
    Represents an IAM v3 Access Policy parented by a Project. Each rule in the policy allows or denies a set of permissions to a set of principals within the specified project, optionally narrowed by conditions. Because an ALLOW rule extends what a principal can do in the project, treat changes to this resource as privileged changes and review them the way you would review IAM policy bindings. See the Cloud IAM documentation for more details on Access Policies.

    Warning: This resource is in beta. It is backed by the upstream google-beta provider, so its schema and behavior may change between releases; pin the provider version you validated against. See Provider Versions for more details on beta resources.

    To get more information about ProjectAccessPolicy, see the Cloud IAM documentation on Access Policies (the reference links were not captured on this page).

    Example Usage

    Access Policy Project Minimal

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    import * as time from "@pulumiverse/time";
    
    // Minimal IAM v3 Access Policy: one ALLOW rule granting one permission to one
    // service account at project scope. Treat this file like an IAM binding change.
    //
    // NOTE(review): the trailing "-" on "ap-project-", "svc-acc-" and
    // "my-project-policy-" looks like a stripped random suffix from the upstream
    // test fixture; substitute real IDs before deploying (a GCP project ID cannot
    // end with a hyphen). orgId and billingAccount are placeholders too.
    const project = new gcp.organizations.Project("project", {
        projectId: "ap-project-",
        name: "ap-project-",
        orgId: "123456789",
        billingAccount: "000000-0000000-0000000-000000",
        // Disposable example project; review before reusing this in a real org.
        deletionPolicy: "DELETE",
    });
    // Enable the IAM API in the new project. disableOnDestroy: false keeps the
    // API enabled when this stack is torn down, so nothing else in the project
    // loses IAM because an example was destroyed.
    const iamApi = new gcp.projects.Service("iam_api", {
        project: project.projectId,
        service: "iam.googleapis.com",
        disableOnDestroy: false,
    });
    // New projects and newly enabled APIs take a moment to propagate; this fixed
    // 30s wait reduces (but does not eliminate) eventual-consistency failures in
    // the resources that depend on it.
    const waitForProjectPropagation = new time.Sleep("wait_for_project_propagation", {createDuration: "30s"}, {
        dependsOn: [iamApi],
    });
    // The principal that the policy grants access to.
    const testSa = new gcp.serviceaccount.Account("test_sa", {
        accountId: "svc-acc-",
        displayName: "Test Service Account for Access Policy",
        project: project.projectId,
    }, {
        dependsOn: [waitForProjectPropagation],
    });
    // The access policy. Only effect, principals and operation.permissions are
    // set: a single ALLOW rule for eventarc.googleapis.com/messageBuses.publish.
    // The principal uses the principal://iam.googleapis.com/projects/-/serviceAccounts/<email>
    // form (the "-" project segment is the usual wildcard for service-account
    // principal identifiers). No conditions are set, so the grant is not narrowed
    // beyond the project; add conditions (see the constructor reference below)
    // to scope it. deletionPolicy is not set and therefore defaults to DELETE.
    const example = new gcp.iam.ProjectAccessPolicy("example", {
        project: project.projectId,
        location: "global",
        accessPolicyId: "my-project-policy-",
        details: {
            rules: [{
                effect: "ALLOW",
                principals: [pulumi.interpolate`principal://iam.googleapis.com/projects/-/serviceAccounts/${testSa.email}`],
                operation: {
                    permissions: ["eventarc.googleapis.com/messageBuses.publish"],
                },
            }],
        },
    }, {
        dependsOn: [
            waitForProjectPropagation,
            testSa,
        ],
    });
    
    import pulumi
    import pulumi_gcp as gcp
    import pulumiverse_time as time
    
    # Minimal IAM v3 Access Policy: one ALLOW rule granting one permission to one
    # service account at project scope. Treat this file like an IAM binding change.
    #
    # NOTE(review): the trailing "-" on "ap-project-", "svc-acc-" and
    # "my-project-policy-" looks like a stripped random suffix from the upstream
    # test fixture; substitute real IDs before deploying (a GCP project ID cannot
    # end with a hyphen). org_id and billing_account are placeholders too.
    project = gcp.organizations.Project("project",
        project_id="ap-project-",
        name="ap-project-",
        org_id="123456789",
        billing_account="000000-0000000-0000000-000000",
        # Disposable example project; review before reusing this in a real org.
        deletion_policy="DELETE")
    # Enable the IAM API in the new project. disable_on_destroy=False keeps the
    # API enabled when this stack is torn down, so nothing else in the project
    # loses IAM because an example was destroyed.
    iam_api = gcp.projects.Service("iam_api",
        project=project.project_id,
        service="iam.googleapis.com",
        disable_on_destroy=False)
    # New projects and newly enabled APIs take a moment to propagate; this fixed
    # 30s wait reduces (but does not eliminate) eventual-consistency failures in
    # the resources that depend on it.
    wait_for_project_propagation = time.Sleep("wait_for_project_propagation", create_duration="30s",
    opts = pulumi.ResourceOptions(depends_on=[iam_api]))
    # The principal that the policy grants access to.
    test_sa = gcp.serviceaccount.Account("test_sa",
        account_id="svc-acc-",
        display_name="Test Service Account for Access Policy",
        project=project.project_id,
        opts = pulumi.ResourceOptions(depends_on=[wait_for_project_propagation]))
    # The access policy. Only effect, principals and operation.permissions are
    # set: a single ALLOW rule for eventarc.googleapis.com/messageBuses.publish.
    # The principal uses the principal://iam.googleapis.com/projects/-/serviceAccounts/<email>
    # form (the "-" project segment is the usual wildcard for service-account
    # principal identifiers). No conditions are set, so the grant is not narrowed
    # beyond the project; add conditions (see the constructor reference below)
    # to scope it. deletion_policy is not set and therefore defaults to DELETE.
    example = gcp.iam.ProjectAccessPolicy("example",
        project=project.project_id,
        location="global",
        access_policy_id="my-project-policy-",
        details={
            "rules": [{
                "effect": "ALLOW",
                "principals": [test_sa.email.apply(lambda email: f"principal://iam.googleapis.com/projects/-/serviceAccounts/{email}")],
                "operation": {
                    "permissions": ["eventarc.googleapis.com/messageBuses.publish"],
                },
            }],
        },
        opts = pulumi.ResourceOptions(depends_on=[
                wait_for_project_propagation,
                test_sa,
            ]))
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iam"
    	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
    	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/projects"
    	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/serviceaccount"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    	"github.com/pulumiverse/pulumi-time/sdk/go/time"
    )
    
    // main declares a minimal IAM v3 Access Policy: one ALLOW rule granting one
    // permission to one service account at project scope. Treat this program
    // like an IAM binding change.
    //
    // NOTE(review): the trailing "-" on "ap-project-", "svc-acc-" and
    // "my-project-policy-" looks like a stripped random suffix from the upstream
    // test fixture; substitute real IDs before deploying (a GCP project ID cannot
    // end with a hyphen). OrgId and BillingAccount are placeholders too.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Disposable example project (DeletionPolicy "DELETE"); review before
    		// reusing this in a real org.
    		project, err := organizations.NewProject(ctx, "project", &organizations.ProjectArgs{
    			ProjectId:      pulumi.String("ap-project-"),
    			Name:           pulumi.String("ap-project-"),
    			OrgId:          pulumi.String("123456789"),
    			BillingAccount: pulumi.String("000000-0000000-0000000-000000"),
    			DeletionPolicy: pulumi.String("DELETE"),
    		})
    		if err != nil {
    			return err
    		}
    		// Enable the IAM API in the new project. DisableOnDestroy false keeps
    		// the API enabled when this stack is torn down, so nothing else in the
    		// project loses IAM because an example was destroyed.
    		iamApi, err := projects.NewService(ctx, "iam_api", &projects.ServiceArgs{
    			Project:          project.ProjectId,
    			Service:          pulumi.String("iam.googleapis.com"),
    			DisableOnDestroy: pulumi.Bool(false),
    		})
    		if err != nil {
    			return err
    		}
    		// New projects and newly enabled APIs take a moment to propagate; this
    		// fixed 30s wait reduces (but does not eliminate) eventual-consistency
    		// failures in the resources that depend on it.
    		waitForProjectPropagation, err := time.NewSleep(ctx, "wait_for_project_propagation", &time.SleepArgs{
    			CreateDuration: pulumi.String("30s"),
    		}, pulumi.DependsOn([]pulumi.Resource{
    			iamApi,
    		}))
    		if err != nil {
    			return err
    		}
    		// The principal that the policy grants access to.
    		testSa, err := serviceaccount.NewAccount(ctx, "test_sa", &serviceaccount.AccountArgs{
    			AccountId:   pulumi.String("svc-acc-"),
    			DisplayName: pulumi.String("Test Service Account for Access Policy"),
    			Project:     project.ProjectId,
    		}, pulumi.DependsOn([]pulumi.Resource{
    			waitForProjectPropagation,
    		}))
    		if err != nil {
    			return err
    		}
    		// The access policy. Only Effect, Principals and Operation.Permissions
    		// are set: a single ALLOW rule for
    		// eventarc.googleapis.com/messageBuses.publish. The principal uses the
    		// principal://iam.googleapis.com/projects/-/serviceAccounts/<email> form
    		// (the "-" project segment is the usual wildcard for service-account
    		// principal identifiers). No Conditions are set, so the grant is not
    		// narrowed beyond the project; add Conditions (see the constructor
    		// reference below) to scope it. DeletionPolicy is not set and therefore
    		// defaults to DELETE.
    		_, err = iam.NewProjectAccessPolicy(ctx, "example", &iam.ProjectAccessPolicyArgs{
    			Project:        project.ProjectId,
    			Location:       pulumi.String("global"),
    			AccessPolicyId: pulumi.String("my-project-policy-"),
    			Details: &iam.ProjectAccessPolicyDetailsArgs{
    				Rules: iam.ProjectAccessPolicyDetailsRuleArray{
    					&iam.ProjectAccessPolicyDetailsRuleArgs{
    						Effect: pulumi.String("ALLOW"),
    						Principals: pulumi.StringArray{
    							testSa.Email.ApplyT(func(email string) (string, error) {
    								return fmt.Sprintf("principal://iam.googleapis.com/projects/-/serviceAccounts/%v", email), nil
    							}).(pulumi.StringOutput),
    						},
    						Operation: &iam.ProjectAccessPolicyDetailsRuleOperationArgs{
    							Permissions: pulumi.StringArray{
    								pulumi.String("eventarc.googleapis.com/messageBuses.publish"),
    							},
    						},
    					},
    				},
    			},
    		}, pulumi.DependsOn([]pulumi.Resource{
    			waitForProjectPropagation,
    			testSa,
    		}))
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    using Time = Pulumiverse.Time;
    
    // Minimal IAM v3 Access Policy: one ALLOW rule granting one permission to one
    // service account at project scope. Treat this program like an IAM binding change.
    //
    // NOTE(review): the trailing "-" on "ap-project-", "svc-acc-" and
    // "my-project-policy-" looks like a stripped random suffix from the upstream
    // test fixture; substitute real IDs before deploying (a GCP project ID cannot
    // end with a hyphen). OrgId and BillingAccount are placeholders too.
    return await Deployment.RunAsync(() => 
    {
        // Disposable example project (DeletionPolicy "DELETE"); review before
        // reusing this in a real org.
        var project = new Gcp.Organizations.Project("project", new()
        {
            ProjectId = "ap-project-",
            Name = "ap-project-",
            OrgId = "123456789",
            BillingAccount = "000000-0000000-0000000-000000",
            DeletionPolicy = "DELETE",
        });
    
        // Enable the IAM API in the new project. DisableOnDestroy = false keeps
        // the API enabled when this stack is torn down, so nothing else in the
        // project loses IAM because an example was destroyed.
        var iamApi = new Gcp.Projects.Service("iam_api", new()
        {
            Project = project.ProjectId,
            ServiceName = "iam.googleapis.com",
            DisableOnDestroy = false,
        });
    
        // New projects and newly enabled APIs take a moment to propagate; this
        // fixed 30s wait reduces (but does not eliminate) eventual-consistency
        // failures in the resources that depend on it.
        var waitForProjectPropagation = new Time.Sleep("wait_for_project_propagation", new()
        {
            CreateDuration = "30s",
        }, new CustomResourceOptions
        {
            DependsOn =
            {
                iamApi,
            },
        });
    
        // The principal that the policy grants access to.
        var testSa = new Gcp.ServiceAccount.Account("test_sa", new()
        {
            AccountId = "svc-acc-",
            DisplayName = "Test Service Account for Access Policy",
            Project = project.ProjectId,
        }, new CustomResourceOptions
        {
            DependsOn =
            {
                waitForProjectPropagation,
            },
        });
    
        // The access policy. Only Effect, Principals and Operation.Permissions are
        // set: a single ALLOW rule for eventarc.googleapis.com/messageBuses.publish.
        // The principal uses the principal://iam.googleapis.com/projects/-/serviceAccounts/<email>
        // form (the "-" project segment is the usual wildcard for service-account
        // principal identifiers). No Conditions are set, so the grant is not
        // narrowed beyond the project; add Conditions (see the constructor
        // reference below) to scope it. DeletionPolicy is not set and therefore
        // defaults to DELETE.
        var example = new Gcp.Iam.ProjectAccessPolicy("example", new()
        {
            Project = project.ProjectId,
            Location = "global",
            AccessPolicyId = "my-project-policy-",
            Details = new Gcp.Iam.Inputs.ProjectAccessPolicyDetailsArgs
            {
                Rules = new[]
                {
                    new Gcp.Iam.Inputs.ProjectAccessPolicyDetailsRuleArgs
                    {
                        Effect = "ALLOW",
                        Principals = new[]
                        {
                            testSa.Email.Apply(email => $"principal://iam.googleapis.com/projects/-/serviceAccounts/{email}"),
                        },
                        Operation = new Gcp.Iam.Inputs.ProjectAccessPolicyDetailsRuleOperationArgs
                        {
                            Permissions = new[]
                            {
                                "eventarc.googleapis.com/messageBuses.publish",
                            },
                        },
                    },
                },
            },
        }, new CustomResourceOptions
        {
            DependsOn =
            {
                waitForProjectPropagation,
                testSa,
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.organizations.Project;
    import com.pulumi.gcp.organizations.ProjectArgs;
    import com.pulumi.gcp.projects.Service;
    import com.pulumi.gcp.projects.ServiceArgs;
    import com.pulumiverse.time.Sleep;
    import com.pulumiverse.time.SleepArgs;
    import com.pulumi.gcp.serviceaccount.Account;
    import com.pulumi.gcp.serviceaccount.AccountArgs;
    import com.pulumi.gcp.iam.ProjectAccessPolicy;
    import com.pulumi.gcp.iam.ProjectAccessPolicyArgs;
    import com.pulumi.gcp.iam.inputs.ProjectAccessPolicyDetailsArgs;
    import com.pulumi.gcp.iam.inputs.ProjectAccessPolicyDetailsRuleArgs;
    import com.pulumi.gcp.iam.inputs.ProjectAccessPolicyDetailsRuleOperationArgs;
    import com.pulumi.resources.CustomResourceOptions;
    import java.util.ArrayList;
    import java.util.Arrays;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /**
     * Minimal IAM v3 Access Policy: one ALLOW rule granting one permission to one
     * service account at project scope. Treat this program like an IAM binding change.
     *
     * NOTE(review): the trailing "-" on "ap-project-", "svc-acc-" and
     * "my-project-policy-" looks like a stripped random suffix from the upstream
     * test fixture; substitute real IDs before deploying (a GCP project ID cannot
     * end with a hyphen). orgId and billingAccount are placeholders too.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        /** Declares the project, the IAM API enablement, the service account and the access policy. */
        public static void stack(Context ctx) {
            // Disposable example project (deletionPolicy "DELETE"); review before
            // reusing this in a real org.
            var project = new Project("project", ProjectArgs.builder()
                .projectId("ap-project-")
                .name("ap-project-")
                .orgId("123456789")
                .billingAccount("000000-0000000-0000000-000000")
                .deletionPolicy("DELETE")
                .build());
    
            // Enable the IAM API in the new project. disableOnDestroy(false) keeps
            // the API enabled when this stack is torn down, so nothing else in the
            // project loses IAM because an example was destroyed.
            var iamApi = new Service("iamApi", ServiceArgs.builder()
                .project(project.projectId())
                .service("iam.googleapis.com")
                .disableOnDestroy(false)
                .build());
    
            // New projects and newly enabled APIs take a moment to propagate; this
            // fixed 30s wait reduces (but does not eliminate) eventual-consistency
            // failures in the resources that depend on it.
            var waitForProjectPropagation = new Sleep("waitForProjectPropagation", SleepArgs.builder()
                .createDuration("30s")
                .build(), CustomResourceOptions.builder()
                    .dependsOn(iamApi)
                    .build());
    
            // The principal that the policy grants access to.
            var testSa = new Account("testSa", AccountArgs.builder()
                .accountId("svc-acc-")
                .displayName("Test Service Account for Access Policy")
                .project(project.projectId())
                .build(), CustomResourceOptions.builder()
                    .dependsOn(waitForProjectPropagation)
                    .build());
    
            // The access policy. Only effect, principals and operation.permissions
            // are set: a single ALLOW rule for
            // eventarc.googleapis.com/messageBuses.publish. The principal uses the
            // principal://iam.googleapis.com/projects/-/serviceAccounts/<email> form
            // (the "-" project segment is the usual wildcard for service-account
            // principal identifiers). No conditions are set, so the grant is not
            // narrowed beyond the project; add conditions (see the constructor
            // reference below) to scope it. deletionPolicy is not set and therefore
            // defaults to DELETE.
            var example = new ProjectAccessPolicy("example", ProjectAccessPolicyArgs.builder()
                .project(project.projectId())
                .location("global")
                .accessPolicyId("my-project-policy-")
                .details(ProjectAccessPolicyDetailsArgs.builder()
                    .rules(ProjectAccessPolicyDetailsRuleArgs.builder()
                        .effect("ALLOW")
                        .principals(testSa.email().applyValue(_email -> String.format("principal://iam.googleapis.com/projects/-/serviceAccounts/%s", _email)))
                        .operation(ProjectAccessPolicyDetailsRuleOperationArgs.builder()
                            .permissions("eventarc.googleapis.com/messageBuses.publish")
                            .build())
                        .build())
                    .build())
                .build(), CustomResourceOptions.builder()
                    .dependsOn(                
                        waitForProjectPropagation,
                        testSa)
                    .build());
    
        }
    }
    
    # Minimal IAM v3 Access Policy: one ALLOW rule granting one permission to one
    # service account at project scope. Treat this file like an IAM binding change.
    #
    # NOTE(review): the trailing "-" on "ap-project-", "svc-acc-" and
    # "my-project-policy-" looks like a stripped random suffix from the upstream
    # test fixture; substitute real IDs before deploying (a GCP project ID cannot
    # end with a hyphen). orgId and billingAccount are placeholders too.
    resources:
      # Disposable example project (deletionPolicy DELETE); review before reusing
      # this in a real org.
      project:
        type: gcp:organizations:Project
        properties:
          projectId: ap-project-
          name: ap-project-
          orgId: '123456789'
          billingAccount: 000000-0000000-0000000-000000
          deletionPolicy: DELETE
      # Enable the IAM API in the new project. disableOnDestroy: false keeps the
      # API enabled when this stack is torn down, so nothing else in the project
      # loses IAM because an example was destroyed.
      iamApi:
        type: gcp:projects:Service
        name: iam_api
        properties:
          project: ${project.projectId}
          service: iam.googleapis.com
          disableOnDestroy: false
      # New projects and newly enabled APIs take a moment to propagate; this fixed
      # 30s wait reduces (but does not eliminate) eventual-consistency failures in
      # the resources that depend on it.
      waitForProjectPropagation:
        type: time:Sleep
        name: wait_for_project_propagation
        properties:
          createDuration: 30s
        options:
          dependsOn:
            - ${iamApi}
      # The principal that the policy grants access to.
      testSa:
        type: gcp:serviceaccount:Account
        name: test_sa
        properties:
          accountId: svc-acc-
          displayName: Test Service Account for Access Policy
          project: ${project.projectId}
        options:
          dependsOn:
            - ${waitForProjectPropagation}
      # The access policy. Only effect, principals and operation.permissions are
      # set: a single ALLOW rule for eventarc.googleapis.com/messageBuses.publish.
      # The principal uses the principal://iam.googleapis.com/projects/-/serviceAccounts/<email>
      # form (the "-" project segment is the usual wildcard for service-account
      # principal identifiers). No conditions are set, so the grant is not narrowed
      # beyond the project; add conditions (see the constructor reference below)
      # to scope it. deletionPolicy is not set and therefore defaults to DELETE.
      example:
        type: gcp:iam:ProjectAccessPolicy
        properties:
          project: ${project.projectId}
          location: global
          accessPolicyId: my-project-policy-
          details:
            rules:
              - effect: ALLOW
                principals:
                  - principal://iam.googleapis.com/projects/-/serviceAccounts/${testSa.email}
                operation:
                  permissions:
                    - eventarc.googleapis.com/messageBuses.publish
        options:
          dependsOn:
            - ${waitForProjectPropagation}
            - ${testSa}
    
    pulumi {
      required_providers {
        gcp = {
          source = "pulumi/gcp"
        }
        time = {
          source = "pulumi/time"
        }
      }
    }
    
    # Minimal IAM v3 Access Policy: one ALLOW rule granting one permission to one
    # service account at project scope. Treat this file like an IAM binding change.
    #
    # NOTE(review): the trailing "-" on "ap-project-", "svc-acc-" and
    # "my-project-policy-" looks like a stripped random suffix from the upstream
    # test fixture; substitute real IDs before deploying (a GCP project ID cannot
    # end with a hyphen). org_id and billing_account are placeholders too.
    #
    # Disposable example project (deletion_policy "DELETE"); review before reusing
    # this in a real org.
    resource "gcp_organizations_project" "project" {
      project_id      = "ap-project-"
      name            = "ap-project-"
      org_id          = "123456789"
      billing_account = "000000-0000000-0000000-000000"
      deletion_policy = "DELETE"
    }
    # Enable the IAM API in the new project. disable_on_destroy = false keeps the
    # API enabled when this stack is torn down, so nothing else in the project
    # loses IAM because an example was destroyed.
    resource "gcp_projects_service" "iam_api" {
      project            = gcp_organizations_project.project.project_id
      service            = "iam.googleapis.com"
      disable_on_destroy = false
    }
    # New projects and newly enabled APIs take a moment to propagate; this fixed
    # 30s wait reduces (but does not eliminate) eventual-consistency failures in
    # the resources that depend on it.
    resource "time_sleep" "wait_for_project_propagation" {
      depends_on      = [gcp_projects_service.iam_api]
      create_duration = "30s"
    }
    # The principal that the policy grants access to.
    resource "gcp_serviceaccount_account" "test_sa" {
      depends_on   = [time_sleep.wait_for_project_propagation]
      account_id   = "svc-acc-"
      display_name = "Test Service Account for Access Policy"
      project      = gcp_organizations_project.project.project_id
    }
    # The access policy. Only effect, principals and operation.permissions are
    # set: a single ALLOW rule for eventarc.googleapis.com/messageBuses.publish.
    # The principal uses the principal://iam.googleapis.com/projects/-/serviceAccounts/<email>
    # form (the "-" project segment is the usual wildcard for service-account
    # principal identifiers). No conditions are set, so the grant is not narrowed
    # beyond the project; add conditions (see the constructor reference below)
    # to scope it. deletion_policy is not set and therefore defaults to DELETE.
    resource "gcp_iam_projectaccesspolicy" "example" {
      depends_on       = [time_sleep.wait_for_project_propagation, gcp_serviceaccount_account.test_sa]
      project          = gcp_organizations_project.project.project_id
      location         = "global"
      access_policy_id = "my-project-policy-"
      details = {
        rules = [{
          "effect"     = "ALLOW"
          "principals" = ["principal://iam.googleapis.com/projects/-/serviceAccounts/${gcp_serviceaccount_account.test_sa.email}"]
          "operation" = {
            "permissions" = ["eventarc.googleapis.com/messageBuses.publish"]
          }
        }]
      }
    }
    

    Create ProjectAccessPolicy Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new ProjectAccessPolicy(name: string, args: ProjectAccessPolicyArgs, opts?: CustomResourceOptions);
    @overload
    def ProjectAccessPolicy(resource_name: str,
                            args: ProjectAccessPolicyArgs,
                            opts: Optional[ResourceOptions] = None)
    
    @overload
    def ProjectAccessPolicy(resource_name: str,
                            opts: Optional[ResourceOptions] = None,
                            access_policy_id: Optional[str] = None,
                            location: Optional[str] = None,
                            annotations: Optional[Mapping[str, str]] = None,
                            deletion_policy: Optional[str] = None,
                            details: Optional[ProjectAccessPolicyDetailsArgs] = None,
                            display_name: Optional[str] = None,
                            project: Optional[str] = None)
    func NewProjectAccessPolicy(ctx *Context, name string, args ProjectAccessPolicyArgs, opts ...ResourceOption) (*ProjectAccessPolicy, error)
    public ProjectAccessPolicy(string name, ProjectAccessPolicyArgs args, CustomResourceOptions? opts = null)
    public ProjectAccessPolicy(String name, ProjectAccessPolicyArgs args)
    public ProjectAccessPolicy(String name, ProjectAccessPolicyArgs args, CustomResourceOptions options)
    
    type: gcp:iam:ProjectAccessPolicy
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    resource "gcp_iam_projectaccesspolicy" "name" {
        # resource properties
    }

    Parameters

    name string
    The unique name of the resource.
    args ProjectAccessPolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args ProjectAccessPolicyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args ProjectAccessPolicyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args ProjectAccessPolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args ProjectAccessPolicyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    // Reference shape only: every value is the placeholder "string". The fields
    // that change what a principal can do are Details.Rules[].Effect (ALLOW, or
    // presumably DENY per the description above), Principals / ExcludedPrincipals,
    // Operation.Permissions / ExcludedPermissions, and Conditions[] (Service +
    // Expression). Review changes to those fields as you would IAM policy
    // bindings. DeletionPolicy accepts PREVENT / ABANDON / DELETE (see Inputs).
    var projectAccessPolicyResource = new Gcp.Iam.ProjectAccessPolicy("projectAccessPolicyResource", new()
    {
        AccessPolicyId = "string",
        Location = "string",
        Annotations = 
        {
            { "string", "string" },
        },
        DeletionPolicy = "string",
        Details = new Gcp.Iam.Inputs.ProjectAccessPolicyDetailsArgs
        {
            Rules = new[]
            {
                new Gcp.Iam.Inputs.ProjectAccessPolicyDetailsRuleArgs
                {
                    Effect = "string",
                    Operation = new Gcp.Iam.Inputs.ProjectAccessPolicyDetailsRuleOperationArgs
                    {
                        Permissions = new[]
                        {
                            "string",
                        },
                        // Carve-outs from Permissions above.
                        ExcludedPermissions = new[]
                        {
                            "string",
                        },
                    },
                    Principals = new[]
                    {
                        "string",
                    },
                    // Narrows the rule; without any, it applies project-wide.
                    Conditions = new[]
                    {
                        new Gcp.Iam.Inputs.ProjectAccessPolicyDetailsRuleConditionArgs
                        {
                            Service = "string",
                            Expression = "string",
                        },
                    },
                    Description = "string",
                    // Carve-outs from Principals above.
                    ExcludedPrincipals = new[]
                    {
                        "string",
                    },
                },
            },
        },
        DisplayName = "string",
        Project = "string",
    });
    
    // Reference shape only: every value is the placeholder "string". The fields
    // that change what a principal can do are Details.Rules[].Effect (ALLOW, or
    // presumably DENY per the description above), Principals / ExcludedPrincipals,
    // Operation.Permissions / ExcludedPermissions, and Conditions[] (Service +
    // Expression). Review changes to those fields as you would IAM policy
    // bindings. DeletionPolicy accepts PREVENT / ABANDON / DELETE (see Inputs).
    example, err := iam.NewProjectAccessPolicy(ctx, "projectAccessPolicyResource", &iam.ProjectAccessPolicyArgs{
    	AccessPolicyId: pulumi.String("string"),
    	Location:       pulumi.String("string"),
    	Annotations: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    	DeletionPolicy: pulumi.String("string"),
    	Details: &iam.ProjectAccessPolicyDetailsArgs{
    		Rules: iam.ProjectAccessPolicyDetailsRuleArray{
    			&iam.ProjectAccessPolicyDetailsRuleArgs{
    				Effect: pulumi.String("string"),
    				Operation: &iam.ProjectAccessPolicyDetailsRuleOperationArgs{
    					Permissions: pulumi.StringArray{
    						pulumi.String("string"),
    					},
    					// Carve-outs from Permissions above.
    					ExcludedPermissions: pulumi.StringArray{
    						pulumi.String("string"),
    					},
    				},
    				Principals: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				// Narrows the rule; without any, it applies project-wide.
    				Conditions: iam.ProjectAccessPolicyDetailsRuleConditionArray{
    					&iam.ProjectAccessPolicyDetailsRuleConditionArgs{
    						Service:    pulumi.String("string"),
    						Expression: pulumi.String("string"),
    					},
    				},
    				Description: pulumi.String("string"),
    				// Carve-outs from Principals above.
    				ExcludedPrincipals: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    			},
    		},
    	},
    	DisplayName: pulumi.String("string"),
    	Project:     pulumi.String("string"),
    })
    
    # Reference shape only: every value is the placeholder "string". The fields
    # that change what a principal can do are details.rules[].effect (ALLOW, or
    # presumably DENY per the description above), principals / excludedPrincipals,
    # operation.permissions / excludedPermissions, and conditions[] (service +
    # expression). Review changes to those fields as you would IAM policy
    # bindings. deletion_policy accepts PREVENT / ABANDON / DELETE (see Inputs).
    resource "gcp_iam_projectaccesspolicy" "projectAccessPolicyResource" {
      access_policy_id = "string"
      location         = "string"
      annotations = {
        "string" = "string"
      }
      deletion_policy = "string"
      details = {
        rules = [{
          "effect" = "string"
          "operation" = {
            "permissions"         = ["string"]
            # Carve-outs from permissions above.
            "excludedPermissions" = ["string"]
          }
          "principals" = ["string"]
          # Narrows the rule; without any, it applies project-wide.
          "conditions" = [{
            "service"    = "string"
            "expression" = "string"
          }]
          "description"        = "string"
          # Carve-outs from principals above.
          "excludedPrincipals" = ["string"]
        }]
      }
      display_name = "string"
      project      = "string"
    }
    
    // Reference shape only: every value is the placeholder "string". The fields
    // that change what a principal can do are details.rules[].effect (ALLOW, or
    // presumably DENY per the description above), principals / excludedPrincipals,
    // operation.permissions / excludedPermissions, and conditions (service +
    // expression). Review changes to those fields as you would IAM policy
    // bindings. deletionPolicy accepts PREVENT / ABANDON / DELETE (see Inputs).
    var projectAccessPolicyResource = new ProjectAccessPolicy("projectAccessPolicyResource", ProjectAccessPolicyArgs.builder()
        .accessPolicyId("string")
        .location("string")
        .annotations(Map.of("string", "string"))
        .deletionPolicy("string")
        .details(ProjectAccessPolicyDetailsArgs.builder()
            .rules(ProjectAccessPolicyDetailsRuleArgs.builder()
                .effect("string")
                .operation(ProjectAccessPolicyDetailsRuleOperationArgs.builder()
                    .permissions("string")
                    // Carve-outs from permissions above.
                    .excludedPermissions("string")
                    .build())
                .principals("string")
                // Narrows the rule; without any, it applies project-wide.
                .conditions(ProjectAccessPolicyDetailsRuleConditionArgs.builder()
                    .service("string")
                    .expression("string")
                    .build())
                .description("string")
                // Carve-outs from principals above.
                .excludedPrincipals("string")
                .build())
            .build())
        .displayName("string")
        .project("string")
        .build());
    
    # Reference shape only: every value is the placeholder "string". The fields
    # that change what a principal can do are details.rules[].effect (ALLOW, or
    # presumably DENY per the description above), principals / excluded_principals,
    # operation.permissions / excluded_permissions, and conditions[] (service +
    # expression). Review changes to those fields as you would IAM policy
    # bindings. deletion_policy accepts PREVENT / ABANDON / DELETE (see Inputs).
    project_access_policy_resource = gcp.iam.ProjectAccessPolicy("projectAccessPolicyResource",
        access_policy_id="string",
        location="string",
        annotations={
            "string": "string",
        },
        deletion_policy="string",
        details={
            "rules": [{
                "effect": "string",
                "operation": {
                    "permissions": ["string"],
                    # Carve-outs from permissions above.
                    "excluded_permissions": ["string"],
                },
                "principals": ["string"],
                # Narrows the rule; without any, it applies project-wide.
                "conditions": [{
                    "service": "string",
                    "expression": "string",
                }],
                "description": "string",
                # Carve-outs from principals above.
                "excluded_principals": ["string"],
            }],
        },
        display_name="string",
        project="string")
    
    // Reference shape only: every value is the placeholder "string". The fields
    // that change what a principal can do are details.rules[].effect (ALLOW, or
    // presumably DENY per the description above), principals / excludedPrincipals,
    // operation.permissions / excludedPermissions, and conditions[] (service +
    // expression). Review changes to those fields as you would IAM policy
    // bindings. deletionPolicy accepts PREVENT / ABANDON / DELETE (see Inputs).
    const projectAccessPolicyResource = new gcp.iam.ProjectAccessPolicy("projectAccessPolicyResource", {
        accessPolicyId: "string",
        location: "string",
        annotations: {
            string: "string",
        },
        deletionPolicy: "string",
        details: {
            rules: [{
                effect: "string",
                operation: {
                    permissions: ["string"],
                    // Carve-outs from permissions above.
                    excludedPermissions: ["string"],
                },
                principals: ["string"],
                // Narrows the rule; without any, it applies project-wide.
                conditions: [{
                    service: "string",
                    expression: "string",
                }],
                description: "string",
                // Carve-outs from principals above.
                excludedPrincipals: ["string"],
            }],
        },
        displayName: "string",
        project: "string",
    });
    
    # Reference shape only: every value is the placeholder "string". The fields
    # that change what a principal can do are details.rules[].effect (ALLOW, or
    # presumably DENY per the description above), principals / excludedPrincipals,
    # operation.permissions / excludedPermissions, and conditions[] (service +
    # expression). Review changes to those fields as you would IAM policy
    # bindings. deletionPolicy accepts PREVENT / ABANDON / DELETE (see Inputs).
    type: gcp:iam:ProjectAccessPolicy
    properties:
        accessPolicyId: string
        annotations:
            string: string
        deletionPolicy: string
        details:
            rules:
                # Narrows the rule; without any, it applies project-wide.
                - conditions:
                    - expression: string
                      service: string
                  description: string
                  effect: string
                  # Carve-outs from principals below.
                  excludedPrincipals:
                    - string
                  operation:
                    # Carve-outs from permissions below.
                    excludedPermissions:
                        - string
                    permissions:
                        - string
                  principals:
                    - string
        displayName: string
        location: string
        project: string
    

    ProjectAccessPolicy Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The ProjectAccessPolicy resource accepts the following input properties:

    AccessPolicyId string
    The ID to use for the access policy, which becomes the final component of the access policy's resource name. It must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots (the pattern string carried over from the upstream schema, /a-z{2,62}/, is abbreviated; the textual rule governs). The value must be unique among all access policies with the same parent.
    Location string
    Resource ID segment making up the resource name; it identifies the resource within its parent collection as described in https://google.aip.dev/122. The example above uses `global`.
    Annotations Dictionary<string, string>
    User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations Note: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field effectiveAnnotations for all of the annotations present on the resource.
    DeletionPolicy string
    Controls whether the provider may destroy the resource. Defaults to DELETE. When a `pulumi destroy` or `pulumi up` would delete the resource, the operation fails if this field is set to "PREVENT" in state. When set to "ABANDON", the resource is dropped from Pulumi state without being updated or deleted in the API — the access policy, and any ALLOW rules it contains, then remains in force in GCP but is no longer managed here. When set to "DELETE", deleting the resource is allowed.
    Details ProjectAccessPolicyDetails
    Access policy details. Structure is documented below.
    DisplayName string
    The description of the access policy. Must be less than or equal to 63 characters.
    Project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    AccessPolicyId string
    The ID to use for the access policy, which becomes the final component of the access policy's resource name. It must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots (the pattern string carried over from the upstream schema, /a-z{2,62}/, is abbreviated; the textual rule governs). The value must be unique among all access policies with the same parent.
    Location string
    Resource ID segment making up the resource name; it identifies the resource within its parent collection as described in https://google.aip.dev/122. The example above uses `global`.
    Annotations map[string]string
    User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations Note: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field effectiveAnnotations for all of the annotations present on the resource.
    DeletionPolicy string
    Controls whether the provider may destroy the resource. Defaults to DELETE. When a `pulumi destroy` or `pulumi up` would delete the resource, the operation fails if this field is set to "PREVENT" in state. When set to "ABANDON", the resource is dropped from Pulumi state without being updated or deleted in the API — the access policy, and any ALLOW rules it contains, then remains in force in GCP but is no longer managed here. When set to "DELETE", deleting the resource is allowed.
    Details ProjectAccessPolicyDetailsArgs
    Access policy details. Structure is documented below.
    DisplayName string
    The description of the access policy. Must be less than or equal to 63 characters.
    Project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    access_policy_id string
    The ID to use for the access policy, which becomes the final component of the access policy's resource name. It must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots (the pattern string carried over from the upstream schema, /a-z{2,62}/, is abbreviated; the textual rule governs). The value must be unique among all access policies with the same parent.
    location string
    Resource ID segment making up the resource name; it identifies the resource within its parent collection as described in https://google.aip.dev/122. The example above uses `global`.
    annotations map(string)
    User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations Note: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field effectiveAnnotations for all of the annotations present on the resource.
    deletion_policy string
    Controls whether the provider may destroy the resource. Defaults to DELETE. When a `pulumi destroy` or `pulumi up` would delete the resource, the operation fails if this field is set to "PREVENT" in state. When set to "ABANDON", the resource is dropped from Pulumi state without being updated or deleted in the API — the access policy, and any ALLOW rules it contains, then remains in force in GCP but is no longer managed here. When set to "DELETE", deleting the resource is allowed.
    details object
    Access policy details. Structure is documented below.
    display_name string
    The description of the access policy. Must be less than or equal to 63 characters.
    project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    accessPolicyId String
    The ID to use for the access policy, which will become the final component of the access policy's resource name. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern: /a-z{2,62}/. This value must be unique among all access policies with the same parent.
    location String
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    annotations Map<String,String>
    User-defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations. Note: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field effectiveAnnotations for all of the annotations present on the resource.
    deletionPolicy String
    Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. When a 'terraform destroy' or 'pulumi up' would delete the resource, the command will fail if this field is set to "PREVENT" in Terraform state. When set to "ABANDON", the command will remove the resource from Terraform management without updating or deleting the resource in the API. When set to "DELETE", deleting the resource is allowed.
    details ProjectAccessPolicyDetails
    Access policy details. Structure is documented below.
    displayName String
    The description of the access policy. Must be less than or equal to 63 characters.
    project String
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    accessPolicyId string
    The ID to use for the access policy, which will become the final component of the access policy's resource name. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern: /a-z{2,62}/. This value must be unique among all access policies with the same parent.
    location string
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    annotations {[key: string]: string}
    User-defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations. Note: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field effectiveAnnotations for all of the annotations present on the resource.
    deletionPolicy string
    Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. When a 'terraform destroy' or 'pulumi up' would delete the resource, the command will fail if this field is set to "PREVENT" in Terraform state. When set to "ABANDON", the command will remove the resource from Terraform management without updating or deleting the resource in the API. When set to "DELETE", deleting the resource is allowed.
    details ProjectAccessPolicyDetails
    Access policy details. Structure is documented below.
    displayName string
    The description of the access policy. Must be less than or equal to 63 characters.
    project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    access_policy_id str
    The ID to use for the access policy, which will become the final component of the access policy's resource name. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern: /a-z{2,62}/. This value must be unique among all access policies with the same parent.
    location str
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    annotations Mapping[str, str]
    User-defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations. Note: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field effectiveAnnotations for all of the annotations present on the resource.
    deletion_policy str
    Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. When a 'terraform destroy' or 'pulumi up' would delete the resource, the command will fail if this field is set to "PREVENT" in Terraform state. When set to "ABANDON", the command will remove the resource from Terraform management without updating or deleting the resource in the API. When set to "DELETE", deleting the resource is allowed.
    details ProjectAccessPolicyDetailsArgs
    Access policy details. Structure is documented below.
    display_name str
    The description of the access policy. Must be less than or equal to 63 characters.
    project str
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    accessPolicyId String
    The ID to use for the access policy, which will become the final component of the access policy's resource name. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern: /a-z{2,62}/. This value must be unique among all access policies with the same parent.
    location String
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    annotations Map<String>
    User-defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations. Note: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field effectiveAnnotations for all of the annotations present on the resource.
    deletionPolicy String
    Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. When a 'terraform destroy' or 'pulumi up' would delete the resource, the command will fail if this field is set to "PREVENT" in Terraform state. When set to "ABANDON", the command will remove the resource from Terraform management without updating or deleting the resource in the API. When set to "DELETE", deleting the resource is allowed.
    details Property Map
    Access policy details. Structure is documented below.
    displayName String
    The description of the access policy. Must be less than or equal to 63 characters.
    project String
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the ProjectAccessPolicy resource produces the following output properties:

    CreateTime string
    The time when the access policy was created.
    EffectiveAnnotations Dictionary<string, string>
    All annotations (key/value pairs) present on the resource in GCP, including the annotations configured through Terraform, other clients and services.
    Etag string
    The etag for the access policy. If this is provided on update, it must match the server's etag.
    Id string
    The provider-assigned unique ID for this managed resource.
    Name string
    Identifier. The resource name of the access policy. The following formats are supported:

    • projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
    • projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
    • folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
    • organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}
    Uid string
    The globally unique ID of the access policy.
    UpdateTime string
    The time when the access policy was most recently updated.
    CreateTime string
    The time when the access policy was created.
    EffectiveAnnotations map[string]string
    All annotations (key/value pairs) present on the resource in GCP, including the annotations configured through Terraform, other clients and services.
    Etag string
    The etag for the access policy. If this is provided on update, it must match the server's etag.
    Id string
    The provider-assigned unique ID for this managed resource.
    Name string
    Identifier. The resource name of the access policy. The following formats are supported:

    • projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
    • projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
    • folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
    • organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}
    Uid string
    The globally unique ID of the access policy.
    UpdateTime string
    The time when the access policy was most recently updated.
    create_time string
    The time when the access policy was created.
    effective_annotations map(string)
    All annotations (key/value pairs) present on the resource in GCP, including the annotations configured through Terraform, other clients and services.
    etag string
    The etag for the access policy. If this is provided on update, it must match the server's etag.
    id string
    The provider-assigned unique ID for this managed resource.
    name string
    Identifier. The resource name of the access policy. The following formats are supported:

    • projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
    • projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
    • folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
    • organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}
    uid string
    The globally unique ID of the access policy.
    update_time string
    The time when the access policy was most recently updated.
    createTime String
    The time when the access policy was created.
    effectiveAnnotations Map<String,String>
    All annotations (key/value pairs) present on the resource in GCP, including the annotations configured through Terraform, other clients and services.
    etag String
    The etag for the access policy. If this is provided on update, it must match the server's etag.
    id String
    The provider-assigned unique ID for this managed resource.
    name String
    Identifier. The resource name of the access policy. The following formats are supported:

    • projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
    • projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
    • folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
    • organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}
    uid String
    The globally unique ID of the access policy.
    updateTime String
    The time when the access policy was most recently updated.
    createTime string
    The time when the access policy was created.
    effectiveAnnotations {[key: string]: string}
    All annotations (key/value pairs) present on the resource in GCP, including the annotations configured through Terraform, other clients and services.
    etag string
    The etag for the access policy. If this is provided on update, it must match the server's etag.
    id string
    The provider-assigned unique ID for this managed resource.
    name string
    Identifier. The resource name of the access policy. The following formats are supported:

    • projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
    • projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
    • folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
    • organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}
    uid string
    The globally unique ID of the access policy.
    updateTime string
    The time when the access policy was most recently updated.
    create_time str
    The time when the access policy was created.
    effective_annotations Mapping[str, str]
    All annotations (key/value pairs) present on the resource in GCP, including the annotations configured through Terraform, other clients and services.
    etag str
    The etag for the access policy. If this is provided on update, it must match the server's etag.
    id str
    The provider-assigned unique ID for this managed resource.
    name str
    Identifier. The resource name of the access policy. The following formats are supported:

    • projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
    • projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
    • folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
    • organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}
    uid str
    The globally unique ID of the access policy.
    update_time str
    The time when the access policy was most recently updated.
    createTime String
    The time when the access policy was created.
    effectiveAnnotations Map<String>
    All annotations (key/value pairs) present on the resource in GCP, including the annotations configured through Terraform, other clients and services.
    etag String
    The etag for the access policy. If this is provided on update, it must match the server's etag.
    id String
    The provider-assigned unique ID for this managed resource.
    name String
    Identifier. The resource name of the access policy. The following formats are supported:

    • projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
    • projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
    • folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
    • organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}
    uid String
    The globally unique ID of the access policy.
    updateTime String
    The time when the access policy was most recently updated.

    Look up Existing ProjectAccessPolicy Resource

    Get an existing ProjectAccessPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: ProjectAccessPolicyState, opts?: CustomResourceOptions): ProjectAccessPolicy
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            access_policy_id: Optional[str] = None,
            annotations: Optional[Mapping[str, str]] = None,
            create_time: Optional[str] = None,
            deletion_policy: Optional[str] = None,
            details: Optional[ProjectAccessPolicyDetailsArgs] = None,
            display_name: Optional[str] = None,
            effective_annotations: Optional[Mapping[str, str]] = None,
            etag: Optional[str] = None,
            location: Optional[str] = None,
            name: Optional[str] = None,
            project: Optional[str] = None,
            uid: Optional[str] = None,
            update_time: Optional[str] = None) -> ProjectAccessPolicy
    func GetProjectAccessPolicy(ctx *Context, name string, id IDInput, state *ProjectAccessPolicyState, opts ...ResourceOption) (*ProjectAccessPolicy, error)
    public static ProjectAccessPolicy Get(string name, Input<string> id, ProjectAccessPolicyState? state, CustomResourceOptions? opts = null)
    public static ProjectAccessPolicy get(String name, Output<String> id, ProjectAccessPolicyState state, CustomResourceOptions options)
    resources:  _:    type: gcp:iam:ProjectAccessPolicy    get:      id: ${id}
    # Import block for adopting an existing access policy into this configuration:
    # `to` is the resource address the imported policy is bound to, and `id` is the
    # unique provider ID of the resource to look up (see the "id" argument below).
    import {
      to = gcp_iam_projectaccesspolicy.example
      id = "${id}"
    }
    
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AccessPolicyId string
    The ID to use for the access policy, which will become the final component of the access policy's resource name. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern: /a-z{2,62}/. This value must be unique among all access policies with the same parent.
    Annotations Dictionary<string, string>
    User-defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations. Note: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field effectiveAnnotations for all of the annotations present on the resource.
    CreateTime string
    The time when the access policy was created.
    DeletionPolicy string
    Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. When a 'terraform destroy' or 'pulumi up' would delete the resource, the command will fail if this field is set to "PREVENT" in Terraform state. When set to "ABANDON", the command will remove the resource from Terraform management without updating or deleting the resource in the API. When set to "DELETE", deleting the resource is allowed.
    Details ProjectAccessPolicyDetails
    Access policy details. Structure is documented below.
    DisplayName string
    The description of the access policy. Must be less than or equal to 63 characters.
    EffectiveAnnotations Dictionary<string, string>
    All annotations (key/value pairs) present on the resource in GCP, including the annotations configured through Terraform, other clients and services.
    Etag string
    The etag for the access policy. If this is provided on update, it must match the server's etag.
    Location string
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    Name string
    Identifier. The resource name of the access policy. The following formats are supported:

    • projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
    • projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
    • folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
    • organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}
    Project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    Uid string
    The globally unique ID of the access policy.
    UpdateTime string
    The time when the access policy was most recently updated.
    AccessPolicyId string
    The ID to use for the access policy, which will become the final component of the access policy's resource name. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern: /a-z{2,62}/. This value must be unique among all access policies with the same parent.
    Annotations map[string]string
    User-defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations. Note: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field effectiveAnnotations for all of the annotations present on the resource.
    CreateTime string
    The time when the access policy was created.
    DeletionPolicy string
    Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. When a 'terraform destroy' or 'pulumi up' would delete the resource, the command will fail if this field is set to "PREVENT" in Terraform state. When set to "ABANDON", the command will remove the resource from Terraform management without updating or deleting the resource in the API. When set to "DELETE", deleting the resource is allowed.
    Details ProjectAccessPolicyDetailsArgs
    Access policy details. Structure is documented below.
    DisplayName string
    The description of the access policy. Must be less than or equal to 63 characters.
    EffectiveAnnotations map[string]string
    All annotations (key/value pairs) present on the resource in GCP, including the annotations configured through Terraform, other clients and services.
    Etag string
    The etag for the access policy. If this is provided on update, it must match the server's etag.
    Location string
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    Name string
    Identifier. The resource name of the access policy. The following formats are supported:

    • projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
    • projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
    • folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
    • organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}
    Project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    Uid string
    The globally unique ID of the access policy.
    UpdateTime string
    The time when the access policy was most recently updated.
    access_policy_id string
    The ID to use for the access policy, which will become the final component of the access policy's resource name. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern: /a-z{2,62}/. This value must be unique among all access policies with the same parent.
    annotations map(string)
    User-defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations. Note: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field effectiveAnnotations for all of the annotations present on the resource.
    create_time string
    The time when the access policy was created.
    deletion_policy string
    Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. When a 'terraform destroy' or 'pulumi up' would delete the resource, the command will fail if this field is set to "PREVENT" in Terraform state. When set to "ABANDON", the command will remove the resource from Terraform management without updating or deleting the resource in the API. When set to "DELETE", deleting the resource is allowed.
    details object
    Access policy details. Structure is documented below.
    display_name string
    The description of the access policy. Must be less than or equal to 63 characters.
    effective_annotations map(string)
    All annotations (key/value pairs) present on the resource in GCP, including the annotations configured through Terraform, other clients and services.
    etag string
    The etag for the access policy. If this is provided on update, it must match the server's etag.
    location string
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    name string
    Identifier. The resource name of the access policy. The following formats are supported:

    • projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
    • projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
    • folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
    • organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}
    project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    uid string
    The globally unique ID of the access policy.
    update_time string
    The time when the access policy was most recently updated.
    accessPolicyId String
    The ID to use for the access policy, which will become the final component of the access policy's resource name. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern: /a-z{2,62}/. This value must be unique among all access policies with the same parent.
    annotations Map<String,String>
    User-defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations. Note: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field effectiveAnnotations for all of the annotations present on the resource.
    createTime String
    The time when the access policy was created.
    deletionPolicy String
    Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. When a 'terraform destroy' or 'pulumi up' would delete the resource, the command will fail if this field is set to "PREVENT" in Terraform state. When set to "ABANDON", the command will remove the resource from Terraform management without updating or deleting the resource in the API. When set to "DELETE", deleting the resource is allowed.
    details ProjectAccessPolicyDetails
    Access policy details. Structure is documented below.
    displayName String
    The description of the access policy. Must be less than or equal to 63 characters.
    effectiveAnnotations Map<String,String>
    All annotations (key/value pairs) present on the resource in GCP, including the annotations configured through Terraform, other clients and services.
    etag String
    The etag for the access policy. If this is provided on update, it must match the server's etag.
    location String
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    name String
    Identifier. The resource name of the access policy. The following formats are supported:

    • projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
    • projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
    • folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
    • organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}
    project String
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    uid String
    The globally unique ID of the access policy.
    updateTime String
    The time when the access policy was most recently updated.
    accessPolicyId string
    The ID to use for the access policy, which will become the final component of the access policy's resource name. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern: /a-z{2,62}/. This value must be unique among all access policies with the same parent.
    annotations {[key: string]: string}
    User-defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations. Note: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field effectiveAnnotations for all of the annotations present on the resource.
    createTime string
    The time when the access policy was created.
    deletionPolicy string
    Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. When a 'terraform destroy' or 'pulumi up' would delete the resource, the command will fail if this field is set to "PREVENT" in Terraform state. When set to "ABANDON", the command will remove the resource from Terraform management without updating or deleting the resource in the API. When set to "DELETE", deleting the resource is allowed.
    details ProjectAccessPolicyDetails
    Access policy details. Structure is documented below.
    displayName string
    The description of the access policy. Must be less than or equal to 63 characters.
    effectiveAnnotations {[key: string]: string}
    All annotations (key/value pairs) present on the resource in GCP, including the annotations configured through Terraform, other clients and services.
    etag string
    The etag for the access policy. If this is provided on update, it must match the server's etag.
    location string
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    name string
    Identifier. The resource name of the access policy. The following formats are supported:

    • projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
    • projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
    • folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
    • organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}
    project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    uid string
    The globally unique ID of the access policy.
    updateTime string
    The time when the access policy was most recently updated.
    access_policy_id str
    The ID to use for the access policy, which will become the final component of the access policy's resource name. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern: /a-z{2,62}/. This value must be unique among all access policies with the same parent.
    annotations Mapping[str, str]
    User-defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations. Note: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field effectiveAnnotations for all of the annotations present on the resource.
    create_time str
    The time when the access policy was created.
    deletion_policy str
    Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. When a 'terraform destroy' or 'pulumi up' would delete the resource, the command will fail if this field is set to "PREVENT" in Terraform state. When set to "ABANDON", the command will remove the resource from Terraform management without updating or deleting the resource in the API. When set to "DELETE", deleting the resource is allowed.
    details ProjectAccessPolicyDetailsArgs
    Access policy details. Structure is documented below.
    display_name str
    The description of the access policy. Must be less than or equal to 63 characters.
    effective_annotations Mapping[str, str]
    All annotations (key/value pairs) present on the resource in GCP, including the annotations configured through Terraform, other clients and services.
    etag str
    The etag for the access policy. If this is provided on update, it must match the server's etag.
    location str
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    name str
    Identifier. The resource name of the access policy. The following formats are supported:

    • projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
    • projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
    • folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
    • organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}
    project str
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    uid str
    The globally unique ID of the access policy.
    update_time str
    The time when the access policy was most recently updated.
    accessPolicyId String
    The ID to use for the access policy, which will become the final component of the access policy's resource name. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern: /a-z{2,62}/. This value must be unique among all access policies with the same parent.
    annotations Map<String>
    User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations. Note: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field effectiveAnnotations for all of the annotations present on the resource.
    createTime String
    The time when the access policy was created.
    deletionPolicy String
    Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. When a 'terraform destroy' or 'pulumi up' would delete the resource, the command will fail if this field is set to "PREVENT" in Terraform state. When set to "ABANDON", the command will remove the resource from Terraform management without updating or deleting the resource in the API. When set to "DELETE", deleting the resource is allowed.
    details Property Map
    Access policy details. Structure is documented below.
    displayName String
    The description of the access policy. Must be less than or equal to 63 characters.
    effectiveAnnotations Map<String>
    All annotations (key/value pairs) present on the resource in GCP, including the annotations configured through Terraform, other clients and services.
    etag String
    The etag for the access policy. If this is provided on update, it must match the server's etag.
    location String
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    name String
    Identifier. The resource name of the access policy. The following formats are supported:

    • projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
    • projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
    • folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
    • organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}
    project String
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    uid String
    The globally unique ID of the access policy.
    updateTime String
    The time when the access policy was most recently updated.

    Supporting Types

    ProjectAccessPolicyDetails, ProjectAccessPolicyDetailsArgs

    Rules List<ProjectAccessPolicyDetailsRule>
    A list of access policy rules. Structure is documented below.
    Rules []ProjectAccessPolicyDetailsRule
    A list of access policy rules. Structure is documented below.
    rules list(object)
    A list of access policy rules. Structure is documented below.
    rules List<ProjectAccessPolicyDetailsRule>
    A list of access policy rules. Structure is documented below.
    rules ProjectAccessPolicyDetailsRule[]
    A list of access policy rules. Structure is documented below.
    rules Sequence[ProjectAccessPolicyDetailsRule]
    A list of access policy rules. Structure is documented below.
    rules List<Property Map>
    A list of access policy rules. Structure is documented below.

    ProjectAccessPolicyDetailsRule, ProjectAccessPolicyDetailsRuleArgs

    Effect string
    The effect of the rule. Possible values are: DENY, ALLOW.
    Operation ProjectAccessPolicyDetailsRuleOperation
    Attributes that are used to determine whether this rule applies to a request. Structure is documented below.
    Principals List<string>
    The identities for which this rule's effect governs the use of one or more permissions on Google Cloud resources. This field can contain the following values:

    • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
    • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
    • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
    • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35. If an identifier that was previously set on a policy is soft deleted, then calls to read that policy will return the identifier with a deleted prefix. Users cannot set identifiers with this syntax.
    • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
    • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
    • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
    Conditions List<ProjectAccessPolicyDetailsRuleCondition>

    The conditions that determine whether this rule applies to a request. Conditions are identified by their key, which is the FQDN of the service that they are relevant to. For example:

    "conditions": {
    "iam.googleapis.com": {
    "expression":
    }
    }
    

    Each rule is evaluated independently. If this rule does not apply to a request, other rules might still apply. Currently supported keys are as follows:

    • eventarc.googleapis.com: Can use CEL functions that evaluate resource fields.
    • iam.googleapis.com: Can use CEL functions that evaluate resource tags and combine them using boolean and logical operators. Other functions and operators are not supported. Structure is documented below.
    Description string
    Customer specified description of the rule. Must be less than or equal to 256 characters.
    ExcludedPrincipals List<string>
    The identities that are excluded from the access policy rule, even if they are listed in the principals. For example, you could add a Google group to the principals, then exclude specific users who belong to that group.
    Effect string
    The effect of the rule. Possible values are: DENY, ALLOW.
    Operation ProjectAccessPolicyDetailsRuleOperation
    Attributes that are used to determine whether this rule applies to a request. Structure is documented below.
    Principals []string
    The identities for which this rule's effect governs the use of one or more permissions on Google Cloud resources. This field can contain the following values:

    • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
    • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
    • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
    • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35. If an identifier that was previously set on a policy is soft deleted, then calls to read that policy will return the identifier with a deleted prefix. Users cannot set identifiers with this syntax.
    • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
    • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
    • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
    Conditions []ProjectAccessPolicyDetailsRuleCondition

    The conditions that determine whether this rule applies to a request. Conditions are identified by their key, which is the FQDN of the service that they are relevant to. For example:

    "conditions": {
    "iam.googleapis.com": {
    "expression":
    }
    }
    

    Each rule is evaluated independently. If this rule does not apply to a request, other rules might still apply. Currently supported keys are as follows:

    • eventarc.googleapis.com: Can use CEL functions that evaluate resource fields.
    • iam.googleapis.com: Can use CEL functions that evaluate resource tags and combine them using boolean and logical operators. Other functions and operators are not supported. Structure is documented below.
    Description string
    Customer specified description of the rule. Must be less than or equal to 256 characters.
    ExcludedPrincipals []string
    The identities that are excluded from the access policy rule, even if they are listed in the principals. For example, you could add a Google group to the principals, then exclude specific users who belong to that group.
    effect string
    The effect of the rule. Possible values are: DENY, ALLOW.
    operation object
    Attributes that are used to determine whether this rule applies to a request. Structure is documented below.
    principals list(string)
    The identities for which this rule's effect governs the use of one or more permissions on Google Cloud resources. This field can contain the following values:

    • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
    • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
    • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
    • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35. If an identifier that was previously set on a policy is soft deleted, then calls to read that policy will return the identifier with a deleted prefix. Users cannot set identifiers with this syntax.
    • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
    • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
    • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
    conditions list(object)

    The conditions that determine whether this rule applies to a request. Conditions are identified by their key, which is the FQDN of the service that they are relevant to. For example:

    "conditions": {
    "iam.googleapis.com": {
    "expression":
    }
    }
    

    Each rule is evaluated independently. If this rule does not apply to a request, other rules might still apply. Currently supported keys are as follows:

    • eventarc.googleapis.com: Can use CEL functions that evaluate resource fields.
    • iam.googleapis.com: Can use CEL functions that evaluate resource tags and combine them using boolean and logical operators. Other functions and operators are not supported. Structure is documented below.
    description string
    Customer specified description of the rule. Must be less than or equal to 256 characters.
    excluded_principals list(string)
    The identities that are excluded from the access policy rule, even if they are listed in the principals. For example, you could add a Google group to the principals, then exclude specific users who belong to that group.
    effect String
    The effect of the rule. Possible values are: DENY, ALLOW.
    operation ProjectAccessPolicyDetailsRuleOperation
    Attributes that are used to determine whether this rule applies to a request. Structure is documented below.
    principals List<String>
    The identities for which this rule's effect governs the use of one or more permissions on Google Cloud resources. This field can contain the following values:

    • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
    • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
    • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
    • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35. If an identifier that was previously set on a policy is soft deleted, then calls to read that policy will return the identifier with a deleted prefix. Users cannot set identifiers with this syntax.
    • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
    • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
    • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
    conditions List<ProjectAccessPolicyDetailsRuleCondition>

    The conditions that determine whether this rule applies to a request. Conditions are identified by their key, which is the FQDN of the service that they are relevant to. For example:

    "conditions": {
    "iam.googleapis.com": {
    "expression":
    }
    }
    

    Each rule is evaluated independently. If this rule does not apply to a request, other rules might still apply. Currently supported keys are as follows:

    • eventarc.googleapis.com: Can use CEL functions that evaluate resource fields.
    • iam.googleapis.com: Can use CEL functions that evaluate resource tags and combine them using boolean and logical operators. Other functions and operators are not supported. Structure is documented below.
    description String
    Customer specified description of the rule. Must be less than or equal to 256 characters.
    excludedPrincipals List<String>
    The identities that are excluded from the access policy rule, even if they are listed in the principals. For example, you could add a Google group to the principals, then exclude specific users who belong to that group.
    effect string
    The effect of the rule. Possible values are: DENY, ALLOW.
    operation ProjectAccessPolicyDetailsRuleOperation
    Attributes that are used to determine whether this rule applies to a request. Structure is documented below.
    principals string[]
    The identities for which this rule's effect governs the use of one or more permissions on Google Cloud resources. This field can contain the following values:

    • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
    • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
    • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
    • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35. If an identifier that was previously set on a policy is soft deleted, then calls to read that policy will return the identifier with a deleted prefix. Users cannot set identifiers with this syntax.
    • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
    • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
    • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
    conditions ProjectAccessPolicyDetailsRuleCondition[]

    The conditions that determine whether this rule applies to a request. Conditions are identified by their key, which is the FQDN of the service that they are relevant to. For example:

    "conditions": {
    "iam.googleapis.com": {
    "expression":
    }
    }
    

    Each rule is evaluated independently. If this rule does not apply to a request, other rules might still apply. Currently supported keys are as follows:

    • eventarc.googleapis.com: Can use CEL functions that evaluate resource fields.
    • iam.googleapis.com: Can use CEL functions that evaluate resource tags and combine them using boolean and logical operators. Other functions and operators are not supported. Structure is documented below.
    description string
    Customer specified description of the rule. Must be less than or equal to 256 characters.
    excludedPrincipals string[]
    The identities that are excluded from the access policy rule, even if they are listed in the principals. For example, you could add a Google group to the principals, then exclude specific users who belong to that group.
    effect str
    The effect of the rule. Possible values are: DENY, ALLOW.
    operation ProjectAccessPolicyDetailsRuleOperation
    Attributes that are used to determine whether this rule applies to a request. Structure is documented below.
    principals Sequence[str]
    The identities for which this rule's effect governs the use of one or more permissions on Google Cloud resources. This field can contain the following values:

    • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
    • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
    • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
    • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35. If an identifier that was previously set on a policy is soft deleted, then calls to read that policy will return the identifier with a deleted prefix. Users cannot set identifiers with this syntax.
    • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
    • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
    • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
    conditions Sequence[ProjectAccessPolicyDetailsRuleCondition]

    The conditions that determine whether this rule applies to a request. Conditions are identified by their key, which is the FQDN of the service that they are relevant to. For example:

    "conditions": {
    "iam.googleapis.com": {
    "expression":
    }
    }
    

    Each rule is evaluated independently. If this rule does not apply to a request, other rules might still apply. Currently supported keys are as follows:

    • eventarc.googleapis.com: Can use CEL functions that evaluate resource fields.
    • iam.googleapis.com: Can use CEL functions that evaluate resource tags and combine them using boolean and logical operators. Other functions and operators are not supported. Structure is documented below.
    description str
    Customer specified description of the rule. Must be less than or equal to 256 characters.
    excluded_principals Sequence[str]
    The identities that are excluded from the access policy rule, even if they are listed in the principals. For example, you could add a Google group to the principals, then exclude specific users who belong to that group.
    effect String
    The effect of the rule. Possible values are: DENY, ALLOW.
    operation Property Map
    Attributes that are used to determine whether this rule applies to a request. Structure is documented below.
    principals List<String>
    The identities for which this rule's effect governs the use of one or more permissions on Google Cloud resources. This field can contain the following values:

    • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
    • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
    • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
    • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35. If an identifier that was previously set on a policy is soft deleted, then calls to read that policy will return the identifier with a deleted prefix. Users cannot set identifiers with this syntax.
    • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
    • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
    • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
    conditions List<Property Map>

    The conditions that determine whether this rule applies to a request. Conditions are identified by their key, which is the FQDN of the service that they are relevant to. For example:

    "conditions": {
    "iam.googleapis.com": {
    "expression":
    }
    }
    

    Each rule is evaluated independently. If this rule does not apply to a request, other rules might still apply. Currently supported keys are as follows:

    • eventarc.googleapis.com: Can use CEL functions that evaluate resource fields.
    • iam.googleapis.com: Can use CEL functions that evaluate resource tags and combine them using boolean and logical operators. Other functions and operators are not supported. Structure is documented below.
    description String
    Customer specified description of the rule. Must be less than or equal to 256 characters.
    excludedPrincipals List<String>
    The identities that are excluded from the access policy rule, even if they are listed in the principals. For example, you could add a Google group to the principals, then exclude specific users who belong to that group.

    ProjectAccessPolicyDetailsRuleCondition, ProjectAccessPolicyDetailsRuleConditionArgs

    Service string
    The identifier for this object: the FQDN of the service the condition applies to (for example, iam.googleapis.com), in the format specified above under conditions.
    Expression string
    Textual representation of an expression in Common Expression Language syntax.
    Service string
    The identifier for this object: the FQDN of the service the condition applies to (for example, iam.googleapis.com), in the format specified above under conditions.
    Expression string
    Textual representation of an expression in Common Expression Language syntax.
    service string
    The identifier for this object: the FQDN of the service the condition applies to (for example, iam.googleapis.com), in the format specified above under conditions.
    expression string
    Textual representation of an expression in Common Expression Language syntax.
    service String
    The identifier for this object: the FQDN of the service the condition applies to (for example, iam.googleapis.com), in the format specified above under conditions.
    expression String
    Textual representation of an expression in Common Expression Language syntax.
    service string
    The identifier for this object: the FQDN of the service the condition applies to (for example, iam.googleapis.com), in the format specified above under conditions.
    expression string
    Textual representation of an expression in Common Expression Language syntax.
    service str
    The identifier for this object: the FQDN of the service the condition applies to (for example, iam.googleapis.com), in the format specified above under conditions.
    expression str
    Textual representation of an expression in Common Expression Language syntax.
    service String
    The identifier for this object: the FQDN of the service the condition applies to (for example, iam.googleapis.com), in the format specified above under conditions.
    expression String
    Textual representation of an expression in Common Expression Language syntax.

    ProjectAccessPolicyDetailsRuleOperation, ProjectAccessPolicyDetailsRuleOperationArgs

    Permissions List<string>
    The permissions that are explicitly affected by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. Currently supported permissions are as follows:

    • eventarc.googleapis.com/messageBuses.publish.
    ExcludedPermissions List<string>
    Specifies the permissions that this rule excludes from the set of affected permissions given by permissions. If a permission appears both in permissions and in excludedPermissions, then it will not be subject to the policy effect. The excluded permissions can be specified using the same syntax as permissions.
    Permissions []string
    The permissions that are explicitly affected by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. Currently supported permissions are as follows:

    • eventarc.googleapis.com/messageBuses.publish.
    ExcludedPermissions []string
    Specifies the permissions that this rule excludes from the set of affected permissions given by permissions. If a permission appears in both permissions and excludedPermissions, it will not be subject to the policy effect. The excluded permissions can be specified using the same syntax as permissions.
    permissions list(string)
    The permissions that are explicitly affected by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. Currently supported permissions are as follows:

    • eventarc.googleapis.com/messageBuses.publish.
    excluded_permissions list(string)
    Specifies the permissions that this rule excludes from the set of affected permissions given by permissions. If a permission appears in both permissions and excludedPermissions, it will not be subject to the policy effect. The excluded permissions can be specified using the same syntax as permissions.
    permissions List<String>
    The permissions that are explicitly affected by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. Currently supported permissions are as follows:

    • eventarc.googleapis.com/messageBuses.publish.
    excludedPermissions List<String>
    Specifies the permissions that this rule excludes from the set of affected permissions given by permissions. If a permission appears in both permissions and excludedPermissions, it will not be subject to the policy effect. The excluded permissions can be specified using the same syntax as permissions.
    permissions string[]
    The permissions that are explicitly affected by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. Currently supported permissions are as follows:

    • eventarc.googleapis.com/messageBuses.publish.
    excludedPermissions string[]
    Specifies the permissions that this rule excludes from the set of affected permissions given by permissions. If a permission appears in both permissions and excludedPermissions, it will not be subject to the policy effect. The excluded permissions can be specified using the same syntax as permissions.
    permissions Sequence[str]
    The permissions that are explicitly affected by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. Currently supported permissions are as follows:

    • eventarc.googleapis.com/messageBuses.publish.
    excluded_permissions Sequence[str]
    Specifies the permissions that this rule excludes from the set of affected permissions given by permissions. If a permission appears in both permissions and excludedPermissions, it will not be subject to the policy effect. The excluded permissions can be specified using the same syntax as permissions.
    permissions List<String>
    The permissions that are explicitly affected by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. Currently supported permissions are as follows:

    • eventarc.googleapis.com/messageBuses.publish.
    excludedPermissions List<String>
    Specifies the permissions that this rule excludes from the set of affected permissions given by permissions. If a permission appears in both permissions and excludedPermissions, it will not be subject to the policy effect. The excluded permissions can be specified using the same syntax as permissions.

    Import

    ProjectAccessPolicy can be imported using any of these accepted formats:

    • projects/{{project}}/locations/{{location}}/accessPolicies/{{access_policy_id}}
    • {{project}}/{{location}}/{{access_policy_id}}
    • {{location}}/{{access_policy_id}}

    When using the pulumi import command, ProjectAccessPolicy can be imported using any one of the formats above. For example:

    $ pulumi import gcp:iam/projectAccessPolicy:ProjectAccessPolicy default projects/{{project}}/locations/{{location}}/accessPolicies/{{access_policy_id}}
    $ pulumi import gcp:iam/projectAccessPolicy:ProjectAccessPolicy default {{project}}/{{location}}/{{access_policy_id}}
    $ pulumi import gcp:iam/projectAccessPolicy:ProjectAccessPolicy default {{location}}/{{access_policy_id}}
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.