Class Policy.Builder

java.lang.Object
com.google.protobuf.AbstractMessageLite.Builder<MessageType,BuilderType>
com.google.protobuf.GeneratedMessageLite.Builder<Policy,Policy.Builder>
com.google.iam.v1.Policy.Builder
All Implemented Interfaces:
PolicyOrBuilder, com.google.protobuf.MessageLite.Builder, com.google.protobuf.MessageLiteOrBuilder, Cloneable
Enclosing class:
Policy

public static final class Policy.Builder extends com.google.protobuf.GeneratedMessageLite.Builder<Policy,Policy.Builder> implements PolicyOrBuilder
 An Identity and Access Management (IAM) policy, which specifies access
 controls for Google Cloud resources.


 A `Policy` is a collection of `bindings`. A `binding` binds one or more
 `members`, or principals, to a single `role`. Principals can be user
 accounts, service accounts, Google groups, and domains (such as G Suite). A
 `role` is a named list of permissions; each `role` can be an IAM predefined
 role or a user-created custom role.

 For some types of Google Cloud resources, a `binding` can also specify a
 `condition`, which is a logical expression that allows access to a resource
 only if the expression evaluates to `true`. A condition can add constraints
 based on attributes of the request, the resource, or both. To learn which
 resources support conditions in their IAM policies, see the
 [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

 **JSON example:**

 ```
 {
   "bindings": [
     {
       "role": "roles/resourcemanager.organizationAdmin",
       "members": [
         "user:mike@example.com",
         "group:admins@example.com",
         "domain:google.com",
         "serviceAccount:my-project-id@appspot.gserviceaccount.com"
       ]
     },
     {
       "role": "roles/resourcemanager.organizationViewer",
       "members": [
         "user:eve@example.com"
       ],
       "condition": {
         "title": "expirable access",
         "description": "Does not grant access after Sep 2020",
         "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')"
       }
     }
   ],
   "etag": "BwWWja0YfJA=",
   "version": 3
 }
 ```

 **YAML example:**

 ```
 bindings:
 - members:
   - user:mike@example.com
   - group:admins@example.com
   - domain:google.com
   - serviceAccount:my-project-id@appspot.gserviceaccount.com
   role: roles/resourcemanager.organizationAdmin
 - members:
   - user:eve@example.com
   role: roles/resourcemanager.organizationViewer
   condition:
     title: expirable access
     description: Does not grant access after Sep 2020
     expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
 etag: BwWWja0YfJA=
 version: 3
 ```

 For a description of IAM and its features, see the
 [IAM documentation](https://cloud.google.com/iam/docs/).
 
Protobuf type google.iam.v1.Policy
  • Method Details

    • getVersion

      public int getVersion()
       Specifies the format of the policy.
      
       Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
       are rejected.
      
       Any operation that affects conditional role bindings must specify version
       `3`. This requirement applies to the following operations:
      
       * Getting a policy that includes a conditional role binding
       * Adding a conditional role binding to a policy
       * Changing a conditional role binding in a policy
       * Removing any role binding, with or without a condition, from a policy
       that includes conditions
      
       **Important:** If you use IAM Conditions, you must include the `etag` field
       whenever you call `setIamPolicy`. If you omit this field, then IAM allows
       you to overwrite a version `3` policy with a version `1` policy, and all of
       the conditions in the version `3` policy are lost.
      
       If a policy does not include any conditions, operations on that policy may
       specify any valid version or leave the field unset.
      
       To learn which resources support conditions in their IAM policies, see the
       [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
       
      int32 version = 1 [json_name = "version"];
      Specified by:
      getVersion in interface PolicyOrBuilder
      Returns:
      The version.
    • setVersion

      public Policy.Builder setVersion(int value)
       Specifies the format of the policy.
      
       Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
       are rejected.
      
       Any operation that affects conditional role bindings must specify version
       `3`. This requirement applies to the following operations:
      
       * Getting a policy that includes a conditional role binding
       * Adding a conditional role binding to a policy
       * Changing a conditional role binding in a policy
       * Removing any role binding, with or without a condition, from a policy
       that includes conditions
      
       **Important:** If you use IAM Conditions, you must include the `etag` field
       whenever you call `setIamPolicy`. If you omit this field, then IAM allows
       you to overwrite a version `3` policy with a version `1` policy, and all of
       the conditions in the version `3` policy are lost.
      
       If a policy does not include any conditions, operations on that policy may
       specify any valid version or leave the field unset.
      
       To learn which resources support conditions in their IAM policies, see the
       [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
       
      int32 version = 1 [json_name = "version"];
      Parameters:
      value - The version to set.
      Returns:
      This builder for chaining.
    • clearVersion

      public Policy.Builder clearVersion()
       Specifies the format of the policy.
      
       Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
       are rejected.
      
       Any operation that affects conditional role bindings must specify version
       `3`. This requirement applies to the following operations:
      
       * Getting a policy that includes a conditional role binding
       * Adding a conditional role binding to a policy
       * Changing a conditional role binding in a policy
       * Removing any role binding, with or without a condition, from a policy
       that includes conditions
      
       **Important:** If you use IAM Conditions, you must include the `etag` field
       whenever you call `setIamPolicy`. If you omit this field, then IAM allows
       you to overwrite a version `3` policy with a version `1` policy, and all of
       the conditions in the version `3` policy are lost.
      
       If a policy does not include any conditions, operations on that policy may
       specify any valid version or leave the field unset.
      
       To learn which resources support conditions in their IAM policies, see the
       [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
       
      int32 version = 1 [json_name = "version"];
      Returns:
      This builder for chaining.
    • getBindingsList

      public List<Binding> getBindingsList()
       Associates a list of `members`, or principals, with a `role`. Optionally,
       may specify a `condition` that determines how and when the `bindings` are
       applied. Each of the `bindings` must contain at least one principal.
      
       The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
       of these principals can be Google groups. Each occurrence of a principal
       counts towards these limits. For example, if the `bindings` grant 50
       different roles to `user:alice@example.com`, and not to any other
       principal, then you can add another 1,450 principals to the `bindings` in
       the `Policy`.
       
      repeated .google.iam.v1.Binding bindings = 4 [json_name = "bindings"];
      Specified by:
      getBindingsList in interface PolicyOrBuilder
    • getBindingsCount

      public int getBindingsCount()
       Associates a list of `members`, or principals, with a `role`. Optionally,
       may specify a `condition` that determines how and when the `bindings` are
       applied. Each of the `bindings` must contain at least one principal.
      
       The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
       of these principals can be Google groups. Each occurrence of a principal
       counts towards these limits. For example, if the `bindings` grant 50
       different roles to `user:alice@example.com`, and not to any other
       principal, then you can add another 1,450 principals to the `bindings` in
       the `Policy`.
       
      repeated .google.iam.v1.Binding bindings = 4 [json_name = "bindings"];
      Specified by:
      getBindingsCount in interface PolicyOrBuilder
    • getBindings

      public Binding getBindings(int index)
       Associates a list of `members`, or principals, with a `role`. Optionally,
       may specify a `condition` that determines how and when the `bindings` are
       applied. Each of the `bindings` must contain at least one principal.
      
       The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
       of these principals can be Google groups. Each occurrence of a principal
       counts towards these limits. For example, if the `bindings` grant 50
       different roles to `user:alice@example.com`, and not to any other
       principal, then you can add another 1,450 principals to the `bindings` in
       the `Policy`.
       
      repeated .google.iam.v1.Binding bindings = 4 [json_name = "bindings"];
      Specified by:
      getBindings in interface PolicyOrBuilder
    • setBindings

      public Policy.Builder setBindings(int index, Binding value)
       Associates a list of `members`, or principals, with a `role`. Optionally,
       may specify a `condition` that determines how and when the `bindings` are
       applied. Each of the `bindings` must contain at least one principal.
      
       The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
       of these principals can be Google groups. Each occurrence of a principal
       counts towards these limits. For example, if the `bindings` grant 50
       different roles to `user:alice@example.com`, and not to any other
       principal, then you can add another 1,450 principals to the `bindings` in
       the `Policy`.
       
      repeated .google.iam.v1.Binding bindings = 4 [json_name = "bindings"];
    • setBindings

      public Policy.Builder setBindings(int index, Binding.Builder builderForValue)
       Associates a list of `members`, or principals, with a `role`. Optionally,
       may specify a `condition` that determines how and when the `bindings` are
       applied. Each of the `bindings` must contain at least one principal.
      
       The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
       of these principals can be Google groups. Each occurrence of a principal
       counts towards these limits. For example, if the `bindings` grant 50
       different roles to `user:alice@example.com`, and not to any other
       principal, then you can add another 1,450 principals to the `bindings` in
       the `Policy`.
       
      repeated .google.iam.v1.Binding bindings = 4 [json_name = "bindings"];
    • addBindings

      public Policy.Builder addBindings(Binding value)
       Associates a list of `members`, or principals, with a `role`. Optionally,
       may specify a `condition` that determines how and when the `bindings` are
       applied. Each of the `bindings` must contain at least one principal.
      
       The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
       of these principals can be Google groups. Each occurrence of a principal
       counts towards these limits. For example, if the `bindings` grant 50
       different roles to `user:alice@example.com`, and not to any other
       principal, then you can add another 1,450 principals to the `bindings` in
       the `Policy`.
       
      repeated .google.iam.v1.Binding bindings = 4 [json_name = "bindings"];
    • addBindings

      public Policy.Builder addBindings(int index, Binding value)
       Associates a list of `members`, or principals, with a `role`. Optionally,
       may specify a `condition` that determines how and when the `bindings` are
       applied. Each of the `bindings` must contain at least one principal.
      
       The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
       of these principals can be Google groups. Each occurrence of a principal
       counts towards these limits. For example, if the `bindings` grant 50
       different roles to `user:alice@example.com`, and not to any other
       principal, then you can add another 1,450 principals to the `bindings` in
       the `Policy`.
       
      repeated .google.iam.v1.Binding bindings = 4 [json_name = "bindings"];
    • addBindings

      public Policy.Builder addBindings(Binding.Builder builderForValue)
       Associates a list of `members`, or principals, with a `role`. Optionally,
       may specify a `condition` that determines how and when the `bindings` are
       applied. Each of the `bindings` must contain at least one principal.
      
       The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
       of these principals can be Google groups. Each occurrence of a principal
       counts towards these limits. For example, if the `bindings` grant 50
       different roles to `user:alice@example.com`, and not to any other
       principal, then you can add another 1,450 principals to the `bindings` in
       the `Policy`.
       
      repeated .google.iam.v1.Binding bindings = 4 [json_name = "bindings"];
    • addBindings

      public Policy.Builder addBindings(int index, Binding.Builder builderForValue)
       Associates a list of `members`, or principals, with a `role`. Optionally,
       may specify a `condition` that determines how and when the `bindings` are
       applied. Each of the `bindings` must contain at least one principal.
      
       The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
       of these principals can be Google groups. Each occurrence of a principal
       counts towards these limits. For example, if the `bindings` grant 50
       different roles to `user:alice@example.com`, and not to any other
       principal, then you can add another 1,450 principals to the `bindings` in
       the `Policy`.
       
      repeated .google.iam.v1.Binding bindings = 4 [json_name = "bindings"];
    • addAllBindings

      public Policy.Builder addAllBindings(Iterable<? extends Binding> values)
       Associates a list of `members`, or principals, with a `role`. Optionally,
       may specify a `condition` that determines how and when the `bindings` are
       applied. Each of the `bindings` must contain at least one principal.
      
       The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
       of these principals can be Google groups. Each occurrence of a principal
       counts towards these limits. For example, if the `bindings` grant 50
       different roles to `user:alice@example.com`, and not to any other
       principal, then you can add another 1,450 principals to the `bindings` in
       the `Policy`.
       
      repeated .google.iam.v1.Binding bindings = 4 [json_name = "bindings"];
    • clearBindings

      public Policy.Builder clearBindings()
       Associates a list of `members`, or principals, with a `role`. Optionally,
       may specify a `condition` that determines how and when the `bindings` are
       applied. Each of the `bindings` must contain at least one principal.
      
       The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
       of these principals can be Google groups. Each occurrence of a principal
       counts towards these limits. For example, if the `bindings` grant 50
       different roles to `user:alice@example.com`, and not to any other
       principal, then you can add another 1,450 principals to the `bindings` in
       the `Policy`.
       
      repeated .google.iam.v1.Binding bindings = 4 [json_name = "bindings"];
    • removeBindings

      public Policy.Builder removeBindings(int index)
       Associates a list of `members`, or principals, with a `role`. Optionally,
       may specify a `condition` that determines how and when the `bindings` are
       applied. Each of the `bindings` must contain at least one principal.
      
       The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
       of these principals can be Google groups. Each occurrence of a principal
       counts towards these limits. For example, if the `bindings` grant 50
       different roles to `user:alice@example.com`, and not to any other
       principal, then you can add another 1,450 principals to the `bindings` in
       the `Policy`.
       
      repeated .google.iam.v1.Binding bindings = 4 [json_name = "bindings"];
    • getAuditConfigsList

      public List<AuditConfig> getAuditConfigsList()
       Specifies cloud audit logging configuration for this policy.
       
      repeated .google.iam.v1.AuditConfig audit_configs = 6 [json_name = "auditConfigs"];
      Specified by:
      getAuditConfigsList in interface PolicyOrBuilder
    • getAuditConfigsCount

      public int getAuditConfigsCount()
       Specifies cloud audit logging configuration for this policy.
       
      repeated .google.iam.v1.AuditConfig audit_configs = 6 [json_name = "auditConfigs"];
      Specified by:
      getAuditConfigsCount in interface PolicyOrBuilder
    • getAuditConfigs

      public AuditConfig getAuditConfigs(int index)
       Specifies cloud audit logging configuration for this policy.
       
      repeated .google.iam.v1.AuditConfig audit_configs = 6 [json_name = "auditConfigs"];
      Specified by:
      getAuditConfigs in interface PolicyOrBuilder
    • setAuditConfigs

      public Policy.Builder setAuditConfigs(int index, AuditConfig value)
       Specifies cloud audit logging configuration for this policy.
       
      repeated .google.iam.v1.AuditConfig audit_configs = 6 [json_name = "auditConfigs"];
    • setAuditConfigs

      public Policy.Builder setAuditConfigs(int index, AuditConfig.Builder builderForValue)
       Specifies cloud audit logging configuration for this policy.
       
      repeated .google.iam.v1.AuditConfig audit_configs = 6 [json_name = "auditConfigs"];
    • addAuditConfigs

      public Policy.Builder addAuditConfigs(AuditConfig value)
       Specifies cloud audit logging configuration for this policy.
       
      repeated .google.iam.v1.AuditConfig audit_configs = 6 [json_name = "auditConfigs"];
    • addAuditConfigs

      public Policy.Builder addAuditConfigs(int index, AuditConfig value)
       Specifies cloud audit logging configuration for this policy.
       
      repeated .google.iam.v1.AuditConfig audit_configs = 6 [json_name = "auditConfigs"];
    • addAuditConfigs

      public Policy.Builder addAuditConfigs(AuditConfig.Builder builderForValue)
       Specifies cloud audit logging configuration for this policy.
       
      repeated .google.iam.v1.AuditConfig audit_configs = 6 [json_name = "auditConfigs"];
    • addAuditConfigs

      public Policy.Builder addAuditConfigs(int index, AuditConfig.Builder builderForValue)
       Specifies cloud audit logging configuration for this policy.
       
      repeated .google.iam.v1.AuditConfig audit_configs = 6 [json_name = "auditConfigs"];
    • addAllAuditConfigs

      public Policy.Builder addAllAuditConfigs(Iterable<? extends AuditConfig> values)
       Specifies cloud audit logging configuration for this policy.
       
      repeated .google.iam.v1.AuditConfig audit_configs = 6 [json_name = "auditConfigs"];
    • clearAuditConfigs

      public Policy.Builder clearAuditConfigs()
       Specifies cloud audit logging configuration for this policy.
       
      repeated .google.iam.v1.AuditConfig audit_configs = 6 [json_name = "auditConfigs"];
    • removeAuditConfigs

      public Policy.Builder removeAuditConfigs(int index)
       Specifies cloud audit logging configuration for this policy.
       
      repeated .google.iam.v1.AuditConfig audit_configs = 6 [json_name = "auditConfigs"];
    • getEtag

      public com.google.protobuf.ByteString getEtag()
       `etag` is used for optimistic concurrency control as a way to help
       prevent simultaneous updates of a policy from overwriting each other.
       It is strongly suggested that systems make use of the `etag` in the
       read-modify-write cycle to perform policy updates in order to avoid race
       conditions: An `etag` is returned in the response to `getIamPolicy`, and
       systems are expected to put that etag in the request to `setIamPolicy` to
       ensure that their change will be applied to the same version of the policy.
      
       **Important:** If you use IAM Conditions, you must include the `etag` field
       whenever you call `setIamPolicy`. If you omit this field, then IAM allows
       you to overwrite a version `3` policy with a version `1` policy, and all of
       the conditions in the version `3` policy are lost.
       
      bytes etag = 3 [json_name = "etag"];
      Specified by:
      getEtag in interface PolicyOrBuilder
      Returns:
      The etag.
    • setEtag

      public Policy.Builder setEtag(com.google.protobuf.ByteString value)
       `etag` is used for optimistic concurrency control as a way to help
       prevent simultaneous updates of a policy from overwriting each other.
       It is strongly suggested that systems make use of the `etag` in the
       read-modify-write cycle to perform policy updates in order to avoid race
       conditions: An `etag` is returned in the response to `getIamPolicy`, and
       systems are expected to put that etag in the request to `setIamPolicy` to
       ensure that their change will be applied to the same version of the policy.
      
       **Important:** If you use IAM Conditions, you must include the `etag` field
       whenever you call `setIamPolicy`. If you omit this field, then IAM allows
       you to overwrite a version `3` policy with a version `1` policy, and all of
       the conditions in the version `3` policy are lost.
       
      bytes etag = 3 [json_name = "etag"];
      Parameters:
      value - The etag to set.
      Returns:
      This builder for chaining.
    • clearEtag

      public Policy.Builder clearEtag()
       `etag` is used for optimistic concurrency control as a way to help
       prevent simultaneous updates of a policy from overwriting each other.
       It is strongly suggested that systems make use of the `etag` in the
       read-modify-write cycle to perform policy updates in order to avoid race
       conditions: An `etag` is returned in the response to `getIamPolicy`, and
       systems are expected to put that etag in the request to `setIamPolicy` to
       ensure that their change will be applied to the same version of the policy.
      
       **Important:** If you use IAM Conditions, you must include the `etag` field
       whenever you call `setIamPolicy`. If you omit this field, then IAM allows
       you to overwrite a version `3` policy with a version `1` policy, and all of
       the conditions in the version `3` policy are lost.
       
      bytes etag = 3 [json_name = "etag"];
      Returns:
      This builder for chaining.
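
The `version` and `etag` notes above combine into one read-modify-write pattern. The following is an added example, not code from the library or its documentation: it derives the `setIamPolicy` payload from the policy that was read and rejects a payload whose etag is missing or whose version would drop conditions. The class name `SafePolicyUpdate`, its helper methods and the sample etag are assumptions made for illustration; the `getIamPolicy` and `setIamPolicy` calls themselves are not shown.

```java
import com.google.iam.v1.Binding;
import com.google.iam.v1.Policy;
import com.google.protobuf.ByteString;
import com.google.type.Expr;

// Added example; class and method names are hypothetical, not part of the library.
public final class SafePolicyUpdate {

  /** True if any binding in the policy carries a condition. */
  static boolean hasConditions(Policy policy) {
    for (Binding binding : policy.getBindingsList()) {
      if (binding.hasCondition()) {
        return true;
      }
    }
    return false;
  }

  /** Derives the setIamPolicy payload from the policy that getIamPolicy returned. */
  static Policy addConditionalBinding(Policy read, String role, String member, Expr condition) {
    Binding binding =
        Binding.newBuilder().setRole(role).addMembers(member).setCondition(condition).build();
    // toBuilder() keeps the etag and the existing bindings of the policy that was read.
    return read.toBuilder().addBindings(binding).setVersion(3).build();
  }

  /** Rejects an outgoing policy that could silently drop conditions or race another writer. */
  static void checkBeforeSet(Policy read, Policy outgoing) {
    if (outgoing.getEtag().isEmpty() || !outgoing.getEtag().equals(read.getEtag())) {
      throw new IllegalStateException("etag missing or not the one returned by getIamPolicy");
    }
    boolean conditional = hasConditions(read) || hasConditions(outgoing);
    if (conditional && outgoing.getVersion() != 3) {
      throw new IllegalStateException("conditional role bindings require version 3");
    }
  }

  public static void main(String[] args) {
    // Constructed sample standing in for a getIamPolicy response.
    Policy read = Policy.newBuilder()
        .setVersion(1)
        .setEtag(ByteString.copyFromUtf8("constructed-etag"))
        .addBindings(Binding.newBuilder()
            .setRole("roles/resourcemanager.organizationAdmin")
            .addMembers("group:admins@example.com"))
        .build();
    Expr expiry = Expr.newBuilder()
        .setTitle("expirable access")
        .setDescription("Does not grant access after Sep 2020")
        .setExpression("request.time < timestamp('2020-10-01T00:00:00.000Z')")
        .build();

    Policy outgoing = addConditionalBinding(
        read, "roles/resourcemanager.organizationViewer", "user:eve@example.com", expiry);
    checkBeforeSet(read, outgoing); // same etag as the read, version 3

    // The failure mode from the "Important" note: etag cleared, version downgraded.
    Policy unsafe = outgoing.toBuilder().clearEtag().setVersion(1).build();
    try {
      checkBeforeSet(read, unsafe);
    } catch (IllegalStateException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```

Compiling this requires the protobuf runtime and the generated `com.google.iam.v1` and `com.google.type` classes on the classpath.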