Stay organized with collections
Save and categorize content based on your preferences.
Using Access Context Manager, you can make bulk updates to resources that belong to
your organization's access policy, such as
access levels and service perimeters. Changes to your resources are applied only if all parts of the bulk operation are successful.
Because bulk operations affect all service perimeters for your organization,
you can obtain a complete list of your perimeters. Also, you can format this list
as YAML and use it to make bulk changes to your perimeters.
When overriding all service perimeter configurations with the replace-all
command, you must not set the etag fields within perimeters. Etags are likely
to change between fetching and updating the perimeters, causing the
replace-all command to return an etag mismatch error. However, you can
set an etag for the entire replace-all request with the top-level --etag
parameter if you want to enforce the etag check.
Instead of manually removing each of the etag properties within the
perimeters, you can fetch the perimeters without etag properties by specifying
a --format with all fields except etag.
For more information about formatting the YAML file, refer to the
JSON structure of Access Context Manager's
ServicePerimeterConfig object.
ETAG (optional) is a string that represents the target
version of your organization's access policy. If you do not include an
etag, the bulk operation targets the latest version of the your
organization's access policy.
POST https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME/servicePerimeters.replaceAll?alt=json
Where:
POLICY_NAME is the name of your organization's access policy.
Request body
The request body must include a list of
ServicePerimeterConfig objects that specify the
changes you want to make.
Optionally, to target a specific version of your organization's access
policy, you can include an etag. If you do not include an etag, the bulk
operation targets the latest version of your organization's access policy.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Making bulk changes to service perimeters\n\nUsing Access Context Manager, you can make bulk updates to resources that belong to\nyour organization's [access policy](/access-context-manager/docs/overview#access-policies), such as\n[access levels](/access-context-manager/docs/overview#access-levels) and [service perimeters](/vpc-service-controls/docs/service-perimeters). Changes to your resources are applied only if all parts of the bulk operation are successful.\n\nThis topic describes only bulk replacement of service perimeters. For more\ninformation about bulk replacement of access levels,\n[refer to the Access Context Manager documentation](/access-context-manager/docs/bulk-operations).\n| **Note:** The Google Cloud console cannot be used for bulk operations.\n\nGet a list of service perimeters\n--------------------------------\n\nBecause bulk operations affect *all* service perimeters for your organization,\nyou can obtain a complete list of your perimeters. Also, you can format this list\nas YAML and use it to make bulk changes to your perimeters.\n\nTo get a formatted list of service perimeters, refer to\n[List service perimeters (formatted)](/vpc-service-controls/docs/manage-service-perimeters#formatted-list).\n\nWhen overriding all service perimeter configurations with the `replace-all`\ncommand, you must not set the `etag` fields within perimeters. Etags are likely\nto change between fetching and updating the perimeters, causing the\n`replace-all` command to return an etag mismatch error. However, you can\nset an `etag` for the entire `replace-all` request with the top-level `--etag`\nparameter if you want to enforce the etag check.\n\nInstead of manually removing each of the `etag` properties within the\nperimeters, you can fetch the perimeters without `etag` properties by specifying\na `--format` with all fields except `etag`. \n\n```bash\ngcloud access-context-manager perimeters list \\\n --policy=POLICY_NAME \\\n --format=\"json(name,title,description,perimeterType,status,spec,useExplicitDryRunSpec)\"\n```\n\nBulk replace service perimeters\n-------------------------------\n\nThe following section details how to bulk replace your service perimeters.\n**Warning:** Bulk replace operations affect *all* your service perimeters. If existing service perimeters aren't included in the operation, those service perimeters are deleted. \n\n### gcloud\n\nTo bulk replace all service perimeters, use the\n`replace-all` command. \n\n```bash\ngcloud access-context-manager perimeters replace-all POLICY_NAME \\\n --source-file=FILE \\\n --etag=ETAG \\\n```\n\nWhere:\n\n- \u003cvar translate=\"no\"\u003ePOLICY_NAME\u003c/var\u003e is the name of your organization's access policy.\n This value is required only if you haven't set a\n [default access policy](/access-context-manager/docs/manage-access-policy#set-default).\n\n- \u003cvar translate=\"no\"\u003eFILE\u003c/var\u003e is the name of a .yaml file that defines\n the new settings for your existing service perimeters.\n\n For example: \n\n - name: accessPolicies/11271009391/servicePerimeters/storage_perimeter\n title: Storage Perimeter\n description: Perimeter to protect Storage resources.\n perimeterType: PERIMETER_TYPE_REGULAR\n status:\n restrictedServices:\n - storage.googleapis.com\n - name: accessPolicies/11271009391/servicePerimeters/bigquery_perimeter\n title: BigQuery Perimeter\n description: Perimeter to protect BigQuery resources.\n perimeterType: PERIMETER_TYPE_REGULAR\n status:\n restrictedServices:\n - bigquery.googleapis.com\n\n For more information about formatting the YAML file, refer to the\n JSON structure of Access Context Manager's\n [`ServicePerimeterConfig` object](/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimeters#ServicePerimeterConfig).\n- \u003cvar translate=\"no\"\u003eETAG\u003c/var\u003e (optional) is a string that represents the target\n version of your organization's access policy. If you do not include an\n etag, the bulk operation targets the latest version of the your\n organization's access policy.\n\n To obtain the latest etag of your access policy,\n [`list` your access policies](/access-context-manager/docs/manage-access-policy#get_the_name_of_an_access_policy).\n\n### API\n\nTo bulk replace all service perimeters,\ncall [`servicePerimeters.replaceAll`](/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimeters/replaceAll). \n\n```\nPOST https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME/servicePerimeters.replaceAll?alt=json\n```\n\nWhere:\n\n- \u003cvar translate=\"no\"\u003ePOLICY_NAME\u003c/var\u003e is the name of your organization's access policy.\n\n### Request body\n\nThe request body must include a list of\n[`ServicePerimeterConfig`](/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimeters#ServicePerimeterConfig) objects that specify the\nchanges you want to make.\n\nOptionally, to target a specific version of your organization's access\npolicy, you can include an etag. If you do not include an etag, the bulk\noperation targets the latest version of your organization's access policy.\n\nFor example: \n\n```json\n{\n \"servicePerimeters\": [\n object (ServicePerimeterConfig),\n object (ServicePerimeterConfig),\n ...\n ]\n \"etag\": string\n}\n```\n\n### Response body\n\nIf successful, the response body for the call contains an\n[`Operation`](/access-context-manager/docs/reference/rest/Shared.Types/Operation) resource that provides details about the\npost operation.\n\nExample response: \n\n {\n \"name\": \"operations/accessPolicies/11271009391/replacePerimeters/1583523447707087\",\n \"done\": true,\n \"response\": {\n \"@type\": \"type.googleapis.com/google.identity.accesscontextmanager.v1.ReplaceServicePerimetersResponse\",\n \"servicePerimeters\": [\n {\n \"name\": \"accessPolicies/11271009391/servicePerimeters/storage_perimeter\",\n \"title\": \"Storage Perimeter\",\n \"description\": \"Perimeter to protect Storage resources.\",\n \"status\": {\n \"accessLevels\": [\n \"accessPolicies/11271009391/accessLevels/corpnet_access\"\n ],\n \"restrictedServices\": [\n \"bigtable.googleapis.com\"\n ]\n }\n },\n {\n \"name\": \"accessPolicies/11271009391/servicePerimeters/storage_perimeter\",\n \"title\": \"BigQuery Perimeter\",\n \"description\": \"Perimeter to protect BigQuery resources.\",\n \"status\": {\n \"accessLevels\": [\n \"accessPolicies/11271009391/accessLevels/prodnet_access\"\n ],\n \"restrictedServices\": [\n \"bigtable.googleapis.com\"\n ]\n }\n }\n ]\n }\n }"]]
