### Cloud Policies and Conditions<br>

***

This lesson builds on Cloud IAM (previous lesson).<br>


In [None]:
{
    "bindings": [
        {
            "role": "roles/storage.admin",
            "members": [
                "user:tony@gmail.com"
            ]
        },
        {
            "role": "roles/storage.objectViewer",
            "members": [
                "user:larkfederal@gmail.com"
            ],
            "condition": {
                "title": "Expires_January_1_2021",
                "description": "Do not grant access after jan 2021",
                "expression":
                    "request.time < timestamp('2021-01-01T00:00:00.000Z')"
            }
        }
    ],
    "etag": "BeEEja0YfWJ=",
    "version": 3
}

^- an example of policy formatting in JSON.<br>

Policies can be written in both JSON and YAML.<br>
YAML is much more condensed and cleaner.<br>

In [None]:
gcloud projects get-iam-policy <project-id>

gcloud resource-manager folders get-iam-policy <folder-id>

gcloud organizations get-iam-policy <organization-id>

**More details of versions**<br>

version 1 - supports binding 1 role to 1 or more members, DOES NOT support conditional role bindings<br>
version 2 - Google's internal use, so you'll usually not see a version 2<br>
version 3 - allows condition fields in role bindings<br>
if you don't specify the version, the default (version 1) policy format is used<br>
<br>

**Policy Limitations**<br>

1 policy per resource (including organizations, folders, projects)<br>
each IAM policy can contain up to 1500 members or 250 Google groups<br>
It can take up to 7 minutes to fully propagate across GCP<br>
Limit of 100 conditional role bindings per policy<br>
<br>

**Conditions**<br>

Condition attributes are based on either the resource or the request (e.g. timestamp, originating/destination IP)<br>

**Conditional role bindings** - hold conditions within the bindings<br>
can be added to new or existing IAM policies to further control access to Cloud resources<br>
<br>

In [None]:
expression: request.time.getHours("America/Toronto") >= 9 &&
            request.time.getHours("America/Toronto") <= 17 &&
            request.time.getDayOfWeek("America/Toronto") >= 1 &&
            request.time.getDayOfWeek("America/Toronto") <= 5

^- example of a YAML expression that limits access to business hours ONLY.<br>
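To see what the expression above actually allows, here is an added example (not from the lesson or from Google) that evaluates the same business-hours condition for a given request time in plain Python. It follows the semantics of IAM's CEL functions, `getHours()` returning 0-23 and `getDayOfWeek()` returning 0 (Sunday) through 6 (Saturday) in the named time zone; the request times are constructed, and the fixed UTC-5 fallback for hosts without a time-zone database is an assumption.

```python
# Added example (not from the lesson or from Google): evaluate the business-hours
# condition above for a given request time, using the same semantics as IAM's
# CEL functions: getHours() returns 0-23 and getDayOfWeek() returns
# 0 (Sunday) through 6 (Saturday) in the named time zone.
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    TORONTO = ZoneInfo("America/Toronto")
except Exception:
    # Hosts without a tz database: assume fixed EST (UTC-5). Results for the
    # winter dates used below are identical either way.
    TORONTO = timezone(timedelta(hours=-5), "EST")


def get_hours(ts, tz):
    """CEL request.time.getHours(tz): hour of day, 0-23, in the given zone."""
    return ts.astimezone(tz).hour


def get_day_of_week(ts, tz):
    """CEL request.time.getDayOfWeek(tz): Sunday=0 .. Saturday=6.
    Python's isoweekday() is Mon=1 .. Sun=7, so take it modulo 7."""
    return ts.astimezone(tz).isoweekday() % 7


def business_hours_condition(request_time, tz=TORONTO):
    """Mirror of the expression: hour 9..17 inclusive, Monday (1) to Friday (5)."""
    return (9 <= get_hours(request_time, tz) <= 17
            and 1 <= get_day_of_week(request_time, tz) <= 5)


def evaluate(iso_utc):
    """request.time arrives as a UTC timestamp; return True if access is allowed."""
    ts = datetime.fromisoformat(iso_utc.replace("Z", "+00:00"))
    return business_hours_condition(ts)


if __name__ == "__main__":
    # Constructed request times (UTC). March 1, 2021 is a Monday and Toronto is
    # still on standard time (UTC-5) that day.
    for t in ("2021-03-01T15:00:00Z", "2021-03-01T22:59:00Z",
              "2021-03-01T23:00:00Z", "2021-03-06T15:00:00Z"):
        print(t, "->", "allow" if evaluate(t) else "deny")
```

Note the boundary: because `getHours()` returns the whole hour, `<= 17` keeps access open until 17:59 local time, so the window really closes at 18:00. If the intent is to cut off at 17:00, the expression needs `< 17`. The condition is re-evaluated on every request, so a caller that was allowed at 17:59 is denied one minute later.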

**Condition Limitations**<br>

Limited to specific services<br>
Primitive roles are unsupported<br>
Members CANNOT be allUsers or allAuthenticatedUsers<br>
Limit of 100 conditional role bindings per policy<br>
20 role bindings for same role and same member<br>
<br>
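The version rules, policy limits and condition limits above are easy to trip over when editing a policy file by hand. As an added example (not from the lesson or from Google), the Python below pre-screens a policy document against those rules before it is handed to `gcloud ... set-iam-policy`; the IAM API performs the authoritative checks. The sample policies are constructed (the first is the lesson's own policy), `roles/owner`, `roles/editor` and `roles/viewer` are the primitive roles, and counting every member occurrence across bindings toward the 1500 limit is an assumption.

```python
# Added example (not from the lesson or from Google): an offline lint of an
# IAM policy document against the version and limit rules in these notes.
# gcloud / the IAM API perform the authoritative checks; this only pre-screens
# a policy file before `gcloud projects set-iam-policy`.
import json

PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
MAX_MEMBERS = 1500              # members per policy (each occurrence counted; assumption)
MAX_CONDITIONAL_BINDINGS = 100  # conditional role bindings per policy
MAX_SAME_ROLE_MEMBER = 20       # bindings for the same role and same member


def lint_policy(policy):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    bindings = policy.get("bindings", [])
    conditional = [b for b in bindings if "condition" in b]

    # Conditions are only supported by version 3 policies. A version 1 view of
    # the policy has no condition field, so round-tripping it through version 1
    # would strip the conditions: check this first.
    if conditional and policy.get("version", 1) < 3:
        findings.append("conditional bindings present but policy version < 3")

    if len(conditional) > MAX_CONDITIONAL_BINDINGS:
        findings.append(f"{len(conditional)} conditional bindings > {MAX_CONDITIONAL_BINDINGS}")

    member_occurrences = sum(len(b.get("members", [])) for b in bindings)
    if member_occurrences > MAX_MEMBERS:
        findings.append(f"{member_occurrences} member entries > {MAX_MEMBERS}")

    for b in conditional:
        if b["role"] in PRIMITIVE_ROLES:
            findings.append(f"condition on primitive role {b['role']} is unsupported")
        for m in b.get("members", []):
            if m in PUBLIC_MEMBERS:
                findings.append(f"{m} cannot be a member of a conditional binding")

    # Count how many bindings grant the same role to the same member (this is
    # what happens when several conditions are attached to one grant).
    pair_counts = {}
    for b in bindings:
        for m in b.get("members", []):
            pair_counts[(b["role"], m)] = pair_counts.get((b["role"], m), 0) + 1
    for (role, m), n in pair_counts.items():
        if n > MAX_SAME_ROLE_MEMBER:
            findings.append(f"{n} bindings of {role} to {m} > {MAX_SAME_ROLE_MEMBER}")
    return findings


def lint_policy_json(text):
    """Convenience wrapper for a policy stored as JSON text (e.g. from get-iam-policy)."""
    return lint_policy(json.loads(text))


# Constructed sample: the policy from the top of the lesson (version 3, one condition).
GOOD_POLICY = {
    "bindings": [
        {"role": "roles/storage.admin", "members": ["user:tony@gmail.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["user:larkfederal@gmail.com"],
         "condition": {"title": "Expires_January_1_2021",
                       "expression": "request.time < timestamp('2021-01-01T00:00:00.000Z')"}},
    ],
    "etag": "BeEEja0YfWJ=",
    "version": 3,
}

# Constructed sample that breaks three rules: version 1 with a condition, a
# primitive role under a condition, and allUsers in a conditional binding.
BAD_POLICY = {
    "bindings": [
        {"role": "roles/viewer", "members": ["allUsers"],
         "condition": {"title": "never", "expression": "false"}},
    ],
    "version": 1,
}

if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, lint_policy(pol) or "OK")
```

Run it over the output of `gcloud projects get-iam-policy <project-id> --format=json` before applying an edited copy; the version check matters most, since fetching a policy without asking for version 3 silently hides its conditional bindings.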

In [None]:
auditConfigs:
- auditLogConfigs:
  - logType: DATA_READ
  - logType: ADMIN_READ
  - logType: DATA_WRITE
  service: allServices
- auditLogConfigs:
  - exemptedMembers:
    - user:tony@gmail.com
    logType: ADMIN_READ
  service: storage.googleapis.com

^- a YAML example of audit configs<br>

it logs data reads, admin reads and data writes for all services<br>
while exempting tony from ADMIN_READ logging on Cloud Storage.<br>
<br>
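The effective logging for one member on one service is the union of the `allServices` entry and the service-specific entry, with exemptions from either applied to that service. The added example below (not from the lesson or from Google) works that out for the configuration above, expressed as a constructed Python structure rather than parsed YAML, and also lists every exemption a given member holds, which is the review a defender wants when checking that an exemption does not hide a privileged user's activity. Members carry the same `user:` prefix as the policy bindings; `compute.googleapis.com` is only used as a sample second service.

```python
# Added example (not from the lesson or from Google): work out which audit log
# types are actually collected for one member on one service, given an
# auditConfigs block like the YAML above. It applies Cloud IAM's documented merge
# rule: the allServices entry and the service-specific entry are combined, every
# logType in either is enabled, and an exemption in either applies to that service.

# Constructed: the same configuration as the YAML above, as a Python structure.
AUDIT_CONFIGS = [
    {"service": "allServices",
     "auditLogConfigs": [{"logType": "DATA_READ"},
                         {"logType": "ADMIN_READ"},
                         {"logType": "DATA_WRITE"}]},
    {"service": "storage.googleapis.com",
     "auditLogConfigs": [{"logType": "ADMIN_READ",
                          "exemptedMembers": ["user:tony@gmail.com"]}]},
]


def effective_log_types(audit_configs, service, member):
    """Return the sorted log types recorded when `member` calls `service`."""
    enabled, exempt = set(), set()
    for cfg in audit_configs:
        # Only the catch-all entry and the entry for this service apply.
        if cfg["service"] not in ("allServices", service):
            continue
        for entry in cfg.get("auditLogConfigs", []):
            enabled.add(entry["logType"])
            if member in entry.get("exemptedMembers", []):
                exempt.add(entry["logType"])
    return sorted(enabled - exempt)


def exempted_anywhere(audit_configs, member):
    """Every (service, logType) pair in which `member` is exempted from logging."""
    return sorted((cfg["service"], e["logType"])
                  for cfg in audit_configs
                  for e in cfg.get("auditLogConfigs", [])
                  if member in e.get("exemptedMembers", []))


if __name__ == "__main__":
    for svc, who in (("storage.googleapis.com", "user:tony@gmail.com"),
                     ("storage.googleapis.com", "user:larkfederal@gmail.com"),
                     ("compute.googleapis.com", "user:tony@gmail.com")):
        print(svc, who, effective_log_types(AUDIT_CONFIGS, svc, who))
    print(exempted_anywhere(AUDIT_CONFIGS, "user:tony@gmail.com"))
```

For the lesson's configuration this gives tony `DATA_READ` and `DATA_WRITE` on Cloud Storage (no `ADMIN_READ`), all three log types for everyone else on Cloud Storage, and all three for tony on any other service, since the exemption is scoped to `storage.googleapis.com` only.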