Blame - docs/dyn/cloudasset_v1p4beta1.v1p4beta1.html - platform/external/python/google-api-python-client

2020-05-20 12:08:20 -0700

[diff] [blame]

80

81

<code><a href="#exportIamPolicyAnalysis">exportIamPolicyAnalysis(parent, body=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

82

<p class="firstline">Exports the answers of which identities have what accesses on which</p>

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

83

<h3>Method Details</h3>

84

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

85

<code class="details" id="analyzeIamPolicy">analyzeIamPolicy(parent, options_outputGroupEdges=None, options_outputResourceEdges=None, options_expandRoles=None, analysisQuery_accessSelector_permissions=None, options_expandGroups=None, analysisQuery_accessSelector_roles=None, analysisQuery_identitySelector_identity=None, options_executionTimeout=None, analysisQuery_resourceSelector_fullResourceName=None, options_expandResources=None, options_analyzeServiceAccountImpersonation=None, x__xgafv=None)</code>

86

<pre>Analyzes IAM policies to answer which identities have what accesses on

87

which resources.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

88

89

Args:

90

parent: string, Required. The relative name of the root asset. Only resources and IAM policies within

91

the parent will be analyzed. This can only be an organization number (such

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

92

as "organizations/123") or a folder number (such as "folders/123").

93

94

To know how to get organization id, visit [here

95

](https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id).

96

97

To know how to get folder id, visit [here

98

](https://cloud.google.com/resource-manager/docs/creating-managing-folders#viewing_or_listing_folders_and_projects). (required)

99

options_outputGroupEdges: boolean, Optional. If true, the result will output group identity edges, starting

100

from the binding's group members, to any expanded identities.

101

Default is false.

102

options_outputResourceEdges: boolean, Optional. If true, the result will output resource edges, starting

103

from the policy attached resource, to any expanded resources.

104

Default is false.

105

options_expandRoles: boolean, Optional. If true, the access section of result will expand any roles

106

appearing in IAM policy bindings to include their permissions.

107

108

If access_selector is specified, the access section of the result

109

will be determined by the selector, and this flag will have no effect.

110

111

Default is false.

112

analysisQuery_accessSelector_permissions: string, Optional. The permissions to appear in result. (repeated)

113

options_expandGroups: boolean, Optional. If true, the identities section of the result will expand any

114

Google groups appearing in an IAM policy binding.

115

116

If identity_selector is specified, the identity in the result will

117

be determined by the selector, and this flag will have no effect.

118

119

Default is false.

120

analysisQuery_accessSelector_roles: string, Optional. The roles to appear in result. (repeated)

121

analysisQuery_identitySelector_identity: string, Required. The identity appear in the form of members in

122

[IAM policy

123

binding](https://cloud.google.com/iam/reference/rest/v1/Binding).

124

125

The examples of supported forms are:

126

"user:mike@example.com",

127

"group:admins@example.com",

128

"domain:google.com",

129

"serviceAccount:my-project-id@appspot.gserviceaccount.com".

130

131

Notice that wildcard characters (such as * and ?) are not supported.

132

You must give a specific identity.

133

options_executionTimeout: string, Optional. Amount of time executable has to complete. See JSON representation of

134

[Duration](https://developers.google.com/protocol-buffers/docs/proto3#json).

135

136

If this field is set with a value less than the RPC deadline, and the

137

execution of your query hasn't finished in the specified

138

execution timeout, you will get a response with partial result.

139

Otherwise, your query's execution will continue until the RPC deadline.

140

If it's not finished until then, you will get a DEADLINE_EXCEEDED error.

141

142

Default is empty.

143

analysisQuery_resourceSelector_fullResourceName: string, Required. The [full resource

144

name](https://cloud.google.com/asset-inventory/docs/resource-name-format)

145

of a resource of [supported resource

146

types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#analyzable_asset_types).

147

options_expandResources: boolean, Optional. If true, the resource section of the result will expand any

148

resource attached to an IAM policy to include resources lower in the

149

resource hierarchy.

150

151

For example, if the request analyzes for which resources user A has

152

permission P, and the results include an IAM policy with P on a GCP

153

folder, the results will also include resources in that folder with

154

permission P.

155

156

If resource_selector is specified, the resource section of the result

157

will be determined by the selector, and this flag will have no effect.

158

Default is false.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

159

options_analyzeServiceAccountImpersonation: boolean, Optional. If true, the response will include access analysis from identities to

160

resources via service account impersonation. This is a very expensive

161

operation, because many derived queries will be executed. We highly

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

162

recommend you use AssetService.ExportIamPolicyAnalysis rpc instead.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

163

164

For example, if the request analyzes for which resources user A has

165

permission P, and there's an IAM policy states user A has

166

iam.serviceAccounts.getAccessToken permission to a service account SA,

167

and there's another IAM policy states service account SA has permission P

168

to a GCP folder F, then user A potentially has access to the GCP folder

169

F. And those advanced analysis results will be included in

170

AnalyzeIamPolicyResponse.service_account_impersonation_analysis.

171

172

Another example, if the request analyzes for who has

173

permission P to a GCP folder F, and there's an IAM policy states user A

174

has iam.serviceAccounts.actAs permission to a service account SA, and

175

there's another IAM policy states service account SA has permission P to

176

the GCP folder F, then user A potentially has access to the GCP folder

177

F. And those advanced analysis results will be included in

178

AnalyzeIamPolicyResponse.service_account_impersonation_analysis.

179

180

Default is false.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

181

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

188

189

{ # A response message for AssetService.AnalyzeIamPolicy.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

190

"mainAnalysis": { # An analysis message to group the query and results. # The main analysis that matches the original request.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

191

"fullyExplored": True or False, # Represents whether all entries in the analysis_results have been

192

# fully explored to answer the query.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

193

"analysisResults": [ # A list of IamPolicyAnalysisResult that matches the analysis query, or

194

# empty if no result is found.

195

{ # IAM Policy analysis result, consisting of one IAM policy binding and derived

196

# access control lists.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

197

"accessControlLists": [ # The access control lists derived from the iam_binding that match or

198

# potentially match resource and access selectors specified in the request.

199

{ # An access control list, derived from the above IAM policy binding, which

200

# contains a set of resources and accesses. May include one

201

# item from each set to compose an access control entry.

202

#

203

# NOTICE that there could be multiple access control lists for one IAM policy

204

# binding. The access control lists are created based on resource and access

205

# combinations.

206

#

207

# For example, assume we have the following cases in one IAM policy binding:

208

# - Permission P1 and P2 apply to resource R1 and R2;

209

# - Permission P3 applies to resource R2 and R3;

210

#

211

# This will result in the following access control lists:

212

# - AccessControlList 1: [R1, R2], [P1, P2]

213

# - AccessControlList 2: [R2, R3], [P3]

214

"resources": [ # The resources that match one of the following conditions:

215

# - The resource_selector, if it is specified in request;

216

# - Otherwise, resources reachable from the policy attached resource.

217

{ # A Google Cloud resource under analysis.

218

"fullResourceName": "A String", # The [full resource

219

# name](https://cloud.google.com/asset-inventory/docs/resource-name-format)

220

"analysisState": { # Represents the detailed state of an entity under analysis, such as a # The analysis state of this resource.

221

# resource, an identity or an access.

222

"cause": "A String", # The human-readable description of the cause of failure.

223

"code": "A String", # The Google standard error code that best describes the state.

224

# For example:

225

# - OK means the analysis on this entity has been successfully finished;

226

# - PERMISSION_DENIED means an access denied error is encountered;

227

# - DEADLINE_EXCEEDED means the analysis on this entity hasn't been started

# in time;

},

},

],

"accesses": [ # The accesses that match one of the following conditions:

233

# - The access_selector, if it is specified in request;

234

# - Otherwise, access specifiers reachable from the policy binding's role.

235

{ # An IAM role or permission under analysis.

236

"permission": "A String", # The permission.

237

"analysisState": { # Represents the detailed state of an entity under analysis, such as a # The analysis state of this access.

238

# resource, an identity or an access.

239

"cause": "A String", # The human-readable description of the cause of failure.

240

"code": "A String", # The Google standard error code that best describes the state.

241

# For example:

242

# - OK means the analysis on this entity has been successfully finished;

243

# - PERMISSION_DENIED means an access denied error is encountered;

244

# - DEADLINE_EXCEEDED means the analysis on this entity hasn't been started

245

# in time;

246

},

247

"role": "A String", # The role.

248

},

249

],

250

"resourceEdges": [ # Resource edges of the graph starting from the policy attached

251

# resource to any descendant resources. The Edge.source_node contains

252

# the full resource name of a parent resource and Edge.target_node

253

# contains the full resource name of a child resource. This field is

254

# present only if the output_resource_edges option is enabled in request.

255

{ # A directional edge.

256

"sourceNode": "A String", # The source node of the edge.

257

"targetNode": "A String", # The target node of the edge.

},

],

},

],

"fullyExplored": True or False, # Represents whether all analyses on the iam_binding have successfully

263

# finished.

264

"identityList": { # The identity list derived from members of the iam_binding that match or

265

# potentially match identity selector specified in the request.

266

"groupEdges": [ # Group identity edges of the graph starting from the binding's

267

# group members to any node of the identities. The Edge.source_node

268

# contains a group, such as "group:parent@google.com". The

269

# Edge.target_node contains a member of the group,

270

# such as "group:child@google.com" or "user:foo@google.com".

271

# This field is present only if the output_group_edges option is enabled in

272

# request.

273

{ # A directional edge.

274

"sourceNode": "A String", # The source node of the edge.

275

"targetNode": "A String", # The target node of the edge.

276

},

277

],

278

"identities": [ # Only the identities that match one of the following conditions will be

279

# presented:

280

# - The identity_selector, if it is specified in request;

281

# - Otherwise, identities reachable from the policy binding's members.

282

{ # An identity under analysis.

283

"name": "A String", # The identity name in any form of members appear in

284

# [IAM policy

285

# binding](https://cloud.google.com/iam/reference/rest/v1/Binding), such

286

# as:

287

# - user:foo@google.com

288

# - group:group1@google.com

289

# - serviceAccount:s1@prj1.iam.gserviceaccount.com

290

# - projectOwner:some_project_id

291

# - domain:google.com

292

# - allUsers

293

# - etc.

294

"analysisState": { # Represents the detailed state of an entity under analysis, such as a # The analysis state of this identity.

295

# resource, an identity or an access.

296

"cause": "A String", # The human-readable description of the cause of failure.

297

"code": "A String", # The Google standard error code that best describes the state.

298

# For example:

299

# - OK means the analysis on this entity has been successfully finished;

300

# - PERMISSION_DENIED means an access denied error is encountered;

301

# - DEADLINE_EXCEEDED means the analysis on this entity hasn't been started

# in time;

},

},

],

},

"attachedResourceFullName": "A String", # The [full resource

308

# name](https://cloud.google.com/asset-inventory/docs/resource-name-format)

309

# of the resource to which the iam_binding policy attaches.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

310

"iamBinding": { # Associates `members` with a `role`. # The Cloud IAM policy binding under analysis.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

311

"role": "A String", # Role that is assigned to `members`.

312

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

313

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

314

#

315

# If the condition evaluates to `true`, then this binding applies to the

316

# current request.

317

#

318

# If the condition evaluates to `false`, then this binding does not apply to

319

# the current request. However, a different role binding might grant the same

320

# role to one or more of the members in this binding.

321

#

322

# To learn which resources support conditions in their IAM policies, see the

323

# [IAM

324

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

325

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

326

# are documented at https://github.com/google/cel-spec.

327

#

328

# Example (Comparison):

329

#

330

# title: "Summary size limit"

331

# description: "Determines if a summary is less than 100 chars"

332

# expression: "document.summary.size() < 100"

333

#

334

# Example (Equality):

335

#

336

# title: "Requestor is owner"

337

# description: "Determines if requestor is the document owner"

338

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

343

# description: "Determine whether the document should be publicly visible"

344

# expression: "document.type != 'private' && document.type != 'internal'"

345

#

346

# Example (Data Manipulation):

347

#

348

# title: "Notification string"

349

# description: "Create a notification string with a timestamp."

350

# expression: "'New message received at ' + string(document.create_time)"

351

#

352

# The exact variables and functions that may be referenced within an expression

353

# are determined by the service that evaluates it. See the service

354

# documentation for additional information.

355

"location": "A String", # Optional. String indicating the location of the expression for error

356

# reporting, e.g. a file name and a position in the file.

357

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

358

# its purpose. This can be used e.g. in UIs which allow to enter the

359

# expression.

360

"expression": "A String", # Textual representation of an expression in Common Expression Language

361

# syntax.

362

"description": "A String", # Optional. Description of the expression. This is a longer text which

363

# describes the expression, e.g. when hovered over it in a UI.

364

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

365

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

366

# `members` can have the following values:

367

#

368

# * `allUsers`: A special identifier that represents anyone who is

369

# on the internet; with or without a Google account.

370

#

371

# * `allAuthenticatedUsers`: A special identifier that represents anyone

372

# who is authenticated with a Google account or a service account.

373

#

374

# * `user:{emailid}`: An email address that represents a specific Google

375

# account. For example, `alice@example.com` .

376

#

377

#

378

# * `serviceAccount:{emailid}`: An email address that represents a service

379

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

380

#

381

# * `group:{emailid}`: An email address that represents a Google group.

382

# For example, `admins@example.com`.

383

#

384

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

385

# identifier) representing a user that has been recently deleted. For

386

# example, `alice@example.com?uid=123456789012345678901`. If the user is

387

# recovered, this value reverts to `user:{emailid}` and the recovered user

388

# retains the role in the binding.

389

#

390

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

391

# unique identifier) representing a service account that has been recently

392

# deleted. For example,

393

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

394

# If the service account is undeleted, this value reverts to

395

# `serviceAccount:{emailid}` and the undeleted service account retains the

396

# role in the binding.

397

#

398

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

399

# identifier) representing a Google group that has been recently

400

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

401

# the group is recovered, this value reverts to `group:{emailid}` and the

402

# recovered group retains the role in the binding.

403

#

404

#

405

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

406

# users of that domain. For example, `google.com` or `example.com`.

#

"A String",

],

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

411

},

412

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

413

"analysisQuery": { # IAM policy analysis query message. # The analysis query.

414

"accessSelector": { # Specifies roles and/or permissions to analyze, to determine both the # Optional. Specifies roles or permissions for analysis. This is optional.

415

# identities possessing them and the resources they control. If multiple

416

# values are specified, results will include identities and resources

417

# matching any of them.

418

"roles": [ # Optional. The roles to appear in result.

419

"A String",

420

],

421

"permissions": [ # Optional. The permissions to appear in result.

"A String",

],

},

"resourceSelector": { # Specifies the resource to analyze for access policies, which may be set # Optional. Specifies a resource for analysis. Either ResourceSelector or

426

# IdentitySelector must be specified.

427

# directly on the resource, or on ancestors such as organizations, folders or

428

# projects.

429

"fullResourceName": "A String", # Required. The [full resource

430

# name](https://cloud.google.com/asset-inventory/docs/resource-name-format)

431

# of a resource of [supported resource

432

# types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#analyzable_asset_types).

433

},

434

"parent": "A String", # Required. The relative name of the root asset. Only resources and IAM policies within

435

# the parent will be analyzed. This can only be an organization number (such

436

# as "organizations/123") or a folder number (such as "folders/123").

437

#

438

# To know how to get organization id, visit [here

439

# ](https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id).

440

#

441

# To know how to get folder id, visit [here

442

# ](https://cloud.google.com/resource-manager/docs/creating-managing-folders#viewing_or_listing_folders_and_projects).

443

"identitySelector": { # Specifies an identity for which to determine resource access, based on # Optional. Specifies an identity for analysis. Either ResourceSelector or

444

# IdentitySelector must be specified.

445

# roles assigned either directly to them or to the groups they belong to,

446

# directly or indirectly.

447

"identity": "A String", # Required. The identity appear in the form of members in

448

# [IAM policy

449

# binding](https://cloud.google.com/iam/reference/rest/v1/Binding).

450

#

451

# The examples of supported forms are:

452

# "user:mike@example.com",

453

# "group:admins@example.com",

454

# "domain:google.com",

455

# "serviceAccount:my-project-id@appspot.gserviceaccount.com".

456

#

457

# Notice that wildcard characters (such as * and ?) are not supported.

458

# You must give a specific identity.

459

},

460

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

461

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

462

"fullyExplored": True or False, # Represents whether all entries in the main_analysis and

463

# service_account_impersonation_analysis have been fully explored to

464

# answer the query in the request.

465

"nonCriticalErrors": [ # A list of non-critical errors happened during the request handling to

466

# explain why `fully_explored` is false, or empty if no error happened.

467

{ # Represents the detailed state of an entity under analysis, such as a

468

# resource, an identity or an access.

469

"cause": "A String", # The human-readable description of the cause of failure.

470

"code": "A String", # The Google standard error code that best describes the state.

471

# For example:

472

# - OK means the analysis on this entity has been successfully finished;

473

# - PERMISSION_DENIED means an access denied error is encountered;

474

# - DEADLINE_EXCEEDED means the analysis on this entity hasn't been started

475

# in time;

476

},

477

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

478

"serviceAccountImpersonationAnalysis": [ # The service account impersonation analysis if

479

# AnalyzeIamPolicyRequest.analyze_service_account_impersonation is

480

# enabled.

481

{ # An analysis message to group the query and results.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

482

"fullyExplored": True or False, # Represents whether all entries in the analysis_results have been

483

# fully explored to answer the query.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

484

"analysisResults": [ # A list of IamPolicyAnalysisResult that matches the analysis query, or

485

# empty if no result is found.

486

{ # IAM Policy analysis result, consisting of one IAM policy binding and derived

487

# access control lists.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

488

"accessControlLists": [ # The access control lists derived from the iam_binding that match or

489

# potentially match resource and access selectors specified in the request.

490

{ # An access control list, derived from the above IAM policy binding, which

491

# contains a set of resources and accesses. May include one

492

# item from each set to compose an access control entry.

493

#

494

# NOTICE that there could be multiple access control lists for one IAM policy

495

# binding. The access control lists are created based on resource and access

496

# combinations.

497

#

498

# For example, assume we have the following cases in one IAM policy binding:

499

# - Permission P1 and P2 apply to resource R1 and R2;

500

# - Permission P3 applies to resource R2 and R3;

501

#

502

# This will result in the following access control lists:

503

# - AccessControlList 1: [R1, R2], [P1, P2]

504

# - AccessControlList 2: [R2, R3], [P3]

505

"resources": [ # The resources that match one of the following conditions:

506

# - The resource_selector, if it is specified in request;

507

# - Otherwise, resources reachable from the policy attached resource.

508

{ # A Google Cloud resource under analysis.

509

"fullResourceName": "A String", # The [full resource

510

# name](https://cloud.google.com/asset-inventory/docs/resource-name-format)

511

"analysisState": { # Represents the detailed state of an entity under analysis, such as a # The analysis state of this resource.

512

# resource, an identity or an access.

513

"cause": "A String", # The human-readable description of the cause of failure.

514

"code": "A String", # The Google standard error code that best describes the state.

515

# For example:

516

# - OK means the analysis on this entity has been successfully finished;

517

# - PERMISSION_DENIED means an access denied error is encountered;

518

# - DEADLINE_EXCEEDED means the analysis on this entity hasn't been started

# in time;

},

},

],

"accesses": [ # The accesses that match one of the following conditions:

524

# - The access_selector, if it is specified in request;

525

# - Otherwise, access specifiers reachable from the policy binding's role.

526

{ # An IAM role or permission under analysis.

527

"permission": "A String", # The permission.

528

"analysisState": { # Represents the detailed state of an entity under analysis, such as a # The analysis state of this access.

529

# resource, an identity or an access.

530

"cause": "A String", # The human-readable description of the cause of failure.

531

"code": "A String", # The Google standard error code that best describes the state.

532

# For example:

533

# - OK means the analysis on this entity has been successfully finished;

534

# - PERMISSION_DENIED means an access denied error is encountered;

535

# - DEADLINE_EXCEEDED means the analysis on this entity hasn't been started

536

# in time;

537

},

538

"role": "A String", # The role.

539

},

540

],

541

"resourceEdges": [ # Resource edges of the graph starting from the policy attached

542

# resource to any descendant resources. The Edge.source_node contains

543

# the full resource name of a parent resource and Edge.target_node

544

# contains the full resource name of a child resource. This field is

545

# present only if the output_resource_edges option is enabled in request.

546

{ # A directional edge.

547

"sourceNode": "A String", # The source node of the edge.

548

"targetNode": "A String", # The target node of the edge.

},

],

},

],

"fullyExplored": True or False, # Represents whether all analyses on the iam_binding have successfully

554

# finished.

555

"identityList": { # The identity list derived from members of the iam_binding that match or

556

# potentially match identity selector specified in the request.

557

"groupEdges": [ # Group identity edges of the graph starting from the binding's

558

# group members to any node of the identities. The Edge.source_node

559

# contains a group, such as "group:parent@google.com". The

560

# Edge.target_node contains a member of the group,

561

# such as "group:child@google.com" or "user:foo@google.com".

562

# This field is present only if the output_group_edges option is enabled in

563

# request.

564

{ # A directional edge.

565

"sourceNode": "A String", # The source node of the edge.

566

"targetNode": "A String", # The target node of the edge.

567

},

568

],

569

"identities": [ # Only the identities that match one of the following conditions will be

570

# presented:

571

# - The identity_selector, if it is specified in request;

572

# - Otherwise, identities reachable from the policy binding's members.

573

{ # An identity under analysis.

574

"name": "A String", # The identity name in any form of members appear in

575

# [IAM policy

576

# binding](https://cloud.google.com/iam/reference/rest/v1/Binding), such

577

# as:

578

# - user:foo@google.com

579

# - group:group1@google.com

580

# - serviceAccount:s1@prj1.iam.gserviceaccount.com

581

# - projectOwner:some_project_id

582

# - domain:google.com

583

# - allUsers

584

# - etc.

585

"analysisState": { # Represents the detailed state of an entity under analysis, such as a # The analysis state of this identity.

586

# resource, an identity or an access.

587

"cause": "A String", # The human-readable description of the cause of failure.

588

"code": "A String", # The Google standard error code that best describes the state.

589

# For example:

590

# - OK means the analysis on this entity has been successfully finished;

591

# - PERMISSION_DENIED means an access denied error is encountered;

592

# - DEADLINE_EXCEEDED means the analysis on this entity hasn't been started

# in time;

},

},

],

},

"attachedResourceFullName": "A String", # The [full resource

599

# name](https://cloud.google.com/asset-inventory/docs/resource-name-format)

600

# of the resource to which the iam_binding policy attaches.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

601

"iamBinding": { # Associates `members` with a `role`. # The Cloud IAM policy binding under analysis.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

602

"role": "A String", # Role that is assigned to `members`.

603

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

604

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

605

#

606

# If the condition evaluates to `true`, then this binding applies to the

607

# current request.

608

#

609

# If the condition evaluates to `false`, then this binding does not apply to

610

# the current request. However, a different role binding might grant the same

611

# role to one or more of the members in this binding.

612

#

613

# To learn which resources support conditions in their IAM policies, see the

614

# [IAM

615

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

616

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

617

# are documented at https://github.com/google/cel-spec.

618

#

619

# Example (Comparison):

620

#

621

# title: "Summary size limit"

622

# description: "Determines if a summary is less than 100 chars"

623

# expression: "document.summary.size() < 100"

624

#

625

# Example (Equality):

626

#

627

# title: "Requestor is owner"

628

# description: "Determines if requestor is the document owner"

629

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

634

# description: "Determine whether the document should be publicly visible"

635

# expression: "document.type != 'private' && document.type != 'internal'"

636

#

637

# Example (Data Manipulation):

638

#

639

# title: "Notification string"

640

# description: "Create a notification string with a timestamp."

641

# expression: "'New message received at ' + string(document.create_time)"

642

#

643

# The exact variables and functions that may be referenced within an expression

644

# are determined by the service that evaluates it. See the service

645

# documentation for additional information.

646

"location": "A String", # Optional. String indicating the location of the expression for error

647

# reporting, e.g. a file name and a position in the file.

648

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

649

# its purpose. This can be used e.g. in UIs which allow to enter the

650

# expression.

651

"expression": "A String", # Textual representation of an expression in Common Expression Language

652

# syntax.

653

"description": "A String", # Optional. Description of the expression. This is a longer text which

654

# describes the expression, e.g. when hovered over it in a UI.

655

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

656

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

657

# `members` can have the following values:

658

#

659

# * `allUsers`: A special identifier that represents anyone who is

660

# on the internet; with or without a Google account.

661

#

662

# * `allAuthenticatedUsers`: A special identifier that represents anyone

663

# who is authenticated with a Google account or a service account.

664

#

665

# * `user:{emailid}`: An email address that represents a specific Google

666

# account. For example, `alice@example.com` .

667

#

668

#

669

# * `serviceAccount:{emailid}`: An email address that represents a service

670

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

671

#

672

# * `group:{emailid}`: An email address that represents a Google group.

673

# For example, `admins@example.com`.

674

#

675

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

676

# identifier) representing a user that has been recently deleted. For

677

# example, `alice@example.com?uid=123456789012345678901`. If the user is

678

# recovered, this value reverts to `user:{emailid}` and the recovered user

679

# retains the role in the binding.

680

#

681

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

682

# unique identifier) representing a service account that has been recently

683

# deleted. For example,

684

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

685

# If the service account is undeleted, this value reverts to

686

# `serviceAccount:{emailid}` and the undeleted service account retains the

687

# role in the binding.

688

#

689

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

690

# identifier) representing a Google group that has been recently

691

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

692

# the group is recovered, this value reverts to `group:{emailid}` and the

693

# recovered group retains the role in the binding.

694

#

695

#

696

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

697

# users of that domain. For example, `google.com` or `example.com`.

#

"A String",

],

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

702

},

703

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

704

"analysisQuery": { # IAM policy analysis query message. # The analysis query.

705

"accessSelector": { # Specifies roles and/or permissions to analyze, to determine both the # Optional. Specifies roles or permissions for analysis. This is optional.

706

# identities possessing them and the resources they control. If multiple

707

# values are specified, results will include identities and resources

708

# matching any of them.

709

"roles": [ # Optional. The roles to appear in result.

710

"A String",

711

],

712

"permissions": [ # Optional. The permissions to appear in result.

"A String",

],

},

"resourceSelector": { # Specifies the resource to analyze for access policies, which may be set # Optional. Specifies a resource for analysis. Either ResourceSelector or

717

# IdentitySelector must be specified.

718

# directly on the resource, or on ancestors such as organizations, folders or

719

# projects.

720

"fullResourceName": "A String", # Required. The [full resource

721

# name](https://cloud.google.com/asset-inventory/docs/resource-name-format)

722

# of a resource of [supported resource

723

# types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#analyzable_asset_types).

724

},

725

"parent": "A String", # Required. The relative name of the root asset. Only resources and IAM policies within

726

# the parent will be analyzed. This can only be an organization number (such

727

# as "organizations/123") or a folder number (such as "folders/123").

728

#

729

# To know how to get organization id, visit [here

730

# ](https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id).

731

#

732

# To know how to get folder id, visit [here

733

# ](https://cloud.google.com/resource-manager/docs/creating-managing-folders#viewing_or_listing_folders_and_projects).

734

"identitySelector": { # Specifies an identity for which to determine resource access, based on # Optional. Specifies an identity for analysis. Either ResourceSelector or

735

# IdentitySelector must be specified.

736

# roles assigned either directly to them or to the groups they belong to,

737

# directly or indirectly.

738

"identity": "A String", # Required. The identity appear in the form of members in

739

# [IAM policy

740

# binding](https://cloud.google.com/iam/reference/rest/v1/Binding).

741

#

742

# The examples of supported forms are:

743

# "user:mike@example.com",

744

# "group:admins@example.com",

745

# "domain:google.com",

746

# "serviceAccount:my-project-id@appspot.gserviceaccount.com".

747

#

748

# Notice that wildcard characters (such as * and ?) are not supported.

749

# You must give a specific identity.

750

},

751

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

}</pre>

</div>

<code class="details" id="exportIamPolicyAnalysis">exportIamPolicyAnalysis(parent, body=None, x__xgafv=None)</code>

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

759

<pre>Exports the answers of which identities have what accesses on which

760

resources to a Google Cloud Storage destination. The output format is

761

the JSON format that represents a AnalyzeIamPolicyResponse

762

in the JSON format.

763

This method implements the google.longrunning.Operation, which allows

764

you to keep track of the export. We recommend intervals of at least 2

765

seconds with exponential retry to poll the export operation result. The

766

metadata contains the request to help callers to map responses to requests.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

767

768

Args:

769

parent: string, Required. The relative name of the root asset. Only resources and IAM policies within

770

the parent will be analyzed. This can only be an organization number (such

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

771

as "organizations/123") or a folder number (such as "folders/123").

772

773

To know how to get organization id, visit [here

774

](https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id).

775

776

To know how to get folder id, visit [here

777

](https://cloud.google.com/resource-manager/docs/creating-managing-folders#viewing_or_listing_folders_and_projects). (required)

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

778

body: object, The request body.

779

The object takes the form of:

780

781

{ # A request message for AssetService.ExportIamPolicyAnalysis.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

782

"options": { # Contains request options. # Optional. The request options.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

783

"analyzeServiceAccountImpersonation": True or False, # Optional. If true, the response will include access analysis from identities to

784

# resources via service account impersonation. This is a very expensive

785

# operation, because many derived queries will be executed.

786

#

787

# For example, if the request analyzes for which resources user A has

788

# permission P, and there's an IAM policy states user A has

789

# iam.serviceAccounts.getAccessToken permission to a service account SA,

790

# and there's another IAM policy states service account SA has permission P

791

# to a GCP folder F, then user A potentially has access to the GCP folder

792

# F. And those advanced analysis results will be included in

793

# AnalyzeIamPolicyResponse.service_account_impersonation_analysis.

794

#

795

# Another example, if the request analyzes for who has

796

# permission P to a GCP folder F, and there's an IAM policy states user A

797

# has iam.serviceAccounts.actAs permission to a service account SA, and

798

# there's another IAM policy states service account SA has permission P to

799

# the GCP folder F, then user A potentially has access to the GCP folder

800

# F. And those advanced analysis results will be included in

801

# AnalyzeIamPolicyResponse.service_account_impersonation_analysis.

802

#

803

# Default is false.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

804

"outputGroupEdges": True or False, # Optional. If true, the result will output group identity edges, starting

805

# from the binding's group members, to any expanded identities.

806

# Default is false.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

807

"expandResources": True or False, # Optional. If true, the resource section of the result will expand any

808

# resource attached to an IAM policy to include resources lower in the

809

# resource hierarchy.

810

#

811

# For example, if the request analyzes for which resources user A has

812

# permission P, and the results include an IAM policy with P on a GCP

813

# folder, the results will also include resources in that folder with

814

# permission P.

815

#

816

# If resource_selector is specified, the resource section of the result

817

# will be determined by the selector, and this flag will have no effect.

818

# Default is false.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

819

"expandRoles": True or False, # Optional. If true, the access section of result will expand any roles

820

# appearing in IAM policy bindings to include their permissions.

821

#

822

# If access_selector is specified, the access section of the result

823

# will be determined by the selector, and this flag will have no effect.

824

#

825

# Default is false.

826

"expandGroups": True or False, # Optional. If true, the identities section of the result will expand any

827

# Google groups appearing in an IAM policy binding.

828

#

829

# If identity_selector is specified, the identity in the result will

830

# be determined by the selector, and this flag will have no effect.

831

#

832

# Default is false.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

833

"outputResourceEdges": True or False, # Optional. If true, the result will output resource edges, starting

834

# from the policy attached resource, to any expanded resources.

835

# Default is false.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

836

},

837

"analysisQuery": { # IAM policy analysis query message. # Required. The request query.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

838

"accessSelector": { # Specifies roles and/or permissions to analyze, to determine both the # Optional. Specifies roles or permissions for analysis. This is optional.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

839

# identities possessing them and the resources they control. If multiple

840

# values are specified, results will include identities and resources

841

# matching any of them.

842

"roles": [ # Optional. The roles to appear in result.

843

"A String",

844

],

845

"permissions": [ # Optional. The permissions to appear in result.

846

"A String",

847

],

848

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

849

"resourceSelector": { # Specifies the resource to analyze for access policies, which may be set # Optional. Specifies a resource for analysis. Either ResourceSelector or

850

# IdentitySelector must be specified.

851

# directly on the resource, or on ancestors such as organizations, folders or

852

# projects.

853

"fullResourceName": "A String", # Required. The [full resource

854

# name](https://cloud.google.com/asset-inventory/docs/resource-name-format)

855

# of a resource of [supported resource

856

# types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#analyzable_asset_types).

857

},

858

"parent": "A String", # Required. The relative name of the root asset. Only resources and IAM policies within

859

# the parent will be analyzed. This can only be an organization number (such

860

# as "organizations/123") or a folder number (such as "folders/123").

861

#

862

# To know how to get organization id, visit [here

863

# ](https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id).

864

#

865

# To know how to get folder id, visit [here

866

# ](https://cloud.google.com/resource-manager/docs/creating-managing-folders#viewing_or_listing_folders_and_projects).

867

"identitySelector": { # Specifies an identity for which to determine resource access, based on # Optional. Specifies an identity for analysis. Either ResourceSelector or

868

# IdentitySelector must be specified.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

869

# roles assigned either directly to them or to the groups they belong to,

870

# directly or indirectly.

871

"identity": "A String", # Required. The identity appear in the form of members in

872

# [IAM policy

873

# binding](https://cloud.google.com/iam/reference/rest/v1/Binding).

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

874

#

875

# The examples of supported forms are:

876

# "user:mike@example.com",

877

# "group:admins@example.com",

878

# "domain:google.com",

879

# "serviceAccount:my-project-id@appspot.gserviceaccount.com".

880

#

881

# Notice that wildcard characters (such as * and ?) are not supported.

882

# You must give a specific identity.

883

},

884

},

885

"outputConfig": { # Output configuration for export IAM policy analysis destination. # Required. Output configuration indicating where the results will be output to.

886

"gcsDestination": { # A Cloud Storage location. # Destination on Cloud Storage.

887

"uri": "A String", # Required. The uri of the Cloud Storage object. It's the same uri that is used by

888

# gsutil. For example: "gs://bucket_name/object_name". See [Viewing and

889

# Editing Object

890

# Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata)

891

# for more information.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

892

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

},

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

903

904

{ # This resource represents a long-running operation that is the result of a

905

# network API call.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

906

"done": True or False, # If the value is `false`, it means the operation is still in progress.

907

# If `true`, the operation is completed, and either `error` or `response` is

908

# available.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

909

"error": { # The `Status` type defines a logical error model that is suitable for # The error result of the operation in case of failure or cancellation.

910

# different programming environments, including REST APIs and RPC APIs. It is

911

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

912

# three pieces of data: error code, error message, and error details.

913

#

914

# You can find out more about this error model and how to work with it in the

915

# [API Design Guide](https://cloud.google.com/apis/design/errors).

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

916

"details": [ # A list of messages that carry the error details. There is a common set of

917

# message types for APIs to use.

918

{

919

"a_key": "", # Properties of the object. Contains field @type with type URL.

920

},

921

],

922

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

923

"message": "A String", # A developer-facing error message, which should be in English. Any

924

# user-facing error message should be localized and sent in the

925

# google.rpc.Status.details field, or localized by the client.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

926

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

927

"name": "A String", # The server-assigned name, which is only unique within the same service that

928

# originally returns it. If you use the default HTTP mapping, the

929

# `name` should be a resource name ending with `operations/{unique_id}`.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

930

"metadata": { # Service-specific metadata associated with the operation. It typically

931

# contains progress information and common metadata such as create time.

932

# Some services might not provide such metadata. Any method that returns a

933

# long-running operation should document the metadata type, if any.

934

"a_key": "", # Properties of the object. Contains field @type with type URL.

935

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

936

"response": { # The normal response of the operation in case of success. If the original

937

# method returns no data on success, such as `Delete`, the response is

938

# `google.protobuf.Empty`. If the original method is standard

939

# `Get`/`Create`/`Update`, the response should be the resource. For other

940

# methods, the response should have the type `XxxResponse`, where `Xxx`

941

# is the original method name. For example, if the original method name

942

# is `TakeSnapshot()`, the inferred response type is

943

# `TakeSnapshotResponse`.

944

"a_key": "", # Properties of the object. Contains field @type with type URL.

945

},

Bu Sun Kim