- release_tracks: [ALPHA, BETA, GA]

  help_text:
    brief: Set the IAM policy for a service.
    description: |
      This command replaces the existing IAM policy for a service, given a service
      and a file encoded in JSON or YAML that contains the IAM policy. If the
      given policy file specifies an "etag" value, then the replacement will
      succeed only if the policy already in place matches that etag. (An etag
      obtain via `get-iam-policy` will prevent the replacement if the policy
      for the service has been subsequently updated.) A policy file that does not
      contain an etag value will replace any existing policy for the service.
    examples: |
      The following command will read an IAM policy defined in a JSON file
      'policy.json' and set it for a service with identifier
      'my-service'

        $ {command} --region=us-central1 my-service policy.json

      See https://cloud.google.com/iam/docs/managing-policies for details of the
      policy file format and contents.

  request:
    collection: run.projects.locations.services
    modify_request_hooks:
    - googlecloudsdk.command_lib.run.platforms:ValidatePlatformIsManaged

  arguments:
    resource:
      help_text: The service for which to set the IAM policy.
      spec: !REF googlecloudsdk.command_lib.run.resources:service
      # The --region flag is specified at the group level, so don't try to add it here
      removed_flags: ['region']
      command_level_fallthroughs:
        region:
        - arg_name: 'region'

  ALPHA:
    iam:
      policy_version: 3
      get_iam_policy_version_path: options_requestedPolicyVersion
  BETA:
    iam:
      policy_version: 3
      get_iam_policy_version_path: options_requestedPolicyVersion
  GA:
    iam:
      policy_version: 3
      get_iam_policy_version_path: options_requestedPolicyVersion