1. Packages
  2. Google Cloud (GCP) Classic
  3. API Docs
  4. organizations
  5. getIAMPolicy
Google Cloud Classic v7.30.2 published on Wednesday, Jul 10, 2024 by Pulumi

gcp.organizations.getIAMPolicy

Explore with Pulumi AI

gcp logo
Google Cloud Classic v7.30.2 published on Wednesday, Jul 10, 2024 by Pulumi

    Generates an IAM policy document that may be referenced by and applied to other Google Cloud Platform IAM resources, such as the gcp.projects.IAMPolicy resource.

    Note: Please review the documentation of the resource that you will be using the datasource with. Some resources such as gcp.projects.IAMPolicy and others have limitations in their API methods which are noted on their respective page.

    Using getIAMPolicy

    Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

    function getIAMPolicy(args: GetIAMPolicyArgs, opts?: InvokeOptions): Promise<GetIAMPolicyResult>
    function getIAMPolicyOutput(args: GetIAMPolicyOutputArgs, opts?: InvokeOptions): Output<GetIAMPolicyResult>
    def get_iam_policy(audit_configs: Optional[Sequence[GetIAMPolicyAuditConfig]] = None,
                       bindings: Optional[Sequence[GetIAMPolicyBinding]] = None,
                       opts: Optional[InvokeOptions] = None) -> GetIAMPolicyResult
    def get_iam_policy_output(audit_configs: Optional[pulumi.Input[Sequence[pulumi.Input[GetIAMPolicyAuditConfigArgs]]]] = None,
                       bindings: Optional[pulumi.Input[Sequence[pulumi.Input[GetIAMPolicyBindingArgs]]]] = None,
                       opts: Optional[InvokeOptions] = None) -> Output[GetIAMPolicyResult]
    func LookupIAMPolicy(ctx *Context, args *LookupIAMPolicyArgs, opts ...InvokeOption) (*LookupIAMPolicyResult, error)
    func LookupIAMPolicyOutput(ctx *Context, args *LookupIAMPolicyOutputArgs, opts ...InvokeOption) LookupIAMPolicyResultOutput

    > Note: This function is named LookupIAMPolicy in the Go SDK.

    public static class GetIAMPolicy 
    {
        public static Task<GetIAMPolicyResult> InvokeAsync(GetIAMPolicyArgs args, InvokeOptions? opts = null)
        public static Output<GetIAMPolicyResult> Invoke(GetIAMPolicyInvokeArgs args, InvokeOptions? opts = null)
    }
    public static CompletableFuture<GetIAMPolicyResult> getIAMPolicy(GetIAMPolicyArgs args, InvokeOptions options)
    // Output-based functions aren't available in Java yet
    
    fn::invoke:
      function: gcp:organizations/getIAMPolicy:getIAMPolicy
      arguments:
        # arguments dictionary

    The following arguments are supported:

    AuditConfigs List<GetIAMPolicyAuditConfig>
    A nested configuration block that defines logging additional configuration for your project. This field is only supported on gcp.projects.IAMPolicy, gcp.folder.IAMPolicy and gcp.organizations.IAMPolicy.
    Bindings List<GetIAMPolicyBinding>

    A nested configuration block (described below) defining a binding to be included in the policy document. Multiple binding arguments are supported.

    Each document configuration must have one or more binding blocks, which each accept the following arguments:

    AuditConfigs []GetIAMPolicyAuditConfig
    A nested configuration block that defines logging additional configuration for your project. This field is only supported on gcp.projects.IAMPolicy, gcp.folder.IAMPolicy and gcp.organizations.IAMPolicy.
    Bindings []GetIAMPolicyBinding

    A nested configuration block (described below) defining a binding to be included in the policy document. Multiple binding arguments are supported.

    Each document configuration must have one or more binding blocks, which each accept the following arguments:

    auditConfigs List<GetIAMPolicyAuditConfig>
    A nested configuration block that defines logging additional configuration for your project. This field is only supported on gcp.projects.IAMPolicy, gcp.folder.IAMPolicy and gcp.organizations.IAMPolicy.
    bindings List<GetIAMPolicyBinding>

    A nested configuration block (described below) defining a binding to be included in the policy document. Multiple binding arguments are supported.

    Each document configuration must have one or more binding blocks, which each accept the following arguments:

    auditConfigs GetIAMPolicyAuditConfig[]
    A nested configuration block that defines logging additional configuration for your project. This field is only supported on gcp.projects.IAMPolicy, gcp.folder.IAMPolicy and gcp.organizations.IAMPolicy.
    bindings GetIAMPolicyBinding[]

    A nested configuration block (described below) defining a binding to be included in the policy document. Multiple binding arguments are supported.

    Each document configuration must have one or more binding blocks, which each accept the following arguments:

    audit_configs Sequence[GetIAMPolicyAuditConfig]
    A nested configuration block that defines logging additional configuration for your project. This field is only supported on gcp.projects.IAMPolicy, gcp.folder.IAMPolicy and gcp.organizations.IAMPolicy.
    bindings Sequence[GetIAMPolicyBinding]

    A nested configuration block (described below) defining a binding to be included in the policy document. Multiple binding arguments are supported.

    Each document configuration must have one or more binding blocks, which each accept the following arguments:

    auditConfigs List<Property Map>
    A nested configuration block that defines logging additional configuration for your project. This field is only supported on gcp.projects.IAMPolicy, gcp.folder.IAMPolicy and gcp.organizations.IAMPolicy.
    bindings List<Property Map>

    A nested configuration block (described below) defining a binding to be included in the policy document. Multiple binding arguments are supported.

    Each document configuration must have one or more binding blocks, which each accept the following arguments:

    getIAMPolicy Result

    The following output properties are available:

    Id string
    The provider-assigned unique ID for this managed resource.
    PolicyData string
    The above bindings serialized in a format suitable for referencing from a resource that supports IAM.
    AuditConfigs List<GetIAMPolicyAuditConfig>
    Bindings List<GetIAMPolicyBinding>
    Id string
    The provider-assigned unique ID for this managed resource.
    PolicyData string
    The above bindings serialized in a format suitable for referencing from a resource that supports IAM.
    AuditConfigs []GetIAMPolicyAuditConfig
    Bindings []GetIAMPolicyBinding
    id String
    The provider-assigned unique ID for this managed resource.
    policyData String
    The above bindings serialized in a format suitable for referencing from a resource that supports IAM.
    auditConfigs List<GetIAMPolicyAuditConfig>
    bindings List<GetIAMPolicyBinding>
    id string
    The provider-assigned unique ID for this managed resource.
    policyData string
    The above bindings serialized in a format suitable for referencing from a resource that supports IAM.
    auditConfigs GetIAMPolicyAuditConfig[]
    bindings GetIAMPolicyBinding[]
    id str
    The provider-assigned unique ID for this managed resource.
    policy_data str
    The above bindings serialized in a format suitable for referencing from a resource that supports IAM.
    audit_configs Sequence[GetIAMPolicyAuditConfig]
    bindings Sequence[GetIAMPolicyBinding]
    id String
    The provider-assigned unique ID for this managed resource.
    policyData String
    The above bindings serialized in a format suitable for referencing from a resource that supports IAM.
    auditConfigs List<Property Map>
    bindings List<Property Map>

    Supporting Types

    GetIAMPolicyAuditConfig

    AuditLogConfigs List<GetIAMPolicyAuditConfigAuditLogConfig>
    A nested block that defines the operations you'd like to log.
    Service string
    Defines a service that will be enabled for audit logging. For example, storage.googleapis.com, cloudsql.googleapis.com. allServices is a special value that covers all services.
    AuditLogConfigs []GetIAMPolicyAuditConfigAuditLogConfig
    A nested block that defines the operations you'd like to log.
    Service string
    Defines a service that will be enabled for audit logging. For example, storage.googleapis.com, cloudsql.googleapis.com. allServices is a special value that covers all services.
    auditLogConfigs List<GetIAMPolicyAuditConfigAuditLogConfig>
    A nested block that defines the operations you'd like to log.
    service String
    Defines a service that will be enabled for audit logging. For example, storage.googleapis.com, cloudsql.googleapis.com. allServices is a special value that covers all services.
    auditLogConfigs GetIAMPolicyAuditConfigAuditLogConfig[]
    A nested block that defines the operations you'd like to log.
    service string
    Defines a service that will be enabled for audit logging. For example, storage.googleapis.com, cloudsql.googleapis.com. allServices is a special value that covers all services.
    audit_log_configs Sequence[GetIAMPolicyAuditConfigAuditLogConfig]
    A nested block that defines the operations you'd like to log.
    service str
    Defines a service that will be enabled for audit logging. For example, storage.googleapis.com, cloudsql.googleapis.com. allServices is a special value that covers all services.
    auditLogConfigs List<Property Map>
    A nested block that defines the operations you'd like to log.
    service String
    Defines a service that will be enabled for audit logging. For example, storage.googleapis.com, cloudsql.googleapis.com. allServices is a special value that covers all services.

    GetIAMPolicyAuditConfigAuditLogConfig

    LogType string
    Defines the logging level. DATA_READ, DATA_WRITE and ADMIN_READ capture different types of events. See the audit configuration documentation for more details.
    ExemptedMembers List<string>
    Specifies the identities that are exempt from these types of logging operations. Follows the same format of the members array for binding.
    LogType string
    Defines the logging level. DATA_READ, DATA_WRITE and ADMIN_READ capture different types of events. See the audit configuration documentation for more details.
    ExemptedMembers []string
    Specifies the identities that are exempt from these types of logging operations. Follows the same format of the members array for binding.
    logType String
    Defines the logging level. DATA_READ, DATA_WRITE and ADMIN_READ capture different types of events. See the audit configuration documentation for more details.
    exemptedMembers List<String>
    Specifies the identities that are exempt from these types of logging operations. Follows the same format of the members array for binding.
    logType string
    Defines the logging level. DATA_READ, DATA_WRITE and ADMIN_READ capture different types of events. See the audit configuration documentation for more details.
    exemptedMembers string[]
    Specifies the identities that are exempt from these types of logging operations. Follows the same format of the members array for binding.
    log_type str
    Defines the logging level. DATA_READ, DATA_WRITE and ADMIN_READ capture different types of events. See the audit configuration documentation for more details.
    exempted_members Sequence[str]
    Specifies the identities that are exempt from these types of logging operations. Follows the same format of the members array for binding.
    logType String
    Defines the logging level. DATA_READ, DATA_WRITE and ADMIN_READ capture different types of events. See the audit configuration documentation for more details.
    exemptedMembers List<String>
    Specifies the identities that are exempt from these types of logging operations. Follows the same format of the members array for binding.

    GetIAMPolicyBinding

    Members List<string>
    An array of identities that will be granted the privilege in the role. For more details on format and restrictions see https://cloud.google.com/billing/reference/rest/v1/Policy#Binding Each entry can have one of the following values:

    • allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account. Some resources don't support this identity.
    • allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account. Some resources don't support this identity.
    • user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com.
    • serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
    • group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
    • domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
    Role string
    The role/permission that will be granted to the members. See the IAM Roles documentation for a complete list of roles. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.
    Condition GetIAMPolicyBindingCondition
    An IAM Condition for a given binding. Structure is documented below.
    Members []string
    An array of identities that will be granted the privilege in the role. For more details on format and restrictions see https://cloud.google.com/billing/reference/rest/v1/Policy#Binding Each entry can have one of the following values:

    • allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account. Some resources don't support this identity.
    • allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account. Some resources don't support this identity.
    • user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com.
    • serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
    • group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
    • domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
    Role string
    The role/permission that will be granted to the members. See the IAM Roles documentation for a complete list of roles. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.
    Condition GetIAMPolicyBindingCondition
    An IAM Condition for a given binding. Structure is documented below.
    members List<String>
    An array of identities that will be granted the privilege in the role. For more details on format and restrictions see https://cloud.google.com/billing/reference/rest/v1/Policy#Binding Each entry can have one of the following values:

    • allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account. Some resources don't support this identity.
    • allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account. Some resources don't support this identity.
    • user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com.
    • serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
    • group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
    • domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
    role String
    The role/permission that will be granted to the members. See the IAM Roles documentation for a complete list of roles. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.
    condition GetIAMPolicyBindingCondition
    An IAM Condition for a given binding. Structure is documented below.
    members string[]
    An array of identities that will be granted the privilege in the role. For more details on format and restrictions see https://cloud.google.com/billing/reference/rest/v1/Policy#Binding Each entry can have one of the following values:

    • allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account. Some resources don't support this identity.
    • allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account. Some resources don't support this identity.
    • user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com.
    • serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
    • group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
    • domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
    role string
    The role/permission that will be granted to the members. See the IAM Roles documentation for a complete list of roles. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.
    condition GetIAMPolicyBindingCondition
    An IAM Condition for a given binding. Structure is documented below.
    members Sequence[str]
    An array of identities that will be granted the privilege in the role. For more details on format and restrictions see https://cloud.google.com/billing/reference/rest/v1/Policy#Binding Each entry can have one of the following values:

    • allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account. Some resources don't support this identity.
    • allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account. Some resources don't support this identity.
    • user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com.
    • serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
    • group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
    • domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
    role str
    The role/permission that will be granted to the members. See the IAM Roles documentation for a complete list of roles. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.
    condition GetIAMPolicyBindingCondition
    An IAM Condition for a given binding. Structure is documented below.
    members List<String>
    An array of identities that will be granted the privilege in the role. For more details on format and restrictions see https://cloud.google.com/billing/reference/rest/v1/Policy#Binding Each entry can have one of the following values:

    • allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account. Some resources don't support this identity.
    • allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account. Some resources don't support this identity.
    • user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com.
    • serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
    • group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
    • domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
    role String
    The role/permission that will be granted to the members. See the IAM Roles documentation for a complete list of roles. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.
    condition Property Map
    An IAM Condition for a given binding. Structure is documented below.

    GetIAMPolicyBindingCondition

    Expression string
    Textual representation of an expression in Common Expression Language syntax.
    Title string
    A title for the expression, i.e. a short string describing its purpose.
    Description string
    An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    Expression string
    Textual representation of an expression in Common Expression Language syntax.
    Title string
    A title for the expression, i.e. a short string describing its purpose.
    Description string
    An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    expression String
    Textual representation of an expression in Common Expression Language syntax.
    title String
    A title for the expression, i.e. a short string describing its purpose.
    description String
    An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    expression string
    Textual representation of an expression in Common Expression Language syntax.
    title string
    A title for the expression, i.e. a short string describing its purpose.
    description string
    An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    expression str
    Textual representation of an expression in Common Expression Language syntax.
    title str
    A title for the expression, i.e. a short string describing its purpose.
    description str
    An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    expression String
    Textual representation of an expression in Common Expression Language syntax.
    title String
    A title for the expression, i.e. a short string describing its purpose.
    description String
    An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.
    gcp logo
    Google Cloud Classic v7.30.2 published on Wednesday, Jul 10, 2024 by Pulumi