. |
| testIamPermissions | Returns permissions that a caller has on the specified folder. The resource field should be the folder's resource name, for example: "folders/1234". There are no permissions required for making this API call. |
| undelete | Cancels the deletion request for a folder. This method may be called on a folder in any state. If the folder is in the ACTIVE state the result will be a no-op success. In order to succeed, the folder's parent must be in the ACTIVE state. In addition, reintroducing the folder into the tree must not violate folder naming, height, and fanout constraints described in the CreateFolder documentation. The caller must have resourcemanager.folders.undelete permission on the identified folder. |
Module: googleapis.cloudresourcemanager.v3.liens
| Functions | |
|---|---|
| create | Create a Lien which applies to the resource denoted by the parent field. Callers of this method will require permission on the parent resource. For example, applying to projects/1234 requires permission resourcemanager.projects.updateLiens. NOTE: Some resources may limit the number of Liens which may be applied. |
| delete | Delete a Lien by name. Callers of this method will require permission on the parent resource. For example, a Lien with a parent of projects/1234 requires permission resourcemanager.projects.updateLiens. |
| get | Retrieve a Lien by name. Callers of this method will require permission on the parent resource. For example, a Lien with a parent of projects/1234 requires permission resourcemanager.projects.get. |
| list | List all Liens applied to the parent resource. Callers of this method will require permission on the parent resource. For example, a Lien with a parent of projects/1234 requires permission resourcemanager.projects.get. |
Module: googleapis.cloudresourcemanager.v3.operations
| Functions | |
|---|---|
| get | Gets the latest state of a long-running operation. Clients can use this method to poll the operation result at intervals as recommended by the API service. |
Module: googleapis.cloudresourcemanager.v3.organizations
| Functions | |
|---|---|
| get | Fetches an organization resource identified by the specified resource name. |
| getIamPolicy | Gets the access control policy for an organization resource. The policy may be empty if no such policy or resource exists. The resource field should be the organization's resource name, for example: "organizations/123". Authorization requires the IAM permission resourcemanager.organizations.getIamPolicy on the specified organization. |
| search | Searches organization resources that are visible to the user and satisfy the specified filter. This method returns organizations in an unspecified order. New organizations do not necessarily appear at the end of the results, and may take a small amount of time to appear. Search will only return organizations on which the user has the permission resourcemanager.organizations.get. |
| setIamPolicy | Sets the access control policy on an organization resource. Replaces any existing policy. The resource field should be the organization's resource name, for example: "organizations/123". Authorization requires the IAM permission resourcemanager.organizations.setIamPolicy on the specified organization. |
| testIamPermissions | Returns the permissions that a caller has on the specified organization. The resource field should be the organization's resource name, for example: "organizations/123". There are no permissions required for making this API call. |
Module: googleapis.cloudresourcemanager.v3.projects
| Functions | |
|---|---|
create | Request that a new project be created. The result is anOperationwhich can be used to track the creation process. This process usuallytakes a few seconds, but can sometimes take much longer. The trackingOperation is automatically deleted after a few hours, so there is noneed to callDeleteOperation. |
delete | Marks the project identified by the specifiedname (for example,projects/415104041262) for deletion. This method will only affect theproject if it has a lifecycle state of ACTIVE. This method changes theProject's lifecycle state from ACTIVE to DELETE_REQUESTED. The deletionstarts at an unspecified time, at which point the Project is no longeraccessible. Until the deletion completes, you can check the lifecyclestate checked by retrieving the project with GetProject, and the projectremains visible to ListProjects. However, you cannot update the project.After the deletion completes, the project is not retrievable by theGetProject, ListProjects, and SearchProjects methods. This methodbehaves idempotently, such that deleting aDELETE_REQUESTED projectwill not cause an error, but also won't do anything. The caller musthaveresourcemanager.projects.delete permissions for this project. |
get | Retrieves the project identified by the specifiedname (for example,projects/415104041262). The caller must haveresourcemanager.projects.get permission for this project. |
getIamPolicy | Returns the IAM access control policy for the specified project, in theformatprojects/{ProjectIdOrNumber} e.g. projects/123. Permission isdenied if the policy or the resource do not exist. |
list | Lists projects that are direct children of the specified folder ororganization resource.list() provides a strongly consistent view ofthe projects underneath the specified parent resource.list() returnsprojects sorted based upon the (ascending) lexical ordering of theirdisplay_name. The caller must haveresourcemanager.projects.listpermission on the identified parent. |
move | Move a project to another place in your resource hierarchy, under a newresource parent. Returns an operation which can be used to track theprocess of the project move workflow. Upon success, theOperation.response field will be populated with the moved project. Thecaller must haveresourcemanager.projects.move permission on theproject, on the project's current and proposed new parent. If projecthas no current parent, or it currently does not have an associatedorganization resource, you will also need theresourcemanager.projects.setIamPolicy permission in the project. |
patch | Updates thedisplay_name and labels of the project identified by thespecifiedname (for example,projects/415104041262). Deleting alllabels requires an update mask for labels field. The caller must haveresourcemanager.projects.update permission for this project. |
search | Search for projects that the caller has bothresourcemanager.projects.get permission on, and also satisfy thespecified query. This method returns projects in an unspecified order.This method is eventually consistent with project mutations; this meansthat a newly created project may not appear in the results or recentupdates to an existing project may not be reflected in the results. Toretrieve the latest state of a project, use the GetProject method. |
setIamPolicy | Sets the IAM access control policy for the specified project, in the format projects/{ProjectIdOrNumber} e.g. projects/123. CAUTION: This method will replace the existing policy, and cannot be used to append additional IAM settings. Note: Removing service accounts from policies or changing their roles can render services completely inoperable. It is important to understand how the service account is being used before removing or updating its roles. The following constraints apply when using setIamPolicy(): + Project does not support allUsers and allAuthenticatedUsers as members in a Binding of a Policy. + The owner role can be granted to a user, serviceAccount, or a group that is part of an organization. For example, group@myownpersonaldomain.com could be added as an owner to a project in the myownpersonaldomain.com organization, but not the examplepetstore.com organization. + Service accounts can be made owners of a project directly without any restrictions. However, to be added as an owner, a user must be invited using the Cloud Platform console and must accept the invitation. + A user cannot be granted the owner role using setIamPolicy(). The user must be granted the owner role using the Cloud Platform Console and must explicitly accept the invitation. + Invitations to grant the owner role cannot be sent using setIamPolicy(); they must be sent only using the Cloud Platform Console. + If the project is not part of an organization, there must be at least one owner who has accepted the Terms of Service (ToS) agreement in the policy. Calling setIamPolicy() to remove the last ToS-accepted owner from the policy will fail. This restriction also applies to legacy projects that no longer have owners who have accepted the ToS. Edits to IAM policies will be rejected until the lack of a ToS-accepting owner is rectified. If the project is part of an organization, you can remove all owners, potentially making the organization inaccessible. + Calling this method requires enabling the App Engine Admin API. |
testIamPermissions | Returns permissions that a caller has on the specified project, in the format projects/{ProjectIdOrNumber} e.g. projects/123. |
undelete | Restores the project identified by the specified name (for example, projects/415104041262). You can only use this method for a project that has a lifecycle state of DELETE_REQUESTED. After deletion starts, the project cannot be restored. The caller must have resourcemanager.projects.undelete permission for this project. |
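
Because setIamPolicy replaces the whole project policy, a caller has to read the current policy, merge the change into it, and send the full result back. The following is an added example, not code from this page or from Google: a Python sketch of that merge step, operating on the policy JSON between a getIamPolicy call and a setIamPolicy call. The function names `add_binding` and `lost_grants` and the sample policy are assumptions made for illustration.

```python
import copy

# Member identifiers the page says a project policy does not support.
UNSUPPORTED_PROJECT_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample of a policy as returned by getIamPolicy (not real data).
SAMPLE_POLICY = {
    "version": 1,
    "etag": "CONSTRUCTED_ETAG",
    "bindings": [
        {"role": "roles/owner",
         "members": ["serviceAccount:deployer@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
    ],
}


def add_binding(current_policy, role, member):
    """Return a copy of current_policy with member added to role.

    Every existing binding and the etag are carried over, so sending the
    result to setIamPolicy appends one grant instead of replacing them all.
    """
    if member in UNSUPPORTED_PROJECT_MEMBERS:
        raise ValueError(f"{member} is not supported in a project policy")
    if role == "roles/owner" and member.startswith("user:"):
        raise ValueError("a user must be invited as owner through the console")
    policy = copy.deepcopy(current_policy)
    bindings = policy.setdefault("bindings", [])
    for binding in bindings:
        # Only merge into an unconditional binding for the same role.
        if binding.get("role") == role and "condition" not in binding:
            if member not in binding.setdefault("members", []):
                binding["members"].append(member)
            break
    else:
        bindings.append({"role": role, "members": [member]})
    return policy


def lost_grants(current_policy, proposed_policy):
    """List (role, member) pairs present now but missing from the proposal."""
    def pairs(policy):
        return {(b["role"], m)
                for b in policy.get("bindings", [])
                for m in b.get("members", [])}
    return sorted(pairs(current_policy) - pairs(proposed_policy))
```

Running `lost_grants` on the policy about to be sent is a cheap pre-flight check: a non-empty result lists the grants the call would remove. It compares role and member only and ignores binding conditions.
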
Module: googleapis.cloudresourcemanager.v3.tagBindings
| Functions | |
|---|---|
create | Creates a TagBinding between a TagValue and a cloud resource (currently project, folder, or organization). |
delete | Deletes a TagBinding. |
list | Lists the TagBindings for the given cloud resource, as specified with parent. NOTE: The parent field is expected to be a full resource name: https://cloud.google.com/apis/design/resource_names#full_resource_name |
Module: googleapis.cloudresourcemanager.v3.tagKeys
| Functions | |
|---|---|
create | Creates a new TagKey. If another request with the same parameters is sent while the original request is in process, the second request will receive an error. A maximum of 300 TagKeys can exist under a parent at any given time. |
delete | Deletes a TagKey. The TagKey cannot be deleted if it has any child TagValues. |
get | Retrieves a TagKey. This method will return PERMISSION_DENIED if the key does not exist or the user does not have permission to view it. |
getIamPolicy | Gets the access control policy for a TagKey. The returned policy may be empty if no such policy or resource exists. The resource field should be the TagKey's resource name. For example, "tagKeys/1234". The caller must have cloudresourcemanager.googleapis.com/tagKeys.getIamPolicy permission on the specified TagKey. |
list | Lists all TagKeys for a parent resource. |
patch | Updates the attributes of the TagKey resource. |
setIamPolicy | Sets the access control policy on a TagKey, replacing any existing policy. The resource field should be the TagKey's resource name. For example, "tagKeys/1234". The caller must have resourcemanager.tagKeys.setIamPolicy permission on the identified tagValue. |
testIamPermissions | Returns permissions that a caller has on the specified TagKey. The resource field should be the TagKey's resource name. For example, "tagKeys/1234". There are no permissions required for making this API call. |
Module: googleapis.cloudresourcemanager.v3.tagValues
| Functions | |
|---|---|
create | Creates a TagValue as a child of the specified TagKey. If another request with the same parameters is sent while the original request is in process, the second request will receive an error. A maximum of 300 TagValues can exist under a TagKey at any given time. |
delete | Deletes a TagValue. The TagValue cannot have any bindings when it is deleted. |
get | Retrieves a TagValue. If the TagValue or namespaced name does not exist, or if the user does not have permission to view it, this method will return PERMISSION_DENIED. |
getIamPolicy | Gets the access control policy for a TagValue. The returned policy may be empty if no such policy or resource exists. The resource field should be the TagValue's resource name. For example: tagValues/1234. The caller must have the cloudresourcemanager.googleapis.com/tagValues.getIamPolicy permission on the identified TagValue to get the access control policy. |
list | Lists all TagValues for a specific TagKey. |
patch | Updates the attributes of the TagValue resource. |
setIamPolicy | Sets the access control policy on a TagValue, replacing any existing policy. The resource field should be the TagValue's resource name. For example: tagValues/1234. The caller must have resourcemanager.tagValues.setIamPolicy permission on the identified tagValue. |
testIamPermissions | Returns permissions that a caller has on the specified TagValue. The resource field should be the TagValue's resource name. For example: tagValues/1234. There are no permissions required for making this API call. |
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.