Manage an access policy

This page describes how to manage an existing access policy. You can do the following:

Get the name and etag of an access policy

Console

The Google Cloud console does not support managing access policies. If you want to manage your access policy, you must use the gcloud command-line tool or the API.

gcloud

To get the name of your access policy, use the list command. The access policy name is required for all access level commands for the gcloud command-line tool.

gcloud access-context-manager policies list \
    --organization ORGANIZATION_ID

Where:

  • ORGANIZATION_ID is the numeric ID of your organization.

You should see output similar to:

NAME           ORGANIZATION  TITLE        ETAG
1034095178592  511928527926  Corp Policy  10bc3c76ca809ab2

API

To get the name of your access policy, call accessPolicies.list.

GET https://accesscontextmanager.googleapis.com/v1/accessPolicies

Request body

The request body must be empty.

Response body

If successful, the response body will look similar to:

{
  "accessPolicies": [
    {
      object(AccessPolicy)
    }
  ],
  "nextPageToken": string
}

Where:

Set the default access policy for the gcloud command-line tool

When using the gcloud command-line tool, you can set a default access policy. When you set a default policy, you no longer need to specify a policy each time you use an Access Context Manager command.

To set a default access policy, use the config command.

gcloud config set access_context_manager/policy POLICY_NAME

Where:

Delegate an access policy

Console

The Google Cloud console does not support managing access policies. If you want to manage your access policy, you must use the gcloud command-line tool or the API.

gcloud

To delegate administration by binding a principal and role with a scoped access policy, use the add-iam-policy-binding command.

gcloud access-context-manager policies add-iam-policy-binding \
[POLICY] --member=PRINCIPAL --role=ROLE

Where:

  • POLICY is ID of the policy or fully qualified identifier for the policy.

  • PRINCIPAL is the principal to add the binding for. Specify in the following format: user|group|serviceAccount:email or domain:domain.

  • ROLE is the role name to assign to the principal. The role name is the complete path of a predefined role, such as roles/accesscontextmanager.policyEditor, or the role ID for a custom role, such as organizations/{ORGANIZATION_ID}/roles/accesscontextmanager.policyEditor.

API

To delegate administration of the scoped access policy, do the following:

  1. Create a request body.

    {
    "policy": "IAM_POLICY",
    }

    Where:

    • IAM_POLICY is a collection of bindings. A binding binds one or more members, or principals, to a single role. Principals can be user accounts, service accounts, Google groups, and domains. A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role.
  2. Delegate the access policy by calling accessPolicies.setIamPolicy.

    POST https://accesscontextmanager.googleapis.com/v1/accessPolicies
    

Response body

If successful, the response body contains an instance of policy.

Describe an access policy

Console

The Google Cloud console does not support managing access policies. If you want to manage your access policy, you must use the gcloud command-line tool or the API.

gcloud

To describe your access policy, use the describe command.

gcloud access-context-manager policies describe POLICY_NAME

Where:

  • POLICY_NAME is the numeric name of your policy.

The following output appears:

name: accessPolicies/1034095178592
parent: organizations/511928527926
title: Corp Policy

API

To describe your access policy, call accessPolicies.get

GET https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME

Where:

  • POLICY_NAME is the numeric name of your policy.

Request body

The request body must be empty.

Response body

If successful, the response body contains an AccessPolicy object.

Update an access policy

Console

The Google Cloud console does not support managing access policies. If you want to manage your access policy, you must use the gcloud command-line tool or the API.

gcloud

To update your access policy, use the update command. Currently, you can change only the title of the policy.

gcloud access-context-manager policies update POLICY_NAME \
    --title=POLICY_TITLE

Where:

  • POLICY_NAME is the numeric name of your policy.

  • POLICY_TITLE is a human-readable title for your policy.

The following output appears:

Waiting for PATCH operation [accessPolicies/POLICY_NAME/update/1542234231134882]...done.

API

Currently, you can change only the title of your access policy.

To update your policy:

  1. Create a request body.

    {
     "parent": "ORGANIZATION_ID",
     "title": "POLICY_TITLE"
    }

    Where:

    • ORGANIZATION_ID is the numeric ID of your organization.

    • POLICY_TITLE is a human-readable title for your policy.

  2. Call accessPolicies.patch.

    PATCH https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME/UPDATE_MASK
    

    Where:

    • POLICY_NAME is the numeric name of your policy.

    • UPDATE_MASK is a string that represents the value you want to update. For example, title.

    Response body

    If successful, the response body for the call contains an Operation resource that provides details about the PATCH operation.

Delete an access policy

Console

The Google Cloud console does not currently support managing access policies. If you want to manage your access policy, you must use the gcloud command-line tool or the API.

gcloud

To delete an access policy:

  1. Use the delete command.

    gcloud access-context-manager policies delete POLICY_NAME

    Where:

    • POLICY_NAME is the numeric name of your policy.
  2. Confirm that you want to delete the access policy.

    For example:

    You are about to delete policy [POLICY_NAME]
    
    Do you want to continue (Y/n)?
    

    The following output appears:

    Deleted policy [1034095178592].
    

API

To delete your access policy, call accessPolicies.delete.

DELETE https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME

Where:

  • POLICY_NAME is the numeric name of your policy.

Request body

The request body must be empty.

Response body

If successful, the response body for the call contains an Operation resource that provides details about the DELETE operation.

What's next