Class Policy

java.lang.Object
com.google.protobuf.AbstractMessageLite<MessageType,BuilderType>
com.google.protobuf.GeneratedMessageLite<Policy,Policy.Builder>
com.google.iam.v1.Policy
All Implemented Interfaces:
PolicyOrBuilder, com.google.protobuf.MessageLite, com.google.protobuf.MessageLiteOrBuilder

public final class Policy extends com.google.protobuf.GeneratedMessageLite<Policy,Policy.Builder> implements PolicyOrBuilder
 An Identity and Access Management (IAM) policy, which specifies access
 controls for Google Cloud resources.


 A `Policy` is a collection of `bindings`. A `binding` binds one or more
 `members`, or principals, to a single `role`. Principals can be user
 accounts, service accounts, Google groups, and domains (such as G Suite). A
 `role` is a named list of permissions; each `role` can be an IAM predefined
 role or a user-created custom role.

 For some types of Google Cloud resources, a `binding` can also specify a
 `condition`, which is a logical expression that allows access to a resource
 only if the expression evaluates to `true`. A condition can add constraints
 based on attributes of the request, the resource, or both. To learn which
 resources support conditions in their IAM policies, see the
 [IAM
 documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

 **JSON example:**

 ```
 {
   "bindings": [
     {
       "role": "roles/resourcemanager.organizationAdmin",
       "members": [
         "user:mike@example.com",
         "group:admins@example.com",
         "domain:google.com",
         "serviceAccount:my-project-id@appspot.gserviceaccount.com"
       ]
     },
     {
       "role": "roles/resourcemanager.organizationViewer",
       "members": [
         "user:eve@example.com"
       ],
       "condition": {
         "title": "expirable access",
         "description": "Does not grant access after Sep 2020",
         "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')"
       }
     }
   ],
   "etag": "BwWWja0YfJA=",
   "version": 3
 }
 ```

 **YAML example:**

 ```
 bindings:
 - members:
   - user:mike@example.com
   - group:admins@example.com
   - domain:google.com
   - serviceAccount:my-project-id@appspot.gserviceaccount.com
   role: roles/resourcemanager.organizationAdmin
 - members:
   - user:eve@example.com
   role: roles/resourcemanager.organizationViewer
   condition:
     title: expirable access
     description: Does not grant access after Sep 2020
     expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
 etag: BwWWja0YfJA=
 version: 3
 ```

 For a description of IAM and its features, see the
 [IAM documentation](https://cloud.google.com/iam/docs/).
 
Protobuf type google.iam.v1.Policy
  • Nested Class Summary

    Nested Classes
    Modifier and Type
    Class
    Description
    static final class 
    An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources.

    Nested classes/interfaces inherited from class com.google.protobuf.GeneratedMessageLite

    com.google.protobuf.GeneratedMessageLite.DefaultInstanceBasedParser<T extends com.google.protobuf.GeneratedMessageLite<T,?>>, com.google.protobuf.GeneratedMessageLite.ExtendableBuilder<MessageType extends com.google.protobuf.GeneratedMessageLite.ExtendableMessage<MessageType,BuilderType>,BuilderType extends com.google.protobuf.GeneratedMessageLite.ExtendableBuilder<MessageType,BuilderType>>, com.google.protobuf.GeneratedMessageLite.ExtendableMessage<MessageType extends com.google.protobuf.GeneratedMessageLite.ExtendableMessage<MessageType,BuilderType>,BuilderType extends com.google.protobuf.GeneratedMessageLite.ExtendableBuilder<MessageType,BuilderType>>, com.google.protobuf.GeneratedMessageLite.ExtendableMessageOrBuilder<MessageType extends com.google.protobuf.GeneratedMessageLite.ExtendableMessage<MessageType,BuilderType>,BuilderType extends com.google.protobuf.GeneratedMessageLite.ExtendableBuilder<MessageType,BuilderType>>, com.google.protobuf.GeneratedMessageLite.GeneratedExtension<ContainingType extends com.google.protobuf.MessageLite,Type extends Object>, com.google.protobuf.GeneratedMessageLite.MethodToInvoke, com.google.protobuf.GeneratedMessageLite.SerializedForm

    Nested classes/interfaces inherited from class com.google.protobuf.AbstractMessageLite

    com.google.protobuf.AbstractMessageLite.InternalOneOfEnum
  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    static final int
     
    static final int
     
    static final int
     
    static final int
     

    Fields inherited from class com.google.protobuf.GeneratedMessageLite

    unknownFields

    Fields inherited from class com.google.protobuf.AbstractMessageLite

    memoizedHashCode
  • Method Summary

    Modifier and Type
    Method
    Description
    protected final Object
    dynamicMethod(com.google.protobuf.GeneratedMessageLite.MethodToInvoke method, Object arg0, Object arg1)
     
    getAuditConfigs(int index)
    Specifies cloud audit logging configuration for this policy.
    int
    Specifies cloud audit logging configuration for this policy.
    Specifies cloud audit logging configuration for this policy.
    Specifies cloud audit logging configuration for this policy.
    Specifies cloud audit logging configuration for this policy.
    getBindings(int index)
    Associates a list of `members`, or principals, with a `role`.
    int
    Associates a list of `members`, or principals, with a `role`.
    Associates a list of `members`, or principals, with a `role`.
    Associates a list of `members`, or principals, with a `role`.
    Associates a list of `members`, or principals, with a `role`.
    static Policy
     
    com.google.protobuf.ByteString
    `etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other.
    int
    Specifies the format of the policy.
     
    newBuilder(Policy prototype)
     
    static Policy
     
    static Policy
    parseDelimitedFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
     
    static Policy
    parseFrom(byte[] data)
     
    static Policy
    parseFrom(byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
     
    static Policy
    parseFrom(com.google.protobuf.ByteString data)
     
    static Policy
    parseFrom(com.google.protobuf.ByteString data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
     
    static Policy
    parseFrom(com.google.protobuf.CodedInputStream input)
     
    static Policy
    parseFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
     
    static Policy
     
    static Policy
    parseFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
     
    static Policy
     
    static Policy
    parseFrom(ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
     
    static com.google.protobuf.Parser<Policy>
     

    Methods inherited from class com.google.protobuf.GeneratedMessageLite

    createBuilder, createBuilder, dynamicMethod, dynamicMethod, emptyBooleanList, emptyDoubleList, emptyFloatList, emptyIntList, emptyLongList, emptyProtobufList, equals, getDefaultInstanceForType, getParserForType, getSerializedSize, hashCode, isInitialized, isInitialized, makeImmutable, mergeLengthDelimitedField, mergeUnknownFields, mergeVarintField, mutableCopy, mutableCopy, mutableCopy, mutableCopy, mutableCopy, mutableCopy, newBuilderForType, newMessageInfo, newRepeatedGeneratedExtension, newSingularGeneratedExtension, parseDelimitedFrom, parseDelimitedFrom, parseFrom, parseFrom, parseFrom, parseFrom, parseFrom, parseFrom, parseFrom, parseFrom, parseFrom, parseFrom, parsePartialFrom, parseUnknownField, registerDefaultInstance, toBuilder, toString, writeTo

    Methods inherited from class com.google.protobuf.AbstractMessageLite

    addAll, checkByteStringIsUtf8, toByteArray, toByteString, writeDelimitedTo, writeTo

    Methods inherited from class java.lang.Object

    clone, finalize, getClass, notify, notifyAll, wait, wait, wait

    Methods inherited from interface com.google.protobuf.MessageLiteOrBuilder

    getDefaultInstanceForType, isInitialized
  • Field Details

  • Method Details

    • getVersion

      public int getVersion()
       Specifies the format of the policy.
      
       Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
       are rejected.
      
       Any operation that affects conditional role bindings must specify version
       `3`. This requirement applies to the following operations:
      
       * Getting a policy that includes a conditional role binding
       * Adding a conditional role binding to a policy
       * Changing a conditional role binding in a policy
       * Removing any role binding, with or without a condition, from a policy
       that includes conditions
      
       **Important:** If you use IAM Conditions, you must include the `etag` field
       whenever you call `setIamPolicy`. If you omit this field, then IAM allows
       you to overwrite a version `3` policy with a version `1` policy, and all of
       the conditions in the version `3` policy are lost.
      
       If a policy does not include any conditions, operations on that policy may
       specify any valid version or leave the field unset.
      
       To learn which resources support conditions in their IAM policies, see the
       [IAM
       documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
       
      int32 version = 1 [json_name = "version"];
      Specified by:
      getVersion in interface PolicyOrBuilder
      Returns:
      The version.
    • getBindingsList

      public List<Binding> getBindingsList()
       Associates a list of `members`, or principals, with a `role`. Optionally,
       may specify a `condition` that determines how and when the `bindings` are
       applied. Each of the `bindings` must contain at least one principal.
      
       The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
       of these principals can be Google groups. Each occurrence of a principal
       counts towards these limits. For example, if the `bindings` grant 50
       different roles to `user:alice@example.com`, and not to any other
       principal, then you can add another 1,450 principals to the `bindings` in
       the `Policy`.
       
      repeated .google.iam.v1.Binding bindings = 4 [json_name = "bindings"];
      Specified by:
      getBindingsList in interface PolicyOrBuilder
    • getBindingsOrBuilderList

      public List<? extends BindingOrBuilder> getBindingsOrBuilderList()
       Associates a list of `members`, or principals, with a `role`. Optionally,
       may specify a `condition` that determines how and when the `bindings` are
       applied. Each of the `bindings` must contain at least one principal.
      
       The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
       of these principals can be Google groups. Each occurrence of a principal
       counts towards these limits. For example, if the `bindings` grant 50
       different roles to `user:alice@example.com`, and not to any other
       principal, then you can add another 1,450 principals to the `bindings` in
       the `Policy`.
       
      repeated .google.iam.v1.Binding bindings = 4 [json_name = "bindings"];
    • getBindingsCount

      public int getBindingsCount()
       Associates a list of `members`, or principals, with a `role`. Optionally,
       may specify a `condition` that determines how and when the `bindings` are
       applied. Each of the `bindings` must contain at least one principal.
      
       The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
       of these principals can be Google groups. Each occurrence of a principal
       counts towards these limits. For example, if the `bindings` grant 50
       different roles to `user:alice@example.com`, and not to any other
       principal, then you can add another 1,450 principals to the `bindings` in
       the `Policy`.
       
      repeated .google.iam.v1.Binding bindings = 4 [json_name = "bindings"];
      Specified by:
      getBindingsCount in interface PolicyOrBuilder
    • getBindings

      public Binding getBindings(int index)
       Associates a list of `members`, or principals, with a `role`. Optionally,
       may specify a `condition` that determines how and when the `bindings` are
       applied. Each of the `bindings` must contain at least one principal.
      
       The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
       of these principals can be Google groups. Each occurrence of a principal
       counts towards these limits. For example, if the `bindings` grant 50
       different roles to `user:alice@example.com`, and not to any other
       principal, then you can add another 1,450 principals to the `bindings` in
       the `Policy`.
       
      repeated .google.iam.v1.Binding bindings = 4 [json_name = "bindings"];
      Specified by:
      getBindings in interface PolicyOrBuilder
    • getBindingsOrBuilder

      public BindingOrBuilder getBindingsOrBuilder(int index)
       Associates a list of `members`, or principals, with a `role`. Optionally,
       may specify a `condition` that determines how and when the `bindings` are
       applied. Each of the `bindings` must contain at least one principal.
      
       The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
       of these principals can be Google groups. Each occurrence of a principal
       counts towards these limits. For example, if the `bindings` grant 50
       different roles to `user:alice@example.com`, and not to any other
       principal, then you can add another 1,450 principals to the `bindings` in
       the `Policy`.
       
      repeated .google.iam.v1.Binding bindings = 4 [json_name = "bindings"];
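
The limits described for the `bindings` accessors above (1,500 principals, 250 of them Google groups, every occurrence counted, at least one principal per binding) can be checked before a policy is written. This is an added example, not code from the library; the class `BindingBudget`, its methods and the `roles/constructed.role*` names are hypothetical, and groups are recognised by the `group:` prefix used in the class-level examples.

```java
import com.google.iam.v1.Binding;
import com.google.iam.v1.Policy;
import java.util.ArrayList;
import java.util.List;

/** Added example, not library code: checks a Policy against the documented binding limits. */
public final class BindingBudget {
  static final int MAX_PRINCIPALS = 1500; // limit quoted in the description above
  static final int MAX_GROUPS = 250;      // share of that limit usable by Google groups

  /** Returns {principal occurrences, group occurrences}; repeats are counted every time. */
  static int[] usage(Policy policy) {
    int total = 0;
    int groups = 0;
    for (Binding b : policy.getBindingsList()) {
      for (String member : b.getMembersList()) {
        total++;
        if (member.startsWith("group:")) {
          groups++;
        }
      }
    }
    return new int[] {total, groups};
  }

  /** Problems that would make the policy invalid; an empty list means it fits. */
  static List<String> check(Policy policy) {
    List<String> problems = new ArrayList<>();
    for (Binding b : policy.getBindingsList()) {
      if (b.getMembersCount() == 0) {
        problems.add("binding for " + b.getRole() + " has no principal");
      }
    }
    int[] used = usage(policy);
    if (used[0] > MAX_PRINCIPALS) {
      problems.add(used[0] + " principal occurrences exceed " + MAX_PRINCIPALS);
    }
    if (used[1] > MAX_GROUPS) {
      problems.add(used[1] + " group occurrences exceed " + MAX_GROUPS);
    }
    return problems;
  }

  public static void main(String[] args) {
    // Constructed sample: 50 roles granted to one user, as in the description's example.
    Policy.Builder builder = Policy.newBuilder();
    for (int i = 0; i < 50; i++) {
      builder.addBindings(Binding.newBuilder()
          .setRole("roles/constructed.role" + i) // placeholder role names
          .addMembers("user:alice@example.com"));
    }
    Policy policy = builder.build();
    int[] used = usage(policy);
    System.out.println("used=" + used[0] + " groups=" + used[1]
        + " remaining=" + (MAX_PRINCIPALS - used[0])); // headroom for further principals
    System.out.println("problems=" + check(policy));
  }
}
```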
    • getAuditConfigsList

      public List<AuditConfig> getAuditConfigsList()
       Specifies cloud audit logging configuration for this policy.
       
      repeated .google.iam.v1.AuditConfig audit_configs = 6 [json_name = "auditConfigs"];
      Specified by:
      getAuditConfigsList in interface PolicyOrBuilder
    • getAuditConfigsOrBuilderList

      public List<? extends AuditConfigOrBuilder> getAuditConfigsOrBuilderList()
       Specifies cloud audit logging configuration for this policy.
       
      repeated .google.iam.v1.AuditConfig audit_configs = 6 [json_name = "auditConfigs"];
    • getAuditConfigsCount

      public int getAuditConfigsCount()
       Specifies cloud audit logging configuration for this policy.
       
      repeated .google.iam.v1.AuditConfig audit_configs = 6 [json_name = "auditConfigs"];
      Specified by:
      getAuditConfigsCount in interface PolicyOrBuilder
    • getAuditConfigs

      public AuditConfig getAuditConfigs(int index)
       Specifies cloud audit logging configuration for this policy.
       
      repeated .google.iam.v1.AuditConfig audit_configs = 6 [json_name = "auditConfigs"];
      Specified by:
      getAuditConfigs in interface PolicyOrBuilder
    • getAuditConfigsOrBuilder

      public AuditConfigOrBuilder getAuditConfigsOrBuilder(int index)
       Specifies cloud audit logging configuration for this policy.
       
      repeated .google.iam.v1.AuditConfig audit_configs = 6 [json_name = "auditConfigs"];
    • getEtag

      public com.google.protobuf.ByteString getEtag()
       `etag` is used for optimistic concurrency control as a way to help
       prevent simultaneous updates of a policy from overwriting each other.
       It is strongly suggested that systems make use of the `etag` in the
       read-modify-write cycle to perform policy updates in order to avoid race
       conditions: An `etag` is returned in the response to `getIamPolicy`, and
       systems are expected to put that etag in the request to `setIamPolicy` to
       ensure that their change will be applied to the same version of the policy.
      
       **Important:** If you use IAM Conditions, you must include the `etag` field
       whenever you call `setIamPolicy`. If you omit this field, then IAM allows
       you to overwrite a version `3` policy with a version `1` policy, and all of
       the conditions in the version `3` policy are lost.
       
      bytes etag = 3 [json_name = "etag"];
      Specified by:
      getEtag in interface PolicyOrBuilder
      Returns:
      The etag.
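
The `getVersion` and `getEtag` notes above both warn that a write without the `etag` can replace a version `3` policy with a version `1` policy and drop its conditions. This added example (not code from the library) checks the policy about to be sent to `setIamPolicy` against the one that was read; the class `SetIamPolicyPreflight` and its methods are hypothetical, and the sample policies are constructed from the class-level JSON example.

```java
import com.google.iam.v1.Binding;
import com.google.iam.v1.Policy;
import com.google.protobuf.ByteString;
import com.google.type.Expr;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

/** Added example, not library code: checks a Policy before it is sent to setIamPolicy. */
public final class SetIamPolicyPreflight {
  static boolean hasConditions(Policy policy) {
    return policy.getBindingsList().stream().anyMatch(Binding::hasCondition);
  }

  /** Compares the policy read via getIamPolicy with the one about to be written. */
  static List<String> check(Policy read, Policy toWrite) {
    List<String> problems = new ArrayList<>();
    int version = toWrite.getVersion();
    if (version != 0 && version != 1 && version != 3) {
      problems.add("invalid version " + version);
    }
    if (toWrite.getEtag().isEmpty()) {
      problems.add("etag missing: the write is not tied to the policy that was read");
    } else if (!toWrite.getEtag().equals(read.getEtag())) {
      problems.add("etag differs from the one returned with the policy that was read");
    }
    // Any change to a policy that has, or gains, conditional bindings must use version 3.
    if ((hasConditions(read) || hasConditions(toWrite)) && version != 3) {
      problems.add("conditional bindings involved but version is " + version);
    }
    return problems;
  }

  public static void main(String[] args) {
    // Constructed sample mirroring the conditional binding in the class-level JSON example.
    Policy read = Policy.newBuilder()
        .setVersion(3)
        .setEtag(ByteString.copyFrom(Base64.getDecoder().decode("BwWWja0YfJA=")))
        .addBindings(Binding.newBuilder()
            .setRole("roles/resourcemanager.organizationViewer")
            .addMembers("user:eve@example.com")
            .setCondition(Expr.newBuilder()
                .setTitle("expirable access")
                .setExpression("request.time < timestamp('2020-10-01T00:00:00.000Z')")))
        .build();
    Binding admin = Binding.newBuilder()
        .setRole("roles/resourcemanager.organizationAdmin")
        .addMembers("user:mike@example.com")
        .build();
    // Rebuilt from scratch: no etag, version 1, conditional binding dropped.
    Policy rebuilt = Policy.newBuilder().setVersion(1).addBindings(admin).build();
    // Derived from the read policy: etag, version 3 and existing bindings carried over.
    Policy derived = read.toBuilder().addBindings(admin).build();
    System.out.println("rebuilt: " + check(read, rebuilt));
    System.out.println("derived: " + check(read, derived));
  }
}
```

Deriving the new policy with `toBuilder()` from the one that was read keeps the `etag` and `version` fields intact, which is why the second check reports no problems.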
    • parseFrom

      public static Policy parseFrom(ByteBuffer data) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException
    • parseFrom

      public static Policy parseFrom(ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException
    • parseFrom

      public static Policy parseFrom(com.google.protobuf.ByteString data) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException
    • parseFrom

      public static Policy parseFrom(com.google.protobuf.ByteString data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException
    • parseFrom

      public static Policy parseFrom(byte[] data) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException
    • parseFrom

      public static Policy parseFrom(byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException
    • parseFrom

      public static Policy parseFrom(InputStream input) throws IOException
      Throws:
      IOException
    • parseFrom

      public static Policy parseFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Throws:
      IOException
    • parseDelimitedFrom

      public static Policy parseDelimitedFrom(InputStream input) throws IOException
      Throws:
      IOException
    • parseDelimitedFrom

      public static Policy parseDelimitedFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Throws:
      IOException
    • parseFrom

      public static Policy parseFrom(com.google.protobuf.CodedInputStream input) throws IOException
      Throws:
      IOException
    • parseFrom

      public static Policy parseFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Throws:
      IOException
    • newBuilder

      public static Policy.Builder newBuilder()
    • newBuilder

      public static Policy.Builder newBuilder(Policy prototype)
    • dynamicMethod

      protected final Object dynamicMethod(com.google.protobuf.GeneratedMessageLite.MethodToInvoke method, Object arg0, Object arg1)
      Specified by:
      dynamicMethod in class com.google.protobuf.GeneratedMessageLite<Policy,Policy.Builder>
    • getDefaultInstance

      public static Policy getDefaultInstance()
    • parser

      public static com.google.protobuf.Parser<Policy> parser()