Blame - docs/dyn/iap_v1.v1.html - platform/external/python/google-api-python-client

2020-05-01 07:42:23 -0700

[diff] [blame]

419

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

420

"resource": { # IAM resource to check permission on

421

"type": "A String", # The public resource type name of the resource on which conditions will be

422

# evaluated. It is configured using the official_name of the ResourceType as

423

# defined in service configurations under //configs/cloud/resourcetypes.

424

# For example, the official_name for GCP projects is set as

425

# 'cloudresourcemanager.googleapis.com/Project' according to

426

# //configs/cloud/resourcetypes/google/cloud/resourcemanager/prod.yaml

427

# For details see go/iam-conditions-integration-guide.

428

"labels": { # The service defined labels of the resource on which the conditions will be

429

# evaluated. The semantics - including the key names - are vague to IAM.

430

# If the effective condition has a reference to a `resource.labels[foo]`

431

# construct, IAM consults with this map to retrieve the values associated

432

# with `foo` key for Conditions evaluation. If the provided key is not found

433

# in the labels map, the condition would evaluate to false.

434

#

435

# This field is in limited use. If your intended use case is not expected

436

# to express resource.labels attribute in IAM Conditions, leave this field

437

# empty. Before planning on using this attribute please:

438

# * Read go/iam-conditions-labels-comm and ensure your service can meet the

439

# data availability and management requirements.

440

# * Talk to iam-conditions-eng@ about your use case.

441

"a_key": "A String",

442

},

443

"service": "A String", # The name of the service this resource belongs to. It is configured using

444

# the official_service_name of the Service as defined in service

445

# configurations under //configs/cloud/resourcetypes.

446

# For example, the official_service_name of cloud resource manager service

447

# is set as 'cloudresourcemanager.googleapis.com' according to

448

# //configs/cloud/resourcetypes/google/cloud/resourcemanager/prod.yaml

449

"name": "A String", # Name of the resource on which conditions will be evaluated.

450

# Must use the Relative Resource Name of the resource, which is the URI

451

# path of the resource without the leading "/". Examples are

452

# "projects/_/buckets/[BUCKET-ID]" for storage buckets or

453

# "projects/[PROJECT-ID]/global/firewalls/[FIREWALL-ID]" for a firewall.

454

#

455

# This field is required for evaluating conditions with rules on resource

456

# names. For a `list` permission check, the resource.name value must be set

457

# to the parent resource. If the parent resource is a project, this field

458

# should be left unset.

459

},

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

460

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

461

"oauthSettings": { # Configuration for OAuth login&consent flow behavior as well as for OAuth # Settings to configure IAP's OAuth behavior.

462

# Credentials.

463

"clientId": "A String", # OAuth 2.0 client ID used in the OAuth flow to generate an access token. If

464

# this field is set, you can skip obtaining the OAuth credentials in this

465

# step:

466

# https://developers.google.com/identity/protocols/OAuth2?hl=en_US#1.-obtain-oauth-2.0-credentials-from-the-google-api-console.

467

# However, this could allow for client sharing. The risks of client sharing

468

# are outlined here:

469

# https://cloud.google.com/iap/docs/sharing-oauth-clients#risks.

470

"loginHint": "A String", # Domain hint to send as hd=? parameter in OAuth request flow. Enables

471

# redirect to primary IDP by skipping Google's login screen.

472

# https://developers.google.com/identity/protocols/OpenIDConnect#hd-param

473

# Note: IAP does not verify that the id token's hd claim matches this value

474

# since access behavior is managed by IAM policies.

475

},

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

476

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

477

"name": "A String", # Required. The resource name of the IAP protected resource.

478

}</pre>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

</div>

<code class="details" id="setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</code>

483

<pre>Sets the access control policy for an Identity-Aware Proxy protected

484

resource. Replaces any existing policy.

485

More information about managing access via IAP can be found at:

486

https://cloud.google.com/iap/docs/managing-access#managing_access_via_the_api

487

488

Args:

489

resource: string, REQUIRED: The resource for which the policy is being specified.

490

See the operation documentation for the appropriate value for this field. (required)

491

body: object, The request body.

492

The object takes the form of:

493

494

{ # Request message for `SetIamPolicy` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

495

"policy": { # An Identity and Access Management (IAM) policy, which specifies access # REQUIRED: The complete policy to be applied to the `resource`. The size of

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

496

# the policy is limited to a few 10s of KB. An empty policy is a

497

# valid policy but certain Cloud Platform services (such as Projects)

498

# might reject them.

499

# controls for Google Cloud resources.

500

#

501

#

502

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

503

# `members` to a single `role`. Members can be user accounts, service accounts,

504

# Google groups, and domains (such as G Suite). A `role` is a named list of

505

# permissions; each `role` can be an IAM predefined role or a user-created

506

# custom role.

507

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

508

# For some types of Google Cloud resources, a `binding` can also specify a

509

# `condition`, which is a logical expression that allows access to a resource

510

# only if the expression evaluates to `true`. A condition can add constraints

511

# based on attributes of the request, the resource, or both. To learn which

512

# resources support conditions in their IAM policies, see the

513

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

#

# **JSON example:**

#

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

518

# "bindings": [

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

519

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

520

# "role": "roles/resourcemanager.organizationAdmin",

521

# "members": [

522

# "user:mike@example.com",

523

# "group:admins@example.com",

524

# "domain:google.com",

525

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

526

# ]

527

# },

528

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

529

# "role": "roles/resourcemanager.organizationViewer",

530

# "members": [

531

# "user:eve@example.com"

532

# ],

533

# "condition": {

534

# "title": "expirable access",

535

# "description": "Does not grant access after Sep 2020",

536

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

537

# }

538

# }

539

# ],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

540

# "etag": "BwWWja0YfJA=",

541

# "version": 3

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

# }

#

# **YAML example:**

#

# bindings:

# - members:

# - user:mike@example.com

549

# - group:admins@example.com

550

# - domain:google.com

551

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

552

# role: roles/resourcemanager.organizationAdmin

553

# - members:

554

# - user:eve@example.com

555

# role: roles/resourcemanager.organizationViewer

556

# condition:

557

# title: expirable access

558

# description: Does not grant access after Sep 2020

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

559

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

560

# - etag: BwWWja0YfJA=

561

# - version: 3

562

#

563

# For a description of IAM and its features, see the

564

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

565

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

566

# prevent simultaneous updates of a policy from overwriting each other.

567

# It is strongly suggested that systems make use of the `etag` in the

568

# read-modify-write cycle to perform policy updates in order to avoid race

569

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

570

# systems are expected to put that etag in the request to `setIamPolicy` to

571

# ensure that their change will be applied to the same version of the policy.

572

#

573

# **Important:** If you use IAM Conditions, you must include the `etag` field

574

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

575

# you to overwrite a version `3` policy with a version `1` policy, and all of

576

# the conditions in the version `3` policy are lost.

577

"version": 42, # Specifies the format of the policy.

578

#

579

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

580

# are rejected.

581

#

582

# Any operation that affects conditional role bindings must specify version

583

# `3`. This requirement applies to the following operations:

584

#

585

# * Getting a policy that includes a conditional role binding

586

# * Adding a conditional role binding to a policy

587

# * Changing a conditional role binding in a policy

588

# * Removing any role binding, with or without a condition, from a policy

589

# that includes conditions

590

#

591

# **Important:** If you use IAM Conditions, you must include the `etag` field

592

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

593

# you to overwrite a version `3` policy with a version `1` policy, and all of

594

# the conditions in the version `3` policy are lost.

595

#

596

# If a policy does not include any conditions, operations on that policy may

597

# specify any valid version or leave the field unset.

598

#

599

# To learn which resources support conditions in their IAM policies, see the

600

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

601

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

602

# `condition` that determines how and when the `bindings` are applied. Each

603

# of the `bindings` must contain at least one member.

604

{ # Associates `members` with a `role`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

605

"role": "A String", # Role that is assigned to `members`.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

606

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

607

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

608

#

609

# If the condition evaluates to `true`, then this binding applies to the

610

# current request.

611

#

612

# If the condition evaluates to `false`, then this binding does not apply to

613

# the current request. However, a different role binding might grant the same

614

# role to one or more of the members in this binding.

615

#

616

# To learn which resources support conditions in their IAM policies, see the

617

# [IAM

618

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

619

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

620

# are documented at https://github.com/google/cel-spec.

621

#

622

# Example (Comparison):

623

#

624

# title: "Summary size limit"

625

# description: "Determines if a summary is less than 100 chars"

626

# expression: "document.summary.size() < 100"

627

#

628

# Example (Equality):

629

#

630

# title: "Requestor is owner"

631

# description: "Determines if requestor is the document owner"

632

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

637

# description: "Determine whether the document should be publicly visible"

638

# expression: "document.type != 'private' && document.type != 'internal'"

639

#

640

# Example (Data Manipulation):

641

#

642

# title: "Notification string"

643

# description: "Create a notification string with a timestamp."

644

# expression: "'New message received at ' + string(document.create_time)"

645

#

646

# The exact variables and functions that may be referenced within an expression

647

# are determined by the service that evaluates it. See the service

648

# documentation for additional information.

649

"expression": "A String", # Textual representation of an expression in Common Expression Language

650

# syntax.

651

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

652

# its purpose. This can be used e.g. in UIs which allow to enter the

653

# expression.

654

"location": "A String", # Optional. String indicating the location of the expression for error

655

# reporting, e.g. a file name and a position in the file.

656

"description": "A String", # Optional. Description of the expression. This is a longer text which

657

# describes the expression, e.g. when hovered over it in a UI.

658

},

659

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

660

# `members` can have the following values:

661

#

662

# * `allUsers`: A special identifier that represents anyone who is

663

# on the internet; with or without a Google account.

664

#

665

# * `allAuthenticatedUsers`: A special identifier that represents anyone

666

# who is authenticated with a Google account or a service account.

667

#

668

# * `user:{emailid}`: An email address that represents a specific Google

669

# account. For example, `alice@example.com` .

670

#

671

#

672

# * `serviceAccount:{emailid}`: An email address that represents a service

673

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

674

#

675

# * `group:{emailid}`: An email address that represents a Google group.

676

# For example, `admins@example.com`.

677

#

678

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

679

# identifier) representing a user that has been recently deleted. For

680

# example, `alice@example.com?uid=123456789012345678901`. If the user is

681

# recovered, this value reverts to `user:{emailid}` and the recovered user

682

# retains the role in the binding.

683

#

684

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

685

# unique identifier) representing a service account that has been recently

686

# deleted. For example,

687

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

688

# If the service account is undeleted, this value reverts to

689

# `serviceAccount:{emailid}` and the undeleted service account retains the

690

# role in the binding.

691

#

692

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

693

# identifier) representing a Google group that has been recently

694

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

695

# the group is recovered, this value reverts to `group:{emailid}` and the

696

# recovered group retains the role in the binding.

697

#

698

#

699

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

700

# users of that domain. For example, `google.com` or `example.com`.

701

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

702

"A String",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

703

],

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

704

},

705

],

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

},

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

716

717

{ # An Identity and Access Management (IAM) policy, which specifies access

718

# controls for Google Cloud resources.

719

#

720

#

721

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

722

# `members` to a single `role`. Members can be user accounts, service accounts,

723

# Google groups, and domains (such as G Suite). A `role` is a named list of

724

# permissions; each `role` can be an IAM predefined role or a user-created

725

# custom role.

726

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

727

# For some types of Google Cloud resources, a `binding` can also specify a

728

# `condition`, which is a logical expression that allows access to a resource

729

# only if the expression evaluates to `true`. A condition can add constraints

730

# based on attributes of the request, the resource, or both. To learn which

731

# resources support conditions in their IAM policies, see the

732

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

#

# **JSON example:**

#

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

737

# "bindings": [

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

738

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

739

# "role": "roles/resourcemanager.organizationAdmin",

740

# "members": [

741

# "user:mike@example.com",

742

# "group:admins@example.com",

743

# "domain:google.com",

744

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

745

# ]

746

# },

747

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

748

# "role": "roles/resourcemanager.organizationViewer",

749

# "members": [

750

# "user:eve@example.com"

751

# ],

752

# "condition": {

753

# "title": "expirable access",

754

# "description": "Does not grant access after Sep 2020",

755

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

756

# }

757

# }

758

# ],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

759

# "etag": "BwWWja0YfJA=",

760

# "version": 3

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

# }

#

# **YAML example:**

#

# bindings:

# - members:

# - user:mike@example.com

768

# - group:admins@example.com

769

# - domain:google.com

770

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

771

# role: roles/resourcemanager.organizationAdmin

772

# - members:

773

# - user:eve@example.com

774

# role: roles/resourcemanager.organizationViewer

775

# condition:

776

# title: expirable access

777

# description: Does not grant access after Sep 2020

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

778

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

779

# - etag: BwWWja0YfJA=

780

# - version: 3

781

#

782

# For a description of IAM and its features, see the

783

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

784

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

785

# prevent simultaneous updates of a policy from overwriting each other.

786

# It is strongly suggested that systems make use of the `etag` in the

787

# read-modify-write cycle to perform policy updates in order to avoid race

788

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

789

# systems are expected to put that etag in the request to `setIamPolicy` to

790

# ensure that their change will be applied to the same version of the policy.

791

#

792

# **Important:** If you use IAM Conditions, you must include the `etag` field

793

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

794

# you to overwrite a version `3` policy with a version `1` policy, and all of

795

# the conditions in the version `3` policy are lost.

796

"version": 42, # Specifies the format of the policy.

797

#

798

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

799

# are rejected.

800

#

801

# Any operation that affects conditional role bindings must specify version

802

# `3`. This requirement applies to the following operations:

803

#

804

# * Getting a policy that includes a conditional role binding

805

# * Adding a conditional role binding to a policy

806

# * Changing a conditional role binding in a policy

807

# * Removing any role binding, with or without a condition, from a policy

808

# that includes conditions

809

#

810

# **Important:** If you use IAM Conditions, you must include the `etag` field

811

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

812

# you to overwrite a version `3` policy with a version `1` policy, and all of

813

# the conditions in the version `3` policy are lost.

814

#

815

# If a policy does not include any conditions, operations on that policy may

816

# specify any valid version or leave the field unset.

817

#

818

# To learn which resources support conditions in their IAM policies, see the

819

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

820

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

821

# `condition` that determines how and when the `bindings` are applied. Each

822

# of the `bindings` must contain at least one member.

823

{ # Associates `members` with a `role`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

824

"role": "A String", # Role that is assigned to `members`.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

825

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

826

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

827

#

828

# If the condition evaluates to `true`, then this binding applies to the

829

# current request.

830

#

831

# If the condition evaluates to `false`, then this binding does not apply to

832

# the current request. However, a different role binding might grant the same

833

# role to one or more of the members in this binding.

834

#

835

# To learn which resources support conditions in their IAM policies, see the

836

# [IAM

837

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

838

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

839

# are documented at https://github.com/google/cel-spec.

840

#

841

# Example (Comparison):

842

#

843

# title: "Summary size limit"

844

# description: "Determines if a summary is less than 100 chars"

845

# expression: "document.summary.size() < 100"

846

#

847

# Example (Equality):

848

#

849

# title: "Requestor is owner"

850

# description: "Determines if requestor is the document owner"

851

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

856

# description: "Determine whether the document should be publicly visible"

857

# expression: "document.type != 'private' && document.type != 'internal'"

858

#

859

# Example (Data Manipulation):

860

#

861

# title: "Notification string"

862

# description: "Create a notification string with a timestamp."

863

# expression: "'New message received at ' + string(document.create_time)"

864

#

865

# The exact variables and functions that may be referenced within an expression

866

# are determined by the service that evaluates it. See the service

867

# documentation for additional information.

868

"expression": "A String", # Textual representation of an expression in Common Expression Language

869

# syntax.

870

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

871

# its purpose. This can be used e.g. in UIs which allow to enter the

872

# expression.

873

"location": "A String", # Optional. String indicating the location of the expression for error

874

# reporting, e.g. a file name and a position in the file.

875

"description": "A String", # Optional. Description of the expression. This is a longer text which

876

# describes the expression, e.g. when hovered over it in a UI.

877

},

878

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

879

# `members` can have the following values:

880

#

881

# * `allUsers`: A special identifier that represents anyone who is

882

# on the internet; with or without a Google account.

883

#

884

# * `allAuthenticatedUsers`: A special identifier that represents anyone

885

# who is authenticated with a Google account or a service account.

886

#

887

# * `user:{emailid}`: An email address that represents a specific Google

888

# account. For example, `alice@example.com` .

889

#

890

#

891

# * `serviceAccount:{emailid}`: An email address that represents a service

892

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

893

#

894

# * `group:{emailid}`: An email address that represents a Google group.

895

# For example, `admins@example.com`.

896

#

897

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

898

# identifier) representing a user that has been recently deleted. For

899

# example, `alice@example.com?uid=123456789012345678901`. If the user is

900

# recovered, this value reverts to `user:{emailid}` and the recovered user

901

# retains the role in the binding.

902

#

903

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

904

# unique identifier) representing a service account that has been recently

905

# deleted. For example,

906

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

907

# If the service account is undeleted, this value reverts to

908

# `serviceAccount:{emailid}` and the undeleted service account retains the

909

# role in the binding.

910

#

911

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

912

# identifier) representing a Google group that has been recently

913

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

914

# the group is recovered, this value reverts to `group:{emailid}` and the

915

# recovered group retains the role in the binding.

916

#

917

#

918

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

919

# users of that domain. For example, `google.com` or `example.com`.

920

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

921

"A String",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

922

],

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

923

},

924

],

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

}</pre>

</div>

<code class="details" id="testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

930

<pre>Returns permissions that a caller has on the Identity-Aware Proxy protected

931

resource.

932

More information about managing access via IAP can be found at:

933

https://cloud.google.com/iap/docs/managing-access#managing_access_via_the_api

934

935

Args:

936

resource: string, REQUIRED: The resource for which the policy detail is being requested.

937

See the operation documentation for the appropriate value for this field. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

938

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

939

The object takes the form of:

940

941

{ # Request message for `TestIamPermissions` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

942

"permissions": [ # The set of permissions to check for the `resource`. Permissions with

943

# wildcards (such as '*' or 'storage.*') are not allowed. For more

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

944

# information see

945

# [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

946

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

],

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

957

958

{ # Response message for `TestIamPermissions` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

959

"permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

960

# allowed.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

961

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

],

}</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

966

967

<code class="details" id="updateIapSettings">updateIapSettings(name, body=None, updateMask=None, x__xgafv=None)</code>

968

<pre>Updates the IAP settings on a particular IAP protected resource. It

969

replaces all fields unless the `update_mask` is set.

970

971

Args:

972

name: string, Required. The resource name of the IAP protected resource. (required)

973

body: object, The request body.

974

The object takes the form of:

975

976

{ # The IAP configurable settings.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

977

"applicationSettings": { # Wrapper over application specific settings for IAP. # Top level wrapper for all application related settings in IAP

978

"csmSettings": { # Configuration for RCTokens generated for CSM workloads protected by IAP. # Settings to configure IAP's behavior for a CSM mesh.

979

# RCTokens are IAP generated JWTs that can be verified at the application. The

980

# RCToken is primarily used for ISTIO deployments, and can be scoped to a

981

# single mesh by configuring the audience field accordingly

982

"rctokenAud": "A String", # Audience claim set in the generated RCToken. This value is not validated by

983

# IAP.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

984

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

985

"cookieDomain": "A String", # The Domain value to set for cookies generated by IAP. This value is not

986

# validated by the API, but will be ignored at runtime if invalid.

987

"accessDeniedPageSettings": { # Custom content configuration for access denied page. # Customization for Access Denied page.

988

# IAP allows customers to define a custom URI to use as the error page when

989

# access is denied to users. If IAP prevents access to this page, the default

990

# IAP error page will be displayed instead.

991

"accessDeniedPageUri": "A String", # The URI to be redirected to when access is denied.

992

},

993

},

994

"accessSettings": { # Access related settings for IAP protected apps. # Top level wrapper for all access related setting in IAP

995

"corsSettings": { # Allows customers to configure HTTP request paths that'll allow HTTP OPTIONS # Configuration to allow cross-origin requests via IAP.

996

# call to bypass authentication and authorization.

997

"allowHttpOptions": True or False, # Configuration to allow HTTP OPTIONS calls to skip authorization. If

998

# undefined, IAP will not apply any special logic to OPTIONS requests.

999

},

1000

"gcipSettings": { # Allows customers to configure tenant_id for GCIP instance per-app. # GCIP claims and endpoint configurations for 3p identity providers.

1001

"loginPageUri": "A String", # Login page URI associated with the GCIP tenants.

1002

# Typically, all resources within the same project share the same login page,

1003

# though it could be overridden at the sub resource level.

1004

"tenantIds": [ # GCIP tenant ids that are linked to the IAP resource.

1005

# tenant_ids could be a string beginning with a number character to indicate

1006

# authenticating with GCIP tenant flow, or in the format of _<ProjectNumber>

1007

# to indicate authenticating with GCIP agent flow.

1008

# If agent flow is used, tenant_ids should only contain one single element,

1009

# while for tenant flow, tenant_ids can contain multiple elements.

"A String",

],

},

"policyDelegationSettings": { # PolicyDelegationConfig allows google-internal teams to use IAP for apps # Settings to configure Policy delegation for apps hosted in tenant projects.

1014

# INTERNAL_ONLY.

1015

# hosted in a tenant project. Using these settings, the app can delegate

1016

# permission check to happen against the linked customer project.

1017

# This is only ever supposed to be used by google internal teams, hence the

1018

# restriction on the proto.

1019

"iamServiceName": "A String", # The DNS name of the service (e.g. "resourcemanager.googleapis.com").

1020

# This should be the domain name part of the full resource names (see

1021

# https://aip.dev/122#full-resource-names), which is usually

1022

# the same as IamServiceSpec.service of the service where the resource type

1023

# is defined.

1024

"iamPermission": "A String", # Permission to check in IAM.

1025

"policyName": { # Policy name to be checked

1026

"type": "A String", # Valid values for type might be 'gce', 'gcs', 'project', 'account' etc.

1027

"id": "A String",

1028

"region": "A String", # For Cloud IAM:

1029

# The location of the Policy.

1030

# Must be empty or "global" for Policies owned by global IAM. Must name a

1031

# region from prodspec/cloud-iam-cloudspec for Regional IAM Policies, see

1032

# go/iam-faq#where-is-iam-currently-deployed.

1033

#

1034

# For Local IAM:

1035

# This field should be set to "local".

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1036

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1037

"resource": { # IAM resource to check permission on

1038

"type": "A String", # The public resource type name of the resource on which conditions will be

1039

# evaluated. It is configured using the official_name of the ResourceType as

1040

# defined in service configurations under //configs/cloud/resourcetypes.

1041

# For example, the official_name for GCP projects is set as

1042

# 'cloudresourcemanager.googleapis.com/Project' according to

1043

# //configs/cloud/resourcetypes/google/cloud/resourcemanager/prod.yaml

1044

# For details see go/iam-conditions-integration-guide.

1045

"labels": { # The service defined labels of the resource on which the conditions will be

1046

# evaluated. The semantics - including the key names - are vague to IAM.

1047

# If the effective condition has a reference to a `resource.labels[foo]`

1048

# construct, IAM consults with this map to retrieve the values associated

1049

# with `foo` key for Conditions evaluation. If the provided key is not found

1050

# in the labels map, the condition would evaluate to false.

1051

#

1052

# This field is in limited use. If your intended use case is not expected

1053

# to express resource.labels attribute in IAM Conditions, leave this field

1054

# empty. Before planning on using this attribute please:

1055

# * Read go/iam-conditions-labels-comm and ensure your service can meet the

1056

# data availability and management requirements.

1057

# * Talk to iam-conditions-eng@ about your use case.

1058

"a_key": "A String",

1059

},

1060

"service": "A String", # The name of the service this resource belongs to. It is configured using

1061

# the official_service_name of the Service as defined in service

1062

# configurations under //configs/cloud/resourcetypes.

1063

# For example, the official_service_name of cloud resource manager service

1064

# is set as 'cloudresourcemanager.googleapis.com' according to

1065

# //configs/cloud/resourcetypes/google/cloud/resourcemanager/prod.yaml

1066

"name": "A String", # Name of the resource on which conditions will be evaluated.

1067

# Must use the Relative Resource Name of the resource, which is the URI

1068

# path of the resource without the leading "/". Examples are

1069

# "projects/_/buckets/[BUCKET-ID]" for storage buckets or

1070

# "projects/[PROJECT-ID]/global/firewalls/[FIREWALL-ID]" for a firewall.

1071

#

1072

# This field is required for evaluating conditions with rules on resource

1073

# names. For a `list` permission check, the resource.name value must be set

1074

# to the parent resource. If the parent resource is a project, this field

1075

# should be left unset.

1076

},

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1077

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1078

"oauthSettings": { # Configuration for OAuth login&consent flow behavior as well as for OAuth # Settings to configure IAP's OAuth behavior.

1079

# Credentials.

1080

"clientId": "A String", # OAuth 2.0 client ID used in the OAuth flow to generate an access token. If

1081

# this field is set, you can skip obtaining the OAuth credentials in this

1082

# step:

1083

# https://developers.google.com/identity/protocols/OAuth2?hl=en_US#1.-obtain-oauth-2.0-credentials-from-the-google-api-console.

1084

# However, this could allow for client sharing. The risks of client sharing

1085

# are outlined here:

1086

# https://cloud.google.com/iap/docs/sharing-oauth-clients#risks.

1087

"loginHint": "A String", # Domain hint to send as hd=? parameter in OAuth request flow. Enables

1088

# redirect to primary IDP by skipping Google's login screen.

1089

# https://developers.google.com/identity/protocols/OpenIDConnect#hd-param

1090

# Note: IAP does not verify that the id token's hd claim matches this value

1091

# since access behavior is managed by IAM policies.

1092

},

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1093

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1094

"name": "A String", # Required. The resource name of the IAP protected resource.

1095

}

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1096

1097

updateMask: string, The field mask specifying which IAP settings should be updated.

1098

If omitted, the all of the settings are updated. See

1099

https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask

1100

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1107

1108

{ # The IAP configurable settings.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1109

"applicationSettings": { # Wrapper over application specific settings for IAP. # Top level wrapper for all application related settings in IAP

1110

"csmSettings": { # Configuration for RCTokens generated for CSM workloads protected by IAP. # Settings to configure IAP's behavior for a CSM mesh.

1111

# RCTokens are IAP generated JWTs that can be verified at the application. The

1112

# RCToken is primarily used for ISTIO deployments, and can be scoped to a

1113

# single mesh by configuring the audience field accordingly

1114

"rctokenAud": "A String", # Audience claim set in the generated RCToken. This value is not validated by

1115

# IAP.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1116

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1117

"cookieDomain": "A String", # The Domain value to set for cookies generated by IAP. This value is not

1118

# validated by the API, but will be ignored at runtime if invalid.

1119

"accessDeniedPageSettings": { # Custom content configuration for access denied page. # Customization for Access Denied page.

1120

# IAP allows customers to define a custom URI to use as the error page when

1121

# access is denied to users. If IAP prevents access to this page, the default

1122

# IAP error page will be displayed instead.

1123

"accessDeniedPageUri": "A String", # The URI to be redirected to when access is denied.

1124

},

1125

},

1126

"accessSettings": { # Access related settings for IAP protected apps. # Top level wrapper for all access related setting in IAP

1127

"corsSettings": { # Allows customers to configure HTTP request paths that'll allow HTTP OPTIONS # Configuration to allow cross-origin requests via IAP.

1128

# call to bypass authentication and authorization.

1129

"allowHttpOptions": True or False, # Configuration to allow HTTP OPTIONS calls to skip authorization. If

1130

# undefined, IAP will not apply any special logic to OPTIONS requests.

1131

},

1132

"gcipSettings": { # Allows customers to configure tenant_id for GCIP instance per-app. # GCIP claims and endpoint configurations for 3p identity providers.

1133

"loginPageUri": "A String", # Login page URI associated with the GCIP tenants.

1134

# Typically, all resources within the same project share the same login page,

1135

# though it could be overridden at the sub resource level.

1136

"tenantIds": [ # GCIP tenant ids that are linked to the IAP resource.

1137

# tenant_ids could be a string beginning with a number character to indicate

1138

# authenticating with GCIP tenant flow, or in the format of _<ProjectNumber>

1139

# to indicate authenticating with GCIP agent flow.

1140

# If agent flow is used, tenant_ids should only contain one single element,

1141

# while for tenant flow, tenant_ids can contain multiple elements.

"A String",

],

},

"policyDelegationSettings": { # PolicyDelegationConfig allows google-internal teams to use IAP for apps # Settings to configure Policy delegation for apps hosted in tenant projects.

1146

# INTERNAL_ONLY.

1147

# hosted in a tenant project. Using these settings, the app can delegate

1148

# permission check to happen against the linked customer project.

1149

# This is only ever supposed to be used by google internal teams, hence the

1150

# restriction on the proto.

1151

"iamServiceName": "A String", # The DNS name of the service (e.g. "resourcemanager.googleapis.com").

1152

# This should be the domain name part of the full resource names (see

1153

# https://aip.dev/122#full-resource-names), which is usually

1154

# the same as IamServiceSpec.service of the service where the resource type

1155

# is defined.

1156

"iamPermission": "A String", # Permission to check in IAM.

1157

"policyName": { # Policy name to be checked

1158

"type": "A String", # Valid values for type might be 'gce', 'gcs', 'project', 'account' etc.

1159

"id": "A String",

1160

"region": "A String", # For Cloud IAM:

1161

# The location of the Policy.

1162

# Must be empty or "global" for Policies owned by global IAM. Must name a

1163

# region from prodspec/cloud-iam-cloudspec for Regional IAM Policies, see

1164

# go/iam-faq#where-is-iam-currently-deployed.

1165

#

1166

# For Local IAM:

1167

# This field should be set to "local".

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1168

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1169

"resource": { # IAM resource to check permission on

1170

"type": "A String", # The public resource type name of the resource on which conditions will be

1171

# evaluated. It is configured using the official_name of the ResourceType as

1172

# defined in service configurations under //configs/cloud/resourcetypes.

1173

# For example, the official_name for GCP projects is set as

1174

# 'cloudresourcemanager.googleapis.com/Project' according to

1175

# //configs/cloud/resourcetypes/google/cloud/resourcemanager/prod.yaml

1176

# For details see go/iam-conditions-integration-guide.

1177

"labels": { # The service defined labels of the resource on which the conditions will be

1178

# evaluated. The semantics - including the key names - are vague to IAM.

1179

# If the effective condition has a reference to a `resource.labels[foo]`

1180

# construct, IAM consults with this map to retrieve the values associated

1181

# with `foo` key for Conditions evaluation. If the provided key is not found

1182

# in the labels map, the condition would evaluate to false.

1183

#

1184

# This field is in limited use. If your intended use case is not expected

1185

# to express resource.labels attribute in IAM Conditions, leave this field

1186

# empty. Before planning on using this attribute please:

1187

# * Read go/iam-conditions-labels-comm and ensure your service can meet the

1188

# data availability and management requirements.

1189

# * Talk to iam-conditions-eng@ about your use case.

1190

"a_key": "A String",

1191

},

1192

"service": "A String", # The name of the service this resource belongs to. It is configured using

1193

# the official_service_name of the Service as defined in service

1194

# configurations under //configs/cloud/resourcetypes.

1195

# For example, the official_service_name of cloud resource manager service

1196

# is set as 'cloudresourcemanager.googleapis.com' according to

1197

# //configs/cloud/resourcetypes/google/cloud/resourcemanager/prod.yaml

1198

"name": "A String", # Name of the resource on which conditions will be evaluated.

1199

# Must use the Relative Resource Name of the resource, which is the URI

1200

# path of the resource without the leading "/". Examples are

1201

# "projects/_/buckets/[BUCKET-ID]" for storage buckets or

1202

# "projects/[PROJECT-ID]/global/firewalls/[FIREWALL-ID]" for a firewall.

1203

#

1204

# This field is required for evaluating conditions with rules on resource

1205

# names. For a `list` permission check, the resource.name value must be set

1206

# to the parent resource. If the parent resource is a project, this field

1207

# should be left unset.

1208

},

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1209

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1210

"oauthSettings": { # Configuration for OAuth login&consent flow behavior as well as for OAuth # Settings to configure IAP's OAuth behavior.

1211

# Credentials.

1212

"clientId": "A String", # OAuth 2.0 client ID used in the OAuth flow to generate an access token. If

1213

# this field is set, you can skip obtaining the OAuth credentials in this

1214

# step:

1215

# https://developers.google.com/identity/protocols/OAuth2?hl=en_US#1.-obtain-oauth-2.0-credentials-from-the-google-api-console.

1216

# However, this could allow for client sharing. The risks of client sharing

1217

# are outlined here:

1218

# https://cloud.google.com/iap/docs/sharing-oauth-clients#risks.

1219

"loginHint": "A String", # Domain hint to send as hd=? parameter in OAuth request flow. Enables

1220

# redirect to primary IDP by skipping Google's login screen.

1221

# https://developers.google.com/identity/protocols/OpenIDConnect#hd-param

1222

# Note: IAP does not verify that the id token's hd claim matches this value

1223

# since access behavior is managed by IAM policies.

1224

},

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1225

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1226

"name": "A String", # Required. The resource name of the IAP protected resource.

1227

}</pre>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1228

</div>

1229

Bu Sun Kim