Using Access Context Manager, you can make bulk updates to resources that belong to your organization's access policy, such as access levels and service perimeters. Changes to your resources are applied only if all parts of the bulk operation are successful.
This topic describes only bulk replacement of service perimeters. For more information about bulk replacement of access levels, refer to the Access Context Manager documentation.
Get a list of service perimeters
Because bulk operations affect all service perimeters for your organization, start by obtaining a complete list of your perimeters. You can format this list as YAML and use it as the basis for bulk changes to your perimeters.
To get a formatted list of service perimeters, refer to List service perimeters (formatted).
When overriding all service perimeter configurations with the replace-all command, you must not set the etag fields within perimeters. Etags are likely to change between fetching and updating the perimeters, causing the replace-all command to return an etag mismatch error. However, you can set an etag for the entire replace-all request with the top-level --etag parameter if you want to enforce the etag check.
Instead of manually removing each of the etag properties within the perimeters, you can fetch the perimeters without etag properties by specifying a --format with all fields except etag:
gcloud access-context-manager perimeters list \
  --policy=POLICY_NAME \
  --format="json(name,title,description,perimeterType,status,spec,useExplicitDryRunSpec)"
Bulk replace service perimeters
The following section details how to bulk replace your service perimeters.
gcloud
To bulk replace all service perimeters, use the replace-all command:
gcloud access-context-manager perimeters replace-all POLICY_NAME \
  --source-file=FILE \
  --etag=ETAG
Where:
POLICY_NAME is the name of your organization's access policy. This value is required only if you haven't set a default access policy.
FILE is the name of a .yaml file that defines the new settings for your existing service perimeters.
For example:
- name: accessPolicies/11271009391/servicePerimeters/storage_perimeter
  title: Storage Perimeter
  description: Perimeter to protect Storage resources.
  perimeterType: PERIMETER_TYPE_REGULAR
  status:
    restrictedServices:
    - storage.googleapis.com
- name: accessPolicies/11271009391/servicePerimeters/bigquery_perimeter
  title: BigQuery Perimeter
  description: Perimeter to protect BigQuery resources.
  perimeterType: PERIMETER_TYPE_REGULAR
  status:
    restrictedServices:
    - bigquery.googleapis.com
For more information about formatting the YAML file, refer to the JSON structure of Access Context Manager's ServicePerimeterConfig object.
ETAG (optional) is a string that represents the target version of your organization's access policy. If you do not include an etag, the bulk operation targets the latest version of your organization's access policy. To obtain the latest etag of your access policy, list your access policies.
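As an added pre-flight check that is not part of this page or of the gcloud CLI, the Python below takes a perimeter list as returned by the --format shown above (a constructed sample is embedded inline), strips the per-perimeter etag fields that replace-all rejects, and flags conditions that would make the all-or-nothing request fail or silently change more than intended: a leftover etag, a name that is not a full resource name, duplicate names, and a perimeter that exists in the current policy but is absent from the new file. The helper names are this example's own.

```python
import json

# Constructed sample of `gcloud ... perimeters list --format=json` output, here
# including the per-perimeter "etag" fields that replace-all must not receive.
CURRENT_LIST = json.loads("""[
  {"name": "accessPolicies/11271009391/servicePerimeters/storage_perimeter",
   "title": "Storage Perimeter", "perimeterType": "PERIMETER_TYPE_REGULAR",
   "etag": "constructed-etag-1",
   "status": {"restrictedServices": ["storage.googleapis.com"]}},
  {"name": "accessPolicies/11271009391/servicePerimeters/bigquery_perimeter",
   "title": "BigQuery Perimeter", "perimeterType": "PERIMETER_TYPE_REGULAR",
   "etag": "constructed-etag-2",
   "status": {"restrictedServices": ["bigquery.googleapis.com"]}}
]""")


def strip_etags(perimeters):
    """Return a copy of the list with every per-perimeter etag removed.
    The policy-level etag check, if wanted, goes on the --etag flag instead."""
    return [{k: v for k, v in p.items() if k != "etag"} for p in perimeters]


def preflight(current, proposed):
    """Return a list of problems with `proposed` relative to `current`.
    An empty list means the file is ready for replace-all; because the
    operation applies only if every part succeeds, one bad entry fails it all."""
    problems = []
    names = [p.get("name", "") for p in proposed]
    for i, p in enumerate(proposed):
        if "etag" in p:
            problems.append(f"entry {i}: per-perimeter etag present, remove it")
        if not p.get("name", "").startswith("accessPolicies/"):
            problems.append(f"entry {i}: name is not a full resource name")
    for n in sorted(set(names)):
        if names.count(n) > 1:
            problems.append(f"duplicate perimeter name {n}")
    for n in sorted({p["name"] for p in current} - set(names)):
        problems.append(f"{n} exists today but is missing from the new file")
    return problems


def write_source_file(perimeters, path):
    """Write the cleaned list for --source-file; JSON is valid YAML syntax."""
    with open(path, "w") as fh:
        json.dump(perimeters, fh, indent=2)


if __name__ == "__main__":
    cleaned = strip_etags(CURRENT_LIST)
    for problem in preflight(CURRENT_LIST, cleaned) or ["no problems found"]:
        print(problem)
```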
API
To bulk replace all service perimeters, call servicePerimeters.replaceAll:
POST https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME/servicePerimeters.replaceAll?alt=json
Where:
- POLICY_NAME is the name of your organization's access policy.
Request body
The request body must include a list of ServicePerimeterConfig objects that specify the changes you want to make.
Optionally, to target a specific version of your organization's access policy, you can include an etag. If you do not include an etag, the bulk operation targets the latest version of your organization's access policy.
For example:
{
  "servicePerimeters": [
    object (ServicePerimeterConfig),
    object (ServicePerimeterConfig),
    ...
  ],
  "etag": string
}
Response body
If successful, the response body for the call contains an Operation resource that provides details about the POST operation.
Example response:
{
  "name": "operations/accessPolicies/11271009391/replacePerimeters/1583523447707087",
  "done": true,
  "response": {
    "@type": "type.googleapis.com/google.identity.accesscontextmanager.v1.ReplaceServicePerimetersResponse",
    "servicePerimeters": [
      {
        "name": "accessPolicies/11271009391/servicePerimeters/storage_perimeter",
        "title": "Storage Perimeter",
        "description": "Perimeter to protect Storage resources.",
        "status": {
          "accessLevels": [
            "accessPolicies/11271009391/accessLevels/corpnet_access"
          ],
          "restrictedServices": [
            "bigtable.googleapis.com"
          ]
        }
      },
      {
        "name": "accessPolicies/11271009391/servicePerimeters/storage_perimeter",
        "title": "BigQuery Perimeter",
        "description": "Perimeter to protect BigQuery resources.",
        "status": {
          "accessLevels": [
            "accessPolicies/11271009391/accessLevels/prodnet_access"
          ],
          "restrictedServices": [
            "bigtable.googleapis.com"
          ]
        }
      }
    ]
  }
}