Blame - docs/dyn/cloudasset_v1p4beta1.v1p4beta1.html - platform/external/python/google-api-python-client

<code><a href="#analyzeIamPolicy">analyzeIamPolicy(parent, analysisQuery_identitySelector_identity=None, analysisQuery_resourceSelector_fullResourceName=None, options_analyzeServiceAccountImpersonation=None, options_outputResourceEdges=None, analysisQuery_accessSelector_roles=None, options_expandResources=None, analysisQuery_accessSelector_permissions=None, options_expandRoles=None, options_executionTimeout=None, options_outputGroupEdges=None, options_expandGroups=None, x__xgafv=None)</a></code></p>

79

<p class="firstline">Analyzes IAM policies based on the specified request. Returns</p>

80

81

<code><a href="#exportIamPolicyAnalysis">exportIamPolicyAnalysis(parent, body=None, x__xgafv=None)</a></code></p>

82

<p class="firstline">Exports IAM policy analysis based on the specified request. This API</p>

83

<h3>Method Details</h3>

84

85

<code class="details" id="analyzeIamPolicy">analyzeIamPolicy(parent, analysisQuery_identitySelector_identity=None, analysisQuery_resourceSelector_fullResourceName=None, options_analyzeServiceAccountImpersonation=None, options_outputResourceEdges=None, analysisQuery_accessSelector_roles=None, options_expandResources=None, analysisQuery_accessSelector_permissions=None, options_expandRoles=None, options_executionTimeout=None, options_outputGroupEdges=None, options_expandGroups=None, x__xgafv=None)</code>

86

<pre>Analyzes IAM policies based on the specified request. Returns

87

a list of IamPolicyAnalysisResult matching the request.

88

89

Args:

90

parent: string, Required. The relative name of the root asset. Only resources and IAM policies within

91

the parent will be analyzed. This can only be an organization number (such

92

as "organizations/123") or a folder number (such as "folders/123"). (required)

93

analysisQuery_identitySelector_identity: string, Required. The identity appear in the form of members in

94

[IAM policy

95

binding](https://cloud.google.com/iam/reference/rest/v1/Binding).

96

analysisQuery_resourceSelector_fullResourceName: string, Required. The [full resource

97

name](https://cloud.google.com/apis/design/resource_names#full_resource_name)

98

.

99

options_analyzeServiceAccountImpersonation: boolean, Optional. If true, the response will include access analysis from identities to

100

resources via service account impersonation. This is a very expensive

101

operation, because many derived queries will be executed. We highly

102

recommend you use ExportIamPolicyAnalysis rpc instead.

103

104

For example, if the request analyzes for which resources user A has

105

permission P, and there's an IAM policy states user A has

106

iam.serviceAccounts.getAccessToken permission to a service account SA,

107

and there's another IAM policy states service account SA has permission P

108

to a GCP folder F, then user A potentially has access to the GCP folder

109

F. And those advanced analysis results will be included in

110

AnalyzeIamPolicyResponse.service_account_impersonation_analysis.

111

112

Another example, if the request analyzes for who has

113

permission P to a GCP folder F, and there's an IAM policy states user A

114

has iam.serviceAccounts.actAs permission to a service account SA, and

115

there's another IAM policy states service account SA has permission P to

116

the GCP folder F, then user A potentially has access to the GCP folder

117

F. And those advanced analysis results will be included in

118

AnalyzeIamPolicyResponse.service_account_impersonation_analysis.

119

120

Default is false.

121

options_outputResourceEdges: boolean, Optional. If true, the result will output resource edges, starting

122

from the policy attached resource, to any expanded resources.

123

Default is false.

124

analysisQuery_accessSelector_roles: string, Optional. The roles to appear in result. (repeated)

125

options_expandResources: boolean, Optional. If true, the resource section of the result will expand any

126

resource attached to an IAM policy to include resources lower in the

127

resource hierarchy.

128

129

For example, if the request analyzes for which resources user A has

130

permission P, and the results include an IAM policy with P on a GCP

131

folder, the results will also include resources in that folder with

132

permission P.

133

134

If resource_selector is specified, the resource section of the result

135

will be determined by the selector, and this flag will have no effect.

136

Default is false.

137

analysisQuery_accessSelector_permissions: string, Optional. The permissions to appear in result. (repeated)

138

options_expandRoles: boolean, Optional. If true, the access section of result will expand any roles

139

appearing in IAM policy bindings to include their permissions.

140

141

If access_selector is specified, the access section of the result

142

will be determined by the selector, and this flag will have no effect.

143

144

Default is false.

145

options_executionTimeout: string, Optional. Amount of time executable has to complete. See JSON representation of

146

[Duration](https://developers.google.com/protocol-buffers/docs/proto3#json).

147

148

If this field is set with a value less than the RPC deadline, and the

149

execution of your query hasn't finished in the specified

150

execution timeout, you will get a response with partial result.

151

Otherwise, your query's execution will continue until the RPC deadline.

152

If it's not finished until then, you will get a DEADLINE_EXCEEDED error.

153

154

Default is empty.

155

options_outputGroupEdges: boolean, Optional. If true, the result will output group identity edges, starting

156

from the binding's group members, to any expanded identities.

157

Default is false.

158

options_expandGroups: boolean, Optional. If true, the identities section of the result will expand any

159

Google groups appearing in an IAM policy binding.

160

161

If identity_selector is specified, the identity in the result will

162

be determined by the selector, and this flag will have no effect.

163

164

Default is false.

165

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

172

173

{ # A response message for AssetService.AnalyzeIamPolicy.

174

"fullyExplored": True or False, # Represents whether all entries in the main_analysis and

175

# service_account_impersonation_analysis have been fully explored to

176

# answer the query in the request.

177

"nonCriticalErrors": [ # A list of non-critical errors happened during the request handling to

178

# explain why `fully_explored` is false, or empty if no error happened.

179

{ # Represents analysis state of each node in the result graph or non-critical

180

# errors in the response.

181

"cause": "A String", # The human-readable description of the cause of failure.

182

"code": "A String", # The Google standard error code that best describes the state.

183

# For example:

184

# - OK means the node has been successfully explored;

185

# - PERMISSION_DENIED means an access denied error is encountered;

186

# - DEADLINE_EXCEEDED means the node hasn't been explored in time;

187

},

188

],

189

"mainAnalysis": { # An analysis message to group the query and results. # The main analysis that matches the original request.

190

"analysisResults": [ # A list of IamPolicyAnalysisResult that matches the analysis query, or

191

# empty if no result is found.

192

{ # IAM Policy analysis result, consisting of one IAM policy binding and derived

193

# access control lists.

194

"identityList": { # The identity list derived from members of the iam_binding that match or

195

# potentially match identity selector specified in the request.

196

"identities": [ # Only the identities that match one of the following conditions will be

197

# presented:

198

# - The identity_selector, if it is specified in request;

199

# - Otherwise, identities reachable from the policy binding's members.

200

{ # An identity that appears in an access control list.

201

"name": "A String", # The identity name in any form of members appear in

202

# [IAM policy

203

# binding](https://cloud.google.com/iam/reference/rest/v1/Binding), such

204

# as:

205

# - user:foo@google.com

206

# - group:group1@google.com

207

# - serviceAccount:s1@prj1.iam.gserviceaccount.com

208

# - projectOwner:some_project_id

209

# - domain:google.com

210

# - allUsers

211

# - etc.

212

"analysisState": { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this identity node.

213

# errors in the response.

214

"cause": "A String", # The human-readable description of the cause of failure.

215

"code": "A String", # The Google standard error code that best describes the state.

216

# For example:

217

# - OK means the node has been successfully explored;

218

# - PERMISSION_DENIED means an access denied error is encountered;

219

# - DEADLINE_EXCEEDED means the node hasn't been explored in time;

},

},

],

"groupEdges": [ # Group identity edges of the graph starting from the binding's

224

# group members to any node of the identities. The Edge.source_node

225

# contains a group, such as "group:parent@google.com". The

226

# Edge.target_node contains a member of the group,

227

# such as "group:child@google.com" or "user:foo@google.com".

228

# This field is present only if the output_group_edges option is enabled in

229

# request.

230

{ # A directional edge.

231

"targetNode": "A String", # The target node of the edge.

232

"sourceNode": "A String", # The source node of the edge.

},

],

},

"attachedResourceFullName": "A String", # The full name of the resource to which the iam_binding policy attaches.

237

"iamBinding": { # Associates `members` with a `role`. # The Cloud IAM policy binding under analysis.

238

"role": "A String", # Role that is assigned to `members`.

239

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

240

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

241

# NOTE: An unsatisfied condition will not allow user access via current

242

# binding. Different bindings, including their conditions, are examined

243

# independently.

244

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

245

# are documented at https://github.com/google/cel-spec.

246

#

247

# Example (Comparison):

248

#

249

# title: "Summary size limit"

250

# description: "Determines if a summary is less than 100 chars"

251

# expression: "document.summary.size() < 100"

252

#

253

# Example (Equality):

254

#

255

# title: "Requestor is owner"

256

# description: "Determines if requestor is the document owner"

257

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

262

# description: "Determine whether the document should be publicly visible"

263

# expression: "document.type != 'private' && document.type != 'internal'"

264

#

265

# Example (Data Manipulation):

266

#

267

# title: "Notification string"

268

# description: "Create a notification string with a timestamp."

269

# expression: "'New message received at ' + string(document.create_time)"

270

#

271

# The exact variables and functions that may be referenced within an expression

272

# are determined by the service that evaluates it. See the service

273

# documentation for additional information.

274

"expression": "A String", # Textual representation of an expression in Common Expression Language

275

# syntax.

276

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

277

# its purpose. This can be used e.g. in UIs which allow to enter the

278

# expression.

279

"location": "A String", # Optional. String indicating the location of the expression for error

280

# reporting, e.g. a file name and a position in the file.

281

"description": "A String", # Optional. Description of the expression. This is a longer text which

282

# describes the expression, e.g. when hovered over it in a UI.

283

},

284

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

285

# `members` can have the following values:

286

#

287

# * `allUsers`: A special identifier that represents anyone who is

288

# on the internet; with or without a Google account.

289

#

290

# * `allAuthenticatedUsers`: A special identifier that represents anyone

291

# who is authenticated with a Google account or a service account.

292

#

293

# * `user:{emailid}`: An email address that represents a specific Google

294

# account. For example, `alice@example.com` .

295

#

296

#

297

# * `serviceAccount:{emailid}`: An email address that represents a service

298

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

299

#

300

# * `group:{emailid}`: An email address that represents a Google group.

301

# For example, `admins@example.com`.

302

#

303

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

304

# identifier) representing a user that has been recently deleted. For

305

# example, `alice@example.com?uid=123456789012345678901`. If the user is

306

# recovered, this value reverts to `user:{emailid}` and the recovered user

307

# retains the role in the binding.

308

#

309

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

310

# unique identifier) representing a service account that has been recently

311

# deleted. For example,

312

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

313

# If the service account is undeleted, this value reverts to

314

# `serviceAccount:{emailid}` and the undeleted service account retains the

315

# role in the binding.

316

#

317

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

318

# identifier) representing a Google group that has been recently

319

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

320

# the group is recovered, this value reverts to `group:{emailid}` and the

321

# recovered group retains the role in the binding.

322

#

323

#

324

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

325

# users of that domain. For example, `google.com` or `example.com`.

#

"A String",

],

},

"accessControlLists": [ # The access control lists derived from the iam_binding that match or

331

# potentially match resource and access selectors specified in the request.

332

{ # An access control list, derived from the above IAM policy binding, which

333

# contains a set of resources and accesses. May include one

334

# item from each set to compose an access control entry.

335

#

336

# NOTICE that there could be multiple access control lists for one IAM policy

337

# binding. The access control lists are created based on resource and access

338

# combinations.

339

#

340

# For example, assume we have the following cases in one IAM policy binding:

341

# - Permission P1 and P2 apply to resource R1 and R2;

342

# - Permission P3 applies to resource R2 and R3;

343

#

344

# This will result in the following access control lists:

345

# - AccessControlList 1: [R1, R2], [P1, P2]

346

# - AccessControlList 2: [R2, R3], [P3]

347

"resourceEdges": [ # Resource edges of the graph starting from the policy attached

348

# resource to any descendant resources. The Edge.source_node contains

349

# the full resource name of a parent resource and Edge.target_node

350

# contains the full resource name of a child resource. This field is

351

# present only if the output_resource_edges option is enabled in request.

352

{ # A directional edge.

353

"targetNode": "A String", # The target node of the edge.

354

"sourceNode": "A String", # The source node of the edge.

355

},

356

],

357

"resources": [ # The resources that match one of the following conditions:

358

# - The resource_selector, if it is specified in request;

359

# - Otherwise, resources reachable from the policy attached resource.

360

{ # A GCP resource that appears in an access control list.

361

"fullResourceName": "A String", # The [full resource name](https://aip.dev/122#full-resource-names).

362

"analysisState": { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this resource node.

363

# errors in the response.

364

"cause": "A String", # The human-readable description of the cause of failure.

365

"code": "A String", # The Google standard error code that best describes the state.

366

# For example:

367

# - OK means the node has been successfully explored;

368

# - PERMISSION_DENIED means an access denied error is encountered;

369

# - DEADLINE_EXCEEDED means the node hasn't been explored in time;

},

},

],

"accesses": [ # The accesses that match one of the following conditions:

374

# - The access_selector, if it is specified in request;

375

# - Otherwise, access specifiers reachable from the policy binding's role.

376

{ # A role or permission that appears in an access control list.

377

"role": "A String", # The role.

378

"permission": "A String", # The permission.

379

"analysisState": { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this access node.

380

# errors in the response.

381

"cause": "A String", # The human-readable description of the cause of failure.

382

"code": "A String", # The Google standard error code that best describes the state.

383

# For example:

384

# - OK means the node has been successfully explored;

385

# - PERMISSION_DENIED means an access denied error is encountered;

386

# - DEADLINE_EXCEEDED means the node hasn't been explored in time;

},

},

],

},

],

"fullyExplored": True or False, # Represents whether all nodes in the transitive closure of the

393

# iam_binding node have been explored.

394

},

395

],

396

"fullyExplored": True or False, # Represents whether all entries in the analysis_results have been

397

# fully explored to answer the query.

398

"analysisQuery": { # IAM policy analysis query message. # The analysis query.

399

"accessSelector": { # Specifies roles and/or permissions to analyze, to determine both the # Optional. Specifies roles or permissions for analysis. Leaving it empty

400

# means ANY.

401

# identities possessing them and the resources they control. If multiple

402

# values are specified, results will include identities and resources

403

# matching any of them.

404

"roles": [ # Optional. The roles to appear in result.

405

"A String",

406

],

407

"permissions": [ # Optional. The permissions to appear in result.

"A String",

],

},

"identitySelector": { # Specifies an identity for which to determine resource access, based on # Optional. Specifies an identity for analysis. Leaving it empty means ANY.

412

# roles assigned either directly to them or to the groups they belong to,

413

# directly or indirectly.

414

"identity": "A String", # Required. The identity appear in the form of members in

415

# [IAM policy

416

# binding](https://cloud.google.com/iam/reference/rest/v1/Binding).

417

},

418

"parent": "A String", # Required. The relative name of the root asset. Only resources and IAM policies within

419

# the parent will be analyzed. This can only be an organization number (such

420

# as "organizations/123") or a folder number (such as "folders/123").

421

"resourceSelector": { # Specifies the resource to analyze for access policies, which may be set # Optional. Specifies a resource for analysis. Leaving it empty means ANY.

422

# directly on the resource, or on ancestors such as organizations, folders or

423

# projects. At least one of ResourceSelector, IdentitySelector or

424

# AccessSelector must be specified in a request.

425

"fullResourceName": "A String", # Required. The [full resource

426

# name](https://cloud.google.com/apis/design/resource_names#full_resource_name)

# .

},

},

},

"serviceAccountImpersonationAnalysis": [ # The service account impersonation analysis if

432

# AnalyzeIamPolicyRequest.analyze_service_account_impersonation is

433

# enabled.

434

{ # An analysis message to group the query and results.

435

"analysisResults": [ # A list of IamPolicyAnalysisResult that matches the analysis query, or

436

# empty if no result is found.

437

{ # IAM Policy analysis result, consisting of one IAM policy binding and derived

438

# access control lists.

439

"identityList": { # The identity list derived from members of the iam_binding that match or

440

# potentially match identity selector specified in the request.

441

"identities": [ # Only the identities that match one of the following conditions will be

442

# presented:

443

# - The identity_selector, if it is specified in request;

444

# - Otherwise, identities reachable from the policy binding's members.

445

{ # An identity that appears in an access control list.

446

"name": "A String", # The identity name in any form of members appear in

447

# [IAM policy

448

# binding](https://cloud.google.com/iam/reference/rest/v1/Binding), such

449

# as:

450

# - user:foo@google.com

451

# - group:group1@google.com

452

# - serviceAccount:s1@prj1.iam.gserviceaccount.com

453

# - projectOwner:some_project_id

454

# - domain:google.com

455

# - allUsers

456

# - etc.

457

"analysisState": { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this identity node.

458

# errors in the response.

459

"cause": "A String", # The human-readable description of the cause of failure.

460

"code": "A String", # The Google standard error code that best describes the state.

461

# For example:

462

# - OK means the node has been successfully explored;

463

# - PERMISSION_DENIED means an access denied error is encountered;

464

# - DEADLINE_EXCEEDED means the node hasn't been explored in time;

},

},

],

"groupEdges": [ # Group identity edges of the graph starting from the binding's

469

# group members to any node of the identities. The Edge.source_node

470

# contains a group, such as "group:parent@google.com". The

471

# Edge.target_node contains a member of the group,

472

# such as "group:child@google.com" or "user:foo@google.com".

473

# This field is present only if the output_group_edges option is enabled in

474

# request.

475

{ # A directional edge.

476

"targetNode": "A String", # The target node of the edge.

477

"sourceNode": "A String", # The source node of the edge.

},

],

},

"attachedResourceFullName": "A String", # The full name of the resource to which the iam_binding policy attaches.

482

"iamBinding": { # Associates `members` with a `role`. # The Cloud IAM policy binding under analysis.

483

"role": "A String", # Role that is assigned to `members`.

484

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

485

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

486

# NOTE: An unsatisfied condition will not allow user access via current

487

# binding. Different bindings, including their conditions, are examined

488

# independently.

489

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

490

# are documented at https://github.com/google/cel-spec.

491

#

492

# Example (Comparison):

493

#

494

# title: "Summary size limit"

495

# description: "Determines if a summary is less than 100 chars"

496

# expression: "document.summary.size() < 100"

497

#

498

# Example (Equality):

499

#

500

# title: "Requestor is owner"

501

# description: "Determines if requestor is the document owner"

502

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

507

# description: "Determine whether the document should be publicly visible"

508

# expression: "document.type != 'private' && document.type != 'internal'"

509

#

510

# Example (Data Manipulation):

511

#

512

# title: "Notification string"

513

# description: "Create a notification string with a timestamp."

514

# expression: "'New message received at ' + string(document.create_time)"

515

#

516

# The exact variables and functions that may be referenced within an expression

517

# are determined by the service that evaluates it. See the service

518

# documentation for additional information.

519

"expression": "A String", # Textual representation of an expression in Common Expression Language

520

# syntax.

521

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

522

# its purpose. This can be used e.g. in UIs which allow to enter the

523

# expression.

524

"location": "A String", # Optional. String indicating the location of the expression for error

525

# reporting, e.g. a file name and a position in the file.

526

"description": "A String", # Optional. Description of the expression. This is a longer text which

527

# describes the expression, e.g. when hovered over it in a UI.

528

},

529

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

530

# `members` can have the following values:

531

#

532

# * `allUsers`: A special identifier that represents anyone who is

533

# on the internet; with or without a Google account.

534

#

535

# * `allAuthenticatedUsers`: A special identifier that represents anyone

536

# who is authenticated with a Google account or a service account.

537

#

538

# * `user:{emailid}`: An email address that represents a specific Google

539

# account. For example, `alice@example.com` .

540

#

541

#

542

# * `serviceAccount:{emailid}`: An email address that represents a service

543

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

544

#

545

# * `group:{emailid}`: An email address that represents a Google group.

546

# For example, `admins@example.com`.

547

#

548

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

549

# identifier) representing a user that has been recently deleted. For

550

# example, `alice@example.com?uid=123456789012345678901`. If the user is

551

# recovered, this value reverts to `user:{emailid}` and the recovered user

552

# retains the role in the binding.

553

#

554

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

555

# unique identifier) representing a service account that has been recently

556

# deleted. For example,

557

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

558

# If the service account is undeleted, this value reverts to

559

# `serviceAccount:{emailid}` and the undeleted service account retains the

560

# role in the binding.

561

#

562

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

563

# identifier) representing a Google group that has been recently

564

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

565

# the group is recovered, this value reverts to `group:{emailid}` and the

566

# recovered group retains the role in the binding.

567

#

568

#

569

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

570

# users of that domain. For example, `google.com` or `example.com`.

#

"A String",

],

},

"accessControlLists": [ # The access control lists derived from the iam_binding that match or

576

# potentially match resource and access selectors specified in the request.

577

{ # An access control list, derived from the above IAM policy binding, which

578

# contains a set of resources and accesses. May include one

579

# item from each set to compose an access control entry.

580

#

581

# NOTICE that there could be multiple access control lists for one IAM policy

582

# binding. The access control lists are created based on resource and access

583

# combinations.

584

#

585

# For example, assume we have the following cases in one IAM policy binding:

586

# - Permission P1 and P2 apply to resource R1 and R2;

587

# - Permission P3 applies to resource R2 and R3;

588

#

589

# This will result in the following access control lists:

590

# - AccessControlList 1: [R1, R2], [P1, P2]

591

# - AccessControlList 2: [R2, R3], [P3]

592

"resourceEdges": [ # Resource edges of the graph starting from the policy attached

593

# resource to any descendant resources. The Edge.source_node contains

594

# the full resource name of a parent resource and Edge.target_node

595

# contains the full resource name of a child resource. This field is

596

# present only if the output_resource_edges option is enabled in request.

597

{ # A directional edge.

598

"targetNode": "A String", # The target node of the edge.

599

"sourceNode": "A String", # The source node of the edge.

600

},

601

],

602

"resources": [ # The resources that match one of the following conditions:

603

# - The resource_selector, if it is specified in request;

604

# - Otherwise, resources reachable from the policy attached resource.

605

{ # A GCP resource that appears in an access control list.

606

"fullResourceName": "A String", # The [full resource name](https://aip.dev/122#full-resource-names).

607

"analysisState": { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this resource node.

608

# errors in the response.

609

"cause": "A String", # The human-readable description of the cause of failure.

610

"code": "A String", # The Google standard error code that best describes the state.

611

# For example:

612

# - OK means the node has been successfully explored;

613

# - PERMISSION_DENIED means an access denied error is encountered;

614

# - DEADLINE_EXCEEDED means the node hasn't been explored in time;

},

},

],

"accesses": [ # The accesses that match one of the following conditions:

619

# - The access_selector, if it is specified in request;

620

# - Otherwise, access specifiers reachable from the policy binding's role.

621

{ # A role or permission that appears in an access control list.

622

"role": "A String", # The role.

623

"permission": "A String", # The permission.

624

"analysisState": { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this access node.

625

# errors in the response.

626

"cause": "A String", # The human-readable description of the cause of failure.

627

"code": "A String", # The Google standard error code that best describes the state.

628

# For example:

629

# - OK means the node has been successfully explored;

630

# - PERMISSION_DENIED means an access denied error is encountered;

631

# - DEADLINE_EXCEEDED means the node hasn't been explored in time;

},

},

],

},

],

"fullyExplored": True or False, # Represents whether all nodes in the transitive closure of the

638

# iam_binding node have been explored.

639

},

640

],

641

"fullyExplored": True or False, # Represents whether all entries in the analysis_results have been

642

# fully explored to answer the query.

643

"analysisQuery": { # IAM policy analysis query message. # The analysis query.

644

"accessSelector": { # Specifies roles and/or permissions to analyze, to determine both the # Optional. Specifies roles or permissions for analysis. Leaving it empty

645

# means ANY.

646

# identities possessing them and the resources they control. If multiple

647

# values are specified, results will include identities and resources

648

# matching any of them.

649

"roles": [ # Optional. The roles to appear in result.

650

"A String",

651

],

652

"permissions": [ # Optional. The permissions to appear in result.

"A String",

],

},

"identitySelector": { # Specifies an identity for which to determine resource access, based on # Optional. Specifies an identity for analysis. Leaving it empty means ANY.

657

# roles assigned either directly to them or to the groups they belong to,

658

# directly or indirectly.

659

"identity": "A String", # Required. The identity appear in the form of members in

660

# [IAM policy

661

# binding](https://cloud.google.com/iam/reference/rest/v1/Binding).

662

},

663

"parent": "A String", # Required. The relative name of the root asset. Only resources and IAM policies within

664

# the parent will be analyzed. This can only be an organization number (such

665

# as "organizations/123") or a folder number (such as "folders/123").

666

"resourceSelector": { # Specifies the resource to analyze for access policies, which may be set # Optional. Specifies a resource for analysis. Leaving it empty means ANY.

667

# directly on the resource, or on ancestors such as organizations, folders or

668

# projects. At least one of ResourceSelector, IdentitySelector or

669

# AccessSelector must be specified in a request.

670

"fullResourceName": "A String", # Required. The [full resource

671

# name](https://cloud.google.com/apis/design/resource_names#full_resource_name)

# .

},

},

},

],

}</pre>

</div>

<code class="details" id="exportIamPolicyAnalysis">exportIamPolicyAnalysis(parent, body=None, x__xgafv=None)</code>

682

<pre>Exports IAM policy analysis based on the specified request. This API

683

implements the google.longrunning.Operation API allowing you to keep

684

track of the export. The metadata contains the request to help callers to

685

map responses to requests.

686

687

Args:

688

parent: string, Required. The relative name of the root asset. Only resources and IAM policies within

689

the parent will be analyzed. This can only be an organization number (such

690

as "organizations/123") or a folder number (such as "folders/123"). (required)

691

body: object, The request body.

692

The object takes the form of:

693

694

{ # A request message for AssetService.ExportIamPolicyAnalysis.

695

"outputConfig": { # Output configuration for export IAM policy analysis destination. # Required. Output configuration indicating where the results will be output to.

696

"gcsDestination": { # A Cloud Storage location. # Destination on Cloud Storage.

697

"uri": "A String", # Required. The uri of the Cloud Storage object. It's the same uri that is used by

698

# gsutil. For example: "gs://bucket_name/object_name". See [Viewing and

699

# Editing Object

700

# Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata)

701

# for more information.

702

},

703

},

704

"analysisQuery": { # IAM policy analysis query message. # Required. The request query.

705

"accessSelector": { # Specifies roles and/or permissions to analyze, to determine both the # Optional. Specifies roles or permissions for analysis. Leaving it empty

706

# means ANY.

707

# identities possessing them and the resources they control. If multiple

708

# values are specified, results will include identities and resources

709

# matching any of them.

710

"roles": [ # Optional. The roles to appear in result.

711

"A String",

712

],

713

"permissions": [ # Optional. The permissions to appear in result.

"A String",

],

},

"identitySelector": { # Specifies an identity for which to determine resource access, based on # Optional. Specifies an identity for analysis. Leaving it empty means ANY.

718

# roles assigned either directly to them or to the groups they belong to,

719

# directly or indirectly.

720

"identity": "A String", # Required. The identity appear in the form of members in

721

# [IAM policy

722

# binding](https://cloud.google.com/iam/reference/rest/v1/Binding).

723

},

724

"parent": "A String", # Required. The relative name of the root asset. Only resources and IAM policies within

725

# the parent will be analyzed. This can only be an organization number (such

726

# as "organizations/123") or a folder number (such as "folders/123").

727

"resourceSelector": { # Specifies the resource to analyze for access policies, which may be set # Optional. Specifies a resource for analysis. Leaving it empty means ANY.

728

# directly on the resource, or on ancestors such as organizations, folders or

729

# projects. At least one of ResourceSelector, IdentitySelector or

730

# AccessSelector must be specified in a request.

731

"fullResourceName": "A String", # Required. The [full resource

732

# name](https://cloud.google.com/apis/design/resource_names#full_resource_name)

# .

},

},

"options": { # Contains request options. # Optional. The request options.

737

"outputResourceEdges": True or False, # Optional. If true, the result will output resource edges, starting

738

# from the policy attached resource, to any expanded resources.

739

# Default is false.

740

"expandRoles": True or False, # Optional. If true, the access section of result will expand any roles

741

# appearing in IAM policy bindings to include their permissions.

742

#

743

# If access_selector is specified, the access section of the result

744

# will be determined by the selector, and this flag will have no effect.

745

#

746

# Default is false.

747

"expandGroups": True or False, # Optional. If true, the identities section of the result will expand any

748

# Google groups appearing in an IAM policy binding.

749

#

750

# If identity_selector is specified, the identity in the result will

751

# be determined by the selector, and this flag will have no effect.

752

#

753

# Default is false.

754

"analyzeServiceAccountImpersonation": True or False, # Optional. If true, the response will include access analysis from identities to

755

# resources via service account impersonation. This is a very expensive

756

# operation, because many derived queries will be executed.

757

#

758

# For example, if the request analyzes for which resources user A has

759

# permission P, and there's an IAM policy states user A has

760

# iam.serviceAccounts.getAccessToken permission to a service account SA,

761

# and there's another IAM policy states service account SA has permission P

762

# to a GCP folder F, then user A potentially has access to the GCP folder

763

# F. And those advanced analysis results will be included in

764

# AnalyzeIamPolicyResponse.service_account_impersonation_analysis.

765

#

766

# Another example, if the request analyzes for who has

767

# permission P to a GCP folder F, and there's an IAM policy states user A

768

# has iam.serviceAccounts.actAs permission to a service account SA, and

769

# there's another IAM policy states service account SA has permission P to

770

# the GCP folder F, then user A potentially has access to the GCP folder

771

# F. And those advanced analysis results will be included in

772

# AnalyzeIamPolicyResponse.service_account_impersonation_analysis.

773

#

774

# Default is false.

775

"expandResources": True or False, # Optional. If true, the resource section of the result will expand any

776

# resource attached to an IAM policy to include resources lower in the

777

# resource hierarchy.

778

#

779

# For example, if the request analyzes for which resources user A has

780

# permission P, and the results include an IAM policy with P on a GCP

781

# folder, the results will also include resources in that folder with

782

# permission P.

783

#

784

# If resource_selector is specified, the resource section of the result

785

# will be determined by the selector, and this flag will have no effect.

786

# Default is false.

787

"outputGroupEdges": True or False, # Optional. If true, the result will output group identity edges, starting

788

# from the binding's group members, to any expanded identities.

# Default is false.

},

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

800

801

{ # This resource represents a long-running operation that is the result of a

802

# network API call.

803

"done": True or False, # If the value is `false`, it means the operation is still in progress.

804

# If `true`, the operation is completed, and either `error` or `response` is

805

# available.

806

"response": { # The normal response of the operation in case of success. If the original

807

# method returns no data on success, such as `Delete`, the response is

808

# `google.protobuf.Empty`. If the original method is standard

809

# `Get`/`Create`/`Update`, the response should be the resource. For other

810

# methods, the response should have the type `XxxResponse`, where `Xxx`

811

# is the original method name. For example, if the original method name

812

# is `TakeSnapshot()`, the inferred response type is

813

# `TakeSnapshotResponse`.

814

"a_key": "", # Properties of the object. Contains field @type with type URL.

815

},

816

"name": "A String", # The server-assigned name, which is only unique within the same service that

817

# originally returns it. If you use the default HTTP mapping, the

818

# `name` should be a resource name ending with `operations/{unique_id}`.

819

"error": { # The `Status` type defines a logical error model that is suitable for # The error result of the operation in case of failure or cancellation.

820

# different programming environments, including REST APIs and RPC APIs. It is

821

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

822

# three pieces of data: error code, error message, and error details.

823

#

824

# You can find out more about this error model and how to work with it in the

825

# [API Design Guide](https://cloud.google.com/apis/design/errors).