
Google Cloud Native is in preview. Google Cloud Classic is fully supported.

Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi

google-native.storage/v1.BucketIamPolicy


Updates an IAM policy for the specified bucket. Note: this resource's API does not support deletion. When the resource is deleted from Pulumi state, the IAM policy persists on the bucket in Google Cloud.

Create BucketIamPolicy Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new BucketIamPolicy(name: string, args: BucketIamPolicyArgs, opts?: CustomResourceOptions);
@overload
def BucketIamPolicy(resource_name: str,
                    args: BucketIamPolicyArgs,
                    opts: Optional[ResourceOptions] = None)

@overload
def BucketIamPolicy(resource_name: str,
                    opts: Optional[ResourceOptions] = None,
                    bucket: Optional[str] = None,
                    bindings: Optional[Sequence[BucketIamPolicyBindingsItemArgs]] = None,
                    etag: Optional[str] = None,
                    kind: Optional[str] = None,
                    resource_id: Optional[str] = None,
                    user_project: Optional[str] = None,
                    version: Optional[int] = None)
func NewBucketIamPolicy(ctx *Context, name string, args BucketIamPolicyArgs, opts ...ResourceOption) (*BucketIamPolicy, error)
public BucketIamPolicy(string name, BucketIamPolicyArgs args, CustomResourceOptions? opts = null)
public BucketIamPolicy(String name, BucketIamPolicyArgs args)
public BucketIamPolicy(String name, BucketIamPolicyArgs args, CustomResourceOptions options)
type: google-native:storage/v1:BucketIamPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name This property is required. string
The unique name of the resource.
args This property is required. BucketIamPolicyArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name This property is required. str
The unique name of the resource.
args This property is required. BucketIamPolicyArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name This property is required. string
The unique name of the resource.
args This property is required. BucketIamPolicyArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name This property is required. string
The unique name of the resource.
args This property is required. BucketIamPolicyArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name This property is required. String
The unique name of the resource.
args This property is required. BucketIamPolicyArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var bucketIamPolicyResource = new GoogleNative.Storage.V1.BucketIamPolicy("bucketIamPolicyResource", new()
{
    Bucket = "string",
    Bindings = new[]
    {
        new GoogleNative.Storage.V1.Inputs.BucketIamPolicyBindingsItemArgs
        {
            Condition = new GoogleNative.Storage.V1.Inputs.ExprArgs
            {
                Description = "string",
                Expression = "string",
                Location = "string",
                Title = "string",
            },
            Members = new[]
            {
                "string",
            },
            Role = "string",
        },
    },
    Etag = "string",
    Kind = "string",
    ResourceId = "string",
    UserProject = "string",
    Version = 0,
});
example, err := storage.NewBucketIamPolicy(ctx, "bucketIamPolicyResource", &storage.BucketIamPolicyArgs{
	Bucket: pulumi.String("string"),
	Bindings: storage.BucketIamPolicyBindingsItemArray{
		&storage.BucketIamPolicyBindingsItemArgs{
			Condition: &storage.ExprArgs{
				Description: pulumi.String("string"),
				Expression:  pulumi.String("string"),
				Location:    pulumi.String("string"),
				Title:       pulumi.String("string"),
			},
			Members: pulumi.StringArray{
				pulumi.String("string"),
			},
			Role: pulumi.String("string"),
		},
	},
	Etag:        pulumi.String("string"),
	Kind:        pulumi.String("string"),
	ResourceId:  pulumi.String("string"),
	UserProject: pulumi.String("string"),
	Version:     pulumi.Int(0),
})
var bucketIamPolicyResource = new BucketIamPolicy("bucketIamPolicyResource", BucketIamPolicyArgs.builder()
    .bucket("string")
    .bindings(BucketIamPolicyBindingsItemArgs.builder()
        .condition(ExprArgs.builder()
            .description("string")
            .expression("string")
            .location("string")
            .title("string")
            .build())
        .members("string")
        .role("string")
        .build())
    .etag("string")
    .kind("string")
    .resourceId("string")
    .userProject("string")
    .version(0)
    .build());
import pulumi_google_native as google_native

bucket_iam_policy_resource = google_native.storage.v1.BucketIamPolicy("bucketIamPolicyResource",
    bucket="string",
    bindings=[{
        "condition": {
            "description": "string",
            "expression": "string",
            "location": "string",
            "title": "string",
        },
        "members": ["string"],
        "role": "string",
    }],
    etag="string",
    kind="string",
    resource_id="string",
    user_project="string",
    version=0)
import * as google_native from "@pulumi/google-native";

const bucketIamPolicyResource = new google_native.storage.v1.BucketIamPolicy("bucketIamPolicyResource", {
    bucket: "string",
    bindings: [{
        condition: {
            description: "string",
            expression: "string",
            location: "string",
            title: "string",
        },
        members: ["string"],
        role: "string",
    }],
    etag: "string",
    kind: "string",
    resourceId: "string",
    userProject: "string",
    version: 0,
});
type: google-native:storage/v1:BucketIamPolicy
properties:
    bindings:
        - condition:
            description: string
            expression: string
            location: string
            title: string
          members:
            - string
          role: string
    bucket: string
    etag: string
    kind: string
    resourceId: string
    userProject: string
    version: 0

BucketIamPolicy Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The BucketIamPolicy resource accepts the following input properties:

Bucket
This property is required.
Changes to this property will trigger replacement.
string
Bindings List<Pulumi.GoogleNative.Storage.V1.Inputs.BucketIamPolicyBindingsItem>
An association between a role, which comes with a set of permissions, and members who may assume that role.
Etag string
HTTP 1.1 Entity tag for the policy.
Kind string
The kind of item this is. For policies, this is always storage#policy. This field is ignored on input.
ResourceId string
The ID of the resource to which this policy belongs. Will be of the form projects//buckets/bucket for buckets, projects//buckets/bucket/objects/object for objects, and projects//buckets/bucket/managedFolders/managedFolder. A specific generation may be specified by appending #generationNumber to the end of the object name, e.g. projects//buckets/my-bucket/objects/data.txt#17. The current generation can be denoted with #0. This field is ignored on input.
UserProject string
The project to be billed for this request. Required for Requester Pays buckets.
Version int
The IAM policy format version.
Bucket
This property is required.
Changes to this property will trigger replacement.
string
Bindings []BucketIamPolicyBindingsItemArgs
An association between a role, which comes with a set of permissions, and members who may assume that role.
Etag string
HTTP 1.1 Entity tag for the policy.
Kind string
The kind of item this is. For policies, this is always storage#policy. This field is ignored on input.
ResourceId string
The ID of the resource to which this policy belongs. Will be of the form projects//buckets/bucket for buckets, projects//buckets/bucket/objects/object for objects, and projects//buckets/bucket/managedFolders/managedFolder. A specific generation may be specified by appending #generationNumber to the end of the object name, e.g. projects//buckets/my-bucket/objects/data.txt#17. The current generation can be denoted with #0. This field is ignored on input.
UserProject string
The project to be billed for this request. Required for Requester Pays buckets.
Version int
The IAM policy format version.
bucket
This property is required.
Changes to this property will trigger replacement.
String
bindings List<BucketIamPolicyBindingsItem>
An association between a role, which comes with a set of permissions, and members who may assume that role.
etag String
HTTP 1.1 Entity tag for the policy.
kind String
The kind of item this is. For policies, this is always storage#policy. This field is ignored on input.
resourceId String
The ID of the resource to which this policy belongs. Will be of the form projects//buckets/bucket for buckets, projects//buckets/bucket/objects/object for objects, and projects//buckets/bucket/managedFolders/managedFolder. A specific generation may be specified by appending #generationNumber to the end of the object name, e.g. projects//buckets/my-bucket/objects/data.txt#17. The current generation can be denoted with #0. This field is ignored on input.
userProject String
The project to be billed for this request. Required for Requester Pays buckets.
version Integer
The IAM policy format version.
bucket
This property is required.
Changes to this property will trigger replacement.
string
bindings BucketIamPolicyBindingsItem[]
An association between a role, which comes with a set of permissions, and members who may assume that role.
etag string
HTTP 1.1 Entity tag for the policy.
kind string
The kind of item this is. For policies, this is always storage#policy. This field is ignored on input.
resourceId string
The ID of the resource to which this policy belongs. Will be of the form projects//buckets/bucket for buckets, projects//buckets/bucket/objects/object for objects, and projects//buckets/bucket/managedFolders/managedFolder. A specific generation may be specified by appending #generationNumber to the end of the object name, e.g. projects//buckets/my-bucket/objects/data.txt#17. The current generation can be denoted with #0. This field is ignored on input.
userProject string
The project to be billed for this request. Required for Requester Pays buckets.
version number
The IAM policy format version.
bucket
This property is required.
Changes to this property will trigger replacement.
str
bindings Sequence[BucketIamPolicyBindingsItemArgs]
An association between a role, which comes with a set of permissions, and members who may assume that role.
etag str
HTTP 1.1 Entity tag for the policy.
kind str
The kind of item this is. For policies, this is always storage#policy. This field is ignored on input.
resource_id str
The ID of the resource to which this policy belongs. Will be of the form projects//buckets/bucket for buckets, projects//buckets/bucket/objects/object for objects, and projects//buckets/bucket/managedFolders/managedFolder. A specific generation may be specified by appending #generationNumber to the end of the object name, e.g. projects//buckets/my-bucket/objects/data.txt#17. The current generation can be denoted with #0. This field is ignored on input.
user_project str
The project to be billed for this request. Required for Requester Pays buckets.
version int
The IAM policy format version.
bucket
This property is required.
Changes to this property will trigger replacement.
String
bindings List<Property Map>
An association between a role, which comes with a set of permissions, and members who may assume that role.
etag String
HTTP 1.1 Entity tag for the policy.
kind String
The kind of item this is. For policies, this is always storage#policy. This field is ignored on input.
resourceId String
The ID of the resource to which this policy belongs. Will be of the form projects//buckets/bucket for buckets, projects//buckets/bucket/objects/object for objects, and projects//buckets/bucket/managedFolders/managedFolder. A specific generation may be specified by appending #generationNumber to the end of the object name, e.g. projects//buckets/my-bucket/objects/data.txt#17. The current generation can be denoted with #0. This field is ignored on input.
userProject String
The project to be billed for this request. Required for Requester Pays buckets.
version Number
The IAM policy format version.

Outputs

All input properties are implicitly available as output properties. Additionally, the BucketIamPolicy resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
Id string
The provider-assigned unique ID for this managed resource.
id String
The provider-assigned unique ID for this managed resource.
id string
The provider-assigned unique ID for this managed resource.
id str
The provider-assigned unique ID for this managed resource.
id String
The provider-assigned unique ID for this managed resource.

Supporting Types

BucketIamPolicyBindingsItem, BucketIamPolicyBindingsItemArgs

Condition Pulumi.GoogleNative.Storage.V1.Inputs.Expr
The condition that is associated with this binding. NOTE: an unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
Members List<string>
A collection of identifiers for members who may assume the provided role. Recognized identifiers are as follows:

  • allUsers — A special identifier that represents anyone on the internet; with or without a Google account.
  • allAuthenticatedUsers — A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • user:emailid — An email address that represents a specific account. For example, user:alice@gmail.com or user:joe@example.com.
  • serviceAccount:emailid — An email address that represents a service account. For example, serviceAccount:my-other-app@appspot.gserviceaccount.com.
  • group:emailid — An email address that represents a Google group. For example, group:admins@example.com.
  • domain:domain — A Google Apps domain name that represents all the users of that domain. For example, domain:google.com or domain:example.com.
  • projectOwner:projectid — Owners of the given project. For example, projectOwner:my-example-project
  • projectEditor:projectid — Editors of the given project. For example, projectEditor:my-example-project
  • projectViewer:projectid — Viewers of the given project. For example, projectViewer:my-example-project
Role string
The role to which members belong. Two types of roles are supported: new IAM roles, which grant permissions that do not map directly to those provided by ACLs, and legacy IAM roles, which do map directly to ACL permissions. All roles are of the format roles/storage.specificRole. The new IAM roles are:

  • roles/storage.admin — Full control of Google Cloud Storage resources.
  • roles/storage.objectViewer — Read-only access to Google Cloud Storage objects.
  • roles/storage.objectCreator — Access to create objects in Google Cloud Storage.
  • roles/storage.objectAdmin — Full control of Google Cloud Storage objects.

The legacy IAM roles are:

  • roles/storage.legacyObjectReader — Read-only access to objects without listing. Equivalent to an ACL entry on an object with the READER role.
  • roles/storage.legacyObjectOwner — Read/write access to existing objects without listing. Equivalent to an ACL entry on an object with the OWNER role.
  • roles/storage.legacyBucketReader — Read access to buckets with object listing. Equivalent to an ACL entry on a bucket with the READER role.
  • roles/storage.legacyBucketWriter — Read access to buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the WRITER role.
  • roles/storage.legacyBucketOwner — Read and write access to existing buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the OWNER role.
Condition Expr
The condition that is associated with this binding. NOTE: an unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
Members []string
A collection of identifiers for members who may assume the provided role. Recognized identifiers are as follows:

  • allUsers — A special identifier that represents anyone on the internet; with or without a Google account.
  • allAuthenticatedUsers — A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • user:emailid — An email address that represents a specific account. For example, user:alice@gmail.com or user:joe@example.com.
  • serviceAccount:emailid — An email address that represents a service account. For example, serviceAccount:my-other-app@appspot.gserviceaccount.com.
  • group:emailid — An email address that represents a Google group. For example, group:admins@example.com.
  • domain:domain — A Google Apps domain name that represents all the users of that domain. For example, domain:google.com or domain:example.com.
  • projectOwner:projectid — Owners of the given project. For example, projectOwner:my-example-project
  • projectEditor:projectid — Editors of the given project. For example, projectEditor:my-example-project
  • projectViewer:projectid — Viewers of the given project. For example, projectViewer:my-example-project
Role string
The role to which members belong. Two types of roles are supported: new IAM roles, which grant permissions that do not map directly to those provided by ACLs, and legacy IAM roles, which do map directly to ACL permissions. All roles are of the format roles/storage.specificRole. The new IAM roles are:

  • roles/storage.admin — Full control of Google Cloud Storage resources.
  • roles/storage.objectViewer — Read-only access to Google Cloud Storage objects.
  • roles/storage.objectCreator — Access to create objects in Google Cloud Storage.
  • roles/storage.objectAdmin — Full control of Google Cloud Storage objects.

The legacy IAM roles are:

  • roles/storage.legacyObjectReader — Read-only access to objects without listing. Equivalent to an ACL entry on an object with the READER role.
  • roles/storage.legacyObjectOwner — Read/write access to existing objects without listing. Equivalent to an ACL entry on an object with the OWNER role.
  • roles/storage.legacyBucketReader — Read access to buckets with object listing. Equivalent to an ACL entry on a bucket with the READER role.
  • roles/storage.legacyBucketWriter — Read access to buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the WRITER role.
  • roles/storage.legacyBucketOwner — Read and write access to existing buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the OWNER role.
condition Expr
The condition that is associated with this binding. NOTE: an unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
members List<String>
A collection of identifiers for members who may assume the provided role. Recognized identifiers are as follows:

  • allUsers — A special identifier that represents anyone on the internet; with or without a Google account.
  • allAuthenticatedUsers — A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • user:emailid — An email address that represents a specific account. For example, user:alice@gmail.com or user:joe@example.com.
  • serviceAccount:emailid — An email address that represents a service account. For example, serviceAccount:my-other-app@appspot.gserviceaccount.com.
  • group:emailid — An email address that represents a Google group. For example, group:admins@example.com.
  • domain:domain — A Google Apps domain name that represents all the users of that domain. For example, domain:google.com or domain:example.com.
  • projectOwner:projectid — Owners of the given project. For example, projectOwner:my-example-project
  • projectEditor:projectid — Editors of the given project. For example, projectEditor:my-example-project
  • projectViewer:projectid — Viewers of the given project. For example, projectViewer:my-example-project
role String
The role to which members belong. Two types of roles are supported: new IAM roles, which grant permissions that do not map directly to those provided by ACLs, and legacy IAM roles, which do map directly to ACL permissions. All roles are of the format roles/storage.specificRole. The new IAM roles are:

  • roles/storage.admin — Full control of Google Cloud Storage resources.
  • roles/storage.objectViewer — Read-only access to Google Cloud Storage objects.
  • roles/storage.objectCreator — Access to create objects in Google Cloud Storage.
  • roles/storage.objectAdmin — Full control of Google Cloud Storage objects.

The legacy IAM roles are:

  • roles/storage.legacyObjectReader — Read-only access to objects without listing. Equivalent to an ACL entry on an object with the READER role.
  • roles/storage.legacyObjectOwner — Read/write access to existing objects without listing. Equivalent to an ACL entry on an object with the OWNER role.
  • roles/storage.legacyBucketReader — Read access to buckets with object listing. Equivalent to an ACL entry on a bucket with the READER role.
  • roles/storage.legacyBucketWriter — Read access to buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the WRITER role.
  • roles/storage.legacyBucketOwner — Read and write access to existing buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the OWNER role.
condition Expr
The condition that is associated with this binding. NOTE: an unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
members string[]
A collection of identifiers for members who may assume the provided role. Recognized identifiers are as follows:

  • allUsers — A special identifier that represents anyone on the internet; with or without a Google account.
  • allAuthenticatedUsers — A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • user:emailid — An email address that represents a specific account. For example, user:alice@gmail.com or user:joe@example.com.
  • serviceAccount:emailid — An email address that represents a service account. For example, serviceAccount:my-other-app@appspot.gserviceaccount.com.
  • group:emailid — An email address that represents a Google group. For example, group:admins@example.com.
  • domain:domain — A Google Apps domain name that represents all the users of that domain. For example, domain:google.com or domain:example.com.
  • projectOwner:projectid — Owners of the given project. For example, projectOwner:my-example-project
  • projectEditor:projectid — Editors of the given project. For example, projectEditor:my-example-project
  • projectViewer:projectid — Viewers of the given project. For example, projectViewer:my-example-project
role string
The role to which members belong. Two types of roles are supported: new IAM roles, which grant permissions that do not map directly to those provided by ACLs, and legacy IAM roles, which do map directly to ACL permissions. All roles are of the format roles/storage.specificRole. The new IAM roles are:

  • roles/storage.admin — Full control of Google Cloud Storage resources.
  • roles/storage.objectViewer — Read-only access to Google Cloud Storage objects.
  • roles/storage.objectCreator — Access to create objects in Google Cloud Storage.
  • roles/storage.objectAdmin — Full control of Google Cloud Storage objects.

The legacy IAM roles are:

  • roles/storage.legacyObjectReader — Read-only access to objects without listing. Equivalent to an ACL entry on an object with the READER role.
  • roles/storage.legacyObjectOwner — Read/write access to existing objects without listing. Equivalent to an ACL entry on an object with the OWNER role.
  • roles/storage.legacyBucketReader — Read access to buckets with object listing. Equivalent to an ACL entry on a bucket with the READER role.
  • roles/storage.legacyBucketWriter — Read access to buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the WRITER role.
  • roles/storage.legacyBucketOwner — Read and write access to existing buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the OWNER role.
condition Expr
The condition that is associated with this binding. NOTE: an unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
members Sequence[str]
A collection of identifiers for members who may assume the provided role. Recognized identifiers are as follows:

  • allUsers — A special identifier that represents anyone on the internet; with or without a Google account.
  • allAuthenticatedUsers — A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • user:emailid — An email address that represents a specific account. For example, user:alice@gmail.com or user:joe@example.com.
  • serviceAccount:emailid — An email address that represents a service account. For example, serviceAccount:my-other-app@appspot.gserviceaccount.com.
  • group:emailid — An email address that represents a Google group. For example, group:admins@example.com.
  • domain:domain — A Google Apps domain name that represents all the users of that domain. For example, domain:google.com or domain:example.com.
  • projectOwner:projectid — Owners of the given project. For example, projectOwner:my-example-project
  • projectEditor:projectid — Editors of the given project. For example, projectEditor:my-example-project
  • projectViewer:projectid — Viewers of the given project. For example, projectViewer:my-example-project
role str
The role to which members belong. Two types of roles are supported: new IAM roles, which grant permissions that do not map directly to those provided by ACLs, and legacy IAM roles, which do map directly to ACL permissions. All roles are of the format roles/storage.specificRole. The new IAM roles are:

  • roles/storage.admin — Full control of Google Cloud Storage resources.
  • roles/storage.objectViewer — Read-only access to Google Cloud Storage objects.
  • roles/storage.objectCreator — Access to create objects in Google Cloud Storage.
  • roles/storage.objectAdmin — Full control of Google Cloud Storage objects.

The legacy IAM roles are:

  • roles/storage.legacyObjectReader — Read-only access to objects without listing. Equivalent to an ACL entry on an object with the READER role.
  • roles/storage.legacyObjectOwner — Read/write access to existing objects without listing. Equivalent to an ACL entry on an object with the OWNER role.
  • roles/storage.legacyBucketReader — Read access to buckets with object listing. Equivalent to an ACL entry on a bucket with the READER role.
  • roles/storage.legacyBucketWriter — Read access to buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the WRITER role.
  • roles/storage.legacyBucketOwner — Read and write access to existing buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the OWNER role.
condition Property Map
The condition that is associated with this binding. NOTE: an unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
members List<String>
A collection of identifiers for members who may assume the provided role. Recognized identifiers are as follows:

  • allUsers — A special identifier that represents anyone on the internet; with or without a Google account.
  • allAuthenticatedUsers — A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • user:emailid — An email address that represents a specific account. For example, user:alice@gmail.com or user:joe@example.com.
  • serviceAccount:emailid — An email address that represents a service account. For example, serviceAccount:my-other-app@appspot.gserviceaccount.com.
  • group:emailid — An email address that represents a Google group. For example, group:admins@example.com.
  • domain:domain — A Google Apps domain name that represents all the users of that domain. For example, domain:google.com or domain:example.com.
  • projectOwner:projectid — Owners of the given project. For example, projectOwner:my-example-project
  • projectEditor:projectid — Editors of the given project. For example, projectEditor:my-example-project
  • projectViewer:projectid — Viewers of the given project. For example, projectViewer:my-example-project
role String
The role to which members belong. Two types of roles are supported: new IAM roles, which grant permissions that do not map directly to those provided by ACLs, and legacy IAM roles, which do map directly to ACL permissions. All roles are of the format roles/storage.specificRole. The new IAM roles are:

  • roles/storage.admin — Full control of Google Cloud Storage resources.
  • roles/storage.objectViewer — Read-only access to Google Cloud Storage objects.
  • roles/storage.objectCreator — Access to create objects in Google Cloud Storage.
  • roles/storage.objectAdmin — Full control of Google Cloud Storage objects.

The legacy IAM roles are:

  • roles/storage.legacyObjectReader — Read-only access to objects without listing. Equivalent to an ACL entry on an object with the READER role.
  • roles/storage.legacyObjectOwner — Read/write access to existing objects without listing. Equivalent to an ACL entry on an object with the OWNER role.
  • roles/storage.legacyBucketReader — Read access to buckets with object listing. Equivalent to an ACL entry on a bucket with the READER role.
  • roles/storage.legacyBucketWriter — Read access to buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the WRITER role.
  • roles/storage.legacyBucketOwner — Read and write access to existing buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the OWNER role.
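A pre-deployment check over bindings in the dictionary shape the Python constructor example on this page uses, added here as an illustration and not part of Pulumi's SDK or Google's API. The member identifier forms and role names come from the lists above; the sample bindings, project name and service-account address are constructed placeholders; and the rule that conditions are only honoured at IAM policy format version 3 is a Google Cloud IAM requirement the page itself does not state. It also applies the note that bindings are examined independently: a condition on one binding does not narrow an unconditional grant of the same role to the same member in another binding.

```python
"""Lint BucketIamPolicy bindings before `pulumi up` (added example, not Pulumi's code)."""
import re
from typing import Any, Dict, List

# Member identifier forms from the BucketIamPolicyBindingsItem.members description.
_PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
_MEMBER_PREFIXES = ("user:", "serviceAccount:", "group:", "domain:",
                    "projectOwner:", "projectEditor:", "projectViewer:")

# Roles from the BucketIamPolicyBindingsItem.role description.
NEW_ROLES = {
    "roles/storage.admin", "roles/storage.objectViewer",
    "roles/storage.objectCreator", "roles/storage.objectAdmin",
}
LEGACY_ROLES = {
    "roles/storage.legacyObjectReader", "roles/storage.legacyObjectOwner",
    "roles/storage.legacyBucketReader", "roles/storage.legacyBucketWriter",
    "roles/storage.legacyBucketOwner",
}
# Roles that allow writes or full control; a public grant of these is rated HIGH.
_PRIVILEGED_ROLES = {
    "roles/storage.admin", "roles/storage.objectAdmin", "roles/storage.objectCreator",
    "roles/storage.legacyObjectOwner", "roles/storage.legacyBucketWriter",
    "roles/storage.legacyBucketOwner",
}
_ROLE_RE = re.compile(r"^roles/storage\.[A-Za-z]+$")  # "roles/storage.specificRole"


def member_is_valid(member: str) -> bool:
    """True if the member matches one of the identifier forms the page recognises."""
    if member in _PUBLIC_MEMBERS:
        return True
    return any(member.startswith(p) and len(member) > len(p) for p in _MEMBER_PREFIXES)


def lint_bindings(bindings: List[Dict[str, Any]], version: int = 1) -> List[str]:
    """Return findings for the given bindings; an empty list means every check passed."""
    findings: List[str] = []
    unconditional: Dict[str, set] = {}  # role -> members granted without a condition

    for i, b in enumerate(bindings):
        role = b.get("role", "")
        members = b.get("members", [])
        condition = b.get("condition")

        if not _ROLE_RE.match(role):
            findings.append(f"binding {i}: role {role!r} is not of the form roles/storage.specificRole")
        elif role not in NEW_ROLES | LEGACY_ROLES:
            findings.append(f"binding {i}: role {role!r} is not a role listed for this resource")
        elif role in LEGACY_ROLES:
            findings.append(f"binding {i}: {role} is a legacy ACL-equivalent role; prefer a new IAM role")

        for m in members:
            if not member_is_valid(m):
                findings.append(f"binding {i}: member {m!r} is not a recognised identifier")
            elif m in _PUBLIC_MEMBERS:
                sev = "HIGH" if role in _PRIVILEGED_ROLES else "MEDIUM"
                findings.append(f"binding {i}: [{sev}] {m} granted {role} (public access)")

        if condition is not None:
            # Conditions are only honoured at policy format version 3 (Google Cloud IAM
            # requirement; the page documents `version` but not this value).
            if version < 3:
                findings.append(f"binding {i}: has a condition but version is {version}; conditions need 3")
            if not condition.get("expression"):
                findings.append(f"binding {i}: condition has no expression")
        else:
            unconditional.setdefault(role, set()).update(members)

    # Bindings are examined independently: a condition on one binding does not
    # restrict an unconditional grant of the same role to the same member elsewhere.
    for i, b in enumerate(bindings):
        if b.get("condition") is None:
            continue
        role = b.get("role", "")
        shadowed = set(b.get("members", [])) & unconditional.get(role, set())
        for m in sorted(shadowed):
            findings.append(f"binding {i}: condition on {role} for {m} is ineffective; "
                            f"another binding grants the same role unconditionally")
    return findings


# Constructed sample bindings (placeholder project and addresses).
SAMPLE_BINDINGS = [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.objectAdmin",
     "members": ["serviceAccount:uploader@my-example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectAdmin",
     "members": ["serviceAccount:uploader@my-example-project.iam.gserviceaccount.com"],
     "condition": {"title": "business-hours", "expression": "request.time.getHours('UTC') < 18"}},
    {"role": "roles/storage.legacyBucketOwner", "members": ["domain:example.com"]},
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
]

if __name__ == "__main__":
    for line in lint_bindings(SAMPLE_BINDINGS, version=3):
        print(line)
```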

BucketIamPolicyBindingsItemResponse, BucketIamPolicyBindingsItemResponseArgs

Condition This property is required. Pulumi.GoogleNative.Storage.V1.Inputs.ExprResponse
The condition that is associated with this binding. NOTE: an unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
Members This property is required. List<string>
A collection of identifiers for members who may assume the provided role. Recognized identifiers are as follows:

  • allUsers — A special identifier that represents anyone on the internet, with or without a Google account.
  • allAuthenticatedUsers — A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • user:emailid — An email address that represents a specific account. For example, user:alice@gmail.com or user:joe@example.com.
  • serviceAccount:emailid — An email address that represents a service account. For example, serviceAccount:my-other-app@appspot.gserviceaccount.com.
  • group:emailid — An email address that represents a Google group. For example, group:admins@example.com.
  • domain:domain — A Google Apps domain name that represents all the users of that domain. For example, domain:google.com or domain:example.com.
  • projectOwner:projectid — Owners of the given project. For example, projectOwner:my-example-project
  • projectEditor:projectid — Editors of the given project. For example, projectEditor:my-example-project
  • projectViewer:projectid — Viewers of the given project. For example, projectViewer:my-example-project
Role This property is required. string
The role to which members belong. Two types of roles are supported: new IAM roles, which grant permissions that do not map directly to those provided by ACLs, and legacy IAM roles, which do map directly to ACL permissions. All roles are of the format roles/storage.specificRole. The new IAM roles are:

  • roles/storage.admin — Full control of Google Cloud Storage resources.
  • roles/storage.objectViewer — Read-only access to Google Cloud Storage objects.
  • roles/storage.objectCreator — Access to create objects in Google Cloud Storage.
  • roles/storage.objectAdmin — Full control of Google Cloud Storage objects.

The legacy IAM roles are:

  • roles/storage.legacyObjectReader — Read-only access to objects without listing. Equivalent to an ACL entry on an object with the READER role.
  • roles/storage.legacyObjectOwner — Read/write access to existing objects without listing. Equivalent to an ACL entry on an object with the OWNER role.
  • roles/storage.legacyBucketReader — Read access to buckets with object listing. Equivalent to an ACL entry on a bucket with the READER role.
  • roles/storage.legacyBucketWriter — Read access to buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the WRITER role.
  • roles/storage.legacyBucketOwner — Read and write access to existing buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the OWNER role.
Condition This property is required. ExprResponse
The condition that is associated with this binding. NOTE: an unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
Members This property is required. []string
A collection of identifiers for members who may assume the provided role. Recognized identifiers are as follows:

  • allUsers — A special identifier that represents anyone on the internet, with or without a Google account.
  • allAuthenticatedUsers — A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • user:emailid — An email address that represents a specific account. For example, user:alice@gmail.com or user:joe@example.com.
  • serviceAccount:emailid — An email address that represents a service account. For example, serviceAccount:my-other-app@appspot.gserviceaccount.com.
  • group:emailid — An email address that represents a Google group. For example, group:admins@example.com.
  • domain:domain — A Google Apps domain name that represents all the users of that domain. For example, domain:google.com or domain:example.com.
  • projectOwner:projectid — Owners of the given project. For example, projectOwner:my-example-project
  • projectEditor:projectid — Editors of the given project. For example, projectEditor:my-example-project
  • projectViewer:projectid — Viewers of the given project. For example, projectViewer:my-example-project
Role This property is required. string
The role to which members belong. Two types of roles are supported: new IAM roles, which grant permissions that do not map directly to those provided by ACLs, and legacy IAM roles, which do map directly to ACL permissions. All roles are of the format roles/storage.specificRole. The new IAM roles are:

  • roles/storage.admin — Full control of Google Cloud Storage resources.
  • roles/storage.objectViewer — Read-only access to Google Cloud Storage objects.
  • roles/storage.objectCreator — Access to create objects in Google Cloud Storage.
  • roles/storage.objectAdmin — Full control of Google Cloud Storage objects.

The legacy IAM roles are:

  • roles/storage.legacyObjectReader — Read-only access to objects without listing. Equivalent to an ACL entry on an object with the READER role.
  • roles/storage.legacyObjectOwner — Read/write access to existing objects without listing. Equivalent to an ACL entry on an object with the OWNER role.
  • roles/storage.legacyBucketReader — Read access to buckets with object listing. Equivalent to an ACL entry on a bucket with the READER role.
  • roles/storage.legacyBucketWriter — Read access to buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the WRITER role.
  • roles/storage.legacyBucketOwner — Read and write access to existing buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the OWNER role.
condition This property is required. ExprResponse
The condition that is associated with this binding. NOTE: an unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
members This property is required. List<String>
A collection of identifiers for members who may assume the provided role. Recognized identifiers are as follows:

  • allUsers — A special identifier that represents anyone on the internet, with or without a Google account.
  • allAuthenticatedUsers — A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • user:emailid — An email address that represents a specific account. For example, user:alice@gmail.com or user:joe@example.com.
  • serviceAccount:emailid — An email address that represents a service account. For example, serviceAccount:my-other-app@appspot.gserviceaccount.com.
  • group:emailid — An email address that represents a Google group. For example, group:admins@example.com.
  • domain:domain — A Google Apps domain name that represents all the users of that domain. For example, domain:google.com or domain:example.com.
  • projectOwner:projectid — Owners of the given project. For example, projectOwner:my-example-project
  • projectEditor:projectid — Editors of the given project. For example, projectEditor:my-example-project
  • projectViewer:projectid — Viewers of the given project. For example, projectViewer:my-example-project
role This property is required. String
The role to which members belong. Two types of roles are supported: new IAM roles, which grant permissions that do not map directly to those provided by ACLs, and legacy IAM roles, which do map directly to ACL permissions. All roles are of the format roles/storage.specificRole. The new IAM roles are:

  • roles/storage.admin — Full control of Google Cloud Storage resources.
  • roles/storage.objectViewer — Read-only access to Google Cloud Storage objects.
  • roles/storage.objectCreator — Access to create objects in Google Cloud Storage.
  • roles/storage.objectAdmin — Full control of Google Cloud Storage objects.

The legacy IAM roles are:

  • roles/storage.legacyObjectReader — Read-only access to objects without listing. Equivalent to an ACL entry on an object with the READER role.
  • roles/storage.legacyObjectOwner — Read/write access to existing objects without listing. Equivalent to an ACL entry on an object with the OWNER role.
  • roles/storage.legacyBucketReader — Read access to buckets with object listing. Equivalent to an ACL entry on a bucket with the READER role.
  • roles/storage.legacyBucketWriter — Read access to buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the WRITER role.
  • roles/storage.legacyBucketOwner — Read and write access to existing buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the OWNER role.
condition This property is required. ExprResponse
The condition that is associated with this binding. NOTE: an unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
members This property is required. string[]
A collection of identifiers for members who may assume the provided role. Recognized identifiers are as follows:

  • allUsers — A special identifier that represents anyone on the internet, with or without a Google account.
  • allAuthenticatedUsers — A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • user:emailid — An email address that represents a specific account. For example, user:alice@gmail.com or user:joe@example.com.
  • serviceAccount:emailid — An email address that represents a service account. For example, serviceAccount:my-other-app@appspot.gserviceaccount.com.
  • group:emailid — An email address that represents a Google group. For example, group:admins@example.com.
  • domain:domain — A Google Apps domain name that represents all the users of that domain. For example, domain:google.com or domain:example.com.
  • projectOwner:projectid — Owners of the given project. For example, projectOwner:my-example-project
  • projectEditor:projectid — Editors of the given project. For example, projectEditor:my-example-project
  • projectViewer:projectid — Viewers of the given project. For example, projectViewer:my-example-project
role This property is required. string
The role to which members belong. Two types of roles are supported: new IAM roles, which grant permissions that do not map directly to those provided by ACLs, and legacy IAM roles, which do map directly to ACL permissions. All roles are of the format roles/storage.specificRole. The new IAM roles are:

  • roles/storage.admin — Full control of Google Cloud Storage resources.
  • roles/storage.objectViewer — Read-only access to Google Cloud Storage objects.
  • roles/storage.objectCreator — Access to create objects in Google Cloud Storage.
  • roles/storage.objectAdmin — Full control of Google Cloud Storage objects.

The legacy IAM roles are:

  • roles/storage.legacyObjectReader — Read-only access to objects without listing. Equivalent to an ACL entry on an object with the READER role.
  • roles/storage.legacyObjectOwner — Read/write access to existing objects without listing. Equivalent to an ACL entry on an object with the OWNER role.
  • roles/storage.legacyBucketReader — Read access to buckets with object listing. Equivalent to an ACL entry on a bucket with the READER role.
  • roles/storage.legacyBucketWriter — Read access to buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the WRITER role.
  • roles/storage.legacyBucketOwner — Read and write access to existing buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the OWNER role.
condition This property is required. ExprResponse
The condition that is associated with this binding. NOTE: an unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
members This property is required. Sequence[str]
A collection of identifiers for members who may assume the provided role. Recognized identifiers are as follows:

  • allUsers — A special identifier that represents anyone on the internet, with or without a Google account.
  • allAuthenticatedUsers — A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • user:emailid — An email address that represents a specific account. For example, user:alice@gmail.com or user:joe@example.com.
  • serviceAccount:emailid — An email address that represents a service account. For example, serviceAccount:my-other-app@appspot.gserviceaccount.com.
  • group:emailid — An email address that represents a Google group. For example, group:admins@example.com.
  • domain:domain — A Google Apps domain name that represents all the users of that domain. For example, domain:google.com or domain:example.com.
  • projectOwner:projectid — Owners of the given project. For example, projectOwner:my-example-project
  • projectEditor:projectid — Editors of the given project. For example, projectEditor:my-example-project
  • projectViewer:projectid — Viewers of the given project. For example, projectViewer:my-example-project
role This property is required. str
The role to which members belong. Two types of roles are supported: new IAM roles, which grant permissions that do not map directly to those provided by ACLs, and legacy IAM roles, which do map directly to ACL permissions. All roles are of the format roles/storage.specificRole. The new IAM roles are:

  • roles/storage.admin — Full control of Google Cloud Storage resources.
  • roles/storage.objectViewer — Read-only access to Google Cloud Storage objects.
  • roles/storage.objectCreator — Access to create objects in Google Cloud Storage.
  • roles/storage.objectAdmin — Full control of Google Cloud Storage objects.

The legacy IAM roles are:

  • roles/storage.legacyObjectReader — Read-only access to objects without listing. Equivalent to an ACL entry on an object with the READER role.
  • roles/storage.legacyObjectOwner — Read/write access to existing objects without listing. Equivalent to an ACL entry on an object with the OWNER role.
  • roles/storage.legacyBucketReader — Read access to buckets with object listing. Equivalent to an ACL entry on a bucket with the READER role.
  • roles/storage.legacyBucketWriter — Read access to buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the WRITER role.
  • roles/storage.legacyBucketOwner — Read and write access to existing buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the OWNER role.
condition This property is required. Property Map
The condition that is associated with this binding. NOTE: an unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
members This property is required. List<String>
A collection of identifiers for members who may assume the provided role. Recognized identifiers are as follows:

  • allUsers — A special identifier that represents anyone on the internet, with or without a Google account.
  • allAuthenticatedUsers — A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • user:emailid — An email address that represents a specific account. For example, user:alice@gmail.com or user:joe@example.com.
  • serviceAccount:emailid — An email address that represents a service account. For example, serviceAccount:my-other-app@appspot.gserviceaccount.com.
  • group:emailid — An email address that represents a Google group. For example, group:admins@example.com.
  • domain:domain — A Google Apps domain name that represents all the users of that domain. For example, domain:google.com or domain:example.com.
  • projectOwner:projectid — Owners of the given project. For example, projectOwner:my-example-project
  • projectEditor:projectid — Editors of the given project. For example, projectEditor:my-example-project
  • projectViewer:projectid — Viewers of the given project. For example, projectViewer:my-example-project
role This property is required. String
The role to which members belong. Two types of roles are supported: new IAM roles, which grant permissions that do not map directly to those provided by ACLs, and legacy IAM roles, which do map directly to ACL permissions. All roles are of the format roles/storage.specificRole. The new IAM roles are:

  • roles/storage.admin — Full control of Google Cloud Storage resources.
  • roles/storage.objectViewer — Read-only access to Google Cloud Storage objects.
  • roles/storage.objectCreator — Access to create objects in Google Cloud Storage.
  • roles/storage.objectAdmin — Full control of Google Cloud Storage objects.

The legacy IAM roles are:

  • roles/storage.legacyObjectReader — Read-only access to objects without listing. Equivalent to an ACL entry on an object with the READER role.
  • roles/storage.legacyObjectOwner — Read/write access to existing objects without listing. Equivalent to an ACL entry on an object with the OWNER role.
  • roles/storage.legacyBucketReader — Read access to buckets with object listing. Equivalent to an ACL entry on a bucket with the READER role.
  • roles/storage.legacyBucketWriter — Read access to buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the WRITER role.
  • roles/storage.legacyBucketOwner — Read and write access to existing buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the OWNER role.

Expr, ExprArgs

Description string
An optional description of the expression. This is a longer text that describes the expression, e.g. when it is hovered over in a UI.
Expression string
Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.
Location string
An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
Title string
An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs that allow the expression to be entered.
Description string
An optional description of the expression. This is a longer text that describes the expression, e.g. when it is hovered over in a UI.
Expression string
Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.
Location string
An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
Title string
An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs that allow the expression to be entered.
description String
An optional description of the expression. This is a longer text that describes the expression, e.g. when it is hovered over in a UI.
expression String
Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.
location String
An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
title String
An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs that allow the expression to be entered.
description string
An optional description of the expression. This is a longer text that describes the expression, e.g. when it is hovered over in a UI.
expression string
Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.
location string
An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
title string
An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs that allow the expression to be entered.
description str
An optional description of the expression. This is a longer text that describes the expression, e.g. when it is hovered over in a UI.
expression str
Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.
location str
An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
title str
An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs that allow the expression to be entered.
description String
An optional description of the expression. This is a longer text that describes the expression, e.g. when it is hovered over in a UI.
expression String
Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.
location String
An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
title String
An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs that allow the expression to be entered.

ExprResponse, ExprResponseArgs

Description This property is required. string
An optional description of the expression. This is a longer text that describes the expression, e.g. when it is hovered over in a UI.
Expression This property is required. string
Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.
Location This property is required. string
An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
Title This property is required. string
An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs that allow the expression to be entered.
Description This property is required. string
An optional description of the expression. This is a longer text that describes the expression, e.g. when it is hovered over in a UI.
Expression This property is required. string
Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.
Location This property is required. string
An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
Title This property is required. string
An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs that allow the expression to be entered.
description This property is required. String
An optional description of the expression. This is a longer text that describes the expression, e.g. when it is hovered over in a UI.
expression This property is required. String
Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.
location This property is required. String
An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
title This property is required. String
An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs that allow the expression to be entered.
description This property is required. string
An optional description of the expression. This is a longer text that describes the expression, e.g. when it is hovered over in a UI.
expression This property is required. string
Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.
location This property is required. string
An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
title This property is required. string
An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs that allow the expression to be entered.
description This property is required. str
An optional description of the expression. This is a longer text that describes the expression, e.g. when it is hovered over in a UI.
expression This property is required. str
Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.
location This property is required. str
An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
title This property is required. str
An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs that allow the expression to be entered.
description This property is required. String
An optional description of the expression. This is a longer text that describes the expression, e.g. when it is hovered over in a UI.
expression This property is required. String
Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.
location This property is required. String
An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
title This property is required. String
An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs that allow the expression to be entered.
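The binding fields above (role, members, condition) and the Expr fields (title, description, expression) together make up the policy document this resource writes. As an added example that is not Pulumi's or Google's code, here is a small Python audit over such a document: it flags public members (allUsers, allAuthenticatedUsers), legacy ACL-equivalent roles and conditional bindings whose policy version is below 3 (Google IAM only honours conditions at version 3), and it shows the "bindings are examined independently" rule by separating a member's unconditional roles from those gated by a CEL condition. The sample policy, bucket name and severity labels are constructed for illustration.

```python
"""Audit a GCS bucket IAM policy document (version, bindings with role,
members and optional CEL condition). Added example, not Pulumi/Google code."""
from __future__ import annotations

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
LEGACY_PREFIX = "roles/storage.legacy"
# Roles from the listing above that permit creating, changing or deleting data.
WRITE_ROLES = {
    "roles/storage.admin", "roles/storage.objectCreator", "roles/storage.objectAdmin",
    "roles/storage.legacyObjectOwner", "roles/storage.legacyBucketWriter",
    "roles/storage.legacyBucketOwner",
}
CONDITION_MIN_VERSION = 3  # Google IAM requires version 3 for conditional bindings

# Constructed sample policy for a hypothetical bucket; not real data.
SAMPLE_POLICY = {
    "kind": "storage#policy",
    "resourceId": "projects/_/buckets/example-bucket",
    "version": 1,
    "etag": "CAE=",
    "bindings": [
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:my-other-app@appspot.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.legacyBucketWriter", "members": ["group:admins@example.com"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["user:alice@example.com"],
         "condition": {"title": "temporary", "description": "Migration window",
                       "expression": 'request.time < timestamp("2024-01-31T00:00:00Z")'}},
    ],
}


def audit_policy(policy: dict) -> list[str]:
    """Return one human-readable finding per issue, in binding order."""
    findings: list[str] = []
    version = policy.get("version", 1)
    for i, binding in enumerate(policy.get("bindings", [])):
        role = binding.get("role", "")
        cond = binding.get("condition")
        where = f"binding[{i}] {role}"
        access = "write" if role in WRITE_ROLES else "read"
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                sev = "HIGH" if access == "write" else "MEDIUM"
                findings.append(f"{sev}: {where} grants {member} {access} access to the bucket")
        if role.startswith(LEGACY_PREFIX):
            findings.append(f"LOW: {where} is a legacy ACL-equivalent role; prefer the new IAM roles")
        if cond is not None:
            if version < CONDITION_MIN_VERSION:
                findings.append(f"HIGH: {where} has a condition but policy version is {version}; "
                                f"conditions require version {CONDITION_MIN_VERSION}")
            if not cond.get("expression"):
                findings.append(f"HIGH: {where} has a condition with an empty expression")
    return findings


def _binding_covers(members: list[str], member: str) -> bool:
    """allUsers covers any requester, allAuthenticatedUsers covers any signed-in
    account; otherwise the identifier must match exactly. Pass member="allUsers"
    to model an anonymous requester."""
    if "allUsers" in members or member in members:
        return True
    return "allAuthenticatedUsers" in members and member != "allUsers"


def roles_for_member(policy: dict, member: str) -> tuple[set[str], dict[str, str]]:
    """Examine each binding independently and return (unconditional roles,
    conditional roles -> condition title). A conditional role is not access
    until its CEL expression evaluates true at request time."""
    unconditional: set[str] = set()
    conditional: dict[str, str] = {}
    for binding in policy.get("bindings", []):
        if not _binding_covers(binding.get("members", []), member):
            continue
        cond = binding.get("condition")
        if cond is None:
            unconditional.add(binding["role"])
        else:
            conditional[binding["role"]] = cond.get("title", "")
    # A role held unconditionally is not also reported as merely conditional.
    conditional = {r: t for r, t in conditional.items() if r not in unconditional}
    return unconditional, conditional


if __name__ == "__main__":
    for line in audit_policy(SAMPLE_POLICY):
        print(line)
    print(roles_for_member(SAMPLE_POLICY, "user:alice@example.com"))
```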

Package Details

Repository
Google Cloud Native pulumi/pulumi-google-native
License
Apache-2.0
