Blame - docs/dyn/cloudasset_v1p4beta1.v1p4beta1.html - platform/external/python/google-api-python-client

<code><a href="#analyzeIamPolicy">analyzeIamPolicy(parent, options_analyzeServiceAccountImpersonation=None, options_outputResourceEdges=None, options_expandResources=None, analysisQuery_accessSelector_roles=None, options_expandRoles=None, analysisQuery_accessSelector_permissions=None, options_executionTimeout=None, options_outputGroupEdges=None, options_expandGroups=None, analysisQuery_identitySelector_identity=None, analysisQuery_resourceSelector_fullResourceName=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

79

<p class="firstline">Analyzes IAM policies based on the specified request. Returns</p>

80

81

<code><a href="#exportIamPolicyAnalysis">exportIamPolicyAnalysis(parent, body=None, x__xgafv=None)</a></code></p>

82

<p class="firstline">Exports IAM policy analysis based on the specified request. This API</p>

83

<h3>Method Details</h3>

84

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

85

<code class="details" id="analyzeIamPolicy">analyzeIamPolicy(parent, options_analyzeServiceAccountImpersonation=None, options_outputResourceEdges=None, options_expandResources=None, analysisQuery_accessSelector_roles=None, options_expandRoles=None, analysisQuery_accessSelector_permissions=None, options_executionTimeout=None, options_outputGroupEdges=None, options_expandGroups=None, analysisQuery_identitySelector_identity=None, analysisQuery_resourceSelector_fullResourceName=None, x__xgafv=None)</code>

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

86

<pre>Analyzes IAM policies based on the specified request. Returns

87

a list of IamPolicyAnalysisResult matching the request.

88

89

Args:

90

parent: string, Required. The relative name of the root asset. Only resources and IAM policies within

91

the parent will be analyzed. This can only be an organization number (such

92

as "organizations/123") or a folder number (such as "folders/123"). (required)

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

93

options_analyzeServiceAccountImpersonation: boolean, Optional. If true, the response will include access analysis from identities to

94

resources via service account impersonation. This is a very expensive

95

operation, because many derived queries will be executed. We highly

96

recommend you use ExportIamPolicyAnalysis rpc instead.

97

98

For example, if the request analyzes for which resources user A has

99

permission P, and there's an IAM policy states user A has

100

iam.serviceAccounts.getAccessToken permission to a service account SA,

101

and there's another IAM policy states service account SA has permission P

102

to a GCP folder F, then user A potentially has access to the GCP folder

103

F. And those advanced analysis results will be included in

104

AnalyzeIamPolicyResponse.service_account_impersonation_analysis.

105

106

Another example, if the request analyzes for who has

107

permission P to a GCP folder F, and there's an IAM policy states user A

108

has iam.serviceAccounts.actAs permission to a service account SA, and

109

there's another IAM policy states service account SA has permission P to

110

the GCP folder F, then user A potentially has access to the GCP folder

111

F. And those advanced analysis results will be included in

112

AnalyzeIamPolicyResponse.service_account_impersonation_analysis.

113

114

Default is false.

115

options_outputResourceEdges: boolean, Optional. If true, the result will output resource edges, starting

116

from the policy attached resource, to any expanded resources.

117

Default is false.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

118

options_expandResources: boolean, Optional. If true, the resource section of the result will expand any

119

resource attached to an IAM policy to include resources lower in the

120

resource hierarchy.

121

122

For example, if the request analyzes for which resources user A has

123

permission P, and the results include an IAM policy with P on a GCP

124

folder, the results will also include resources in that folder with

125

permission P.

126

127

If resource_selector is specified, the resource section of the result

128

will be determined by the selector, and this flag will have no effect.

129

Default is false.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

130

analysisQuery_accessSelector_roles: string, Optional. The roles to appear in result. (repeated)

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

131

options_expandRoles: boolean, Optional. If true, the access section of result will expand any roles

132

appearing in IAM policy bindings to include their permissions.

133

134

If access_selector is specified, the access section of the result

135

will be determined by the selector, and this flag will have no effect.

136

137

Default is false.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

138

analysisQuery_accessSelector_permissions: string, Optional. The permissions to appear in result. (repeated)

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

139

options_executionTimeout: string, Optional. Amount of time executable has to complete. See JSON representation of

140

[Duration](https://developers.google.com/protocol-buffers/docs/proto3#json).

141

142

If this field is set with a value less than the RPC deadline, and the

143

execution of your query hasn't finished in the specified

144

execution timeout, you will get a response with partial result.

145

Otherwise, your query's execution will continue until the RPC deadline.

146

If it's not finished until then, you will get a DEADLINE_EXCEEDED error.

147

148

Default is empty.

149

options_outputGroupEdges: boolean, Optional. If true, the result will output group identity edges, starting

150

from the binding's group members, to any expanded identities.

151

Default is false.

152

options_expandGroups: boolean, Optional. If true, the identities section of the result will expand any

153

Google groups appearing in an IAM policy binding.

154

155

If identity_selector is specified, the identity in the result will

156

be determined by the selector, and this flag will have no effect.

157

158

Default is false.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

159

analysisQuery_identitySelector_identity: string, Required. The identity appear in the form of members in

160

[IAM policy

161

binding](https://cloud.google.com/iam/reference/rest/v1/Binding).

162

analysisQuery_resourceSelector_fullResourceName: string, Required. The [full resource

163

name](https://cloud.google.com/apis/design/resource_names#full_resource_name)

164

.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

165

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

172

173

{ # A response message for AssetService.AnalyzeIamPolicy.

174

"fullyExplored": True or False, # Represents whether all entries in the main_analysis and

175

# service_account_impersonation_analysis have been fully explored to

176

# answer the query in the request.

177

"nonCriticalErrors": [ # A list of non-critical errors happened during the request handling to

178

# explain why `fully_explored` is false, or empty if no error happened.

179

{ # Represents analysis state of each node in the result graph or non-critical

180

# errors in the response.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

181

"code": "A String", # The Google standard error code that best describes the state.

182

# For example:

183

# - OK means the node has been successfully explored;

184

# - PERMISSION_DENIED means an access denied error is encountered;

185

# - DEADLINE_EXCEEDED means the node hasn't been explored in time;

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

186

"cause": "A String", # The human-readable description of the cause of failure.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

187

},

188

],

189

"mainAnalysis": { # An analysis message to group the query and results. # The main analysis that matches the original request.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

190

"fullyExplored": True or False, # Represents whether all entries in the analysis_results have been

191

# fully explored to answer the query.

192

"analysisQuery": { # IAM policy analysis query message. # The analysis query.

193

"parent": "A String", # Required. The relative name of the root asset. Only resources and IAM policies within

194

# the parent will be analyzed. This can only be an organization number (such

195

# as "organizations/123") or a folder number (such as "folders/123").

196

"resourceSelector": { # Specifies the resource to analyze for access policies, which may be set # Optional. Specifies a resource for analysis. Leaving it empty means ANY.

197

# directly on the resource, or on ancestors such as organizations, folders or

198

# projects. At least one of ResourceSelector, IdentitySelector or

199

# AccessSelector must be specified in a request.

200

"fullResourceName": "A String", # Required. The [full resource

201

# name](https://cloud.google.com/apis/design/resource_names#full_resource_name)

202

# .

203

},

204

"accessSelector": { # Specifies roles and/or permissions to analyze, to determine both the # Optional. Specifies roles or permissions for analysis. Leaving it empty

205

# means ANY.

206

# identities possessing them and the resources they control. If multiple

207

# values are specified, results will include identities and resources

208

# matching any of them.

209

"roles": [ # Optional. The roles to appear in result.

210

"A String",

211

],

212

"permissions": [ # Optional. The permissions to appear in result.

"A String",

],

},

"identitySelector": { # Specifies an identity for which to determine resource access, based on # Optional. Specifies an identity for analysis. Leaving it empty means ANY.

217

# roles assigned either directly to them or to the groups they belong to,

218

# directly or indirectly.

219

"identity": "A String", # Required. The identity appear in the form of members in

220

# [IAM policy

221

# binding](https://cloud.google.com/iam/reference/rest/v1/Binding).

222

},

223

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

224

"analysisResults": [ # A list of IamPolicyAnalysisResult that matches the analysis query, or

225

# empty if no result is found.

226

{ # IAM Policy analysis result, consisting of one IAM policy binding and derived

227

# access control lists.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

228

"iamBinding": { # Associates `members` with a `role`. # The Cloud IAM policy binding under analysis.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

229

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

230

# `members` can have the following values:

231

#

232

# * `allUsers`: A special identifier that represents anyone who is

233

# on the internet; with or without a Google account.

234

#

235

# * `allAuthenticatedUsers`: A special identifier that represents anyone

236

# who is authenticated with a Google account or a service account.

237

#

238

# * `user:{emailid}`: An email address that represents a specific Google

239

# account. For example, `alice@example.com` .

240

#

241

#

242

# * `serviceAccount:{emailid}`: An email address that represents a service

243

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

244

#

245

# * `group:{emailid}`: An email address that represents a Google group.

246

# For example, `admins@example.com`.

247

#

248

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

249

# identifier) representing a user that has been recently deleted. For

250

# example, `alice@example.com?uid=123456789012345678901`. If the user is

251

# recovered, this value reverts to `user:{emailid}` and the recovered user

252

# retains the role in the binding.

253

#

254

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

255

# unique identifier) representing a service account that has been recently

256

# deleted. For example,

257

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

258

# If the service account is undeleted, this value reverts to

259

# `serviceAccount:{emailid}` and the undeleted service account retains the

260

# role in the binding.

261

#

262

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

263

# identifier) representing a Google group that has been recently

264

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

265

# the group is recovered, this value reverts to `group:{emailid}` and the

266

# recovered group retains the role in the binding.

267

#

268

#

269

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

270

# users of that domain. For example, `google.com` or `example.com`.

271

#

272

"A String",

273

],

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

274

"role": "A String", # Role that is assigned to `members`.

275

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

276

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

277

#

278

# If the condition evaluates to `true`, then this binding applies to the

279

# current request.

280

#

281

# If the condition evaluates to `false`, then this binding does not apply to

282

# the current request. However, a different role binding might grant the same

283

# role to one or more of the members in this binding.

284

#

285

# To learn which resources support conditions in their IAM policies, see the

286

# [IAM

287

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

288

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

289

# are documented at https://github.com/google/cel-spec.

290

#

291

# Example (Comparison):

292

#

293

# title: "Summary size limit"

294

# description: "Determines if a summary is less than 100 chars"

295

# expression: "document.summary.size() < 100"

296

#

297

# Example (Equality):

298

#

299

# title: "Requestor is owner"

300

# description: "Determines if requestor is the document owner"

301

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

306

# description: "Determine whether the document should be publicly visible"

307

# expression: "document.type != 'private' && document.type != 'internal'"

308

#

309

# Example (Data Manipulation):

310

#

311

# title: "Notification string"

312

# description: "Create a notification string with a timestamp."

313

# expression: "'New message received at ' + string(document.create_time)"

314

#

315

# The exact variables and functions that may be referenced within an expression

316

# are determined by the service that evaluates it. See the service

317

# documentation for additional information.

318

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

319

# its purpose. This can be used e.g. in UIs which allow to enter the

320

# expression.

321

"location": "A String", # Optional. String indicating the location of the expression for error

322

# reporting, e.g. a file name and a position in the file.

323

"description": "A String", # Optional. Description of the expression. This is a longer text which

324

# describes the expression, e.g. when hovered over it in a UI.

325

"expression": "A String", # Textual representation of an expression in Common Expression Language

326

# syntax.

327

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

328

},

329

"accessControlLists": [ # The access control lists derived from the iam_binding that match or

330

# potentially match resource and access selectors specified in the request.

331

{ # An access control list, derived from the above IAM policy binding, which

332

# contains a set of resources and accesses. May include one

333

# item from each set to compose an access control entry.

334

#

335

# NOTICE that there could be multiple access control lists for one IAM policy

336

# binding. The access control lists are created based on resource and access

337

# combinations.

338

#

339

# For example, assume we have the following cases in one IAM policy binding:

340

# - Permission P1 and P2 apply to resource R1 and R2;

341

# - Permission P3 applies to resource R2 and R3;

342

#

343

# This will result in the following access control lists:

344

# - AccessControlList 1: [R1, R2], [P1, P2]

345

# - AccessControlList 2: [R2, R3], [P3]

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

346

"accesses": [ # The accesses that match one of the following conditions:

347

# - The access_selector, if it is specified in request;

348

# - Otherwise, access specifiers reachable from the policy binding's role.

349

{ # A role or permission that appears in an access control list.

350

"permission": "A String", # The permission.

351

"analysisState": { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this access node.

352

# errors in the response.

353

"code": "A String", # The Google standard error code that best describes the state.

354

# For example:

355

# - OK means the node has been successfully explored;

356

# - PERMISSION_DENIED means an access denied error is encountered;

357

# - DEADLINE_EXCEEDED means the node hasn't been explored in time;

358

"cause": "A String", # The human-readable description of the cause of failure.

359

},

360

"role": "A String", # The role.

361

},

362

],

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

363

"resourceEdges": [ # Resource edges of the graph starting from the policy attached

364

# resource to any descendant resources. The Edge.source_node contains

365

# the full resource name of a parent resource and Edge.target_node

366

# contains the full resource name of a child resource. This field is

367

# present only if the output_resource_edges option is enabled in request.

368

{ # A directional edge.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

369

"sourceNode": "A String", # The source node of the edge.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

370

"targetNode": "A String", # The target node of the edge.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

371

},

372

],

373

"resources": [ # The resources that match one of the following conditions:

374

# - The resource_selector, if it is specified in request;

375

# - Otherwise, resources reachable from the policy attached resource.

376

{ # A GCP resource that appears in an access control list.

377

"fullResourceName": "A String", # The [full resource name](https://aip.dev/122#full-resource-names).

378

"analysisState": { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this resource node.

379

# errors in the response.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

380

"code": "A String", # The Google standard error code that best describes the state.

381

# For example:

382

# - OK means the node has been successfully explored;

383

# - PERMISSION_DENIED means an access denied error is encountered;

384

# - DEADLINE_EXCEEDED means the node hasn't been explored in time;

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

385

"cause": "A String", # The human-readable description of the cause of failure.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

},

],

},

],

"fullyExplored": True or False, # Represents whether all nodes in the transitive closure of the

392

# iam_binding node have been explored.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

393

"identityList": { # The identity list derived from members of the iam_binding that match or

394

# potentially match identity selector specified in the request.

395

"identities": [ # Only the identities that match one of the following conditions will be

396

# presented:

397

# - The identity_selector, if it is specified in request;

398

# - Otherwise, identities reachable from the policy binding's members.

399

{ # An identity that appears in an access control list.

400

"analysisState": { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this identity node.

401

# errors in the response.

402

"code": "A String", # The Google standard error code that best describes the state.

403

# For example:

404

# - OK means the node has been successfully explored;

405

# - PERMISSION_DENIED means an access denied error is encountered;

406

# - DEADLINE_EXCEEDED means the node hasn't been explored in time;

407

"cause": "A String", # The human-readable description of the cause of failure.

408

},

409

"name": "A String", # The identity name in any form of members appear in

410

# [IAM policy

411

# binding](https://cloud.google.com/iam/reference/rest/v1/Binding), such

412

# as:

413

# - user:foo@google.com

414

# - group:group1@google.com

415

# - serviceAccount:s1@prj1.iam.gserviceaccount.com

416

# - projectOwner:some_project_id

417

# - domain:google.com

# - allUsers

# - etc.

},

],

"groupEdges": [ # Group identity edges of the graph starting from the binding's

423

# group members to any node of the identities. The Edge.source_node

424

# contains a group, such as "group:parent@google.com". The

425

# Edge.target_node contains a member of the group,

426

# such as "group:child@google.com" or "user:foo@google.com".

427

# This field is present only if the output_group_edges option is enabled in

428

# request.

429

{ # A directional edge.

430

"sourceNode": "A String", # The source node of the edge.

431

"targetNode": "A String", # The target node of the edge.

},

],

},

"attachedResourceFullName": "A String", # The full name of the resource to which the iam_binding policy attaches.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

436

},

437

],

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

438

},

439

"serviceAccountImpersonationAnalysis": [ # The service account impersonation analysis if

440

# AnalyzeIamPolicyRequest.analyze_service_account_impersonation is

441

# enabled.

442

{ # An analysis message to group the query and results.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

443

"fullyExplored": True or False, # Represents whether all entries in the analysis_results have been

444

# fully explored to answer the query.

445

"analysisQuery": { # IAM policy analysis query message. # The analysis query.

446

"parent": "A String", # Required. The relative name of the root asset. Only resources and IAM policies within

447

# the parent will be analyzed. This can only be an organization number (such

448

# as "organizations/123") or a folder number (such as "folders/123").

449

"resourceSelector": { # Specifies the resource to analyze for access policies, which may be set # Optional. Specifies a resource for analysis. Leaving it empty means ANY.

450

# directly on the resource, or on ancestors such as organizations, folders or

451

# projects. At least one of ResourceSelector, IdentitySelector or

452

# AccessSelector must be specified in a request.

453

"fullResourceName": "A String", # Required. The [full resource

454

# name](https://cloud.google.com/apis/design/resource_names#full_resource_name)

455

# .

456

},

457

"accessSelector": { # Specifies roles and/or permissions to analyze, to determine both the # Optional. Specifies roles or permissions for analysis. Leaving it empty

458

# means ANY.

459

# identities possessing them and the resources they control. If multiple

460

# values are specified, results will include identities and resources

461

# matching any of them.

462

"roles": [ # Optional. The roles to appear in result.

463

"A String",

464

],

465

"permissions": [ # Optional. The permissions to appear in result.

"A String",

],

},

"identitySelector": { # Specifies an identity for which to determine resource access, based on # Optional. Specifies an identity for analysis. Leaving it empty means ANY.

470

# roles assigned either directly to them or to the groups they belong to,

471

# directly or indirectly.

472

"identity": "A String", # Required. The identity appear in the form of members in

473

# [IAM policy

474

# binding](https://cloud.google.com/iam/reference/rest/v1/Binding).

475

},

476

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

477

"analysisResults": [ # A list of IamPolicyAnalysisResult that matches the analysis query, or

478

# empty if no result is found.

479

{ # IAM Policy analysis result, consisting of one IAM policy binding and derived

480

# access control lists.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

481

"iamBinding": { # Associates `members` with a `role`. # The Cloud IAM policy binding under analysis.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

482

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

483

# `members` can have the following values:

484

#

485

# * `allUsers`: A special identifier that represents anyone who is

486

# on the internet; with or without a Google account.

487

#

488

# * `allAuthenticatedUsers`: A special identifier that represents anyone

489

# who is authenticated with a Google account or a service account.

490

#

491

# * `user:{emailid}`: An email address that represents a specific Google

492

# account. For example, `alice@example.com` .

493

#

494

#

495

# * `serviceAccount:{emailid}`: An email address that represents a service

496

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

497

#

498

# * `group:{emailid}`: An email address that represents a Google group.

499

# For example, `admins@example.com`.

500

#

501

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

502

# identifier) representing a user that has been recently deleted. For

503

# example, `alice@example.com?uid=123456789012345678901`. If the user is

504

# recovered, this value reverts to `user:{emailid}` and the recovered user

505

# retains the role in the binding.

506

#

507

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

508

# unique identifier) representing a service account that has been recently

509

# deleted. For example,

510

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

511

# If the service account is undeleted, this value reverts to

512

# `serviceAccount:{emailid}` and the undeleted service account retains the

513

# role in the binding.

514

#

515

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

516

# identifier) representing a Google group that has been recently

517

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

518

# the group is recovered, this value reverts to `group:{emailid}` and the

519

# recovered group retains the role in the binding.

520

#

521

#

522

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

523

# users of that domain. For example, `google.com` or `example.com`.

524

#

525

"A String",

526

],

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

527

"role": "A String", # Role that is assigned to `members`.

528

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

529

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

530

#

531

# If the condition evaluates to `true`, then this binding applies to the

532

# current request.

533

#

534

# If the condition evaluates to `false`, then this binding does not apply to

535

# the current request. However, a different role binding might grant the same

536

# role to one or more of the members in this binding.

537

#

538

# To learn which resources support conditions in their IAM policies, see the

539

# [IAM

540

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

541

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

542

# are documented at https://github.com/google/cel-spec.

543

#

544

# Example (Comparison):

545

#

546

# title: "Summary size limit"

547

# description: "Determines if a summary is less than 100 chars"

548

# expression: "document.summary.size() < 100"

549

#

550

# Example (Equality):

551

#

552

# title: "Requestor is owner"

553

# description: "Determines if requestor is the document owner"

554

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

559

# description: "Determine whether the document should be publicly visible"

560

# expression: "document.type != 'private' && document.type != 'internal'"

561

#

562

# Example (Data Manipulation):

563

#

564

# title: "Notification string"

565

# description: "Create a notification string with a timestamp."

566

# expression: "'New message received at ' + string(document.create_time)"

567

#

568

# The exact variables and functions that may be referenced within an expression

569

# are determined by the service that evaluates it. See the service

570

# documentation for additional information.

571

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

572

# its purpose. This can be used e.g. in UIs which allow to enter the

573

# expression.

574

"location": "A String", # Optional. String indicating the location of the expression for error

575

# reporting, e.g. a file name and a position in the file.

576

"description": "A String", # Optional. Description of the expression. This is a longer text which

577

# describes the expression, e.g. when hovered over it in a UI.

578

"expression": "A String", # Textual representation of an expression in Common Expression Language

579

# syntax.

580

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

581

},

582

"accessControlLists": [ # The access control lists derived from the iam_binding that match or

583

# potentially match resource and access selectors specified in the request.

584

{ # An access control list, derived from the above IAM policy binding, which

585

# contains a set of resources and accesses. May include one

586

# item from each set to compose an access control entry.

587

#

588

# NOTICE that there could be multiple access control lists for one IAM policy

589

# binding. The access control lists are created based on resource and access

590

# combinations.

591

#

592

# For example, assume we have the following cases in one IAM policy binding:

593

# - Permission P1 and P2 apply to resource R1 and R2;

594

# - Permission P3 applies to resource R2 and R3;

595

#

596

# This will result in the following access control lists:

597

# - AccessControlList 1: [R1, R2], [P1, P2]

598

# - AccessControlList 2: [R2, R3], [P3]

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

599

"accesses": [ # The accesses that match one of the following conditions:

600

# - The access_selector, if it is specified in request;

601

# - Otherwise, access specifiers reachable from the policy binding's role.

602

{ # A role or permission that appears in an access control list.

603

"permission": "A String", # The permission.

604

"analysisState": { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this access node.

605

# errors in the response.

606

"code": "A String", # The Google standard error code that best describes the state.

607

# For example:

608

# - OK means the node has been successfully explored;

609

# - PERMISSION_DENIED means an access denied error is encountered;

610

# - DEADLINE_EXCEEDED means the node hasn't been explored in time;

611

"cause": "A String", # The human-readable description of the cause of failure.

612

},

613

"role": "A String", # The role.

614

},

615

],

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

616

"resourceEdges": [ # Resource edges of the graph starting from the policy attached

617

# resource to any descendant resources. The Edge.source_node contains

618

# the full resource name of a parent resource and Edge.target_node

619

# contains the full resource name of a child resource. This field is

620

# present only if the output_resource_edges option is enabled in request.

621

{ # A directional edge.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

622

"sourceNode": "A String", # The source node of the edge.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

623

"targetNode": "A String", # The target node of the edge.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

624

},

625

],

626

"resources": [ # The resources that match one of the following conditions:

627

# - The resource_selector, if it is specified in request;

628

# - Otherwise, resources reachable from the policy attached resource.

629

{ # A GCP resource that appears in an access control list.

630

"fullResourceName": "A String", # The [full resource name](https://aip.dev/122#full-resource-names).

631

"analysisState": { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this resource node.

632

# errors in the response.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

633

"code": "A String", # The Google standard error code that best describes the state.

634

# For example:

635

# - OK means the node has been successfully explored;

636

# - PERMISSION_DENIED means an access denied error is encountered;

637

# - DEADLINE_EXCEEDED means the node hasn't been explored in time;

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

638

"cause": "A String", # The human-readable description of the cause of failure.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

},

],

},

],

"fullyExplored": True or False, # Represents whether all nodes in the transitive closure of the

645

# iam_binding node have been explored.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

646

"identityList": { # The identity list derived from members of the iam_binding that match or

647

# potentially match identity selector specified in the request.

648

"identities": [ # Only the identities that match one of the following conditions will be

649

# presented:

650

# - The identity_selector, if it is specified in request;

651

# - Otherwise, identities reachable from the policy binding's members.

652

{ # An identity that appears in an access control list.

653

"analysisState": { # Represents analysis state of each node in the result graph or non-critical # The analysis state of this identity node.

654

# errors in the response.

655

"code": "A String", # The Google standard error code that best describes the state.

656

# For example:

657

# - OK means the node has been successfully explored;

658

# - PERMISSION_DENIED means an access denied error is encountered;

659

# - DEADLINE_EXCEEDED means the node hasn't been explored in time;

660

"cause": "A String", # The human-readable description of the cause of failure.

661

},

662

"name": "A String", # The identity name in any form of members appear in

663

# [IAM policy

664

# binding](https://cloud.google.com/iam/reference/rest/v1/Binding), such

665

# as:

666

# - user:foo@google.com

667

# - group:group1@google.com

668

# - serviceAccount:s1@prj1.iam.gserviceaccount.com

669

# - projectOwner:some_project_id

670

# - domain:google.com

# - allUsers

# - etc.

},

],

"groupEdges": [ # Group identity edges of the graph starting from the binding's

676

# group members to any node of the identities. The Edge.source_node

677

# contains a group, such as "group:parent@google.com". The

678

# Edge.target_node contains a member of the group,

679

# such as "group:child@google.com" or "user:foo@google.com".

680

# This field is present only if the output_group_edges option is enabled in

681

# request.

682

{ # A directional edge.

683

"sourceNode": "A String", # The source node of the edge.

684

"targetNode": "A String", # The target node of the edge.

},

],

},

"attachedResourceFullName": "A String", # The full name of the resource to which the iam_binding policy attaches.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

689

},

690

],

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

}</pre>

</div>

<code class="details" id="exportIamPolicyAnalysis">exportIamPolicyAnalysis(parent, body=None, x__xgafv=None)</code>

698

<pre>Exports IAM policy analysis based on the specified request. This API

699

implements the google.longrunning.Operation API allowing you to keep

700

track of the export. The metadata contains the request to help callers to

701

map responses to requests.

702

703

Args:

704

parent: string, Required. The relative name of the root asset. Only resources and IAM policies within

705

the parent will be analyzed. This can only be an organization number (such

706

as "organizations/123") or a folder number (such as "folders/123"). (required)

707

body: object, The request body.

708

The object takes the form of:

709

710

{ # A request message for AssetService.ExportIamPolicyAnalysis.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

711

"options": { # Contains request options. # Optional. The request options.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

712

"analyzeServiceAccountImpersonation": True or False, # Optional. If true, the response will include access analysis from identities to

713

# resources via service account impersonation. This is a very expensive

714

# operation, because many derived queries will be executed.

715

#

716

# For example, if the request analyzes for which resources user A has

717

# permission P, and there's an IAM policy states user A has

718

# iam.serviceAccounts.getAccessToken permission to a service account SA,

719

# and there's another IAM policy states service account SA has permission P

720

# to a GCP folder F, then user A potentially has access to the GCP folder

721

# F. And those advanced analysis results will be included in

722

# AnalyzeIamPolicyResponse.service_account_impersonation_analysis.

723

#

724

# Another example, if the request analyzes for who has

725

# permission P to a GCP folder F, and there's an IAM policy states user A

726

# has iam.serviceAccounts.actAs permission to a service account SA, and

727

# there's another IAM policy states service account SA has permission P to

728

# the GCP folder F, then user A potentially has access to the GCP folder

729

# F. And those advanced analysis results will be included in

730

# AnalyzeIamPolicyResponse.service_account_impersonation_analysis.

731

#

732

# Default is false.

733

"expandResources": True or False, # Optional. If true, the resource section of the result will expand any

734

# resource attached to an IAM policy to include resources lower in the

735

# resource hierarchy.

736

#

737

# For example, if the request analyzes for which resources user A has

738

# permission P, and the results include an IAM policy with P on a GCP

739

# folder, the results will also include resources in that folder with

740

# permission P.

741

#

742

# If resource_selector is specified, the resource section of the result

743

# will be determined by the selector, and this flag will have no effect.

744

# Default is false.

745

"outputGroupEdges": True or False, # Optional. If true, the result will output group identity edges, starting

746

# from the binding's group members, to any expanded identities.

747

# Default is false.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

748

"outputResourceEdges": True or False, # Optional. If true, the result will output resource edges, starting

749

# from the policy attached resource, to any expanded resources.

750

# Default is false.

751

"expandRoles": True or False, # Optional. If true, the access section of result will expand any roles

752

# appearing in IAM policy bindings to include their permissions.

753

#

754

# If access_selector is specified, the access section of the result

755

# will be determined by the selector, and this flag will have no effect.

756

#

757

# Default is false.

758

"expandGroups": True or False, # Optional. If true, the identities section of the result will expand any

759

# Google groups appearing in an IAM policy binding.

760

#

761

# If identity_selector is specified, the identity in the result will

762

# be determined by the selector, and this flag will have no effect.

#

# Default is false.

},

"outputConfig": { # Output configuration for export IAM policy analysis destination. # Required. Output configuration indicating where the results will be output to.

767

"gcsDestination": { # A Cloud Storage location. # Destination on Cloud Storage.

768

"uri": "A String", # Required. The uri of the Cloud Storage object. It's the same uri that is used by

769

# gsutil. For example: "gs://bucket_name/object_name". See [Viewing and

770

# Editing Object

771

# Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata)

772

# for more information.

773

},

774

},

775

"analysisQuery": { # IAM policy analysis query message. # Required. The request query.

776

"parent": "A String", # Required. The relative name of the root asset. Only resources and IAM policies within

777

# the parent will be analyzed. This can only be an organization number (such

778

# as "organizations/123") or a folder number (such as "folders/123").

779

"resourceSelector": { # Specifies the resource to analyze for access policies, which may be set # Optional. Specifies a resource for analysis. Leaving it empty means ANY.

780

# directly on the resource, or on ancestors such as organizations, folders or

781

# projects. At least one of ResourceSelector, IdentitySelector or

782

# AccessSelector must be specified in a request.

783

"fullResourceName": "A String", # Required. The [full resource

784

# name](https://cloud.google.com/apis/design/resource_names#full_resource_name)

785

# .

786

},

787

"accessSelector": { # Specifies roles and/or permissions to analyze, to determine both the # Optional. Specifies roles or permissions for analysis. Leaving it empty

788

# means ANY.

789

# identities possessing them and the resources they control. If multiple

790

# values are specified, results will include identities and resources

791

# matching any of them.

792

"roles": [ # Optional. The roles to appear in result.

793

"A String",

794

],

795

"permissions": [ # Optional. The permissions to appear in result.

"A String",

],

},

"identitySelector": { # Specifies an identity for which to determine resource access, based on # Optional. Specifies an identity for analysis. Leaving it empty means ANY.

800

# roles assigned either directly to them or to the groups they belong to,

801

# directly or indirectly.

802

"identity": "A String", # Required. The identity appear in the form of members in

803

# [IAM policy

804

# binding](https://cloud.google.com/iam/reference/rest/v1/Binding).

805

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

816

817

{ # This resource represents a long-running operation that is the result of a

818

# network API call.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

819

"name": "A String", # The server-assigned name, which is only unique within the same service that

820

# originally returns it. If you use the default HTTP mapping, the

821

# `name` should be a resource name ending with `operations/{unique_id}`.

822

"error": { # The `Status` type defines a logical error model that is suitable for # The error result of the operation in case of failure or cancellation.

823

# different programming environments, including REST APIs and RPC APIs. It is

824

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

825

# three pieces of data: error code, error message, and error details.

826

#

827

# You can find out more about this error model and how to work with it in the

828

# [API Design Guide](https://cloud.google.com/apis/design/errors).

829

"message": "A String", # A developer-facing error message, which should be in English. Any

830

# user-facing error message should be localized and sent in the

831

# google.rpc.Status.details field, or localized by the client.

832

"details": [ # A list of messages that carry the error details. There is a common set of

833

# message types for APIs to use.

834

{

835

"a_key": "", # Properties of the object. Contains field @type with type URL.

836

},

837

],

838

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

839

},

840

"metadata": { # Service-specific metadata associated with the operation. It typically

841

# contains progress information and common metadata such as create time.

842

# Some services might not provide such metadata. Any method that returns a

843

# long-running operation should document the metadata type, if any.

844

"a_key": "", # Properties of the object. Contains field @type with type URL.

845

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

846

"done": True or False, # If the value is `false`, it means the operation is still in progress.

847

# If `true`, the operation is completed, and either `error` or `response` is

848

# available.

849

"response": { # The normal response of the operation in case of success. If the original

850

# method returns no data on success, such as `Delete`, the response is

851

# `google.protobuf.Empty`. If the original method is standard

852

# `Get`/`Create`/`Update`, the response should be the resource. For other

853

# methods, the response should have the type `XxxResponse`, where `Xxx`

854

# is the original method name. For example, if the original method name

855

# is `TakeSnapshot()`, the inferred response type is

856

# `TakeSnapshotResponse`.

857

"a_key": "", # Properties of the object. Contains field @type with type URL.

858

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

}</pre>

</div>

</body></html>