Regen docs (#373)
diff --git a/docs/dyn/cloudresourcemanager_v1.projects.html b/docs/dyn/cloudresourcemanager_v1.projects.html
index a01bda5..661a574 100644
--- a/docs/dyn/cloudresourcemanager_v1.projects.html
+++ b/docs/dyn/cloudresourcemanager_v1.projects.html
@@ -75,6 +75,12 @@
<h1><a href="cloudresourcemanager_v1.html">Google Cloud Resource Manager API</a> . <a href="cloudresourcemanager_v1.projects.html">projects</a></h1>
<h2>Instance Methods</h2>
<p class="toc_element">
+ <code><a href="#clearOrgPolicy">clearOrgPolicy(resource, body, x__xgafv=None)</a></code></p>
+<p class="firstline">Clears a `Policy` from a resource.</p>
+<p class="toc_element">
+ <code><a href="#clearOrgPolicyV1">clearOrgPolicyV1(resource, body, x__xgafv=None)</a></code></p>
+<p class="firstline">Clears a `Policy` from a resource.</p>
+<p class="toc_element">
<code><a href="#create">create(body, x__xgafv=None)</a></code></p>
<p class="firstline">Request that a new Project be created. The result is an Operation which</p>
<p class="toc_element">
@@ -87,18 +93,48 @@
<code><a href="#getAncestry">getAncestry(projectId=None, body, x__xgafv=None)</a></code></p>
<p class="firstline">Gets a list of ancestors in the resource hierarchy for the Project</p>
<p class="toc_element">
+ <code><a href="#getEffectiveOrgPolicy">getEffectiveOrgPolicy(resource, body, x__xgafv=None)</a></code></p>
+<p class="firstline">Gets the effective `Policy` on a resource. This is the result of merging</p>
+<p class="toc_element">
+ <code><a href="#getEffectiveOrgPolicyV1">getEffectiveOrgPolicyV1(resource, body, x__xgafv=None)</a></code></p>
+<p class="firstline">Gets the effective `Policy` on a resource. This is the result of merging</p>
+<p class="toc_element">
<code><a href="#getIamPolicy">getIamPolicy(resource=None, body, x__xgafv=None)</a></code></p>
<p class="firstline">Returns the IAM access control policy for the specified Project.</p>
<p class="toc_element">
+ <code><a href="#getOrgPolicy">getOrgPolicy(resource, body, x__xgafv=None)</a></code></p>
+<p class="firstline">Gets a `Policy` on a resource.</p>
+<p class="toc_element">
+ <code><a href="#getOrgPolicyV1">getOrgPolicyV1(resource, body, x__xgafv=None)</a></code></p>
+<p class="firstline">Gets a `Policy` on a resource.</p>
+<p class="toc_element">
<code><a href="#list">list(pageSize=None, filter=None, pageToken=None, x__xgafv=None)</a></code></p>
<p class="firstline">Lists Projects that are visible to the user and satisfy the</p>
<p class="toc_element">
+ <code><a href="#listAvailableOrgPolicyConstraints">listAvailableOrgPolicyConstraints(resource, body, x__xgafv=None)</a></code></p>
+<p class="firstline">Lists `Constraints` that could be applied on the specified resource.</p>
+<p class="toc_element">
+ <code><a href="#listAvailableOrgPolicyConstraints_next">listAvailableOrgPolicyConstraints_next(previous_request, previous_response)</a></code></p>
+<p class="firstline">Retrieves the next page of results.</p>
+<p class="toc_element">
+ <code><a href="#listOrgPolicies">listOrgPolicies(resource, body, x__xgafv=None)</a></code></p>
+<p class="firstline">Lists all the `Policies` set for a particular resource.</p>
+<p class="toc_element">
+ <code><a href="#listOrgPolicies_next">listOrgPolicies_next(previous_request, previous_response)</a></code></p>
+<p class="firstline">Retrieves the next page of results.</p>
+<p class="toc_element">
<code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>
<p class="firstline">Retrieves the next page of results.</p>
<p class="toc_element">
<code><a href="#setIamPolicy">setIamPolicy(resource=None, body, x__xgafv=None)</a></code></p>
<p class="firstline">Sets the IAM access control policy for the specified Project. Replaces</p>
<p class="toc_element">
+ <code><a href="#setOrgPolicy">setOrgPolicy(resource, body, x__xgafv=None)</a></code></p>
+<p class="firstline">Updates the specified `Policy` on the resource. Creates a new `Policy` for</p>
+<p class="toc_element">
+ <code><a href="#setOrgPolicyV1">setOrgPolicyV1(resource, body, x__xgafv=None)</a></code></p>
+<p class="firstline">Updates the specified `Policy` on the resource. Creates a new `Policy` for</p>
+<p class="toc_element">
<code><a href="#testIamPermissions">testIamPermissions(resource=None, body, x__xgafv=None)</a></code></p>
<p class="firstline">Returns permissions that a caller has on the specified Project.</p>
<p class="toc_element">
@@ -109,6 +145,76 @@
<p class="firstline">Updates the attributes of the Project identified by the specified</p>
<h3>Method Details</h3>
<div class="method">
+ <code class="details" id="clearOrgPolicy">clearOrgPolicy(resource, body, x__xgafv=None)</code>
+ <pre>Clears a `Policy` from a resource.
+
+Args:
+ resource: string, Name of the resource for the `Policy` to clear. (required)
+ body: object, The request body. (required)
+ The object takes the form of:
+
+{ # The request sent to the ClearOrgPolicy method.
+ "etag": "A String", # The current version, for concurrency control. Not sending an `etag`
+ # will cause the `Policy` to be cleared blindly.
+ "constraint": "A String", # Name of the `Constraint` of the `Policy` to clear.
+ }
+
+ x__xgafv: string, V1 error format.
+ Allowed values
+ 1 - v1 error format
+ 2 - v2 error format
+
+Returns:
+ An object of the form:
+
+ { # A generic empty message that you can re-use to avoid defining duplicated
+ # empty messages in your APIs. A typical example is to use it as the request
+ # or the response type of an API method. For instance:
+ #
+ # service Foo {
+ # rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
+ # }
+ #
+ # The JSON representation for `Empty` is empty JSON object `{}`.
+ }</pre>
+</div>
+
+<div class="method">
+ <code class="details" id="clearOrgPolicyV1">clearOrgPolicyV1(resource, body, x__xgafv=None)</code>
+ <pre>Clears a `Policy` from a resource.
+
+Args:
+ resource: string, Name of the resource for the `Policy` to clear. (required)
+ body: object, The request body. (required)
+ The object takes the form of:
+
+{ # The request sent to the ClearOrgPolicy method.
+ "etag": "A String", # The current version, for concurrency control. Not sending an `etag`
+ # will cause the `Policy` to be cleared blindly.
+ "constraint": "A String", # Name of the `Constraint` of the `Policy` to clear.
+ }
+
+ x__xgafv: string, V1 error format.
+ Allowed values
+ 1 - v1 error format
+ 2 - v2 error format
+
+Returns:
+ An object of the form:
+
+ { # A generic empty message that you can re-use to avoid defining duplicated
+ # empty messages in your APIs. A typical example is to use it as the request
+ # or the response type of an API method. For instance:
+ #
+ # service Foo {
+ # rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
+ # }
+ #
+ # The JSON representation for `Empty` is empty JSON object `{}`.
+ }</pre>
+</div>
+
+<div class="method">
<code class="details" id="create">create(body, x__xgafv=None)</code>
<pre>Request that a new Project be created. The result is an Operation which
can be used to track the creation process. It is automatically deleted
@@ -201,6 +307,22 @@
# long-running operation should document the metadata type, if any.
"a_key": "", # Properties of the object. Contains field @type with type URL.
},
+ "done": True or False, # If the value is `false`, it means the operation is still in progress.
+ # If true, the operation is completed, and either `error` or `response` is
+ # available.
+ "response": { # The normal response of the operation in case of success. If the original
+ # method returns no data on success, such as `Delete`, the response is
+ # `google.protobuf.Empty`. If the original method is standard
+ # `Get`/`Create`/`Update`, the response should be the resource. For other
+ # methods, the response should have the type `XxxResponse`, where `Xxx`
+ # is the original method name. For example, if the original method name
+ # is `TakeSnapshot()`, the inferred response type is
+ # `TakeSnapshotResponse`.
+ "a_key": "", # Properties of the object. Contains field @type with type URL.
+ },
+ "name": "A String", # The server-assigned name, which is only unique within the same service that
+ # originally returns it. If you use the default HTTP mapping, the
+ # `name` should have the format of `operations/some/unique/name`.
"error": { # The `Status` type defines a logical error model that is suitable for different # The error result of the operation in case of failure or cancellation.
# programming environments, including REST APIs and RPC APIs. It is used by
# [gRPC](https://github.com/grpc). The error model is designed to be:
@@ -264,22 +386,6 @@
},
],
},
- "done": True or False, # If the value is `false`, it means the operation is still in progress.
- # If true, the operation is completed, and either `error` or `response` is
- # available.
- "response": { # The normal response of the operation in case of success. If the original
- # method returns no data on success, such as `Delete`, the response is
- # `google.protobuf.Empty`. If the original method is standard
- # `Get`/`Create`/`Update`, the response should be the resource. For other
- # methods, the response should have the type `XxxResponse`, where `Xxx`
- # is the original method name. For example, if the original method name
- # is `TakeSnapshot()`, the inferred response type is
- # `TakeSnapshotResponse`.
- "a_key": "", # Properties of the object. Contains field @type with type URL.
- },
- "name": "A String", # The server-assigned name, which is only unique within the same service that
- # originally returns it. If you use the default HTTP mapping, the
- # `name` should have the format of `operations/some/unique/name`.
}</pre>
</div>
@@ -463,6 +569,446 @@
</div>
<div class="method">
+ <code class="details" id="getEffectiveOrgPolicy">getEffectiveOrgPolicy(resource, body, x__xgafv=None)</code>
+ <pre>Gets the effective `Policy` on a resource. This is the result of merging
+`Policies` in the resource hierarchy. The returned `Policy` will not have
+an `etag`set because it is a computed `Policy` across multiple resources.
+
+Args:
+ resource: string, The name of the resource to start computing the effective `Policy`. (required)
+ body: object, The request body. (required)
+ The object takes the form of:
+
+{ # The request sent to the GetEffectiveOrgPolicy method.
+ "constraint": "A String", # The name of the `Constraint` to compute the effective `Policy`.
+ }
+
+ x__xgafv: string, V1 error format.
+ Allowed values
+ 1 - v1 error format
+ 2 - v2 error format
+
+Returns:
+ An object of the form:
+
+ { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
+ # for configurations of Cloud Platform resources.
+ "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
+ # server, not specified by the caller, and represents the last time a call to
+ # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
+ # be ignored.
+ "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
+ # `constraints/serviceuser.services`.
+ #
+ # Immutable after creation.
+ "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
+ # `Constraint` type.
+ # `constraint_default` enforcement behavior of the specific `Constraint` at
+ # this resource.
+ #
+ # Suppose that `constraint_default` is set to `ALLOW` for the
+ # `Constraint` `constraints/serviceuser.services`. Suppose that organization
+ # foo.com sets a `Policy` at their Organization resource node that restricts
+ # the allowed service activations to deny all service activations. They
+ # could then set a `Policy` with the `policy_type` `restore_default` on
+ # several experimental projects, restoring the `constraint_default`
+ # enforcement of the `Constraint` for only those projects, allowing those
+ # projects to have all services activated.
+ },
+ "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
+ # resource.
+ #
+ # A `ListPolicy` can define specific values that are allowed or denied by
+ # setting either the `allowed_values` or `denied_values` fields. It can also
+ # be used to allow or deny all values, by setting the `all_values` field. If
+ # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`
+ # or `denied_values` must be set (attempting to set both or neither will
+ # result in a failed request). If `all_values` is set to either `ALLOW` or
+ # `DENY`, `allowed_values` and `denied_values` must be unset.
+ "allValues": "A String", # The policy all_values state.
+ "deniedValues": [ # List of values denied at this resource. Can only be set if no values are
+ # set for `allowed_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
+ #
+ # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
+ # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
+ # set to `true`, then the values from the effective `Policy` of the parent
+ # resource are inherited, meaning the values set in this `Policy` are
+ # added to the values inherited up the hierarchy.
+ #
+ # Setting `Policy` hierarchies that inherit both allowed values and denied
+ # values isn't recommended in most circumstances to keep the configuration
+ # simple and understandable. However, it is possible to set a `Policy` with
+ # `allowed_values` set that inherits a `Policy` with `denied_values` set.
+ # In this case, the values that are allowed must be in `allowed_values` and
+ # not present in `denied_values`.
+ #
+ # For example, suppose you have a `Constraint`
+ # `constraints/serviceuser.services`, which has a `constraint_type` of
+ # `list_constraint`, and with `constraint_default` set to `ALLOW`.
+ # Suppose that at the Organization level, a `Policy` is applied that
+ # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
+ # `Policy` is applied to a project below the Organization that has
+ # `inherit_from_parent` set to `false` and field all_values set to DENY,
+ # then an attempt to activate any API will be denied.
+ #
+ # The following examples demonstrate different possible layerings:
+ #
+ # Example 1 (no inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # ``projects/bar`` has `inherit_from_parent` `false` and values:
+ # {allowed_values: "E3" allowed_values: "E4"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E3`, and `E4`.
+ #
+ # Example 2 (inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {value: “E3” value: ”E4” inherit_from_parent: true}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
+ #
+ # Example 3 (inheriting both allowed and denied values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: "E1" allowed_values: "E2"}
+ # `projects/bar` has a `Policy` with:
+ # {denied_values: "E1"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The value accepted at `projects/bar` is `E2`.
+ #
+ # Example 4 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {RestoreDefault: {}}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 5 (no policy inherits parent policy):
+ # `organizations/foo` has no `Policy` set.
+ # `projects/bar` has no `Policy` set.
+ # The accepted values at both levels are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 6 (ListConstraint allowing all):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: ALLOW}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # Any value is accepted at `projects/bar`.
+ #
+ # Example 7 (ListConstraint allowing none):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: DENY}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # No value is accepted at `projects/bar`.
+ "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
+ # that matches the value specified in this `Policy`. If `suggested_value`
+ # is not set, it will inherit the value specified higher in the hierarchy,
+ # unless `inherit_from_parent` is `false`.
+ "allowedValues": [ # List of values allowed at this resource. an only be set if no values are
+ # set for `denied_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ },
+ "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
+ # resource.
+ "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
+ # configuration is acceptable.
+ #
+ # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`
+ # with `constraint_default` set to `ALLOW`. A `Policy` for that
+ # `Constraint` exhibits the following behavior:
+ # - If the `Policy` at this resource has enforced set to `false`, serial
+ # port connection attempts will be allowed.
+ # - If the `Policy` at this resource has enforced set to `true`, serial
+ # port connection attempts will be refused.
+ # - If the `Policy` at this resource is `RestoreDefault`, serial port
+ # connection attempts will be allowed.
+ # - If no `Policy` is set at this resource or anywhere higher in the
+ # resource hierarchy, serial port connection attempts will be allowed.
+ # - If no `Policy` is set at this resource, but one exists higher in the
+ # resource hierarchy, the behavior is as if the`Policy` were set at
+ # this resource.
+ #
+ # The following examples demonstrate the different possible layerings:
+ #
+ # Example 1 (nearest `Constraint` wins):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has no `Policy` set.
+ # The constraint at `projects/bar` and `organizations/foo` will not be
+ # enforced.
+ #
+ # Example 2 (enforcement gets replaced):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has a `Policy` with:
+ # {enforced: true}
+ # The constraint at `organizations/foo` is not enforced.
+ # The constraint at `projects/bar` is enforced.
+ #
+ # Example 3 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: true}
+ # `projects/bar` has a `Policy` with:
+ # {RestoreDefault: {}}
+ # The constraint at `organizations/foo` is enforced.
+ # The constraint at `projects/bar` is not enforced, because
+ # `constraint_default` for the `Constraint` is `ALLOW`.
+ },
+ "version": 42, # Version of the `Policy`. Default version is 0;
+ "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
+ # concurrency control.
+ #
+ # When the `Policy` is returned from either a `GetPolicy` or a
+ # `ListOrgPolicy` request, this `etag` indicates the version of the current
+ # `Policy` to use when executing a read-modify-write loop.
+ #
+ # When the `Policy` is returned from a `GetEffectivePolicy` request, the
+ # `etag` will be unset.
+ #
+ # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
+ # that was returned from a `GetOrgPolicy` request as part of a
+ # read-modify-write loop for concurrency control. Not setting the `etag`in a
+ # `SetOrgPolicy` request will result in an unconditional write of the
+ # `Policy`.
+ }</pre>
+</div>
+
+<div class="method">
+ <code class="details" id="getEffectiveOrgPolicyV1">getEffectiveOrgPolicyV1(resource, body, x__xgafv=None)</code>
+ <pre>Gets the effective `Policy` on a resource. This is the result of merging
+`Policies` in the resource hierarchy. The returned `Policy` will not have
+an `etag`set because it is a computed `Policy` across multiple resources.
+
+Args:
+ resource: string, The name of the resource to start computing the effective `Policy`. (required)
+ body: object, The request body. (required)
+ The object takes the form of:
+
+{ # The request sent to the GetEffectiveOrgPolicy method.
+ "constraint": "A String", # The name of the `Constraint` to compute the effective `Policy`.
+ }
+
+ x__xgafv: string, V1 error format.
+ Allowed values
+ 1 - v1 error format
+ 2 - v2 error format
+
+Returns:
+ An object of the form:
+
+ { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
+ # for configurations of Cloud Platform resources.
+ "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
+ # server, not specified by the caller, and represents the last time a call to
+ # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
+ # be ignored.
+ "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
+ # `constraints/serviceuser.services`.
+ #
+ # Immutable after creation.
+ "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
+ # `Constraint` type.
+ # `constraint_default` enforcement behavior of the specific `Constraint` at
+ # this resource.
+ #
+ # Suppose that `constraint_default` is set to `ALLOW` for the
+ # `Constraint` `constraints/serviceuser.services`. Suppose that organization
+ # foo.com sets a `Policy` at their Organization resource node that restricts
+ # the allowed service activations to deny all service activations. They
+ # could then set a `Policy` with the `policy_type` `restore_default` on
+ # several experimental projects, restoring the `constraint_default`
+ # enforcement of the `Constraint` for only those projects, allowing those
+ # projects to have all services activated.
+ },
+ "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
+ # resource.
+ #
+ # A `ListPolicy` can define specific values that are allowed or denied by
+ # setting either the `allowed_values` or `denied_values` fields. It can also
+ # be used to allow or deny all values, by setting the `all_values` field. If
+ # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`
+ # or `denied_values` must be set (attempting to set both or neither will
+ # result in a failed request). If `all_values` is set to either `ALLOW` or
+ # `DENY`, `allowed_values` and `denied_values` must be unset.
+ "allValues": "A String", # The policy all_values state.
+ "deniedValues": [ # List of values denied at this resource. Can only be set if no values are
+ # set for `allowed_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
+ #
+ # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
+ # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
+ # set to `true`, then the values from the effective `Policy` of the parent
+ # resource are inherited, meaning the values set in this `Policy` are
+ # added to the values inherited up the hierarchy.
+ #
+ # Setting `Policy` hierarchies that inherit both allowed values and denied
+ # values isn't recommended in most circumstances to keep the configuration
+ # simple and understandable. However, it is possible to set a `Policy` with
+ # `allowed_values` set that inherits a `Policy` with `denied_values` set.
+ # In this case, the values that are allowed must be in `allowed_values` and
+ # not present in `denied_values`.
+ #
+ # For example, suppose you have a `Constraint`
+ # `constraints/serviceuser.services`, which has a `constraint_type` of
+ # `list_constraint`, and with `constraint_default` set to `ALLOW`.
+ # Suppose that at the Organization level, a `Policy` is applied that
+ # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
+ # `Policy` is applied to a project below the Organization that has
+ # `inherit_from_parent` set to `false` and field all_values set to DENY,
+ # then an attempt to activate any API will be denied.
+ #
+ # The following examples demonstrate different possible layerings:
+ #
+ # Example 1 (no inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # ``projects/bar`` has `inherit_from_parent` `false` and values:
+ # {allowed_values: "E3" allowed_values: "E4"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E3`, and `E4`.
+ #
+ # Example 2 (inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {value: “E3” value: ”E4” inherit_from_parent: true}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
+ #
+ # Example 3 (inheriting both allowed and denied values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: "E1" allowed_values: "E2"}
+ # `projects/bar` has a `Policy` with:
+ # {denied_values: "E1"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The value accepted at `projects/bar` is `E2`.
+ #
+ # Example 4 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {RestoreDefault: {}}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 5 (no policy inherits parent policy):
+ # `organizations/foo` has no `Policy` set.
+ # `projects/bar` has no `Policy` set.
+ # The accepted values at both levels are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 6 (ListConstraint allowing all):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: ALLOW}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # Any value is accepted at `projects/bar`.
+ #
+ # Example 7 (ListConstraint allowing none):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: DENY}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # No value is accepted at `projects/bar`.
+ "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
+ # that matches the value specified in this `Policy`. If `suggested_value`
+ # is not set, it will inherit the value specified higher in the hierarchy,
+ # unless `inherit_from_parent` is `false`.
+ "allowedValues": [ # List of values allowed at this resource. an only be set if no values are
+ # set for `denied_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ },
+ "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
+ # resource.
+ "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
+ # configuration is acceptable.
+ #
+ # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`
+ # with `constraint_default` set to `ALLOW`. A `Policy` for that
+ # `Constraint` exhibits the following behavior:
+ # - If the `Policy` at this resource has enforced set to `false`, serial
+ # port connection attempts will be allowed.
+ # - If the `Policy` at this resource has enforced set to `true`, serial
+ # port connection attempts will be refused.
+ # - If the `Policy` at this resource is `RestoreDefault`, serial port
+ # connection attempts will be allowed.
+ # - If no `Policy` is set at this resource or anywhere higher in the
+ # resource hierarchy, serial port connection attempts will be allowed.
+ # - If no `Policy` is set at this resource, but one exists higher in the
+ # resource hierarchy, the behavior is as if the`Policy` were set at
+ # this resource.
+ #
+ # The following examples demonstrate the different possible layerings:
+ #
+ # Example 1 (nearest `Constraint` wins):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has no `Policy` set.
+ # The constraint at `projects/bar` and `organizations/foo` will not be
+ # enforced.
+ #
+ # Example 2 (enforcement gets replaced):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has a `Policy` with:
+ # {enforced: true}
+ # The constraint at `organizations/foo` is not enforced.
+ # The constraint at `projects/bar` is enforced.
+ #
+ # Example 3 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: true}
+ # `projects/bar` has a `Policy` with:
+ # {RestoreDefault: {}}
+ # The constraint at `organizations/foo` is enforced.
+ # The constraint at `projects/bar` is not enforced, because
+ # `constraint_default` for the `Constraint` is `ALLOW`.
+ },
+ "version": 42, # Version of the `Policy`. Default version is 0;
+ "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
+ # concurrency control.
+ #
+ # When the `Policy` is returned from either a `GetPolicy` or a
+ # `ListOrgPolicy` request, this `etag` indicates the version of the current
+ # `Policy` to use when executing a read-modify-write loop.
+ #
+ # When the `Policy` is returned from a `GetEffectivePolicy` request, the
+ # `etag` will be unset.
+ #
+ # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
+ # that was returned from a `GetOrgPolicy` request as part of a
+ # read-modify-write loop for concurrency control. Not setting the `etag`in a
+ # `SetOrgPolicy` request will result in an unconditional write of the
+ # `Policy`.
+ }</pre>
+</div>
+
+<div class="method">
<code class="details" id="getIamPolicy">getIamPolicy(resource=None, body, x__xgafv=None)</code>
<pre>Returns the IAM access control policy for the specified Project.
Permission is denied if the policy or the resource does not exist.
@@ -517,8 +1063,8 @@
# [IAM developer's guide](https://cloud.google.com/iam).
"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
{ # Specifies the audit configuration for a service.
- # It consists of which permission types are logged, and what identities, if
- # any, are exempted from logging.
+ # The configuration determines which permission types are logged, and what
+ # identities, if any, are exempted from logging.
# An AuditConifg must have one or more AuditLogConfigs.
#
# If there are AuditConfigs for both `allServices` and a specific service,
@@ -594,7 +1140,7 @@
},
],
"service": "A String", # Specifies a service that will be enabled for audit logging.
- # For example, `resourcemanager`, `storage`, `compute`.
+ # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
# `allServices` is a special value that covers all services.
},
],
@@ -646,6 +1192,452 @@
</div>
<div class="method">
+ <code class="details" id="getOrgPolicy">getOrgPolicy(resource, body, x__xgafv=None)</code>
+ <pre>Gets a `Policy` on a resource.
+
+If no `Policy` is set on the resource, a `Policy` is returned with default
+values including `POLICY_TYPE_NOT_SET` for the `policy_type oneof`. The
+`etag` value can be used with `SetOrgPolicy()` to create or update a
+`Policy` during read-modify-write.
+
+Args:
+ resource: string, Name of the resource the `Policy` is set on. (required)
+ body: object, The request body. (required)
+ The object takes the form of:
+
+{ # The request sent to the GetOrgPolicy method.
+ "constraint": "A String", # Name of the `Constraint` to get the `Policy`.
+ }
+
+ x__xgafv: string, V1 error format.
+ Allowed values
+ 1 - v1 error format
+ 2 - v2 error format
+
+Returns:
+ An object of the form:
+
+ { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
+ # for configurations of Cloud Platform resources.
+ "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
+ # server, not specified by the caller, and represents the last time a call to
+ # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
+ # be ignored.
+ "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
+ # `constraints/serviceuser.services`.
+ #
+ # Immutable after creation.
+ "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
+ # `Constraint` type.
+ # `constraint_default` enforcement behavior of the specific `Constraint` at
+ # this resource.
+ #
+ # Suppose that `constraint_default` is set to `ALLOW` for the
+ # `Constraint` `constraints/serviceuser.services`. Suppose that organization
+ # foo.com sets a `Policy` at their Organization resource node that restricts
+ # the allowed service activations to deny all service activations. They
+ # could then set a `Policy` with the `policy_type` `restore_default` on
+ # several experimental projects, restoring the `constraint_default`
+ # enforcement of the `Constraint` for only those projects, allowing those
+ # projects to have all services activated.
+ },
+ "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
+ # resource.
+ #
+ # A `ListPolicy` can define specific values that are allowed or denied by
+ # setting either the `allowed_values` or `denied_values` fields. It can also
+ # be used to allow or deny all values, by setting the `all_values` field. If
+ # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`
+ # or `denied_values` must be set (attempting to set both or neither will
+ # result in a failed request). If `all_values` is set to either `ALLOW` or
+ # `DENY`, `allowed_values` and `denied_values` must be unset.
+ "allValues": "A String", # The policy all_values state.
+ "deniedValues": [ # List of values denied at this resource. Can only be set if no values are
+ # set for `allowed_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
+ #
+ # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
+ # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
+ # set to `true`, then the values from the effective `Policy` of the parent
+ # resource are inherited, meaning the values set in this `Policy` are
+ # added to the values inherited up the hierarchy.
+ #
+ # Setting `Policy` hierarchies that inherit both allowed values and denied
+ # values isn't recommended in most circumstances to keep the configuration
+ # simple and understandable. However, it is possible to set a `Policy` with
+ # `allowed_values` set that inherits a `Policy` with `denied_values` set.
+ # In this case, the values that are allowed must be in `allowed_values` and
+ # not present in `denied_values`.
+ #
+ # For example, suppose you have a `Constraint`
+ # `constraints/serviceuser.services`, which has a `constraint_type` of
+ # `list_constraint`, and with `constraint_default` set to `ALLOW`.
+ # Suppose that at the Organization level, a `Policy` is applied that
+ # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
+ # `Policy` is applied to a project below the Organization that has
+ # `inherit_from_parent` set to `false` and field all_values set to DENY,
+ # then an attempt to activate any API will be denied.
+ #
+ # The following examples demonstrate different possible layerings:
+ #
+ # Example 1 (no inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # ``projects/bar`` has `inherit_from_parent` `false` and values:
+ # {allowed_values: "E3" allowed_values: "E4"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E3`, and `E4`.
+ #
+ # Example 2 (inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {value: “E3” value: ”E4” inherit_from_parent: true}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
+ #
+ # Example 3 (inheriting both allowed and denied values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: "E1" allowed_values: "E2"}
+ # `projects/bar` has a `Policy` with:
+ # {denied_values: "E1"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The value accepted at `projects/bar` is `E2`.
+ #
+ # Example 4 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {RestoreDefault: {}}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 5 (no policy inherits parent policy):
+ # `organizations/foo` has no `Policy` set.
+ # `projects/bar` has no `Policy` set.
+ # The accepted values at both levels are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 6 (ListConstraint allowing all):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: ALLOW}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # Any value is accepted at `projects/bar`.
+ #
+ # Example 7 (ListConstraint allowing none):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: DENY}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # No value is accepted at `projects/bar`.
+ "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
+ # that matches the value specified in this `Policy`. If `suggested_value`
+ # is not set, it will inherit the value specified higher in the hierarchy,
+ # unless `inherit_from_parent` is `false`.
+ "allowedValues": [ # List of values allowed at this resource. an only be set if no values are
+ # set for `denied_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ },
+ "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
+ # resource.
+ "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
+ # configuration is acceptable.
+ #
+ # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`
+ # with `constraint_default` set to `ALLOW`. A `Policy` for that
+ # `Constraint` exhibits the following behavior:
+ # - If the `Policy` at this resource has enforced set to `false`, serial
+ # port connection attempts will be allowed.
+ # - If the `Policy` at this resource has enforced set to `true`, serial
+ # port connection attempts will be refused.
+ # - If the `Policy` at this resource is `RestoreDefault`, serial port
+ # connection attempts will be allowed.
+ # - If no `Policy` is set at this resource or anywhere higher in the
+ # resource hierarchy, serial port connection attempts will be allowed.
+ # - If no `Policy` is set at this resource, but one exists higher in the
+ # resource hierarchy, the behavior is as if the`Policy` were set at
+ # this resource.
+ #
+ # The following examples demonstrate the different possible layerings:
+ #
+ # Example 1 (nearest `Constraint` wins):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has no `Policy` set.
+ # The constraint at `projects/bar` and `organizations/foo` will not be
+ # enforced.
+ #
+ # Example 2 (enforcement gets replaced):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has a `Policy` with:
+ # {enforced: true}
+ # The constraint at `organizations/foo` is not enforced.
+ # The constraint at `projects/bar` is enforced.
+ #
+ # Example 3 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: true}
+ # `projects/bar` has a `Policy` with:
+ # {RestoreDefault: {}}
+ # The constraint at `organizations/foo` is enforced.
+ # The constraint at `projects/bar` is not enforced, because
+ # `constraint_default` for the `Constraint` is `ALLOW`.
+ },
+ "version": 42, # Version of the `Policy`. Default version is 0;
+ "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
+ # concurrency control.
+ #
+ # When the `Policy` is returned from either a `GetPolicy` or a
+ # `ListOrgPolicy` request, this `etag` indicates the version of the current
+ # `Policy` to use when executing a read-modify-write loop.
+ #
+ # When the `Policy` is returned from a `GetEffectivePolicy` request, the
+ # `etag` will be unset.
+ #
+ # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
+ # that was returned from a `GetOrgPolicy` request as part of a
+ # read-modify-write loop for concurrency control. Not setting the `etag`in a
+ # `SetOrgPolicy` request will result in an unconditional write of the
+ # `Policy`.
+ }</pre>
+</div>
+
+<div class="method">
+ <code class="details" id="getOrgPolicyV1">getOrgPolicyV1(resource, body, x__xgafv=None)</code>
+ <pre>Gets a `Policy` on a resource.
+
+If no `Policy` is set on the resource, a `Policy` is returned with default
+values including `POLICY_TYPE_NOT_SET` for the `policy_type oneof`. The
+`etag` value can be used with `SetOrgPolicy()` to create or update a
+`Policy` during read-modify-write.
+
+Args:
+ resource: string, Name of the resource the `Policy` is set on. (required)
+ body: object, The request body. (required)
+ The object takes the form of:
+
+{ # The request sent to the GetOrgPolicy method.
+ "constraint": "A String", # Name of the `Constraint` to get the `Policy`.
+ }
+
+ x__xgafv: string, V1 error format.
+ Allowed values
+ 1 - v1 error format
+ 2 - v2 error format
+
+Returns:
+ An object of the form:
+
+ { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
+ # for configurations of Cloud Platform resources.
+ "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
+ # server, not specified by the caller, and represents the last time a call to
+ # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
+ # be ignored.
+ "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
+ # `constraints/serviceuser.services`.
+ #
+ # Immutable after creation.
+ "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
+ # `Constraint` type.
+ # `constraint_default` enforcement behavior of the specific `Constraint` at
+ # this resource.
+ #
+ # Suppose that `constraint_default` is set to `ALLOW` for the
+ # `Constraint` `constraints/serviceuser.services`. Suppose that organization
+ # foo.com sets a `Policy` at their Organization resource node that restricts
+ # the allowed service activations to deny all service activations. They
+ # could then set a `Policy` with the `policy_type` `restore_default` on
+ # several experimental projects, restoring the `constraint_default`
+ # enforcement of the `Constraint` for only those projects, allowing those
+ # projects to have all services activated.
+ },
+ "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
+ # resource.
+ #
+ # A `ListPolicy` can define specific values that are allowed or denied by
+ # setting either the `allowed_values` or `denied_values` fields. It can also
+ # be used to allow or deny all values, by setting the `all_values` field. If
+ # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`
+ # or `denied_values` must be set (attempting to set both or neither will
+ # result in a failed request). If `all_values` is set to either `ALLOW` or
+ # `DENY`, `allowed_values` and `denied_values` must be unset.
+ "allValues": "A String", # The policy all_values state.
+ "deniedValues": [ # List of values denied at this resource. Can only be set if no values are
+ # set for `allowed_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
+ #
+ # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
+ # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
+ # set to `true`, then the values from the effective `Policy` of the parent
+ # resource are inherited, meaning the values set in this `Policy` are
+ # added to the values inherited up the hierarchy.
+ #
+ # Setting `Policy` hierarchies that inherit both allowed values and denied
+ # values isn't recommended in most circumstances to keep the configuration
+ # simple and understandable. However, it is possible to set a `Policy` with
+ # `allowed_values` set that inherits a `Policy` with `denied_values` set.
+ # In this case, the values that are allowed must be in `allowed_values` and
+ # not present in `denied_values`.
+ #
+ # For example, suppose you have a `Constraint`
+ # `constraints/serviceuser.services`, which has a `constraint_type` of
+ # `list_constraint`, and with `constraint_default` set to `ALLOW`.
+ # Suppose that at the Organization level, a `Policy` is applied that
+ # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
+ # `Policy` is applied to a project below the Organization that has
+ # `inherit_from_parent` set to `false` and field all_values set to DENY,
+ # then an attempt to activate any API will be denied.
+ #
+ # The following examples demonstrate different possible layerings:
+ #
+ # Example 1 (no inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # ``projects/bar`` has `inherit_from_parent` `false` and values:
+ # {allowed_values: "E3" allowed_values: "E4"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E3`, and `E4`.
+ #
+ # Example 2 (inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {value: “E3” value: ”E4” inherit_from_parent: true}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
+ #
+ # Example 3 (inheriting both allowed and denied values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: "E1" allowed_values: "E2"}
+ # `projects/bar` has a `Policy` with:
+ # {denied_values: "E1"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The value accepted at `projects/bar` is `E2`.
+ #
+ # Example 4 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {RestoreDefault: {}}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 5 (no policy inherits parent policy):
+ # `organizations/foo` has no `Policy` set.
+ # `projects/bar` has no `Policy` set.
+ # The accepted values at both levels are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 6 (ListConstraint allowing all):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: ALLOW}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # Any value is accepted at `projects/bar`.
+ #
+ # Example 7 (ListConstraint allowing none):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: DENY}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # No value is accepted at `projects/bar`.
+ "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
+ # that matches the value specified in this `Policy`. If `suggested_value`
+ # is not set, it will inherit the value specified higher in the hierarchy,
+ # unless `inherit_from_parent` is `false`.
+ "allowedValues": [ # List of values allowed at this resource. an only be set if no values are
+ # set for `denied_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ },
+ "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
+ # resource.
+ "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
+ # configuration is acceptable.
+ #
+ # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`
+ # with `constraint_default` set to `ALLOW`. A `Policy` for that
+ # `Constraint` exhibits the following behavior:
+ # - If the `Policy` at this resource has enforced set to `false`, serial
+ # port connection attempts will be allowed.
+ # - If the `Policy` at this resource has enforced set to `true`, serial
+ # port connection attempts will be refused.
+ # - If the `Policy` at this resource is `RestoreDefault`, serial port
+ # connection attempts will be allowed.
+ # - If no `Policy` is set at this resource or anywhere higher in the
+ # resource hierarchy, serial port connection attempts will be allowed.
+ # - If no `Policy` is set at this resource, but one exists higher in the
+ # resource hierarchy, the behavior is as if the`Policy` were set at
+ # this resource.
+ #
+ # The following examples demonstrate the different possible layerings:
+ #
+ # Example 1 (nearest `Constraint` wins):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has no `Policy` set.
+ # The constraint at `projects/bar` and `organizations/foo` will not be
+ # enforced.
+ #
+ # Example 2 (enforcement gets replaced):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has a `Policy` with:
+ # {enforced: true}
+ # The constraint at `organizations/foo` is not enforced.
+ # The constraint at `projects/bar` is enforced.
+ #
+ # Example 3 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: true}
+ # `projects/bar` has a `Policy` with:
+ # {RestoreDefault: {}}
+ # The constraint at `organizations/foo` is enforced.
+ # The constraint at `projects/bar` is not enforced, because
+ # `constraint_default` for the `Constraint` is `ALLOW`.
+ },
+ "version": 42, # Version of the `Policy`. Default version is 0;
+ "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
+ # concurrency control.
+ #
+ # When the `Policy` is returned from either a `GetPolicy` or a
+ # `ListOrgPolicy` request, this `etag` indicates the version of the current
+ # `Policy` to use when executing a read-modify-write loop.
+ #
+ # When the `Policy` is returned from a `GetEffectivePolicy` request, the
+ # `etag` will be unset.
+ #
+ # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
+ # that was returned from a `GetOrgPolicy` request as part of a
+ # read-modify-write loop for concurrency control. Not setting the `etag`in a
+ # `SetOrgPolicy` request will result in an unconditional write of the
+ # `Policy`.
+ }</pre>
+</div>
+
+<div class="method">
<code class="details" id="list">list(pageSize=None, filter=None, pageToken=None, x__xgafv=None)</code>
<pre>Lists Projects that are visible to the user and satisfy the
specified filter. This method returns Projects in an unspecified order.
@@ -674,7 +1666,7 @@
|NAME:howl|Equivalent to above.|
|labels.color:*|The project has the label `color`.|
|labels.color:red|The project's label `color` has the value `red`.|
-|labels.color:red label.size:big|The project's label `color` has the
+|labels.color:red labels.size:big|The project's label `color` has the
value `red` and its label `size` has the value `big`.
Optional.
@@ -776,6 +1768,337 @@
</div>
<div class="method">
+ <code class="details" id="listAvailableOrgPolicyConstraints">listAvailableOrgPolicyConstraints(resource, body, x__xgafv=None)</code>
+ <pre>Lists `Constraints` that could be applied on the specified resource.
+
+Args:
+ resource: string, Name of the resource to list `Constraints` for. (required)
+ body: object, The request body. (required)
+ The object takes the form of:
+
+{ # The request sent to the [ListAvailableOrgPolicyConstraints]
+ # google.cloud.OrgPolicy.v1.ListAvailableOrgPolicyConstraints] method.
+ "pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported
+ # and will be ignored. The server may at any point start using this field.
+ "pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will
+ # be ignored. The server may at any point start using this field to limit
+ # page size.
+ }
+
+ x__xgafv: string, V1 error format.
+ Allowed values
+ 1 - v1 error format
+ 2 - v2 error format
+
+Returns:
+ An object of the form:
+
+ { # The response returned from the ListAvailableOrgPolicyConstraints method.
+ # Returns all `Constraints` that could be set at this level of the hierarchy
+ # (contrast with the response from `ListPolicies`, which returns all policies
+ # which are set).
+ "nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used.
+ "constraints": [ # The collection of constraints that are settable on the request resource.
+ { # A `Constraint` describes a way in which a resource's configuration can be
+ # restricted. For example, it controls which cloud services can be activated
+ # across an organization, or whether a Compute Engine instance can have
+ # serial port connections established. `Constraints` can be configured by the
+ # organization's policy adminstrator to fit the needs of the organzation by
+ # setting Policies for `Constraints` at different locations in the
+ # organization's resource hierarchy. Policies are inherited down the resource
+ # hierarchy from higher levels, but can also be overridden. For details about
+ # the inheritance rules please read about
+ # Policies.
+ #
+ # `Constraints` have a default behavior determined by the `constraint_default`
+ # field, which is the enforcement behavior that is used in the absence of a
+ # `Policy` being defined or inherited for the resource in question.
+ "constraintDefault": "A String", # The evaluation behavior of this constraint in the absense of 'Policy'.
+ "displayName": "A String", # The human readable name.
+ #
+ # Mutable.
+ "name": "A String", # Immutable value, required to globally be unique. For example,
+ # `constraints/serviceuser.services`
+ "booleanConstraint": { # A `Constraint` that is either enforced or not. # Defines this constraint as being a BooleanConstraint.
+ #
+ # For example a constraint `constraints/compute.disableSerialPortAccess`.
+ # If it is enforced on a VM instance, serial port connections will not be
+ # opened to that instance.
+ },
+ "version": 42, # Version of the `Constraint`. Default version is 0;
+ "listConstraint": { # A `Constraint` that allows or disallows a list of string values, which are # Defines this constraint as being a ListConstraint.
+ # configured by an Organization's policy administrator with a `Policy`.
+ "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
+ # that matches the value specified in this `Constraint`.
+ },
+ "description": "A String", # Detailed description of what this `Constraint` controls as well as how and
+ # where it is enforced.
+ #
+ # Mutable.
+ },
+ ],
+ }</pre>
+</div>
+
+<div class="method">
+ <code class="details" id="listAvailableOrgPolicyConstraints_next">listAvailableOrgPolicyConstraints_next(previous_request, previous_response)</code>
+ <pre>Retrieves the next page of results.
+
+Args:
+ previous_request: The request for the previous page. (required)
+ previous_response: The response from the request for the previous page. (required)
+
+Returns:
+ A request object that you can call 'execute()' on to request the next
+ page. Returns None if there are no more items in the collection.
+ </pre>
+</div>
+
+<div class="method">
+ <code class="details" id="listOrgPolicies">listOrgPolicies(resource, body, x__xgafv=None)</code>
+ <pre>Lists all the `Policies` set for a particular resource.
+
+Args:
+ resource: string, Name of the resource to list Policies for. (required)
+ body: object, The request body. (required)
+ The object takes the form of:
+
+{ # The request sent to the ListOrgPolicies method.
+ "pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported
+ # and will be ignored. The server may at any point start using this field.
+ "pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will
+ # be ignored. The server may at any point start using this field to limit
+ # page size.
+ }
+
+ x__xgafv: string, V1 error format.
+ Allowed values
+ 1 - v1 error format
+ 2 - v2 error format
+
+Returns:
+ An object of the form:
+
+ { # The response returned from the ListOrgPolicies method. It will be empty
+ # if no `Policies` are set on the resource.
+ "nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used, but
+ # the server may at any point start supplying a valid token.
+ "policies": [ # The `Policies` that are set on the resource. It will be empty if no
+ # `Policies` are set.
+ { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
+ # for configurations of Cloud Platform resources.
+ "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
+ # server, not specified by the caller, and represents the last time a call to
+ # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
+ # be ignored.
+ "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
+ # `constraints/serviceuser.services`.
+ #
+ # Immutable after creation.
+ "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
+ # `Constraint` type.
+ # `constraint_default` enforcement behavior of the specific `Constraint` at
+ # this resource.
+ #
+ # Suppose that `constraint_default` is set to `ALLOW` for the
+ # `Constraint` `constraints/serviceuser.services`. Suppose that organization
+ # foo.com sets a `Policy` at their Organization resource node that restricts
+ # the allowed service activations to deny all service activations. They
+ # could then set a `Policy` with the `policy_type` `restore_default` on
+ # several experimental projects, restoring the `constraint_default`
+ # enforcement of the `Constraint` for only those projects, allowing those
+ # projects to have all services activated.
+ },
+ "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
+ # resource.
+ #
+ # A `ListPolicy` can define specific values that are allowed or denied by
+ # setting either the `allowed_values` or `denied_values` fields. It can also
+ # be used to allow or deny all values, by setting the `all_values` field. If
+ # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`
+ # or `denied_values` must be set (attempting to set both or neither will
+ # result in a failed request). If `all_values` is set to either `ALLOW` or
+ # `DENY`, `allowed_values` and `denied_values` must be unset.
+ "allValues": "A String", # The policy all_values state.
+ "deniedValues": [ # List of values denied at this resource. Can only be set if no values are
+ # set for `allowed_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
+ #
+ # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
+ # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
+ # set to `true`, then the values from the effective `Policy` of the parent
+ # resource are inherited, meaning the values set in this `Policy` are
+ # added to the values inherited up the hierarchy.
+ #
+ # Setting `Policy` hierarchies that inherit both allowed values and denied
+ # values isn't recommended in most circumstances to keep the configuration
+ # simple and understandable. However, it is possible to set a `Policy` with
+ # `allowed_values` set that inherits a `Policy` with `denied_values` set.
+ # In this case, the values that are allowed must be in `allowed_values` and
+ # not present in `denied_values`.
+ #
+ # For example, suppose you have a `Constraint`
+ # `constraints/serviceuser.services`, which has a `constraint_type` of
+ # `list_constraint`, and with `constraint_default` set to `ALLOW`.
+ # Suppose that at the Organization level, a `Policy` is applied that
+ # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
+ # `Policy` is applied to a project below the Organization that has
+ # `inherit_from_parent` set to `false` and field all_values set to DENY,
+ # then an attempt to activate any API will be denied.
+ #
+ # The following examples demonstrate different possible layerings:
+ #
+ # Example 1 (no inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # ``projects/bar`` has `inherit_from_parent` `false` and values:
+ # {allowed_values: "E3" allowed_values: "E4"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E3`, and `E4`.
+ #
+ # Example 2 (inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {value: “E3” value: ”E4” inherit_from_parent: true}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
+ #
+ # Example 3 (inheriting both allowed and denied values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: "E1" allowed_values: "E2"}
+ # `projects/bar` has a `Policy` with:
+ # {denied_values: "E1"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The value accepted at `projects/bar` is `E2`.
+ #
+ # Example 4 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {RestoreDefault: {}}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 5 (no policy inherits parent policy):
+ # `organizations/foo` has no `Policy` set.
+ # `projects/bar` has no `Policy` set.
+ # The accepted values at both levels are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 6 (ListConstraint allowing all):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: ALLOW}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # Any value is accepted at `projects/bar`.
+ #
+ # Example 7 (ListConstraint allowing none):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: DENY}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # No value is accepted at `projects/bar`.
+ "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
+ # that matches the value specified in this `Policy`. If `suggested_value`
+ # is not set, it will inherit the value specified higher in the hierarchy,
+ # unless `inherit_from_parent` is `false`.
+ "allowedValues": [ # List of values allowed at this resource. an only be set if no values are
+ # set for `denied_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ },
+ "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
+ # resource.
+ "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
+ # configuration is acceptable.
+ #
+ # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`
+ # with `constraint_default` set to `ALLOW`. A `Policy` for that
+ # `Constraint` exhibits the following behavior:
+ # - If the `Policy` at this resource has enforced set to `false`, serial
+ # port connection attempts will be allowed.
+ # - If the `Policy` at this resource has enforced set to `true`, serial
+ # port connection attempts will be refused.
+ # - If the `Policy` at this resource is `RestoreDefault`, serial port
+ # connection attempts will be allowed.
+ # - If no `Policy` is set at this resource or anywhere higher in the
+ # resource hierarchy, serial port connection attempts will be allowed.
+ # - If no `Policy` is set at this resource, but one exists higher in the
+ # resource hierarchy, the behavior is as if the`Policy` were set at
+ # this resource.
+ #
+ # The following examples demonstrate the different possible layerings:
+ #
+ # Example 1 (nearest `Constraint` wins):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has no `Policy` set.
+ # The constraint at `projects/bar` and `organizations/foo` will not be
+ # enforced.
+ #
+ # Example 2 (enforcement gets replaced):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has a `Policy` with:
+ # {enforced: true}
+ # The constraint at `organizations/foo` is not enforced.
+ # The constraint at `projects/bar` is enforced.
+ #
+ # Example 3 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: true}
+ # `projects/bar` has a `Policy` with:
+ # {RestoreDefault: {}}
+ # The constraint at `organizations/foo` is enforced.
+ # The constraint at `projects/bar` is not enforced, because
+ # `constraint_default` for the `Constraint` is `ALLOW`.
+ },
+ "version": 42, # Version of the `Policy`. Default version is 0;
+ "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
+ # concurrency control.
+ #
+ # When the `Policy` is returned from either a `GetPolicy` or a
+ # `ListOrgPolicy` request, this `etag` indicates the version of the current
+ # `Policy` to use when executing a read-modify-write loop.
+ #
+ # When the `Policy` is returned from a `GetEffectivePolicy` request, the
+ # `etag` will be unset.
+ #
+ # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
+ # that was returned from a `GetOrgPolicy` request as part of a
+ # read-modify-write loop for concurrency control. Not setting the `etag`in a
+ # `SetOrgPolicy` request will result in an unconditional write of the
+ # `Policy`.
+ },
+ ],
+ }</pre>
+</div>
+
+<div class="method">
+ <code class="details" id="listOrgPolicies_next">listOrgPolicies_next(previous_request, previous_response)</code>
+ <pre>Retrieves the next page of results.
+
+Args:
+ previous_request: The request for the previous page. (required)
+ previous_response: The response from the request for the previous page. (required)
+
+Returns:
+ A request object that you can call 'execute()' on to request the next
+ page. Returns None if there are no more items in the collection.
+ </pre>
+</div>
+
+<div class="method">
<code class="details" id="list_next">list_next(previous_request, previous_response)</code>
<pre>Retrieves the next page of results.
@@ -818,7 +2141,7 @@
+ There must be at least one owner who has accepted the Terms of
Service (ToS) agreement in the policy. Calling `setIamPolicy()` to
-to remove the last ToS-accepted owner from the policy will fail. This
+remove the last ToS-accepted owner from the policy will fail. This
restriction also applies to legacy projects that no longer have owners
who have accepted the ToS. Edits to IAM policies will be rejected until
the lack of a ToS-accepting owner is rectified.
@@ -873,8 +2196,8 @@
# [IAM developer's guide](https://cloud.google.com/iam).
"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
{ # Specifies the audit configuration for a service.
- # It consists of which permission types are logged, and what identities, if
- # any, are exempted from logging.
+ # The configuration determines which permission types are logged, and what
+ # identities, if any, are exempted from logging.
# An AuditConifg must have one or more AuditLogConfigs.
#
# If there are AuditConfigs for both `allServices` and a specific service,
@@ -950,7 +2273,7 @@
},
],
"service": "A String", # Specifies a service that will be enabled for audit logging.
- # For example, `resourcemanager`, `storage`, `compute`.
+ # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
# `allServices` is a special value that covers all services.
},
],
@@ -1000,8 +2323,8 @@
"version": 42, # Version of the `Policy`. The default version is 0.
},
"updateMask": "A String", # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
- # the fields in the mask will be modified. If no mask is provided, a default
- # mask is used:
+ # the fields in the mask will be modified. If no mask is provided, the
+ # following default mask is used:
# paths: "bindings, etag"
# This field is only used by Cloud IAM.
}
@@ -1047,8 +2370,8 @@
# [IAM developer's guide](https://cloud.google.com/iam).
"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
{ # Specifies the audit configuration for a service.
- # It consists of which permission types are logged, and what identities, if
- # any, are exempted from logging.
+ # The configuration determines which permission types are logged, and what
+ # identities, if any, are exempted from logging.
# An AuditConifg must have one or more AuditLogConfigs.
#
# If there are AuditConfigs for both `allServices` and a specific service,
@@ -1124,7 +2447,7 @@
},
],
"service": "A String", # Specifies a service that will be enabled for audit logging.
- # For example, `resourcemanager`, `storage`, `compute`.
+ # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
# `allServices` is a special value that covers all services.
},
],
@@ -1176,6 +2499,838 @@
</div>
<div class="method">
+ <code class="details" id="setOrgPolicy">setOrgPolicy(resource, body, x__xgafv=None)</code>
+ <pre>Updates the specified `Policy` on the resource. Creates a new `Policy` for
+that `Constraint` on the resource if one does not exist.
+
+Not supplying an `etag` on the request `Policy` results in an unconditional
+write of the `Policy`.
+
+Args:
+ resource: string, Resource name of the resource to attach the `Policy`. (required)
+ body: object, The request body. (required)
+ The object takes the form of:
+
+{ # The request sent to the SetOrgPolicyRequest method.
+ "policy": { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` # `Policy` to set on the resource.
+ # for configurations of Cloud Platform resources.
+ "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
+ # server, not specified by the caller, and represents the last time a call to
+ # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
+ # be ignored.
+ "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
+ # `constraints/serviceuser.services`.
+ #
+ # Immutable after creation.
+ "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
+ # `Constraint` type.
+ # `constraint_default` enforcement behavior of the specific `Constraint` at
+ # this resource.
+ #
+ # Suppose that `constraint_default` is set to `ALLOW` for the
+ # `Constraint` `constraints/serviceuser.services`. Suppose that organization
+ # foo.com sets a `Policy` at their Organization resource node that restricts
+ # the allowed service activations to deny all service activations. They
+ # could then set a `Policy` with the `policy_type` `restore_default` on
+ # several experimental projects, restoring the `constraint_default`
+ # enforcement of the `Constraint` for only those projects, allowing those
+ # projects to have all services activated.
+ },
+ "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
+ # resource.
+ #
+ # A `ListPolicy` can define specific values that are allowed or denied by
+ # setting either the `allowed_values` or `denied_values` fields. It can also
+ # be used to allow or deny all values, by setting the `all_values` field. If
+ # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`
+ # or `denied_values` must be set (attempting to set both or neither will
+ # result in a failed request). If `all_values` is set to either `ALLOW` or
+ # `DENY`, `allowed_values` and `denied_values` must be unset.
+ "allValues": "A String", # The policy all_values state.
+ "deniedValues": [ # List of values denied at this resource. Can only be set if no values are
+ # set for `allowed_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
+ #
+ # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
+ # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
+ # set to `true`, then the values from the effective `Policy` of the parent
+ # resource are inherited, meaning the values set in this `Policy` are
+ # added to the values inherited up the hierarchy.
+ #
+ # Setting `Policy` hierarchies that inherit both allowed values and denied
+ # values isn't recommended in most circumstances to keep the configuration
+ # simple and understandable. However, it is possible to set a `Policy` with
+ # `allowed_values` set that inherits a `Policy` with `denied_values` set.
+ # In this case, the values that are allowed must be in `allowed_values` and
+ # not present in `denied_values`.
+ #
+ # For example, suppose you have a `Constraint`
+ # `constraints/serviceuser.services`, which has a `constraint_type` of
+ # `list_constraint`, and with `constraint_default` set to `ALLOW`.
+ # Suppose that at the Organization level, a `Policy` is applied that
+ # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
+ # `Policy` is applied to a project below the Organization that has
+ # `inherit_from_parent` set to `false` and field all_values set to DENY,
+ # then an attempt to activate any API will be denied.
+ #
+ # The following examples demonstrate different possible layerings:
+ #
+ # Example 1 (no inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # ``projects/bar`` has `inherit_from_parent` `false` and values:
+ # {allowed_values: "E3" allowed_values: "E4"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E3`, and `E4`.
+ #
+ # Example 2 (inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {value: “E3” value: ”E4” inherit_from_parent: true}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
+ #
+ # Example 3 (inheriting both allowed and denied values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: "E1" allowed_values: "E2"}
+ # `projects/bar` has a `Policy` with:
+ # {denied_values: "E1"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The value accepted at `projects/bar` is `E2`.
+ #
+ # Example 4 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {RestoreDefault: {}}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 5 (no policy inherits parent policy):
+ # `organizations/foo` has no `Policy` set.
+ # `projects/bar` has no `Policy` set.
+ # The accepted values at both levels are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 6 (ListConstraint allowing all):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: ALLOW}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # Any value is accepted at `projects/bar`.
+ #
+ # Example 7 (ListConstraint allowing none):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: DENY}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # No value is accepted at `projects/bar`.
+ "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
+ # that matches the value specified in this `Policy`. If `suggested_value`
+ # is not set, it will inherit the value specified higher in the hierarchy,
+ # unless `inherit_from_parent` is `false`.
+ "allowedValues": [ # List of values allowed at this resource. an only be set if no values are
+ # set for `denied_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ },
+ "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
+ # resource.
+ "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
+ # configuration is acceptable.
+ #
+ # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`
+ # with `constraint_default` set to `ALLOW`. A `Policy` for that
+ # `Constraint` exhibits the following behavior:
+ # - If the `Policy` at this resource has enforced set to `false`, serial
+ # port connection attempts will be allowed.
+ # - If the `Policy` at this resource has enforced set to `true`, serial
+ # port connection attempts will be refused.
+ # - If the `Policy` at this resource is `RestoreDefault`, serial port
+ # connection attempts will be allowed.
+ # - If no `Policy` is set at this resource or anywhere higher in the
+ # resource hierarchy, serial port connection attempts will be allowed.
+ # - If no `Policy` is set at this resource, but one exists higher in the
+ # resource hierarchy, the behavior is as if the`Policy` were set at
+ # this resource.
+ #
+ # The following examples demonstrate the different possible layerings:
+ #
+ # Example 1 (nearest `Constraint` wins):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has no `Policy` set.
+ # The constraint at `projects/bar` and `organizations/foo` will not be
+ # enforced.
+ #
+ # Example 2 (enforcement gets replaced):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has a `Policy` with:
+ # {enforced: true}
+ # The constraint at `organizations/foo` is not enforced.
+ # The constraint at `projects/bar` is enforced.
+ #
+ # Example 3 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: true}
+ # `projects/bar` has a `Policy` with:
+ # {RestoreDefault: {}}
+ # The constraint at `organizations/foo` is enforced.
+ # The constraint at `projects/bar` is not enforced, because
+ # `constraint_default` for the `Constraint` is `ALLOW`.
+ },
+ "version": 42, # Version of the `Policy`. Default version is 0;
+ "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
+ # concurrency control.
+ #
+ # When the `Policy` is returned from either a `GetPolicy` or a
+ # `ListOrgPolicy` request, this `etag` indicates the version of the current
+ # `Policy` to use when executing a read-modify-write loop.
+ #
+ # When the `Policy` is returned from a `GetEffectivePolicy` request, the
+ # `etag` will be unset.
+ #
+ # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
+ # that was returned from a `GetOrgPolicy` request as part of a
+ # read-modify-write loop for concurrency control. Not setting the `etag`in a
+ # `SetOrgPolicy` request will result in an unconditional write of the
+ # `Policy`.
+ },
+ }
+
+ x__xgafv: string, V1 error format.
+ Allowed values
+ 1 - v1 error format
+ 2 - v2 error format
+
+Returns:
+ An object of the form:
+
+ { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
+ # for configurations of Cloud Platform resources.
+ "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
+ # server, not specified by the caller, and represents the last time a call to
+ # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
+ # be ignored.
+ "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
+ # `constraints/serviceuser.services`.
+ #
+ # Immutable after creation.
+ "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
+ # `Constraint` type.
+ # `constraint_default` enforcement behavior of the specific `Constraint` at
+ # this resource.
+ #
+ # Suppose that `constraint_default` is set to `ALLOW` for the
+ # `Constraint` `constraints/serviceuser.services`. Suppose that organization
+ # foo.com sets a `Policy` at their Organization resource node that restricts
+ # the allowed service activations to deny all service activations. They
+ # could then set a `Policy` with the `policy_type` `restore_default` on
+ # several experimental projects, restoring the `constraint_default`
+ # enforcement of the `Constraint` for only those projects, allowing those
+ # projects to have all services activated.
+ },
+ "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
+ # resource.
+ #
+ # A `ListPolicy` can define specific values that are allowed or denied by
+ # setting either the `allowed_values` or `denied_values` fields. It can also
+ # be used to allow or deny all values, by setting the `all_values` field. If
+ # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`
+ # or `denied_values` must be set (attempting to set both or neither will
+ # result in a failed request). If `all_values` is set to either `ALLOW` or
+ # `DENY`, `allowed_values` and `denied_values` must be unset.
+ "allValues": "A String", # The policy all_values state.
+ "deniedValues": [ # List of values denied at this resource. Can only be set if no values are
+ # set for `allowed_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
+ #
+ # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
+ # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
+ # set to `true`, then the values from the effective `Policy` of the parent
+ # resource are inherited, meaning the values set in this `Policy` are
+ # added to the values inherited up the hierarchy.
+ #
+ # Setting `Policy` hierarchies that inherit both allowed values and denied
+ # values isn't recommended in most circumstances to keep the configuration
+ # simple and understandable. However, it is possible to set a `Policy` with
+ # `allowed_values` set that inherits a `Policy` with `denied_values` set.
+ # In this case, the values that are allowed must be in `allowed_values` and
+ # not present in `denied_values`.
+ #
+ # For example, suppose you have a `Constraint`
+ # `constraints/serviceuser.services`, which has a `constraint_type` of
+ # `list_constraint`, and with `constraint_default` set to `ALLOW`.
+ # Suppose that at the Organization level, a `Policy` is applied that
+ # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
+ # `Policy` is applied to a project below the Organization that has
+ # `inherit_from_parent` set to `false` and field all_values set to DENY,
+ # then an attempt to activate any API will be denied.
+ #
+ # The following examples demonstrate different possible layerings:
+ #
+ # Example 1 (no inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # ``projects/bar`` has `inherit_from_parent` `false` and values:
+ # {allowed_values: "E3" allowed_values: "E4"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E3`, and `E4`.
+ #
+ # Example 2 (inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {value: “E3” value: ”E4” inherit_from_parent: true}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
+ #
+ # Example 3 (inheriting both allowed and denied values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: "E1" allowed_values: "E2"}
+ # `projects/bar` has a `Policy` with:
+ # {denied_values: "E1"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The value accepted at `projects/bar` is `E2`.
+ #
+ # Example 4 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {RestoreDefault: {}}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 5 (no policy inherits parent policy):
+ # `organizations/foo` has no `Policy` set.
+ # `projects/bar` has no `Policy` set.
+ # The accepted values at both levels are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 6 (ListConstraint allowing all):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: ALLOW}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # Any value is accepted at `projects/bar`.
+ #
+ # Example 7 (ListConstraint allowing none):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: DENY}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # No value is accepted at `projects/bar`.
+ "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
+ # that matches the value specified in this `Policy`. If `suggested_value`
+ # is not set, it will inherit the value specified higher in the hierarchy,
+ # unless `inherit_from_parent` is `false`.
+ "allowedValues": [ # List of values allowed at this resource. an only be set if no values are
+ # set for `denied_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ },
+ "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
+ # resource.
+ "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
+ # configuration is acceptable.
+ #
+ # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`
+ # with `constraint_default` set to `ALLOW`. A `Policy` for that
+ # `Constraint` exhibits the following behavior:
+ # - If the `Policy` at this resource has enforced set to `false`, serial
+ # port connection attempts will be allowed.
+ # - If the `Policy` at this resource has enforced set to `true`, serial
+ # port connection attempts will be refused.
+ # - If the `Policy` at this resource is `RestoreDefault`, serial port
+ # connection attempts will be allowed.
+ # - If no `Policy` is set at this resource or anywhere higher in the
+ # resource hierarchy, serial port connection attempts will be allowed.
+ # - If no `Policy` is set at this resource, but one exists higher in the
+ # resource hierarchy, the behavior is as if the`Policy` were set at
+ # this resource.
+ #
+ # The following examples demonstrate the different possible layerings:
+ #
+ # Example 1 (nearest `Constraint` wins):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has no `Policy` set.
+ # The constraint at `projects/bar` and `organizations/foo` will not be
+ # enforced.
+ #
+ # Example 2 (enforcement gets replaced):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has a `Policy` with:
+ # {enforced: true}
+ # The constraint at `organizations/foo` is not enforced.
+ # The constraint at `projects/bar` is enforced.
+ #
+ # Example 3 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: true}
+ # `projects/bar` has a `Policy` with:
+ # {RestoreDefault: {}}
+ # The constraint at `organizations/foo` is enforced.
+ # The constraint at `projects/bar` is not enforced, because
+ # `constraint_default` for the `Constraint` is `ALLOW`.
+ },
+ "version": 42, # Version of the `Policy`. Default version is 0;
+ "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
+ # concurrency control.
+ #
+ # When the `Policy` is returned from either a `GetPolicy` or a
+ # `ListOrgPolicy` request, this `etag` indicates the version of the current
+ # `Policy` to use when executing a read-modify-write loop.
+ #
+ # When the `Policy` is returned from a `GetEffectivePolicy` request, the
+ # `etag` will be unset.
+ #
+ # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
+ # that was returned from a `GetOrgPolicy` request as part of a
+ # read-modify-write loop for concurrency control. Not setting the `etag`in a
+ # `SetOrgPolicy` request will result in an unconditional write of the
+ # `Policy`.
+ }</pre>
+</div>
+
+<div class="method">
+ <code class="details" id="setOrgPolicyV1">setOrgPolicyV1(resource, body, x__xgafv=None)</code>
+ <pre>Updates the specified `Policy` on the resource. Creates a new `Policy` for
+that `Constraint` on the resource if one does not exist.
+
+Not supplying an `etag` on the request `Policy` results in an unconditional
+write of the `Policy`.
+
+Args:
+ resource: string, Resource name of the resource to attach the `Policy`. (required)
+ body: object, The request body. (required)
+ The object takes the form of:
+
+{ # The request sent to the SetOrgPolicyRequest method.
+ "policy": { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` # `Policy` to set on the resource.
+ # for configurations of Cloud Platform resources.
+ "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
+ # server, not specified by the caller, and represents the last time a call to
+ # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
+ # be ignored.
+ "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
+ # `constraints/serviceuser.services`.
+ #
+ # Immutable after creation.
+ "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
+ # `Constraint` type.
+ # `constraint_default` enforcement behavior of the specific `Constraint` at
+ # this resource.
+ #
+ # Suppose that `constraint_default` is set to `ALLOW` for the
+ # `Constraint` `constraints/serviceuser.services`. Suppose that organization
+ # foo.com sets a `Policy` at their Organization resource node that restricts
+ # the allowed service activations to deny all service activations. They
+ # could then set a `Policy` with the `policy_type` `restore_default` on
+ # several experimental projects, restoring the `constraint_default`
+ # enforcement of the `Constraint` for only those projects, allowing those
+ # projects to have all services activated.
+ },
+ "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
+ # resource.
+ #
+ # A `ListPolicy` can define specific values that are allowed or denied by
+ # setting either the `allowed_values` or `denied_values` fields. It can also
+ # be used to allow or deny all values, by setting the `all_values` field. If
+ # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`
+ # or `denied_values` must be set (attempting to set both or neither will
+ # result in a failed request). If `all_values` is set to either `ALLOW` or
+ # `DENY`, `allowed_values` and `denied_values` must be unset.
+ "allValues": "A String", # The policy all_values state.
+ "deniedValues": [ # List of values denied at this resource. Can only be set if no values are
+ # set for `allowed_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
+ #
+ # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
+ # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
+ # set to `true`, then the values from the effective `Policy` of the parent
+ # resource are inherited, meaning the values set in this `Policy` are
+ # added to the values inherited up the hierarchy.
+ #
+ # Setting `Policy` hierarchies that inherit both allowed values and denied
+ # values isn't recommended in most circumstances to keep the configuration
+ # simple and understandable. However, it is possible to set a `Policy` with
+ # `allowed_values` set that inherits a `Policy` with `denied_values` set.
+ # In this case, the values that are allowed must be in `allowed_values` and
+ # not present in `denied_values`.
+ #
+ # For example, suppose you have a `Constraint`
+ # `constraints/serviceuser.services`, which has a `constraint_type` of
+ # `list_constraint`, and with `constraint_default` set to `ALLOW`.
+ # Suppose that at the Organization level, a `Policy` is applied that
+ # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
+ # `Policy` is applied to a project below the Organization that has
+ # `inherit_from_parent` set to `false` and field all_values set to DENY,
+ # then an attempt to activate any API will be denied.
+ #
+ # The following examples demonstrate different possible layerings:
+ #
+ # Example 1 (no inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # ``projects/bar`` has `inherit_from_parent` `false` and values:
+ # {allowed_values: "E3" allowed_values: "E4"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E3`, and `E4`.
+ #
+ # Example 2 (inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {value: “E3” value: ”E4” inherit_from_parent: true}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
+ #
+ # Example 3 (inheriting both allowed and denied values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: "E1" allowed_values: "E2"}
+ # `projects/bar` has a `Policy` with:
+ # {denied_values: "E1"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The value accepted at `projects/bar` is `E2`.
+ #
+ # Example 4 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {RestoreDefault: {}}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 5 (no policy inherits parent policy):
+ # `organizations/foo` has no `Policy` set.
+ # `projects/bar` has no `Policy` set.
+ # The accepted values at both levels are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 6 (ListConstraint allowing all):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: ALLOW}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # Any value is accepted at `projects/bar`.
+ #
+ # Example 7 (ListConstraint allowing none):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: DENY}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # No value is accepted at `projects/bar`.
+ "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
+ # that matches the value specified in this `Policy`. If `suggested_value`
+ # is not set, it will inherit the value specified higher in the hierarchy,
+ # unless `inherit_from_parent` is `false`.
+ "allowedValues": [ # List of values allowed at this resource. an only be set if no values are
+ # set for `denied_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ },
+ "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
+ # resource.
+ "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
+ # configuration is acceptable.
+ #
+ # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`
+ # with `constraint_default` set to `ALLOW`. A `Policy` for that
+ # `Constraint` exhibits the following behavior:
+ # - If the `Policy` at this resource has enforced set to `false`, serial
+ # port connection attempts will be allowed.
+ # - If the `Policy` at this resource has enforced set to `true`, serial
+ # port connection attempts will be refused.
+ # - If the `Policy` at this resource is `RestoreDefault`, serial port
+ # connection attempts will be allowed.
+ # - If no `Policy` is set at this resource or anywhere higher in the
+ # resource hierarchy, serial port connection attempts will be allowed.
+ # - If no `Policy` is set at this resource, but one exists higher in the
+ # resource hierarchy, the behavior is as if the`Policy` were set at
+ # this resource.
+ #
+ # The following examples demonstrate the different possible layerings:
+ #
+ # Example 1 (nearest `Constraint` wins):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has no `Policy` set.
+ # The constraint at `projects/bar` and `organizations/foo` will not be
+ # enforced.
+ #
+ # Example 2 (enforcement gets replaced):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has a `Policy` with:
+ # {enforced: true}
+ # The constraint at `organizations/foo` is not enforced.
+ # The constraint at `projects/bar` is enforced.
+ #
+ # Example 3 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: true}
+ # `projects/bar` has a `Policy` with:
+ # {RestoreDefault: {}}
+ # The constraint at `organizations/foo` is enforced.
+ # The constraint at `projects/bar` is not enforced, because
+ # `constraint_default` for the `Constraint` is `ALLOW`.
+ },
+ "version": 42, # Version of the `Policy`. Default version is 0;
+ "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
+ # concurrency control.
+ #
+ # When the `Policy` is returned from either a `GetPolicy` or a
+ # `ListOrgPolicy` request, this `etag` indicates the version of the current
+ # `Policy` to use when executing a read-modify-write loop.
+ #
+ # When the `Policy` is returned from a `GetEffectivePolicy` request, the
+ # `etag` will be unset.
+ #
+ # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
+ # that was returned from a `GetOrgPolicy` request as part of a
+ # read-modify-write loop for concurrency control. Not setting the `etag`in a
+ # `SetOrgPolicy` request will result in an unconditional write of the
+ # `Policy`.
+ },
+ }
+
+ x__xgafv: string, V1 error format.
+ Allowed values
+ 1 - v1 error format
+ 2 - v2 error format
+
+Returns:
+ An object of the form:
+
+ { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
+ # for configurations of Cloud Platform resources.
+ "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
+ # server, not specified by the caller, and represents the last time a call to
+ # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
+ # be ignored.
+ "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
+ # `constraints/serviceuser.services`.
+ #
+ # Immutable after creation.
+ "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
+ # `Constraint` type.
+ # `constraint_default` enforcement behavior of the specific `Constraint` at
+ # this resource.
+ #
+ # Suppose that `constraint_default` is set to `ALLOW` for the
+ # `Constraint` `constraints/serviceuser.services`. Suppose that organization
+ # foo.com sets a `Policy` at their Organization resource node that restricts
+ # the allowed service activations to deny all service activations. They
+ # could then set a `Policy` with the `policy_type` `restore_default` on
+ # several experimental projects, restoring the `constraint_default`
+ # enforcement of the `Constraint` for only those projects, allowing those
+ # projects to have all services activated.
+ },
+ "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
+ # resource.
+ #
+ # A `ListPolicy` can define specific values that are allowed or denied by
+ # setting either the `allowed_values` or `denied_values` fields. It can also
+ # be used to allow or deny all values, by setting the `all_values` field. If
+ # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`
+ # or `denied_values` must be set (attempting to set both or neither will
+ # result in a failed request). If `all_values` is set to either `ALLOW` or
+ # `DENY`, `allowed_values` and `denied_values` must be unset.
+ "allValues": "A String", # The policy all_values state.
+ "deniedValues": [ # List of values denied at this resource. Can only be set if no values are
+ # set for `allowed_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
+ #
+ # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
+ # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
+ # set to `true`, then the values from the effective `Policy` of the parent
+ # resource are inherited, meaning the values set in this `Policy` are
+ # added to the values inherited up the hierarchy.
+ #
+ # Setting `Policy` hierarchies that inherit both allowed values and denied
+ # values isn't recommended in most circumstances to keep the configuration
+ # simple and understandable. However, it is possible to set a `Policy` with
+ # `allowed_values` set that inherits a `Policy` with `denied_values` set.
+ # In this case, the values that are allowed must be in `allowed_values` and
+ # not present in `denied_values`.
+ #
+ # For example, suppose you have a `Constraint`
+ # `constraints/serviceuser.services`, which has a `constraint_type` of
+ # `list_constraint`, and with `constraint_default` set to `ALLOW`.
+ # Suppose that at the Organization level, a `Policy` is applied that
+ # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
+ # `Policy` is applied to a project below the Organization that has
+ # `inherit_from_parent` set to `false` and field all_values set to DENY,
+ # then an attempt to activate any API will be denied.
+ #
+ # The following examples demonstrate different possible layerings:
+ #
+ # Example 1 (no inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # ``projects/bar`` has `inherit_from_parent` `false` and values:
+ # {allowed_values: "E3" allowed_values: "E4"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E3`, and `E4`.
+ #
+ # Example 2 (inherited values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {value: “E3” value: ”E4” inherit_from_parent: true}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
+ #
+ # Example 3 (inheriting both allowed and denied values):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: "E1" allowed_values: "E2"}
+ # `projects/bar` has a `Policy` with:
+ # {denied_values: "E1"}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The value accepted at `projects/bar` is `E2`.
+ #
+ # Example 4 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values:”E2”}
+ # `projects/bar` has a `Policy` with values:
+ # {RestoreDefault: {}}
+ # The accepted values at `organizations/foo` are `E1`, `E2`.
+ # The accepted values at `projects/bar` are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 5 (no policy inherits parent policy):
+ # `organizations/foo` has no `Policy` set.
+ # `projects/bar` has no `Policy` set.
+ # The accepted values at both levels are either all or none depending on
+ # the value of `constraint_default` (if `ALLOW`, all; if
+ # `DENY`, none).
+ #
+ # Example 6 (ListConstraint allowing all):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: ALLOW}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # Any value is accepted at `projects/bar`.
+ #
+ # Example 7 (ListConstraint allowing none):
+ # `organizations/foo` has a `Policy` with values:
+ # {allowed_values: “E1” allowed_values: ”E2”}
+ # `projects/bar` has a `Policy` with:
+ # {all: DENY}
+ # The accepted values at `organizations/foo` are `E1`, E2`.
+ # No value is accepted at `projects/bar`.
+ "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
+ # that matches the value specified in this `Policy`. If `suggested_value`
+ # is not set, it will inherit the value specified higher in the hierarchy,
+ # unless `inherit_from_parent` is `false`.
+ "allowedValues": [ # List of values allowed at this resource. an only be set if no values are
+ # set for `denied_values` and `all_values` is set to
+ # `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
+ },
+ "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
+ # resource.
+ "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
+ # configuration is acceptable.
+ #
+ # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`
+ # with `constraint_default` set to `ALLOW`. A `Policy` for that
+ # `Constraint` exhibits the following behavior:
+ # - If the `Policy` at this resource has enforced set to `false`, serial
+ # port connection attempts will be allowed.
+ # - If the `Policy` at this resource has enforced set to `true`, serial
+ # port connection attempts will be refused.
+ # - If the `Policy` at this resource is `RestoreDefault`, serial port
+ # connection attempts will be allowed.
+ # - If no `Policy` is set at this resource or anywhere higher in the
+ # resource hierarchy, serial port connection attempts will be allowed.
+ # - If no `Policy` is set at this resource, but one exists higher in the
+ # resource hierarchy, the behavior is as if the`Policy` were set at
+ # this resource.
+ #
+ # The following examples demonstrate the different possible layerings:
+ #
+ # Example 1 (nearest `Constraint` wins):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has no `Policy` set.
+ # The constraint at `projects/bar` and `organizations/foo` will not be
+ # enforced.
+ #
+ # Example 2 (enforcement gets replaced):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has a `Policy` with:
+ # {enforced: true}
+ # The constraint at `organizations/foo` is not enforced.
+ # The constraint at `projects/bar` is enforced.
+ #
+ # Example 3 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: true}
+ # `projects/bar` has a `Policy` with:
+ # {RestoreDefault: {}}
+ # The constraint at `organizations/foo` is enforced.
+ # The constraint at `projects/bar` is not enforced, because
+ # `constraint_default` for the `Constraint` is `ALLOW`.
+ },
+ "version": 42, # Version of the `Policy`. Default version is 0;
+ "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
+ # concurrency control.
+ #
+ # When the `Policy` is returned from either a `GetPolicy` or a
+ # `ListOrgPolicy` request, this `etag` indicates the version of the current
+ # `Policy` to use when executing a read-modify-write loop.
+ #
+ # When the `Policy` is returned from a `GetEffectivePolicy` request, the
+ # `etag` will be unset.
+ #
+ # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
+ # that was returned from a `GetOrgPolicy` request as part of a
+ # read-modify-write loop for concurrency control. Not setting the `etag`in a
+ # `SetOrgPolicy` request will result in an unconditional write of the
+ # `Policy`.
+ }</pre>
+</div>
+
+<div class="method">
<code class="details" id="testIamPermissions">testIamPermissions(resource=None, body, x__xgafv=None)</code>
<pre>Returns permissions that a caller has on the specified Project.