<html><body>
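<style>

/* Reset: remove default spacing and inherit typography on every element the page uses. */
body, h1, h2, h3, div, span, p, pre, a {
  margin: 0;
  padding: 0;
  border: 0;
  font-weight: inherit;
  font-style: inherit;
  font-size: 100%;
  font-family: inherit;
  vertical-align: baseline;
}

body {
  font-size: 13px;
  padding: 1em;
}

/* Heading scale: h1 > h2 > h3, each followed by one line of space. */
h1 {
  font-size: 26px;
  margin-bottom: 1em;
}

h2 {
  font-size: 24px;
  margin-bottom: 1em;
}

h3 {
  font-size: 20px;
  margin-bottom: 1em;
  margin-top: 1em;
}

/* Method signatures and request/response schemas are shown in monospace. */
pre, code {
  line-height: 1.5;
  font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
}

pre {
  margin-top: 0.5em;
}

/* The generic family keyword is `sans-serif`; the unhyphenated form is not a
   generic family, so the fallback was never the intended one. */
h1, h2, h3, p {
  font-family: Arial, sans-serif;
}

h1, h2, h3 {
  border-bottom: solid #CCC 1px;
}

/* Table-of-contents entry (one per method). */
.toc_element {
  margin-top: 0.5em;
}

/* One-line summary under a table-of-contents entry. A length may not contain a
   space between number and unit; `2 em` made the whole declaration invalid. */
.firstline {
  margin-left: 2em;
}

/* Boxed section holding one method's full documentation. */
.method {
  margin-top: 1em;
  border: solid 1px #CCC;
  padding: 1em;
  background: #EEE;
}

/* Method signature at the top of a .method box. */
.details {
  font-weight: bold;
  font-size: 14px;
}

</style>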
74
75<h1><a href="bigtableadmin_v2.html">Cloud Bigtable Admin API</a> . <a href="bigtableadmin_v2.projects.html">projects</a> . <a href="bigtableadmin_v2.projects.instances.html">instances</a> . <a href="bigtableadmin_v2.projects.instances.clusters.html">clusters</a> . <a href="bigtableadmin_v2.projects.instances.clusters.backups.html">backups</a></h1>
76<h2>Instance Methods</h2>
77<p class="toc_element">
78 <code><a href="#getIamPolicy">getIamPolicy(resource, body=None, x__xgafv=None)</a></code></p>
79<p class="firstline">Gets the access control policy for a Table resource.</p>
80<p class="toc_element">
81 <code><a href="#setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</a></code></p>
82<p class="firstline">Sets the access control policy on a Table resource.</p>
83<p class="toc_element">
84 <code><a href="#testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</a></code></p>
85<p class="firstline">Returns permissions that the caller has on the specified table resource.</p>
86<h3>Method Details</h3>
87<div class="method">
88 <code class="details" id="getIamPolicy">getIamPolicy(resource, body=None, x__xgafv=None)</code>
89 <pre>Gets the access control policy for a Table resource.
90Returns an empty policy if the resource exists but does not have a policy
91set.
92
93Args:
94 resource: string, REQUIRED: The resource for which the policy is being requested.
95See the operation documentation for the appropriate value for this field. (required)
96 body: object, The request body.
97 The object takes the form of:
98
99{ # Request message for `GetIamPolicy` method.
100 &quot;options&quot;: { # Encapsulates settings provided to GetIamPolicy. # OPTIONAL: A `GetPolicyOptions` object for specifying options to
101 # `GetIamPolicy`. This field is only used by Cloud IAM.
102 &quot;requestedPolicyVersion&quot;: 42, # Optional. The policy format version to be returned.
103 #
104 # Valid values are 0, 1, and 3. Requests specifying an invalid value will be
105 # rejected.
106 #
107 # Requests for policies with any conditional bindings must specify version 3.
108 # Policies without any conditional bindings may specify any valid value or
109 # leave the field unset.
110 },
111 }
112
113 x__xgafv: string, V1 error format.
114 Allowed values
115 1 - v1 error format
116 2 - v2 error format
117
118Returns:
119 An object of the form:
120
121 { # An Identity and Access Management (IAM) policy, which specifies access
122 # controls for Google Cloud resources.
123 #
124 #
125 # A `Policy` is a collection of `bindings`. A `binding` binds one or more
126 # `members` to a single `role`. Members can be user accounts, service accounts,
127 # Google groups, and domains (such as G Suite). A `role` is a named list of
128 # permissions; each `role` can be an IAM predefined role or a user-created
129 # custom role.
130 #
131 # Optionally, a `binding` can specify a `condition`, which is a logical
132 # expression that allows access to a resource only if the expression evaluates
133 # to `true`. A condition can add constraints based on attributes of the
134 # request, the resource, or both.
135 #
136 # **JSON example:**
137 #
138 # {
139 # &quot;bindings&quot;: [
140 # {
141 # &quot;role&quot;: &quot;roles/resourcemanager.organizationAdmin&quot;,
142 # &quot;members&quot;: [
143 # &quot;user:mike@example.com&quot;,
144 # &quot;group:admins@example.com&quot;,
145 # &quot;domain:google.com&quot;,
146 # &quot;serviceAccount:my-project-id@appspot.gserviceaccount.com&quot;
147 # ]
148 # },
149 # {
150 # &quot;role&quot;: &quot;roles/resourcemanager.organizationViewer&quot;,
151 # &quot;members&quot;: [&quot;user:eve@example.com&quot;],
152 # &quot;condition&quot;: {
153 # &quot;title&quot;: &quot;expirable access&quot;,
154 # &quot;description&quot;: &quot;Does not grant access after Sep 2020&quot;,
155 # &quot;expression&quot;: &quot;request.time &lt; timestamp(&#x27;2020-10-01T00:00:00.000Z&#x27;)&quot;,
156 # }
157 # }
158 # ],
159 # &quot;etag&quot;: &quot;BwWWja0YfJA=&quot;,
160 # &quot;version&quot;: 3
161 # }
162 #
163 # **YAML example:**
164 #
165 # bindings:
166 # - members:
167 # - user:mike@example.com
168 # - group:admins@example.com
169 # - domain:google.com
170 # - serviceAccount:my-project-id@appspot.gserviceaccount.com
171 # role: roles/resourcemanager.organizationAdmin
172 # - members:
173 # - user:eve@example.com
174 # role: roles/resourcemanager.organizationViewer
175 # condition:
176 # title: expirable access
177 # description: Does not grant access after Sep 2020
178 # expression: request.time &lt; timestamp(&#x27;2020-10-01T00:00:00.000Z&#x27;)
179 # - etag: BwWWja0YfJA=
180 # - version: 3
181 #
182 # For a description of IAM and its features, see the
183 # [IAM documentation](https://cloud.google.com/iam/docs/).
184 &quot;etag&quot;: &quot;A String&quot;, # `etag` is used for optimistic concurrency control as a way to help
185 # prevent simultaneous updates of a policy from overwriting each other.
186 # It is strongly suggested that systems make use of the `etag` in the
187 # read-modify-write cycle to perform policy updates in order to avoid race
188 # conditions: An `etag` is returned in the response to `getIamPolicy`, and
189 # systems are expected to put that etag in the request to `setIamPolicy` to
190 # ensure that their change will be applied to the same version of the policy.
191 #
192 # **Important:** If you use IAM Conditions, you must include the `etag` field
193 # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
194 # you to overwrite a version `3` policy with a version `1` policy, and all of
195 # the conditions in the version `3` policy are lost.
196 &quot;version&quot;: 42, # Specifies the format of the policy.
197 #
198 # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
199 # are rejected.
200 #
201 # Any operation that affects conditional role bindings must specify version
202 # `3`. This requirement applies to the following operations:
203 #
204 # * Getting a policy that includes a conditional role binding
205 # * Adding a conditional role binding to a policy
206 # * Changing a conditional role binding in a policy
207 # * Removing any role binding, with or without a condition, from a policy
208 # that includes conditions
209 #
210 # **Important:** If you use IAM Conditions, you must include the `etag` field
211 # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
212 # you to overwrite a version `3` policy with a version `1` policy, and all of
213 # the conditions in the version `3` policy are lost.
214 #
215 # If a policy does not include any conditions, operations on that policy may
216 # specify any valid version or leave the field unset.
217 &quot;auditConfigs&quot;: [ # Specifies cloud audit logging configuration for this policy.
218 { # Specifies the audit configuration for a service.
219 # The configuration determines which permission types are logged, and what
220 # identities, if any, are exempted from logging.
221 # An AuditConfig must have one or more AuditLogConfigs.
222 #
223 # If there are AuditConfigs for both `allServices` and a specific service,
224 # the union of the two AuditConfigs is used for that service: the log_types
225 # specified in each AuditConfig are enabled, and the exempted_members in each
226 # AuditLogConfig are exempted.
227 #
228 # Example Policy with multiple AuditConfigs:
229 #
230 # {
231 # &quot;audit_configs&quot;: [
232 # {
233 # &quot;service&quot;: &quot;allServices&quot;
234 # &quot;audit_log_configs&quot;: [
235 # {
236 # &quot;log_type&quot;: &quot;DATA_READ&quot;,
237 # &quot;exempted_members&quot;: [
238 # &quot;user:jose@example.com&quot;
239 # ]
240 # },
241 # {
242 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;,
243 # },
244 # {
245 # &quot;log_type&quot;: &quot;ADMIN_READ&quot;,
246 # }
247 # ]
248 # },
249 # {
250 # &quot;service&quot;: &quot;sampleservice.googleapis.com&quot;
251 # &quot;audit_log_configs&quot;: [
252 # {
253 # &quot;log_type&quot;: &quot;DATA_READ&quot;,
254 # },
255 # {
256 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;,
257 # &quot;exempted_members&quot;: [
258 # &quot;user:aliya@example.com&quot;
259 # ]
260 # }
261 # ]
262 # }
263 # ]
264 # }
265 #
266 # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
267 # logging. It also exempts jose@example.com from DATA_READ logging, and
268 # aliya@example.com from DATA_WRITE logging.
269 &quot;service&quot;: &quot;A String&quot;, # Specifies a service that will be enabled for audit logging.
270 # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
271 # `allServices` is a special value that covers all services.
272 &quot;auditLogConfigs&quot;: [ # The configuration for logging of each type of permission.
273 { # Provides the configuration for logging a type of permissions.
274 # Example:
275 #
276 # {
277 # &quot;audit_log_configs&quot;: [
278 # {
279 # &quot;log_type&quot;: &quot;DATA_READ&quot;,
280 # &quot;exempted_members&quot;: [
281 # &quot;user:jose@example.com&quot;
282 # ]
283 # },
284 # {
285 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;,
286 # }
287 # ]
288 # }
289 #
290 # This enables &#x27;DATA_READ&#x27; and &#x27;DATA_WRITE&#x27; logging, while exempting
291 # jose@example.com from DATA_READ logging.
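292 &quot;exemptedMembers&quot;: [ # Specifies the identities that do not cause logging for this type of
293 # permission. Access of this type by an exempted identity leaves no audit log entry, so keep the list short and review it regularly.
294 # Follows the same format as Binding.members.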
295 &quot;A String&quot;,
296 ],
297 &quot;logType&quot;: &quot;A String&quot;, # The log type that this config enables.
298 },
299 ],
300 },
301 ],
302 &quot;bindings&quot;: [ # Associates a list of `members` to a `role`. Optionally, may specify a
303 # `condition` that determines how and when the `bindings` are applied. Each
304 # of the `bindings` must contain at least one member.
305 { # Associates `members` with a `role`.
306 &quot;condition&quot;: { # The condition that is associated with this binding.
307 # NOTE: An unsatisfied condition will not allow user access via the current
308 # binding. Different bindings, including their conditions, are examined
309 # independently.
310 # Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL
311 # are documented at https://github.com/google/cel-spec.
312 #
313 # Example (Comparison):
314 #
315 # title: &quot;Summary size limit&quot;
316 # description: &quot;Determines if a summary is less than 100 chars&quot;
317 # expression: &quot;document.summary.size() &lt; 100&quot;
318 #
319 # Example (Equality):
320 #
321 # title: &quot;Requestor is owner&quot;
322 # description: &quot;Determines if requestor is the document owner&quot;
323 # expression: &quot;document.owner == request.auth.claims.email&quot;
324 #
325 # Example (Logic):
326 #
327 # title: &quot;Public documents&quot;
328 # description: &quot;Determine whether the document should be publicly visible&quot;
329 # expression: &quot;document.type != &#x27;private&#x27; &amp;&amp; document.type != &#x27;internal&#x27;&quot;
330 #
331 # Example (Data Manipulation):
332 #
333 # title: &quot;Notification string&quot;
334 # description: &quot;Create a notification string with a timestamp.&quot;
335 # expression: &quot;&#x27;New message received at &#x27; + string(document.create_time)&quot;
336 #
337 # The exact variables and functions that may be referenced within an expression
338 # are determined by the service that evaluates it. See the service
339 # documentation for additional information.
340 &quot;description&quot;: &quot;A String&quot;, # Optional. Description of the expression. This is a longer text which
341 # describes the expression, e.g. when hovered over it in a UI.
342 &quot;expression&quot;: &quot;A String&quot;, # Textual representation of an expression in Common Expression Language
343 # syntax.
344 &quot;title&quot;: &quot;A String&quot;, # Optional. Title for the expression, i.e. a short string describing
345 # its purpose. This can be used e.g. in UIs which allow to enter the
346 # expression.
347 &quot;location&quot;: &quot;A String&quot;, # Optional. String indicating the location of the expression for error
348 # reporting, e.g. a file name and a position in the file.
349 },
350 &quot;members&quot;: [ # Specifies the identities requesting access for a Cloud Platform resource.
351 # `members` can have the following values:
352 #
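353 # * `allUsers`: A special identifier that represents anyone who is
354 # on the internet, with or without a Google account. A binding that lists `allUsers` therefore grants its role to unauthenticated callers as well.
355 #
356 # * `allAuthenticatedUsers`: A special identifier that represents anyone
357 # who is authenticated with a Google account or a service account. This covers any such account, not only accounts in your own organization.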
358 #
359 # * `user:{emailid}`: An email address that represents a specific Google
360 # account. For example, `alice@example.com` .
361 #
362 #
363 # * `serviceAccount:{emailid}`: An email address that represents a service
364 # account. For example, `my-other-app@appspot.gserviceaccount.com`.
365 #
366 # * `group:{emailid}`: An email address that represents a Google group.
367 # For example, `admins@example.com`.
368 #
369 # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
370 # identifier) representing a user that has been recently deleted. For
371 # example, `alice@example.com?uid=123456789012345678901`. If the user is
372 # recovered, this value reverts to `user:{emailid}` and the recovered user
373 # retains the role in the binding.
374 #
375 # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
376 # unique identifier) representing a service account that has been recently
377 # deleted. For example,
378 # `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
379 # If the service account is undeleted, this value reverts to
380 # `serviceAccount:{emailid}` and the undeleted service account retains the
381 # role in the binding.
382 #
383 # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
384 # identifier) representing a Google group that has been recently
385 # deleted. For example, `admins@example.com?uid=123456789012345678901`. If
386 # the group is recovered, this value reverts to `group:{emailid}` and the
387 # recovered group retains the role in the binding.
388 #
389 #
390 # * `domain:{domain}`: The G Suite domain (primary) that represents all the
391 # users of that domain. For example, `google.com` or `example.com`.
392 #
393 &quot;A String&quot;,
394 ],
395 &quot;role&quot;: &quot;A String&quot;, # Role that is assigned to `members`.
396 # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
397 },
398 ],
399 }</pre>
400</div>
401
402<div class="method">
403 <code class="details" id="setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</code>
404 <pre>Sets the access control policy on a Table resource.
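405Replaces any existing policy. To avoid overwriting a concurrent change, read the current policy with `getIamPolicy` first and send its `etag` back in the request.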
406
407Args:
408 resource: string, REQUIRED: The resource for which the policy is being specified.
409See the operation documentation for the appropriate value for this field. (required)
410 body: object, The request body.
411 The object takes the form of:
412
413{ # Request message for `SetIamPolicy` method.
414 &quot;policy&quot;: { # REQUIRED: The complete policy to be applied to the `resource`. The size of
415 # the policy is limited to a few 10s of KB. An empty policy is a
416 # valid policy but certain Cloud Platform services (such as Projects)
417 # might reject it.
418 # An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources.
419 #
420 #
421 # A `Policy` is a collection of `bindings`. A `binding` binds one or more
422 # `members` to a single `role`. Members can be user accounts, service accounts,
423 # Google groups, and domains (such as G Suite). A `role` is a named list of
424 # permissions; each `role` can be an IAM predefined role or a user-created
425 # custom role.
426 #
427 # Optionally, a `binding` can specify a `condition`, which is a logical
428 # expression that allows access to a resource only if the expression evaluates
429 # to `true`. A condition can add constraints based on attributes of the
430 # request, the resource, or both.
431 #
432 # **JSON example:**
433 #
434 # {
435 # &quot;bindings&quot;: [
436 # {
437 # &quot;role&quot;: &quot;roles/resourcemanager.organizationAdmin&quot;,
438 # &quot;members&quot;: [
439 # &quot;user:mike@example.com&quot;,
440 # &quot;group:admins@example.com&quot;,
441 # &quot;domain:google.com&quot;,
442 # &quot;serviceAccount:my-project-id@appspot.gserviceaccount.com&quot;
443 # ]
444 # },
445 # {
446 # &quot;role&quot;: &quot;roles/resourcemanager.organizationViewer&quot;,
447 # &quot;members&quot;: [&quot;user:eve@example.com&quot;],
448 # &quot;condition&quot;: {
449 # &quot;title&quot;: &quot;expirable access&quot;,
450 # &quot;description&quot;: &quot;Does not grant access after Sep 2020&quot;,
451 # &quot;expression&quot;: &quot;request.time &lt; timestamp(&#x27;2020-10-01T00:00:00.000Z&#x27;)&quot;,
452 # }
453 # }
454 # ],
455 # &quot;etag&quot;: &quot;BwWWja0YfJA=&quot;,
456 # &quot;version&quot;: 3
457 # }
458 #
459 # **YAML example:**
460 #
461 # bindings:
462 # - members:
463 # - user:mike@example.com
464 # - group:admins@example.com
465 # - domain:google.com
466 # - serviceAccount:my-project-id@appspot.gserviceaccount.com
467 # role: roles/resourcemanager.organizationAdmin
468 # - members:
469 # - user:eve@example.com
470 # role: roles/resourcemanager.organizationViewer
471 # condition:
472 # title: expirable access
473 # description: Does not grant access after Sep 2020
474 # expression: request.time &lt; timestamp(&#x27;2020-10-01T00:00:00.000Z&#x27;)
475 # - etag: BwWWja0YfJA=
476 # - version: 3
477 #
478 # For a description of IAM and its features, see the
479 # [IAM documentation](https://cloud.google.com/iam/docs/).
480 &quot;etag&quot;: &quot;A String&quot;, # `etag` is used for optimistic concurrency control as a way to help
481 # prevent simultaneous updates of a policy from overwriting each other.
482 # It is strongly suggested that systems make use of the `etag` in the
483 # read-modify-write cycle to perform policy updates in order to avoid race
484 # conditions: An `etag` is returned in the response to `getIamPolicy`, and
485 # systems are expected to put that etag in the request to `setIamPolicy` to
486 # ensure that their change will be applied to the same version of the policy.
487 #
488 # **Important:** If you use IAM Conditions, you must include the `etag` field
489 # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
490 # you to overwrite a version `3` policy with a version `1` policy, and all of
491 # the conditions in the version `3` policy are lost.
492 &quot;version&quot;: 42, # Specifies the format of the policy.
493 #
494 # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
495 # are rejected.
496 #
497 # Any operation that affects conditional role bindings must specify version
498 # `3`. This requirement applies to the following operations:
499 #
500 # * Getting a policy that includes a conditional role binding
501 # * Adding a conditional role binding to a policy
502 # * Changing a conditional role binding in a policy
503 # * Removing any role binding, with or without a condition, from a policy
504 # that includes conditions
505 #
506 # **Important:** If you use IAM Conditions, you must include the `etag` field
507 # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
508 # you to overwrite a version `3` policy with a version `1` policy, and all of
509 # the conditions in the version `3` policy are lost.
510 #
511 # If a policy does not include any conditions, operations on that policy may
512 # specify any valid version or leave the field unset.
513 &quot;auditConfigs&quot;: [ # Specifies cloud audit logging configuration for this policy.
514 { # Specifies the audit configuration for a service.
515 # The configuration determines which permission types are logged, and what
516 # identities, if any, are exempted from logging.
517 # An AuditConfig must have one or more AuditLogConfigs.
518 #
519 # If there are AuditConfigs for both `allServices` and a specific service,
520 # the union of the two AuditConfigs is used for that service: the log_types
521 # specified in each AuditConfig are enabled, and the exempted_members in each
522 # AuditLogConfig are exempted.
523 #
524 # Example Policy with multiple AuditConfigs:
525 #
526 # {
527 # &quot;audit_configs&quot;: [
528 # {
529 # &quot;service&quot;: &quot;allServices&quot;
530 # &quot;audit_log_configs&quot;: [
531 # {
532 # &quot;log_type&quot;: &quot;DATA_READ&quot;,
533 # &quot;exempted_members&quot;: [
534 # &quot;user:jose@example.com&quot;
535 # ]
536 # },
537 # {
538 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;,
539 # },
540 # {
541 # &quot;log_type&quot;: &quot;ADMIN_READ&quot;,
542 # }
543 # ]
544 # },
545 # {
546 # &quot;service&quot;: &quot;sampleservice.googleapis.com&quot;
547 # &quot;audit_log_configs&quot;: [
548 # {
549 # &quot;log_type&quot;: &quot;DATA_READ&quot;,
550 # },
551 # {
552 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;,
553 # &quot;exempted_members&quot;: [
554 # &quot;user:aliya@example.com&quot;
555 # ]
556 # }
557 # ]
558 # }
559 # ]
560 # }
561 #
562 # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
563 # logging. It also exempts jose@example.com from DATA_READ logging, and
564 # aliya@example.com from DATA_WRITE logging.
565 &quot;service&quot;: &quot;A String&quot;, # Specifies a service that will be enabled for audit logging.
566 # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
567 # `allServices` is a special value that covers all services.
568 &quot;auditLogConfigs&quot;: [ # The configuration for logging of each type of permission.
569 { # Provides the configuration for logging a type of permissions.
570 # Example:
571 #
572 # {
573 # &quot;audit_log_configs&quot;: [
574 # {
575 # &quot;log_type&quot;: &quot;DATA_READ&quot;,
576 # &quot;exempted_members&quot;: [
577 # &quot;user:jose@example.com&quot;
578 # ]
579 # },
580 # {
581 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;,
582 # }
583 # ]
584 # }
585 #
586 # This enables &#x27;DATA_READ&#x27; and &#x27;DATA_WRITE&#x27; logging, while exempting
587 # jose@example.com from DATA_READ logging.
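588 &quot;exemptedMembers&quot;: [ # Specifies the identities that do not cause logging for this type of
589 # permission. Access of this type by an exempted identity leaves no audit log entry, so keep the list short and review it regularly.
590 # Follows the same format as Binding.members.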
591 &quot;A String&quot;,
592 ],
593 &quot;logType&quot;: &quot;A String&quot;, # The log type that this config enables.
594 },
595 ],
596 },
597 ],
598 &quot;bindings&quot;: [ # Associates a list of `members` to a `role`. Optionally, may specify a
599 # `condition` that determines how and when the `bindings` are applied. Each
600 # of the `bindings` must contain at least one member.
601 { # Associates `members` with a `role`.
602 &quot;condition&quot;: { # The condition that is associated with this binding.
603 # NOTE: An unsatisfied condition will not allow user access via the current
604 # binding. Different bindings, including their conditions, are examined
605 # independently.
606 # Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL
607 # are documented at https://github.com/google/cel-spec.
608 #
609 # Example (Comparison):
610 #
611 # title: &quot;Summary size limit&quot;
612 # description: &quot;Determines if a summary is less than 100 chars&quot;
613 # expression: &quot;document.summary.size() &lt; 100&quot;
614 #
615 # Example (Equality):
616 #
617 # title: &quot;Requestor is owner&quot;
618 # description: &quot;Determines if requestor is the document owner&quot;
619 # expression: &quot;document.owner == request.auth.claims.email&quot;
620 #
621 # Example (Logic):
622 #
623 # title: &quot;Public documents&quot;
624 # description: &quot;Determine whether the document should be publicly visible&quot;
625 # expression: &quot;document.type != &#x27;private&#x27; &amp;&amp; document.type != &#x27;internal&#x27;&quot;
626 #
627 # Example (Data Manipulation):
628 #
629 # title: &quot;Notification string&quot;
630 # description: &quot;Create a notification string with a timestamp.&quot;
631 # expression: &quot;&#x27;New message received at &#x27; + string(document.create_time)&quot;
632 #
633 # The exact variables and functions that may be referenced within an expression
634 # are determined by the service that evaluates it. See the service
635 # documentation for additional information.
636 &quot;description&quot;: &quot;A String&quot;, # Optional. Description of the expression. This is a longer text which
637 # describes the expression, e.g. when hovered over it in a UI.
638 &quot;expression&quot;: &quot;A String&quot;, # Textual representation of an expression in Common Expression Language
639 # syntax.
640 &quot;title&quot;: &quot;A String&quot;, # Optional. Title for the expression, i.e. a short string describing
641 # its purpose. This can be used e.g. in UIs which allow to enter the
642 # expression.
643 &quot;location&quot;: &quot;A String&quot;, # Optional. String indicating the location of the expression for error
644 # reporting, e.g. a file name and a position in the file.
645 },
646 &quot;members&quot;: [ # Specifies the identities requesting access for a Cloud Platform resource.
647 # `members` can have the following values:
648 #
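649 # * `allUsers`: A special identifier that represents anyone who is
650 # on the internet, with or without a Google account. A binding that lists `allUsers` therefore grants its role to unauthenticated callers as well.
651 #
652 # * `allAuthenticatedUsers`: A special identifier that represents anyone
653 # who is authenticated with a Google account or a service account. This covers any such account, not only accounts in your own organization.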
654 #
655 # * `user:{emailid}`: An email address that represents a specific Google
656 # account. For example, `alice@example.com` .
657 #
658 #
659 # * `serviceAccount:{emailid}`: An email address that represents a service
660 # account. For example, `my-other-app@appspot.gserviceaccount.com`.
661 #
662 # * `group:{emailid}`: An email address that represents a Google group.
663 # For example, `admins@example.com`.
664 #
665 # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
666 # identifier) representing a user that has been recently deleted. For
667 # example, `alice@example.com?uid=123456789012345678901`. If the user is
668 # recovered, this value reverts to `user:{emailid}` and the recovered user
669 # retains the role in the binding.
670 #
671 # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
672 # unique identifier) representing a service account that has been recently
673 # deleted. For example,
674 # `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
675 # If the service account is undeleted, this value reverts to
676 # `serviceAccount:{emailid}` and the undeleted service account retains the
677 # role in the binding.
678 #
679 # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
680 # identifier) representing a Google group that has been recently
681 # deleted. For example, `admins@example.com?uid=123456789012345678901`. If
682 # the group is recovered, this value reverts to `group:{emailid}` and the
683 # recovered group retains the role in the binding.
684 #
685 #
686 # * `domain:{domain}`: The G Suite domain (primary) that represents all the
687 # users of that domain. For example, `google.com` or `example.com`.
688 #
689 &quot;A String&quot;,
690 ],
691 &quot;role&quot;: &quot;A String&quot;, # Role that is assigned to `members`.
692 # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
693 },
694 ],
695 },
696 &quot;updateMask&quot;: &quot;A String&quot;, # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
697 # the fields in the mask will be modified. If no mask is provided, the
698 # following default mask is used:
699 # paths: &quot;bindings, etag&quot;
700 # This field is only used by Cloud IAM. Under the default mask, `auditConfigs` is not among the fields that are modified.
701 }
702
703 x__xgafv: string, V1 error format.
704 Allowed values
705 1 - v1 error format
706 2 - v2 error format
707
708Returns:
709 An object of the form:
710
711 { # An Identity and Access Management (IAM) policy, which specifies access
712 # controls for Google Cloud resources.
713 #
714 #
715 # A `Policy` is a collection of `bindings`. A `binding` binds one or more
716 # `members` to a single `role`. Members can be user accounts, service accounts,
717 # Google groups, and domains (such as G Suite). A `role` is a named list of
718 # permissions; each `role` can be an IAM predefined role or a user-created
719 # custom role.
720 #
721 # Optionally, a `binding` can specify a `condition`, which is a logical
722 # expression that allows access to a resource only if the expression evaluates
723 # to `true`. A condition can add constraints based on attributes of the
724 # request, the resource, or both.
725 #
726 # **JSON example:**
727 #
728 # {
729 # &quot;bindings&quot;: [
730 # {
731 # &quot;role&quot;: &quot;roles/resourcemanager.organizationAdmin&quot;,
732 # &quot;members&quot;: [
733 # &quot;user:mike@example.com&quot;,
734 # &quot;group:admins@example.com&quot;,
735 # &quot;domain:google.com&quot;,
736 # &quot;serviceAccount:my-project-id@appspot.gserviceaccount.com&quot;
737 # ]
738 # },
739 # {
740 # &quot;role&quot;: &quot;roles/resourcemanager.organizationViewer&quot;,
741 # &quot;members&quot;: [&quot;user:eve@example.com&quot;],
742 # &quot;condition&quot;: {
743 # &quot;title&quot;: &quot;expirable access&quot;,
744 # &quot;description&quot;: &quot;Does not grant access after Sep 2020&quot;,
745 # &quot;expression&quot;: &quot;request.time &lt; timestamp(&#x27;2020-10-01T00:00:00.000Z&#x27;)&quot;,
746 # }
747 # }
748 # ],
749 # &quot;etag&quot;: &quot;BwWWja0YfJA=&quot;,
750 # &quot;version&quot;: 3
751 # }
752 #
753 # **YAML example:**
754 #
755 # bindings:
756 # - members:
757 # - user:mike@example.com
758 # - group:admins@example.com
759 # - domain:google.com
760 # - serviceAccount:my-project-id@appspot.gserviceaccount.com
761 # role: roles/resourcemanager.organizationAdmin
762 # - members:
763 # - user:eve@example.com
764 # role: roles/resourcemanager.organizationViewer
765 # condition:
766 # title: expirable access
767 # description: Does not grant access after Sep 2020
768 # expression: request.time &lt; timestamp(&#x27;2020-10-01T00:00:00.000Z&#x27;)
769 # - etag: BwWWja0YfJA=
770 # - version: 3
771 #
772 # For a description of IAM and its features, see the
773 # [IAM documentation](https://cloud.google.com/iam/docs/).
774 &quot;etag&quot;: &quot;A String&quot;, # `etag` is used for optimistic concurrency control as a way to help
775 # prevent simultaneous updates of a policy from overwriting each other.
776 # It is strongly suggested that systems make use of the `etag` in the
777 # read-modify-write cycle to perform policy updates in order to avoid race
778 # conditions: An `etag` is returned in the response to `getIamPolicy`, and
779 # systems are expected to put that etag in the request to `setIamPolicy` to
780 # ensure that their change will be applied to the same version of the policy.
781 #
782 # **Important:** If you use IAM Conditions, you must include the `etag` field
783 # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
784 # you to overwrite a version `3` policy with a version `1` policy, and all of
785 # the conditions in the version `3` policy are lost.
786 &quot;version&quot;: 42, # Specifies the format of the policy.
787 #
788 # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
789 # are rejected.
790 #
791 # Any operation that affects conditional role bindings must specify version
792 # `3`. This requirement applies to the following operations:
793 #
794 # * Getting a policy that includes a conditional role binding
795 # * Adding a conditional role binding to a policy
796 # * Changing a conditional role binding in a policy
797 # * Removing any role binding, with or without a condition, from a policy
798 # that includes conditions
799 #
800 # **Important:** If you use IAM Conditions, you must include the `etag` field
801 # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
802 # you to overwrite a version `3` policy with a version `1` policy, and all of
803 # the conditions in the version `3` policy are lost.
804 #
805 # If a policy does not include any conditions, operations on that policy may
806 # specify any valid version or leave the field unset.
807 &quot;auditConfigs&quot;: [ # Specifies cloud audit logging configuration for this policy.
808 { # Specifies the audit configuration for a service.
809 # The configuration determines which permission types are logged, and what
810 # identities, if any, are exempted from logging.
811 # An AuditConfig must have one or more AuditLogConfigs.
812 #
813 # If there are AuditConfigs for both `allServices` and a specific service,
814 # the union of the two AuditConfigs is used for that service: the log_types
815 # specified in each AuditConfig are enabled, and the exempted_members in each
816 # AuditLogConfig are exempted.
817 #
818 # Example Policy with multiple AuditConfigs:
819 #
820 # {
821 # &quot;audit_configs&quot;: [
822 # {
823 # &quot;service&quot;: &quot;allServices&quot;,
824 # &quot;audit_log_configs&quot;: [
825 # {
826 # &quot;log_type&quot;: &quot;DATA_READ&quot;,
827 # &quot;exempted_members&quot;: [
828 # &quot;user:jose@example.com&quot;
829 # ]
830 # },
831 # {
832 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;
833 # },
834 # {
835 # &quot;log_type&quot;: &quot;ADMIN_READ&quot;
836 # }
837 # ]
838 # },
839 # {
840 # &quot;service&quot;: &quot;sampleservice.googleapis.com&quot;,
841 # &quot;audit_log_configs&quot;: [
842 # {
843 # &quot;log_type&quot;: &quot;DATA_READ&quot;
844 # },
845 # {
846 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;,
847 # &quot;exempted_members&quot;: [
848 # &quot;user:aliya@example.com&quot;
849 # ]
850 # }
851 # ]
852 # }
853 # ]
854 # }
855 #
856 # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
857 # logging. It also exempts jose@example.com from DATA_READ logging, and
858 # aliya@example.com from DATA_WRITE logging.
859 &quot;service&quot;: &quot;A String&quot;, # Specifies a service that will be enabled for audit logging.
860 # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
861 # `allServices` is a special value that covers all services.
862 &quot;auditLogConfigs&quot;: [ # The configuration for logging of each type of permission.
863 { # Provides the configuration for logging a type of permissions.
864 # Example:
865 #
866 # {
867 # &quot;audit_log_configs&quot;: [
868 # {
869 # &quot;log_type&quot;: &quot;DATA_READ&quot;,
870 # &quot;exempted_members&quot;: [
871 # &quot;user:jose@example.com&quot;
872 # ]
873 # },
874 # {
875 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;,
876 # }
877 # ]
878 # }
879 #
880 # This enables &#x27;DATA_READ&#x27; and &#x27;DATA_WRITE&#x27; logging, while exempting
881 # jose@example.com from DATA_READ logging.
882 &quot;exemptedMembers&quot;: [ # Specifies the identities that do not cause logging for this type of
883 # permission.
884 # Follows the same format as Binding.members.
885 &quot;A String&quot;,
886 ],
887 &quot;logType&quot;: &quot;A String&quot;, # The log type that this config enables.
888 },
889 ],
890 },
891 ],
892 &quot;bindings&quot;: [ # Associates a list of `members` to a `role`. Optionally, may specify a
893 # `condition` that determines how and when the `bindings` are applied. Each
894 # of the `bindings` must contain at least one member.
895 { # Associates `members` with a `role`.
896 &quot;condition&quot;: { # The condition that is associated with this binding.
897 # NOTE: An unsatisfied condition will not allow user access via current
898 # binding. Different bindings, including their conditions, are examined
899 # independently.
900 # Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL
901 # are documented at https://github.com/google/cel-spec.
902 #
903 # Example (Comparison):
904 #
905 # title: &quot;Summary size limit&quot;
906 # description: &quot;Determines if a summary is less than 100 chars&quot;
907 # expression: &quot;document.summary.size() &lt; 100&quot;
908 #
909 # Example (Equality):
910 #
911 # title: &quot;Requestor is owner&quot;
912 # description: &quot;Determines if requestor is the document owner&quot;
913 # expression: &quot;document.owner == request.auth.claims.email&quot;
914 #
915 # Example (Logic):
916 #
917 # title: &quot;Public documents&quot;
918 # description: &quot;Determine whether the document should be publicly visible&quot;
919 # expression: &quot;document.type != &#x27;private&#x27; &amp;&amp; document.type != &#x27;internal&#x27;&quot;
920 #
921 # Example (Data Manipulation):
922 #
923 # title: &quot;Notification string&quot;
924 # description: &quot;Create a notification string with a timestamp.&quot;
925 # expression: &quot;&#x27;New message received at &#x27; + string(document.create_time)&quot;
926 #
927 # The exact variables and functions that may be referenced within an expression
928 # are determined by the service that evaluates it. See the service
929 # documentation for additional information.
930 &quot;description&quot;: &quot;A String&quot;, # Optional. Description of the expression. This is a longer text which
931 # describes the expression, e.g. when hovered over it in a UI.
932 &quot;expression&quot;: &quot;A String&quot;, # Textual representation of an expression in Common Expression Language
933 # syntax.
934 &quot;title&quot;: &quot;A String&quot;, # Optional. Title for the expression, i.e. a short string describing
935 # its purpose. This can be used, e.g., in UIs that allow entering the
936 # expression.
937 &quot;location&quot;: &quot;A String&quot;, # Optional. String indicating the location of the expression for error
938 # reporting, e.g. a file name and a position in the file.
939 },
940 &quot;members&quot;: [ # Specifies the identities requesting access for a Cloud Platform resource.
941 # `members` can have the following values:
942 #
943 # * `allUsers`: A special identifier that represents anyone who is
944 # on the internet, with or without a Google account; no authentication is required.
945 #
946 # * `allAuthenticatedUsers`: A special identifier that represents anyone
947 # who is authenticated with a Google account or a service account, including accounts outside your organization.
948 #
949 # * `user:{emailid}`: An email address that represents a specific Google
950 # account. For example, `alice@example.com` .
951 #
952 #
953 # * `serviceAccount:{emailid}`: An email address that represents a service
954 # account. For example, `my-other-app@appspot.gserviceaccount.com`.
955 #
956 # * `group:{emailid}`: An email address that represents a Google group.
957 # For example, `admins@example.com`.
958 #
959 # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
960 # identifier) representing a user that has been recently deleted. For
961 # example, `alice@example.com?uid=123456789012345678901`. If the user is
962 # recovered, this value reverts to `user:{emailid}` and the recovered user
963 # retains the role in the binding.
964 #
965 # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
966 # unique identifier) representing a service account that has been recently
967 # deleted. For example,
968 # `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
969 # If the service account is undeleted, this value reverts to
970 # `serviceAccount:{emailid}` and the undeleted service account retains the
971 # role in the binding.
972 #
973 # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
974 # identifier) representing a Google group that has been recently
975 # deleted. For example, `admins@example.com?uid=123456789012345678901`. If
976 # the group is recovered, this value reverts to `group:{emailid}` and the
977 # recovered group retains the role in the binding.
978 #
979 #
980 # * `domain:{domain}`: The G Suite domain (primary) that represents all the
981 # users of that domain. For example, `google.com` or `example.com`.
982 #
983 &quot;A String&quot;,
984 ],
985 &quot;role&quot;: &quot;A String&quot;, # Role that is assigned to `members`.
986 # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
987 },
988 ],
989 }</pre>
990</div>
991
992<div class="method">
993 <code class="details" id="testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</code>
994 <pre>Returns permissions that the caller has on the specified table resource.
995
996Args:
997 resource: string, REQUIRED: The resource for which the policy detail is being requested.
998See the operation documentation for the appropriate value for this field. (required)
999 body: object, The request body.
1000 The object takes the form of:
1001
1002{ # Request message for `TestIamPermissions` method.
1003 &quot;permissions&quot;: [ # The set of permissions to check for the `resource`. Permissions with
1004 # wildcards (such as &#x27;*&#x27; or &#x27;storage.*&#x27;) are not allowed. For more
1005 # information see
1006 # [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).
1007 &quot;A String&quot;,
1008 ],
1009 }
1010
1011 x__xgafv: string, V1 error format.
1012 Allowed values
1013 1 - v1 error format
1014 2 - v2 error format
1015
1016Returns:
1017 An object of the form:
1018
1019 { # Response message for `TestIamPermissions` method.
1020 &quot;permissions&quot;: [ # A subset of `TestIamPermissionsRequest.permissions` that the caller is
1021 # allowed.
1022 &quot;A String&quot;,
1023 ],
1024 }</pre>
1025</div>
1026
1027</body></html>