Set IAM policies
Demonstrates how to set IAM policies on a source
Code sample
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],[],[],[],null,["# Set IAM policies\n\nDemonstrates how to set IAM policies on a source\n\nCode sample\n-----------\n\n### Go\n\n\nTo authenticate to Security Command Center, set up Application Default Credentials.\nFor more information, see\n\n[Set up authentication for a local development environment](/docs/authentication/set-up-adc-local-dev-environment).\n\n import (\n \t\"context\"\n \t\"fmt\"\n \t\"io\"\n\n \tiam \"cloud.google.com/go/iam/apiv1/iampb\"\n \tsecuritycenter \"cloud.google.com/go/securitycenter/apiv1\"\n )\n\n // setSourceIamPolicy grants user roles/securitycenter.findingsEditor permission\n // for a source. sourceName is the full resource name of the source to be\n // updated. 
user is an email address that IAM can grant permissions to.\n func setSourceIamPolicy(w io.Writer, sourceName string, user string) error {\n \t// sourceName := \"organizations/111122222444/sources/1234\"\n \t// user := \"someuser@some_domain.com\n \t// Instantiate a context and a security service client to make API calls.\n \tctx := context.Background()\n \tclient, err := securitycenter.https://cloud.google.com/go/docs/reference/cloud.google.com/go/securitycenter/latest/apiv1.html#cloud_google_com_go_securitycenter_apiv1_Client_NewClient(ctx)\n \tif err != nil {\n \t\treturn fmt.Errorf(\"securitycenter.NewClient: %w\", err)\n \t}\n \tdefer client.https://cloud.google.com/go/docs/reference/cloud.google.com/go/securitycenter/latest/apiv1.html#cloud_google_com_go_securitycenter_apiv1_Client_Close() // Closing the client safely cleans up background resources.\n\n \t// Retrieve the existing policy so we can update only a specific\n \t// field.\n \texisting, err := client.GetIamPolicy(ctx, &iam.https://cloud.google.com/go/docs/reference/cloud.google.com/go/iam/latest/apiv1/iampb.html#cloud_google_com_go_iam_apiv1_iampb_GetIamPolicyRequest{\n \t\tResource: sourceName,\n \t})\n \tif err != nil {\n \t\treturn fmt.Errorf(\"GetIamPolicy(%s): %w\", sourceName, err)\n \t}\n\n \treq := &iam.https://cloud.google.com/go/docs/reference/cloud.google.com/go/iam/latest/apiv1/iampb.html#cloud_google_com_go_iam_apiv1_iampb_SetIamPolicyRequest{\n \t\tResource: sourceName,\n \t\tPolicy: &iam.https://cloud.google.com/go/docs/reference/cloud.google.com/go/iam/latest/apiv1/iampb.html#cloud_google_com_go_iam_apiv1_iampb_Policy{\n \t\t\t// Enables partial update of existing policy\n \t\t\tEtag: existing.Etag,\n \t\t\tBindings: []*iam.https://cloud.google.com/go/docs/reference/cloud.google.com/go/iam/latest/apiv1/iampb.html#cloud_google_com_go_iam_apiv1_iampb_Binding{{\n \t\t\t\tRole: \"roles/securitycenter.findingsEditor\",\n \t\t\t\t// New IAM Binding for the user.\n \t\t\t\tMembers: 
[]string{fmt.Sprintf(\"user:%s\", user)},\n \t\t\t},\n \t\t\t},\n \t\t},\n \t}\n \tpolicy, err := client.SetIamPolicy(ctx, req)\n \tif err != nil {\n \t\treturn fmt.Errorf(\"SetIamPolicy(%s, %v): %w\", sourceName, req.https://cloud.google.com/go/docs/reference/cloud.google.com/go/iam/latest/apiv1/iampb.html#cloud_google_com_go_iam_apiv1_iampb_Policy, err)\n \t}\n\n \tfmt.Fprint(w, \"Bindings:\\n\")\n \tfor _, binding := range policy.Bindings {\n \t\tfor _, member := range binding.Members {\n \t\t\tfmt.Fprintf(w, \"Principal: %s Role: %s\\n\", member, binding.Role)\n \t\t}\n \t}\n \treturn nil\n }\n\n### Java\n\n\nTo authenticate to Security Command Center, set up Application Default Credentials.\nFor more information, see\n\n[Set up authentication for a local development environment](/docs/authentication/set-up-adc-local-dev-environment).\n\n static Policy setIamPolicySource(SourceName sourceName, String userEmail) {\n try (SecurityCenterClient client = SecurityCenterClient.create()) {\n // userEmail = \"someuser@domain.com\"\n // Set up IAM Policy for the user userMail to use the role findingsEditor.\n // The user must be a valid google account.\n Policy oldPolicy = client.getIamPolicy(sourceName.toString());\n Binding bindings =\n Binding.newBuilder()\n .setRole(\"roles/securitycenter.findingsEditor\")\n .addMembers(\"user:\" + userEmail)\n .build();\n Policy policy = oldPolicy.toBuilder().addBindings(bindings).build();\n\n // Start setting up a request to set IAM policy for a source.\n // SourceName sourceName = SourceName.of(\"123234324\", \"423432321\");\n SetIamPolicyRequest.Builder request =\n SetIamPolicyRequest.newBuilder().setPolicy(policy).setResource(sourceName.toString());\n\n // Call the API.\n Policy response = client.setIamPolicy(request.build());\n\n System.out.println(\"Policy: \" + response);\n return response;\n } catch (IOException e) {\n throw new RuntimeException(\"Couldn't create client.\", e);\n }\n }\n\n### Node.js\n\n\nTo authenticate to 
Security Command Center, set up Application Default Credentials.\nFor more information, see\n\n[Set up authentication for a local development environment](/docs/authentication/set-up-adc-local-dev-environment).\n\n // Imports the Google Cloud client library.\n const {SecurityCenterClient} = require('https://cloud.google.com/nodejs/docs/reference/security-center/latest/overview.html');\n\n // Creates a new client.\n const client = new https://cloud.google.com/nodejs/docs/reference/security-center/latest/overview.html();\n\n async function setSourceIamPolicy() {\n // sourceName is the full resource name of the source to be\n // updated.\n // user is an email address that IAM can grant permissions to.\n /*\n * TODO(developer): Uncomment the following lines\n */\n // const sourceName = \"organizations/111122222444/sources/1234\";\n // const user = \"someuser@domain.com\";\n const [existingPolicy] = await client.getIamPolicy({\n resource: sourceName,\n });\n\n const [updatedPolicy] = await client.setIamPolicy({\n resource: sourceName,\n policy: {\n // Enables partial update of existing policy\n etag: existingPolicy.etag,\n bindings: [\n {\n role: 'roles/securitycenter.findingsEditor',\n // New IAM Binding for the user.\n members: [`user:${user}`],\n },\n ],\n },\n });\n console.log('Updated policy: %j', updatedPolicy);\n }\n setSourceIamPolicy();\n\n### Python\n\n\nTo authenticate to Security Command Center, set up Application Default Credentials.\nFor more information, see\n\n[Set up authentication for a local development environment](/docs/authentication/set-up-adc-local-dev-environment).\n\n from google.cloud import securitycenter_v1\n from google.iam.v1 import policy_pb2\n\n client = securitycenter_v1.SecurityCenterClient()\n\n # 'source_name' is the resource path for a source that has been\n # created previously (you can use list_sources to find a specific one).\n # Its format is:\n # source_name = \"organizations/{organization_id}/sources/{source_id}\"\n # e.g.:\n 
# source_name = \"organizations/111122222444/sources/1234\"\n # Get the old policy so we can do an incremental update.\n old_policy = client.https://cloud.google.com/python/docs/reference/securitycenter/latest/google.cloud.securitycenter_v1.services.security_center.SecurityCenterClient.html#google_cloud_securitycenter_v1_services_security_center_SecurityCenterClient_get_iam_policy(request={\"resource\": source_name})\n print(f\"Old Policy: {old_policy}\")\n\n # Set up a new IAM binding.\n binding = policy_pb2.Binding()\n binding.role = \"roles/securitycenter.findingsEditor\"\n # user_email is an e-mail address known to Cloud IAM (e.g. a gmail address).\n # user_email = \"user@somedomain.com\"\n binding.members.append(f\"user:{user_email}\")\n\n # Setting the etag avoids overwriting a policy that has changed since it was read.\n updated = client.https://cloud.google.com/python/docs/reference/securitycenter/latest/google.cloud.securitycenter_v1.services.security_center.SecurityCenterClient.html#google_cloud_securitycenter_v1_services_security_center_SecurityCenterClient_set_iam_policy(\n request={\n \"resource\": source_name,\n \"policy\": {\"etag\": old_policy.etag, \"bindings\": [binding]},\n }\n )\n\n print(f\"Updated Policy: {updated}\")\n\nWhat's next\n-----------\n\n\nTo search and filter code samples for other Google Cloud products, see the\n[Google Cloud sample browser](/docs/samples?product=securitycenter)."]]