Google Cloud v8.26.0 published on Thursday, Apr 10, 2025 by Pulumi

gcp.accesscontextmanager.GcpUserAccessBinding


Restricts access to Cloud Console and Google Cloud APIs for a set of users using Context-Aware Access.

To get more information about GcpUserAccessBinding, see:

Example Usage

Access Context Manager Gcp User Access Binding Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as std from "@pulumi/std";

// Cloud Identity group whose members will be subject to the access binding below.
const group = new gcp.cloudidentity.Group("group", {
    displayName: "my-identity-group",
    parent: "customers/A01b123xz",
    groupKey: {
        id: "my-identity-group@example.com",
    },
    labels: {
        "cloudidentity.googleapis.com/groups.discussion_forum": "",
    },
});
// Organization-level Access Context Manager policy that owns the access level.
const access_policy = new gcp.accesscontextmanager.AccessPolicy("access-policy", {
    parent: "organizations/123456789",
    title: "my policy",
});
// Access level with a single condition: a device policy (screen lock required,
// OS type DESKTOP_CHROME_OS) plus a region list containing only "US".
// NOTE(review): the title "chromeos_no_lock" reads as if no lock were required,
// yet requireScreenLock is true; a title that matches the policy avoids misreading.
const accessLevelIdForUserAccessBinding = new gcp.accesscontextmanager.AccessLevel("access_level_id_for_user_access_binding", {
    parent: pulumi.interpolate`accessPolicies/${access_policy.name}`,
    name: pulumi.interpolate`accessPolicies/${access_policy.name}/accessLevels/chromeos_no_lock`,
    title: "chromeos_no_lock",
    basic: {
        conditions: [{
            devicePolicy: {
                requireScreenLock: true,
                osConstraints: [{
                    osType: "DESKTOP_CHROME_OS",
                }],
            },
            regions: ["US"],
        }],
    },
});
// Binds the group to the access level for the organization.
// groupKey is the group's resource id with the "groups/" prefix removed; per the
// property reference on this page it must be the Google Group id, not an email
// address or alias. accessLevels takes exactly one access level name.
const gcpUserAccessBinding = new gcp.accesscontextmanager.GcpUserAccessBinding("gcp_user_access_binding", {
    organizationId: "123456789",
    groupKey: std.trimprefixOutput({
        input: group.id,
        prefix: "groups/",
    }).apply(invoke => invoke.result),
    accessLevels: accessLevelIdForUserAccessBinding.name,
});
import pulumi
import pulumi_gcp as gcp
import pulumi_std as std

# Cloud Identity group whose members will be subject to the access binding below.
group = gcp.cloudidentity.Group("group",
    display_name="my-identity-group",
    parent="customers/A01b123xz",
    group_key={
        "id": "my-identity-group@example.com",
    },
    labels={
        "cloudidentity.googleapis.com/groups.discussion_forum": "",
    })
# Organization-level Access Context Manager policy that owns the access level.
access_policy = gcp.accesscontextmanager.AccessPolicy("access-policy",
    parent="organizations/123456789",
    title="my policy")
# Access level with a single condition: a device policy (screen lock required,
# OS type DESKTOP_CHROME_OS) plus a region list containing only "US".
# NOTE(review): the title "chromeos_no_lock" reads as if no lock were required,
# yet require_screen_lock is True; a title that matches the policy avoids misreading.
access_level_id_for_user_access_binding = gcp.accesscontextmanager.AccessLevel("access_level_id_for_user_access_binding",
    parent=access_policy.name.apply(lambda name: f"accessPolicies/{name}"),
    name=access_policy.name.apply(lambda name: f"accessPolicies/{name}/accessLevels/chromeos_no_lock"),
    title="chromeos_no_lock",
    basic={
        "conditions": [{
            "device_policy": {
                "require_screen_lock": True,
                "os_constraints": [{
                    "os_type": "DESKTOP_CHROME_OS",
                }],
            },
            "regions": ["US"],
        }],
    })
# Binds the group to the access level for the organization.
# group_key is the group's resource id with the "groups/" prefix removed; per the
# property reference on this page it must be the Google Group id, not an email
# address or alias. access_levels takes exactly one access level name.
gcp_user_access_binding = gcp.accesscontextmanager.GcpUserAccessBinding("gcp_user_access_binding",
    organization_id="123456789",
    group_key=std.trimprefix_output(input=group.id,
        prefix="groups/").apply(lambda invoke: invoke.result),
    access_levels=access_level_id_for_user_access_binding.name)
package main

import (
	"fmt"

	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/accesscontextmanager"
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/cloudidentity"
	"github.com/pulumi/pulumi-std/sdk/go/std"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

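// main runs a Pulumi program that declares a Cloud Identity group, an Access
// Context Manager policy with one access level, and a GcpUserAccessBinding that
// ties the group to that access level for the organization.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Group whose members become subject to the binding created below.
		group, err := cloudidentity.NewGroup(ctx, "group", &cloudidentity.GroupArgs{
			DisplayName: pulumi.String("my-identity-group"),
			Parent:      pulumi.String("customers/A01b123xz"),
			GroupKey: &cloudidentity.GroupGroupKeyArgs{
				Id: pulumi.String("my-identity-group@example.com"),
			},
			Labels: pulumi.StringMap{
				"cloudidentity.googleapis.com/groups.discussion_forum": pulumi.String(""),
			},
		})
		if err != nil {
			return err
		}
		// Organization-level policy that owns the access level.
		accessPolicy, err := accesscontextmanager.NewAccessPolicy(ctx, "access-policy", &accesscontextmanager.AccessPolicyArgs{
			Parent: pulumi.String("organizations/123456789"),
			Title:  pulumi.String("my policy"),
		})
		if err != nil {
			return err
		}
		// Access level with a single condition: a device policy (screen lock
		// required, OS type DESKTOP_CHROME_OS) plus a region list containing
		// only "US".
		// NOTE(review): the title "chromeos_no_lock" reads as if no lock were
		// required, yet RequireScreenLock is true; a title that matches the
		// policy avoids misreading.
		accessLevelIdForUserAccessBinding, err := accesscontextmanager.NewAccessLevel(ctx, "access_level_id_for_user_access_binding", &accesscontextmanager.AccessLevelArgs{
			Parent: accessPolicy.Name.ApplyT(func(name string) (string, error) {
				return fmt.Sprintf("accessPolicies/%v", name), nil
			}).(pulumi.StringOutput),
			Name: accessPolicy.Name.ApplyT(func(name string) (string, error) {
				return fmt.Sprintf("accessPolicies/%v/accessLevels/chromeos_no_lock", name), nil
			}).(pulumi.StringOutput),
			Title: pulumi.String("chromeos_no_lock"),
			Basic: &accesscontextmanager.AccessLevelBasicArgs{
				Conditions: accesscontextmanager.AccessLevelBasicConditionArray{
					&accesscontextmanager.AccessLevelBasicConditionArgs{
						DevicePolicy: &accesscontextmanager.AccessLevelBasicConditionDevicePolicyArgs{
							RequireScreenLock: pulumi.Bool(true),
							OsConstraints: accesscontextmanager.AccessLevelBasicConditionDevicePolicyOsConstraintArray{
								&accesscontextmanager.AccessLevelBasicConditionDevicePolicyOsConstraintArgs{
									OsType: pulumi.String("DESKTOP_CHROME_OS"),
								},
							},
						},
						Regions: pulumi.StringArray{
							pulumi.String("US"),
						},
					},
				},
			},
		})
		if err != nil {
			return err
		}
		// Bind the group to the access level for the organization. GroupKey is
		// the group's resource ID with the "groups/" prefix removed; per the
		// property reference on this page it must be the Google Group id, not
		// an email address or alias. AccessLevels takes exactly one access
		// level name.
		_, err = accesscontextmanager.NewGcpUserAccessBinding(ctx, "gcp_user_access_binding", &accesscontextmanager.GcpUserAccessBindingArgs{
			OrganizationId: pulumi.String("123456789"),
			// NOTE(review): pulumi.String is a string-based type, so wrapping a
			// StringPtrOutput in it is a type conversion that likely does not
			// compile; confirm against the SDK and pass an Output-typed value
			// here instead.
			GroupKey: pulumi.String(std.TrimprefixOutput(ctx, std.TrimprefixOutputArgs{
				Input:  group.ID(),
				Prefix: pulumi.String("groups/"),
			}, nil).ApplyT(func(invoke std.TrimprefixResult) (*string, error) {
				return invoke.Result, nil
			}).(pulumi.StringPtrOutput)),
			AccessLevels: accessLevelIdForUserAccessBinding.Name,
		})
		// The binding is the last resource, so its error is the program result.
		return err
	})
}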
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Std = Pulumi.Std;

// Pulumi program: declares a Cloud Identity group, an access policy with one
// access level, and a GcpUserAccessBinding tying the group to that level.
return await Deployment.RunAsync(() => 
{
    // Group whose members become subject to the binding created below.
    var @group = new Gcp.CloudIdentity.Group("group", new()
    {
        DisplayName = "my-identity-group",
        Parent = "customers/A01b123xz",
        GroupKey = new Gcp.CloudIdentity.Inputs.GroupGroupKeyArgs
        {
            Id = "my-identity-group@example.com",
        },
        Labels = 
        {
            { "cloudidentity.googleapis.com/groups.discussion_forum", "" },
        },
    });

    // Organization-level policy that owns the access level.
    var access_policy = new Gcp.AccessContextManager.AccessPolicy("access-policy", new()
    {
        Parent = "organizations/123456789",
        Title = "my policy",
    });

    // Access level with a single condition: a device policy (screen lock required,
    // OS type DESKTOP_CHROME_OS) plus a region list containing only "US".
    // NOTE(review): the title "chromeos_no_lock" reads as if no lock were required,
    // yet RequireScreenLock is true; a title that matches the policy avoids misreading.
    var accessLevelIdForUserAccessBinding = new Gcp.AccessContextManager.AccessLevel("access_level_id_for_user_access_binding", new()
    {
        Parent = access_policy.Name.Apply(name => $"accessPolicies/{name}"),
        Name = access_policy.Name.Apply(name => $"accessPolicies/{name}/accessLevels/chromeos_no_lock"),
        Title = "chromeos_no_lock",
        Basic = new Gcp.AccessContextManager.Inputs.AccessLevelBasicArgs
        {
            Conditions = new[]
            {
                new Gcp.AccessContextManager.Inputs.AccessLevelBasicConditionArgs
                {
                    DevicePolicy = new Gcp.AccessContextManager.Inputs.AccessLevelBasicConditionDevicePolicyArgs
                    {
                        RequireScreenLock = true,
                        OsConstraints = new[]
                        {
                            new Gcp.AccessContextManager.Inputs.AccessLevelBasicConditionDevicePolicyOsConstraintArgs
                            {
                                OsType = "DESKTOP_CHROME_OS",
                            },
                        },
                    },
                    Regions = new[]
                    {
                        "US",
                    },
                },
            },
        },
    });

    // Binds the group to the access level for the organization.
    // GroupKey is the group's resource id with the "groups/" prefix removed; per the
    // property reference on this page it must be the Google Group id, not an email
    // address or alias. AccessLevels takes exactly one access level name.
    var gcpUserAccessBinding = new Gcp.AccessContextManager.GcpUserAccessBinding("gcp_user_access_binding", new()
    {
        OrganizationId = "123456789",
        GroupKey = Std.Trimprefix.Invoke(new()
        {
            Input = @group.Id,
            Prefix = "groups/",
        }).Apply(invoke => invoke.Result),
        AccessLevels = accessLevelIdForUserAccessBinding.Name,
    });

});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.cloudidentity.Group;
import com.pulumi.gcp.cloudidentity.GroupArgs;
import com.pulumi.gcp.cloudidentity.inputs.GroupGroupKeyArgs;
import com.pulumi.gcp.accesscontextmanager.AccessPolicy;
import com.pulumi.gcp.accesscontextmanager.AccessPolicyArgs;
import com.pulumi.gcp.accesscontextmanager.AccessLevel;
import com.pulumi.gcp.accesscontextmanager.AccessLevelArgs;
import com.pulumi.gcp.accesscontextmanager.inputs.AccessLevelBasicArgs;
import com.pulumi.gcp.accesscontextmanager.GcpUserAccessBinding;
import com.pulumi.gcp.accesscontextmanager.GcpUserAccessBindingArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.TrimprefixArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program that declares a Cloud Identity group, an access policy with
 * one access level, and a GcpUserAccessBinding tying the group to that level.
 */
public class App {
    /** Entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the resources of the stack.
     *
     * @param ctx the Pulumi deployment context (not read by this method)
     */
    public static void stack(Context ctx) {
        // Group whose members become subject to the binding created below.
        var group = new Group("group", GroupArgs.builder()
            .displayName("my-identity-group")
            .parent("customers/A01b123xz")
            .groupKey(GroupGroupKeyArgs.builder()
                .id("my-identity-group@example.com")
                .build())
            .labels(Map.of("cloudidentity.googleapis.com/groups.discussion_forum", ""))
            .build());

        // Organization-level policy that owns the access level.
        var access_policy = new AccessPolicy("access-policy", AccessPolicyArgs.builder()
            .parent("organizations/123456789")
            .title("my policy")
            .build());

        // Access level with a single condition: a device policy (screen lock required,
        // OS type DESKTOP_CHROME_OS) plus the region "US".
        // NOTE(review): the title "chromeos_no_lock" reads as if no lock were required,
        // yet requireScreenLock is true; a title that matches the policy avoids misreading.
        // NOTE(review): AccessLevelBasicConditionArgs, AccessLevelBasicConditionDevicePolicyArgs
        // and AccessLevelBasicConditionDevicePolicyOsConstraintArgs are used here but are not
        // in this file's import list; presumably they need imports alongside
        // AccessLevelBasicArgs -- confirm.
        var accessLevelIdForUserAccessBinding = new AccessLevel("accessLevelIdForUserAccessBinding", AccessLevelArgs.builder()
            .parent(access_policy.name().applyValue(_name -> String.format("accessPolicies/%s", _name)))
            .name(access_policy.name().applyValue(_name -> String.format("accessPolicies/%s/accessLevels/chromeos_no_lock", _name)))
            .title("chromeos_no_lock")
            .basic(AccessLevelBasicArgs.builder()
                .conditions(AccessLevelBasicConditionArgs.builder()
                    .devicePolicy(AccessLevelBasicConditionDevicePolicyArgs.builder()
                        .requireScreenLock(true)
                        .osConstraints(AccessLevelBasicConditionDevicePolicyOsConstraintArgs.builder()
                            .osType("DESKTOP_CHROME_OS")
                            .build())
                        .build())
                    .regions("US")
                    .build())
                .build())
            .build());

        // Binds the group to the access level for the organization.
        // groupKey is the group's resource id with the "groups/" prefix removed; per the
        // property reference on this page it must be the Google Group id, not an email
        // address or alias. accessLevels takes exactly one access level name.
        var gcpUserAccessBinding = new GcpUserAccessBinding("gcpUserAccessBinding", GcpUserAccessBindingArgs.builder()
            .organizationId("123456789")
            .groupKey(StdFunctions.trimprefix(TrimprefixArgs.builder()
                .input(group.id())
                .prefix("groups/")
                .build()).applyValue(_invoke -> _invoke.result()))
            .accessLevels(accessLevelIdForUserAccessBinding.name())
            .build());

    }
}
resources:
  # Cloud Identity group whose members become subject to the binding below.
  group:
    type: gcp:cloudidentity:Group
    properties:
      displayName: my-identity-group
      parent: customers/A01b123xz
      groupKey:
        id: my-identity-group@example.com
      labels:
        cloudidentity.googleapis.com/groups.discussion_forum: ""
  # Access level with a single condition: a device policy (screen lock required,
  # OS type DESKTOP_CHROME_OS) plus a region list containing only US.
  # NOTE(review): the title "chromeos_no_lock" reads as if no lock were required,
  # yet requireScreenLock is true; a title that matches the policy avoids misreading.
  accessLevelIdForUserAccessBinding:
    type: gcp:accesscontextmanager:AccessLevel
    name: access_level_id_for_user_access_binding
    properties:
      parent: accessPolicies/${["access-policy"].name}
      name: accessPolicies/${["access-policy"].name}/accessLevels/chromeos_no_lock
      title: chromeos_no_lock
      basic:
        conditions:
          - devicePolicy:
              requireScreenLock: true
              osConstraints:
                - osType: DESKTOP_CHROME_OS
            regions:
              - US
  # Organization-level policy that owns the access level.
  access-policy:
    type: gcp:accesscontextmanager:AccessPolicy
    properties:
      parent: organizations/123456789
      title: my policy
  # Binds the group to the access level for the organization.
  # groupKey is the group's resource id with the "groups/" prefix removed; per the
  # property reference on this page it must be the Google Group id, not an email
  # address or alias. accessLevels takes exactly one access level name.
  gcpUserAccessBinding:
    type: gcp:accesscontextmanager:GcpUserAccessBinding
    name: gcp_user_access_binding
    properties:
      organizationId: '123456789'
      groupKey:
        fn::invoke:
          function: std:trimprefix
          arguments:
            input: ${group.id}
            prefix: groups/
          return: result
      accessLevels: ${accessLevelIdForUserAccessBinding.name}

Create GcpUserAccessBinding Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new GcpUserAccessBinding(name: string, args: GcpUserAccessBindingArgs, opts?: CustomResourceOptions);
@overload
def GcpUserAccessBinding(resource_name: str,
                         args: GcpUserAccessBindingArgs,
                         opts: Optional[ResourceOptions] = None)

@overload
def GcpUserAccessBinding(resource_name: str,
                         opts: Optional[ResourceOptions] = None,
                         group_key: Optional[str] = None,
                         organization_id: Optional[str] = None,
                         access_levels: Optional[str] = None,
                         session_settings: Optional[GcpUserAccessBindingSessionSettingsArgs] = None)
func NewGcpUserAccessBinding(ctx *Context, name string, args GcpUserAccessBindingArgs, opts ...ResourceOption) (*GcpUserAccessBinding, error)
public GcpUserAccessBinding(string name, GcpUserAccessBindingArgs args, CustomResourceOptions? opts = null)
public GcpUserAccessBinding(String name, GcpUserAccessBindingArgs args)
public GcpUserAccessBinding(String name, GcpUserAccessBindingArgs args, CustomResourceOptions options)
type: gcp:accesscontextmanager:GcpUserAccessBinding
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name This property is required. string
The unique name of the resource.
args This property is required. GcpUserAccessBindingArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name This property is required. str
The unique name of the resource.
args This property is required. GcpUserAccessBindingArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name This property is required. string
The unique name of the resource.
args This property is required. GcpUserAccessBindingArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name This property is required. string
The unique name of the resource.
args This property is required. GcpUserAccessBindingArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name This property is required. String
The unique name of the resource.
args This property is required. GcpUserAccessBindingArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

// Reference template: every value below is a placeholder to be replaced.
// GroupKey (a Google Group id, not an email address) and OrganizationId are
// required, and changing either triggers replacement of the binding.
// AccessLevels is optional and takes exactly one access level name.
var gcpUserAccessBindingResource = new Gcp.AccessContextManager.GcpUserAccessBinding("gcpUserAccessBindingResource", new()
{
    GroupKey = "string",
    OrganizationId = "string",
    AccessLevels = "string",
    SessionSettings = new Gcp.AccessContextManager.Inputs.GcpUserAccessBindingSessionSettingsArgs
    {
        MaxInactivity = "string",
        SessionLength = "string",
        SessionLengthEnabled = false,
        SessionReauthMethod = "string",
        UseOidcMaxAge = false,
    },
});
// Reference template: every value below is a placeholder to be replaced.
// GroupKey (a Google Group id, not an email address) and OrganizationId are
// required, and changing either triggers replacement of the binding.
// AccessLevels is optional and takes exactly one access level name.
example, err := accesscontextmanager.NewGcpUserAccessBinding(ctx, "gcpUserAccessBindingResource", &accesscontextmanager.GcpUserAccessBindingArgs{
	GroupKey:       pulumi.String("string"),
	OrganizationId: pulumi.String("string"),
	AccessLevels:   pulumi.String("string"),
	SessionSettings: &accesscontextmanager.GcpUserAccessBindingSessionSettingsArgs{
		MaxInactivity:        pulumi.String("string"),
		SessionLength:        pulumi.String("string"),
		SessionLengthEnabled: pulumi.Bool(false),
		SessionReauthMethod:  pulumi.String("string"),
		UseOidcMaxAge:        pulumi.Bool(false),
	},
})
// Reference template: every value below is a placeholder to be replaced.
// groupKey (a Google Group id, not an email address) and organizationId are
// required, and changing either triggers replacement of the binding.
// accessLevels is optional and takes exactly one access level name.
var gcpUserAccessBindingResource = new GcpUserAccessBinding("gcpUserAccessBindingResource", GcpUserAccessBindingArgs.builder()
    .groupKey("string")
    .organizationId("string")
    .accessLevels("string")
    .sessionSettings(GcpUserAccessBindingSessionSettingsArgs.builder()
        .maxInactivity("string")
        .sessionLength("string")
        .sessionLengthEnabled(false)
        .sessionReauthMethod("string")
        .useOidcMaxAge(false)
        .build())
    .build());
# Reference template: every value below is a placeholder to be replaced.
# group_key (a Google Group id, not an email address) and organization_id are
# required, and changing either triggers replacement of the binding.
# access_levels is optional and takes exactly one access level name.
gcp_user_access_binding_resource = gcp.accesscontextmanager.GcpUserAccessBinding("gcpUserAccessBindingResource",
    group_key="string",
    organization_id="string",
    access_levels="string",
    session_settings={
        "max_inactivity": "string",
        "session_length": "string",
        "session_length_enabled": False,
        "session_reauth_method": "string",
        "use_oidc_max_age": False,
    })
// Reference template: every value below is a placeholder to be replaced.
// groupKey (a Google Group id, not an email address) and organizationId are
// required, and changing either triggers replacement of the binding.
// accessLevels is optional and takes exactly one access level name.
const gcpUserAccessBindingResource = new gcp.accesscontextmanager.GcpUserAccessBinding("gcpUserAccessBindingResource", {
    groupKey: "string",
    organizationId: "string",
    accessLevels: "string",
    sessionSettings: {
        maxInactivity: "string",
        sessionLength: "string",
        sessionLengthEnabled: false,
        sessionReauthMethod: "string",
        useOidcMaxAge: false,
    },
});
# Reference template: every value below is a placeholder to be replaced.
# groupKey (a Google Group id, not an email address) and organizationId are
# required, and changing either triggers replacement of the binding.
# accessLevels is optional and takes exactly one access level name.
type: gcp:accesscontextmanager:GcpUserAccessBinding
properties:
    accessLevels: string
    groupKey: string
    organizationId: string
    sessionSettings:
        maxInactivity: string
        sessionLength: string
        sessionLengthEnabled: false
        sessionReauthMethod: string
        useOidcMaxAge: false

GcpUserAccessBinding Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The GcpUserAccessBinding resource accepts the following input properties:

GroupKey
This property is required.
Changes to this property will trigger replacement.
string
Required. Immutable. Google Group id whose members are subject to this binding's restrictions. See "id" in the G Suite Directory API's Groups resource. If a group's email address/alias is changed, this resource will continue to point at the changed group. This field does not accept group email addresses or aliases. Example: "01d520gv4vjcrht"
OrganizationId
This property is required.
Changes to this property will trigger replacement.
string
Required. ID of the parent organization.


AccessLevels string
Optional. Access level that a user must have to be granted access. Only one access level is supported, not multiple. This repeated field must have exactly one element. Example: "accessPolicies/9522/accessLevels/device_trusted"
SessionSettings GcpUserAccessBindingSessionSettings
Optional. The Google Cloud session length (GCSL) policy for the group key. Structure is documented below.
GroupKey
This property is required.
Changes to this property will trigger replacement.
string
Required. Immutable. Google Group id whose members are subject to this binding's restrictions. See "id" in the G Suite Directory API's Groups resource. If a group's email address/alias is changed, this resource will continue to point at the changed group. This field does not accept group email addresses or aliases. Example: "01d520gv4vjcrht"
OrganizationId
This property is required.
Changes to this property will trigger replacement.
string
Required. ID of the parent organization.


AccessLevels string
Optional. Access level that a user must have to be granted access. Only one access level is supported, not multiple. This repeated field must have exactly one element. Example: "accessPolicies/9522/accessLevels/device_trusted"
SessionSettings GcpUserAccessBindingSessionSettingsArgs
Optional. The Google Cloud session length (GCSL) policy for the group key. Structure is documented below.
groupKey
This property is required.
Changes to this property will trigger replacement.
String
Required. Immutable. Google Group id whose members are subject to this binding's restrictions. See "id" in the G Suite Directory API's Groups resource. If a group's email address/alias is changed, this resource will continue to point at the changed group. This field does not accept group email addresses or aliases. Example: "01d520gv4vjcrht"
organizationId
This property is required.
Changes to this property will trigger replacement.
String
Required. ID of the parent organization.


accessLevels String
Optional. Access level that a user must have to be granted access. Only one access level is supported, not multiple. This repeated field must have exactly one element. Example: "accessPolicies/9522/accessLevels/device_trusted"
sessionSettings GcpUserAccessBindingSessionSettings
Optional. The Google Cloud session length (GCSL) policy for the group key. Structure is documented below.
groupKey
This property is required.
Changes to this property will trigger replacement.
string
Required. Immutable. Google Group id whose members are subject to this binding's restrictions. See "id" in the G Suite Directory API's Groups resource. If a group's email address/alias is changed, this resource will continue to point at the changed group. This field does not accept group email addresses or aliases. Example: "01d520gv4vjcrht"
organizationId
This property is required.
Changes to this property will trigger replacement.
string
Required. ID of the parent organization.


accessLevels string
Optional. Access level that a user must have to be granted access. Only one access level is supported, not multiple. This repeated field must have exactly one element. Example: "accessPolicies/9522/accessLevels/device_trusted"
sessionSettings GcpUserAccessBindingSessionSettings
Optional. The Google Cloud session length (GCSL) policy for the group key. Structure is documented below.
group_key
This property is required.
Changes to this property will trigger replacement.
str
Required. Immutable. Google Group id whose members are subject to this binding's restrictions. See "id" in the G Suite Directory API's Groups resource. If a group's email address/alias is changed, this resource will continue to point at the changed group. This field does not accept group email addresses or aliases. Example: "01d520gv4vjcrht"
organization_id
This property is required.
Changes to this property will trigger replacement.
str
Required. ID of the parent organization.


access_levels str
Optional. Access level that a user must have to be granted access. Only one access level is supported, not multiple. This repeated field must have exactly one element. Example: "accessPolicies/9522/accessLevels/device_trusted"
session_settings GcpUserAccessBindingSessionSettingsArgs
Optional. The Google Cloud session length (GCSL) policy for the group key. Structure is documented below.
groupKey
This property is required.
Changes to this property will trigger replacement.
String
Required. Immutable. Google Group id whose members are subject to this binding's restrictions. See "id" in the G Suite Directory API's Groups resource. If a group's email address/alias is changed, this resource will continue to point at the changed group. This field does not accept group email addresses or aliases. Example: "01d520gv4vjcrht"
organizationId
This property is required.
Changes to this property will trigger replacement.
String
Required. ID of the parent organization.


accessLevels String
Optional. Access level that a user must have to be granted access. Only one access level is supported, not multiple. This repeated field must have exactly one element. Example: "accessPolicies/9522/accessLevels/device_trusted"
sessionSettings Property Map
Optional. The Google Cloud session length (GCSL) policy for the group key. Structure is documented below.

Outputs

All input properties are implicitly available as output properties. Additionally, the GcpUserAccessBinding resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
Name string
Immutable. Assigned by the server during creation. The last segment has an arbitrary length and has only URI unreserved characters (as defined by RFC 3986 Section 2.3). Should not be specified by the client during creation. Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N"
Id string
The provider-assigned unique ID for this managed resource.
Name string
Immutable. Assigned by the server during creation. The last segment has an arbitrary length and has only URI unreserved characters (as defined by RFC 3986 Section 2.3). Should not be specified by the client during creation. Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N"
id String
The provider-assigned unique ID for this managed resource.
name String
Immutable. Assigned by the server during creation. The last segment has an arbitrary length and has only URI unreserved characters (as defined by RFC 3986 Section 2.3). Should not be specified by the client during creation. Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N"
id string
The provider-assigned unique ID for this managed resource.
name string
Immutable. Assigned by the server during creation. The last segment has an arbitrary length and has only URI unreserved characters (as defined by RFC 3986 Section 2.3). Should not be specified by the client during creation. Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N"
id str
The provider-assigned unique ID for this managed resource.
name str
Immutable. Assigned by the server during creation. The last segment has an arbitrary length and has only URI unreserved characters (as defined by RFC 3986 Section 2.3). Should not be specified by the client during creation. Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N"
id String
The provider-assigned unique ID for this managed resource.
name String
Immutable. Assigned by the server during creation. The last segment has an arbitrary length and has only URI unreserved characters (as defined by RFC 3986 Section 2.3). Should not be specified by the client during creation. Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N"

Look up Existing GcpUserAccessBinding Resource

Get an existing GcpUserAccessBinding resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: GcpUserAccessBindingState, opts?: CustomResourceOptions): GcpUserAccessBinding
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        access_levels: Optional[str] = None,
        group_key: Optional[str] = None,
        name: Optional[str] = None,
        organization_id: Optional[str] = None,
        session_settings: Optional[GcpUserAccessBindingSessionSettingsArgs] = None) -> GcpUserAccessBinding
func GetGcpUserAccessBinding(ctx *Context, name string, id IDInput, state *GcpUserAccessBindingState, opts ...ResourceOption) (*GcpUserAccessBinding, error)
public static GcpUserAccessBinding Get(string name, Input<string> id, GcpUserAccessBindingState? state, CustomResourceOptions? opts = null)
public static GcpUserAccessBinding get(String name, Output<String> id, GcpUserAccessBindingState state, CustomResourceOptions options)
resources:
  _:
    type: gcp:accesscontextmanager:GcpUserAccessBinding
    get:
      id: ${id}
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AccessLevels string
Optional. Access level that a user must have to be granted access. Only one access level is supported, not multiple. This repeated field must have exactly one element. Example: "accessPolicies/9522/accessLevels/device_trusted"
GroupKey Changes to this property will trigger replacement. string
Required. Immutable. Google Group id whose members are subject to this binding's restrictions. See "id" in the G Suite Directory API's Groups resource. If a group's email address/alias is changed, this resource will continue to point at the changed group. This field does not accept group email addresses or aliases. Example: "01d520gv4vjcrht"
Name string
Immutable. Assigned by the server during creation. The last segment has an arbitrary length and has only URI unreserved characters (as defined by RFC 3986 Section 2.3). Should not be specified by the client during creation. Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N"
OrganizationId Changes to this property will trigger replacement. string
Required. ID of the parent organization.


SessionSettings GcpUserAccessBindingSessionSettings
Optional. The Google Cloud session length (GCSL) policy for the group key. Structure is documented below.
AccessLevels string
Optional. Access level that a user must have to be granted access. Only one access level is supported, not multiple. This repeated field must have exactly one element. Example: "accessPolicies/9522/accessLevels/device_trusted"
GroupKey Changes to this property will trigger replacement. string
Required. Immutable. Google Group id whose members are subject to this binding's restrictions. See "id" in the G Suite Directory API's Groups resource. If a group's email address/alias is changed, this resource will continue to point at the changed group. This field does not accept group email addresses or aliases. Example: "01d520gv4vjcrht"
Name string
Immutable. Assigned by the server during creation. The last segment has an arbitrary length and has only URI unreserved characters (as defined by RFC 3986 Section 2.3). Should not be specified by the client during creation. Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N"
OrganizationId Changes to this property will trigger replacement. string
Required. ID of the parent organization.


SessionSettings GcpUserAccessBindingSessionSettingsArgs
Optional. The Google Cloud session length (GCSL) policy for the group key. Structure is documented below.
accessLevels String
Optional. Access level that a user must have to be granted access. Only one access level is supported, not multiple. This repeated field must have exactly one element. Example: "accessPolicies/9522/accessLevels/device_trusted"
groupKey Changes to this property will trigger replacement. String
Required. Immutable. Google Group id whose members are subject to this binding's restrictions. See "id" in the G Suite Directory API's Groups resource. If a group's email address/alias is changed, this resource will continue to point at the changed group. This field does not accept group email addresses or aliases. Example: "01d520gv4vjcrht"
name String
Immutable. Assigned by the server during creation. The last segment has an arbitrary length and has only URI unreserved characters (as defined by RFC 3986 Section 2.3). Should not be specified by the client during creation. Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N"
organizationId Changes to this property will trigger replacement. String
Required. ID of the parent organization.


sessionSettings GcpUserAccessBindingSessionSettings
Optional. The Google Cloud session length (GCSL) policy for the group key. Structure is documented below.
accessLevels string
Optional. Access level that a user must have to be granted access. Only one access level is supported, not multiple. This repeated field must have exactly one element. Example: "accessPolicies/9522/accessLevels/device_trusted"
groupKey Changes to this property will trigger replacement. string
Required. Immutable. Google Group id whose members are subject to this binding's restrictions. See "id" in the G Suite Directory API's Groups resource. If a group's email address/alias is changed, this resource will continue to point at the changed group. This field does not accept group email addresses or aliases. Example: "01d520gv4vjcrht"
name string
Immutable. Assigned by the server during creation. The last segment has an arbitrary length and has only URI unreserved characters (as defined by RFC 3986 Section 2.3). Should not be specified by the client during creation. Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N"
organizationId Changes to this property will trigger replacement. string
Required. ID of the parent organization.


sessionSettings GcpUserAccessBindingSessionSettings
Optional. The Google Cloud session length (GCSL) policy for the group key. Structure is documented below.
access_levels str
Optional. Access level that a user must have to be granted access. Only one access level is supported, not multiple. This repeated field must have exactly one element. Example: "accessPolicies/9522/accessLevels/device_trusted"
group_key Changes to this property will trigger replacement. str
Required. Immutable. Google Group id whose members are subject to this binding's restrictions. See "id" in the G Suite Directory API's Groups resource. If a group's email address/alias is changed, this resource will continue to point at the changed group. This field does not accept group email addresses or aliases. Example: "01d520gv4vjcrht"
name str
Immutable. Assigned by the server during creation. The last segment has an arbitrary length and has only URI unreserved characters (as defined by RFC 3986 Section 2.3). Should not be specified by the client during creation. Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N"
organization_id Changes to this property will trigger replacement. str
Required. ID of the parent organization.


session_settings GcpUserAccessBindingSessionSettingsArgs
Optional. The Google Cloud session length (GCSL) policy for the group key. Structure is documented below.
accessLevels String
Optional. Access level that a user must have to be granted access. Only one access level is supported, not multiple. This repeated field must have exactly one element. Example: "accessPolicies/9522/accessLevels/device_trusted"
groupKey Changes to this property will trigger replacement. String
Required. Immutable. Google Group id whose members are subject to this binding's restrictions. See "id" in the G Suite Directory API's Groups resource. If a group's email address/alias is changed, this resource will continue to point at the changed group. This field does not accept group email addresses or aliases. Example: "01d520gv4vjcrht"
name String
Immutable. Assigned by the server during creation. The last segment has an arbitrary length and has only URI unreserved characters (as defined by RFC 3986 Section 2.3). Should not be specified by the client during creation. Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N"
organizationId Changes to this property will trigger replacement. String
Required. ID of the parent organization.


sessionSettings Property Map
Optional. The Google Cloud session length (GCSL) policy for the group key. Structure is documented below.

Supporting Types

GcpUserAccessBindingSessionSettings, GcpUserAccessBindingSessionSettingsArgs

MaxInactivity string
Optional. How long a user is allowed to take between actions before a new access token must be issued. Only set for Google Cloud apps.
SessionLength string
Optional. The session length. Setting this field to zero is equivalent to disabling session. An infinite session can also be set by setting SessionLengthEnabled to false. If useOidcMaxAge is true, for OIDC apps, the session length will be the minimum of this field and the OIDC max_age param.
SessionLengthEnabled bool
Optional. This field enables or disables Google Cloud session length. When false, all fields set above are disregarded and the session length is effectively infinite, so the re-authentication challenge tied to session expiry is never triggered.
SessionReauthMethod string
Optional. The session challenges proposed to users when the Google Cloud session length is up. Possible values are: LOGIN, SECURITY_KEY, PASSWORD.
UseOidcMaxAge bool
Optional. Only useful for OIDC apps. When false, the OIDC max_age param, if passed in the authentication request will be ignored. When true, the re-auth period will be the minimum of the sessionLength field and the max_age OIDC param.
MaxInactivity string
Optional. How long a user is allowed to take between actions before a new access token must be issued. Only set for Google Cloud apps.
SessionLength string
Optional. The session length. Setting this field to zero is equivalent to disabling session. An infinite session can also be set by setting SessionLengthEnabled to false. If useOidcMaxAge is true, for OIDC apps, the session length will be the minimum of this field and the OIDC max_age param.
SessionLengthEnabled bool
Optional. This field enables or disables Google Cloud session length. When false, all fields set above are disregarded and the session length is effectively infinite, so the re-authentication challenge tied to session expiry is never triggered.
SessionReauthMethod string
Optional. The session challenges proposed to users when the Google Cloud session length is up. Possible values are: LOGIN, SECURITY_KEY, PASSWORD.
UseOidcMaxAge bool
Optional. Only useful for OIDC apps. When false, the OIDC max_age param, if passed in the authentication request will be ignored. When true, the re-auth period will be the minimum of the sessionLength field and the max_age OIDC param.
maxInactivity String
Optional. How long a user is allowed to take between actions before a new access token must be issued. Only set for Google Cloud apps.
sessionLength String
Optional. The session length. Setting this field to zero is equivalent to disabling session. An infinite session can also be set by setting sessionLengthEnabled to false. If useOidcMaxAge is true, for OIDC apps, the session length will be the minimum of this field and the OIDC max_age param.
sessionLengthEnabled Boolean
Optional. This field enables or disables Google Cloud session length. When false, all fields set above are disregarded and the session length is effectively infinite, so the re-authentication challenge tied to session expiry is never triggered.
sessionReauthMethod String
Optional. The session challenges proposed to users when the Google Cloud session length is up. Possible values are: LOGIN, SECURITY_KEY, PASSWORD.
useOidcMaxAge Boolean
Optional. Only useful for OIDC apps. When false, the OIDC max_age param, if passed in the authentication request will be ignored. When true, the re-auth period will be the minimum of the sessionLength field and the max_age OIDC param.
maxInactivity string
Optional. How long a user is allowed to take between actions before a new access token must be issued. Only set for Google Cloud apps.
sessionLength string
Optional. The session length. Setting this field to zero is equivalent to disabling session. An infinite session can also be set by setting sessionLengthEnabled to false. If useOidcMaxAge is true, for OIDC apps, the session length will be the minimum of this field and the OIDC max_age param.
sessionLengthEnabled boolean
Optional. This field enables or disables Google Cloud session length. When false, all fields set above are disregarded and the session length is effectively infinite, so the re-authentication challenge tied to session expiry is never triggered.
sessionReauthMethod string
Optional. The session challenges proposed to users when the Google Cloud session length is up. Possible values are: LOGIN, SECURITY_KEY, PASSWORD.
useOidcMaxAge boolean
Optional. Only useful for OIDC apps. When false, the OIDC max_age param, if passed in the authentication request will be ignored. When true, the re-auth period will be the minimum of the sessionLength field and the max_age OIDC param.
max_inactivity str
Optional. How long a user is allowed to take between actions before a new access token must be issued. Only set for Google Cloud apps.
session_length str
Optional. The session length. Setting this field to zero is equivalent to disabling session. An infinite session can also be set by setting session_length_enabled to false. If useOidcMaxAge is true, for OIDC apps, the session length will be the minimum of this field and the OIDC max_age param.
session_length_enabled bool
Optional. This field enables or disables Google Cloud session length. When false, all fields set above are disregarded and the session length is effectively infinite, so the re-authentication challenge tied to session expiry is never triggered.
session_reauth_method str
Optional. The session challenges proposed to users when the Google Cloud session length is up. Possible values are: LOGIN, SECURITY_KEY, PASSWORD.
use_oidc_max_age bool
Optional. Only useful for OIDC apps. When false, the OIDC max_age param, if passed in the authentication request will be ignored. When true, the re-auth period will be the minimum of the sessionLength field and the max_age OIDC param.
maxInactivity String
Optional. How long a user is allowed to take between actions before a new access token must be issued. Only set for Google Cloud apps.
sessionLength String
Optional. The session length. Setting this field to zero is equivalent to disabling session. An infinite session can also be set by setting sessionLengthEnabled to false. If useOidcMaxAge is true, for OIDC apps, the session length will be the minimum of this field and the OIDC max_age param.
sessionLengthEnabled Boolean
Optional. This field enables or disables Google Cloud session length. When false, all fields set above are disregarded and the session length is effectively infinite, so the re-authentication challenge tied to session expiry is never triggered.
sessionReauthMethod String
Optional. The session challenges proposed to users when the Google Cloud session length is up. Possible values are: LOGIN, SECURITY_KEY, PASSWORD.
useOidcMaxAge Boolean
Optional. Only useful for OIDC apps. When false, the OIDC max_age param, if passed in the authentication request will be ignored. When true, the re-auth period will be the minimum of the sessionLength field and the max_age OIDC param.

Import

GcpUserAccessBinding can be imported using any of these accepted formats:

  • {{name}}

When using the pulumi import command, GcpUserAccessBinding can be imported using one of the formats above. For example:

$ pulumi import gcp:accesscontextmanager/gcpUserAccessBinding:GcpUserAccessBinding default {{name}}

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository
Google Cloud (GCP) Classic pulumi/pulumi-gcp
License
Apache-2.0
Notes
This Pulumi package is based on the google-beta Terraform Provider.