docs: docs update (#911)
Thank you for opening a Pull Request! Before submitting your PR, there are a few things you can do to make sure it goes smoothly:
- [ ] Make sure to open an issue as a [bug/issue](https://github.com/googleapis/google-api-python-client/issues/new/choose) before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea
- [ ] Ensure the tests and linter pass
- [ ] Code coverage does not decrease (if any source code was changed)
- [ ] Appropriate docs were updated (if necessary)
Fixes #<issue_number_goes_here> 🦕
diff --git a/docs/dyn/compute_alpha.licenseCodes.html b/docs/dyn/compute_alpha.licenseCodes.html
index 4fa1610..7f6472a 100644
--- a/docs/dyn/compute_alpha.licenseCodes.html
+++ b/docs/dyn/compute_alpha.licenseCodes.html
@@ -101,20 +101,20 @@
{ # Represents a License Code resource.
#
# A License Code is a unique identifier used to represent a license resource. Caution This resource is intended for use only by third-party partners who are creating Cloud Marketplace images. (== resource_for {$api_version}.licenseCodes ==)
- "kind": "compute#licenseCode", # [Output Only] Type of resource. Always compute#licenseCode for licenses.
- "description": "A String", # [Output Only] Description of this License Code.
- "transferable": True or False, # [Output Only] If true, the license will remain attached when creating images or snapshots from disks. Otherwise, the license is not transferred.
- "state": "A String", # [Output Only] Current state of this License Code.
- "licenseAlias": [ # [Output Only] URL and description aliases of Licenses with the same License Code.
+ "creationTimestamp": "A String", # [Output Only] Creation timestamp in RFC3339 text format.
+ "description": "A String", # [Output Only] Description of this License Code.
+ "id": "A String", # [Output Only] The unique identifier for the resource. This identifier is defined by the server.
+ "kind": "compute#licenseCode", # [Output Only] Type of resource. Always compute#licenseCode for licenses.
+ "licenseAlias": [ # [Output Only] URL and description aliases of Licenses with the same License Code.
{
- "description": "A String", # [Output Only] Description of this License Code.
- "selfLink": "A String", # [Output Only] URL of license corresponding to this License Code.
+ "description": "A String", # [Output Only] Description of this License Code.
+ "selfLink": "A String", # [Output Only] URL of license corresponding to this License Code.
},
],
- "creationTimestamp": "A String", # [Output Only] Creation timestamp in RFC3339 text format.
- "id": "A String", # [Output Only] The unique identifier for the resource. This identifier is defined by the server.
- "selfLink": "A String", # [Output Only] Server-defined URL for the resource.
- "name": "A String", # [Output Only] Name of the resource. The name is 1-20 characters long and must be a valid 64 bit integer.
+ "name": "A String", # [Output Only] Name of the resource. The name is 1-20 characters long and must be a valid 64 bit integer.
+ "selfLink": "A String", # [Output Only] Server-defined URL for the resource.
+ "state": "A String", # [Output Only] Current state of this License Code.
+ "transferable": True or False, # [Output Only] If true, the license will remain attached when creating images or snapshots from disks. Otherwise, the license is not transferred.
}</pre>
</div>
@@ -136,121 +136,79 @@
#
# A `Policy` is a collection of `bindings`. A `binding` binds one or more `members` to a single `role`. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A `role` is a named list of permissions; each `role` can be an IAM predefined role or a user-created custom role.
#
- # Optionally, a `binding` can specify a `condition`, which is a logical expression that allows access to a resource only if the expression evaluates to `true`. A condition can add constraints based on attributes of the request, the resource, or both.
+ # For some types of Google Cloud resources, a `binding` can also specify a `condition`, which is a logical expression that allows access to a resource only if the expression evaluates to `true`. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
#
# **JSON example:**
#
- # { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": ["user:eve@example.com"], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 }
+ # { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 }
#
# **YAML example:**
#
- # bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') - etag: BwWWja0YfJA= - version: 3
+ # bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') - etag: BwWWja0YfJA= - version: 3
#
# For a description of IAM and its features, see the [IAM documentation](https://cloud.google.com/iam/docs/).
- "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
+ "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
{ # Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.
#
# If there are AuditConfigs for both `allServices` and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted.
#
# Example Policy with multiple AuditConfigs:
#
- # { "audit_configs": [ { "service": "allServices" "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] }, { "log_type": "DATA_WRITE", }, { "log_type": "ADMIN_READ", } ] }, { "service": "sampleservice.googleapis.com" "audit_log_configs": [ { "log_type": "DATA_READ", }, { "log_type": "DATA_WRITE", "exempted_members": [ "user:aliya@example.com" ] } ] } ] }
+ # { "audit_configs": [ { "service": "allServices" "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] }, { "log_type": "DATA_WRITE", }, { "log_type": "ADMIN_READ", } ] }, { "service": "sampleservice.googleapis.com" "audit_log_configs": [ { "log_type": "DATA_READ", }, { "log_type": "DATA_WRITE", "exempted_members": [ "user:aliya@example.com" ] } ] } ] }
#
# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts jose@example.com from DATA_READ logging, and aliya@example.com from DATA_WRITE logging.
- "exemptedMembers": [
- "A String",
- ],
- "auditLogConfigs": [ # The configuration for logging of each type of permission.
+ "auditLogConfigs": [ # The configuration for logging of each type of permission.
{ # Provides the configuration for logging a type of permissions. Example:
#
- # { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] }, { "log_type": "DATA_WRITE", } ] }
+ # { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] }, { "log_type": "DATA_WRITE", } ] }
#
- # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from DATA_READ logging.
- "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of permission. Follows the same format of [Binding.members][].
- "A String",
+ # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from DATA_READ logging.
+ "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of permission. Follows the same format of [Binding.members][].
+ "A String",
],
- "ignoreChildExemptions": True or False,
- "logType": "A String", # The log type that this config enables.
+ "ignoreChildExemptions": True or False,
+ "logType": "A String", # The log type that this config enables.
},
],
- "service": "A String", # Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.
+ "exemptedMembers": [
+ "A String",
+ ],
+ "service": "A String", # Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.
},
],
- "rules": [ # If more than one rule is specified, the rules are applied in the following manner: - All matching LOG rules are always applied. - If any DENY/DENY_WITH_LOG rule matches, permission is denied. Logging will be applied if one or more matching rule requires logging. - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is granted. Logging will be applied if one or more matching rule requires logging. - Otherwise, if no rule applies, permission is denied.
- { # A rule to be applied in a Policy.
- "logConfigs": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries that match the LOG action.
- { # Specifies what kind of log the caller must write
- "counter": { # Increment a streamz counter with the specified metric and field names. # Counter options.
- #
- # Metric names should start with a '/', generally be lowercase-only, and end in "_count". Field names should not contain an initial slash. The actual exported metric names will have "/iam/policy" prepended.
- #
- # Field names correspond to IAM request parameters and field values are their respective values.
- #
- # Supported field names: - "authority", which is "[token]" if IAMContext.token is present, otherwise the value of IAMContext.authority_selector if present, and otherwise a representation of IAMContext.principal; or - "iam_principal", a representation of IAMContext.principal even if a token or authority selector is present; or - "" (empty string), resulting in a counter with no fields.
- #
- # Examples: counter { metric: "/debug_access_count" field: "iam_principal" } ==> increment counter /iam/policy/debug_access_count {iam_principal=[value of IAMContext.principal]}
- "field": "A String", # The field value to attribute.
- "customFields": [ # Custom fields.
- { # Custom fields. These can be used to create a counter with arbitrary field/value pairs. See: go/rpcsp-custom-fields.
- "name": "A String", # Name is the field name.
- "value": "A String", # Value is the field value. It is important that in contrast to the CounterOptions.field, the value here is a constant that is not derived from the IAMContext.
- },
- ],
- "metric": "A String", # The metric to update.
- },
- "dataAccess": { # Write a Data Access (Gin) log # Data access options.
- "logMode": "A String", # Whether Gin logging should happen in a fail-closed manner at the caller. This is currently supported in the LocalIAM implementation, Stubby C++, and Stubby Java. For Apps Framework, see go/af-audit-logging#failclosed. TODO(b/77591626): Add support for Stubby Go. TODO(b/129671387): Add support for Scaffolding.
- },
- "cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
- "logName": "A String", # The log_name to populate in the Cloud Audit Record.
- "authorizationLoggingOptions": { # Authorization-related information used by Cloud Audit Logging. # Information used by the Cloud Audit Logging pipeline.
- "permissionType": "A String", # The type of the permission that was checked.
- },
- },
- },
- ],
- "notIns": [ # If one or more 'not_in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.
- "A String",
- ],
- "ins": [ # If one or more 'in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
- "A String",
- ],
- "action": "A String", # Required
- "permissions": [ # A permission is a string of form '..' (e.g., 'storage.buckets.list'). A value of '*' matches all permissions, and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.
- "A String",
- ],
- "conditions": [ # Additional restrictions that must be met. All conditions must pass for the rule to match.
- { # A condition to be met.
- "iam": "A String", # Trusted attributes supplied by the IAM system.
- "sys": "A String", # Trusted attributes supplied by any service that owns resources and uses the IAM system for access control.
- "values": [ # The objects of the condition.
- "A String",
- ],
- "svc": "A String", # Trusted attributes discharged by the service.
- "op": "A String", # An operator to apply the subject with.
- },
- ],
- "description": "A String", # Human-readable description of the rule.
- },
- ],
- "version": 42, # Specifies the format of the policy.
- #
- # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value are rejected.
- #
- # Any operation that affects conditional role bindings must specify version `3`. This requirement applies to the following operations:
- #
- # * Getting a policy that includes a conditional role binding * Adding a conditional role binding to a policy * Changing a conditional role binding in a policy * Removing any role binding, with or without a condition, from a policy that includes conditions
- #
- # **Important:** If you use IAM Conditions, you must include the `etag` field whenever you call `setIamPolicy`. If you omit this field, then IAM allows you to overwrite a version `3` policy with a version `1` policy, and all of the conditions in the version `3` policy are lost.
- #
- # If a policy does not include any conditions, operations on that policy may specify any valid version or leave the field unset.
- "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the `etag` in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An `etag` is returned in the response to `getIamPolicy`, and systems are expected to put that etag in the request to `setIamPolicy` to ensure that their change will be applied to the same version of the policy.
- #
- # **Important:** If you use IAM Conditions, you must include the `etag` field whenever you call `setIamPolicy`. If you omit this field, then IAM allows you to overwrite a version `3` policy with a version `1` policy, and all of the conditions in the version `3` policy are lost.
- "bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a `condition` that determines how and when the `bindings` are applied. Each of the `bindings` must contain at least one member.
+ "bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a `condition` that determines how and when the `bindings` are applied. Each of the `bindings` must contain at least one member.
{ # Associates `members` with a `role`.
- "role": "A String", # Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
- "members": [ # Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values:
+ "condition": { # Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. # The condition that is associated with this binding.
+ #
+ # If the condition evaluates to `true`, then this binding applies to the current request.
+ #
+ # If the condition evaluates to `false`, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the members in this binding.
+ #
+ # To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
+ #
+ # Example (Comparison):
+ #
+ # title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100"
+ #
+ # Example (Equality):
+ #
+ # title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email"
+ #
+ # Example (Logic):
+ #
+ # title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'"
+ #
+ # Example (Data Manipulation):
+ #
+ # title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)"
+ #
+ # The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
+ "description": "A String", # Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
+ "expression": "A String", # Textual representation of an expression in Common Expression Language syntax.
+ "location": "A String", # Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
+ "title": "A String", # Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
+ },
+ "members": [ # Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values:
#
# * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account.
#
@@ -273,35 +231,85 @@
#
#
# * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`.
- "A String",
+ "A String",
],
- "condition": { # Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. # The condition that is associated with this binding. NOTE: An unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
- #
- # Example (Comparison):
- #
- # title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100"
- #
- # Example (Equality):
- #
- # title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email"
- #
- # Example (Logic):
- #
- # title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'"
- #
- # Example (Data Manipulation):
- #
- # title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)"
- #
- # The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
- "title": "A String", # Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
- "expression": "A String", # Textual representation of an expression in Common Expression Language syntax.
- "description": "A String", # Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- "location": "A String", # Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
- },
+ "role": "A String", # Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
},
],
- "iamOwned": True or False,
+ "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the `etag` in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An `etag` is returned in the response to `getIamPolicy`, and systems are expected to put that etag in the request to `setIamPolicy` to ensure that their change will be applied to the same version of the policy.
+ #
+ # **Important:** If you use IAM Conditions, you must include the `etag` field whenever you call `setIamPolicy`. If you omit this field, then IAM allows you to overwrite a version `3` policy with a version `1` policy, and all of the conditions in the version `3` policy are lost.
+ "iamOwned": True or False,
+ "rules": [ # If more than one rule is specified, the rules are applied in the following manner: - All matching LOG rules are always applied. - If any DENY/DENY_WITH_LOG rule matches, permission is denied. Logging will be applied if one or more matching rule requires logging. - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is granted. Logging will be applied if one or more matching rule requires logging. - Otherwise, if no rule applies, permission is denied.
+ { # A rule to be applied in a Policy.
+ "action": "A String", # Required
+ "conditions": [ # Additional restrictions that must be met. All conditions must pass for the rule to match.
+ { # A condition to be met.
+ "iam": "A String", # Trusted attributes supplied by the IAM system.
+ "op": "A String", # An operator to apply the subject with.
+ "svc": "A String", # Trusted attributes discharged by the service.
+ "sys": "A String", # Trusted attributes supplied by any service that owns resources and uses the IAM system for access control.
+ "values": [ # The objects of the condition.
+ "A String",
+ ],
+ },
+ ],
+ "description": "A String", # Human-readable description of the rule.
+ "ins": [ # If one or more 'in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
+ "A String",
+ ],
+ "logConfigs": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries that match the LOG action.
+ { # Specifies what kind of log the caller must write
+ "cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
+ "authorizationLoggingOptions": { # Authorization-related information used by Cloud Audit Logging. # Information used by the Cloud Audit Logging pipeline.
+ "permissionType": "A String", # The type of the permission that was checked.
+ },
+ "logName": "A String", # The log_name to populate in the Cloud Audit Record.
+ },
+ "counter": { # Increment a streamz counter with the specified metric and field names. # Counter options.
+ #
+ # Metric names should start with a '/', generally be lowercase-only, and end in "_count". Field names should not contain an initial slash. The actual exported metric names will have "/iam/policy" prepended.
+ #
+ # Field names correspond to IAM request parameters and field values are their respective values.
+ #
+ # Supported field names: - "authority", which is "[token]" if IAMContext.token is present, otherwise the value of IAMContext.authority_selector if present, and otherwise a representation of IAMContext.principal; or - "iam_principal", a representation of IAMContext.principal even if a token or authority selector is present; or - "" (empty string), resulting in a counter with no fields.
+ #
+ # Examples: counter { metric: "/debug_access_count" field: "iam_principal" } ==> increment counter /iam/policy/debug_access_count {iam_principal=[value of IAMContext.principal]}
+ "customFields": [ # Custom fields.
+ { # Custom fields. These can be used to create a counter with arbitrary field/value pairs. See: go/rpcsp-custom-fields.
+ "name": "A String", # Name is the field name.
+ "value": "A String", # Value is the field value. It is important that in contrast to the CounterOptions.field, the value here is a constant that is not derived from the IAMContext.
+ },
+ ],
+ "field": "A String", # The field value to attribute.
+ "metric": "A String", # The metric to update.
+ },
+ "dataAccess": { # Write a Data Access (Gin) log # Data access options.
+ "logMode": "A String",
+ },
+ },
+ ],
+ "notIns": [ # If one or more 'not_in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.
+ "A String",
+ ],
+ "permissions": [ # A permission is a string of form '..' (e.g., 'storage.buckets.list'). A value of '*' matches all permissions, and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.
+ "A String",
+ ],
+ },
+ ],
+ "version": 42, # Specifies the format of the policy.
+ #
+ # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value are rejected.
+ #
+ # Any operation that affects conditional role bindings must specify version `3`. This requirement applies to the following operations:
+ #
+ # * Getting a policy that includes a conditional role binding * Adding a conditional role binding to a policy * Changing a conditional role binding in a policy * Removing any role binding, with or without a condition, from a policy that includes conditions
+ #
+ # **Important:** If you use IAM Conditions, you must include the `etag` field whenever you call `setIamPolicy`. If you omit this field, then IAM allows you to overwrite a version `3` policy with a version `1` policy, and all of the conditions in the version `3` policy are lost.
+ #
+ # If a policy does not include any conditions, operations on that policy may specify any valid version or leave the field unset.
+ #
+ # To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
}</pre>
</div>
@@ -316,127 +324,146 @@
The object takes the form of:
{
- "policy": { # An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. # REQUIRED: The complete policy to be applied to the 'resource'. The size of the policy is limited to a few 10s of KB. An empty policy is in general a valid policy but certain services (like Projects) might reject them.
+ "bindings": [ # Flatten Policy to create a backward compatible wire-format. Deprecated. Use 'policy' to specify bindings.
+ { # Associates `members` with a `role`.
+ "condition": { # Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. # The condition that is associated with this binding.
+ #
+ # If the condition evaluates to `true`, then this binding applies to the current request.
+ #
+ # If the condition evaluates to `false`, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the members in this binding.
+ #
+ # To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
+ #
+ # Example (Comparison):
+ #
+ # title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100"
+ #
+ # Example (Equality):
+ #
+ # title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email"
+ #
+ # Example (Logic):
+ #
+ # title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'"
+ #
+ # Example (Data Manipulation):
+ #
+ # title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)"
+ #
+ # The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
+ "description": "A String", # Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
+ "expression": "A String", # Textual representation of an expression in Common Expression Language syntax.
+ "location": "A String", # Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
+ "title": "A String", # Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
+ },
+ "members": [ # Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values:
+ #
+ # * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account.
+ #
+ # * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account.
+ #
+ # * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@example.com` .
+ #
+ #
+ #
+ # * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`.
+ #
+ # * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`.
+ #
+ # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid}` and the recovered user retains the role in the binding.
+ #
+ # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid}` and the undeleted service account retains the role in the binding.
+ #
+ # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid}` and the recovered group retains the role in the binding.
+ #
+ #
+ #
+ # * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`.
+ "A String",
+ ],
+ "role": "A String", # Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
+ },
+ ],
+ "etag": "A String", # Flatten Policy to create a backward compatible wire-format. Deprecated. Use 'policy' to specify the etag.
+ "policy": { # An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. # REQUIRED: The complete policy to be applied to the 'resource'. The size of the policy is limited to a few 10s of KB. An empty policy is in general a valid policy but certain services (like Projects) might reject them.
#
#
#
# A `Policy` is a collection of `bindings`. A `binding` binds one or more `members` to a single `role`. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A `role` is a named list of permissions; each `role` can be an IAM predefined role or a user-created custom role.
#
- # Optionally, a `binding` can specify a `condition`, which is a logical expression that allows access to a resource only if the expression evaluates to `true`. A condition can add constraints based on attributes of the request, the resource, or both.
+ # For some types of Google Cloud resources, a `binding` can also specify a `condition`, which is a logical expression that allows access to a resource only if the expression evaluates to `true`. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
#
# **JSON example:**
#
- # { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": ["user:eve@example.com"], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 }
+ # { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 }
#
# **YAML example:**
#
- # bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') - etag: BwWWja0YfJA= - version: 3
+ # bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') - etag: BwWWja0YfJA= - version: 3
#
# For a description of IAM and its features, see the [IAM documentation](https://cloud.google.com/iam/docs/).
- "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
+ "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
{ # Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.
#
# If there are AuditConfigs for both `allServices` and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted.
#
# Example Policy with multiple AuditConfigs:
#
- # { "audit_configs": [ { "service": "allServices" "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] }, { "log_type": "DATA_WRITE", }, { "log_type": "ADMIN_READ", } ] }, { "service": "sampleservice.googleapis.com" "audit_log_configs": [ { "log_type": "DATA_READ", }, { "log_type": "DATA_WRITE", "exempted_members": [ "user:aliya@example.com" ] } ] } ] }
+ # { "audit_configs": [ { "service": "allServices" "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] }, { "log_type": "DATA_WRITE", }, { "log_type": "ADMIN_READ", } ] }, { "service": "sampleservice.googleapis.com" "audit_log_configs": [ { "log_type": "DATA_READ", }, { "log_type": "DATA_WRITE", "exempted_members": [ "user:aliya@example.com" ] } ] } ] }
#
# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts jose@example.com from DATA_READ logging, and aliya@example.com from DATA_WRITE logging.
- "exemptedMembers": [
- "A String",
- ],
- "auditLogConfigs": [ # The configuration for logging of each type of permission.
+ "auditLogConfigs": [ # The configuration for logging of each type of permission.
{ # Provides the configuration for logging a type of permissions. Example:
#
- # { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] }, { "log_type": "DATA_WRITE", } ] }
+ # { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] }, { "log_type": "DATA_WRITE", } ] }
#
- # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from DATA_READ logging.
- "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of permission. Follows the same format of [Binding.members][].
- "A String",
+ # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from DATA_READ logging.
+ "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of permission. Follows the same format of [Binding.members][].
+ "A String",
],
- "ignoreChildExemptions": True or False,
- "logType": "A String", # The log type that this config enables.
+ "ignoreChildExemptions": True or False,
+ "logType": "A String", # The log type that this config enables.
},
],
- "service": "A String", # Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.
+ "exemptedMembers": [
+ "A String",
+ ],
+ "service": "A String", # Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.
},
],
- "rules": [ # If more than one rule is specified, the rules are applied in the following manner: - All matching LOG rules are always applied. - If any DENY/DENY_WITH_LOG rule matches, permission is denied. Logging will be applied if one or more matching rule requires logging. - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is granted. Logging will be applied if one or more matching rule requires logging. - Otherwise, if no rule applies, permission is denied.
- { # A rule to be applied in a Policy.
- "logConfigs": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries that match the LOG action.
- { # Specifies what kind of log the caller must write
- "counter": { # Increment a streamz counter with the specified metric and field names. # Counter options.
- #
- # Metric names should start with a '/', generally be lowercase-only, and end in "_count". Field names should not contain an initial slash. The actual exported metric names will have "/iam/policy" prepended.
- #
- # Field names correspond to IAM request parameters and field values are their respective values.
- #
- # Supported field names: - "authority", which is "[token]" if IAMContext.token is present, otherwise the value of IAMContext.authority_selector if present, and otherwise a representation of IAMContext.principal; or - "iam_principal", a representation of IAMContext.principal even if a token or authority selector is present; or - "" (empty string), resulting in a counter with no fields.
- #
- # Examples: counter { metric: "/debug_access_count" field: "iam_principal" } ==> increment counter /iam/policy/debug_access_count {iam_principal=[value of IAMContext.principal]}
- "field": "A String", # The field value to attribute.
- "customFields": [ # Custom fields.
- { # Custom fields. These can be used to create a counter with arbitrary field/value pairs. See: go/rpcsp-custom-fields.
- "name": "A String", # Name is the field name.
- "value": "A String", # Value is the field value. It is important that in contrast to the CounterOptions.field, the value here is a constant that is not derived from the IAMContext.
- },
- ],
- "metric": "A String", # The metric to update.
- },
- "dataAccess": { # Write a Data Access (Gin) log # Data access options.
- "logMode": "A String", # Whether Gin logging should happen in a fail-closed manner at the caller. This is currently supported in the LocalIAM implementation, Stubby C++, and Stubby Java. For Apps Framework, see go/af-audit-logging#failclosed. TODO(b/77591626): Add support for Stubby Go. TODO(b/129671387): Add support for Scaffolding.
- },
- "cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
- "logName": "A String", # The log_name to populate in the Cloud Audit Record.
- "authorizationLoggingOptions": { # Authorization-related information used by Cloud Audit Logging. # Information used by the Cloud Audit Logging pipeline.
- "permissionType": "A String", # The type of the permission that was checked.
- },
- },
- },
- ],
- "notIns": [ # If one or more 'not_in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.
- "A String",
- ],
- "ins": [ # If one or more 'in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
- "A String",
- ],
- "action": "A String", # Required
- "permissions": [ # A permission is a string of form '..' (e.g., 'storage.buckets.list'). A value of '*' matches all permissions, and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.
- "A String",
- ],
- "conditions": [ # Additional restrictions that must be met. All conditions must pass for the rule to match.
- { # A condition to be met.
- "iam": "A String", # Trusted attributes supplied by the IAM system.
- "sys": "A String", # Trusted attributes supplied by any service that owns resources and uses the IAM system for access control.
- "values": [ # The objects of the condition.
- "A String",
- ],
- "svc": "A String", # Trusted attributes discharged by the service.
- "op": "A String", # An operator to apply the subject with.
- },
- ],
- "description": "A String", # Human-readable description of the rule.
- },
- ],
- "version": 42, # Specifies the format of the policy.
- #
- # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value are rejected.
- #
- # Any operation that affects conditional role bindings must specify version `3`. This requirement applies to the following operations:
- #
- # * Getting a policy that includes a conditional role binding * Adding a conditional role binding to a policy * Changing a conditional role binding in a policy * Removing any role binding, with or without a condition, from a policy that includes conditions
- #
- # **Important:** If you use IAM Conditions, you must include the `etag` field whenever you call `setIamPolicy`. If you omit this field, then IAM allows you to overwrite a version `3` policy with a version `1` policy, and all of the conditions in the version `3` policy are lost.
- #
- # If a policy does not include any conditions, operations on that policy may specify any valid version or leave the field unset.
- "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the `etag` in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An `etag` is returned in the response to `getIamPolicy`, and systems are expected to put that etag in the request to `setIamPolicy` to ensure that their change will be applied to the same version of the policy.
- #
- # **Important:** If you use IAM Conditions, you must include the `etag` field whenever you call `setIamPolicy`. If you omit this field, then IAM allows you to overwrite a version `3` policy with a version `1` policy, and all of the conditions in the version `3` policy are lost.
- "bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a `condition` that determines how and when the `bindings` are applied. Each of the `bindings` must contain at least one member.
+ "bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a `condition` that determines how and when the `bindings` are applied. Each of the `bindings` must contain at least one member.
{ # Associates `members` with a `role`.
- "role": "A String", # Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
- "members": [ # Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values:
+ "condition": { # Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. # The condition that is associated with this binding.
+ #
+ # If the condition evaluates to `true`, then this binding applies to the current request.
+ #
+ # If the condition evaluates to `false`, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the members in this binding.
+ #
+ # To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
+ #
+ # Example (Comparison):
+ #
+ # title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100"
+ #
+ # Example (Equality):
+ #
+ # title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email"
+ #
+ # Example (Logic):
+ #
+ # title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'"
+ #
+ # Example (Data Manipulation):
+ #
+ # title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)"
+ #
+ # The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
+ "description": "A String", # Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
+ "expression": "A String", # Textual representation of an expression in Common Expression Language syntax.
+ "location": "A String", # Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
+ "title": "A String", # Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
+ },
+ "members": [ # Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values:
#
# * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account.
#
@@ -459,91 +486,86 @@
#
#
# * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`.
- "A String",
+ "A String",
],
- "condition": { # Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. # The condition that is associated with this binding. NOTE: An unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
- #
- # Example (Comparison):
- #
- # title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100"
- #
- # Example (Equality):
- #
- # title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email"
- #
- # Example (Logic):
- #
- # title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'"
- #
- # Example (Data Manipulation):
- #
- # title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)"
- #
- # The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
- "title": "A String", # Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
- "expression": "A String", # Textual representation of an expression in Common Expression Language syntax.
- "description": "A String", # Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- "location": "A String", # Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
- },
+ "role": "A String", # Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
},
],
- "iamOwned": True or False,
- },
- "bindings": [ # Flatten Policy to create a backward compatible wire-format. Deprecated. Use 'policy' to specify bindings.
- { # Associates `members` with a `role`.
- "role": "A String", # Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
- "members": [ # Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values:
- #
- # * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account.
- #
- # * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account.
- #
- # * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@example.com` .
- #
- #
- #
- # * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`.
- #
- # * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`.
- #
- # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid}` and the recovered user retains the role in the binding.
- #
- # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid}` and the undeleted service account retains the role in the binding.
- #
- # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid}` and the recovered group retains the role in the binding.
- #
- #
- #
- # * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`.
- "A String",
- ],
- "condition": { # Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. # The condition that is associated with this binding. NOTE: An unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
- #
- # Example (Comparison):
- #
- # title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100"
- #
- # Example (Equality):
- #
- # title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email"
- #
- # Example (Logic):
- #
- # title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'"
- #
- # Example (Data Manipulation):
- #
- # title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)"
- #
- # The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
- "title": "A String", # Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
- "expression": "A String", # Textual representation of an expression in Common Expression Language syntax.
- "description": "A String", # Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- "location": "A String", # Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
+ "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the `etag` in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An `etag` is returned in the response to `getIamPolicy`, and systems are expected to put that etag in the request to `setIamPolicy` to ensure that their change will be applied to the same version of the policy.
+ #
+ # **Important:** If you use IAM Conditions, you must include the `etag` field whenever you call `setIamPolicy`. If you omit this field, then IAM allows you to overwrite a version `3` policy with a version `1` policy, and all of the conditions in the version `3` policy are lost.
+ "iamOwned": True or False,
+ "rules": [ # If more than one rule is specified, the rules are applied in the following manner: - All matching LOG rules are always applied. - If any DENY/DENY_WITH_LOG rule matches, permission is denied. Logging will be applied if one or more matching rule requires logging. - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is granted. Logging will be applied if one or more matching rule requires logging. - Otherwise, if no rule applies, permission is denied.
+ { # A rule to be applied in a Policy.
+ "action": "A String", # Required
+ "conditions": [ # Additional restrictions that must be met. All conditions must pass for the rule to match.
+ { # A condition to be met.
+ "iam": "A String", # Trusted attributes supplied by the IAM system.
+ "op": "A String", # An operator to apply the subject with.
+ "svc": "A String", # Trusted attributes discharged by the service.
+ "sys": "A String", # Trusted attributes supplied by any service that owns resources and uses the IAM system for access control.
+ "values": [ # The objects of the condition.
+ "A String",
+ ],
+ },
+ ],
+ "description": "A String", # Human-readable description of the rule.
+ "ins": [ # If one or more 'in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
+ "A String",
+ ],
+ "logConfigs": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries that match the LOG action.
+ { # Specifies what kind of log the caller must write
+ "cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
+ "authorizationLoggingOptions": { # Authorization-related information used by Cloud Audit Logging. # Information used by the Cloud Audit Logging pipeline.
+ "permissionType": "A String", # The type of the permission that was checked.
+ },
+ "logName": "A String", # The log_name to populate in the Cloud Audit Record.
+ },
+ "counter": { # Increment a streamz counter with the specified metric and field names. # Counter options.
+ #
+ # Metric names should start with a '/', generally be lowercase-only, and end in "_count". Field names should not contain an initial slash. The actual exported metric names will have "/iam/policy" prepended.
+ #
+ # Field names correspond to IAM request parameters and field values are their respective values.
+ #
+ # Supported field names: - "authority", which is "[token]" if IAMContext.token is present, otherwise the value of IAMContext.authority_selector if present, and otherwise a representation of IAMContext.principal; or - "iam_principal", a representation of IAMContext.principal even if a token or authority selector is present; or - "" (empty string), resulting in a counter with no fields.
+ #
+ # Examples: counter { metric: "/debug_access_count" field: "iam_principal" } ==> increment counter /iam/policy/debug_access_count {iam_principal=[value of IAMContext.principal]}
+ "customFields": [ # Custom fields.
+ { # Custom fields. These can be used to create a counter with arbitrary field/value pairs. See: go/rpcsp-custom-fields.
+ "name": "A String", # Name is the field name.
+ "value": "A String", # Value is the field value. It is important that in contrast to the CounterOptions.field, the value here is a constant that is not derived from the IAMContext.
+ },
+ ],
+ "field": "A String", # The field value to attribute.
+ "metric": "A String", # The metric to update.
+ },
+ "dataAccess": { # Write a Data Access (Gin) log # Data access options.
+ "logMode": "A String",
+ },
+ },
+ ],
+ "notIns": [ # If one or more 'not_in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.
+ "A String",
+ ],
+ "permissions": [ # A permission is a string of form '..' (e.g., 'storage.buckets.list'). A value of '*' matches all permissions, and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.
+ "A String",
+ ],
},
- },
- ],
- "etag": "A String", # Flatten Policy to create a backward compatible wire-format. Deprecated. Use 'policy' to specify the etag.
+ ],
+ "version": 42, # Specifies the format of the policy.
+ #
+ # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value are rejected.
+ #
+ # Any operation that affects conditional role bindings must specify version `3`. This requirement applies to the following operations:
+ #
+ # * Getting a policy that includes a conditional role binding * Adding a conditional role binding to a policy * Changing a conditional role binding in a policy * Removing any role binding, with or without a condition, from a policy that includes conditions
+ #
+ # **Important:** If you use IAM Conditions, you must include the `etag` field whenever you call `setIamPolicy`. If you omit this field, then IAM allows you to overwrite a version `3` policy with a version `1` policy, and all of the conditions in the version `3` policy are lost.
+ #
+ # If a policy does not include any conditions, operations on that policy may specify any valid version or leave the field unset.
+ #
+ # To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
+ },
}
@@ -556,121 +578,79 @@
#
# A `Policy` is a collection of `bindings`. A `binding` binds one or more `members` to a single `role`. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A `role` is a named list of permissions; each `role` can be an IAM predefined role or a user-created custom role.
#
- # Optionally, a `binding` can specify a `condition`, which is a logical expression that allows access to a resource only if the expression evaluates to `true`. A condition can add constraints based on attributes of the request, the resource, or both.
+ # For some types of Google Cloud resources, a `binding` can also specify a `condition`, which is a logical expression that allows access to a resource only if the expression evaluates to `true`. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
#
# **JSON example:**
#
- # { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": ["user:eve@example.com"], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 }
+ # { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 }
#
# **YAML example:**
#
- # bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') - etag: BwWWja0YfJA= - version: 3
+ # bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') - etag: BwWWja0YfJA= - version: 3
#
# For a description of IAM and its features, see the [IAM documentation](https://cloud.google.com/iam/docs/).
- "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
+ "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
{ # Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.
#
# If there are AuditConfigs for both `allServices` and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted.
#
# Example Policy with multiple AuditConfigs:
#
- # { "audit_configs": [ { "service": "allServices" "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] }, { "log_type": "DATA_WRITE", }, { "log_type": "ADMIN_READ", } ] }, { "service": "sampleservice.googleapis.com" "audit_log_configs": [ { "log_type": "DATA_READ", }, { "log_type": "DATA_WRITE", "exempted_members": [ "user:aliya@example.com" ] } ] } ] }
+ # { "audit_configs": [ { "service": "allServices" "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] }, { "log_type": "DATA_WRITE", }, { "log_type": "ADMIN_READ", } ] }, { "service": "sampleservice.googleapis.com" "audit_log_configs": [ { "log_type": "DATA_READ", }, { "log_type": "DATA_WRITE", "exempted_members": [ "user:aliya@example.com" ] } ] } ] }
#
# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts jose@example.com from DATA_READ logging, and aliya@example.com from DATA_WRITE logging.
- "exemptedMembers": [
- "A String",
- ],
- "auditLogConfigs": [ # The configuration for logging of each type of permission.
+ "auditLogConfigs": [ # The configuration for logging of each type of permission.
{ # Provides the configuration for logging a type of permissions. Example:
#
- # { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] }, { "log_type": "DATA_WRITE", } ] }
+ # { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] }, { "log_type": "DATA_WRITE", } ] }
#
- # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from DATA_READ logging.
- "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of permission. Follows the same format of [Binding.members][].
- "A String",
+ # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from DATA_READ logging.
+ "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of permission. Follows the same format of [Binding.members][].
+ "A String",
],
- "ignoreChildExemptions": True or False,
- "logType": "A String", # The log type that this config enables.
+ "ignoreChildExemptions": True or False,
+ "logType": "A String", # The log type that this config enables.
},
],
- "service": "A String", # Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.
+ "exemptedMembers": [
+ "A String",
+ ],
+ "service": "A String", # Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.
},
],
- "rules": [ # If more than one rule is specified, the rules are applied in the following manner: - All matching LOG rules are always applied. - If any DENY/DENY_WITH_LOG rule matches, permission is denied. Logging will be applied if one or more matching rule requires logging. - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is granted. Logging will be applied if one or more matching rule requires logging. - Otherwise, if no rule applies, permission is denied.
- { # A rule to be applied in a Policy.
- "logConfigs": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries that match the LOG action.
- { # Specifies what kind of log the caller must write
- "counter": { # Increment a streamz counter with the specified metric and field names. # Counter options.
- #
- # Metric names should start with a '/', generally be lowercase-only, and end in "_count". Field names should not contain an initial slash. The actual exported metric names will have "/iam/policy" prepended.
- #
- # Field names correspond to IAM request parameters and field values are their respective values.
- #
- # Supported field names: - "authority", which is "[token]" if IAMContext.token is present, otherwise the value of IAMContext.authority_selector if present, and otherwise a representation of IAMContext.principal; or - "iam_principal", a representation of IAMContext.principal even if a token or authority selector is present; or - "" (empty string), resulting in a counter with no fields.
- #
- # Examples: counter { metric: "/debug_access_count" field: "iam_principal" } ==> increment counter /iam/policy/debug_access_count {iam_principal=[value of IAMContext.principal]}
- "field": "A String", # The field value to attribute.
- "customFields": [ # Custom fields.
- { # Custom fields. These can be used to create a counter with arbitrary field/value pairs. See: go/rpcsp-custom-fields.
- "name": "A String", # Name is the field name.
- "value": "A String", # Value is the field value. It is important that in contrast to the CounterOptions.field, the value here is a constant that is not derived from the IAMContext.
- },
- ],
- "metric": "A String", # The metric to update.
- },
- "dataAccess": { # Write a Data Access (Gin) log # Data access options.
- "logMode": "A String", # Whether Gin logging should happen in a fail-closed manner at the caller. This is currently supported in the LocalIAM implementation, Stubby C++, and Stubby Java. For Apps Framework, see go/af-audit-logging#failclosed. TODO(b/77591626): Add support for Stubby Go. TODO(b/129671387): Add support for Scaffolding.
- },
- "cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
- "logName": "A String", # The log_name to populate in the Cloud Audit Record.
- "authorizationLoggingOptions": { # Authorization-related information used by Cloud Audit Logging. # Information used by the Cloud Audit Logging pipeline.
- "permissionType": "A String", # The type of the permission that was checked.
- },
- },
- },
- ],
- "notIns": [ # If one or more 'not_in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.
- "A String",
- ],
- "ins": [ # If one or more 'in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
- "A String",
- ],
- "action": "A String", # Required
- "permissions": [ # A permission is a string of form '..' (e.g., 'storage.buckets.list'). A value of '*' matches all permissions, and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.
- "A String",
- ],
- "conditions": [ # Additional restrictions that must be met. All conditions must pass for the rule to match.
- { # A condition to be met.
- "iam": "A String", # Trusted attributes supplied by the IAM system.
- "sys": "A String", # Trusted attributes supplied by any service that owns resources and uses the IAM system for access control.
- "values": [ # The objects of the condition.
- "A String",
- ],
- "svc": "A String", # Trusted attributes discharged by the service.
- "op": "A String", # An operator to apply the subject with.
- },
- ],
- "description": "A String", # Human-readable description of the rule.
- },
- ],
- "version": 42, # Specifies the format of the policy.
- #
- # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value are rejected.
- #
- # Any operation that affects conditional role bindings must specify version `3`. This requirement applies to the following operations:
- #
- # * Getting a policy that includes a conditional role binding * Adding a conditional role binding to a policy * Changing a conditional role binding in a policy * Removing any role binding, with or without a condition, from a policy that includes conditions
- #
- # **Important:** If you use IAM Conditions, you must include the `etag` field whenever you call `setIamPolicy`. If you omit this field, then IAM allows you to overwrite a version `3` policy with a version `1` policy, and all of the conditions in the version `3` policy are lost.
- #
- # If a policy does not include any conditions, operations on that policy may specify any valid version or leave the field unset.
- "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the `etag` in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An `etag` is returned in the response to `getIamPolicy`, and systems are expected to put that etag in the request to `setIamPolicy` to ensure that their change will be applied to the same version of the policy.
- #
- # **Important:** If you use IAM Conditions, you must include the `etag` field whenever you call `setIamPolicy`. If you omit this field, then IAM allows you to overwrite a version `3` policy with a version `1` policy, and all of the conditions in the version `3` policy are lost.
- "bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a `condition` that determines how and when the `bindings` are applied. Each of the `bindings` must contain at least one member.
+ "bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a `condition` that determines how and when the `bindings` are applied. Each of the `bindings` must contain at least one member.
{ # Associates `members` with a `role`.
- "role": "A String", # Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
- "members": [ # Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values:
+ "condition": { # Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. # The condition that is associated with this binding.
+ #
+ # If the condition evaluates to `true`, then this binding applies to the current request.
+ #
+ # If the condition evaluates to `false`, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the members in this binding.
+ #
+ # To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
+ #
+ # Example (Comparison):
+ #
+ # title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100"
+ #
+ # Example (Equality):
+ #
+ # title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email"
+ #
+ # Example (Logic):
+ #
+ # title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'"
+ #
+ # Example (Data Manipulation):
+ #
+ # title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)"
+ #
+ # The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
+ "description": "A String", # Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
+ "expression": "A String", # Textual representation of an expression in Common Expression Language syntax.
+ "location": "A String", # Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
+ "title": "A String", # Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
+ },
+ "members": [ # Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values:
#
# * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account.
#
@@ -693,35 +673,85 @@
#
#
# * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`.
- "A String",
+ "A String",
],
- "condition": { # Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. # The condition that is associated with this binding. NOTE: An unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
- #
- # Example (Comparison):
- #
- # title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100"
- #
- # Example (Equality):
- #
- # title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email"
- #
- # Example (Logic):
- #
- # title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'"
- #
- # Example (Data Manipulation):
- #
- # title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)"
- #
- # The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
- "title": "A String", # Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
- "expression": "A String", # Textual representation of an expression in Common Expression Language syntax.
- "description": "A String", # Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- "location": "A String", # Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
- },
+ "role": "A String", # Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
},
],
- "iamOwned": True or False,
+ "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the `etag` in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An `etag` is returned in the response to `getIamPolicy`, and systems are expected to put that etag in the request to `setIamPolicy` to ensure that their change will be applied to the same version of the policy.
+ #
+ # **Important:** If you use IAM Conditions, you must include the `etag` field whenever you call `setIamPolicy`. If you omit this field, then IAM allows you to overwrite a version `3` policy with a version `1` policy, and all of the conditions in the version `3` policy are lost.
+ "iamOwned": True or False,
+ "rules": [ # If more than one rule is specified, the rules are applied in the following manner: - All matching LOG rules are always applied. - If any DENY/DENY_WITH_LOG rule matches, permission is denied. Logging will be applied if one or more matching rule requires logging. - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is granted. Logging will be applied if one or more matching rule requires logging. - Otherwise, if no rule applies, permission is denied.
+ { # A rule to be applied in a Policy.
+ "action": "A String", # Required
+ "conditions": [ # Additional restrictions that must be met. All conditions must pass for the rule to match.
+ { # A condition to be met.
+ "iam": "A String", # Trusted attributes supplied by the IAM system.
+ "op": "A String", # An operator to apply the subject with.
+ "svc": "A String", # Trusted attributes discharged by the service.
+ "sys": "A String", # Trusted attributes supplied by any service that owns resources and uses the IAM system for access control.
+ "values": [ # The objects of the condition.
+ "A String",
+ ],
+ },
+ ],
+ "description": "A String", # Human-readable description of the rule.
+ "ins": [ # If one or more 'in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
+ "A String",
+ ],
+ "logConfigs": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries that match the LOG action.
+ { # Specifies what kind of log the caller must write
+ "cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
+ "authorizationLoggingOptions": { # Authorization-related information used by Cloud Audit Logging. # Information used by the Cloud Audit Logging pipeline.
+ "permissionType": "A String", # The type of the permission that was checked.
+ },
+ "logName": "A String", # The log_name to populate in the Cloud Audit Record.
+ },
+ "counter": { # Increment a streamz counter with the specified metric and field names. # Counter options.
+ #
+ # Metric names should start with a '/', generally be lowercase-only, and end in "_count". Field names should not contain an initial slash. The actual exported metric names will have "/iam/policy" prepended.
+ #
+ # Field names correspond to IAM request parameters and field values are their respective values.
+ #
+ # Supported field names: - "authority", which is "[token]" if IAMContext.token is present, otherwise the value of IAMContext.authority_selector if present, and otherwise a representation of IAMContext.principal; or - "iam_principal", a representation of IAMContext.principal even if a token or authority selector is present; or - "" (empty string), resulting in a counter with no fields.
+ #
+ # Examples: counter { metric: "/debug_access_count" field: "iam_principal" } ==> increment counter /iam/policy/debug_access_count {iam_principal=[value of IAMContext.principal]}
+ "customFields": [ # Custom fields.
+ { # Custom fields. These can be used to create a counter with arbitrary field/value pairs. See: go/rpcsp-custom-fields.
+ "name": "A String", # Name is the field name.
+ "value": "A String", # Value is the field value. It is important that in contrast to the CounterOptions.field, the value here is a constant that is not derived from the IAMContext.
+ },
+ ],
+ "field": "A String", # The field value to attribute.
+ "metric": "A String", # The metric to update.
+ },
+ "dataAccess": { # Write a Data Access (Gin) log # Data access options.
+ "logMode": "A String",
+ },
+ },
+ ],
+ "notIns": [ # If one or more 'not_in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.
+ "A String",
+ ],
+ "permissions": [ # A permission is a string of form '..' (e.g., 'storage.buckets.list'). A value of '*' matches all permissions, and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.
+ "A String",
+ ],
+ },
+ ],
+ "version": 42, # Specifies the format of the policy.
+ #
+ # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value are rejected.
+ #
+ # Any operation that affects conditional role bindings must specify version `3`. This requirement applies to the following operations:
+ #
+ # * Getting a policy that includes a conditional role binding * Adding a conditional role binding to a policy * Changing a conditional role binding in a policy * Removing any role binding, with or without a condition, from a policy that includes conditions
+ #
+ # **Important:** If you use IAM Conditions, you must include the `etag` field whenever you call `setIamPolicy`. If you omit this field, then IAM allows you to overwrite a version `3` policy with a version `1` policy, and all of the conditions in the version `3` policy are lost.
+ #
+ # If a policy does not include any conditions, operations on that policy may specify any valid version or leave the field unset.
+ #
+ # To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
}</pre>
</div>
@@ -736,8 +766,8 @@
The object takes the form of:
{
- "permissions": [ # The set of permissions to check for the 'resource'. Permissions with wildcards (such as '*' or 'storage.*') are not allowed.
- "A String",
+ "permissions": [ # The set of permissions to check for the 'resource'. Permissions with wildcards (such as '*' or 'storage.*') are not allowed.
+ "A String",
],
}
@@ -746,8 +776,8 @@
An object of the form:
{
- "permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is allowed.
- "A String",
+ "permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is allowed.
+ "A String",
],
}</pre>
</div>