This page describes how to manage an existing access policy. You can do the following:
Get the name and etag of an access policy
Console
The Google Cloud console does not support managing
access policies. If you want to manage your access policy, you must
use the gcloud
command-line tool or the API.
gcloud
To get the name of your access policy, use the list
command. The access policy name is required for all access level commands
for the gcloud
command-line tool.
gcloud access-context-manager policies list \ --organization ORGANIZATION_ID
Where:
- ORGANIZATION_ID is the numeric ID of your organization.
You should see output similar to:
NAME ORGANIZATION TITLE ETAG 1034095178592 511928527926 Corp Policy 10bc3c76ca809ab2
API
To get the name of your access policy, call accessPolicies.list
.
GET https://accesscontextmanager.googleapis.com/v1/accessPolicies
Request body
The request body must be empty.
Response body
If successful, the response body will look similar to:
{ "accessPolicies": [ { object(AccessPolicy) } ], "nextPageToken": string }
Where:
accessPolicies
is a list ofAccessPolicy
objects.
Set the default access policy for the gcloud
command-line tool
When using the gcloud
command-line tool, you can set a default access policy. When
you set a default policy, you no longer need to specify a policy each time you
use an Access Context Manager command.
To set a default access policy, use the config
command.
gcloud config set access_context_manager/policy POLICY_NAME
Where:
- POLICY_NAME is the numeric name of your access policy.
Delegate an access policy
Console
The Google Cloud console does not support managing
access policies. If you want to manage your access policy, you must
use the gcloud
command-line tool or the API.
gcloud
To delegate administration by binding a principal and role with a scoped access policy, use the add-iam-policy-binding
command.
gcloud access-context-manager policies add-iam-policy-binding \ [POLICY] --member=PRINCIPAL --role=ROLE
Where:
POLICY is ID of the policy or fully qualified identifier for the policy.
PRINCIPAL is the principal to add the binding for. Specify in the following format:
user|group|serviceAccount:email
ordomain:domain
.ROLE is the role name to assign to the principal. The role name is the complete path of a predefined role, such as
roles/accesscontextmanager.policyEditor
, or the role ID for a custom role, such asorganizations/{ORGANIZATION_ID}/roles/accesscontextmanager.policyEditor
.
API
To delegate administration of the scoped access policy, do the following:
Create a request body.
{ "policy": "IAM_POLICY", }
Where:
- IAM_POLICY is a collection of bindings. A binding binds one or more members, or principals, to a single role. Principals can be user accounts, service accounts, Google groups, and domains. A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role.
Delegate the access policy by calling
accessPolicies.setIamPolicy
.POST https://accesscontextmanager.googleapis.com/v1/accessPolicies
Response body
If successful, the response body contains an instance of policy
.
Describe an access policy
Console
The Google Cloud console does not support managing
access policies. If you want to manage your access policy, you must
use the gcloud
command-line tool or the API.
gcloud
To describe your access policy, use the describe
command.
gcloud access-context-manager policies describe POLICY_NAME
Where:
- POLICY_NAME is the numeric name of your policy.
The following output appears:
name: accessPolicies/1034095178592 parent: organizations/511928527926 title: Corp Policy
API
To describe your access policy, call accessPolicies.get
GET https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME
Where:
- POLICY_NAME is the numeric name of your policy.
Request body
The request body must be empty.
Response body
If successful, the response body contains an
AccessPolicy
object.
Update an access policy
Console
The Google Cloud console does not support managing
access policies. If you want to manage your access policy, you must
use the gcloud
command-line tool or the API.
gcloud
To update your access policy, use the update
command. Currently, you can change only the title of the policy.
gcloud access-context-manager policies update POLICY_NAME \ --title=POLICY_TITLE
Where:
POLICY_NAME is the numeric name of your policy.
POLICY_TITLE is a human-readable title for your policy.
The following output appears:
Waiting for PATCH operation [accessPolicies/POLICY_NAME/update/1542234231134882]...done.
API
Currently, you can change only the title of your access policy.
To update your policy:
Create a request body.
{ "parent": "ORGANIZATION_ID", "title": "POLICY_TITLE" }
Where:
ORGANIZATION_ID is the numeric ID of your organization.
POLICY_TITLE is a human-readable title for your policy.
Call
accessPolicies.patch
.PATCH https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME/UPDATE_MASK
Where:
POLICY_NAME is the numeric name of your policy.
UPDATE_MASK is a string that represents the value you want to update. For example,
title
.
Response body
If successful, the response body for the call contains an
Operation
resource that provides details about thePATCH
operation.
Delete an access policy
Console
The Google Cloud console does not currently support managing
access policies. If you want to manage your access policy, you must
use the gcloud
command-line tool or the API.
gcloud
To delete an access policy:
Use the
delete
command.gcloud access-context-manager policies delete POLICY_NAME
Where:
- POLICY_NAME is the numeric name of your policy.
Confirm that you want to delete the access policy.
For example:
You are about to delete policy [POLICY_NAME] Do you want to continue (Y/n)?
The following output appears:
Deleted policy [1034095178592].
API
To delete your access policy, call accessPolicies.delete
.
DELETE https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME
Where:
- POLICY_NAME is the numeric name of your policy.
Request body
The request body must be empty.
Response body
If successful, the response body for the call contains an
Operation
resource that provides details about the
DELETE
operation.