Google Native

v0.27.0 published on Friday, Oct 21, 2022 by Pulumi

getBucketIamPolicy

Returns an IAM policy for the specified bucket.

Using getBucketIamPolicy

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getBucketIamPolicy(args: GetBucketIamPolicyArgs, opts?: InvokeOptions): Promise<GetBucketIamPolicyResult>
function getBucketIamPolicyOutput(args: GetBucketIamPolicyOutputArgs, opts?: InvokeOptions): Output<GetBucketIamPolicyResult>
def get_bucket_iam_policy(bucket: Optional[str] = None,
                          options_requested_policy_version: Optional[int] = None,
                          user_project: Optional[str] = None,
                          opts: Optional[InvokeOptions] = None) -> GetBucketIamPolicyResult
def get_bucket_iam_policy_output(bucket: Optional[pulumi.Input[str]] = None,
                          options_requested_policy_version: Optional[pulumi.Input[int]] = None,
                          user_project: Optional[pulumi.Input[str]] = None,
                          opts: Optional[InvokeOptions] = None) -> Output[GetBucketIamPolicyResult]
func LookupBucketIamPolicy(ctx *Context, args *LookupBucketIamPolicyArgs, opts ...InvokeOption) (*LookupBucketIamPolicyResult, error)
func LookupBucketIamPolicyOutput(ctx *Context, args *LookupBucketIamPolicyOutputArgs, opts ...InvokeOption) LookupBucketIamPolicyResultOutput

> Note: This function is named LookupBucketIamPolicy in the Go SDK.

public static class GetBucketIamPolicy 
{
    public static Task<GetBucketIamPolicyResult> InvokeAsync(GetBucketIamPolicyArgs args, InvokeOptions? opts = null)
    public static Output<GetBucketIamPolicyResult> Invoke(GetBucketIamPolicyInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetBucketIamPolicyResult> getBucketIamPolicy(GetBucketIamPolicyArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet
fn::invoke:
  function: google-native:storage/v1:getBucketIamPolicy
  arguments:
    # arguments dictionary

The following arguments are supported:

getBucketIamPolicy Result

The following output properties are available:

Bindings List<Pulumi.GoogleNative.Storage.V1.Outputs.BucketIamPolicyBindingsItemResponse>

An association between a role, which comes with a set of permissions, and members who may assume that role.

Etag string

HTTP 1.1 Entity tag for the policy.

Kind string

The kind of item this is. For policies, this is always storage#policy. This field is ignored on input.

ResourceId string

The ID of the resource to which this policy belongs. Will be of the form projects//buckets/bucket for buckets, and projects//buckets/bucket/objects/object for objects. A specific generation may be specified by appending #generationNumber to the end of the object name, e.g. projects/_/buckets/my-bucket/objects/data.txt#17. The current generation can be denoted with #0. This field is ignored on input.

Version int

The IAM policy format version.

Bindings []BucketIamPolicyBindingsItemResponse

An association between a role, which comes with a set of permissions, and members who may assume that role.

Etag string

HTTP 1.1 Entity tag for the policy.

Kind string

The kind of item this is. For policies, this is always storage#policy. This field is ignored on input.

ResourceId string

The ID of the resource to which this policy belongs. Will be of the form projects//buckets/bucket for buckets, and projects//buckets/bucket/objects/object for objects. A specific generation may be specified by appending #generationNumber to the end of the object name, e.g. projects/_/buckets/my-bucket/objects/data.txt#17. The current generation can be denoted with #0. This field is ignored on input.

Version int

The IAM policy format version.

bindings List<BucketIamPolicyBindingsItemResponse>

An association between a role, which comes with a set of permissions, and members who may assume that role.

etag String

HTTP 1.1 Entity tag for the policy.

kind String

The kind of item this is. For policies, this is always storage#policy. This field is ignored on input.

resourceId String

The ID of the resource to which this policy belongs. Will be of the form projects//buckets/bucket for buckets, and projects//buckets/bucket/objects/object for objects. A specific generation may be specified by appending #generationNumber to the end of the object name, e.g. projects/_/buckets/my-bucket/objects/data.txt#17. The current generation can be denoted with #0. This field is ignored on input.

version Integer

The IAM policy format version.

bindings BucketIamPolicyBindingsItemResponse[]

An association between a role, which comes with a set of permissions, and members who may assume that role.

etag string

HTTP 1.1 Entity tag for the policy.

kind string

The kind of item this is. For policies, this is always storage#policy. This field is ignored on input.

resourceId string

The ID of the resource to which this policy belongs. Will be of the form projects//buckets/bucket for buckets, and projects//buckets/bucket/objects/object for objects. A specific generation may be specified by appending #generationNumber to the end of the object name, e.g. projects/_/buckets/my-bucket/objects/data.txt#17. The current generation can be denoted with #0. This field is ignored on input.

version number

The IAM policy format version.

bindings Sequence[BucketIamPolicyBindingsItemResponse]

An association between a role, which comes with a set of permissions, and members who may assume that role.

etag str

HTTP 1.1 Entity tag for the policy.

kind str

The kind of item this is. For policies, this is always storage#policy. This field is ignored on input.

resource_id str

The ID of the resource to which this policy belongs. Will be of the form projects//buckets/bucket for buckets, and projects//buckets/bucket/objects/object for objects. A specific generation may be specified by appending #generationNumber to the end of the object name, e.g. projects/_/buckets/my-bucket/objects/data.txt#17. The current generation can be denoted with #0. This field is ignored on input.

version int

The IAM policy format version.

bindings List<Property Map>

An association between a role, which comes with a set of permissions, and members who may assume that role.

etag String

HTTP 1.1 Entity tag for the policy.

kind String

The kind of item this is. For policies, this is always storage#policy. This field is ignored on input.

resourceId String

The ID of the resource to which this policy belongs. Will be of the form projects//buckets/bucket for buckets, and projects//buckets/bucket/objects/object for objects. A specific generation may be specified by appending #generationNumber to the end of the object name, e.g. projects/_/buckets/my-bucket/objects/data.txt#17. The current generation can be denoted with #0. This field is ignored on input.

version Number

The IAM policy format version.

Supporting Types

BucketIamPolicyBindingsItemResponse

Condition Pulumi.GoogleNative.Storage.V1.Inputs.ExprResponse

The condition that is associated with this binding. NOTE: an unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.

Members List<string>

A collection of identifiers for members who may assume the provided role. Recognized identifiers are as follows:

  • allUsers — A special identifier that represents anyone on the internet; with or without a Google account.
  • allAuthenticatedUsers — A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • user:emailid — An email address that represents a specific account. For example, user:alice@gmail.com or user:joe@example.com.
  • serviceAccount:emailid — An email address that represents a service account. For example, serviceAccount:my-other-app@appspot.gserviceaccount.com .
  • group:emailid — An email address that represents a Google group. For example, group:admins@example.com.
  • domain:domain — A Google Apps domain name that represents all the users of that domain. For example, domain:google.com or domain:example.com.
  • projectOwner:projectid — Owners of the given project. For example, projectOwner:my-example-project
  • projectEditor:projectid — Editors of the given project. For example, projectEditor:my-example-project
  • projectViewer:projectid — Viewers of the given project. For example, projectViewer:my-example-project
Role string

The role to which members belong. Two types of roles are supported: new IAM roles, which grant permissions that do not map directly to those provided by ACLs, and legacy IAM roles, which do map directly to ACL permissions. All roles are of the format roles/storage.specificRole. The new IAM roles are:

  • roles/storage.admin — Full control of Google Cloud Storage resources.
  • roles/storage.objectViewer — Read-Only access to Google Cloud Storage objects.
  • roles/storage.objectCreator — Access to create objects in Google Cloud Storage.
  • roles/storage.objectAdmin — Full control of Google Cloud Storage objects. The legacy IAM roles are:
  • roles/storage.legacyObjectReader — Read-only access to objects without listing. Equivalent to an ACL entry on an object with the READER role.
  • roles/storage.legacyObjectOwner — Read/write access to existing objects without listing. Equivalent to an ACL entry on an object with the OWNER role.
  • roles/storage.legacyBucketReader — Read access to buckets with object listing. Equivalent to an ACL entry on a bucket with the READER role.
  • roles/storage.legacyBucketWriter — Read access to buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the WRITER role.
  • roles/storage.legacyBucketOwner — Read and write access to existing buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the OWNER role.
Condition ExprResponse

The condition that is associated with this binding. NOTE: an unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.

Members []string

A collection of identifiers for members who may assume the provided role. Recognized identifiers are as follows:

  • allUsers — A special identifier that represents anyone on the internet; with or without a Google account.
  • allAuthenticatedUsers — A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • user:emailid — An email address that represents a specific account. For example, user:alice@gmail.com or user:joe@example.com.
  • serviceAccount:emailid — An email address that represents a service account. For example, serviceAccount:my-other-app@appspot.gserviceaccount.com .
  • group:emailid — An email address that represents a Google group. For example, group:admins@example.com.
  • domain:domain — A Google Apps domain name that represents all the users of that domain. For example, domain:google.com or domain:example.com.
  • projectOwner:projectid — Owners of the given project. For example, projectOwner:my-example-project
  • projectEditor:projectid — Editors of the given project. For example, projectEditor:my-example-project
  • projectViewer:projectid — Viewers of the given project. For example, projectViewer:my-example-project
Role string

The role to which members belong. Two types of roles are supported: new IAM roles, which grant permissions that do not map directly to those provided by ACLs, and legacy IAM roles, which do map directly to ACL permissions. All roles are of the format roles/storage.specificRole. The new IAM roles are:

  • roles/storage.admin — Full control of Google Cloud Storage resources.
  • roles/storage.objectViewer — Read-Only access to Google Cloud Storage objects.
  • roles/storage.objectCreator — Access to create objects in Google Cloud Storage.
  • roles/storage.objectAdmin — Full control of Google Cloud Storage objects. The legacy IAM roles are:
  • roles/storage.legacyObjectReader — Read-only access to objects without listing. Equivalent to an ACL entry on an object with the READER role.
  • roles/storage.legacyObjectOwner — Read/write access to existing objects without listing. Equivalent to an ACL entry on an object with the OWNER role.
  • roles/storage.legacyBucketReader — Read access to buckets with object listing. Equivalent to an ACL entry on a bucket with the READER role.
  • roles/storage.legacyBucketWriter — Read access to buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the WRITER role.
  • roles/storage.legacyBucketOwner — Read and write access to existing buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the OWNER role.
condition ExprResponse

The condition that is associated with this binding. NOTE: an unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.

members List<String>

A collection of identifiers for members who may assume the provided role. Recognized identifiers are as follows:

  • allUsers — A special identifier that represents anyone on the internet; with or without a Google account.
  • allAuthenticatedUsers — A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • user:emailid — An email address that represents a specific account. For example, user:alice@gmail.com or user:joe@example.com.
  • serviceAccount:emailid — An email address that represents a service account. For example, serviceAccount:my-other-app@appspot.gserviceaccount.com .
  • group:emailid — An email address that represents a Google group. For example, group:admins@example.com.
  • domain:domain — A Google Apps domain name that represents all the users of that domain. For example, domain:google.com or domain:example.com.
  • projectOwner:projectid — Owners of the given project. For example, projectOwner:my-example-project
  • projectEditor:projectid — Editors of the given project. For example, projectEditor:my-example-project
  • projectViewer:projectid — Viewers of the given project. For example, projectViewer:my-example-project
role String

The role to which members belong. Two types of roles are supported: new IAM roles, which grant permissions that do not map directly to those provided by ACLs, and legacy IAM roles, which do map directly to ACL permissions. All roles are of the format roles/storage.specificRole. The new IAM roles are:

  • roles/storage.admin — Full control of Google Cloud Storage resources.
  • roles/storage.objectViewer — Read-Only access to Google Cloud Storage objects.
  • roles/storage.objectCreator — Access to create objects in Google Cloud Storage.
  • roles/storage.objectAdmin — Full control of Google Cloud Storage objects. The legacy IAM roles are:
  • roles/storage.legacyObjectReader — Read-only access to objects without listing. Equivalent to an ACL entry on an object with the READER role.
  • roles/storage.legacyObjectOwner — Read/write access to existing objects without listing. Equivalent to an ACL entry on an object with the OWNER role.
  • roles/storage.legacyBucketReader — Read access to buckets with object listing. Equivalent to an ACL entry on a bucket with the READER role.
  • roles/storage.legacyBucketWriter — Read access to buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the WRITER role.
  • roles/storage.legacyBucketOwner — Read and write access to existing buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the OWNER role.
condition ExprResponse

The condition that is associated with this binding. NOTE: an unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.

members string[]

A collection of identifiers for members who may assume the provided role. Recognized identifiers are as follows:

  • allUsers — A special identifier that represents anyone on the internet; with or without a Google account.
  • allAuthenticatedUsers — A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • user:emailid — An email address that represents a specific account. For example, user:alice@gmail.com or user:joe@example.com.
  • serviceAccount:emailid — An email address that represents a service account. For example, serviceAccount:my-other-app@appspot.gserviceaccount.com .
  • group:emailid — An email address that represents a Google group. For example, group:admins@example.com.
  • domain:domain — A Google Apps domain name that represents all the users of that domain. For example, domain:google.com or domain:example.com.
  • projectOwner:projectid — Owners of the given project. For example, projectOwner:my-example-project
  • projectEditor:projectid — Editors of the given project. For example, projectEditor:my-example-project
  • projectViewer:projectid — Viewers of the given project. For example, projectViewer:my-example-project
role string

The role to which members belong. Two types of roles are supported: new IAM roles, which grant permissions that do not map directly to those provided by ACLs, and legacy IAM roles, which do map directly to ACL permissions. All roles are of the format roles/storage.specificRole. The new IAM roles are:

  • roles/storage.admin — Full control of Google Cloud Storage resources.
  • roles/storage.objectViewer — Read-Only access to Google Cloud Storage objects.
  • roles/storage.objectCreator — Access to create objects in Google Cloud Storage.
  • roles/storage.objectAdmin — Full control of Google Cloud Storage objects. The legacy IAM roles are:
  • roles/storage.legacyObjectReader — Read-only access to objects without listing. Equivalent to an ACL entry on an object with the READER role.
  • roles/storage.legacyObjectOwner — Read/write access to existing objects without listing. Equivalent to an ACL entry on an object with the OWNER role.
  • roles/storage.legacyBucketReader — Read access to buckets with object listing. Equivalent to an ACL entry on a bucket with the READER role.
  • roles/storage.legacyBucketWriter — Read access to buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the WRITER role.
  • roles/storage.legacyBucketOwner — Read and write access to existing buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the OWNER role.
condition ExprResponse

The condition that is associated with this binding. NOTE: an unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.

members Sequence[str]

A collection of identifiers for members who may assume the provided role. Recognized identifiers are as follows:

  • allUsers — A special identifier that represents anyone on the internet; with or without a Google account.
  • allAuthenticatedUsers — A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • user:emailid — An email address that represents a specific account. For example, user:alice@gmail.com or user:joe@example.com.
  • serviceAccount:emailid — An email address that represents a service account. For example, serviceAccount:my-other-app@appspot.gserviceaccount.com .
  • group:emailid — An email address that represents a Google group. For example, group:admins@example.com.
  • domain:domain — A Google Apps domain name that represents all the users of that domain. For example, domain:google.com or domain:example.com.
  • projectOwner:projectid — Owners of the given project. For example, projectOwner:my-example-project
  • projectEditor:projectid — Editors of the given project. For example, projectEditor:my-example-project
  • projectViewer:projectid — Viewers of the given project. For example, projectViewer:my-example-project
role str

The role to which members belong. Two types of roles are supported: new IAM roles, which grant permissions that do not map directly to those provided by ACLs, and legacy IAM roles, which do map directly to ACL permissions. All roles are of the format roles/storage.specificRole. The new IAM roles are:

  • roles/storage.admin — Full control of Google Cloud Storage resources.
  • roles/storage.objectViewer — Read-Only access to Google Cloud Storage objects.
  • roles/storage.objectCreator — Access to create objects in Google Cloud Storage.
  • roles/storage.objectAdmin — Full control of Google Cloud Storage objects. The legacy IAM roles are:
  • roles/storage.legacyObjectReader — Read-only access to objects without listing. Equivalent to an ACL entry on an object with the READER role.
  • roles/storage.legacyObjectOwner — Read/write access to existing objects without listing. Equivalent to an ACL entry on an object with the OWNER role.
  • roles/storage.legacyBucketReader — Read access to buckets with object listing. Equivalent to an ACL entry on a bucket with the READER role.
  • roles/storage.legacyBucketWriter — Read access to buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the WRITER role.
  • roles/storage.legacyBucketOwner — Read and write access to existing buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the OWNER role.
condition Property Map

The condition that is associated with this binding. NOTE: an unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.

members List<String>

A collection of identifiers for members who may assume the provided role. Recognized identifiers are as follows:

  • allUsers — A special identifier that represents anyone on the internet; with or without a Google account.
  • allAuthenticatedUsers — A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • user:emailid — An email address that represents a specific account. For example, user:alice@gmail.com or user:joe@example.com.
  • serviceAccount:emailid — An email address that represents a service account. For example, serviceAccount:my-other-app@appspot.gserviceaccount.com .
  • group:emailid — An email address that represents a Google group. For example, group:admins@example.com.
  • domain:domain — A Google Apps domain name that represents all the users of that domain. For example, domain:google.com or domain:example.com.
  • projectOwner:projectid — Owners of the given project. For example, projectOwner:my-example-project
  • projectEditor:projectid — Editors of the given project. For example, projectEditor:my-example-project
  • projectViewer:projectid — Viewers of the given project. For example, projectViewer:my-example-project
role String

The role to which members belong. Two types of roles are supported: new IAM roles, which grant permissions that do not map directly to those provided by ACLs, and legacy IAM roles, which do map directly to ACL permissions. All roles are of the format roles/storage.specificRole. The new IAM roles are:

  • roles/storage.admin — Full control of Google Cloud Storage resources.
  • roles/storage.objectViewer — Read-Only access to Google Cloud Storage objects.
  • roles/storage.objectCreator — Access to create objects in Google Cloud Storage.
  • roles/storage.objectAdmin — Full control of Google Cloud Storage objects. The legacy IAM roles are:
  • roles/storage.legacyObjectReader — Read-only access to objects without listing. Equivalent to an ACL entry on an object with the READER role.
  • roles/storage.legacyObjectOwner — Read/write access to existing objects without listing. Equivalent to an ACL entry on an object with the OWNER role.
  • roles/storage.legacyBucketReader — Read access to buckets with object listing. Equivalent to an ACL entry on a bucket with the READER role.
  • roles/storage.legacyBucketWriter — Read access to buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the WRITER role.
  • roles/storage.legacyBucketOwner — Read and write access to existing buckets with object listing/creation/deletion. Equivalent to an ACL entry on a bucket with the OWNER role.

ExprResponse

Description string

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

Expression string

Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.

Location string

An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

Title string

An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

Description string

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

Expression string

Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.

Location string

An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

Title string

An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

description String

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

expression String

Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.

location String

An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

title String

An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

description string

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

expression string

Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.

location string

An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

title string

An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

description str

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

expression str

Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.

location str

An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

title str

An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

description String

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

expression String

Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.

location String

An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

title String

An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

Package Details

Repository
https://github.com/pulumi/pulumi-google-native
License
Apache-2.0