
buckets_iam_policies

Creates, updates, deletes, gets or lists a buckets_iam_policies resource.

Overview

Name: buckets_iam_policies
Type: Resource
Id: google.storage.buckets_iam_policies

Fields

The following fields are returned by SELECT queries:

Successful response

| Name | Datatype | Description |
| --- | --- | --- |
| condition | object | The condition that is associated with this binding. NOTE: an unsatisfied condition will not allow user access via the current binding. Different bindings, including their conditions, are examined independently. (id: Expr) |
| members | array | A collection of identifiers for members who may assume the provided role. The recognized identifiers are listed below. |
| role | string | The role to which members belong. Two types of roles are supported: new IAM roles, which grant permissions that do not map directly to those provided by ACLs, and legacy IAM roles, which do map directly to ACL permissions. All roles are of the format roles/storage.specificRole. Both lists are given below. |

Recognized member identifiers:

- allUsers: a special identifier that represents anyone on the internet, with or without a Google account.
- allAuthenticatedUsers: a special identifier that represents anyone who is authenticated with a Google account or a service account.
- user:emailid: an email address that represents a specific account. For example, user:alice@gmail.com or user:joe@example.com.
- serviceAccount:emailid: an email address that represents a service account. For example, serviceAccount:my-other-app@appspot.gserviceaccount.com.
- group:emailid: an email address that represents a Google group. For example, group:admins@example.com.
- domain:domain: a Google Apps domain name that represents all the users of that domain. For example, domain:google.com or domain:example.com.
- projectOwner:projectid: owners of the given project. For example, projectOwner:my-example-project.
- projectEditor:projectid: editors of the given project. For example, projectEditor:my-example-project.
- projectViewer:projectid: viewers of the given project. For example, projectViewer:my-example-project.

New IAM roles:

- roles/storage.admin: full control of Google Cloud Storage resources.
- roles/storage.objectViewer: read-only access to Google Cloud Storage objects.
- roles/storage.objectCreator: access to create objects in Google Cloud Storage.
- roles/storage.objectAdmin: full control of Google Cloud Storage objects.

Legacy IAM roles:

- roles/storage.legacyObjectReader: read-only access to objects without listing. Equivalent to an ACL entry on an object with the READER role.
- roles/storage.legacyObjectOwner: read/write access to existing objects without listing. Equivalent to an ACL entry on an object with the OWNER role.
- roles/storage.legacyBucketReader: read access to buckets with object listing. Equivalent to an ACL entry on a bucket with the READER role.
- roles/storage.legacyBucketWriter: read access to buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the WRITER role.
- roles/storage.legacyBucketOwner: read and write access to existing buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the OWNER role.

Methods

The following methods are available for this resource:

| Name | Accessible by | Required Params | Optional Params | Description |
| --- | --- | --- | --- | --- |
| get_iam_policy | select | bucket | optionsRequestedPolicyVersion, userProject | Returns an IAM policy for the specified bucket. |
| set_iam_policy | replace | bucket | userProject | Updates an IAM policy for the specified bucket. |
| test_iam_permissions | exec | bucket, permissions | userProject | Tests a set of permissions on the given bucket to see which, if any, are held by the caller. |

Parameters

Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.

| Name | Datatype | Description |
| --- | --- | --- |
| bucket | string | Name of the bucket whose IAM policy is read, updated or tested. |
| permissions | string | Permissions to test against the bucket (test_iam_permissions). |
| optionsRequestedPolicyVersion | integer (int32) | The IAM policy format version to be returned by get_iam_policy. |
| userProject | string | The project to be billed for this request. |

SELECT examples

Returns an IAM policy for the specified bucket.

SELECT
condition,
members,
role
FROM google.storage.buckets_iam_policies
WHERE bucket = '{{ bucket }}' -- required
AND optionsRequestedPolicyVersion = '{{ optionsRequestedPolicyVersion }}'
AND userProject = '{{ userProject }}';

REPLACE examples

Updates an IAM policy for the specified bucket.

REPLACE google.storage.buckets_iam_policies
SET
data__bindings = '{{ bindings }}',
data__etag = '{{ etag }}',
data__kind = '{{ kind }}',
data__resourceId = '{{ resourceId }}',
data__version = {{ version }}
WHERE
bucket = '{{ bucket }}' -- required
AND userProject = '{{ userProject }}'
RETURNING
bindings,
etag,
kind,
resourceId,
version;
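The two statements above combine into a read-then-write audit of a bucket's policy. The following is an added example, not from the StackQL documentation: it lists bindings that expose the bucket to allUsers or allAuthenticatedUsers (the identifiers documented under Fields), then rewrites the policy without them. It assumes a StackQL session authenticated to Google Cloud, a placeholder bucket named example-bucket, placeholder principals, and that the members array is returned serialized as text so that LIKE can match it.

```sql
-- Step 1 (audit): bindings that grant a role to anyone on the internet
-- (allUsers) or to any Google-authenticated identity (allAuthenticatedUsers).
-- Policy version 3 is requested so that bindings carrying a condition are
-- returned instead of causing the request to fail.
-- Assumption: the members array is serialized to text, so LIKE matches it.
SELECT
  role,
  members,
  condition
FROM google.storage.buckets_iam_policies
WHERE bucket = 'example-bucket'            -- constructed placeholder
  AND optionsRequestedPolicyVersion = '3'
  AND (members LIKE '%allUsers%'
       OR members LIKE '%allAuthenticatedUsers%');

-- Step 2 (remediate): set_iam_policy replaces the whole policy, so
-- data__bindings must carry every binding to keep, not only the changed one.
-- data__etag is the etag of the policy as last read; the API rejects the
-- write if the policy changed in between, which prevents a lost update.
REPLACE google.storage.buckets_iam_policies
SET
  data__bindings = '[
    {"role": "roles/storage.admin",
     "members": ["group:storage-admins@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:reader@example-project.iam.gserviceaccount.com"]}
  ]',                                       -- constructed placeholder principals
  data__etag = 'ETAG_FROM_LAST_READ',       -- placeholder: copy from the policy read
  data__kind = 'storage#policy',
  data__resourceId = 'projects/_/buckets/example-bucket',
  data__version = 3
WHERE
  bucket = 'example-bucket'
RETURNING
  bindings,
  etag,
  version;
```

Run step 1 on its own first; only when its result set is empty after step 2 has the public binding actually been removed.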

Lifecycle Methods

Tests a set of permissions on the given bucket to see which, if any, are held by the caller.

EXEC google.storage.buckets_iam_policies.test_iam_permissions
@bucket='{{ bucket }}', -- required
@permissions='{{ permissions }}', -- required
@userProject='{{ userProject }}';