Ruby Client for the Privileged Access Manager API
Privileged Access Manager (PAM) helps you on your journey towards least privilege and helps mitigate risks tied to privileged access misuse or abuse. PAM allows you to shift from always-on standing privileges towards on-demand access with just-in-time, time-bound, and approval-based access elevations. PAM allows IAM administrators to create entitlements that can grant just-in-time, temporary access to any resource scope. Requesters can explore eligible entitlements and request the access needed for their task. Approvers are notified when approvals await their decision. Streamlined workflows facilitated by using PAM can support various use cases, including emergency access for incident responders, time-boxed access for developers for critical deployment or maintenance, temporary access for operators for data ingestion and audits, JIT access to service accounts for automated tasks, and more.
Overview
Privileged Access Manager (PAM) is a Google Cloud native, managed solution to secure, manage and audit privileged access while ensuring operational velocity and developer productivity.
PAM enables just-in-time, time-bound, approval-based access elevations, and auditing of privileged access elevations and activity. PAM lets you define the rules of who can request access, what they can request access to, and whether they should be granted access with or without approval, based on the sensitivity of the access and the urgency of the situation.
Concepts
Entitlement
An entitlement is an eligibility or license that allows specified users (requesters) to request and obtain access to specified resources, subject to a set of conditions such as duration. Entitlements can be granted to both human and non-human principals.
Grant
A grant is an instance of active usage against the entitlement. A user can place a request for a grant against an entitlement. The request may be forwarded to an approver for their decision. Once approved, the grant is activated, ultimately giving the user access (roles/permissions) on a resource per the criteria specified in the entitlement.
How does PAM work
PAM creates and uses a service agent (Google-managed service account) to perform the required IAM policy changes for granting access at a specific resource/access scope. The service agent requires getIAMPolicy and setIAMPolicy permissions at the appropriate (or higher) access scope (Organization/Folder/Project) to make policy changes on the resources listed in PAM entitlements.
When enabling PAM for a resource scope, the user/principal performing that action should have the appropriate permissions at that resource scope (`resourcemanager.{projects|folders|organizations}.setIamPolicy`, `resourcemanager.{projects|folders|organizations}.getIamPolicy`, and `resourcemanager.{projects|folders|organizations}.get`) to list and grant the service agent/account the required access to perform IAM policy changes.
Actual client classes for the various versions of this API are defined in versioned client gems, with names of the form `google-cloud-privileged_access_manager-v*`. The gem `google-cloud-privileged_access_manager` is the main client library that brings the versioned gems in as dependencies, and provides high-level methods for constructing clients. More information on versioned clients can be found below in the section titled Which client should I use?.
View the Client Library Documentation for this library, `google-cloud-privileged_access_manager`, to see the convenience methods for constructing client objects. Reference documentation for the client objects themselves can be found in the client library documentation for the versioned client gems: `google-cloud-privileged_access_manager-v1`.
See also the Product Documentation for more usage information.
Quick Start
```
$ gem install google-cloud-privileged_access_manager
```

In order to use this library, you first need to go through the following steps:
- Select or create a Cloud Platform project.
- Enable billing for your project.
- Enable the API.
- Set up authentication.
require"google/cloud/privileged_access_manager"client=Google::Cloud::PrivilegedAccessManager.privileged_access_managerrequest=::Google::Cloud::PrivilegedAccessManager::V1::CheckOnboardingStatusRequest.new# (request fields as keyword arguments...)response=client.check_onboarding_statusrequest
Debug Logging
This library comes with opt-in Debug Logging that can help you troubleshoot your application's integration with the API. When logging is activated, key events such as requests and responses, along with data payloads and metadata such as headers and client configuration, are logged to the standard error stream.
WARNING: Client Library Debug Logging includes your data payloads in plaintext, which could include sensitive data such as PII for yourself or your customers, private keys, or other security data that could be compromising if leaked. Always practice good data hygiene with your application logs, and follow the principle of least access. Google also recommends that Client Library Debug Logging be enabled only temporarily during active debugging, and not used permanently in production.
To enable logging, set the environment variable `GOOGLE_SDK_RUBY_LOGGING_GEMS` to the value `all`. Alternatively, you can set the value to a comma-delimited list of client library gem names. This will select the default logging behavior, which writes logs to the standard error stream. On a local workstation, this may result in logs appearing on the console. When running on a Google Cloud hosting service such as Google Cloud Run, this generally results in logs appearing alongside your application logs in the Google Cloud Logging service.
Debug logging also requires that the versioned clients for this service be sufficiently recent, released after about Dec 10, 2024. If logging is not working, try updating the versioned clients in your bundle or installed gems: `google-cloud-privileged_access_manager-v1`.
Supported Ruby Versions
This library is supported on Ruby 3.0+.
Google provides official support for Ruby versions that are actively supported by Ruby Core, that is, Ruby versions that are either in normal maintenance or in security maintenance, and not end of life. Older versions of Ruby may still work, but are unsupported and not recommended. See https://www.ruby-lang.org/en/downloads/branches/ for details about the Ruby support schedule.
Which client should I use?
Most modern Ruby client libraries for Google APIs come in two flavors: the main client library with a name such as `google-cloud-privileged_access_manager`, and lower-level versioned client libraries with names such as `google-cloud-privileged_access_manager-v1`. In most cases, you should install the main client.
What's the difference between the main client and a versioned client?
A versioned client provides a basic set of data types and client classes for a single version of a specific service. (That is, for a service with multiple versions, there might be a separate versioned client for each service version.) Most versioned clients are written and maintained by a code generator.
The main client is designed to provide you with the recommended client interfaces for the service. There will be only one main client for any given service, even a service with multiple versions. The main client includes factory methods for constructing the client objects we recommend for most users. In some cases, those will be classes provided by an underlying versioned client; in other cases, they will be handwritten higher-level client objects with additional capabilities, convenience methods, or best practices built in. Generally, the main client will default to a recommended service version, although in some cases you can override this if you need to talk to a specific service version.
Why would I want to use the main client?
We recommend that most users install the main client gem for a service. You can identify this gem as the one without a version in its name, e.g. `google-cloud-privileged_access_manager`. The main client is recommended because it will embody the best practices for accessing the service, and may also provide more convenient interfaces or tighter integration into frameworks and third-party libraries. In addition, the documentation and samples published by Google will generally demonstrate use of the main client.
Why would I want to use a versioned client?
You can use a versioned client if you are content with a possibly lower-level class interface, you explicitly want to avoid features provided by the main client, or you want to access a specific service version not covered by the main client. You can identify versioned client gems because the service version is part of the name, e.g. `google-cloud-privileged_access_manager-v1`.
What about the google-apis- clients?
Client library gems with names that begin with `google-apis-` are based on an older code generation technology. They talk to a REST/JSON backend (whereas most modern clients talk to a gRPC backend) and they may not offer the same performance, features, and ease of use provided by more modern clients.
The `google-apis-` clients have wide coverage across Google services, so you might need to use one if there is no modern client available for the service. However, if a modern client is available, we generally recommend it over the older `google-apis-` clients.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-10-30 UTC.