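<html><body>
<style>

/* Reset: zero out margins, padding and borders and make text properties
   inherit, so the rules below start from the same baseline everywhere. */
body, h1, h2, h3, div, span, p, pre, a {
  margin: 0;
  padding: 0;
  border: 0;
  font-weight: inherit;
  font-style: inherit;
  font-size: 100%;
  font-family: inherit;
  vertical-align: baseline;
}

/* Page-wide base text size and outer padding. */
body {
  font-size: 13px;
  padding: 1em;
}

/* Heading sizes: h1 is the resource breadcrumb, h2 and h3 the section titles. */
h1 {
  font-size: 26px;
  margin-bottom: 1em;
}

h2 {
  font-size: 24px;
  margin-bottom: 1em;
}

h3 {
  font-size: 20px;
  margin-bottom: 1em;
  margin-top: 1em;
}

/* Method signatures and the <pre> method descriptions use a monospace stack. */
pre, code {
  line-height: 1.5;
  font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
}

pre {
  margin-top: 0.5em;
}

h1, h2, h3, p {
  /* The generic family keyword is hyphenated; the unquoted "sans serif" is
     read as a font literally named "sans serif", leaving no generic fallback. */
  font-family: Arial, sans-serif;
}

h1, h2, h3 {
  border-bottom: solid #CCC 1px;
}

/* One entry of the method table of contents. */
.toc_element {
  margin-top: 0.5em;
}

/* One-line summary printed under each table-of-contents entry. */
.firstline {
  /* No space between number and unit: "2 em" is not a valid length, so the
     declaration was dropped and the summary was never indented. */
  margin-left: 2em;
}

/* Boxed panel holding one method's signature and description. */
.method {
  margin-top: 1em;
  border: solid 1px #CCC;
  padding: 1em;
  background: #EEE;
}

/* Method signature line at the top of each .method panel. */
.details {
  font-weight: bold;
  font-size: 14px;
}

</style>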
74
75<h1><a href="secretmanager_v1.html">Secret Manager API</a> . <a href="secretmanager_v1.projects.html">projects</a> . <a href="secretmanager_v1.projects.secrets.html">secrets</a></h1>
76<h2>Instance Methods</h2>
77<p class="toc_element">
78 <code><a href="secretmanager_v1.projects.secrets.versions.html">versions()</a></code>
79</p>
80<p class="firstline">Returns the versions Resource.</p>
81
82<p class="toc_element">
83 <code><a href="#addVersion">addVersion(parent, body=None, x__xgafv=None)</a></code></p>
84<p class="firstline">Creates a new SecretVersion containing secret data and attaches it to an existing Secret.</p>
85<p class="toc_element">
86 <code><a href="#create">create(parent, body=None, secretId=None, x__xgafv=None)</a></code></p>
87<p class="firstline">Creates a new Secret containing no SecretVersions.</p>
88<p class="toc_element">
89 <code><a href="#delete">delete(name, x__xgafv=None)</a></code></p>
90<p class="firstline">Deletes a Secret.</p>
91<p class="toc_element">
92 <code><a href="#get">get(name, x__xgafv=None)</a></code></p>
93<p class="firstline">Gets metadata for a given Secret.</p>
94<p class="toc_element">
95 <code><a href="#getIamPolicy">getIamPolicy(resource, options_requestedPolicyVersion=None, x__xgafv=None)</a></code></p>
96<p class="firstline">Gets the access control policy for a secret.</p>
97<p class="toc_element">
98 <code><a href="#list">list(parent, pageToken=None, pageSize=None, x__xgafv=None)</a></code></p>
99<p class="firstline">Lists Secrets.</p>
100<p class="toc_element">
101 <code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>
102<p class="firstline">Retrieves the next page of results.</p>
103<p class="toc_element">
104 <code><a href="#patch">patch(name, body=None, updateMask=None, x__xgafv=None)</a></code></p>
105<p class="firstline">Updates metadata of an existing Secret.</p>
106<p class="toc_element">
107 <code><a href="#setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</a></code></p>
108<p class="firstline">Sets the access control policy on the specified secret. Replaces any existing policy.</p>
109<p class="toc_element">
110 <code><a href="#testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</a></code></p>
111<p class="firstline">Returns permissions that a caller has for the specified secret.</p>
112<h3>Method Details</h3>
113<div class="method">
114 <code class="details" id="addVersion">addVersion(parent, body=None, x__xgafv=None)</code>
115 <pre>Creates a new SecretVersion containing secret data and attaches
116it to an existing Secret.
117
118Args:
119 parent: string, Required. The resource name of the Secret to associate with the
120SecretVersion in the format `projects/*/secrets/*`. (required)
121 body: object, The request body.
122 The object takes the form of:
123
124{ # Request message for SecretManagerService.AddSecretVersion.
125 &quot;payload&quot;: { # Required. The secret payload of the SecretVersion.
126 # A secret payload resource in the Secret Manager API. This contains the sensitive secret payload that is associated with a SecretVersion.
127 &quot;data&quot;: &quot;A String&quot;, # The secret data. Must be no larger than 64KiB.
128 },
129 }
130
131 x__xgafv: string, V1 error format.
132 Allowed values
133 1 - v1 error format
134 2 - v2 error format
135
136Returns:
137 An object of the form:
138
139 { # A secret version resource in the Secret Manager API.
140 &quot;destroyTime&quot;: &quot;A String&quot;, # Output only. The time this SecretVersion was destroyed.
141 # Only present if state is
142 # DESTROYED.
143 &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which the SecretVersion was created.
144 &quot;state&quot;: &quot;A String&quot;, # Output only. The current state of the SecretVersion.
145 &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name of the SecretVersion in the
146 # format `projects/*/secrets/*/versions/*`.
147 #
148 # SecretVersion IDs in a Secret start at 1 and
149 # are incremented for each subsequent version of the secret.
150 }</pre>
151</div>
152
153<div class="method">
154 <code class="details" id="create">create(parent, body=None, secretId=None, x__xgafv=None)</code>
155 <pre>Creates a new Secret containing no SecretVersions.
156
157Args:
158 parent: string, Required. The resource name of the project to associate with the
159Secret, in the format `projects/*`. (required)
160 body: object, The request body.
161 The object takes the form of:
162
163{ # A Secret is a logical secret whose value and versions can
164 # be accessed.
165 #
166 # A Secret is made up of zero or more SecretVersions that
167 # represent the secret data.
168 &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name of the Secret in the format `projects/*/secrets/*`.
169 &quot;replication&quot;: { # A policy that defines the replication configuration of data. # Required. Immutable. The replication policy of the secret data attached to the Secret.
170 #
171 # The replication policy cannot be changed after the Secret has been created.
172 &quot;userManaged&quot;: { # The Secret will only be replicated into the locations specified.
173 # A replication policy that replicates the Secret payload into the locations specified in Secret.replication.user_managed.replicas
174 &quot;replicas&quot;: [ # Required. The list of Replicas for this Secret.
175 #
176 # Cannot be empty.
177 { # Represents a Replica for this Secret.
178 &quot;location&quot;: &quot;A String&quot;, # The canonical IDs of the location to replicate data.
179 # For example: `&quot;us-east1&quot;`.
180 },
181 ],
182 },
183 &quot;automatic&quot;: { # The Secret will automatically be replicated without any restrictions.
184 # A replication policy that replicates the Secret payload without any restrictions.
185 },
186 },
187 &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which the Secret was created.
188 &quot;labels&quot;: { # The labels assigned to this Secret.
189 #
190 # Label keys must be between 1 and 63 characters long, have a UTF-8 encoding
191 # of maximum 128 bytes, and must conform to the following PCRE regular
192 # expression: `\p{Ll}\p{Lo}{0,62}`
193 #
194 # Label values must be between 0 and 63 characters long, have a UTF-8
195 # encoding of maximum 128 bytes, and must conform to the following PCRE
196 # regular expression: `[\p{Ll}\p{Lo}\p{N}_-]{0,63}`
197 #
198 # No more than 64 labels can be assigned to a given resource.
199 &quot;a_key&quot;: &quot;A String&quot;,
200 },
201}
202
203 secretId: string, Required. This must be unique within the project.
204
205A secret ID is a string with a maximum length of 255 characters and can
206contain uppercase and lowercase letters, numerals, and the hyphen (`-`) and
207underscore (`_`) characters.
208 x__xgafv: string, V1 error format.
209 Allowed values
210 1 - v1 error format
211 2 - v2 error format
212
213Returns:
214 An object of the form:
215
216 { # A Secret is a logical secret whose value and versions can
217 # be accessed.
218 #
219 # A Secret is made up of zero or more SecretVersions that
220 # represent the secret data.
221 &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name of the Secret in the format `projects/*/secrets/*`.
222 &quot;replication&quot;: { # A policy that defines the replication configuration of data. # Required. Immutable. The replication policy of the secret data attached to the Secret.
223 #
224 # The replication policy cannot be changed after the Secret has been created.
225 &quot;userManaged&quot;: { # The Secret will only be replicated into the locations specified.
226 # A replication policy that replicates the Secret payload into the locations specified in Secret.replication.user_managed.replicas
227 &quot;replicas&quot;: [ # Required. The list of Replicas for this Secret.
228 #
229 # Cannot be empty.
230 { # Represents a Replica for this Secret.
231 &quot;location&quot;: &quot;A String&quot;, # The canonical IDs of the location to replicate data.
232 # For example: `&quot;us-east1&quot;`.
233 },
234 ],
235 },
236 &quot;automatic&quot;: { # The Secret will automatically be replicated without any restrictions.
237 # A replication policy that replicates the Secret payload without any restrictions.
238 },
239 },
240 &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which the Secret was created.
241 &quot;labels&quot;: { # The labels assigned to this Secret.
242 #
243 # Label keys must be between 1 and 63 characters long, have a UTF-8 encoding
244 # of maximum 128 bytes, and must conform to the following PCRE regular
245 # expression: `\p{Ll}\p{Lo}{0,62}`
246 #
247 # Label values must be between 0 and 63 characters long, have a UTF-8
248 # encoding of maximum 128 bytes, and must conform to the following PCRE
249 # regular expression: `[\p{Ll}\p{Lo}\p{N}_-]{0,63}`
250 #
251 # No more than 64 labels can be assigned to a given resource.
252 &quot;a_key&quot;: &quot;A String&quot;,
253 },
254 }</pre>
255</div>
256
257<div class="method">
258 <code class="details" id="delete">delete(name, x__xgafv=None)</code>
259 <pre>Deletes a Secret.
260
261Args:
262 name: string, Required. The resource name of the Secret to delete in the format
263`projects/*/secrets/*`. (required)
264 x__xgafv: string, V1 error format.
265 Allowed values
266 1 - v1 error format
267 2 - v2 error format
268
269Returns:
270 An object of the form:
271
272 { # A generic empty message that you can re-use to avoid defining duplicated
273 # empty messages in your APIs. A typical example is to use it as the request
274 # or the response type of an API method. For instance:
275 #
276 # service Foo {
277 # rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
278 # }
279 #
280 # The JSON representation for `Empty` is empty JSON object `{}`.
281 }</pre>
282</div>
283
284<div class="method">
285 <code class="details" id="get">get(name, x__xgafv=None)</code>
286 <pre>Gets metadata for a given Secret.
287
288Args:
289 name: string, Required. The resource name of the Secret, in the format `projects/*/secrets/*`. (required)
290 x__xgafv: string, V1 error format.
291 Allowed values
292 1 - v1 error format
293 2 - v2 error format
294
295Returns:
296 An object of the form:
297
298 { # A Secret is a logical secret whose value and versions can
299 # be accessed.
300 #
301 # A Secret is made up of zero or more SecretVersions that
302 # represent the secret data.
303 &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name of the Secret in the format `projects/*/secrets/*`.
304 &quot;replication&quot;: { # A policy that defines the replication configuration of data. # Required. Immutable. The replication policy of the secret data attached to the Secret.
305 #
306 # The replication policy cannot be changed after the Secret has been created.
307 &quot;userManaged&quot;: { # The Secret will only be replicated into the locations specified.
308 # A replication policy that replicates the Secret payload into the locations specified in Secret.replication.user_managed.replicas
309 &quot;replicas&quot;: [ # Required. The list of Replicas for this Secret.
310 #
311 # Cannot be empty.
312 { # Represents a Replica for this Secret.
313 &quot;location&quot;: &quot;A String&quot;, # The canonical IDs of the location to replicate data.
314 # For example: `&quot;us-east1&quot;`.
315 },
316 ],
317 },
318 &quot;automatic&quot;: { # The Secret will automatically be replicated without any restrictions.
319 # A replication policy that replicates the Secret payload without any restrictions.
320 },
321 },
322 &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which the Secret was created.
323 &quot;labels&quot;: { # The labels assigned to this Secret.
324 #
325 # Label keys must be between 1 and 63 characters long, have a UTF-8 encoding
326 # of maximum 128 bytes, and must conform to the following PCRE regular
327 # expression: `\p{Ll}\p{Lo}{0,62}`
328 #
329 # Label values must be between 0 and 63 characters long, have a UTF-8
330 # encoding of maximum 128 bytes, and must conform to the following PCRE
331 # regular expression: `[\p{Ll}\p{Lo}\p{N}_-]{0,63}`
332 #
333 # No more than 64 labels can be assigned to a given resource.
334 &quot;a_key&quot;: &quot;A String&quot;,
335 },
336 }</pre>
337</div>
338
339<div class="method">
340 <code class="details" id="getIamPolicy">getIamPolicy(resource, options_requestedPolicyVersion=None, x__xgafv=None)</code>
341 <pre>Gets the access control policy for a secret.
342Returns empty policy if the secret exists and does not have a policy set.
343
344Args:
345 resource: string, REQUIRED: The resource for which the policy is being requested.
346See the operation documentation for the appropriate value for this field. (required)
347 options_requestedPolicyVersion: integer, Optional. The policy format version to be returned.
348
349Valid values are 0, 1, and 3. Requests specifying an invalid value will be
350rejected.
351
352Requests for policies with any conditional bindings must specify version 3.
353Policies without any conditional bindings may specify any valid value or
354leave the field unset.
355
356To learn which resources support conditions in their IAM policies, see the
357[IAM
358documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
359 x__xgafv: string, V1 error format.
360 Allowed values
361 1 - v1 error format
362 2 - v2 error format
363
364Returns:
365 An object of the form:
366
367 { # An Identity and Access Management (IAM) policy, which specifies access
368 # controls for Google Cloud resources.
369 #
370 #
371 # A `Policy` is a collection of `bindings`. A `binding` binds one or more
372 # `members` to a single `role`. Members can be user accounts, service accounts,
373 # Google groups, and domains (such as G Suite). A `role` is a named list of
374 # permissions; each `role` can be an IAM predefined role or a user-created
375 # custom role.
376 #
377 # For some types of Google Cloud resources, a `binding` can also specify a
378 # `condition`, which is a logical expression that allows access to a resource
379 # only if the expression evaluates to `true`. A condition can add constraints
380 # based on attributes of the request, the resource, or both. To learn which
381 # resources support conditions in their IAM policies, see the
382 # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
383 #
384 # **JSON example:**
385 #
386 # {
387 # &quot;bindings&quot;: [
388 # {
389 # &quot;role&quot;: &quot;roles/resourcemanager.organizationAdmin&quot;,
390 # &quot;members&quot;: [
391 # &quot;user:mike@example.com&quot;,
392 # &quot;group:admins@example.com&quot;,
393 # &quot;domain:google.com&quot;,
394 # &quot;serviceAccount:my-project-id@appspot.gserviceaccount.com&quot;
395 # ]
396 # },
397 # {
398 # &quot;role&quot;: &quot;roles/resourcemanager.organizationViewer&quot;,
399 # &quot;members&quot;: [
400 # &quot;user:eve@example.com&quot;
401 # ],
402 # &quot;condition&quot;: {
403 # &quot;title&quot;: &quot;expirable access&quot;,
404 # &quot;description&quot;: &quot;Does not grant access after Sep 2020&quot;,
405 # &quot;expression&quot;: &quot;request.time &lt; timestamp(&#x27;2020-10-01T00:00:00.000Z&#x27;)&quot;
406 # }
407 # }
408 # ],
409 # &quot;etag&quot;: &quot;BwWWja0YfJA=&quot;,
410 # &quot;version&quot;: 3
411 # }
412 #
413 # **YAML example:**
414 #
415 # bindings:
416 # - members:
417 # - user:mike@example.com
418 # - group:admins@example.com
419 # - domain:google.com
420 # - serviceAccount:my-project-id@appspot.gserviceaccount.com
421 # role: roles/resourcemanager.organizationAdmin
422 # - members:
423 # - user:eve@example.com
424 # role: roles/resourcemanager.organizationViewer
425 # condition:
426 # title: expirable access
427 # description: Does not grant access after Sep 2020
428 # expression: request.time &lt; timestamp(&#x27;2020-10-01T00:00:00.000Z&#x27;)
429 # etag: BwWWja0YfJA=
430 # version: 3
431 #
432 # For a description of IAM and its features, see the
433 # [IAM documentation](https://cloud.google.com/iam/docs/).
434 &quot;bindings&quot;: [ # Associates a list of `members` to a `role`. Optionally, may specify a
435 # `condition` that determines how and when the `bindings` are applied. Each
436 # of the `bindings` must contain at least one member.
437 { # Associates `members` with a `role`.
438 &quot;role&quot;: &quot;A String&quot;, # Role that is assigned to `members`.
439 # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
440 &quot;condition&quot;: { # The condition that is associated with this binding.
441 #
442 # If the condition evaluates to `true`, then this binding applies to the
443 # current request.
444 #
445 # If the condition evaluates to `false`, then this binding does not apply to
446 # the current request. However, a different role binding might grant the same
447 # role to one or more of the members in this binding.
448 #
449 # To learn which resources support conditions in their IAM policies, see the
450 # [IAM
451 # documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
452 # The condition is a textual expression in Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL
453 # are documented at https://github.com/google/cel-spec.
454 #
455 # Example (Comparison):
456 #
457 # title: &quot;Summary size limit&quot;
458 # description: &quot;Determines if a summary is less than 100 chars&quot;
459 # expression: &quot;document.summary.size() &lt; 100&quot;
460 #
461 # Example (Equality):
462 #
463 # title: &quot;Requestor is owner&quot;
464 # description: &quot;Determines if requestor is the document owner&quot;
465 # expression: &quot;document.owner == request.auth.claims.email&quot;
466 #
467 # Example (Logic):
468 #
469 # title: &quot;Public documents&quot;
470 # description: &quot;Determine whether the document should be publicly visible&quot;
471 # expression: &quot;document.type != &#x27;private&#x27; &amp;&amp; document.type != &#x27;internal&#x27;&quot;
472 #
473 # Example (Data Manipulation):
474 #
475 # title: &quot;Notification string&quot;
476 # description: &quot;Create a notification string with a timestamp.&quot;
477 # expression: &quot;&#x27;New message received at &#x27; + string(document.create_time)&quot;
478 #
479 # The exact variables and functions that may be referenced within an expression
480 # are determined by the service that evaluates it. See the service
481 # documentation for additional information.
482 &quot;title&quot;: &quot;A String&quot;, # Optional. Title for the expression, i.e. a short string describing
483 # its purpose. This can be used e.g. in UIs which allow to enter the
484 # expression.
485 &quot;location&quot;: &quot;A String&quot;, # Optional. String indicating the location of the expression for error
486 # reporting, e.g. a file name and a position in the file.
487 &quot;description&quot;: &quot;A String&quot;, # Optional. Description of the expression. This is a longer text which
488 # describes the expression, e.g. when hovered over it in a UI.
489 &quot;expression&quot;: &quot;A String&quot;, # Textual representation of an expression in Common Expression Language
490 # syntax.
491 },
492 &quot;members&quot;: [ # Specifies the identities requesting access for a Cloud Platform resource.
493 # `members` can have the following values:
494 #
495 # * `allUsers`: A special identifier that represents anyone who is
496 # on the internet; with or without a Google account.
497 #
498 # * `allAuthenticatedUsers`: A special identifier that represents anyone
499 # who is authenticated with any Google account or service account, including identities outside your own organization.
500 #
501 # * `user:{emailid}`: An email address that represents a specific Google
502 # account. For example, `alice@example.com` .
503 #
504 #
505 # * `serviceAccount:{emailid}`: An email address that represents a service
506 # account. For example, `my-other-app@appspot.gserviceaccount.com`.
507 #
508 # * `group:{emailid}`: An email address that represents a Google group.
509 # For example, `admins@example.com`.
510 #
511 # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
512 # identifier) representing a user that has been recently deleted. For
513 # example, `alice@example.com?uid=123456789012345678901`. If the user is
514 # recovered, this value reverts to `user:{emailid}` and the recovered user
515 # retains the role in the binding.
516 #
517 # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
518 # unique identifier) representing a service account that has been recently
519 # deleted. For example,
520 # `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
521 # If the service account is undeleted, this value reverts to
522 # `serviceAccount:{emailid}` and the undeleted service account retains the
523 # role in the binding.
524 #
525 # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
526 # identifier) representing a Google group that has been recently
527 # deleted. For example, `admins@example.com?uid=123456789012345678901`. If
528 # the group is recovered, this value reverts to `group:{emailid}` and the
529 # recovered group retains the role in the binding.
530 #
531 #
532 # * `domain:{domain}`: The G Suite domain (primary) that represents all the
533 # users of that domain. For example, `google.com` or `example.com`.
534 #
535 &quot;A String&quot;,
536 ],
537 },
538 ],
539 &quot;etag&quot;: &quot;A String&quot;, # `etag` is used for optimistic concurrency control as a way to help
540 # prevent simultaneous updates of a policy from overwriting each other.
541 # It is strongly suggested that systems make use of the `etag` in the
542 # read-modify-write cycle to perform policy updates in order to avoid race
543 # conditions: An `etag` is returned in the response to `getIamPolicy`, and
544 # systems are expected to put that etag in the request to `setIamPolicy` to
545 # ensure that their change will be applied to the same version of the policy.
546 #
547 # **Important:** If you use IAM Conditions, you must include the `etag` field
548 # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
549 # you to overwrite a version `3` policy with a version `1` policy, and all of
550 # the conditions in the version `3` policy are lost.
551 &quot;version&quot;: 42, # Specifies the format of the policy.
552 #
553 # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
554 # are rejected.
555 #
556 # Any operation that affects conditional role bindings must specify version
557 # `3`. This requirement applies to the following operations:
558 #
559 # * Getting a policy that includes a conditional role binding
560 # * Adding a conditional role binding to a policy
561 # * Changing a conditional role binding in a policy
562 # * Removing any role binding, with or without a condition, from a policy
563 # that includes conditions
564 #
565 # **Important:** If you use IAM Conditions, you must include the `etag` field
566 # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
567 # you to overwrite a version `3` policy with a version `1` policy, and all of
568 # the conditions in the version `3` policy are lost.
569 #
570 # If a policy does not include any conditions, operations on that policy may
571 # specify any valid version or leave the field unset.
572 #
573 # To learn which resources support conditions in their IAM policies, see the
574 # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
575 &quot;auditConfigs&quot;: [ # Specifies cloud audit logging configuration for this policy.
576 { # Specifies the audit configuration for a service.
577 # The configuration determines which permission types are logged, and what
578 # identities, if any, are exempted from logging.
579 # An AuditConfig must have one or more AuditLogConfigs.
580 #
581 # If there are AuditConfigs for both `allServices` and a specific service,
582 # the union of the two AuditConfigs is used for that service: the log_types
583 # specified in each AuditConfig are enabled, and the exempted_members in each
584 # AuditLogConfig are exempted.
585 #
586 # Example Policy with multiple AuditConfigs:
587 #
588 # {
589 # &quot;audit_configs&quot;: [
590 # {
591 # &quot;service&quot;: &quot;allServices&quot;
592 # &quot;audit_log_configs&quot;: [
593 # {
594 # &quot;log_type&quot;: &quot;DATA_READ&quot;,
595 # &quot;exempted_members&quot;: [
596 # &quot;user:jose@example.com&quot;
597 # ]
598 # },
599 # {
600 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;,
601 # },
602 # {
603 # &quot;log_type&quot;: &quot;ADMIN_READ&quot;,
604 # }
605 # ]
606 # },
607 # {
608 # &quot;service&quot;: &quot;sampleservice.googleapis.com&quot;
609 # &quot;audit_log_configs&quot;: [
610 # {
611 # &quot;log_type&quot;: &quot;DATA_READ&quot;,
612 # },
613 # {
614 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;,
615 # &quot;exempted_members&quot;: [
616 # &quot;user:aliya@example.com&quot;
617 # ]
618 # }
619 # ]
620 # }
621 # ]
622 # }
623 #
624 # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
625 # logging. It also exempts jose@example.com from DATA_READ logging, and
626 # aliya@example.com from DATA_WRITE logging.
627 &quot;service&quot;: &quot;A String&quot;, # Specifies a service that will be enabled for audit logging.
628 # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
629 # `allServices` is a special value that covers all services.
630 &quot;auditLogConfigs&quot;: [ # The configuration for logging of each type of permission.
631 { # Provides the configuration for logging a type of permissions.
632 # Example:
633 #
634 # {
635 # &quot;audit_log_configs&quot;: [
636 # {
637 # &quot;log_type&quot;: &quot;DATA_READ&quot;,
638 # &quot;exempted_members&quot;: [
639 # &quot;user:jose@example.com&quot;
640 # ]
641 # },
642 # {
643 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;,
644 # }
645 # ]
646 # }
647 #
648 # This enables &#x27;DATA_READ&#x27; and &#x27;DATA_WRITE&#x27; logging, while exempting
649 # jose@example.com from DATA_READ logging.
650 &quot;exemptedMembers&quot;: [ # Specifies the identities that do not cause logging for this type of
651 # permission.
652 # Follows the same format of Binding.members.
653 &quot;A String&quot;,
654 ],
655 &quot;logType&quot;: &quot;A String&quot;, # The log type that this config enables.
656 },
657 ],
658 },
659 ],
660 }</pre>
661</div>
662
663<div class="method">
664 <code class="details" id="list">list(parent, pageToken=None, pageSize=None, x__xgafv=None)</code>
665 <pre>Lists Secrets.
666
667Args:
668 parent: string, Required. The resource name of the project associated with the
669Secrets, in the format `projects/*`. (required)
670 pageToken: string, Optional. Pagination token, returned earlier via
671ListSecretsResponse.next_page_token.
672 pageSize: integer, Optional. The maximum number of results to be returned in a single page. If
673set to 0, the server decides the number of results to return. If the
674number is greater than 25000, it is capped at 25000.
675 x__xgafv: string, V1 error format.
676 Allowed values
677 1 - v1 error format
678 2 - v2 error format
679
680Returns:
681 An object of the form:
682
683 { # Response message for SecretManagerService.ListSecrets.
684 &quot;secrets&quot;: [ # The list of Secrets sorted in reverse by create_time (newest
685 # first).
686 { # A Secret is a logical secret whose value and versions can
687 # be accessed.
688 #
689 # A Secret is made up of zero or more SecretVersions that
690 # represent the secret data.
691 &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name of the Secret in the format `projects/*/secrets/*`.
692 &quot;replication&quot;: { # A policy that defines the replication configuration of data. # Required. Immutable. The replication policy of the secret data attached to the Secret.
693 #
694 # The replication policy cannot be changed after the Secret has been created.
695 &quot;userManaged&quot;: { # The Secret will only be replicated into the locations specified.
696 # A replication policy that replicates the Secret payload into the locations specified in Secret.replication.user_managed.replicas
697 &quot;replicas&quot;: [ # Required. The list of Replicas for this Secret.
698 #
699 # Cannot be empty.
700 { # Represents a Replica for this Secret.
701 &quot;location&quot;: &quot;A String&quot;, # The canonical IDs of the location to replicate data.
702 # For example: `&quot;us-east1&quot;`.
703 },
704 ],
705 },
706 &quot;automatic&quot;: { # The Secret will automatically be replicated without any restrictions.
707 # A replication policy that replicates the Secret payload without any restrictions.
708 },
709 },
710 &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which the Secret was created.
711 &quot;labels&quot;: { # The labels assigned to this Secret.
712 #
713 # Label keys must be between 1 and 63 characters long, have a UTF-8 encoding
714 # of maximum 128 bytes, and must conform to the following PCRE regular
715 # expression: `\p{Ll}\p{Lo}{0,62}`
716 #
717 # Label values must be between 0 and 63 characters long, have a UTF-8
718 # encoding of maximum 128 bytes, and must conform to the following PCRE
719 # regular expression: `[\p{Ll}\p{Lo}\p{N}_-]{0,63}`
720 #
721 # No more than 64 labels can be assigned to a given resource.
722 &quot;a_key&quot;: &quot;A String&quot;,
723 },
724 },
725 ],
726 &quot;nextPageToken&quot;: &quot;A String&quot;, # A token to retrieve the next page of results. Pass this value in
727 # ListSecretsRequest.page_token to retrieve the next page.
728 &quot;totalSize&quot;: 42, # The total number of Secrets.
729 }</pre>
730</div>
731
732<div class="method">
733 <code class="details" id="list_next">list_next(previous_request, previous_response)</code>
734 <pre>Retrieves the next page of results.
735
736Args:
737 previous_request: The request for the previous page. (required)
738 previous_response: The response from the request for the previous page. (required)
739
740Returns:
741 A request object that you can call &#x27;execute()&#x27; on to request the next
742 page. Returns None if there are no more items in the collection.
743 </pre>
744</div>
745
746<div class="method">
747 <code class="details" id="patch">patch(name, body=None, updateMask=None, x__xgafv=None)</code>
748 <pre>Updates metadata of an existing Secret.
749
750Args:
751 name: string, Output only. The resource name of the Secret in the format `projects/*/secrets/*`. (required)
752 body: object, The request body.
753 The object takes the form of:
754
755{ # A Secret is a logical secret whose value and versions can
756 # be accessed.
757 #
758 # A Secret is made up of zero or more SecretVersions that
759 # represent the secret data.
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -0700760 &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name of the Secret in the format `projects/*/secrets/*`.
Bu Sun Kim65020912020-05-20 12:08:20 -0700761 &quot;replication&quot;: { # A policy that defines the replication configuration of data. # Required. Immutable. The replication policy of the secret data attached to the Secret.
762 #
763 # The replication policy cannot be changed after the Secret has been created.
764 &quot;userManaged&quot;: { # The Secret will only be replicated into the locations specified.
765 # A replication policy that replicates the Secret payload into the locations specified in Secret.replication.user_managed.replicas
766 &quot;replicas&quot;: [ # Required. The list of Replicas for this Secret.
767 #
768 # Cannot be empty.
769 { # Represents a Replica for this Secret.
770 &quot;location&quot;: &quot;A String&quot;, # The canonical IDs of the location to replicate data.
771 # For example: `&quot;us-east1&quot;`.
772 },
773 ],
774 },
775 &quot;automatic&quot;: { # The Secret will automatically be replicated without any restrictions.
776 # A replication policy that replicates the Secret payload without any restrictions.
777 },
778 },
779 &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which the Secret was created.
780 &quot;labels&quot;: { # The labels assigned to this Secret.
781 #
782 # Label keys must be between 1 and 63 characters long, have a UTF-8 encoding
783 # of maximum 128 bytes, and must conform to the following PCRE regular
784 # expression: `\p{Ll}\p{Lo}{0,62}`
785 #
786 # Label values must be between 0 and 63 characters long, have a UTF-8
787 # encoding of maximum 128 bytes, and must conform to the following PCRE
788 # regular expression: `[\p{Ll}\p{Lo}\p{N}_-]{0,63}`
789 #
790 # No more than 64 labels can be assigned to a given resource.
791 &quot;a_key&quot;: &quot;A String&quot;,
792 },
Bu Sun Kim65020912020-05-20 12:08:20 -0700793}
794
795 updateMask: string, Required. Specifies the fields to be updated.
796 x__xgafv: string, V1 error format.
797 Allowed values
798 1 - v1 error format
799 2 - v2 error format
800
801Returns:
802 An object of the form:
803
804 { # A Secret is a logical secret whose value and versions can
805 # be accessed.
806 #
807 # A Secret is made up of zero or more SecretVersions that
808 # represent the secret data.
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -0700809 &quot;name&quot;: &quot;A String&quot;, # Output only. The resource name of the Secret in the format `projects/*/secrets/*`.
Bu Sun Kim65020912020-05-20 12:08:20 -0700810 &quot;replication&quot;: { # A policy that defines the replication configuration of data. # Required. Immutable. The replication policy of the secret data attached to the Secret.
811 #
812 # The replication policy cannot be changed after the Secret has been created.
813 &quot;userManaged&quot;: { # The Secret will only be replicated into the locations specified.
814 # A replication policy that replicates the Secret payload into the locations specified in Secret.replication.user_managed.replicas
815 &quot;replicas&quot;: [ # Required. The list of Replicas for this Secret.
816 #
817 # Cannot be empty.
818 { # Represents a Replica for this Secret.
819 &quot;location&quot;: &quot;A String&quot;, # The canonical IDs of the location to replicate data.
820 # For example: `&quot;us-east1&quot;`.
821 },
822 ],
823 },
824 &quot;automatic&quot;: { # The Secret will automatically be replicated without any restrictions.
825 # A replication policy that replicates the Secret payload without any restrictions.
826 },
827 },
828 &quot;createTime&quot;: &quot;A String&quot;, # Output only. The time at which the Secret was created.
829 &quot;labels&quot;: { # The labels assigned to this Secret.
830 #
831 # Label keys must be between 1 and 63 characters long, have a UTF-8 encoding
832 # of maximum 128 bytes, and must conform to the following PCRE regular
833 # expression: `\p{Ll}\p{Lo}{0,62}`
834 #
835 # Label values must be between 0 and 63 characters long, have a UTF-8
836 # encoding of maximum 128 bytes, and must conform to the following PCRE
837 # regular expression: `[\p{Ll}\p{Lo}\p{N}_-]{0,63}`
838 #
839 # No more than 64 labels can be assigned to a given resource.
840 &quot;a_key&quot;: &quot;A String&quot;,
841 },
Bu Sun Kim65020912020-05-20 12:08:20 -0700842 }</pre>
843</div>
844
845<div class="method">
846 <code class="details" id="setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</code>
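847 <pre>Sets the access control policy on the specified secret. Replaces any
848existing policy: bindings omitted from the request are removed, so modify the policy returned by `getIamPolicy` and send it back with its `etag`.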
849
850Permissions on SecretVersions are enforced according
851to the policy set on the associated Secret.
852
853Args:
854 resource: string, REQUIRED: The resource for which the policy is being specified.
855See the operation documentation for the appropriate value for this field. (required)
856 body: object, The request body.
857 The object takes the form of:
858
859{ # Request message for `SetIamPolicy` method.
860 &quot;policy&quot;: { # REQUIRED: The complete policy to be applied to the `resource`. The size of
861 # the policy is limited to a few 10s of KB. An empty policy is a
862 # valid policy but certain Cloud Platform services (such as Projects)
863 # might reject it.
864 # An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources.
865 #
866 #
867 # A `Policy` is a collection of `bindings`. A `binding` binds one or more
868 # `members` to a single `role`. Members can be user accounts, service accounts,
869 # Google groups, and domains (such as G Suite). A `role` is a named list of
870 # permissions; each `role` can be an IAM predefined role or a user-created
871 # custom role.
872 #
873 # For some types of Google Cloud resources, a `binding` can also specify a
874 # `condition`, which is a logical expression that allows access to a resource
875 # only if the expression evaluates to `true`. A condition can add constraints
876 # based on attributes of the request, the resource, or both. To learn which
877 # resources support conditions in their IAM policies, see the
878 # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
879 #
880 # **JSON example:**
881 #
882 # {
883 # &quot;bindings&quot;: [
884 # {
885 # &quot;role&quot;: &quot;roles/resourcemanager.organizationAdmin&quot;,
886 # &quot;members&quot;: [
887 # &quot;user:mike@example.com&quot;,
888 # &quot;group:admins@example.com&quot;,
889 # &quot;domain:google.com&quot;,
890 # &quot;serviceAccount:my-project-id@appspot.gserviceaccount.com&quot;
891 # ]
892 # },
893 # {
894 # &quot;role&quot;: &quot;roles/resourcemanager.organizationViewer&quot;,
895 # &quot;members&quot;: [
896 # &quot;user:eve@example.com&quot;
897 # ],
898 # &quot;condition&quot;: {
899 # &quot;title&quot;: &quot;expirable access&quot;,
900 # &quot;description&quot;: &quot;Does not grant access after Sep 2020&quot;,
901 # &quot;expression&quot;: &quot;request.time &lt; timestamp(&#x27;2020-10-01T00:00:00.000Z&#x27;)&quot;,
902 # }
903 # }
904 # ],
905 # &quot;etag&quot;: &quot;BwWWja0YfJA=&quot;,
906 # &quot;version&quot;: 3
907 # }
908 #
909 # **YAML example:**
910 #
911 # bindings:
912 # - members:
913 # - user:mike@example.com
914 # - group:admins@example.com
915 # - domain:google.com
916 # - serviceAccount:my-project-id@appspot.gserviceaccount.com
917 # role: roles/resourcemanager.organizationAdmin
918 # - members:
919 # - user:eve@example.com
920 # role: roles/resourcemanager.organizationViewer
921 # condition:
922 # title: expirable access
923 # description: Does not grant access after Sep 2020
924 # expression: request.time &lt; timestamp(&#x27;2020-10-01T00:00:00.000Z&#x27;)
925 # etag: BwWWja0YfJA=
926 # version: 3
927 #
928 # For a description of IAM and its features, see the
929 # [IAM documentation](https://cloud.google.com/iam/docs/).
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -0700930 &quot;bindings&quot;: [ # Associates a list of `members` to a `role`. Optionally, may specify a
931 # `condition` that determines how and when the `bindings` are applied. Each
932 # of the `bindings` must contain at least one member.
933 { # Associates `members` with a `role`.
934 &quot;role&quot;: &quot;A String&quot;, # Role that is assigned to `members`.
935 # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
936 &quot;condition&quot;: { # The condition that is associated with this binding.
937 #
938 # If the condition evaluates to `true`, then this binding applies to the
939 # current request.
940 #
941 # If the condition evaluates to `false`, then this binding does not apply to
942 # the current request. However, a different role binding might grant the same
943 # role to one or more of the members in this binding.
944 #
945 # To learn which resources support conditions in their IAM policies, see the
946 # [IAM
947 # documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
948 # Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL
949 # are documented at https://github.com/google/cel-spec.
950 #
951 # Example (Comparison):
952 #
953 # title: &quot;Summary size limit&quot;
954 # description: &quot;Determines if a summary is less than 100 chars&quot;
955 # expression: &quot;document.summary.size() &lt; 100&quot;
956 #
957 # Example (Equality):
958 #
959 # title: &quot;Requestor is owner&quot;
960 # description: &quot;Determines if requestor is the document owner&quot;
961 # expression: &quot;document.owner == request.auth.claims.email&quot;
962 #
963 # Example (Logic):
964 #
965 # title: &quot;Public documents&quot;
966 # description: &quot;Determine whether the document should be publicly visible&quot;
967 # expression: &quot;document.type != &#x27;private&#x27; &amp;&amp; document.type != &#x27;internal&#x27;&quot;
968 #
969 # Example (Data Manipulation):
970 #
971 # title: &quot;Notification string&quot;
972 # description: &quot;Create a notification string with a timestamp.&quot;
973 # expression: &quot;&#x27;New message received at &#x27; + string(document.create_time)&quot;
974 #
975 # The exact variables and functions that may be referenced within an expression
976 # are determined by the service that evaluates it. See the service
977 # documentation for additional information.
978 &quot;title&quot;: &quot;A String&quot;, # Optional. Title for the expression, i.e. a short string describing
979 # its purpose. This can be used e.g. in UIs which allow to enter the
980 # expression.
981 &quot;location&quot;: &quot;A String&quot;, # Optional. String indicating the location of the expression for error
982 # reporting, e.g. a file name and a position in the file.
983 &quot;description&quot;: &quot;A String&quot;, # Optional. Description of the expression. This is a longer text which
984 # describes the expression, e.g. when hovered over it in a UI.
985 &quot;expression&quot;: &quot;A String&quot;, # Textual representation of an expression in Common Expression Language
986 # syntax.
987 },
988 &quot;members&quot;: [ # Specifies the identities requesting access for a Cloud Platform resource.
989 # `members` can have the following values:
990 #
991 # * `allUsers`: A special identifier that represents anyone who is
992 # on the internet; with or without a Google account.
993 #
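994 # * `allAuthenticatedUsers`: A special identifier that represents anyone
995 # who is authenticated with a Google account or a service account. Like `allUsers`, this is not limited to your own organization; a binding to either identifier on a Secret grants its role to all of those principals.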
996 #
997 # * `user:{emailid}`: An email address that represents a specific Google
998 # account. For example, `alice@example.com` .
999 #
1000 #
1001 # * `serviceAccount:{emailid}`: An email address that represents a service
1002 # account. For example, `my-other-app@appspot.gserviceaccount.com`.
1003 #
1004 # * `group:{emailid}`: An email address that represents a Google group.
1005 # For example, `admins@example.com`.
1006 #
1007 # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
1008 # identifier) representing a user that has been recently deleted. For
1009 # example, `alice@example.com?uid=123456789012345678901`. If the user is
1010 # recovered, this value reverts to `user:{emailid}` and the recovered user
1011 # retains the role in the binding.
1012 #
1013 # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
1014 # unique identifier) representing a service account that has been recently
1015 # deleted. For example,
1016 # `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
1017 # If the service account is undeleted, this value reverts to
1018 # `serviceAccount:{emailid}` and the undeleted service account retains the
1019 # role in the binding.
1020 #
1021 # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
1022 # identifier) representing a Google group that has been recently
1023 # deleted. For example, `admins@example.com?uid=123456789012345678901`. If
1024 # the group is recovered, this value reverts to `group:{emailid}` and the
1025 # recovered group retains the role in the binding.
1026 #
1027 #
1028 # * `domain:{domain}`: The G Suite domain (primary) that represents all the
1029 # users of that domain. For example, `google.com` or `example.com`.
1030 #
1031 &quot;A String&quot;,
1032 ],
1033 },
1034 ],
1035 &quot;etag&quot;: &quot;A String&quot;, # `etag` is used for optimistic concurrency control as a way to help
1036 # prevent simultaneous updates of a policy from overwriting each other.
1037 # It is strongly suggested that systems make use of the `etag` in the
1038 # read-modify-write cycle to perform policy updates in order to avoid race
1039 # conditions: An `etag` is returned in the response to `getIamPolicy`, and
1040 # systems are expected to put that etag in the request to `setIamPolicy` to
1041 # ensure that their change will be applied to the same version of the policy.
1042 #
1043 # **Important:** If you use IAM Conditions, you must include the `etag` field
1044 # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
1045 # you to overwrite a version `3` policy with a version `1` policy, and all of
1046 # the conditions in the version `3` policy are lost.
1047 &quot;version&quot;: 42, # Specifies the format of the policy.
1048 #
1049 # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
1050 # are rejected.
1051 #
1052 # Any operation that affects conditional role bindings must specify version
1053 # `3`. This requirement applies to the following operations:
1054 #
1055 # * Getting a policy that includes a conditional role binding
1056 # * Adding a conditional role binding to a policy
1057 # * Changing a conditional role binding in a policy
1058 # * Removing any role binding, with or without a condition, from a policy
1059 # that includes conditions
1060 #
1061 # **Important:** If you use IAM Conditions, you must include the `etag` field
1062 # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
1063 # you to overwrite a version `3` policy with a version `1` policy, and all of
1064 # the conditions in the version `3` policy are lost.
1065 #
1066 # If a policy does not include any conditions, operations on that policy may
1067 # specify any valid version or leave the field unset.
1068 #
1069 # To learn which resources support conditions in their IAM policies, see the
1070 # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
Bu Sun Kim65020912020-05-20 12:08:20 -07001071 &quot;auditConfigs&quot;: [ # Specifies cloud audit logging configuration for this policy.
1072 { # Specifies the audit configuration for a service.
1073 # The configuration determines which permission types are logged, and what
1074 # identities, if any, are exempted from logging.
1075 # An AuditConfig must have one or more AuditLogConfigs.
1076 #
1077 # If there are AuditConfigs for both `allServices` and a specific service,
1078 # the union of the two AuditConfigs is used for that service: the log_types
1079 # specified in each AuditConfig are enabled, and the exempted_members in each
1080 # AuditLogConfig are exempted.
1081 #
1082 # Example Policy with multiple AuditConfigs:
1083 #
1084 # {
1085 # &quot;audit_configs&quot;: [
1086 # {
1087 # &quot;service&quot;: &quot;allServices&quot;
1088 # &quot;audit_log_configs&quot;: [
1089 # {
1090 # &quot;log_type&quot;: &quot;DATA_READ&quot;,
1091 # &quot;exempted_members&quot;: [
1092 # &quot;user:jose@example.com&quot;
1093 # ]
1094 # },
1095 # {
1096 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;,
1097 # },
1098 # {
1099 # &quot;log_type&quot;: &quot;ADMIN_READ&quot;,
1100 # }
1101 # ]
1102 # },
1103 # {
1104 # &quot;service&quot;: &quot;sampleservice.googleapis.com&quot;
1105 # &quot;audit_log_configs&quot;: [
1106 # {
1107 # &quot;log_type&quot;: &quot;DATA_READ&quot;,
1108 # },
1109 # {
1110 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;,
1111 # &quot;exempted_members&quot;: [
1112 # &quot;user:aliya@example.com&quot;
1113 # ]
1114 # }
1115 # ]
1116 # }
1117 # ]
1118 # }
1119 #
1120 # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
1121 # logging. It also exempts jose@example.com from DATA_READ logging, and
1122 # aliya@example.com from DATA_WRITE logging.
1123 &quot;service&quot;: &quot;A String&quot;, # Specifies a service that will be enabled for audit logging.
1124 # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
1125 # `allServices` is a special value that covers all services.
1126 &quot;auditLogConfigs&quot;: [ # The configuration for logging of each type of permission.
1127 { # Provides the configuration for logging a type of permissions.
1128 # Example:
1129 #
1130 # {
1131 # &quot;audit_log_configs&quot;: [
1132 # {
1133 # &quot;log_type&quot;: &quot;DATA_READ&quot;,
1134 # &quot;exempted_members&quot;: [
1135 # &quot;user:jose@example.com&quot;
1136 # ]
1137 # },
1138 # {
1139 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;,
1140 # }
1141 # ]
1142 # }
1143 #
1144 # This enables &#x27;DATA_READ&#x27; and &#x27;DATA_WRITE&#x27; logging, while exempting
1145 # jose@example.com from DATA_READ logging.
1146 &quot;exemptedMembers&quot;: [ # Specifies the identities that do not cause logging for this type of
1147 # permission.
1148 # Follows the same format of Binding.members.
1149 &quot;A String&quot;,
1150 ],
1151 &quot;logType&quot;: &quot;A String&quot;, # The log type that this config enables.
1152 },
1153 ],
1154 },
1155 ],
Bu Sun Kim65020912020-05-20 12:08:20 -07001156 },
1157 &quot;updateMask&quot;: &quot;A String&quot;, # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
1158 # the fields in the mask will be modified. If no mask is provided, the
1159 # following default mask is used:
1160 #
1161 # `paths: &quot;bindings, etag&quot;`
1162 }
1163
1164 x__xgafv: string, V1 error format.
1165 Allowed values
1166 1 - v1 error format
1167 2 - v2 error format
1168
1169Returns:
1170 An object of the form:
1171
1172 { # An Identity and Access Management (IAM) policy, which specifies access
1173 # controls for Google Cloud resources.
1174 #
1175 #
1176 # A `Policy` is a collection of `bindings`. A `binding` binds one or more
1177 # `members` to a single `role`. Members can be user accounts, service accounts,
1178 # Google groups, and domains (such as G Suite). A `role` is a named list of
1179 # permissions; each `role` can be an IAM predefined role or a user-created
1180 # custom role.
1181 #
1182 # For some types of Google Cloud resources, a `binding` can also specify a
1183 # `condition`, which is a logical expression that allows access to a resource
1184 # only if the expression evaluates to `true`. A condition can add constraints
1185 # based on attributes of the request, the resource, or both. To learn which
1186 # resources support conditions in their IAM policies, see the
1187 # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
1188 #
1189 # **JSON example:**
1190 #
1191 # {
1192 # &quot;bindings&quot;: [
1193 # {
1194 # &quot;role&quot;: &quot;roles/resourcemanager.organizationAdmin&quot;,
1195 # &quot;members&quot;: [
1196 # &quot;user:mike@example.com&quot;,
1197 # &quot;group:admins@example.com&quot;,
1198 # &quot;domain:google.com&quot;,
1199 # &quot;serviceAccount:my-project-id@appspot.gserviceaccount.com&quot;
1200 # ]
1201 # },
1202 # {
1203 # &quot;role&quot;: &quot;roles/resourcemanager.organizationViewer&quot;,
1204 # &quot;members&quot;: [
1205 # &quot;user:eve@example.com&quot;
1206 # ],
1207 # &quot;condition&quot;: {
1208 # &quot;title&quot;: &quot;expirable access&quot;,
1209 # &quot;description&quot;: &quot;Does not grant access after Sep 2020&quot;,
1210 # &quot;expression&quot;: &quot;request.time &lt; timestamp(&#x27;2020-10-01T00:00:00.000Z&#x27;)&quot;,
1211 # }
1212 # }
1213 # ],
1214 # &quot;etag&quot;: &quot;BwWWja0YfJA=&quot;,
1215 # &quot;version&quot;: 3
1216 # }
1217 #
1218 # **YAML example:**
1219 #
1220 # bindings:
1221 # - members:
1222 # - user:mike@example.com
1223 # - group:admins@example.com
1224 # - domain:google.com
1225 # - serviceAccount:my-project-id@appspot.gserviceaccount.com
1226 # role: roles/resourcemanager.organizationAdmin
1227 # - members:
1228 # - user:eve@example.com
1229 # role: roles/resourcemanager.organizationViewer
1230 # condition:
1231 # title: expirable access
1232 # description: Does not grant access after Sep 2020
1233 # expression: request.time &lt; timestamp(&#x27;2020-10-01T00:00:00.000Z&#x27;)
1234 # etag: BwWWja0YfJA=
1235 # version: 3
1236 #
1237 # For a description of IAM and its features, see the
1238 # [IAM documentation](https://cloud.google.com/iam/docs/).
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -07001239 &quot;bindings&quot;: [ # Associates a list of `members` to a `role`. Optionally, may specify a
1240 # `condition` that determines how and when the `bindings` are applied. Each
1241 # of the `bindings` must contain at least one member.
1242 { # Associates `members` with a `role`.
1243 &quot;role&quot;: &quot;A String&quot;, # Role that is assigned to `members`.
1244 # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
1245 &quot;condition&quot;: { # The condition that is associated with this binding.
1246 #
1247 # If the condition evaluates to `true`, then this binding applies to the
1248 # current request.
1249 #
1250 # If the condition evaluates to `false`, then this binding does not apply to
1251 # the current request. However, a different role binding might grant the same
1252 # role to one or more of the members in this binding.
1253 #
1254 # To learn which resources support conditions in their IAM policies, see the
1255 # [IAM
1256 # documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
1257 # Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL
1258 # are documented at https://github.com/google/cel-spec.
1259 #
1260 # Example (Comparison):
1261 #
1262 # title: &quot;Summary size limit&quot;
1263 # description: &quot;Determines if a summary is less than 100 chars&quot;
1264 # expression: &quot;document.summary.size() &lt; 100&quot;
1265 #
1266 # Example (Equality):
1267 #
1268 # title: &quot;Requestor is owner&quot;
1269 # description: &quot;Determines if requestor is the document owner&quot;
1270 # expression: &quot;document.owner == request.auth.claims.email&quot;
1271 #
1272 # Example (Logic):
1273 #
1274 # title: &quot;Public documents&quot;
1275 # description: &quot;Determine whether the document should be publicly visible&quot;
1276 # expression: &quot;document.type != &#x27;private&#x27; &amp;&amp; document.type != &#x27;internal&#x27;&quot;
1277 #
1278 # Example (Data Manipulation):
1279 #
1280 # title: &quot;Notification string&quot;
1281 # description: &quot;Create a notification string with a timestamp.&quot;
1282 # expression: &quot;&#x27;New message received at &#x27; + string(document.create_time)&quot;
1283 #
1284 # The exact variables and functions that may be referenced within an expression
1285 # are determined by the service that evaluates it. See the service
1286 # documentation for additional information.
1287 &quot;title&quot;: &quot;A String&quot;, # Optional. Title for the expression, i.e. a short string describing
1288 # its purpose. This can be used e.g. in UIs which allow to enter the
1289 # expression.
1290 &quot;location&quot;: &quot;A String&quot;, # Optional. String indicating the location of the expression for error
1291 # reporting, e.g. a file name and a position in the file.
1292 &quot;description&quot;: &quot;A String&quot;, # Optional. Description of the expression. This is a longer text which
1293 # describes the expression, e.g. when hovered over it in a UI.
1294 &quot;expression&quot;: &quot;A String&quot;, # Textual representation of an expression in Common Expression Language
1295 # syntax.
1296 },
1297 &quot;members&quot;: [ # Specifies the identities requesting access for a Cloud Platform resource.
1298 # `members` can have the following values:
1299 #
1300 # * `allUsers`: A special identifier that represents anyone who is
1301 # on the internet; with or without a Google account.
1302 #
1303 # * `allAuthenticatedUsers`: A special identifier that represents anyone
1304 # who is authenticated with a Google account or a service account.
1305 #
1306 # * `user:{emailid}`: An email address that represents a specific Google
1307 # account. For example, `alice@example.com` .
1308 #
1309 #
1310 # * `serviceAccount:{emailid}`: An email address that represents a service
1311 # account. For example, `my-other-app@appspot.gserviceaccount.com`.
1312 #
1313 # * `group:{emailid}`: An email address that represents a Google group.
1314 # For example, `admins@example.com`.
1315 #
1316 # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
1317 # identifier) representing a user that has been recently deleted. For
1318 # example, `alice@example.com?uid=123456789012345678901`. If the user is
1319 # recovered, this value reverts to `user:{emailid}` and the recovered user
1320 # retains the role in the binding.
1321 #
1322 # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
1323 # unique identifier) representing a service account that has been recently
1324 # deleted. For example,
1325 # `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
1326 # If the service account is undeleted, this value reverts to
1327 # `serviceAccount:{emailid}` and the undeleted service account retains the
1328 # role in the binding.
1329 #
1330 # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
1331 # identifier) representing a Google group that has been recently
1332 # deleted. For example, `admins@example.com?uid=123456789012345678901`. If
1333 # the group is recovered, this value reverts to `group:{emailid}` and the
1334 # recovered group retains the role in the binding.
1335 #
1336 #
1337 # * `domain:{domain}`: The G Suite domain (primary) that represents all the
1338 # users of that domain. For example, `google.com` or `example.com`.
1339 #
1340 &quot;A String&quot;,
1341 ],
1342 },
1343 ],
1344 &quot;etag&quot;: &quot;A String&quot;, # `etag` is used for optimistic concurrency control as a way to help
1345 # prevent simultaneous updates of a policy from overwriting each other.
1346 # It is strongly suggested that systems make use of the `etag` in the
1347 # read-modify-write cycle to perform policy updates in order to avoid race
1348 # conditions: An `etag` is returned in the response to `getIamPolicy`, and
1349 # systems are expected to put that etag in the request to `setIamPolicy` to
1350 # ensure that their change will be applied to the same version of the policy.
1351 #
1352 # **Important:** If you use IAM Conditions, you must include the `etag` field
1353 # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
1354 # you to overwrite a version `3` policy with a version `1` policy, and all of
1355 # the conditions in the version `3` policy are lost.
1356 &quot;version&quot;: 42, # Specifies the format of the policy.
1357 #
1358 # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
1359 # are rejected.
1360 #
1361 # Any operation that affects conditional role bindings must specify version
1362 # `3`. This requirement applies to the following operations:
1363 #
1364 # * Getting a policy that includes a conditional role binding
1365 # * Adding a conditional role binding to a policy
1366 # * Changing a conditional role binding in a policy
1367 # * Removing any role binding, with or without a condition, from a policy
1368 # that includes conditions
1369 #
1370 # **Important:** If you use IAM Conditions, you must include the `etag` field
1371 # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
1372 # you to overwrite a version `3` policy with a version `1` policy, and all of
1373 # the conditions in the version `3` policy are lost.
1374 #
1375 # If a policy does not include any conditions, operations on that policy may
1376 # specify any valid version or leave the field unset.
1377 #
1378 # To learn which resources support conditions in their IAM policies, see the
1379 # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
Bu Sun Kim65020912020-05-20 12:08:20 -07001380 &quot;auditConfigs&quot;: [ # Specifies cloud audit logging configuration for this policy.
1381 { # Specifies the audit configuration for a service.
1382 # The configuration determines which permission types are logged, and what
1383 # identities, if any, are exempted from logging.
1384 # An AuditConfig must have one or more AuditLogConfigs.
1385 #
1386 # If there are AuditConfigs for both `allServices` and a specific service,
1387 # the union of the two AuditConfigs is used for that service: the log_types
1388 # specified in each AuditConfig are enabled, and the exempted_members in each
1389 # AuditLogConfig are exempted.
1390 #
1391 # Example Policy with multiple AuditConfigs:
1392 #
1393 # {
1394 # &quot;audit_configs&quot;: [
1395 # {
1396 # &quot;service&quot;: &quot;allServices&quot;
1397 # &quot;audit_log_configs&quot;: [
1398 # {
1399 # &quot;log_type&quot;: &quot;DATA_READ&quot;,
1400 # &quot;exempted_members&quot;: [
1401 # &quot;user:jose@example.com&quot;
1402 # ]
1403 # },
1404 # {
1405 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;,
1406 # },
1407 # {
1408 # &quot;log_type&quot;: &quot;ADMIN_READ&quot;,
1409 # }
1410 # ]
1411 # },
1412 # {
1413 # &quot;service&quot;: &quot;sampleservice.googleapis.com&quot;
1414 # &quot;audit_log_configs&quot;: [
1415 # {
1416 # &quot;log_type&quot;: &quot;DATA_READ&quot;,
1417 # },
1418 # {
1419 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;,
1420 # &quot;exempted_members&quot;: [
1421 # &quot;user:aliya@example.com&quot;
1422 # ]
1423 # }
1424 # ]
1425 # }
1426 # ]
1427 # }
1428 #
1429 # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
1430 # logging. It also exempts jose@example.com from DATA_READ logging, and
1431 # aliya@example.com from DATA_WRITE logging.
1432 &quot;service&quot;: &quot;A String&quot;, # Specifies a service that will be enabled for audit logging.
1433 # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
1434 # `allServices` is a special value that covers all services.
1435 &quot;auditLogConfigs&quot;: [ # The configuration for logging of each type of permission.
1436 { # Provides the configuration for logging a type of permissions.
1437 # Example:
1438 #
1439 # {
1440 # &quot;audit_log_configs&quot;: [
1441 # {
1442 # &quot;log_type&quot;: &quot;DATA_READ&quot;,
1443 # &quot;exempted_members&quot;: [
1444 # &quot;user:jose@example.com&quot;
1445 # ]
1446 # },
1447 # {
1448 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;
1449 # }
1450 # ]
1451 # }
1452 #
1453 # This enables &#x27;DATA_READ&#x27; and &#x27;DATA_WRITE&#x27; logging, while exempting
1454 # jose@example.com from DATA_READ logging.
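1455 &quot;exemptedMembers&quot;: [ # Specifies the identities that do not cause logging for this type of
1456 # permission.
1457 # Follows the same format as Binding.members. Access by an exempted identity produces no audit log entry of this type, so keep this list as short as possible.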
1458 &quot;A String&quot;,
1459 ],
1460 &quot;logType&quot;: &quot;A String&quot;, # The log type that this config enables.
1461 },
1462 ],
1463 },
1464 ],
1465 }</pre>
1466</div>
1467
1468<div class="method">
1469 <code class="details" id="testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</code>
1470 <pre>Returns permissions that a caller has for the specified secret.
1471If the secret does not exist, this call returns an empty set of
1472permissions, not a NOT_FOUND error, so an empty result does not tell the caller whether the secret exists.
1473
1474Note: This operation is designed to be used for building permission-aware
1475UIs and command-line tools, not for authorization checking. This operation
1476may &quot;fail open&quot; without warning, so the returned set must never be the basis for an access-control decision.
1477
1478Args:
1479 resource: string, REQUIRED: The resource for which the policy detail is being requested.
1480See the operation documentation for the appropriate value for this field. (required)
1481 body: object, The request body.
1482 The object takes the form of:
1483
1484{ # Request message for `TestIamPermissions` method.
1485 &quot;permissions&quot;: [ # The set of permissions to check for the `resource`. Permissions with
1486 # wildcards (such as &#x27;*&#x27; or &#x27;storage.*&#x27;) are not allowed. For more
1487 # information see
1488 # [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).
1489 &quot;A String&quot;,
1490 ],
1491 }
1492
1493 x__xgafv: string, V1 error format.
1494 Allowed values
1495 1 - v1 error format
1496 2 - v2 error format
1497
1498Returns:
1499 An object of the form:
1500
1501 { # Response message for `TestIamPermissions` method.
1502 &quot;permissions&quot;: [ # A subset of `TestPermissionsRequest.permissions` that the caller is
1503 # allowed.
1504 &quot;A String&quot;,
1505 ],
1506 }</pre>
1507</div>
1508
1509</body></html>