Blame - docs/dyn/cloudasset_v1p1beta1.iamPolicies.html - platform/external/python/google-api-python-client

"policy": { # An Identity and Access Management (IAM) policy, which specifies access # The IAM policy directly set on the given resource. Note that the original

130

# IAM policy can contain multiple bindings. This only contains the bindings

131

# that match the given query. For queries that don't contain a constrain on

132

# policies (e.g. an empty query), this contains all the bindings.

133

# controls for Google Cloud resources.

134

#

135

#

136

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

137

# `members` to a single `role`. Members can be user accounts, service accounts,

138

# Google groups, and domains (such as G Suite). A `role` is a named list of

139

# permissions; each `role` can be an IAM predefined role or a user-created

140

# custom role.

141

#

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

142

# For some types of Google Cloud resources, a `binding` can also specify a

143

# `condition`, which is a logical expression that allows access to a resource

144

# only if the expression evaluates to `true`. A condition can add constraints

145

# based on attributes of the request, the resource, or both. To learn which

146

# resources support conditions in their IAM policies, see the

147

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

#

# **JSON example:**

#

# {

# "bindings": [

# {

# "role": "roles/resourcemanager.organizationAdmin",

155

# "members": [

156

# "user:mike@example.com",

157

# "group:admins@example.com",

158

# "domain:google.com",

159

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

# ]

# },

# {

# "role": "roles/resourcemanager.organizationViewer",

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

164

# "members": [

165

# "user:eve@example.com"

166

# ],

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

167

# "condition": {

168

# "title": "expirable access",

169

# "description": "Does not grant access after Sep 2020",

170

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

# }

# }

# ],

# "etag": "BwWWja0YfJA=",

# "version": 3

# }

#

# **YAML example:**

#

# bindings:

# - members:

# - user:mike@example.com

183

# - group:admins@example.com

184

# - domain:google.com

185

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

186

# role: roles/resourcemanager.organizationAdmin

187

# - members:

188

# - user:eve@example.com

189

# role: roles/resourcemanager.organizationViewer

190

# condition:

191

# title: expirable access

192

# description: Does not grant access after Sep 2020

193

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

194

# - etag: BwWWja0YfJA=

195

# - version: 3

196

#

197

# For a description of IAM and its features, see the

198

# [IAM documentation](https://cloud.google.com/iam/docs/).

199

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

200

# prevent simultaneous updates of a policy from overwriting each other.

201

# It is strongly suggested that systems make use of the `etag` in the

202

# read-modify-write cycle to perform policy updates in order to avoid race

203

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

204

# systems are expected to put that etag in the request to `setIamPolicy` to

205

# ensure that their change will be applied to the same version of the policy.

206

#

207

# **Important:** If you use IAM Conditions, you must include the `etag` field

208

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

209

# you to overwrite a version `3` policy with a version `1` policy, and all of

210

# the conditions in the version `3` policy are lost.

211

"version": 42, # Specifies the format of the policy.

212

#

213

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

214

# are rejected.

215

#

216

# Any operation that affects conditional role bindings must specify version

217

# `3`. This requirement applies to the following operations:

218

#

219

# * Getting a policy that includes a conditional role binding

220

# * Adding a conditional role binding to a policy

221

# * Changing a conditional role binding in a policy

222

# * Removing any role binding, with or without a condition, from a policy

223

# that includes conditions

224

#

225

# **Important:** If you use IAM Conditions, you must include the `etag` field

226

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

227

# you to overwrite a version `3` policy with a version `1` policy, and all of

228

# the conditions in the version `3` policy are lost.

229

#

230

# If a policy does not include any conditions, operations on that policy may

231

# specify any valid version or leave the field unset.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

232

#

233

# To learn which resources support conditions in their IAM policies, see the

234

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

235

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

236

{ # Specifies the audit configuration for a service.

237

# The configuration determines which permission types are logged, and what

238

# identities, if any, are exempted from logging.

239

# An AuditConfig must have one or more AuditLogConfigs.

240

#

241

# If there are AuditConfigs for both `allServices` and a specific service,

242

# the union of the two AuditConfigs is used for that service: the log_types

243

# specified in each AuditConfig are enabled, and the exempted_members in each

244

# AuditLogConfig are exempted.

245

#

246

# Example Policy with multiple AuditConfigs:

#

# {

# "audit_configs": [

# {

# "service": "allServices"

252

# "audit_log_configs": [

253

# {

254

# "log_type": "DATA_READ",

255

# "exempted_members": [

256

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

261

# },

262

# {

263

# "log_type": "ADMIN_READ",

# }

# ]

# },

# {

# "service": "sampleservice.googleapis.com"

269

# "audit_log_configs": [

270

# {

271

# "log_type": "DATA_READ",

272

# },

273

# {

274

# "log_type": "DATA_WRITE",

275

# "exempted_members": [

276

# "user:aliya@example.com"

# ]

# }

# ]

# }

# ]

# }

#

# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ

285

# logging. It also exempts jose@example.com from DATA_READ logging, and

286

# aliya@example.com from DATA_WRITE logging.

287

"service": "A String", # Specifies a service that will be enabled for audit logging.

288

# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.

289

# `allServices` is a special value that covers all services.

290

"auditLogConfigs": [ # The configuration for logging of each type of permission.

291

{ # Provides the configuration for logging a type of permissions.

# Example:

#

# {

# "audit_log_configs": [

296

# {

297

# "log_type": "DATA_READ",

298

# "exempted_members": [

299

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

# }

# ]

# }

#

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting

309

# jose@example.com from DATA_READ logging.

310

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of

311

# permission.

312

# Follows the same format of Binding.members.

313

"A String",

314

],

315

"logType": "A String", # The log type that this config enables.

},

],

},

],

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

321

# `condition` that determines how and when the `bindings` are applied. Each

322

# of the `bindings` must contain at least one member.

323

{ # Associates `members` with a `role`.

324

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

325

#

326

# If the condition evaluates to `true`, then this binding applies to the

327

# current request.

328

#

329

# If the condition evaluates to `false`, then this binding does not apply to

330

# the current request. However, a different role binding might grant the same

331

# role to one or more of the members in this binding.

332

#

333

# To learn which resources support conditions in their IAM policies, see the

334

# [IAM

335

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

336

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

337

# are documented at https://github.com/google/cel-spec.

338

#

339

# Example (Comparison):

340

#

341

# title: "Summary size limit"

342

# description: "Determines if a summary is less than 100 chars"

343

# expression: "document.summary.size() < 100"

344

#

345

# Example (Equality):

346

#

347

# title: "Requestor is owner"

348

# description: "Determines if requestor is the document owner"

349

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

354

# description: "Determine whether the document should be publicly visible"

355

# expression: "document.type != 'private' && document.type != 'internal'"

356

#

357

# Example (Data Manipulation):

358

#

359

# title: "Notification string"

360

# description: "Create a notification string with a timestamp."

361

# expression: "'New message received at ' + string(document.create_time)"

362

#

363

# The exact variables and functions that may be referenced within an expression

364

# are determined by the service that evaluates it. See the service

365

# documentation for additional information.

366

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

367

# its purpose. This can be used e.g. in UIs which allow to enter the

368

# expression.

369

"location": "A String", # Optional. String indicating the location of the expression for error

370

# reporting, e.g. a file name and a position in the file.

371

"description": "A String", # Optional. Description of the expression. This is a longer text which

372

# describes the expression, e.g. when hovered over it in a UI.

373

"expression": "A String", # Textual representation of an expression in Common Expression Language

374

# syntax.

375

},

376

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

377

# `members` can have the following values:

378

#

379

# * `allUsers`: A special identifier that represents anyone who is

380

# on the internet; with or without a Google account.

381

#

382

# * `allAuthenticatedUsers`: A special identifier that represents anyone

383

# who is authenticated with a Google account or a service account.

384

#

385

# * `user:{emailid}`: An email address that represents a specific Google

386

# account. For example, `alice@example.com` .

387

#

388

#

389

# * `serviceAccount:{emailid}`: An email address that represents a service

390

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

391

#

392

# * `group:{emailid}`: An email address that represents a Google group.

393

# For example, `admins@example.com`.

394

#

395

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

396

# identifier) representing a user that has been recently deleted. For

397

# example, `alice@example.com?uid=123456789012345678901`. If the user is

398

# recovered, this value reverts to `user:{emailid}` and the recovered user

399

# retains the role in the binding.

400

#

401

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

402

# unique identifier) representing a service account that has been recently

403

# deleted. For example,

404

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

405

# If the service account is undeleted, this value reverts to

406

# `serviceAccount:{emailid}` and the undeleted service account retains the

407

# role in the binding.

408

#

409

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

410

# identifier) representing a Google group that has been recently

411

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

412

# the group is recovered, this value reverts to `group:{emailid}` and the

413

# recovered group retains the role in the binding.

414

#

415

#

416

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

417

# users of that domain. For example, `google.com` or `example.com`.

#

"A String",

],

"role": "A String", # Role that is assigned to `members`.

422

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

423

},

424

],

425

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

426

"resource": "A String", # The [full resource

427

# name](https://cloud.google.com/apis/design/resource_names#full_resource_name)

428

# of the resource associated with this IAM policy.

429

"explanation": { # Explanation about the IAM policy search result. # Explanation about the IAM policy search result. It contains additional

430

# information to explain why the search result matches the query.

431

"matchedPermissions": { # The map from roles to their included permission matching the permission

432

# query (e.g. containing `policy.role.permissions:`). A sample role string:

433

# "roles/compute.instanceAdmin". The roles can also be found in the

434

# returned `policy` bindings. Note that the map is populated only if

435

# requesting with a permission query.

436

"a_key": { # IAM permissions

437

"permissions": [ # A list of permissions. A sample permission string: "compute.disk.get".

"A String",

],

},

},

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

443

},

444

],

445

"nextPageToken": "A String", # Set if there are more results than those appearing in this response; to get

446

# the next set of results, call this method again, using this value as the

# `page_token`.

}</pre>

</div>

<code class="details" id="searchAll_next">searchAll_next(previous_request, previous_response)</code>

453

<pre>Retrieves the next page of results.

454

455

Args:

456

previous_request: The request for the previous page. (required)

457

previous_response: The response from the request for the previous page. (required)

458

459

Returns:

460

A request object that you can call 'execute()' on to request the next

461

page. Returns None if there are no more items in the collection.

</pre>

</div>

</body></html>