gcp iam condition - ghdrako/doc_snipets GitHub Wiki
An allow policy is a collection of bindings.
A binding binds one or more members (principals) to a single role.
Principals can be user accounts, service accounts, Google groups, and domains (such as Google Workspace, formerly G Suite, domains).
A role is a named list of permissions; each role is either an IAM predefined role or a user-created custom role.
For some types of Google Cloud resources a binding can also specify a condition: the role is then granted to the principals only while the condition's expression evaluates to true for the request.
Conditions
"bindings": [
{
"role": ...,
"members": ...,
"condition": ...
},
...
]
"condition": {
"title": ...,
"description": ...,
"expression": ...
}
The title is required, the description is optional, and the expression is written in Common Expression Language (CEL) over request and resource attributes.
Fetching the current policy (note that it is returned as version 1 because it contains no conditions):
gcloud projects get-iam-policy project-id --format json > file-path
{
"bindings": [
{
"members": [
"user:[email protected]"
],
"role": "roles/owner"
},
{
"members": [
"user:[email protected]"
],
"role": "roles/iam.securityReviewer"
}
],
"etag": "BwWKmjvelug=",
"version": 1
}
After adding a condition to the securityReviewer binding (the etag is kept as returned, and the version is raised to 3 because the policy now contains a condition):
{
"bindings": [
{
"members": [
"user:[email protected]"
],
"role": "roles/owner"
},
{
"members": [
"user:[email protected]"
],
"role": "roles/iam.securityReviewer",
"condition": {
"title": "Expires_2019",
"description": "Expires at noon on 2019-12-31",
"expression":
"request.time < timestamp('2019-12-31T12:00:00Z')"
}
}
],
"etag": "BwWKmjvelug=",
"version": 3
}
Writing the edited policy back (set-iam-policy sends the etag from the file, so the write fails instead of overwriting if the live policy changed in the meantime):
gcloud projects set-iam-policy project-id file-path
Allow policies can use the following allow policy versions:
| Version | Description |
|---|---|
| 1 | The first version of the IAM syntax schema for policies. Supports binding one role to one or more principals. Does not support conditional role bindings. |
| 2 | Reserved for internal use. |
| 3 | Introduces the condition field in the role binding, which constrains the role binding via context-based and attribute-based rules. For more information, see the overview of IAM Conditions. |
Important: If you use IAM Conditions, always specify allow policy version 3, and always include the etag field when you use a client library or the REST API to set an allow policy. If you omit the etag field, IAM allows you to overwrite a version 3 allow policy with a version 1 allow policy, which deletes all of the conditions from the allow policy. The same applies when reading: requests for policies with any conditional role bindings must specify version 3 (`options.requestedPolicyVersion` in the REST API; gcloud does this for you).
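The get / edit / set round trip above, together with the two pitfalls from the Important note (wrong version, missing etag), as an added example in Python. This is not gcloud or IAM API code; it works on the JSON file that `gcloud projects get-iam-policy ... --format json` writes and that `gcloud projects set-iam-policy` reads back. The policy document and the principal names are constructed to mirror the page's example, the etag value is illustrative, and `expires_at` understands only the single `request.time < timestamp('...')` pattern used on this page, not CEL in general. (For a one-off change, `gcloud projects add-iam-policy-binding` also accepts a `--condition=expression=...,title=...,description=...` flag and handles the version and etag itself.)

```python
"""Attach an IAM Condition to a binding in an exported allow policy and
sanity-check the result before it is written back with set-iam-policy.

Added example for this wiki page; not part of gcloud or the IAM API.
Policy content, principals and etag below are constructed."""
import copy
import json
import re
from datetime import datetime, timezone

# Constructed sample: the version-1 policy returned by get-iam-policy.
POLICY_V1 = json.loads("""
{
  "bindings": [
    {"members": ["user:[email protected]"], "role": "roles/owner"},
    {"members": ["user:[email protected]"], "role": "roles/iam.securityReviewer"}
  ],
  "etag": "BwWKmjvelug=",
  "version": 1
}
""")

# The condition from the page: access ends at noon UTC on 2019-12-31.
EXPIRES_2019 = {
    "title": "Expires_2019",
    "description": "Expires at noon on 2019-12-31",
    "expression": "request.time < timestamp('2019-12-31T12:00:00Z')",
}


def attach_condition(policy, role, member, condition):
    """Return a copy of `policy` where `member`'s grant of `role` is conditional.

    The member is removed from any unconditional binding for the role (an
    unconditional binding would otherwise keep granting the role regardless
    of the condition), a conditional binding is appended, and the version is
    raised to 3. The etag is carried over unchanged so set-iam-policy can
    detect concurrent modification."""
    new = copy.deepcopy(policy)
    for b in new["bindings"]:
        if b["role"] == role and "condition" not in b and member in b["members"]:
            b["members"].remove(member)
    new["bindings"] = [b for b in new["bindings"] if b["members"]]
    new["bindings"].append({"role": role, "members": [member], "condition": dict(condition)})
    new["version"] = max(new.get("version", 1), 3)
    return new


def check_before_set(policy):
    """Raise ValueError for the mistakes that silently drop conditions."""
    has_condition = any("condition" in b for b in policy["bindings"])
    if has_condition and policy.get("version") != 3:
        raise ValueError("policy has conditions but version is not 3")
    if not policy.get("etag"):
        raise ValueError("missing etag: set would blindly overwrite the live policy")
    for b in policy["bindings"]:
        c = b.get("condition")
        if c is not None and not (c.get("title") and c.get("expression")):
            raise ValueError("a condition needs a title and an expression")
    return True


_EXPIRY = re.compile(r"^request\.time < timestamp\('([^']+)'\)$")


def expires_at(expression):
    """Parse the page's expiry pattern into an aware datetime (assumption:
    only this one CEL shape is supported; anything else raises)."""
    m = _EXPIRY.match(expression.strip())
    if not m:
        raise ValueError("unsupported condition expression: " + expression)
    return datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))


def is_active(expression, at_iso):
    """True if the conditional grant still applies at the given ISO-8601 instant."""
    at = datetime.fromisoformat(at_iso.replace("Z", "+00:00"))
    if at.tzinfo is None:
        at = at.replace(tzinfo=timezone.utc)
    return at < expires_at(expression)


if __name__ == "__main__":
    policy = attach_condition(POLICY_V1, "roles/iam.securityReviewer",
                              "user:[email protected]", EXPIRES_2019)
    check_before_set(policy)
    # This is what would be written to file-path for set-iam-policy.
    print(json.dumps(policy, indent=2))
    print("still active on 2019-12-31 11:59Z:", is_active(EXPIRES_2019["expression"], "2019-12-31T11:59:00Z"))
```

Running the script prints the version-3 policy from the page and shows that the example binding is already expired: a useful check before copying an old policy file around, since an expired conditional binding grants nothing while still looking like a grant in the listing.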