blob: 9ecbfc8176fcf9aeccb3b677965222dabbbd9c7d [file] [log] [blame]
Bu Sun Kim65020912020-05-20 12:08:20 -07001<html><body>
2<style>
3
4body, h1, h2, h3, div, span, p, pre, a {
5 margin: 0;
6 padding: 0;
7 border: 0;
8 font-weight: inherit;
9 font-style: inherit;
10 font-size: 100%;
11 font-family: inherit;
12 vertical-align: baseline;
13}
14
15body {
16 font-size: 13px;
17 padding: 1em;
18}
19
20h1 {
21 font-size: 26px;
22 margin-bottom: 1em;
23}
24
25h2 {
26 font-size: 24px;
27 margin-bottom: 1em;
28}
29
30h3 {
31 font-size: 20px;
32 margin-bottom: 1em;
33 margin-top: 1em;
34}
35
36pre, code {
37 line-height: 1.5;
38 font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
39}
40
41pre {
42 margin-top: 0.5em;
43}
44
45h1, h2, h3, p {
46 font-family: Arial, sans serif;
47}
48
49h1, h2, h3 {
50 border-bottom: solid #CCC 1px;
51}
52
53.toc_element {
54 margin-top: 0.5em;
55}
56
57.firstline {
58 margin-left: 2 em;
59}
60
61.method {
62 margin-top: 1em;
63 border: solid 1px #CCC;
64 padding: 1em;
65 background: #EEE;
66}
67
68.details {
69 font-weight: bold;
70 font-size: 14px;
71}
72
73</style>
74
75<h1><a href="cloudasset_v1p4beta1.html">Cloud Asset API</a> . <a href="cloudasset_v1p4beta1.v1p4beta1.html">v1p4beta1</a></h1>
76<h2>Instance Methods</h2>
77<p class="toc_element">
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -070078 <code><a href="#analyzeIamPolicy">analyzeIamPolicy(parent, options_analyzeServiceAccountImpersonation=None, options_outputResourceEdges=None, options_expandResources=None, analysisQuery_accessSelector_roles=None, options_expandRoles=None, analysisQuery_accessSelector_permissions=None, options_executionTimeout=None, options_outputGroupEdges=None, options_expandGroups=None, analysisQuery_identitySelector_identity=None, analysisQuery_resourceSelector_fullResourceName=None, x__xgafv=None)</a></code></p>
Bu Sun Kim65020912020-05-20 12:08:20 -070079<p class="firstline">Analyzes IAM policies based on the specified request. Returns</p>
80<p class="toc_element">
81 <code><a href="#exportIamPolicyAnalysis">exportIamPolicyAnalysis(parent, body=None, x__xgafv=None)</a></code></p>
82<p class="firstline">Exports IAM policy analysis based on the specified request. This API</p>
83<h3>Method Details</h3>
84<div class="method">
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -070085 <code class="details" id="analyzeIamPolicy">analyzeIamPolicy(parent, options_analyzeServiceAccountImpersonation=None, options_outputResourceEdges=None, options_expandResources=None, analysisQuery_accessSelector_roles=None, options_expandRoles=None, analysisQuery_accessSelector_permissions=None, options_executionTimeout=None, options_outputGroupEdges=None, options_expandGroups=None, analysisQuery_identitySelector_identity=None, analysisQuery_resourceSelector_fullResourceName=None, x__xgafv=None)</code>
Bu Sun Kim65020912020-05-20 12:08:20 -070086 <pre>Analyzes IAM policies based on the specified request. Returns
87a list of IamPolicyAnalysisResult matching the request.
88
89Args:
90 parent: string, Required. The relative name of the root asset. Only resources and IAM policies within
91the parent will be analyzed. This can only be an organization number (such
92as &quot;organizations/123&quot;) or a folder number (such as &quot;folders/123&quot;). (required)
Bu Sun Kim65020912020-05-20 12:08:20 -070093 options_analyzeServiceAccountImpersonation: boolean, Optional. If true, the response will include access analysis from identities to
94resources via service account impersonation. This is a very expensive
95operation, because many derived queries will be executed. We highly
96recommend you use ExportIamPolicyAnalysis rpc instead.
97
98For example, if the request analyzes for which resources user A has
99permission P, and there&#x27;s an IAM policy states user A has
100iam.serviceAccounts.getAccessToken permission to a service account SA,
101and there&#x27;s another IAM policy states service account SA has permission P
102to a GCP folder F, then user A potentially has access to the GCP folder
103F. And those advanced analysis results will be included in
104AnalyzeIamPolicyResponse.service_account_impersonation_analysis.
105
106Another example, if the request analyzes for who has
107permission P to a GCP folder F, and there&#x27;s an IAM policy states user A
108has iam.serviceAccounts.actAs permission to a service account SA, and
109there&#x27;s another IAM policy states service account SA has permission P to
110the GCP folder F, then user A potentially has access to the GCP folder
111F. And those advanced analysis results will be included in
112AnalyzeIamPolicyResponse.service_account_impersonation_analysis.
113
114Default is false.
115 options_outputResourceEdges: boolean, Optional. If true, the result will output resource edges, starting
116from the policy attached resource, to any expanded resources.
117Default is false.
Bu Sun Kim65020912020-05-20 12:08:20 -0700118 options_expandResources: boolean, Optional. If true, the resource section of the result will expand any
119resource attached to an IAM policy to include resources lower in the
120resource hierarchy.
121
122For example, if the request analyzes for which resources user A has
123permission P, and the results include an IAM policy with P on a GCP
124folder, the results will also include resources in that folder with
125permission P.
126
127If resource_selector is specified, the resource section of the result
128will be determined by the selector, and this flag will have no effect.
129Default is false.
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -0700130 analysisQuery_accessSelector_roles: string, Optional. The roles to appear in result. (repeated)
Bu Sun Kim65020912020-05-20 12:08:20 -0700131 options_expandRoles: boolean, Optional. If true, the access section of result will expand any roles
132appearing in IAM policy bindings to include their permissions.
133
134If access_selector is specified, the access section of the result
135will be determined by the selector, and this flag will have no effect.
136
137Default is false.
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -0700138 analysisQuery_accessSelector_permissions: string, Optional. The permissions to appear in result. (repeated)
Bu Sun Kim65020912020-05-20 12:08:20 -0700139 options_executionTimeout: string, Optional. Amount of time executable has to complete. See JSON representation of
140[Duration](https://developers.google.com/protocol-buffers/docs/proto3#json).
141
142If this field is set with a value less than the RPC deadline, and the
143execution of your query hasn&#x27;t finished in the specified
144execution timeout, you will get a response with partial result.
145Otherwise, your query&#x27;s execution will continue until the RPC deadline.
146If it&#x27;s not finished until then, you will get a DEADLINE_EXCEEDED error.
147
148Default is empty.
149 options_outputGroupEdges: boolean, Optional. If true, the result will output group identity edges, starting
150from the binding&#x27;s group members, to any expanded identities.
151Default is false.
152 options_expandGroups: boolean, Optional. If true, the identities section of the result will expand any
153Google groups appearing in an IAM policy binding.
154
155If identity_selector is specified, the identity in the result will
156be determined by the selector, and this flag will have no effect.
157
158Default is false.
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -0700159 analysisQuery_identitySelector_identity: string, Required. The identity appear in the form of members in
160[IAM policy
161binding](https://cloud.google.com/iam/reference/rest/v1/Binding).
162 analysisQuery_resourceSelector_fullResourceName: string, Required. The [full resource
163name](https://cloud.google.com/apis/design/resource_names#full_resource_name)
164.
Bu Sun Kim65020912020-05-20 12:08:20 -0700165 x__xgafv: string, V1 error format.
166 Allowed values
167 1 - v1 error format
168 2 - v2 error format
169
170Returns:
171 An object of the form:
172
173 { # A response message for AssetService.AnalyzeIamPolicy.
174 &quot;fullyExplored&quot;: True or False, # Represents whether all entries in the main_analysis and
175 # service_account_impersonation_analysis have been fully explored to
176 # answer the query in the request.
177 &quot;nonCriticalErrors&quot;: [ # A list of non-critical errors happened during the request handling to
178 # explain why `fully_explored` is false, or empty if no error happened.
179 { # Represents analysis state of each node in the result graph or non-critical
180 # errors in the response.
Bu Sun Kim65020912020-05-20 12:08:20 -0700181 &quot;code&quot;: &quot;A String&quot;, # The Google standard error code that best describes the state.
182 # For example:
183 # - OK means the node has been successfully explored;
184 # - PERMISSION_DENIED means an access denied error is encountered;
185 # - DEADLINE_EXCEEDED means the node hasn&#x27;t been explored in time;
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -0700186 &quot;cause&quot;: &quot;A String&quot;, # The human-readable description of the cause of failure.
Bu Sun Kim65020912020-05-20 12:08:20 -0700187 },
188 ],
189 &quot;mainAnalysis&quot;: { # An analysis message to group the query and results. # The main analysis that matches the original request.
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -0700190 &quot;fullyExplored&quot;: True or False, # Represents whether all entries in the analysis_results have been
191 # fully explored to answer the query.
192 &quot;analysisQuery&quot;: { # IAM policy analysis query message. # The analysis query.
193 &quot;parent&quot;: &quot;A String&quot;, # Required. The relative name of the root asset. Only resources and IAM policies within
194 # the parent will be analyzed. This can only be an organization number (such
195 # as &quot;organizations/123&quot;) or a folder number (such as &quot;folders/123&quot;).
196 &quot;resourceSelector&quot;: { # Specifies the resource to analyze for access policies, which may be set # Optional. Specifies a resource for analysis. Leaving it empty means ANY.
197 # directly on the resource, or on ancestors such as organizations, folders or
198 # projects. At least one of ResourceSelector, IdentitySelector or
199 # AccessSelector must be specified in a request.
200 &quot;fullResourceName&quot;: &quot;A String&quot;, # Required. The [full resource
201 # name](https://cloud.google.com/apis/design/resource_names#full_resource_name)
202 # .
203 },
204 &quot;accessSelector&quot;: { # Specifies roles and/or permissions to analyze, to determine both the # Optional. Specifies roles or permissions for analysis. Leaving it empty
205 # means ANY.
206 # identities possessing them and the resources they control. If multiple
207 # values are specified, results will include identities and resources
208 # matching any of them.
209 &quot;roles&quot;: [ # Optional. The roles to appear in result.
210 &quot;A String&quot;,
211 ],
212 &quot;permissions&quot;: [ # Optional. The permissions to appear in result.
213 &quot;A String&quot;,
214 ],
215 },
216 &quot;identitySelector&quot;: { # Specifies an identity for which to determine resource access, based on # Optional. Specifies an identity for analysis. Leaving it empty means ANY.
217 # roles assigned either directly to them or to the groups they belong to,
218 # directly or indirectly.
219 &quot;identity&quot;: &quot;A String&quot;, # Required. The identity appear in the form of members in
220 # [IAM policy
221 # binding](https://cloud.google.com/iam/reference/rest/v1/Binding).
222 },
223 },
Bu Sun Kim65020912020-05-20 12:08:20 -0700224 &quot;analysisResults&quot;: [ # A list of IamPolicyAnalysisResult that matches the analysis query, or
225 # empty if no result is found.
226 { # IAM Policy analysis result, consisting of one IAM policy binding and derived
227 # access control lists.
Bu Sun Kim65020912020-05-20 12:08:20 -0700228 &quot;iamBinding&quot;: { # Associates `members` with a `role`. # The Cloud IAM policy binding under analysis.
Bu Sun Kim65020912020-05-20 12:08:20 -0700229 &quot;members&quot;: [ # Specifies the identities requesting access for a Cloud Platform resource.
230 # `members` can have the following values:
231 #
232 # * `allUsers`: A special identifier that represents anyone who is
233 # on the internet; with or without a Google account.
234 #
235 # * `allAuthenticatedUsers`: A special identifier that represents anyone
236 # who is authenticated with a Google account or a service account.
237 #
238 # * `user:{emailid}`: An email address that represents a specific Google
239 # account. For example, `alice@example.com` .
240 #
241 #
242 # * `serviceAccount:{emailid}`: An email address that represents a service
243 # account. For example, `my-other-app@appspot.gserviceaccount.com`.
244 #
245 # * `group:{emailid}`: An email address that represents a Google group.
246 # For example, `admins@example.com`.
247 #
248 # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
249 # identifier) representing a user that has been recently deleted. For
250 # example, `alice@example.com?uid=123456789012345678901`. If the user is
251 # recovered, this value reverts to `user:{emailid}` and the recovered user
252 # retains the role in the binding.
253 #
254 # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
255 # unique identifier) representing a service account that has been recently
256 # deleted. For example,
257 # `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
258 # If the service account is undeleted, this value reverts to
259 # `serviceAccount:{emailid}` and the undeleted service account retains the
260 # role in the binding.
261 #
262 # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
263 # identifier) representing a Google group that has been recently
264 # deleted. For example, `admins@example.com?uid=123456789012345678901`. If
265 # the group is recovered, this value reverts to `group:{emailid}` and the
266 # recovered group retains the role in the binding.
267 #
268 #
269 # * `domain:{domain}`: The G Suite domain (primary) that represents all the
270 # users of that domain. For example, `google.com` or `example.com`.
271 #
272 &quot;A String&quot;,
273 ],
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -0700274 &quot;role&quot;: &quot;A String&quot;, # Role that is assigned to `members`.
275 # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
276 &quot;condition&quot;: { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.
277 #
278 # If the condition evaluates to `true`, then this binding applies to the
279 # current request.
280 #
281 # If the condition evaluates to `false`, then this binding does not apply to
282 # the current request. However, a different role binding might grant the same
283 # role to one or more of the members in this binding.
284 #
285 # To learn which resources support conditions in their IAM policies, see the
286 # [IAM
287 # documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
288 # syntax. CEL is a C-like expression language. The syntax and semantics of CEL
289 # are documented at https://github.com/google/cel-spec.
290 #
291 # Example (Comparison):
292 #
293 # title: &quot;Summary size limit&quot;
294 # description: &quot;Determines if a summary is less than 100 chars&quot;
295 # expression: &quot;document.summary.size() &lt; 100&quot;
296 #
297 # Example (Equality):
298 #
299 # title: &quot;Requestor is owner&quot;
300 # description: &quot;Determines if requestor is the document owner&quot;
301 # expression: &quot;document.owner == request.auth.claims.email&quot;
302 #
303 # Example (Logic):
304 #
305 # title: &quot;Public documents&quot;
306 # description: &quot;Determine whether the document should be publicly visible&quot;
307 # expression: &quot;document.type != &#x27;private&#x27; &amp;&amp; document.type != &#x27;internal&#x27;&quot;
308 #
309 # Example (Data Manipulation):
310 #
311 # title: &quot;Notification string&quot;
312 # description: &quot;Create a notification string with a timestamp.&quot;
313 # expression: &quot;&#x27;New message received at &#x27; + string(document.create_time)&quot;
314 #
315 # The exact variables and functions that may be referenced within an expression
316 # are determined by the service that evaluates it. See the service
317 # documentation for additional information.
318 &quot;title&quot;: &quot;A String&quot;, # Optional. Title for the expression, i.e. a short string describing
319 # its purpose. This can be used e.g. in UIs which allow to enter the
320 # expression.
321 &quot;location&quot;: &quot;A String&quot;, # Optional. String indicating the location of the expression for error
322 # reporting, e.g. a file name and a position in the file.
323 &quot;description&quot;: &quot;A String&quot;, # Optional. Description of the expression. This is a longer text which
324 # describes the expression, e.g. when hovered over it in a UI.
325 &quot;expression&quot;: &quot;A String&quot;, # Textual representation of an expression in Common Expression Language
326 # syntax.
327 },
Bu Sun Kim65020912020-05-20 12:08:20 -0700328 },
329 &quot;accessControlLists&quot;: [ # The access control lists derived from the iam_binding that match or
330 # potentially match resource and access selectors specified in the request.
331 { # An access control list, derived from the above IAM policy binding, which
332 # contains a set of resources and accesses. May include one
333 # item from each set to compose an access control entry.
334 #
335 # NOTICE that there could be multiple access control lists for one IAM policy
336 # binding. The access control lists are created based on resource and access
337 # combinations.
338 #
339 # For example, assume we have the following cases in one IAM policy binding:
340 # - Permission P1 and P2 apply to resource R1 and R2;
341 # - Permission P3 applies to resource R2 and R3;
342 #
343 # This will result in the following access control lists:
344 # - AccessControlList 1: [R1, R2], [P1, P2]
345 # - AccessControlList 2: [R2, R3], [P3]
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -0700346 &quot;accesses&quot;: [ # The accesses that match one of the following conditions:
347 # - The access_selector, if it is specified in request;
348 # - Otherwise, access specifiers reachable from the policy binding&#x27;s role.
349 { # A role or permission that appears in an access control list.
350 &quot;permission&quot;: &quot;A String&quot;, # The permission.
351 &quot;analysisState&quot;: { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this access node.
352 # errors in the response.
353 &quot;code&quot;: &quot;A String&quot;, # The Google standard error code that best describes the state.
354 # For example:
355 # - OK means the node has been successfully explored;
356 # - PERMISSION_DENIED means an access denied error is encountered;
357 # - DEADLINE_EXCEEDED means the node hasn&#x27;t been explored in time;
358 &quot;cause&quot;: &quot;A String&quot;, # The human-readable description of the cause of failure.
359 },
360 &quot;role&quot;: &quot;A String&quot;, # The role.
361 },
362 ],
Bu Sun Kim65020912020-05-20 12:08:20 -0700363 &quot;resourceEdges&quot;: [ # Resource edges of the graph starting from the policy attached
364 # resource to any descendant resources. The Edge.source_node contains
365 # the full resource name of a parent resource and Edge.target_node
366 # contains the full resource name of a child resource. This field is
367 # present only if the output_resource_edges option is enabled in request.
368 { # A directional edge.
Bu Sun Kim65020912020-05-20 12:08:20 -0700369 &quot;sourceNode&quot;: &quot;A String&quot;, # The source node of the edge.
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -0700370 &quot;targetNode&quot;: &quot;A String&quot;, # The target node of the edge.
Bu Sun Kim65020912020-05-20 12:08:20 -0700371 },
372 ],
373 &quot;resources&quot;: [ # The resources that match one of the following conditions:
374 # - The resource_selector, if it is specified in request;
375 # - Otherwise, resources reachable from the policy attached resource.
376 { # A GCP resource that appears in an access control list.
377 &quot;fullResourceName&quot;: &quot;A String&quot;, # The [full resource name](https://aip.dev/122#full-resource-names).
378 &quot;analysisState&quot;: { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this resource node.
379 # errors in the response.
Bu Sun Kim65020912020-05-20 12:08:20 -0700380 &quot;code&quot;: &quot;A String&quot;, # The Google standard error code that best describes the state.
381 # For example:
382 # - OK means the node has been successfully explored;
383 # - PERMISSION_DENIED means an access denied error is encountered;
384 # - DEADLINE_EXCEEDED means the node hasn&#x27;t been explored in time;
Bu Sun Kim65020912020-05-20 12:08:20 -0700385 &quot;cause&quot;: &quot;A String&quot;, # The human-readable description of the cause of failure.
Bu Sun Kim65020912020-05-20 12:08:20 -0700386 },
387 },
388 ],
389 },
390 ],
391 &quot;fullyExplored&quot;: True or False, # Represents whether all nodes in the transitive closure of the
392 # iam_binding node have been explored.
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -0700393 &quot;identityList&quot;: { # The identity list derived from members of the iam_binding that match or
394 # potentially match identity selector specified in the request.
395 &quot;identities&quot;: [ # Only the identities that match one of the following conditions will be
396 # presented:
397 # - The identity_selector, if it is specified in request;
398 # - Otherwise, identities reachable from the policy binding&#x27;s members.
399 { # An identity that appears in an access control list.
400 &quot;analysisState&quot;: { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this identity node.
401 # errors in the response.
402 &quot;code&quot;: &quot;A String&quot;, # The Google standard error code that best describes the state.
403 # For example:
404 # - OK means the node has been successfully explored;
405 # - PERMISSION_DENIED means an access denied error is encountered;
406 # - DEADLINE_EXCEEDED means the node hasn&#x27;t been explored in time;
407 &quot;cause&quot;: &quot;A String&quot;, # The human-readable description of the cause of failure.
408 },
409 &quot;name&quot;: &quot;A String&quot;, # The identity name in any form of members appear in
410 # [IAM policy
411 # binding](https://cloud.google.com/iam/reference/rest/v1/Binding), such
412 # as:
413 # - user:foo@google.com
414 # - group:group1@google.com
415 # - serviceAccount:s1@prj1.iam.gserviceaccount.com
416 # - projectOwner:some_project_id
417 # - domain:google.com
418 # - allUsers
419 # - etc.
420 },
421 ],
422 &quot;groupEdges&quot;: [ # Group identity edges of the graph starting from the binding&#x27;s
423 # group members to any node of the identities. The Edge.source_node
424 # contains a group, such as &quot;group:parent@google.com&quot;. The
425 # Edge.target_node contains a member of the group,
426 # such as &quot;group:child@google.com&quot; or &quot;user:foo@google.com&quot;.
427 # This field is present only if the output_group_edges option is enabled in
428 # request.
429 { # A directional edge.
430 &quot;sourceNode&quot;: &quot;A String&quot;, # The source node of the edge.
431 &quot;targetNode&quot;: &quot;A String&quot;, # The target node of the edge.
432 },
433 ],
434 },
435 &quot;attachedResourceFullName&quot;: &quot;A String&quot;, # The full name of the resource to which the iam_binding policy attaches.
Bu Sun Kim65020912020-05-20 12:08:20 -0700436 },
437 ],
Bu Sun Kim65020912020-05-20 12:08:20 -0700438 },
439 &quot;serviceAccountImpersonationAnalysis&quot;: [ # The service account impersonation analysis if
440 # AnalyzeIamPolicyRequest.analyze_service_account_impersonation is
441 # enabled.
442 { # An analysis message to group the query and results.
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -0700443 &quot;fullyExplored&quot;: True or False, # Represents whether all entries in the analysis_results have been
444 # fully explored to answer the query.
445 &quot;analysisQuery&quot;: { # IAM policy analysis query message. # The analysis query.
446 &quot;parent&quot;: &quot;A String&quot;, # Required. The relative name of the root asset. Only resources and IAM policies within
447 # the parent will be analyzed. This can only be an organization number (such
448 # as &quot;organizations/123&quot;) or a folder number (such as &quot;folders/123&quot;).
449 &quot;resourceSelector&quot;: { # Specifies the resource to analyze for access policies, which may be set # Optional. Specifies a resource for analysis. Leaving it empty means ANY.
450 # directly on the resource, or on ancestors such as organizations, folders or
451 # projects. At least one of ResourceSelector, IdentitySelector or
452 # AccessSelector must be specified in a request.
453 &quot;fullResourceName&quot;: &quot;A String&quot;, # Required. The [full resource
454 # name](https://cloud.google.com/apis/design/resource_names#full_resource_name)
455 # .
456 },
457 &quot;accessSelector&quot;: { # Specifies roles and/or permissions to analyze, to determine both the # Optional. Specifies roles or permissions for analysis. Leaving it empty
458 # means ANY.
459 # identities possessing them and the resources they control. If multiple
460 # values are specified, results will include identities and resources
461 # matching any of them.
462 &quot;roles&quot;: [ # Optional. The roles to appear in result.
463 &quot;A String&quot;,
464 ],
465 &quot;permissions&quot;: [ # Optional. The permissions to appear in result.
466 &quot;A String&quot;,
467 ],
468 },
469 &quot;identitySelector&quot;: { # Specifies an identity for which to determine resource access, based on # Optional. Specifies an identity for analysis. Leaving it empty means ANY.
470 # roles assigned either directly to them or to the groups they belong to,
471 # directly or indirectly.
472 &quot;identity&quot;: &quot;A String&quot;, # Required. The identity appear in the form of members in
473 # [IAM policy
474 # binding](https://cloud.google.com/iam/reference/rest/v1/Binding).
475 },
476 },
Bu Sun Kim65020912020-05-20 12:08:20 -0700477 &quot;analysisResults&quot;: [ # A list of IamPolicyAnalysisResult that matches the analysis query, or
478 # empty if no result is found.
479 { # IAM Policy analysis result, consisting of one IAM policy binding and derived
480 # access control lists.
Bu Sun Kim65020912020-05-20 12:08:20 -0700481 &quot;iamBinding&quot;: { # Associates `members` with a `role`. # The Cloud IAM policy binding under analysis.
Bu Sun Kim65020912020-05-20 12:08:20 -0700482 &quot;members&quot;: [ # Specifies the identities requesting access for a Cloud Platform resource.
483 # `members` can have the following values:
484 #
485 # * `allUsers`: A special identifier that represents anyone who is
486 # on the internet; with or without a Google account.
487 #
488 # * `allAuthenticatedUsers`: A special identifier that represents anyone
489 # who is authenticated with a Google account or a service account.
490 #
491 # * `user:{emailid}`: An email address that represents a specific Google
492 # account. For example, `alice@example.com` .
493 #
494 #
495 # * `serviceAccount:{emailid}`: An email address that represents a service
496 # account. For example, `my-other-app@appspot.gserviceaccount.com`.
497 #
498 # * `group:{emailid}`: An email address that represents a Google group.
499 # For example, `admins@example.com`.
500 #
501 # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
502 # identifier) representing a user that has been recently deleted. For
503 # example, `alice@example.com?uid=123456789012345678901`. If the user is
504 # recovered, this value reverts to `user:{emailid}` and the recovered user
505 # retains the role in the binding.
506 #
507 # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
508 # unique identifier) representing a service account that has been recently
509 # deleted. For example,
510 # `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
511 # If the service account is undeleted, this value reverts to
512 # `serviceAccount:{emailid}` and the undeleted service account retains the
513 # role in the binding.
514 #
515 # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
516 # identifier) representing a Google group that has been recently
517 # deleted. For example, `admins@example.com?uid=123456789012345678901`. If
518 # the group is recovered, this value reverts to `group:{emailid}` and the
519 # recovered group retains the role in the binding.
520 #
521 #
522 # * `domain:{domain}`: The G Suite domain (primary) that represents all the
523 # users of that domain. For example, `google.com` or `example.com`.
524 #
525 &quot;A String&quot;,
526 ],
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -0700527 &quot;role&quot;: &quot;A String&quot;, # Role that is assigned to `members`.
528 # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
529 &quot;condition&quot;: { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.
530 #
531 # If the condition evaluates to `true`, then this binding applies to the
532 # current request.
533 #
534 # If the condition evaluates to `false`, then this binding does not apply to
535 # the current request. However, a different role binding might grant the same
536 # role to one or more of the members in this binding.
537 #
538 # To learn which resources support conditions in their IAM policies, see the
539 # [IAM
540 # documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
541 # syntax. CEL is a C-like expression language. The syntax and semantics of CEL
542 # are documented at https://github.com/google/cel-spec.
543 #
544 # Example (Comparison):
545 #
546 # title: &quot;Summary size limit&quot;
547 # description: &quot;Determines if a summary is less than 100 chars&quot;
548 # expression: &quot;document.summary.size() &lt; 100&quot;
549 #
550 # Example (Equality):
551 #
552 # title: &quot;Requestor is owner&quot;
553 # description: &quot;Determines if requestor is the document owner&quot;
554 # expression: &quot;document.owner == request.auth.claims.email&quot;
555 #
556 # Example (Logic):
557 #
558 # title: &quot;Public documents&quot;
559 # description: &quot;Determine whether the document should be publicly visible&quot;
560 # expression: &quot;document.type != &#x27;private&#x27; &amp;&amp; document.type != &#x27;internal&#x27;&quot;
561 #
562 # Example (Data Manipulation):
563 #
564 # title: &quot;Notification string&quot;
565 # description: &quot;Create a notification string with a timestamp.&quot;
566 # expression: &quot;&#x27;New message received at &#x27; + string(document.create_time)&quot;
567 #
568 # The exact variables and functions that may be referenced within an expression
569 # are determined by the service that evaluates it. See the service
570 # documentation for additional information.
571 &quot;title&quot;: &quot;A String&quot;, # Optional. Title for the expression, i.e. a short string describing
572 # its purpose. This can be used e.g. in UIs which allow to enter the
573 # expression.
574 &quot;location&quot;: &quot;A String&quot;, # Optional. String indicating the location of the expression for error
575 # reporting, e.g. a file name and a position in the file.
576 &quot;description&quot;: &quot;A String&quot;, # Optional. Description of the expression. This is a longer text which
577 # describes the expression, e.g. when hovered over it in a UI.
578 &quot;expression&quot;: &quot;A String&quot;, # Textual representation of an expression in Common Expression Language
579 # syntax.
580 },
Bu Sun Kim65020912020-05-20 12:08:20 -0700581 },
582 &quot;accessControlLists&quot;: [ # The access control lists derived from the iam_binding that match or
583 # potentially match resource and access selectors specified in the request.
584 { # An access control list, derived from the above IAM policy binding, which
585 # contains a set of resources and accesses. May include one
586 # item from each set to compose an access control entry.
587 #
588 # NOTICE that there could be multiple access control lists for one IAM policy
589 # binding. The access control lists are created based on resource and access
590 # combinations.
591 #
592 # For example, assume we have the following cases in one IAM policy binding:
593 # - Permission P1 and P2 apply to resource R1 and R2;
594 # - Permission P3 applies to resource R2 and R3;
595 #
596 # This will result in the following access control lists:
597 # - AccessControlList 1: [R1, R2], [P1, P2]
598 # - AccessControlList 2: [R2, R3], [P3]
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -0700599 &quot;accesses&quot;: [ # The accesses that match one of the following conditions:
600 # - The access_selector, if it is specified in request;
601 # - Otherwise, access specifiers reachable from the policy binding&#x27;s role.
602 { # A role or permission that appears in an access control list.
603 &quot;permission&quot;: &quot;A String&quot;, # The permission.
604 &quot;analysisState&quot;: { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this access node.
605 # errors in the response.
606 &quot;code&quot;: &quot;A String&quot;, # The Google standard error code that best describes the state.
607 # For example:
608 # - OK means the node has been successfully explored;
609 # - PERMISSION_DENIED means an access denied error is encountered;
610 # - DEADLINE_EXCEEDED means the node hasn&#x27;t been explored in time;
611 &quot;cause&quot;: &quot;A String&quot;, # The human-readable description of the cause of failure.
612 },
613 &quot;role&quot;: &quot;A String&quot;, # The role.
614 },
615 ],
Bu Sun Kim65020912020-05-20 12:08:20 -0700616 &quot;resourceEdges&quot;: [ # Resource edges of the graph starting from the policy attached
617 # resource to any descendant resources. The Edge.source_node contains
618 # the full resource name of a parent resource and Edge.target_node
619 # contains the full resource name of a child resource. This field is
620 # present only if the output_resource_edges option is enabled in request.
621 { # A directional edge.
Bu Sun Kim65020912020-05-20 12:08:20 -0700622 &quot;sourceNode&quot;: &quot;A String&quot;, # The source node of the edge.
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -0700623 &quot;targetNode&quot;: &quot;A String&quot;, # The target node of the edge.
Bu Sun Kim65020912020-05-20 12:08:20 -0700624 },
625 ],
626 &quot;resources&quot;: [ # The resources that match one of the following conditions:
627 # - The resource_selector, if it is specified in request;
628 # - Otherwise, resources reachable from the policy attached resource.
629 { # A GCP resource that appears in an access control list.
630 &quot;fullResourceName&quot;: &quot;A String&quot;, # The [full resource name](https://aip.dev/122#full-resource-names).
631 &quot;analysisState&quot;: { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this resource node.
632 # errors in the response.
Bu Sun Kim65020912020-05-20 12:08:20 -0700633 &quot;code&quot;: &quot;A String&quot;, # The Google standard error code that best describes the state.
634 # For example:
635 # - OK means the node has been successfully explored;
636 # - PERMISSION_DENIED means an access denied error is encountered;
637 # - DEADLINE_EXCEEDED means the node hasn&#x27;t been explored in time;
Bu Sun Kim65020912020-05-20 12:08:20 -0700638 &quot;cause&quot;: &quot;A String&quot;, # The human-readable description of the cause of failure.
Bu Sun Kim65020912020-05-20 12:08:20 -0700639 },
640 },
641 ],
642 },
643 ],
644 &quot;fullyExplored&quot;: True or False, # Represents whether all nodes in the transitive closure of the
645 # iam_binding node have been explored.
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -0700646 &quot;identityList&quot;: { # The identity list derived from members of the iam_binding that match or
647 # potentially match identity selector specified in the request.
648 &quot;identities&quot;: [ # Only the identities that match one of the following conditions will be
649 # presented:
650 # - The identity_selector, if it is specified in request;
651 # - Otherwise, identities reachable from the policy binding&#x27;s members.
652 { # An identity that appears in an access control list.
653 &quot;analysisState&quot;: { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this identity node.
654 # errors in the response.
655 &quot;code&quot;: &quot;A String&quot;, # The Google standard error code that best describes the state.
656 # For example:
657 # - OK means the node has been successfully explored;
658 # - PERMISSION_DENIED means an access denied error is encountered;
659 # - DEADLINE_EXCEEDED means the node hasn&#x27;t been explored in time;
660 &quot;cause&quot;: &quot;A String&quot;, # The human-readable description of the cause of failure.
661 },
662 &quot;name&quot;: &quot;A String&quot;, # The identity name in any form of members appear in
663 # [IAM policy
664 # binding](https://cloud.google.com/iam/reference/rest/v1/Binding), such
665 # as:
666 # - user:foo@google.com
667 # - group:group1@google.com
668 # - serviceAccount:s1@prj1.iam.gserviceaccount.com
669 # - projectOwner:some_project_id
670 # - domain:google.com
671 # - allUsers
672 # - etc.
673 },
674 ],
675 &quot;groupEdges&quot;: [ # Group identity edges of the graph starting from the binding&#x27;s
676 # group members to any node of the identities. The Edge.source_node
677 # contains a group, such as &quot;group:parent@google.com&quot;. The
678 # Edge.target_node contains a member of the group,
679 # such as &quot;group:child@google.com&quot; or &quot;user:foo@google.com&quot;.
680 # This field is present only if the output_group_edges option is enabled in
681 # request.
682 { # A directional edge.
683 &quot;sourceNode&quot;: &quot;A String&quot;, # The source node of the edge.
684 &quot;targetNode&quot;: &quot;A String&quot;, # The target node of the edge.
685 },
686 ],
687 },
688 &quot;attachedResourceFullName&quot;: &quot;A String&quot;, # The full name of the resource to which the iam_binding policy attaches.
Bu Sun Kim65020912020-05-20 12:08:20 -0700689 },
690 ],
Bu Sun Kim65020912020-05-20 12:08:20 -0700691 },
692 ],
693 }</pre>
694</div>
695
696<div class="method">
697 <code class="details" id="exportIamPolicyAnalysis">exportIamPolicyAnalysis(parent, body=None, x__xgafv=None)</code>
698 <pre>Exports IAM policy analysis based on the specified request. This API
699implements the google.longrunning.Operation API allowing you to keep
700track of the export. The metadata contains the request to help callers to
701map responses to requests.
702
703Args:
704 parent: string, Required. The relative name of the root asset. Only resources and IAM policies within
705the parent will be analyzed. This can only be an organization number (such
706as &quot;organizations/123&quot;) or a folder number (such as &quot;folders/123&quot;). (required)
707 body: object, The request body.
708 The object takes the form of:
709
710{ # A request message for AssetService.ExportIamPolicyAnalysis.
Bu Sun Kim65020912020-05-20 12:08:20 -0700711 &quot;options&quot;: { # Contains request options. # Optional. The request options.
Bu Sun Kim65020912020-05-20 12:08:20 -0700712 &quot;analyzeServiceAccountImpersonation&quot;: True or False, # Optional. If true, the response will include access analysis from identities to
713 # resources via service account impersonation. This is a very expensive
714 # operation, because many derived queries will be executed.
715 #
716 # For example, if the request analyzes for which resources user A has
717 # permission P, and there&#x27;s an IAM policy states user A has
718 # iam.serviceAccounts.getAccessToken permission to a service account SA,
719 # and there&#x27;s another IAM policy states service account SA has permission P
720 # to a GCP folder F, then user A potentially has access to the GCP folder
721 # F. And those advanced analysis results will be included in
722 # AnalyzeIamPolicyResponse.service_account_impersonation_analysis.
723 #
724 # Another example, if the request analyzes for who has
725 # permission P to a GCP folder F, and there&#x27;s an IAM policy states user A
726 # has iam.serviceAccounts.actAs permission to a service account SA, and
727 # there&#x27;s another IAM policy states service account SA has permission P to
728 # the GCP folder F, then user A potentially has access to the GCP folder
729 # F. And those advanced analysis results will be included in
730 # AnalyzeIamPolicyResponse.service_account_impersonation_analysis.
731 #
732 # Default is false.
733 &quot;expandResources&quot;: True or False, # Optional. If true, the resource section of the result will expand any
734 # resource attached to an IAM policy to include resources lower in the
735 # resource hierarchy.
736 #
737 # For example, if the request analyzes for which resources user A has
738 # permission P, and the results include an IAM policy with P on a GCP
739 # folder, the results will also include resources in that folder with
740 # permission P.
741 #
742 # If resource_selector is specified, the resource section of the result
743 # will be determined by the selector, and this flag will have no effect.
744 # Default is false.
745 &quot;outputGroupEdges&quot;: True or False, # Optional. If true, the result will output group identity edges, starting
746 # from the binding&#x27;s group members, to any expanded identities.
747 # Default is false.
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -0700748 &quot;outputResourceEdges&quot;: True or False, # Optional. If true, the result will output resource edges, starting
749 # from the policy attached resource, to any expanded resources.
750 # Default is false.
751 &quot;expandRoles&quot;: True or False, # Optional. If true, the access section of result will expand any roles
752 # appearing in IAM policy bindings to include their permissions.
753 #
754 # If access_selector is specified, the access section of the result
755 # will be determined by the selector, and this flag will have no effect.
756 #
757 # Default is false.
758 &quot;expandGroups&quot;: True or False, # Optional. If true, the identities section of the result will expand any
759 # Google groups appearing in an IAM policy binding.
760 #
761 # If identity_selector is specified, the identity in the result will
762 # be determined by the selector, and this flag will have no effect.
763 #
764 # Default is false.
765 },
766 &quot;outputConfig&quot;: { # Output configuration for export IAM policy analysis destination. # Required. Output configuration indicating where the results will be output to.
767 &quot;gcsDestination&quot;: { # A Cloud Storage location. # Destination on Cloud Storage.
768 &quot;uri&quot;: &quot;A String&quot;, # Required. The uri of the Cloud Storage object. It&#x27;s the same uri that is used by
769 # gsutil. For example: &quot;gs://bucket_name/object_name&quot;. See [Viewing and
770 # Editing Object
771 # Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata)
772 # for more information.
773 },
774 },
775 &quot;analysisQuery&quot;: { # IAM policy analysis query message. # Required. The request query.
776 &quot;parent&quot;: &quot;A String&quot;, # Required. The relative name of the root asset. Only resources and IAM policies within
777 # the parent will be analyzed. This can only be an organization number (such
778 # as &quot;organizations/123&quot;) or a folder number (such as &quot;folders/123&quot;).
779 &quot;resourceSelector&quot;: { # Specifies the resource to analyze for access policies, which may be set # Optional. Specifies a resource for analysis. Leaving it empty means ANY.
780 # directly on the resource, or on ancestors such as organizations, folders or
781 # projects. At least one of ResourceSelector, IdentitySelector or
782 # AccessSelector must be specified in a request.
783 &quot;fullResourceName&quot;: &quot;A String&quot;, # Required. The [full resource
784 # name](https://cloud.google.com/apis/design/resource_names#full_resource_name)
785 # .
786 },
787 &quot;accessSelector&quot;: { # Specifies roles and/or permissions to analyze, to determine both the # Optional. Specifies roles or permissions for analysis. Leaving it empty
788 # means ANY.
789 # identities possessing them and the resources they control. If multiple
790 # values are specified, results will include identities and resources
791 # matching any of them.
792 &quot;roles&quot;: [ # Optional. The roles to appear in result.
793 &quot;A String&quot;,
794 ],
795 &quot;permissions&quot;: [ # Optional. The permissions to appear in result.
796 &quot;A String&quot;,
797 ],
798 },
799 &quot;identitySelector&quot;: { # Specifies an identity for which to determine resource access, based on # Optional. Specifies an identity for analysis. Leaving it empty means ANY.
800 # roles assigned either directly to them or to the groups they belong to,
801 # directly or indirectly.
802 &quot;identity&quot;: &quot;A String&quot;, # Required. The identity appear in the form of members in
803 # [IAM policy
804 # binding](https://cloud.google.com/iam/reference/rest/v1/Binding).
805 },
Bu Sun Kim65020912020-05-20 12:08:20 -0700806 },
807 }
808
809 x__xgafv: string, V1 error format.
810 Allowed values
811 1 - v1 error format
812 2 - v2 error format
813
814Returns:
815 An object of the form:
816
817 { # This resource represents a long-running operation that is the result of a
818 # network API call.
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -0700819 &quot;name&quot;: &quot;A String&quot;, # The server-assigned name, which is only unique within the same service that
820 # originally returns it. If you use the default HTTP mapping, the
821 # `name` should be a resource name ending with `operations/{unique_id}`.
822 &quot;error&quot;: { # The `Status` type defines a logical error model that is suitable for # The error result of the operation in case of failure or cancellation.
823 # different programming environments, including REST APIs and RPC APIs. It is
824 # used by [gRPC](https://github.com/grpc). Each `Status` message contains
825 # three pieces of data: error code, error message, and error details.
826 #
827 # You can find out more about this error model and how to work with it in the
828 # [API Design Guide](https://cloud.google.com/apis/design/errors).
829 &quot;message&quot;: &quot;A String&quot;, # A developer-facing error message, which should be in English. Any
830 # user-facing error message should be localized and sent in the
831 # google.rpc.Status.details field, or localized by the client.
832 &quot;details&quot;: [ # A list of messages that carry the error details. There is a common set of
833 # message types for APIs to use.
834 {
835 &quot;a_key&quot;: &quot;&quot;, # Properties of the object. Contains field @type with type URL.
836 },
837 ],
838 &quot;code&quot;: 42, # The status code, which should be an enum value of google.rpc.Code.
839 },
840 &quot;metadata&quot;: { # Service-specific metadata associated with the operation. It typically
841 # contains progress information and common metadata such as create time.
842 # Some services might not provide such metadata. Any method that returns a
843 # long-running operation should document the metadata type, if any.
844 &quot;a_key&quot;: &quot;&quot;, # Properties of the object. Contains field @type with type URL.
845 },
Bu Sun Kim65020912020-05-20 12:08:20 -0700846 &quot;done&quot;: True or False, # If the value is `false`, it means the operation is still in progress.
847 # If `true`, the operation is completed, and either `error` or `response` is
848 # available.
849 &quot;response&quot;: { # The normal response of the operation in case of success. If the original
850 # method returns no data on success, such as `Delete`, the response is
851 # `google.protobuf.Empty`. If the original method is standard
852 # `Get`/`Create`/`Update`, the response should be the resource. For other
853 # methods, the response should have the type `XxxResponse`, where `Xxx`
854 # is the original method name. For example, if the original method name
855 # is `TakeSnapshot()`, the inferred response type is
856 # `TakeSnapshotResponse`.
857 &quot;a_key&quot;: &quot;&quot;, # Properties of the object. Contains field @type with type URL.
858 },
Bu Sun Kim65020912020-05-20 12:08:20 -0700859 }</pre>
860</div>
861
862</body></html>