| <html><body> |
| <style> |
| |
| body, h1, h2, h3, div, span, p, pre, a { |
| margin: 0; |
| padding: 0; |
| border: 0; |
| font-weight: inherit; |
| font-style: inherit; |
| font-size: 100%; |
| font-family: inherit; |
| vertical-align: baseline; |
| } |
| |
| body { |
| font-size: 13px; |
| padding: 1em; |
| } |
| |
| h1 { |
| font-size: 26px; |
| margin-bottom: 1em; |
| } |
| |
| h2 { |
| font-size: 24px; |
| margin-bottom: 1em; |
| } |
| |
| h3 { |
| font-size: 20px; |
| margin-bottom: 1em; |
| margin-top: 1em; |
| } |
| |
| pre, code { |
| line-height: 1.5; |
| font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; |
| } |
| |
| pre { |
| margin-top: 0.5em; |
| } |
| |
| h1, h2, h3, p { |
| font-family: Arial, sans serif; |
| } |
| |
| h1, h2, h3 { |
| border-bottom: solid #CCC 1px; |
| } |
| |
| .toc_element { |
| margin-top: 0.5em; |
| } |
| |
| .firstline { |
| margin-left: 2 em; |
| } |
| |
| .method { |
| margin-top: 1em; |
| border: solid 1px #CCC; |
| padding: 1em; |
| background: #EEE; |
| } |
| |
| .details { |
| font-weight: bold; |
| font-size: 14px; |
| } |
| |
| </style> |
| |
| <h1><a href="cloudasset_v1p4beta1.html">Cloud Asset API</a> . <a href="cloudasset_v1p4beta1.v1p4beta1.html">v1p4beta1</a></h1> |
| <h2>Instance Methods</h2> |
| <p class="toc_element"> |
| <code><a href="#analyzeIamPolicy">analyzeIamPolicy(parent, options_analyzeServiceAccountImpersonation=None, options_outputResourceEdges=None, options_expandResources=None, analysisQuery_accessSelector_roles=None, options_expandRoles=None, analysisQuery_accessSelector_permissions=None, options_executionTimeout=None, options_outputGroupEdges=None, options_expandGroups=None, analysisQuery_identitySelector_identity=None, analysisQuery_resourceSelector_fullResourceName=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Analyzes IAM policies based on the specified request. Returns</p> |
| <p class="toc_element"> |
| <code><a href="#exportIamPolicyAnalysis">exportIamPolicyAnalysis(parent, body=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Exports IAM policy analysis based on the specified request. This API</p> |
| <h3>Method Details</h3> |
| <div class="method"> |
| <code class="details" id="analyzeIamPolicy">analyzeIamPolicy(parent, options_analyzeServiceAccountImpersonation=None, options_outputResourceEdges=None, options_expandResources=None, analysisQuery_accessSelector_roles=None, options_expandRoles=None, analysisQuery_accessSelector_permissions=None, options_executionTimeout=None, options_outputGroupEdges=None, options_expandGroups=None, analysisQuery_identitySelector_identity=None, analysisQuery_resourceSelector_fullResourceName=None, x__xgafv=None)</code> |
| <pre>Analyzes IAM policies based on the specified request. Returns |
| a list of IamPolicyAnalysisResult matching the request. |
| |
| Args: |
| parent: string, Required. The relative name of the root asset. Only resources and IAM policies within |
| the parent will be analyzed. This can only be an organization number (such |
| as "organizations/123") or a folder number (such as "folders/123"). (required) |
| options_analyzeServiceAccountImpersonation: boolean, Optional. If true, the response will include access analysis from identities to |
| resources via service account impersonation. This is a very expensive |
| operation, because many derived queries will be executed. We highly |
| recommend you use ExportIamPolicyAnalysis rpc instead. |
| |
| For example, if the request analyzes for which resources user A has |
| permission P, and there's an IAM policy states user A has |
| iam.serviceAccounts.getAccessToken permission to a service account SA, |
| and there's another IAM policy states service account SA has permission P |
| to a GCP folder F, then user A potentially has access to the GCP folder |
| F. And those advanced analysis results will be included in |
| AnalyzeIamPolicyResponse.service_account_impersonation_analysis. |
| |
| Another example, if the request analyzes for who has |
| permission P to a GCP folder F, and there's an IAM policy states user A |
| has iam.serviceAccounts.actAs permission to a service account SA, and |
| there's another IAM policy states service account SA has permission P to |
| the GCP folder F, then user A potentially has access to the GCP folder |
| F. And those advanced analysis results will be included in |
| AnalyzeIamPolicyResponse.service_account_impersonation_analysis. |
| |
| Default is false. |
| options_outputResourceEdges: boolean, Optional. If true, the result will output resource edges, starting |
| from the policy attached resource, to any expanded resources. |
| Default is false. |
| options_expandResources: boolean, Optional. If true, the resource section of the result will expand any |
| resource attached to an IAM policy to include resources lower in the |
| resource hierarchy. |
| |
| For example, if the request analyzes for which resources user A has |
| permission P, and the results include an IAM policy with P on a GCP |
| folder, the results will also include resources in that folder with |
| permission P. |
| |
| If resource_selector is specified, the resource section of the result |
| will be determined by the selector, and this flag will have no effect. |
| Default is false. |
| analysisQuery_accessSelector_roles: string, Optional. The roles to appear in result. (repeated) |
| options_expandRoles: boolean, Optional. If true, the access section of result will expand any roles |
| appearing in IAM policy bindings to include their permissions. |
| |
| If access_selector is specified, the access section of the result |
| will be determined by the selector, and this flag will have no effect. |
| |
| Default is false. |
| analysisQuery_accessSelector_permissions: string, Optional. The permissions to appear in result. (repeated) |
| options_executionTimeout: string, Optional. Amount of time executable has to complete. See JSON representation of |
| [Duration](https://developers.google.com/protocol-buffers/docs/proto3#json). |
| |
| If this field is set with a value less than the RPC deadline, and the |
| execution of your query hasn't finished in the specified |
| execution timeout, you will get a response with partial result. |
| Otherwise, your query's execution will continue until the RPC deadline. |
| If it's not finished until then, you will get a DEADLINE_EXCEEDED error. |
| |
| Default is empty. |
| options_outputGroupEdges: boolean, Optional. If true, the result will output group identity edges, starting |
| from the binding's group members, to any expanded identities. |
| Default is false. |
| options_expandGroups: boolean, Optional. If true, the identities section of the result will expand any |
| Google groups appearing in an IAM policy binding. |
| |
| If identity_selector is specified, the identity in the result will |
| be determined by the selector, and this flag will have no effect. |
| |
| Default is false. |
| analysisQuery_identitySelector_identity: string, Required. The identity appear in the form of members in |
| [IAM policy |
| binding](https://cloud.google.com/iam/reference/rest/v1/Binding). |
| analysisQuery_resourceSelector_fullResourceName: string, Required. The [full resource |
| name](https://cloud.google.com/apis/design/resource_names#full_resource_name) |
| . |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # A response message for AssetService.AnalyzeIamPolicy. |
| "fullyExplored": True or False, # Represents whether all entries in the main_analysis and |
| # service_account_impersonation_analysis have been fully explored to |
| # answer the query in the request. |
| "nonCriticalErrors": [ # A list of non-critical errors happened during the request handling to |
| # explain why `fully_explored` is false, or empty if no error happened. |
| { # Represents analysis state of each node in the result graph or non-critical |
| # errors in the response. |
| "code": "A String", # The Google standard error code that best describes the state. |
| # For example: |
| # - OK means the node has been successfully explored; |
| # - PERMISSION_DENIED means an access denied error is encountered; |
| # - DEADLINE_EXCEEDED means the node hasn't been explored in time; |
| "cause": "A String", # The human-readable description of the cause of failure. |
| }, |
| ], |
| "mainAnalysis": { # An analysis message to group the query and results. # The main analysis that matches the original request. |
| "fullyExplored": True or False, # Represents whether all entries in the analysis_results have been |
| # fully explored to answer the query. |
| "analysisQuery": { # IAM policy analysis query message. # The analysis query. |
| "parent": "A String", # Required. The relative name of the root asset. Only resources and IAM policies within |
| # the parent will be analyzed. This can only be an organization number (such |
| # as "organizations/123") or a folder number (such as "folders/123"). |
| "resourceSelector": { # Specifies the resource to analyze for access policies, which may be set # Optional. Specifies a resource for analysis. Leaving it empty means ANY. |
| # directly on the resource, or on ancestors such as organizations, folders or |
| # projects. At least one of ResourceSelector, IdentitySelector or |
| # AccessSelector must be specified in a request. |
| "fullResourceName": "A String", # Required. The [full resource |
| # name](https://cloud.google.com/apis/design/resource_names#full_resource_name) |
| # . |
| }, |
| "accessSelector": { # Specifies roles and/or permissions to analyze, to determine both the # Optional. Specifies roles or permissions for analysis. Leaving it empty |
| # means ANY. |
| # identities possessing them and the resources they control. If multiple |
| # values are specified, results will include identities and resources |
| # matching any of them. |
| "roles": [ # Optional. The roles to appear in result. |
| "A String", |
| ], |
| "permissions": [ # Optional. The permissions to appear in result. |
| "A String", |
| ], |
| }, |
| "identitySelector": { # Specifies an identity for which to determine resource access, based on # Optional. Specifies an identity for analysis. Leaving it empty means ANY. |
| # roles assigned either directly to them or to the groups they belong to, |
| # directly or indirectly. |
| "identity": "A String", # Required. The identity appear in the form of members in |
| # [IAM policy |
| # binding](https://cloud.google.com/iam/reference/rest/v1/Binding). |
| }, |
| }, |
| "analysisResults": [ # A list of IamPolicyAnalysisResult that matches the analysis query, or |
| # empty if no result is found. |
| { # IAM Policy analysis result, consisting of one IAM policy binding and derived |
| # access control lists. |
| "iamBinding": { # Associates `members` with a `role`. # The Cloud IAM policy binding under analysis. |
| "members": [ # Specifies the identities requesting access for a Cloud Platform resource. |
| # `members` can have the following values: |
| # |
| # * `allUsers`: A special identifier that represents anyone who is |
| # on the internet; with or without a Google account. |
| # |
| # * `allAuthenticatedUsers`: A special identifier that represents anyone |
| # who is authenticated with a Google account or a service account. |
| # |
| # * `user:{emailid}`: An email address that represents a specific Google |
| # account. For example, `alice@example.com` . |
| # |
| # |
| # * `serviceAccount:{emailid}`: An email address that represents a service |
| # account. For example, `my-other-app@appspot.gserviceaccount.com`. |
| # |
| # * `group:{emailid}`: An email address that represents a Google group. |
| # For example, `admins@example.com`. |
| # |
| # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique |
| # identifier) representing a user that has been recently deleted. For |
| # example, `alice@example.com?uid=123456789012345678901`. If the user is |
| # recovered, this value reverts to `user:{emailid}` and the recovered user |
| # retains the role in the binding. |
| # |
| # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus |
| # unique identifier) representing a service account that has been recently |
| # deleted. For example, |
| # `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. |
| # If the service account is undeleted, this value reverts to |
| # `serviceAccount:{emailid}` and the undeleted service account retains the |
| # role in the binding. |
| # |
| # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique |
| # identifier) representing a Google group that has been recently |
| # deleted. For example, `admins@example.com?uid=123456789012345678901`. If |
| # the group is recovered, this value reverts to `group:{emailid}` and the |
| # recovered group retains the role in the binding. |
| # |
| # |
| # * `domain:{domain}`: The G Suite domain (primary) that represents all the |
| # users of that domain. For example, `google.com` or `example.com`. |
| # |
| "A String", |
| ], |
| "role": "A String", # Role that is assigned to `members`. |
| # For example, `roles/viewer`, `roles/editor`, or `roles/owner`. |
| "condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding. |
| # |
| # If the condition evaluates to `true`, then this binding applies to the |
| # current request. |
| # |
| # If the condition evaluates to `false`, then this binding does not apply to |
| # the current request. However, a different role binding might grant the same |
| # role to one or more of the members in this binding. |
| # |
| # To learn which resources support conditions in their IAM policies, see the |
| # [IAM |
| # documentation](https://cloud.google.com/iam/help/conditions/resource-policies). |
| # syntax. CEL is a C-like expression language. The syntax and semantics of CEL |
| # are documented at https://github.com/google/cel-spec. |
| # |
| # Example (Comparison): |
| # |
| # title: "Summary size limit" |
| # description: "Determines if a summary is less than 100 chars" |
| # expression: "document.summary.size() < 100" |
| # |
| # Example (Equality): |
| # |
| # title: "Requestor is owner" |
| # description: "Determines if requestor is the document owner" |
| # expression: "document.owner == request.auth.claims.email" |
| # |
| # Example (Logic): |
| # |
| # title: "Public documents" |
| # description: "Determine whether the document should be publicly visible" |
| # expression: "document.type != 'private' && document.type != 'internal'" |
| # |
| # Example (Data Manipulation): |
| # |
| # title: "Notification string" |
| # description: "Create a notification string with a timestamp." |
| # expression: "'New message received at ' + string(document.create_time)" |
| # |
| # The exact variables and functions that may be referenced within an expression |
| # are determined by the service that evaluates it. See the service |
| # documentation for additional information. |
| "title": "A String", # Optional. Title for the expression, i.e. a short string describing |
| # its purpose. This can be used e.g. in UIs which allow to enter the |
| # expression. |
| "location": "A String", # Optional. String indicating the location of the expression for error |
| # reporting, e.g. a file name and a position in the file. |
| "description": "A String", # Optional. Description of the expression. This is a longer text which |
| # describes the expression, e.g. when hovered over it in a UI. |
| "expression": "A String", # Textual representation of an expression in Common Expression Language |
| # syntax. |
| }, |
| }, |
| "accessControlLists": [ # The access control lists derived from the iam_binding that match or |
| # potentially match resource and access selectors specified in the request. |
| { # An access control list, derived from the above IAM policy binding, which |
| # contains a set of resources and accesses. May include one |
| # item from each set to compose an access control entry. |
| # |
| # NOTICE that there could be multiple access control lists for one IAM policy |
| # binding. The access control lists are created based on resource and access |
| # combinations. |
| # |
| # For example, assume we have the following cases in one IAM policy binding: |
| # - Permission P1 and P2 apply to resource R1 and R2; |
| # - Permission P3 applies to resource R2 and R3; |
| # |
| # This will result in the following access control lists: |
| # - AccessControlList 1: [R1, R2], [P1, P2] |
| # - AccessControlList 2: [R2, R3], [P3] |
| "accesses": [ # The accesses that match one of the following conditions: |
| # - The access_selector, if it is specified in request; |
| # - Otherwise, access specifiers reachable from the policy binding's role. |
| { # A role or permission that appears in an access control list. |
| "permission": "A String", # The permission. |
| "analysisState": { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this access node. |
| # errors in the response. |
| "code": "A String", # The Google standard error code that best describes the state. |
| # For example: |
| # - OK means the node has been successfully explored; |
| # - PERMISSION_DENIED means an access denied error is encountered; |
| # - DEADLINE_EXCEEDED means the node hasn't been explored in time; |
| "cause": "A String", # The human-readable description of the cause of failure. |
| }, |
| "role": "A String", # The role. |
| }, |
| ], |
| "resourceEdges": [ # Resource edges of the graph starting from the policy attached |
| # resource to any descendant resources. The Edge.source_node contains |
| # the full resource name of a parent resource and Edge.target_node |
| # contains the full resource name of a child resource. This field is |
| # present only if the output_resource_edges option is enabled in request. |
| { # A directional edge. |
| "sourceNode": "A String", # The source node of the edge. |
| "targetNode": "A String", # The target node of the edge. |
| }, |
| ], |
| "resources": [ # The resources that match one of the following conditions: |
| # - The resource_selector, if it is specified in request; |
| # - Otherwise, resources reachable from the policy attached resource. |
| { # A GCP resource that appears in an access control list. |
| "fullResourceName": "A String", # The [full resource name](https://aip.dev/122#full-resource-names). |
| "analysisState": { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this resource node. |
| # errors in the response. |
| "code": "A String", # The Google standard error code that best describes the state. |
| # For example: |
| # - OK means the node has been successfully explored; |
| # - PERMISSION_DENIED means an access denied error is encountered; |
| # - DEADLINE_EXCEEDED means the node hasn't been explored in time; |
| "cause": "A String", # The human-readable description of the cause of failure. |
| }, |
| }, |
| ], |
| }, |
| ], |
| "fullyExplored": True or False, # Represents whether all nodes in the transitive closure of the |
| # iam_binding node have been explored. |
| "identityList": { # The identity list derived from members of the iam_binding that match or |
| # potentially match identity selector specified in the request. |
| "identities": [ # Only the identities that match one of the following conditions will be |
| # presented: |
| # - The identity_selector, if it is specified in request; |
| # - Otherwise, identities reachable from the policy binding's members. |
| { # An identity that appears in an access control list. |
| "analysisState": { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this identity node. |
| # errors in the response. |
| "code": "A String", # The Google standard error code that best describes the state. |
| # For example: |
| # - OK means the node has been successfully explored; |
| # - PERMISSION_DENIED means an access denied error is encountered; |
| # - DEADLINE_EXCEEDED means the node hasn't been explored in time; |
| "cause": "A String", # The human-readable description of the cause of failure. |
| }, |
| "name": "A String", # The identity name in any form of members appear in |
| # [IAM policy |
| # binding](https://cloud.google.com/iam/reference/rest/v1/Binding), such |
| # as: |
| # - user:foo@google.com |
| # - group:group1@google.com |
| # - serviceAccount:s1@prj1.iam.gserviceaccount.com |
| # - projectOwner:some_project_id |
| # - domain:google.com |
| # - allUsers |
| # - etc. |
| }, |
| ], |
| "groupEdges": [ # Group identity edges of the graph starting from the binding's |
| # group members to any node of the identities. The Edge.source_node |
| # contains a group, such as "group:parent@google.com". The |
| # Edge.target_node contains a member of the group, |
| # such as "group:child@google.com" or "user:foo@google.com". |
| # This field is present only if the output_group_edges option is enabled in |
| # request. |
| { # A directional edge. |
| "sourceNode": "A String", # The source node of the edge. |
| "targetNode": "A String", # The target node of the edge. |
| }, |
| ], |
| }, |
| "attachedResourceFullName": "A String", # The full name of the resource to which the iam_binding policy attaches. |
| }, |
| ], |
| }, |
| "serviceAccountImpersonationAnalysis": [ # The service account impersonation analysis if |
| # AnalyzeIamPolicyRequest.analyze_service_account_impersonation is |
| # enabled. |
| { # An analysis message to group the query and results. |
| "fullyExplored": True or False, # Represents whether all entries in the analysis_results have been |
| # fully explored to answer the query. |
| "analysisQuery": { # IAM policy analysis query message. # The analysis query. |
| "parent": "A String", # Required. The relative name of the root asset. Only resources and IAM policies within |
| # the parent will be analyzed. This can only be an organization number (such |
| # as "organizations/123") or a folder number (such as "folders/123"). |
| "resourceSelector": { # Specifies the resource to analyze for access policies, which may be set # Optional. Specifies a resource for analysis. Leaving it empty means ANY. |
| # directly on the resource, or on ancestors such as organizations, folders or |
| # projects. At least one of ResourceSelector, IdentitySelector or |
| # AccessSelector must be specified in a request. |
| "fullResourceName": "A String", # Required. The [full resource |
| # name](https://cloud.google.com/apis/design/resource_names#full_resource_name) |
| # . |
| }, |
| "accessSelector": { # Specifies roles and/or permissions to analyze, to determine both the # Optional. Specifies roles or permissions for analysis. Leaving it empty |
| # means ANY. |
| # identities possessing them and the resources they control. If multiple |
| # values are specified, results will include identities and resources |
| # matching any of them. |
| "roles": [ # Optional. The roles to appear in result. |
| "A String", |
| ], |
| "permissions": [ # Optional. The permissions to appear in result. |
| "A String", |
| ], |
| }, |
| "identitySelector": { # Specifies an identity for which to determine resource access, based on # Optional. Specifies an identity for analysis. Leaving it empty means ANY. |
| # roles assigned either directly to them or to the groups they belong to, |
| # directly or indirectly. |
| "identity": "A String", # Required. The identity appear in the form of members in |
| # [IAM policy |
| # binding](https://cloud.google.com/iam/reference/rest/v1/Binding). |
| }, |
| }, |
| "analysisResults": [ # A list of IamPolicyAnalysisResult that matches the analysis query, or |
| # empty if no result is found. |
| { # IAM Policy analysis result, consisting of one IAM policy binding and derived |
| # access control lists. |
| "iamBinding": { # Associates `members` with a `role`. # The Cloud IAM policy binding under analysis. |
| "members": [ # Specifies the identities requesting access for a Cloud Platform resource. |
| # `members` can have the following values: |
| # |
| # * `allUsers`: A special identifier that represents anyone who is |
| # on the internet; with or without a Google account. |
| # |
| # * `allAuthenticatedUsers`: A special identifier that represents anyone |
| # who is authenticated with a Google account or a service account. |
| # |
| # * `user:{emailid}`: An email address that represents a specific Google |
| # account. For example, `alice@example.com` . |
| # |
| # |
| # * `serviceAccount:{emailid}`: An email address that represents a service |
| # account. For example, `my-other-app@appspot.gserviceaccount.com`. |
| # |
| # * `group:{emailid}`: An email address that represents a Google group. |
| # For example, `admins@example.com`. |
| # |
| # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique |
| # identifier) representing a user that has been recently deleted. For |
| # example, `alice@example.com?uid=123456789012345678901`. If the user is |
| # recovered, this value reverts to `user:{emailid}` and the recovered user |
| # retains the role in the binding. |
| # |
| # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus |
| # unique identifier) representing a service account that has been recently |
| # deleted. For example, |
| # `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. |
| # If the service account is undeleted, this value reverts to |
| # `serviceAccount:{emailid}` and the undeleted service account retains the |
| # role in the binding. |
| # |
| # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique |
| # identifier) representing a Google group that has been recently |
| # deleted. For example, `admins@example.com?uid=123456789012345678901`. If |
| # the group is recovered, this value reverts to `group:{emailid}` and the |
| # recovered group retains the role in the binding. |
| # |
| # |
| # * `domain:{domain}`: The G Suite domain (primary) that represents all the |
| # users of that domain. For example, `google.com` or `example.com`. |
| # |
| "A String", |
| ], |
| "role": "A String", # Role that is assigned to `members`. |
| # For example, `roles/viewer`, `roles/editor`, or `roles/owner`. |
| "condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding. |
| # |
| # If the condition evaluates to `true`, then this binding applies to the |
| # current request. |
| # |
| # If the condition evaluates to `false`, then this binding does not apply to |
| # the current request. However, a different role binding might grant the same |
| # role to one or more of the members in this binding. |
| # |
| # To learn which resources support conditions in their IAM policies, see the |
| # [IAM |
| # documentation](https://cloud.google.com/iam/help/conditions/resource-policies). |
| # syntax. CEL is a C-like expression language. The syntax and semantics of CEL |
| # are documented at https://github.com/google/cel-spec. |
| # |
| # Example (Comparison): |
| # |
| # title: "Summary size limit" |
| # description: "Determines if a summary is less than 100 chars" |
| # expression: "document.summary.size() < 100" |
| # |
| # Example (Equality): |
| # |
| # title: "Requestor is owner" |
| # description: "Determines if requestor is the document owner" |
| # expression: "document.owner == request.auth.claims.email" |
| # |
| # Example (Logic): |
| # |
| # title: "Public documents" |
| # description: "Determine whether the document should be publicly visible" |
| # expression: "document.type != 'private' && document.type != 'internal'" |
| # |
| # Example (Data Manipulation): |
| # |
| # title: "Notification string" |
| # description: "Create a notification string with a timestamp." |
| # expression: "'New message received at ' + string(document.create_time)" |
| # |
| # The exact variables and functions that may be referenced within an expression |
| # are determined by the service that evaluates it. See the service |
| # documentation for additional information. |
| "title": "A String", # Optional. Title for the expression, i.e. a short string describing |
| # its purpose. This can be used e.g. in UIs which allow to enter the |
| # expression. |
| "location": "A String", # Optional. String indicating the location of the expression for error |
| # reporting, e.g. a file name and a position in the file. |
| "description": "A String", # Optional. Description of the expression. This is a longer text which |
| # describes the expression, e.g. when hovered over it in a UI. |
| "expression": "A String", # Textual representation of an expression in Common Expression Language |
| # syntax. |
| }, |
| }, |
| "accessControlLists": [ # The access control lists derived from the iam_binding that match or |
| # potentially match resource and access selectors specified in the request. |
| { # An access control list, derived from the above IAM policy binding, which |
| # contains a set of resources and accesses. May include one |
| # item from each set to compose an access control entry. |
| # |
| # NOTICE that there could be multiple access control lists for one IAM policy |
| # binding. The access control lists are created based on resource and access |
| # combinations. |
| # |
| # For example, assume we have the following cases in one IAM policy binding: |
| # - Permission P1 and P2 apply to resource R1 and R2; |
| # - Permission P3 applies to resource R2 and R3; |
| # |
| # This will result in the following access control lists: |
| # - AccessControlList 1: [R1, R2], [P1, P2] |
| # - AccessControlList 2: [R2, R3], [P3] |
| "accesses": [ # The accesses that match one of the following conditions: |
| # - The access_selector, if it is specified in request; |
| # - Otherwise, access specifiers reachable from the policy binding's role. |
| { # A role or permission that appears in an access control list. |
| "permission": "A String", # The permission. |
| "analysisState": { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this access node. |
| # errors in the response. |
| "code": "A String", # The Google standard error code that best describes the state. |
| # For example: |
| # - OK means the node has been successfully explored; |
| # - PERMISSION_DENIED means an access denied error is encountered; |
| # - DEADLINE_EXCEEDED means the node hasn't been explored in time; |
| "cause": "A String", # The human-readable description of the cause of failure. |
| }, |
| "role": "A String", # The role. |
| }, |
| ], |
| "resourceEdges": [ # Resource edges of the graph starting from the policy attached |
| # resource to any descendant resources. The Edge.source_node contains |
| # the full resource name of a parent resource and Edge.target_node |
| # contains the full resource name of a child resource. This field is |
| # present only if the output_resource_edges option is enabled in request. |
| { # A directional edge. |
| "sourceNode": "A String", # The source node of the edge. |
| "targetNode": "A String", # The target node of the edge. |
| }, |
| ], |
| "resources": [ # The resources that match one of the following conditions: |
| # - The resource_selector, if it is specified in request; |
| # - Otherwise, resources reachable from the policy attached resource. |
| { # A GCP resource that appears in an access control list. |
| "fullResourceName": "A String", # The [full resource name](https://aip.dev/122#full-resource-names). |
| "analysisState": { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this resource node. |
| # errors in the response. |
| "code": "A String", # The Google standard error code that best describes the state. |
| # For example: |
| # - OK means the node has been successfully explored; |
| # - PERMISSION_DENIED means an access denied error is encountered; |
| # - DEADLINE_EXCEEDED means the node hasn't been explored in time; |
| "cause": "A String", # The human-readable description of the cause of failure. |
| }, |
| }, |
| ], |
| }, |
| ], |
| "fullyExplored": True or False, # Represents whether all nodes in the transitive closure of the |
| # iam_binding node have been explored. |
| "identityList": { # The identity list derived from members of the iam_binding that match or |
| # potentially match identity selector specified in the request. |
| "identities": [ # Only the identities that match one of the following conditions will be |
| # presented: |
| # - The identity_selector, if it is specified in request; |
| # - Otherwise, identities reachable from the policy binding's members. |
| { # An identity that appears in an access control list. |
| "analysisState": { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this identity node. |
| # errors in the response. |
| "code": "A String", # The Google standard error code that best describes the state. |
| # For example: |
| # - OK means the node has been successfully explored; |
| # - PERMISSION_DENIED means an access denied error is encountered; |
| # - DEADLINE_EXCEEDED means the node hasn't been explored in time; |
| "cause": "A String", # The human-readable description of the cause of failure. |
| }, |
| "name": "A String", # The identity name in any form of members appear in |
| # [IAM policy |
| # binding](https://cloud.google.com/iam/reference/rest/v1/Binding), such |
| # as: |
| # - user:foo@google.com |
| # - group:group1@google.com |
| # - serviceAccount:s1@prj1.iam.gserviceaccount.com |
| # - projectOwner:some_project_id |
| # - domain:google.com |
| # - allUsers |
| # - etc. |
| }, |
| ], |
| "groupEdges": [ # Group identity edges of the graph starting from the binding's |
| # group members to any node of the identities. The Edge.source_node |
| # contains a group, such as "group:parent@google.com". The |
| # Edge.target_node contains a member of the group, |
| # such as "group:child@google.com" or "user:foo@google.com". |
| # This field is present only if the output_group_edges option is enabled in |
| # request. |
| { # A directional edge. |
| "sourceNode": "A String", # The source node of the edge. |
| "targetNode": "A String", # The target node of the edge. |
| }, |
| ], |
| }, |
| "attachedResourceFullName": "A String", # The full name of the resource to which the iam_binding policy attaches. |
| }, |
| ], |
| }, |
| ], |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="exportIamPolicyAnalysis">exportIamPolicyAnalysis(parent, body=None, x__xgafv=None)</code> |
| <pre>Exports IAM policy analysis based on the specified request. This API |
| implements the google.longrunning.Operation API allowing you to keep |
| track of the export. The metadata contains the request to help callers to |
| map responses to requests. |
| |
| Args: |
| parent: string, Required. The relative name of the root asset. Only resources and IAM policies within |
| the parent will be analyzed. This can only be an organization number (such |
| as "organizations/123") or a folder number (such as "folders/123"). (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { # A request message for AssetService.ExportIamPolicyAnalysis. |
| "options": { # Contains request options. # Optional. The request options. |
| "analyzeServiceAccountImpersonation": True or False, # Optional. If true, the response will include access analysis from identities to |
| # resources via service account impersonation. This is a very expensive |
| # operation, because many derived queries will be executed. |
| # |
| # For example, if the request analyzes for which resources user A has |
| # permission P, and there's an IAM policy states user A has |
| # iam.serviceAccounts.getAccessToken permission to a service account SA, |
| # and there's another IAM policy states service account SA has permission P |
| # to a GCP folder F, then user A potentially has access to the GCP folder |
| # F. And those advanced analysis results will be included in |
| # AnalyzeIamPolicyResponse.service_account_impersonation_analysis. |
| # |
| # Another example, if the request analyzes for who has |
| # permission P to a GCP folder F, and there's an IAM policy states user A |
| # has iam.serviceAccounts.actAs permission to a service account SA, and |
| # there's another IAM policy states service account SA has permission P to |
| # the GCP folder F, then user A potentially has access to the GCP folder |
| # F. And those advanced analysis results will be included in |
| # AnalyzeIamPolicyResponse.service_account_impersonation_analysis. |
| # |
| # Default is false. |
| "expandResources": True or False, # Optional. If true, the resource section of the result will expand any |
| # resource attached to an IAM policy to include resources lower in the |
| # resource hierarchy. |
| # |
| # For example, if the request analyzes for which resources user A has |
| # permission P, and the results include an IAM policy with P on a GCP |
| # folder, the results will also include resources in that folder with |
| # permission P. |
| # |
| # If resource_selector is specified, the resource section of the result |
| # will be determined by the selector, and this flag will have no effect. |
| # Default is false. |
| "outputGroupEdges": True or False, # Optional. If true, the result will output group identity edges, starting |
| # from the binding's group members, to any expanded identities. |
| # Default is false. |
| "outputResourceEdges": True or False, # Optional. If true, the result will output resource edges, starting |
| # from the policy attached resource, to any expanded resources. |
| # Default is false. |
| "expandRoles": True or False, # Optional. If true, the access section of result will expand any roles |
| # appearing in IAM policy bindings to include their permissions. |
| # |
| # If access_selector is specified, the access section of the result |
| # will be determined by the selector, and this flag will have no effect. |
| # |
| # Default is false. |
| "expandGroups": True or False, # Optional. If true, the identities section of the result will expand any |
| # Google groups appearing in an IAM policy binding. |
| # |
| # If identity_selector is specified, the identity in the result will |
| # be determined by the selector, and this flag will have no effect. |
| # |
| # Default is false. |
| }, |
| "outputConfig": { # Output configuration for export IAM policy analysis destination. # Required. Output configuration indicating where the results will be output to. |
| "gcsDestination": { # A Cloud Storage location. # Destination on Cloud Storage. |
| "uri": "A String", # Required. The uri of the Cloud Storage object. It's the same uri that is used by |
| # gsutil. For example: "gs://bucket_name/object_name". See [Viewing and |
| # Editing Object |
| # Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata) |
| # for more information. |
| }, |
| }, |
| "analysisQuery": { # IAM policy analysis query message. # Required. The request query. |
| "parent": "A String", # Required. The relative name of the root asset. Only resources and IAM policies within |
| # the parent will be analyzed. This can only be an organization number (such |
| # as "organizations/123") or a folder number (such as "folders/123"). |
| "resourceSelector": { # Specifies the resource to analyze for access policies, which may be set # Optional. Specifies a resource for analysis. Leaving it empty means ANY. |
| # directly on the resource, or on ancestors such as organizations, folders or |
| # projects. At least one of ResourceSelector, IdentitySelector or |
| # AccessSelector must be specified in a request. |
| "fullResourceName": "A String", # Required. The [full resource |
| # name](https://cloud.google.com/apis/design/resource_names#full_resource_name) |
| # . |
| }, |
| "accessSelector": { # Specifies roles and/or permissions to analyze, to determine both the # Optional. Specifies roles or permissions for analysis. Leaving it empty |
| # means ANY. |
| # identities possessing them and the resources they control. If multiple |
| # values are specified, results will include identities and resources |
| # matching any of them. |
| "roles": [ # Optional. The roles to appear in result. |
| "A String", |
| ], |
| "permissions": [ # Optional. The permissions to appear in result. |
| "A String", |
| ], |
| }, |
| "identitySelector": { # Specifies an identity for which to determine resource access, based on # Optional. Specifies an identity for analysis. Leaving it empty means ANY. |
| # roles assigned either directly to them or to the groups they belong to, |
| # directly or indirectly. |
| "identity": "A String", # Required. The identity appear in the form of members in |
| # [IAM policy |
| # binding](https://cloud.google.com/iam/reference/rest/v1/Binding). |
| }, |
| }, |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # This resource represents a long-running operation that is the result of a |
| # network API call. |
| "name": "A String", # The server-assigned name, which is only unique within the same service that |
| # originally returns it. If you use the default HTTP mapping, the |
| # `name` should be a resource name ending with `operations/{unique_id}`. |
| "error": { # The `Status` type defines a logical error model that is suitable for # The error result of the operation in case of failure or cancellation. |
| # different programming environments, including REST APIs and RPC APIs. It is |
| # used by [gRPC](https://github.com/grpc). Each `Status` message contains |
| # three pieces of data: error code, error message, and error details. |
| # |
| # You can find out more about this error model and how to work with it in the |
| # [API Design Guide](https://cloud.google.com/apis/design/errors). |
| "message": "A String", # A developer-facing error message, which should be in English. Any |
| # user-facing error message should be localized and sent in the |
| # google.rpc.Status.details field, or localized by the client. |
| "details": [ # A list of messages that carry the error details. There is a common set of |
| # message types for APIs to use. |
| { |
| "a_key": "", # Properties of the object. Contains field @type with type URL. |
| }, |
| ], |
| "code": 42, # The status code, which should be an enum value of google.rpc.Code. |
| }, |
| "metadata": { # Service-specific metadata associated with the operation. It typically |
| # contains progress information and common metadata such as create time. |
| # Some services might not provide such metadata. Any method that returns a |
| # long-running operation should document the metadata type, if any. |
| "a_key": "", # Properties of the object. Contains field @type with type URL. |
| }, |
| "done": True or False, # If the value is `false`, it means the operation is still in progress. |
| # If `true`, the operation is completed, and either `error` or `response` is |
| # available. |
| "response": { # The normal response of the operation in case of success. If the original |
| # method returns no data on success, such as `Delete`, the response is |
| # `google.protobuf.Empty`. If the original method is standard |
| # `Get`/`Create`/`Update`, the response should be the resource. For other |
| # methods, the response should have the type `XxxResponse`, where `Xxx` |
| # is the original method name. For example, if the original method name |
| # is `TakeSnapshot()`, the inferred response type is |
| # `TakeSnapshotResponse`. |
| "a_key": "", # Properties of the object. Contains field @type with type URL. |
| }, |
| }</pre> |
| </div> |
| |
| </body></html> |