DenyRule(mapping=None, *, ignore_unknown_fields=False, **kwargs)
A deny rule in an IAM deny policy.
Attributes | |
---|---|
Name | Description |
denied_principals |
Sequence[str]
The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values: - principalSet://goog/public:all : A special identifier
that represents any principal that is on the internet,
even if they do not have a Google Account or are not
logged in.
- principal://goog/subject/{email_id} : A specific
Google Account. Includes Gmail, Cloud Identity, and
Google Workspace user accounts. For example,
principal://goog/subject/alice@example.com .
- deleted:principal://goog/subject/{email_id}?uid={uid} :
A specific Google Account that was deleted recently. For
example,
deleted:principal://goog/subject/alice@example.com?uid=1234567890 .
If the Google Account is recovered, this identifier
reverts to the standard identifier for a Google Account.
- principalSet://goog/group/{group_id} : A Google group.
For example,
principalSet://goog/group/admins@example.com .
- deleted:principalSet://goog/group/{group_id}?uid={uid} :
A Google group that was deleted recently. For example,
deleted:principalSet://goog/group/admins@example.com?uid=1234567890 .
If the Google group is restored, this identifier reverts
to the standard identifier for a Google group.
- principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id} :
A Google Cloud service account. For example,
principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com .
- deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid} :
A Google Cloud service account that was deleted recently.
For example,
deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890 .
If the service account is undeleted, this identifier
reverts to the standard identifier for a service account.
- principalSet://goog/cloudIdentityCustomerId/{customer_id} :
All of the principals associated with the specified
Google Workspace or Cloud Identity customer ID. For
example,
principalSet://goog/cloudIdentityCustomerId/C01Abc35 .
|
exception_principals |
Sequence[str]
The identities that are excluded from the deny rule, even if they are listed in the denied_principals . For example,
you could add a Google group to the denied_principals ,
then exclude specific users who belong to that group.
This field can contain the same values as the
denied_principals field, excluding
principalSet://goog/public:all , which represents all
users on the internet.
|
denied_permissions |
Sequence[str]
The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb} , where
{service_fqdn} is the fully qualified domain name for
the service. For example, iam.googleapis.com/roles.list .
|
exception_permissions |
Sequence[str]
Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions .
If a permission appears in denied_permissions *and* in
exception_permissions then it will *not* be denied.
The excluded permissions can be specified using the same
syntax as denied_permissions .
|
denial_condition |
google.type.expr_pb2.Expr
The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true , then the deny rule is applied; otherwise, the deny
rule is not applied.
Each deny rule is evaluated independently. If this deny rule
does not apply to a request, other deny rules might still
apply.
The condition can use CEL functions that evaluate `resource
tags |