[−][src]Struct google_cloudasset1::Policy
An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources.
A Policy
is a collection of bindings
. A binding
binds one or more
members
to a single role
. Members can be user accounts, service accounts,
Google groups, and domains (such as G Suite). A role
is a named list of
permissions; each role
can be an IAM predefined role or a user-created
custom role.
Optionally, a binding
can specify a condition
, which is a logical
expression that allows access to a resource only if the expression evaluates
to true
. A condition can add constraints based on attributes of the
request, the resource, or both.
JSON example:
{
"bindings": [
{
"role": "roles/resourcemanager.organizationAdmin",
"members": [
"user:mike@example.com",
"group:admins@example.com",
"domain:google.com",
"serviceAccount:my-project-id@appspot.gserviceaccount.com"
]
},
{
"role": "roles/resourcemanager.organizationViewer",
"members": ["user:eve@example.com"],
"condition": {
"title": "expirable access",
"description": "Does not grant access after Sep 2020",
"expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",
}
}
],
"etag": "BwWWja0YfJA=",
"version": 3
}
YAML example:
bindings:
- members:
- user:mike@example.com
- group:admins@example.com
- domain:google.com
- serviceAccount:my-project-id@appspot.gserviceaccount.com
role: roles/resourcemanager.organizationAdmin
- members:
- user:eve@example.com
role: roles/resourcemanager.organizationViewer
condition:
title: expirable access
description: Does not grant access after Sep 2020
expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
- etag: BwWWja0YfJA=
- version: 3
For a description of IAM and its features, see the IAM documentation.
This type is not used in any activity, and only used as part of another schema.
Fields
audit_configs: Option<Vec<AuditConfig>>
Specifies cloud audit logging configuration for this policy.
etag: Option<String>
etag
is used for optimistic concurrency control as a way to help
prevent simultaneous updates of a policy from overwriting each other.
It is strongly suggested that systems make use of the etag
in the
read-modify-write cycle to perform policy updates in order to avoid race
conditions: An etag
is returned in the response to getIamPolicy
, and
systems are expected to put that etag in the request to setIamPolicy
to
ensure that their change will be applied to the same version of the policy.
Important: If you use IAM Conditions, you must include the etag
field
whenever you call setIamPolicy
. If you omit this field, then IAM allows
you to overwrite a version 3
policy with a version 1
policy, and all of
the conditions in the version 3
policy are lost.
bindings: Option<Vec<Binding>>
Associates a list of members
to a role
. Optionally, may specify a
condition
that determines how and when the bindings
are applied. Each
of the bindings
must contain at least one member.
version: Option<i32>
Specifies the format of the policy.
Valid values are 0
, 1
, and 3
. Requests that specify an invalid value
are rejected.
Any operation that affects conditional role bindings must specify version
3
. This requirement applies to the following operations:
- Getting a policy that includes a conditional role binding
- Adding a conditional role binding to a policy
- Changing a conditional role binding in a policy
- Removing any role binding, with or without a condition, from a policy that includes conditions
Important: If you use IAM Conditions, you must include the etag
field
whenever you call setIamPolicy
. If you omit this field, then IAM allows
you to overwrite a version 3
policy with a version 1
policy, and all of
the conditions in the version 3
policy are lost.
If a policy does not include any conditions, operations on that policy may specify any valid version or leave the field unset.
Trait Implementations
impl Clone for Policy
[src]
impl Debug for Policy
[src]
impl Default for Policy
[src]
impl<'de> Deserialize<'de> for Policy
[src]
fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error> where
__D: Deserializer<'de>,
[src]
__D: Deserializer<'de>,
impl Part for Policy
[src]
impl Serialize for Policy
[src]
Auto Trait Implementations
impl RefUnwindSafe for Policy
impl Send for Policy
impl Sync for Policy
impl Unpin for Policy
impl UnwindSafe for Policy
Blanket Implementations
impl<T> Any for T where
T: 'static + ?Sized,
[src]
T: 'static + ?Sized,
impl<T> Borrow<T> for T where
T: ?Sized,
[src]
T: ?Sized,
impl<T> BorrowMut<T> for T where
T: ?Sized,
[src]
T: ?Sized,
fn borrow_mut(&mut self) -> &mut T
[src]
impl<T> DeserializeOwned for T where
T: for<'de> Deserialize<'de>,
[src]
T: for<'de> Deserialize<'de>,
impl<T> From<T> for T
[src]
impl<T, U> Into<U> for T where
U: From<T>,
[src]
U: From<T>,
impl<T> ToOwned for T where
T: Clone,
[src]
T: Clone,
type Owned = T
The resulting type after obtaining ownership.
fn to_owned(&self) -> T
[src]
fn clone_into(&self, target: &mut T)
[src]
impl<T, U> TryFrom<U> for T where
U: Into<T>,
[src]
U: Into<T>,
type Error = Infallible
The type returned in the event of a conversion error.
fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>
[src]
impl<T, U> TryInto<U> for T where
U: TryFrom<T>,
[src]
U: TryFrom<T>,
type Error = <U as TryFrom<T>>::Error
The type returned in the event of a conversion error.
fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>
[src]
impl<T> Typeable for T where
T: Any,
T: Any,