Docs Home
Google Cloud v8.22.0 published on Thursday, Mar 13, 2025 by Pulumi
gcp.organizations.getIAMPolicy
Explore with Pulumi AI
Generates an IAM policy document that may be referenced by and applied to
other Google Cloud Platform IAM resources, such as the gcp.projects.IAMPolicy resource.
Note: Please review the documentation of the resource that you will be using the datasource with. Some resources such as gcp.projects.IAMPolicy and others have limitations in their API methods which are noted on their respective page.
Using getIAMPolicy
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getIAMPolicy(args: GetIAMPolicyArgs, opts?: InvokeOptions): Promise<GetIAMPolicyResult>
function getIAMPolicyOutput(args: GetIAMPolicyOutputArgs, opts?: InvokeOptions): Output<GetIAMPolicyResult>def get_iam_policy(audit_configs: Optional[Sequence[GetIAMPolicyAuditConfig]] = None,
bindings: Optional[Sequence[GetIAMPolicyBinding]] = None,
opts: Optional[InvokeOptions] = None) -> GetIAMPolicyResult
def get_iam_policy_output(audit_configs: Optional[pulumi.Input[Sequence[pulumi.Input[GetIAMPolicyAuditConfigArgs]]]] = None,
bindings: Optional[pulumi.Input[Sequence[pulumi.Input[GetIAMPolicyBindingArgs]]]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetIAMPolicyResult]func LookupIAMPolicy(ctx *Context, args *LookupIAMPolicyArgs, opts ...InvokeOption) (*LookupIAMPolicyResult, error)
func LookupIAMPolicyOutput(ctx *Context, args *LookupIAMPolicyOutputArgs, opts ...InvokeOption) LookupIAMPolicyResultOutput> Note: This function is named LookupIAMPolicy in the Go SDK.
public static class GetIAMPolicy
{
public static Task<GetIAMPolicyResult> InvokeAsync(GetIAMPolicyArgs args, InvokeOptions? opts = null)
public static Output<GetIAMPolicyResult> Invoke(GetIAMPolicyInvokeArgs args, InvokeOptions? opts = null)
}public static CompletableFuture<GetIAMPolicyResult> getIAMPolicy(GetIAMPolicyArgs args, InvokeOptions options)
public static Output<GetIAMPolicyResult> getIAMPolicy(GetIAMPolicyArgs args, InvokeOptions options)
fn::invoke:
function: gcp:organizations/getIAMPolicy:getIAMPolicy
arguments:
# arguments dictionaryThe following arguments are supported:
- Audit
Configs List<GetIAMPolicy Audit Config> - A nested configuration block that defines logging additional configuration for your project. This field is only supported on
gcp.projects.IAMPolicy,gcp.folder.IAMPolicyandgcp.organizations.IAMPolicy. - Bindings
List<Get
IAMPolicy Binding> A nested configuration block (described below) defining a binding to be included in the policy document. Multiple
bindingarguments are supported.Each document configuration must have one or more
bindingblocks, which each accept the following arguments:
- Audit
Configs []GetIAMPolicy Audit Config - A nested configuration block that defines logging additional configuration for your project. This field is only supported on
gcp.projects.IAMPolicy,gcp.folder.IAMPolicyandgcp.organizations.IAMPolicy. - Bindings
[]Get
IAMPolicy Binding A nested configuration block (described below) defining a binding to be included in the policy document. Multiple
bindingarguments are supported.Each document configuration must have one or more
bindingblocks, which each accept the following arguments:
- audit
Configs List<GetIAMPolicy Audit Config> - A nested configuration block that defines logging additional configuration for your project. This field is only supported on
gcp.projects.IAMPolicy,gcp.folder.IAMPolicyandgcp.organizations.IAMPolicy. - bindings
List<Get
IAMPolicy Binding> A nested configuration block (described below) defining a binding to be included in the policy document. Multiple
bindingarguments are supported.Each document configuration must have one or more
bindingblocks, which each accept the following arguments:
- audit
Configs GetIAMPolicy Audit Config[] - A nested configuration block that defines logging additional configuration for your project. This field is only supported on
gcp.projects.IAMPolicy,gcp.folder.IAMPolicyandgcp.organizations.IAMPolicy. - bindings
Get
IAMPolicy Binding[] A nested configuration block (described below) defining a binding to be included in the policy document. Multiple
bindingarguments are supported.Each document configuration must have one or more
bindingblocks, which each accept the following arguments:
- audit_
configs Sequence[GetIAMPolicy Audit Config] - A nested configuration block that defines logging additional configuration for your project. This field is only supported on
gcp.projects.IAMPolicy,gcp.folder.IAMPolicyandgcp.organizations.IAMPolicy. - bindings
Sequence[Get
IAMPolicy Binding] A nested configuration block (described below) defining a binding to be included in the policy document. Multiple
bindingarguments are supported.Each document configuration must have one or more
bindingblocks, which each accept the following arguments:
- audit
Configs List<Property Map> - A nested configuration block that defines logging additional configuration for your project. This field is only supported on
gcp.projects.IAMPolicy,gcp.folder.IAMPolicyandgcp.organizations.IAMPolicy. - bindings List<Property Map>
A nested configuration block (described below) defining a binding to be included in the policy document. Multiple
bindingarguments are supported.Each document configuration must have one or more
bindingblocks, which each accept the following arguments:
getIAMPolicy Result
The following output properties are available:
- Id string
- The provider-assigned unique ID for this managed resource.
- Policy
Data string - The above bindings serialized in a format suitable for referencing from a resource that supports IAM.
- Audit
Configs List<GetIAMPolicy Audit Config> - Bindings
List<Get
IAMPolicy Binding>
- Id string
- The provider-assigned unique ID for this managed resource.
- Policy
Data string - The above bindings serialized in a format suitable for referencing from a resource that supports IAM.
- Audit
Configs []GetIAMPolicy Audit Config - Bindings
[]Get
IAMPolicy Binding
- id String
- The provider-assigned unique ID for this managed resource.
- policy
Data String - The above bindings serialized in a format suitable for referencing from a resource that supports IAM.
- audit
Configs List<GetIAMPolicy Audit Config> - bindings
List<Get
IAMPolicy Binding>
- id string
- The provider-assigned unique ID for this managed resource.
- policy
Data string - The above bindings serialized in a format suitable for referencing from a resource that supports IAM.
- audit
Configs GetIAMPolicy Audit Config[] - bindings
Get
IAMPolicy Binding[]
- id str
- The provider-assigned unique ID for this managed resource.
- policy_
data str - The above bindings serialized in a format suitable for referencing from a resource that supports IAM.
- audit_
configs Sequence[GetIAMPolicy Audit Config] - bindings
Sequence[Get
IAMPolicy Binding]
- id String
- The provider-assigned unique ID for this managed resource.
- policy
Data String - The above bindings serialized in a format suitable for referencing from a resource that supports IAM.
- audit
Configs List<Property Map> - bindings List<Property Map>
Supporting Types
GetIAMPolicyAuditConfig
- Audit
Log List<GetConfigs IAMPolicy Audit Config Audit Log Config> - A nested block that defines the operations you'd like to log.
- Service string
- Defines a service that will be enabled for audit logging. For example,
storage.googleapis.com,cloudsql.googleapis.com.allServicesis a special value that covers all services.
- Audit
Log []GetConfigs IAMPolicy Audit Config Audit Log Config - A nested block that defines the operations you'd like to log.
- Service string
- Defines a service that will be enabled for audit logging. For example,
storage.googleapis.com,cloudsql.googleapis.com.allServicesis a special value that covers all services.
- audit
Log List<GetConfigs IAMPolicy Audit Config Audit Log Config> - A nested block that defines the operations you'd like to log.
- service String
- Defines a service that will be enabled for audit logging. For example,
storage.googleapis.com,cloudsql.googleapis.com.allServicesis a special value that covers all services.
- audit
Log GetConfigs IAMPolicy Audit Config Audit Log Config[] - A nested block that defines the operations you'd like to log.
- service string
- Defines a service that will be enabled for audit logging. For example,
storage.googleapis.com,cloudsql.googleapis.com.allServicesis a special value that covers all services.
- audit_
log_ Sequence[Getconfigs IAMPolicy Audit Config Audit Log Config] - A nested block that defines the operations you'd like to log.
- service str
- Defines a service that will be enabled for audit logging. For example,
storage.googleapis.com,cloudsql.googleapis.com.allServicesis a special value that covers all services.
- audit
Log List<Property Map>Configs - A nested block that defines the operations you'd like to log.
- service String
- Defines a service that will be enabled for audit logging. For example,
storage.googleapis.com,cloudsql.googleapis.com.allServicesis a special value that covers all services.
GetIAMPolicyAuditConfigAuditLogConfig
- Log
Type string - Defines the logging level.
DATA_READ,DATA_WRITEandADMIN_READcapture different types of events. See the audit configuration documentation for more details. - Exempted
Members List<string> - Specifies the identities that are exempt from these types of logging operations. Follows the same format of the
membersarray forbinding.
- Log
Type string - Defines the logging level.
DATA_READ,DATA_WRITEandADMIN_READcapture different types of events. See the audit configuration documentation for more details. - Exempted
Members []string - Specifies the identities that are exempt from these types of logging operations. Follows the same format of the
membersarray forbinding.
- log
Type String - Defines the logging level.
DATA_READ,DATA_WRITEandADMIN_READcapture different types of events. See the audit configuration documentation for more details. - exempted
Members List<String> - Specifies the identities that are exempt from these types of logging operations. Follows the same format of the
membersarray forbinding.
- log
Type string - Defines the logging level.
DATA_READ,DATA_WRITEandADMIN_READcapture different types of events. See the audit configuration documentation for more details. - exempted
Members string[] - Specifies the identities that are exempt from these types of logging operations. Follows the same format of the
membersarray forbinding.
- log_
type str - Defines the logging level.
DATA_READ,DATA_WRITEandADMIN_READcapture different types of events. See the audit configuration documentation for more details. - exempted_
members Sequence[str] - Specifies the identities that are exempt from these types of logging operations. Follows the same format of the
membersarray forbinding.
- log
Type String - Defines the logging level.
DATA_READ,DATA_WRITEandADMIN_READcapture different types of events. See the audit configuration documentation for more details. - exempted
Members List<String> - Specifies the identities that are exempt from these types of logging operations. Follows the same format of the
membersarray forbinding.
GetIAMPolicyBinding
- Members List<string>
- An array of identities that will be granted the privilege in the
role. For more details on format and restrictions see https://cloud.google.com/billing/reference/rest/v1/Policy#Binding Each entry can have one of the following values:- allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account. Some resources don't support this identity.
- allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account. Some resources don't support this identity.
- user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com.
- serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
- group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
- domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
- Role string
- The role/permission that will be granted to the members.
See the IAM Roles documentation for a complete list of roles.
Note that custom roles must be of the format
[projects|organizations]/{parent-name}/roles/{role-name}. - Condition
Get
IAMPolicy Binding Condition - An IAM Condition for a given binding. Structure is documented below.
- Members []string
- An array of identities that will be granted the privilege in the
role. For more details on format and restrictions see https://cloud.google.com/billing/reference/rest/v1/Policy#Binding Each entry can have one of the following values:- allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account. Some resources don't support this identity.
- allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account. Some resources don't support this identity.
- user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com.
- serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
- group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
- domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
- Role string
- The role/permission that will be granted to the members.
See the IAM Roles documentation for a complete list of roles.
Note that custom roles must be of the format
[projects|organizations]/{parent-name}/roles/{role-name}. - Condition
Get
IAMPolicy Binding Condition - An IAM Condition for a given binding. Structure is documented below.
- members List<String>
- An array of identities that will be granted the privilege in the
role. For more details on format and restrictions see https://cloud.google.com/billing/reference/rest/v1/Policy#Binding Each entry can have one of the following values:- allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account. Some resources don't support this identity.
- allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account. Some resources don't support this identity.
- user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com.
- serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
- group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
- domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
- role String
- The role/permission that will be granted to the members.
See the IAM Roles documentation for a complete list of roles.
Note that custom roles must be of the format
[projects|organizations]/{parent-name}/roles/{role-name}. - condition
Get
IAMPolicy Binding Condition - An IAM Condition for a given binding. Structure is documented below.
- members string[]
- An array of identities that will be granted the privilege in the
role. For more details on format and restrictions see https://cloud.google.com/billing/reference/rest/v1/Policy#Binding Each entry can have one of the following values:- allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account. Some resources don't support this identity.
- allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account. Some resources don't support this identity.
- user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com.
- serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
- group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
- domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
- role string
- The role/permission that will be granted to the members.
See the IAM Roles documentation for a complete list of roles.
Note that custom roles must be of the format
[projects|organizations]/{parent-name}/roles/{role-name}. - condition
Get
IAMPolicy Binding Condition - An IAM Condition for a given binding. Structure is documented below.
- members Sequence[str]
- An array of identities that will be granted the privilege in the
role. For more details on format and restrictions see https://cloud.google.com/billing/reference/rest/v1/Policy#Binding Each entry can have one of the following values:- allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account. Some resources don't support this identity.
- allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account. Some resources don't support this identity.
- user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com.
- serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
- group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
- domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
- role str
- The role/permission that will be granted to the members.
See the IAM Roles documentation for a complete list of roles.
Note that custom roles must be of the format
[projects|organizations]/{parent-name}/roles/{role-name}. - condition
Get
IAMPolicy Binding Condition - An IAM Condition for a given binding. Structure is documented below.
- members List<String>
- An array of identities that will be granted the privilege in the
role. For more details on format and restrictions see https://cloud.google.com/billing/reference/rest/v1/Policy#Binding Each entry can have one of the following values:- allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account. Some resources don't support this identity.
- allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account. Some resources don't support this identity.
- user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com.
- serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
- group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
- domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
- role String
- The role/permission that will be granted to the members.
See the IAM Roles documentation for a complete list of roles.
Note that custom roles must be of the format
[projects|organizations]/{parent-name}/roles/{role-name}. - condition Property Map
- An IAM Condition for a given binding. Structure is documented below.
GetIAMPolicyBindingCondition
- Expression string
- Textual representation of an expression in Common Expression Language syntax.
- Title string
- A title for the expression, i.e. a short string describing its purpose.
- Description string
- An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- Expression string
- Textual representation of an expression in Common Expression Language syntax.
- Title string
- A title for the expression, i.e. a short string describing its purpose.
- Description string
- An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- expression String
- Textual representation of an expression in Common Expression Language syntax.
- title String
- A title for the expression, i.e. a short string describing its purpose.
- description String
- An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- expression string
- Textual representation of an expression in Common Expression Language syntax.
- title string
- A title for the expression, i.e. a short string describing its purpose.
- description string
- An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- expression str
- Textual representation of an expression in Common Expression Language syntax.
- title str
- A title for the expression, i.e. a short string describing its purpose.
- description str
- An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- expression String
- Textual representation of an expression in Common Expression Language syntax.
- title String
- A title for the expression, i.e. a short string describing its purpose.
- description String
- An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
google-betaTerraform Provider.