Blame - docs/dyn/compute_alpha.licenseCodes.html - platform/external/python/google-api-python-client

2019-06-14 16:50:42 -0700

[diff] [blame]

83

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

84

<code><a href="#getIamPolicy">getIamPolicy(project, resource, optionsRequestedPolicyVersion=None)</a></code></p>

85

<p class="firstline">Gets the access control policy for a resource. May be empty if no such policy or resource exists. Caution This resource is intended for use only by third-party partners who are creating Cloud Marketplace images.</p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

86

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

87

<code><a href="#setIamPolicy">setIamPolicy(project, resource, body=None)</a></code></p>

88

<p class="firstline">Sets the access control policy on the specified resource. Replaces any existing policy. Caution This resource is intended for use only by third-party partners who are creating Cloud Marketplace images.</p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

89

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

90

<code><a href="#testIamPermissions">testIamPermissions(project, resource, body=None)</a></code></p>

91

<p class="firstline">Returns permissions that a caller has on the specified resource. Caution This resource is intended for use only by third-party partners who are creating Cloud Marketplace images.</p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

92

<h3>Method Details</h3>

93

Dmitry Frenkel

3e17f89

2020-10-06 16:46:05 -0700

[diff] [blame]

94

<code class="details" id="close">close()</code>

95

<pre>Close httplib2 connections.</pre>

</div>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

99

<code class="details" id="get">get(project, licenseCode)</code>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

100

<pre>Return a specified license code. License codes are mirrored across all projects that have permissions to read the License Code. Caution This resource is intended for use only by third-party partners who are creating Cloud Marketplace images.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

101

102

Args:

103

project: string, Project ID for this request. (required)

104

licenseCode: string, Number corresponding to the License code resource to return. (required)

105

106

Returns:

107

An object of the form:

108

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

109

{ # Represents a License Code resource.

110

#

111

# A License Code is a unique identifier used to represent a license resource. Caution This resource is intended for use only by third-party partners who are creating Cloud Marketplace images. (== resource_for {$api_version}.licenseCodes ==)

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

112

"creationTimestamp": "A String", # [Output Only] Creation timestamp in RFC3339 text format.

113

"description": "A String", # [Output Only] Description of this License Code.

114

"id": "A String", # [Output Only] The unique identifier for the resource. This identifier is defined by the server.

115

"kind": "compute#licenseCode", # [Output Only] Type of resource. Always compute#licenseCode for licenses.

116

"licenseAlias": [ # [Output Only] URL and description aliases of Licenses with the same License Code.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

117

{

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

118

"description": "A String", # [Output Only] Description of this License Code.

119

"selfLink": "A String", # [Output Only] URL of license corresponding to this License Code.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

120

},

121

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

122

"name": "A String", # [Output Only] Name of the resource. The name is 1-20 characters long and must be a valid 64 bit integer.

123

"selfLink": "A String", # [Output Only] Server-defined URL for the resource.

124

"state": "A String", # [Output Only] Current state of this License Code.

125

"transferable": True or False, # [Output Only] If true, the license will remain attached when creating images or snapshots from disks. Otherwise, the license is not transferred.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

130

<code class="details" id="getIamPolicy">getIamPolicy(project, resource, optionsRequestedPolicyVersion=None)</code>

131

<pre>Gets the access control policy for a resource. May be empty if no such policy or resource exists. Caution This resource is intended for use only by third-party partners who are creating Cloud Marketplace images.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

132

133

Args:

134

project: string, Project ID for this request. (required)

135

resource: string, Name or id of the resource for this request. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

136

optionsRequestedPolicyVersion: integer, Requested IAM Policy version.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

137

138

Returns:

139

An object of the form:

140

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

141

{ # An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

142

#

143

#

144

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

145

# A `Policy` is a collection of `bindings`. A `binding` binds one or more `members` to a single `role`. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A `role` is a named list of permissions; each `role` can be an IAM predefined role or a user-created custom role.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

146

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

147

# For some types of Google Cloud resources, a `binding` can also specify a `condition`, which is a logical expression that allows access to a resource only if the expression evaluates to `true`. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

148

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

149

# **JSON example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

150

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

151

# { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 }

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

152

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

153

# **YAML example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

154

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

155

# bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') - etag: BwWWja0YfJA= - version: 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

156

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

157

# For a description of IAM and its features, see the [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

158

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

159

{ # Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.

160

#

161

# If there are AuditConfigs for both `allServices` and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted.

162

#

163

# Example Policy with multiple AuditConfigs:

164

#

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

165

# { "audit_configs": [ { "service": "allServices", "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] }, { "log_type": "DATA_WRITE" }, { "log_type": "ADMIN_READ" } ] }, { "service": "sampleservice.googleapis.com", "audit_log_configs": [ { "log_type": "DATA_READ" }, { "log_type": "DATA_WRITE", "exempted_members": [ "user:aliya@example.com" ] } ] } ] }

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

166

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

167

# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts jose@example.com from DATA_READ logging, and aliya@example.com from DATA_WRITE logging.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

168

"auditLogConfigs": [ # The configuration for logging of each type of permission.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

169

{ # Provides the configuration for logging a type of permissions. Example:

170

#

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

171

# { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] }, { "log_type": "DATA_WRITE" } ] }

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

172

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

173

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from DATA_READ logging.

174

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of permission. Follows the same format of [Binding.members][].

175

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

176

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

177

"ignoreChildExemptions": True or False,

178

"logType": "A String", # The log type that this config enables.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

179

},

180

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

"exemptedMembers": [

"A String",

],

"service": "A String", # Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

185

},

186

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

187

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a `condition` that determines how and when the `bindings` are applied. Each of the `bindings` must contain at least one member.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

188

{ # Associates `members` with a `role`.

Yoshi Automation Bot

2020-11-25 07:50:41 -0800

[diff] [blame]

189

"bindingId": "A String",

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

190

"condition": { # Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. # The condition that is associated with this binding.

191

#

192

# If the condition evaluates to `true`, then this binding applies to the current request.

193

#

194

# If the condition evaluates to `false`, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the members in this binding.

195

#

196

# To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

197

#

198

# Example (Comparison):

199

#

200

# title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100"

201

#

202

# Example (Equality):

203

#

204

# title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'"

209

#

210

# Example (Data Manipulation):

211

#

212

# title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)"

213

#

214

# The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.

215

"description": "A String", # Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

216

"expression": "A String", # Textual representation of an expression in Common Expression Language syntax.

217

"location": "A String", # Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

218

"title": "A String", # Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

219

},

220

"members": [ # Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values:

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

221

#

222

# * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account.

223

#

224

# * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account.

225

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

226

# * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@example.com` .

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

#

#

#

# * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`.

231

#

232

# * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`.

233

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

234

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid}` and the recovered user retains the role in the binding.

235

#

236

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid}` and the undeleted service account retains the role in the binding.

237

#

238

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid}` and the recovered group retains the role in the binding.

239

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

240

#

241

#

242

# * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

243

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

244

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

245

"role": "A String", # Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

246

},

247

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

248

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the `etag` in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An `etag` is returned in the response to `getIamPolicy`, and systems are expected to put that etag in the request to `setIamPolicy` to ensure that their change will be applied to the same version of the policy.

249

#

250

# **Important:** If you use IAM Conditions, you must include the `etag` field whenever you call `setIamPolicy`. If you omit this field, then IAM allows you to overwrite a version `3` policy with a version `1` policy, and all of the conditions in the version `3` policy are lost.

251

"iamOwned": True or False,

252

"rules": [ # If more than one rule is specified, the rules are applied in the following manner: - All matching LOG rules are always applied. - If any DENY/DENY_WITH_LOG rule matches, permission is denied. Logging will be applied if one or more matching rule requires logging. - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is granted. Logging will be applied if one or more matching rule requires logging. - Otherwise, if no rule applies, permission is denied.

253

{ # A rule to be applied in a Policy.

254

"action": "A String", # Required

255

"conditions": [ # Additional restrictions that must be met. All conditions must pass for the rule to match.

256

{ # A condition to be met.

257

"iam": "A String", # Trusted attributes supplied by the IAM system.

258

"op": "A String", # An operator to apply the subject with.

259

"svc": "A String", # Trusted attributes discharged by the service.

260

"sys": "A String", # Trusted attributes supplied by any service that owns resources and uses the IAM system for access control.

261

"values": [ # The objects of the condition.

"A String",

],

},

],

"description": "A String", # Human-readable description of the rule.

267

"ins": [ # If one or more 'in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.

268

"A String",

269

],

270

"logConfigs": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries that match the LOG action.

271

{ # Specifies what kind of log the caller must write

272

"cloudAudit": { # Write a Cloud Audit log # Cloud audit options.

273

"authorizationLoggingOptions": { # Authorization-related information used by Cloud Audit Logging. # Information used by the Cloud Audit Logging pipeline.

274

"permissionType": "A String", # The type of the permission that was checked.

275

},

276

"logName": "A String", # The log_name to populate in the Cloud Audit Record.

277

},

278

"counter": { # Increment a streamz counter with the specified metric and field names. # Counter options.

279

#

280

# Metric names should start with a '/', generally be lowercase-only, and end in "_count". Field names should not contain an initial slash. The actual exported metric names will have "/iam/policy" prepended.

281

#

282

# Field names correspond to IAM request parameters and field values are their respective values.

283

#

284

# Supported field names: - "authority", which is "[token]" if IAMContext.token is present, otherwise the value of IAMContext.authority_selector if present, and otherwise a representation of IAMContext.principal; or - "iam_principal", a representation of IAMContext.principal even if a token or authority selector is present; or - "" (empty string), resulting in a counter with no fields.

285

#

286

# Examples: counter { metric: "/debug_access_count" field: "iam_principal" } ==> increment counter /iam/policy/debug_access_count {iam_principal=[value of IAMContext.principal]}

287

"customFields": [ # Custom fields.

288

{ # Custom fields. These can be used to create a counter with arbitrary field/value pairs. See: go/rpcsp-custom-fields.

289

"name": "A String", # Name is the field name.

290

"value": "A String", # Value is the field value. It is important that in contrast to the CounterOptions.field, the value here is a constant that is not derived from the IAMContext.

291

},

292

],

293

"field": "A String", # The field value to attribute.

294

"metric": "A String", # The metric to update.

295

},

296

"dataAccess": { # Write a Data Access (Gin) log # Data access options.

297

"logMode": "A String",

},

},

],

"notIns": [ # If one or more 'not_in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.

302

"A String",

303

],

304

"permissions": [ # A permission is a string of form '..' (e.g., 'storage.buckets.list'). A value of '*' matches all permissions, and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.

"A String",

],

},

],

"version": 42, # Specifies the format of the policy.

310

#

311

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value are rejected.

312

#

313

# Any operation that affects conditional role bindings must specify version `3`. This requirement applies to the following operations:

314

#

315

# * Getting a policy that includes a conditional role binding * Adding a conditional role binding to a policy * Changing a conditional role binding in a policy * Removing any role binding, with or without a condition, from a policy that includes conditions

316

#

317

# **Important:** If you use IAM Conditions, you must include the `etag` field whenever you call `setIamPolicy`. If you omit this field, then IAM allows you to overwrite a version `3` policy with a version `1` policy, and all of the conditions in the version `3` policy are lost.

318

#

319

# If a policy does not include any conditions, operations on that policy may specify any valid version or leave the field unset.

320

#

321

# To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

326

<code class="details" id="setIamPolicy">setIamPolicy(project, resource, body=None)</code>

327

<pre>Sets the access control policy on the specified resource. Replaces any existing policy. Caution This resource is intended for use only by third-party partners who are creating Cloud Marketplace images.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

328

329

Args:

330

project: string, Project ID for this request. (required)

331

resource: string, Name or id of the resource for this request. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

332

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

333

The object takes the form of:

334

335

{

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

336

"bindings": [ # Flatten Policy to create a backward compatible wire-format. Deprecated. Use 'policy' to specify bindings.

337

{ # Associates `members` with a `role`.

Yoshi Automation Bot

2020-11-25 07:50:41 -0800

[diff] [blame]

338

"bindingId": "A String",

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

339

"condition": { # Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. # The condition that is associated with this binding.

340

#

341

# If the condition evaluates to `true`, then this binding applies to the current request.

342

#

343

# If the condition evaluates to `false`, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the members in this binding.

344

#

345

# To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

346

#

347

# Example (Comparison):

348

#

349

# title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100"

350

#

351

# Example (Equality):

352

#

353

# title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'"

358

#

359

# Example (Data Manipulation):

360

#

361

# title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)"

362

#

363

# The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.

364

"description": "A String", # Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

365

"expression": "A String", # Textual representation of an expression in Common Expression Language syntax.

366

"location": "A String", # Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

367

"title": "A String", # Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

368

},

369

"members": [ # Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values:

370

#

371

# * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account.

372

#

373

# * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account.

374

#

375

# * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@example.com` .

#

#

#

# * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`.

380

#

381

# * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`.

382

#

383

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid}` and the recovered user retains the role in the binding.

384

#

385

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid}` and the undeleted service account retains the role in the binding.

386

#

387

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid}` and the recovered group retains the role in the binding.

#

#

#

# * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`.

392

"A String",

393

],

394

"role": "A String", # Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

395

},

396

],

397

"etag": "A String", # Flatten Policy to create a backward compatible wire-format. Deprecated. Use 'policy' to specify the etag.

398

"policy": { # An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. # REQUIRED: The complete policy to be applied to the 'resource'. The size of the policy is limited to a few 10s of KB. An empty policy is in general a valid policy but certain services (like Projects) might reject them.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

399

#

400

#

401

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

402

# A `Policy` is a collection of `bindings`. A `binding` binds one or more `members` to a single `role`. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A `role` is a named list of permissions; each `role` can be an IAM predefined role or a user-created custom role.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

403

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

404

# For some types of Google Cloud resources, a `binding` can also specify a `condition`, which is a logical expression that allows access to a resource only if the expression evaluates to `true`. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

405

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

406

# **JSON example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

407

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

408

# { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 }

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

409

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

410

# **YAML example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

411

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

412

# bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') - etag: BwWWja0YfJA= - version: 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

413

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

414

# For a description of IAM and its features, see the [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

415

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

416

{ # Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.

417

#

418

# If there are AuditConfigs for both `allServices` and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted.

419

#

420

# Example Policy with multiple AuditConfigs:

421

#

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

422

# { "audit_configs": [ { "service": "allServices", "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] }, { "log_type": "DATA_WRITE" }, { "log_type": "ADMIN_READ" } ] }, { "service": "sampleservice.googleapis.com", "audit_log_configs": [ { "log_type": "DATA_READ" }, { "log_type": "DATA_WRITE", "exempted_members": [ "user:aliya@example.com" ] } ] } ] }

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

423

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

424

# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts jose@example.com from DATA_READ logging, and aliya@example.com from DATA_WRITE logging.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

425

"auditLogConfigs": [ # The configuration for logging of each type of permission.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

426

{ # Provides the configuration for logging a type of permissions. Example:

427

#

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

428

# { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] }, { "log_type": "DATA_WRITE" } ] }

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

429

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

430

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from DATA_READ logging.

431

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of permission. Follows the same format of [Binding.members][].

432

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

433

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

434

"ignoreChildExemptions": True or False,

435

"logType": "A String", # The log type that this config enables.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

436

},

437

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

"exemptedMembers": [

"A String",

],

"service": "A String", # Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

442

},

443

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

444

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a `condition` that determines how and when the `bindings` are applied. Each of the `bindings` must contain at least one member.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

445

{ # Associates `members` with a `role`.

Yoshi Automation Bot

2020-11-25 07:50:41 -0800

[diff] [blame]

446

"bindingId": "A String",

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

447

"condition": { # Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. # The condition that is associated with this binding.

448

#

449

# If the condition evaluates to `true`, then this binding applies to the current request.

450

#

451

# If the condition evaluates to `false`, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the members in this binding.

452

#

453

# To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

454

#

455

# Example (Comparison):

456

#

457

# title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100"

458

#

459

# Example (Equality):

460

#

461

# title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'"

466

#

467

# Example (Data Manipulation):

468

#

469

# title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)"

470

#

471

# The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.

472

"description": "A String", # Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

473

"expression": "A String", # Textual representation of an expression in Common Expression Language syntax.

474

"location": "A String", # Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

475

"title": "A String", # Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

476

},

477

"members": [ # Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values:

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

478

#

479

# * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account.

480

#

481

# * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account.

482

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

483

# * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@example.com` .

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

#

#

#

# * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`.

488

#

489

# * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`.

490

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

491

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid}` and the recovered user retains the role in the binding.

492

#

493

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid}` and the undeleted service account retains the role in the binding.

494

#

495

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid}` and the recovered group retains the role in the binding.

496

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

497

#

498

#

499

# * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

500

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

501

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

502

"role": "A String", # Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

503

},

504

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

505

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the `etag` in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An `etag` is returned in the response to `getIamPolicy`, and systems are expected to put that etag in the request to `setIamPolicy` to ensure that their change will be applied to the same version of the policy.

506

#

507

# **Important:** If you use IAM Conditions, you must include the `etag` field whenever you call `setIamPolicy`. If you omit this field, then IAM allows you to overwrite a version `3` policy with a version `1` policy, and all of the conditions in the version `3` policy are lost.

508

"iamOwned": True or False,

509

"rules": [ # If more than one rule is specified, the rules are applied in the following manner: - All matching LOG rules are always applied. - If any DENY/DENY_WITH_LOG rule matches, permission is denied. Logging will be applied if one or more matching rule requires logging. - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is granted. Logging will be applied if one or more matching rule requires logging. - Otherwise, if no rule applies, permission is denied.

510

{ # A rule to be applied in a Policy.

511

"action": "A String", # Required

512

"conditions": [ # Additional restrictions that must be met. All conditions must pass for the rule to match.

513

{ # A condition to be met.

514

"iam": "A String", # Trusted attributes supplied by the IAM system.

515

"op": "A String", # An operator to apply the subject with.

516

"svc": "A String", # Trusted attributes discharged by the service.

517

"sys": "A String", # Trusted attributes supplied by any service that owns resources and uses the IAM system for access control.

518

"values": [ # The objects of the condition.

"A String",

],

},

],

"description": "A String", # Human-readable description of the rule.

524

"ins": [ # If one or more 'in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.

525

"A String",

526

],

527

"logConfigs": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries that match the LOG action.

528

{ # Specifies what kind of log the caller must write

529

"cloudAudit": { # Write a Cloud Audit log # Cloud audit options.

530

"authorizationLoggingOptions": { # Authorization-related information used by Cloud Audit Logging. # Information used by the Cloud Audit Logging pipeline.

531

"permissionType": "A String", # The type of the permission that was checked.

532

},

533

"logName": "A String", # The log_name to populate in the Cloud Audit Record.

534

},

535

"counter": { # Increment a streamz counter with the specified metric and field names. # Counter options.

536

#

537

# Metric names should start with a '/', generally be lowercase-only, and end in "_count". Field names should not contain an initial slash. The actual exported metric names will have "/iam/policy" prepended.

538

#

539

# Field names correspond to IAM request parameters and field values are their respective values.

540

#

541

# Supported field names: - "authority", which is "[token]" if IAMContext.token is present, otherwise the value of IAMContext.authority_selector if present, and otherwise a representation of IAMContext.principal; or - "iam_principal", a representation of IAMContext.principal even if a token or authority selector is present; or - "" (empty string), resulting in a counter with no fields.

542

#

543

# Examples: counter { metric: "/debug_access_count" field: "iam_principal" } ==> increment counter /iam/policy/debug_access_count {iam_principal=[value of IAMContext.principal]}

544

"customFields": [ # Custom fields.

545

{ # Custom fields. These can be used to create a counter with arbitrary field/value pairs. See: go/rpcsp-custom-fields.

546

"name": "A String", # Name is the field name.

547

"value": "A String", # Value is the field value. It is important that in contrast to the CounterOptions.field, the value here is a constant that is not derived from the IAMContext.

548

},

549

],

550

"field": "A String", # The field value to attribute.

551

"metric": "A String", # The metric to update.

552

},

553

"dataAccess": { # Write a Data Access (Gin) log # Data access options.

554

"logMode": "A String",

},

},

],

"notIns": [ # If one or more 'not_in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.

559

"A String",

560

],

561

"permissions": [ # A permission is a string of form '..' (e.g., 'storage.buckets.list'). A value of '*' matches all permissions, and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.

562

"A String",

563

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

564

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

565

],

566

"version": 42, # Specifies the format of the policy.

567

#

568

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value are rejected.

569

#

570

# Any operation that affects conditional role bindings must specify version `3`. This requirement applies to the following operations:

571

#

572

# * Getting a policy that includes a conditional role binding * Adding a conditional role binding to a policy * Changing a conditional role binding in a policy * Removing any role binding, with or without a condition, from a policy that includes conditions

573

#

574

# **Important:** If you use IAM Conditions, you must include the `etag` field whenever you call `setIamPolicy`. If you omit this field, then IAM allows you to overwrite a version `3` policy with a version `1` policy, and all of the conditions in the version `3` policy are lost.

575

#

576

# If a policy does not include any conditions, operations on that policy may specify any valid version or leave the field unset.

577

#

578

# To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

579

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}

Returns:

An object of the form:

585

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

586

{ # An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

587

#

588

#

589

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

590

# A `Policy` is a collection of `bindings`. A `binding` binds one or more `members` to a single `role`. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A `role` is a named list of permissions; each `role` can be an IAM predefined role or a user-created custom role.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

591

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

592

# For some types of Google Cloud resources, a `binding` can also specify a `condition`, which is a logical expression that allows access to a resource only if the expression evaluates to `true`. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

593

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

594

# **JSON example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

595

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

596

# { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 }

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

597

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

598

# **YAML example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

599

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

600

# bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') - etag: BwWWja0YfJA= - version: 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

601

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

602

# For a description of IAM and its features, see the [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

603

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

604

{ # Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.

605

#

606

# If there are AuditConfigs for both `allServices` and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted.

607

#

608

# Example Policy with multiple AuditConfigs:

609

#

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

610

# { "audit_configs": [ { "service": "allServices", "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] }, { "log_type": "DATA_WRITE" }, { "log_type": "ADMIN_READ" } ] }, { "service": "sampleservice.googleapis.com", "audit_log_configs": [ { "log_type": "DATA_READ" }, { "log_type": "DATA_WRITE", "exempted_members": [ "user:aliya@example.com" ] } ] } ] }

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

611

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

612

# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts jose@example.com from DATA_READ logging, and aliya@example.com from DATA_WRITE logging.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

613

"auditLogConfigs": [ # The configuration for logging of each type of permission.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

614

{ # Provides the configuration for logging a type of permissions. Example:

615

#

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

616

# { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] }, { "log_type": "DATA_WRITE" } ] }

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

617

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

618

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from DATA_READ logging.

619

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of permission. Follows the same format of [Binding.members][].

620

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

621

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

622

"ignoreChildExemptions": True or False,

623

"logType": "A String", # The log type that this config enables.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

624

},

625

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

"exemptedMembers": [

"A String",

],

"service": "A String", # Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

630

},

631

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

632

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a `condition` that determines how and when the `bindings` are applied. Each of the `bindings` must contain at least one member.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

633

{ # Associates `members` with a `role`.

Yoshi Automation Bot

2020-11-25 07:50:41 -0800

[diff] [blame]

634

"bindingId": "A String",

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

635

"condition": { # Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. # The condition that is associated with this binding.

636

#

637

# If the condition evaluates to `true`, then this binding applies to the current request.

638

#

639

# If the condition evaluates to `false`, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the members in this binding.

640

#

641

# To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

642

#

643

# Example (Comparison):

644

#

645

# title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100"

646

#

647

# Example (Equality):

648

#

649

# title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'"

654

#

655

# Example (Data Manipulation):

656

#

657

# title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)"

658

#

659

# The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.

660

"description": "A String", # Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

661

"expression": "A String", # Textual representation of an expression in Common Expression Language syntax.

662

"location": "A String", # Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

663

"title": "A String", # Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

664

},

665

"members": [ # Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values:

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

666

#

667

# * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account.

668

#

669

# * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account.

670

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

671

# * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@example.com` .

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

#

#

#

# * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`.

676

#

677

# * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`.

678

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

679

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid}` and the recovered user retains the role in the binding.

680

#

681

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid}` and the undeleted service account retains the role in the binding.

682

#

683

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid}` and the recovered group retains the role in the binding.

684

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

685

#

686

#

687

# * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

688

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

689

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

690

"role": "A String", # Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

691

},

692

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

693

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the `etag` in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An `etag` is returned in the response to `getIamPolicy`, and systems are expected to put that etag in the request to `setIamPolicy` to ensure that their change will be applied to the same version of the policy.

694

#

695

# **Important:** If you use IAM Conditions, you must include the `etag` field whenever you call `setIamPolicy`. If you omit this field, then IAM allows you to overwrite a version `3` policy with a version `1` policy, and all of the conditions in the version `3` policy are lost.

696

"iamOwned": True or False,

697

"rules": [ # If more than one rule is specified, the rules are applied in the following manner: - All matching LOG rules are always applied. - If any DENY/DENY_WITH_LOG rule matches, permission is denied. Logging will be applied if one or more matching rule requires logging. - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is granted. Logging will be applied if one or more matching rule requires logging. - Otherwise, if no rule applies, permission is denied.

698

{ # A rule to be applied in a Policy.

699

"action": "A String", # Required

700

"conditions": [ # Additional restrictions that must be met. All conditions must pass for the rule to match.

701

{ # A condition to be met.

702

"iam": "A String", # Trusted attributes supplied by the IAM system.

703

"op": "A String", # An operator to apply the subject with.

704

"svc": "A String", # Trusted attributes discharged by the service.

705

"sys": "A String", # Trusted attributes supplied by any service that owns resources and uses the IAM system for access control.

706

"values": [ # The objects of the condition.

"A String",

],

},

],

"description": "A String", # Human-readable description of the rule.

712

"ins": [ # If one or more 'in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.

713

"A String",

714

],

715

"logConfigs": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries that match the LOG action.

716

{ # Specifies what kind of log the caller must write

717

"cloudAudit": { # Write a Cloud Audit log # Cloud audit options.

718

"authorizationLoggingOptions": { # Authorization-related information used by Cloud Audit Logging. # Information used by the Cloud Audit Logging pipeline.

719

"permissionType": "A String", # The type of the permission that was checked.

720

},

721

"logName": "A String", # The log_name to populate in the Cloud Audit Record.

722

},

723

"counter": { # Increment a streamz counter with the specified metric and field names. # Counter options.

724

#

725

# Metric names should start with a '/', generally be lowercase-only, and end in "_count". Field names should not contain an initial slash. The actual exported metric names will have "/iam/policy" prepended.

726

#

727

# Field names correspond to IAM request parameters and field values are their respective values.

728

#

729

# Supported field names: - "authority", which is "[token]" if IAMContext.token is present, otherwise the value of IAMContext.authority_selector if present, and otherwise a representation of IAMContext.principal; or - "iam_principal", a representation of IAMContext.principal even if a token or authority selector is present; or - "" (empty string), resulting in a counter with no fields.

730

#

731

# Examples: counter { metric: "/debug_access_count" field: "iam_principal" } ==> increment counter /iam/policy/debug_access_count {iam_principal=[value of IAMContext.principal]}

732

"customFields": [ # Custom fields.

733

{ # Custom fields. These can be used to create a counter with arbitrary field/value pairs. See: go/rpcsp-custom-fields.

734

"name": "A String", # Name is the field name.

735

"value": "A String", # Value is the field value. It is important that in contrast to the CounterOptions.field, the value here is a constant that is not derived from the IAMContext.

736

},

737

],

738

"field": "A String", # The field value to attribute.

739

"metric": "A String", # The metric to update.

740

},

741

"dataAccess": { # Write a Data Access (Gin) log # Data access options.

742

"logMode": "A String",

},

},

],

"notIns": [ # If one or more 'not_in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.

747

"A String",

748

],

749

"permissions": [ # A permission is a string of form '..' (e.g., 'storage.buckets.list'). A value of '*' matches all permissions, and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.

"A String",

],

},

],

"version": 42, # Specifies the format of the policy.

755

#

756

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value are rejected.

757

#

758

# Any operation that affects conditional role bindings must specify version `3`. This requirement applies to the following operations:

759

#

760

# * Getting a policy that includes a conditional role binding * Adding a conditional role binding to a policy * Changing a conditional role binding in a policy * Removing any role binding, with or without a condition, from a policy that includes conditions

761

#

762

# **Important:** If you use IAM Conditions, you must include the `etag` field whenever you call `setIamPolicy`. If you omit this field, then IAM allows you to overwrite a version `3` policy with a version `1` policy, and all of the conditions in the version `3` policy are lost.

763

#

764

# If a policy does not include any conditions, operations on that policy may specify any valid version or leave the field unset.

765

#

766

# To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

771

<code class="details" id="testIamPermissions">testIamPermissions(project, resource, body=None)</code>

772

<pre>Returns permissions that a caller has on the specified resource. Caution This resource is intended for use only by third-party partners who are creating Cloud Marketplace images.

Bu Sun Kim