--- title: Getting Started with Datadog description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: Docs > Infrastructure > Datadog Resource Catalog --- # gcp_privilegedaccessmanager_grant{% #gcp_privilegedaccessmanager_grant %} ## `additional_email_recipients`{% #additional_email_recipients %} **Type**: `UNORDERED_LIST_STRING`**Provider name**: `additionalEmailRecipients`**Description**: Optional. Additional email addresses to notify for all the actions performed on the grant. ## `ancestors`{% #ancestors %} **Type**: `UNORDERED_LIST_STRING` ## `audit_trail`{% #audit_trail %} **Type**: `STRUCT`**Provider name**: `auditTrail`**Description**: Output only. Audit trail of access provided by this grant. If unspecified then access was never granted. - `access_grant_time`**Type**: `TIMESTAMP`**Provider name**: `accessGrantTime`**Description**: Output only. The time at which access was given. - `access_remove_time`**Type**: `TIMESTAMP`**Provider name**: `accessRemoveTime`**Description**: Output only. The time at which the system removed access. This could be because of an automatic expiry or because of a revocation. If unspecified, then access hasn't been removed yet. ## `create_time`{% #create_time %} **Type**: `TIMESTAMP`**Provider name**: `createTime`**Description**: Output only. Create time stamp. ## `externally_modified`{% #externally_modified %} **Type**: `BOOLEAN`**Provider name**: `externallyModified`**Description**: Output only. Flag set by the PAM system to indicate that policy bindings made by this grant have been modified from outside PAM. After it is set, this flag remains set forever irrespective of the grant state. A `true` value here indicates that PAM no longer has any certainty on the access a user has because of this grant. ## `justification`{% #justification %} **Type**: `STRUCT`**Provider name**: `justification`**Description**: Optional. Justification of why this access is needed. - `unstructured_justification`**Type**: `STRING`**Provider name**: `unstructuredJustification`**Description**: A free form textual justification. The system only ensures that this is not empty. No other kind of validation is performed on the string. ## `labels`{% #labels %} **Type**: `UNORDERED_LIST_STRING` ## `name`{% #name %} **Type**: `STRING`**Provider name**: `name`**Description**: Identifier. Name of this grant. Possible formats: * `organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant-id}` * `folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant-id}` * `projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant-id}` The last segment of this name (`{grant-id}`) is autogenerated. ## `organization_id`{% #organization_id %} **Type**: `STRING` ## `parent`{% #parent %} **Type**: `STRING` ## `privileged_access`{% #privileged_access %} **Type**: `STRUCT`**Provider name**: `privilegedAccess`**Description**: Output only. The access that would be granted by this grant. - `gcp_iam_access`**Type**: `STRUCT`**Provider name**: `gcpIamAccess`**Description**: Access to a Google Cloud resource through IAM. - `resource`**Type**: `STRING`**Provider name**: `resource`**Description**: Required. Name of the resource. - `resource_type`**Type**: `STRING`**Provider name**: `resourceType`**Description**: Required. The type of this resource. - `role_bindings`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `roleBindings`**Description**: Required. Role bindings that are created on successful grant. - `condition_expression`**Type**: `STRING`**Provider name**: `conditionExpression`**Description**: Optional. The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement is able to access the resource only if this condition evaluates to true for their request. This field uses the same CEL format as IAM and supports all attributes that IAM supports, except tags. [https://cloud.google.com/iam/docs/conditions-overview#attributes](https://cloud.google.com/iam/docs/conditions-overview#attributes). - `role`**Type**: `STRING`**Provider name**: `role`**Description**: Required. IAM role to be granted. [https://cloud.google.com/iam/docs/roles-overview](https://cloud.google.com/iam/docs/roles-overview). ## `project_id`{% #project_id %} **Type**: `STRING` ## `project_number`{% #project_number %} **Type**: `STRING` ## `region_id`{% #region_id %} **Type**: `STRING` ## `requested_duration`{% #requested_duration %} **Type**: `STRING`**Provider name**: `requestedDuration`**Description**: Required. The amount of time access is needed for. This value should be less than the `max_request_duration` value of the entitlement. ## `requester`{% #requester %} **Type**: `STRING`**Provider name**: `requester`**Description**: Output only. Username of the user who created this grant. ## `resource_name`{% #resource_name %} **Type**: `STRING` ## `state`{% #state %} **Type**: `STRING`**Provider name**: `state`**Description**: Output only. Current state of this grant.**Possible values**: - `STATE_UNSPECIFIED` - Unspecified state. This value is never returned by the server. - `APPROVAL_AWAITED` - The entitlement had an approval workflow configured and this grant is waiting for the workflow to complete. - `DENIED` - The approval workflow completed with a denied result. No access is granted for this grant. This is a terminal state. - `SCHEDULED` - The approval workflow completed successfully with an approved result or none was configured. Access is provided at an appropriate time. - `ACTIVATING` - Access is being given. - `ACTIVE` - Access was successfully given and is currently active. - `ACTIVATION_FAILED` - The system could not give access due to a non-retriable error. This is a terminal state. - `EXPIRED` - Expired after waiting for the approval workflow to complete. This is a terminal state. - `REVOKING` - Access is being revoked. - `REVOKED` - Access was revoked by a user. This is a terminal state. - `ENDED` - System took back access as the requested duration was over. This is a terminal state. - `WITHDRAWING` - Access is being withdrawn. - `WITHDRAWN` - Grant was withdrawn by the grant owner. This is a terminal state. ## `tags`{% #tags %} **Type**: `UNORDERED_LIST_STRING` ## `timeline`{% #timeline %} **Type**: `STRUCT`**Provider name**: `timeline`**Description**: Output only. Timeline of this grant. - `events`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `events`**Description**: Output only. The events that have occurred on this grant. This list contains entries in the same order as they occurred. The first entry is always be of type `Requested` and there is always at least one entry in this array. - `activated`**Type**: `STRUCT`**Provider name**: `activated`**Description**: The grant was successfully activated to give access. - `activation_failed`**Type**: `STRUCT`**Provider name**: `activationFailed`**Description**: There was a non-retriable error while trying to give access. - `error`**Type**: `STRUCT`**Provider name**: `error`**Description**: Output only. The error that occurred while activating the grant. - `code`**Type**: `INT32`**Provider name**: `code`**Description**: The status code, which should be an enum value of google.rpc.Code. - `message`**Type**: `STRING`**Provider name**: `message`**Description**: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. - `approved`**Type**: `STRUCT`**Provider name**: `approved`**Description**: The grant was approved. - `actor`**Type**: `STRING`**Provider name**: `actor`**Description**: Output only. Username of the user who approved the grant. - `reason`**Type**: `STRING`**Provider name**: `reason`**Description**: Output only. The reason provided by the approver for approving the grant. - `denied`**Type**: `STRUCT`**Provider name**: `denied`**Description**: The grant was denied. - `actor`**Type**: `STRING`**Provider name**: `actor`**Description**: Output only. Username of the user who denied the grant. - `reason`**Type**: `STRING`**Provider name**: `reason`**Description**: Output only. The reason provided by the approver for denying the grant. - `ended`**Type**: `STRUCT`**Provider name**: `ended`**Description**: Access given by the grant ended automatically as the approved duration was over. - `event_time`**Type**: `TIMESTAMP`**Provider name**: `eventTime`**Description**: Output only. The time (as recorded at server) when this event occurred. - `expired`**Type**: `STRUCT`**Provider name**: `expired`**Description**: The approval workflow did not complete in the necessary duration, and so the grant is expired. - `externally_modified`**Type**: `STRUCT`**Provider name**: `externallyModified`**Description**: The policy bindings made by grant have been modified outside of PAM. - `requested`**Type**: `STRUCT`**Provider name**: `requested`**Description**: The grant was requested. - `expire_time`**Type**: `TIMESTAMP`**Provider name**: `expireTime`**Description**: Output only. The time at which this grant expires unless the approval workflow completes. If omitted, then the request never expires. - `revoked`**Type**: `STRUCT`**Provider name**: `revoked`**Description**: The grant was revoked. - `actor`**Type**: `STRING`**Provider name**: `actor`**Description**: Output only. Username of the user who revoked the grant. - `reason`**Type**: `STRING`**Provider name**: `reason`**Description**: Output only. The reason provided by the user for revoking the grant. - `scheduled`**Type**: `STRUCT`**Provider name**: `scheduled`**Description**: The grant has been scheduled to give access. - `scheduled_activation_time`**Type**: `TIMESTAMP`**Provider name**: `scheduledActivationTime`**Description**: Output only. The time at which the access is granted. - `withdrawn`**Type**: `STRUCT`**Provider name**: `withdrawn`**Description**: The grant was withdrawn. ## `update_time`{% #update_time %} **Type**: `TIMESTAMP`**Provider name**: `updateTime`**Description**: Output only. Update time stamp. ## `zone_id`{% #zone_id %} **Type**: `STRING`