You can set or get the Identity and Access Management (IAM), or access control, policy for one or more Connectivity Tests. In addition, you can view the permissions that a user or service account has for a specific Connectivity Test.
This document shows access control examples that use the Network Management API.
To follow these steps in the Google Cloud console or by using gcloud commands, see the IAM how-to guides.
For information about policy bindings and etags listed in the following commands, see the API reference for IAM policies.
For information about the IAM roles and permissions needed to run Connectivity Tests, see Roles and permissions.
Set an access control policy
This procedure sets the access control policy on the specified Connectivity Tests resource.
API
Use the networkmanagement.connectivitytests.setIamPolicy method to set the access control policy for a PRINCIPAL, ROLE, and TEST_ID.
The following example sets a policy that binds the role of networkmanagement.admin to username@yourcompany.com for mytest-1.
POST https://networkmanagement.googleapis.com/v1/{resource=projects/*/locations/global/connectivityTests/TEST_ID}:setIamPolicy
{
  "version": "VERSION",
  "etag": "ETAG",
  "bindings": [{
    "role": "ROLE",
    "members": [
      "PRINCIPAL"
    ]
  }]
}
Replace the following values:
TEST_ID: the ID of the Connectivity Tests object (test) that you are running
VERSION: specifies the format of the policy; valid values are 0, 1, and 3. Any operation that affects conditional role bindings must specify version 3
ETAG: used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other (an example etag is BwWbrqiZFRs=)
ROLE: a role that is assigned to principals (for example, roles/networkmanagement.admin)
PRINCIPAL: specifies the identities requesting access for a Google Cloud resource (for example, user:username@yourcompany.com); for a list of principal, or member, types, see the API reference for IAM policies
Get an access control policy
This procedure gets the access control policy for the specified Connectivity Tests resource.
API
Use the networkmanagement.connectivitytests.getIamPolicy method to get the access control policy for a PRINCIPAL, ROLE, and TEST_ID.
The following example gets a policy that binds the role of networkmanagement.admin to username@yourcompany.com for mytest-1.
GET https://networkmanagement.googleapis.com/v1/{resource=projects/*/locations/global/connectivityTests/TEST_ID}:getIamPolicy
{
  "version": "VERSION",
  "etag": "ETAG",
  "bindings": [{
    "role": "ROLE",
    "members": [
      "PRINCIPAL"
    ]
  }]
}
Replace the following values:
TEST_ID: the ID of the Connectivity Tests object (test) that you are running
VERSION: specifies the format of the policy; valid values are 0, 1, and 3. Any operation that affects conditional role bindings must specify version 3
ETAG: used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other (an example etag is BwWbrqiZFRs=)
ROLE: a role that is assigned to principals (for example, roles/networkmanagement.admin)
PRINCIPAL: specifies the identities requesting access for a Google Cloud resource (for example, user:username@yourcompany.com); for a list of principal types, see the API reference for IAM policies
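The etag and version fields described above matter most when a policy is changed rather than replaced: read the current policy, modify a copy, and send it back with the etag that was read. The following is an added example, not code from this documentation or from Google; the function name grant_role, the auditor account and the sample policy are constructed for illustration.

```python
import copy

def grant_role(current_policy, role, principal):
    """Build a setIamPolicy body that adds `principal` to `role`.

    `current_policy` is the JSON object returned by getIamPolicy; it is not
    modified. Existing bindings and the etag are carried over unchanged.
    """
    if not current_policy.get("etag"):
        # Without the etag, a concurrent update could be silently overwritten.
        raise ValueError("no etag: read the policy with getIamPolicy first")
    policy = copy.deepcopy(current_policy)
    bindings = policy.setdefault("bindings", [])
    for binding in bindings:
        # Merge only into an unconditional binding for the same role.
        if binding.get("role") == role and "condition" not in binding:
            if principal not in binding.setdefault("members", []):
                binding["members"].append(principal)
            break
    else:
        bindings.append({"role": role, "members": [principal]})
    # Conditional role bindings require policy version 3.
    if any("condition" in b for b in bindings):
        policy["version"] = 3
    else:
        policy.setdefault("version", 1)
    return policy

# Constructed sample of a getIamPolicy response (not real project data).
SAMPLE = {
    "version": 1,
    "etag": "BwWbrqiZFRs=",
    "bindings": [
        {"role": "roles/networkmanagement.viewer",
         "members": ["user:auditor@yourcompany.com"]},
    ],
}

if __name__ == "__main__":
    import json
    body = grant_role(SAMPLE, "roles/networkmanagement.admin",
                      "user:username@yourcompany.com")
    print(json.dumps(body, indent=2))
```

Sending only the new binding instead of the merged list would drop the existing viewer binding, which is why the function starts from the policy that was read.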
Test IAM permissions
This procedure returns permissions that a user or service account has for a Connectivity Tests resource.
API
Use the networkmanagement.connectivitytests.testIamPermissions method to return the permissions assigned to a TEST_ID.
The following example verifies that username@yourcompany.com has the networkmanagement.connectivitytests.get permission for mytest-1.
POST https://networkmanagement.googleapis.com/v1/{resource=projects/*/locations/global/connectivityTests/TEST_ID}:testIamPermissions
{
  "permissions": [
    "networkmanagement.connectivitytests.get"
  ]
}
Replace TEST_ID with the ID of the Connectivity Tests object (test) that you are running.