0
# IAM Policy Management
1
2
Standard Google Cloud IAM operations for IAP resources, enabling programmatic management of access policies, permissions, and role bindings for IAP-protected resources. This includes setting policies for who can access IAP-protected applications and what permissions they have.
3
4
## Capabilities
5
6
### IAM Policy Operations
7
8
Manage IAM policies for IAP-protected resources using standard Google Cloud IAM operations. These methods allow you to control access to IAP-protected applications by managing user and group permissions.
9
10
```python { .api }
11
def set_iam_policy(
12
self,
13
request: iam_policy_pb2.SetIamPolicyRequest,
14
*,
15
retry=DEFAULT,
16
timeout=DEFAULT,
17
metadata=()
18
) -> policy_pb2.Policy:
19
"""
20
Sets the access control policy for an IAP protected resource.
21
22
Args:
23
request: The request object containing the resource and policy.
24
retry: Designation of what errors should be retried.
25
timeout: The timeout for this request.
26
metadata: Strings which should be sent along with the request.
27
28
Returns:
29
The IAM policy that was set on the resource.
30
"""
31
32
def get_iam_policy(
33
self,
34
request: iam_policy_pb2.GetIamPolicyRequest,
35
*,
36
retry=DEFAULT,
37
timeout=DEFAULT,
38
metadata=()
39
) -> policy_pb2.Policy:
40
"""
41
Gets the access control policy for an IAP protected resource.
42
43
Args:
44
request: The request object containing the resource name.
45
retry: Designation of what errors should be retried.
46
timeout: The timeout for this request.
47
metadata: Strings which should be sent along with the request.
48
49
Returns:
50
The current IAM policy for the resource.
51
"""
52
53
def test_iam_permissions(
54
self,
55
request: iam_policy_pb2.TestIamPermissionsRequest,
56
*,
57
retry=DEFAULT,
58
timeout=DEFAULT,
59
metadata=()
60
) -> iam_policy_pb2.TestIamPermissionsResponse:
61
"""
62
Returns permissions that a caller has on the IAP protected resource.
63
64
Args:
65
request: The request object containing resource and permissions to test.
66
retry: Designation of what errors should be retried.
67
timeout: The timeout for this request.
68
metadata: Strings which should be sent along with the request.
69
70
Returns:
71
The permissions that the caller has on the resource.
72
"""
73
```
74
75
Example usage:
76
77
```python
78
from google.cloud.iap import IdentityAwareProxyAdminServiceClient
79
from google.iam.v1 import iam_policy_pb2, policy_pb2
80
81
client = IdentityAwareProxyAdminServiceClient()
82
83
# Resource name for IAP-protected service
84
resource_name = "projects/my-project/iap_web/compute/services/my-service"
85
86
# Get current IAM policy
87
get_policy_request = iam_policy_pb2.GetIamPolicyRequest(
88
resource=resource_name
89
)
90
91
current_policy = client.get_iam_policy(request=get_policy_request)
92
print(f"Current policy version: {current_policy.version}")
93
print(f"Current bindings: {len(current_policy.bindings)}")
94
95
# Add a new role binding
96
new_binding = policy_pb2.Binding(
97
role="roles/iap.httpsResourceAccessor",
98
members=[
99
"user:alice@example.com",
100
"group:iap-users@example.com"
101
]
102
)
103
104
current_policy.bindings.append(new_binding)
105
106
# Set the updated policy
107
set_policy_request = iam_policy_pb2.SetIamPolicyRequest(
108
resource=resource_name,
109
policy=current_policy
110
)
111
112
updated_policy = client.set_iam_policy(request=set_policy_request)
113
print(f"Updated policy with {len(updated_policy.bindings)} bindings")
114
115
# Test specific permissions
116
test_permissions_request = iam_policy_pb2.TestIamPermissionsRequest(
117
resource=resource_name,
118
permissions=[
119
"iap.webServiceVersions.accessViaIAP",
120
"iap.webServices.getIamPolicy"
121
]
122
)
123
124
permissions_response = client.test_iam_permissions(request=test_permissions_request)
125
print(f"Caller has permissions: {permissions_response.permissions}")
126
```
127
128
## IAP-Specific IAM Roles
129
130
When working with IAP IAM policies, you'll commonly use these IAP-specific roles:
131
132
### Web-based IAP Roles
133
134
- **`roles/iap.httpsResourceAccessor`**: Access to web-based applications protected by IAP
135
- **`roles/iap.webServiceViewer`**: View IAP-protected web services
136
- **`roles/iap.settingsAdmin`**: Administer IAP settings
137
138
### Tunnel/TCP IAP Roles
139
140
- **`roles/iap.tunnelResourceAccessor`**: Access to resources through IAP TCP forwarding
141
- **`roles/iap.tunnelDestGroupAdmin`**: Administer tunnel destination groups
142
143
### General IAP Roles
144
145
- **`roles/iap.admin`**: Full administrative access to IAP
146
- **`roles/iap.policyAdmin`**: Administer IAP access policies
147
148
Example with specific IAP roles:
149
150
```python
151
from google.cloud.iap import IdentityAwareProxyAdminServiceClient
152
from google.iam.v1 import iam_policy_pb2, policy_pb2
153
154
client = IdentityAwareProxyAdminServiceClient()
155
resource_name = "projects/my-project/iap_web/compute/services/my-service"
156
157
# Create policy with IAP-specific roles
158
policy = policy_pb2.Policy(
159
version=3, # Use version 3 for conditional bindings
160
bindings=[
161
policy_pb2.Binding(
162
role="roles/iap.httpsResourceAccessor",
163
members=[
164
"user:user1@example.com",
165
"user:user2@example.com"
166
]
167
),
168
policy_pb2.Binding(
169
role="roles/iap.settingsAdmin",
170
members=["group:iap-admins@example.com"]
171
),
172
policy_pb2.Binding(
173
role="roles/iap.webServiceViewer",
174
members=["serviceAccount:monitoring@my-project.iam.gserviceaccount.com"]
175
)
176
]
177
)
178
179
# Set the policy
180
set_request = iam_policy_pb2.SetIamPolicyRequest(
181
resource=resource_name,
182
policy=policy
183
)
184
185
result = client.set_iam_policy(request=set_request)
186
print(f"Set IAP policy with {len(result.bindings)} role bindings")
187
```
188
189
## Conditional IAM Policies
190
191
IAP supports conditional IAM policies (IAM Conditions) that allow fine-grained access control based on attributes like time, location, or custom attributes.
192
193
```python
194
from google.cloud.iap import IdentityAwareProxyAdminServiceClient
195
from google.iam.v1 import iam_policy_pb2, policy_pb2
196
from google.type import expr_pb2
197
198
client = IdentityAwareProxyAdminServiceClient()
199
resource_name = "projects/my-project/iap_web/compute/services/my-service"
200
201
# Create conditional binding - only allow access during business hours
202
business_hours_condition = expr_pb2.Expr(
203
title="Business hours only",
204
description="Allow access only during business hours (9 AM to 5 PM UTC)",
205
expression='''
206
request.time.getHours() >= 9 && request.time.getHours() < 17
207
'''
208
)
209
210
conditional_binding = policy_pb2.Binding(
211
role="roles/iap.httpsResourceAccessor",
212
members=["group:contractors@example.com"],
213
condition=business_hours_condition
214
)
215
216
# Create policy with conditional binding
217
policy = policy_pb2.Policy(
218
version=3, # Version 3 required for conditions
219
bindings=[conditional_binding]
220
)
221
222
set_request = iam_policy_pb2.SetIamPolicyRequest(
223
resource=resource_name,
224
policy=policy
225
)
226
227
result = client.set_iam_policy(request=set_request)
228
print("Set conditional IAM policy for business hours access")
229
```
230
231
## Types
232
233
### Request Types (from google.iam.v1)
234
235
```python { .api }
236
class SetIamPolicyRequest:
237
"""Request message for SetIamPolicy."""
238
resource: str # Resource name
239
policy: policy_pb2.Policy # Policy to set
240
update_mask: field_mask_pb2.FieldMask # Optional mask for partial updates
241
242
class GetIamPolicyRequest:
243
"""Request message for GetIamPolicy."""
244
resource: str # Resource name
245
options: GetPolicyOptions # Optional policy options
246
247
class TestIamPermissionsRequest:
248
"""Request message for TestIamPermissions."""
249
resource: str # Resource name
250
permissions: List[str] # Permissions to test
251
```
252
253
### Response Types (from google.iam.v1)
254
255
```python { .api }
256
class TestIamPermissionsResponse:
257
"""Response message for TestIamPermissions."""
258
permissions: List[str] # Permissions the caller has
259
```
260
261
### Policy Types (from google.iam.v1)
262
263
```python { .api }
264
class Policy:
265
"""IAM policy definition."""
266
version: int # Policy language version
267
bindings: List[Binding] # Role bindings
268
audit_configs: List[AuditConfig] # Audit configuration
269
etag: bytes # Concurrency control
270
271
class Binding:
272
"""Associates members with a role."""
273
role: str # Role name (e.g., "roles/iap.httpsResourceAccessor")
274
members: List[str] # Members (users, groups, service accounts)
275
condition: expr_pb2.Expr # Optional conditional expression
276
277
class AuditConfig:
278
"""Audit configuration for a service."""
279
service: str # Service name
280
audit_log_configs: List[AuditLogConfig] # Audit log configurations
281
282
class AuditLogConfig:
283
"""Configuration for audit logging."""
284
log_type: LogType # Type of audit log
285
exempted_members: List[str] # Members exempt from logging
286
287
class LogType(Enum):
288
LOG_TYPE_UNSPECIFIED = 0
289
ADMIN_READ = 1
290
DATA_WRITE = 2
291
DATA_READ = 3
292
```
293
294
### Common IAP Permissions
295
296
When using `test_iam_permissions`, these are common IAP permissions you might test:
297
298
- **`iap.webServiceVersions.accessViaIAP`**: Access web application via IAP
299
- **`iap.webServices.getIamPolicy`**: View IAM policy for web service
300
- **`iap.webServices.setIamPolicy`**: Modify IAM policy for web service
301
- **`iap.webTypes.getIamPolicy`**: View IAM policy for web resource type
302
- **`iap.webTypes.setIamPolicy`**: Modify IAM policy for web resource type
303
- **`iap.tunnelInstances.accessViaIAP`**: Access compute instance via IAP tunnel
304
- **`iap.tunnelZones.getIamPolicy`**: View IAM policy for tunnel zone
305
- **`iap.tunnelZones.setIamPolicy`**: Modify IAM policy for tunnel zone