Reference documentation and code samples for the Cloud Spanner API class Google::Cloud::Spanner::Policy.
Policy
Represents a Cloud IAM Policy for the Spanner service.
A common pattern for updating a resource's metadata, such as its Policy,
is to read the current data from the service, update the data locally,
and then send the modified data for writing. This pattern may result in
a conflict if two or more processes attempt the sequence simultaneously.
IAM solves this problem with the #etag
property, which is used to verify whether the policy has changed since
the last request. When you make a request with an etag value, Cloud
IAM compares the etag value in the request with the existing etag
value associated with the policy. It writes the policy only if the
etag values match.
When you update a policy, first read the policy (and its current etag)
from the service, then modify the policy locally, and then write the
modified policy to the service. See Instance#policy, Instance#policy=,
Database#policy and Database#policy=.
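The read, modify, write sequence described above, modelled in memory as an added example (not code from this page or from google-cloud-spanner). PolicyStore, EtagConflict and update_policy are hypothetical names; in the real service the etag comparison is done by Cloud IAM when the policy is written.

```ruby
# Added illustration: in-memory stand-in for the server-side etag check.
# PolicyStore, EtagConflict and update_policy are hypothetical names.
class EtagConflict < StandardError; end

class PolicyStore
  def initialize(roles)
    @roles = copy roles
    @version = 0
  end

  # Read: a snapshot of the bindings plus the etag that identifies it.
  def read
    { etag: etag, roles: copy(@roles) }
  end

  # Write: accepted only if the request's etag matches the stored one.
  def write(policy)
    raise EtagConflict, "policy changed since read" unless policy[:etag] == etag
    @roles = copy policy[:roles]
    @version += 1
    read
  end

  private

  # Real etags are opaque strings; a counter is enough for this model.
  def etag
    format "etag-%04d", @version
  end

  def copy(roles)
    roles.transform_values(&:dup)
  end
end

# Read-modify-write; on conflict, re-read and reapply the change.
def update_policy(store, attempts: 3)
  attempts.times do
    policy = store.read
    yield policy[:roles]
    begin
      return store.write(policy)
    rescue EtagConflict
      next # another writer committed first
    end
  end
  raise EtagConflict, "gave up after #{attempts} attempts"
end
```

A write built from a stale read raises EtagConflict instead of silently overwriting a binding that another process added or removed in the meantime, which is what keeps a concurrent revocation from being undone.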
#add
def add(role_name, member)
Convenience method for adding a member to a binding on this policy.
See Understanding Roles for a listing of primitive and curated roles.
See Binding for a listing of values and patterns for members.
Parameters
role_name (String) — A Cloud IAM role, such as
"roles/spanner.admin".
member (String) — A Cloud IAM identity, such as
"user:owner@example.com".
#etag
def etag() -> String
Used to verify whether the policy has changed since
the last request. The policy will be written only if the etag values
match.
Returns
(String) — the current value of etag
#etag=
def etag=(value) -> String
Used to verify whether the policy has changed since
the last request. The policy will be written only if the etag values
match.
Parameter
value (String) — the newly set value
Returns
(String) — the newly set value
#remove
def remove(role_name, member)
Convenience method for removing a member from a binding on this
policy. See Understanding Roles for a listing of primitive and curated
roles. See Binding for a listing of values and patterns for members.
Parameters
role_name (String) — A Cloud IAM role, such as
"roles/spanner.admin".
member (String) — A Cloud IAM identity, such as
"user:owner@example.com".
#role
def role(role_name) -> Array<String>
Convenience method returning the array of members bound to a role in
this policy, or an empty array if no value is present for the role in
#roles. See Understanding Roles for a listing of primitive and curated
roles. See Binding for a listing of values and patterns for members.
Returns
(Array<String>) — The members strings, or an empty array.
#roles
def roles() -> Hash{String => Array<String>}
The bindings that associate roles with an array of members.
See Understanding Roles for a listing of primitive and curated roles.
See Binding for a listing of values and patterns for members.
Returns
(Hash{String => Array<String>}) — the current value of roles
#roles=
def roles=(value) -> Hash{String => Array<String>}
The bindings that associate roles with an array of members.
See Understanding Roles for a listing of primitive and curated roles.
See Binding for a listing of values and patterns for members.
Parameter
value (Hash{String => Array<String>}) — the newly set value
Returns
(Hash{String => Array<String>}) — the newly set value
Last updated 2025-08-28 UTC.