Blame - docs/dyn/bigtableadmin_v2.projects.instances.clusters.backups.html - platform/external/python/google-api-python-client

<h1><a href="bigtableadmin_v2.html">Cloud Bigtable Admin API</a> . <a href="bigtableadmin_v2.projects.html">projects</a> . <a href="bigtableadmin_v2.projects.instances.html">instances</a> . <a href="bigtableadmin_v2.projects.instances.clusters.html">clusters</a> . <a href="bigtableadmin_v2.projects.instances.clusters.backups.html">backups</a></h1>

76

<h2>Instance Methods</h2>

77

78

<code><a href="#getIamPolicy">getIamPolicy(resource, body=None, x__xgafv=None)</a></code></p>

79

<p class="firstline">Gets the access control policy for a Table resource.</p>

80

81

<code><a href="#setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</a></code></p>

82

<p class="firstline">Sets the access control policy on a Table resource.</p>

83

84

<code><a href="#testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</a></code></p>

85

<p class="firstline">Returns permissions that the caller has on the specified table resource.</p>

86

<h3>Method Details</h3>

87

88

<code class="details" id="getIamPolicy">getIamPolicy(resource, body=None, x__xgafv=None)</code>

89

<pre>Gets the access control policy for a Table resource.

90

Returns an empty policy if the resource exists but does not have a policy

set.

Args:

resource: string, REQUIRED: The resource for which the policy is being requested.

95

See the operation documentation for the appropriate value for this field. (required)

96

body: object, The request body.

97

The object takes the form of:

98

99

{ # Request message for `GetIamPolicy` method.

100

"options": { # Encapsulates settings provided to GetIamPolicy. # OPTIONAL: A `GetPolicyOptions` object for specifying options to

101

# `GetIamPolicy`. This field is only used by Cloud IAM.

102

"requestedPolicyVersion": 42, # Optional. The policy format version to be returned.

103

#

104

# Valid values are 0, 1, and 3. Requests specifying an invalid value will be

105

# rejected.

106

#

107

# Requests for policies with any conditional bindings must specify version 3.

108

# Policies without any conditional bindings may specify any valid value or

109

# leave the field unset.

},

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

120

121

{ # An Identity and Access Management (IAM) policy, which specifies access

122

# controls for Google Cloud resources.

123

#

124

#

125

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

126

# `members` to a single `role`. Members can be user accounts, service accounts,

127

# Google groups, and domains (such as G Suite). A `role` is a named list of

128

# permissions; each `role` can be an IAM predefined role or a user-created

129

# custom role.

130

#

131

# Optionally, a `binding` can specify a `condition`, which is a logical

132

# expression that allows access to a resource only if the expression evaluates

133

# to `true`. A condition can add constraints based on attributes of the

134

# request, the resource, or both.

#

# **JSON example:**

#

# {

# "bindings": [

# {

# "role": "roles/resourcemanager.organizationAdmin",

142

# "members": [

143

# "user:mike@example.com",

144

# "group:admins@example.com",

145

# "domain:google.com",

146

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

# ]

# },

# {

# "role": "roles/resourcemanager.organizationViewer",

151

# "members": ["user:eve@example.com"],

152

# "condition": {

153

# "title": "expirable access",

154

# "description": "Does not grant access after Sep 2020",

155

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

# }

# }

# ],

# "etag": "BwWWja0YfJA=",

# "version": 3

# }

#

# **YAML example:**

#

# bindings:

# - members:

# - user:mike@example.com

168

# - group:admins@example.com

169

# - domain:google.com

170

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

171

# role: roles/resourcemanager.organizationAdmin

172

# - members:

173

# - user:eve@example.com

174

# role: roles/resourcemanager.organizationViewer

175

# condition:

176

# title: expirable access

177

# description: Does not grant access after Sep 2020

178

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

179

# - etag: BwWWja0YfJA=

180

# - version: 3

181

#

182

# For a description of IAM and its features, see the

183

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

184

"version": 42, # Specifies the format of the policy.

185

#

186

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

187

# are rejected.

188

#

189

# Any operation that affects conditional role bindings must specify version

190

# `3`. This requirement applies to the following operations:

191

#

192

# * Getting a policy that includes a conditional role binding

193

# * Adding a conditional role binding to a policy

194

# * Changing a conditional role binding in a policy

195

# * Removing any role binding, with or without a condition, from a policy

196

# that includes conditions

197

#

198

# **Important:** If you use IAM Conditions, you must include the `etag` field

199

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

200

# you to overwrite a version `3` policy with a version `1` policy, and all of

201

# the conditions in the version `3` policy are lost.

202

#

203

# If a policy does not include any conditions, operations on that policy may

204

# specify any valid version or leave the field unset.

205

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

206

{ # Specifies the audit configuration for a service.

207

# The configuration determines which permission types are logged, and what

208

# identities, if any, are exempted from logging.

209

# An AuditConfig must have one or more AuditLogConfigs.

210

#

211

# If there are AuditConfigs for both `allServices` and a specific service,

212

# the union of the two AuditConfigs is used for that service: the log_types

213

# specified in each AuditConfig are enabled, and the exempted_members in each

214

# AuditLogConfig are exempted.

215

#

216

# Example Policy with multiple AuditConfigs:

#

# {

# "audit_configs": [

# {

# "service": "allServices"

222

# "audit_log_configs": [

223

# {

224

# "log_type": "DATA_READ",

225

# "exempted_members": [

226

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

231

# },

232

# {

233

# "log_type": "ADMIN_READ",

# }

# ]

# },

# {

# "service": "sampleservice.googleapis.com"

239

# "audit_log_configs": [

240

# {

241

# "log_type": "DATA_READ",

242

# },

243

# {

244

# "log_type": "DATA_WRITE",

245

# "exempted_members": [

246

# "user:aliya@example.com"

# ]

# }

# ]

# }

# ]

# }

#

# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ

255

# logging. It also exempts jose@example.com from DATA_READ logging, and

256

# aliya@example.com from DATA_WRITE logging.

257

"service": "A String", # Specifies a service that will be enabled for audit logging.

258

# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.

259

# `allServices` is a special value that covers all services.

260

"auditLogConfigs": [ # The configuration for logging of each type of permission.

261

{ # Provides the configuration for logging a type of permissions.

# Example:

#

# {

# "audit_log_configs": [

266

# {

267

# "log_type": "DATA_READ",

268

# "exempted_members": [

269

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

# }

# ]

# }

#

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting

279

# jose@example.com from DATA_READ logging.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

280

"logType": "A String", # The log type that this config enables.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

281

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of

282

# permission.

283

# Follows the same format of Binding.members.

284

"A String",

285

],

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

],

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

291

# `condition` that determines how and when the `bindings` are applied. Each

292

# of the `bindings` must contain at least one member.

293

{ # Associates `members` with a `role`.

294

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

295

# NOTE: An unsatisfied condition will not allow user access via current

296

# binding. Different bindings, including their conditions, are examined

297

# independently.

298

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

299

# are documented at https://github.com/google/cel-spec.

300

#

301

# Example (Comparison):

302

#

303

# title: "Summary size limit"

304

# description: "Determines if a summary is less than 100 chars"

305

# expression: "document.summary.size() < 100"

306

#

307

# Example (Equality):

308

#

309

# title: "Requestor is owner"

310

# description: "Determines if requestor is the document owner"

311

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

316

# description: "Determine whether the document should be publicly visible"

317

# expression: "document.type != 'private' && document.type != 'internal'"

318

#

319

# Example (Data Manipulation):

320

#

321

# title: "Notification string"

322

# description: "Create a notification string with a timestamp."

323

# expression: "'New message received at ' + string(document.create_time)"

324

#

325

# The exact variables and functions that may be referenced within an expression

326

# are determined by the service that evaluates it. See the service

327

# documentation for additional information.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

328

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

329

# its purpose. This can be used e.g. in UIs which allow to enter the

330

# expression.

331

"location": "A String", # Optional. String indicating the location of the expression for error

332

# reporting, e.g. a file name and a position in the file.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

333

"description": "A String", # Optional. Description of the expression. This is a longer text which

334

# describes the expression, e.g. when hovered over it in a UI.

335

"expression": "A String", # Textual representation of an expression in Common Expression Language

336

# syntax.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

337

},

338

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

339

# `members` can have the following values:

340

#

341

# * `allUsers`: A special identifier that represents anyone who is

342

# on the internet; with or without a Google account.

343

#

344

# * `allAuthenticatedUsers`: A special identifier that represents anyone

345

# who is authenticated with a Google account or a service account.

346

#

347

# * `user:{emailid}`: An email address that represents a specific Google

348

# account. For example, `alice@example.com` .

349

#

350

#

351

# * `serviceAccount:{emailid}`: An email address that represents a service

352

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

353

#

354

# * `group:{emailid}`: An email address that represents a Google group.

355

# For example, `admins@example.com`.

356

#

357

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

358

# identifier) representing a user that has been recently deleted. For

359

# example, `alice@example.com?uid=123456789012345678901`. If the user is

360

# recovered, this value reverts to `user:{emailid}` and the recovered user

361

# retains the role in the binding.

362

#

363

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

364

# unique identifier) representing a service account that has been recently

365

# deleted. For example,

366

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

367

# If the service account is undeleted, this value reverts to

368

# `serviceAccount:{emailid}` and the undeleted service account retains the

369

# role in the binding.

370

#

371

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

372

# identifier) representing a Google group that has been recently

373

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

374

# the group is recovered, this value reverts to `group:{emailid}` and the

375

# recovered group retains the role in the binding.

376

#

377

#

378

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

379

# users of that domain. For example, `google.com` or `example.com`.

#

"A String",

],

"role": "A String", # Role that is assigned to `members`.

384

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

385

},

386

],

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

387

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

388

# prevent simultaneous updates of a policy from overwriting each other.

389

# It is strongly suggested that systems make use of the `etag` in the

390

# read-modify-write cycle to perform policy updates in order to avoid race

391

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

392

# systems are expected to put that etag in the request to `setIamPolicy` to

393

# ensure that their change will be applied to the same version of the policy.

394

#

395

# **Important:** If you use IAM Conditions, you must include the `etag` field

396

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

397

# you to overwrite a version `3` policy with a version `1` policy, and all of

398

# the conditions in the version `3` policy are lost.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

}</pre>

</div>

<code class="details" id="setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</code>

404

<pre>Sets the access control policy on a Table resource.

405

Replaces any existing policy.

406

407

Args:

408

resource: string, REQUIRED: The resource for which the policy is being specified.

409

See the operation documentation for the appropriate value for this field. (required)

410

body: object, The request body.

411

The object takes the form of:

412

413

{ # Request message for `SetIamPolicy` method.

414

"policy": { # An Identity and Access Management (IAM) policy, which specifies access # REQUIRED: The complete policy to be applied to the `resource`. The size of

415

# the policy is limited to a few 10s of KB. An empty policy is a

416

# valid policy but certain Cloud Platform services (such as Projects)

417

# might reject them.

418

# controls for Google Cloud resources.

419

#

420

#

421

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

422

# `members` to a single `role`. Members can be user accounts, service accounts,

423

# Google groups, and domains (such as G Suite). A `role` is a named list of

424

# permissions; each `role` can be an IAM predefined role or a user-created

425

# custom role.

426

#

427

# Optionally, a `binding` can specify a `condition`, which is a logical

428

# expression that allows access to a resource only if the expression evaluates

429

# to `true`. A condition can add constraints based on attributes of the

430

# request, the resource, or both.

#

# **JSON example:**

#

# {

# "bindings": [

# {

# "role": "roles/resourcemanager.organizationAdmin",

438

# "members": [

439

# "user:mike@example.com",

440

# "group:admins@example.com",

441

# "domain:google.com",

442

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

# ]

# },

# {

# "role": "roles/resourcemanager.organizationViewer",

447

# "members": ["user:eve@example.com"],

448

# "condition": {

449

# "title": "expirable access",

450

# "description": "Does not grant access after Sep 2020",

451

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

# }

# }

# ],

# "etag": "BwWWja0YfJA=",

# "version": 3

# }

#

# **YAML example:**

#

# bindings:

# - members:

# - user:mike@example.com

464

# - group:admins@example.com

465

# - domain:google.com

466

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

467

# role: roles/resourcemanager.organizationAdmin

468

# - members:

469

# - user:eve@example.com

470

# role: roles/resourcemanager.organizationViewer

471

# condition:

472

# title: expirable access

473

# description: Does not grant access after Sep 2020

474

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

475

# - etag: BwWWja0YfJA=

476

# - version: 3

477

#

478

# For a description of IAM and its features, see the

479

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

480

"version": 42, # Specifies the format of the policy.

481

#

482

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

483

# are rejected.

484

#

485

# Any operation that affects conditional role bindings must specify version

486

# `3`. This requirement applies to the following operations:

487

#

488

# * Getting a policy that includes a conditional role binding

489

# * Adding a conditional role binding to a policy

490

# * Changing a conditional role binding in a policy

491

# * Removing any role binding, with or without a condition, from a policy

492

# that includes conditions

493

#

494

# **Important:** If you use IAM Conditions, you must include the `etag` field

495

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

496

# you to overwrite a version `3` policy with a version `1` policy, and all of

497

# the conditions in the version `3` policy are lost.

498

#

499

# If a policy does not include any conditions, operations on that policy may

500

# specify any valid version or leave the field unset.

501

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

502

{ # Specifies the audit configuration for a service.

503

# The configuration determines which permission types are logged, and what

504

# identities, if any, are exempted from logging.

505

# An AuditConfig must have one or more AuditLogConfigs.

506

#

507

# If there are AuditConfigs for both `allServices` and a specific service,

508

# the union of the two AuditConfigs is used for that service: the log_types

509

# specified in each AuditConfig are enabled, and the exempted_members in each

510

# AuditLogConfig are exempted.

511

#

512

# Example Policy with multiple AuditConfigs:

#

# {

# "audit_configs": [

# {

# "service": "allServices"

518

# "audit_log_configs": [

519

# {

520

# "log_type": "DATA_READ",

521

# "exempted_members": [

522

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

527

# },

528

# {

529

# "log_type": "ADMIN_READ",

# }

# ]

# },

# {

# "service": "sampleservice.googleapis.com"

535

# "audit_log_configs": [

536

# {

537

# "log_type": "DATA_READ",

538

# },

539

# {

540

# "log_type": "DATA_WRITE",

541

# "exempted_members": [

542

# "user:aliya@example.com"

# ]

# }

# ]

# }

# ]

# }

#

# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ

551

# logging. It also exempts jose@example.com from DATA_READ logging, and

552

# aliya@example.com from DATA_WRITE logging.

553

"service": "A String", # Specifies a service that will be enabled for audit logging.

554

# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.

555

# `allServices` is a special value that covers all services.

556

"auditLogConfigs": [ # The configuration for logging of each type of permission.

557

{ # Provides the configuration for logging a type of permissions.

# Example:

#

# {

# "audit_log_configs": [

562

# {

563

# "log_type": "DATA_READ",

564

# "exempted_members": [

565

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

# }

# ]

# }

#

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting

575

# jose@example.com from DATA_READ logging.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

576

"logType": "A String", # The log type that this config enables.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

577

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of

578

# permission.

579

# Follows the same format of Binding.members.

580

"A String",

581

],

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

],

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

587

# `condition` that determines how and when the `bindings` are applied. Each

588

# of the `bindings` must contain at least one member.

589

{ # Associates `members` with a `role`.

590

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

591

# NOTE: An unsatisfied condition will not allow user access via current

592

# binding. Different bindings, including their conditions, are examined

593

# independently.

594

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

595

# are documented at https://github.com/google/cel-spec.

596

#

597

# Example (Comparison):

598

#

599

# title: "Summary size limit"

600

# description: "Determines if a summary is less than 100 chars"

601

# expression: "document.summary.size() < 100"

602

#

603

# Example (Equality):

604

#

605

# title: "Requestor is owner"

606

# description: "Determines if requestor is the document owner"

607

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

612

# description: "Determine whether the document should be publicly visible"

613

# expression: "document.type != 'private' && document.type != 'internal'"

614

#

615

# Example (Data Manipulation):

616

#

617

# title: "Notification string"

618

# description: "Create a notification string with a timestamp."

619

# expression: "'New message received at ' + string(document.create_time)"

620

#

621

# The exact variables and functions that may be referenced within an expression

622

# are determined by the service that evaluates it. See the service

623

# documentation for additional information.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

624

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

625

# its purpose. This can be used e.g. in UIs which allow to enter the

626

# expression.

627

"location": "A String", # Optional. String indicating the location of the expression for error

628

# reporting, e.g. a file name and a position in the file.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

629

"description": "A String", # Optional. Description of the expression. This is a longer text which

630

# describes the expression, e.g. when hovered over it in a UI.

631

"expression": "A String", # Textual representation of an expression in Common Expression Language

632

# syntax.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

633

},

634

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

635

# `members` can have the following values:

636

#

637

# * `allUsers`: A special identifier that represents anyone who is

638

# on the internet; with or without a Google account.

639

#

640

# * `allAuthenticatedUsers`: A special identifier that represents anyone

641

# who is authenticated with a Google account or a service account.

642

#

643

# * `user:{emailid}`: An email address that represents a specific Google

644

# account. For example, `alice@example.com` .

645

#

646

#

647

# * `serviceAccount:{emailid}`: An email address that represents a service

648

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

649

#

650

# * `group:{emailid}`: An email address that represents a Google group.

651

# For example, `admins@example.com`.

652

#

653

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

654

# identifier) representing a user that has been recently deleted. For

655

# example, `alice@example.com?uid=123456789012345678901`. If the user is

656

# recovered, this value reverts to `user:{emailid}` and the recovered user

657

# retains the role in the binding.

658

#

659

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

660

# unique identifier) representing a service account that has been recently

661

# deleted. For example,

662

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

663

# If the service account is undeleted, this value reverts to

664

# `serviceAccount:{emailid}` and the undeleted service account retains the

665

# role in the binding.

666

#

667

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

668

# identifier) representing a Google group that has been recently

669

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

670

# the group is recovered, this value reverts to `group:{emailid}` and the

671

# recovered group retains the role in the binding.

672

#

673

#

674

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

675

# users of that domain. For example, `google.com` or `example.com`.

#

"A String",

],

"role": "A String", # Role that is assigned to `members`.

680

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

681

},

682

],

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

683

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

684

# prevent simultaneous updates of a policy from overwriting each other.

685

# It is strongly suggested that systems make use of the `etag` in the

686

# read-modify-write cycle to perform policy updates in order to avoid race

687

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

688

# systems are expected to put that etag in the request to `setIamPolicy` to

689

# ensure that their change will be applied to the same version of the policy.

690

#

691

# **Important:** If you use IAM Conditions, you must include the `etag` field

692

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

693

# you to overwrite a version `3` policy with a version `1` policy, and all of

694

# the conditions in the version `3` policy are lost.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

695

},

696

"updateMask": "A String", # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only

697

# the fields in the mask will be modified. If no mask is provided, the

698

# following default mask is used:

699

# paths: "bindings, etag"

700

# This field is only used by Cloud IAM.

701

}

702

703

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

710

711

{ # An Identity and Access Management (IAM) policy, which specifies access

712

# controls for Google Cloud resources.

713

#

714

#

715

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

716

# `members` to a single `role`. Members can be user accounts, service accounts,

717

# Google groups, and domains (such as G Suite). A `role` is a named list of

718

# permissions; each `role` can be an IAM predefined role or a user-created

719

# custom role.

720

#

721

# Optionally, a `binding` can specify a `condition`, which is a logical

722

# expression that allows access to a resource only if the expression evaluates

723

# to `true`. A condition can add constraints based on attributes of the

724

# request, the resource, or both.

#

# **JSON example:**

#

# {

# "bindings": [

# {

# "role": "roles/resourcemanager.organizationAdmin",

732

# "members": [

733

# "user:mike@example.com",

734

# "group:admins@example.com",

735

# "domain:google.com",

736

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

# ]

# },

# {

# "role": "roles/resourcemanager.organizationViewer",

741

# "members": ["user:eve@example.com"],

742

# "condition": {

743

# "title": "expirable access",

744

# "description": "Does not grant access after Sep 2020",

745

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

# }

# }

# ],

# "etag": "BwWWja0YfJA=",

# "version": 3

# }

#

# **YAML example:**

#

# bindings:

# - members:

# - user:mike@example.com

758

# - group:admins@example.com

759

# - domain:google.com

760

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

761

# role: roles/resourcemanager.organizationAdmin

762

# - members:

763

# - user:eve@example.com

764

# role: roles/resourcemanager.organizationViewer

765

# condition:

766

# title: expirable access

767

# description: Does not grant access after Sep 2020

768

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

769

# - etag: BwWWja0YfJA=

770

# - version: 3

771

#

772

# For a description of IAM and its features, see the

773

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

774

"version": 42, # Specifies the format of the policy.

775

#

776

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

777

# are rejected.

778

#

779

# Any operation that affects conditional role bindings must specify version

780

# `3`. This requirement applies to the following operations:

781

#

782

# * Getting a policy that includes a conditional role binding

783

# * Adding a conditional role binding to a policy

784

# * Changing a conditional role binding in a policy

785

# * Removing any role binding, with or without a condition, from a policy

786

# that includes conditions

787

#

788

# **Important:** If you use IAM Conditions, you must include the `etag` field

789

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

790

# you to overwrite a version `3` policy with a version `1` policy, and all of

791

# the conditions in the version `3` policy are lost.

792

#

793

# If a policy does not include any conditions, operations on that policy may

794

# specify any valid version or leave the field unset.

795

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

796

{ # Specifies the audit configuration for a service.

797

# The configuration determines which permission types are logged, and what

798

# identities, if any, are exempted from logging.

799

# An AuditConfig must have one or more AuditLogConfigs.

800

#

801

# If there are AuditConfigs for both `allServices` and a specific service,

802

# the union of the two AuditConfigs is used for that service: the log_types

803

# specified in each AuditConfig are enabled, and the exempted_members in each

804

# AuditLogConfig are exempted.

805

#

806

# Example Policy with multiple AuditConfigs:

#

# {

# "audit_configs": [

# {

# "service": "allServices"

812

# "audit_log_configs": [

813

# {

814

# "log_type": "DATA_READ",

815

# "exempted_members": [

816

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

821

# },

822

# {

823

# "log_type": "ADMIN_READ",

# }

# ]

# },

# {

# "service": "sampleservice.googleapis.com"

829

# "audit_log_configs": [

830

# {

831

# "log_type": "DATA_READ",

832

# },

833

# {

834

# "log_type": "DATA_WRITE",

835

# "exempted_members": [

836

# "user:aliya@example.com"

# ]

# }

# ]

# }

# ]

# }

#

# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ

845

# logging. It also exempts jose@example.com from DATA_READ logging, and

846

# aliya@example.com from DATA_WRITE logging.

847

"service": "A String", # Specifies a service that will be enabled for audit logging.

848

# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.

849

# `allServices` is a special value that covers all services.

850

"auditLogConfigs": [ # The configuration for logging of each type of permission.

851

{ # Provides the configuration for logging a type of permissions.

# Example:

#

# {

# "audit_log_configs": [

856

# {

857

# "log_type": "DATA_READ",

858

# "exempted_members": [

859

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

# }

# ]

# }

#

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting

869

# jose@example.com from DATA_READ logging.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

870

"logType": "A String", # The log type that this config enables.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

871

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of

872

# permission.

873

# Follows the same format of Binding.members.

874

"A String",

875

],

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

],

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

881

# `condition` that determines how and when the `bindings` are applied. Each

882

# of the `bindings` must contain at least one member.

883

{ # Associates `members` with a `role`.

884

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

885

# NOTE: An unsatisfied condition will not allow user access via current

886

# binding. Different bindings, including their conditions, are examined

887

# independently.

888

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

889

# are documented at https://github.com/google/cel-spec.

890

#

891

# Example (Comparison):

892

#

893

# title: "Summary size limit"

894

# description: "Determines if a summary is less than 100 chars"

895

# expression: "document.summary.size() < 100"

896

#

897

# Example (Equality):

898

#

899

# title: "Requestor is owner"

900

# description: "Determines if requestor is the document owner"

901

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

906

# description: "Determine whether the document should be publicly visible"

907

# expression: "document.type != 'private' && document.type != 'internal'"

908

#

909

# Example (Data Manipulation):

910

#

911

# title: "Notification string"

912

# description: "Create a notification string with a timestamp."

913

# expression: "'New message received at ' + string(document.create_time)"

914

#

915

# The exact variables and functions that may be referenced within an expression

916

# are determined by the service that evaluates it. See the service

917

# documentation for additional information.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

918

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

919

# its purpose. This can be used e.g. in UIs which allow to enter the

920

# expression.

921

"location": "A String", # Optional. String indicating the location of the expression for error

922

# reporting, e.g. a file name and a position in the file.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

923

"description": "A String", # Optional. Description of the expression. This is a longer text which

924

# describes the expression, e.g. when hovered over it in a UI.

925

"expression": "A String", # Textual representation of an expression in Common Expression Language

926

# syntax.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

927

},

928

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

929

# `members` can have the following values:

930

#

931

# * `allUsers`: A special identifier that represents anyone who is

932

# on the internet; with or without a Google account.

933

#

934

# * `allAuthenticatedUsers`: A special identifier that represents anyone

935

# who is authenticated with a Google account or a service account.

936

#

937

# * `user:{emailid}`: An email address that represents a specific Google

938

# account. For example, `alice@example.com` .

939

#

940

#

941

# * `serviceAccount:{emailid}`: An email address that represents a service

942

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

943

#

944

# * `group:{emailid}`: An email address that represents a Google group.

945

# For example, `admins@example.com`.

946

#

947

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

948

# identifier) representing a user that has been recently deleted. For

949

# example, `alice@example.com?uid=123456789012345678901`. If the user is

950

# recovered, this value reverts to `user:{emailid}` and the recovered user

951

# retains the role in the binding.

952

#

953

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

954

# unique identifier) representing a service account that has been recently

955

# deleted. For example,

956

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

957

# If the service account is undeleted, this value reverts to

958

# `serviceAccount:{emailid}` and the undeleted service account retains the

959

# role in the binding.

960

#

961

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

962

# identifier) representing a Google group that has been recently

963

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

964

# the group is recovered, this value reverts to `group:{emailid}` and the

965

# recovered group retains the role in the binding.

966

#

967

#

968

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

969

# users of that domain. For example, `google.com` or `example.com`.

#

"A String",

],

"role": "A String", # Role that is assigned to `members`.

974

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

975

},

976

],

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

977

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

978

# prevent simultaneous updates of a policy from overwriting each other.

979

# It is strongly suggested that systems make use of the `etag` in the

980

# read-modify-write cycle to perform policy updates in order to avoid race

981

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

982

# systems are expected to put that etag in the request to `setIamPolicy` to

983

# ensure that their change will be applied to the same version of the policy.

984

#

985

# **Important:** If you use IAM Conditions, you must include the `etag` field

986

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

987

# you to overwrite a version `3` policy with a version `1` policy, and all of

988

# the conditions in the version `3` policy are lost.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

}</pre>

</div>

<code class="details" id="testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</code>

994

<pre>Returns permissions that the caller has on the specified table resource.

995

996

Args:

997

resource: string, REQUIRED: The resource for which the policy detail is being requested.

998

See the operation documentation for the appropriate value for this field. (required)

999

body: object, The request body.

1000

The object takes the form of:

1001

1002

{ # Request message for `TestIamPermissions` method.

1003

"permissions": [ # The set of permissions to check for the `resource`. Permissions with

1004

# wildcards (such as '*' or 'storage.*') are not allowed. For more

1005

# information see

1006

# [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).

"A String",

],

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1018

1019

{ # Response message for `TestIamPermissions` method.

1020

"permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is

# allowed.

"A String",

],

}</pre>

</div>

</body></html>