| Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 1 | <html><body> |
| 2 | <style> |
| 3 | |
| 4 | body, h1, h2, h3, div, span, p, pre, a { |
| 5 | margin: 0; |
| 6 | padding: 0; |
| 7 | border: 0; |
| 8 | font-weight: inherit; |
| 9 | font-style: inherit; |
| 10 | font-size: 100%; |
| 11 | font-family: inherit; |
| 12 | vertical-align: baseline; |
| 13 | } |
| 14 | |
| 15 | body { |
| 16 | font-size: 13px; |
| 17 | padding: 1em; |
| 18 | } |
| 19 | |
| 20 | h1 { |
| 21 | font-size: 26px; |
| 22 | margin-bottom: 1em; |
| 23 | } |
| 24 | |
| 25 | h2 { |
| 26 | font-size: 24px; |
| 27 | margin-bottom: 1em; |
| 28 | } |
| 29 | |
| 30 | h3 { |
| 31 | font-size: 20px; |
| 32 | margin-bottom: 1em; |
| 33 | margin-top: 1em; |
| 34 | } |
| 35 | |
| 36 | pre, code { |
| 37 | line-height: 1.5; |
| 38 | font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; |
| 39 | } |
| 40 | |
| 41 | pre { |
| 42 | margin-top: 0.5em; |
| 43 | } |
| 44 | |
| 45 | h1, h2, h3, p { |
| 46 | font-family: Arial, sans serif; |
| 47 | } |
| 48 | |
| 49 | h1, h2, h3 { |
| 50 | border-bottom: solid #CCC 1px; |
| 51 | } |
| 52 | |
| 53 | .toc_element { |
| 54 | margin-top: 0.5em; |
| 55 | } |
| 56 | |
| 57 | .firstline { |
| 58 | margin-left: 2 em; |
| 59 | } |
| 60 | |
| 61 | .method { |
| 62 | margin-top: 1em; |
| 63 | border: solid 1px #CCC; |
| 64 | padding: 1em; |
| 65 | background: #EEE; |
| 66 | } |
| 67 | |
| 68 | .details { |
| 69 | font-weight: bold; |
| 70 | font-size: 14px; |
| 71 | } |
| 72 | |
| 73 | </style> |
| 74 | |
| 75 | <h1><a href="cloudasset_v1p1beta1.html">Cloud Asset API</a> . <a href="cloudasset_v1p1beta1.iamPolicies.html">iamPolicies</a></h1> |
| 76 | <h2>Instance Methods</h2> |
| 77 | <p class="toc_element"> |
| 78 | <code><a href="#searchAll">searchAll(scope, pageToken=None, pageSize=None, query=None, x__xgafv=None)</a></code></p> |
| 79 | <p class="firstline">Searches all the IAM policies under a given accessible CRM scope</p> |
| 80 | <p class="toc_element"> |
| 81 | <code><a href="#searchAll_next">searchAll_next(previous_request, previous_response)</a></code></p> |
| 82 | <p class="firstline">Retrieves the next page of results.</p> |
| 83 | <h3>Method Details</h3> |
| 84 | <div class="method"> |
| 85 | <code class="details" id="searchAll">searchAll(scope, pageToken=None, pageSize=None, query=None, x__xgafv=None)</code> |
| 86 | <pre>Searches all the IAM policies under a given accessible CRM scope |
| 87 | (project/folder/organization). This RPC gives callers |
| 88 | especially admins the ability to search all the IAM policies under a scope, |
| 89 | even if they don't have .getIamPolicy permission of all the IAM policies. |
| 90 | Callers should have cloud.assets.SearchAllIamPolicies permission on the |
| 91 | requested scope, otherwise it will be rejected. |
| 92 | |
| 93 | Args: |
| 94 | scope: string, Required. The relative name of an asset. The search is limited to the resources |
| 95 | within the `scope`. The allowed value must be: |
| 96 | * Organization number (such as "organizations/123") |
| 97 | * Folder number(such as "folders/1234") |
| 98 | * Project number (such as "projects/12345") |
| 99 | * Project id (such as "projects/abc") (required) |
| 100 | pageToken: string, Optional. If present, retrieve the next batch of results from the preceding call to |
| 101 | this method. `page_token` must be the value of `next_page_token` from the |
| 102 | previous response. The values of all other method parameters must be |
| 103 | identical to those in the previous call. |
| 104 | pageSize: integer, Optional. The page size for search result pagination. Page size is capped at 500 even |
| 105 | if a larger value is given. If set to zero, server will pick an appropriate |
| 106 | default. Returned results may be fewer than requested. When this happens, |
| 107 | there could be more results as long as `next_page_token` is returned. |
| 108 | query: string, Optional. The query statement. |
| 109 | Examples: |
| 110 | * "policy:myuser@mydomain.com" |
| 111 | * "policy:(myuser@mydomain.com viewer)" |
| 112 | x__xgafv: string, V1 error format. |
| 113 | Allowed values |
| 114 | 1 - v1 error format |
| 115 | 2 - v2 error format |
| 116 | |
| 117 | Returns: |
| 118 | An object of the form: |
| 119 | |
| 120 | { # Search all IAM policies response. |
| 121 | "results": [ # A list of IamPolicy that match the search query. Related information such |
| 122 | # as the associated resource is returned along with the policy. |
| 123 | { # The result for a IAM Policy search. |
| 124 | "resource": "A String", # The [full resource |
| 125 | # name](https://cloud.google.com/apis/design/resource_names#full_resource_name) |
| 126 | # of the resource associated with this IAM policy. |
| 127 | "explanation": { # Explanation about the IAM policy search result. # Explanation about the IAM policy search result. It contains additional |
| 128 | # information to explain why the search result matches the query. |
| 129 | "matchedPermissions": { # The map from roles to their included permission matching the permission |
| 130 | # query (e.g. containing `policy.role.permissions:`). A sample role string: |
| 131 | # "roles/compute.instanceAdmin". The roles can also be found in the |
| 132 | # returned `policy` bindings. Note that the map is populated only if |
| 133 | # requesting with a permission query. |
| 134 | "a_key": { # IAM permissions |
| 135 | "permissions": [ # A list of permissions. A sample permission string: "compute.disk.get". |
| 136 | "A String", |
| 137 | ], |
| 138 | }, |
| 139 | }, |
| 140 | }, |
| 141 | "project": "A String", # The project that the associated GCP resource belongs to, in the form of |
| 142 | # `projects/{project_number}`. If an IAM policy is set on a resource (like VM |
| 143 | # instance, Cloud Storage bucket), the project field will indicate the |
| 144 | # project that contains the resource. If an IAM policy is set on a folder or |
| 145 | # orgnization, the project field will be empty. |
| 146 | "policy": { # An Identity and Access Management (IAM) policy, which specifies access # The IAM policy directly set on the given resource. Note that the original |
| 147 | # IAM policy can contain multiple bindings. This only contains the bindings |
| 148 | # that match the given query. For queries that don't contain a constrain on |
| 149 | # policies (e.g. an empty query), this contains all the bindings. |
| 150 | # controls for Google Cloud resources. |
| 151 | # |
| 152 | # |
| 153 | # A `Policy` is a collection of `bindings`. A `binding` binds one or more |
| 154 | # `members` to a single `role`. Members can be user accounts, service accounts, |
| 155 | # Google groups, and domains (such as G Suite). A `role` is a named list of |
| 156 | # permissions; each `role` can be an IAM predefined role or a user-created |
| 157 | # custom role. |
| 158 | # |
| 159 | # Optionally, a `binding` can specify a `condition`, which is a logical |
| 160 | # expression that allows access to a resource only if the expression evaluates |
| 161 | # to `true`. A condition can add constraints based on attributes of the |
| 162 | # request, the resource, or both. |
| 163 | # |
| 164 | # **JSON example:** |
| 165 | # |
| 166 | # { |
| 167 | # "bindings": [ |
| 168 | # { |
| 169 | # "role": "roles/resourcemanager.organizationAdmin", |
| 170 | # "members": [ |
| 171 | # "user:mike@example.com", |
| 172 | # "group:admins@example.com", |
| 173 | # "domain:google.com", |
| 174 | # "serviceAccount:my-project-id@appspot.gserviceaccount.com" |
| 175 | # ] |
| 176 | # }, |
| 177 | # { |
| 178 | # "role": "roles/resourcemanager.organizationViewer", |
| 179 | # "members": ["user:eve@example.com"], |
| 180 | # "condition": { |
| 181 | # "title": "expirable access", |
| 182 | # "description": "Does not grant access after Sep 2020", |
| 183 | # "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", |
| 184 | # } |
| 185 | # } |
| 186 | # ], |
| 187 | # "etag": "BwWWja0YfJA=", |
| 188 | # "version": 3 |
| 189 | # } |
| 190 | # |
| 191 | # **YAML example:** |
| 192 | # |
| 193 | # bindings: |
| 194 | # - members: |
| 195 | # - user:mike@example.com |
| 196 | # - group:admins@example.com |
| 197 | # - domain:google.com |
| 198 | # - serviceAccount:my-project-id@appspot.gserviceaccount.com |
| 199 | # role: roles/resourcemanager.organizationAdmin |
| 200 | # - members: |
| 201 | # - user:eve@example.com |
| 202 | # role: roles/resourcemanager.organizationViewer |
| 203 | # condition: |
| 204 | # title: expirable access |
| 205 | # description: Does not grant access after Sep 2020 |
| 206 | # expression: request.time < timestamp('2020-10-01T00:00:00.000Z') |
| 207 | # - etag: BwWWja0YfJA= |
| 208 | # - version: 3 |
| 209 | # |
| 210 | # For a description of IAM and its features, see the |
| 211 | # [IAM documentation](https://cloud.google.com/iam/docs/). |
| 212 | "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help |
| 213 | # prevent simultaneous updates of a policy from overwriting each other. |
| 214 | # It is strongly suggested that systems make use of the `etag` in the |
| 215 | # read-modify-write cycle to perform policy updates in order to avoid race |
| 216 | # conditions: An `etag` is returned in the response to `getIamPolicy`, and |
| 217 | # systems are expected to put that etag in the request to `setIamPolicy` to |
| 218 | # ensure that their change will be applied to the same version of the policy. |
| 219 | # |
| 220 | # **Important:** If you use IAM Conditions, you must include the `etag` field |
| 221 | # whenever you call `setIamPolicy`. If you omit this field, then IAM allows |
| 222 | # you to overwrite a version `3` policy with a version `1` policy, and all of |
| 223 | # the conditions in the version `3` policy are lost. |
| 224 | "version": 42, # Specifies the format of the policy. |
| 225 | # |
| 226 | # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value |
| 227 | # are rejected. |
| 228 | # |
| 229 | # Any operation that affects conditional role bindings must specify version |
| 230 | # `3`. This requirement applies to the following operations: |
| 231 | # |
| 232 | # * Getting a policy that includes a conditional role binding |
| 233 | # * Adding a conditional role binding to a policy |
| 234 | # * Changing a conditional role binding in a policy |
| 235 | # * Removing any role binding, with or without a condition, from a policy |
| 236 | # that includes conditions |
| 237 | # |
| 238 | # **Important:** If you use IAM Conditions, you must include the `etag` field |
| 239 | # whenever you call `setIamPolicy`. If you omit this field, then IAM allows |
| 240 | # you to overwrite a version `3` policy with a version `1` policy, and all of |
| 241 | # the conditions in the version `3` policy are lost. |
| 242 | # |
| 243 | # If a policy does not include any conditions, operations on that policy may |
| 244 | # specify any valid version or leave the field unset. |
| 245 | "auditConfigs": [ # Specifies cloud audit logging configuration for this policy. |
| 246 | { # Specifies the audit configuration for a service. |
| 247 | # The configuration determines which permission types are logged, and what |
| 248 | # identities, if any, are exempted from logging. |
| 249 | # An AuditConfig must have one or more AuditLogConfigs. |
| 250 | # |
| 251 | # If there are AuditConfigs for both `allServices` and a specific service, |
| 252 | # the union of the two AuditConfigs is used for that service: the log_types |
| 253 | # specified in each AuditConfig are enabled, and the exempted_members in each |
| 254 | # AuditLogConfig are exempted. |
| 255 | # |
| 256 | # Example Policy with multiple AuditConfigs: |
| 257 | # |
| 258 | # { |
| 259 | # "audit_configs": [ |
| 260 | # { |
| 261 | # "service": "allServices" |
| 262 | # "audit_log_configs": [ |
| 263 | # { |
| 264 | # "log_type": "DATA_READ", |
| 265 | # "exempted_members": [ |
| 266 | # "user:jose@example.com" |
| 267 | # ] |
| 268 | # }, |
| 269 | # { |
| 270 | # "log_type": "DATA_WRITE", |
| 271 | # }, |
| 272 | # { |
| 273 | # "log_type": "ADMIN_READ", |
| 274 | # } |
| 275 | # ] |
| 276 | # }, |
| 277 | # { |
| 278 | # "service": "sampleservice.googleapis.com" |
| 279 | # "audit_log_configs": [ |
| 280 | # { |
| 281 | # "log_type": "DATA_READ", |
| 282 | # }, |
| 283 | # { |
| 284 | # "log_type": "DATA_WRITE", |
| 285 | # "exempted_members": [ |
| 286 | # "user:aliya@example.com" |
| 287 | # ] |
| 288 | # } |
| 289 | # ] |
| 290 | # } |
| 291 | # ] |
| 292 | # } |
| 293 | # |
| 294 | # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ |
| 295 | # logging. It also exempts jose@example.com from DATA_READ logging, and |
| 296 | # aliya@example.com from DATA_WRITE logging. |
| 297 | "service": "A String", # Specifies a service that will be enabled for audit logging. |
| 298 | # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. |
| 299 | # `allServices` is a special value that covers all services. |
| 300 | "auditLogConfigs": [ # The configuration for logging of each type of permission. |
| 301 | { # Provides the configuration for logging a type of permissions. |
| 302 | # Example: |
| 303 | # |
| 304 | # { |
| 305 | # "audit_log_configs": [ |
| 306 | # { |
| 307 | # "log_type": "DATA_READ", |
| 308 | # "exempted_members": [ |
| 309 | # "user:jose@example.com" |
| 310 | # ] |
| 311 | # }, |
| 312 | # { |
| 313 | # "log_type": "DATA_WRITE", |
| 314 | # } |
| 315 | # ] |
| 316 | # } |
| 317 | # |
| 318 | # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting |
| 319 | # jose@example.com from DATA_READ logging. |
| 320 | "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of |
| 321 | # permission. |
| 322 | # Follows the same format of Binding.members. |
| 323 | "A String", |
| 324 | ], |
| 325 | "logType": "A String", # The log type that this config enables. |
| 326 | }, |
| 327 | ], |
| 328 | }, |
| 329 | ], |
| 330 | "bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a |
| 331 | # `condition` that determines how and when the `bindings` are applied. Each |
| 332 | # of the `bindings` must contain at least one member. |
| 333 | { # Associates `members` with a `role`. |
| 334 | "condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding. |
| 335 | # NOTE: An unsatisfied condition will not allow user access via current |
| 336 | # binding. Different bindings, including their conditions, are examined |
| 337 | # independently. |
| 338 | # syntax. CEL is a C-like expression language. The syntax and semantics of CEL |
| 339 | # are documented at https://github.com/google/cel-spec. |
| 340 | # |
| 341 | # Example (Comparison): |
| 342 | # |
| 343 | # title: "Summary size limit" |
| 344 | # description: "Determines if a summary is less than 100 chars" |
| 345 | # expression: "document.summary.size() < 100" |
| 346 | # |
| 347 | # Example (Equality): |
| 348 | # |
| 349 | # title: "Requestor is owner" |
| 350 | # description: "Determines if requestor is the document owner" |
| 351 | # expression: "document.owner == request.auth.claims.email" |
| 352 | # |
| 353 | # Example (Logic): |
| 354 | # |
| 355 | # title: "Public documents" |
| 356 | # description: "Determine whether the document should be publicly visible" |
| 357 | # expression: "document.type != 'private' && document.type != 'internal'" |
| 358 | # |
| 359 | # Example (Data Manipulation): |
| 360 | # |
| 361 | # title: "Notification string" |
| 362 | # description: "Create a notification string with a timestamp." |
| 363 | # expression: "'New message received at ' + string(document.create_time)" |
| 364 | # |
| 365 | # The exact variables and functions that may be referenced within an expression |
| 366 | # are determined by the service that evaluates it. See the service |
| 367 | # documentation for additional information. |
| 368 | "title": "A String", # Optional. Title for the expression, i.e. a short string describing |
| 369 | # its purpose. This can be used e.g. in UIs which allow to enter the |
| 370 | # expression. |
| 371 | "location": "A String", # Optional. String indicating the location of the expression for error |
| 372 | # reporting, e.g. a file name and a position in the file. |
| 373 | "description": "A String", # Optional. Description of the expression. This is a longer text which |
| 374 | # describes the expression, e.g. when hovered over it in a UI. |
| 375 | "expression": "A String", # Textual representation of an expression in Common Expression Language |
| 376 | # syntax. |
| 377 | }, |
| 378 | "members": [ # Specifies the identities requesting access for a Cloud Platform resource. |
| 379 | # `members` can have the following values: |
| 380 | # |
| 381 | # * `allUsers`: A special identifier that represents anyone who is |
| 382 | # on the internet; with or without a Google account. |
| 383 | # |
| 384 | # * `allAuthenticatedUsers`: A special identifier that represents anyone |
| 385 | # who is authenticated with a Google account or a service account. |
| 386 | # |
| 387 | # * `user:{emailid}`: An email address that represents a specific Google |
| 388 | # account. For example, `alice@example.com` . |
| 389 | # |
| 390 | # |
| 391 | # * `serviceAccount:{emailid}`: An email address that represents a service |
| 392 | # account. For example, `my-other-app@appspot.gserviceaccount.com`. |
| 393 | # |
| 394 | # * `group:{emailid}`: An email address that represents a Google group. |
| 395 | # For example, `admins@example.com`. |
| 396 | # |
| 397 | # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique |
| 398 | # identifier) representing a user that has been recently deleted. For |
| 399 | # example, `alice@example.com?uid=123456789012345678901`. If the user is |
| 400 | # recovered, this value reverts to `user:{emailid}` and the recovered user |
| 401 | # retains the role in the binding. |
| 402 | # |
| 403 | # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus |
| 404 | # unique identifier) representing a service account that has been recently |
| 405 | # deleted. For example, |
| 406 | # `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. |
| 407 | # If the service account is undeleted, this value reverts to |
| 408 | # `serviceAccount:{emailid}` and the undeleted service account retains the |
| 409 | # role in the binding. |
| 410 | # |
| 411 | # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique |
| 412 | # identifier) representing a Google group that has been recently |
| 413 | # deleted. For example, `admins@example.com?uid=123456789012345678901`. If |
| 414 | # the group is recovered, this value reverts to `group:{emailid}` and the |
| 415 | # recovered group retains the role in the binding. |
| 416 | # |
| 417 | # |
| 418 | # * `domain:{domain}`: The G Suite domain (primary) that represents all the |
| 419 | # users of that domain. For example, `google.com` or `example.com`. |
| 420 | # |
| 421 | "A String", |
| 422 | ], |
| 423 | "role": "A String", # Role that is assigned to `members`. |
| 424 | # For example, `roles/viewer`, `roles/editor`, or `roles/owner`. |
| 425 | }, |
| 426 | ], |
| 427 | }, |
| 428 | }, |
| 429 | ], |
| 430 | "nextPageToken": "A String", # Set if there are more results than those appearing in this response; to get |
| 431 | # the next set of results, call this method again, using this value as the |
| 432 | # `page_token`. |
| 433 | }</pre> |
| 434 | </div> |
| 435 | |
| 436 | <div class="method"> |
| 437 | <code class="details" id="searchAll_next">searchAll_next(previous_request, previous_response)</code> |
| 438 | <pre>Retrieves the next page of results. |
| 439 | |
| 440 | Args: |
| 441 | previous_request: The request for the previous page. (required) |
| 442 | previous_response: The response from the request for the previous page. (required) |
| 443 | |
| 444 | Returns: |
| 445 | A request object that you can call 'execute()' on to request the next |
| 446 | page. Returns None if there are no more items in the collection. |
| 447 | </pre> |
| 448 | </div> |
| 449 | |
| 450 | </body></html> |