# Identity and Access Management (IAM) v3 API - Class PolicyBinding (1.0.0-beta01)

Last updated 2025-08-07 UTC.

    public sealed class PolicyBinding : IMessage<PolicyBinding>, IEquatable<PolicyBinding>, IDeepCloneable<PolicyBinding>, IBufferMessage, IMessage

Reference documentation and code samples for the Identity and Access Management (IAM) v3 API class PolicyBinding.

IAM policy binding resource.

Inheritance
-----------

[object](https://learn.microsoft.com/dotnet/api/system.object) \> PolicyBinding

Implements
----------

[IMessage](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IMessage-1.html)\<[PolicyBinding](/dotnet/docs/reference/Google.Cloud.Iam.V3/latest/Google.Cloud.Iam.V3.PolicyBinding)\>, [IEquatable](https://learn.microsoft.com/dotnet/api/system.iequatable-1)\<[PolicyBinding](/dotnet/docs/reference/Google.Cloud.Iam.V3/latest/Google.Cloud.Iam.V3.PolicyBinding)\>, [IDeepCloneable](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IDeepCloneable-1.html)\<[PolicyBinding](/dotnet/docs/reference/Google.Cloud.Iam.V3/latest/Google.Cloud.Iam.V3.PolicyBinding)\>, [IBufferMessage](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IBufferMessage.html), [IMessage](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IMessage.html)

Inherited Members
-----------------

[object.GetHashCode()](https://learn.microsoft.com/dotnet/api/system.object.gethashcode)
[object.GetType()](https://learn.microsoft.com/dotnet/api/system.object.gettype)
[object.ToString()](https://learn.microsoft.com/dotnet/api/system.object.tostring)

Namespace
---------

[Google.Cloud.Iam.V3](/dotnet/docs/reference/Google.Cloud.Iam.V3/latest/Google.Cloud.Iam.V3)

Assembly
--------

Google.Cloud.Iam.V3.dll

Constructors
------------

### PolicyBinding()

    public PolicyBinding()

### PolicyBinding(PolicyBinding)

    public PolicyBinding(PolicyBinding other)

Properties
----------

### Annotations

    public MapField<string, string> Annotations { get; }

Optional. User-defined annotations. See
<https://google.aip.dev/148#annotations> for more details such as format and
size limitations.

### Condition

    public Expr Condition { get; set; }

Optional. The condition to apply to the policy binding. When set, the
`expression` field in the `Expr` must include from 1 to 10 subexpressions,
joined by the
"||" (Logical OR), "&&" (Logical AND) or "!" (Logical NOT) operators and
cannot contain more than 250 characters.

The condition is currently only supported when bound to policies of kind
principal access boundary.

When the bound policy is a principal access boundary policy, the only
supported attributes in any subexpression are `principal.type` and
`principal.subject`. An example expression is: "principal.type ==
'iam.googleapis.com/ServiceAccount'" or "principal.subject ==
'bob@example.com'".

Allowed operations for `principal.subject`:

- `principal.subject == <principal subject string>`
- `principal.subject != <principal subject string>`
- `principal.subject in [<list of principal subjects>]`
- `principal.subject.startsWith(<string>)`
- `principal.subject.endsWith(<string>)`

Allowed operations for `principal.type`:

- `principal.type == <principal type string>`
- `principal.type != <principal type string>`
- `principal.type in [<list of principal types>]`

Supported principal types are Workspace, Workforce Pool, Workload Pool and
Service Account. Allowed string must be one of:

- iam.googleapis.com/WorkspaceIdentity
- iam.googleapis.com/WorkforcePoolIdentity
- iam.googleapis.com/WorkloadPoolIdentity
- iam.googleapis.com/ServiceAccount

### CreateTime

    public Timestamp CreateTime { get; set; }

Output only. The time when the policy binding was created.

### DisplayName

    public string DisplayName { get; set; }

Optional. The description of the policy binding. Must be less than or equal
to 63 characters.

### Etag

    public string Etag { get; set; }

Optional. The etag for the policy binding.
If this is provided on update, it must match the server's etag.

### Name

    public string Name { get; set; }

Identifier. The name of the policy binding, in the format
`{binding_parent}/locations/{location}/policyBindings/{policy_binding_id}`.
The binding parent is the closest Resource Manager resource (project,
folder, or organization) to the binding target.

Format:

- `projects/{project_id}/locations/{location}/policyBindings/{policy_binding_id}`
- `projects/{project_number}/locations/{location}/policyBindings/{policy_binding_id}`
- `folders/{folder_id}/locations/{location}/policyBindings/{policy_binding_id}`
- `organizations/{organization_id}/locations/{location}/policyBindings/{policy_binding_id}`

### Policy

    public string Policy { get; set; }

Required. Immutable. The resource name of the policy to be bound. The
binding parent and policy must belong to the same organization.

### PolicyBindingName

    public PolicyBindingName PolicyBindingName { get; set; }

[PolicyBindingName](/dotnet/docs/reference/Google.Cloud.Iam.V3/latest/Google.Cloud.Iam.V3.PolicyBindingName)-typed view over the [Name](/dotnet/docs/reference/Google.Cloud.Iam.V3/latest/Google.Cloud.Iam.V3.PolicyBinding#Google_Cloud_Iam_V3_PolicyBinding_Name) resource name property.

### PolicyKind

    public PolicyBinding.Types.PolicyKind PolicyKind { get; set; }

Immutable. The kind of the policy to attach in this binding. This field
must be one of the following:

- Left empty (will be automatically set to the policy kind)
- The input policy kind

### PolicyUid

    public string PolicyUid { get; set; }

Output only. The globally unique ID of the policy to be bound.

### Target

    public PolicyBinding.Types.Target Target { get; set; }

Required. Immutable. Target is the full resource name of the resource to
which the policy will be bound. Immutable once set.

### Uid

    public string Uid { get; set; }

Output only. The globally unique ID of the policy binding. Assigned when
the policy binding is created.

### UpdateTime

    public Timestamp UpdateTime { get; set; }

Output only. The time when the policy binding was most recently updated.
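
The limits documented for the `Condition` property (1 to 10 subexpressions, at most 250 characters, only `principal.type` and `principal.subject` with their allowed operations and type strings) can be checked locally before a binding is submitted. The following is an added example, not code from the Google.Cloud.Iam.V3 library; the class name `PabConditionLint`, the sample expressions, and the assumptions of single-quoted literals and no nested parentheses are the example's own, and it checks the documented shape only, not full CEL semantics.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
// Added example: pre-flight lint for PolicyBinding.Condition strings (not library code).
// Assumes single-quoted literals, as in the documented examples, and no nested parentheses.
public static class PabConditionLint
{
    static readonly HashSet<string> PrincipalTypes = new HashSet<string> {
        "iam.googleapis.com/WorkspaceIdentity", "iam.googleapis.com/WorkforcePoolIdentity",
        "iam.googleapis.com/WorkloadPoolIdentity", "iam.googleapis.com/ServiceAccount" };
    const string Str = @"'[^']*'";
    const string StrList = @"\[\s*" + Str + @"(\s*,\s*" + Str + @")*\s*\]";
    static readonly Regex SubjectOp = new Regex(@"^principal\.subject\s*((==|!=)\s*" + Str +
        @"|\s+in\s*" + StrList + @"|\.(startsWith|endsWith)\(\s*" + Str + @"\s*\))$");
    static readonly Regex TypeOp = new Regex(
        @"^principal\.type\s*((==|!=)\s*" + Str + @"|\s+in\s*" + StrList + @")$");

    public static List<string> Check(string expression)
    {
        var errors = new List<string>();
        if (expression.Length > 250)
            errors.Add($"expression is {expression.Length} characters; the limit is 250");
        // Split on || and && only where an even number of quotes follows (outside a literal).
        var parts = Regex.Split(expression, @"(?:\|\||&&)(?=(?:[^']*'[^']*')*[^']*$)");
        if (parts.Length > 10) errors.Add($"{parts.Length} subexpressions; the limit is 10");
        foreach (var raw in parts)
        {
            // Drop a leading logical NOT and one pair of wrapping parentheses.
            string sub = Regex.Replace(raw.Trim(), @"^!?\s*\((.*)\)$|^!\s*(.*)$", "$1$2").Trim();
            if (SubjectOp.IsMatch(sub)) continue;
            if (!TypeOp.IsMatch(sub)) { errors.Add($"unsupported subexpression: {sub}"); continue; }
            foreach (Match m in Regex.Matches(sub, Str))
                if (!PrincipalTypes.Contains(m.Value.Trim('\'')))
                    errors.Add($"unsupported principal type: {m.Value}");
        }
        return errors;
    }
    public static void Main()
    {
        // Constructed samples: the first is within the documented limits, the second is not.
        foreach (var s in new[] {
            "principal.type == 'iam.googleapis.com/ServiceAccount' && !principal.subject.endsWith('@example.com')",
            "principal.type == 'iam.googleapis.com/User' || principal.email == 'bob@example.com'" })
        {
            var errors = Check(s);
            Console.WriteLine(errors.Count == 0 ? $"OK   {s}" : $"FAIL {s}: " + string.Join("; ", errors));
        }
    }
}
```

Running the lint in code review or CI catches a condition that names an attribute or principal type outside the documented set before it reaches the API, which matters because a condition narrows which principals a principal access boundary binding applies to.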