Google Cloud v8.26.0, Apr 10 25

Google Cloud v8.26.0 published on Thursday, Apr 10, 2025 by Pulumi

gcp.iam.PrincipalAccessBoundaryPolicy

Explore with Pulumi AI

Google Cloud v8.26.0 published on Thursday, Apr 10, 2025 by Pulumi

pulumi/pulumi-gcp

Example Usage
Iam Principal Access Boundary Policy
Iam Organizations Policy Binding
Create PrincipalAccessBoundaryPolicy Resource
Constructor syntax
Constructor example
PrincipalAccessBoundaryPolicy Resource Properties
Inputs
Outputs
Look up Existing PrincipalAccessBoundaryPolicy Resource
Supporting Types
Import
Package Details

Request a Change

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const pab_policy_for_org = new gcp.iam.PrincipalAccessBoundaryPolicy("pab-policy-for-org", {
    organization: "123456789",
    location: "global",
    displayName: "PAB policy for Organization",
    principalAccessBoundaryPolicyId: "pab-policy-for-org",
});

import pulumi
import pulumi_gcp as gcp

pab_policy_for_org = gcp.iam.PrincipalAccessBoundaryPolicy("pab-policy-for-org",
    organization="123456789",
    location="global",
    display_name="PAB policy for Organization",
    principal_access_boundary_policy_id="pab-policy-for-org")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iam.NewPrincipalAccessBoundaryPolicy(ctx, "pab-policy-for-org", &iam.PrincipalAccessBoundaryPolicyArgs{
			Organization:                    pulumi.String("123456789"),
			Location:                        pulumi.String("global"),
			DisplayName:                     pulumi.String("PAB policy for Organization"),
			PrincipalAccessBoundaryPolicyId: pulumi.String("pab-policy-for-org"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var pab_policy_for_org = new Gcp.Iam.PrincipalAccessBoundaryPolicy("pab-policy-for-org", new()
    {
        Organization = "123456789",
        Location = "global",
        DisplayName = "PAB policy for Organization",
        PrincipalAccessBoundaryPolicyId = "pab-policy-for-org",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.PrincipalAccessBoundaryPolicy;
import com.pulumi.gcp.iam.PrincipalAccessBoundaryPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var pab_policy_for_org = new PrincipalAccessBoundaryPolicy("pab-policy-for-org", PrincipalAccessBoundaryPolicyArgs.builder()
            .organization("123456789")
            .location("global")
            .displayName("PAB policy for Organization")
            .principalAccessBoundaryPolicyId("pab-policy-for-org")
            .build());

    }
}

resources:
  pab-policy-for-org:
    type: gcp:iam:PrincipalAccessBoundaryPolicy
    properties:
      organization: '123456789'
      location: global
      displayName: PAB policy for Organization
      principalAccessBoundaryPolicyId: pab-policy-for-org

Iam Organizations Policy Binding

TypeScript
Python
Go
C#
Java
YAML

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as time from "@pulumi/time";

const pabPolicy = new gcp.iam.PrincipalAccessBoundaryPolicy("pab_policy", {
    organization: "123456789",
    location: "global",
    displayName: "Binding for all principals in the Organization",
    principalAccessBoundaryPolicyId: "my-pab-policy",
});
const wait60Seconds = new time.index.Sleep("wait_60_seconds", {createDuration: "60s"}, {
    dependsOn: [pabPolicy],
});
const my_pab_policy = new gcp.iam.OrganizationsPolicyBinding("my-pab-policy", {
    organization: "123456789",
    location: "global",
    displayName: "Binding for all principals in the Organization",
    policyKind: "PRINCIPAL_ACCESS_BOUNDARY",
    policyBindingId: "binding-for-all-org-principals",
    policy: pulumi.interpolate`organizations/123456789/locations/global/principalAccessBoundaryPolicies/${pabPolicy.principalAccessBoundaryPolicyId}`,
    target: {
        principalSet: "//cloudresourcemanager.googleapis.com/organizations/123456789",
    },
}, {
    dependsOn: [wait60Seconds],
});

import pulumi
import pulumi_gcp as gcp
import pulumi_time as time

pab_policy = gcp.iam.PrincipalAccessBoundaryPolicy("pab_policy",
    organization="123456789",
    location="global",
    display_name="Binding for all principals in the Organization",
    principal_access_boundary_policy_id="my-pab-policy")
wait60_seconds = time.index.Sleep("wait_60_seconds", create_duration=60s,
opts = pulumi.ResourceOptions(depends_on=[pab_policy]))
my_pab_policy = gcp.iam.OrganizationsPolicyBinding("my-pab-policy",
    organization="123456789",
    location="global",
    display_name="Binding for all principals in the Organization",
    policy_kind="PRINCIPAL_ACCESS_BOUNDARY",
    policy_binding_id="binding-for-all-org-principals",
    policy=pab_policy.principal_access_boundary_policy_id.apply(lambda principal_access_boundary_policy_id: f"organizations/123456789/locations/global/principalAccessBoundaryPolicies/{principal_access_boundary_policy_id}"),
    target={
        "principal_set": "//cloudresourcemanager.googleapis.com/organizations/123456789",
    },
    opts = pulumi.ResourceOptions(depends_on=[wait60_seconds]))

package main

import (
	"fmt"

	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
	"github.com/pulumi/pulumi-time/sdk/go/time"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		pabPolicy, err := iam.NewPrincipalAccessBoundaryPolicy(ctx, "pab_policy", &iam.PrincipalAccessBoundaryPolicyArgs{
			Organization:                    pulumi.String("123456789"),
			Location:                        pulumi.String("global"),
			DisplayName:                     pulumi.String("Binding for all principals in the Organization"),
			PrincipalAccessBoundaryPolicyId: pulumi.String("my-pab-policy"),
		})
		if err != nil {
			return err
		}
		wait60Seconds, err := time.NewSleep(ctx, "wait_60_seconds", &time.SleepArgs{
			CreateDuration: "60s",
		}, pulumi.DependsOn([]pulumi.Resource{
			pabPolicy,
		}))
		if err != nil {
			return err
		}
		_, err = iam.NewOrganizationsPolicyBinding(ctx, "my-pab-policy", &iam.OrganizationsPolicyBindingArgs{
			Organization:    pulumi.String("123456789"),
			Location:        pulumi.String("global"),
			DisplayName:     pulumi.String("Binding for all principals in the Organization"),
			PolicyKind:      pulumi.String("PRINCIPAL_ACCESS_BOUNDARY"),
			PolicyBindingId: pulumi.String("binding-for-all-org-principals"),
			Policy: pabPolicy.PrincipalAccessBoundaryPolicyId.ApplyT(func(principalAccessBoundaryPolicyId string) (string, error) {
				return fmt.Sprintf("organizations/123456789/locations/global/principalAccessBoundaryPolicies/%v", principalAccessBoundaryPolicyId), nil
			}).(pulumi.StringOutput),
			Target: &iam.OrganizationsPolicyBindingTargetArgs{
				PrincipalSet: pulumi.String("//cloudresourcemanager.googleapis.com/organizations/123456789"),
			},
		}, pulumi.DependsOn([]pulumi.Resource{
			wait60Seconds,
		}))
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Time = Pulumi.Time;

return await Deployment.RunAsync(() => 
{
    var pabPolicy = new Gcp.Iam.PrincipalAccessBoundaryPolicy("pab_policy", new()
    {
        Organization = "123456789",
        Location = "global",
        DisplayName = "Binding for all principals in the Organization",
        PrincipalAccessBoundaryPolicyId = "my-pab-policy",
    });

    var wait60Seconds = new Time.Index.Sleep("wait_60_seconds", new()
    {
        CreateDuration = "60s",
    }, new CustomResourceOptions
    {
        DependsOn =
        {
            pabPolicy,
        },
    });

    var my_pab_policy = new Gcp.Iam.OrganizationsPolicyBinding("my-pab-policy", new()
    {
        Organization = "123456789",
        Location = "global",
        DisplayName = "Binding for all principals in the Organization",
        PolicyKind = "PRINCIPAL_ACCESS_BOUNDARY",
        PolicyBindingId = "binding-for-all-org-principals",
        Policy = pabPolicy.PrincipalAccessBoundaryPolicyId.Apply(principalAccessBoundaryPolicyId => $"organizations/123456789/locations/global/principalAccessBoundaryPolicies/{principalAccessBoundaryPolicyId}"),
        Target = new Gcp.Iam.Inputs.OrganizationsPolicyBindingTargetArgs
        {
            PrincipalSet = "//cloudresourcemanager.googleapis.com/organizations/123456789",
        },
    }, new CustomResourceOptions
    {
        DependsOn =
        {
            wait60Seconds,
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.PrincipalAccessBoundaryPolicy;
import com.pulumi.gcp.iam.PrincipalAccessBoundaryPolicyArgs;
import com.pulumi.time.sleep;
import com.pulumi.time.sleepArgs;
import com.pulumi.gcp.iam.OrganizationsPolicyBinding;
import com.pulumi.gcp.iam.OrganizationsPolicyBindingArgs;
import com.pulumi.gcp.iam.inputs.OrganizationsPolicyBindingTargetArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var pabPolicy = new PrincipalAccessBoundaryPolicy("pabPolicy", PrincipalAccessBoundaryPolicyArgs.builder()
            .organization("123456789")
            .location("global")
            .displayName("Binding for all principals in the Organization")
            .principalAccessBoundaryPolicyId("my-pab-policy")
            .build());

        var wait60Seconds = new Sleep("wait60Seconds", SleepArgs.builder()
            .createDuration("60s")
            .build(), CustomResourceOptions.builder()
                .dependsOn(List.of(pabPolicy))
                .build());

        var my_pab_policy = new OrganizationsPolicyBinding("my-pab-policy", OrganizationsPolicyBindingArgs.builder()
            .organization("123456789")
            .location("global")
            .displayName("Binding for all principals in the Organization")
            .policyKind("PRINCIPAL_ACCESS_BOUNDARY")
            .policyBindingId("binding-for-all-org-principals")
            .policy(pabPolicy.principalAccessBoundaryPolicyId().applyValue(_principalAccessBoundaryPolicyId -> String.format("organizations/123456789/locations/global/principalAccessBoundaryPolicies/%s", _principalAccessBoundaryPolicyId)))
            .target(OrganizationsPolicyBindingTargetArgs.builder()
                .principalSet("//cloudresourcemanager.googleapis.com/organizations/123456789")
                .build())
            .build(), CustomResourceOptions.builder()
                .dependsOn(wait60Seconds)
                .build());

    }
}

resources:
  pabPolicy:
    type: gcp:iam:PrincipalAccessBoundaryPolicy
    name: pab_policy
    properties:
      organization: '123456789'
      location: global
      displayName: Binding for all principals in the Organization
      principalAccessBoundaryPolicyId: my-pab-policy
  wait60Seconds:
    type: time:sleep
    name: wait_60_seconds
    properties:
      createDuration: 60s
    options:
      dependsOn:
        - ${pabPolicy}
  my-pab-policy:
    type: gcp:iam:OrganizationsPolicyBinding
    properties:
      organization: '123456789'
      location: global
      displayName: Binding for all principals in the Organization
      policyKind: PRINCIPAL_ACCESS_BOUNDARY
      policyBindingId: binding-for-all-org-principals
      policy: organizations/123456789/locations/global/principalAccessBoundaryPolicies/${pabPolicy.principalAccessBoundaryPolicyId}
      target:
        principalSet: //cloudresourcemanager.googleapis.com/organizations/123456789
    options:
      dependsOn:
        - ${wait60Seconds}

Create PrincipalAccessBoundaryPolicy Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

TypeScript
Python
Go
C#
Java
YAML

new PrincipalAccessBoundaryPolicy(name: string, args: PrincipalAccessBoundaryPolicyArgs, opts?: CustomResourceOptions);

@overload
def PrincipalAccessBoundaryPolicy(resource_name: str,
                                  args: PrincipalAccessBoundaryPolicyArgs,
                                  opts: Optional[ResourceOptions] = None)

@overload
def PrincipalAccessBoundaryPolicy(resource_name: str,
                                  opts: Optional[ResourceOptions] = None,
                                  location: Optional[str] = None,
                                  organization: Optional[str] = None,
                                  principal_access_boundary_policy_id: Optional[str] = None,
                                  annotations: Optional[Mapping[str, str]] = None,
                                  details: Optional[PrincipalAccessBoundaryPolicyDetailsArgs] = None,
                                  display_name: Optional[str] = None)

func NewPrincipalAccessBoundaryPolicy(ctx *Context, name string, args PrincipalAccessBoundaryPolicyArgs, opts ...ResourceOption) (*PrincipalAccessBoundaryPolicy, error)

public PrincipalAccessBoundaryPolicy(string name, PrincipalAccessBoundaryPolicyArgs args, CustomResourceOptions? opts = null)

public PrincipalAccessBoundaryPolicy(String name, PrincipalAccessBoundaryPolicyArgs args)
public PrincipalAccessBoundaryPolicy(String name, PrincipalAccessBoundaryPolicyArgs args, CustomResourceOptions options)

type: gcp:iam:PrincipalAccessBoundaryPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args PrincipalAccessBoundaryPolicyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args PrincipalAccessBoundaryPolicyArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args PrincipalAccessBoundaryPolicyArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args PrincipalAccessBoundaryPolicyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args PrincipalAccessBoundaryPolicyArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

TypeScript
Python
Go
C#
Java
YAML

var principalAccessBoundaryPolicyResource = new Gcp.Iam.PrincipalAccessBoundaryPolicy("principalAccessBoundaryPolicyResource", new()
{
    Location = "string",
    Organization = "string",
    PrincipalAccessBoundaryPolicyId = "string",
    Annotations = 
    {
        { "string", "string" },
    },
    Details = new Gcp.Iam.Inputs.PrincipalAccessBoundaryPolicyDetailsArgs
    {
        Rules = new[]
        {
            new Gcp.Iam.Inputs.PrincipalAccessBoundaryPolicyDetailsRuleArgs
            {
                Effect = "string",
                Resources = new[]
                {
                    "string",
                },
                Description = "string",
            },
        },
        EnforcementVersion = "string",
    },
    DisplayName = "string",
});

example, err := iam.NewPrincipalAccessBoundaryPolicy(ctx, "principalAccessBoundaryPolicyResource", &iam.PrincipalAccessBoundaryPolicyArgs{
	Location:                        pulumi.String("string"),
	Organization:                    pulumi.String("string"),
	PrincipalAccessBoundaryPolicyId: pulumi.String("string"),
	Annotations: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	Details: &iam.PrincipalAccessBoundaryPolicyDetailsArgs{
		Rules: iam.PrincipalAccessBoundaryPolicyDetailsRuleArray{
			&iam.PrincipalAccessBoundaryPolicyDetailsRuleArgs{
				Effect: pulumi.String("string"),
				Resources: pulumi.StringArray{
					pulumi.String("string"),
				},
				Description: pulumi.String("string"),
			},
		},
		EnforcementVersion: pulumi.String("string"),
	},
	DisplayName: pulumi.String("string"),
})

var principalAccessBoundaryPolicyResource = new PrincipalAccessBoundaryPolicy("principalAccessBoundaryPolicyResource", PrincipalAccessBoundaryPolicyArgs.builder()
    .location("string")
    .organization("string")
    .principalAccessBoundaryPolicyId("string")
    .annotations(Map.of("string", "string"))
    .details(PrincipalAccessBoundaryPolicyDetailsArgs.builder()
        .rules(PrincipalAccessBoundaryPolicyDetailsRuleArgs.builder()
            .effect("string")
            .resources("string")
            .description("string")
            .build())
        .enforcementVersion("string")
        .build())
    .displayName("string")
    .build());

principal_access_boundary_policy_resource = gcp.iam.PrincipalAccessBoundaryPolicy("principalAccessBoundaryPolicyResource",
    location="string",
    organization="string",
    principal_access_boundary_policy_id="string",
    annotations={
        "string": "string",
    },
    details={
        "rules": [{
            "effect": "string",
            "resources": ["string"],
            "description": "string",
        }],
        "enforcement_version": "string",
    },
    display_name="string")

const principalAccessBoundaryPolicyResource = new gcp.iam.PrincipalAccessBoundaryPolicy("principalAccessBoundaryPolicyResource", {
    location: "string",
    organization: "string",
    principalAccessBoundaryPolicyId: "string",
    annotations: {
        string: "string",
    },
    details: {
        rules: [{
            effect: "string",
            resources: ["string"],
            description: "string",
        }],
        enforcementVersion: "string",
    },
    displayName: "string",
});

type: gcp:iam:PrincipalAccessBoundaryPolicy
properties:
    annotations:
        string: string
    details:
        enforcementVersion: string
        rules:
            - description: string
              effect: string
              resources:
                - string
    displayName: string
    location: string
    organization: string
    principalAccessBoundaryPolicyId: string

PrincipalAccessBoundaryPolicy Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The PrincipalAccessBoundaryPolicy resource accepts the following input properties:

Location string

The location the principal access boundary policy is in.

Organization string

The parent organization of the principal access boundary policy.

PrincipalAccessBoundaryPolicyId string

The ID to use to create the principal access boundary policy. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern, /a-z{2,62}/.

Annotations Dictionary<string, string>

User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations

Note: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field effective_annotations for all of the annotations present on the resource.

Details PrincipalAccessBoundaryPolicyDetails

Principal access boundary policy details Structure is documented below.

DisplayName string

The description of the principal access boundary policy. Must be less than or equal to 63 characters.

Location string

The location the principal access boundary policy is in.

Organization string

The parent organization of the principal access boundary policy.

PrincipalAccessBoundaryPolicyId string

The ID to use to create the principal access boundary policy. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern, /a-z{2,62}/.

Annotations map[string]string

User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations

Details PrincipalAccessBoundaryPolicyDetailsArgs

Principal access boundary policy details Structure is documented below.

DisplayName string

The description of the principal access boundary policy. Must be less than or equal to 63 characters.

location String

The location the principal access boundary policy is in.

organization String

The parent organization of the principal access boundary policy.

principalAccessBoundaryPolicyId String

The ID to use to create the principal access boundary policy. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern, /a-z{2,62}/.

annotations Map<String,String>

User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations

details PrincipalAccessBoundaryPolicyDetails

Principal access boundary policy details Structure is documented below.

displayName String

The description of the principal access boundary policy. Must be less than or equal to 63 characters.

location string

The location the principal access boundary policy is in.

organization string

The parent organization of the principal access boundary policy.

principalAccessBoundaryPolicyId string

The ID to use to create the principal access boundary policy. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern, /a-z{2,62}/.

annotations {[key: string]: string}

User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations

details PrincipalAccessBoundaryPolicyDetails

Principal access boundary policy details Structure is documented below.

displayName string

The description of the principal access boundary policy. Must be less than or equal to 63 characters.

location str

The location the principal access boundary policy is in.

organization str

The parent organization of the principal access boundary policy.

principal_access_boundary_policy_id str

The ID to use to create the principal access boundary policy. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern, /a-z{2,62}/.

annotations Mapping[str, str]

User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations

details PrincipalAccessBoundaryPolicyDetailsArgs

Principal access boundary policy details Structure is documented below.

display_name str

The description of the principal access boundary policy. Must be less than or equal to 63 characters.

location String

The location the principal access boundary policy is in.

organization String

The parent organization of the principal access boundary policy.

principalAccessBoundaryPolicyId String

The ID to use to create the principal access boundary policy. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern, /a-z{2,62}/.

annotations Map<String>

User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations

details Property Map

Principal access boundary policy details Structure is documented below.

displayName String

The description of the principal access boundary policy. Must be less than or equal to 63 characters.

Outputs

All input properties are implicitly available as output properties. Additionally, the PrincipalAccessBoundaryPolicy resource produces the following output properties:

CreateTime string: Output only. The time when the principal access boundary policy was created.
EffectiveAnnotations Dictionary<string, string>
Etag string: The etag for the principal access boundary. If this is provided on update, it must match the server's etag.
Id string: The provider-assigned unique ID for this managed resource.
Name string: Identifier. The resource name of the principal access boundary policy. The following format is supported: organizations/{organization_id}/locations/{location}/principalAccessBoundaryPolicies/{policy_id}
Uid string: Output only. The globally unique ID of the principal access boundary policy.
UpdateTime string: Output only. The time when the principal access boundary policy was most recently updated.

CreateTime string: Output only. The time when the principal access boundary policy was created.
EffectiveAnnotations map[string]string
Etag string: The etag for the principal access boundary. If this is provided on update, it must match the server's etag.
Id string: The provider-assigned unique ID for this managed resource.
Name string: Identifier. The resource name of the principal access boundary policy. The following format is supported: organizations/{organization_id}/locations/{location}/principalAccessBoundaryPolicies/{policy_id}
Uid string: Output only. The globally unique ID of the principal access boundary policy.
UpdateTime string: Output only. The time when the principal access boundary policy was most recently updated.

createTime String: Output only. The time when the principal access boundary policy was created.
effectiveAnnotations Map<String,String>
etag String: The etag for the principal access boundary. If this is provided on update, it must match the server's etag.
id String: The provider-assigned unique ID for this managed resource.
name String: Identifier. The resource name of the principal access boundary policy. The following format is supported: organizations/{organization_id}/locations/{location}/principalAccessBoundaryPolicies/{policy_id}
uid String: Output only. The globally unique ID of the principal access boundary policy.
updateTime String: Output only. The time when the principal access boundary policy was most recently updated.

createTime string: Output only. The time when the principal access boundary policy was created.
effectiveAnnotations {[key: string]: string}
etag string: The etag for the principal access boundary. If this is provided on update, it must match the server's etag.
id string: The provider-assigned unique ID for this managed resource.
name string: Identifier. The resource name of the principal access boundary policy. The following format is supported: organizations/{organization_id}/locations/{location}/principalAccessBoundaryPolicies/{policy_id}
uid string: Output only. The globally unique ID of the principal access boundary policy.
updateTime string: Output only. The time when the principal access boundary policy was most recently updated.

create_time str: Output only. The time when the principal access boundary policy was created.
effective_annotations Mapping[str, str]
etag str: The etag for the principal access boundary. If this is provided on update, it must match the server's etag.
id str: The provider-assigned unique ID for this managed resource.
name str: Identifier. The resource name of the principal access boundary policy. The following format is supported: organizations/{organization_id}/locations/{location}/principalAccessBoundaryPolicies/{policy_id}
uid str: Output only. The globally unique ID of the principal access boundary policy.
update_time str: Output only. The time when the principal access boundary policy was most recently updated.

createTime String: Output only. The time when the principal access boundary policy was created.
effectiveAnnotations Map<String>
etag String: The etag for the principal access boundary. If this is provided on update, it must match the server's etag.
id String: The provider-assigned unique ID for this managed resource.
name String: Identifier. The resource name of the principal access boundary policy. The following format is supported: organizations/{organization_id}/locations/{location}/principalAccessBoundaryPolicies/{policy_id}
uid String: Output only. The globally unique ID of the principal access boundary policy.
updateTime String: Output only. The time when the principal access boundary policy was most recently updated.

Look up Existing PrincipalAccessBoundaryPolicy Resource

Get an existing PrincipalAccessBoundaryPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

TypeScript
Python
Go
C#
Java
YAML

public static get(name: string, id: Input<ID>, state?: PrincipalAccessBoundaryPolicyState, opts?: CustomResourceOptions): PrincipalAccessBoundaryPolicy

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        annotations: Optional[Mapping[str, str]] = None,
        create_time: Optional[str] = None,
        details: Optional[PrincipalAccessBoundaryPolicyDetailsArgs] = None,
        display_name: Optional[str] = None,
        effective_annotations: Optional[Mapping[str, str]] = None,
        etag: Optional[str] = None,
        location: Optional[str] = None,
        name: Optional[str] = None,
        organization: Optional[str] = None,
        principal_access_boundary_policy_id: Optional[str] = None,
        uid: Optional[str] = None,
        update_time: Optional[str] = None) -> PrincipalAccessBoundaryPolicy

func GetPrincipalAccessBoundaryPolicy(ctx *Context, name string, id IDInput, state *PrincipalAccessBoundaryPolicyState, opts ...ResourceOption) (*PrincipalAccessBoundaryPolicy, error)

public static PrincipalAccessBoundaryPolicy Get(string name, Input<string> id, PrincipalAccessBoundaryPolicyState? state, CustomResourceOptions? opts = null)

public static PrincipalAccessBoundaryPolicy get(String name, Output<String> id, PrincipalAccessBoundaryPolicyState state, CustomResourceOptions options)

resources:  _:    type: gcp:iam:PrincipalAccessBoundaryPolicy    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Annotations Dictionary<string, string>

User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations

CreateTime string

Output only. The time when the principal access boundary policy was created.

Details PrincipalAccessBoundaryPolicyDetails

Principal access boundary policy details Structure is documented below.

DisplayName string

The description of the principal access boundary policy. Must be less than or equal to 63 characters.

EffectiveAnnotations Dictionary<string, string>

Etag string

The etag for the principal access boundary. If this is provided on update, it must match the server's etag.

Location string

The location the principal access boundary policy is in.

Name string

Identifier. The resource name of the principal access boundary policy. The following format is supported: organizations/{organization_id}/locations/{location}/principalAccessBoundaryPolicies/{policy_id}

Organization string

The parent organization of the principal access boundary policy.

PrincipalAccessBoundaryPolicyId string

The ID to use to create the principal access boundary policy. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern, /a-z{2,62}/.

Uid string

Output only. The globally unique ID of the principal access boundary policy.

UpdateTime string

Output only. The time when the principal access boundary policy was most recently updated.

Annotations map[string]string

User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations

CreateTime string

Output only. The time when the principal access boundary policy was created.

Details PrincipalAccessBoundaryPolicyDetailsArgs

Principal access boundary policy details Structure is documented below.

DisplayName string

The description of the principal access boundary policy. Must be less than or equal to 63 characters.

EffectiveAnnotations map[string]string

Etag string

The etag for the principal access boundary. If this is provided on update, it must match the server's etag.

Location string

The location the principal access boundary policy is in.

Name string

Organization string

The parent organization of the principal access boundary policy.

PrincipalAccessBoundaryPolicyId string

The ID to use to create the principal access boundary policy. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern, /a-z{2,62}/.

Uid string

Output only. The globally unique ID of the principal access boundary policy.

UpdateTime string

Output only. The time when the principal access boundary policy was most recently updated.

annotations Map<String,String>

User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations

createTime String

Output only. The time when the principal access boundary policy was created.

details PrincipalAccessBoundaryPolicyDetails

Principal access boundary policy details Structure is documented below.

displayName String

The description of the principal access boundary policy. Must be less than or equal to 63 characters.

effectiveAnnotations Map<String,String>

etag String

The etag for the principal access boundary. If this is provided on update, it must match the server's etag.

location String

The location the principal access boundary policy is in.

name String

organization String

The parent organization of the principal access boundary policy.

principalAccessBoundaryPolicyId String

The ID to use to create the principal access boundary policy. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern, /a-z{2,62}/.

uid String

Output only. The globally unique ID of the principal access boundary policy.

updateTime String

Output only. The time when the principal access boundary policy was most recently updated.

annotations {[key: string]: string}

User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations

createTime string

Output only. The time when the principal access boundary policy was created.

details PrincipalAccessBoundaryPolicyDetails

Principal access boundary policy details Structure is documented below.

displayName string

The description of the principal access boundary policy. Must be less than or equal to 63 characters.

effectiveAnnotations {[key: string]: string}

etag string

The etag for the principal access boundary. If this is provided on update, it must match the server's etag.

location string

The location the principal access boundary policy is in.

name string

organization string

The parent organization of the principal access boundary policy.

principalAccessBoundaryPolicyId string

The ID to use to create the principal access boundary policy. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern, /a-z{2,62}/.

uid string

Output only. The globally unique ID of the principal access boundary policy.

updateTime string

Output only. The time when the principal access boundary policy was most recently updated.

annotations Mapping[str, str]

User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations

create_time str

Output only. The time when the principal access boundary policy was created.

details PrincipalAccessBoundaryPolicyDetailsArgs

Principal access boundary policy details Structure is documented below.

display_name str

The description of the principal access boundary policy. Must be less than or equal to 63 characters.

effective_annotations Mapping[str, str]

etag str

The etag for the principal access boundary. If this is provided on update, it must match the server's etag.

location str

The location the principal access boundary policy is in.

name str

organization str

The parent organization of the principal access boundary policy.

principal_access_boundary_policy_id str

The ID to use to create the principal access boundary policy. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern, /a-z{2,62}/.

uid str

Output only. The globally unique ID of the principal access boundary policy.

update_time str

Output only. The time when the principal access boundary policy was most recently updated.

annotations Map<String>

User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations

createTime String

Output only. The time when the principal access boundary policy was created.

details Property Map

Principal access boundary policy details Structure is documented below.

displayName String

The description of the principal access boundary policy. Must be less than or equal to 63 characters.

effectiveAnnotations Map<String>

etag String

The etag for the principal access boundary. If this is provided on update, it must match the server's etag.

location String

The location the principal access boundary policy is in.

name String

organization String

The parent organization of the principal access boundary policy.

principalAccessBoundaryPolicyId String

The ID to use to create the principal access boundary policy. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern, /a-z{2,62}/.

uid String

Output only. The globally unique ID of the principal access boundary policy.

updateTime String

Output only. The time when the principal access boundary policy was most recently updated.

Supporting Types

PrincipalAccessBoundaryPolicyDetails
, PrincipalAccessBoundaryPolicyDetailsArgs

Rules List<PrincipalAccessBoundaryPolicyDetailsRule>: A list of principal access boundary policy rules. The number of rules in a policy is limited to 500. Structure is documented below.
EnforcementVersion string: The version number that indicates which Google Cloud services are included in the enforcement (e.g. "latest", "1", ...). If empty, the PAB policy version will be set to the current latest version, and this version won't get updated when new versions are released.

Rules []PrincipalAccessBoundaryPolicyDetailsRule: A list of principal access boundary policy rules. The number of rules in a policy is limited to 500. Structure is documented below.
EnforcementVersion string: The version number that indicates which Google Cloud services are included in the enforcement (e.g. "latest", "1", ...). If empty, the PAB policy version will be set to the current latest version, and this version won't get updated when new versions are released.

rules List<PrincipalAccessBoundaryPolicyDetailsRule>: A list of principal access boundary policy rules. The number of rules in a policy is limited to 500. Structure is documented below.
enforcementVersion String: The version number that indicates which Google Cloud services are included in the enforcement (e.g. "latest", "1", ...). If empty, the PAB policy version will be set to the current latest version, and this version won't get updated when new versions are released.

rules PrincipalAccessBoundaryPolicyDetailsRule[]: A list of principal access boundary policy rules. The number of rules in a policy is limited to 500. Structure is documented below.
enforcementVersion string: The version number that indicates which Google Cloud services are included in the enforcement (e.g. "latest", "1", ...). If empty, the PAB policy version will be set to the current latest version, and this version won't get updated when new versions are released.

rules Sequence[PrincipalAccessBoundaryPolicyDetailsRule]: A list of principal access boundary policy rules. The number of rules in a policy is limited to 500. Structure is documented below.
enforcement_version str: The version number that indicates which Google Cloud services are included in the enforcement (e.g. "latest", "1", ...). If empty, the PAB policy version will be set to the current latest version, and this version won't get updated when new versions are released.

rules List<Property Map>: A list of principal access boundary policy rules. The number of rules in a policy is limited to 500. Structure is documented below.
enforcementVersion String: The version number that indicates which Google Cloud services are included in the enforcement (e.g. "latest", "1", ...). If empty, the PAB policy version will be set to the current latest version, and this version won't get updated when new versions are released.

PrincipalAccessBoundaryPolicyDetailsRule
, PrincipalAccessBoundaryPolicyDetailsRuleArgs

Effect string

The access relationship of principals to the resources in this rule. Possible values: ALLOW

Resources List<string>

A list of Cloud Resource Manager resources. The resource and all the descendants are included. The number of resources in a policy is limited to 500 across all rules. The following resource types are supported:

Organizations, such as //cloudresourcemanager.googleapis.com/organizations/123.
Folders, such as //cloudresourcemanager.googleapis.com/folders/123.
Projects, such as //cloudresourcemanager.googleapis.com/projects/123 or //cloudresourcemanager.googleapis.com/projects/my-project-id.

Description string

The description of the principal access boundary policy rule. Must be less than or equal to 256 characters.

Effect string

The access relationship of principals to the resources in this rule. Possible values: ALLOW

Resources []string

Organizations, such as //cloudresourcemanager.googleapis.com/organizations/123.
Folders, such as //cloudresourcemanager.googleapis.com/folders/123.
Projects, such as //cloudresourcemanager.googleapis.com/projects/123 or //cloudresourcemanager.googleapis.com/projects/my-project-id.

Description string

The description of the principal access boundary policy rule. Must be less than or equal to 256 characters.

effect String

The access relationship of principals to the resources in this rule. Possible values: ALLOW

resources List<String>

Organizations, such as //cloudresourcemanager.googleapis.com/organizations/123.
Folders, such as //cloudresourcemanager.googleapis.com/folders/123.
Projects, such as //cloudresourcemanager.googleapis.com/projects/123 or //cloudresourcemanager.googleapis.com/projects/my-project-id.

description String

The description of the principal access boundary policy rule. Must be less than or equal to 256 characters.

effect string

The access relationship of principals to the resources in this rule. Possible values: ALLOW

resources string[]

Organizations, such as //cloudresourcemanager.googleapis.com/organizations/123.
Folders, such as //cloudresourcemanager.googleapis.com/folders/123.
Projects, such as //cloudresourcemanager.googleapis.com/projects/123 or //cloudresourcemanager.googleapis.com/projects/my-project-id.

description string

The description of the principal access boundary policy rule. Must be less than or equal to 256 characters.

effect str

The access relationship of principals to the resources in this rule. Possible values: ALLOW

resources Sequence[str]

Organizations, such as //cloudresourcemanager.googleapis.com/organizations/123.
Folders, such as //cloudresourcemanager.googleapis.com/folders/123.
Projects, such as //cloudresourcemanager.googleapis.com/projects/123 or //cloudresourcemanager.googleapis.com/projects/my-project-id.

description str

The description of the principal access boundary policy rule. Must be less than or equal to 256 characters.

effect String

The access relationship of principals to the resources in this rule. Possible values: ALLOW

resources List<String>

Organizations, such as //cloudresourcemanager.googleapis.com/organizations/123.
Folders, such as //cloudresourcemanager.googleapis.com/folders/123.
Projects, such as //cloudresourcemanager.googleapis.com/projects/123 or //cloudresourcemanager.googleapis.com/projects/my-project-id.

description String

The description of the principal access boundary policy rule. Must be less than or equal to 256 characters.

Import

PrincipalAccessBoundaryPolicy can be imported using any of these accepted formats:

organizations/{{organization}}/locations/{{location}}/principalAccessBoundaryPolicies/{{principal_access_boundary_policy_id}}
{{organization}}/{{location}}/{{principal_access_boundary_policy_id}}

When using the pulumi import command, PrincipalAccessBoundaryPolicy can be imported using one of the formats above. For example:

$ pulumi import gcp:iam/principalAccessBoundaryPolicy:PrincipalAccessBoundaryPolicy default organizations/{{organization}}/locations/{{location}}/principalAccessBoundaryPolicies/{{principal_access_boundary_policy_id}}

$ pulumi import gcp:iam/principalAccessBoundaryPolicy:PrincipalAccessBoundaryPolicy default {{organization}}/{{location}}/{{principal_access_boundary_policy_id}}

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Google Cloud (GCP) Classic pulumi/pulumi-gcp
License: Apache-2.0
Notes: This Pulumi package is based on the google-beta Terraform Provider.

Google Cloud v8.26.0 published on Thursday, Apr 10, 2025 by Pulumi

pulumi/pulumi-gcp

Example Usage
Iam Principal Access Boundary Policy
Iam Organizations Policy Binding
Create PrincipalAccessBoundaryPolicy Resource
Constructor syntax
Constructor example
PrincipalAccessBoundaryPolicy Resource Properties
Inputs
Outputs
Look up Existing PrincipalAccessBoundaryPolicy Resource
Supporting Types
Import
Package Details

Request a Change

gcp.iam.PrincipalAccessBoundaryPolicy

On this page

On this page

Example Usage

Iam Principal Access Boundary Policy

Iam Organizations Policy Binding

Create PrincipalAccessBoundaryPolicy Resource

Constructor syntax

Parameters

Constructor example

PrincipalAccessBoundaryPolicy Resource Properties

Inputs

Outputs

Look up Existing PrincipalAccessBoundaryPolicy Resource

Supporting Types

PrincipalAccessBoundaryPolicyDetails
, PrincipalAccessBoundaryPolicyDetailsArgs

PrincipalAccessBoundaryPolicyDetailsRule
, PrincipalAccessBoundaryPolicyDetailsRuleArgs

Import

Package Details

On this page

On this page

gcp.iam.PrincipalAccessBoundaryPolicy

On this page

On this page

Example Usage

Iam Principal Access Boundary Policy

Iam Organizations Policy Binding

Create PrincipalAccessBoundaryPolicy Resource

Constructor syntax

Parameters

Constructor example

PrincipalAccessBoundaryPolicy Resource Properties

Inputs

Outputs

Look up Existing PrincipalAccessBoundaryPolicy Resource

Supporting Types

PrincipalAccessBoundaryPolicyDetails, PrincipalAccessBoundaryPolicyDetailsArgs

PrincipalAccessBoundaryPolicyDetailsRule, PrincipalAccessBoundaryPolicyDetailsRuleArgs

Import

Package Details

On this page

On this page

PrincipalAccessBoundaryPolicyDetails
, PrincipalAccessBoundaryPolicyDetailsArgs

PrincipalAccessBoundaryPolicyDetailsRule
, PrincipalAccessBoundaryPolicyDetailsRuleArgs