Package google.iam.v2beta

Policies

An interface for managing Identity and Access Management (IAM) policies.

CreatePolicy

rpc CreatePolicy(CreatePolicyRequest) returns (Operation)

Creates a policy.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloud-platform
  • https://www.googleapis.com/auth/iam

For more information, see the Authentication Overview.

DeletePolicy

rpc DeletePolicy(DeletePolicyRequest) returns (Operation)

Deletes a policy. This action is permanent.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloud-platform
  • https://www.googleapis.com/auth/iam

For more information, see the Authentication Overview.

GetPolicy

rpc GetPolicy(GetPolicyRequest) returns (Policy)

Gets a policy.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloud-platform
  • https://www.googleapis.com/auth/iam

For more information, see the Authentication Overview.

ListPolicies

rpc ListPolicies(ListPoliciesRequest) returns (ListPoliciesResponse)

Retrieves the policies of the specified kind that are attached to a resource.

The response lists only policy metadata. In particular, policy rules are omitted.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloud-platform
  • https://www.googleapis.com/auth/iam

For more information, see the Authentication Overview.

UpdatePolicy

rpc UpdatePolicy(UpdatePolicyRequest) returns (Operation)

Updates the specified policy.

You can update only the rules and the display name for the policy.

To update a policy, you should use a read-modify-write loop:

  1. Use GetPolicy to read the current version of the policy.
  2. Modify the policy as needed.
  3. Use UpdatePolicy to write the updated policy.

This pattern helps prevent conflicts between concurrent updates.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloud-platform
  • https://www.googleapis.com/auth/iam

For more information, see the Authentication Overview.

CreatePolicyRequest

Request message for CreatePolicy.

Fields
parent

string

Required. The resource that the policy is attached to, along with the kind of policy to create. Format: policies/{attachment_point}/denypolicies

The attachment point is identified by its URL-encoded full resource name, which means that the forward-slash character, /, must be written as %2F. For example, policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies.

For organizations and folders, use the numeric ID in the full resource name. For projects, you can use the alphanumeric or the numeric ID.

policy

Policy

Required. The policy to create.

policy_id

string

The ID to use for this policy, which will become the final component of the policy's resource name. The ID must contain 3 to 63 characters. It can contain lowercase letters and numbers, as well as dashes (-) and periods (.). The first character must be a lowercase letter.
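As an added example (not part of this reference and not code from any Google client library), the Python helpers below build the parent and name strings in the format described above, URL-encode the attachment point's full resource name so that every / becomes %2F, enforce the policy_id rules (3 to 63 characters, lowercase letters, digits, dashes and periods, first character a lowercase letter), and parse a returned name back into its parts. The function names and the restriction to Resource Manager attachment points (projects, folders, organizations) are choices made for this example.

```python
import re
from urllib.parse import quote, unquote

# Hypothetical helper module written for this example; it is not part of the
# google.iam.v2beta API surface or of any Google client library.

# policy_id rules from the CreatePolicyRequest reference: 3 to 63 characters,
# lowercase letters, digits, dashes and periods, first character a lowercase letter.
_POLICY_ID_RE = re.compile(r"^[a-z][a-z0-9.-]{2,62}$")

# Attachment point types handled by this example (Resource Manager resources).
_ATTACHMENT_TYPES = ("projects", "folders", "organizations")


def validate_policy_id(policy_id: str) -> bool:
    """Return True if policy_id satisfies the documented character and length rules."""
    return _POLICY_ID_RE.fullmatch(policy_id) is not None


def attachment_point(resource_type: str, resource_id: str) -> str:
    """Return the URL-encoded full resource name of the attachment point.

    quote(..., safe="") leaves letters, digits, '.', '-', '_' and '~' alone and
    encodes every '/' as '%2F', which is what the resource-name format requires.
    """
    if resource_type not in _ATTACHMENT_TYPES:
        raise ValueError(f"unsupported attachment point type: {resource_type!r}")
    if resource_type != "projects" and not resource_id.isdigit():
        # Organizations and folders must be addressed by their numeric ID;
        # projects may use either the alphanumeric or the numeric ID.
        raise ValueError(f"{resource_type} must use the numeric ID, got {resource_id!r}")
    full_name = f"cloudresourcemanager.googleapis.com/{resource_type}/{resource_id}"
    return quote(full_name, safe="")


def deny_policy_parent(resource_type: str, resource_id: str) -> str:
    """Build the parent string used by CreatePolicy and ListPolicies."""
    return f"policies/{attachment_point(resource_type, resource_id)}/denypolicies"


def deny_policy_name(resource_type: str, resource_id: str, policy_id: str) -> str:
    """Build the name string used by GetPolicy and DeletePolicy, rejecting a bad policy_id."""
    if not validate_policy_id(policy_id):
        raise ValueError(f"invalid policy_id: {policy_id!r}")
    return f"{deny_policy_parent(resource_type, resource_id)}/{policy_id}"


def parse_deny_policy_name(name: str) -> tuple:
    """Split a policy name into (decoded attachment point, policy_id).

    Handy for names returned by ListPolicies, where the attachment point is encoded
    and therefore contains no '/' of its own.
    """
    parts = name.split("/")
    if len(parts) != 4 or parts[0] != "policies" or parts[2] != "denypolicies":
        raise ValueError(f"not a deny policy name: {name!r}")
    return unquote(parts[1]), parts[3]


if __name__ == "__main__":
    # Constructed sample values, not a real project.
    print(deny_policy_name("projects", "my-project", "my-policy"))
    print(parse_deny_policy_name(deny_policy_name("projects", "my-project", "my-policy")))
```

Building names through a helper like this keeps the encoding in one place; a name assembled by hand with a literal / inside the attachment point is the usual cause of a malformed-request error.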

DeletePolicyRequest

Request message for DeletePolicy.

Fields
name

string

Required. The resource name of the policy to delete. Format: policies/{attachment_point}/denypolicies/{policy_id}

Use the URL-encoded full resource name, which means that the forward-slash character, /, must be written as %2F. For example, policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies/my-policy.

For organizations and folders, use the numeric ID in the full resource name. For projects, you can use the alphanumeric or the numeric ID.

etag

string

Optional. The expected etag of the policy to delete. If the value does not match the value that is stored in IAM, the request fails with a 409 error code and ABORTED status.

If you omit this field, the policy is deleted regardless of its current etag.

DenyRule

A deny rule in an IAM deny policy.

Fields
denied_principals[]

string

The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:

  • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.

  • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.

  • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.

  • principalSet://goog/public:all: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.

  • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

  • principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}: A single identity in a workforce identity pool.

  • principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/group/{group_id}: All workforce identities in a group.

  • principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/attribute.{attribute_name}/{attribute_value}: All workforce identities with a specific attribute value.

  • principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/*: All identities in a workforce identity pool.

  • principal://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/subject/{subject_attribute_value}: A single identity in a workload identity pool.

  • principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/group/{group_id}: A workload identity pool group.

  • principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/attribute.{attribute_name}/{attribute_value}: All identities in a workload identity pool with a certain attribute.

  • principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/*: All identities in a workload identity pool.

  • principalSet://cloudresourcemanager.googleapis.com/[projects|folders|organizations]/{project_number|folder_number|org_number}/type/ServiceAccount: All service accounts grouped under a resource (project, folder, or organization).

  • principalSet://cloudresourcemanager.googleapis.com/[projects|folders|organizations]/{project_number|folder_number|org_number}/type/ServiceAgent: All service agents grouped under a resource (project, folder, or organization).

  • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.

  • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.

  • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.

  • deleted:principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}: Deleted single identity in a workforce identity pool. For example, deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-pool-id/subject/my-subject-attribute-value.

exception_principals[]

string

The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.

This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.

denied_permissions[]

string

The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.

exception_permissions[]

string

Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions, then it will not be denied.

The excluded permissions can be specified using the same syntax as denied_permissions.

denial_condition

Expr

The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.

Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.

The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.
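As an added example (written for this page, not Google's code), the Python model below captures how the DenyRule fields above combine at evaluation time: a request is denied by a rule only when the caller matches a denied principal and none of the exception principals, the permission is in denied_permissions and not in exception_permissions, and the condition holds; each rule is evaluated independently. It also performs the structural checks a reviewer would want before submitting a rule: principal identifiers use one of the documented forms, principalSet://goog/public:all is absent from exception_principals, and permissions have the {service_fqdn}/{resource}.{verb} shape. Two simplifications are assumptions of this example: membership in groups and pools is supplied by the caller as an already-expanded set of identifiers (IAM resolves this itself), and the CEL condition over resource tags is stood in for by a Python predicate over a tag dictionary. The sample rule and callers are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional

# Example-only model of a DenyRule written for this page; not Google's code.

PUBLIC_ALL = "principalSet://goog/public:all"

# Prefixes of the principal identifier forms documented for denied_principals.
# Structural check only: IAM itself verifies that the identity exists.
_PRINCIPAL_PREFIXES = (
    "principal://goog/subject/",
    "principal://iam.googleapis.com/projects/",
    "principal://iam.googleapis.com/locations/global/workforcePools/",
    "principalSet://goog/group/",
    "principalSet://goog/cloudIdentityCustomerId/",
    "principalSet://iam.googleapis.com/projects/",
    "principalSet://iam.googleapis.com/locations/global/workforcePools/",
    "principalSet://cloudresourcemanager.googleapis.com/",
)

# {service_fqdn}/{resource}.{verb}, for example iam.googleapis.com/roles.list
_PERMISSION_RE = re.compile(r"^[a-z][a-z0-9-]*(\.[a-z0-9-]+)+/[A-Za-z0-9]+(\.[A-Za-z0-9]+)+$")


def is_valid_principal(identifier: str) -> bool:
    """True if the identifier has one of the documented shapes."""
    if identifier == PUBLIC_ALL:
        return True
    if identifier.startswith("deleted:"):
        # deleted:<identifier>[?uid=<n>]; the uid suffix is absent in one listed form.
        body, _, uid = identifier[len("deleted:"):].partition("?uid=")
        if body == PUBLIC_ALL or body.startswith("deleted:"):
            return False
        return is_valid_principal(body) and (uid == "" or uid.isdigit())
    return identifier.startswith(_PRINCIPAL_PREFIXES)


def is_valid_permission(permission: str) -> bool:
    return _PERMISSION_RE.fullmatch(permission) is not None


@dataclass
class DenyRule:
    denied_principals: List[str]
    denied_permissions: List[str]
    exception_principals: List[str] = field(default_factory=list)
    exception_permissions: List[str] = field(default_factory=list)
    # Stand-in for denial_condition (assumption of this example): IAM evaluates a CEL
    # expression over resource tags; here a Python predicate over {tag_key: tag_value}.
    denial_condition: Optional[Callable[[Dict[str, str]], bool]] = None


def validate_deny_rule(rule: DenyRule) -> List[str]:
    """Return the problems found; an empty list means the rule is well formed."""
    problems = []
    for p in rule.denied_principals:
        if not is_valid_principal(p):
            problems.append(f"denied_principals: unrecognised identifier {p!r}")
    for p in rule.exception_principals:
        if p == PUBLIC_ALL:
            problems.append("exception_principals: principalSet://goog/public:all is not allowed")
        elif not is_valid_principal(p):
            problems.append(f"exception_principals: unrecognised identifier {p!r}")
    for perm in list(rule.denied_permissions) + list(rule.exception_permissions):
        if not is_valid_permission(perm):
            problems.append(f"permission {perm!r} is not of the form service_fqdn/resource.verb")
    return problems


def rule_denies(rule: DenyRule, principal_ids: Iterable[str], permission: str,
                resource_tags: Dict[str, str]) -> bool:
    """Decide whether this one rule denies `permission` to the caller.

    principal_ids holds every identifier the caller matches: its own principal://
    identifier plus the principalSet:// groups and pools it belongs to (assumption:
    the caller supplies the expanded set). Everyone matches public:all.
    """
    matched = set(principal_ids) | {PUBLIC_ALL}
    if not matched.intersection(rule.denied_principals):
        return False                       # caller is not a denied principal
    if matched.intersection(rule.exception_principals):
        return False                       # caller is carved out of the rule
    if permission not in rule.denied_permissions:
        return False
    if permission in rule.exception_permissions:
        return False                       # denied minus excepted permissions
    if rule.denial_condition is not None and not rule.denial_condition(resource_tags):
        return False                       # condition false: this rule does not apply
    return True


def policy_denies(rules: Iterable[DenyRule], principal_ids: Iterable[str],
                  permission: str, resource_tags: Dict[str, str]) -> bool:
    """Rules are evaluated independently; any rule that applies denies the request."""
    return any(rule_denies(r, principal_ids, permission, resource_tags) for r in rules)


# Constructed sample callers: bob and alice both belong to the admins group.
BOB = {"principal://goog/subject/bob@example.com", "principalSet://goog/group/admins@example.com"}
ALICE = {"principal://goog/subject/alice@example.com", "principalSet://goog/group/admins@example.com"}


def example_rule() -> DenyRule:
    """Constructed sample: deny the admins group roles.list on prod-tagged resources,
    carve out alice, and never deny roles.get."""
    return DenyRule(
        denied_principals=["principalSet://goog/group/admins@example.com"],
        exception_principals=["principal://goog/subject/alice@example.com"],
        denied_permissions=["iam.googleapis.com/roles.list", "iam.googleapis.com/roles.get"],
        exception_permissions=["iam.googleapis.com/roles.get"],
        denial_condition=lambda tags: tags.get("env") == "prod",
    )
```

Running validate_deny_rule before CreatePolicy or UpdatePolicy catches the two mistakes that otherwise surface only as a rejected request: a principal string in the wrong form and public:all placed in exception_principals.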

GetPolicyRequest

Request message for GetPolicy.

Fields
name

string

Required. The resource name of the policy to retrieve. Format: policies/{attachment_point}/denypolicies/{policy_id}

Use the URL-encoded full resource name, which means that the forward-slash character, /, must be written as %2F. For example, policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies/my-policy.

For organizations and folders, use the numeric ID in the full resource name. For projects, you can use the alphanumeric or the numeric ID.

ListPoliciesRequest

Request message for ListPolicies.

Fields
parent

string

Required. The resource that the policy is attached to, along with the kind of policy to list. Format: policies/{attachment_point}/denypolicies

The attachment point is identified by its URL-encoded full resource name, which means that the forward-slash character, /, must be written as %2F. For example, policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies.

For organizations and folders, use the numeric ID in the full resource name. For projects, you can use the alphanumeric or the numeric ID.

page_size

int32

The maximum number of policies to return. IAM ignores this value and uses the value 1000.

page_token

string

A page token received in a ListPoliciesResponse. Provide this token to retrieve the next page.

ListPoliciesResponse

Response message for ListPolicies.

Fields
policies[]

Policy

Metadata for the policies that are attached to the resource.

next_page_token

string

A page token that you can use in a ListPoliciesRequest to retrieve the next page. If this field is omitted, there are no additional pages.

Policy

Data for an IAM policy.

Fields
name

string

Immutable. The resource name of the Policy, which must be unique. Format: policies/{attachment_point}/denypolicies/{policy_id}

The attachment point is identified by its URL-encoded full resource name, which means that the forward-slash character, /, must be written as %2F. For example, policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies/my-deny-policy.

For organizations and folders, use the numeric ID in the full resource name. For projects, requests can use the alphanumeric or the numeric ID. Responses always contain the numeric ID.

uid

string

Immutable. The globally unique ID of the Policy. Assigned automatically when the Policy is created.

kind

string

Output only. The kind of the Policy. Always contains the value DenyPolicy.

display_name

string

A user-specified description of the Policy. This value can be up to 63 characters.

annotations

map<string, string>

A key-value map to store arbitrary metadata for the Policy. Keys can be up to 63 characters. Values can be up to 255 characters.

etag

string

An opaque tag that identifies the current version of the Policy. IAM uses this value to help manage concurrent updates, so they do not cause one update to be overwritten by another.

If this field is present in a CreatePolicyRequest, the value is ignored.

create_time

Timestamp

Output only. The time when the Policy was created.

update_time

Timestamp

Output only. The time when the Policy was last updated.

delete_time

Timestamp

Output only. The time when the Policy was deleted. Empty if the policy is not deleted.

rules[]

PolicyRule

A list of rules that specify the behavior of the Policy. All of the rules should be of the kind specified in the Policy.

PolicyOperationMetadata

Metadata for long-running Policy operations.

Fields
create_time

Timestamp

Timestamp when the google.longrunning.Operation was created.

PolicyRule

A single rule in a Policy.

Fields
description

string

A user-specified description of the rule. This value can be up to 256 characters.

Union field kind.

kind can be only one of the following:

deny_rule

DenyRule

A rule for a deny policy.

UpdatePolicyRequest

Request message for UpdatePolicy.

Fields
policy

Policy

Required. The policy to update.

To prevent conflicting updates, the etag value must match the value that is stored in IAM. If the etag values do not match, the request fails with a 409 error code and ABORTED status.
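The read-modify-write loop described under UpdatePolicy and the etag semantics stated here (and under DeletePolicyRequest.etag and Policy.etag) are shown together in the following added example. It is not Google's code: FakePolicies is an in-memory stand-in for the Policies service, constructed for this example, that models only the documented behaviour, namely that CreatePolicy ignores a client-supplied etag, UpdatePolicy changes only rules and display_name and fails with 409 ABORTED on an etag mismatch, and DeletePolicy enforces the etag only when one is given. Rule payloads are simplified to strings, and the policy name is a constructed sample.

```python
import copy
import itertools
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# In-memory stand-in for the Policies service, constructed for this example.
# Not Google's client library; only the etag behaviour on this page is modelled.


class Aborted(Exception):
    """Mirrors the 409 / ABORTED failure returned when the etag does not match."""
    code = 409
    status = "ABORTED"


@dataclass
class Policy:
    name: str
    display_name: str = ""
    rules: List[str] = field(default_factory=list)   # rule payloads simplified to strings
    etag: str = ""


class FakePolicies:
    def __init__(self) -> None:
        self._store = {}
        self._etag_seq = itertools.count(1)

    def _next_etag(self) -> str:
        return f"etag-{next(self._etag_seq)}"

    def create_policy(self, policy: Policy) -> Policy:
        if policy.name in self._store:
            raise ValueError(f"{policy.name} already exists")
        stored = copy.deepcopy(policy)
        stored.etag = self._next_etag()      # a client-supplied etag is ignored on create
        self._store[policy.name] = stored
        return copy.deepcopy(stored)

    def get_policy(self, name: str) -> Policy:
        return copy.deepcopy(self._store[name])

    def update_policy(self, policy: Policy) -> Policy:
        current = self._store[policy.name]
        if policy.etag != current.etag:
            raise Aborted(f"etag {policy.etag!r} does not match stored {current.etag!r}")
        current.rules = copy.deepcopy(policy.rules)   # only rules and display_name
        current.display_name = policy.display_name    # are updatable
        current.etag = self._next_etag()
        return copy.deepcopy(current)

    def delete_policy(self, name: str, etag: Optional[str] = None) -> None:
        current = self._store[name]
        if etag is not None and etag != current.etag:
            raise Aborted(f"etag {etag!r} does not match stored {current.etag!r}")
        del self._store[name]   # with no etag the policy is deleted regardless of version


def read_modify_write(service: FakePolicies, name: str, modify: Callable[[Policy], None],
                      max_attempts: int = 5) -> Tuple[Policy, int]:
    """GetPolicy, apply modify, UpdatePolicy; re-read and retry when a concurrent writer
    changed the etag in between. Returns the stored policy and the attempt count."""
    for attempt in range(1, max_attempts + 1):
        policy = service.get_policy(name)
        modify(policy)
        try:
            return service.update_policy(policy), attempt
        except Aborted:
            if attempt == max_attempts:
                raise
    raise AssertionError("unreachable")


POLICY_NAME = ("policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project"
               "/denypolicies/my-deny-policy")   # constructed example name


def demo() -> Tuple[int, List[str], bool]:
    """Race two writers: the stale write is rejected, the loop re-reads and converges."""
    svc = FakePolicies()
    svc.create_policy(Policy(name=POLICY_NAME, display_name="baseline",
                             rules=["rule-a"], etag="ignored-by-create"))
    raced = []

    def modify(p: Policy) -> None:
        if not raced:                       # on the first attempt only, another writer
            raced.append(True)              # commits between our GetPolicy and UpdatePolicy
            other = svc.get_policy(POLICY_NAME)
            other.rules.append("rule-from-b")
            svc.update_policy(other)
        p.rules.append("rule-from-a")

    updated, attempts = read_modify_write(svc, POLICY_NAME, modify)

    try:                                    # a delete with a stale etag is refused too
        svc.delete_policy(POLICY_NAME, etag="etag-1")
        stale_delete_rejected = False
    except Aborted:
        stale_delete_rejected = True
    return attempts, updated.rules, stale_delete_rejected


if __name__ == "__main__":
    print(demo())   # (2, ['rule-a', 'rule-from-b', 'rule-from-a'], True)
```

The point of the loop is visible in the result: the first UpdatePolicy is refused because writer B's commit changed the etag, the retry starts from a fresh GetPolicy, and both writers' rules survive. A client that caught the 409 and resent the same stale object would instead silently drop rule-from-b.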

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-05-21 UTC.