// Copyright 2026 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// proto3: scalar fields have implicit presence, so `false` for the `bool`
// fields (`validate_only`, `force`) and `""` for `etag`/`page_token` in this
// file are indistinguishable from "not set" on the wire.
syntax = "proto3";

package google.iam.v3beta;

import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/iam/v3beta/access_policy_resources.proto";
import "google/iam/v3beta/operation_metadata.proto";
import "google/iam/v3beta/policy_binding_resources.proto";
import "google/longrunning/operations.proto";
import "google/protobuf/empty.proto";

// Language-specific code-generation options. They are part of the published
// API surface: changing a package or namespace value here breaks every
// generated client that imports the current one.
option csharp_namespace = "Google.Cloud.Iam.V3Beta";
option go_package = "cloud.google.com/go/iam/apiv3beta/iampb;iampb";
option java_multiple_files = true;
option java_outer_classname = "AccessPoliciesProto";
option java_package = "com.google.iam.v3beta";
option php_namespace = "Google\\Cloud\\Iam\\V3beta";

// Manages Identity and Access Management (IAM) access policies.
//
// Every RPC is exposed under all three parent types (`projects/*`,
// `folders/*`, `organizations/*`) through the `additional_bindings` below,
// and every call needs the `cloud-platform` OAuth scope declared on the
// service. Per-RPC IAM permissions are not declared in this file (only the
// comment on `SearchAccessPolicyBindings` names one).
service AccessPolicies {
  option (google.api.default_host) = "iam.googleapis.com";
  option (google.api.oauth_scopes) =
      "https://www.googleapis.com/auth/cloud-platform";

  // Creates an access policy, and returns a long running operation.
  //
  // The operation's response is the created `AccessPolicy` and its metadata
  // is `OperationMetadata` (see `operation_info`). The final component of the
  // new policy's resource name comes from
  // `CreateAccessPolicyRequest.access_policy_id`.
  rpc CreateAccessPolicy(CreateAccessPolicyRequest)
      returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v3beta/{parent=projects/*/locations/*}/accessPolicies"
      body: "access_policy"
      additional_bindings {
        post: "/v3beta/{parent=folders/*/locations/*}/accessPolicies"
        body: "access_policy"
      }
      additional_bindings {
        post: "/v3beta/{parent=organizations/*/locations/*}/accessPolicies"
        body: "access_policy"
      }
    };
    option (google.api.method_signature) =
        "parent,access_policy,access_policy_id";
    option (google.longrunning.operation_info) = {
      response_type: "AccessPolicy"
      metadata_type: "OperationMetadata"
    };
  }

  // Gets an access policy.
  //
  // Unlike create/update/delete this is synchronous: the response is the
  // `AccessPolicy` itself, not an operation.
  rpc GetAccessPolicy(GetAccessPolicyRequest) returns (AccessPolicy) {
    option (google.api.http) = {
      get: "/v3beta/{name=projects/*/locations/*/accessPolicies/*}"
      additional_bindings {
        get: "/v3beta/{name=folders/*/locations/*/accessPolicies/*}"
      }
      additional_bindings {
        get: "/v3beta/{name=organizations/*/locations/*/accessPolicies/*}"
      }
    };
    option (google.api.method_signature) = "name";
  }

  // Updates an access policy.
  //
  // `UpdateAccessPolicyRequest` carries no `update_mask`, so the whole
  // `access_policy` body is sent and the URL path is derived from
  // `access_policy.name`. NOTE(review): whether the server treats this as a
  // full replacement or merges unset fields is not stated here — confirm
  // before relying on partial updates. This RPC also declares no
  // `method_signature`, unlike the others in this service, so generated
  // clients presumably get no flattened overload for it.
  rpc UpdateAccessPolicy(UpdateAccessPolicyRequest)
      returns (google.longrunning.Operation) {
    option (google.api.http) = {
      patch: "/v3beta/{access_policy.name=projects/*/locations/*/accessPolicies/*}"
      body: "access_policy"
      additional_bindings {
        patch: "/v3beta/{access_policy.name=folders/*/locations/*/accessPolicies/*}"
        body: "access_policy"
      }
      additional_bindings {
        patch: "/v3beta/{access_policy.name=organizations/*/locations/*/accessPolicies/*}"
        body: "access_policy"
      }
    };
    option (google.longrunning.operation_info) = {
      response_type: "AccessPolicy"
      metadata_type: "OperationMetadata"
    };
  }

  // Deletes an access policy.
  //
  // The returned operation resolves to `google.protobuf.Empty`. The request's
  // optional `etag` guards against deleting a policy that changed since it
  // was last read, and `force` deletes the policy even while policy bindings
  // still reference it (see `DeleteAccessPolicyRequest`).
  rpc DeleteAccessPolicy(DeleteAccessPolicyRequest)
      returns (google.longrunning.Operation) {
    option (google.api.http) = {
      delete: "/v3beta/{name=projects/*/locations/*/accessPolicies/*}"
      additional_bindings {
        delete: "/v3beta/{name=folders/*/locations/*/accessPolicies/*}"
      }
      additional_bindings {
        delete: "/v3beta/{name=organizations/*/locations/*/accessPolicies/*}"
      }
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "google.protobuf.Empty"
      metadata_type: "OperationMetadata"
    };
  }

  // Lists access policies.
  //
  // Results are paginated; see `page_size` and `page_token` on
  // `ListAccessPoliciesRequest`.
  rpc ListAccessPolicies(ListAccessPoliciesRequest)
      returns (ListAccessPoliciesResponse) {
    option (google.api.http) = {
      get: "/v3beta/{parent=projects/*/locations/*}/accessPolicies"
      additional_bindings {
        get: "/v3beta/{parent=folders/*/locations/*}/accessPolicies"
      }
      additional_bindings {
        get: "/v3beta/{parent=organizations/*/locations/*}/accessPolicies"
      }
    };
    option (google.api.method_signature) = "parent";
  }

  // Returns all policy bindings that bind a specific policy if a user has
  // searchPolicyBindings permission on that policy.
  //
  // Useful before `DeleteAccessPolicy` to review which bindings a (forced)
  // deletion would affect. Results are paginated like `ListAccessPolicies`.
  rpc SearchAccessPolicyBindings(SearchAccessPolicyBindingsRequest)
      returns (SearchAccessPolicyBindingsResponse) {
    option (google.api.http) = {
      get: "/v3beta/{name=organizations/*/locations/*/accessPolicies/*}:searchPolicyBindings"
      additional_bindings {
        get: "/v3beta/{name=folders/*/locations/*/accessPolicies/*}:searchPolicyBindings"
      }
      additional_bindings {
        get: "/v3beta/{name=projects/*/locations/*/accessPolicies/*}:searchPolicyBindings"
      }
    };
    option (google.api.method_signature) = "name";
  }
}

// Request message for CreateAccessPolicy method.
message CreateAccessPolicyRequest {
  // Required. The parent resource where this access policy will be created.
  //
  // Format:
  //   `projects/{project_id}/locations/{location}`
  //   `projects/{project_number}/locations/{location}`
  //   `folders/{folder_id}/locations/{location}`
  //   `organizations/{organization_id}/locations/{location}`
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "iam.googleapis.com/AccessPolicy"
    }
  ];

  // Required. The ID to use for the access policy, which
  // will become the final component of the access policy's
  // resource name.
  //
  // This value must start with a lowercase letter followed by up to 62
  // lowercase letters, numbers, hyphens, or dots. Pattern,
  // /[a-z][a-z0-9-\.]{2,62}/.
  //
  // NOTE(review): the prose and the pattern disagree on the minimum length —
  // `{2,62}` requires at least two characters after the leading letter
  // (three in total), whereas "up to 62" allows none; confirm which is
  // authoritative before validating IDs client-side.
  //
  // This value must be unique among all access policies with the same parent.
  string access_policy_id = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. The access policy to create.
  AccessPolicy access_policy = 3 [(google.api.field_behavior) = REQUIRED];

  // Optional. If set, validate the request and preview the creation, but do not
  // actually post it.
  //
  // As a proto3 `bool`, `false` and "unset" are the same on the wire: both
  // mean the policy is really created.
  bool validate_only = 4 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for GetAccessPolicy method.
message GetAccessPolicyRequest {
  // Required. The name of the access policy to retrieve.
  //
  // Format:
  //   `projects/{project_id}/locations/{location}/accessPolicies/{access_policy_id}`
  //   `projects/{project_number}/locations/{location}/accessPolicies/{access_policy_id}`
  //   `folders/{folder_id}/locations/{location}/accessPolicies/{access_policy_id}`
  //   `organizations/{organization_id}/locations/{location}/accessPolicies/{access_policy_id}`
  //
  // The same name formats are accepted by `DeleteAccessPolicy` and
  // `SearchAccessPolicyBindings`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/AccessPolicy"
    }
  ];
}

// Request message for UpdateAccessPolicy method.
//
// There is no `update_mask` field: the whole `access_policy` is submitted.
// NOTE(review): replacement-vs-merge semantics for fields left unset in the
// submitted policy are not documented here — confirm with the service.
message UpdateAccessPolicyRequest {
  // Required. The access policy to update.
  //
  // The access policy's `name` field is used to identify the
  // policy to update. The HTTP binding also takes the URL path from
  // `access_policy.name`, so it must be a full resource name in one of the
  // formats listed on `GetAccessPolicyRequest.name`.
  AccessPolicy access_policy = 1 [(google.api.field_behavior) = REQUIRED];

  // Optional. If set, validate the request and preview the update, but do not
  // actually post it.
  //
  // As a proto3 `bool`, `false` and "unset" are the same on the wire.
  bool validate_only = 2 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for DeleteAccessPolicy method.
message DeleteAccessPolicyRequest {
  // Required. The name of the access policy to delete.
  //
  // Format:
  //   `projects/{project_id}/locations/{location}/accessPolicies/{access_policy_id}`
  //   `projects/{project_number}/locations/{location}/accessPolicies/{access_policy_id}`
  //   `folders/{folder_id}/locations/{location}/accessPolicies/{access_policy_id}`
  //   `organizations/{organization_id}/locations/{location}/accessPolicies/{access_policy_id}`
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/AccessPolicy"
    }
  ];

  // Optional. The etag of the access policy. If this is provided, it must match
  // the server's etag.
  //
  // Pass the etag obtained from a preceding `GetAccessPolicy` to make the
  // delete conditional: it then cannot remove a policy that was modified in
  // between. An empty string is the same as not providing an etag (proto3
  // implicit presence), so the check only applies when a value is set.
  string etag = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. If set, validate the request and preview the deletion, but do not
  // actually post it.
  bool validate_only = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. If set to true, the request will force the deletion of the Policy
  // even if the Policy references PolicyBindings.
  //
  // Because forcing removes a policy that bindings still depend on, review the
  // affected bindings with `SearchAccessPolicyBindings` before setting this.
  // NOTE(review): what happens to those bindings after a forced delete is not
  // described in this file — confirm with the service documentation.
  bool force = 4 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for ListAccessPolicies method.
message ListAccessPoliciesRequest {
  // Required. The parent resource, which owns the collection of access policy
  // resources.
  //
  // Format:
  //   `projects/{project_id}/locations/{location}`
  //   `projects/{project_number}/locations/{location}`
  //   `folders/{folder_id}/locations/{location}`
  //   `organizations/{organization_id}/locations/{location}`
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "iam.googleapis.com/AccessPolicy"
    }
  ];

  // Optional. The maximum number of access policies to return. The
  // service may return fewer than this value.
  //
  // If unspecified, at most 50 access policies will be returned. Valid value
  // ranges from 1 to 1000; values above 1000 will be coerced to 1000.
  //
  // `0` is not serialized in proto3 and therefore counts as unspecified.
  // NOTE(review): handling of negative values is not documented here.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. A page token, received from a previous
  // `ListAccessPolicies` call. Provide this to retrieve the
  // subsequent page.
  //
  // When paginating, all other parameters provided to
  // `ListAccessPolicies` must match the call that provided the
  // page token.
  //
  // Treat the token as opaque: only send back values received from the
  // service, unmodified.
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
}

// Response message for ListAccessPolicies method.
message ListAccessPoliciesResponse {
  // The access policies from the specified parent.
  //
  // At most `page_size` entries (see `ListAccessPoliciesRequest`); an empty
  // list with no `next_page_token` means there is nothing to list.
  repeated AccessPolicy access_policies = 1;

  // Optional. A token, which can be sent as `page_token` to retrieve the next
  // page. If this field is omitted, there are no subsequent pages.
  //
  // As a proto3 `string`, "omitted" and "empty" are the same on the wire, so
  // callers should stop paginating on an empty token.
  string next_page_token = 2 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for SearchAccessPolicyBindings rpc.
message SearchAccessPolicyBindingsRequest {
  // Required. The name of the access policy.
  // Format:
  //  `organizations/{organization_id}/locations/{location}/accessPolicies/{access_policy_id}`
  //  `folders/{folder_id}/locations/{location}/accessPolicies/{access_policy_id}`
  //  `projects/{project_id}/locations/{location}/accessPolicies/{access_policy_id}`
  //  `projects/{project_number}/locations/{location}/accessPolicies/{access_policy_id}`
  //
  // The caller needs the `searchPolicyBindings` permission on this policy
  // (see the RPC's comment).
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/AccessPolicy"
    }
  ];

  // Optional. The maximum number of policy bindings to return. The service may
  // return fewer than this value.
  //
  // If unspecified, at most 50 policy bindings will be returned.
  // The maximum value is 1000; values above 1000 will be coerced to 1000.
  //
  // `0` is not serialized in proto3 and therefore counts as unspecified.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. A page token, received from a previous
  // `SearchAccessPolicyBindings` call. Provide this to
  // retrieve the subsequent page.
  //
  // When paginating, all other parameters provided to
  // `SearchAccessPolicyBindings` must match the call
  // that provided the page token.
  //
  // Treat the token as opaque: only send back values received from the
  // service, unmodified.
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
}

// Response message for SearchAccessPolicyBindings rpc.
message SearchAccessPolicyBindingsResponse {
  // The policy bindings that reference the specified policy.
  //
  // `PolicyBinding` is defined in policy_binding_resources.proto. At most
  // `page_size` entries are returned per call.
  repeated PolicyBinding policy_bindings = 1;

  // Optional. A token, which can be sent as `page_token` to retrieve the next
  // page. If this field is omitted, there are no subsequent pages.
  //
  // As a proto3 `string`, "omitted" and "empty" are the same on the wire, so
  // callers should stop paginating on an empty token.
  string next_page_token = 2 [(google.api.field_behavior) = OPTIONAL];
}
