Identity and Access Management

Non-API-specific IAM policy definitions

For allowed roles / permissions, see: https://cloud.google.com/iam/docs/understanding-roles

Example usage:

# ``get_iam_policy`` returns a :class:`~google.api_core.iam.Policy`.
policy = resource.get_iam_policy()

phred = policy.user("phred@example.com")
admin_group = policy.group("admins@groups.example.com")
account = policy.service_account("account-1234@accounts.example.com")
policy["roles/owner"] = [phred, admin_group, account]
policy["roles/editor"] = policy.authenticated_users()
policy["roles/viewer"] = policy.all_users()

resource.set_iam_policy(policy)
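The example above binds ``allAuthenticatedUsers`` and ``allUsers`` to basic roles, which is exactly the kind of grant worth catching before ``set_iam_policy`` is called. The following is an added example, not part of this page or of google-api-core: it audits a policy in the dict form that ``Policy.from_api_repr`` consumes and ``Policy.to_api_repr`` produces (the REST ``Policy`` resource: ``etag``, ``version`` and a ``bindings`` list of ``{"role", "members"}`` entries), so it runs offline without importing the library. The member-string prefixes (``user:``, ``group:``, ``serviceAccount:``, ``domain:``, ``allUsers``, ``allAuthenticatedUsers``) are the documented IAM member format; the sample policy, its ``etag`` value and the finding categories are constructed for illustration.

```python
"""Audit a Cloud IAM policy resource for risky bindings before calling setIamPolicy.

Operates on the JSON/dict form of the Policy resource (the shape returned by
getIamPolicy and accepted by setIamPolicy), so it needs no network access and
does not import google.api_core. Assumption: each binding carries only
"role" and "members" (no conditions).
"""
import copy
from collections import defaultdict

# Basic roles listed on this page.
OWNER_ROLE = "roles/owner"
EDITOR_ROLE = "roles/editor"
VIEWER_ROLE = "roles/viewer"
BASIC_ROLES = {OWNER_ROLE, EDITOR_ROLE, VIEWER_ROLE}

# Members produced by Policy.all_users() / Policy.authenticated_users():
# either one opens the resource to the whole Internet or to any Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def members_by_role(resource):
    """Collapse the bindings list into {role: set(members)}.

    A role may appear in more than one binding, so member sets are merged."""
    merged = defaultdict(set)
    for binding in resource.get("bindings", []):
        merged[binding["role"]].update(binding.get("members", []))
    return dict(merged)


def audit_policy(resource):
    """Return (kind, role, member) findings, in binding order, members sorted.

    kind is one of (categories constructed for this example):
      "public"       - allUsers / allAuthenticatedUsers bound to any role
      "basic-sa"     - a service account holding a basic (owner/editor/viewer) role
      "domain-owner" - an entire domain granted roles/owner
    """
    findings = []
    for role, members in members_by_role(resource).items():
        for member in sorted(members):
            if member in PUBLIC_MEMBERS:
                findings.append(("public", role, member))
            elif role in BASIC_ROLES and member.startswith("serviceAccount:"):
                findings.append(("basic-sa", role, member))
            elif role == OWNER_ROLE and member.startswith("domain:"):
                findings.append(("domain-owner", role, member))
    return findings


def strip_public_members(resource):
    """Return a hardened copy with public members removed and empty bindings dropped.

    etag and version are preserved so that setIamPolicy can reject a write
    based on a stale read instead of silently overwriting a concurrent change."""
    hardened = copy.deepcopy(resource)
    kept = []
    for binding in hardened.get("bindings", []):
        binding["members"] = [m for m in binding.get("members", [])
                              if m not in PUBLIC_MEMBERS]
        if binding["members"]:
            kept.append(binding)
    hardened["bindings"] = kept
    return hardened


# Constructed sample mirroring the example usage above (not a real policy).
SAMPLE_POLICY = {
    "etag": "BwXCONSTRUCTEDETAG=",  # constructed placeholder, not a real etag
    "version": 1,
    "bindings": [
        {"role": OWNER_ROLE, "members": [
            "user:phred@example.com",
            "group:admins@groups.example.com",
            "serviceAccount:account-1234@accounts.example.com",
        ]},
        {"role": EDITOR_ROLE, "members": ["allAuthenticatedUsers"]},
        {"role": VIEWER_ROLE, "members": ["allUsers"]},
    ],
}

if __name__ == "__main__":
    for kind, role, member in audit_policy(SAMPLE_POLICY):
        print(f"{kind:12} {role:14} {member}")
    print("after hardening:", audit_policy(strip_public_members(SAMPLE_POLICY)))
```

In practice the dict would come from ``policy.to_api_repr()`` (or straight from ``getIamPolicy``), and the hardened dict would go back through ``Policy.from_api_repr`` before ``set_iam_policy``. The service-account finding is deliberately a warning rather than an automatic removal: a service account holding ``roles/owner`` is sometimes intended, whereas ``allUsers`` on a role is almost never what a reviewer wants to see.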
google.api_core.iam.OWNER_ROLE = 'roles/owner'

Generic role implying all rights to an object.

google.api_core.iam.EDITOR_ROLE = 'roles/editor'

Generic role implying rights to modify an object.

google.api_core.iam.VIEWER_ROLE = 'roles/viewer'

Generic role implying rights to access an object.

class google.api_core.iam.Policy(etag=None, version=None)

Bases: collections.abc.MutableMapping

IAM Policy

See https://cloud.google.com/iam/reference/rest/v1/Policy

Parameters:
  • etag (Optional[str]) – ETag used to identify a unique version of the policy
  • version (Optional[int]) – unique version of the policy
owners

Legacy access to owner role.

DEPRECATED: use policy["roles/owner"] instead.

editors

Legacy access to editor role.

DEPRECATED: use policy["roles/editor"] instead.

viewers

Legacy access to viewer role.

DEPRECATED: use policy["roles/viewer"] instead.

static user(email)

Factory method for a user member.

Parameters: email (str) – E-mail for this particular user.
Returns: A member string corresponding to the given user.
Return type: str
static service_account(email)

Factory method for a service account member.

Parameters: email (str) – E-mail for this particular service account.
Returns: A member string corresponding to the given service account.
Return type: str
static group(email)

Factory method for a group member.

Parameters: email (str) – An id or e-mail for this particular group.
Returns: A member string corresponding to the given group.
Return type: str
static domain(domain)

Factory method for a domain member.

Parameters: domain (str) – The domain for this member.
Returns: A member string corresponding to the given domain.
Return type: str
static all_users()

Factory method for a member representing all users.

Returns: A member string representing all users.
Return type: str
static authenticated_users()

Factory method for a member representing all authenticated users.

Returns: A member string representing all authenticated users.
Return type: str
classmethod from_api_repr(resource)

Factory: create a policy from a JSON resource.

Parameters: resource (dict) – Policy resource returned by the getIamPolicy API.
Returns: The parsed policy.
Return type: Policy
to_api_repr()

Render a JSON policy resource.

Returns: A resource to be passed to the setIamPolicy API.
Return type: dict