Blame - docs/dyn/cloudresourcemanager_v1.projects.html - platform/external/python/google-api-python-client

2017-01-06 09:58:29 -0800

[diff] [blame]

366

"details": [ # A list of messages that carry the error details. There will be a

367

# common set of message types for APIs to use.

Sai Cheemalapati

ea3a5e1

2016-10-12 14:05:53 -0700

[diff] [blame]

368

{

369

"a_key": "", # Properties of the object. Contains field @type with type URL.

370

},

371

],

372

},

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

373

"done": True or False, # If the value is `false`, it means the operation is still in progress.

374

# If true, the operation is completed, and either `error` or `response` is

375

# available.

376

"response": { # The normal response of the operation in case of success. If the original

377

# method returns no data on success, such as `Delete`, the response is

378

# `google.protobuf.Empty`. If the original method is standard

379

# `Get`/`Create`/`Update`, the response should be the resource. For other

380

# methods, the response should have the type `XxxResponse`, where `Xxx`

381

# is the original method name. For example, if the original method name

382

# is `TakeSnapshot()`, the inferred response type is

383

# `TakeSnapshotResponse`.

384

"a_key": "", # Properties of the object. Contains field @type with type URL.

385

},

386

"name": "A String", # The server-assigned name, which is only unique within the same service that

387

# originally returns it. If you use the default HTTP mapping, the

388

# `name` should have the format of `operations/some/unique/name`.

Sai Cheemalapati

ea3a5e1

2016-10-12 14:05:53 -0700

[diff] [blame]

}</pre>

</div>

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

393

<code class="details" id="delete">delete(projectId, x__xgafv=None)</code>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

394

<pre>Marks the Project identified by the specified

395

`project_id` (for example, `my-project-123`) for deletion.

396

This method will only affect the Project if the following criteria are met:

397

398

+ The Project does not have a billing account associated with it.

399

+ The Project has a lifecycle state of

400

ACTIVE.

401

402

This method changes the Project's lifecycle state from

403

ACTIVE

404

to DELETE_REQUESTED.

405

The deletion starts at an unspecified time,

406

at which point the Project is no longer accessible.

407

408

Until the deletion completes, you can check the lifecycle state

409

checked by retrieving the Project with GetProject,

410

and the Project remains visible to ListProjects.

411

However, you cannot update the project.

412

413

After the deletion completes, the Project is not retrievable by

414

the GetProject and

415

ListProjects methods.

416

417

The caller must have modify permissions for this Project.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

418

419

Args:

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

420

projectId: string, The Project ID (for example, `foo-bar-123`).

421

422

Required. (required)

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

423

x__xgafv: string, V1 error format.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

424

Allowed values

425

1 - v1 error format

426

2 - v2 error format

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

427

428

Returns:

429

An object of the form:

430

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

431

{ # A generic empty message that you can re-use to avoid defining duplicated

432

# empty messages in your APIs. A typical example is to use it as the request

433

# or the response type of an API method. For instance:

434

#

435

# service Foo {

436

# rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);

437

# }

438

#

439

# The JSON representation for `Empty` is empty JSON object `{}`.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

}</pre>

</div>

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

444

<code class="details" id="get">get(projectId, x__xgafv=None)</code>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

445

<pre>Retrieves the Project identified by the specified

446

`project_id` (for example, `my-project-123`).

447

448

The caller must have read permissions for this Project.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

449

450

Args:

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

451

projectId: string, The Project ID (for example, `my-project-123`).

452

453

Required. (required)

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

454

x__xgafv: string, V1 error format.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

455

Allowed values

456

1 - v1 error format

457

2 - v2 error format

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

458

459

Returns:

460

An object of the form:

461

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

462

{ # A Project is a high-level Google Cloud Platform entity. It is a

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

463

# container for ACLs, APIs, App Engine Apps, VMs, and other

464

# Google Cloud Platform resources.

465

"name": "A String", # The user-assigned display name of the Project.

466

# It must be 4 to 30 characters.

467

# Allowed characters are: lowercase and uppercase letters, numbers,

468

# hyphen, single-quote, double-quote, space, and exclamation point.

469

#

470

# Example: <code>My Project</code>

471

# Read-write.

472

"parent": { # A container to reference an id for any resource type. A `resource` in Google # An optional reference to a parent Resource.

473

#

474

# The only supported parent type is "organization". Once set, the parent

475

# cannot be modified. The `parent` can be set on creation or using the

476

# `UpdateProject` method; the end user must have the

477

# `resourcemanager.projects.create` permission on the parent.

478

#

479

# Read-write.

480

# Cloud Platform is a generic term for something you (a developer) may want to

481

# interact with through one of our API's. Some examples are an App Engine app,

482

# a Compute Engine instance, a Cloud SQL database, and so on.

483

"type": "A String", # Required field representing the resource type this id is for.

484

# At present, the valid types are: "organization"

485

"id": "A String", # Required field for the type-specific id. This should correspond to the id

486

# used in the type-specific API's.

487

},

488

"projectId": "A String", # The unique, user-assigned ID of the Project.

489

# It must be 6 to 30 lowercase letters, digits, or hyphens.

490

# It must start with a letter.

491

# Trailing hyphens are prohibited.

492

#

493

# Example: <code>tokyo-rain-123</code>

494

# Read-only after creation.

495

"labels": { # The labels associated with this Project.

496

#

497

# Label keys must be between 1 and 63 characters long and must conform

498

# to the following regular expression: \[a-z\](\[-a-z0-9\]*\[a-z0-9\])?.

499

#

500

# Label values must be between 0 and 63 characters long and must conform

501

# to the regular expression (\[a-z\](\[-a-z0-9\]*\[a-z0-9\])?)?.

502

#

503

# No more than 256 labels can be associated with a given resource.

504

#

505

# Clients should store labels in a representation such as JSON that does not

506

# depend on specific characters being disallowed.

507

#

508

# Example: <code>"environment" : "dev"</code>

# Read-write.

"a_key": "A String",

},

"projectNumber": "A String", # The number uniquely identifying the project.

513

#

514

# Example: <code>415104041262</code>

515

# Read-only.

516

"lifecycleState": "A String", # The Project lifecycle state.

517

#

518

# Read-only.

519

"createTime": "A String", # Creation time.

520

#

521

# Read-only.

522

}</pre>

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

</div>

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

526

<code class="details" id="getAncestry">getAncestry(projectId, body, x__xgafv=None)</code>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

527

<pre>Gets a list of ancestors in the resource hierarchy for the Project

528

identified by the specified `project_id` (for example, `my-project-123`).

529

530

The caller must have read permissions for this Project.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

531

532

Args:

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

533

projectId: string, The Project ID (for example, `my-project-123`).

534

535

Required. (required)

536

body: object, The request body. (required)

537

The object takes the form of:

538

539

{ # The request sent to the

# GetAncestry

# method.

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

551

552

{ # Response from the GetAncestry method.

553

"ancestor": [ # Ancestors are ordered from bottom to top of the resource hierarchy. The

554

# first ancestor is the project itself, followed by the project's parent,

555

# etc.

556

{ # Identifying information for a single ancestor of a project.

557

"resourceId": { # A container to reference an id for any resource type. A `resource` in Google # Resource id of the ancestor.

558

# Cloud Platform is a generic term for something you (a developer) may want to

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

559

# interact with through one of our API's. Some examples are an App Engine app,

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

560

# a Compute Engine instance, a Cloud SQL database, and so on.

561

"type": "A String", # Required field representing the resource type this id is for.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

562

# At present, the valid types are: "organization"

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

563

"id": "A String", # Required field for the type-specific id. This should correspond to the id

564

# used in the type-specific API's.

},

},

],

}</pre>

</div>

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

572

<code class="details" id="getEffectiveOrgPolicy">getEffectiveOrgPolicy(resource, body, x__xgafv=None)</code>

573

<pre>Gets the effective `Policy` on a resource. This is the result of merging

574

`Policies` in the resource hierarchy. The returned `Policy` will not have

575

an `etag`set because it is a computed `Policy` across multiple resources.

576

577

Args:

578

resource: string, The name of the resource to start computing the effective `Policy`. (required)

579

body: object, The request body. (required)

580

The object takes the form of:

581

582

{ # The request sent to the GetEffectiveOrgPolicy method.

583

"constraint": "A String", # The name of the `Constraint` to compute the effective `Policy`.

584

}

585

586

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

593

594

{ # Defines a Cloud Organization `Policy` which is used to specify `Constraints`

595

# for configurations of Cloud Platform resources.

596

"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the

597

# server, not specified by the caller, and represents the last time a call to

598

# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will

599

# be ignored.

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

600

"version": 42, # Version of the `Policy`. Default version is 0;

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

601

"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,

602

# `constraints/serviceuser.services`.

603

#

604

# Immutable after creation.

605

"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of

606

# `Constraint` type.

607

# `constraint_default` enforcement behavior of the specific `Constraint` at

608

# this resource.

609

#

610

# Suppose that `constraint_default` is set to `ALLOW` for the

611

# `Constraint` `constraints/serviceuser.services`. Suppose that organization

612

# foo.com sets a `Policy` at their Organization resource node that restricts

613

# the allowed service activations to deny all service activations. They

614

# could then set a `Policy` with the `policy_type` `restore_default` on

615

# several experimental projects, restoring the `constraint_default`

616

# enforcement of the `Constraint` for only those projects, allowing those

617

# projects to have all services activated.

618

},

619

"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.

620

# resource.

621

#

622

# A `ListPolicy` can define specific values that are allowed or denied by

623

# setting either the `allowed_values` or `denied_values` fields. It can also

624

# be used to allow or deny all values, by setting the `all_values` field. If

625

# `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`

626

# or `denied_values` must be set (attempting to set both or neither will

627

# result in a failed request). If `all_values` is set to either `ALLOW` or

628

# `DENY`, `allowed_values` and `denied_values` must be unset.

629

"allValues": "A String", # The policy all_values state.

630

"deniedValues": [ # List of values denied at this resource. Can only be set if no values are

631

# set for `allowed_values` and `all_values` is set to

632

# `ALL_VALUES_UNSPECIFIED`.

633

"A String",

634

],

635

"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.

636

#

637

# By default, a `ListPolicy` set at a resource supercedes any `Policy` set

638

# anywhere up the resource hierarchy. However, if `inherit_from_parent` is

639

# set to `true`, then the values from the effective `Policy` of the parent

640

# resource are inherited, meaning the values set in this `Policy` are

641

# added to the values inherited up the hierarchy.

642

#

643

# Setting `Policy` hierarchies that inherit both allowed values and denied

644

# values isn't recommended in most circumstances to keep the configuration

645

# simple and understandable. However, it is possible to set a `Policy` with

646

# `allowed_values` set that inherits a `Policy` with `denied_values` set.

647

# In this case, the values that are allowed must be in `allowed_values` and

648

# not present in `denied_values`.

649

#

650

# For example, suppose you have a `Constraint`

651

# `constraints/serviceuser.services`, which has a `constraint_type` of

652

# `list_constraint`, and with `constraint_default` set to `ALLOW`.

653

# Suppose that at the Organization level, a `Policy` is applied that

654

# restricts the allowed API activations to {`E1`, `E2`}. Then, if a

655

# `Policy` is applied to a project below the Organization that has

656

# `inherit_from_parent` set to `false` and field all_values set to DENY,

657

# then an attempt to activate any API will be denied.

658

#

659

# The following examples demonstrate different possible layerings:

660

#

661

# Example 1 (no inherited values):

662

# `organizations/foo` has a `Policy` with values:

663

# {allowed_values: “E1” allowed_values:”E2”}

664

# ``projects/bar`` has `inherit_from_parent` `false` and values:

665

# {allowed_values: "E3" allowed_values: "E4"}

666

# The accepted values at `organizations/foo` are `E1`, `E2`.

667

# The accepted values at `projects/bar` are `E3`, and `E4`.

668

#

669

# Example 2 (inherited values):

670

# `organizations/foo` has a `Policy` with values:

671

# {allowed_values: “E1” allowed_values:”E2”}

672

# `projects/bar` has a `Policy` with values:

673

# {value: “E3” value: ”E4” inherit_from_parent: true}

674

# The accepted values at `organizations/foo` are `E1`, `E2`.

675

# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.

676

#

677

# Example 3 (inheriting both allowed and denied values):

678

# `organizations/foo` has a `Policy` with values:

679

# {allowed_values: "E1" allowed_values: "E2"}

680

# `projects/bar` has a `Policy` with:

681

# {denied_values: "E1"}

682

# The accepted values at `organizations/foo` are `E1`, `E2`.

683

# The value accepted at `projects/bar` is `E2`.

684

#

685

# Example 4 (RestoreDefault):

686

# `organizations/foo` has a `Policy` with values:

687

# {allowed_values: “E1” allowed_values:”E2”}

688

# `projects/bar` has a `Policy` with values:

689

# {RestoreDefault: {}}

690

# The accepted values at `organizations/foo` are `E1`, `E2`.

691

# The accepted values at `projects/bar` are either all or none depending on

692

# the value of `constraint_default` (if `ALLOW`, all; if

693

# `DENY`, none).

694

#

695

# Example 5 (no policy inherits parent policy):

696

# `organizations/foo` has no `Policy` set.

697

# `projects/bar` has no `Policy` set.

698

# The accepted values at both levels are either all or none depending on

699

# the value of `constraint_default` (if `ALLOW`, all; if

700

# `DENY`, none).

701

#

702

# Example 6 (ListConstraint allowing all):

703

# `organizations/foo` has a `Policy` with values:

704

# {allowed_values: “E1” allowed_values: ”E2”}

705

# `projects/bar` has a `Policy` with:

706

# {all: ALLOW}

707

# The accepted values at `organizations/foo` are `E1`, E2`.

708

# Any value is accepted at `projects/bar`.

709

#

710

# Example 7 (ListConstraint allowing none):

711

# `organizations/foo` has a `Policy` with values:

712

# {allowed_values: “E1” allowed_values: ”E2”}

713

# `projects/bar` has a `Policy` with:

714

# {all: DENY}

715

# The accepted values at `organizations/foo` are `E1`, E2`.

716

# No value is accepted at `projects/bar`.

717

"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration

718

# that matches the value specified in this `Policy`. If `suggested_value`

719

# is not set, it will inherit the value specified higher in the hierarchy,

720

# unless `inherit_from_parent` is `false`.

721

"allowedValues": [ # List of values allowed at this resource. an only be set if no values are

722

# set for `denied_values` and `all_values` is set to

723

# `ALL_VALUES_UNSPECIFIED`.

"A String",

],

},

"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.

728

# resource.

729

"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any

730

# configuration is acceptable.

731

#

732

# Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`

733

# with `constraint_default` set to `ALLOW`. A `Policy` for that

734

# `Constraint` exhibits the following behavior:

735

# - If the `Policy` at this resource has enforced set to `false`, serial

736

# port connection attempts will be allowed.

737

# - If the `Policy` at this resource has enforced set to `true`, serial

738

# port connection attempts will be refused.

739

# - If the `Policy` at this resource is `RestoreDefault`, serial port

740

# connection attempts will be allowed.

741

# - If no `Policy` is set at this resource or anywhere higher in the

742

# resource hierarchy, serial port connection attempts will be allowed.

743

# - If no `Policy` is set at this resource, but one exists higher in the

744

# resource hierarchy, the behavior is as if the`Policy` were set at

745

# this resource.

746

#

747

# The following examples demonstrate the different possible layerings:

748

#

749

# Example 1 (nearest `Constraint` wins):

750

# `organizations/foo` has a `Policy` with:

751

# {enforced: false}

752

# `projects/bar` has no `Policy` set.

753

# The constraint at `projects/bar` and `organizations/foo` will not be

754

# enforced.

755

#

756

# Example 2 (enforcement gets replaced):

757

# `organizations/foo` has a `Policy` with:

758

# {enforced: false}

759

# `projects/bar` has a `Policy` with:

760

# {enforced: true}

761

# The constraint at `organizations/foo` is not enforced.

762

# The constraint at `projects/bar` is enforced.

763

#

764

# Example 3 (RestoreDefault):

765

# `organizations/foo` has a `Policy` with:

766

# {enforced: true}

767

# `projects/bar` has a `Policy` with:

768

# {RestoreDefault: {}}

769

# The constraint at `organizations/foo` is enforced.

770

# The constraint at `projects/bar` is not enforced, because

771

# `constraint_default` for the `Constraint` is `ALLOW`.

772

},

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

773

"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for

774

# concurrency control.

775

#

776

# When the `Policy` is returned from either a `GetPolicy` or a

777

# `ListOrgPolicy` request, this `etag` indicates the version of the current

778

# `Policy` to use when executing a read-modify-write loop.

779

#

780

# When the `Policy` is returned from a `GetEffectivePolicy` request, the

781

# `etag` will be unset.

782

#

783

# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value

784

# that was returned from a `GetOrgPolicy` request as part of a

785

# read-modify-write loop for concurrency control. Not setting the `etag`in a

786

# `SetOrgPolicy` request will result in an unconditional write of the

# `Policy`.

}</pre>

</div>

<code class="details" id="getEffectiveOrgPolicyV1">getEffectiveOrgPolicyV1(resource, body, x__xgafv=None)</code>

793

<pre>Gets the effective `Policy` on a resource. This is the result of merging

794

`Policies` in the resource hierarchy. The returned `Policy` will not have

795

an `etag`set because it is a computed `Policy` across multiple resources.

796

797

Args:

798

resource: string, The name of the resource to start computing the effective `Policy`. (required)

799

body: object, The request body. (required)

800

The object takes the form of:

801

802

{ # The request sent to the GetEffectiveOrgPolicy method.

803

"constraint": "A String", # The name of the `Constraint` to compute the effective `Policy`.

804

}

805

806

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

813

814

{ # Defines a Cloud Organization `Policy` which is used to specify `Constraints`

815

# for configurations of Cloud Platform resources.

816

"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the

817

# server, not specified by the caller, and represents the last time a call to

818

# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will

819

# be ignored.

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

820

"version": 42, # Version of the `Policy`. Default version is 0;

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

821

"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,

822

# `constraints/serviceuser.services`.

823

#

824

# Immutable after creation.

825

"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of

826

# `Constraint` type.

827

# `constraint_default` enforcement behavior of the specific `Constraint` at

828

# this resource.

829

#

830

# Suppose that `constraint_default` is set to `ALLOW` for the

831

# `Constraint` `constraints/serviceuser.services`. Suppose that organization

832

# foo.com sets a `Policy` at their Organization resource node that restricts

833

# the allowed service activations to deny all service activations. They

834

# could then set a `Policy` with the `policy_type` `restore_default` on

835

# several experimental projects, restoring the `constraint_default`

836

# enforcement of the `Constraint` for only those projects, allowing those

837

# projects to have all services activated.

838

},

839

"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.

840

# resource.

841

#

842

# A `ListPolicy` can define specific values that are allowed or denied by

843

# setting either the `allowed_values` or `denied_values` fields. It can also

844

# be used to allow or deny all values, by setting the `all_values` field. If

845

# `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`

846

# or `denied_values` must be set (attempting to set both or neither will

847

# result in a failed request). If `all_values` is set to either `ALLOW` or

848

# `DENY`, `allowed_values` and `denied_values` must be unset.

849

"allValues": "A String", # The policy all_values state.

850

"deniedValues": [ # List of values denied at this resource. Can only be set if no values are

851

# set for `allowed_values` and `all_values` is set to

852

# `ALL_VALUES_UNSPECIFIED`.

853

"A String",

854

],

855

"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.

856

#

857

# By default, a `ListPolicy` set at a resource supercedes any `Policy` set

858

# anywhere up the resource hierarchy. However, if `inherit_from_parent` is

859

# set to `true`, then the values from the effective `Policy` of the parent

860

# resource are inherited, meaning the values set in this `Policy` are

861

# added to the values inherited up the hierarchy.

862

#

863

# Setting `Policy` hierarchies that inherit both allowed values and denied

864

# values isn't recommended in most circumstances to keep the configuration

865

# simple and understandable. However, it is possible to set a `Policy` with

866

# `allowed_values` set that inherits a `Policy` with `denied_values` set.

867

# In this case, the values that are allowed must be in `allowed_values` and

868

# not present in `denied_values`.

869

#

870

# For example, suppose you have a `Constraint`

871

# `constraints/serviceuser.services`, which has a `constraint_type` of

872

# `list_constraint`, and with `constraint_default` set to `ALLOW`.

873

# Suppose that at the Organization level, a `Policy` is applied that

874

# restricts the allowed API activations to {`E1`, `E2`}. Then, if a

875

# `Policy` is applied to a project below the Organization that has

876

# `inherit_from_parent` set to `false` and field all_values set to DENY,

877

# then an attempt to activate any API will be denied.

878

#

879

# The following examples demonstrate different possible layerings:

880

#

881

# Example 1 (no inherited values):

882

# `organizations/foo` has a `Policy` with values:

883

# {allowed_values: “E1” allowed_values:”E2”}

884

# ``projects/bar`` has `inherit_from_parent` `false` and values:

885

# {allowed_values: "E3" allowed_values: "E4"}

886

# The accepted values at `organizations/foo` are `E1`, `E2`.

887

# The accepted values at `projects/bar` are `E3`, and `E4`.

888

#

889

# Example 2 (inherited values):

890

# `organizations/foo` has a `Policy` with values:

891

# {allowed_values: “E1” allowed_values:”E2”}

892

# `projects/bar` has a `Policy` with values:

893

# {value: “E3” value: ”E4” inherit_from_parent: true}

894

# The accepted values at `organizations/foo` are `E1`, `E2`.

895

# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.

896

#

897

# Example 3 (inheriting both allowed and denied values):

898

# `organizations/foo` has a `Policy` with values:

899

# {allowed_values: "E1" allowed_values: "E2"}

900

# `projects/bar` has a `Policy` with:

901

# {denied_values: "E1"}

902

# The accepted values at `organizations/foo` are `E1`, `E2`.

903

# The value accepted at `projects/bar` is `E2`.

904

#

905

# Example 4 (RestoreDefault):

906

# `organizations/foo` has a `Policy` with values:

907

# {allowed_values: “E1” allowed_values:”E2”}

908

# `projects/bar` has a `Policy` with values:

909

# {RestoreDefault: {}}

910

# The accepted values at `organizations/foo` are `E1`, `E2`.

911

# The accepted values at `projects/bar` are either all or none depending on

912

# the value of `constraint_default` (if `ALLOW`, all; if

913

# `DENY`, none).

914

#

915

# Example 5 (no policy inherits parent policy):

916

# `organizations/foo` has no `Policy` set.

917

# `projects/bar` has no `Policy` set.

918

# The accepted values at both levels are either all or none depending on

919

# the value of `constraint_default` (if `ALLOW`, all; if

920

# `DENY`, none).

921

#

922

# Example 6 (ListConstraint allowing all):

923

# `organizations/foo` has a `Policy` with values:

924

# {allowed_values: “E1” allowed_values: ”E2”}

925

# `projects/bar` has a `Policy` with:

926

# {all: ALLOW}

927

# The accepted values at `organizations/foo` are `E1`, E2`.

928

# Any value is accepted at `projects/bar`.

929

#

930

# Example 7 (ListConstraint allowing none):

931

# `organizations/foo` has a `Policy` with values:

932

# {allowed_values: “E1” allowed_values: ”E2”}

933

# `projects/bar` has a `Policy` with:

934

# {all: DENY}

935

# The accepted values at `organizations/foo` are `E1`, E2`.

936

# No value is accepted at `projects/bar`.

937

"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration

938

# that matches the value specified in this `Policy`. If `suggested_value`

939

# is not set, it will inherit the value specified higher in the hierarchy,

940

# unless `inherit_from_parent` is `false`.

941

"allowedValues": [ # List of values allowed at this resource. an only be set if no values are

942

# set for `denied_values` and `all_values` is set to

943

# `ALL_VALUES_UNSPECIFIED`.

"A String",

],

},

"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.

948

# resource.

949

"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any

950

# configuration is acceptable.

951

#

952

# Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`

953

# with `constraint_default` set to `ALLOW`. A `Policy` for that

954

# `Constraint` exhibits the following behavior:

955

# - If the `Policy` at this resource has enforced set to `false`, serial

956

# port connection attempts will be allowed.

957

# - If the `Policy` at this resource has enforced set to `true`, serial

958

# port connection attempts will be refused.

959

# - If the `Policy` at this resource is `RestoreDefault`, serial port

960

# connection attempts will be allowed.

961

# - If no `Policy` is set at this resource or anywhere higher in the

962

# resource hierarchy, serial port connection attempts will be allowed.

963

# - If no `Policy` is set at this resource, but one exists higher in the

964

# resource hierarchy, the behavior is as if the`Policy` were set at

965

# this resource.

966

#

967

# The following examples demonstrate the different possible layerings:

968

#

969

# Example 1 (nearest `Constraint` wins):

970

# `organizations/foo` has a `Policy` with:

971

# {enforced: false}

972

# `projects/bar` has no `Policy` set.

973

# The constraint at `projects/bar` and `organizations/foo` will not be

974

# enforced.

975

#

976

# Example 2 (enforcement gets replaced):

977

# `organizations/foo` has a `Policy` with:

978

# {enforced: false}

979

# `projects/bar` has a `Policy` with:

980

# {enforced: true}

981

# The constraint at `organizations/foo` is not enforced.

982

# The constraint at `projects/bar` is enforced.

983

#

984

# Example 3 (RestoreDefault):

985

# `organizations/foo` has a `Policy` with:

986

# {enforced: true}

987

# `projects/bar` has a `Policy` with:

988

# {RestoreDefault: {}}

989

# The constraint at `organizations/foo` is enforced.

990

# The constraint at `projects/bar` is not enforced, because

991

# `constraint_default` for the `Constraint` is `ALLOW`.

992

},

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

993

"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for

994

# concurrency control.

995

#

996

# When the `Policy` is returned from either a `GetPolicy` or a

997

# `ListOrgPolicy` request, this `etag` indicates the version of the current

998

# `Policy` to use when executing a read-modify-write loop.

999

#

1000

# When the `Policy` is returned from a `GetEffectivePolicy` request, the

1001

# `etag` will be unset.

1002

#

1003

# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value

1004

# that was returned from a `GetOrgPolicy` request as part of a

1005

# read-modify-write loop for concurrency control. Not setting the `etag`in a

1006

# `SetOrgPolicy` request will result in an unconditional write of the

# `Policy`.

}</pre>

</div>

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

1012

<code class="details" id="getIamPolicy">getIamPolicy(resource, body, x__xgafv=None)</code>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

1013

<pre>Returns the IAM access control policy for the specified Project.

1014

Permission is denied if the policy or the resource does not exist.

1015

1016

Args:

1017

resource: string, REQUIRED: The resource for which the policy is being requested.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

1018

See the operation documentation for the appropriate value for this field. (required)

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

1019

body: object, The request body. (required)

1020

The object takes the form of:

1021

1022

{ # Request message for `GetIamPolicy` method.

1023

}

1024

1025

x__xgafv: string, V1 error format.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

1026

Allowed values

1027

1 - v1 error format

1028

2 - v2 error format

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

1029

1030

Returns:

1031

An object of the form:

1032

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

1033

{ # Defines an Identity and Access Management (IAM) policy. It is used to

1034

# specify access control policies for Cloud Platform resources.

1035

#

1036

#

1037

# A `Policy` consists of a list of `bindings`. A `Binding` binds a list of

1038

# `members` to a `role`, where the members can be user accounts, Google groups,

1039

# Google domains, and service accounts. A `role` is a named list of permissions

# defined by IAM.

#

# **Example**

#

# {

# "bindings": [

# {

# "role": "roles/owner",

1048

# "members": [

1049

# "user:mike@example.com",

1050

# "group:admins@example.com",

1051

# "domain:google.com",

1052

# "serviceAccount:my-other-app@appspot.gserviceaccount.com",

# ]

# },

# {

# "role": "roles/viewer",

1057

# "members": ["user:sean@example.com"]

# }

# ]

# }

#

# For a description of IAM and its features, see the

1063

# [IAM developer's guide](https://cloud.google.com/iam).

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

1064

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

1065

{ # Specifies the audit configuration for a service.

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

1066

# The configuration determines which permission types are logged, and what

1067

# identities, if any, are exempted from logging.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

1068

# An AuditConifg must have one or more AuditLogConfigs.

1069

#

1070

# If there are AuditConfigs for both `allServices` and a specific service,

1071

# the union of the two AuditConfigs is used for that service: the log_types

1072

# specified in each AuditConfig are enabled, and the exempted_members in each

1073

# AuditConfig are exempted.

1074

# Example Policy with multiple AuditConfigs:

# {

# "audit_configs": [

# {

# "service": "allServices"

1079

# "audit_log_configs": [

1080

# {

1081

# "log_type": "DATA_READ",

1082

# "exempted_members": [

1083

# "user:foo@gmail.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

1088

# },

1089

# {

1090

# "log_type": "ADMIN_READ",

# }

# ]

# },

# {

# "service": "fooservice@googleapis.com"

1096

# "audit_log_configs": [

1097

# {

1098

# "log_type": "DATA_READ",

1099

# },

1100

# {

1101

# "log_type": "DATA_WRITE",

1102

# "exempted_members": [

1103

# "user:bar@gmail.com"

# ]

# }

# ]

# }

# ]

# }

# For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ

1111

# logging. It also exempts foo@gmail.com from DATA_READ logging, and

1112

# bar@gmail.com from DATA_WRITE logging.

1113

"auditLogConfigs": [ # The configuration for logging of each type of permission.

1114

# Next ID: 4

1115

{ # Provides the configuration for logging a type of permissions.

# Example:

#

# {

# "audit_log_configs": [

1120

# {

1121

# "log_type": "DATA_READ",

1122

# "exempted_members": [

1123

# "user:foo@gmail.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

# }

# ]

# }

#

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting

1133

# foo@gmail.com from DATA_READ logging.

1134

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of

1135

# permission.

1136

# Follows the same format of Binding.members.

1137

"A String",

1138

],

1139

"logType": "A String", # The log type that this config enables.

1140

},

1141

],

1142

"service": "A String", # Specifies a service that will be enabled for audit logging.

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

1143

# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

1144

# `allServices` is a special value that covers all services.

1145

},

1146

],

1147

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

1148

# prevent simultaneous updates of a policy from overwriting each other.

1149

# It is strongly suggested that systems make use of the `etag` in the

1150

# read-modify-write cycle to perform policy updates in order to avoid race

1151

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

1152

# systems are expected to put that etag in the request to `setIamPolicy` to

1153

# ensure that their change will be applied to the same version of the policy.

1154

#

1155

# If no `etag` is provided in the call to `setIamPolicy`, then the existing

1156

# policy is overwritten blindly.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

1157

"bindings": [ # Associates a list of `members` to a `role`.

1158

# Multiple `bindings` must not be specified for the same `role`.

1159

# `bindings` with no members will result in an error.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

1160

{ # Associates `members` with a `role`.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

1161

"role": "A String", # Role that is assigned to `members`.

1162

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

1163

# Required

1164

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

1165

# `members` can have the following values:

1166

#

1167

# * `allUsers`: A special identifier that represents anyone who is

1168

# on the internet; with or without a Google account.

1169

#

1170

# * `allAuthenticatedUsers`: A special identifier that represents anyone

1171

# who is authenticated with a Google account or a service account.

1172

#

1173

# * `user:{emailid}`: An email address that represents a specific Google

1174

# account. For example, `alice@gmail.com` or `joe@example.com`.

1175

#

1176

#

1177

# * `serviceAccount:{emailid}`: An email address that represents a service

1178

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

1179

#

1180

# * `group:{emailid}`: An email address that represents a Google group.

1181

# For example, `admins@example.com`.

1182

#

1183

# * `domain:{domain}`: A Google Apps domain name that represents all the

1184

# users of that domain. For example, `google.com` or `example.com`.

1185

#

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

"A String",

],

},

],

"version": 42, # Version of the `Policy`. The default version is 0.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

}</pre>

</div>

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

1195

<code class="details" id="getOrgPolicy">getOrgPolicy(resource, body, x__xgafv=None)</code>

1196

<pre>Gets a `Policy` on a resource.

1197

1198

If no `Policy` is set on the resource, a `Policy` is returned with default

1199

values including `POLICY_TYPE_NOT_SET` for the `policy_type oneof`. The

1200

`etag` value can be used with `SetOrgPolicy()` to create or update a

1201

`Policy` during read-modify-write.

1202

1203

Args:

1204

resource: string, Name of the resource the `Policy` is set on. (required)

1205

body: object, The request body. (required)

1206

The object takes the form of:

1207

1208

{ # The request sent to the GetOrgPolicy method.

1209

"constraint": "A String", # Name of the `Constraint` to get the `Policy`.

1210

}

1211

1212

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1219

1220

{ # Defines a Cloud Organization `Policy` which is used to specify `Constraints`

1221

# for configurations of Cloud Platform resources.

1222

"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the

1223

# server, not specified by the caller, and represents the last time a call to

1224

# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will

1225

# be ignored.

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

1226

"version": 42, # Version of the `Policy`. Default version is 0;

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

1227

"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,

1228

# `constraints/serviceuser.services`.

1229

#

1230

# Immutable after creation.

1231

"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of

1232

# `Constraint` type.

1233

# `constraint_default` enforcement behavior of the specific `Constraint` at

1234

# this resource.

1235

#

1236

# Suppose that `constraint_default` is set to `ALLOW` for the

1237

# `Constraint` `constraints/serviceuser.services`. Suppose that organization

1238

# foo.com sets a `Policy` at their Organization resource node that restricts

1239

# the allowed service activations to deny all service activations. They

1240

# could then set a `Policy` with the `policy_type` `restore_default` on

1241

# several experimental projects, restoring the `constraint_default`

1242

# enforcement of the `Constraint` for only those projects, allowing those

1243

# projects to have all services activated.

1244

},

1245

"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.

1246

# resource.

1247

#

1248

# A `ListPolicy` can define specific values that are allowed or denied by

1249

# setting either the `allowed_values` or `denied_values` fields. It can also

1250

# be used to allow or deny all values, by setting the `all_values` field. If

1251

# `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`

1252

# or `denied_values` must be set (attempting to set both or neither will

1253

# result in a failed request). If `all_values` is set to either `ALLOW` or

1254

# `DENY`, `allowed_values` and `denied_values` must be unset.

1255

"allValues": "A String", # The policy all_values state.

1256

"deniedValues": [ # List of values denied at this resource. Can only be set if no values are

1257

# set for `allowed_values` and `all_values` is set to

1258

# `ALL_VALUES_UNSPECIFIED`.

1259

"A String",

1260

],

1261

"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.

1262

#

1263

# By default, a `ListPolicy` set at a resource supercedes any `Policy` set

1264

# anywhere up the resource hierarchy. However, if `inherit_from_parent` is

1265

# set to `true`, then the values from the effective `Policy` of the parent

1266

# resource are inherited, meaning the values set in this `Policy` are

1267

# added to the values inherited up the hierarchy.

1268

#

1269

# Setting `Policy` hierarchies that inherit both allowed values and denied

1270

# values isn't recommended in most circumstances to keep the configuration

1271

# simple and understandable. However, it is possible to set a `Policy` with

1272

# `allowed_values` set that inherits a `Policy` with `denied_values` set.

1273

# In this case, the values that are allowed must be in `allowed_values` and

1274

# not present in `denied_values`.

1275

#

1276

# For example, suppose you have a `Constraint`

1277

# `constraints/serviceuser.services`, which has a `constraint_type` of

1278

# `list_constraint`, and with `constraint_default` set to `ALLOW`.

1279

# Suppose that at the Organization level, a `Policy` is applied that

1280

# restricts the allowed API activations to {`E1`, `E2`}. Then, if a

1281

# `Policy` is applied to a project below the Organization that has

1282

# `inherit_from_parent` set to `false` and field all_values set to DENY,

1283

# then an attempt to activate any API will be denied.

1284

#

1285

# The following examples demonstrate different possible layerings:

1286

#

1287

# Example 1 (no inherited values):

1288

# `organizations/foo` has a `Policy` with values:

1289

# {allowed_values: “E1” allowed_values:”E2”}

1290

# ``projects/bar`` has `inherit_from_parent` `false` and values:

1291

# {allowed_values: "E3" allowed_values: "E4"}

1292

# The accepted values at `organizations/foo` are `E1`, `E2`.

1293

# The accepted values at `projects/bar` are `E3`, and `E4`.

1294

#

1295

# Example 2 (inherited values):

1296

# `organizations/foo` has a `Policy` with values:

1297

# {allowed_values: “E1” allowed_values:”E2”}

1298

# `projects/bar` has a `Policy` with values:

1299

# {value: “E3” value: ”E4” inherit_from_parent: true}

1300

# The accepted values at `organizations/foo` are `E1`, `E2`.

1301

# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.

1302

#

1303

# Example 3 (inheriting both allowed and denied values):

1304

# `organizations/foo` has a `Policy` with values:

1305

# {allowed_values: "E1" allowed_values: "E2"}

1306

# `projects/bar` has a `Policy` with:

1307

# {denied_values: "E1"}

1308

# The accepted values at `organizations/foo` are `E1`, `E2`.

1309

# The value accepted at `projects/bar` is `E2`.

1310

#

1311

# Example 4 (RestoreDefault):

1312

# `organizations/foo` has a `Policy` with values:

1313

# {allowed_values: “E1” allowed_values:”E2”}

1314

# `projects/bar` has a `Policy` with values:

1315

# {RestoreDefault: {}}

1316

# The accepted values at `organizations/foo` are `E1`, `E2`.

1317

# The accepted values at `projects/bar` are either all or none depending on

1318

# the value of `constraint_default` (if `ALLOW`, all; if

1319

# `DENY`, none).

1320

#

1321

# Example 5 (no policy inherits parent policy):

1322

# `organizations/foo` has no `Policy` set.

1323

# `projects/bar` has no `Policy` set.

1324

# The accepted values at both levels are either all or none depending on

1325

# the value of `constraint_default` (if `ALLOW`, all; if

1326

# `DENY`, none).

1327

#

1328

# Example 6 (ListConstraint allowing all):

1329

# `organizations/foo` has a `Policy` with values:

1330

# {allowed_values: “E1” allowed_values: ”E2”}

1331

# `projects/bar` has a `Policy` with:

1332

# {all: ALLOW}

1333

# The accepted values at `organizations/foo` are `E1`, E2`.

1334

# Any value is accepted at `projects/bar`.

1335

#

1336

# Example 7 (ListConstraint allowing none):

1337

# `organizations/foo` has a `Policy` with values:

1338

# {allowed_values: “E1” allowed_values: ”E2”}

1339

# `projects/bar` has a `Policy` with:

1340

# {all: DENY}

1341

# The accepted values at `organizations/foo` are `E1`, E2`.

1342

# No value is accepted at `projects/bar`.

1343

"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration

1344

# that matches the value specified in this `Policy`. If `suggested_value`

1345

# is not set, it will inherit the value specified higher in the hierarchy,

1346

# unless `inherit_from_parent` is `false`.

1347

"allowedValues": [ # List of values allowed at this resource. an only be set if no values are

1348

# set for `denied_values` and `all_values` is set to

1349

# `ALL_VALUES_UNSPECIFIED`.

"A String",

],

},

"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.

1354

# resource.

1355

"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any

1356

# configuration is acceptable.

1357

#

1358

# Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`

1359

# with `constraint_default` set to `ALLOW`. A `Policy` for that

1360

# `Constraint` exhibits the following behavior:

1361

# - If the `Policy` at this resource has enforced set to `false`, serial

1362

# port connection attempts will be allowed.

1363

# - If the `Policy` at this resource has enforced set to `true`, serial

1364

# port connection attempts will be refused.

1365

# - If the `Policy` at this resource is `RestoreDefault`, serial port

1366

# connection attempts will be allowed.

1367

# - If no `Policy` is set at this resource or anywhere higher in the

1368

# resource hierarchy, serial port connection attempts will be allowed.

1369

# - If no `Policy` is set at this resource, but one exists higher in the

1370

# resource hierarchy, the behavior is as if the`Policy` were set at

1371

# this resource.

1372

#

1373

# The following examples demonstrate the different possible layerings:

1374

#

1375

# Example 1 (nearest `Constraint` wins):

1376

# `organizations/foo` has a `Policy` with:

1377

# {enforced: false}

1378

# `projects/bar` has no `Policy` set.

1379

# The constraint at `projects/bar` and `organizations/foo` will not be

1380

# enforced.

1381

#

1382

# Example 2 (enforcement gets replaced):

1383

# `organizations/foo` has a `Policy` with:

1384

# {enforced: false}

1385

# `projects/bar` has a `Policy` with:

1386

# {enforced: true}

1387

# The constraint at `organizations/foo` is not enforced.

1388

# The constraint at `projects/bar` is enforced.

1389

#

1390

# Example 3 (RestoreDefault):

1391

# `organizations/foo` has a `Policy` with:

1392

# {enforced: true}

1393

# `projects/bar` has a `Policy` with:

1394

# {RestoreDefault: {}}

1395

# The constraint at `organizations/foo` is enforced.

1396

# The constraint at `projects/bar` is not enforced, because

1397

# `constraint_default` for the `Constraint` is `ALLOW`.

1398

},

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

1399

"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for

1400

# concurrency control.

1401

#

1402

# When the `Policy` is returned from either a `GetPolicy` or a

1403

# `ListOrgPolicy` request, this `etag` indicates the version of the current

1404

# `Policy` to use when executing a read-modify-write loop.

1405

#

1406

# When the `Policy` is returned from a `GetEffectivePolicy` request, the

1407

# `etag` will be unset.

1408

#

1409

# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value

1410

# that was returned from a `GetOrgPolicy` request as part of a

1411

# read-modify-write loop for concurrency control. Not setting the `etag`in a

1412

# `SetOrgPolicy` request will result in an unconditional write of the

# `Policy`.

}</pre>

</div>

<code class="details" id="getOrgPolicyV1">getOrgPolicyV1(resource, body, x__xgafv=None)</code>

1419

<pre>Gets a `Policy` on a resource.

1420

1421

If no `Policy` is set on the resource, a `Policy` is returned with default

1422

values including `POLICY_TYPE_NOT_SET` for the `policy_type oneof`. The

1423

`etag` value can be used with `SetOrgPolicy()` to create or update a

1424

`Policy` during read-modify-write.

1425

1426

Args:

1427

resource: string, Name of the resource the `Policy` is set on. (required)

1428

body: object, The request body. (required)

1429

The object takes the form of:

1430

1431

{ # The request sent to the GetOrgPolicy method.

1432

"constraint": "A String", # Name of the `Constraint` to get the `Policy`.

1433

}

1434

1435

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1442

1443

{ # Defines a Cloud Organization `Policy` which is used to specify `Constraints`

1444

# for configurations of Cloud Platform resources.

1445

"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the

1446

# server, not specified by the caller, and represents the last time a call to

1447

# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will

1448

# be ignored.

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

1449

"version": 42, # Version of the `Policy`. Default version is 0;

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

1450

"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,

1451

# `constraints/serviceuser.services`.

1452

#

1453

# Immutable after creation.

1454

"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of

1455

# `Constraint` type.

1456

# `constraint_default` enforcement behavior of the specific `Constraint` at

1457

# this resource.

1458

#

1459

# Suppose that `constraint_default` is set to `ALLOW` for the

1460

# `Constraint` `constraints/serviceuser.services`. Suppose that organization

1461

# foo.com sets a `Policy` at their Organization resource node that restricts

1462

# the allowed service activations to deny all service activations. They

1463

# could then set a `Policy` with the `policy_type` `restore_default` on

1464

# several experimental projects, restoring the `constraint_default`

1465

# enforcement of the `Constraint` for only those projects, allowing those

1466

# projects to have all services activated.

1467

},

1468

"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.

1469

# resource.

1470

#

1471

# A `ListPolicy` can define specific values that are allowed or denied by

1472

# setting either the `allowed_values` or `denied_values` fields. It can also

1473

# be used to allow or deny all values, by setting the `all_values` field. If

1474

# `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`

1475

# or `denied_values` must be set (attempting to set both or neither will

1476

# result in a failed request). If `all_values` is set to either `ALLOW` or

1477

# `DENY`, `allowed_values` and `denied_values` must be unset.

1478

"allValues": "A String", # The policy all_values state.

1479

"deniedValues": [ # List of values denied at this resource. Can only be set if no values are

1480

# set for `allowed_values` and `all_values` is set to

1481

# `ALL_VALUES_UNSPECIFIED`.

1482

"A String",

1483

],

1484

"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.

1485

#

1486

# By default, a `ListPolicy` set at a resource supercedes any `Policy` set

1487

# anywhere up the resource hierarchy. However, if `inherit_from_parent` is

1488

# set to `true`, then the values from the effective `Policy` of the parent

1489

# resource are inherited, meaning the values set in this `Policy` are

1490

# added to the values inherited up the hierarchy.

1491

#

1492

# Setting `Policy` hierarchies that inherit both allowed values and denied

1493

# values isn't recommended in most circumstances to keep the configuration

1494

# simple and understandable. However, it is possible to set a `Policy` with

1495

# `allowed_values` set that inherits a `Policy` with `denied_values` set.

1496

# In this case, the values that are allowed must be in `allowed_values` and

1497

# not present in `denied_values`.

1498

#

1499

# For example, suppose you have a `Constraint`

1500

# `constraints/serviceuser.services`, which has a `constraint_type` of

1501

# `list_constraint`, and with `constraint_default` set to `ALLOW`.

1502

# Suppose that at the Organization level, a `Policy` is applied that

1503

# restricts the allowed API activations to {`E1`, `E2`}. Then, if a

1504

# `Policy` is applied to a project below the Organization that has

1505

# `inherit_from_parent` set to `false` and field all_values set to DENY,

1506

# then an attempt to activate any API will be denied.

1507

#

1508

# The following examples demonstrate different possible layerings:

1509

#

1510

# Example 1 (no inherited values):

1511

# `organizations/foo` has a `Policy` with values:

1512

# {allowed_values: “E1” allowed_values:”E2”}

1513

# ``projects/bar`` has `inherit_from_parent` `false` and values:

1514

# {allowed_values: "E3" allowed_values: "E4"}

1515

# The accepted values at `organizations/foo` are `E1`, `E2`.

1516

# The accepted values at `projects/bar` are `E3`, and `E4`.

1517

#

1518

# Example 2 (inherited values):

1519

# `organizations/foo` has a `Policy` with values:

1520

# {allowed_values: “E1” allowed_values:”E2”}

1521

# `projects/bar` has a `Policy` with values:

1522

# {value: “E3” value: ”E4” inherit_from_parent: true}

1523

# The accepted values at `organizations/foo` are `E1`, `E2`.

1524

# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.

1525

#

1526

# Example 3 (inheriting both allowed and denied values):

1527

# `organizations/foo` has a `Policy` with values:

1528

# {allowed_values: "E1" allowed_values: "E2"}

1529

# `projects/bar` has a `Policy` with:

1530

# {denied_values: "E1"}

1531

# The accepted values at `organizations/foo` are `E1`, `E2`.

1532

# The value accepted at `projects/bar` is `E2`.

1533

#

1534

# Example 4 (RestoreDefault):

1535

# `organizations/foo` has a `Policy` with values:

1536

# {allowed_values: “E1” allowed_values:”E2”}

1537

# `projects/bar` has a `Policy` with values:

1538

# {RestoreDefault: {}}

1539

# The accepted values at `organizations/foo` are `E1`, `E2`.

1540

# The accepted values at `projects/bar` are either all or none depending on

1541

# the value of `constraint_default` (if `ALLOW`, all; if

1542

# `DENY`, none).

1543

#

1544

# Example 5 (no policy inherits parent policy):

1545

# `organizations/foo` has no `Policy` set.

1546

# `projects/bar` has no `Policy` set.

1547

# The accepted values at both levels are either all or none depending on

1548

# the value of `constraint_default` (if `ALLOW`, all; if

1549

# `DENY`, none).

1550

#

1551

# Example 6 (ListConstraint allowing all):

1552

# `organizations/foo` has a `Policy` with values:

1553

# {allowed_values: “E1” allowed_values: ”E2”}

1554

# `projects/bar` has a `Policy` with:

1555

# {all: ALLOW}

1556

# The accepted values at `organizations/foo` are `E1`, E2`.

1557

# Any value is accepted at `projects/bar`.

1558

#

1559

# Example 7 (ListConstraint allowing none):

1560

# `organizations/foo` has a `Policy` with values:

1561

# {allowed_values: “E1” allowed_values: ”E2”}

1562

# `projects/bar` has a `Policy` with:

1563

# {all: DENY}

1564

# The accepted values at `organizations/foo` are `E1`, E2`.

1565

# No value is accepted at `projects/bar`.

1566

"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration

1567

# that matches the value specified in this `Policy`. If `suggested_value`

1568

# is not set, it will inherit the value specified higher in the hierarchy,

1569

# unless `inherit_from_parent` is `false`.

1570

"allowedValues": [ # List of values allowed at this resource. an only be set if no values are

1571

# set for `denied_values` and `all_values` is set to

1572

# `ALL_VALUES_UNSPECIFIED`.

"A String",

],

},

"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.

1577

# resource.

1578

"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any

1579

# configuration is acceptable.

1580

#

1581

# Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`

1582

# with `constraint_default` set to `ALLOW`. A `Policy` for that

1583

# `Constraint` exhibits the following behavior:

1584

# - If the `Policy` at this resource has enforced set to `false`, serial

1585

# port connection attempts will be allowed.

1586

# - If the `Policy` at this resource has enforced set to `true`, serial

1587

# port connection attempts will be refused.

1588

# - If the `Policy` at this resource is `RestoreDefault`, serial port

1589

# connection attempts will be allowed.

1590

# - If no `Policy` is set at this resource or anywhere higher in the

1591

# resource hierarchy, serial port connection attempts will be allowed.

1592

# - If no `Policy` is set at this resource, but one exists higher in the

1593

# resource hierarchy, the behavior is as if the`Policy` were set at

1594

# this resource.

1595

#

1596

# The following examples demonstrate the different possible layerings:

1597

#

1598

# Example 1 (nearest `Constraint` wins):

1599

# `organizations/foo` has a `Policy` with:

1600

# {enforced: false}

1601

# `projects/bar` has no `Policy` set.

1602

# The constraint at `projects/bar` and `organizations/foo` will not be

1603

# enforced.

1604

#

1605

# Example 2 (enforcement gets replaced):

1606

# `organizations/foo` has a `Policy` with:

1607

# {enforced: false}

1608

# `projects/bar` has a `Policy` with:

1609

# {enforced: true}

1610

# The constraint at `organizations/foo` is not enforced.

1611

# The constraint at `projects/bar` is enforced.

1612

#

1613

# Example 3 (RestoreDefault):

1614

# `organizations/foo` has a `Policy` with:

1615

# {enforced: true}

1616

# `projects/bar` has a `Policy` with:

1617

# {RestoreDefault: {}}

1618

# The constraint at `organizations/foo` is enforced.

1619

# The constraint at `projects/bar` is not enforced, because

1620

# `constraint_default` for the `Constraint` is `ALLOW`.

1621

},

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

1622

"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for

1623

# concurrency control.

1624

#

1625

# When the `Policy` is returned from either a `GetPolicy` or a

1626

# `ListOrgPolicy` request, this `etag` indicates the version of the current

1627

# `Policy` to use when executing a read-modify-write loop.

1628

#

1629

# When the `Policy` is returned from a `GetEffectivePolicy` request, the

1630

# `etag` will be unset.

1631

#

1632

# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value

1633

# that was returned from a `GetOrgPolicy` request as part of a

1634

# read-modify-write loop for concurrency control. Not setting the `etag`in a

1635

# `SetOrgPolicy` request will result in an unconditional write of the

# `Policy`.

}</pre>

</div>

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

1641

<code class="details" id="list">list(pageSize=None, filter=None, pageToken=None, x__xgafv=None)</code>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

1642

<pre>Lists Projects that are visible to the user and satisfy the

1643

specified filter. This method returns Projects in an unspecified order.

1644

New Projects do not necessarily appear at the end of the list.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

1645

1646

Args:

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

1647

pageSize: integer, The maximum number of Projects to return in the response.

1648

The server can return fewer Projects than requested.

1649

If unspecified, server picks an appropriate default.

1650

1651

Optional.

1652

filter: string, An expression for filtering the results of the request. Filter rules are

1653

case insensitive. The fields eligible for filtering are:

+ `name`

+ `id`

+ <code>labels.<em>key</em></code> where *key* is the name of a label

1658

1659

Some examples of using labels as filters:

|Filter|Description|

|------|-----------|

|name:*|The project has a name.|

1664

|name:Howl|The project's name is `Howl` or `howl`.|

1665

|name:HOWL|Equivalent to above.|

1666

|NAME:howl|Equivalent to above.|

1667

|labels.color:*|The project has the label `color`.|

1668

|labels.color:red|The project's label `color` has the value `red`.|

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

1669

|labels.color:red labels.size:big|The project's label `color` has the

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

1670

value `red` and its label `size` has the value `big`.

1671

1672

Optional.

1673

pageToken: string, A pagination token returned from a previous call to ListProjects

1674

that indicates from where listing should continue.

1675

1676

Optional.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

1677

x__xgafv: string, V1 error format.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

1678

Allowed values

1679

1 - v1 error format

1680

2 - v2 error format

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

1681

1682

Returns:

1683

An object of the form:

1684

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

1685

{ # A page of the response received from the

# ListProjects

# method.

#

# A paginated response where more pages are available has

1690

# `next_page_token` set. This token can be used in a subsequent request to

1691

# retrieve the next request page.

1692

"nextPageToken": "A String", # Pagination token.

1693

#

1694

# If the result set is too large to fit in a single response, this token

1695

# is returned. It encodes the position of the current result cursor.

1696

# Feeding this value into a new list request with the `page_token` parameter

1697

# gives the next page of the results.

1698

#

1699

# When `next_page_token` is not filled in, there is no next page and

1700

# the list returned is the last page in the result set.

1701

#

1702

# Pagination tokens have a limited lifetime.

1703

"projects": [ # The list of Projects that matched the list filter. This list can

1704

# be paginated.

1705

{ # A Project is a high-level Google Cloud Platform entity. It is a

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

1706

# container for ACLs, APIs, App Engine Apps, VMs, and other

1707

# Google Cloud Platform resources.

1708

"name": "A String", # The user-assigned display name of the Project.

1709

# It must be 4 to 30 characters.

1710

# Allowed characters are: lowercase and uppercase letters, numbers,

1711

# hyphen, single-quote, double-quote, space, and exclamation point.

1712

#

1713

# Example: <code>My Project</code>

1714

# Read-write.

1715

"parent": { # A container to reference an id for any resource type. A `resource` in Google # An optional reference to a parent Resource.

1716

#

1717

# The only supported parent type is "organization". Once set, the parent

1718

# cannot be modified. The `parent` can be set on creation or using the

1719

# `UpdateProject` method; the end user must have the

1720

# `resourcemanager.projects.create` permission on the parent.

1721

#

1722

# Read-write.

1723

# Cloud Platform is a generic term for something you (a developer) may want to

1724

# interact with through one of our API's. Some examples are an App Engine app,

1725

# a Compute Engine instance, a Cloud SQL database, and so on.

1726

"type": "A String", # Required field representing the resource type this id is for.

1727

# At present, the valid types are: "organization"

1728

"id": "A String", # Required field for the type-specific id. This should correspond to the id

1729

# used in the type-specific API's.

1730

},

1731

"projectId": "A String", # The unique, user-assigned ID of the Project.

1732

# It must be 6 to 30 lowercase letters, digits, or hyphens.

1733

# It must start with a letter.

1734

# Trailing hyphens are prohibited.

1735

#

1736

# Example: <code>tokyo-rain-123</code>

1737

# Read-only after creation.

1738

"labels": { # The labels associated with this Project.

1739

#

1740

# Label keys must be between 1 and 63 characters long and must conform

1741

# to the following regular expression: \[a-z\](\[-a-z0-9\]*\[a-z0-9\])?.

1742

#

1743

# Label values must be between 0 and 63 characters long and must conform

1744

# to the regular expression (\[a-z\](\[-a-z0-9\]*\[a-z0-9\])?)?.

1745

#

1746

# No more than 256 labels can be associated with a given resource.

1747

#

1748

# Clients should store labels in a representation such as JSON that does not

1749

# depend on specific characters being disallowed.

1750

#

1751

# Example: <code>"environment" : "dev"</code>

# Read-write.

"a_key": "A String",

},

"projectNumber": "A String", # The number uniquely identifying the project.

1756

#

1757

# Example: <code>415104041262</code>

1758

# Read-only.

1759

"lifecycleState": "A String", # The Project lifecycle state.

1760

#

1761

# Read-only.

1762

"createTime": "A String", # Creation time.

1763

#

1764

# Read-only.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

1765

},

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

],

}</pre>

</div>

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

1771

<code class="details" id="listAvailableOrgPolicyConstraints">listAvailableOrgPolicyConstraints(resource, body, x__xgafv=None)</code>

1772

<pre>Lists `Constraints` that could be applied on the specified resource.

1773

1774

Args:

1775

resource: string, Name of the resource to list `Constraints` for. (required)

1776

body: object, The request body. (required)

1777

The object takes the form of:

1778

1779

{ # The request sent to the [ListAvailableOrgPolicyConstraints]

1780

# google.cloud.OrgPolicy.v1.ListAvailableOrgPolicyConstraints] method.

1781

"pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported

1782

# and will be ignored. The server may at any point start using this field.

1783

"pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will

1784

# be ignored. The server may at any point start using this field to limit

# page size.

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1795

1796

{ # The response returned from the ListAvailableOrgPolicyConstraints method.

1797

# Returns all `Constraints` that could be set at this level of the hierarchy

1798

# (contrast with the response from `ListPolicies`, which returns all policies

1799

# which are set).

1800

"nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used.

1801

"constraints": [ # The collection of constraints that are settable on the request resource.

1802

{ # A `Constraint` describes a way in which a resource's configuration can be

1803

# restricted. For example, it controls which cloud services can be activated

1804

# across an organization, or whether a Compute Engine instance can have

1805

# serial port connections established. `Constraints` can be configured by the

1806

# organization's policy adminstrator to fit the needs of the organzation by

1807

# setting Policies for `Constraints` at different locations in the

1808

# organization's resource hierarchy. Policies are inherited down the resource

1809

# hierarchy from higher levels, but can also be overridden. For details about

1810

# the inheritance rules please read about

1811

# Policies.

1812

#

1813

# `Constraints` have a default behavior determined by the `constraint_default`

1814

# field, which is the enforcement behavior that is used in the absence of a

1815

# `Policy` being defined or inherited for the resource in question.

1816

"constraintDefault": "A String", # The evaluation behavior of this constraint in the absense of 'Policy'.

1817

"displayName": "A String", # The human readable name.

1818

#

1819

# Mutable.

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

1820

"description": "A String", # Detailed description of what this `Constraint` controls as well as how and

1821

# where it is enforced.

1822

#

1823

# Mutable.

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

1824

"booleanConstraint": { # A `Constraint` that is either enforced or not. # Defines this constraint as being a BooleanConstraint.

1825

#

1826

# For example a constraint `constraints/compute.disableSerialPortAccess`.

1827

# If it is enforced on a VM instance, serial port connections will not be

1828

# opened to that instance.

1829

},

1830

"version": 42, # Version of the `Constraint`. Default version is 0;

1831

"listConstraint": { # A `Constraint` that allows or disallows a list of string values, which are # Defines this constraint as being a ListConstraint.

1832

# configured by an Organization's policy administrator with a `Policy`.

1833

"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration

1834

# that matches the value specified in this `Constraint`.

1835

},

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

1836

"name": "A String", # Immutable value, required to globally be unique. For example,

1837

# `constraints/serviceuser.services`

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

},

],

}</pre>

</div>

<code class="details" id="listAvailableOrgPolicyConstraints_next">listAvailableOrgPolicyConstraints_next(previous_request, previous_response)</code>

1845

<pre>Retrieves the next page of results.

1846

1847

Args:

1848

previous_request: The request for the previous page. (required)

1849

previous_response: The response from the request for the previous page. (required)

1850

1851

Returns:

1852

A request object that you can call 'execute()' on to request the next

1853

page. Returns None if there are no more items in the collection.

</pre>

</div>

<code class="details" id="listOrgPolicies">listOrgPolicies(resource, body, x__xgafv=None)</code>

1859

<pre>Lists all the `Policies` set for a particular resource.

1860

1861

Args:

1862

resource: string, Name of the resource to list Policies for. (required)

1863

body: object, The request body. (required)

1864

The object takes the form of:

1865

1866

{ # The request sent to the ListOrgPolicies method.

1867

"pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported

1868

# and will be ignored. The server may at any point start using this field.

1869

"pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will

1870

# be ignored. The server may at any point start using this field to limit

# page size.

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1881

1882

{ # The response returned from the ListOrgPolicies method. It will be empty

1883

# if no `Policies` are set on the resource.

1884

"nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used, but

1885

# the server may at any point start supplying a valid token.

1886

"policies": [ # The `Policies` that are set on the resource. It will be empty if no

1887

# `Policies` are set.

1888

{ # Defines a Cloud Organization `Policy` which is used to specify `Constraints`

1889

# for configurations of Cloud Platform resources.

1890

"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the

1891

# server, not specified by the caller, and represents the last time a call to

1892

# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will

1893

# be ignored.

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

1894

"version": 42, # Version of the `Policy`. Default version is 0;

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

1895

"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,

1896

# `constraints/serviceuser.services`.

1897

#

1898

# Immutable after creation.

1899

"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of

1900

# `Constraint` type.

1901

# `constraint_default` enforcement behavior of the specific `Constraint` at

1902

# this resource.

1903

#

1904

# Suppose that `constraint_default` is set to `ALLOW` for the

1905

# `Constraint` `constraints/serviceuser.services`. Suppose that organization

1906

# foo.com sets a `Policy` at their Organization resource node that restricts

1907

# the allowed service activations to deny all service activations. They

1908

# could then set a `Policy` with the `policy_type` `restore_default` on

1909

# several experimental projects, restoring the `constraint_default`

1910

# enforcement of the `Constraint` for only those projects, allowing those

1911

# projects to have all services activated.

1912

},

1913

"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.

1914

# resource.

1915

#

1916

# A `ListPolicy` can define specific values that are allowed or denied by

1917

# setting either the `allowed_values` or `denied_values` fields. It can also

1918

# be used to allow or deny all values, by setting the `all_values` field. If

1919

# `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`

1920

# or `denied_values` must be set (attempting to set both or neither will

1921

# result in a failed request). If `all_values` is set to either `ALLOW` or

1922

# `DENY`, `allowed_values` and `denied_values` must be unset.

1923

"allValues": "A String", # The policy all_values state.

1924

"deniedValues": [ # List of values denied at this resource. Can only be set if no values are

1925

# set for `allowed_values` and `all_values` is set to

1926

# `ALL_VALUES_UNSPECIFIED`.

1927

"A String",

1928

],

1929

"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.

1930

#

1931

# By default, a `ListPolicy` set at a resource supercedes any `Policy` set

1932

# anywhere up the resource hierarchy. However, if `inherit_from_parent` is

1933

# set to `true`, then the values from the effective `Policy` of the parent

1934

# resource are inherited, meaning the values set in this `Policy` are

1935

# added to the values inherited up the hierarchy.

1936

#

1937

# Setting `Policy` hierarchies that inherit both allowed values and denied

1938

# values isn't recommended in most circumstances to keep the configuration

1939

# simple and understandable. However, it is possible to set a `Policy` with

1940

# `allowed_values` set that inherits a `Policy` with `denied_values` set.

1941

# In this case, the values that are allowed must be in `allowed_values` and

1942

# not present in `denied_values`.

1943

#

1944

# For example, suppose you have a `Constraint`

1945

# `constraints/serviceuser.services`, which has a `constraint_type` of

1946

# `list_constraint`, and with `constraint_default` set to `ALLOW`.

1947

# Suppose that at the Organization level, a `Policy` is applied that

1948

# restricts the allowed API activations to {`E1`, `E2`}. Then, if a

1949

# `Policy` is applied to a project below the Organization that has

1950

# `inherit_from_parent` set to `false` and field all_values set to DENY,

1951

# then an attempt to activate any API will be denied.

1952

#

1953

# The following examples demonstrate different possible layerings:

1954

#

1955

# Example 1 (no inherited values):

1956

# `organizations/foo` has a `Policy` with values:

1957

# {allowed_values: “E1” allowed_values:”E2”}

1958

# ``projects/bar`` has `inherit_from_parent` `false` and values:

1959

# {allowed_values: "E3" allowed_values: "E4"}

1960

# The accepted values at `organizations/foo` are `E1`, `E2`.

1961

# The accepted values at `projects/bar` are `E3`, and `E4`.

1962

#

1963

# Example 2 (inherited values):

1964

# `organizations/foo` has a `Policy` with values:

1965

# {allowed_values: “E1” allowed_values:”E2”}

1966

# `projects/bar` has a `Policy` with values:

1967

# {value: “E3” value: ”E4” inherit_from_parent: true}

1968

# The accepted values at `organizations/foo` are `E1`, `E2`.

1969

# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.

1970

#

1971

# Example 3 (inheriting both allowed and denied values):

1972

# `organizations/foo` has a `Policy` with values:

1973

# {allowed_values: "E1" allowed_values: "E2"}

1974

# `projects/bar` has a `Policy` with:

1975

# {denied_values: "E1"}

1976

# The accepted values at `organizations/foo` are `E1`, `E2`.

1977

# The value accepted at `projects/bar` is `E2`.

1978

#

1979

# Example 4 (RestoreDefault):

1980

# `organizations/foo` has a `Policy` with values:

1981

# {allowed_values: “E1” allowed_values:”E2”}

1982

# `projects/bar` has a `Policy` with values:

1983

# {RestoreDefault: {}}

1984

# The accepted values at `organizations/foo` are `E1`, `E2`.

1985

# The accepted values at `projects/bar` are either all or none depending on

1986

# the value of `constraint_default` (if `ALLOW`, all; if

1987

# `DENY`, none).

1988

#

1989

# Example 5 (no policy inherits parent policy):

1990

# `organizations/foo` has no `Policy` set.

1991

# `projects/bar` has no `Policy` set.

1992

# The accepted values at both levels are either all or none depending on

1993

# the value of `constraint_default` (if `ALLOW`, all; if

1994

# `DENY`, none).

1995

#

1996

# Example 6 (ListConstraint allowing all):

1997

# `organizations/foo` has a `Policy` with values:

1998

# {allowed_values: “E1” allowed_values: ”E2”}

1999

# `projects/bar` has a `Policy` with:

2000

# {all: ALLOW}

2001

# The accepted values at `organizations/foo` are `E1`, E2`.

2002

# Any value is accepted at `projects/bar`.

2003

#

2004

# Example 7 (ListConstraint allowing none):

2005

# `organizations/foo` has a `Policy` with values:

2006

# {allowed_values: “E1” allowed_values: ”E2”}

2007

# `projects/bar` has a `Policy` with:

2008

# {all: DENY}

2009

# The accepted values at `organizations/foo` are `E1`, E2`.

2010

# No value is accepted at `projects/bar`.

2011

"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration

2012

# that matches the value specified in this `Policy`. If `suggested_value`

2013

# is not set, it will inherit the value specified higher in the hierarchy,

2014

# unless `inherit_from_parent` is `false`.

2015

"allowedValues": [ # List of values allowed at this resource. an only be set if no values are

2016

# set for `denied_values` and `all_values` is set to

2017

# `ALL_VALUES_UNSPECIFIED`.

"A String",

],

},

"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.

2022

# resource.

2023

"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any

2024

# configuration is acceptable.

2025

#

2026

# Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`

2027

# with `constraint_default` set to `ALLOW`. A `Policy` for that

2028

# `Constraint` exhibits the following behavior:

2029

# - If the `Policy` at this resource has enforced set to `false`, serial

2030

# port connection attempts will be allowed.

2031

# - If the `Policy` at this resource has enforced set to `true`, serial

2032

# port connection attempts will be refused.

2033

# - If the `Policy` at this resource is `RestoreDefault`, serial port

2034

# connection attempts will be allowed.

2035

# - If no `Policy` is set at this resource or anywhere higher in the

2036

# resource hierarchy, serial port connection attempts will be allowed.

2037

# - If no `Policy` is set at this resource, but one exists higher in the

2038

# resource hierarchy, the behavior is as if the`Policy` were set at

2039

# this resource.

2040

#

2041

# The following examples demonstrate the different possible layerings:

2042

#

2043

# Example 1 (nearest `Constraint` wins):

2044

# `organizations/foo` has a `Policy` with:

2045

# {enforced: false}

2046

# `projects/bar` has no `Policy` set.

2047

# The constraint at `projects/bar` and `organizations/foo` will not be

2048

# enforced.

2049

#

2050

# Example 2 (enforcement gets replaced):

2051

# `organizations/foo` has a `Policy` with:

2052

# {enforced: false}

2053

# `projects/bar` has a `Policy` with:

2054

# {enforced: true}

2055

# The constraint at `organizations/foo` is not enforced.

2056

# The constraint at `projects/bar` is enforced.

2057

#

2058

# Example 3 (RestoreDefault):

2059

# `organizations/foo` has a `Policy` with:

2060

# {enforced: true}

2061

# `projects/bar` has a `Policy` with:

2062

# {RestoreDefault: {}}

2063

# The constraint at `organizations/foo` is enforced.

2064

# The constraint at `projects/bar` is not enforced, because

2065

# `constraint_default` for the `Constraint` is `ALLOW`.

2066

},

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

2067

"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for

2068

# concurrency control.

2069

#

2070

# When the `Policy` is returned from either a `GetPolicy` or a

2071

# `ListOrgPolicy` request, this `etag` indicates the version of the current

2072

# `Policy` to use when executing a read-modify-write loop.

2073

#

2074

# When the `Policy` is returned from a `GetEffectivePolicy` request, the

2075

# `etag` will be unset.

2076

#

2077

# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value

2078

# that was returned from a `GetOrgPolicy` request as part of a

2079

# read-modify-write loop for concurrency control. Not setting the `etag`in a

2080

# `SetOrgPolicy` request will result in an unconditional write of the

# `Policy`.

},

],

}</pre>

</div>

<code class="details" id="listOrgPolicies_next">listOrgPolicies_next(previous_request, previous_response)</code>

2089

<pre>Retrieves the next page of results.

2090

2091

Args:

2092

previous_request: The request for the previous page. (required)

2093

previous_response: The response from the request for the previous page. (required)

2094

2095

Returns:

2096

A request object that you can call 'execute()' on to request the next

2097

page. Returns None if there are no more items in the collection.

</pre>

</div>

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

2102

<code class="details" id="list_next">list_next(previous_request, previous_response)</code>

2103

<pre>Retrieves the next page of results.

2104

2105

Args:

2106

previous_request: The request for the previous page. (required)

2107

previous_response: The response from the request for the previous page. (required)

2108

2109

Returns:

2110

A request object that you can call 'execute()' on to request the next

2111

page. Returns None if there are no more items in the collection.

</pre>

</div>

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

2116

<code class="details" id="setIamPolicy">setIamPolicy(resource, body, x__xgafv=None)</code>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

2117

<pre>Sets the IAM access control policy for the specified Project. Replaces

2118

any existing policy.

2119

2120

The following constraints apply when using `setIamPolicy()`:

2121

2122

+ Project does not support `allUsers` and `allAuthenticatedUsers` as

2123

`members` in a `Binding` of a `Policy`.

2124

2125

+ The owner role can be granted only to `user` and `serviceAccount`.

2126

2127

+ Service accounts can be made owners of a project directly

2128

without any restrictions. However, to be added as an owner, a user must be

2129

invited via Cloud Platform console and must accept the invitation.

2130

2131

+ A user cannot be granted the owner role using `setIamPolicy()`. The user

2132

must be granted the owner role using the Cloud Platform Console and must

2133

explicitly accept the invitation.

2134

2135

+ Invitations to grant the owner role cannot be sent using

2136

`setIamPolicy()`;

2137

they must be sent only using the Cloud Platform Console.

2138

2139

+ Membership changes that leave the project without any owners that have

2140

accepted the Terms of Service (ToS) will be rejected.

2141

2142

+ There must be at least one owner who has accepted the Terms of

2143

Service (ToS) agreement in the policy. Calling `setIamPolicy()` to

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

2144

remove the last ToS-accepted owner from the policy will fail. This

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

2145

restriction also applies to legacy projects that no longer have owners

2146

who have accepted the ToS. Edits to IAM policies will be rejected until

2147

the lack of a ToS-accepting owner is rectified.

2148

2149

+ Calling this method requires enabling the App Engine Admin API.

2150

2151

Note: Removing service accounts from policies or changing their roles

2152

can render services completely inoperable. It is important to understand

2153

how the service account is being used before removing or updating its

2154

roles.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

2155

2156

Args:

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

2157

resource: string, REQUIRED: The resource for which the policy is being specified.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

2158

See the operation documentation for the appropriate value for this field. (required)

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

2159

body: object, The request body. (required)

2160

The object takes the form of:

2161

2162

{ # Request message for `SetIamPolicy` method.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

2163

"policy": { # Defines an Identity and Access Management (IAM) policy. It is used to # REQUIRED: The complete policy to be applied to the `resource`. The size of

2164

# the policy is limited to a few 10s of KB. An empty policy is a

2165

# valid policy but certain Cloud Platform services (such as Projects)

2166

# might reject them.

2167

# specify access control policies for Cloud Platform resources.

2168

#

2169

#

2170

# A `Policy` consists of a list of `bindings`. A `Binding` binds a list of

2171

# `members` to a `role`, where the members can be user accounts, Google groups,

2172

# Google domains, and service accounts. A `role` is a named list of permissions

# defined by IAM.

#

# **Example**

#

# {

# "bindings": [

# {

# "role": "roles/owner",

2181

# "members": [

2182

# "user:mike@example.com",

2183

# "group:admins@example.com",

2184

# "domain:google.com",

2185

# "serviceAccount:my-other-app@appspot.gserviceaccount.com",

# ]

# },

# {

# "role": "roles/viewer",

2190

# "members": ["user:sean@example.com"]

# }

# ]

# }

#

# For a description of IAM and its features, see the

2196

# [IAM developer's guide](https://cloud.google.com/iam).

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

2197

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

2198

{ # Specifies the audit configuration for a service.

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

2199

# The configuration determines which permission types are logged, and what

2200

# identities, if any, are exempted from logging.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

2201

# An AuditConifg must have one or more AuditLogConfigs.

2202

#

2203

# If there are AuditConfigs for both `allServices` and a specific service,

2204

# the union of the two AuditConfigs is used for that service: the log_types

2205

# specified in each AuditConfig are enabled, and the exempted_members in each

2206

# AuditConfig are exempted.

2207

# Example Policy with multiple AuditConfigs:

# {

# "audit_configs": [

# {

# "service": "allServices"

2212

# "audit_log_configs": [

2213

# {

2214

# "log_type": "DATA_READ",

2215

# "exempted_members": [

2216

# "user:foo@gmail.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

2221

# },

2222

# {

2223

# "log_type": "ADMIN_READ",

# }

# ]

# },

# {

# "service": "fooservice@googleapis.com"

2229

# "audit_log_configs": [

2230

# {

2231

# "log_type": "DATA_READ",

2232

# },

2233

# {

2234

# "log_type": "DATA_WRITE",

2235

# "exempted_members": [

2236

# "user:bar@gmail.com"

# ]

# }

# ]

# }

# ]

# }

# For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ

2244

# logging. It also exempts foo@gmail.com from DATA_READ logging, and

2245

# bar@gmail.com from DATA_WRITE logging.

2246

"auditLogConfigs": [ # The configuration for logging of each type of permission.

2247

# Next ID: 4

2248

{ # Provides the configuration for logging a type of permissions.

# Example:

#

# {

# "audit_log_configs": [

2253

# {

2254

# "log_type": "DATA_READ",

2255

# "exempted_members": [

2256

# "user:foo@gmail.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

# }

# ]

# }

#

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting

2266

# foo@gmail.com from DATA_READ logging.

2267

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of

2268

# permission.

2269

# Follows the same format of Binding.members.

2270

"A String",

2271

],

2272

"logType": "A String", # The log type that this config enables.

2273

},

2274

],

2275

"service": "A String", # Specifies a service that will be enabled for audit logging.

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

2276

# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

2277

# `allServices` is a special value that covers all services.

2278

},

2279

],

2280

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

2281

# prevent simultaneous updates of a policy from overwriting each other.

2282

# It is strongly suggested that systems make use of the `etag` in the

2283

# read-modify-write cycle to perform policy updates in order to avoid race

2284

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

2285

# systems are expected to put that etag in the request to `setIamPolicy` to

2286

# ensure that their change will be applied to the same version of the policy.

2287

#

2288

# If no `etag` is provided in the call to `setIamPolicy`, then the existing

2289

# policy is overwritten blindly.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

2290

"bindings": [ # Associates a list of `members` to a `role`.

2291

# Multiple `bindings` must not be specified for the same `role`.

2292

# `bindings` with no members will result in an error.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

2293

{ # Associates `members` with a `role`.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

2294

"role": "A String", # Role that is assigned to `members`.

2295

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

2296

# Required

2297

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

2298

# `members` can have the following values:

2299

#

2300

# * `allUsers`: A special identifier that represents anyone who is

2301

# on the internet; with or without a Google account.

2302

#

2303

# * `allAuthenticatedUsers`: A special identifier that represents anyone

2304

# who is authenticated with a Google account or a service account.

2305

#

2306

# * `user:{emailid}`: An email address that represents a specific Google

2307

# account. For example, `alice@gmail.com` or `joe@example.com`.

2308

#

2309

#

2310

# * `serviceAccount:{emailid}`: An email address that represents a service

2311

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

2312

#

2313

# * `group:{emailid}`: An email address that represents a Google group.

2314

# For example, `admins@example.com`.

2315

#

2316

# * `domain:{domain}`: A Google Apps domain name that represents all the

2317

# users of that domain. For example, `google.com` or `example.com`.

2318

#

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

"A String",

],

},

],

"version": 42, # Version of the `Policy`. The default version is 0.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

2324

},

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

2325

"updateMask": "A String", # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

2326

# the fields in the mask will be modified. If no mask is provided, the

2327

# following default mask is used:

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

2328

# paths: "bindings, etag"

2329

# This field is only used by Cloud IAM.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

2330

}

2331

2332

x__xgafv: string, V1 error format.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

2333

Allowed values

2334

1 - v1 error format

2335

2 - v2 error format

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

2336

2337

Returns:

2338

An object of the form:

2339

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

2340

{ # Defines an Identity and Access Management (IAM) policy. It is used to

2341

# specify access control policies for Cloud Platform resources.

2342

#

2343

#

2344

# A `Policy` consists of a list of `bindings`. A `Binding` binds a list of

2345

# `members` to a `role`, where the members can be user accounts, Google groups,

2346

# Google domains, and service accounts. A `role` is a named list of permissions

# defined by IAM.

#

# **Example**

#

# {

# "bindings": [

# {

# "role": "roles/owner",

2355

# "members": [

2356

# "user:mike@example.com",

2357

# "group:admins@example.com",

2358

# "domain:google.com",

2359

# "serviceAccount:my-other-app@appspot.gserviceaccount.com",

# ]

# },

# {

# "role": "roles/viewer",

2364

# "members": ["user:sean@example.com"]

# }

# ]

# }

#

# For a description of IAM and its features, see the

2370

# [IAM developer's guide](https://cloud.google.com/iam).

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

2371

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

2372

{ # Specifies the audit configuration for a service.

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

2373

# The configuration determines which permission types are logged, and what

2374

# identities, if any, are exempted from logging.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

2375

# An AuditConifg must have one or more AuditLogConfigs.

2376

#

2377

# If there are AuditConfigs for both `allServices` and a specific service,

2378

# the union of the two AuditConfigs is used for that service: the log_types

2379

# specified in each AuditConfig are enabled, and the exempted_members in each

2380

# AuditConfig are exempted.

2381

# Example Policy with multiple AuditConfigs:

# {

# "audit_configs": [

# {

# "service": "allServices"

2386

# "audit_log_configs": [

2387

# {

2388

# "log_type": "DATA_READ",

2389

# "exempted_members": [

2390

# "user:foo@gmail.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

2395

# },

2396

# {

2397

# "log_type": "ADMIN_READ",

# }

# ]

# },

# {

# "service": "fooservice@googleapis.com"

2403

# "audit_log_configs": [

2404

# {

2405

# "log_type": "DATA_READ",

2406

# },

2407

# {

2408

# "log_type": "DATA_WRITE",

2409

# "exempted_members": [

2410

# "user:bar@gmail.com"

# ]

# }

# ]

# }

# ]

# }

# For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ

2418

# logging. It also exempts foo@gmail.com from DATA_READ logging, and

2419

# bar@gmail.com from DATA_WRITE logging.

2420

"auditLogConfigs": [ # The configuration for logging of each type of permission.

2421

# Next ID: 4

2422

{ # Provides the configuration for logging a type of permissions.

# Example:

#

# {

# "audit_log_configs": [

2427

# {

2428

# "log_type": "DATA_READ",

2429

# "exempted_members": [

2430

# "user:foo@gmail.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

# }

# ]

# }

#

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting

2440

# foo@gmail.com from DATA_READ logging.

2441

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of

2442

# permission.

2443

# Follows the same format of Binding.members.

2444

"A String",

2445

],

2446

"logType": "A String", # The log type that this config enables.

2447

},

2448

],

2449

"service": "A String", # Specifies a service that will be enabled for audit logging.

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

2450

# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

2451

# `allServices` is a special value that covers all services.

2452

},

2453

],

2454

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

2455

# prevent simultaneous updates of a policy from overwriting each other.

2456

# It is strongly suggested that systems make use of the `etag` in the

2457

# read-modify-write cycle to perform policy updates in order to avoid race

2458

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

2459

# systems are expected to put that etag in the request to `setIamPolicy` to

2460

# ensure that their change will be applied to the same version of the policy.

2461

#

2462

# If no `etag` is provided in the call to `setIamPolicy`, then the existing

2463

# policy is overwritten blindly.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

2464

"bindings": [ # Associates a list of `members` to a `role`.

2465

# Multiple `bindings` must not be specified for the same `role`.

2466

# `bindings` with no members will result in an error.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

2467

{ # Associates `members` with a `role`.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

2468

"role": "A String", # Role that is assigned to `members`.

2469

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

2470

# Required

2471

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

2472

# `members` can have the following values:

2473

#

2474

# * `allUsers`: A special identifier that represents anyone who is

2475

# on the internet; with or without a Google account.

2476

#

2477

# * `allAuthenticatedUsers`: A special identifier that represents anyone

2478

# who is authenticated with a Google account or a service account.

2479

#

2480

# * `user:{emailid}`: An email address that represents a specific Google

2481

# account. For example, `alice@gmail.com` or `joe@example.com`.

2482

#

2483

#

2484

# * `serviceAccount:{emailid}`: An email address that represents a service

2485

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

2486

#

2487

# * `group:{emailid}`: An email address that represents a Google group.

2488

# For example, `admins@example.com`.

2489

#

2490

# * `domain:{domain}`: A Google Apps domain name that represents all the

2491

# users of that domain. For example, `google.com` or `example.com`.

2492

#

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

"A String",

],

},

],

"version": 42, # Version of the `Policy`. The default version is 0.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

}</pre>

</div>

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

2502

<code class="details" id="setOrgPolicy">setOrgPolicy(resource, body, x__xgafv=None)</code>

2503

<pre>Updates the specified `Policy` on the resource. Creates a new `Policy` for

2504

that `Constraint` on the resource if one does not exist.

2505

2506

Not supplying an `etag` on the request `Policy` results in an unconditional

2507

write of the `Policy`.

2508

2509

Args:

2510

resource: string, Resource name of the resource to attach the `Policy`. (required)

2511

body: object, The request body. (required)

2512

The object takes the form of:

2513

2514

{ # The request sent to the SetOrgPolicyRequest method.

2515

"policy": { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` # `Policy` to set on the resource.

2516

# for configurations of Cloud Platform resources.

2517

"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the

2518

# server, not specified by the caller, and represents the last time a call to

2519

# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will

2520

# be ignored.

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

2521

"version": 42, # Version of the `Policy`. Default version is 0;

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

2522

"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,

2523

# `constraints/serviceuser.services`.

2524

#

2525

# Immutable after creation.

2526

"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of

2527

# `Constraint` type.

2528

# `constraint_default` enforcement behavior of the specific `Constraint` at

2529

# this resource.

2530

#

2531

# Suppose that `constraint_default` is set to `ALLOW` for the

2532

# `Constraint` `constraints/serviceuser.services`. Suppose that organization

2533

# foo.com sets a `Policy` at their Organization resource node that restricts

2534

# the allowed service activations to deny all service activations. They

2535

# could then set a `Policy` with the `policy_type` `restore_default` on

2536

# several experimental projects, restoring the `constraint_default`

2537

# enforcement of the `Constraint` for only those projects, allowing those

2538

# projects to have all services activated.

2539

},

2540

"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.

2541

# resource.

2542

#

2543

# A `ListPolicy` can define specific values that are allowed or denied by

2544

# setting either the `allowed_values` or `denied_values` fields. It can also

2545

# be used to allow or deny all values, by setting the `all_values` field. If

2546

# `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`

2547

# or `denied_values` must be set (attempting to set both or neither will

2548

# result in a failed request). If `all_values` is set to either `ALLOW` or

2549

# `DENY`, `allowed_values` and `denied_values` must be unset.

2550

"allValues": "A String", # The policy all_values state.

2551

"deniedValues": [ # List of values denied at this resource. Can only be set if no values are

2552

# set for `allowed_values` and `all_values` is set to

2553

# `ALL_VALUES_UNSPECIFIED`.

2554

"A String",

2555

],

2556

"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.

2557

#

2558

# By default, a `ListPolicy` set at a resource supercedes any `Policy` set

2559

# anywhere up the resource hierarchy. However, if `inherit_from_parent` is

2560

# set to `true`, then the values from the effective `Policy` of the parent

2561

# resource are inherited, meaning the values set in this `Policy` are

2562

# added to the values inherited up the hierarchy.

2563

#

2564

# Setting `Policy` hierarchies that inherit both allowed values and denied

2565

# values isn't recommended in most circumstances to keep the configuration

2566

# simple and understandable. However, it is possible to set a `Policy` with

2567

# `allowed_values` set that inherits a `Policy` with `denied_values` set.

2568

# In this case, the values that are allowed must be in `allowed_values` and

2569

# not present in `denied_values`.

2570

#

2571

# For example, suppose you have a `Constraint`

2572

# `constraints/serviceuser.services`, which has a `constraint_type` of

2573

# `list_constraint`, and with `constraint_default` set to `ALLOW`.

2574

# Suppose that at the Organization level, a `Policy` is applied that

2575

# restricts the allowed API activations to {`E1`, `E2`}. Then, if a

2576

# `Policy` is applied to a project below the Organization that has

2577

# `inherit_from_parent` set to `false` and field all_values set to DENY,

2578

# then an attempt to activate any API will be denied.

2579

#

2580

# The following examples demonstrate different possible layerings:

2581

#

2582

# Example 1 (no inherited values):

2583

# `organizations/foo` has a `Policy` with values:

2584

# {allowed_values: “E1” allowed_values:”E2”}

2585

# ``projects/bar`` has `inherit_from_parent` `false` and values:

2586

# {allowed_values: "E3" allowed_values: "E4"}

2587

# The accepted values at `organizations/foo` are `E1`, `E2`.

2588

# The accepted values at `projects/bar` are `E3`, and `E4`.

2589

#

2590

# Example 2 (inherited values):

2591

# `organizations/foo` has a `Policy` with values:

2592

# {allowed_values: “E1” allowed_values:”E2”}

2593

# `projects/bar` has a `Policy` with values:

2594

# {value: “E3” value: ”E4” inherit_from_parent: true}

2595

# The accepted values at `organizations/foo` are `E1`, `E2`.

2596

# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.

2597

#

2598

# Example 3 (inheriting both allowed and denied values):

2599

# `organizations/foo` has a `Policy` with values:

2600

# {allowed_values: "E1" allowed_values: "E2"}

2601

# `projects/bar` has a `Policy` with:

2602

# {denied_values: "E1"}

2603

# The accepted values at `organizations/foo` are `E1`, `E2`.

2604

# The value accepted at `projects/bar` is `E2`.

2605

#

2606

# Example 4 (RestoreDefault):

2607

# `organizations/foo` has a `Policy` with values:

2608

# {allowed_values: “E1” allowed_values:”E2”}

2609

# `projects/bar` has a `Policy` with values:

2610

# {RestoreDefault: {}}

2611

# The accepted values at `organizations/foo` are `E1`, `E2`.

2612

# The accepted values at `projects/bar` are either all or none depending on

2613

# the value of `constraint_default` (if `ALLOW`, all; if

2614

# `DENY`, none).

2615

#

2616

# Example 5 (no policy inherits parent policy):

2617

# `organizations/foo` has no `Policy` set.

2618

# `projects/bar` has no `Policy` set.

2619

# The accepted values at both levels are either all or none depending on

2620

# the value of `constraint_default` (if `ALLOW`, all; if

2621

# `DENY`, none).

2622

#

2623

# Example 6 (ListConstraint allowing all):

2624

# `organizations/foo` has a `Policy` with values:

2625

# {allowed_values: “E1” allowed_values: ”E2”}

2626

# `projects/bar` has a `Policy` with:

2627

# {all: ALLOW}

2628

# The accepted values at `organizations/foo` are `E1`, E2`.

2629

# Any value is accepted at `projects/bar`.

2630

#

2631

# Example 7 (ListConstraint allowing none):

2632

# `organizations/foo` has a `Policy` with values:

2633

# {allowed_values: “E1” allowed_values: ”E2”}

2634

# `projects/bar` has a `Policy` with:

2635

# {all: DENY}

2636

# The accepted values at `organizations/foo` are `E1`, E2`.

2637

# No value is accepted at `projects/bar`.

2638

"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration

2639

# that matches the value specified in this `Policy`. If `suggested_value`

2640

# is not set, it will inherit the value specified higher in the hierarchy,

2641

# unless `inherit_from_parent` is `false`.

2642

"allowedValues": [ # List of values allowed at this resource. an only be set if no values are

2643

# set for `denied_values` and `all_values` is set to

2644

# `ALL_VALUES_UNSPECIFIED`.

"A String",

],

},

"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.

2649

# resource.

2650

"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any

2651

# configuration is acceptable.

2652

#

2653

# Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`

2654

# with `constraint_default` set to `ALLOW`. A `Policy` for that

2655

# `Constraint` exhibits the following behavior:

2656

# - If the `Policy` at this resource has enforced set to `false`, serial

2657

# port connection attempts will be allowed.

2658

# - If the `Policy` at this resource has enforced set to `true`, serial

2659

# port connection attempts will be refused.

2660

# - If the `Policy` at this resource is `RestoreDefault`, serial port

2661

# connection attempts will be allowed.

2662

# - If no `Policy` is set at this resource or anywhere higher in the

2663

# resource hierarchy, serial port connection attempts will be allowed.

2664

# - If no `Policy` is set at this resource, but one exists higher in the

2665

# resource hierarchy, the behavior is as if the`Policy` were set at

2666

# this resource.

2667

#

2668

# The following examples demonstrate the different possible layerings:

2669

#

2670

# Example 1 (nearest `Constraint` wins):

2671

# `organizations/foo` has a `Policy` with:

2672

# {enforced: false}

2673

# `projects/bar` has no `Policy` set.

2674

# The constraint at `projects/bar` and `organizations/foo` will not be

2675

# enforced.

2676

#

2677

# Example 2 (enforcement gets replaced):

2678

# `organizations/foo` has a `Policy` with:

2679

# {enforced: false}

2680

# `projects/bar` has a `Policy` with:

2681

# {enforced: true}

2682

# The constraint at `organizations/foo` is not enforced.

2683

# The constraint at `projects/bar` is enforced.

2684

#

2685

# Example 3 (RestoreDefault):

2686

# `organizations/foo` has a `Policy` with:

2687

# {enforced: true}

2688

# `projects/bar` has a `Policy` with:

2689

# {RestoreDefault: {}}

2690

# The constraint at `organizations/foo` is enforced.

2691

# The constraint at `projects/bar` is not enforced, because

2692

# `constraint_default` for the `Constraint` is `ALLOW`.

2693

},

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

2694

"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for

2695

# concurrency control.

2696

#

2697

# When the `Policy` is returned from either a `GetPolicy` or a

2698

# `ListOrgPolicy` request, this `etag` indicates the version of the current

2699

# `Policy` to use when executing a read-modify-write loop.

2700

#

2701

# When the `Policy` is returned from a `GetEffectivePolicy` request, the

2702

# `etag` will be unset.

2703

#

2704

# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value

2705

# that was returned from a `GetOrgPolicy` request as part of a

2706

# read-modify-write loop for concurrency control. Not setting the `etag`in a

2707

# `SetOrgPolicy` request will result in an unconditional write of the

# `Policy`.

},

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

2719

2720

{ # Defines a Cloud Organization `Policy` which is used to specify `Constraints`

2721

# for configurations of Cloud Platform resources.

2722

"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the

2723

# server, not specified by the caller, and represents the last time a call to

2724

# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will

2725

# be ignored.

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

2726

"version": 42, # Version of the `Policy`. Default version is 0;

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

2727

"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,

2728

# `constraints/serviceuser.services`.

2729

#

2730

# Immutable after creation.

2731

"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of

2732

# `Constraint` type.

2733

# `constraint_default` enforcement behavior of the specific `Constraint` at

2734

# this resource.

2735

#

2736

# Suppose that `constraint_default` is set to `ALLOW` for the

2737

# `Constraint` `constraints/serviceuser.services`. Suppose that organization

2738

# foo.com sets a `Policy` at their Organization resource node that restricts

2739

# the allowed service activations to deny all service activations. They

2740

# could then set a `Policy` with the `policy_type` `restore_default` on

2741

# several experimental projects, restoring the `constraint_default`

2742

# enforcement of the `Constraint` for only those projects, allowing those

2743

# projects to have all services activated.

2744

},

2745

"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.

2746

# resource.

2747

#

2748

# A `ListPolicy` can define specific values that are allowed or denied by

2749

# setting either the `allowed_values` or `denied_values` fields. It can also

2750

# be used to allow or deny all values, by setting the `all_values` field. If

2751

# `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`

2752

# or `denied_values` must be set (attempting to set both or neither will

2753

# result in a failed request). If `all_values` is set to either `ALLOW` or

2754

# `DENY`, `allowed_values` and `denied_values` must be unset.

2755

"allValues": "A String", # The policy all_values state.

2756

"deniedValues": [ # List of values denied at this resource. Can only be set if no values are

2757

# set for `allowed_values` and `all_values` is set to

2758

# `ALL_VALUES_UNSPECIFIED`.

2759

"A String",

2760

],

2761

"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.

2762

#

2763

# By default, a `ListPolicy` set at a resource supercedes any `Policy` set

2764

# anywhere up the resource hierarchy. However, if `inherit_from_parent` is

2765

# set to `true`, then the values from the effective `Policy` of the parent

2766

# resource are inherited, meaning the values set in this `Policy` are

2767

# added to the values inherited up the hierarchy.

2768

#

2769

# Setting `Policy` hierarchies that inherit both allowed values and denied

2770

# values isn't recommended in most circumstances to keep the configuration

2771

# simple and understandable. However, it is possible to set a `Policy` with

2772

# `allowed_values` set that inherits a `Policy` with `denied_values` set.

2773

# In this case, the values that are allowed must be in `allowed_values` and

2774

# not present in `denied_values`.

2775

#

2776

# For example, suppose you have a `Constraint`

2777

# `constraints/serviceuser.services`, which has a `constraint_type` of

2778

# `list_constraint`, and with `constraint_default` set to `ALLOW`.

2779

# Suppose that at the Organization level, a `Policy` is applied that

2780

# restricts the allowed API activations to {`E1`, `E2`}. Then, if a

2781

# `Policy` is applied to a project below the Organization that has

2782

# `inherit_from_parent` set to `false` and field all_values set to DENY,

2783

# then an attempt to activate any API will be denied.

2784

#

2785

# The following examples demonstrate different possible layerings:

2786

#

2787

# Example 1 (no inherited values):

2788

# `organizations/foo` has a `Policy` with values:

2789

# {allowed_values: “E1” allowed_values:”E2”}

2790

# ``projects/bar`` has `inherit_from_parent` `false` and values:

2791

# {allowed_values: "E3" allowed_values: "E4"}

2792

# The accepted values at `organizations/foo` are `E1`, `E2`.

2793

# The accepted values at `projects/bar` are `E3`, and `E4`.

2794

#

2795

# Example 2 (inherited values):

2796

# `organizations/foo` has a `Policy` with values:

2797

# {allowed_values: “E1” allowed_values:”E2”}

2798

# `projects/bar` has a `Policy` with values:

2799

# {value: “E3” value: ”E4” inherit_from_parent: true}

2800

# The accepted values at `organizations/foo` are `E1`, `E2`.

2801

# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.

2802

#

2803

# Example 3 (inheriting both allowed and denied values):

2804

# `organizations/foo` has a `Policy` with values:

2805

# {allowed_values: "E1" allowed_values: "E2"}

2806

# `projects/bar` has a `Policy` with:

2807

# {denied_values: "E1"}

2808

# The accepted values at `organizations/foo` are `E1`, `E2`.

2809

# The value accepted at `projects/bar` is `E2`.

2810

#

2811

# Example 4 (RestoreDefault):

2812

# `organizations/foo` has a `Policy` with values:

2813

# {allowed_values: “E1” allowed_values:”E2”}

2814

# `projects/bar` has a `Policy` with values:

2815

# {RestoreDefault: {}}

2816

# The accepted values at `organizations/foo` are `E1`, `E2`.

2817

# The accepted values at `projects/bar` are either all or none depending on

2818

# the value of `constraint_default` (if `ALLOW`, all; if

2819

# `DENY`, none).

2820

#

2821

# Example 5 (no policy inherits parent policy):

2822

# `organizations/foo` has no `Policy` set.

2823

# `projects/bar` has no `Policy` set.

2824

# The accepted values at both levels are either all or none depending on

2825

# the value of `constraint_default` (if `ALLOW`, all; if

2826

# `DENY`, none).

2827

#

2828

# Example 6 (ListConstraint allowing all):

2829

# `organizations/foo` has a `Policy` with values:

2830

# {allowed_values: “E1” allowed_values: ”E2”}

2831

# `projects/bar` has a `Policy` with:

2832

# {all: ALLOW}

2833

# The accepted values at `organizations/foo` are `E1`, E2`.

2834

# Any value is accepted at `projects/bar`.

2835

#

2836

# Example 7 (ListConstraint allowing none):

2837

# `organizations/foo` has a `Policy` with values:

2838

# {allowed_values: “E1” allowed_values: ”E2”}

2839

# `projects/bar` has a `Policy` with:

2840

# {all: DENY}

2841

# The accepted values at `organizations/foo` are `E1`, E2`.

2842

# No value is accepted at `projects/bar`.

2843

"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration

2844

# that matches the value specified in this `Policy`. If `suggested_value`

2845

# is not set, it will inherit the value specified higher in the hierarchy,

2846

# unless `inherit_from_parent` is `false`.

2847

"allowedValues": [ # List of values allowed at this resource. an only be set if no values are

2848

# set for `denied_values` and `all_values` is set to

2849

# `ALL_VALUES_UNSPECIFIED`.

"A String",

],

},

"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.

2854

# resource.

2855

"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any

2856

# configuration is acceptable.

2857

#

2858

# Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`

2859

# with `constraint_default` set to `ALLOW`. A `Policy` for that

2860

# `Constraint` exhibits the following behavior:

2861

# - If the `Policy` at this resource has enforced set to `false`, serial

2862

# port connection attempts will be allowed.

2863

# - If the `Policy` at this resource has enforced set to `true`, serial

2864

# port connection attempts will be refused.

2865

# - If the `Policy` at this resource is `RestoreDefault`, serial port

2866

# connection attempts will be allowed.

2867

# - If no `Policy` is set at this resource or anywhere higher in the

2868

# resource hierarchy, serial port connection attempts will be allowed.

2869

# - If no `Policy` is set at this resource, but one exists higher in the

2870

# resource hierarchy, the behavior is as if the`Policy` were set at

2871

# this resource.

2872

#

2873

# The following examples demonstrate the different possible layerings:

2874

#

2875

# Example 1 (nearest `Constraint` wins):

2876

# `organizations/foo` has a `Policy` with:

2877

# {enforced: false}

2878

# `projects/bar` has no `Policy` set.

2879

# The constraint at `projects/bar` and `organizations/foo` will not be

2880

# enforced.

2881

#

2882

# Example 2 (enforcement gets replaced):

2883

# `organizations/foo` has a `Policy` with:

2884

# {enforced: false}

2885

# `projects/bar` has a `Policy` with:

2886

# {enforced: true}

2887

# The constraint at `organizations/foo` is not enforced.

2888

# The constraint at `projects/bar` is enforced.

2889

#

2890

# Example 3 (RestoreDefault):

2891

# `organizations/foo` has a `Policy` with:

2892

# {enforced: true}

2893

# `projects/bar` has a `Policy` with:

2894

# {RestoreDefault: {}}

2895

# The constraint at `organizations/foo` is enforced.

2896

# The constraint at `projects/bar` is not enforced, because

2897

# `constraint_default` for the `Constraint` is `ALLOW`.

2898

},

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

2899

"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for

2900

# concurrency control.

2901

#

2902

# When the `Policy` is returned from either a `GetPolicy` or a

2903

# `ListOrgPolicy` request, this `etag` indicates the version of the current

2904

# `Policy` to use when executing a read-modify-write loop.

2905

#

2906

# When the `Policy` is returned from a `GetEffectivePolicy` request, the

2907

# `etag` will be unset.

2908

#

2909

# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value

2910

# that was returned from a `GetOrgPolicy` request as part of a

2911

# read-modify-write loop for concurrency control. Not setting the `etag`in a

2912

# `SetOrgPolicy` request will result in an unconditional write of the

# `Policy`.

}</pre>

</div>

<code class="details" id="setOrgPolicyV1">setOrgPolicyV1(resource, body, x__xgafv=None)</code>

2919

<pre>Updates the specified `Policy` on the resource. Creates a new `Policy` for

2920

that `Constraint` on the resource if one does not exist.

2921

2922

Not supplying an `etag` on the request `Policy` results in an unconditional

2923

write of the `Policy`.

2924

2925

Args:

2926

resource: string, Resource name of the resource to attach the `Policy`. (required)

2927

body: object, The request body. (required)

2928

The object takes the form of:

2929

2930

{ # The request sent to the SetOrgPolicyRequest method.

2931

"policy": { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` # `Policy` to set on the resource.

2932

# for configurations of Cloud Platform resources.

2933

"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the

2934

# server, not specified by the caller, and represents the last time a call to

2935

# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will

2936

# be ignored.

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

2937

"version": 42, # Version of the `Policy`. Default version is 0;

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

2938

"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,

2939

# `constraints/serviceuser.services`.

2940

#

2941

# Immutable after creation.

2942

"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of

2943

# `Constraint` type.

2944

# `constraint_default` enforcement behavior of the specific `Constraint` at

2945

# this resource.

2946

#

2947

# Suppose that `constraint_default` is set to `ALLOW` for the

2948

# `Constraint` `constraints/serviceuser.services`. Suppose that organization

2949

# foo.com sets a `Policy` at their Organization resource node that restricts

2950

# the allowed service activations to deny all service activations. They

2951

# could then set a `Policy` with the `policy_type` `restore_default` on

2952

# several experimental projects, restoring the `constraint_default`

2953

# enforcement of the `Constraint` for only those projects, allowing those

2954

# projects to have all services activated.

2955

},

2956

"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.

2957

# resource.

2958

#

2959

# A `ListPolicy` can define specific values that are allowed or denied by

2960

# setting either the `allowed_values` or `denied_values` fields. It can also

2961

# be used to allow or deny all values, by setting the `all_values` field. If

2962

# `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`

2963

# or `denied_values` must be set (attempting to set both or neither will

2964

# result in a failed request). If `all_values` is set to either `ALLOW` or

2965

# `DENY`, `allowed_values` and `denied_values` must be unset.

2966

"allValues": "A String", # The policy all_values state.

2967

"deniedValues": [ # List of values denied at this resource. Can only be set if no values are

2968

# set for `allowed_values` and `all_values` is set to

2969

# `ALL_VALUES_UNSPECIFIED`.

2970

"A String",

2971

],

2972

"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.

2973

#

2974

# By default, a `ListPolicy` set at a resource supercedes any `Policy` set

2975

# anywhere up the resource hierarchy. However, if `inherit_from_parent` is

2976

# set to `true`, then the values from the effective `Policy` of the parent

2977

# resource are inherited, meaning the values set in this `Policy` are

2978

# added to the values inherited up the hierarchy.

2979

#

2980

# Setting `Policy` hierarchies that inherit both allowed values and denied

2981

# values isn't recommended in most circumstances to keep the configuration

2982

# simple and understandable. However, it is possible to set a `Policy` with

2983

# `allowed_values` set that inherits a `Policy` with `denied_values` set.

2984

# In this case, the values that are allowed must be in `allowed_values` and

2985

# not present in `denied_values`.

2986

#

2987

# For example, suppose you have a `Constraint`

2988

# `constraints/serviceuser.services`, which has a `constraint_type` of

2989

# `list_constraint`, and with `constraint_default` set to `ALLOW`.

2990

# Suppose that at the Organization level, a `Policy` is applied that

2991

# restricts the allowed API activations to {`E1`, `E2`}. Then, if a

2992

# `Policy` is applied to a project below the Organization that has

2993

# `inherit_from_parent` set to `false` and field all_values set to DENY,

2994

# then an attempt to activate any API will be denied.

2995

#

2996

# The following examples demonstrate different possible layerings:

2997

#

2998

# Example 1 (no inherited values):

2999

# `organizations/foo` has a `Policy` with values:

3000

# {allowed_values: “E1” allowed_values:”E2”}

3001

# ``projects/bar`` has `inherit_from_parent` `false` and values:

3002

# {allowed_values: "E3" allowed_values: "E4"}

3003

# The accepted values at `organizations/foo` are `E1`, `E2`.

3004

# The accepted values at `projects/bar` are `E3`, and `E4`.

3005

#

3006

# Example 2 (inherited values):

3007

# `organizations/foo` has a `Policy` with values:

3008

# {allowed_values: “E1” allowed_values:”E2”}

3009

# `projects/bar` has a `Policy` with values:

3010

# {value: “E3” value: ”E4” inherit_from_parent: true}

3011

# The accepted values at `organizations/foo` are `E1`, `E2`.

3012

# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.

3013

#

3014

# Example 3 (inheriting both allowed and denied values):

3015

# `organizations/foo` has a `Policy` with values:

3016

# {allowed_values: "E1" allowed_values: "E2"}

3017

# `projects/bar` has a `Policy` with:

3018

# {denied_values: "E1"}

3019

# The accepted values at `organizations/foo` are `E1`, `E2`.

3020

# The value accepted at `projects/bar` is `E2`.

3021

#

3022

# Example 4 (RestoreDefault):

3023

# `organizations/foo` has a `Policy` with values:

3024

# {allowed_values: “E1” allowed_values:”E2”}

3025

# `projects/bar` has a `Policy` with values:

3026

# {RestoreDefault: {}}

3027

# The accepted values at `organizations/foo` are `E1`, `E2`.

3028

# The accepted values at `projects/bar` are either all or none depending on

3029

# the value of `constraint_default` (if `ALLOW`, all; if

3030

# `DENY`, none).

3031

#

3032

# Example 5 (no policy inherits parent policy):

3033

# `organizations/foo` has no `Policy` set.

3034

# `projects/bar` has no `Policy` set.

3035

# The accepted values at both levels are either all or none depending on

3036

# the value of `constraint_default` (if `ALLOW`, all; if

3037

# `DENY`, none).

3038

#

3039

# Example 6 (ListConstraint allowing all):

3040

# `organizations/foo` has a `Policy` with values:

3041

# {allowed_values: “E1” allowed_values: ”E2”}

3042

# `projects/bar` has a `Policy` with:

3043

# {all: ALLOW}

3044

# The accepted values at `organizations/foo` are `E1`, E2`.

3045

# Any value is accepted at `projects/bar`.

3046

#

3047

# Example 7 (ListConstraint allowing none):

3048

# `organizations/foo` has a `Policy` with values:

3049

# {allowed_values: “E1” allowed_values: ”E2”}

3050

# `projects/bar` has a `Policy` with:

3051

# {all: DENY}

3052

# The accepted values at `organizations/foo` are `E1`, E2`.

3053

# No value is accepted at `projects/bar`.

3054

"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration

3055

# that matches the value specified in this `Policy`. If `suggested_value`

3056

# is not set, it will inherit the value specified higher in the hierarchy,

3057

# unless `inherit_from_parent` is `false`.

3058

"allowedValues": [ # List of values allowed at this resource. an only be set if no values are

3059

# set for `denied_values` and `all_values` is set to

3060

# `ALL_VALUES_UNSPECIFIED`.

"A String",

],

},

"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.

3065

# resource.

3066

"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any

3067

# configuration is acceptable.

3068

#

3069

# Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`

3070

# with `constraint_default` set to `ALLOW`. A `Policy` for that

3071

# `Constraint` exhibits the following behavior:

3072

# - If the `Policy` at this resource has enforced set to `false`, serial

3073

# port connection attempts will be allowed.

3074

# - If the `Policy` at this resource has enforced set to `true`, serial

3075

# port connection attempts will be refused.

3076

# - If the `Policy` at this resource is `RestoreDefault`, serial port

3077

# connection attempts will be allowed.

3078

# - If no `Policy` is set at this resource or anywhere higher in the

3079

# resource hierarchy, serial port connection attempts will be allowed.

3080

# - If no `Policy` is set at this resource, but one exists higher in the

3081

# resource hierarchy, the behavior is as if the`Policy` were set at

3082

# this resource.

3083

#

3084

# The following examples demonstrate the different possible layerings:

3085

#

3086

# Example 1 (nearest `Constraint` wins):

3087

# `organizations/foo` has a `Policy` with:

3088

# {enforced: false}

3089

# `projects/bar` has no `Policy` set.

3090

# The constraint at `projects/bar` and `organizations/foo` will not be

3091

# enforced.

3092

#

3093

# Example 2 (enforcement gets replaced):

3094

# `organizations/foo` has a `Policy` with:

3095

# {enforced: false}

3096

# `projects/bar` has a `Policy` with:

3097

# {enforced: true}

3098

# The constraint at `organizations/foo` is not enforced.

3099

# The constraint at `projects/bar` is enforced.

3100

#

3101

# Example 3 (RestoreDefault):

3102

# `organizations/foo` has a `Policy` with:

3103

# {enforced: true}

3104

# `projects/bar` has a `Policy` with:

3105

# {RestoreDefault: {}}

3106

# The constraint at `organizations/foo` is enforced.

3107

# The constraint at `projects/bar` is not enforced, because

3108

# `constraint_default` for the `Constraint` is `ALLOW`.

3109

},

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

3110

"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for

3111

# concurrency control.

3112

#

3113

# When the `Policy` is returned from either a `GetPolicy` or a

3114

# `ListOrgPolicy` request, this `etag` indicates the version of the current

3115

# `Policy` to use when executing a read-modify-write loop.

3116

#

3117

# When the `Policy` is returned from a `GetEffectivePolicy` request, the

3118

# `etag` will be unset.

3119

#

3120

# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value

3121

# that was returned from a `GetOrgPolicy` request as part of a

3122

# read-modify-write loop for concurrency control. Not setting the `etag`in a

3123

# `SetOrgPolicy` request will result in an unconditional write of the

# `Policy`.

},

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

3135

3136

{ # Defines a Cloud Organization `Policy` which is used to specify `Constraints`

3137

# for configurations of Cloud Platform resources.

3138

"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the

3139

# server, not specified by the caller, and represents the last time a call to

3140

# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will

3141

# be ignored.

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

3142

"version": 42, # Version of the `Policy`. Default version is 0;

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

3143

"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,

3144

# `constraints/serviceuser.services`.

3145

#

3146

# Immutable after creation.

3147

"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of

3148

# `Constraint` type.

3149

# `constraint_default` enforcement behavior of the specific `Constraint` at

3150

# this resource.

3151

#

3152

# Suppose that `constraint_default` is set to `ALLOW` for the

3153

# `Constraint` `constraints/serviceuser.services`. Suppose that organization

3154

# foo.com sets a `Policy` at their Organization resource node that restricts

3155

# the allowed service activations to deny all service activations. They

3156

# could then set a `Policy` with the `policy_type` `restore_default` on

3157

# several experimental projects, restoring the `constraint_default`

3158

# enforcement of the `Constraint` for only those projects, allowing those

3159

# projects to have all services activated.

3160

},

3161

"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.

3162

# resource.

3163

#

3164

# A `ListPolicy` can define specific values that are allowed or denied by

3165

# setting either the `allowed_values` or `denied_values` fields. It can also

3166

# be used to allow or deny all values, by setting the `all_values` field. If

3167

# `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`

3168

# or `denied_values` must be set (attempting to set both or neither will

3169

# result in a failed request). If `all_values` is set to either `ALLOW` or

3170

# `DENY`, `allowed_values` and `denied_values` must be unset.

3171

"allValues": "A String", # The policy all_values state.

3172

"deniedValues": [ # List of values denied at this resource. Can only be set if no values are

3173

# set for `allowed_values` and `all_values` is set to

3174

# `ALL_VALUES_UNSPECIFIED`.

3175

"A String",

3176

],

3177

"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.

3178

#

3179

# By default, a `ListPolicy` set at a resource supercedes any `Policy` set

3180

# anywhere up the resource hierarchy. However, if `inherit_from_parent` is

3181

# set to `true`, then the values from the effective `Policy` of the parent

3182

# resource are inherited, meaning the values set in this `Policy` are

3183

# added to the values inherited up the hierarchy.

3184

#

3185

# Setting `Policy` hierarchies that inherit both allowed values and denied

3186

# values isn't recommended in most circumstances to keep the configuration

3187

# simple and understandable. However, it is possible to set a `Policy` with

3188

# `allowed_values` set that inherits a `Policy` with `denied_values` set.

3189

# In this case, the values that are allowed must be in `allowed_values` and

3190

# not present in `denied_values`.

3191

#

3192

# For example, suppose you have a `Constraint`

3193

# `constraints/serviceuser.services`, which has a `constraint_type` of

3194

# `list_constraint`, and with `constraint_default` set to `ALLOW`.

3195

# Suppose that at the Organization level, a `Policy` is applied that

3196

# restricts the allowed API activations to {`E1`, `E2`}. Then, if a

3197

# `Policy` is applied to a project below the Organization that has

3198

# `inherit_from_parent` set to `false` and field all_values set to DENY,

3199

# then an attempt to activate any API will be denied.

3200

#

3201

# The following examples demonstrate different possible layerings:

3202

#

3203

# Example 1 (no inherited values):

3204

# `organizations/foo` has a `Policy` with values:

3205

# {allowed_values: “E1” allowed_values:”E2”}

3206

# ``projects/bar`` has `inherit_from_parent` `false` and values:

3207

# {allowed_values: "E3" allowed_values: "E4"}

3208

# The accepted values at `organizations/foo` are `E1`, `E2`.

3209

# The accepted values at `projects/bar` are `E3`, and `E4`.

3210

#

3211

# Example 2 (inherited values):

3212

# `organizations/foo` has a `Policy` with values:

3213

# {allowed_values: “E1” allowed_values:”E2”}

3214

# `projects/bar` has a `Policy` with values:

3215

# {value: “E3” value: ”E4” inherit_from_parent: true}

3216

# The accepted values at `organizations/foo` are `E1`, `E2`.

3217

# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.

3218

#

3219

# Example 3 (inheriting both allowed and denied values):

3220

# `organizations/foo` has a `Policy` with values:

3221

# {allowed_values: "E1" allowed_values: "E2"}

3222

# `projects/bar` has a `Policy` with:

3223

# {denied_values: "E1"}

3224

# The accepted values at `organizations/foo` are `E1`, `E2`.

3225

# The value accepted at `projects/bar` is `E2`.

3226

#

3227

# Example 4 (RestoreDefault):

3228

# `organizations/foo` has a `Policy` with values:

3229

# {allowed_values: “E1” allowed_values:”E2”}

3230

# `projects/bar` has a `Policy` with values:

3231

# {RestoreDefault: {}}

3232

# The accepted values at `organizations/foo` are `E1`, `E2`.

3233

# The accepted values at `projects/bar` are either all or none depending on

3234

# the value of `constraint_default` (if `ALLOW`, all; if

3235

# `DENY`, none).

3236

#

3237

# Example 5 (no policy inherits parent policy):

3238

# `organizations/foo` has no `Policy` set.

3239

# `projects/bar` has no `Policy` set.

3240

# The accepted values at both levels are either all or none depending on

3241

# the value of `constraint_default` (if `ALLOW`, all; if

3242

# `DENY`, none).

3243

#

3244

# Example 6 (ListConstraint allowing all):

3245

# `organizations/foo` has a `Policy` with values:

3246

# {allowed_values: “E1” allowed_values: ”E2”}

3247

# `projects/bar` has a `Policy` with:

3248

# {all: ALLOW}

3249

# The accepted values at `organizations/foo` are `E1`, E2`.

3250

# Any value is accepted at `projects/bar`.

3251

#

3252

# Example 7 (ListConstraint allowing none):

3253

# `organizations/foo` has a `Policy` with values:

3254

# {allowed_values: “E1” allowed_values: ”E2”}

3255

# `projects/bar` has a `Policy` with:

3256

# {all: DENY}

3257

# The accepted values at `organizations/foo` are `E1`, E2`.

3258

# No value is accepted at `projects/bar`.

3259

"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration

3260

# that matches the value specified in this `Policy`. If `suggested_value`

3261

# is not set, it will inherit the value specified higher in the hierarchy,

3262

# unless `inherit_from_parent` is `false`.

3263

"allowedValues": [ # List of values allowed at this resource. an only be set if no values are

3264

# set for `denied_values` and `all_values` is set to

3265

# `ALL_VALUES_UNSPECIFIED`.

"A String",

],

},

"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.

3270

# resource.

3271

"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any

3272

# configuration is acceptable.

3273

#

3274

# Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`

3275

# with `constraint_default` set to `ALLOW`. A `Policy` for that

3276

# `Constraint` exhibits the following behavior:

3277

# - If the `Policy` at this resource has enforced set to `false`, serial

3278

# port connection attempts will be allowed.

3279

# - If the `Policy` at this resource has enforced set to `true`, serial

3280

# port connection attempts will be refused.

3281

# - If the `Policy` at this resource is `RestoreDefault`, serial port

3282

# connection attempts will be allowed.

3283

# - If no `Policy` is set at this resource or anywhere higher in the

3284

# resource hierarchy, serial port connection attempts will be allowed.

3285

# - If no `Policy` is set at this resource, but one exists higher in the

3286

# resource hierarchy, the behavior is as if the`Policy` were set at

3287

# this resource.

3288

#

3289

# The following examples demonstrate the different possible layerings:

3290

#

3291

# Example 1 (nearest `Constraint` wins):

3292

# `organizations/foo` has a `Policy` with:

3293

# {enforced: false}

3294

# `projects/bar` has no `Policy` set.

3295

# The constraint at `projects/bar` and `organizations/foo` will not be

3296

# enforced.

3297

#

3298

# Example 2 (enforcement gets replaced):

3299

# `organizations/foo` has a `Policy` with:

3300

# {enforced: false}

3301

# `projects/bar` has a `Policy` with:

3302

# {enforced: true}

3303

# The constraint at `organizations/foo` is not enforced.

3304

# The constraint at `projects/bar` is enforced.

3305

#

3306

# Example 3 (RestoreDefault):

3307

# `organizations/foo` has a `Policy` with:

3308

# {enforced: true}

3309

# `projects/bar` has a `Policy` with:

3310

# {RestoreDefault: {}}

3311

# The constraint at `organizations/foo` is enforced.

3312

# The constraint at `projects/bar` is not enforced, because

3313

# `constraint_default` for the `Constraint` is `ALLOW`.

3314

},

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame]

3315

"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for

3316

# concurrency control.

3317

#

3318

# When the `Policy` is returned from either a `GetPolicy` or a

3319

# `ListOrgPolicy` request, this `etag` indicates the version of the current

3320

# `Policy` to use when executing a read-modify-write loop.

3321

#

3322

# When the `Policy` is returned from a `GetEffectivePolicy` request, the

3323

# `etag` will be unset.

3324

#

3325

# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value

3326

# that was returned from a `GetOrgPolicy` request as part of a

3327

# read-modify-write loop for concurrency control. Not setting the `etag`in a

3328

# `SetOrgPolicy` request will result in an unconditional write of the

# `Policy`.

}</pre>

</div>

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

3334

<code class="details" id="testIamPermissions">testIamPermissions(resource, body, x__xgafv=None)</code>

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

3335

<pre>Returns permissions that a caller has on the specified Project.

3336

3337

Args:

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3338

resource: string, REQUIRED: The resource for which the policy detail is being requested.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

3339

See the operation documentation for the appropriate value for this field. (required)

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

3340

body: object, The request body. (required)

3341

The object takes the form of:

3342

3343

{ # Request message for `TestIamPermissions` method.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3344

"permissions": [ # The set of permissions to check for the `resource`. Permissions with

3345

# wildcards (such as '*' or 'storage.*') are not allowed. For more

3346

# information see

3347

# [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

"A String",

],

}

x__xgafv: string, V1 error format.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3353

Allowed values

3354

1 - v1 error format

3355

2 - v2 error format

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

3356

3357

Returns:

3358

An object of the form:

3359

3360

{ # Response message for `TestIamPermissions` method.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3361

"permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is

3362

# allowed.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

"A String",

],

}</pre>

</div>

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

3369

<code class="details" id="undelete">undelete(projectId, body, x__xgafv=None)</code>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3370

<pre>Restores the Project identified by the specified

3371

`project_id` (for example, `my-project-123`).

3372

You can only use this method for a Project that has a lifecycle state of

3373

DELETE_REQUESTED.

3374

After deletion starts, the Project cannot be restored.

3375

3376

The caller must have modify permissions for this Project.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

3377

3378

Args:

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3379

projectId: string, The project ID (for example, `foo-bar-123`).

3380

3381

Required. (required)

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

3382

body: object, The request body. (required)

3383

The object takes the form of:

3384

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3385

{ # The request sent to the UndeleteProject

3386

# method.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

3387

}

3388

3389

x__xgafv: string, V1 error format.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3390

Allowed values

3391

1 - v1 error format

3392

2 - v2 error format

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

3393

3394

Returns:

3395

An object of the form:

3396

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3397

{ # A generic empty message that you can re-use to avoid defining duplicated

3398

# empty messages in your APIs. A typical example is to use it as the request

3399

# or the response type of an API method. For instance:

3400

#

3401

# service Foo {

3402

# rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);

3403

# }

3404

#

3405

# The JSON representation for `Empty` is empty JSON object `{}`.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

}</pre>

</div>

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

3410

<code class="details" id="update">update(projectId, body, x__xgafv=None)</code>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3411

<pre>Updates the attributes of the Project identified by the specified

3412

`project_id` (for example, `my-project-123`).

3413

3414

The caller must have modify permissions for this Project.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

3415

3416

Args:

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3417

projectId: string, The project ID (for example, `my-project-123`).

3418

3419

Required. (required)

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

3420

body: object, The request body. (required)

3421

The object takes the form of:

3422

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3423

{ # A Project is a high-level Google Cloud Platform entity. It is a

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

3424

# container for ACLs, APIs, App Engine Apps, VMs, and other

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3425

# Google Cloud Platform resources.

3426

"name": "A String", # The user-assigned display name of the Project.

3427

# It must be 4 to 30 characters.

3428

# Allowed characters are: lowercase and uppercase letters, numbers,

3429

# hyphen, single-quote, double-quote, space, and exclamation point.

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

3430

#

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3431

# Example: <code>My Project</code>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3432

# Read-write.

3433

"parent": { # A container to reference an id for any resource type. A `resource` in Google # An optional reference to a parent Resource.

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

3434

#

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3435

# The only supported parent type is "organization". Once set, the parent

3436

# cannot be modified. The `parent` can be set on creation or using the

3437

# `UpdateProject` method; the end user must have the

3438

# `resourcemanager.projects.create` permission on the parent.

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

3439

#

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3440

# Read-write.

3441

# Cloud Platform is a generic term for something you (a developer) may want to

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

3442

# interact with through one of our API's. Some examples are an App Engine app,

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3443

# a Compute Engine instance, a Cloud SQL database, and so on.

3444

"type": "A String", # Required field representing the resource type this id is for.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

3445

# At present, the valid types are: "organization"

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3446

"id": "A String", # Required field for the type-specific id. This should correspond to the id

3447

# used in the type-specific API's.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

3448

},

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3449

"projectId": "A String", # The unique, user-assigned ID of the Project.

3450

# It must be 6 to 30 lowercase letters, digits, or hyphens.

3451

# It must start with a letter.

3452

# Trailing hyphens are prohibited.

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

3453

#

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3454

# Example: <code>tokyo-rain-123</code>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3455

# Read-only after creation.

3456

"labels": { # The labels associated with this Project.

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

3457

#

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3458

# Label keys must be between 1 and 63 characters long and must conform

3459

# to the following regular expression: \[a-z\](\[-a-z0-9\]*\[a-z0-9\])?.

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

3460

#

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3461

# Label values must be between 0 and 63 characters long and must conform

3462

# to the regular expression (\[a-z\](\[-a-z0-9\]*\[a-z0-9\])?)?.

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

3463

#

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3464

# No more than 256 labels can be associated with a given resource.

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

3465

#

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3466

# Clients should store labels in a representation such as JSON that does not

3467

# depend on specific characters being disallowed.

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

3468

#

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3469

# Example: <code>"environment" : "dev"</code>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3470

# Read-write.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

3471

"a_key": "A String",

3472

},

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

3473

"projectNumber": "A String", # The number uniquely identifying the project.

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

3474

#

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

3475

# Example: <code>415104041262</code>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3476

# Read-only.

3477

"lifecycleState": "A String", # The Project lifecycle state.

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

3478

#

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3479

# Read-only.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

3480

"createTime": "A String", # Creation time.

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

3481

#

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3482

# Read-only.

Thomas Coffee

2017-03-27 10:39:26 -0700

[diff] [blame^]

3483

}

3484

3485

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

3492

3493

{ # A Project is a high-level Google Cloud Platform entity. It is a

3494

# container for ACLs, APIs, App Engine Apps, VMs, and other

3495

# Google Cloud Platform resources.

3496

"name": "A String", # The user-assigned display name of the Project.

3497

# It must be 4 to 30 characters.

3498

# Allowed characters are: lowercase and uppercase letters, numbers,

3499

# hyphen, single-quote, double-quote, space, and exclamation point.

3500

#

3501

# Example: <code>My Project</code>

3502

# Read-write.

3503

"parent": { # A container to reference an id for any resource type. A `resource` in Google # An optional reference to a parent Resource.

3504

#

3505

# The only supported parent type is "organization". Once set, the parent

3506

# cannot be modified. The `parent` can be set on creation or using the

3507

# `UpdateProject` method; the end user must have the

3508

# `resourcemanager.projects.create` permission on the parent.

3509

#

3510

# Read-write.

3511

# Cloud Platform is a generic term for something you (a developer) may want to

3512

# interact with through one of our API's. Some examples are an App Engine app,

3513

# a Compute Engine instance, a Cloud SQL database, and so on.

3514

"type": "A String", # Required field representing the resource type this id is for.

3515

# At present, the valid types are: "organization"

3516

"id": "A String", # Required field for the type-specific id. This should correspond to the id

3517

# used in the type-specific API's.

3518

},

3519

"projectId": "A String", # The unique, user-assigned ID of the Project.

3520

# It must be 6 to 30 lowercase letters, digits, or hyphens.

3521

# It must start with a letter.

3522

# Trailing hyphens are prohibited.

3523

#

3524

# Example: <code>tokyo-rain-123</code>

3525

# Read-only after creation.

3526

"labels": { # The labels associated with this Project.

3527

#

3528

# Label keys must be between 1 and 63 characters long and must conform

3529

# to the following regular expression: \[a-z\](\[-a-z0-9\]*\[a-z0-9\])?.

3530

#

3531

# Label values must be between 0 and 63 characters long and must conform

3532

# to the regular expression (\[a-z\](\[-a-z0-9\]*\[a-z0-9\])?)?.

3533

#

3534

# No more than 256 labels can be associated with a given resource.

3535

#

3536

# Clients should store labels in a representation such as JSON that does not

3537

# depend on specific characters being disallowed.

3538

#

3539

# Example: <code>"environment" : "dev"</code>

# Read-write.

"a_key": "A String",

},

"projectNumber": "A String", # The number uniquely identifying the project.

3544

#

3545

# Example: <code>415104041262</code>

3546

# Read-only.

3547

"lifecycleState": "A String", # The Project lifecycle state.

3548

#

3549

# Read-only.

3550

"createTime": "A String", # Creation time.

3551

#

3552

# Read-only.

3553

}</pre>

Jon Wayne Parrott