Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / google-api-python-client / 43fc0cf47ac1b1e90cd52422bc5abdbbf1a8e456 / . / docs / dyn / iam_v1.iamPolicies.html
blob: e99b9e7f9c7a9a273f74e288b147cc7bcc861055 [file] [log] [blame]
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1<html><body>
2<style>
3
4body, h1, h2, h3, div, span, p, pre, a {
5 margin: 0;
6 padding: 0;
7 border: 0;
8 font-weight: inherit;
9 font-style: inherit;
10 font-size: 100%;
11 font-family: inherit;
12 vertical-align: baseline;
13}
14
15body {
16 font-size: 13px;
17 padding: 1em;
18}
19
20h1 {
21 font-size: 26px;
22 margin-bottom: 1em;
23}
24
25h2 {
26 font-size: 24px;
27 margin-bottom: 1em;
28}
29
30h3 {
31 font-size: 20px;
32 margin-bottom: 1em;
33 margin-top: 1em;
34}
35
36pre, code {
37 line-height: 1.5;
38 font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
39}
40
41pre {
42 margin-top: 0.5em;
43}
44
45h1, h2, h3, p {
46 font-family: Arial, sans serif;
47}
48
49h1, h2, h3 {
50 border-bottom: solid #CCC 1px;
51}
52
53.toc_element {
54 margin-top: 0.5em;
55}
56
57.firstline {
58 margin-left: 2 em;
59}
60
61.method {
62 margin-top: 1em;
63 border: solid 1px #CCC;
64 padding: 1em;
65 background: #EEE;
66}
67
68.details {
69 font-weight: bold;
70 font-size: 14px;
71}
72
73</style>
74
75<h1><a href="iam_v1.html">Identity and Access Management (IAM) API</a> . <a href="iam_v1.iamPolicies.html">iamPolicies</a></h1>
76<h2>Instance Methods</h2>
77<p class="toc_element">
78 <code><a href="#lintPolicy">lintPolicy(body, x__xgafv=None)</a></code></p>
79<p class="firstline">Lints a Cloud IAM policy object or its sub fields. Currently supports</p>
80<p class="toc_element">
81 <code><a href="#queryAuditableServices">queryAuditableServices(body, x__xgafv=None)</a></code></p>
82<p class="firstline">Returns a list of services that support service level audit logging</p>
83<h3>Method Details</h3>
84<div class="method">
85 <code class="details" id="lintPolicy">lintPolicy(body, x__xgafv=None)</code>
86 <pre>Lints a Cloud IAM policy object or its sub fields. Currently supports
87google.iam.v1.Policy, google.iam.v1.Binding and
88google.iam.v1.Binding.condition.
89
90Each lint operation consists of multiple lint validation units.
91Validation units have the following properties:
92
93- Each unit inspects the input object in regard to a particular
94 linting aspect and issues a google.iam.admin.v1.LintResult
95 disclosing the result.
96- Domain of discourse of each unit can be either
97 google.iam.v1.Policy, google.iam.v1.Binding, or
98 google.iam.v1.Binding.condition depending on the purpose of the
99 validation.
100- A unit may require additional data (like the list of all possible
101 enumerable values of a particular attribute used in the policy instance)
102 which shall be provided by the caller. Refer to the comments of
103 google.iam.admin.v1.LintPolicyRequest.context for more details.
104
105The set of applicable validation units is determined by the Cloud IAM
106server and is not configurable.
107
108Regardless of any lint issues or their severities, successful calls to
109`lintPolicy` return an HTTP 200 OK status code.
110
111Args:
112 body: object, The request body. (required)
113 The object takes the form of:
114
115{ # The request to lint a Cloud IAM policy object. LintPolicy is currently
116 # functional only for `lint_object` of type `condition`.
117 "policy": { # Defines an Identity and Access Management (IAM) policy. It is used to # Policy object to be linted. The functionality of linting a policy is not
118 # yet implemented and if this field is set, it returns NOT_IMPLEMENTED
119 # error.
120 # specify access control policies for Cloud Platform resources.
121 #
122 #
123 # A `Policy` consists of a list of `bindings`. A `binding` binds a list of
124 # `members` to a `role`, where the members can be user accounts, Google groups,
125 # Google domains, and service accounts. A `role` is a named list of permissions
126 # defined by IAM.
127 #
128 # **JSON Example**
129 #
130 # {
131 # "bindings": [
132 # {
133 # "role": "roles/owner",
134 # "members": [
135 # "user:mike@example.com",
136 # "group:admins@example.com",
137 # "domain:google.com",
138 # "serviceAccount:my-other-app@appspot.gserviceaccount.com"
139 # ]
140 # },
141 # {
142 # "role": "roles/viewer",
143 # "members": ["user:sean@example.com"]
144 # }
145 # ]
146 # }
147 #
148 # **YAML Example**
149 #
150 # bindings:
151 # - members:
152 # - user:mike@example.com
153 # - group:admins@example.com
154 # - domain:google.com
155 # - serviceAccount:my-other-app@appspot.gserviceaccount.com
156 # role: roles/owner
157 # - members:
158 # - user:sean@example.com
159 # role: roles/viewer
160 #
161 #
162 # For a description of IAM and its features, see the
163 # [IAM developer's guide](https://cloud.google.com/iam/docs).
164 "bindings": [ # Associates a list of `members` to a `role`.
165 # `bindings` with no members will result in an error.
166 { # Associates `members` with a `role`.
167 "role": "A String", # Role that is assigned to `members`.
168 # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
169 "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
170 # `members` can have the following values:
171 #
172 # * `allUsers`: A special identifier that represents anyone who is
173 # on the internet; with or without a Google account.
174 #
175 # * `allAuthenticatedUsers`: A special identifier that represents anyone
176 # who is authenticated with a Google account or a service account.
177 #
178 # * `user:{emailid}`: An email address that represents a specific Google
179 # account. For example, `alice@gmail.com` .
180 #
181 #
182 # * `serviceAccount:{emailid}`: An email address that represents a service
183 # account. For example, `my-other-app@appspot.gserviceaccount.com`.
184 #
185 # * `group:{emailid}`: An email address that represents a Google group.
186 # For example, `admins@example.com`.
187 #
188 #
189 # * `domain:{domain}`: The G Suite domain (primary) that represents all the
190 # users of that domain. For example, `google.com` or `example.com`.
191 #
192 "A String",
193 ],
194 "condition": { # Represents an expression text. Example: # The condition that is associated with this binding.
195 # NOTE: An unsatisfied condition will not allow user access via current
196 # binding. Different bindings, including their conditions, are examined
197 # independently.
198 #
199 # title: "User account presence"
200 # description: "Determines whether the request has a user account"
201 # expression: "size(request.user) > 0"
202 "location": "A String", # An optional string indicating the location of the expression for error
203 # reporting, e.g. a file name and a position in the file.
204 "expression": "A String", # Textual representation of an expression in
205 # Common Expression Language syntax.
206 #
207 # The application context of the containing message determines which
208 # well-known feature set of CEL is supported.
209 "description": "A String", # An optional description of the expression. This is a longer text which
210 # describes the expression, e.g. when hovered over it in a UI.
211 "title": "A String", # An optional title for the expression, i.e. a short string describing
212 # its purpose. This can be used e.g. in UIs which allow to enter the
213 # expression.
214 },
215 },
216 ],
217 "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
218 { # Specifies the audit configuration for a service.
219 # The configuration determines which permission types are logged, and what
220 # identities, if any, are exempted from logging.
221 # An AuditConfig must have one or more AuditLogConfigs.
222 #
223 # If there are AuditConfigs for both `allServices` and a specific service,
224 # the union of the two AuditConfigs is used for that service: the log_types
225 # specified in each AuditConfig are enabled, and the exempted_members in each
226 # AuditLogConfig are exempted.
227 #
228 # Example Policy with multiple AuditConfigs:
229 #
230 # {
231 # "audit_configs": [
232 # {
233 # "service": "allServices"
234 # "audit_log_configs": [
235 # {
236 # "log_type": "DATA_READ",
237 # "exempted_members": [
238 # "user:foo@gmail.com"
239 # ]
240 # },
241 # {
242 # "log_type": "DATA_WRITE",
243 # },
244 # {
245 # "log_type": "ADMIN_READ",
246 # }
247 # ]
248 # },
249 # {
250 # "service": "fooservice.googleapis.com"
251 # "audit_log_configs": [
252 # {
253 # "log_type": "DATA_READ",
254 # },
255 # {
256 # "log_type": "DATA_WRITE",
257 # "exempted_members": [
258 # "user:bar@gmail.com"
259 # ]
260 # }
261 # ]
262 # }
263 # ]
264 # }
265 #
266 # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
267 # logging. It also exempts foo@gmail.com from DATA_READ logging, and
268 # bar@gmail.com from DATA_WRITE logging.
269 "auditLogConfigs": [ # The configuration for logging of each type of permission.
270 { # Provides the configuration for logging a type of permissions.
271 # Example:
272 #
273 # {
274 # "audit_log_configs": [
275 # {
276 # "log_type": "DATA_READ",
277 # "exempted_members": [
278 # "user:foo@gmail.com"
279 # ]
280 # },
281 # {
282 # "log_type": "DATA_WRITE",
283 # }
284 # ]
285 # }
286 #
287 # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
288 # foo@gmail.com from DATA_READ logging.
289 "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
290 # permission.
291 # Follows the same format of Binding.members.
292 "A String",
293 ],
294 "logType": "A String", # The log type that this config enables.
295 },
296 ],
297 "service": "A String", # Specifies a service that will be enabled for audit logging.
298 # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
299 # `allServices` is a special value that covers all services.
300 },
301 ],
302 "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
303 # prevent simultaneous updates of a policy from overwriting each other.
304 # It is strongly suggested that systems make use of the `etag` in the
305 # read-modify-write cycle to perform policy updates in order to avoid race
306 # conditions: An `etag` is returned in the response to `getIamPolicy`, and
307 # systems are expected to put that etag in the request to `setIamPolicy` to
308 # ensure that their change will be applied to the same version of the policy.
309 #
310 # If no `etag` is provided in the call to `setIamPolicy`, then the existing
311 # policy is overwritten blindly.
312 "version": 42, # Deprecated.
313 },
314 "fullResourceName": "A String", # The full resource name of the policy this lint request is about.
315 #
316 # The name follows the Google Cloud Platform (GCP) resource format.
317 # For example, a GCP project with ID `my-project` will be named
318 # `//cloudresourcemanager.googleapis.com/projects/my-project`.
319 #
320 # The resource name is not used to read the policy instance from the Cloud
321 # IAM database. The candidate policy for lint has to be provided in the same
322 # request object.
323 "binding": { # Associates `members` with a `role`. # Binding object to be linted. The functionality of linting a binding is
324 # not yet implemented and if this field is set, it returns NOT_IMPLEMENTED
325 # error.
326 "role": "A String", # Role that is assigned to `members`.
327 # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
328 "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
329 # `members` can have the following values:
330 #
331 # * `allUsers`: A special identifier that represents anyone who is
332 # on the internet; with or without a Google account.
333 #
334 # * `allAuthenticatedUsers`: A special identifier that represents anyone
335 # who is authenticated with a Google account or a service account.
336 #
337 # * `user:{emailid}`: An email address that represents a specific Google
338 # account. For example, `alice@gmail.com` .
339 #
340 #
341 # * `serviceAccount:{emailid}`: An email address that represents a service
342 # account. For example, `my-other-app@appspot.gserviceaccount.com`.
343 #
344 # * `group:{emailid}`: An email address that represents a Google group.
345 # For example, `admins@example.com`.
346 #
347 #
348 # * `domain:{domain}`: The G Suite domain (primary) that represents all the
349 # users of that domain. For example, `google.com` or `example.com`.
350 #
351 "A String",
352 ],
353 "condition": { # Represents an expression text. Example: # The condition that is associated with this binding.
354 # NOTE: An unsatisfied condition will not allow user access via current
355 # binding. Different bindings, including their conditions, are examined
356 # independently.
357 #
358 # title: "User account presence"
359 # description: "Determines whether the request has a user account"
360 # expression: "size(request.user) > 0"
361 "location": "A String", # An optional string indicating the location of the expression for error
362 # reporting, e.g. a file name and a position in the file.
363 "expression": "A String", # Textual representation of an expression in
364 # Common Expression Language syntax.
365 #
366 # The application context of the containing message determines which
367 # well-known feature set of CEL is supported.
368 "description": "A String", # An optional description of the expression. This is a longer text which
369 # describes the expression, e.g. when hovered over it in a UI.
370 "title": "A String", # An optional title for the expression, i.e. a short string describing
371 # its purpose. This can be used e.g. in UIs which allow to enter the
372 # expression.
373 },
374 },
375 "condition": { # Represents an expression text. Example: # google.iam.v1.Binding.condition object to be linted.
376 #
377 # title: "User account presence"
378 # description: "Determines whether the request has a user account"
379 # expression: "size(request.user) > 0"
380 "location": "A String", # An optional string indicating the location of the expression for error
381 # reporting, e.g. a file name and a position in the file.
382 "expression": "A String", # Textual representation of an expression in
383 # Common Expression Language syntax.
384 #
385 # The application context of the containing message determines which
386 # well-known feature set of CEL is supported.
387 "description": "A String", # An optional description of the expression. This is a longer text which
388 # describes the expression, e.g. when hovered over it in a UI.
389 "title": "A String", # An optional title for the expression, i.e. a short string describing
390 # its purpose. This can be used e.g. in UIs which allow to enter the
391 # expression.
392 },
393 "context": { # `context` contains additional *permission-controlled* data that any
394 # lint unit may depend on, in form of `{key: value}` pairs. Currently, this
395 # field is non-operational and it will not be used during the lint operation.
396 "a_key": "", # Properties of the object.
397 },
398 }
399
400 x__xgafv: string, V1 error format.
401 Allowed values
402 1 - v1 error format
403 2 - v2 error format
404
405Returns:
406 An object of the form:
407
408 { # The response of a lint operation. An empty response indicates
409 # the operation was able to fully execute and no lint issue was found.
410 "lintResults": [ # List of lint results sorted by a composite <severity, binding_ordinal> key,
411 # descending order of severity and ascending order of binding_ordinal.
412 # There is no certain order among the same keys.
413 #
414 # For cross-binding results (only if the input object to lint is
415 # instance of google.iam.v1.Policy), there will be a
416 # google.iam.admin.v1.LintResult for each of the involved bindings,
417 # and the associated debug_message may enumerate the other involved
418 # binding ordinal number(s).
419 { # Structured response of a single validation unit.
420 "validationUnitName": "A String", # The validation unit name, for instance
421 # “lintValidationUnits/ConditionComplexityCheck”.
422 "severity": "A String", # The validation unit severity.
423 "level": "A String", # The validation unit level.
424 "bindingOrdinal": 42, # 0-based index ordinality of the binding in the input object associated
425 # with this result.
426 # This field is populated only if the input object to lint is of type
427 # google.iam.v1.Policy, which can comprise more than one binding.
428 # It is set to -1 if the result is not associated with any particular
429 # binding and only targets the policy as a whole, such as results about
430 # policy size violations.
431 "debugMessage": "A String", # Human readable debug message associated with the issue.
432 "fieldName": "A String", # The name of the field for which this lint result is about.
433 #
434 # For nested messages, `field_name` consists of names of the embedded fields
435 # separated by period character. The top-level qualifier is the input object
436 # to lint in the request. For instance, if the lint request is on a
437 # google.iam.v1.Policy and this lint result is about a condition
438 # expression of one of the input policy bindings, the field would be
439 # populated as `policy.bindings.condition.expression`.
440 #
441 # This field does not identify the ordinality of the repetitive fields (for
442 # instance bindings in a policy).
443 "locationOffset": 42, # 0-based character position of problematic construct within the object
444 # identified by `field_name`. Currently, this is populated only for condition
445 # expression.
446 },
447 ],
448 }</pre>
449</div>
450
451<div class="method">
452 <code class="details" id="queryAuditableServices">queryAuditableServices(body, x__xgafv=None)</code>
453 <pre>Returns a list of services that support service level audit logging
454configuration for the given resource.
455
456Args:
457 body: object, The request body. (required)
458 The object takes the form of:
459
460{ # A request to get the list of auditable services for a resource.
461 "fullResourceName": "A String", # Required. The full resource name to query from the list of auditable
462 # services.
463 #
464 # The name follows the Google Cloud Platform resource format.
465 # For example, a Cloud Platform project with id `my-project` will be named
466 # `//cloudresourcemanager.googleapis.com/projects/my-project`.
467 }
468
469 x__xgafv: string, V1 error format.
470 Allowed values
471 1 - v1 error format
472 2 - v2 error format
473
474Returns:
475 An object of the form:
476
477 { # A response containing a list of auditable services for a resource.
478 "services": [ # The auditable services for a resource.
479 { # Contains information about an auditable service.
480 "name": "A String", # Public name of the service.
481 # For example, the service name for Cloud IAM is 'iam.googleapis.com'.
482 },
483 ],
484 }</pre>
485</div>
486
487</body></html>