Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 1 | <html><body> |
| 2 | <style> |
| 3 | |
| 4 | body, h1, h2, h3, div, span, p, pre, a { |
| 5 | margin: 0; |
| 6 | padding: 0; |
| 7 | border: 0; |
| 8 | font-weight: inherit; |
| 9 | font-style: inherit; |
| 10 | font-size: 100%; |
| 11 | font-family: inherit; |
| 12 | vertical-align: baseline; |
| 13 | } |
| 14 | |
| 15 | body { |
| 16 | font-size: 13px; |
| 17 | padding: 1em; |
| 18 | } |
| 19 | |
| 20 | h1 { |
| 21 | font-size: 26px; |
| 22 | margin-bottom: 1em; |
| 23 | } |
| 24 | |
| 25 | h2 { |
| 26 | font-size: 24px; |
| 27 | margin-bottom: 1em; |
| 28 | } |
| 29 | |
| 30 | h3 { |
| 31 | font-size: 20px; |
| 32 | margin-bottom: 1em; |
| 33 | margin-top: 1em; |
| 34 | } |
| 35 | |
| 36 | pre, code { |
| 37 | line-height: 1.5; |
| 38 | font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; |
| 39 | } |
| 40 | |
| 41 | pre { |
| 42 | margin-top: 0.5em; |
| 43 | } |
| 44 | |
| 45 | h1, h2, h3, p { |
| 46 | font-family: Arial, sans serif; |
| 47 | } |
| 48 | |
| 49 | h1, h2, h3 { |
| 50 | border-bottom: solid #CCC 1px; |
| 51 | } |
| 52 | |
| 53 | .toc_element { |
| 54 | margin-top: 0.5em; |
| 55 | } |
| 56 | |
| 57 | .firstline { |
| 58 | margin-left: 2 em; |
| 59 | } |
| 60 | |
| 61 | .method { |
| 62 | margin-top: 1em; |
| 63 | border: solid 1px #CCC; |
| 64 | padding: 1em; |
| 65 | background: #EEE; |
| 66 | } |
| 67 | |
| 68 | .details { |
| 69 | font-weight: bold; |
| 70 | font-size: 14px; |
| 71 | } |
| 72 | |
| 73 | </style> |
| 74 | |
| 75 | <h1><a href="cloudasset_v1p4beta1.html">Cloud Asset API</a> . <a href="cloudasset_v1p4beta1.v1p4beta1.html">v1p4beta1</a></h1> |
| 76 | <h2>Instance Methods</h2> |
| 77 | <p class="toc_element"> |
Bu Sun Kim | 4ed7d3f | 2020-05-27 12:20:54 -0700 | [diff] [blame^] | 78 | <code><a href="#analyzeIamPolicy">analyzeIamPolicy(parent, options_analyzeServiceAccountImpersonation=None, options_outputResourceEdges=None, options_expandResources=None, analysisQuery_accessSelector_roles=None, options_expandRoles=None, analysisQuery_accessSelector_permissions=None, options_executionTimeout=None, options_outputGroupEdges=None, options_expandGroups=None, analysisQuery_identitySelector_identity=None, analysisQuery_resourceSelector_fullResourceName=None, x__xgafv=None)</a></code></p> |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 79 | <p class="firstline">Analyzes IAM policies based on the specified request. Returns</p> |
| 80 | <p class="toc_element"> |
| 81 | <code><a href="#exportIamPolicyAnalysis">exportIamPolicyAnalysis(parent, body=None, x__xgafv=None)</a></code></p> |
| 82 | <p class="firstline">Exports IAM policy analysis based on the specified request. This API</p> |
| 83 | <h3>Method Details</h3> |
| 84 | <div class="method"> |
Bu Sun Kim | 4ed7d3f | 2020-05-27 12:20:54 -0700 | [diff] [blame^] | 85 | <code class="details" id="analyzeIamPolicy">analyzeIamPolicy(parent, options_analyzeServiceAccountImpersonation=None, options_outputResourceEdges=None, options_expandResources=None, analysisQuery_accessSelector_roles=None, options_expandRoles=None, analysisQuery_accessSelector_permissions=None, options_executionTimeout=None, options_outputGroupEdges=None, options_expandGroups=None, analysisQuery_identitySelector_identity=None, analysisQuery_resourceSelector_fullResourceName=None, x__xgafv=None)</code> |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 86 | <pre>Analyzes IAM policies based on the specified request. Returns |
| 87 | a list of IamPolicyAnalysisResult matching the request. |
| 88 | |
| 89 | Args: |
| 90 | parent: string, Required. The relative name of the root asset. Only resources and IAM policies within |
| 91 | the parent will be analyzed. This can only be an organization number (such |
| 92 | as "organizations/123") or a folder number (such as "folders/123"). (required) |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 93 | options_analyzeServiceAccountImpersonation: boolean, Optional. If true, the response will include access analysis from identities to |
| 94 | resources via service account impersonation. This is a very expensive |
| 95 | operation, because many derived queries will be executed. We highly |
| 96 | recommend you use ExportIamPolicyAnalysis rpc instead. |
| 97 | |
| 98 | For example, if the request analyzes for which resources user A has |
| 99 | permission P, and there's an IAM policy states user A has |
| 100 | iam.serviceAccounts.getAccessToken permission to a service account SA, |
| 101 | and there's another IAM policy states service account SA has permission P |
| 102 | to a GCP folder F, then user A potentially has access to the GCP folder |
| 103 | F. And those advanced analysis results will be included in |
| 104 | AnalyzeIamPolicyResponse.service_account_impersonation_analysis. |
| 105 | |
| 106 | Another example, if the request analyzes for who has |
| 107 | permission P to a GCP folder F, and there's an IAM policy states user A |
| 108 | has iam.serviceAccounts.actAs permission to a service account SA, and |
| 109 | there's another IAM policy states service account SA has permission P to |
| 110 | the GCP folder F, then user A potentially has access to the GCP folder |
| 111 | F. And those advanced analysis results will be included in |
| 112 | AnalyzeIamPolicyResponse.service_account_impersonation_analysis. |
| 113 | |
| 114 | Default is false. |
| 115 | options_outputResourceEdges: boolean, Optional. If true, the result will output resource edges, starting |
| 116 | from the policy attached resource, to any expanded resources. |
| 117 | Default is false. |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 118 | options_expandResources: boolean, Optional. If true, the resource section of the result will expand any |
| 119 | resource attached to an IAM policy to include resources lower in the |
| 120 | resource hierarchy. |
| 121 | |
| 122 | For example, if the request analyzes for which resources user A has |
| 123 | permission P, and the results include an IAM policy with P on a GCP |
| 124 | folder, the results will also include resources in that folder with |
| 125 | permission P. |
| 126 | |
| 127 | If resource_selector is specified, the resource section of the result |
| 128 | will be determined by the selector, and this flag will have no effect. |
| 129 | Default is false. |
Bu Sun Kim | 4ed7d3f | 2020-05-27 12:20:54 -0700 | [diff] [blame^] | 130 | analysisQuery_accessSelector_roles: string, Optional. The roles to appear in result. (repeated) |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 131 | options_expandRoles: boolean, Optional. If true, the access section of result will expand any roles |
| 132 | appearing in IAM policy bindings to include their permissions. |
| 133 | |
| 134 | If access_selector is specified, the access section of the result |
| 135 | will be determined by the selector, and this flag will have no effect. |
| 136 | |
| 137 | Default is false. |
Bu Sun Kim | 4ed7d3f | 2020-05-27 12:20:54 -0700 | [diff] [blame^] | 138 | analysisQuery_accessSelector_permissions: string, Optional. The permissions to appear in result. (repeated) |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 139 | options_executionTimeout: string, Optional. Amount of time executable has to complete. See JSON representation of |
| 140 | [Duration](https://developers.google.com/protocol-buffers/docs/proto3#json). |
| 141 | |
| 142 | If this field is set with a value less than the RPC deadline, and the |
| 143 | execution of your query hasn't finished in the specified |
| 144 | execution timeout, you will get a response with partial result. |
| 145 | Otherwise, your query's execution will continue until the RPC deadline. |
| 146 | If it's not finished until then, you will get a DEADLINE_EXCEEDED error. |
| 147 | |
| 148 | Default is empty. |
| 149 | options_outputGroupEdges: boolean, Optional. If true, the result will output group identity edges, starting |
| 150 | from the binding's group members, to any expanded identities. |
| 151 | Default is false. |
| 152 | options_expandGroups: boolean, Optional. If true, the identities section of the result will expand any |
| 153 | Google groups appearing in an IAM policy binding. |
| 154 | |
| 155 | If identity_selector is specified, the identity in the result will |
| 156 | be determined by the selector, and this flag will have no effect. |
| 157 | |
| 158 | Default is false. |
Bu Sun Kim | 4ed7d3f | 2020-05-27 12:20:54 -0700 | [diff] [blame^] | 159 | analysisQuery_identitySelector_identity: string, Required. The identity appear in the form of members in |
| 160 | [IAM policy |
| 161 | binding](https://cloud.google.com/iam/reference/rest/v1/Binding). |
| 162 | analysisQuery_resourceSelector_fullResourceName: string, Required. The [full resource |
| 163 | name](https://cloud.google.com/apis/design/resource_names#full_resource_name) |
| 164 | . |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 165 | x__xgafv: string, V1 error format. |
| 166 | Allowed values |
| 167 | 1 - v1 error format |
| 168 | 2 - v2 error format |
| 169 | |
| 170 | Returns: |
| 171 | An object of the form: |
| 172 | |
| 173 | { # A response message for AssetService.AnalyzeIamPolicy. |
| 174 | "fullyExplored": True or False, # Represents whether all entries in the main_analysis and |
| 175 | # service_account_impersonation_analysis have been fully explored to |
| 176 | # answer the query in the request. |
| 177 | "nonCriticalErrors": [ # A list of non-critical errors happened during the request handling to |
| 178 | # explain why `fully_explored` is false, or empty if no error happened. |
| 179 | { # Represents analysis state of each node in the result graph or non-critical |
| 180 | # errors in the response. |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 181 | "code": "A String", # The Google standard error code that best describes the state. |
| 182 | # For example: |
| 183 | # - OK means the node has been successfully explored; |
| 184 | # - PERMISSION_DENIED means an access denied error is encountered; |
| 185 | # - DEADLINE_EXCEEDED means the node hasn't been explored in time; |
Bu Sun Kim | 4ed7d3f | 2020-05-27 12:20:54 -0700 | [diff] [blame^] | 186 | "cause": "A String", # The human-readable description of the cause of failure. |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 187 | }, |
| 188 | ], |
| 189 | "mainAnalysis": { # An analysis message to group the query and results. # The main analysis that matches the original request. |
Bu Sun Kim | 4ed7d3f | 2020-05-27 12:20:54 -0700 | [diff] [blame^] | 190 | "fullyExplored": True or False, # Represents whether all entries in the analysis_results have been |
| 191 | # fully explored to answer the query. |
| 192 | "analysisQuery": { # IAM policy analysis query message. # The analysis query. |
| 193 | "parent": "A String", # Required. The relative name of the root asset. Only resources and IAM policies within |
| 194 | # the parent will be analyzed. This can only be an organization number (such |
| 195 | # as "organizations/123") or a folder number (such as "folders/123"). |
| 196 | "resourceSelector": { # Specifies the resource to analyze for access policies, which may be set # Optional. Specifies a resource for analysis. Leaving it empty means ANY. |
| 197 | # directly on the resource, or on ancestors such as organizations, folders or |
| 198 | # projects. At least one of ResourceSelector, IdentitySelector or |
| 199 | # AccessSelector must be specified in a request. |
| 200 | "fullResourceName": "A String", # Required. The [full resource |
| 201 | # name](https://cloud.google.com/apis/design/resource_names#full_resource_name) |
| 202 | # . |
| 203 | }, |
| 204 | "accessSelector": { # Specifies roles and/or permissions to analyze, to determine both the # Optional. Specifies roles or permissions for analysis. Leaving it empty |
| 205 | # means ANY. |
| 206 | # identities possessing them and the resources they control. If multiple |
| 207 | # values are specified, results will include identities and resources |
| 208 | # matching any of them. |
| 209 | "roles": [ # Optional. The roles to appear in result. |
| 210 | "A String", |
| 211 | ], |
| 212 | "permissions": [ # Optional. The permissions to appear in result. |
| 213 | "A String", |
| 214 | ], |
| 215 | }, |
| 216 | "identitySelector": { # Specifies an identity for which to determine resource access, based on # Optional. Specifies an identity for analysis. Leaving it empty means ANY. |
| 217 | # roles assigned either directly to them or to the groups they belong to, |
| 218 | # directly or indirectly. |
| 219 | "identity": "A String", # Required. The identity appear in the form of members in |
| 220 | # [IAM policy |
| 221 | # binding](https://cloud.google.com/iam/reference/rest/v1/Binding). |
| 222 | }, |
| 223 | }, |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 224 | "analysisResults": [ # A list of IamPolicyAnalysisResult that matches the analysis query, or |
| 225 | # empty if no result is found. |
| 226 | { # IAM Policy analysis result, consisting of one IAM policy binding and derived |
| 227 | # access control lists. |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 228 | "iamBinding": { # Associates `members` with a `role`. # The Cloud IAM policy binding under analysis. |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 229 | "members": [ # Specifies the identities requesting access for a Cloud Platform resource. |
| 230 | # `members` can have the following values: |
| 231 | # |
| 232 | # * `allUsers`: A special identifier that represents anyone who is |
| 233 | # on the internet; with or without a Google account. |
| 234 | # |
| 235 | # * `allAuthenticatedUsers`: A special identifier that represents anyone |
| 236 | # who is authenticated with a Google account or a service account. |
| 237 | # |
| 238 | # * `user:{emailid}`: An email address that represents a specific Google |
| 239 | # account. For example, `alice@example.com` . |
| 240 | # |
| 241 | # |
| 242 | # * `serviceAccount:{emailid}`: An email address that represents a service |
| 243 | # account. For example, `my-other-app@appspot.gserviceaccount.com`. |
| 244 | # |
| 245 | # * `group:{emailid}`: An email address that represents a Google group. |
| 246 | # For example, `admins@example.com`. |
| 247 | # |
| 248 | # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique |
| 249 | # identifier) representing a user that has been recently deleted. For |
| 250 | # example, `alice@example.com?uid=123456789012345678901`. If the user is |
| 251 | # recovered, this value reverts to `user:{emailid}` and the recovered user |
| 252 | # retains the role in the binding. |
| 253 | # |
| 254 | # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus |
| 255 | # unique identifier) representing a service account that has been recently |
| 256 | # deleted. For example, |
| 257 | # `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. |
| 258 | # If the service account is undeleted, this value reverts to |
| 259 | # `serviceAccount:{emailid}` and the undeleted service account retains the |
| 260 | # role in the binding. |
| 261 | # |
| 262 | # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique |
| 263 | # identifier) representing a Google group that has been recently |
| 264 | # deleted. For example, `admins@example.com?uid=123456789012345678901`. If |
| 265 | # the group is recovered, this value reverts to `group:{emailid}` and the |
| 266 | # recovered group retains the role in the binding. |
| 267 | # |
| 268 | # |
| 269 | # * `domain:{domain}`: The G Suite domain (primary) that represents all the |
| 270 | # users of that domain. For example, `google.com` or `example.com`. |
| 271 | # |
| 272 | "A String", |
| 273 | ], |
Bu Sun Kim | 4ed7d3f | 2020-05-27 12:20:54 -0700 | [diff] [blame^] | 274 | "role": "A String", # Role that is assigned to `members`. |
| 275 | # For example, `roles/viewer`, `roles/editor`, or `roles/owner`. |
| 276 | "condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding. |
| 277 | # |
| 278 | # If the condition evaluates to `true`, then this binding applies to the |
| 279 | # current request. |
| 280 | # |
| 281 | # If the condition evaluates to `false`, then this binding does not apply to |
| 282 | # the current request. However, a different role binding might grant the same |
| 283 | # role to one or more of the members in this binding. |
| 284 | # |
| 285 | # To learn which resources support conditions in their IAM policies, see the |
| 286 | # [IAM |
| 287 | # documentation](https://cloud.google.com/iam/help/conditions/resource-policies). |
| 288 | # syntax. CEL is a C-like expression language. The syntax and semantics of CEL |
| 289 | # are documented at https://github.com/google/cel-spec. |
| 290 | # |
| 291 | # Example (Comparison): |
| 292 | # |
| 293 | # title: "Summary size limit" |
| 294 | # description: "Determines if a summary is less than 100 chars" |
| 295 | # expression: "document.summary.size() < 100" |
| 296 | # |
| 297 | # Example (Equality): |
| 298 | # |
| 299 | # title: "Requestor is owner" |
| 300 | # description: "Determines if requestor is the document owner" |
| 301 | # expression: "document.owner == request.auth.claims.email" |
| 302 | # |
| 303 | # Example (Logic): |
| 304 | # |
| 305 | # title: "Public documents" |
| 306 | # description: "Determine whether the document should be publicly visible" |
| 307 | # expression: "document.type != 'private' && document.type != 'internal'" |
| 308 | # |
| 309 | # Example (Data Manipulation): |
| 310 | # |
| 311 | # title: "Notification string" |
| 312 | # description: "Create a notification string with a timestamp." |
| 313 | # expression: "'New message received at ' + string(document.create_time)" |
| 314 | # |
| 315 | # The exact variables and functions that may be referenced within an expression |
| 316 | # are determined by the service that evaluates it. See the service |
| 317 | # documentation for additional information. |
| 318 | "title": "A String", # Optional. Title for the expression, i.e. a short string describing |
| 319 | # its purpose. This can be used e.g. in UIs which allow to enter the |
| 320 | # expression. |
| 321 | "location": "A String", # Optional. String indicating the location of the expression for error |
| 322 | # reporting, e.g. a file name and a position in the file. |
| 323 | "description": "A String", # Optional. Description of the expression. This is a longer text which |
| 324 | # describes the expression, e.g. when hovered over it in a UI. |
| 325 | "expression": "A String", # Textual representation of an expression in Common Expression Language |
| 326 | # syntax. |
| 327 | }, |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 328 | }, |
| 329 | "accessControlLists": [ # The access control lists derived from the iam_binding that match or |
| 330 | # potentially match resource and access selectors specified in the request. |
| 331 | { # An access control list, derived from the above IAM policy binding, which |
| 332 | # contains a set of resources and accesses. May include one |
| 333 | # item from each set to compose an access control entry. |
| 334 | # |
| 335 | # NOTICE that there could be multiple access control lists for one IAM policy |
| 336 | # binding. The access control lists are created based on resource and access |
| 337 | # combinations. |
| 338 | # |
| 339 | # For example, assume we have the following cases in one IAM policy binding: |
| 340 | # - Permission P1 and P2 apply to resource R1 and R2; |
| 341 | # - Permission P3 applies to resource R2 and R3; |
| 342 | # |
| 343 | # This will result in the following access control lists: |
| 344 | # - AccessControlList 1: [R1, R2], [P1, P2] |
| 345 | # - AccessControlList 2: [R2, R3], [P3] |
Bu Sun Kim | 4ed7d3f | 2020-05-27 12:20:54 -0700 | [diff] [blame^] | 346 | "accesses": [ # The accesses that match one of the following conditions: |
| 347 | # - The access_selector, if it is specified in request; |
| 348 | # - Otherwise, access specifiers reachable from the policy binding's role. |
| 349 | { # A role or permission that appears in an access control list. |
| 350 | "permission": "A String", # The permission. |
| 351 | "analysisState": { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this access node. |
| 352 | # errors in the response. |
| 353 | "code": "A String", # The Google standard error code that best describes the state. |
| 354 | # For example: |
| 355 | # - OK means the node has been successfully explored; |
| 356 | # - PERMISSION_DENIED means an access denied error is encountered; |
| 357 | # - DEADLINE_EXCEEDED means the node hasn't been explored in time; |
| 358 | "cause": "A String", # The human-readable description of the cause of failure. |
| 359 | }, |
| 360 | "role": "A String", # The role. |
| 361 | }, |
| 362 | ], |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 363 | "resourceEdges": [ # Resource edges of the graph starting from the policy attached |
| 364 | # resource to any descendant resources. The Edge.source_node contains |
| 365 | # the full resource name of a parent resource and Edge.target_node |
| 366 | # contains the full resource name of a child resource. This field is |
| 367 | # present only if the output_resource_edges option is enabled in request. |
| 368 | { # A directional edge. |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 369 | "sourceNode": "A String", # The source node of the edge. |
Bu Sun Kim | 4ed7d3f | 2020-05-27 12:20:54 -0700 | [diff] [blame^] | 370 | "targetNode": "A String", # The target node of the edge. |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 371 | }, |
| 372 | ], |
| 373 | "resources": [ # The resources that match one of the following conditions: |
| 374 | # - The resource_selector, if it is specified in request; |
| 375 | # - Otherwise, resources reachable from the policy attached resource. |
| 376 | { # A GCP resource that appears in an access control list. |
| 377 | "fullResourceName": "A String", # The [full resource name](https://aip.dev/122#full-resource-names). |
| 378 | "analysisState": { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this resource node. |
| 379 | # errors in the response. |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 380 | "code": "A String", # The Google standard error code that best describes the state. |
| 381 | # For example: |
| 382 | # - OK means the node has been successfully explored; |
| 383 | # - PERMISSION_DENIED means an access denied error is encountered; |
| 384 | # - DEADLINE_EXCEEDED means the node hasn't been explored in time; |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 385 | "cause": "A String", # The human-readable description of the cause of failure. |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 386 | }, |
| 387 | }, |
| 388 | ], |
| 389 | }, |
| 390 | ], |
| 391 | "fullyExplored": True or False, # Represents whether all nodes in the transitive closure of the |
| 392 | # iam_binding node have been explored. |
Bu Sun Kim | 4ed7d3f | 2020-05-27 12:20:54 -0700 | [diff] [blame^] | 393 | "identityList": { # The identity list derived from members of the iam_binding that match or |
| 394 | # potentially match identity selector specified in the request. |
| 395 | "identities": [ # Only the identities that match one of the following conditions will be |
| 396 | # presented: |
| 397 | # - The identity_selector, if it is specified in request; |
| 398 | # - Otherwise, identities reachable from the policy binding's members. |
| 399 | { # An identity that appears in an access control list. |
| 400 | "analysisState": { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this identity node. |
| 401 | # errors in the response. |
| 402 | "code": "A String", # The Google standard error code that best describes the state. |
| 403 | # For example: |
| 404 | # - OK means the node has been successfully explored; |
| 405 | # - PERMISSION_DENIED means an access denied error is encountered; |
| 406 | # - DEADLINE_EXCEEDED means the node hasn't been explored in time; |
| 407 | "cause": "A String", # The human-readable description of the cause of failure. |
| 408 | }, |
| 409 | "name": "A String", # The identity name in any form of members appear in |
| 410 | # [IAM policy |
| 411 | # binding](https://cloud.google.com/iam/reference/rest/v1/Binding), such |
| 412 | # as: |
| 413 | # - user:foo@google.com |
| 414 | # - group:group1@google.com |
| 415 | # - serviceAccount:s1@prj1.iam.gserviceaccount.com |
| 416 | # - projectOwner:some_project_id |
| 417 | # - domain:google.com |
| 418 | # - allUsers |
| 419 | # - etc. |
| 420 | }, |
| 421 | ], |
| 422 | "groupEdges": [ # Group identity edges of the graph starting from the binding's |
| 423 | # group members to any node of the identities. The Edge.source_node |
| 424 | # contains a group, such as "group:parent@google.com". The |
| 425 | # Edge.target_node contains a member of the group, |
| 426 | # such as "group:child@google.com" or "user:foo@google.com". |
| 427 | # This field is present only if the output_group_edges option is enabled in |
| 428 | # request. |
| 429 | { # A directional edge. |
| 430 | "sourceNode": "A String", # The source node of the edge. |
| 431 | "targetNode": "A String", # The target node of the edge. |
| 432 | }, |
| 433 | ], |
| 434 | }, |
| 435 | "attachedResourceFullName": "A String", # The full name of the resource to which the iam_binding policy attaches. |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 436 | }, |
| 437 | ], |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 438 | }, |
| 439 | "serviceAccountImpersonationAnalysis": [ # The service account impersonation analysis if |
| 440 | # AnalyzeIamPolicyRequest.analyze_service_account_impersonation is |
| 441 | # enabled. |
| 442 | { # An analysis message to group the query and results. |
Bu Sun Kim | 4ed7d3f | 2020-05-27 12:20:54 -0700 | [diff] [blame^] | 443 | "fullyExplored": True or False, # Represents whether all entries in the analysis_results have been |
| 444 | # fully explored to answer the query. |
| 445 | "analysisQuery": { # IAM policy analysis query message. # The analysis query. |
| 446 | "parent": "A String", # Required. The relative name of the root asset. Only resources and IAM policies within |
| 447 | # the parent will be analyzed. This can only be an organization number (such |
| 448 | # as "organizations/123") or a folder number (such as "folders/123"). |
| 449 | "resourceSelector": { # Specifies the resource to analyze for access policies, which may be set # Optional. Specifies a resource for analysis. Leaving it empty means ANY. |
| 450 | # directly on the resource, or on ancestors such as organizations, folders or |
| 451 | # projects. At least one of ResourceSelector, IdentitySelector or |
| 452 | # AccessSelector must be specified in a request. |
| 453 | "fullResourceName": "A String", # Required. The [full resource |
| 454 | # name](https://cloud.google.com/apis/design/resource_names#full_resource_name) |
| 455 | # . |
| 456 | }, |
| 457 | "accessSelector": { # Specifies roles and/or permissions to analyze, to determine both the # Optional. Specifies roles or permissions for analysis. Leaving it empty |
| 458 | # means ANY. |
| 459 | # identities possessing them and the resources they control. If multiple |
| 460 | # values are specified, results will include identities and resources |
| 461 | # matching any of them. |
| 462 | "roles": [ # Optional. The roles to appear in result. |
| 463 | "A String", |
| 464 | ], |
| 465 | "permissions": [ # Optional. The permissions to appear in result. |
| 466 | "A String", |
| 467 | ], |
| 468 | }, |
| 469 | "identitySelector": { # Specifies an identity for which to determine resource access, based on # Optional. Specifies an identity for analysis. Leaving it empty means ANY. |
| 470 | # roles assigned either directly to them or to the groups they belong to, |
| 471 | # directly or indirectly. |
| 472 | "identity": "A String", # Required. The identity appear in the form of members in |
| 473 | # [IAM policy |
| 474 | # binding](https://cloud.google.com/iam/reference/rest/v1/Binding). |
| 475 | }, |
| 476 | }, |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 477 | "analysisResults": [ # A list of IamPolicyAnalysisResult that matches the analysis query, or |
| 478 | # empty if no result is found. |
| 479 | { # IAM Policy analysis result, consisting of one IAM policy binding and derived |
| 480 | # access control lists. |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 481 | "iamBinding": { # Associates `members` with a `role`. # The Cloud IAM policy binding under analysis. |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 482 | "members": [ # Specifies the identities requesting access for a Cloud Platform resource. |
| 483 | # `members` can have the following values: |
| 484 | # |
| 485 | # * `allUsers`: A special identifier that represents anyone who is |
| 486 | # on the internet; with or without a Google account. |
| 487 | # |
| 488 | # * `allAuthenticatedUsers`: A special identifier that represents anyone |
| 489 | # who is authenticated with a Google account or a service account. |
| 490 | # |
| 491 | # * `user:{emailid}`: An email address that represents a specific Google |
| 492 | # account. For example, `alice@example.com` . |
| 493 | # |
| 494 | # |
| 495 | # * `serviceAccount:{emailid}`: An email address that represents a service |
| 496 | # account. For example, `my-other-app@appspot.gserviceaccount.com`. |
| 497 | # |
| 498 | # * `group:{emailid}`: An email address that represents a Google group. |
| 499 | # For example, `admins@example.com`. |
| 500 | # |
| 501 | # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique |
| 502 | # identifier) representing a user that has been recently deleted. For |
| 503 | # example, `alice@example.com?uid=123456789012345678901`. If the user is |
| 504 | # recovered, this value reverts to `user:{emailid}` and the recovered user |
| 505 | # retains the role in the binding. |
| 506 | # |
| 507 | # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus |
| 508 | # unique identifier) representing a service account that has been recently |
| 509 | # deleted. For example, |
| 510 | # `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. |
| 511 | # If the service account is undeleted, this value reverts to |
| 512 | # `serviceAccount:{emailid}` and the undeleted service account retains the |
| 513 | # role in the binding. |
| 514 | # |
| 515 | # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique |
| 516 | # identifier) representing a Google group that has been recently |
| 517 | # deleted. For example, `admins@example.com?uid=123456789012345678901`. If |
| 518 | # the group is recovered, this value reverts to `group:{emailid}` and the |
| 519 | # recovered group retains the role in the binding. |
| 520 | # |
| 521 | # |
| 522 | # * `domain:{domain}`: The G Suite domain (primary) that represents all the |
| 523 | # users of that domain. For example, `google.com` or `example.com`. |
| 524 | # |
| 525 | "A String", |
| 526 | ], |
Bu Sun Kim | 4ed7d3f | 2020-05-27 12:20:54 -0700 | [diff] [blame^] | 527 | "role": "A String", # Role that is assigned to `members`. |
| 528 | # For example, `roles/viewer`, `roles/editor`, or `roles/owner`. |
| 529 | "condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding. |
| 530 | # |
| 531 | # If the condition evaluates to `true`, then this binding applies to the |
| 532 | # current request. |
| 533 | # |
| 534 | # If the condition evaluates to `false`, then this binding does not apply to |
| 535 | # the current request. However, a different role binding might grant the same |
| 536 | # role to one or more of the members in this binding. |
| 537 | # |
| 538 | # To learn which resources support conditions in their IAM policies, see the |
| 539 | # [IAM |
| 540 | # documentation](https://cloud.google.com/iam/help/conditions/resource-policies). |
| 541 | # syntax. CEL is a C-like expression language. The syntax and semantics of CEL |
| 542 | # are documented at https://github.com/google/cel-spec. |
| 543 | # |
| 544 | # Example (Comparison): |
| 545 | # |
| 546 | # title: "Summary size limit" |
| 547 | # description: "Determines if a summary is less than 100 chars" |
| 548 | # expression: "document.summary.size() < 100" |
| 549 | # |
| 550 | # Example (Equality): |
| 551 | # |
| 552 | # title: "Requestor is owner" |
| 553 | # description: "Determines if requestor is the document owner" |
| 554 | # expression: "document.owner == request.auth.claims.email" |
| 555 | # |
| 556 | # Example (Logic): |
| 557 | # |
| 558 | # title: "Public documents" |
| 559 | # description: "Determine whether the document should be publicly visible" |
| 560 | # expression: "document.type != 'private' && document.type != 'internal'" |
| 561 | # |
| 562 | # Example (Data Manipulation): |
| 563 | # |
| 564 | # title: "Notification string" |
| 565 | # description: "Create a notification string with a timestamp." |
| 566 | # expression: "'New message received at ' + string(document.create_time)" |
| 567 | # |
| 568 | # The exact variables and functions that may be referenced within an expression |
| 569 | # are determined by the service that evaluates it. See the service |
| 570 | # documentation for additional information. |
| 571 | "title": "A String", # Optional. Title for the expression, i.e. a short string describing |
| 572 | # its purpose. This can be used e.g. in UIs which allow to enter the |
| 573 | # expression. |
| 574 | "location": "A String", # Optional. String indicating the location of the expression for error |
| 575 | # reporting, e.g. a file name and a position in the file. |
| 576 | "description": "A String", # Optional. Description of the expression. This is a longer text which |
| 577 | # describes the expression, e.g. when hovered over it in a UI. |
| 578 | "expression": "A String", # Textual representation of an expression in Common Expression Language |
| 579 | # syntax. |
| 580 | }, |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 581 | }, |
| 582 | "accessControlLists": [ # The access control lists derived from the iam_binding that match or |
| 583 | # potentially match resource and access selectors specified in the request. |
| 584 | { # An access control list, derived from the above IAM policy binding, which |
| 585 | # contains a set of resources and accesses. May include one |
| 586 | # item from each set to compose an access control entry. |
| 587 | # |
| 588 | # NOTICE that there could be multiple access control lists for one IAM policy |
| 589 | # binding. The access control lists are created based on resource and access |
| 590 | # combinations. |
| 591 | # |
| 592 | # For example, assume we have the following cases in one IAM policy binding: |
| 593 | # - Permission P1 and P2 apply to resource R1 and R2; |
| 594 | # - Permission P3 applies to resource R2 and R3; |
| 595 | # |
| 596 | # This will result in the following access control lists: |
| 597 | # - AccessControlList 1: [R1, R2], [P1, P2] |
| 598 | # - AccessControlList 2: [R2, R3], [P3] |
Bu Sun Kim | 4ed7d3f | 2020-05-27 12:20:54 -0700 | [diff] [blame^] | 599 | "accesses": [ # The accesses that match one of the following conditions: |
| 600 | # - The access_selector, if it is specified in request; |
| 601 | # - Otherwise, access specifiers reachable from the policy binding's role. |
| 602 | { # A role or permission that appears in an access control list. |
| 603 | "permission": "A String", # The permission. |
| 604 | "analysisState": { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this access node. |
| 605 | # errors in the response. |
| 606 | "code": "A String", # The Google standard error code that best describes the state. |
| 607 | # For example: |
| 608 | # - OK means the node has been successfully explored; |
| 609 | # - PERMISSION_DENIED means an access denied error is encountered; |
| 610 | # - DEADLINE_EXCEEDED means the node hasn't been explored in time; |
| 611 | "cause": "A String", # The human-readable description of the cause of failure. |
| 612 | }, |
| 613 | "role": "A String", # The role. |
| 614 | }, |
| 615 | ], |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 616 | "resourceEdges": [ # Resource edges of the graph starting from the policy attached |
| 617 | # resource to any descendant resources. The Edge.source_node contains |
| 618 | # the full resource name of a parent resource and Edge.target_node |
| 619 | # contains the full resource name of a child resource. This field is |
| 620 | # present only if the output_resource_edges option is enabled in request. |
| 621 | { # A directional edge. |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 622 | "sourceNode": "A String", # The source node of the edge. |
Bu Sun Kim | 4ed7d3f | 2020-05-27 12:20:54 -0700 | [diff] [blame^] | 623 | "targetNode": "A String", # The target node of the edge. |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 624 | }, |
| 625 | ], |
| 626 | "resources": [ # The resources that match one of the following conditions: |
| 627 | # - The resource_selector, if it is specified in request; |
| 628 | # - Otherwise, resources reachable from the policy attached resource. |
| 629 | { # A GCP resource that appears in an access control list. |
| 630 | "fullResourceName": "A String", # The [full resource name](https://aip.dev/122#full-resource-names). |
| 631 | "analysisState": { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this resource node. |
| 632 | # errors in the response. |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 633 | "code": "A String", # The Google standard error code that best describes the state. |
| 634 | # For example: |
| 635 | # - OK means the node has been successfully explored; |
| 636 | # - PERMISSION_DENIED means an access denied error is encountered; |
| 637 | # - DEADLINE_EXCEEDED means the node hasn't been explored in time; |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 638 | "cause": "A String", # The human-readable description of the cause of failure. |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 639 | }, |
| 640 | }, |
| 641 | ], |
| 642 | }, |
| 643 | ], |
| 644 | "fullyExplored": True or False, # Represents whether all nodes in the transitive closure of the |
| 645 | # iam_binding node have been explored. |
Bu Sun Kim | 4ed7d3f | 2020-05-27 12:20:54 -0700 | [diff] [blame^] | 646 | "identityList": { # The identity list derived from members of the iam_binding that match or |
| 647 | # potentially match identity selector specified in the request. |
| 648 | "identities": [ # Only the identities that match one of the following conditions will be |
| 649 | # presented: |
| 650 | # - The identity_selector, if it is specified in request; |
| 651 | # - Otherwise, identities reachable from the policy binding's members. |
| 652 | { # An identity that appears in an access control list. |
| 653 | "analysisState": { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this identity node. |
| 654 | # errors in the response. |
| 655 | "code": "A String", # The Google standard error code that best describes the state. |
| 656 | # For example: |
| 657 | # - OK means the node has been successfully explored; |
| 658 | # - PERMISSION_DENIED means an access denied error is encountered; |
| 659 | # - DEADLINE_EXCEEDED means the node hasn't been explored in time; |
| 660 | "cause": "A String", # The human-readable description of the cause of failure. |
| 661 | }, |
| 662 | "name": "A String", # The identity name in any form of members appear in |
| 663 | # [IAM policy |
| 664 | # binding](https://cloud.google.com/iam/reference/rest/v1/Binding), such |
| 665 | # as: |
| 666 | # - user:foo@google.com |
| 667 | # - group:group1@google.com |
| 668 | # - serviceAccount:s1@prj1.iam.gserviceaccount.com |
| 669 | # - projectOwner:some_project_id |
| 670 | # - domain:google.com |
| 671 | # - allUsers |
| 672 | # - etc. |
| 673 | }, |
| 674 | ], |
| 675 | "groupEdges": [ # Group identity edges of the graph starting from the binding's |
| 676 | # group members to any node of the identities. The Edge.source_node |
| 677 | # contains a group, such as "group:parent@google.com". The |
| 678 | # Edge.target_node contains a member of the group, |
| 679 | # such as "group:child@google.com" or "user:foo@google.com". |
| 680 | # This field is present only if the output_group_edges option is enabled in |
| 681 | # request. |
| 682 | { # A directional edge. |
| 683 | "sourceNode": "A String", # The source node of the edge. |
| 684 | "targetNode": "A String", # The target node of the edge. |
| 685 | }, |
| 686 | ], |
| 687 | }, |
| 688 | "attachedResourceFullName": "A String", # The full name of the resource to which the iam_binding policy attaches. |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 689 | }, |
| 690 | ], |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 691 | }, |
| 692 | ], |
| 693 | }</pre> |
| 694 | </div> |
| 695 | |
| 696 | <div class="method"> |
| 697 | <code class="details" id="exportIamPolicyAnalysis">exportIamPolicyAnalysis(parent, body=None, x__xgafv=None)</code> |
| 698 | <pre>Exports IAM policy analysis based on the specified request. This API |
| 699 | implements the google.longrunning.Operation API allowing you to keep |
| 700 | track of the export. The metadata contains the request to help callers to |
| 701 | map responses to requests. |
| 702 | |
| 703 | Args: |
| 704 | parent: string, Required. The relative name of the root asset. Only resources and IAM policies within |
| 705 | the parent will be analyzed. This can only be an organization number (such |
| 706 | as "organizations/123") or a folder number (such as "folders/123"). (required) |
| 707 | body: object, The request body. |
| 708 | The object takes the form of: |
| 709 | |
| 710 | { # A request message for AssetService.ExportIamPolicyAnalysis. |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 711 | "options": { # Contains request options. # Optional. The request options. |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 712 | "analyzeServiceAccountImpersonation": True or False, # Optional. If true, the response will include access analysis from identities to |
| 713 | # resources via service account impersonation. This is a very expensive |
| 714 | # operation, because many derived queries will be executed. |
| 715 | # |
| 716 | # For example, if the request analyzes for which resources user A has |
| 717 | # permission P, and there's an IAM policy states user A has |
| 718 | # iam.serviceAccounts.getAccessToken permission to a service account SA, |
| 719 | # and there's another IAM policy states service account SA has permission P |
| 720 | # to a GCP folder F, then user A potentially has access to the GCP folder |
| 721 | # F. And those advanced analysis results will be included in |
| 722 | # AnalyzeIamPolicyResponse.service_account_impersonation_analysis. |
| 723 | # |
| 724 | # Another example, if the request analyzes for who has |
| 725 | # permission P to a GCP folder F, and there's an IAM policy states user A |
| 726 | # has iam.serviceAccounts.actAs permission to a service account SA, and |
| 727 | # there's another IAM policy states service account SA has permission P to |
| 728 | # the GCP folder F, then user A potentially has access to the GCP folder |
| 729 | # F. And those advanced analysis results will be included in |
| 730 | # AnalyzeIamPolicyResponse.service_account_impersonation_analysis. |
| 731 | # |
| 732 | # Default is false. |
| 733 | "expandResources": True or False, # Optional. If true, the resource section of the result will expand any |
| 734 | # resource attached to an IAM policy to include resources lower in the |
| 735 | # resource hierarchy. |
| 736 | # |
| 737 | # For example, if the request analyzes for which resources user A has |
| 738 | # permission P, and the results include an IAM policy with P on a GCP |
| 739 | # folder, the results will also include resources in that folder with |
| 740 | # permission P. |
| 741 | # |
| 742 | # If resource_selector is specified, the resource section of the result |
| 743 | # will be determined by the selector, and this flag will have no effect. |
| 744 | # Default is false. |
| 745 | "outputGroupEdges": True or False, # Optional. If true, the result will output group identity edges, starting |
| 746 | # from the binding's group members, to any expanded identities. |
| 747 | # Default is false. |
Bu Sun Kim | 4ed7d3f | 2020-05-27 12:20:54 -0700 | [diff] [blame^] | 748 | "outputResourceEdges": True or False, # Optional. If true, the result will output resource edges, starting |
| 749 | # from the policy attached resource, to any expanded resources. |
| 750 | # Default is false. |
| 751 | "expandRoles": True or False, # Optional. If true, the access section of result will expand any roles |
| 752 | # appearing in IAM policy bindings to include their permissions. |
| 753 | # |
| 754 | # If access_selector is specified, the access section of the result |
| 755 | # will be determined by the selector, and this flag will have no effect. |
| 756 | # |
| 757 | # Default is false. |
| 758 | "expandGroups": True or False, # Optional. If true, the identities section of the result will expand any |
| 759 | # Google groups appearing in an IAM policy binding. |
| 760 | # |
| 761 | # If identity_selector is specified, the identity in the result will |
| 762 | # be determined by the selector, and this flag will have no effect. |
| 763 | # |
| 764 | # Default is false. |
| 765 | }, |
| 766 | "outputConfig": { # Output configuration for export IAM policy analysis destination. # Required. Output configuration indicating where the results will be output to. |
| 767 | "gcsDestination": { # A Cloud Storage location. # Destination on Cloud Storage. |
| 768 | "uri": "A String", # Required. The uri of the Cloud Storage object. It's the same uri that is used by |
| 769 | # gsutil. For example: "gs://bucket_name/object_name". See [Viewing and |
| 770 | # Editing Object |
| 771 | # Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata) |
| 772 | # for more information. |
| 773 | }, |
| 774 | }, |
| 775 | "analysisQuery": { # IAM policy analysis query message. # Required. The request query. |
| 776 | "parent": "A String", # Required. The relative name of the root asset. Only resources and IAM policies within |
| 777 | # the parent will be analyzed. This can only be an organization number (such |
| 778 | # as "organizations/123") or a folder number (such as "folders/123"). |
| 779 | "resourceSelector": { # Specifies the resource to analyze for access policies, which may be set # Optional. Specifies a resource for analysis. Leaving it empty means ANY. |
| 780 | # directly on the resource, or on ancestors such as organizations, folders or |
| 781 | # projects. At least one of ResourceSelector, IdentitySelector or |
| 782 | # AccessSelector must be specified in a request. |
| 783 | "fullResourceName": "A String", # Required. The [full resource |
| 784 | # name](https://cloud.google.com/apis/design/resource_names#full_resource_name) |
| 785 | # . |
| 786 | }, |
| 787 | "accessSelector": { # Specifies roles and/or permissions to analyze, to determine both the # Optional. Specifies roles or permissions for analysis. Leaving it empty |
| 788 | # means ANY. |
| 789 | # identities possessing them and the resources they control. If multiple |
| 790 | # values are specified, results will include identities and resources |
| 791 | # matching any of them. |
| 792 | "roles": [ # Optional. The roles to appear in result. |
| 793 | "A String", |
| 794 | ], |
| 795 | "permissions": [ # Optional. The permissions to appear in result. |
| 796 | "A String", |
| 797 | ], |
| 798 | }, |
| 799 | "identitySelector": { # Specifies an identity for which to determine resource access, based on # Optional. Specifies an identity for analysis. Leaving it empty means ANY. |
| 800 | # roles assigned either directly to them or to the groups they belong to, |
| 801 | # directly or indirectly. |
| 802 | "identity": "A String", # Required. The identity appear in the form of members in |
| 803 | # [IAM policy |
| 804 | # binding](https://cloud.google.com/iam/reference/rest/v1/Binding). |
| 805 | }, |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 806 | }, |
| 807 | } |
| 808 | |
| 809 | x__xgafv: string, V1 error format. |
| 810 | Allowed values |
| 811 | 1 - v1 error format |
| 812 | 2 - v2 error format |
| 813 | |
| 814 | Returns: |
| 815 | An object of the form: |
| 816 | |
| 817 | { # This resource represents a long-running operation that is the result of a |
| 818 | # network API call. |
Bu Sun Kim | 4ed7d3f | 2020-05-27 12:20:54 -0700 | [diff] [blame^] | 819 | "name": "A String", # The server-assigned name, which is only unique within the same service that |
| 820 | # originally returns it. If you use the default HTTP mapping, the |
| 821 | # `name` should be a resource name ending with `operations/{unique_id}`. |
| 822 | "error": { # The `Status` type defines a logical error model that is suitable for # The error result of the operation in case of failure or cancellation. |
| 823 | # different programming environments, including REST APIs and RPC APIs. It is |
| 824 | # used by [gRPC](https://github.com/grpc). Each `Status` message contains |
| 825 | # three pieces of data: error code, error message, and error details. |
| 826 | # |
| 827 | # You can find out more about this error model and how to work with it in the |
| 828 | # [API Design Guide](https://cloud.google.com/apis/design/errors). |
| 829 | "message": "A String", # A developer-facing error message, which should be in English. Any |
| 830 | # user-facing error message should be localized and sent in the |
| 831 | # google.rpc.Status.details field, or localized by the client. |
| 832 | "details": [ # A list of messages that carry the error details. There is a common set of |
| 833 | # message types for APIs to use. |
| 834 | { |
| 835 | "a_key": "", # Properties of the object. Contains field @type with type URL. |
| 836 | }, |
| 837 | ], |
| 838 | "code": 42, # The status code, which should be an enum value of google.rpc.Code. |
| 839 | }, |
| 840 | "metadata": { # Service-specific metadata associated with the operation. It typically |
| 841 | # contains progress information and common metadata such as create time. |
| 842 | # Some services might not provide such metadata. Any method that returns a |
| 843 | # long-running operation should document the metadata type, if any. |
| 844 | "a_key": "", # Properties of the object. Contains field @type with type URL. |
| 845 | }, |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 846 | "done": True or False, # If the value is `false`, it means the operation is still in progress. |
| 847 | # If `true`, the operation is completed, and either `error` or `response` is |
| 848 | # available. |
| 849 | "response": { # The normal response of the operation in case of success. If the original |
| 850 | # method returns no data on success, such as `Delete`, the response is |
| 851 | # `google.protobuf.Empty`. If the original method is standard |
| 852 | # `Get`/`Create`/`Update`, the response should be the resource. For other |
| 853 | # methods, the response should have the type `XxxResponse`, where `Xxx` |
| 854 | # is the original method name. For example, if the original method name |
| 855 | # is `TakeSnapshot()`, the inferred response type is |
| 856 | # `TakeSnapshotResponse`. |
| 857 | "a_key": "", # Properties of the object. Contains field @type with type URL. |
| 858 | }, |
Bu Sun Kim | 6502091 | 2020-05-20 12:08:20 -0700 | [diff] [blame] | 859 | }</pre> |
| 860 | </div> |
| 861 | |
| 862 | </body></html> |