access_policies
Creates, updates, deletes, gets or lists an access_policies resource.
Overview
Name | access_policies |
Type | Resource |
Id | google.accesscontextmanager.access_policies |
Fields
The following fields are returned by SELECT queries:
- get
- list
Successful response
Name | Datatype | Description |
---|---|---|
name | string | Output only. Identifier. Resource name of the AccessPolicy . Format: accessPolicies/{access_policy} |
etag | string | Output only. An opaque identifier for the current version of the AccessPolicy . This will always be a strongly validated etag, meaning that two Access Policies will be identical if and only if their etags are identical. Clients should not expect this to be in any specific format. |
parent | string | Required. The parent of this AccessPolicy in the Cloud Resource Hierarchy. Currently immutable once created. Format: organizations/{organization_id} |
scopes | array | The scopes of the AccessPolicy. Scopes define which resources a policy can restrict and where its resources can be referenced. For example, policy A with scopes=["folders/123"] has the following behavior: - ServicePerimeter can only restrict projects within folders/123 . - ServicePerimeter within policy A can only reference access levels defined within policy A. - Only one policy can include a given scope; thus, attempting to create a second policy which includes folders/123 will result in an error. If no scopes are provided, then any resource within the organization can be restricted. Scopes cannot be modified after a policy is created. Policies can only have a single scope. Format: list of folders/{folder_number} or projects/{project_number} |
title | string | Required. Human readable title. Does not affect behavior. |
Methods
The following methods are available for this resource:
Name | Accessible by | Required Params | Optional Params | Description |
---|---|---|---|---|
get | select | accessPoliciesId | | Returns an access policy based on the name. |
list | select | parent | pageSize, pageToken | Lists all access policies in an organization. |
create | insert | | | Creates an access policy. This method fails if the organization already has an access policy. The long-running operation has a successful status after the access policy propagates to long-lasting storage. Syntactic and basic semantic errors are returned in metadata as a BadRequest proto. |
patch | update | accessPoliciesId | updateMask | Updates an access policy. The long-running operation from this RPC has a successful status after the changes to the access policy propagate to long-lasting storage. |
delete | delete | accessPoliciesId | | Deletes an access policy based on the resource name. The long-running operation has a successful status after the access policy is removed from long-lasting storage. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
Name | Datatype | Description |
---|---|---|
accessPoliciesId | string | The `{access_policy}` segment of the resource name `accessPolicies/{access_policy}`. |
pageSize | integer (int32) | Maximum number of policies to return per page of results. |
pageToken | string | Token from a previous list response used to fetch the next page. |
parent | string | Organization that owns the policies. Format: `organizations/{organization_id}`. |
updateMask | string (google-fieldmask) | Comma-separated list of fields to update on patch (for example `title`); `parent` and `scopes` are immutable after creation. |
SELECT examples
- get
- list
Returns an access policy based on the name.
SELECT
name,
etag,
parent,
scopes,
title
FROM google.accesscontextmanager.access_policies
WHERE accessPoliciesId = '{{ accessPoliciesId }}'; -- required
Lists all access policies in an organization.
SELECT
name,
etag,
parent,
scopes,
title
FROM google.accesscontextmanager.access_policies
WHERE parent = '{{ parent }}' -- required
AND pageSize = '{{ pageSize }}'
AND pageToken = '{{ pageToken }}';
INSERT examples
- create
- Manifest
Creates an access policy. This method fails if the organization already has an access policy. The long-running operation has a successful status after the access policy propagates to long-lasting storage. Syntactic and basic semantic errors are returned in metadata as a BadRequest proto.
INSERT INTO google.accesscontextmanager.access_policies (
data__name,
data__parent,
data__title,
data__scopes
)
SELECT
'{{ name }}',
'{{ parent }}',
'{{ title }}',
'{{ scopes }}'
RETURNING
name,
done,
error,
metadata,
response
;
# Description fields are for documentation purposes
- name: access_policies
  props:
    - name: name
      value: string
      description: >
        Output only. Identifier. Resource name of the `AccessPolicy`. Format: `accessPolicies/{access_policy}`
    - name: parent
      value: string
      description: >
        Required. The parent of this `AccessPolicy` in the Cloud Resource Hierarchy. Currently immutable once created. Format: `organizations/{organization_id}`
    - name: title
      value: string
      description: >
        Required. Human readable title. Does not affect behavior.
    - name: scopes
      value: array
      description: >
        The scopes of the AccessPolicy. Scopes define which resources a policy can restrict and where its resources can be referenced. For example, policy A with `scopes=["folders/123"]` has the following behavior: - ServicePerimeter can only restrict projects within `folders/123`. - ServicePerimeter within policy A can only reference access levels defined within policy A. - Only one policy can include a given scope; thus, attempting to create a second policy which includes `folders/123` will result in an error. If no scopes are provided, then any resource within the organization can be restricted. Scopes cannot be modified after a policy is created. Policies can only have a single scope. Format: list of `folders/{folder_number}` or `projects/{project_number}`
UPDATE examples
- patch
Updates an access policy. The long-running operation from this RPC has a successful status after the changes to the access policy propagate to long-lasting storage.
UPDATE google.accesscontextmanager.access_policies
SET
data__name = '{{ name }}',
data__parent = '{{ parent }}',
data__title = '{{ title }}',
data__scopes = '{{ scopes }}'
WHERE
accessPoliciesId = '{{ accessPoliciesId }}' --required
AND updateMask = '{{ updateMask}}'
RETURNING
name,
done,
error,
metadata,
response;
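The field descriptions and the Methods table above impose several constraints that the API only reports after a long-running operation has been submitted: a policy may carry at most one scope, a given folder or project scope can belong to only one policy, an organization can have only one unscoped (organization-level) policy, and `parent` and `scopes` cannot be changed by `patch`. The following is an added example, not code from the StackQL provider or from Google: a small pre-flight checker that validates a batch of policies before the INSERT above and computes the `updateMask` for the UPDATE above from the difference between the current and the desired policy. The policy dicts, the function names and the assumption that `title` is the only mutable field are illustrative choices made here.

```python
"""Pre-flight checks for Access Context Manager access policies.

Added example (not part of the StackQL docs or the Google API).  It encodes
the constraints stated in the field descriptions so that a manifest can be
checked locally before issuing INSERT / UPDATE.  Policy dicts, helper names
and the sample data are assumptions made for illustration.
"""
import re
from typing import Dict, List, Tuple

SCOPE_RE = re.compile(r"^(folders|projects)/\d+$")      # folders/{number} or projects/{number}
PARENT_RE = re.compile(r"^organizations/\d+$")          # organizations/{organization_id}
IMMUTABLE = ("parent", "scopes")   # fixed once the policy is created
MUTABLE = ("title",)               # the only field this helper lets patch change


def validate_new_policies(policies: List[Dict]) -> List[str]:
    """Return the problems found in a batch of policies that are to be created.

    The batch is assumed to describe every policy in each organization it
    touches, so duplicate scopes and a second organization-level policy can
    be detected before the API rejects them.
    """
    problems: List[str] = []
    seen_scopes: Dict[str, str] = {}          # scope -> title of the policy that owns it
    org_level: Dict[str, int] = {}            # parent -> number of unscoped policies
    for p in policies:
        label = p.get("title") or "<untitled>"
        parent = p.get("parent", "")
        if not PARENT_RE.match(parent):
            problems.append(f"{label}: parent must be organizations/{{organization_id}}")
        if not p.get("title"):
            problems.append(f"{label}: title is required")
        scopes = p.get("scopes") or []
        if len(scopes) > 1:
            problems.append(f"{label}: a policy may have only a single scope")
        if not scopes:
            org_level[parent] = org_level.get(parent, 0) + 1
        for s in scopes:
            if not SCOPE_RE.match(s):
                problems.append(f"{label}: scope {s!r} must be folders/<number> or projects/<number>")
            elif s in seen_scopes:
                problems.append(f"{label}: scope {s} already used by {seen_scopes[s]}")
            else:
                seen_scopes[s] = label
    for parent, n in org_level.items():
        if n > 1:
            problems.append(f"{parent}: more than one organization-level (unscoped) policy")
    return problems


def build_patch(current: Dict, desired: Dict) -> Tuple[Dict, str]:
    """Diff the current policy against the desired one.

    Returns the patch body and the comma-separated updateMask for it.  Any
    attempt to change an immutable field is rejected up front, because the
    API will not accept it either; the policy has to be deleted and recreated.
    """
    for f in IMMUTABLE:
        if f in desired and desired[f] != current.get(f):
            raise ValueError(f"{f} cannot be changed after creation; delete and recreate the policy")
    body: Dict = {}
    changed: List[str] = []
    for f in MUTABLE:
        if f in desired and desired[f] != current.get(f):
            body[f] = desired[f]
            changed.append(f)
    return body, ",".join(changed)


if __name__ == "__main__":
    # Constructed sample manifest: one org-level policy and one scoped to a folder.
    manifest = [
        {"parent": "organizations/123", "title": "Org policy", "scopes": []},
        {"parent": "organizations/123", "title": "Dev folder", "scopes": ["folders/456"]},
    ]
    print("problems:", validate_new_policies(manifest))
    current = {"name": "accessPolicies/1", "parent": "organizations/123",
               "title": "Dev folder", "scopes": ["folders/456"]}
    print("patch:", build_patch(current, {"title": "Development folder"}))
```

`build_patch` returns the body and mask as a pair so the caller can map them straight onto `data__title` and `updateMask` in the UPDATE statement; an empty mask means there is nothing to send.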
DELETE examples
- delete
Deletes an access policy based on the resource name. The long-running operation has a successful status after the access policy is removed from long-lasting storage.
DELETE FROM google.accesscontextmanager.access_policies
WHERE accessPoliciesId = '{{ accessPoliciesId }}'; -- required