A result of IAM Policy search, containing information of an IAM policy.

.. attribute:: resource

   The full resource name of the resource associated with this
   IAM policy. Example:
   ``//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1``.
   See `Cloud Asset Inventory Resource Name Format
   <https://cloud.google.com/asset-inventory/docs/resource-name-format>`__
   for more information.

   To search against the ``resource``:

   - use a field query. Example: ``resource : "organizations/123"``

.. attribute:: policy

   The IAM policy directly set on the given resource. Note that
   the original IAM policy can contain multiple bindings. This
   only contains the bindings that match the given query. For
   queries that don’t contain a constraint on policies (e.g., an
   empty query), this contains all the bindings.

   To search against the ``policy`` bindings:

   - use a field query, as follows:

     - query by the policy contained members.
       Example: ``policy : "amy@gmail.com"``
     - query by the policy contained roles.
       Example: ``policy : "roles/compute.admin"``
     - query by the policy contained roles’ implied permissions.
       Example: ``policy.role.permissions : "compute.instances.create"``

Classes
Explanation
Explanation about the IAM policy search result.

.. attribute:: matched_permissions

   The map from roles to their included permissions that match
   the permission query (i.e., a query containing
   ``policy.role.permissions:``). Example: if query
   ``policy.role.permissions : "compute.disk.get"`` matches a
   policy binding that contains the owner role, the
   matched_permissions will be
   ``{"roles/owner": ["compute.disk.get"]}``. The roles can also be
   found in the returned ``policy`` bindings. Note that the map is
   populated only for requests with permission queries.
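
The following is an added example, not code from the client library: for an access review, it joins ``matched_permissions`` (role to permissions) with the returned ``policy`` bindings (role to members) to list who holds the queried permission on each resource. It assumes results are already available as plain dicts keyed by the attribute names documented above; ``permission_grants`` and the sample values are constructed for illustration.

```python
# Constructed sample for the query
#   policy.role.permissions : "compute.instances.create"
# shaped after the attributes documented above; every value is made up.
SAMPLE_PERMISSION_QUERY = [{
    "resource": "//cloudresourcemanager.googleapis.com/projects/my_project_123",
    "policy": {"bindings": [
        {"role": "roles/compute.admin",
         "members": ["user:amy@gmail.com", "group:ops@example.com"]},
        {"role": "roles/owner", "members": ["user:root@example.com"]},
    ]},
    "explanation": {"matched_permissions": {
        "roles/compute.admin": ["compute.instances.create"],
        "roles/owner": ["compute.instances.create"],
    }},
}]

# Constructed sample for the member query  policy : "amy@gmail.com"
# No permission query was made, so matched_permissions is not populated.
SAMPLE_MEMBER_QUERY = [{
    "resource": "//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1",
    "policy": {"bindings": [
        {"role": "roles/compute.admin", "members": ["user:amy@gmail.com"]},
    ]},
    "explanation": {},
}]


def permission_grants(results):
    """Return sorted (resource, member, role, permission) rows.

    Joins explanation.matched_permissions (role -> permissions) with
    policy.bindings (role -> members) for each search result.
    """
    rows = []
    for result in results:
        matched = (result.get("explanation") or {}).get("matched_permissions") or {}
        members_by_role = {}
        for binding in (result.get("policy") or {}).get("bindings", []):
            members_by_role.setdefault(binding["role"], []).extend(binding.get("members", []))
        for role, permissions in matched.items():
            for member in members_by_role.get(role, []):
                rows.extend((result["resource"], member, role, p) for p in permissions)
    return sorted(rows)


if __name__ == "__main__":
    for row in permission_grants(SAMPLE_PERMISSION_QUERY):
        print(*row, sep="  ")
```

A member or role query leaves the map empty, so the function returns no rows for it; the permission-level view requires a ``policy.role.permissions`` query.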