Blame - docs/dyn/secretmanager_v1beta1.projects.secrets.html - platform/external/python/google-api-python-client

<h1><a href="secretmanager_v1beta1.html">Secret Manager API</a> . <a href="secretmanager_v1beta1.projects.html">projects</a> . <a href="secretmanager_v1beta1.projects.secrets.html">secrets</a></h1>

76

<h2>Instance Methods</h2>

77

78

<code><a href="secretmanager_v1beta1.projects.secrets.versions.html">versions()</a></code>

79

</p>

80

<p class="firstline">Returns the versions Resource.</p>

81

82

83

<code><a href="#addVersion">addVersion(parent, body=None, x__xgafv=None)</a></code></p>

84

<p class="firstline">Creates a new SecretVersion containing secret data and attaches</p>

85

86

<code><a href="#create">create(parent, body=None, secretId=None, x__xgafv=None)</a></code></p>

87

<p class="firstline">Creates a new Secret containing no SecretVersions.</p>

88

89

<code><a href="#delete">delete(name, x__xgafv=None)</a></code></p>

90

<p class="firstline">Deletes a Secret.</p>

91

92

<code><a href="#get">get(name, x__xgafv=None)</a></code></p>

93

<p class="firstline">Gets metadata for a given Secret.</p>

94

95

<code><a href="#getIamPolicy">getIamPolicy(resource, options_requestedPolicyVersion=None, x__xgafv=None)</a></code></p>

96

<p class="firstline">Gets the access control policy for a secret.</p>

97

98

<code><a href="#list">list(parent, pageToken=None, pageSize=None, x__xgafv=None)</a></code></p>

99

<p class="firstline">Lists Secrets.</p>

100

101

<code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>

102

<p class="firstline">Retrieves the next page of results.</p>

103

104

<code><a href="#patch">patch(name, body=None, updateMask=None, x__xgafv=None)</a></code></p>

105

<p class="firstline">Updates metadata of an existing Secret.</p>

106

107

<code><a href="#setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</a></code></p>

108

<p class="firstline">Sets the access control policy on the specified secret. Replaces any</p>

109

110

<code><a href="#testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</a></code></p>

111

<p class="firstline">Returns permissions that a caller has for the specified secret.</p>

112

<h3>Method Details</h3>

113

114

<code class="details" id="addVersion">addVersion(parent, body=None, x__xgafv=None)</code>

115

<pre>Creates a new SecretVersion containing secret data and attaches

116

it to an existing Secret.

117

118

Args:

119

parent: string, Required. The resource name of the Secret to associate with the

120

SecretVersion in the format `projects/*/secrets/*`. (required)

121

body: object, The request body.

122

The object takes the form of:

123

124

{ # Request message for SecretManagerService.AddSecretVersion.

125

"payload": { # A secret payload resource in the Secret Manager API. This contains the # Required. The secret payload of the SecretVersion.

126

# sensitive secret data that is associated with a SecretVersion.

127

"data": "A String", # The secret data. Must be no larger than 64KiB.

},

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

138

139

{ # A secret version resource in the Secret Manager API.

140

"state": "A String", # Output only. The current state of the SecretVersion.

141

"name": "A String", # Output only. The resource name of the SecretVersion in the

142

# format `projects/*/secrets/*/versions/*`.

143

#

144

# SecretVersion IDs in a Secret start at 1 and

145

# are incremented for each subsequent version of the secret.

146

"destroyTime": "A String", # Output only. The time this SecretVersion was destroyed.

147

# Only present if state is

148

# DESTROYED.

149

"createTime": "A String", # Output only. The time at which the SecretVersion was created.

}</pre>

</div>

<code class="details" id="create">create(parent, body=None, secretId=None, x__xgafv=None)</code>

155

<pre>Creates a new Secret containing no SecretVersions.

156

157

Args:

158

parent: string, Required. The resource name of the project to associate with the

159

Secret, in the format `projects/*`. (required)

160

body: object, The request body.

161

The object takes the form of:

162

163

{ # A Secret is a logical secret whose value and versions can

164

# be accessed.

165

#

166

# A Secret is made up of zero or more SecretVersions that

167

# represent the secret data.

168

"name": "A String", # Output only. The resource name of the Secret in the format `projects/*/secrets/*`.

169

"replication": { # A policy that defines the replication configuration of data. # Required. Immutable. The replication policy of the secret data attached to the Secret.

170

#

171

# The replication policy cannot be changed after the Secret has been created.

172

"userManaged": { # A replication policy that replicates the Secret payload into the # The Secret will only be replicated into the locations specified.

173

# locations specified in Secret.replication.user_managed.replicas

174

"replicas": [ # Required. The list of Replicas for this Secret.

175

#

176

# Cannot be empty.

177

{ # Represents a Replica for this Secret.

178

"location": "A String", # The canonical IDs of the location to replicate data.

179

# For example: `"us-east1"`.

},

],

},

"automatic": { # A replication policy that replicates the Secret payload without any # The Secret will automatically be replicated without any restrictions.

# restrictions.

},

},

"createTime": "A String", # Output only. The time at which the Secret was created.

188

"labels": { # The labels assigned to this Secret.

189

#

190

# Label keys must be between 1 and 63 characters long, have a UTF-8 encoding

191

# of maximum 128 bytes, and must conform to the following PCRE regular

192

# expression: `\p{Ll}\p{Lo}{0,62}`

193

#

194

# Label values must be between 0 and 63 characters long, have a UTF-8

195

# encoding of maximum 128 bytes, and must conform to the following PCRE

196

# regular expression: `[\p{Ll}\p{Lo}\p{N}_-]{0,63}`

197

#

198

# No more than 64 labels can be assigned to a given resource.

"a_key": "A String",

},

}

secretId: string, Required. This must be unique within the project.

204

205

A secret ID is a string with a maximum length of 255 characters and can

206

contain uppercase and lowercase letters, numerals, and the hyphen (`-`) and

207

underscore (`_`) characters.

208

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

215

216

{ # A Secret is a logical secret whose value and versions can

217

# be accessed.

218

#

219

# A Secret is made up of zero or more SecretVersions that

220

# represent the secret data.

221

"name": "A String", # Output only. The resource name of the Secret in the format `projects/*/secrets/*`.

222

"replication": { # A policy that defines the replication configuration of data. # Required. Immutable. The replication policy of the secret data attached to the Secret.

223

#

224

# The replication policy cannot be changed after the Secret has been created.

225

"userManaged": { # A replication policy that replicates the Secret payload into the # The Secret will only be replicated into the locations specified.

226

# locations specified in Secret.replication.user_managed.replicas

227

"replicas": [ # Required. The list of Replicas for this Secret.

228

#

229

# Cannot be empty.

230

{ # Represents a Replica for this Secret.

231

"location": "A String", # The canonical IDs of the location to replicate data.

232

# For example: `"us-east1"`.

},

],

},

"automatic": { # A replication policy that replicates the Secret payload without any # The Secret will automatically be replicated without any restrictions.

# restrictions.

},

},

"createTime": "A String", # Output only. The time at which the Secret was created.

241

"labels": { # The labels assigned to this Secret.

242

#

243

# Label keys must be between 1 and 63 characters long, have a UTF-8 encoding

244

# of maximum 128 bytes, and must conform to the following PCRE regular

245

# expression: `\p{Ll}\p{Lo}{0,62}`

246

#

247

# Label values must be between 0 and 63 characters long, have a UTF-8

248

# encoding of maximum 128 bytes, and must conform to the following PCRE

249

# regular expression: `[\p{Ll}\p{Lo}\p{N}_-]{0,63}`

250

#

251

# No more than 64 labels can be assigned to a given resource.

"a_key": "A String",

},

}</pre>

</div>

<code class="details" id="delete">delete(name, x__xgafv=None)</code>

259

<pre>Deletes a Secret.

260

261

Args:

262

name: string, Required. The resource name of the Secret to delete in the format

263

`projects/*/secrets/*`. (required)

264

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

271

272

{ # A generic empty message that you can re-use to avoid defining duplicated

273

# empty messages in your APIs. A typical example is to use it as the request

274

# or the response type of an API method. For instance:

275

#

276

# service Foo {

277

# rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);

278

# }

279

#

280

# The JSON representation for `Empty` is empty JSON object `{}`.

}</pre>

</div>

<code class="details" id="get">get(name, x__xgafv=None)</code>

286

<pre>Gets metadata for a given Secret.

287

288

Args:

289

name: string, Required. The resource name of the Secret, in the format `projects/*/secrets/*`. (required)

290

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

297

298

{ # A Secret is a logical secret whose value and versions can

299

# be accessed.

300

#

301

# A Secret is made up of zero or more SecretVersions that

302

# represent the secret data.

303

"name": "A String", # Output only. The resource name of the Secret in the format `projects/*/secrets/*`.

304

"replication": { # A policy that defines the replication configuration of data. # Required. Immutable. The replication policy of the secret data attached to the Secret.

305

#

306

# The replication policy cannot be changed after the Secret has been created.

307

"userManaged": { # A replication policy that replicates the Secret payload into the # The Secret will only be replicated into the locations specified.

308

# locations specified in Secret.replication.user_managed.replicas

309

"replicas": [ # Required. The list of Replicas for this Secret.

310

#

311

# Cannot be empty.

312

{ # Represents a Replica for this Secret.

313

"location": "A String", # The canonical IDs of the location to replicate data.

314

# For example: `"us-east1"`.

},

],

},

"automatic": { # A replication policy that replicates the Secret payload without any # The Secret will automatically be replicated without any restrictions.

# restrictions.

},

},

"createTime": "A String", # Output only. The time at which the Secret was created.

323

"labels": { # The labels assigned to this Secret.

324

#

325

# Label keys must be between 1 and 63 characters long, have a UTF-8 encoding

326

# of maximum 128 bytes, and must conform to the following PCRE regular

327

# expression: `\p{Ll}\p{Lo}{0,62}`

328

#

329

# Label values must be between 0 and 63 characters long, have a UTF-8

330

# encoding of maximum 128 bytes, and must conform to the following PCRE

331

# regular expression: `[\p{Ll}\p{Lo}\p{N}_-]{0,63}`

332

#

333

# No more than 64 labels can be assigned to a given resource.

"a_key": "A String",

},

}</pre>

</div>

<code class="details" id="getIamPolicy">getIamPolicy(resource, options_requestedPolicyVersion=None, x__xgafv=None)</code>

341

<pre>Gets the access control policy for a secret.

342

Returns empty policy if the secret exists and does not have a policy set.

343

344

Args:

345

resource: string, REQUIRED: The resource for which the policy is being requested.

346

See the operation documentation for the appropriate value for this field. (required)

347

options_requestedPolicyVersion: integer, Optional. The policy format version to be returned.

348

349

Valid values are 0, 1, and 3. Requests specifying an invalid value will be

350

rejected.

351

352

Requests for policies with any conditional bindings must specify version 3.

353

Policies without any conditional bindings may specify any valid value or

354

leave the field unset.

355

356

To learn which resources support conditions in their IAM policies, see the

357

[IAM

358

documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

359

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

366

367

{ # An Identity and Access Management (IAM) policy, which specifies access

368

# controls for Google Cloud resources.

369

#

370

#

371

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

372

# `members` to a single `role`. Members can be user accounts, service accounts,

373

# Google groups, and domains (such as G Suite). A `role` is a named list of

374

# permissions; each `role` can be an IAM predefined role or a user-created

375

# custom role.

376

#

377

# For some types of Google Cloud resources, a `binding` can also specify a

378

# `condition`, which is a logical expression that allows access to a resource

379

# only if the expression evaluates to `true`. A condition can add constraints

380

# based on attributes of the request, the resource, or both. To learn which

381

# resources support conditions in their IAM policies, see the

382

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

#

# **JSON example:**

#

# {

# "bindings": [

# {

# "role": "roles/resourcemanager.organizationAdmin",

390

# "members": [

391

# "user:mike@example.com",

392

# "group:admins@example.com",

393

# "domain:google.com",

394

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

# ]

# },

# {

# "role": "roles/resourcemanager.organizationViewer",

399

# "members": [

400

# "user:eve@example.com"

401

# ],

402

# "condition": {

403

# "title": "expirable access",

404

# "description": "Does not grant access after Sep 2020",

405

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

# }

# }

# ],

# "etag": "BwWWja0YfJA=",

# "version": 3

# }

#

# **YAML example:**

#

# bindings:

# - members:

# - user:mike@example.com

418

# - group:admins@example.com

419

# - domain:google.com

420

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

421

# role: roles/resourcemanager.organizationAdmin

422

# - members:

423

# - user:eve@example.com

424

# role: roles/resourcemanager.organizationViewer

425

# condition:

426

# title: expirable access

427

# description: Does not grant access after Sep 2020

428

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

429

# - etag: BwWWja0YfJA=

430

# - version: 3

431

#

432

# For a description of IAM and its features, see the

433

# [IAM documentation](https://cloud.google.com/iam/docs/).

434

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

435

# prevent simultaneous updates of a policy from overwriting each other.

436

# It is strongly suggested that systems make use of the `etag` in the

437

# read-modify-write cycle to perform policy updates in order to avoid race

438

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

439

# systems are expected to put that etag in the request to `setIamPolicy` to

440

# ensure that their change will be applied to the same version of the policy.

441

#

442

# **Important:** If you use IAM Conditions, you must include the `etag` field

443

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

444

# you to overwrite a version `3` policy with a version `1` policy, and all of

445

# the conditions in the version `3` policy are lost.

446

"version": 42, # Specifies the format of the policy.

447

#

448

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

449

# are rejected.

450

#

451

# Any operation that affects conditional role bindings must specify version

452

# `3`. This requirement applies to the following operations:

453

#

454

# * Getting a policy that includes a conditional role binding

455

# * Adding a conditional role binding to a policy

456

# * Changing a conditional role binding in a policy

457

# * Removing any role binding, with or without a condition, from a policy

458

# that includes conditions

459

#

460

# **Important:** If you use IAM Conditions, you must include the `etag` field

461

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

462

# you to overwrite a version `3` policy with a version `1` policy, and all of

463

# the conditions in the version `3` policy are lost.

464

#

465

# If a policy does not include any conditions, operations on that policy may

466

# specify any valid version or leave the field unset.

467

#

468

# To learn which resources support conditions in their IAM policies, see the

469

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

470

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

471

{ # Specifies the audit configuration for a service.

472

# The configuration determines which permission types are logged, and what

473

# identities, if any, are exempted from logging.

474

# An AuditConfig must have one or more AuditLogConfigs.

475

#

476

# If there are AuditConfigs for both `allServices` and a specific service,

477

# the union of the two AuditConfigs is used for that service: the log_types

478

# specified in each AuditConfig are enabled, and the exempted_members in each

479

# AuditLogConfig are exempted.

480

#

481

# Example Policy with multiple AuditConfigs:

#

# {

# "audit_configs": [

# {

# "service": "allServices"

487

# "audit_log_configs": [

488

# {

489

# "log_type": "DATA_READ",

490

# "exempted_members": [

491

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

496

# },

497

# {

498

# "log_type": "ADMIN_READ",

# }

# ]

# },

# {

# "service": "sampleservice.googleapis.com"

504

# "audit_log_configs": [

505

# {

506

# "log_type": "DATA_READ",

507

# },

508

# {

509

# "log_type": "DATA_WRITE",

510

# "exempted_members": [

511

# "user:aliya@example.com"

# ]

# }

# ]

# }

# ]

# }

#

# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ

520

# logging. It also exempts jose@example.com from DATA_READ logging, and

521

# aliya@example.com from DATA_WRITE logging.

522

"service": "A String", # Specifies a service that will be enabled for audit logging.

523

# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.

524

# `allServices` is a special value that covers all services.

525

"auditLogConfigs": [ # The configuration for logging of each type of permission.

526

{ # Provides the configuration for logging a type of permissions.

# Example:

#

# {

# "audit_log_configs": [

531

# {

532

# "log_type": "DATA_READ",

533

# "exempted_members": [

534

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

# }

# ]

# }

#

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting

544

# jose@example.com from DATA_READ logging.

545

"logType": "A String", # The log type that this config enables.

546

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of

547

# permission.

548

# Follows the same format of Binding.members.

"A String",

],

},

],

},

],

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

556

# `condition` that determines how and when the `bindings` are applied. Each

557

# of the `bindings` must contain at least one member.

558

{ # Associates `members` with a `role`.

559

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

560

#

561

# If the condition evaluates to `true`, then this binding applies to the

562

# current request.

563

#

564

# If the condition evaluates to `false`, then this binding does not apply to

565

# the current request. However, a different role binding might grant the same

566

# role to one or more of the members in this binding.

567

#

568

# To learn which resources support conditions in their IAM policies, see the

569

# [IAM

570

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

571

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

572

# are documented at https://github.com/google/cel-spec.

573

#

574

# Example (Comparison):

575

#

576

# title: "Summary size limit"

577

# description: "Determines if a summary is less than 100 chars"

578

# expression: "document.summary.size() < 100"

579

#

580

# Example (Equality):

581

#

582

# title: "Requestor is owner"

583

# description: "Determines if requestor is the document owner"

584

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

589

# description: "Determine whether the document should be publicly visible"

590

# expression: "document.type != 'private' && document.type != 'internal'"

591

#

592

# Example (Data Manipulation):

593

#

594

# title: "Notification string"

595

# description: "Create a notification string with a timestamp."

596

# expression: "'New message received at ' + string(document.create_time)"

597

#

598

# The exact variables and functions that may be referenced within an expression

599

# are determined by the service that evaluates it. See the service

600

# documentation for additional information.

601

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

602

# its purpose. This can be used e.g. in UIs which allow to enter the

603

# expression.

604

"location": "A String", # Optional. String indicating the location of the expression for error

605

# reporting, e.g. a file name and a position in the file.

606

"description": "A String", # Optional. Description of the expression. This is a longer text which

607

# describes the expression, e.g. when hovered over it in a UI.

608

"expression": "A String", # Textual representation of an expression in Common Expression Language

609

# syntax.

610

},

611

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

612

# `members` can have the following values:

613

#

614

# * `allUsers`: A special identifier that represents anyone who is

615

# on the internet; with or without a Google account.

616

#

617

# * `allAuthenticatedUsers`: A special identifier that represents anyone

618

# who is authenticated with a Google account or a service account.

619

#

620

# * `user:{emailid}`: An email address that represents a specific Google

621

# account. For example, `alice@example.com` .

622

#

623

#

624

# * `serviceAccount:{emailid}`: An email address that represents a service

625

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

626

#

627

# * `group:{emailid}`: An email address that represents a Google group.

628

# For example, `admins@example.com`.

629

#

630

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

631

# identifier) representing a user that has been recently deleted. For

632

# example, `alice@example.com?uid=123456789012345678901`. If the user is

633

# recovered, this value reverts to `user:{emailid}` and the recovered user

634

# retains the role in the binding.

635

#

636

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

637

# unique identifier) representing a service account that has been recently

638

# deleted. For example,

639

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

640

# If the service account is undeleted, this value reverts to

641

# `serviceAccount:{emailid}` and the undeleted service account retains the

642

# role in the binding.

643

#

644

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

645

# identifier) representing a Google group that has been recently

646

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

647

# the group is recovered, this value reverts to `group:{emailid}` and the

648

# recovered group retains the role in the binding.

649

#

650

#

651

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

652

# users of that domain. For example, `google.com` or `example.com`.

#

"A String",

],

"role": "A String", # Role that is assigned to `members`.

657

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

},

],

}</pre>

</div>

<code class="details" id="list">list(parent, pageToken=None, pageSize=None, x__xgafv=None)</code>

<pre>Lists Secrets.

Args:

parent: string, Required. The resource name of the project associated with the

669

Secrets, in the format `projects/*`. (required)

670

pageToken: string, Optional. Pagination token, returned earlier via

671

ListSecretsResponse.next_page_token.

672

pageSize: integer, Optional. The maximum number of results to be returned in a single page. If

673

set to 0, the server decides the number of results to return. If the

674

number is greater than 25000, it is capped at 25000.

675

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

682

683

{ # Response message for SecretManagerService.ListSecrets.

684

"secrets": [ # The list of Secrets sorted in reverse by create_time (newest

685

# first).

686

{ # A Secret is a logical secret whose value and versions can

687

# be accessed.

688

#

689

# A Secret is made up of zero or more SecretVersions that

690

# represent the secret data.

691

"name": "A String", # Output only. The resource name of the Secret in the format `projects/*/secrets/*`.

692

"replication": { # A policy that defines the replication configuration of data. # Required. Immutable. The replication policy of the secret data attached to the Secret.

693

#

694

# The replication policy cannot be changed after the Secret has been created.

695

"userManaged": { # A replication policy that replicates the Secret payload into the # The Secret will only be replicated into the locations specified.

696

# locations specified in Secret.replication.user_managed.replicas

697

"replicas": [ # Required. The list of Replicas for this Secret.

698

#

699

# Cannot be empty.

700

{ # Represents a Replica for this Secret.

701

"location": "A String", # The canonical IDs of the location to replicate data.

702

# For example: `"us-east1"`.

},

],

},

"automatic": { # A replication policy that replicates the Secret payload without any # The Secret will automatically be replicated without any restrictions.

# restrictions.

},

},

"createTime": "A String", # Output only. The time at which the Secret was created.

711

"labels": { # The labels assigned to this Secret.

712

#

713

# Label keys must be between 1 and 63 characters long, have a UTF-8 encoding

714

# of maximum 128 bytes, and must conform to the following PCRE regular

715

# expression: `\p{Ll}\p{Lo}{0,62}`

716

#

717

# Label values must be between 0 and 63 characters long, have a UTF-8

718

# encoding of maximum 128 bytes, and must conform to the following PCRE

719

# regular expression: `[\p{Ll}\p{Lo}\p{N}_-]{0,63}`

720

#

721

# No more than 64 labels can be assigned to a given resource.

"a_key": "A String",

},

},

],

"nextPageToken": "A String", # A token to retrieve the next page of results. Pass this value in

727

# ListSecretsRequest.page_token to retrieve the next page.

728

"totalSize": 42, # The total number of Secrets.

}</pre>

</div>

<code class="details" id="list_next">list_next(previous_request, previous_response)</code>

734

<pre>Retrieves the next page of results.

735

736

Args:

737

previous_request: The request for the previous page. (required)

738

previous_response: The response from the request for the previous page. (required)

739

740

Returns:

741

A request object that you can call 'execute()' on to request the next

742

page. Returns None if there are no more items in the collection.

</pre>

</div>

<code class="details" id="patch">patch(name, body=None, updateMask=None, x__xgafv=None)</code>

748

<pre>Updates metadata of an existing Secret.

749

750

Args:

751

name: string, Output only. The resource name of the Secret in the format `projects/*/secrets/*`. (required)

752

body: object, The request body.

753

The object takes the form of:

754

755

{ # A Secret is a logical secret whose value and versions can

756

# be accessed.

757

#

758

# A Secret is made up of zero or more SecretVersions that

759

# represent the secret data.

760

"name": "A String", # Output only. The resource name of the Secret in the format `projects/*/secrets/*`.

761

"replication": { # A policy that defines the replication configuration of data. # Required. Immutable. The replication policy of the secret data attached to the Secret.

762

#

763

# The replication policy cannot be changed after the Secret has been created.

764

"userManaged": { # A replication policy that replicates the Secret payload into the # The Secret will only be replicated into the locations specified.

765

# locations specified in Secret.replication.user_managed.replicas

766

"replicas": [ # Required. The list of Replicas for this Secret.

767

#

768

# Cannot be empty.

769

{ # Represents a Replica for this Secret.

770

"location": "A String", # The canonical IDs of the location to replicate data.

771

# For example: `"us-east1"`.

},

],

},

"automatic": { # A replication policy that replicates the Secret payload without any # The Secret will automatically be replicated without any restrictions.

# restrictions.

},

},

"createTime": "A String", # Output only. The time at which the Secret was created.

780

"labels": { # The labels assigned to this Secret.

781

#

782

# Label keys must be between 1 and 63 characters long, have a UTF-8 encoding

783

# of maximum 128 bytes, and must conform to the following PCRE regular

784

# expression: `\p{Ll}\p{Lo}{0,62}`

785

#

786

# Label values must be between 0 and 63 characters long, have a UTF-8

787

# encoding of maximum 128 bytes, and must conform to the following PCRE

788

# regular expression: `[\p{Ll}\p{Lo}\p{N}_-]{0,63}`

789

#

790

# No more than 64 labels can be assigned to a given resource.

"a_key": "A String",

},

}

updateMask: string, Required. Specifies the fields to be updated.

796

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

803

804

{ # A Secret is a logical secret whose value and versions can

805

# be accessed.

806

#

807

# A Secret is made up of zero or more SecretVersions that

808

# represent the secret data.

809

"name": "A String", # Output only. The resource name of the Secret in the format `projects/*/secrets/*`.

810

"replication": { # A policy that defines the replication configuration of data. # Required. Immutable. The replication policy of the secret data attached to the Secret.

811

#

812

# The replication policy cannot be changed after the Secret has been created.

813

"userManaged": { # A replication policy that replicates the Secret payload into the # The Secret will only be replicated into the locations specified.

814

# locations specified in Secret.replication.user_managed.replicas

815

"replicas": [ # Required. The list of Replicas for this Secret.

816

#

817

# Cannot be empty.

818

{ # Represents a Replica for this Secret.

819

"location": "A String", # The canonical IDs of the location to replicate data.

820

# For example: `"us-east1"`.

},

],

},

"automatic": { # A replication policy that replicates the Secret payload without any # The Secret will automatically be replicated without any restrictions.

# restrictions.

},

},

"createTime": "A String", # Output only. The time at which the Secret was created.

829

"labels": { # The labels assigned to this Secret.

830

#

831

# Label keys must be between 1 and 63 characters long, have a UTF-8 encoding

832

# of maximum 128 bytes, and must conform to the following PCRE regular

833

# expression: `\p{Ll}\p{Lo}{0,62}`

834

#

835

# Label values must be between 0 and 63 characters long, have a UTF-8

836

# encoding of maximum 128 bytes, and must conform to the following PCRE

837

# regular expression: `[\p{Ll}\p{Lo}\p{N}_-]{0,63}`

838

#

839

# No more than 64 labels can be assigned to a given resource.

"a_key": "A String",

},

}</pre>

</div>

<code class="details" id="setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</code>

847

<pre>Sets the access control policy on the specified secret. Replaces any

848

existing policy.

849

850

Permissions on SecretVersions are enforced according

851

to the policy set on the associated Secret.

852

853

Args:

854

resource: string, REQUIRED: The resource for which the policy is being specified.

855

See the operation documentation for the appropriate value for this field. (required)

856

body: object, The request body.

857

The object takes the form of:

858

859

{ # Request message for `SetIamPolicy` method.

860

"policy": { # An Identity and Access Management (IAM) policy, which specifies access # REQUIRED: The complete policy to be applied to the `resource`. The size of

861

# the policy is limited to a few 10s of KB. An empty policy is a

862

# valid policy but certain Cloud Platform services (such as Projects)

863

# might reject them.

864

# controls for Google Cloud resources.

865

#

866

#

867

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

868

# `members` to a single `role`. Members can be user accounts, service accounts,

869

# Google groups, and domains (such as G Suite). A `role` is a named list of

870

# permissions; each `role` can be an IAM predefined role or a user-created

871

# custom role.

872

#

873

# For some types of Google Cloud resources, a `binding` can also specify a

874

# `condition`, which is a logical expression that allows access to a resource

875

# only if the expression evaluates to `true`. A condition can add constraints

876

# based on attributes of the request, the resource, or both. To learn which

877

# resources support conditions in their IAM policies, see the

878

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

#

# **JSON example:**

#

# {

# "bindings": [

# {

# "role": "roles/resourcemanager.organizationAdmin",

886

# "members": [

887

# "user:mike@example.com",

888

# "group:admins@example.com",

889

# "domain:google.com",

890

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

# ]

# },

# {

# "role": "roles/resourcemanager.organizationViewer",

895

# "members": [

896

# "user:eve@example.com"

897

# ],

898

# "condition": {

899

# "title": "expirable access",

900

# "description": "Does not grant access after Sep 2020",

901

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

# }

# }

# ],

# "etag": "BwWWja0YfJA=",

# "version": 3

# }

#

# **YAML example:**

#

# bindings:

# - members:

# - user:mike@example.com

914

# - group:admins@example.com

915

# - domain:google.com

916

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

917

# role: roles/resourcemanager.organizationAdmin

918

# - members:

919

# - user:eve@example.com

920

# role: roles/resourcemanager.organizationViewer

921

# condition:

922

# title: expirable access

923

# description: Does not grant access after Sep 2020

924

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

925

# - etag: BwWWja0YfJA=

926

# - version: 3

927

#

928

# For a description of IAM and its features, see the

929

# [IAM documentation](https://cloud.google.com/iam/docs/).

930

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

931

# prevent simultaneous updates of a policy from overwriting each other.

932

# It is strongly suggested that systems make use of the `etag` in the

933

# read-modify-write cycle to perform policy updates in order to avoid race

934

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

935

# systems are expected to put that etag in the request to `setIamPolicy` to

936

# ensure that their change will be applied to the same version of the policy.

937

#

938

# **Important:** If you use IAM Conditions, you must include the `etag` field

939

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

940

# you to overwrite a version `3` policy with a version `1` policy, and all of

941

# the conditions in the version `3` policy are lost.

942

"version": 42, # Specifies the format of the policy.

943

#

944

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

945

# are rejected.

946

#

947

# Any operation that affects conditional role bindings must specify version

948

# `3`. This requirement applies to the following operations:

949

#

950

# * Getting a policy that includes a conditional role binding

951

# * Adding a conditional role binding to a policy

952

# * Changing a conditional role binding in a policy

953

# * Removing any role binding, with or without a condition, from a policy

954

# that includes conditions

955

#

956

# **Important:** If you use IAM Conditions, you must include the `etag` field

957

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

958

# you to overwrite a version `3` policy with a version `1` policy, and all of

959

# the conditions in the version `3` policy are lost.

960

#

961

# If a policy does not include any conditions, operations on that policy may

962

# specify any valid version or leave the field unset.

963

#

964

# To learn which resources support conditions in their IAM policies, see the

965

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

966

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

967

{ # Specifies the audit configuration for a service.

968

# The configuration determines which permission types are logged, and what

969

# identities, if any, are exempted from logging.

970

# An AuditConfig must have one or more AuditLogConfigs.

971

#

972

# If there are AuditConfigs for both `allServices` and a specific service,

973

# the union of the two AuditConfigs is used for that service: the log_types

974

# specified in each AuditConfig are enabled, and the exempted_members in each

975

# AuditLogConfig are exempted.

976

#

977

# Example Policy with multiple AuditConfigs:

#

# {

# "audit_configs": [

# {

# "service": "allServices"

983

# "audit_log_configs": [

984

# {

985

# "log_type": "DATA_READ",

986

# "exempted_members": [

987

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

992

# },

993

# {

994

# "log_type": "ADMIN_READ",

# }

# ]

# },

# {

# "service": "sampleservice.googleapis.com"

1000

# "audit_log_configs": [

1001

# {

1002

# "log_type": "DATA_READ",

1003

# },

1004

# {

1005

# "log_type": "DATA_WRITE",

1006

# "exempted_members": [

1007

# "user:aliya@example.com"

# ]

# }

# ]

# }

# ]

# }

#

# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ

1016

# logging. It also exempts jose@example.com from DATA_READ logging, and

1017

# aliya@example.com from DATA_WRITE logging.

1018

"service": "A String", # Specifies a service that will be enabled for audit logging.

1019

# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.

1020

# `allServices` is a special value that covers all services.

1021

"auditLogConfigs": [ # The configuration for logging of each type of permission.

1022

{ # Provides the configuration for logging a type of permissions.

# Example:

#

# {

# "audit_log_configs": [

1027

# {

1028

# "log_type": "DATA_READ",

1029

# "exempted_members": [

1030

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

# }

# ]

# }

#

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting

1040

# jose@example.com from DATA_READ logging.

1041

"logType": "A String", # The log type that this config enables.

1042

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of

1043

# permission.

1044

# Follows the same format of Binding.members.

"A String",

],

},

],

},

],

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

1052

# `condition` that determines how and when the `bindings` are applied. Each

1053

# of the `bindings` must contain at least one member.

1054

{ # Associates `members` with a `role`.

1055

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

1056

#

1057

# If the condition evaluates to `true`, then this binding applies to the

1058

# current request.

1059

#

1060

# If the condition evaluates to `false`, then this binding does not apply to

1061

# the current request. However, a different role binding might grant the same

1062

# role to one or more of the members in this binding.

1063

#

1064

# To learn which resources support conditions in their IAM policies, see the

1065

# [IAM

1066

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

1067

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

1068

# are documented at https://github.com/google/cel-spec.

1069

#

1070

# Example (Comparison):

1071

#

1072

# title: "Summary size limit"

1073

# description: "Determines if a summary is less than 100 chars"

1074

# expression: "document.summary.size() < 100"

1075

#

1076

# Example (Equality):

1077

#

1078

# title: "Requestor is owner"

1079

# description: "Determines if requestor is the document owner"

1080

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

1085

# description: "Determine whether the document should be publicly visible"

1086

# expression: "document.type != 'private' && document.type != 'internal'"

1087

#

1088

# Example (Data Manipulation):

1089

#

1090

# title: "Notification string"

1091

# description: "Create a notification string with a timestamp."

1092

# expression: "'New message received at ' + string(document.create_time)"

1093

#

1094

# The exact variables and functions that may be referenced within an expression

1095

# are determined by the service that evaluates it. See the service

1096

# documentation for additional information.

1097

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

1098

# its purpose. This can be used e.g. in UIs which allow to enter the

1099

# expression.

1100

"location": "A String", # Optional. String indicating the location of the expression for error

1101

# reporting, e.g. a file name and a position in the file.

1102

"description": "A String", # Optional. Description of the expression. This is a longer text which

1103

# describes the expression, e.g. when hovered over it in a UI.

1104

"expression": "A String", # Textual representation of an expression in Common Expression Language

1105

# syntax.

1106

},

1107

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

1108

# `members` can have the following values:

1109

#

1110

# * `allUsers`: A special identifier that represents anyone who is

1111

# on the internet; with or without a Google account.

1112

#

1113

# * `allAuthenticatedUsers`: A special identifier that represents anyone

1114

# who is authenticated with a Google account or a service account.

1115

#

1116

# * `user:{emailid}`: An email address that represents a specific Google

1117

# account. For example, `alice@example.com` .

1118

#

1119

#

1120

# * `serviceAccount:{emailid}`: An email address that represents a service

1121

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

1122

#

1123

# * `group:{emailid}`: An email address that represents a Google group.

1124

# For example, `admins@example.com`.

1125

#

1126

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

1127

# identifier) representing a user that has been recently deleted. For

1128

# example, `alice@example.com?uid=123456789012345678901`. If the user is

1129

# recovered, this value reverts to `user:{emailid}` and the recovered user

1130

# retains the role in the binding.

1131

#

1132

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

1133

# unique identifier) representing a service account that has been recently

1134

# deleted. For example,

1135

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

1136

# If the service account is undeleted, this value reverts to

1137

# `serviceAccount:{emailid}` and the undeleted service account retains the

1138

# role in the binding.

1139

#

1140

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

1141

# identifier) representing a Google group that has been recently

1142

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

1143

# the group is recovered, this value reverts to `group:{emailid}` and the

1144

# recovered group retains the role in the binding.

1145

#

1146

#

1147

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

1148

# users of that domain. For example, `google.com` or `example.com`.

#

"A String",

],

"role": "A String", # Role that is assigned to `members`.

1153

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

},

],

},

"updateMask": "A String", # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only

1158

# the fields in the mask will be modified. If no mask is provided, the

1159

# following default mask is used:

1160

#

1161

# `paths: "bindings, etag"`

1162

}

1163

1164

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1171

1172

{ # An Identity and Access Management (IAM) policy, which specifies access

1173

# controls for Google Cloud resources.

1174

#

1175

#

1176

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

1177

# `members` to a single `role`. Members can be user accounts, service accounts,

1178

# Google groups, and domains (such as G Suite). A `role` is a named list of

1179

# permissions; each `role` can be an IAM predefined role or a user-created

1180

# custom role.

1181

#

1182

# For some types of Google Cloud resources, a `binding` can also specify a

1183

# `condition`, which is a logical expression that allows access to a resource

1184

# only if the expression evaluates to `true`. A condition can add constraints

1185

# based on attributes of the request, the resource, or both. To learn which

1186

# resources support conditions in their IAM policies, see the

1187

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

#

# **JSON example:**

#

# {

# "bindings": [

# {

# "role": "roles/resourcemanager.organizationAdmin",

1195

# "members": [

1196

# "user:mike@example.com",

1197

# "group:admins@example.com",

1198

# "domain:google.com",

1199

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

# ]

# },

# {

# "role": "roles/resourcemanager.organizationViewer",

1204

# "members": [

1205

# "user:eve@example.com"

1206

# ],

1207

# "condition": {

1208

# "title": "expirable access",

1209

# "description": "Does not grant access after Sep 2020",

1210

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

# }

# }

# ],

# "etag": "BwWWja0YfJA=",

# "version": 3

# }

#

# **YAML example:**

#

# bindings:

# - members:

# - user:mike@example.com

1223

# - group:admins@example.com

1224

# - domain:google.com

1225

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

1226

# role: roles/resourcemanager.organizationAdmin

1227

# - members:

1228

# - user:eve@example.com

1229

# role: roles/resourcemanager.organizationViewer

1230

# condition:

1231

# title: expirable access

1232

# description: Does not grant access after Sep 2020

1233

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

1234

# - etag: BwWWja0YfJA=

1235

# - version: 3

1236

#

1237

# For a description of IAM and its features, see the

1238

# [IAM documentation](https://cloud.google.com/iam/docs/).

1239

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

1240

# prevent simultaneous updates of a policy from overwriting each other.

1241

# It is strongly suggested that systems make use of the `etag` in the

1242

# read-modify-write cycle to perform policy updates in order to avoid race

1243

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

1244

# systems are expected to put that etag in the request to `setIamPolicy` to

1245

# ensure that their change will be applied to the same version of the policy.

1246

#

1247

# **Important:** If you use IAM Conditions, you must include the `etag` field

1248

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

1249

# you to overwrite a version `3` policy with a version `1` policy, and all of

1250

# the conditions in the version `3` policy are lost.

1251

"version": 42, # Specifies the format of the policy.

1252

#

1253

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

1254

# are rejected.

1255

#

1256

# Any operation that affects conditional role bindings must specify version

1257

# `3`. This requirement applies to the following operations:

1258

#

1259

# * Getting a policy that includes a conditional role binding

1260

# * Adding a conditional role binding to a policy

1261

# * Changing a conditional role binding in a policy

1262

# * Removing any role binding, with or without a condition, from a policy

1263

# that includes conditions

1264

#

1265

# **Important:** If you use IAM Conditions, you must include the `etag` field

1266

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

1267

# you to overwrite a version `3` policy with a version `1` policy, and all of

1268

# the conditions in the version `3` policy are lost.

1269

#

1270

# If a policy does not include any conditions, operations on that policy may

1271

# specify any valid version or leave the field unset.

1272

#

1273

# To learn which resources support conditions in their IAM policies, see the

1274

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

1275

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

1276

{ # Specifies the audit configuration for a service.

1277

# The configuration determines which permission types are logged, and what

1278

# identities, if any, are exempted from logging.

1279

# An AuditConfig must have one or more AuditLogConfigs.

1280

#

1281

# If there are AuditConfigs for both `allServices` and a specific service,

1282

# the union of the two AuditConfigs is used for that service: the log_types

1283

# specified in each AuditConfig are enabled, and the exempted_members in each

1284

# AuditLogConfig are exempted.

1285

#

1286

# Example Policy with multiple AuditConfigs:

#

# {

# "audit_configs": [

# {

# "service": "allServices"

1292

# "audit_log_configs": [

1293

# {

1294

# "log_type": "DATA_READ",

1295

# "exempted_members": [

1296

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

1301

# },

1302

# {

1303

# "log_type": "ADMIN_READ",

# }

# ]

# },

# {

# "service": "sampleservice.googleapis.com"

1309

# "audit_log_configs": [

1310

# {

1311

# "log_type": "DATA_READ",

1312

# },

1313

# {

1314

# "log_type": "DATA_WRITE",

1315

# "exempted_members": [

1316

# "user:aliya@example.com"

# ]

# }

# ]

# }

# ]

# }

#

# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ

1325

# logging. It also exempts jose@example.com from DATA_READ logging, and

1326

# aliya@example.com from DATA_WRITE logging.

1327

"service": "A String", # Specifies a service that will be enabled for audit logging.

1328

# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.

1329

# `allServices` is a special value that covers all services.

1330

"auditLogConfigs": [ # The configuration for logging of each type of permission.

1331

{ # Provides the configuration for logging a type of permissions.

# Example:

#

# {

# "audit_log_configs": [

1336

# {

1337

# "log_type": "DATA_READ",

1338

# "exempted_members": [

1339

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

# }

# ]

# }

#

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting

1349

# jose@example.com from DATA_READ logging.

1350

"logType": "A String", # The log type that this config enables.

1351

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of

1352

# permission.

1353

# Follows the same format of Binding.members.

"A String",

],

},

],

},

],

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

1361

# `condition` that determines how and when the `bindings` are applied. Each

1362

# of the `bindings` must contain at least one member.

1363

{ # Associates `members` with a `role`.

1364

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

1365

#

1366

# If the condition evaluates to `true`, then this binding applies to the

1367

# current request.

1368

#

1369

# If the condition evaluates to `false`, then this binding does not apply to

1370

# the current request. However, a different role binding might grant the same

1371

# role to one or more of the members in this binding.

1372

#

1373

# To learn which resources support conditions in their IAM policies, see the

1374

# [IAM

1375

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

1376

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

1377

# are documented at https://github.com/google/cel-spec.

1378

#

1379

# Example (Comparison):

1380

#

1381

# title: "Summary size limit"

1382

# description: "Determines if a summary is less than 100 chars"

1383

# expression: "document.summary.size() < 100"

1384

#

1385

# Example (Equality):

1386

#

1387

# title: "Requestor is owner"

1388

# description: "Determines if requestor is the document owner"

1389

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

1394

# description: "Determine whether the document should be publicly visible"

1395

# expression: "document.type != 'private' && document.type != 'internal'"

1396

#

1397

# Example (Data Manipulation):

1398

#

1399

# title: "Notification string"

1400

# description: "Create a notification string with a timestamp."

1401

# expression: "'New message received at ' + string(document.create_time)"

1402

#

1403

# The exact variables and functions that may be referenced within an expression

1404

# are determined by the service that evaluates it. See the service

1405

# documentation for additional information.

1406

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

1407

# its purpose. This can be used e.g. in UIs which allow to enter the

1408

# expression.

1409

"location": "A String", # Optional. String indicating the location of the expression for error

1410

# reporting, e.g. a file name and a position in the file.

1411

"description": "A String", # Optional. Description of the expression. This is a longer text which

1412

# describes the expression, e.g. when hovered over it in a UI.

1413

"expression": "A String", # Textual representation of an expression in Common Expression Language

1414

# syntax.

1415

},

1416

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

1417

# `members` can have the following values:

1418

#

1419

# * `allUsers`: A special identifier that represents anyone who is

1420

# on the internet; with or without a Google account.

1421

#

1422

# * `allAuthenticatedUsers`: A special identifier that represents anyone

1423

# who is authenticated with a Google account or a service account.

1424

#

1425

# * `user:{emailid}`: An email address that represents a specific Google

1426

# account. For example, `alice@example.com` .

1427

#

1428

#

1429

# * `serviceAccount:{emailid}`: An email address that represents a service

1430

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

1431

#

1432

# * `group:{emailid}`: An email address that represents a Google group.

1433

# For example, `admins@example.com`.

1434

#

1435

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

1436

# identifier) representing a user that has been recently deleted. For

1437

# example, `alice@example.com?uid=123456789012345678901`. If the user is

1438

# recovered, this value reverts to `user:{emailid}` and the recovered user

1439

# retains the role in the binding.

1440

#

1441

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

1442

# unique identifier) representing a service account that has been recently

1443

# deleted. For example,

1444

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

1445

# If the service account is undeleted, this value reverts to

1446

# `serviceAccount:{emailid}` and the undeleted service account retains the

1447

# role in the binding.

1448

#

1449

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

1450

# identifier) representing a Google group that has been recently

1451

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

1452

# the group is recovered, this value reverts to `group:{emailid}` and the

1453

# recovered group retains the role in the binding.

1454

#

1455

#

1456

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

1457

# users of that domain. For example, `google.com` or `example.com`.

#

"A String",

],

"role": "A String", # Role that is assigned to `members`.

1462

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

},

],

}</pre>

</div>

<code class="details" id="testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</code>

1470

<pre>Returns permissions that a caller has for the specified secret.

1471

If the secret does not exist, this call returns an empty set of

1472

permissions, not a NOT_FOUND error.

1473

1474

Note: This operation is designed to be used for building permission-aware

1475

UIs and command-line tools, not for authorization checking. This operation

1476

may "fail open" without warning.

1477

1478

Args:

1479

resource: string, REQUIRED: The resource for which the policy detail is being requested.

1480

See the operation documentation for the appropriate value for this field. (required)

1481

body: object, The request body.

1482

The object takes the form of:

1483

1484

{ # Request message for `TestIamPermissions` method.

1485

"permissions": [ # The set of permissions to check for the `resource`. Permissions with

1486

# wildcards (such as '*' or 'storage.*') are not allowed. For more

1487

# information see

1488

# [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).

"A String",

],

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1500

1501

{ # Response message for `TestIamPermissions` method.

1502

"permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is

# allowed.

"A String",

],

}</pre>

</div>

</body></html>