blob: 96660e616c59bddc6b99d04697c1003114ddd19b [file] [log] [blame]
Bu Sun Kim65020912020-05-20 12:08:20 -07001<html><body>
2<style>
3
4body, h1, h2, h3, div, span, p, pre, a {
5 margin: 0;
6 padding: 0;
7 border: 0;
8 font-weight: inherit;
9 font-style: inherit;
10 font-size: 100%;
11 font-family: inherit;
12 vertical-align: baseline;
13}
14
15body {
16 font-size: 13px;
17 padding: 1em;
18}
19
20h1 {
21 font-size: 26px;
22 margin-bottom: 1em;
23}
24
25h2 {
26 font-size: 24px;
27 margin-bottom: 1em;
28}
29
30h3 {
31 font-size: 20px;
32 margin-bottom: 1em;
33 margin-top: 1em;
34}
35
36pre, code {
37 line-height: 1.5;
38 font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
39}
40
41pre {
42 margin-top: 0.5em;
43}
44
45h1, h2, h3, p {
46 font-family: Arial, sans serif;
47}
48
49h1, h2, h3 {
50 border-bottom: solid #CCC 1px;
51}
52
53.toc_element {
54 margin-top: 0.5em;
55}
56
57.firstline {
58 margin-left: 2 em;
59}
60
61.method {
62 margin-top: 1em;
63 border: solid 1px #CCC;
64 padding: 1em;
65 background: #EEE;
66}
67
68.details {
69 font-weight: bold;
70 font-size: 14px;
71}
72
73</style>
74
75<h1><a href="cloudasset_v1p4beta1.html">Cloud Asset API</a> . <a href="cloudasset_v1p4beta1.v1p4beta1.html">v1p4beta1</a></h1>
76<h2>Instance Methods</h2>
77<p class="toc_element">
78 <code><a href="#analyzeIamPolicy">analyzeIamPolicy(parent, analysisQuery_identitySelector_identity=None, analysisQuery_resourceSelector_fullResourceName=None, options_analyzeServiceAccountImpersonation=None, options_outputResourceEdges=None, analysisQuery_accessSelector_roles=None, options_expandResources=None, analysisQuery_accessSelector_permissions=None, options_expandRoles=None, options_executionTimeout=None, options_outputGroupEdges=None, options_expandGroups=None, x__xgafv=None)</a></code></p>
79<p class="firstline">Analyzes IAM policies based on the specified request. Returns</p>
80<p class="toc_element">
81 <code><a href="#exportIamPolicyAnalysis">exportIamPolicyAnalysis(parent, body=None, x__xgafv=None)</a></code></p>
82<p class="firstline">Exports IAM policy analysis based on the specified request. This API</p>
83<h3>Method Details</h3>
84<div class="method">
85 <code class="details" id="analyzeIamPolicy">analyzeIamPolicy(parent, analysisQuery_identitySelector_identity=None, analysisQuery_resourceSelector_fullResourceName=None, options_analyzeServiceAccountImpersonation=None, options_outputResourceEdges=None, analysisQuery_accessSelector_roles=None, options_expandResources=None, analysisQuery_accessSelector_permissions=None, options_expandRoles=None, options_executionTimeout=None, options_outputGroupEdges=None, options_expandGroups=None, x__xgafv=None)</code>
86 <pre>Analyzes IAM policies based on the specified request. Returns
87a list of IamPolicyAnalysisResult matching the request.
88
89Args:
90 parent: string, Required. The relative name of the root asset. Only resources and IAM policies within
91the parent will be analyzed. This can only be an organization number (such
92as &quot;organizations/123&quot;) or a folder number (such as &quot;folders/123&quot;). (required)
93 analysisQuery_identitySelector_identity: string, Required. The identity appear in the form of members in
94[IAM policy
95binding](https://cloud.google.com/iam/reference/rest/v1/Binding).
96 analysisQuery_resourceSelector_fullResourceName: string, Required. The [full resource
97name](https://cloud.google.com/apis/design/resource_names#full_resource_name)
98.
99 options_analyzeServiceAccountImpersonation: boolean, Optional. If true, the response will include access analysis from identities to
100resources via service account impersonation. This is a very expensive
101operation, because many derived queries will be executed. We highly
102recommend you use ExportIamPolicyAnalysis rpc instead.
103
104For example, if the request analyzes for which resources user A has
105permission P, and there&#x27;s an IAM policy states user A has
106iam.serviceAccounts.getAccessToken permission to a service account SA,
107and there&#x27;s another IAM policy states service account SA has permission P
108to a GCP folder F, then user A potentially has access to the GCP folder
109F. And those advanced analysis results will be included in
110AnalyzeIamPolicyResponse.service_account_impersonation_analysis.
111
112Another example, if the request analyzes for who has
113permission P to a GCP folder F, and there&#x27;s an IAM policy states user A
114has iam.serviceAccounts.actAs permission to a service account SA, and
115there&#x27;s another IAM policy states service account SA has permission P to
116the GCP folder F, then user A potentially has access to the GCP folder
117F. And those advanced analysis results will be included in
118AnalyzeIamPolicyResponse.service_account_impersonation_analysis.
119
120Default is false.
121 options_outputResourceEdges: boolean, Optional. If true, the result will output resource edges, starting
122from the policy attached resource, to any expanded resources.
123Default is false.
124 analysisQuery_accessSelector_roles: string, Optional. The roles to appear in result. (repeated)
125 options_expandResources: boolean, Optional. If true, the resource section of the result will expand any
126resource attached to an IAM policy to include resources lower in the
127resource hierarchy.
128
129For example, if the request analyzes for which resources user A has
130permission P, and the results include an IAM policy with P on a GCP
131folder, the results will also include resources in that folder with
132permission P.
133
134If resource_selector is specified, the resource section of the result
135will be determined by the selector, and this flag will have no effect.
136Default is false.
137 analysisQuery_accessSelector_permissions: string, Optional. The permissions to appear in result. (repeated)
138 options_expandRoles: boolean, Optional. If true, the access section of result will expand any roles
139appearing in IAM policy bindings to include their permissions.
140
141If access_selector is specified, the access section of the result
142will be determined by the selector, and this flag will have no effect.
143
144Default is false.
145 options_executionTimeout: string, Optional. Amount of time executable has to complete. See JSON representation of
146[Duration](https://developers.google.com/protocol-buffers/docs/proto3#json).
147
148If this field is set with a value less than the RPC deadline, and the
149execution of your query hasn&#x27;t finished in the specified
150execution timeout, you will get a response with partial result.
151Otherwise, your query&#x27;s execution will continue until the RPC deadline.
152If it&#x27;s not finished until then, you will get a DEADLINE_EXCEEDED error.
153
154Default is empty.
155 options_outputGroupEdges: boolean, Optional. If true, the result will output group identity edges, starting
156from the binding&#x27;s group members, to any expanded identities.
157Default is false.
158 options_expandGroups: boolean, Optional. If true, the identities section of the result will expand any
159Google groups appearing in an IAM policy binding.
160
161If identity_selector is specified, the identity in the result will
162be determined by the selector, and this flag will have no effect.
163
164Default is false.
165 x__xgafv: string, V1 error format.
166 Allowed values
167 1 - v1 error format
168 2 - v2 error format
169
170Returns:
171 An object of the form:
172
173 { # A response message for AssetService.AnalyzeIamPolicy.
174 &quot;fullyExplored&quot;: True or False, # Represents whether all entries in the main_analysis and
175 # service_account_impersonation_analysis have been fully explored to
176 # answer the query in the request.
177 &quot;nonCriticalErrors&quot;: [ # A list of non-critical errors happened during the request handling to
178 # explain why `fully_explored` is false, or empty if no error happened.
179 { # Represents analysis state of each node in the result graph or non-critical
180 # errors in the response.
181 &quot;cause&quot;: &quot;A String&quot;, # The human-readable description of the cause of failure.
182 &quot;code&quot;: &quot;A String&quot;, # The Google standard error code that best describes the state.
183 # For example:
184 # - OK means the node has been successfully explored;
185 # - PERMISSION_DENIED means an access denied error is encountered;
186 # - DEADLINE_EXCEEDED means the node hasn&#x27;t been explored in time;
187 },
188 ],
189 &quot;mainAnalysis&quot;: { # An analysis message to group the query and results. # The main analysis that matches the original request.
190 &quot;analysisResults&quot;: [ # A list of IamPolicyAnalysisResult that matches the analysis query, or
191 # empty if no result is found.
192 { # IAM Policy analysis result, consisting of one IAM policy binding and derived
193 # access control lists.
194 &quot;identityList&quot;: { # The identity list derived from members of the iam_binding that match or
195 # potentially match identity selector specified in the request.
196 &quot;identities&quot;: [ # Only the identities that match one of the following conditions will be
197 # presented:
198 # - The identity_selector, if it is specified in request;
199 # - Otherwise, identities reachable from the policy binding&#x27;s members.
200 { # An identity that appears in an access control list.
201 &quot;name&quot;: &quot;A String&quot;, # The identity name in any form of members appear in
202 # [IAM policy
203 # binding](https://cloud.google.com/iam/reference/rest/v1/Binding), such
204 # as:
205 # - user:foo@google.com
206 # - group:group1@google.com
207 # - serviceAccount:s1@prj1.iam.gserviceaccount.com
208 # - projectOwner:some_project_id
209 # - domain:google.com
210 # - allUsers
211 # - etc.
212 &quot;analysisState&quot;: { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this identity node.
213 # errors in the response.
214 &quot;cause&quot;: &quot;A String&quot;, # The human-readable description of the cause of failure.
215 &quot;code&quot;: &quot;A String&quot;, # The Google standard error code that best describes the state.
216 # For example:
217 # - OK means the node has been successfully explored;
218 # - PERMISSION_DENIED means an access denied error is encountered;
219 # - DEADLINE_EXCEEDED means the node hasn&#x27;t been explored in time;
220 },
221 },
222 ],
223 &quot;groupEdges&quot;: [ # Group identity edges of the graph starting from the binding&#x27;s
224 # group members to any node of the identities. The Edge.source_node
225 # contains a group, such as &quot;group:parent@google.com&quot;. The
226 # Edge.target_node contains a member of the group,
227 # such as &quot;group:child@google.com&quot; or &quot;user:foo@google.com&quot;.
228 # This field is present only if the output_group_edges option is enabled in
229 # request.
230 { # A directional edge.
231 &quot;targetNode&quot;: &quot;A String&quot;, # The target node of the edge.
232 &quot;sourceNode&quot;: &quot;A String&quot;, # The source node of the edge.
233 },
234 ],
235 },
236 &quot;attachedResourceFullName&quot;: &quot;A String&quot;, # The full name of the resource to which the iam_binding policy attaches.
237 &quot;iamBinding&quot;: { # Associates `members` with a `role`. # The Cloud IAM policy binding under analysis.
238 &quot;role&quot;: &quot;A String&quot;, # Role that is assigned to `members`.
239 # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
240 &quot;condition&quot;: { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.
241 # NOTE: An unsatisfied condition will not allow user access via current
242 # binding. Different bindings, including their conditions, are examined
243 # independently.
244 # syntax. CEL is a C-like expression language. The syntax and semantics of CEL
245 # are documented at https://github.com/google/cel-spec.
246 #
247 # Example (Comparison):
248 #
249 # title: &quot;Summary size limit&quot;
250 # description: &quot;Determines if a summary is less than 100 chars&quot;
251 # expression: &quot;document.summary.size() &lt; 100&quot;
252 #
253 # Example (Equality):
254 #
255 # title: &quot;Requestor is owner&quot;
256 # description: &quot;Determines if requestor is the document owner&quot;
257 # expression: &quot;document.owner == request.auth.claims.email&quot;
258 #
259 # Example (Logic):
260 #
261 # title: &quot;Public documents&quot;
262 # description: &quot;Determine whether the document should be publicly visible&quot;
263 # expression: &quot;document.type != &#x27;private&#x27; &amp;&amp; document.type != &#x27;internal&#x27;&quot;
264 #
265 # Example (Data Manipulation):
266 #
267 # title: &quot;Notification string&quot;
268 # description: &quot;Create a notification string with a timestamp.&quot;
269 # expression: &quot;&#x27;New message received at &#x27; + string(document.create_time)&quot;
270 #
271 # The exact variables and functions that may be referenced within an expression
272 # are determined by the service that evaluates it. See the service
273 # documentation for additional information.
274 &quot;expression&quot;: &quot;A String&quot;, # Textual representation of an expression in Common Expression Language
275 # syntax.
276 &quot;title&quot;: &quot;A String&quot;, # Optional. Title for the expression, i.e. a short string describing
277 # its purpose. This can be used e.g. in UIs which allow to enter the
278 # expression.
279 &quot;location&quot;: &quot;A String&quot;, # Optional. String indicating the location of the expression for error
280 # reporting, e.g. a file name and a position in the file.
281 &quot;description&quot;: &quot;A String&quot;, # Optional. Description of the expression. This is a longer text which
282 # describes the expression, e.g. when hovered over it in a UI.
283 },
284 &quot;members&quot;: [ # Specifies the identities requesting access for a Cloud Platform resource.
285 # `members` can have the following values:
286 #
287 # * `allUsers`: A special identifier that represents anyone who is
288 # on the internet; with or without a Google account.
289 #
290 # * `allAuthenticatedUsers`: A special identifier that represents anyone
291 # who is authenticated with a Google account or a service account.
292 #
293 # * `user:{emailid}`: An email address that represents a specific Google
294 # account. For example, `alice@example.com` .
295 #
296 #
297 # * `serviceAccount:{emailid}`: An email address that represents a service
298 # account. For example, `my-other-app@appspot.gserviceaccount.com`.
299 #
300 # * `group:{emailid}`: An email address that represents a Google group.
301 # For example, `admins@example.com`.
302 #
303 # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
304 # identifier) representing a user that has been recently deleted. For
305 # example, `alice@example.com?uid=123456789012345678901`. If the user is
306 # recovered, this value reverts to `user:{emailid}` and the recovered user
307 # retains the role in the binding.
308 #
309 # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
310 # unique identifier) representing a service account that has been recently
311 # deleted. For example,
312 # `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
313 # If the service account is undeleted, this value reverts to
314 # `serviceAccount:{emailid}` and the undeleted service account retains the
315 # role in the binding.
316 #
317 # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
318 # identifier) representing a Google group that has been recently
319 # deleted. For example, `admins@example.com?uid=123456789012345678901`. If
320 # the group is recovered, this value reverts to `group:{emailid}` and the
321 # recovered group retains the role in the binding.
322 #
323 #
324 # * `domain:{domain}`: The G Suite domain (primary) that represents all the
325 # users of that domain. For example, `google.com` or `example.com`.
326 #
327 &quot;A String&quot;,
328 ],
329 },
330 &quot;accessControlLists&quot;: [ # The access control lists derived from the iam_binding that match or
331 # potentially match resource and access selectors specified in the request.
332 { # An access control list, derived from the above IAM policy binding, which
333 # contains a set of resources and accesses. May include one
334 # item from each set to compose an access control entry.
335 #
336 # NOTICE that there could be multiple access control lists for one IAM policy
337 # binding. The access control lists are created based on resource and access
338 # combinations.
339 #
340 # For example, assume we have the following cases in one IAM policy binding:
341 # - Permission P1 and P2 apply to resource R1 and R2;
342 # - Permission P3 applies to resource R2 and R3;
343 #
344 # This will result in the following access control lists:
345 # - AccessControlList 1: [R1, R2], [P1, P2]
346 # - AccessControlList 2: [R2, R3], [P3]
347 &quot;resourceEdges&quot;: [ # Resource edges of the graph starting from the policy attached
348 # resource to any descendant resources. The Edge.source_node contains
349 # the full resource name of a parent resource and Edge.target_node
350 # contains the full resource name of a child resource. This field is
351 # present only if the output_resource_edges option is enabled in request.
352 { # A directional edge.
353 &quot;targetNode&quot;: &quot;A String&quot;, # The target node of the edge.
354 &quot;sourceNode&quot;: &quot;A String&quot;, # The source node of the edge.
355 },
356 ],
357 &quot;resources&quot;: [ # The resources that match one of the following conditions:
358 # - The resource_selector, if it is specified in request;
359 # - Otherwise, resources reachable from the policy attached resource.
360 { # A GCP resource that appears in an access control list.
361 &quot;fullResourceName&quot;: &quot;A String&quot;, # The [full resource name](https://aip.dev/122#full-resource-names).
362 &quot;analysisState&quot;: { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this resource node.
363 # errors in the response.
364 &quot;cause&quot;: &quot;A String&quot;, # The human-readable description of the cause of failure.
365 &quot;code&quot;: &quot;A String&quot;, # The Google standard error code that best describes the state.
366 # For example:
367 # - OK means the node has been successfully explored;
368 # - PERMISSION_DENIED means an access denied error is encountered;
369 # - DEADLINE_EXCEEDED means the node hasn&#x27;t been explored in time;
370 },
371 },
372 ],
373 &quot;accesses&quot;: [ # The accesses that match one of the following conditions:
374 # - The access_selector, if it is specified in request;
375 # - Otherwise, access specifiers reachable from the policy binding&#x27;s role.
376 { # A role or permission that appears in an access control list.
377 &quot;role&quot;: &quot;A String&quot;, # The role.
378 &quot;permission&quot;: &quot;A String&quot;, # The permission.
379 &quot;analysisState&quot;: { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this access node.
380 # errors in the response.
381 &quot;cause&quot;: &quot;A String&quot;, # The human-readable description of the cause of failure.
382 &quot;code&quot;: &quot;A String&quot;, # The Google standard error code that best describes the state.
383 # For example:
384 # - OK means the node has been successfully explored;
385 # - PERMISSION_DENIED means an access denied error is encountered;
386 # - DEADLINE_EXCEEDED means the node hasn&#x27;t been explored in time;
387 },
388 },
389 ],
390 },
391 ],
392 &quot;fullyExplored&quot;: True or False, # Represents whether all nodes in the transitive closure of the
393 # iam_binding node have been explored.
394 },
395 ],
396 &quot;fullyExplored&quot;: True or False, # Represents whether all entries in the analysis_results have been
397 # fully explored to answer the query.
398 &quot;analysisQuery&quot;: { # IAM policy analysis query message. # The analysis query.
399 &quot;accessSelector&quot;: { # Specifies roles and/or permissions to analyze, to determine both the # Optional. Specifies roles or permissions for analysis. Leaving it empty
400 # means ANY.
401 # identities possessing them and the resources they control. If multiple
402 # values are specified, results will include identities and resources
403 # matching any of them.
404 &quot;roles&quot;: [ # Optional. The roles to appear in result.
405 &quot;A String&quot;,
406 ],
407 &quot;permissions&quot;: [ # Optional. The permissions to appear in result.
408 &quot;A String&quot;,
409 ],
410 },
411 &quot;identitySelector&quot;: { # Specifies an identity for which to determine resource access, based on # Optional. Specifies an identity for analysis. Leaving it empty means ANY.
412 # roles assigned either directly to them or to the groups they belong to,
413 # directly or indirectly.
414 &quot;identity&quot;: &quot;A String&quot;, # Required. The identity appear in the form of members in
415 # [IAM policy
416 # binding](https://cloud.google.com/iam/reference/rest/v1/Binding).
417 },
418 &quot;parent&quot;: &quot;A String&quot;, # Required. The relative name of the root asset. Only resources and IAM policies within
419 # the parent will be analyzed. This can only be an organization number (such
420 # as &quot;organizations/123&quot;) or a folder number (such as &quot;folders/123&quot;).
421 &quot;resourceSelector&quot;: { # Specifies the resource to analyze for access policies, which may be set # Optional. Specifies a resource for analysis. Leaving it empty means ANY.
422 # directly on the resource, or on ancestors such as organizations, folders or
423 # projects. At least one of ResourceSelector, IdentitySelector or
424 # AccessSelector must be specified in a request.
425 &quot;fullResourceName&quot;: &quot;A String&quot;, # Required. The [full resource
426 # name](https://cloud.google.com/apis/design/resource_names#full_resource_name)
427 # .
428 },
429 },
430 },
431 &quot;serviceAccountImpersonationAnalysis&quot;: [ # The service account impersonation analysis if
432 # AnalyzeIamPolicyRequest.analyze_service_account_impersonation is
433 # enabled.
434 { # An analysis message to group the query and results.
435 &quot;analysisResults&quot;: [ # A list of IamPolicyAnalysisResult that matches the analysis query, or
436 # empty if no result is found.
437 { # IAM Policy analysis result, consisting of one IAM policy binding and derived
438 # access control lists.
439 &quot;identityList&quot;: { # The identity list derived from members of the iam_binding that match or
440 # potentially match identity selector specified in the request.
441 &quot;identities&quot;: [ # Only the identities that match one of the following conditions will be
442 # presented:
443 # - The identity_selector, if it is specified in request;
444 # - Otherwise, identities reachable from the policy binding&#x27;s members.
445 { # An identity that appears in an access control list.
446 &quot;name&quot;: &quot;A String&quot;, # The identity name in any form of members appear in
447 # [IAM policy
448 # binding](https://cloud.google.com/iam/reference/rest/v1/Binding), such
449 # as:
450 # - user:foo@google.com
451 # - group:group1@google.com
452 # - serviceAccount:s1@prj1.iam.gserviceaccount.com
453 # - projectOwner:some_project_id
454 # - domain:google.com
455 # - allUsers
456 # - etc.
457 &quot;analysisState&quot;: { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this identity node.
458 # errors in the response.
459 &quot;cause&quot;: &quot;A String&quot;, # The human-readable description of the cause of failure.
460 &quot;code&quot;: &quot;A String&quot;, # The Google standard error code that best describes the state.
461 # For example:
462 # - OK means the node has been successfully explored;
463 # - PERMISSION_DENIED means an access denied error is encountered;
464 # - DEADLINE_EXCEEDED means the node hasn&#x27;t been explored in time;
465 },
466 },
467 ],
468 &quot;groupEdges&quot;: [ # Group identity edges of the graph starting from the binding&#x27;s
469 # group members to any node of the identities. The Edge.source_node
470 # contains a group, such as &quot;group:parent@google.com&quot;. The
471 # Edge.target_node contains a member of the group,
472 # such as &quot;group:child@google.com&quot; or &quot;user:foo@google.com&quot;.
473 # This field is present only if the output_group_edges option is enabled in
474 # request.
475 { # A directional edge.
476 &quot;targetNode&quot;: &quot;A String&quot;, # The target node of the edge.
477 &quot;sourceNode&quot;: &quot;A String&quot;, # The source node of the edge.
478 },
479 ],
480 },
481 &quot;attachedResourceFullName&quot;: &quot;A String&quot;, # The full name of the resource to which the iam_binding policy attaches.
482 &quot;iamBinding&quot;: { # Associates `members` with a `role`. # The Cloud IAM policy binding under analysis.
483 &quot;role&quot;: &quot;A String&quot;, # Role that is assigned to `members`.
484 # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
485 &quot;condition&quot;: { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.
486 # NOTE: An unsatisfied condition will not allow user access via current
487 # binding. Different bindings, including their conditions, are examined
488 # independently.
489 # syntax. CEL is a C-like expression language. The syntax and semantics of CEL
490 # are documented at https://github.com/google/cel-spec.
491 #
492 # Example (Comparison):
493 #
494 # title: &quot;Summary size limit&quot;
495 # description: &quot;Determines if a summary is less than 100 chars&quot;
496 # expression: &quot;document.summary.size() &lt; 100&quot;
497 #
498 # Example (Equality):
499 #
500 # title: &quot;Requestor is owner&quot;
501 # description: &quot;Determines if requestor is the document owner&quot;
502 # expression: &quot;document.owner == request.auth.claims.email&quot;
503 #
504 # Example (Logic):
505 #
506 # title: &quot;Public documents&quot;
507 # description: &quot;Determine whether the document should be publicly visible&quot;
508 # expression: &quot;document.type != &#x27;private&#x27; &amp;&amp; document.type != &#x27;internal&#x27;&quot;
509 #
510 # Example (Data Manipulation):
511 #
512 # title: &quot;Notification string&quot;
513 # description: &quot;Create a notification string with a timestamp.&quot;
514 # expression: &quot;&#x27;New message received at &#x27; + string(document.create_time)&quot;
515 #
516 # The exact variables and functions that may be referenced within an expression
517 # are determined by the service that evaluates it. See the service
518 # documentation for additional information.
519 &quot;expression&quot;: &quot;A String&quot;, # Textual representation of an expression in Common Expression Language
520 # syntax.
521 &quot;title&quot;: &quot;A String&quot;, # Optional. Title for the expression, i.e. a short string describing
522 # its purpose. This can be used e.g. in UIs which allow to enter the
523 # expression.
524 &quot;location&quot;: &quot;A String&quot;, # Optional. String indicating the location of the expression for error
525 # reporting, e.g. a file name and a position in the file.
526 &quot;description&quot;: &quot;A String&quot;, # Optional. Description of the expression. This is a longer text which
527 # describes the expression, e.g. when hovered over it in a UI.
528 },
529 &quot;members&quot;: [ # Specifies the identities requesting access for a Cloud Platform resource.
530 # `members` can have the following values:
531 #
532 # * `allUsers`: A special identifier that represents anyone who is
533 # on the internet; with or without a Google account.
534 #
535 # * `allAuthenticatedUsers`: A special identifier that represents anyone
536 # who is authenticated with a Google account or a service account.
537 #
538 # * `user:{emailid}`: An email address that represents a specific Google
539 # account. For example, `alice@example.com` .
540 #
541 #
542 # * `serviceAccount:{emailid}`: An email address that represents a service
543 # account. For example, `my-other-app@appspot.gserviceaccount.com`.
544 #
545 # * `group:{emailid}`: An email address that represents a Google group.
546 # For example, `admins@example.com`.
547 #
548 # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
549 # identifier) representing a user that has been recently deleted. For
550 # example, `alice@example.com?uid=123456789012345678901`. If the user is
551 # recovered, this value reverts to `user:{emailid}` and the recovered user
552 # retains the role in the binding.
553 #
554 # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
555 # unique identifier) representing a service account that has been recently
556 # deleted. For example,
557 # `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
558 # If the service account is undeleted, this value reverts to
559 # `serviceAccount:{emailid}` and the undeleted service account retains the
560 # role in the binding.
561 #
562 # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
563 # identifier) representing a Google group that has been recently
564 # deleted. For example, `admins@example.com?uid=123456789012345678901`. If
565 # the group is recovered, this value reverts to `group:{emailid}` and the
566 # recovered group retains the role in the binding.
567 #
568 #
569 # * `domain:{domain}`: The G Suite domain (primary) that represents all the
570 # users of that domain. For example, `google.com` or `example.com`.
571 #
572 &quot;A String&quot;,
573 ],
574 },
575 &quot;accessControlLists&quot;: [ # The access control lists derived from the iam_binding that match or
576 # potentially match resource and access selectors specified in the request.
577 { # An access control list, derived from the above IAM policy binding, which
578 # contains a set of resources and accesses. May include one
579 # item from each set to compose an access control entry.
580 #
581 # NOTICE that there could be multiple access control lists for one IAM policy
582 # binding. The access control lists are created based on resource and access
583 # combinations.
584 #
585 # For example, assume we have the following cases in one IAM policy binding:
586 # - Permission P1 and P2 apply to resource R1 and R2;
587 # - Permission P3 applies to resource R2 and R3;
588 #
589 # This will result in the following access control lists:
590 # - AccessControlList 1: [R1, R2], [P1, P2]
591 # - AccessControlList 2: [R2, R3], [P3]
592 &quot;resourceEdges&quot;: [ # Resource edges of the graph starting from the policy attached
593 # resource to any descendant resources. The Edge.source_node contains
594 # the full resource name of a parent resource and Edge.target_node
595 # contains the full resource name of a child resource. This field is
596 # present only if the output_resource_edges option is enabled in request.
597 { # A directional edge.
598 &quot;targetNode&quot;: &quot;A String&quot;, # The target node of the edge.
599 &quot;sourceNode&quot;: &quot;A String&quot;, # The source node of the edge.
600 },
601 ],
602 &quot;resources&quot;: [ # The resources that match one of the following conditions:
603 # - The resource_selector, if it is specified in request;
604 # - Otherwise, resources reachable from the policy attached resource.
605 { # A GCP resource that appears in an access control list.
606 &quot;fullResourceName&quot;: &quot;A String&quot;, # The [full resource name](https://aip.dev/122#full-resource-names).
607 &quot;analysisState&quot;: { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this resource node.
608 # errors in the response.
609 &quot;cause&quot;: &quot;A String&quot;, # The human-readable description of the cause of failure.
610 &quot;code&quot;: &quot;A String&quot;, # The Google standard error code that best describes the state.
611 # For example:
612 # - OK means the node has been successfully explored;
613 # - PERMISSION_DENIED means an access denied error is encountered;
614 # - DEADLINE_EXCEEDED means the node hasn&#x27;t been explored in time;
615 },
616 },
617 ],
618 &quot;accesses&quot;: [ # The accesses that match one of the following conditions:
619 # - The access_selector, if it is specified in request;
620 # - Otherwise, access specifiers reachable from the policy binding&#x27;s role.
621 { # A role or permission that appears in an access control list.
622 &quot;role&quot;: &quot;A String&quot;, # The role.
623 &quot;permission&quot;: &quot;A String&quot;, # The permission.
624 &quot;analysisState&quot;: { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this access node.
625 # errors in the response.
626 &quot;cause&quot;: &quot;A String&quot;, # The human-readable description of the cause of failure.
627 &quot;code&quot;: &quot;A String&quot;, # The Google standard error code that best describes the state.
628 # For example:
629 # - OK means the node has been successfully explored;
630 # - PERMISSION_DENIED means an access denied error is encountered;
631 # - DEADLINE_EXCEEDED means the node hasn&#x27;t been explored in time;
632 },
633 },
634 ],
635 },
636 ],
637 &quot;fullyExplored&quot;: True or False, # Represents whether all nodes in the transitive closure of the
638 # iam_binding node have been explored.
639 },
640 ],
641 &quot;fullyExplored&quot;: True or False, # Represents whether all entries in the analysis_results have been
642 # fully explored to answer the query.
643 &quot;analysisQuery&quot;: { # IAM policy analysis query message. # The analysis query.
644 &quot;accessSelector&quot;: { # Specifies roles and/or permissions to analyze, to determine both the # Optional. Specifies roles or permissions for analysis. Leaving it empty
645 # means ANY.
646 # identities possessing them and the resources they control. If multiple
647 # values are specified, results will include identities and resources
648 # matching any of them.
649 &quot;roles&quot;: [ # Optional. The roles to appear in result.
650 &quot;A String&quot;,
651 ],
652 &quot;permissions&quot;: [ # Optional. The permissions to appear in result.
653 &quot;A String&quot;,
654 ],
655 },
656 &quot;identitySelector&quot;: { # Specifies an identity for which to determine resource access, based on # Optional. Specifies an identity for analysis. Leaving it empty means ANY.
657 # roles assigned either directly to them or to the groups they belong to,
658 # directly or indirectly.
659 &quot;identity&quot;: &quot;A String&quot;, # Required. The identity appear in the form of members in
660 # [IAM policy
661 # binding](https://cloud.google.com/iam/reference/rest/v1/Binding).
662 },
663 &quot;parent&quot;: &quot;A String&quot;, # Required. The relative name of the root asset. Only resources and IAM policies within
664 # the parent will be analyzed. This can only be an organization number (such
665 # as &quot;organizations/123&quot;) or a folder number (such as &quot;folders/123&quot;).
666 &quot;resourceSelector&quot;: { # Specifies the resource to analyze for access policies, which may be set # Optional. Specifies a resource for analysis. Leaving it empty means ANY.
667 # directly on the resource, or on ancestors such as organizations, folders or
668 # projects. At least one of ResourceSelector, IdentitySelector or
669 # AccessSelector must be specified in a request.
670 &quot;fullResourceName&quot;: &quot;A String&quot;, # Required. The [full resource
671 # name](https://cloud.google.com/apis/design/resource_names#full_resource_name)
672 # .
673 },
674 },
675 },
676 ],
677 }</pre>
678</div>
679
680<div class="method">
681 <code class="details" id="exportIamPolicyAnalysis">exportIamPolicyAnalysis(parent, body=None, x__xgafv=None)</code>
682 <pre>Exports IAM policy analysis based on the specified request. This API
683implements the google.longrunning.Operation API allowing you to keep
684track of the export. The metadata contains the request to help callers to
685map responses to requests.
686
687Args:
688 parent: string, Required. The relative name of the root asset. Only resources and IAM policies within
689the parent will be analyzed. This can only be an organization number (such
690as &quot;organizations/123&quot;) or a folder number (such as &quot;folders/123&quot;). (required)
691 body: object, The request body.
692 The object takes the form of:
693
694{ # A request message for AssetService.ExportIamPolicyAnalysis.
695 &quot;outputConfig&quot;: { # Output configuration for export IAM policy analysis destination. # Required. Output configuration indicating where the results will be output to.
696 &quot;gcsDestination&quot;: { # A Cloud Storage location. # Destination on Cloud Storage.
697 &quot;uri&quot;: &quot;A String&quot;, # Required. The uri of the Cloud Storage object. It&#x27;s the same uri that is used by
698 # gsutil. For example: &quot;gs://bucket_name/object_name&quot;. See [Viewing and
699 # Editing Object
700 # Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata)
701 # for more information.
702 },
703 },
704 &quot;analysisQuery&quot;: { # IAM policy analysis query message. # Required. The request query.
705 &quot;accessSelector&quot;: { # Specifies roles and/or permissions to analyze, to determine both the # Optional. Specifies roles or permissions for analysis. Leaving it empty
706 # means ANY.
707 # identities possessing them and the resources they control. If multiple
708 # values are specified, results will include identities and resources
709 # matching any of them.
710 &quot;roles&quot;: [ # Optional. The roles to appear in result.
711 &quot;A String&quot;,
712 ],
713 &quot;permissions&quot;: [ # Optional. The permissions to appear in result.
714 &quot;A String&quot;,
715 ],
716 },
717 &quot;identitySelector&quot;: { # Specifies an identity for which to determine resource access, based on # Optional. Specifies an identity for analysis. Leaving it empty means ANY.
718 # roles assigned either directly to them or to the groups they belong to,
719 # directly or indirectly.
720 &quot;identity&quot;: &quot;A String&quot;, # Required. The identity appear in the form of members in
721 # [IAM policy
722 # binding](https://cloud.google.com/iam/reference/rest/v1/Binding).
723 },
724 &quot;parent&quot;: &quot;A String&quot;, # Required. The relative name of the root asset. Only resources and IAM policies within
725 # the parent will be analyzed. This can only be an organization number (such
726 # as &quot;organizations/123&quot;) or a folder number (such as &quot;folders/123&quot;).
727 &quot;resourceSelector&quot;: { # Specifies the resource to analyze for access policies, which may be set # Optional. Specifies a resource for analysis. Leaving it empty means ANY.
728 # directly on the resource, or on ancestors such as organizations, folders or
729 # projects. At least one of ResourceSelector, IdentitySelector or
730 # AccessSelector must be specified in a request.
731 &quot;fullResourceName&quot;: &quot;A String&quot;, # Required. The [full resource
732 # name](https://cloud.google.com/apis/design/resource_names#full_resource_name)
733 # .
734 },
735 },
736 &quot;options&quot;: { # Contains request options. # Optional. The request options.
737 &quot;outputResourceEdges&quot;: True or False, # Optional. If true, the result will output resource edges, starting
738 # from the policy attached resource, to any expanded resources.
739 # Default is false.
740 &quot;expandRoles&quot;: True or False, # Optional. If true, the access section of result will expand any roles
741 # appearing in IAM policy bindings to include their permissions.
742 #
743 # If access_selector is specified, the access section of the result
744 # will be determined by the selector, and this flag will have no effect.
745 #
746 # Default is false.
747 &quot;expandGroups&quot;: True or False, # Optional. If true, the identities section of the result will expand any
748 # Google groups appearing in an IAM policy binding.
749 #
750 # If identity_selector is specified, the identity in the result will
751 # be determined by the selector, and this flag will have no effect.
752 #
753 # Default is false.
754 &quot;analyzeServiceAccountImpersonation&quot;: True or False, # Optional. If true, the response will include access analysis from identities to
755 # resources via service account impersonation. This is a very expensive
756 # operation, because many derived queries will be executed.
757 #
758 # For example, if the request analyzes for which resources user A has
759 # permission P, and there&#x27;s an IAM policy states user A has
760 # iam.serviceAccounts.getAccessToken permission to a service account SA,
761 # and there&#x27;s another IAM policy states service account SA has permission P
762 # to a GCP folder F, then user A potentially has access to the GCP folder
763 # F. And those advanced analysis results will be included in
764 # AnalyzeIamPolicyResponse.service_account_impersonation_analysis.
765 #
766 # Another example, if the request analyzes for who has
767 # permission P to a GCP folder F, and there&#x27;s an IAM policy states user A
768 # has iam.serviceAccounts.actAs permission to a service account SA, and
769 # there&#x27;s another IAM policy states service account SA has permission P to
770 # the GCP folder F, then user A potentially has access to the GCP folder
771 # F. And those advanced analysis results will be included in
772 # AnalyzeIamPolicyResponse.service_account_impersonation_analysis.
773 #
774 # Default is false.
775 &quot;expandResources&quot;: True or False, # Optional. If true, the resource section of the result will expand any
776 # resource attached to an IAM policy to include resources lower in the
777 # resource hierarchy.
778 #
779 # For example, if the request analyzes for which resources user A has
780 # permission P, and the results include an IAM policy with P on a GCP
781 # folder, the results will also include resources in that folder with
782 # permission P.
783 #
784 # If resource_selector is specified, the resource section of the result
785 # will be determined by the selector, and this flag will have no effect.
786 # Default is false.
787 &quot;outputGroupEdges&quot;: True or False, # Optional. If true, the result will output group identity edges, starting
788 # from the binding&#x27;s group members, to any expanded identities.
789 # Default is false.
790 },
791 }
792
793 x__xgafv: string, V1 error format.
794 Allowed values
795 1 - v1 error format
796 2 - v2 error format
797
798Returns:
799 An object of the form:
800
801 { # This resource represents a long-running operation that is the result of a
802 # network API call.
803 &quot;done&quot;: True or False, # If the value is `false`, it means the operation is still in progress.
804 # If `true`, the operation is completed, and either `error` or `response` is
805 # available.
806 &quot;response&quot;: { # The normal response of the operation in case of success. If the original
807 # method returns no data on success, such as `Delete`, the response is
808 # `google.protobuf.Empty`. If the original method is standard
809 # `Get`/`Create`/`Update`, the response should be the resource. For other
810 # methods, the response should have the type `XxxResponse`, where `Xxx`
811 # is the original method name. For example, if the original method name
812 # is `TakeSnapshot()`, the inferred response type is
813 # `TakeSnapshotResponse`.
814 &quot;a_key&quot;: &quot;&quot;, # Properties of the object. Contains field @type with type URL.
815 },
816 &quot;name&quot;: &quot;A String&quot;, # The server-assigned name, which is only unique within the same service that
817 # originally returns it. If you use the default HTTP mapping, the
818 # `name` should be a resource name ending with `operations/{unique_id}`.
819 &quot;error&quot;: { # The `Status` type defines a logical error model that is suitable for # The error result of the operation in case of failure or cancellation.
820 # different programming environments, including REST APIs and RPC APIs. It is
821 # used by [gRPC](https://github.com/grpc). Each `Status` message contains
822 # three pieces of data: error code, error message, and error details.
823 #
824 # You can find out more about this error model and how to work with it in the
825 # [API Design Guide](https://cloud.google.com/apis/design/errors).
826 &quot;details&quot;: [ # A list of messages that carry the error details. There is a common set of
827 # message types for APIs to use.
828 {
829 &quot;a_key&quot;: &quot;&quot;, # Properties of the object. Contains field @type with type URL.
830 },
831 ],
832 &quot;code&quot;: 42, # The status code, which should be an enum value of google.rpc.Code.
833 &quot;message&quot;: &quot;A String&quot;, # A developer-facing error message, which should be in English. Any
834 # user-facing error message should be localized and sent in the
835 # google.rpc.Status.details field, or localized by the client.
836 },
837 &quot;metadata&quot;: { # Service-specific metadata associated with the operation. It typically
838 # contains progress information and common metadata such as create time.
839 # Some services might not provide such metadata. Any method that returns a
840 # long-running operation should document the metadata type, if any.
841 &quot;a_key&quot;: &quot;&quot;, # Properties of the object. Contains field @type with type URL.
842 },
843 }</pre>
844</div>
845
846</body></html>