Blame - docs/dyn/secretmanager_v1beta1.projects.secrets.html - platform/external/python/google-api-python-client

<h1><a href="secretmanager_v1beta1.html">Secret Manager API</a> . <a href="secretmanager_v1beta1.projects.html">projects</a> . <a href="secretmanager_v1beta1.projects.secrets.html">secrets</a></h1>

76

<h2>Instance Methods</h2>

77

78

<code><a href="secretmanager_v1beta1.projects.secrets.versions.html">versions()</a></code>

79

</p>

80

<p class="firstline">Returns the versions Resource.</p>

81

82

83

<code><a href="#addVersion">addVersion(parent, body=None, x__xgafv=None)</a></code></p>

84

<p class="firstline">Creates a new SecretVersion containing secret data and attaches</p>

85

86

<code><a href="#create">create(parent, body=None, secretId=None, x__xgafv=None)</a></code></p>

87

<p class="firstline">Creates a new Secret containing no SecretVersions.</p>

88

89

<code><a href="#delete">delete(name, x__xgafv=None)</a></code></p>

90

<p class="firstline">Deletes a Secret.</p>

91

92

<code><a href="#get">get(name, x__xgafv=None)</a></code></p>

93

<p class="firstline">Gets metadata for a given Secret.</p>

94

95

<code><a href="#getIamPolicy">getIamPolicy(resource, options_requestedPolicyVersion=None, x__xgafv=None)</a></code></p>

96

<p class="firstline">Gets the access control policy for a secret.</p>

97

98

<code><a href="#list">list(parent, pageToken=None, pageSize=None, x__xgafv=None)</a></code></p>

99

<p class="firstline">Lists Secrets.</p>

100

101

<code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>

102

<p class="firstline">Retrieves the next page of results.</p>

103

104

<code><a href="#patch">patch(name, body=None, updateMask=None, x__xgafv=None)</a></code></p>

105

<p class="firstline">Updates metadata of an existing Secret.</p>

106

107

<code><a href="#setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</a></code></p>

108

<p class="firstline">Sets the access control policy on the specified secret. Replaces any</p>

109

110

<code><a href="#testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</a></code></p>

111

<p class="firstline">Returns permissions that a caller has for the specified secret.</p>

112

<h3>Method Details</h3>

113

114

<code class="details" id="addVersion">addVersion(parent, body=None, x__xgafv=None)</code>

115

<pre>Creates a new SecretVersion containing secret data and attaches

116

it to an existing Secret.

117

118

Args:

119

parent: string, Required. The resource name of the Secret to associate with the

120

SecretVersion in the format `projects/*/secrets/*`. (required)

121

body: object, The request body.

122

The object takes the form of:

123

124

{ # Request message for SecretManagerService.AddSecretVersion.

125

"payload": { # A secret payload resource in the Secret Manager API. This contains the # Required. The secret payload of the SecretVersion.

126

# sensitive secret data that is associated with a SecretVersion.

127

"data": "A String", # The secret data. Must be no larger than 64KiB.

},

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

138

139

{ # A secret version resource in the Secret Manager API.

140

"state": "A String", # Output only. The current state of the SecretVersion.

141

"name": "A String", # Output only. The resource name of the SecretVersion in the

142

# format `projects/*/secrets/*/versions/*`.

143

#

144

# SecretVersion IDs in a Secret start at 1 and

145

# are incremented for each subsequent version of the secret.

146

"destroyTime": "A String", # Output only. The time this SecretVersion was destroyed.

147

# Only present if state is

148

# DESTROYED.

149

"createTime": "A String", # Output only. The time at which the SecretVersion was created.

}</pre>

</div>

<code class="details" id="create">create(parent, body=None, secretId=None, x__xgafv=None)</code>

155

<pre>Creates a new Secret containing no SecretVersions.

156

157

Args:

158

parent: string, Required. The resource name of the project to associate with the

159

Secret, in the format `projects/*`. (required)

160

body: object, The request body.

161

The object takes the form of:

162

163

{ # A Secret is a logical secret whose value and versions can

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

164

# be accessed.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

165

#

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

166

# A Secret is made up of zero or more SecretVersions that

167

# represent the secret data.

168

"name": "A String", # Output only. The resource name of the Secret in the format `projects/*/secrets/*`.

169

"replication": { # A policy that defines the replication configuration of data. # Required. Immutable. The replication policy of the secret data attached to the Secret.

170

#

171

# The replication policy cannot be changed after the Secret has been created.

172

"automatic": { # A replication policy that replicates the Secret payload without any # The Secret will automatically be replicated without any restrictions.

173

# restrictions.

174

},

175

"userManaged": { # A replication policy that replicates the Secret payload into the # The Secret will only be replicated into the locations specified.

176

# locations specified in Secret.replication.user_managed.replicas

177

"replicas": [ # Required. The list of Replicas for this Secret.

178

#

179

# Cannot be empty.

180

{ # Represents a Replica for this Secret.

181

"location": "A String", # The canonical IDs of the location to replicate data.

182

# For example: `"us-east1"`.

183

},

184

],

185

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

186

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

187

"createTime": "A String", # Output only. The time at which the Secret was created.

188

"labels": { # The labels assigned to this Secret.

189

#

190

# Label keys must be between 1 and 63 characters long, have a UTF-8 encoding

191

# of maximum 128 bytes, and must conform to the following PCRE regular

192

# expression: `\p{Ll}\p{Lo}{0,62}`

193

#

194

# Label values must be between 0 and 63 characters long, have a UTF-8

195

# encoding of maximum 128 bytes, and must conform to the following PCRE

196

# regular expression: `[\p{Ll}\p{Lo}\p{N}_-]{0,63}`

197

#

198

# No more than 64 labels can be assigned to a given resource.

199

"a_key": "A String",

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

200

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

201

}

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

202

203

secretId: string, Required. This must be unique within the project.

204

205

A secret ID is a string with a maximum length of 255 characters and can

206

contain uppercase and lowercase letters, numerals, and the hyphen (`-`) and

207

underscore (`_`) characters.

208

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

215

216

{ # A Secret is a logical secret whose value and versions can

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

217

# be accessed.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

218

#

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

219

# A Secret is made up of zero or more SecretVersions that

220

# represent the secret data.

221

"name": "A String", # Output only. The resource name of the Secret in the format `projects/*/secrets/*`.

222

"replication": { # A policy that defines the replication configuration of data. # Required. Immutable. The replication policy of the secret data attached to the Secret.

223

#

224

# The replication policy cannot be changed after the Secret has been created.

225

"automatic": { # A replication policy that replicates the Secret payload without any # The Secret will automatically be replicated without any restrictions.

226

# restrictions.

227

},

228

"userManaged": { # A replication policy that replicates the Secret payload into the # The Secret will only be replicated into the locations specified.

229

# locations specified in Secret.replication.user_managed.replicas

230

"replicas": [ # Required. The list of Replicas for this Secret.

231

#

232

# Cannot be empty.

233

{ # Represents a Replica for this Secret.

234

"location": "A String", # The canonical IDs of the location to replicate data.

235

# For example: `"us-east1"`.

236

},

237

],

238

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

239

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

240

"createTime": "A String", # Output only. The time at which the Secret was created.

241

"labels": { # The labels assigned to this Secret.

242

#

243

# Label keys must be between 1 and 63 characters long, have a UTF-8 encoding

244

# of maximum 128 bytes, and must conform to the following PCRE regular

245

# expression: `\p{Ll}\p{Lo}{0,62}`

246

#

247

# Label values must be between 0 and 63 characters long, have a UTF-8

248

# encoding of maximum 128 bytes, and must conform to the following PCRE

249

# regular expression: `[\p{Ll}\p{Lo}\p{N}_-]{0,63}`

250

#

251

# No more than 64 labels can be assigned to a given resource.

252

"a_key": "A String",

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

253

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

254

}</pre>

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

</div>

<code class="details" id="delete">delete(name, x__xgafv=None)</code>

259

<pre>Deletes a Secret.

260

261

Args:

262

name: string, Required. The resource name of the Secret to delete in the format

263

`projects/*/secrets/*`. (required)

264

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

271

272

{ # A generic empty message that you can re-use to avoid defining duplicated

273

# empty messages in your APIs. A typical example is to use it as the request

274

# or the response type of an API method. For instance:

275

#

276

# service Foo {

277

# rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);

278

# }

279

#

280

# The JSON representation for `Empty` is empty JSON object `{}`.

}</pre>

</div>

<code class="details" id="get">get(name, x__xgafv=None)</code>

286

<pre>Gets metadata for a given Secret.

287

288

Args:

289

name: string, Required. The resource name of the Secret, in the format `projects/*/secrets/*`. (required)

290

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

297

298

{ # A Secret is a logical secret whose value and versions can

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

299

# be accessed.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

300

#

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

301

# A Secret is made up of zero or more SecretVersions that

302

# represent the secret data.

303

"name": "A String", # Output only. The resource name of the Secret in the format `projects/*/secrets/*`.

304

"replication": { # A policy that defines the replication configuration of data. # Required. Immutable. The replication policy of the secret data attached to the Secret.

305

#

306

# The replication policy cannot be changed after the Secret has been created.

307

"automatic": { # A replication policy that replicates the Secret payload without any # The Secret will automatically be replicated without any restrictions.

308

# restrictions.

309

},

310

"userManaged": { # A replication policy that replicates the Secret payload into the # The Secret will only be replicated into the locations specified.

311

# locations specified in Secret.replication.user_managed.replicas

312

"replicas": [ # Required. The list of Replicas for this Secret.

313

#

314

# Cannot be empty.

315

{ # Represents a Replica for this Secret.

316

"location": "A String", # The canonical IDs of the location to replicate data.

317

# For example: `"us-east1"`.

318

},

319

],

320

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

321

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

322

"createTime": "A String", # Output only. The time at which the Secret was created.

323

"labels": { # The labels assigned to this Secret.

324

#

325

# Label keys must be between 1 and 63 characters long, have a UTF-8 encoding

326

# of maximum 128 bytes, and must conform to the following PCRE regular

327

# expression: `\p{Ll}\p{Lo}{0,62}`

328

#

329

# Label values must be between 0 and 63 characters long, have a UTF-8

330

# encoding of maximum 128 bytes, and must conform to the following PCRE

331

# regular expression: `[\p{Ll}\p{Lo}\p{N}_-]{0,63}`

332

#

333

# No more than 64 labels can be assigned to a given resource.

334

"a_key": "A String",

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

335

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

336

}</pre>

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

</div>

<code class="details" id="getIamPolicy">getIamPolicy(resource, options_requestedPolicyVersion=None, x__xgafv=None)</code>

341

<pre>Gets the access control policy for a secret.

342

Returns empty policy if the secret exists and does not have a policy set.

343

344

Args:

345

resource: string, REQUIRED: The resource for which the policy is being requested.

346

See the operation documentation for the appropriate value for this field. (required)

347

options_requestedPolicyVersion: integer, Optional. The policy format version to be returned.

348

349

Valid values are 0, 1, and 3. Requests specifying an invalid value will be

350

rejected.

351

352

Requests for policies with any conditional bindings must specify version 3.

353

Policies without any conditional bindings may specify any valid value or

354

leave the field unset.

355

356

To learn which resources support conditions in their IAM policies, see the

357

[IAM

358

documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

359

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

366

367

{ # An Identity and Access Management (IAM) policy, which specifies access

368

# controls for Google Cloud resources.

369

#

370

#

371

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

372

# `members` to a single `role`. Members can be user accounts, service accounts,

373

# Google groups, and domains (such as G Suite). A `role` is a named list of

374

# permissions; each `role` can be an IAM predefined role or a user-created

375

# custom role.

376

#

377

# For some types of Google Cloud resources, a `binding` can also specify a

378

# `condition`, which is a logical expression that allows access to a resource

379

# only if the expression evaluates to `true`. A condition can add constraints

380

# based on attributes of the request, the resource, or both. To learn which

381

# resources support conditions in their IAM policies, see the

382

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

#

# **JSON example:**

#

# {

# "bindings": [

# {

# "role": "roles/resourcemanager.organizationAdmin",

390

# "members": [

391

# "user:mike@example.com",

392

# "group:admins@example.com",

393

# "domain:google.com",

394

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

# ]

# },

# {

# "role": "roles/resourcemanager.organizationViewer",

399

# "members": [

400

# "user:eve@example.com"

401

# ],

402

# "condition": {

403

# "title": "expirable access",

404

# "description": "Does not grant access after Sep 2020",

405

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

# }

# }

# ],

# "etag": "BwWWja0YfJA=",

# "version": 3

# }

#

# **YAML example:**

#

# bindings:

# - members:

# - user:mike@example.com

418

# - group:admins@example.com

419

# - domain:google.com

420

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

421

# role: roles/resourcemanager.organizationAdmin

422

# - members:

423

# - user:eve@example.com

424

# role: roles/resourcemanager.organizationViewer

425

# condition:

426

# title: expirable access

427

# description: Does not grant access after Sep 2020

428

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

429

# - etag: BwWWja0YfJA=

430

# - version: 3

431

#

432

# For a description of IAM and its features, see the

433

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

434

"version": 42, # Specifies the format of the policy.

435

#

436

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

437

# are rejected.

438

#

439

# Any operation that affects conditional role bindings must specify version

440

# `3`. This requirement applies to the following operations:

441

#

442

# * Getting a policy that includes a conditional role binding

443

# * Adding a conditional role binding to a policy

444

# * Changing a conditional role binding in a policy

445

# * Removing any role binding, with or without a condition, from a policy

446

# that includes conditions

447

#

448

# **Important:** If you use IAM Conditions, you must include the `etag` field

449

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

450

# you to overwrite a version `3` policy with a version `1` policy, and all of

451

# the conditions in the version `3` policy are lost.

452

#

453

# If a policy does not include any conditions, operations on that policy may

454

# specify any valid version or leave the field unset.

455

#

456

# To learn which resources support conditions in their IAM policies, see the

457

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

458

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

459

{ # Specifies the audit configuration for a service.

460

# The configuration determines which permission types are logged, and what

461

# identities, if any, are exempted from logging.

462

# An AuditConfig must have one or more AuditLogConfigs.

463

#

464

# If there are AuditConfigs for both `allServices` and a specific service,

465

# the union of the two AuditConfigs is used for that service: the log_types

466

# specified in each AuditConfig are enabled, and the exempted_members in each

467

# AuditLogConfig are exempted.

468

#

469

# Example Policy with multiple AuditConfigs:

#

# {

# "audit_configs": [

# {

# "service": "allServices"

475

# "audit_log_configs": [

476

# {

477

# "log_type": "DATA_READ",

478

# "exempted_members": [

479

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

484

# },

485

# {

486

# "log_type": "ADMIN_READ",

# }

# ]

# },

# {

# "service": "sampleservice.googleapis.com"

492

# "audit_log_configs": [

493

# {

494

# "log_type": "DATA_READ",

495

# },

496

# {

497

# "log_type": "DATA_WRITE",

498

# "exempted_members": [

499

# "user:aliya@example.com"

# ]

# }

# ]

# }

# ]

# }

#

# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ

508

# logging. It also exempts jose@example.com from DATA_READ logging, and

509

# aliya@example.com from DATA_WRITE logging.

510

"service": "A String", # Specifies a service that will be enabled for audit logging.

511

# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.

512

# `allServices` is a special value that covers all services.

513

"auditLogConfigs": [ # The configuration for logging of each type of permission.

514

{ # Provides the configuration for logging a type of permissions.

# Example:

#

# {

# "audit_log_configs": [

519

# {

520

# "log_type": "DATA_READ",

521

# "exempted_members": [

522

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

# }

# ]

# }

#

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting

532

# jose@example.com from DATA_READ logging.

533

"logType": "A String", # The log type that this config enables.

534

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of

535

# permission.

536

# Follows the same format of Binding.members.

"A String",

],

},

],

},

],

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

544

# `condition` that determines how and when the `bindings` are applied. Each

545

# of the `bindings` must contain at least one member.

546

{ # Associates `members` with a `role`.

547

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

548

#

549

# If the condition evaluates to `true`, then this binding applies to the

550

# current request.

551

#

552

# If the condition evaluates to `false`, then this binding does not apply to

553

# the current request. However, a different role binding might grant the same

554

# role to one or more of the members in this binding.

555

#

556

# To learn which resources support conditions in their IAM policies, see the

557

# [IAM

558

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

559

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

560

# are documented at https://github.com/google/cel-spec.

561

#

562

# Example (Comparison):

563

#

564

# title: "Summary size limit"

565

# description: "Determines if a summary is less than 100 chars"

566

# expression: "document.summary.size() < 100"

567

#

568

# Example (Equality):

569

#

570

# title: "Requestor is owner"

571

# description: "Determines if requestor is the document owner"

572

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

577

# description: "Determine whether the document should be publicly visible"

578

# expression: "document.type != 'private' && document.type != 'internal'"

579

#

580

# Example (Data Manipulation):

581

#

582

# title: "Notification string"

583

# description: "Create a notification string with a timestamp."

584

# expression: "'New message received at ' + string(document.create_time)"

585

#

586

# The exact variables and functions that may be referenced within an expression

587

# are determined by the service that evaluates it. See the service

588

# documentation for additional information.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

589

"expression": "A String", # Textual representation of an expression in Common Expression Language

590

# syntax.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

591

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

592

# its purpose. This can be used e.g. in UIs which allow to enter the

593

# expression.

594

"location": "A String", # Optional. String indicating the location of the expression for error

595

# reporting, e.g. a file name and a position in the file.

596

"description": "A String", # Optional. Description of the expression. This is a longer text which

597

# describes the expression, e.g. when hovered over it in a UI.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

598

},

599

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

600

# `members` can have the following values:

601

#

602

# * `allUsers`: A special identifier that represents anyone who is

603

# on the internet; with or without a Google account.

604

#

605

# * `allAuthenticatedUsers`: A special identifier that represents anyone

606

# who is authenticated with a Google account or a service account.

607

#

608

# * `user:{emailid}`: An email address that represents a specific Google

609

# account. For example, `alice@example.com` .

610

#

611

#

612

# * `serviceAccount:{emailid}`: An email address that represents a service

613

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

614

#

615

# * `group:{emailid}`: An email address that represents a Google group.

616

# For example, `admins@example.com`.

617

#

618

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

619

# identifier) representing a user that has been recently deleted. For

620

# example, `alice@example.com?uid=123456789012345678901`. If the user is

621

# recovered, this value reverts to `user:{emailid}` and the recovered user

622

# retains the role in the binding.

623

#

624

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

625

# unique identifier) representing a service account that has been recently

626

# deleted. For example,

627

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

628

# If the service account is undeleted, this value reverts to

629

# `serviceAccount:{emailid}` and the undeleted service account retains the

630

# role in the binding.

631

#

632

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

633

# identifier) representing a Google group that has been recently

634

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

635

# the group is recovered, this value reverts to `group:{emailid}` and the

636

# recovered group retains the role in the binding.

637

#

638

#

639

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

640

# users of that domain. For example, `google.com` or `example.com`.

#

"A String",

],

"role": "A String", # Role that is assigned to `members`.

645

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

646

},

647

],

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

648

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

649

# prevent simultaneous updates of a policy from overwriting each other.

650

# It is strongly suggested that systems make use of the `etag` in the

651

# read-modify-write cycle to perform policy updates in order to avoid race

652

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

653

# systems are expected to put that etag in the request to `setIamPolicy` to

654

# ensure that their change will be applied to the same version of the policy.

655

#

656

# **Important:** If you use IAM Conditions, you must include the `etag` field

657

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

658

# you to overwrite a version `3` policy with a version `1` policy, and all of

659

# the conditions in the version `3` policy are lost.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

}</pre>

</div>

<code class="details" id="list">list(parent, pageToken=None, pageSize=None, x__xgafv=None)</code>

<pre>Lists Secrets.

Args:

parent: string, Required. The resource name of the project associated with the

669

Secrets, in the format `projects/*`. (required)

670

pageToken: string, Optional. Pagination token, returned earlier via

671

ListSecretsResponse.next_page_token.

672

pageSize: integer, Optional. The maximum number of results to be returned in a single page. If

673

set to 0, the server decides the number of results to return. If the

674

number is greater than 25000, it is capped at 25000.

675

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

682

683

{ # Response message for SecretManagerService.ListSecrets.

684

"secrets": [ # The list of Secrets sorted in reverse by create_time (newest

685

# first).

686

{ # A Secret is a logical secret whose value and versions can

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

687

# be accessed.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

688

#

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

689

# A Secret is made up of zero or more SecretVersions that

690

# represent the secret data.

691

"name": "A String", # Output only. The resource name of the Secret in the format `projects/*/secrets/*`.

692

"replication": { # A policy that defines the replication configuration of data. # Required. Immutable. The replication policy of the secret data attached to the Secret.

693

#

694

# The replication policy cannot be changed after the Secret has been created.

695

"automatic": { # A replication policy that replicates the Secret payload without any # The Secret will automatically be replicated without any restrictions.

696

# restrictions.

697

},

698

"userManaged": { # A replication policy that replicates the Secret payload into the # The Secret will only be replicated into the locations specified.

699

# locations specified in Secret.replication.user_managed.replicas

700

"replicas": [ # Required. The list of Replicas for this Secret.

701

#

702

# Cannot be empty.

703

{ # Represents a Replica for this Secret.

704

"location": "A String", # The canonical IDs of the location to replicate data.

705

# For example: `"us-east1"`.

706

},

707

],

708

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

709

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

710

"createTime": "A String", # Output only. The time at which the Secret was created.

711

"labels": { # The labels assigned to this Secret.

712

#

713

# Label keys must be between 1 and 63 characters long, have a UTF-8 encoding

714

# of maximum 128 bytes, and must conform to the following PCRE regular

715

# expression: `\p{Ll}\p{Lo}{0,62}`

716

#

717

# Label values must be between 0 and 63 characters long, have a UTF-8

718

# encoding of maximum 128 bytes, and must conform to the following PCRE

719

# regular expression: `[\p{Ll}\p{Lo}\p{N}_-]{0,63}`

720

#

721

# No more than 64 labels can be assigned to a given resource.

722

"a_key": "A String",

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

723

},

724

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

725

],

726

"nextPageToken": "A String", # A token to retrieve the next page of results. Pass this value in

727

# ListSecretsRequest.page_token to retrieve the next page.

728

"totalSize": 42, # The total number of Secrets.

}</pre>

</div>

<code class="details" id="list_next">list_next(previous_request, previous_response)</code>

734

<pre>Retrieves the next page of results.

735

736

Args:

737

previous_request: The request for the previous page. (required)

738

previous_response: The response from the request for the previous page. (required)

739

740

Returns:

741

A request object that you can call 'execute()' on to request the next

742

page. Returns None if there are no more items in the collection.

</pre>

</div>

<code class="details" id="patch">patch(name, body=None, updateMask=None, x__xgafv=None)</code>

748

<pre>Updates metadata of an existing Secret.

749

750

Args:

751

name: string, Output only. The resource name of the Secret in the format `projects/*/secrets/*`. (required)

752

body: object, The request body.

753

The object takes the form of:

754

755

{ # A Secret is a logical secret whose value and versions can

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

756

# be accessed.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

757

#

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

758

# A Secret is made up of zero or more SecretVersions that

759

# represent the secret data.

760

"name": "A String", # Output only. The resource name of the Secret in the format `projects/*/secrets/*`.

761

"replication": { # A policy that defines the replication configuration of data. # Required. Immutable. The replication policy of the secret data attached to the Secret.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

762

#

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

763

# The replication policy cannot be changed after the Secret has been created.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

764

"automatic": { # A replication policy that replicates the Secret payload without any # The Secret will automatically be replicated without any restrictions.

765

# restrictions.

766

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

767

"userManaged": { # A replication policy that replicates the Secret payload into the # The Secret will only be replicated into the locations specified.

768

# locations specified in Secret.replication.user_managed.replicas

769

"replicas": [ # Required. The list of Replicas for this Secret.

770

#

771

# Cannot be empty.

772

{ # Represents a Replica for this Secret.

773

"location": "A String", # The canonical IDs of the location to replicate data.

774

# For example: `"us-east1"`.

775

},

776

],

777

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

778

},

779

"createTime": "A String", # Output only. The time at which the Secret was created.

780

"labels": { # The labels assigned to this Secret.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

781

#

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

782

# Label keys must be between 1 and 63 characters long, have a UTF-8 encoding

783

# of maximum 128 bytes, and must conform to the following PCRE regular

784

# expression: `\p{Ll}\p{Lo}{0,62}`

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

785

#

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

786

# Label values must be between 0 and 63 characters long, have a UTF-8

787

# encoding of maximum 128 bytes, and must conform to the following PCRE

788

# regular expression: `[\p{Ll}\p{Lo}\p{N}_-]{0,63}`

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

789

#

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

790

# No more than 64 labels can be assigned to a given resource.

791

"a_key": "A String",

792

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

793

}

794

795

updateMask: string, Required. Specifies the fields to be updated.

796

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

803

804

{ # A Secret is a logical secret whose value and versions can

805

# be accessed.

806

#

807

# A Secret is made up of zero or more SecretVersions that

808

# represent the secret data.

809

"name": "A String", # Output only. The resource name of the Secret in the format `projects/*/secrets/*`.

810

"replication": { # A policy that defines the replication configuration of data. # Required. Immutable. The replication policy of the secret data attached to the Secret.

811

#

812

# The replication policy cannot be changed after the Secret has been created.

813

"automatic": { # A replication policy that replicates the Secret payload without any # The Secret will automatically be replicated without any restrictions.

814

# restrictions.

815

},

816

"userManaged": { # A replication policy that replicates the Secret payload into the # The Secret will only be replicated into the locations specified.

817

# locations specified in Secret.replication.user_managed.replicas

818

"replicas": [ # Required. The list of Replicas for this Secret.

819

#

820

# Cannot be empty.

821

{ # Represents a Replica for this Secret.

822

"location": "A String", # The canonical IDs of the location to replicate data.

823

# For example: `"us-east1"`.

},

],

},

},

"createTime": "A String", # Output only. The time at which the Secret was created.

829

"labels": { # The labels assigned to this Secret.

830

#

831

# Label keys must be between 1 and 63 characters long, have a UTF-8 encoding

832

# of maximum 128 bytes, and must conform to the following PCRE regular

833

# expression: `\p{Ll}\p{Lo}{0,62}`

834

#

835

# Label values must be between 0 and 63 characters long, have a UTF-8

836

# encoding of maximum 128 bytes, and must conform to the following PCRE

837

# regular expression: `[\p{Ll}\p{Lo}\p{N}_-]{0,63}`

838

#

839

# No more than 64 labels can be assigned to a given resource.

840

"a_key": "A String",

841

},

842

}</pre>

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

</div>

<code class="details" id="setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</code>

847

<pre>Sets the access control policy on the specified secret. Replaces any

848

existing policy.

849

850

Permissions on SecretVersions are enforced according

851

to the policy set on the associated Secret.

852

853

Args:

854

resource: string, REQUIRED: The resource for which the policy is being specified.

855

See the operation documentation for the appropriate value for this field. (required)

856

body: object, The request body.

857

The object takes the form of:

858

859

{ # Request message for `SetIamPolicy` method.

860

"policy": { # An Identity and Access Management (IAM) policy, which specifies access # REQUIRED: The complete policy to be applied to the `resource`. The size of

861

# the policy is limited to a few 10s of KB. An empty policy is a

862

# valid policy but certain Cloud Platform services (such as Projects)

863

# might reject them.

864

# controls for Google Cloud resources.

865

#

866

#

867

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

868

# `members` to a single `role`. Members can be user accounts, service accounts,

869

# Google groups, and domains (such as G Suite). A `role` is a named list of

870

# permissions; each `role` can be an IAM predefined role or a user-created

871

# custom role.

872

#

873

# For some types of Google Cloud resources, a `binding` can also specify a

874

# `condition`, which is a logical expression that allows access to a resource

875

# only if the expression evaluates to `true`. A condition can add constraints

876

# based on attributes of the request, the resource, or both. To learn which

877

# resources support conditions in their IAM policies, see the

878

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

#

# **JSON example:**

#

# {

# "bindings": [

# {

# "role": "roles/resourcemanager.organizationAdmin",

886

# "members": [

887

# "user:mike@example.com",

888

# "group:admins@example.com",

889

# "domain:google.com",

890

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

# ]

# },

# {

# "role": "roles/resourcemanager.organizationViewer",

895

# "members": [

896

# "user:eve@example.com"

897

# ],

898

# "condition": {

899

# "title": "expirable access",

900

# "description": "Does not grant access after Sep 2020",

901

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

# }

# }

# ],

# "etag": "BwWWja0YfJA=",

# "version": 3

# }

#

# **YAML example:**

#

# bindings:

# - members:

# - user:mike@example.com

914

# - group:admins@example.com

915

# - domain:google.com

916

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

917

# role: roles/resourcemanager.organizationAdmin

918

# - members:

919

# - user:eve@example.com

920

# role: roles/resourcemanager.organizationViewer

921

# condition:

922

# title: expirable access

923

# description: Does not grant access after Sep 2020

924

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

925

# - etag: BwWWja0YfJA=

926

# - version: 3

927

#

928

# For a description of IAM and its features, see the

929

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

930

"version": 42, # Specifies the format of the policy.

931

#

932

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

933

# are rejected.

934

#

935

# Any operation that affects conditional role bindings must specify version

936

# `3`. This requirement applies to the following operations:

937

#

938

# * Getting a policy that includes a conditional role binding

939

# * Adding a conditional role binding to a policy

940

# * Changing a conditional role binding in a policy

941

# * Removing any role binding, with or without a condition, from a policy

942

# that includes conditions

943

#

944

# **Important:** If you use IAM Conditions, you must include the `etag` field

945

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

946

# you to overwrite a version `3` policy with a version `1` policy, and all of

947

# the conditions in the version `3` policy are lost.

948

#

949

# If a policy does not include any conditions, operations on that policy may

950

# specify any valid version or leave the field unset.

951

#

952

# To learn which resources support conditions in their IAM policies, see the

953

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

954

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

955

{ # Specifies the audit configuration for a service.

956

# The configuration determines which permission types are logged, and what

957

# identities, if any, are exempted from logging.

958

# An AuditConfig must have one or more AuditLogConfigs.

959

#

960

# If there are AuditConfigs for both `allServices` and a specific service,

961

# the union of the two AuditConfigs is used for that service: the log_types

962

# specified in each AuditConfig are enabled, and the exempted_members in each

963

# AuditLogConfig are exempted.

964

#

965

# Example Policy with multiple AuditConfigs:

#

# {

# "audit_configs": [

# {

# "service": "allServices"

971

# "audit_log_configs": [

972

# {

973

# "log_type": "DATA_READ",

974

# "exempted_members": [

975

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

980

# },

981

# {

982

# "log_type": "ADMIN_READ",

# }

# ]

# },

# {

# "service": "sampleservice.googleapis.com"

988

# "audit_log_configs": [

989

# {

990

# "log_type": "DATA_READ",

991

# },

992

# {

993

# "log_type": "DATA_WRITE",

994

# "exempted_members": [

995

# "user:aliya@example.com"

# ]

# }

# ]

# }

# ]

# }

#

# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ

1004

# logging. It also exempts jose@example.com from DATA_READ logging, and

1005

# aliya@example.com from DATA_WRITE logging.

1006

"service": "A String", # Specifies a service that will be enabled for audit logging.

1007

# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.

1008

# `allServices` is a special value that covers all services.

1009

"auditLogConfigs": [ # The configuration for logging of each type of permission.

1010

{ # Provides the configuration for logging a type of permissions.

# Example:

#

# {

# "audit_log_configs": [

1015

# {

1016

# "log_type": "DATA_READ",

1017

# "exempted_members": [

1018

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

# }

# ]

# }

#

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting

1028

# jose@example.com from DATA_READ logging.

1029

"logType": "A String", # The log type that this config enables.

1030

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of

1031

# permission.

1032

# Follows the same format of Binding.members.

"A String",

],

},

],

},

],

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

1040

# `condition` that determines how and when the `bindings` are applied. Each

1041

# of the `bindings` must contain at least one member.

1042

{ # Associates `members` with a `role`.

1043

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

1044

#

1045

# If the condition evaluates to `true`, then this binding applies to the

1046

# current request.

1047

#

1048

# If the condition evaluates to `false`, then this binding does not apply to

1049

# the current request. However, a different role binding might grant the same

1050

# role to one or more of the members in this binding.

1051

#

1052

# To learn which resources support conditions in their IAM policies, see the

1053

# [IAM

1054

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

1055

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

1056

# are documented at https://github.com/google/cel-spec.

1057

#

1058

# Example (Comparison):

1059

#

1060

# title: "Summary size limit"

1061

# description: "Determines if a summary is less than 100 chars"

1062

# expression: "document.summary.size() < 100"

1063

#

1064

# Example (Equality):

1065

#

1066

# title: "Requestor is owner"

1067

# description: "Determines if requestor is the document owner"

1068

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

1073

# description: "Determine whether the document should be publicly visible"

1074

# expression: "document.type != 'private' && document.type != 'internal'"

1075

#

1076

# Example (Data Manipulation):

1077

#

1078

# title: "Notification string"

1079

# description: "Create a notification string with a timestamp."

1080

# expression: "'New message received at ' + string(document.create_time)"

1081

#

1082

# The exact variables and functions that may be referenced within an expression

1083

# are determined by the service that evaluates it. See the service

1084

# documentation for additional information.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

1085

"expression": "A String", # Textual representation of an expression in Common Expression Language

1086

# syntax.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1087

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

1088

# its purpose. This can be used e.g. in UIs which allow to enter the

1089

# expression.

1090

"location": "A String", # Optional. String indicating the location of the expression for error

1091

# reporting, e.g. a file name and a position in the file.

1092

"description": "A String", # Optional. Description of the expression. This is a longer text which

1093

# describes the expression, e.g. when hovered over it in a UI.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1094

},

1095

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

1096

# `members` can have the following values:

1097

#

1098

# * `allUsers`: A special identifier that represents anyone who is

1099

# on the internet; with or without a Google account.

1100

#

1101

# * `allAuthenticatedUsers`: A special identifier that represents anyone

1102

# who is authenticated with a Google account or a service account.

1103

#

1104

# * `user:{emailid}`: An email address that represents a specific Google

1105

# account. For example, `alice@example.com` .

1106

#

1107

#

1108

# * `serviceAccount:{emailid}`: An email address that represents a service

1109

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

1110

#

1111

# * `group:{emailid}`: An email address that represents a Google group.

1112

# For example, `admins@example.com`.

1113

#

1114

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

1115

# identifier) representing a user that has been recently deleted. For

1116

# example, `alice@example.com?uid=123456789012345678901`. If the user is

1117

# recovered, this value reverts to `user:{emailid}` and the recovered user

1118

# retains the role in the binding.

1119

#

1120

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

1121

# unique identifier) representing a service account that has been recently

1122

# deleted. For example,

1123

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

1124

# If the service account is undeleted, this value reverts to

1125

# `serviceAccount:{emailid}` and the undeleted service account retains the

1126

# role in the binding.

1127

#

1128

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

1129

# identifier) representing a Google group that has been recently

1130

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

1131

# the group is recovered, this value reverts to `group:{emailid}` and the

1132

# recovered group retains the role in the binding.

1133

#

1134

#

1135

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

1136

# users of that domain. For example, `google.com` or `example.com`.

#

"A String",

],

"role": "A String", # Role that is assigned to `members`.

1141

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

1142

},

1143

],

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

1144

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

1145

# prevent simultaneous updates of a policy from overwriting each other.

1146

# It is strongly suggested that systems make use of the `etag` in the

1147

# read-modify-write cycle to perform policy updates in order to avoid race

1148

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

1149

# systems are expected to put that etag in the request to `setIamPolicy` to

1150

# ensure that their change will be applied to the same version of the policy.

1151

#

1152

# **Important:** If you use IAM Conditions, you must include the `etag` field

1153

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

1154

# you to overwrite a version `3` policy with a version `1` policy, and all of

1155

# the conditions in the version `3` policy are lost.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1156

},

1157

"updateMask": "A String", # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only

1158

# the fields in the mask will be modified. If no mask is provided, the

1159

# following default mask is used:

1160

#

1161

# `paths: "bindings, etag"`

1162

}

1163

1164

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1171

1172

{ # An Identity and Access Management (IAM) policy, which specifies access

1173

# controls for Google Cloud resources.

1174

#

1175

#

1176

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

1177

# `members` to a single `role`. Members can be user accounts, service accounts,

1178

# Google groups, and domains (such as G Suite). A `role` is a named list of

1179

# permissions; each `role` can be an IAM predefined role or a user-created

1180

# custom role.

1181

#

1182

# For some types of Google Cloud resources, a `binding` can also specify a

1183

# `condition`, which is a logical expression that allows access to a resource

1184

# only if the expression evaluates to `true`. A condition can add constraints

1185

# based on attributes of the request, the resource, or both. To learn which

1186

# resources support conditions in their IAM policies, see the

1187

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

#

# **JSON example:**

#

# {

# "bindings": [

# {

# "role": "roles/resourcemanager.organizationAdmin",

1195

# "members": [

1196

# "user:mike@example.com",

1197

# "group:admins@example.com",

1198

# "domain:google.com",

1199

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

# ]

# },

# {

# "role": "roles/resourcemanager.organizationViewer",

1204

# "members": [

1205

# "user:eve@example.com"

1206

# ],

1207

# "condition": {

1208

# "title": "expirable access",

1209

# "description": "Does not grant access after Sep 2020",

1210

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

# }

# }

# ],

# "etag": "BwWWja0YfJA=",

# "version": 3

# }

#

# **YAML example:**

#

# bindings:

# - members:

# - user:mike@example.com

1223

# - group:admins@example.com

1224

# - domain:google.com

1225

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

1226

# role: roles/resourcemanager.organizationAdmin

1227

# - members:

1228

# - user:eve@example.com

1229

# role: roles/resourcemanager.organizationViewer

1230

# condition:

1231

# title: expirable access

1232

# description: Does not grant access after Sep 2020

1233

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

1234

# - etag: BwWWja0YfJA=

1235

# - version: 3

1236

#

1237

# For a description of IAM and its features, see the

1238

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1239

"version": 42, # Specifies the format of the policy.

1240

#

1241

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

1242

# are rejected.

1243

#

1244

# Any operation that affects conditional role bindings must specify version

1245

# `3`. This requirement applies to the following operations:

1246

#

1247

# * Getting a policy that includes a conditional role binding

1248

# * Adding a conditional role binding to a policy

1249

# * Changing a conditional role binding in a policy

1250

# * Removing any role binding, with or without a condition, from a policy

1251

# that includes conditions

1252

#

1253

# **Important:** If you use IAM Conditions, you must include the `etag` field

1254

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

1255

# you to overwrite a version `3` policy with a version `1` policy, and all of

1256

# the conditions in the version `3` policy are lost.

1257

#

1258

# If a policy does not include any conditions, operations on that policy may

1259

# specify any valid version or leave the field unset.

1260

#

1261

# To learn which resources support conditions in their IAM policies, see the

1262

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

1263

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

1264

{ # Specifies the audit configuration for a service.

1265

# The configuration determines which permission types are logged, and what

1266

# identities, if any, are exempted from logging.

1267

# An AuditConfig must have one or more AuditLogConfigs.

1268

#

1269

# If there are AuditConfigs for both `allServices` and a specific service,

1270

# the union of the two AuditConfigs is used for that service: the log_types

1271

# specified in each AuditConfig are enabled, and the exempted_members in each

1272

# AuditLogConfig are exempted.

1273

#

1274

# Example Policy with multiple AuditConfigs:

#

# {

# "audit_configs": [

# {

# "service": "allServices"

1280

# "audit_log_configs": [

1281

# {

1282

# "log_type": "DATA_READ",

1283

# "exempted_members": [

1284

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

1289

# },

1290

# {

1291

# "log_type": "ADMIN_READ",

# }

# ]

# },

# {

# "service": "sampleservice.googleapis.com"

1297

# "audit_log_configs": [

1298

# {

1299

# "log_type": "DATA_READ",

1300

# },

1301

# {

1302

# "log_type": "DATA_WRITE",

1303

# "exempted_members": [

1304

# "user:aliya@example.com"

# ]

# }

# ]

# }

# ]

# }

#

# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ

1313

# logging. It also exempts jose@example.com from DATA_READ logging, and

1314

# aliya@example.com from DATA_WRITE logging.

1315

"service": "A String", # Specifies a service that will be enabled for audit logging.

1316

# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.

1317

# `allServices` is a special value that covers all services.

1318

"auditLogConfigs": [ # The configuration for logging of each type of permission.

1319

{ # Provides the configuration for logging a type of permissions.

# Example:

#

# {

# "audit_log_configs": [

1324

# {

1325

# "log_type": "DATA_READ",

1326

# "exempted_members": [

1327

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

# }

# ]

# }

#

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting

1337

# jose@example.com from DATA_READ logging.

1338

"logType": "A String", # The log type that this config enables.

1339

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of

1340

# permission.

1341

# Follows the same format of Binding.members.

"A String",

],

},

],

},

],

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

1349

# `condition` that determines how and when the `bindings` are applied. Each

1350

# of the `bindings` must contain at least one member.

1351

{ # Associates `members` with a `role`.

1352

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

1353

#

1354

# If the condition evaluates to `true`, then this binding applies to the

1355

# current request.

1356

#

1357

# If the condition evaluates to `false`, then this binding does not apply to

1358

# the current request. However, a different role binding might grant the same

1359

# role to one or more of the members in this binding.

1360

#

1361

# To learn which resources support conditions in their IAM policies, see the

1362

# [IAM

1363

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

1364

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

1365

# are documented at https://github.com/google/cel-spec.

1366

#

1367

# Example (Comparison):

1368

#

1369

# title: "Summary size limit"

1370

# description: "Determines if a summary is less than 100 chars"

1371

# expression: "document.summary.size() < 100"

1372

#

1373

# Example (Equality):

1374

#

1375

# title: "Requestor is owner"

1376

# description: "Determines if requestor is the document owner"

1377

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

1382

# description: "Determine whether the document should be publicly visible"

1383

# expression: "document.type != 'private' && document.type != 'internal'"

1384

#

1385

# Example (Data Manipulation):

1386

#

1387

# title: "Notification string"

1388

# description: "Create a notification string with a timestamp."

1389

# expression: "'New message received at ' + string(document.create_time)"

1390

#

1391

# The exact variables and functions that may be referenced within an expression

1392

# are determined by the service that evaluates it. See the service

1393

# documentation for additional information.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

1394

"expression": "A String", # Textual representation of an expression in Common Expression Language

1395

# syntax.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1396

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

1397

# its purpose. This can be used e.g. in UIs which allow to enter the

1398

# expression.

1399

"location": "A String", # Optional. String indicating the location of the expression for error

1400

# reporting, e.g. a file name and a position in the file.

1401

"description": "A String", # Optional. Description of the expression. This is a longer text which

1402

# describes the expression, e.g. when hovered over it in a UI.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1403

},

1404

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

1405

# `members` can have the following values:

1406

#

1407

# * `allUsers`: A special identifier that represents anyone who is

1408

# on the internet; with or without a Google account.

1409

#

1410

# * `allAuthenticatedUsers`: A special identifier that represents anyone

1411

# who is authenticated with a Google account or a service account.

1412

#

1413

# * `user:{emailid}`: An email address that represents a specific Google

1414

# account. For example, `alice@example.com` .

1415

#

1416

#

1417

# * `serviceAccount:{emailid}`: An email address that represents a service

1418

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

1419

#

1420

# * `group:{emailid}`: An email address that represents a Google group.

1421

# For example, `admins@example.com`.

1422

#

1423

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

1424

# identifier) representing a user that has been recently deleted. For

1425

# example, `alice@example.com?uid=123456789012345678901`. If the user is

1426

# recovered, this value reverts to `user:{emailid}` and the recovered user

1427

# retains the role in the binding.

1428

#

1429

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

1430

# unique identifier) representing a service account that has been recently

1431

# deleted. For example,

1432

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

1433

# If the service account is undeleted, this value reverts to

1434

# `serviceAccount:{emailid}` and the undeleted service account retains the

1435

# role in the binding.

1436

#

1437

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

1438

# identifier) representing a Google group that has been recently

1439

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

1440

# the group is recovered, this value reverts to `group:{emailid}` and the

1441

# recovered group retains the role in the binding.

1442

#

1443

#

1444

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

1445

# users of that domain. For example, `google.com` or `example.com`.

#

"A String",

],

"role": "A String", # Role that is assigned to `members`.

1450

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

1451

},

1452

],

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame^]

1453

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

1454

# prevent simultaneous updates of a policy from overwriting each other.

1455

# It is strongly suggested that systems make use of the `etag` in the

1456

# read-modify-write cycle to perform policy updates in order to avoid race

1457

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

1458

# systems are expected to put that etag in the request to `setIamPolicy` to

1459

# ensure that their change will be applied to the same version of the policy.

1460

#

1461

# **Important:** If you use IAM Conditions, you must include the `etag` field

1462

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

1463

# you to overwrite a version `3` policy with a version `1` policy, and all of

1464

# the conditions in the version `3` policy are lost.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

}</pre>

</div>

<code class="details" id="testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</code>

1470

<pre>Returns permissions that a caller has for the specified secret.

1471

If the secret does not exist, this call returns an empty set of

1472

permissions, not a NOT_FOUND error.

1473

1474

Note: This operation is designed to be used for building permission-aware

1475

UIs and command-line tools, not for authorization checking. This operation

1476

may "fail open" without warning.

1477

1478

Args:

1479

resource: string, REQUIRED: The resource for which the policy detail is being requested.

1480

See the operation documentation for the appropriate value for this field. (required)

1481

body: object, The request body.

1482

The object takes the form of:

1483

1484

{ # Request message for `TestIamPermissions` method.

1485

"permissions": [ # The set of permissions to check for the `resource`. Permissions with

1486

# wildcards (such as '*' or 'storage.*') are not allowed. For more

1487

# information see

1488

# [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).

"A String",

],

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1500

1501

{ # Response message for `TestIamPermissions` method.

1502

"permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is

# allowed.

"A String",

],

}</pre>

</div>

</body></html>