// Copyright 2026 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. syntax = "proto3"; package google.iam.v3beta; import "google/api/field_behavior.proto"; import "google/api/field_info.proto"; import "google/api/resource.proto"; import "google/protobuf/timestamp.proto"; import "google/type/expr.proto"; option csharp_namespace = "Google.Cloud.Iam.V3Beta"; option go_package = "cloud.google.com/go/iam/apiv3beta/iampb;iampb"; option java_multiple_files = true; option java_outer_classname = "AccessPolicyResourcesProto"; option java_package = "com.google.iam.v3beta"; option php_namespace = "Google\\Cloud\\Iam\\V3beta"; // An IAM access policy resource. message AccessPolicy { option (google.api.resource) = { type: "iam.googleapis.com/AccessPolicy" pattern: "organizations/{organization}/locations/{location}/accessPolicies/{access_policy}" pattern: "folders/{folder}/locations/{location}/accessPolicies/{access_policy}" pattern: "projects/{project}/locations/{location}/accessPolicies/{access_policy}" plural: "accessPolicies" singular: "accessPolicy" }; // Identifier. The resource name of the access policy. // // The following formats are supported: // // * `projects/{project_id}/locations/{location}/accessPolicies/{policy_id}` // * `projects/{project_number}/locations/{location}/accessPolicies/{policy_id}` // * `folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}` // * `organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}` string name = 1 [(google.api.field_behavior) = IDENTIFIER]; // Output only. The globally unique ID of the access policy. string uid = 2 [ (google.api.field_info).format = UUID4, (google.api.field_behavior) = OUTPUT_ONLY ]; // Optional. The etag for the access policy. // If this is provided on update, it must match the server's etag. string etag = 3 [(google.api.field_behavior) = OPTIONAL]; // Optional. The description of the access policy. Must be less than // or equal to 63 characters. string display_name = 4 [(google.api.field_behavior) = OPTIONAL]; // Optional. User defined annotations. See // https://google.aip.dev/148#annotations for more details such as format and // size limitations map annotations = 5 [(google.api.field_behavior) = OPTIONAL]; // Output only. The time when the access policy was created. google.protobuf.Timestamp create_time = 6 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. The time when the access policy was most recently // updated. google.protobuf.Timestamp update_time = 7 [(google.api.field_behavior) = OUTPUT_ONLY]; // Optional. The details for the access policy. AccessPolicyDetails details = 8 [(google.api.field_behavior) = OPTIONAL]; } // Access policy details. message AccessPolicyDetails { // Required. A list of access policy rules. repeated AccessPolicyRule rules = 1 [(google.api.field_behavior) = REQUIRED]; } // Access Policy Rule that determines the behavior of the policy. message AccessPolicyRule { // Attributes that are used to determine whether this rule applies to a // request. message Operation { // Optional. The permissions that are explicitly affected by this rule. Each // permission uses the format `{service_fqdn}/{resource}.{verb}`, where // `{service_fqdn}` is the fully qualified domain name for the service. // Currently supported permissions are as follows: // // * `eventarc.googleapis.com/messageBuses.publish`. repeated string permissions = 1 [(google.api.field_behavior) = OPTIONAL]; // Optional. Specifies the permissions that this rule excludes from the set // of affected permissions given by `permissions`. If a permission appears // in `permissions` _and_ in `excluded_permissions` then it will _not_ be // subject to the policy effect. // // The excluded permissions can be specified using the same syntax as // `permissions`. repeated string excluded_permissions = 2 [(google.api.field_behavior) = OPTIONAL]; } // An effect to describe the access relationship. enum Effect { // The effect is unspecified. EFFECT_UNSPECIFIED = 0; // The policy will deny access if it evaluates to true. DENY = 1; // The policy will grant access if it evaluates to true. ALLOW = 2; } // Optional. Customer specified description of the rule. Must be less than or // equal to 256 characters. optional string description = 1 [(google.api.field_behavior) = OPTIONAL]; // Required. The effect of the rule. optional Effect effect = 2 [(google.api.field_behavior) = REQUIRED]; // Required. The identities for which this rule's effect governs using one or // more permissions on Google Cloud resources. This field can contain the // following values: // // * `principal://goog/subject/{email_id}`: A specific Google Account. // Includes Gmail, Cloud Identity, and Google Workspace user accounts. For // example, `principal://goog/subject/alice@example.com`. // // * `principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}`: // A Google Cloud service account. For example, // `principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com`. // // * `principalSet://goog/group/{group_id}`: A Google group. For example, // `principalSet://goog/group/admins@example.com`. // // * `principalSet://goog/cloudIdentityCustomerId/{customer_id}`: All of the // principals associated with the specified Google Workspace or Cloud // Identity customer ID. For example, // `principalSet://goog/cloudIdentityCustomerId/C01Abc35`. // // // If an identifier that was previously set on a policy is soft deleted, then // calls to read that policy will return the identifier with a deleted // prefix. Users cannot set identifiers with this syntax. // // * `deleted:principal://goog/subject/{email_id}?uid={uid}`: A specific // Google Account that was deleted recently. For example, // `deleted:principal://goog/subject/alice@example.com?uid=1234567890`. If // the Google Account is recovered, this identifier reverts to the standard // identifier for a Google Account. // // * `deleted:principalSet://goog/group/{group_id}?uid={uid}`: A Google group // that was deleted recently. For example, // `deleted:principalSet://goog/group/admins@example.com?uid=1234567890`. // If the Google group is restored, this identifier reverts to the standard // identifier for a Google group. // // * `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}`: // A Google Cloud service account that was deleted recently. For example, // `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890`. // If the service account is undeleted, this identifier reverts to the // standard identifier for a service account. repeated string principals = 3 [(google.api.field_behavior) = REQUIRED]; // Optional. The identities that are excluded from the access policy rule, // even if they are listed in the `principals`. For example, you could add a // Google group to the `principals`, then exclude specific users who belong to // that group. repeated string excluded_principals = 4 [(google.api.field_behavior) = OPTIONAL]; // Required. Attributes that are used to determine whether this rule applies // to a request. Operation operation = 10 [(google.api.field_behavior) = REQUIRED]; // Optional. The conditions that determine whether this rule applies to a // request. Conditions are identified by their key, which is the FQDN of the // service that they are relevant to. For example: // // ``` // "conditions": { // "iam.googleapis.com": { // "expression": // } // } // ``` // // Each rule is evaluated independently. If this rule does not apply // to a request, other rules might still apply. // Currently supported keys are as follows: // // // * `eventarc.googleapis.com`: Can use `CEL` functions that evaluate // resource fields. // // * `iam.googleapis.com`: Can use `CEL` functions that evaluate // [resource // tags](https://cloud.google.com/iam/help/conditions/resource-tags) and // combine them using boolean and logical operators. Other functions and // operators are not supported. map conditions = 9 [(google.api.field_behavior) = OPTIONAL]; }