Blame - docs/dyn/cloudasset_v1.v1.html - platform/external/python/google-api-python-client

2019-06-14 16:50:42 -0700

[diff] [blame]

79

<p class="firstline">Batch gets the update history of assets that overlap a time window.</p>

80

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

81

<code><a href="#exportAssets">exportAssets(parent, body=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

82

<p class="firstline">Exports assets with time and resource types to a given Cloud Storage</p>

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

83

84

<code><a href="#searchAllIamPolicies">searchAllIamPolicies(scope, pageToken=None, pageSize=None, query=None, x__xgafv=None)</a></code></p>

85

<p class="firstline">Searches all the IAM policies within the given accessible scope (e.g., a</p>

86

87

<code><a href="#searchAllIamPolicies_next">searchAllIamPolicies_next(previous_request, previous_response)</a></code></p>

88

<p class="firstline">Retrieves the next page of results.</p>

89

90

<code><a href="#searchAllResources">searchAllResources(scope, pageToken=None, pageSize=None, query=None, assetTypes=None, orderBy=None, x__xgafv=None)</a></code></p>

91

<p class="firstline">Searches all the resources within the given accessible scope (e.g., a</p>

92

93

<code><a href="#searchAllResources_next">searchAllResources_next(previous_request, previous_response)</a></code></p>

94

<p class="firstline">Retrieves the next page of results.</p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

95

<h3>Method Details</h3>

96

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

97

<code class="details" id="batchGetAssetsHistory">batchGetAssetsHistory(parent, contentType=None, readTimeWindow_endTime=None, readTimeWindow_startTime=None, assetNames=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

98

<pre>Batch gets the update history of assets that overlap a time window.

99

For RESOURCE content, this API outputs history with asset in both

100

non-delete or deleted status.

101

For IAM_POLICY content, this API outputs history when the asset and its

102

attached IAM POLICY both exist. This can create gaps in the output history.

103

If a specified asset does not exist, this API returns an INVALID_ARGUMENT

error.

Args:

parent: string, Required. The relative name of the root asset. It can only be an

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

108

organization number (such as "organizations/123"), a project ID (such as

109

"projects/my-project-id")", or a project number (such as "projects/12345"). (required)

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

110

contentType: string, Optional. The content type.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

111

readTimeWindow_endTime: string, End time of the time window (inclusive). If not specified, the current

112

timestamp is used instead.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

113

readTimeWindow_startTime: string, Start time of the time window (exclusive).

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

114

assetNames: string, A list of the full names of the assets.

115

See: https://cloud.google.com/asset-inventory/docs/resource-name-format

116

Example:

117

118

`//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`.

119

120

The request becomes a no-op if the asset name list is empty, and the max

121

size of the asset name list is 100 in one request. (repeated)

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

122

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

129

130

{ # Batch get assets history response.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

131

"assets": [ # A list of assets with valid time windows.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

132

{ # An asset in Google Cloud and its temporal metadata, including the time window

133

# when it was observed and its status during that window.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

134

"deleted": True or False, # Whether the asset has been deleted or not.

135

"window": { # A time window specified by its "start_time" and "end_time". # The time window when the asset data and state was observed.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

136

"startTime": "A String", # Start time of the time window (exclusive).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

137

"endTime": "A String", # End time of the time window (inclusive). If not specified, the current

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

138

# timestamp is used instead.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

139

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

140

"asset": { # An asset in Google Cloud. An asset can be any resource in the Google Cloud # An asset in Google Cloud.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

141

# [resource

142

# hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy),

143

# a resource outside the Google Cloud resource hierarchy (such as Google

144

# Kubernetes Engine clusters and objects), or a Cloud IAM policy.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

145

"servicePerimeter": { # `ServicePerimeter` describes a set of Google Cloud resources which can freely

146

# import and export data amongst themselves, but not export outside of the

147

# `ServicePerimeter`. If a request with a source within this `ServicePerimeter`

148

# has a target outside of the `ServicePerimeter`, the request will be blocked.

149

# Otherwise the request is allowed. There are two types of Service Perimeter -

150

# Regular and Bridge. Regular Service Perimeters cannot overlap, a single

151

# Google Cloud project can only belong to a single regular Service Perimeter.

152

# Service Perimeter Bridges can contain only Google Cloud projects as members,

153

# a single Google Cloud project may belong to multiple Service Perimeter

154

# Bridges.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

155

"spec": { # `ServicePerimeterConfig` specifies a set of Google Cloud resources that # Proposed (or dry run) ServicePerimeter configuration. This configuration

156

# allows to specify and test ServicePerimeter configuration without enforcing

157

# actual access restrictions. Only allowed to be set when the

158

# "use_explicit_dry_run_spec" flag is set.

159

# describe specific Service Perimeter configuration.

160

"accessLevels": [ # A list of `AccessLevel` resource names that allow resources within the

161

# `ServicePerimeter` to be accessed from the internet. `AccessLevels` listed

162

# must be in the same policy as this `ServicePerimeter`. Referencing a

163

# nonexistent `AccessLevel` is a syntax error. If no `AccessLevel` names are

164

# listed, resources within the perimeter can only be accessed via Google

165

# Cloud calls with request origins within the perimeter. Example:

166

# `"accessPolicies/MY_POLICY/accessLevels/MY_LEVEL"`.

167

# For Service Perimeter Bridge, must be empty.

168

"A String",

169

],

170

"restrictedServices": [ # Google Cloud services that are subject to the Service Perimeter

171

# restrictions. For example, if `storage.googleapis.com` is specified, access

172

# to the storage buckets inside the perimeter must meet the perimeter's

173

# access restrictions.

174

"A String",

175

],

176

"vpcAccessibleServices": { # Specifies how APIs are allowed to communicate within the Service # Configuration for APIs allowed within Perimeter.

177

# Perimeter.

178

"enableRestriction": True or False, # Whether to restrict API calls within the Service Perimeter to the list of

179

# APIs specified in 'allowed_services'.

180

"allowedServices": [ # The list of APIs usable within the Service Perimeter. Must be empty

181

# unless 'enable_restriction' is True.

"A String",

],

},

"resources": [ # A list of Google Cloud resources that are inside of the service perimeter.

186

# Currently only projects are allowed. Format: `projects/{project_number}`

187

"A String",

188

],

189

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

190

"name": "A String", # Required. Resource name for the ServicePerimeter. The `short_name`

191

# component must begin with a letter and only include alphanumeric and '_'.

192

# Format: `accessPolicies/{policy_id}/servicePerimeters/{short_name}`

193

"perimeterType": "A String", # Perimeter type indicator. A single project is

194

# allowed to be a member of single regular perimeter, but multiple service

195

# perimeter bridges. A project cannot be a included in a perimeter bridge

196

# without being included in regular perimeter. For perimeter bridges,

197

# the restricted service list as well as access level lists must be

198

# empty.

199

"title": "A String", # Human readable title. Must be unique within the Policy.

200

"useExplicitDryRunSpec": True or False, # Use explicit dry run spec flag. Ordinarily, a dry-run spec implicitly

201

# exists for all Service Perimeters, and that spec is identical to the

202

# status for those Service Perimeters. When this flag is set, it inhibits the

203

# generation of the implicit spec, thereby allowing the user to explicitly

204

# provide a configuration ("spec") to use in a dry-run version of the Service

205

# Perimeter. This allows the user to test changes to the enforced config

206

# ("status") without actually enforcing them. This testing is done through

207

# analyzing the differences between currently enforced and suggested

208

# restrictions. use_explicit_dry_run_spec must bet set to True if any of the

209

# fields in the spec are set to non-default values.

210

"description": "A String", # Description of the `ServicePerimeter` and its use. Does not affect

211

# behavior.

212

"status": { # `ServicePerimeterConfig` specifies a set of Google Cloud resources that # Current ServicePerimeter configuration. Specifies sets of resources,

213

# restricted services and access levels that determine perimeter

214

# content and boundaries.

215

# describe specific Service Perimeter configuration.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

216

"accessLevels": [ # A list of `AccessLevel` resource names that allow resources within the

217

# `ServicePerimeter` to be accessed from the internet. `AccessLevels` listed

218

# must be in the same policy as this `ServicePerimeter`. Referencing a

219

# nonexistent `AccessLevel` is a syntax error. If no `AccessLevel` names are

220

# listed, resources within the perimeter can only be accessed via Google

221

# Cloud calls with request origins within the perimeter. Example:

222

# `"accessPolicies/MY_POLICY/accessLevels/MY_LEVEL"`.

223

# For Service Perimeter Bridge, must be empty.

224

"A String",

225

],

226

"restrictedServices": [ # Google Cloud services that are subject to the Service Perimeter

227

# restrictions. For example, if `storage.googleapis.com` is specified, access

228

# to the storage buckets inside the perimeter must meet the perimeter's

229

# access restrictions.

230

"A String",

231

],

232

"vpcAccessibleServices": { # Specifies how APIs are allowed to communicate within the Service # Configuration for APIs allowed within Perimeter.

233

# Perimeter.

234

"enableRestriction": True or False, # Whether to restrict API calls within the Service Perimeter to the list of

235

# APIs specified in 'allowed_services'.

236

"allowedServices": [ # The list of APIs usable within the Service Perimeter. Must be empty

237

# unless 'enable_restriction' is True.

238

"A String",

239

],

240

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

241

"resources": [ # A list of Google Cloud resources that are inside of the service perimeter.

242

# Currently only projects are allowed. Format: `projects/{project_number}`

243

"A String",

244

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

245

},

246

},

247

"resource": { # A representation of a Google Cloud resource. # A representation of the resource.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

248

"discoveryDocumentUri": "A String", # The URL of the discovery document containing the resource's JSON schema.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

249

# Example:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

250

# "https://www.googleapis.com/discovery/v1/apis/compute/v1/rest"

251

#

252

# This value is unspecified for resources that do not have an API based on a

253

# discovery document, such as Cloud Bigtable.

254

"parent": "A String", # The full name of the immediate parent of this resource. See

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

255

# [Resource

256

# Names](https://cloud.google.com/apis/design/resource_names#full_resource_name)

257

# for more information.

258

#

259

# For Google Cloud assets, this value is the parent resource defined in the

260

# [Cloud IAM policy

261

# hierarchy](https://cloud.google.com/iam/docs/overview#policy_hierarchy).

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

262

# Example:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

263

# "//cloudresourcemanager.googleapis.com/projects/my_project_123"

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

264

#

265

# For third-party assets, this field may be set differently.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

266

"resourceUrl": "A String", # The REST URL for accessing the resource. An HTTP `GET` request using this

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

267

# URL returns the resource itself. Example:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

268

# "https://cloudresourcemanager.googleapis.com/v1/projects/my-project-123"

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

269

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

270

# This value is unspecified for resources without a REST API.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

271

"discoveryName": "A String", # The JSON schema name listed in the discovery document. Example:

272

# "Project"

273

#

274

# This value is unspecified for resources that do not have an API based on a

275

# discovery document, such as Cloud Bigtable.

276

"version": "A String", # The API version. Example: "v1"

277

"location": "A String", # The location of the resource in Google Cloud, such as its zone and region.

278

# For more information, see https://cloud.google.com/about/locations/.

279

"data": { # The content of the resource, in which some sensitive fields are removed

280

# and may not be present.

281

"a_key": "", # Properties of the object.

282

},

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

283

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

284

"name": "A String", # The full name of the asset. Example:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

285

# "//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1"

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

286

#

287

# See [Resource

288

# names](https://cloud.google.com/apis/design/resource_names#full_resource_name)

289

# for more information.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

290

"orgPolicy": [ # A representation of an [organization

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

291

# policy](https://cloud.google.com/resource-manager/docs/organization-policy/overview#organization_policy).

292

# There can be more than one organization policy with different constraints

293

# set on a given resource.

294

{ # Defines a Cloud Organization `Policy` which is used to specify `Constraints`

295

# for configurations of Cloud Platform resources.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

296

"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for

297

# concurrency control.

298

#

299

# When the `Policy` is returned from either a `GetPolicy` or a

300

# `ListOrgPolicy` request, this `etag` indicates the version of the current

301

# `Policy` to use when executing a read-modify-write loop.

302

#

303

# When the `Policy` is returned from a `GetEffectivePolicy` request, the

304

# `etag` will be unset.

305

#

306

# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value

307

# that was returned from a `GetOrgPolicy` request as part of a

308

# read-modify-write loop for concurrency control. Not setting the `etag`in a

309

# `SetOrgPolicy` request will result in an unconditional write of the

310

# `Policy`.

311

"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.

312

# resource.

313

"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any

314

# configuration is acceptable.

315

#

316

# Suppose you have a `Constraint`

317

# `constraints/compute.disableSerialPortAccess` with `constraint_default`

318

# set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following

319

# behavior:

320

# - If the `Policy` at this resource has enforced set to `false`, serial

321

# port connection attempts will be allowed.

322

# - If the `Policy` at this resource has enforced set to `true`, serial

323

# port connection attempts will be refused.

324

# - If the `Policy` at this resource is `RestoreDefault`, serial port

325

# connection attempts will be allowed.

326

# - If no `Policy` is set at this resource or anywhere higher in the

327

# resource hierarchy, serial port connection attempts will be allowed.

328

# - If no `Policy` is set at this resource, but one exists higher in the

329

# resource hierarchy, the behavior is as if the`Policy` were set at

330

# this resource.

331

#

332

# The following examples demonstrate the different possible layerings:

333

#

334

# Example 1 (nearest `Constraint` wins):

335

# `organizations/foo` has a `Policy` with:

336

# {enforced: false}

337

# `projects/bar` has no `Policy` set.

338

# The constraint at `projects/bar` and `organizations/foo` will not be

339

# enforced.

340

#

341

# Example 2 (enforcement gets replaced):

342

# `organizations/foo` has a `Policy` with:

343

# {enforced: false}

344

# `projects/bar` has a `Policy` with:

345

# {enforced: true}

346

# The constraint at `organizations/foo` is not enforced.

347

# The constraint at `projects/bar` is enforced.

348

#

349

# Example 3 (RestoreDefault):

350

# `organizations/foo` has a `Policy` with:

351

# {enforced: true}

352

# `projects/bar` has a `Policy` with:

353

# {RestoreDefault: {}}

354

# The constraint at `organizations/foo` is enforced.

355

# The constraint at `projects/bar` is not enforced, because

356

# `constraint_default` for the `Constraint` is `ALLOW`.

357

},

358

"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,

359

# `constraints/serviceuser.services`.

360

#

361

# Immutable after creation.

362

"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the

363

# server, not specified by the caller, and represents the last time a call to

364

# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will

365

# be ignored.

366

"version": 42, # Version of the `Policy`. Default version is 0;

367

"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of

368

# `Constraint` type.

369

# `constraint_default` enforcement behavior of the specific `Constraint` at

370

# this resource.

371

#

372

# Suppose that `constraint_default` is set to `ALLOW` for the

373

# `Constraint` `constraints/serviceuser.services`. Suppose that organization

374

# foo.com sets a `Policy` at their Organization resource node that restricts

375

# the allowed service activations to deny all service activations. They

376

# could then set a `Policy` with the `policy_type` `restore_default` on

377

# several experimental projects, restoring the `constraint_default`

378

# enforcement of the `Constraint` for only those projects, allowing those

379

# projects to have all services activated.

380

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

381

"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

382

# resource.

383

#

384

# `ListPolicy` can define specific values and subtrees of Cloud Resource

385

# Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that

386

# are allowed or denied by setting the `allowed_values` and `denied_values`

387

# fields. This is achieved by using the `under:` and optional `is:` prefixes.

388

# The `under:` prefix is used to denote resource subtree values.

389

# The `is:` prefix is used to denote specific values, and is required only

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

390

# if the value contains a ":". Values prefixed with "is:" are treated the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

391

# same as values with no prefix.

392

# Ancestry subtrees must be in one of the following formats:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

393

# - "projects/<project-id>", e.g. "projects/tokyo-rain-123"

394

# - "folders/<folder-id>", e.g. "folders/1234"

395

# - "organizations/<organization-id>", e.g. "organizations/1234"

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

396

# The `supports_under` field of the associated `Constraint` defines whether

397

# ancestry prefixes can be used. You can set `allowed_values` and

398

# `denied_values` in the same `Policy` if `all_values` is

399

# `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all

400

# values. If `all_values` is set to either `ALLOW` or `DENY`,

401

# `allowed_values` and `denied_values` must be unset.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

402

"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration

403

# that matches the value specified in this `Policy`. If `suggested_value`

404

# is not set, it will inherit the value specified higher in the hierarchy,

405

# unless `inherit_from_parent` is `false`.

406

"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

407

#

408

# By default, a `ListPolicy` set at a resource supercedes any `Policy` set

409

# anywhere up the resource hierarchy. However, if `inherit_from_parent` is

410

# set to `true`, then the values from the effective `Policy` of the parent

411

# resource are inherited, meaning the values set in this `Policy` are

412

# added to the values inherited up the hierarchy.

413

#

414

# Setting `Policy` hierarchies that inherit both allowed values and denied

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

415

# values isn't recommended in most circumstances to keep the configuration

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

416

# simple and understandable. However, it is possible to set a `Policy` with

417

# `allowed_values` set that inherits a `Policy` with `denied_values` set.

418

# In this case, the values that are allowed must be in `allowed_values` and

419

# not present in `denied_values`.

420

#

421

# For example, suppose you have a `Constraint`

422

# `constraints/serviceuser.services`, which has a `constraint_type` of

423

# `list_constraint`, and with `constraint_default` set to `ALLOW`.

424

# Suppose that at the Organization level, a `Policy` is applied that

425

# restricts the allowed API activations to {`E1`, `E2`}. Then, if a

426

# `Policy` is applied to a project below the Organization that has

427

# `inherit_from_parent` set to `false` and field all_values set to DENY,

428

# then an attempt to activate any API will be denied.

429

#

430

# The following examples demonstrate different possible layerings for

431

# `projects/bar` parented by `organizations/foo`:

432

#

433

# Example 1 (no inherited values):

434

# `organizations/foo` has a `Policy` with values:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

435

# {allowed_values: "E1" allowed_values:"E2"}

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

436

# `projects/bar` has `inherit_from_parent` `false` and values:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

437

# {allowed_values: "E3" allowed_values: "E4"}

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

438

# The accepted values at `organizations/foo` are `E1`, `E2`.

439

# The accepted values at `projects/bar` are `E3`, and `E4`.

440

#

441

# Example 2 (inherited values):

442

# `organizations/foo` has a `Policy` with values:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

443

# {allowed_values: "E1" allowed_values:"E2"}

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

444

# `projects/bar` has a `Policy` with values:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

445

# {value: "E3" value: "E4" inherit_from_parent: true}

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

446

# The accepted values at `organizations/foo` are `E1`, `E2`.

447

# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.

448

#

449

# Example 3 (inheriting both allowed and denied values):

450

# `organizations/foo` has a `Policy` with values:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

451

# {allowed_values: "E1" allowed_values: "E2"}

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

452

# `projects/bar` has a `Policy` with:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

453

# {denied_values: "E1"}

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

454

# The accepted values at `organizations/foo` are `E1`, `E2`.

455

# The value accepted at `projects/bar` is `E2`.

456

#

457

# Example 4 (RestoreDefault):

458

# `organizations/foo` has a `Policy` with values:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

459

# {allowed_values: "E1" allowed_values:"E2"}

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

460

# `projects/bar` has a `Policy` with values:

461

# {RestoreDefault: {}}

462

# The accepted values at `organizations/foo` are `E1`, `E2`.

463

# The accepted values at `projects/bar` are either all or none depending on

464

# the value of `constraint_default` (if `ALLOW`, all; if

465

# `DENY`, none).

466

#

467

# Example 5 (no policy inherits parent policy):

468

# `organizations/foo` has no `Policy` set.

469

# `projects/bar` has no `Policy` set.

470

# The accepted values at both levels are either all or none depending on

471

# the value of `constraint_default` (if `ALLOW`, all; if

472

# `DENY`, none).

473

#

474

# Example 6 (ListConstraint allowing all):

475

# `organizations/foo` has a `Policy` with values:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

476

# {allowed_values: "E1" allowed_values: "E2"}

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

477

# `projects/bar` has a `Policy` with:

478

# {all: ALLOW}

479

# The accepted values at `organizations/foo` are `E1`, E2`.

480

# Any value is accepted at `projects/bar`.

481

#

482

# Example 7 (ListConstraint allowing none):

483

# `organizations/foo` has a `Policy` with values:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

484

# {allowed_values: "E1" allowed_values: "E2"}

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

485

# `projects/bar` has a `Policy` with:

486

# {all: DENY}

487

# The accepted values at `organizations/foo` are `E1`, E2`.

488

# No value is accepted at `projects/bar`.

489

#

490

# Example 10 (allowed and denied subtrees of Resource Manager hierarchy):

491

# Given the following resource hierarchy

492

# O1->{F1, F2}; F1->{P1}; F2->{P2, P3},

493

# `organizations/foo` has a `Policy` with values:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

494

# {allowed_values: "under:organizations/O1"}

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

495

# `projects/bar` has a `Policy` with:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

496

# {allowed_values: "under:projects/P3"}

497

# {denied_values: "under:folders/F2"}

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

498

# The accepted values at `organizations/foo` are `organizations/O1`,

499

# `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,

500

# `projects/P3`.

501

# The accepted values at `projects/bar` are `organizations/O1`,

502

# `folders/F1`, `projects/P1`.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

503

"deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`

504

# is set to `ALL_VALUES_UNSPECIFIED`.

505

"A String",

506

],

507

"allValues": "A String", # The policy all_values state.

508

"allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`

509

# is set to `ALL_VALUES_UNSPECIFIED`.

510

"A String",

511

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

512

},

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

513

},

514

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

515

"iamPolicy": { # An Identity and Access Management (IAM) policy, which specifies access # A representation of the Cloud IAM policy set on a Google Cloud resource.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

516

# There can be a maximum of one Cloud IAM policy set on any given resource.

517

# In addition, Cloud IAM policies inherit their granted access scope from any

518

# policies set on parent resources in the resource hierarchy. Therefore, the

519

# effectively policy is the union of both the policy set on this resource

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

520

# and each policy set on all of the resource's ancestry resource levels in

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

521

# the hierarchy. See

522

# [this topic](https://cloud.google.com/iam/docs/policies#inheritance) for

523

# more information.

524

# controls for Google Cloud resources.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

525

#

526

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

527

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

528

# `members` to a single `role`. Members can be user accounts, service accounts,

529

# Google groups, and domains (such as G Suite). A `role` is a named list of

530

# permissions; each `role` can be an IAM predefined role or a user-created

531

# custom role.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

532

#

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

533

# For some types of Google Cloud resources, a `binding` can also specify a

534

# `condition`, which is a logical expression that allows access to a resource

535

# only if the expression evaluates to `true`. A condition can add constraints

536

# based on attributes of the request, the resource, or both. To learn which

537

# resources support conditions in their IAM policies, see the

538

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

539

#

540

# **JSON example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

541

#

542

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

543

# "bindings": [

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

544

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

545

# "role": "roles/resourcemanager.organizationAdmin",

546

# "members": [

547

# "user:mike@example.com",

548

# "group:admins@example.com",

549

# "domain:google.com",

550

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

551

# ]

552

# },

553

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

554

# "role": "roles/resourcemanager.organizationViewer",

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

555

# "members": [

556

# "user:eve@example.com"

557

# ],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

558

# "condition": {

559

# "title": "expirable access",

560

# "description": "Does not grant access after Sep 2020",

561

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

562

# }

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

563

# }

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

564

# ],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

565

# "etag": "BwWWja0YfJA=",

566

# "version": 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

567

# }

568

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

569

# **YAML example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

#

# bindings:

# - members:

# - user:mike@example.com

574

# - group:admins@example.com

575

# - domain:google.com

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

576

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

577

# role: roles/resourcemanager.organizationAdmin

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

578

# - members:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

579

# - user:eve@example.com

580

# role: roles/resourcemanager.organizationViewer

581

# condition:

582

# title: expirable access

583

# description: Does not grant access after Sep 2020

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

584

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

585

# - etag: BwWWja0YfJA=

586

# - version: 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

587

#

588

# For a description of IAM and its features, see the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

589

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

590

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

591

# prevent simultaneous updates of a policy from overwriting each other.

592

# It is strongly suggested that systems make use of the `etag` in the

593

# read-modify-write cycle to perform policy updates in order to avoid race

594

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

595

# systems are expected to put that etag in the request to `setIamPolicy` to

596

# ensure that their change will be applied to the same version of the policy.

597

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

598

# **Important:** If you use IAM Conditions, you must include the `etag` field

599

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

600

# you to overwrite a version `3` policy with a version `1` policy, and all of

601

# the conditions in the version `3` policy are lost.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

602

"version": 42, # Specifies the format of the policy.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

603

#

604

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

605

# are rejected.

606

#

607

# Any operation that affects conditional role bindings must specify version

608

# `3`. This requirement applies to the following operations:

609

#

610

# * Getting a policy that includes a conditional role binding

611

# * Adding a conditional role binding to a policy

612

# * Changing a conditional role binding in a policy

613

# * Removing any role binding, with or without a condition, from a policy

614

# that includes conditions

615

#

616

# **Important:** If you use IAM Conditions, you must include the `etag` field

617

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

618

# you to overwrite a version `3` policy with a version `1` policy, and all of

619

# the conditions in the version `3` policy are lost.

620

#

621

# If a policy does not include any conditions, operations on that policy may

622

# specify any valid version or leave the field unset.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

623

#

624

# To learn which resources support conditions in their IAM policies, see the

625

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

626

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

627

{ # Specifies the audit configuration for a service.

628

# The configuration determines which permission types are logged, and what

629

# identities, if any, are exempted from logging.

630

# An AuditConfig must have one or more AuditLogConfigs.

631

#

632

# If there are AuditConfigs for both `allServices` and a specific service,

633

# the union of the two AuditConfigs is used for that service: the log_types

634

# specified in each AuditConfig are enabled, and the exempted_members in each

635

# AuditLogConfig are exempted.

636

#

637

# Example Policy with multiple AuditConfigs:

#

# {

# "audit_configs": [

# {

# "service": "allServices"

643

# "audit_log_configs": [

644

# {

645

# "log_type": "DATA_READ",

646

# "exempted_members": [

647

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

652

# },

653

# {

654

# "log_type": "ADMIN_READ",

# }

# ]

# },

# {

# "service": "sampleservice.googleapis.com"

660

# "audit_log_configs": [

661

# {

662

# "log_type": "DATA_READ",

663

# },

664

# {

665

# "log_type": "DATA_WRITE",

666

# "exempted_members": [

667

# "user:aliya@example.com"

# ]

# }

# ]

# }

# ]

# }

#

# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ

676

# logging. It also exempts jose@example.com from DATA_READ logging, and

677

# aliya@example.com from DATA_WRITE logging.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

678

"service": "A String", # Specifies a service that will be enabled for audit logging.

679

# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.

680

# `allServices` is a special value that covers all services.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

681

"auditLogConfigs": [ # The configuration for logging of each type of permission.

682

{ # Provides the configuration for logging a type of permissions.

# Example:

#

# {

# "audit_log_configs": [

687

# {

688

# "log_type": "DATA_READ",

689

# "exempted_members": [

690

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

# }

# ]

# }

#

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting

700

# jose@example.com from DATA_READ logging.

701

"logType": "A String", # The log type that this config enables.

702

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of

703

# permission.

704

# Follows the same format of Binding.members.

"A String",

],

},

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

709

},

710

],

711

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

712

# `condition` that determines how and when the `bindings` are applied. Each

713

# of the `bindings` must contain at least one member.

714

{ # Associates `members` with a `role`.

715

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

716

# `members` can have the following values:

717

#

718

# * `allUsers`: A special identifier that represents anyone who is

719

# on the internet; with or without a Google account.

720

#

721

# * `allAuthenticatedUsers`: A special identifier that represents anyone

722

# who is authenticated with a Google account or a service account.

723

#

724

# * `user:{emailid}`: An email address that represents a specific Google

725

# account. For example, `alice@example.com` .

726

#

727

#

728

# * `serviceAccount:{emailid}`: An email address that represents a service

729

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

730

#

731

# * `group:{emailid}`: An email address that represents a Google group.

732

# For example, `admins@example.com`.

733

#

734

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

735

# identifier) representing a user that has been recently deleted. For

736

# example, `alice@example.com?uid=123456789012345678901`. If the user is

737

# recovered, this value reverts to `user:{emailid}` and the recovered user

738

# retains the role in the binding.

739

#

740

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

741

# unique identifier) representing a service account that has been recently

742

# deleted. For example,

743

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

744

# If the service account is undeleted, this value reverts to

745

# `serviceAccount:{emailid}` and the undeleted service account retains the

746

# role in the binding.

747

#

748

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

749

# identifier) representing a Google group that has been recently

750

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

751

# the group is recovered, this value reverts to `group:{emailid}` and the

752

# recovered group retains the role in the binding.

753

#

754

#

755

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

756

# users of that domain. For example, `google.com` or `example.com`.

#

"A String",

],

"role": "A String", # Role that is assigned to `members`.

761

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

762

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

763

#

764

# If the condition evaluates to `true`, then this binding applies to the

765

# current request.

766

#

767

# If the condition evaluates to `false`, then this binding does not apply to

768

# the current request. However, a different role binding might grant the same

769

# role to one or more of the members in this binding.

770

#

771

# To learn which resources support conditions in their IAM policies, see the

772

# [IAM

773

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

774

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

775

# are documented at https://github.com/google/cel-spec.

776

#

777

# Example (Comparison):

778

#

779

# title: "Summary size limit"

780

# description: "Determines if a summary is less than 100 chars"

781

# expression: "document.summary.size() < 100"

782

#

783

# Example (Equality):

784

#

785

# title: "Requestor is owner"

786

# description: "Determines if requestor is the document owner"

787

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

792

# description: "Determine whether the document should be publicly visible"

793

# expression: "document.type != 'private' && document.type != 'internal'"

794

#

795

# Example (Data Manipulation):

796

#

797

# title: "Notification string"

798

# description: "Create a notification string with a timestamp."

799

# expression: "'New message received at ' + string(document.create_time)"

800

#

801

# The exact variables and functions that may be referenced within an expression

802

# are determined by the service that evaluates it. See the service

803

# documentation for additional information.

804

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

805

# its purpose. This can be used e.g. in UIs which allow to enter the

806

# expression.

807

"location": "A String", # Optional. String indicating the location of the expression for error

808

# reporting, e.g. a file name and a position in the file.

809

"description": "A String", # Optional. Description of the expression. This is a longer text which

810

# describes the expression, e.g. when hovered over it in a UI.

811

"expression": "A String", # Textual representation of an expression in Common Expression Language

812

# syntax.

813

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

814

},

815

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

816

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

817

"accessLevel": { # An `AccessLevel` is a label that can be applied to requests to Google Cloud

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

818

# services, along with a list of requirements necessary for the label to be

819

# applied.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

820

"title": "A String", # Human readable title. Must be unique within the Policy.

821

"name": "A String", # Required. Resource name for the Access Level. The `short_name` component

822

# must begin with a letter and only include alphanumeric and '_'. Format:

823

# `accessPolicies/{policy_id}/accessLevels/{short_name}`. The maximum length

824

# of the `short_name` component is 50 characters.

825

"basic": { # `BasicLevel` is an `AccessLevel` using a set of recommended features. # A `BasicLevel` composed of `Conditions`.

826

"conditions": [ # Required. A list of requirements for the `AccessLevel` to be granted.

827

{ # A condition necessary for an `AccessLevel` to be granted. The Condition is an

828

# AND over its fields. So a Condition is true if: 1) the request IP is from one

829

# of the listed subnetworks AND 2) the originating device complies with the

830

# listed device policy AND 3) all listed access levels are granted AND 4) the

831

# request was sent at a time allowed by the DateTimeRestriction.

832

"devicePolicy": { # `DevicePolicy` specifies device specific restrictions necessary to acquire a # Device specific restrictions, all restrictions must hold for the

833

# Condition to be true. If not specified, all devices are allowed.

834

# given access level. A `DevicePolicy` specifies requirements for requests from

835

# devices to be granted access levels, it does not do any enforcement on the

836

# device. `DevicePolicy` acts as an AND over all specified fields, and each

837

# repeated field is an OR over its elements. Any unset fields are ignored. For

838

# example, if the proto is { os_type : DESKTOP_WINDOWS, os_type :

839

# DESKTOP_LINUX, encryption_status: ENCRYPTED}, then the DevicePolicy will be

840

# true for requests originating from encrypted Linux desktops and encrypted

841

# Windows desktops.

842

"osConstraints": [ # Allowed OS versions, an empty list allows all types and all versions.

843

{ # A restriction on the OS type and version of devices making requests.

844

"minimumVersion": "A String", # The minimum allowed OS version. If not set, any version of this OS

845

# satisfies the constraint. Format: `"major.minor.patch"`.

846

# Examples: `"10.5.301"`, `"9.2.1"`.

847

"osType": "A String", # Required. The allowed OS type.

848

"requireVerifiedChromeOs": True or False, # Only allows requests from devices with a verified Chrome OS.

849

# Verifications includes requirements that the device is enterprise-managed,

850

# conformant to domain policies, and the caller has permission to call

851

# the API targeted by the request.

852

},

853

],

854

"requireCorpOwned": True or False, # Whether the device needs to be corp owned.

855

"requireAdminApproval": True or False, # Whether the device needs to be approved by the customer admin.

856

"requireScreenlock": True or False, # Whether or not screenlock is required for the DevicePolicy to be true.

857

# Defaults to `false`.

858

"allowedEncryptionStatuses": [ # Allowed encryptions statuses, an empty list allows all statuses.

859

"A String",

860

],

861

"allowedDeviceManagementLevels": [ # Allowed device management levels, an empty list allows all management

# levels.

"A String",

],

},

"members": [ # The request must be made by one of the provided user or service

867

# accounts. Groups are not supported.

868

# Syntax:

869

# `user:{emailid}`

870

# `serviceAccount:{emailid}`

871

# If not specified, a request may come from any user.

872

"A String",

873

],

874

"negate": True or False, # Whether to negate the Condition. If true, the Condition becomes a NAND over

875

# its non-empty fields, each field must be false for the Condition overall to

876

# be satisfied. Defaults to false.

877

"ipSubnetworks": [ # CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for

878

# a CIDR IP address block, the specified IP address portion must be properly

879

# truncated (i.e. all the host bits must be zero) or the input is considered

880

# malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is

881

# not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas

882

# "2001:db8::1/32" is not. The originating IP of a request must be in one of

883

# the listed subnets in order for this Condition to be true. If empty, all IP

884

# addresses are allowed.

885

"A String",

886

],

887

"regions": [ # The request must originate from one of the provided countries/regions.

888

# Must be valid ISO 3166-1 alpha-2 codes.

889

"A String",

890

],

891

"requiredAccessLevels": [ # A list of other access levels defined in the same `Policy`, referenced by

892

# resource name. Referencing an `AccessLevel` which does not exist is an

893

# error. All access levels listed must be granted for the Condition

894

# to be true. Example:

895

# "`accessPolicies/MY_POLICY/accessLevels/LEVEL_NAME"`

"A String",

],

},

],

"combiningFunction": "A String", # How the `conditions` list should be combined to determine if a request is

901

# granted this `AccessLevel`. If AND is used, each `Condition` in

902

# `conditions` must be satisfied for the `AccessLevel` to be applied. If OR

903

# is used, at least one `Condition` in `conditions` must be satisfied for the

904

# `AccessLevel` to be applied. Default behavior is AND.

905

},

906

"description": "A String", # Description of the `AccessLevel` and its use. Does not affect behavior.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

907

"custom": { # `CustomLevel` is an `AccessLevel` using the Cloud Common Expression Language # A `CustomLevel` written in the Common Expression Language.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

908

# to represent the necessary conditions for the level to apply to a request.

909

# See CEL spec at: https://github.com/google/cel-spec

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

910

"expr": { # Represents a textual expression in the Common Expression Language (CEL) # Required. A Cloud CEL expression evaluating to a boolean.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

911

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

912

# are documented at https://github.com/google/cel-spec.

913

#

914

# Example (Comparison):

915

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

916

# title: "Summary size limit"

917

# description: "Determines if a summary is less than 100 chars"

918

# expression: "document.summary.size() < 100"

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

919

#

920

# Example (Equality):

921

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

922

# title: "Requestor is owner"

923

# description: "Determines if requestor is the document owner"

924

# expression: "document.owner == request.auth.claims.email"

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

925

#

926

# Example (Logic):

927

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

928

# title: "Public documents"

929

# description: "Determine whether the document should be publicly visible"

930

# expression: "document.type != 'private' && document.type != 'internal'"

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

931

#

932

# Example (Data Manipulation):

933

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

934

# title: "Notification string"

935

# description: "Create a notification string with a timestamp."

936

# expression: "'New message received at ' + string(document.create_time)"

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

937

#

938

# The exact variables and functions that may be referenced within an expression

939

# are determined by the service that evaluates it. See the service

940

# documentation for additional information.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

941

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

942

# its purpose. This can be used e.g. in UIs which allow to enter the

943

# expression.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

944

"location": "A String", # Optional. String indicating the location of the expression for error

945

# reporting, e.g. a file name and a position in the file.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

946

"description": "A String", # Optional. Description of the expression. This is a longer text which

947

# describes the expression, e.g. when hovered over it in a UI.

948

"expression": "A String", # Textual representation of an expression in Common Expression Language

949

# syntax.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

950

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

951

},

952

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

953

"assetType": "A String", # The type of the asset. Example: "compute.googleapis.com/Disk"

954

#

955

# See [Supported asset

956

# types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)

957

# for more information.

958

"accessPolicy": { # `AccessPolicy` is a container for `AccessLevels` (which define the necessary

959

# attributes to use Google Cloud services) and `ServicePerimeters` (which

960

# define regions of services able to freely pass data within a perimeter). An

961

# access policy is globally visible within an organization, and the

962

# restrictions it specifies apply to all projects within an organization.

963

"etag": "A String", # Output only. An opaque identifier for the current version of the

964

# `AccessPolicy`. This will always be a strongly validated etag, meaning that

965

# two Access Polices will be identical if and only if their etags are

966

# identical. Clients should not expect this to be in any specific format.

967

"parent": "A String", # Required. The parent of this `AccessPolicy` in the Cloud Resource

968

# Hierarchy. Currently immutable once created. Format:

969

# `organizations/{organization_id}`

970

"title": "A String", # Required. Human readable title. Does not affect behavior.

971

"name": "A String", # Output only. Resource name of the `AccessPolicy`. Format:

972

# `accessPolicies/{policy_id}`

973

},

974

"ancestors": [ # The ancestry path of an asset in Google Cloud [resource

975

# hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy),

976

# represented as a list of relative resource names. An ancestry path starts

977

# with the closest ancestor in the hierarchy and ends at root. If the asset

978

# is a project, folder, or organization, the ancestry path starts from the

979

# asset itself.

980

#

981

# Example: `["projects/123456789", "folders/5432", "organizations/1234"]`

982

"A String",

983

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

},

],

}</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

991

<code class="details" id="exportAssets">exportAssets(parent, body=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

992

<pre>Exports assets with time and resource types to a given Cloud Storage

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

993

location. The output format is newline-delimited JSON. Each line represents

994

a google.cloud.asset.v1.Asset in the JSON format.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

995

This API implements the google.longrunning.Operation API allowing you

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

996

to keep track of the export. We recommend intervals of at least 2 seconds

997

with exponential retry to poll the export operation result. For

998

regular-size resource parent, the export operation usually finishes within

999

5 minutes.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1000

1001

Args:

1002

parent: string, Required. The relative name of the root asset. This can only be an

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1003

organization number (such as "organizations/123"), a project ID (such as

1004

"projects/my-project-id"), or a project number (such as "projects/12345"),

1005

or a folder number (such as "folders/123"). (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1006

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1007

The object takes the form of:

1008

1009

{ # Export asset request.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1010

"assetTypes": [ # A list of asset types of which to take a snapshot for. Example:

1011

# "compute.googleapis.com/Disk". If specified, only matching assets will be

1012

# returned. See [Introduction to Cloud Asset

1013

# Inventory](https://cloud.google.com/asset-inventory/docs/overview)

1014

# for all supported asset types.

1015

"A String",

1016

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1017

"readTime": "A String", # Timestamp to take an asset snapshot. This can only be set to a timestamp

1018

# between the current time and the current time minus 35 days (inclusive).

1019

# If not specified, the current time will be used. Due to delays in resource

1020

# data collection and indexing, there is a volatile window during which

1021

# running the same query may get different results.

1022

"contentType": "A String", # Asset content type. If not specified, no content but the asset name will be

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1023

# returned.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1024

"outputConfig": { # Output configuration for export assets destination. # Required. Output configuration indicating where the results will be output

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1025

# to. All results will be in newline delimited JSON format.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1026

"bigqueryDestination": { # A BigQuery destination. # Destination on BigQuery. The output table stores the fields in asset

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1027

# proto as columns in BigQuery. The resource/iam_policy field is converted

1028

# to a record with each field to a column, except metadata to a single JSON

1029

# string.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1030

"dataset": "A String", # Required. The BigQuery dataset in format

1031

# "projects/projectId/datasets/datasetId", to which the snapshot result

1032

# should be exported. If this dataset does not exist, the export call returns

1033

# an INVALID_ARGUMENT error.

1034

"force": True or False, # If the destination table already exists and this flag is `TRUE`, the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1035

# table will be overwritten by the contents of assets snapshot. If the flag

1036

# is `FALSE` or unset and the destination table already exists, the export

1037

# call returns an INVALID_ARGUMEMT error.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1038

"table": "A String", # Required. The BigQuery table to which the snapshot result should be

1039

# written. If this table does not exist, a new table with the given name

1040

# will be created.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1041

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1042

"gcsDestination": { # A Cloud Storage location. # Destination on Cloud Storage.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1043

"uriPrefix": "A String", # The uri prefix of all generated Cloud Storage objects. Example:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1044

# "gs://bucket_name/object_name_prefix". Each object uri is in format:

1045

# "gs://bucket_name/object_name_prefix/<asset type>/<shard number> and only

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1046

# contains assets for that type. <shard number> starts from 0. Example:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1047

# "gs://bucket_name/object_name_prefix/compute.googleapis.com/Disk/0" is

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1048

# the first shard of output objects containing all

1049

# compute.googleapis.com/Disk assets. An INVALID_ARGUMENT error will be

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1050

# returned if file with the same name "gs://bucket_name/object_name_prefix"

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1051

# already exists.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1052

"uri": "A String", # The uri of the Cloud Storage object. It's the same uri that is used by

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1053

# gsutil. Example: "gs://bucket_name/object_name". See [Viewing and

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1054

# Editing Object

1055

# Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata)

1056

# for more information.

1057

},

1058

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1059

}

1060

1061

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1068

1069

{ # This resource represents a long-running operation that is the result of a

1070

# network API call.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1071

"error": { # The `Status` type defines a logical error model that is suitable for # The error result of the operation in case of failure or cancellation.

1072

# different programming environments, including REST APIs and RPC APIs. It is

1073

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

1074

# three pieces of data: error code, error message, and error details.

1075

#

1076

# You can find out more about this error model and how to work with it in the

1077

# [API Design Guide](https://cloud.google.com/apis/design/errors).

1078

"message": "A String", # A developer-facing error message, which should be in English. Any

1079

# user-facing error message should be localized and sent in the

1080

# google.rpc.Status.details field, or localized by the client.

1081

"details": [ # A list of messages that carry the error details. There is a common set of

1082

# message types for APIs to use.

1083

{

1084

"a_key": "", # Properties of the object. Contains field @type with type URL.

1085

},

1086

],

1087

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

1088

},

1089

"metadata": { # Service-specific metadata associated with the operation. It typically

1090

# contains progress information and common metadata such as create time.

1091

# Some services might not provide such metadata. Any method that returns a

1092

# long-running operation should document the metadata type, if any.

1093

"a_key": "", # Properties of the object. Contains field @type with type URL.

1094

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1095

"done": True or False, # If the value is `false`, it means the operation is still in progress.

1096

# If `true`, the operation is completed, and either `error` or `response` is

1097

# available.

1098

"response": { # The normal response of the operation in case of success. If the original

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1099

# method returns no data on success, such as `Delete`, the response is

1100

# `google.protobuf.Empty`. If the original method is standard

1101

# `Get`/`Create`/`Update`, the response should be the resource. For other

1102

# methods, the response should have the type `XxxResponse`, where `Xxx`

1103

# is the original method name. For example, if the original method name

1104

# is `TakeSnapshot()`, the inferred response type is

1105

# `TakeSnapshotResponse`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1106

"a_key": "", # Properties of the object. Contains field @type with type URL.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1107

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1108

"name": "A String", # The server-assigned name, which is only unique within the same service that

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1109

# originally returns it. If you use the default HTTP mapping, the

1110

# `name` should be a resource name ending with `operations/{unique_id}`.

Bu Sun Kim