REST Resource: folders.locations.policyBindings

Resource: PolicyBinding

IAM policy binding

JSON representation
{
  "name": string,
  "uid": string,
  "etag": string,
  "displayName": string,
  "annotations": {
    string: string,
    ...
  },
  "target": {
    object (Target)
  },
  "policyKind": enum (PolicyKind),
  "policy": string,
  "policyUid": string,
  "condition": {
    object (Expr)
  },
  "createTime": string,
  "updateTime": string
}
Fields
name

string

Identifier. The name of the policy binding, in the format {binding_parent}/locations/{location}/policyBindings/{policyBindingId}. The binding parent is the closest Resource Manager resource (i.e., Project, Folder or Organization) to the binding target.

Format:

  • projects/{projectId}/locations/{location}/policyBindings/{policyBindingId}
  • projects/{projectNumber}/locations/{location}/policyBindings/{policyBindingId}
  • folders/{folderId}/locations/{location}/policyBindings/{policyBindingId}
  • organizations/{organizationId}/locations/{location}/policyBindings/{policyBindingId}
uid

string

Output only. The globally unique ID of the policy binding. Assigned when the policy binding is created.

etag

string

Optional. The etag for the policy binding. If this is provided on update, it must match the server's etag.

displayName

string

Optional. The description of the policy binding. Must be less than or equal to 63 characters.

annotations

map (key: string, value: string)

Optional. User-defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

target

object (Target)

Required. Immutable. Target is the full resource name of the resource to which the policy will be bound. Immutable once set.

policyKind

enum (PolicyKind)

Immutable. The kind of the policy to attach in this binding. This field must be one of the following:

  • Left empty (will be automatically set to the policy kind)
  • The input policy kind
policy

string

Required. Immutable. The resource name of the policy to be bound. The binding parent and policy must belong to the same Organization (or Project).

policyUid

string

Output only. The globally unique ID of the policy to be bound.

condition

object (Expr)

Optional. Condition can either be a principal condition or a resource condition. Which one applies depends on the type of target, the policy it is attached to, and/or the expression itself. When set, the expression field in the Expr must include from 1 to 10 subexpressions, joined by the "||" (logical OR), "&&" (logical AND) or "!" (logical NOT) operators, and cannot contain more than 250 characters. Allowed operations for principal.subject:

  • principal.subject == <principal subject string>
  • principal.subject != <principal subject string>
  • principal.subject in [<list of principal subjects>]
  • principal.subject.startsWith(<string>)
  • principal.subject.endsWith(<string>)

Allowed operations for principal.type:

  • principal.type == <principal type string>
  • principal.type != <principal type string>
  • principal.type in [<list of principal types>]

Supported principal types are Workspace, Workforce Pool, Workload Pool and Service Account. The principal type string must be one of:

  • iam.googleapis.com/WorkspaceIdentity
  • iam.googleapis.com/WorkforcePoolIdentity
  • iam.googleapis.com/WorkloadPoolIdentity
  • iam.googleapis.com/ServiceAccount

When the bound policy is a principal access boundary policy, the only supported attributes in any subexpression are principal.type and principal.subject. An example expression is: "principal.type == 'iam.googleapis.com/ServiceAccount'" or "principal.subject == 'bob@example.com'".
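As an added example (not part of the Google documentation), a Python checker that applies the constraints documented above for a principal access boundary binding condition: the 250-character cap, the 1 to 10 subexpression limit, the allowed principal.subject and principal.type operations, and the allowed principal type strings. It does not evaluate CEL and does not parse parentheses that group across an operator; the service remains the authority on what it accepts.

```python
import re

MAX_CONDITION_CHARS = 250   # documented limit on the condition expression
MAX_SUBEXPRESSIONS = 10     # documented limit on joined subexpressions
# principal.type values the page lists as allowed.
ALLOWED_PRINCIPAL_TYPES = {
    "iam.googleapis.com/WorkspaceIdentity",
    "iam.googleapis.com/WorkforcePoolIdentity",
    "iam.googleapis.com/WorkloadPoolIdentity",
    "iam.googleapis.com/ServiceAccount",
}

# Building blocks: a CEL string literal and a list of string literals.
_STR = r"(?:'[^']*'|\"[^\"]*\")"
_LIST = r"\[\s*" + _STR + r"(?:\s*,\s*" + _STR + r")*\s*\]"

# One pattern per operation the page allows on principal.subject and principal.type.
_SUBJECT_OPS = [
    re.compile(r"^principal\.subject\s*(?:==|!=)\s*" + _STR + r"$"),
    re.compile(r"^principal\.subject\s+in\s+" + _LIST + r"$"),
    re.compile(r"^principal\.subject\.(?:startsWith|endsWith)\(\s*" + _STR + r"\s*\)$"),
]
_TYPE_OPS = [
    re.compile(r"^principal\.type\s*(?:==|!=)\s*" + _STR + r"$"),
    re.compile(r"^principal\.type\s+in\s+" + _LIST + r"$"),
]


def validate_pab_condition(expression):
    """Return the documented constraints the expression violates (empty list = passes)."""
    errors = []
    if len(expression) > MAX_CONDITION_CHARS:
        errors.append(f"{len(expression)} characters, limit is {MAX_CONDITION_CHARS}")
    # Split on the binary operators; a leading '!' and one wrapping pair of parentheses
    # are tolerated on each piece (grouping across operators is not parsed here).
    parts = [p.strip() for p in re.split(r"\|\||&&", expression)]
    if not 1 <= len(parts) <= MAX_SUBEXPRESSIONS:
        errors.append(f"{len(parts)} subexpressions, allowed range is 1-{MAX_SUBEXPRESSIONS}")
    for part in parts:
        sub = part.lstrip("!").strip()
        if sub.startswith("(") and sub.endswith(")"):
            sub = sub[1:-1].strip()
        if any(p.match(sub) for p in _SUBJECT_OPS):
            continue
        if any(p.match(sub) for p in _TYPE_OPS):
            for lit in re.findall(_STR, sub):          # every quoted type must be supported
                if lit[1:-1] not in ALLOWED_PRINCIPAL_TYPES:
                    errors.append(f"unsupported principal type {lit}")
            continue
        errors.append(f"unsupported subexpression: {part!r}")
    return errors
```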

createTime

string (Timestamp format)

Output only. The time when the policy binding was created.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

updateTime

string (Timestamp format)

Output only. The time when the policy binding was most recently updated.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

Target

Target is the full resource name of the resource to which the policy will be bound. Immutable once set.

JSON representation
{
  // Union field target can be only one of the following:
  "principalSet": string
  // End of list of possible types for union field target.
}
Fields

Union field target.

target can be only one of the following:

principalSet

string

Immutable. Full Resource Name used for principal access boundary policy bindings. Examples:

  • Organization: //cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID
  • Folder: //cloudresourcemanager.googleapis.com/folders/FOLDER_ID
  • Project:
    • //cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER
    • //cloudresourcemanager.googleapis.com/projects/PROJECT_ID
  • Workload Identity Pool: //iam.googleapis.com/projects/PROJECT_NUMBER/locations/LOCATION/workloadIdentityPools/WORKLOAD_POOL_ID
  • Workforce Identity: //iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID
  • Workspace Identity: //iam.googleapis.com/locations/global/workspace/WORKSPACE_ID

PolicyKind

Different policy kinds supported in this binding.

Enums

  • POLICY_KIND_UNSPECIFIED: Unspecified policy kind; not a valid state.
  • PRINCIPAL_ACCESS_BOUNDARY: Principal access boundary policy kind.
  • ACCESS: Access policy kind. Keep behind visibility label until Access Policy launch.

Expr

Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec.

Example (Comparison):

title: "Summary size limit"
description: "Determines if a summary is less than 100 chars"
expression: "document.summary.size() < 100"

Example (Equality):

title: "Requestor is owner"
description: "Determines if requestor is the document owner"
expression: "document.owner == request.auth.claims.email"

Example (Logic):

title: "Public documents"
description: "Determine whether the document should be publicly visible"
expression: "document.type != 'private' && document.type != 'internal'"

Example (Data Manipulation):

title: "Notification string"
description: "Create a notification string with a timestamp."
expression: "'New message received at ' + string(document.create_time)"

The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.

JSON representation
{
  "expression": string,
  "title": string,
  "description": string,
  "location": string
}
Fields
expression

string

Textual representation of an expression in Common Expression Language syntax.

title

string

Optional. Title for the expression, i.e. a short string describing its purpose. This can be used, e.g., in UIs that allow the expression to be entered.

description

string

Optional. Description of the expression. This is a longer text that describes the expression, e.g. when it is hovered over in a UI.

location

string

Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

Methods

create

Creates a policy binding and returns a long-running operation.

delete

Deletes a policy binding and returns a long-running operation.

get

Gets a policy binding.

list

Lists policy bindings.

patch

Updates a policy binding and returns a long-running operation.

searchTargetPolicyBindings

Searches policy bindings by target.