Bu Sun Kim | 715bd7f | 2019-06-14 16:50:42 -0700 | [diff] [blame] | 1 | <html><body> |
| 2 | <style> |
| 3 | |
| 4 | body, h1, h2, h3, div, span, p, pre, a { |
| 5 | margin: 0; |
| 6 | padding: 0; |
| 7 | border: 0; |
| 8 | font-weight: inherit; |
| 9 | font-style: inherit; |
| 10 | font-size: 100%; |
| 11 | font-family: inherit; |
| 12 | vertical-align: baseline; |
| 13 | } |
| 14 | |
| 15 | body { |
| 16 | font-size: 13px; |
| 17 | padding: 1em; |
| 18 | } |
| 19 | |
| 20 | h1 { |
| 21 | font-size: 26px; |
| 22 | margin-bottom: 1em; |
| 23 | } |
| 24 | |
| 25 | h2 { |
| 26 | font-size: 24px; |
| 27 | margin-bottom: 1em; |
| 28 | } |
| 29 | |
| 30 | h3 { |
| 31 | font-size: 20px; |
| 32 | margin-bottom: 1em; |
| 33 | margin-top: 1em; |
| 34 | } |
| 35 | |
| 36 | pre, code { |
| 37 | line-height: 1.5; |
| 38 | font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; |
| 39 | } |
| 40 | |
| 41 | pre { |
| 42 | margin-top: 0.5em; |
| 43 | } |
| 44 | |
| 45 | h1, h2, h3, p { |
| 46 | font-family: Arial, sans serif; |
| 47 | } |
| 48 | |
| 49 | h1, h2, h3 { |
| 50 | border-bottom: solid #CCC 1px; |
| 51 | } |
| 52 | |
| 53 | .toc_element { |
| 54 | margin-top: 0.5em; |
| 55 | } |
| 56 | |
| 57 | .firstline { |
| 58 | margin-left: 2 em; |
| 59 | } |
| 60 | |
| 61 | .method { |
| 62 | margin-top: 1em; |
| 63 | border: solid 1px #CCC; |
| 64 | padding: 1em; |
| 65 | background: #EEE; |
| 66 | } |
| 67 | |
| 68 | .details { |
| 69 | font-weight: bold; |
| 70 | font-size: 14px; |
| 71 | } |
| 72 | |
| 73 | </style> |
| 74 | |
| 75 | <h1><a href="iam_v1.html">Identity and Access Management (IAM) API</a> . <a href="iam_v1.iamPolicies.html">iamPolicies</a></h1> |
| 76 | <h2>Instance Methods</h2> |
| 77 | <p class="toc_element"> |
| 78 | <code><a href="#lintPolicy">lintPolicy(body, x__xgafv=None)</a></code></p> |
| 79 | <p class="firstline">Lints a Cloud IAM policy object or its sub fields. Currently supports</p> |
| 80 | <p class="toc_element"> |
| 81 | <code><a href="#queryAuditableServices">queryAuditableServices(body, x__xgafv=None)</a></code></p> |
| 82 | <p class="firstline">Returns a list of services that support service level audit logging</p> |
| 83 | <h3>Method Details</h3> |
| 84 | <div class="method"> |
| 85 | <code class="details" id="lintPolicy">lintPolicy(body, x__xgafv=None)</code> |
| 86 | <pre>Lints a Cloud IAM policy object or its sub fields. Currently supports |
| 87 | google.iam.v1.Policy, google.iam.v1.Binding and |
| 88 | google.iam.v1.Binding.condition. |
| 89 | |
| 90 | Each lint operation consists of multiple lint validation units. |
| 91 | Validation units have the following properties: |
| 92 | |
| 93 | - Each unit inspects the input object in regard to a particular |
| 94 | linting aspect and issues a google.iam.admin.v1.LintResult |
| 95 | disclosing the result. |
| 96 | - Domain of discourse of each unit can be either |
| 97 | google.iam.v1.Policy, google.iam.v1.Binding, or |
| 98 | google.iam.v1.Binding.condition depending on the purpose of the |
| 99 | validation. |
| 100 | - A unit may require additional data (like the list of all possible |
| 101 | enumerable values of a particular attribute used in the policy instance) |
| 102 | which shall be provided by the caller. Refer to the comments of |
| 103 | google.iam.admin.v1.LintPolicyRequest.context for more details. |
| 104 | |
| 105 | The set of applicable validation units is determined by the Cloud IAM |
| 106 | server and is not configurable. |
| 107 | |
| 108 | Regardless of any lint issues or their severities, successful calls to |
| 109 | `lintPolicy` return an HTTP 200 OK status code. |
| 110 | |
| 111 | Args: |
| 112 | body: object, The request body. (required) |
| 113 | The object takes the form of: |
| 114 | |
| 115 | { # The request to lint a Cloud IAM policy object. LintPolicy is currently |
| 116 | # functional only for `lint_object` of type `condition`. |
| 117 | "policy": { # Defines an Identity and Access Management (IAM) policy. It is used to # Policy object to be linted. The functionality of linting a policy is not |
| 118 | # yet implemented and if this field is set, it returns NOT_IMPLEMENTED |
| 119 | # error. |
| 120 | # specify access control policies for Cloud Platform resources. |
| 121 | # |
| 122 | # |
| 123 | # A `Policy` consists of a list of `bindings`. A `binding` binds a list of |
| 124 | # `members` to a `role`, where the members can be user accounts, Google groups, |
| 125 | # Google domains, and service accounts. A `role` is a named list of permissions |
| 126 | # defined by IAM. |
| 127 | # |
| 128 | # **JSON Example** |
| 129 | # |
| 130 | # { |
| 131 | # "bindings": [ |
| 132 | # { |
| 133 | # "role": "roles/owner", |
| 134 | # "members": [ |
| 135 | # "user:mike@example.com", |
| 136 | # "group:admins@example.com", |
| 137 | # "domain:google.com", |
| 138 | # "serviceAccount:my-other-app@appspot.gserviceaccount.com" |
| 139 | # ] |
| 140 | # }, |
| 141 | # { |
| 142 | # "role": "roles/viewer", |
| 143 | # "members": ["user:sean@example.com"] |
| 144 | # } |
| 145 | # ] |
| 146 | # } |
| 147 | # |
| 148 | # **YAML Example** |
| 149 | # |
| 150 | # bindings: |
| 151 | # - members: |
| 152 | # - user:mike@example.com |
| 153 | # - group:admins@example.com |
| 154 | # - domain:google.com |
| 155 | # - serviceAccount:my-other-app@appspot.gserviceaccount.com |
| 156 | # role: roles/owner |
| 157 | # - members: |
| 158 | # - user:sean@example.com |
| 159 | # role: roles/viewer |
| 160 | # |
| 161 | # |
| 162 | # For a description of IAM and its features, see the |
| 163 | # [IAM developer's guide](https://cloud.google.com/iam/docs). |
| 164 | "bindings": [ # Associates a list of `members` to a `role`. |
| 165 | # `bindings` with no members will result in an error. |
| 166 | { # Associates `members` with a `role`. |
| 167 | "role": "A String", # Role that is assigned to `members`. |
| 168 | # For example, `roles/viewer`, `roles/editor`, or `roles/owner`. |
| 169 | "members": [ # Specifies the identities requesting access for a Cloud Platform resource. |
| 170 | # `members` can have the following values: |
| 171 | # |
| 172 | # * `allUsers`: A special identifier that represents anyone who is |
| 173 | # on the internet; with or without a Google account. |
| 174 | # |
| 175 | # * `allAuthenticatedUsers`: A special identifier that represents anyone |
| 176 | # who is authenticated with a Google account or a service account. |
| 177 | # |
| 178 | # * `user:{emailid}`: An email address that represents a specific Google |
| 179 | # account. For example, `alice@gmail.com` . |
| 180 | # |
| 181 | # |
| 182 | # * `serviceAccount:{emailid}`: An email address that represents a service |
| 183 | # account. For example, `my-other-app@appspot.gserviceaccount.com`. |
| 184 | # |
| 185 | # * `group:{emailid}`: An email address that represents a Google group. |
| 186 | # For example, `admins@example.com`. |
| 187 | # |
| 188 | # |
| 189 | # * `domain:{domain}`: The G Suite domain (primary) that represents all the |
| 190 | # users of that domain. For example, `google.com` or `example.com`. |
| 191 | # |
| 192 | "A String", |
| 193 | ], |
| 194 | "condition": { # Represents an expression text. Example: # The condition that is associated with this binding. |
| 195 | # NOTE: An unsatisfied condition will not allow user access via current |
| 196 | # binding. Different bindings, including their conditions, are examined |
| 197 | # independently. |
| 198 | # |
| 199 | # title: "User account presence" |
| 200 | # description: "Determines whether the request has a user account" |
| 201 | # expression: "size(request.user) > 0" |
| 202 | "location": "A String", # An optional string indicating the location of the expression for error |
| 203 | # reporting, e.g. a file name and a position in the file. |
| 204 | "expression": "A String", # Textual representation of an expression in |
| 205 | # Common Expression Language syntax. |
| 206 | # |
| 207 | # The application context of the containing message determines which |
| 208 | # well-known feature set of CEL is supported. |
| 209 | "description": "A String", # An optional description of the expression. This is a longer text which |
| 210 | # describes the expression, e.g. when hovered over it in a UI. |
| 211 | "title": "A String", # An optional title for the expression, i.e. a short string describing |
| 212 | # its purpose. This can be used e.g. in UIs which allow to enter the |
| 213 | # expression. |
| 214 | }, |
| 215 | }, |
| 216 | ], |
| 217 | "auditConfigs": [ # Specifies cloud audit logging configuration for this policy. |
| 218 | { # Specifies the audit configuration for a service. |
| 219 | # The configuration determines which permission types are logged, and what |
| 220 | # identities, if any, are exempted from logging. |
| 221 | # An AuditConfig must have one or more AuditLogConfigs. |
| 222 | # |
| 223 | # If there are AuditConfigs for both `allServices` and a specific service, |
| 224 | # the union of the two AuditConfigs is used for that service: the log_types |
| 225 | # specified in each AuditConfig are enabled, and the exempted_members in each |
| 226 | # AuditLogConfig are exempted. |
| 227 | # |
| 228 | # Example Policy with multiple AuditConfigs: |
| 229 | # |
| 230 | # { |
| 231 | # "audit_configs": [ |
| 232 | # { |
| 233 | # "service": "allServices" |
| 234 | # "audit_log_configs": [ |
| 235 | # { |
| 236 | # "log_type": "DATA_READ", |
| 237 | # "exempted_members": [ |
| 238 | # "user:foo@gmail.com" |
| 239 | # ] |
| 240 | # }, |
| 241 | # { |
| 242 | # "log_type": "DATA_WRITE", |
| 243 | # }, |
| 244 | # { |
| 245 | # "log_type": "ADMIN_READ", |
| 246 | # } |
| 247 | # ] |
| 248 | # }, |
| 249 | # { |
| 250 | # "service": "fooservice.googleapis.com" |
| 251 | # "audit_log_configs": [ |
| 252 | # { |
| 253 | # "log_type": "DATA_READ", |
| 254 | # }, |
| 255 | # { |
| 256 | # "log_type": "DATA_WRITE", |
| 257 | # "exempted_members": [ |
| 258 | # "user:bar@gmail.com" |
| 259 | # ] |
| 260 | # } |
| 261 | # ] |
| 262 | # } |
| 263 | # ] |
| 264 | # } |
| 265 | # |
| 266 | # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ |
| 267 | # logging. It also exempts foo@gmail.com from DATA_READ logging, and |
| 268 | # bar@gmail.com from DATA_WRITE logging. |
| 269 | "auditLogConfigs": [ # The configuration for logging of each type of permission. |
| 270 | { # Provides the configuration for logging a type of permissions. |
| 271 | # Example: |
| 272 | # |
| 273 | # { |
| 274 | # "audit_log_configs": [ |
| 275 | # { |
| 276 | # "log_type": "DATA_READ", |
| 277 | # "exempted_members": [ |
| 278 | # "user:foo@gmail.com" |
| 279 | # ] |
| 280 | # }, |
| 281 | # { |
| 282 | # "log_type": "DATA_WRITE", |
| 283 | # } |
| 284 | # ] |
| 285 | # } |
| 286 | # |
| 287 | # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting |
| 288 | # foo@gmail.com from DATA_READ logging. |
| 289 | "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of |
| 290 | # permission. |
| 291 | # Follows the same format of Binding.members. |
| 292 | "A String", |
| 293 | ], |
| 294 | "logType": "A String", # The log type that this config enables. |
| 295 | }, |
| 296 | ], |
| 297 | "service": "A String", # Specifies a service that will be enabled for audit logging. |
| 298 | # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. |
| 299 | # `allServices` is a special value that covers all services. |
| 300 | }, |
| 301 | ], |
| 302 | "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help |
| 303 | # prevent simultaneous updates of a policy from overwriting each other. |
| 304 | # It is strongly suggested that systems make use of the `etag` in the |
| 305 | # read-modify-write cycle to perform policy updates in order to avoid race |
| 306 | # conditions: An `etag` is returned in the response to `getIamPolicy`, and |
| 307 | # systems are expected to put that etag in the request to `setIamPolicy` to |
| 308 | # ensure that their change will be applied to the same version of the policy. |
| 309 | # |
| 310 | # If no `etag` is provided in the call to `setIamPolicy`, then the existing |
| 311 | # policy is overwritten blindly. |
| 312 | "version": 42, # Deprecated. |
| 313 | }, |
| 314 | "fullResourceName": "A String", # The full resource name of the policy this lint request is about. |
| 315 | # |
| 316 | # The name follows the Google Cloud Platform (GCP) resource format. |
| 317 | # For example, a GCP project with ID `my-project` will be named |
| 318 | # `//cloudresourcemanager.googleapis.com/projects/my-project`. |
| 319 | # |
| 320 | # The resource name is not used to read the policy instance from the Cloud |
| 321 | # IAM database. The candidate policy for lint has to be provided in the same |
| 322 | # request object. |
| 323 | "binding": { # Associates `members` with a `role`. # Binding object to be linted. The functionality of linting a binding is |
| 324 | # not yet implemented and if this field is set, it returns NOT_IMPLEMENTED |
| 325 | # error. |
| 326 | "role": "A String", # Role that is assigned to `members`. |
| 327 | # For example, `roles/viewer`, `roles/editor`, or `roles/owner`. |
| 328 | "members": [ # Specifies the identities requesting access for a Cloud Platform resource. |
| 329 | # `members` can have the following values: |
| 330 | # |
| 331 | # * `allUsers`: A special identifier that represents anyone who is |
| 332 | # on the internet; with or without a Google account. |
| 333 | # |
| 334 | # * `allAuthenticatedUsers`: A special identifier that represents anyone |
| 335 | # who is authenticated with a Google account or a service account. |
| 336 | # |
| 337 | # * `user:{emailid}`: An email address that represents a specific Google |
| 338 | # account. For example, `alice@gmail.com` . |
| 339 | # |
| 340 | # |
| 341 | # * `serviceAccount:{emailid}`: An email address that represents a service |
| 342 | # account. For example, `my-other-app@appspot.gserviceaccount.com`. |
| 343 | # |
| 344 | # * `group:{emailid}`: An email address that represents a Google group. |
| 345 | # For example, `admins@example.com`. |
| 346 | # |
| 347 | # |
| 348 | # * `domain:{domain}`: The G Suite domain (primary) that represents all the |
| 349 | # users of that domain. For example, `google.com` or `example.com`. |
| 350 | # |
| 351 | "A String", |
| 352 | ], |
| 353 | "condition": { # Represents an expression text. Example: # The condition that is associated with this binding. |
| 354 | # NOTE: An unsatisfied condition will not allow user access via current |
| 355 | # binding. Different bindings, including their conditions, are examined |
| 356 | # independently. |
| 357 | # |
| 358 | # title: "User account presence" |
| 359 | # description: "Determines whether the request has a user account" |
| 360 | # expression: "size(request.user) > 0" |
| 361 | "location": "A String", # An optional string indicating the location of the expression for error |
| 362 | # reporting, e.g. a file name and a position in the file. |
| 363 | "expression": "A String", # Textual representation of an expression in |
| 364 | # Common Expression Language syntax. |
| 365 | # |
| 366 | # The application context of the containing message determines which |
| 367 | # well-known feature set of CEL is supported. |
| 368 | "description": "A String", # An optional description of the expression. This is a longer text which |
| 369 | # describes the expression, e.g. when hovered over it in a UI. |
| 370 | "title": "A String", # An optional title for the expression, i.e. a short string describing |
| 371 | # its purpose. This can be used e.g. in UIs which allow to enter the |
| 372 | # expression. |
| 373 | }, |
| 374 | }, |
| 375 | "condition": { # Represents an expression text. Example: # google.iam.v1.Binding.condition object to be linted. |
| 376 | # |
| 377 | # title: "User account presence" |
| 378 | # description: "Determines whether the request has a user account" |
| 379 | # expression: "size(request.user) > 0" |
| 380 | "location": "A String", # An optional string indicating the location of the expression for error |
| 381 | # reporting, e.g. a file name and a position in the file. |
| 382 | "expression": "A String", # Textual representation of an expression in |
| 383 | # Common Expression Language syntax. |
| 384 | # |
| 385 | # The application context of the containing message determines which |
| 386 | # well-known feature set of CEL is supported. |
| 387 | "description": "A String", # An optional description of the expression. This is a longer text which |
| 388 | # describes the expression, e.g. when hovered over it in a UI. |
| 389 | "title": "A String", # An optional title for the expression, i.e. a short string describing |
| 390 | # its purpose. This can be used e.g. in UIs which allow to enter the |
| 391 | # expression. |
| 392 | }, |
| 393 | "context": { # `context` contains additional *permission-controlled* data that any |
| 394 | # lint unit may depend on, in form of `{key: value}` pairs. Currently, this |
| 395 | # field is non-operational and it will not be used during the lint operation. |
| 396 | "a_key": "", # Properties of the object. |
| 397 | }, |
| 398 | } |
| 399 | |
| 400 | x__xgafv: string, V1 error format. |
| 401 | Allowed values |
| 402 | 1 - v1 error format |
| 403 | 2 - v2 error format |
| 404 | |
| 405 | Returns: |
| 406 | An object of the form: |
| 407 | |
| 408 | { # The response of a lint operation. An empty response indicates |
| 409 | # the operation was able to fully execute and no lint issue was found. |
| 410 | "lintResults": [ # List of lint results sorted by a composite <severity, binding_ordinal> key, |
| 411 | # descending order of severity and ascending order of binding_ordinal. |
| 412 | # There is no certain order among the same keys. |
| 413 | # |
| 414 | # For cross-binding results (only if the input object to lint is |
| 415 | # instance of google.iam.v1.Policy), there will be a |
| 416 | # google.iam.admin.v1.LintResult for each of the involved bindings, |
| 417 | # and the associated debug_message may enumerate the other involved |
| 418 | # binding ordinal number(s). |
| 419 | { # Structured response of a single validation unit. |
| 420 | "validationUnitName": "A String", # The validation unit name, for instance |
| 421 | # “lintValidationUnits/ConditionComplexityCheck”. |
| 422 | "severity": "A String", # The validation unit severity. |
| 423 | "level": "A String", # The validation unit level. |
| 424 | "bindingOrdinal": 42, # 0-based index ordinality of the binding in the input object associated |
| 425 | # with this result. |
| 426 | # This field is populated only if the input object to lint is of type |
| 427 | # google.iam.v1.Policy, which can comprise more than one binding. |
| 428 | # It is set to -1 if the result is not associated with any particular |
| 429 | # binding and only targets the policy as a whole, such as results about |
| 430 | # policy size violations. |
| 431 | "debugMessage": "A String", # Human readable debug message associated with the issue. |
| 432 | "fieldName": "A String", # The name of the field for which this lint result is about. |
| 433 | # |
| 434 | # For nested messages, `field_name` consists of names of the embedded fields |
| 435 | # separated by period character. The top-level qualifier is the input object |
| 436 | # to lint in the request. For instance, if the lint request is on a |
| 437 | # google.iam.v1.Policy and this lint result is about a condition |
| 438 | # expression of one of the input policy bindings, the field would be |
| 439 | # populated as `policy.bindings.condition.expression`. |
| 440 | # |
| 441 | # This field does not identify the ordinality of the repetitive fields (for |
| 442 | # instance bindings in a policy). |
| 443 | "locationOffset": 42, # 0-based character position of problematic construct within the object |
| 444 | # identified by `field_name`. Currently, this is populated only for condition |
| 445 | # expression. |
| 446 | }, |
| 447 | ], |
| 448 | }</pre> |
| 449 | </div> |
| 450 | |
| 451 | <div class="method"> |
| 452 | <code class="details" id="queryAuditableServices">queryAuditableServices(body, x__xgafv=None)</code> |
| 453 | <pre>Returns a list of services that support service level audit logging |
| 454 | configuration for the given resource. |
| 455 | |
| 456 | Args: |
| 457 | body: object, The request body. (required) |
| 458 | The object takes the form of: |
| 459 | |
| 460 | { # A request to get the list of auditable services for a resource. |
| 461 | "fullResourceName": "A String", # Required. The full resource name to query from the list of auditable |
| 462 | # services. |
| 463 | # |
| 464 | # The name follows the Google Cloud Platform resource format. |
| 465 | # For example, a Cloud Platform project with id `my-project` will be named |
| 466 | # `//cloudresourcemanager.googleapis.com/projects/my-project`. |
| 467 | } |
| 468 | |
| 469 | x__xgafv: string, V1 error format. |
| 470 | Allowed values |
| 471 | 1 - v1 error format |
| 472 | 2 - v2 error format |
| 473 | |
| 474 | Returns: |
| 475 | An object of the form: |
| 476 | |
| 477 | { # A response containing a list of auditable services for a resource. |
| 478 | "services": [ # The auditable services for a resource. |
| 479 | { # Contains information about an auditable service. |
| 480 | "name": "A String", # Public name of the service. |
| 481 | # For example, the service name for Cloud IAM is 'iam.googleapis.com'. |
| 482 | }, |
| 483 | ], |
| 484 | }</pre> |
| 485 | </div> |
| 486 | |
| 487 | </body></html> |