API resource reference for PolicyBinding, part of the IAM service. To create or change one, see Changing resources; to inspect, see Reading resources.
This resource is part of the v1alpha1 API and is subject to change. Fields and behavior may change in future releases.

Identity

Group: iam.miloapis.com
Version: v1alpha1
Kind: PolicyBinding
Scope: Project

Overview

A PolicyBinding grants access by binding a Role to one or more subjects (users, groups, or service accounts) for a specific set of resources. Use it to control who can act on what within a Project: you pick the role that defines the permissions, list the subjects that receive them, and select the resources the role applies to.

Spec fields

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| spec.roleRef | Object | Yes | Reference to the Role being bound. |
| spec.roleRef.name | string | Yes | Name of the referenced Role. |
| spec.roleRef.namespace | string | No | Namespace of the referenced Role. If empty, the PolicyBinding’s own scope is assumed. |
| spec.subjects[] | Object | Yes | The identities the role applies to. |
| spec.subjects[].kind | string | Yes | Type of subject. One of User, Group, or ServiceAccount. |
| spec.subjects[].name | string | Yes | Name of the subject. The special group name system:authenticated-users refers to all authenticated users. |
| spec.subjects[].namespace | string | No | Scope of the subject. Ignored for Users, Groups, and ServiceAccounts when not specified. |
| spec.subjects[].uid | string | No | Unique identifier of the subject. Optional for system: groups. |
| spec.resourceSelector | Object | Yes | Selects which resources the role applies to. resourceKind and resourceRef are mutually exclusive. |
| spec.resourceSelector.resourceKind | Object | No | Apply the role to all resources of a specific kind. |
| spec.resourceSelector.resourceKind.kind | string | Yes | The resource type being referenced. |
| spec.resourceSelector.resourceKind.apiGroup | string | No | API group of the resource type. If omitted, the kind must be in the core API group. |
| spec.resourceSelector.resourceRef | Object | No | Apply the role to a single, specific resource instance. |
| spec.resourceSelector.resourceRef.kind | string | Yes | The resource type being referenced. |
| spec.resourceSelector.resourceRef.name | string | Yes | Name of the resource being referenced. |
| spec.resourceSelector.resourceRef.uid | string | Yes | Unique identifier of the resource being referenced. |
| spec.resourceSelector.resourceRef.apiGroup | string | No | API group of the resource. Required for third-party types; if omitted, the kind must be in the core API group. |
| spec.resourceSelector.resourceRef.namespace | string | No | Scope of the resource. Required for Project-scoped resources; omitted for Platform-scoped resources. |

Status fields (read-only)

| Field | Type | Description |
| --- | --- | --- |
| status.conditions[] | Object | Conditions representing the current status of the PolicyBinding. |
| status.observedGeneration | integer | The most recent generation observed for this PolicyBinding by the controller. |

Usage

```yaml
apiVersion: iam.miloapis.com/v1alpha1
kind: PolicyBinding
metadata:
  name: dns-editors
spec:
  roleRef:
    name: dns-editor
  subjects:
    - kind: User
      name: alice@example.com
  resourceSelector:
    resourceKind:
      apiGroup: dns.networking.miloapis.com
      kind: DNSZone
```

```shell
datumctl apply -f policybinding.yaml --project my-project
datumctl get policybindings.iam.miloapis.com --project my-project
datumctl describe policybindings.iam.miloapis.com dns-editors --project my-project
```

Run datumctl explain policybindings.iam.miloapis.com --recursive to see the full, live field tree for this resource.
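
A pre-apply review check for the field rules in the spec table, added here as an example; it is not part of datumctl or the IAM API. The function name `lint_policy_binding` and its messages are hypothetical, and it assumes the manifest has already been parsed into a dict.

```python
SUBJECT_KINDS = {"User", "Group", "ServiceAccount"}  # values listed in the spec table

def lint_policy_binding(manifest):
    """Return (errors, warnings) for a parsed PolicyBinding manifest (hypothetical helper)."""
    errors, warnings = [], []
    spec = manifest.get("spec") or {}
    if not (spec.get("roleRef") or {}).get("name"):
        errors.append("spec.roleRef.name is required")
    subjects = spec.get("subjects") or []
    if not subjects:
        errors.append("spec.subjects must list at least one subject")
    for i, s in enumerate(subjects):
        if s.get("kind") not in SUBJECT_KINDS:
            errors.append(f"spec.subjects[{i}].kind must be one of {sorted(SUBJECT_KINDS)}")
        if not s.get("name"):
            errors.append(f"spec.subjects[{i}].name is required")
        elif s.get("kind") == "Group" and s["name"] == "system:authenticated-users":
            # Broadest possible subject: worth a reviewer's explicit sign-off.
            warnings.append(f"spec.subjects[{i}] grants the role to all authenticated users")
    # resourceKind and resourceRef are mutually exclusive.
    sel = spec.get("resourceSelector") or {}
    kind_sel, ref_sel = sel.get("resourceKind"), sel.get("resourceRef")
    if kind_sel and ref_sel:
        errors.append("spec.resourceSelector: resourceKind and resourceRef are mutually exclusive")
    elif kind_sel:
        if not kind_sel.get("kind"):
            errors.append("spec.resourceSelector.resourceKind.kind is required")
        warnings.append("resourceKind applies the role to every resource of that kind")
    elif ref_sel:
        for field in ("kind", "name", "uid"):
            if not ref_sel.get(field):
                errors.append(f"spec.resourceSelector.resourceRef.{field} is required")
    else:
        # Assumption: a selector with neither member set is treated as a mistake.
        errors.append("spec.resourceSelector must set resourceKind or resourceRef")
    return errors, warnings

# The dns-editors manifest from the Usage section, as the dict a YAML parser would produce.
DNS_EDITORS = {
    "apiVersion": "iam.miloapis.com/v1alpha1", "kind": "PolicyBinding",
    "metadata": {"name": "dns-editors"},
    "spec": {"roleRef": {"name": "dns-editor"},
             "subjects": [{"kind": "User", "name": "alice@example.com"}],
             "resourceSelector": {"resourceKind": {
                 "apiGroup": "dns.networking.miloapis.com", "kind": "DNSZone"}}},
}

if __name__ == "__main__":
    print(lint_policy_binding(DNS_EDITORS))
```

The warnings are review prompts, not rejections: a kind-wide selector or an all-authenticated-users subject may be intended, but both widen the grant well beyond a single resourceRef binding.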
Last modified on July 2, 2026