# PolicyBinding

> PolicyBinding is the Schema for the policybindings API.

<Note>
  API resource reference for **PolicyBinding**, part of the [IAM service](/api/iam/overview). To create or change one, see [Changing resources](/datumctl/resources/changing); to inspect, see [Reading resources](/datumctl/resources/reading).
</Note>

<Warning>
  This resource is part of the `v1alpha1` API and is subject to change. Fields and behavior may change in future releases.
</Warning>

## Identity

| Property | Value              |
| ------- | ------------------ |
| Group   | `iam.miloapis.com` |
| Version | `v1alpha1`         |
| Kind    | `PolicyBinding`    |
| Scope   | Project            |

## Overview

A `PolicyBinding` grants access by binding a `Role` to one or more subjects (users, groups, or service accounts) for a specific set of resources. Use it to control who can act on what within a Project: you pick the role that defines the permissions, list the subjects that receive them, and select the resources the role applies to.

## Spec fields

| Field                                         | Type      | Required | Description                                                                                                    |
| --------------------------------------------- | --------- | -------- | -------------------------------------------------------------------------------------------------------------- |
| `spec.roleRef`                                | Object    | Yes      | Reference to the Role being bound.                                                                             |
| `spec.roleRef.name`                           | string    | Yes      | Name of the referenced Role.                                                                                   |
| `spec.roleRef.namespace`                      | string    | No       | Namespace of the referenced Role. If empty, the PolicyBinding's own scope is assumed.                          |
| `spec.subjects`                               | \[]Object | Yes      | The identities the role applies to.                                                                            |
| `spec.subjects[].kind`                        | string    | Yes      | Type of subject. One of `User`, `Group`, or `ServiceAccount`.                                                  |
| `spec.subjects[].name`                        | string    | Yes      | Name of the subject. The special group name `system:authenticated-users` refers to all authenticated users.    |
| `spec.subjects[].namespace`                   | string    | No       | Scope of the subject. Ignored for Users, Groups, and ServiceAccounts when not specified.                       |
| `spec.subjects[].uid`                         | string    | No       | Unique identifier of the subject. Optional for `system:` groups.                                               |
| `spec.resourceSelector`                       | Object    | Yes      | Selects which resources the role applies to. `resourceKind` and `resourceRef` are mutually exclusive.          |
| `spec.resourceSelector.resourceKind`          | Object    | No       | Apply the role to all resources of a specific kind.                                                            |
| `spec.resourceSelector.resourceKind.kind`     | string    | Yes      | The resource type being referenced.                                                                            |
| `spec.resourceSelector.resourceKind.apiGroup` | string    | No       | API group of the resource type. If omitted, the kind must be in the core API group.                            |
| `spec.resourceSelector.resourceRef`           | Object    | No       | Apply the role to a single, specific resource instance.                                                        |
| `spec.resourceSelector.resourceRef.kind`      | string    | Yes      | The resource type being referenced.                                                                            |
| `spec.resourceSelector.resourceRef.name`      | string    | Yes      | Name of the resource being referenced.                                                                         |
| `spec.resourceSelector.resourceRef.uid`       | string    | Yes      | Unique identifier of the resource being referenced.                                                            |
| `spec.resourceSelector.resourceRef.apiGroup`  | string    | No       | API group of the resource. Required for third-party types; if omitted, the kind must be in the core API group. |
| `spec.resourceSelector.resourceRef.namespace` | string    | No       | Scope of the resource. Required for Project-scoped resources; omitted for Platform-scoped resources.           |

## Status fields (read-only)

| Field                       | Type      | Description                                                                   |
| --------------------------- | --------- | ----------------------------------------------------------------------------- |
| `status.conditions`         | \[]Object | Conditions representing the current status of the PolicyBinding.              |
| `status.observedGeneration` | integer   | The most recent generation observed for this PolicyBinding by the controller. |

## Usage

```yaml
apiVersion: iam.miloapis.com/v1alpha1
kind: PolicyBinding
metadata:
  name: dns-editors
spec:
  roleRef:
    name: dns-editor
  subjects:
    - kind: User
      name: alice@example.com
  resourceSelector:
    resourceKind:
      apiGroup: dns.networking.miloapis.com
      kind: DNSZone
```

```bash
datumctl apply -f policybinding.yaml --project my-project
datumctl get policybindings.iam.miloapis.com --project my-project
datumctl describe policybindings.iam.miloapis.com dns-editors --project my-project
```

<Tip>
  Run `datumctl explain policybindings.iam.miloapis.com --recursive` to see the full, live field tree for this resource.
</Tip>
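
A pre-apply check built from the Spec fields table, as an added example that is not part of the Datum documentation or tooling: it takes a manifest already parsed into a dict and reports missing required fields, a selector that sets both `resourceKind` and `resourceRef`, and bindings to `system:authenticated-users`. The function name, the finding strings, the rule that one selector member must be set, and the constructed `BROAD` manifest are assumptions made for illustration.

```python
# Added example: lint a parsed PolicyBinding manifest before apply (names are hypothetical).
SUBJECT_KINDS = {"User", "Group", "ServiceAccount"}
ALL_AUTHENTICATED = "system:authenticated-users"

def lint_policy_binding(manifest):
    """Return findings; an empty list means every check passed."""
    findings = []
    spec = manifest.get("spec") or {}
    if not (spec.get("roleRef") or {}).get("name"):
        findings.append("error: spec.roleRef.name is required")
    subjects = spec.get("subjects") or []
    if not subjects:
        findings.append("error: spec.subjects is required")
    for i, subj in enumerate(subjects):
        if subj.get("kind") not in SUBJECT_KINDS:
            findings.append(f"error: spec.subjects[{i}].kind is not User, Group, or ServiceAccount")
        if not subj.get("name"):
            findings.append(f"error: spec.subjects[{i}].name is required")
        if subj.get("name") == ALL_AUTHENTICATED:
            # Valid, but every authenticated user receives the role: flag for review.
            findings.append(f"warn: spec.subjects[{i}] binds the role to all authenticated users")
    selector = spec.get("resourceSelector") or {}
    by_kind, by_ref = selector.get("resourceKind"), selector.get("resourceRef")
    if by_kind is not None and by_ref is not None:
        findings.append("error: resourceKind and resourceRef are mutually exclusive")
    elif by_kind is None and by_ref is None:
        # Assumption: a required selector with neither member set is a mistake.
        findings.append("error: resourceSelector sets neither resourceKind nor resourceRef")
    if by_kind is not None and not by_kind.get("kind"):
        findings.append("error: resourceSelector.resourceKind.kind is required")
    if by_ref is not None:
        for field in ("kind", "name", "uid"):
            if not by_ref.get(field):
                findings.append(f"error: resourceSelector.resourceRef.{field} is required")
    return findings

# The Usage manifest from this page, as a dict.
USAGE = {"spec": {
    "roleRef": {"name": "dns-editor"},
    "subjects": [{"kind": "User", "name": "alice@example.com"}],
    "resourceSelector": {"resourceKind": {"apiGroup": "dns.networking.miloapis.com", "kind": "DNSZone"}}}}
# Constructed manifest: broad subject, both selector members set, resourceRef without uid.
BROAD = {"spec": {
    "roleRef": {"name": "dns-editor"},
    "subjects": [{"kind": "Group", "name": ALL_AUTHENTICATED}],
    "resourceSelector": {"resourceKind": {"kind": "DNSZone"},
                         "resourceRef": {"kind": "DNSZone", "name": "example-zone"}}}}

if __name__ == "__main__":
    print(lint_policy_binding(USAGE), lint_policy_binding(BROAD), sep="\n")
```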
