Blame - docs/dyn/servicemanagement_v1.services.consumers.html - platform/external/python/google-api-python-client

2017-03-13 12:12:03 -0400

[diff] [blame]

76

<h2>Instance Methods</h2>

77

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

78

<code><a href="#getIamPolicy">getIamPolicy(resource, body=None, x__xgafv=None)</a></code></p>

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

79

<p class="firstline">Gets the access control policy for a resource.</p>

80

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

81

<code><a href="#setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</a></code></p>

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

82

<p class="firstline">Sets the access control policy on the specified resource. Replaces any</p>

83

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

84

<code><a href="#testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</a></code></p>

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

85

<p class="firstline">Returns permissions that a caller has on the specified resource.</p>

86

<h3>Method Details</h3>

87

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

88

<code class="details" id="getIamPolicy">getIamPolicy(resource, body=None, x__xgafv=None)</code>

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

89

<pre>Gets the access control policy for a resource.

90

Returns an empty policy if the resource exists and does not have a policy

set.

Args:

resource: string, REQUIRED: The resource for which the policy is being requested.

95

See the operation documentation for the appropriate value for this field. (required)

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

96

body: object, The request body.

Sai Cheemalapati

4ba8c23

2017-06-06 18:46:08 -0400

[diff] [blame]

97

The object takes the form of:

98

99

{ # Request message for `GetIamPolicy` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

100

"options": { # Encapsulates settings provided to GetIamPolicy. # OPTIONAL: A `GetPolicyOptions` object for specifying options to

101

# `GetIamPolicy`.

102

"requestedPolicyVersion": 42, # Optional. The policy format version to be returned.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

103

#

104

# Valid values are 0, 1, and 3. Requests specifying an invalid value will be

105

# rejected.

106

#

107

# Requests for policies with any conditional bindings must specify version 3.

108

# Policies without any conditional bindings may specify any valid value or

109

# leave the field unset.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

110

#

111

# To learn which resources support conditions in their IAM policies, see the

112

# [IAM

113

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

114

},

Sai Cheemalapati

4ba8c23

2017-06-06 18:46:08 -0400

[diff] [blame]

115

}

116

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

117

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

124

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

125

{ # An Identity and Access Management (IAM) policy, which specifies access

126

# controls for Google Cloud resources.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

127

#

128

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

129

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

130

# `members` to a single `role`. Members can be user accounts, service accounts,

131

# Google groups, and domains (such as G Suite). A `role` is a named list of

132

# permissions; each `role` can be an IAM predefined role or a user-created

133

# custom role.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

134

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

135

# For some types of Google Cloud resources, a `binding` can also specify a

136

# `condition`, which is a logical expression that allows access to a resource

137

# only if the expression evaluates to `true`. A condition can add constraints

138

# based on attributes of the request, the resource, or both. To learn which

139

# resources support conditions in their IAM policies, see the

140

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

141

#

142

# **JSON example:**

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

143

#

144

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

145

# "bindings": [

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

146

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

147

# "role": "roles/resourcemanager.organizationAdmin",

148

# "members": [

149

# "user:mike@example.com",

150

# "group:admins@example.com",

151

# "domain:google.com",

152

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

153

# ]

154

# },

155

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

156

# "role": "roles/resourcemanager.organizationViewer",

157

# "members": [

158

# "user:eve@example.com"

159

# ],

160

# "condition": {

161

# "title": "expirable access",

162

# "description": "Does not grant access after Sep 2020",

163

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

164

# }

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

165

# }

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

166

# ],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

167

# "etag": "BwWWja0YfJA=",

168

# "version": 3

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

169

# }

170

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

171

# **YAML example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

#

# bindings:

# - members:

# - user:mike@example.com

176

# - group:admins@example.com

177

# - domain:google.com

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

178

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

179

# role: roles/resourcemanager.organizationAdmin

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

180

# - members:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

181

# - user:eve@example.com

182

# role: roles/resourcemanager.organizationViewer

183

# condition:

184

# title: expirable access

185

# description: Does not grant access after Sep 2020

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

186

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

187

# - etag: BwWWja0YfJA=

188

# - version: 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

189

#

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

190

# For a description of IAM and its features, see the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

191

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

192

"version": 42, # Specifies the format of the policy.

193

#

194

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

195

# are rejected.

196

#

197

# Any operation that affects conditional role bindings must specify version

198

# `3`. This requirement applies to the following operations:

199

#

200

# * Getting a policy that includes a conditional role binding

201

# * Adding a conditional role binding to a policy

202

# * Changing a conditional role binding in a policy

203

# * Removing any role binding, with or without a condition, from a policy

204

# that includes conditions

205

#

206

# **Important:** If you use IAM Conditions, you must include the `etag` field

207

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

208

# you to overwrite a version `3` policy with a version `1` policy, and all of

209

# the conditions in the version `3` policy are lost.

210

#

211

# If a policy does not include any conditions, operations on that policy may

212

# specify any valid version or leave the field unset.

213

#

214

# To learn which resources support conditions in their IAM policies, see the

215

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

216

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

217

# prevent simultaneous updates of a policy from overwriting each other.

218

# It is strongly suggested that systems make use of the `etag` in the

219

# read-modify-write cycle to perform policy updates in order to avoid race

220

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

221

# systems are expected to put that etag in the request to `setIamPolicy` to

222

# ensure that their change will be applied to the same version of the policy.

223

#

224

# **Important:** If you use IAM Conditions, you must include the `etag` field

225

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

226

# you to overwrite a version `3` policy with a version `1` policy, and all of

227

# the conditions in the version `3` policy are lost.

228

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

229

# `condition` that determines how and when the `bindings` are applied. Each

230

# of the `bindings` must contain at least one member.

231

{ # Associates `members` with a `role`.

232

"role": "A String", # Role that is assigned to `members`.

233

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

234

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

235

#

236

# If the condition evaluates to `true`, then this binding applies to the

237

# current request.

238

#

239

# If the condition evaluates to `false`, then this binding does not apply to

240

# the current request. However, a different role binding might grant the same

241

# role to one or more of the members in this binding.

242

#

243

# To learn which resources support conditions in their IAM policies, see the

244

# [IAM

245

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

246

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

247

# are documented at https://github.com/google/cel-spec.

248

#

249

# Example (Comparison):

250

#

251

# title: "Summary size limit"

252

# description: "Determines if a summary is less than 100 chars"

253

# expression: "document.summary.size() < 100"

254

#

255

# Example (Equality):

256

#

257

# title: "Requestor is owner"

258

# description: "Determines if requestor is the document owner"

259

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

264

# description: "Determine whether the document should be publicly visible"

265

# expression: "document.type != 'private' && document.type != 'internal'"

266

#

267

# Example (Data Manipulation):

268

#

269

# title: "Notification string"

270

# description: "Create a notification string with a timestamp."

271

# expression: "'New message received at ' + string(document.create_time)"

272

#

273

# The exact variables and functions that may be referenced within an expression

274

# are determined by the service that evaluates it. See the service

275

# documentation for additional information.

276

"expression": "A String", # Textual representation of an expression in Common Expression Language

277

# syntax.

278

"location": "A String", # Optional. String indicating the location of the expression for error

279

# reporting, e.g. a file name and a position in the file.

280

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

281

# its purpose. This can be used e.g. in UIs which allow to enter the

282

# expression.

283

"description": "A String", # Optional. Description of the expression. This is a longer text which

284

# describes the expression, e.g. when hovered over it in a UI.

285

},

286

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

287

# `members` can have the following values:

288

#

289

# * `allUsers`: A special identifier that represents anyone who is

290

# on the internet; with or without a Google account.

291

#

292

# * `allAuthenticatedUsers`: A special identifier that represents anyone

293

# who is authenticated with a Google account or a service account.

294

#

295

# * `user:{emailid}`: An email address that represents a specific Google

296

# account. For example, `alice@example.com` .

297

#

298

#

299

# * `serviceAccount:{emailid}`: An email address that represents a service

300

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

301

#

302

# * `group:{emailid}`: An email address that represents a Google group.

303

# For example, `admins@example.com`.

304

#

305

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

306

# identifier) representing a user that has been recently deleted. For

307

# example, `alice@example.com?uid=123456789012345678901`. If the user is

308

# recovered, this value reverts to `user:{emailid}` and the recovered user

309

# retains the role in the binding.

310

#

311

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

312

# unique identifier) representing a service account that has been recently

313

# deleted. For example,

314

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

315

# If the service account is undeleted, this value reverts to

316

# `serviceAccount:{emailid}` and the undeleted service account retains the

317

# role in the binding.

318

#

319

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

320

# identifier) representing a Google group that has been recently

321

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

322

# the group is recovered, this value reverts to `group:{emailid}` and the

323

# recovered group retains the role in the binding.

324

#

325

#

326

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

327

# users of that domain. For example, `google.com` or `example.com`.

#

"A String",

],

},

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

333

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

334

{ # Specifies the audit configuration for a service.

335

# The configuration determines which permission types are logged, and what

336

# identities, if any, are exempted from logging.

337

# An AuditConfig must have one or more AuditLogConfigs.

338

#

339

# If there are AuditConfigs for both `allServices` and a specific service,

340

# the union of the two AuditConfigs is used for that service: the log_types

341

# specified in each AuditConfig are enabled, and the exempted_members in each

342

# AuditLogConfig are exempted.

343

#

344

# Example Policy with multiple AuditConfigs:

#

# {

# "audit_configs": [

# {

# "service": "allServices"

350

# "audit_log_configs": [

351

# {

352

# "log_type": "DATA_READ",

353

# "exempted_members": [

354

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

359

# },

360

# {

361

# "log_type": "ADMIN_READ",

# }

# ]

# },

# {

# "service": "sampleservice.googleapis.com"

367

# "audit_log_configs": [

368

# {

369

# "log_type": "DATA_READ",

370

# },

371

# {

372

# "log_type": "DATA_WRITE",

373

# "exempted_members": [

374

# "user:aliya@example.com"

# ]

# }

# ]

# }

# ]

# }

#

# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ

383

# logging. It also exempts jose@example.com from DATA_READ logging, and

384

# aliya@example.com from DATA_WRITE logging.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

385

"service": "A String", # Specifies a service that will be enabled for audit logging.

386

# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.

387

# `allServices` is a special value that covers all services.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

388

"auditLogConfigs": [ # The configuration for logging of each type of permission.

389

{ # Provides the configuration for logging a type of permissions.

# Example:

#

# {

# "audit_log_configs": [

394

# {

395

# "log_type": "DATA_READ",

396

# "exempted_members": [

397

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

# }

# ]

# }

#

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting

407

# jose@example.com from DATA_READ logging.

408

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of

409

# permission.

410

# Follows the same format of Binding.members.

411

"A String",

412

],

413

"logType": "A String", # The log type that this config enables.

414

},

415

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

416

},

417

],

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

}</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

422

<code class="details" id="setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</code>

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

423

<pre>Sets the access control policy on the specified resource. Replaces any

424

existing policy.

425

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

426

Can return `NOT_FOUND`, `INVALID_ARGUMENT`, and `PERMISSION_DENIED` errors.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

427

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

428

Args:

429

resource: string, REQUIRED: The resource for which the policy is being specified.

430

See the operation documentation for the appropriate value for this field. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

431

body: object, The request body.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

432

The object takes the form of:

433

434

{ # Request message for `SetIamPolicy` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

435

"policy": { # An Identity and Access Management (IAM) policy, which specifies access # REQUIRED: The complete policy to be applied to the `resource`. The size of

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

436

# the policy is limited to a few 10s of KB. An empty policy is a

437

# valid policy but certain Cloud Platform services (such as Projects)

438

# might reject them.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

439

# controls for Google Cloud resources.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

440

#

441

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

442

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

443

# `members` to a single `role`. Members can be user accounts, service accounts,

444

# Google groups, and domains (such as G Suite). A `role` is a named list of

445

# permissions; each `role` can be an IAM predefined role or a user-created

446

# custom role.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

447

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

448

# For some types of Google Cloud resources, a `binding` can also specify a

449

# `condition`, which is a logical expression that allows access to a resource

450

# only if the expression evaluates to `true`. A condition can add constraints

451

# based on attributes of the request, the resource, or both. To learn which

452

# resources support conditions in their IAM policies, see the

453

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

454

#

455

# **JSON example:**

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

456

#

457

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

458

# "bindings": [

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

459

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

460

# "role": "roles/resourcemanager.organizationAdmin",

461

# "members": [

462

# "user:mike@example.com",

463

# "group:admins@example.com",

464

# "domain:google.com",

465

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

466

# ]

467

# },

468

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

469

# "role": "roles/resourcemanager.organizationViewer",

470

# "members": [

471

# "user:eve@example.com"

472

# ],

473

# "condition": {

474

# "title": "expirable access",

475

# "description": "Does not grant access after Sep 2020",

476

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

477

# }

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

478

# }

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

479

# ],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

480

# "etag": "BwWWja0YfJA=",

481

# "version": 3

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

482

# }

483

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

484

# **YAML example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

#

# bindings:

# - members:

# - user:mike@example.com

489

# - group:admins@example.com

490

# - domain:google.com

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

491

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

492

# role: roles/resourcemanager.organizationAdmin

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

493

# - members:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

494

# - user:eve@example.com

495

# role: roles/resourcemanager.organizationViewer

496

# condition:

497

# title: expirable access

498

# description: Does not grant access after Sep 2020

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

499

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

500

# - etag: BwWWja0YfJA=

501

# - version: 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

502

#

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

503

# For a description of IAM and its features, see the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

504

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

505

"version": 42, # Specifies the format of the policy.

506

#

507

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

508

# are rejected.

509

#

510

# Any operation that affects conditional role bindings must specify version

511

# `3`. This requirement applies to the following operations:

512

#

513

# * Getting a policy that includes a conditional role binding

514

# * Adding a conditional role binding to a policy

515

# * Changing a conditional role binding in a policy

516

# * Removing any role binding, with or without a condition, from a policy

517

# that includes conditions

518

#

519

# **Important:** If you use IAM Conditions, you must include the `etag` field

520

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

521

# you to overwrite a version `3` policy with a version `1` policy, and all of

522

# the conditions in the version `3` policy are lost.

523

#

524

# If a policy does not include any conditions, operations on that policy may

525

# specify any valid version or leave the field unset.

526

#

527

# To learn which resources support conditions in their IAM policies, see the

528

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

529

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

530

# prevent simultaneous updates of a policy from overwriting each other.

531

# It is strongly suggested that systems make use of the `etag` in the

532

# read-modify-write cycle to perform policy updates in order to avoid race

533

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

534

# systems are expected to put that etag in the request to `setIamPolicy` to

535

# ensure that their change will be applied to the same version of the policy.

536

#

537

# **Important:** If you use IAM Conditions, you must include the `etag` field

538

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

539

# you to overwrite a version `3` policy with a version `1` policy, and all of

540

# the conditions in the version `3` policy are lost.

541

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

542

# `condition` that determines how and when the `bindings` are applied. Each

543

# of the `bindings` must contain at least one member.

544

{ # Associates `members` with a `role`.

545

"role": "A String", # Role that is assigned to `members`.

546

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

547

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

548

#

549

# If the condition evaluates to `true`, then this binding applies to the

550

# current request.

551

#

552

# If the condition evaluates to `false`, then this binding does not apply to

553

# the current request. However, a different role binding might grant the same

554

# role to one or more of the members in this binding.

555

#

556

# To learn which resources support conditions in their IAM policies, see the

557

# [IAM

558

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

559

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

560

# are documented at https://github.com/google/cel-spec.

561

#

562

# Example (Comparison):

563

#

564

# title: "Summary size limit"

565

# description: "Determines if a summary is less than 100 chars"

566

# expression: "document.summary.size() < 100"

567

#

568

# Example (Equality):

569

#

570

# title: "Requestor is owner"

571

# description: "Determines if requestor is the document owner"

572

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

577

# description: "Determine whether the document should be publicly visible"

578

# expression: "document.type != 'private' && document.type != 'internal'"

579

#

580

# Example (Data Manipulation):

581

#

582

# title: "Notification string"

583

# description: "Create a notification string with a timestamp."

584

# expression: "'New message received at ' + string(document.create_time)"

585

#

586

# The exact variables and functions that may be referenced within an expression

587

# are determined by the service that evaluates it. See the service

588

# documentation for additional information.

589

"expression": "A String", # Textual representation of an expression in Common Expression Language

590

# syntax.

591

"location": "A String", # Optional. String indicating the location of the expression for error

592

# reporting, e.g. a file name and a position in the file.

593

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

594

# its purpose. This can be used e.g. in UIs which allow to enter the

595

# expression.

596

"description": "A String", # Optional. Description of the expression. This is a longer text which

597

# describes the expression, e.g. when hovered over it in a UI.

598

},

599

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

600

# `members` can have the following values:

601

#

602

# * `allUsers`: A special identifier that represents anyone who is

603

# on the internet; with or without a Google account.

604

#

605

# * `allAuthenticatedUsers`: A special identifier that represents anyone

606

# who is authenticated with a Google account or a service account.

607

#

608

# * `user:{emailid}`: An email address that represents a specific Google

609

# account. For example, `alice@example.com` .

610

#

611

#

612

# * `serviceAccount:{emailid}`: An email address that represents a service

613

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

614

#

615

# * `group:{emailid}`: An email address that represents a Google group.

616

# For example, `admins@example.com`.

617

#

618

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

619

# identifier) representing a user that has been recently deleted. For

620

# example, `alice@example.com?uid=123456789012345678901`. If the user is

621

# recovered, this value reverts to `user:{emailid}` and the recovered user

622

# retains the role in the binding.

623

#

624

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

625

# unique identifier) representing a service account that has been recently

626

# deleted. For example,

627

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

628

# If the service account is undeleted, this value reverts to

629

# `serviceAccount:{emailid}` and the undeleted service account retains the

630

# role in the binding.

631

#

632

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

633

# identifier) representing a Google group that has been recently

634

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

635

# the group is recovered, this value reverts to `group:{emailid}` and the

636

# recovered group retains the role in the binding.

637

#

638

#

639

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

640

# users of that domain. For example, `google.com` or `example.com`.

#

"A String",

],

},

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

646

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

647

{ # Specifies the audit configuration for a service.

648

# The configuration determines which permission types are logged, and what

649

# identities, if any, are exempted from logging.

650

# An AuditConfig must have one or more AuditLogConfigs.

651

#

652

# If there are AuditConfigs for both `allServices` and a specific service,

653

# the union of the two AuditConfigs is used for that service: the log_types

654

# specified in each AuditConfig are enabled, and the exempted_members in each

655

# AuditLogConfig are exempted.

656

#

657

# Example Policy with multiple AuditConfigs:

#

# {

# "audit_configs": [

# {

# "service": "allServices"

663

# "audit_log_configs": [

664

# {

665

# "log_type": "DATA_READ",

666

# "exempted_members": [

667

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

672

# },

673

# {

674

# "log_type": "ADMIN_READ",

# }

# ]

# },

# {

# "service": "sampleservice.googleapis.com"

680

# "audit_log_configs": [

681

# {

682

# "log_type": "DATA_READ",

683

# },

684

# {

685

# "log_type": "DATA_WRITE",

686

# "exempted_members": [

687

# "user:aliya@example.com"

# ]

# }

# ]

# }

# ]

# }

#

# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ

696

# logging. It also exempts jose@example.com from DATA_READ logging, and

697

# aliya@example.com from DATA_WRITE logging.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

698

"service": "A String", # Specifies a service that will be enabled for audit logging.

699

# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.

700

# `allServices` is a special value that covers all services.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

701

"auditLogConfigs": [ # The configuration for logging of each type of permission.

702

{ # Provides the configuration for logging a type of permissions.

# Example:

#

# {

# "audit_log_configs": [

707

# {

708

# "log_type": "DATA_READ",

709

# "exempted_members": [

710

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

# }

# ]

# }

#

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting

720

# jose@example.com from DATA_READ logging.

721

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of

722

# permission.

723

# Follows the same format of Binding.members.

724

"A String",

725

],

726

"logType": "A String", # The log type that this config enables.

727

},

728

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

729

},

730

],

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

731

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

732

"updateMask": "A String", # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only

733

# the fields in the mask will be modified. If no mask is provided, the

734

# following default mask is used:

735

#

736

# `paths: "bindings, etag"`

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

737

}

738

739

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

746

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

747

{ # An Identity and Access Management (IAM) policy, which specifies access

748

# controls for Google Cloud resources.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

749

#

750

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

751

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

752

# `members` to a single `role`. Members can be user accounts, service accounts,

753

# Google groups, and domains (such as G Suite). A `role` is a named list of

754

# permissions; each `role` can be an IAM predefined role or a user-created

755

# custom role.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

756

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

757

# For some types of Google Cloud resources, a `binding` can also specify a

758

# `condition`, which is a logical expression that allows access to a resource

759

# only if the expression evaluates to `true`. A condition can add constraints

760

# based on attributes of the request, the resource, or both. To learn which

761

# resources support conditions in their IAM policies, see the

762

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

763

#

764

# **JSON example:**

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

765

#

766

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

767

# "bindings": [

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

768

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

769

# "role": "roles/resourcemanager.organizationAdmin",

770

# "members": [

771

# "user:mike@example.com",

772

# "group:admins@example.com",

773

# "domain:google.com",

774

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

775

# ]

776

# },

777

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

778

# "role": "roles/resourcemanager.organizationViewer",

779

# "members": [

780

# "user:eve@example.com"

781

# ],

782

# "condition": {

783

# "title": "expirable access",

784

# "description": "Does not grant access after Sep 2020",

785

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

786

# }

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

787

# }

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

788

# ],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

789

# "etag": "BwWWja0YfJA=",

790

# "version": 3

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

791

# }

792

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

793

# **YAML example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

#

# bindings:

# - members:

# - user:mike@example.com

798

# - group:admins@example.com

799

# - domain:google.com

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

800

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

801

# role: roles/resourcemanager.organizationAdmin

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

802

# - members:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

803

# - user:eve@example.com

804

# role: roles/resourcemanager.organizationViewer

805

# condition:

806

# title: expirable access

807

# description: Does not grant access after Sep 2020

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

808

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

809

# - etag: BwWWja0YfJA=

810

# - version: 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

811

#

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

812

# For a description of IAM and its features, see the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

813

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

814

"version": 42, # Specifies the format of the policy.

815

#

816

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

817

# are rejected.

818

#

819

# Any operation that affects conditional role bindings must specify version

820

# `3`. This requirement applies to the following operations:

821

#

822

# * Getting a policy that includes a conditional role binding

823

# * Adding a conditional role binding to a policy

824

# * Changing a conditional role binding in a policy

825

# * Removing any role binding, with or without a condition, from a policy

826

# that includes conditions

827

#

828

# **Important:** If you use IAM Conditions, you must include the `etag` field

829

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

830

# you to overwrite a version `3` policy with a version `1` policy, and all of

831

# the conditions in the version `3` policy are lost.

832

#

833

# If a policy does not include any conditions, operations on that policy may

834

# specify any valid version or leave the field unset.

835

#

836

# To learn which resources support conditions in their IAM policies, see the

837

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

838

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

839

# prevent simultaneous updates of a policy from overwriting each other.

840

# It is strongly suggested that systems make use of the `etag` in the

841

# read-modify-write cycle to perform policy updates in order to avoid race

842

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

843

# systems are expected to put that etag in the request to `setIamPolicy` to

844

# ensure that their change will be applied to the same version of the policy.

845

#

846

# **Important:** If you use IAM Conditions, you must include the `etag` field

847

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

848

# you to overwrite a version `3` policy with a version `1` policy, and all of

849

# the conditions in the version `3` policy are lost.

850

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

851

# `condition` that determines how and when the `bindings` are applied. Each

852

# of the `bindings` must contain at least one member.

853

{ # Associates `members` with a `role`.

854

"role": "A String", # Role that is assigned to `members`.

855

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

856

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

857

#

858

# If the condition evaluates to `true`, then this binding applies to the

859

# current request.

860

#

861

# If the condition evaluates to `false`, then this binding does not apply to

862

# the current request. However, a different role binding might grant the same

863

# role to one or more of the members in this binding.

864

#

865

# To learn which resources support conditions in their IAM policies, see the

866

# [IAM

867

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

868

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

869

# are documented at https://github.com/google/cel-spec.

870

#

871

# Example (Comparison):

872

#

873

# title: "Summary size limit"

874

# description: "Determines if a summary is less than 100 chars"

875

# expression: "document.summary.size() < 100"

876

#

877

# Example (Equality):

878

#

879

# title: "Requestor is owner"

880

# description: "Determines if requestor is the document owner"

881

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

886

# description: "Determine whether the document should be publicly visible"

887

# expression: "document.type != 'private' && document.type != 'internal'"

888

#

889

# Example (Data Manipulation):

890

#

891

# title: "Notification string"

892

# description: "Create a notification string with a timestamp."

893

# expression: "'New message received at ' + string(document.create_time)"

894

#

895

# The exact variables and functions that may be referenced within an expression

896

# are determined by the service that evaluates it. See the service

897

# documentation for additional information.

898

"expression": "A String", # Textual representation of an expression in Common Expression Language

899

# syntax.

900

"location": "A String", # Optional. String indicating the location of the expression for error

901

# reporting, e.g. a file name and a position in the file.

902

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

903

# its purpose. This can be used e.g. in UIs which allow to enter the

904

# expression.

905

"description": "A String", # Optional. Description of the expression. This is a longer text which

906

# describes the expression, e.g. when hovered over it in a UI.

907

},

908

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

909

# `members` can have the following values:

910

#

911

# * `allUsers`: A special identifier that represents anyone who is

912

# on the internet; with or without a Google account.

913

#

914

# * `allAuthenticatedUsers`: A special identifier that represents anyone

915

# who is authenticated with a Google account or a service account.

916

#

917

# * `user:{emailid}`: An email address that represents a specific Google

918

# account. For example, `alice@example.com` .

919

#

920

#

921

# * `serviceAccount:{emailid}`: An email address that represents a service

922

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

923

#

924

# * `group:{emailid}`: An email address that represents a Google group.

925

# For example, `admins@example.com`.

926

#

927

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

928

# identifier) representing a user that has been recently deleted. For

929

# example, `alice@example.com?uid=123456789012345678901`. If the user is

930

# recovered, this value reverts to `user:{emailid}` and the recovered user

931

# retains the role in the binding.

932

#

933

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

934

# unique identifier) representing a service account that has been recently

935

# deleted. For example,

936

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

937

# If the service account is undeleted, this value reverts to

938

# `serviceAccount:{emailid}` and the undeleted service account retains the

939

# role in the binding.

940

#

941

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

942

# identifier) representing a Google group that has been recently

943

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

944

# the group is recovered, this value reverts to `group:{emailid}` and the

945

# recovered group retains the role in the binding.

946

#

947

#

948

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

949

# users of that domain. For example, `google.com` or `example.com`.

#

"A String",

],

},

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

955

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

956

{ # Specifies the audit configuration for a service.

957

# The configuration determines which permission types are logged, and what

958

# identities, if any, are exempted from logging.

959

# An AuditConfig must have one or more AuditLogConfigs.

960

#

961

# If there are AuditConfigs for both `allServices` and a specific service,

962

# the union of the two AuditConfigs is used for that service: the log_types

963

# specified in each AuditConfig are enabled, and the exempted_members in each

964

# AuditLogConfig are exempted.

965

#

966

# Example Policy with multiple AuditConfigs:

#

# {

# "audit_configs": [

# {

# "service": "allServices"

972

# "audit_log_configs": [

973

# {

974

# "log_type": "DATA_READ",

975

# "exempted_members": [

976

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

981

# },

982

# {

983

# "log_type": "ADMIN_READ",

# }

# ]

# },

# {

# "service": "sampleservice.googleapis.com"

989

# "audit_log_configs": [

990

# {

991

# "log_type": "DATA_READ",

992

# },

993

# {

994

# "log_type": "DATA_WRITE",

995

# "exempted_members": [

996

# "user:aliya@example.com"

# ]

# }

# ]

# }

# ]

# }

#

# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ

1005

# logging. It also exempts jose@example.com from DATA_READ logging, and

1006

# aliya@example.com from DATA_WRITE logging.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1007

"service": "A String", # Specifies a service that will be enabled for audit logging.

1008

# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.

1009

# `allServices` is a special value that covers all services.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1010

"auditLogConfigs": [ # The configuration for logging of each type of permission.

1011

{ # Provides the configuration for logging a type of permissions.

# Example:

#

# {

# "audit_log_configs": [

1016

# {

1017

# "log_type": "DATA_READ",

1018

# "exempted_members": [

1019

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

# }

# ]

# }

#

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting

1029

# jose@example.com from DATA_READ logging.

1030

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of

1031

# permission.

1032

# Follows the same format of Binding.members.

1033

"A String",

1034

],

1035

"logType": "A String", # The log type that this config enables.

1036

},

1037

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1038

},

1039

],

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

}</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1044

<code class="details" id="testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</code>

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

1045

<pre>Returns permissions that a caller has on the specified resource.

1046

If the resource does not exist, this will return an empty set of

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1047

permissions, not a `NOT_FOUND` error.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

1048

1049

Note: This operation is designed to be used for building permission-aware

1050

UIs and command-line tools, not for authorization checking. This operation

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1051

may "fail open" without warning.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

1052

1053

Args:

1054

resource: string, REQUIRED: The resource for which the policy detail is being requested.

1055

See the operation documentation for the appropriate value for this field. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1056

body: object, The request body.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

1057

The object takes the form of:

1058

1059

{ # Request message for `TestIamPermissions` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1060

"permissions": [ # The set of permissions to check for the `resource`. Permissions with

1061

# wildcards (such as '*' or 'storage.*') are not allowed. For more

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

1062

# information see

1063

# [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1064

"A String",

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

],

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1075

1076

{ # Response message for `TestIamPermissions` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1077

"permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

1078

# allowed.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1079

"A String",

Sai Cheemalapati