authz_policies
Creates, updates, deletes, gets or lists an `authz_policies` resource.
Overview
Name | authz_policies |
---|---|
Type | Resource |
Id | google.networksecurity.authz_policies |
Fields
The following fields are returned by SELECT queries:
- projects_locations_authz_policies_get
- projects_locations_authz_policies_list
Successful response
Name | Datatype | Description |
---|---|---|
name | string | Required. Identifier. Name of the `AuthzPolicy` resource in the following format: `projects/{project}/locations/{location}/authzPolicies/{authz_policy}`. |
action | string | Required. Can be one of `ALLOW`, `DENY`, `CUSTOM`. When the action is `CUSTOM`, `customProvider` must be specified. When the action is `ALLOW`, only requests matching the policy will be allowed. When the action is `DENY`, only requests matching the policy will be denied. When a request arrives, the policies are evaluated in the following order: 1. If there is a `CUSTOM` policy that matches the request, the `CUSTOM` policy is evaluated using the custom authorization providers and the request is denied if the provider rejects the request. 2. If there are any `DENY` policies that match the request, the request is denied. 3. If there are no `ALLOW` policies for the resource or if any of the `ALLOW` policies match the request, the request is allowed. 4. Else the request is denied by default if none of the configured AuthzPolicies with `ALLOW` action match the request. |
createTime | string (google-datetime) | Output only. The timestamp when the resource was created. |
customProvider | object | Optional. Required if the action is `CUSTOM`. Allows delegating authorization decisions to Cloud IAP or to Service Extensions. One of `cloudIap` or `authzExtension` must be specified. (id: AuthzPolicyCustomProvider) |
description | string | Optional. A human-readable description of the resource. |
httpRules | array | Optional. A list of authorization HTTP rules to match against the incoming request. A policy match occurs when at least one HTTP rule matches the request or when no HTTP rules are specified in the policy. At least one HTTP rule is required for the `ALLOW` or `DENY` action. Limited to 5 rules. |
labels | object | Optional. Set of labels associated with the `AuthzPolicy` resource. The format must comply with [the following requirements](https://cloud.google.com/compute/docs/labeling-resources#requirements). |
target | object | Required. Specifies the set of resources to which this policy should be applied. (id: AuthzPolicyTarget) |
updateTime | string (google-datetime) | Output only. The timestamp when the resource was updated. |
Methods
The following methods are available for this resource:
Name | Accessible by | Required Params | Optional Params | Description |
---|---|---|---|---|
projects_locations_authz_policies_get | select | projectsId, locationsId, authzPoliciesId | | Gets details of a single AuthzPolicy. |
projects_locations_authz_policies_list | select | projectsId, locationsId | pageSize, pageToken, filter, orderBy | Lists AuthzPolicies in a given project and location. |
projects_locations_authz_policies_create | insert | projectsId, locationsId | authzPolicyId, requestId | Creates a new AuthzPolicy in a given project and location. |
projects_locations_authz_policies_patch | update | projectsId, locationsId, authzPoliciesId | updateMask, requestId | Updates the parameters of a single AuthzPolicy. |
projects_locations_authz_policies_delete | delete | projectsId, locationsId, authzPoliciesId | requestId | Deletes a single AuthzPolicy. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
Name | Datatype | Description |
---|---|---|
authzPoliciesId | string | |
locationsId | string | |
projectsId | string | |
authzPolicyId | string | |
filter | string | |
orderBy | string | |
pageSize | integer (int32) | |
pageToken | string | |
requestId | string | |
updateMask | string (google-fieldmask) | |
SELECT examples
- projects_locations_authz_policies_get
- projects_locations_authz_policies_list
Gets details of a single AuthzPolicy.
```sql
SELECT
name,
action,
createTime,
customProvider,
description,
httpRules,
labels,
target,
updateTime
FROM google.networksecurity.authz_policies
WHERE projectsId = '{{ projectsId }}' -- required
AND locationsId = '{{ locationsId }}' -- required
AND authzPoliciesId = '{{ authzPoliciesId }}'; -- required
```
Lists AuthzPolicies in a given project and location.
```sql
SELECT
name,
action,
createTime,
customProvider,
description,
httpRules,
labels,
target,
updateTime
FROM google.networksecurity.authz_policies
WHERE projectsId = '{{ projectsId }}' -- required
AND locationsId = '{{ locationsId }}' -- required
AND pageSize = '{{ pageSize }}'
AND pageToken = '{{ pageToken }}'
AND filter = '{{ filter }}'
AND orderBy = '{{ orderBy }}';
```
INSERT examples
- projects_locations_authz_policies_create
- Manifest
Creates a new AuthzPolicy in a given project and location.
```sql
INSERT INTO google.networksecurity.authz_policies (
data__name,
data__description,
data__labels,
data__target,
data__httpRules,
data__action,
data__customProvider,
projectsId,
locationsId,
authzPolicyId,
requestId
)
SELECT
'{{ name }}',
'{{ description }}',
'{{ labels }}',
'{{ target }}',
'{{ httpRules }}',
'{{ action }}',
'{{ customProvider }}',
'{{ projectsId }}',
'{{ locationsId }}',
'{{ authzPolicyId }}',
'{{ requestId }}'
RETURNING
name,
done,
error,
metadata,
response
;
```
```yaml
# Description fields are for documentation purposes
- name: authz_policies
  props:
    - name: projectsId
      value: string
      description: Required parameter for the authz_policies resource.
    - name: locationsId
      value: string
      description: Required parameter for the authz_policies resource.
    - name: name
      value: string
      description: >
        Required. Identifier. Name of the `AuthzPolicy` resource in the following format: `projects/{project}/locations/{location}/authzPolicies/{authz_policy}`.
    - name: description
      value: string
      description: >
        Optional. A human-readable description of the resource.
    - name: labels
      value: object
      description: >
        Optional. Set of labels associated with the `AuthzPolicy` resource. The format must comply with [the following requirements](https://cloud.google.com/compute/docs/labeling-resources#requirements).
    - name: target
      value: object
      description: >
        Required. Specifies the set of resources to which this policy should be applied.
    - name: httpRules
      value: array
      description: >
        Optional. A list of authorization HTTP rules to match against the incoming request. A policy match occurs when at least one HTTP rule matches the request or when no HTTP rules are specified in the policy. At least one HTTP rule is required for the `ALLOW` or `DENY` action. Limited to 5 rules.
    - name: action
      value: string
      description: >
        Required. Can be one of `ALLOW`, `DENY`, `CUSTOM`. When the action is `CUSTOM`, `customProvider` must be specified. When the action is `ALLOW`, only requests matching the policy will be allowed. When the action is `DENY`, only requests matching the policy will be denied. When a request arrives, the policies are evaluated in the following order: 1. If there is a `CUSTOM` policy that matches the request, the `CUSTOM` policy is evaluated using the custom authorization providers and the request is denied if the provider rejects the request. 2. If there are any `DENY` policies that match the request, the request is denied. 3. If there are no `ALLOW` policies for the resource or if any of the `ALLOW` policies match the request, the request is allowed. 4. Else the request is denied by default if none of the configured AuthzPolicies with `ALLOW` action match the request.
      valid_values: ['AUTHZ_ACTION_UNSPECIFIED', 'ALLOW', 'DENY', 'CUSTOM']
    - name: customProvider
      value: object
      description: >
        Optional. Required if the action is `CUSTOM`. Allows delegating authorization decisions to Cloud IAP or to Service Extensions. One of `cloudIap` or `authzExtension` must be specified.
    - name: authzPolicyId
      value: string
    - name: requestId
      value: string
```
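The four-step evaluation order given for the `action` field (and repeated in the manifest above) is easy to misread, in particular step 3: a target with no `ALLOW` policies at all admits every request that survives the `CUSTOM` and `DENY` checks, while the moment one `ALLOW` policy exists, anything it does not match is denied by default. The Python model below is an added illustration, not StackQL or Google code; `Request`, the rule shape (`method` plus `path_prefix`) and the `provider` callable are constructed stand-ins for the real `httpRules` and `customProvider` schemas.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Callable, Optional

Request = namedtuple("Request", "method path")  # constructed stand-in for an HTTP request

@dataclass
class AuthzPolicy:
    name: str
    action: str                                   # ALLOW, DENY or CUSTOM
    http_rules: list = field(default_factory=list)  # constructed rule shape: {"method": "GET", "path_prefix": "/api/"}
    provider: Optional[Callable[[Request], bool]] = None  # stand-in for cloudIap / authzExtension (CUSTOM only)

    def __post_init__(self):
        # Constraints stated in the field descriptions above.
        if self.action not in ("ALLOW", "DENY", "CUSTOM"):
            raise ValueError(f"{self.name}: unknown action {self.action!r}")
        if self.action != "CUSTOM" and not self.http_rules:
            raise ValueError(f"{self.name}: ALLOW/DENY needs at least one HTTP rule")
        if self.action == "CUSTOM" and self.provider is None:
            raise ValueError(f"{self.name}: CUSTOM needs a customProvider")

    def matches(self, req: Request) -> bool:
        # A policy matches when any of its rules matches, or when it has no rules.
        if not self.http_rules:
            return True
        return any(r.get("method") in (None, req.method)
                   and req.path.startswith(r.get("path_prefix", "/"))
                   for r in self.http_rules)

def evaluate(policies: list, req: Request) -> str:
    """Return 'ALLOW' or 'DENY', following the documented four-step order."""
    # 1. A matching CUSTOM policy defers to its provider; rejection denies outright.
    for p in policies:
        if p.action == "CUSTOM" and p.matches(req) and not p.provider(req):
            return "DENY"
    # 2. Any matching DENY policy denies.
    if any(p.action == "DENY" and p.matches(req) for p in policies):
        return "DENY"
    # 3. Allowed if the target has no ALLOW policies at all, or one of them matches.
    allows = [p for p in policies if p.action == "ALLOW"]
    if not allows or any(p.matches(req) for p in allows):
        return "ALLOW"
    # 4. ALLOW policies exist but none matched: default deny.
    return "DENY"

SAMPLE = [  # constructed policy set: a broad DENY beside one narrow ALLOW
    AuthzPolicy("deny-admin", "DENY", [{"path_prefix": "/admin/"}]),
    AuthzPolicy("allow-api-get", "ALLOW", [{"method": "GET", "path_prefix": "/api/"}]),
]
```

Running `evaluate(SAMPLE[:1], Request("POST", "/api/users"))` returns `ALLOW` while `evaluate(SAMPLE, ...)` returns `DENY` for the same request, which is the behavioural change to expect when the first `ALLOW` policy is attached to a target.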
UPDATE examples
- projects_locations_authz_policies_patch
Updates the parameters of a single AuthzPolicy.
```sql
UPDATE google.networksecurity.authz_policies
SET
data__name = '{{ name }}',
data__description = '{{ description }}',
data__labels = '{{ labels }}',
data__target = '{{ target }}',
data__httpRules = '{{ httpRules }}',
data__action = '{{ action }}',
data__customProvider = '{{ customProvider }}'
WHERE
projectsId = '{{ projectsId }}' -- required
AND locationsId = '{{ locationsId }}' -- required
AND authzPoliciesId = '{{ authzPoliciesId }}' -- required
AND updateMask = '{{ updateMask }}'
AND requestId = '{{ requestId }}'
RETURNING
name,
done,
error,
metadata,
response;
```
DELETE examples
- projects_locations_authz_policies_delete
Deletes a single AuthzPolicy.
```sql
DELETE FROM google.networksecurity.authz_policies
WHERE projectsId = '{{ projectsId }}' -- required
AND locationsId = '{{ locationsId }}' -- required
AND authzPoliciesId = '{{ authzPoliciesId }}' -- required
AND requestId = '{{ requestId }}';
```