Blame - docs/dyn/cloudasset_v1.v1.html - platform/external/python/google-api-python-client

2019-06-14 16:50:42 -0700

[diff] [blame]

79

<p class="firstline">Batch gets the update history of assets that overlap a time window.</p>

80

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

81

<code><a href="#exportAssets">exportAssets(parent, body=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

82

<p class="firstline">Exports assets with time and resource types to a given Cloud Storage</p>

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

83

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

84

<code><a href="#searchAllIamPolicies">searchAllIamPolicies(scope, query=None, pageToken=None, pageSize=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

85

<p class="firstline">Searches all the IAM policies within the given accessible scope (e.g., a</p>

86

87

<code><a href="#searchAllIamPolicies_next">searchAllIamPolicies_next(previous_request, previous_response)</a></code></p>

88

<p class="firstline">Retrieves the next page of results.</p>

89

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

90

<code><a href="#searchAllResources">searchAllResources(scope, orderBy=None, query=None, assetTypes=None, pageToken=None, pageSize=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

91

<p class="firstline">Searches all the resources within the given accessible scope (e.g., a</p>

92

93

<code><a href="#searchAllResources_next">searchAllResources_next(previous_request, previous_response)</a></code></p>

94

<p class="firstline">Retrieves the next page of results.</p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

95

<h3>Method Details</h3>

96

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

97

<code class="details" id="batchGetAssetsHistory">batchGetAssetsHistory(parent, assetNames=None, contentType=None, readTimeWindow_endTime=None, readTimeWindow_startTime=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

98

<pre>Batch gets the update history of assets that overlap a time window.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

99

For IAM_POLICY content, this API outputs history when the asset and its

100

attached IAM POLICY both exist. This can create gaps in the output history.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

101

Otherwise, this API outputs history with asset in both non-delete or

102

deleted status.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

103

If a specified asset does not exist, this API returns an INVALID_ARGUMENT

error.

Args:

parent: string, Required. The relative name of the root asset. It can only be an

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

108

organization number (such as "organizations/123"), a project ID (such as

109

"projects/my-project-id")", or a project number (such as "projects/12345"). (required)

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

110

assetNames: string, A list of the full names of the assets.

111

See: https://cloud.google.com/asset-inventory/docs/resource-name-format

112

Example:

113

114

`//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`.

115

116

The request becomes a no-op if the asset name list is empty, and the max

117

size of the asset name list is 100 in one request. (repeated)

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

118

contentType: string, Optional. The content type.

119

readTimeWindow_endTime: string, End time of the time window (inclusive). If not specified, the current

120

timestamp is used instead.

121

readTimeWindow_startTime: string, Start time of the time window (exclusive).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

122

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

129

130

{ # Batch get assets history response.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

131

"assets": [ # A list of assets with valid time windows.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

132

{ # An asset in Google Cloud and its temporal metadata, including the time window

133

# when it was observed and its status during that window.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

134

"deleted": True or False, # Whether the asset has been deleted or not.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

135

"priorAsset": { # An asset in Google Cloud. An asset can be any resource in the Google Cloud # Prior copy of the asset. Populated if prior_asset_state is PRESENT.

136

# Currently this is only set for responses in Real-Time Feed.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

137

# [resource

138

# hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy),

139

# a resource outside the Google Cloud resource hierarchy (such as Google

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

140

# Kubernetes Engine clusters and objects), or a policy (e.g. Cloud IAM policy).

141

# See [Supported asset

142

# types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)

143

# for more information.

144

"iamPolicy": { # An Identity and Access Management (IAM) policy, which specifies access # A representation of the Cloud IAM policy set on a Google Cloud resource.

145

# There can be a maximum of one Cloud IAM policy set on any given resource.

146

# In addition, Cloud IAM policies inherit their granted access scope from any

147

# policies set on parent resources in the resource hierarchy. Therefore, the

148

# effectively policy is the union of both the policy set on this resource

149

# and each policy set on all of the resource's ancestry resource levels in

150

# the hierarchy. See

151

# [this topic](https://cloud.google.com/iam/docs/policies#inheritance) for

152

# more information.

153

# controls for Google Cloud resources.

154

#

155

#

156

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

157

# `members` to a single `role`. Members can be user accounts, service accounts,

158

# Google groups, and domains (such as G Suite). A `role` is a named list of

159

# permissions; each `role` can be an IAM predefined role or a user-created

160

# custom role.

161

#

162

# For some types of Google Cloud resources, a `binding` can also specify a

163

# `condition`, which is a logical expression that allows access to a resource

164

# only if the expression evaluates to `true`. A condition can add constraints

165

# based on attributes of the request, the resource, or both. To learn which

166

# resources support conditions in their IAM policies, see the

167

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

#

# **JSON example:**

#

# {

# "bindings": [

# {

# "role": "roles/resourcemanager.organizationAdmin",

175

# "members": [

176

# "user:mike@example.com",

177

# "group:admins@example.com",

178

# "domain:google.com",

179

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

# ]

# },

# {

# "role": "roles/resourcemanager.organizationViewer",

184

# "members": [

185

# "user:eve@example.com"

186

# ],

187

# "condition": {

188

# "title": "expirable access",

189

# "description": "Does not grant access after Sep 2020",

190

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

# }

# }

# ],

# "etag": "BwWWja0YfJA=",

# "version": 3

# }

#

# **YAML example:**

#

# bindings:

# - members:

# - user:mike@example.com

203

# - group:admins@example.com

204

# - domain:google.com

205

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

206

# role: roles/resourcemanager.organizationAdmin

207

# - members:

208

# - user:eve@example.com

209

# role: roles/resourcemanager.organizationViewer

210

# condition:

211

# title: expirable access

212

# description: Does not grant access after Sep 2020

213

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

214

# - etag: BwWWja0YfJA=

215

# - version: 3

216

#

217

# For a description of IAM and its features, see the

218

# [IAM documentation](https://cloud.google.com/iam/docs/).

219

"version": 42, # Specifies the format of the policy.

220

#

221

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

222

# are rejected.

223

#

224

# Any operation that affects conditional role bindings must specify version

225

# `3`. This requirement applies to the following operations:

226

#

227

# * Getting a policy that includes a conditional role binding

228

# * Adding a conditional role binding to a policy

229

# * Changing a conditional role binding in a policy

230

# * Removing any role binding, with or without a condition, from a policy

231

# that includes conditions

232

#

233

# **Important:** If you use IAM Conditions, you must include the `etag` field

234

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

235

# you to overwrite a version `3` policy with a version `1` policy, and all of

236

# the conditions in the version `3` policy are lost.

237

#

238

# If a policy does not include any conditions, operations on that policy may

239

# specify any valid version or leave the field unset.

240

#

241

# To learn which resources support conditions in their IAM policies, see the

242

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

243

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

244

{ # Specifies the audit configuration for a service.

245

# The configuration determines which permission types are logged, and what

246

# identities, if any, are exempted from logging.

247

# An AuditConfig must have one or more AuditLogConfigs.

248

#

249

# If there are AuditConfigs for both `allServices` and a specific service,

250

# the union of the two AuditConfigs is used for that service: the log_types

251

# specified in each AuditConfig are enabled, and the exempted_members in each

252

# AuditLogConfig are exempted.

253

#

254

# Example Policy with multiple AuditConfigs:

#

# {

# "audit_configs": [

# {

# "service": "allServices",

260

# "audit_log_configs": [

261

# {

262

# "log_type": "DATA_READ",

263

# "exempted_members": [

264

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE"

269

# },

270

# {

271

# "log_type": "ADMIN_READ"

# }

# ]

# },

# {

# "service": "sampleservice.googleapis.com",

277

# "audit_log_configs": [

278

# {

279

# "log_type": "DATA_READ"

280

# },

281

# {

282

# "log_type": "DATA_WRITE",

283

# "exempted_members": [

284

# "user:aliya@example.com"

# ]

# }

# ]

# }

# ]

# }

#

# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ

293

# logging. It also exempts jose@example.com from DATA_READ logging, and

294

# aliya@example.com from DATA_WRITE logging.

295

"service": "A String", # Specifies a service that will be enabled for audit logging.

296

# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.

297

# `allServices` is a special value that covers all services.

298

"auditLogConfigs": [ # The configuration for logging of each type of permission.

299

{ # Provides the configuration for logging a type of permissions.

# Example:

#

# {

# "audit_log_configs": [

304

# {

305

# "log_type": "DATA_READ",

306

# "exempted_members": [

307

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE"

# }

# ]

# }

#

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting

317

# jose@example.com from DATA_READ logging.

318

"logType": "A String", # The log type that this config enables.

319

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of

320

# permission.

321

# Follows the same format of Binding.members.

322

"A String",

323

],

324

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

325

],

326

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

327

],

328

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

329

# `condition` that determines how and when the `bindings` are applied. Each

330

# of the `bindings` must contain at least one member.

331

{ # Associates `members` with a `role`.

332

"role": "A String", # Role that is assigned to `members`.

333

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

334

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

335

# `members` can have the following values:

336

#

337

# * `allUsers`: A special identifier that represents anyone who is

338

# on the internet; with or without a Google account.

339

#

340

# * `allAuthenticatedUsers`: A special identifier that represents anyone

341

# who is authenticated with a Google account or a service account.

342

#

343

# * `user:{emailid}`: An email address that represents a specific Google

344

# account. For example, `alice@example.com` .

345

#

346

#

347

# * `serviceAccount:{emailid}`: An email address that represents a service

348

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

349

#

350

# * `group:{emailid}`: An email address that represents a Google group.

351

# For example, `admins@example.com`.

352

#

353

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

354

# identifier) representing a user that has been recently deleted. For

355

# example, `alice@example.com?uid=123456789012345678901`. If the user is

356

# recovered, this value reverts to `user:{emailid}` and the recovered user

357

# retains the role in the binding.

358

#

359

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

360

# unique identifier) representing a service account that has been recently

361

# deleted. For example,

362

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

363

# If the service account is undeleted, this value reverts to

364

# `serviceAccount:{emailid}` and the undeleted service account retains the

365

# role in the binding.

366

#

367

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

368

# identifier) representing a Google group that has been recently

369

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

370

# the group is recovered, this value reverts to `group:{emailid}` and the

371

# recovered group retains the role in the binding.

372

#

373

#

374

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

375

# users of that domain. For example, `google.com` or `example.com`.

376

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

377

"A String",

378

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

379

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

380

#

381

# If the condition evaluates to `true`, then this binding applies to the

382

# current request.

383

#

384

# If the condition evaluates to `false`, then this binding does not apply to

385

# the current request. However, a different role binding might grant the same

386

# role to one or more of the members in this binding.

387

#

388

# To learn which resources support conditions in their IAM policies, see the

389

# [IAM

390

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

391

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

392

# are documented at https://github.com/google/cel-spec.

393

#

394

# Example (Comparison):

395

#

396

# title: "Summary size limit"

397

# description: "Determines if a summary is less than 100 chars"

398

# expression: "document.summary.size() < 100"

399

#

400

# Example (Equality):

401

#

402

# title: "Requestor is owner"

403

# description: "Determines if requestor is the document owner"

404

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

409

# description: "Determine whether the document should be publicly visible"

410

# expression: "document.type != 'private' && document.type != 'internal'"

411

#

412

# Example (Data Manipulation):

413

#

414

# title: "Notification string"

415

# description: "Create a notification string with a timestamp."

416

# expression: "'New message received at ' + string(document.create_time)"

417

#

418

# The exact variables and functions that may be referenced within an expression

419

# are determined by the service that evaluates it. See the service

420

# documentation for additional information.

421

"description": "A String", # Optional. Description of the expression. This is a longer text which

422

# describes the expression, e.g. when hovered over it in a UI.

423

"location": "A String", # Optional. String indicating the location of the expression for error

424

# reporting, e.g. a file name and a position in the file.

425

"expression": "A String", # Textual representation of an expression in Common Expression Language

426

# syntax.

427

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

428

# its purpose. This can be used e.g. in UIs which allow to enter the

429

# expression.

430

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

431

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

432

],

433

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

434

# prevent simultaneous updates of a policy from overwriting each other.

435

# It is strongly suggested that systems make use of the `etag` in the

436

# read-modify-write cycle to perform policy updates in order to avoid race

437

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

438

# systems are expected to put that etag in the request to `setIamPolicy` to

439

# ensure that their change will be applied to the same version of the policy.

440

#

441

# **Important:** If you use IAM Conditions, you must include the `etag` field

442

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

443

# you to overwrite a version `3` policy with a version `1` policy, and all of

444

# the conditions in the version `3` policy are lost.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

445

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

446

"assetType": "A String", # The type of the asset. Example: `compute.googleapis.com/Disk`

447

#

448

# See [Supported asset

449

# types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)

450

# for more information.

451

"ancestors": [ # The ancestry path of an asset in Google Cloud [resource

452

# hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy),

453

# represented as a list of relative resource names. An ancestry path starts

454

# with the closest ancestor in the hierarchy and ends at root. If the asset

455

# is a project, folder, or organization, the ancestry path starts from the

456

# asset itself.

457

#

458

# Example: `["projects/123456789", "folders/5432", "organizations/1234"]`

459

"A String",

460

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

461

"resource": { # A representation of a Google Cloud resource. # A representation of the resource.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

462

"resourceUrl": "A String", # The REST URL for accessing the resource. An HTTP `GET` request using this

463

# URL returns the resource itself. Example:

464

# `https://cloudresourcemanager.googleapis.com/v1/projects/my-project-123`

465

#

466

# This value is unspecified for resources without a REST API.

467

"discoveryName": "A String", # The JSON schema name listed in the discovery document. Example:

468

# `Project`

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

469

#

470

# This value is unspecified for resources that do not have an API based on a

471

# discovery document, such as Cloud Bigtable.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

472

"discoveryDocumentUri": "A String", # The URL of the discovery document containing the resource's JSON schema.

473

# Example:

474

# `https://www.googleapis.com/discovery/v1/apis/compute/v1/rest`

475

#

476

# This value is unspecified for resources that do not have an API based on a

477

# discovery document, such as Cloud Bigtable.

478

"data": { # The content of the resource, in which some sensitive fields are removed

479

# and may not be present.

480

"a_key": "", # Properties of the object.

481

},

482

"version": "A String", # The API version. Example: `v1`

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

483

"parent": "A String", # The full name of the immediate parent of this resource. See

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

484

# [Resource

485

# Names](https://cloud.google.com/apis/design/resource_names#full_resource_name)

486

# for more information.

487

#

488

# For Google Cloud assets, this value is the parent resource defined in the

489

# [Cloud IAM policy

490

# hierarchy](https://cloud.google.com/iam/docs/overview#policy_hierarchy).

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

491

# Example:

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

492

# `//cloudresourcemanager.googleapis.com/projects/my_project_123`

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

493

#

494

# For third-party assets, this field may be set differently.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

495

"location": "A String", # The location of the resource in Google Cloud, such as its zone and region.

496

# For more information, see https://cloud.google.com/about/locations/.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

497

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

498

"accessPolicy": { # `AccessPolicy` is a container for `AccessLevels` (which define the necessary # Please also refer to the [access policy user

499

# guide](https://cloud.google.com/access-context-manager/docs/overview#access-policies).

500

# attributes to use Google Cloud services) and `ServicePerimeters` (which

501

# define regions of services able to freely pass data within a perimeter). An

502

# access policy is globally visible within an organization, and the

503

# restrictions it specifies apply to all projects within an organization.

504

"parent": "A String", # Required. The parent of this `AccessPolicy` in the Cloud Resource

505

# Hierarchy. Currently immutable once created. Format:

506

# `organizations/{organization_id}`

507

"title": "A String", # Required. Human readable title. Does not affect behavior.

508

"name": "A String", # Output only. Resource name of the `AccessPolicy`. Format:

509

# `accessPolicies/{policy_id}`

510

"etag": "A String", # Output only. An opaque identifier for the current version of the

511

# `AccessPolicy`. This will always be a strongly validated etag, meaning that

512

# two Access Polices will be identical if and only if their etags are

513

# identical. Clients should not expect this to be in any specific format.

514

},

515

"accessLevel": { # An `AccessLevel` is a label that can be applied to requests to Google Cloud # Please also refer to the [access level user

516

# guide](https://cloud.google.com/access-context-manager/docs/overview#access-levels).

517

# services, along with a list of requirements necessary for the label to be

518

# applied.

519

"description": "A String", # Description of the `AccessLevel` and its use. Does not affect behavior.

520

"basic": { # `BasicLevel` is an `AccessLevel` using a set of recommended features. # A `BasicLevel` composed of `Conditions`.

521

"combiningFunction": "A String", # How the `conditions` list should be combined to determine if a request is

522

# granted this `AccessLevel`. If AND is used, each `Condition` in

523

# `conditions` must be satisfied for the `AccessLevel` to be applied. If OR

524

# is used, at least one `Condition` in `conditions` must be satisfied for the

525

# `AccessLevel` to be applied. Default behavior is AND.

526

"conditions": [ # Required. A list of requirements for the `AccessLevel` to be granted.

527

{ # A condition necessary for an `AccessLevel` to be granted. The Condition is an

528

# AND over its fields. So a Condition is true if: 1) the request IP is from one

529

# of the listed subnetworks AND 2) the originating device complies with the

530

# listed device policy AND 3) all listed access levels are granted AND 4) the

531

# request was sent at a time allowed by the DateTimeRestriction.

532

"requiredAccessLevels": [ # A list of other access levels defined in the same `Policy`, referenced by

533

# resource name. Referencing an `AccessLevel` which does not exist is an

534

# error. All access levels listed must be granted for the Condition

535

# to be true. Example:

536

# "`accessPolicies/MY_POLICY/accessLevels/LEVEL_NAME"`

537

"A String",

538

],

539

"devicePolicy": { # `DevicePolicy` specifies device specific restrictions necessary to acquire a # Device specific restrictions, all restrictions must hold for the

540

# Condition to be true. If not specified, all devices are allowed.

541

# given access level. A `DevicePolicy` specifies requirements for requests from

542

# devices to be granted access levels, it does not do any enforcement on the

543

# device. `DevicePolicy` acts as an AND over all specified fields, and each

544

# repeated field is an OR over its elements. Any unset fields are ignored. For

545

# example, if the proto is { os_type : DESKTOP_WINDOWS, os_type :

546

# DESKTOP_LINUX, encryption_status: ENCRYPTED}, then the DevicePolicy will be

547

# true for requests originating from encrypted Linux desktops and encrypted

548

# Windows desktops.

549

"requireScreenlock": True or False, # Whether or not screenlock is required for the DevicePolicy to be true.

550

# Defaults to `false`.

551

"osConstraints": [ # Allowed OS versions, an empty list allows all types and all versions.

552

{ # A restriction on the OS type and version of devices making requests.

553

"osType": "A String", # Required. The allowed OS type.

554

"minimumVersion": "A String", # The minimum allowed OS version. If not set, any version of this OS

555

# satisfies the constraint. Format: `"major.minor.patch"`.

556

# Examples: `"10.5.301"`, `"9.2.1"`.

557

"requireVerifiedChromeOs": True or False, # Only allows requests from devices with a verified Chrome OS.

558

# Verifications includes requirements that the device is enterprise-managed,

559

# conformant to domain policies, and the caller has permission to call

560

# the API targeted by the request.

561

},

562

],

563

"requireAdminApproval": True or False, # Whether the device needs to be approved by the customer admin.

564

"allowedDeviceManagementLevels": [ # Allowed device management levels, an empty list allows all management

# levels.

"A String",

],

"requireCorpOwned": True or False, # Whether the device needs to be corp owned.

569

"allowedEncryptionStatuses": [ # Allowed encryptions statuses, an empty list allows all statuses.

"A String",

],

},

"members": [ # The request must be made by one of the provided user or service

574

# accounts. Groups are not supported.

575

# Syntax:

576

# `user:{emailid}`

577

# `serviceAccount:{emailid}`

578

# If not specified, a request may come from any user.

579

"A String",

580

],

581

"regions": [ # The request must originate from one of the provided countries/regions.

582

# Must be valid ISO 3166-1 alpha-2 codes.

583

"A String",

584

],

585

"ipSubnetworks": [ # CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for

586

# a CIDR IP address block, the specified IP address portion must be properly

587

# truncated (i.e. all the host bits must be zero) or the input is considered

588

# malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is

589

# not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas

590

# "2001:db8::1/32" is not. The originating IP of a request must be in one of

591

# the listed subnets in order for this Condition to be true. If empty, all IP

592

# addresses are allowed.

593

"A String",

594

],

595

"negate": True or False, # Whether to negate the Condition. If true, the Condition becomes a NAND over

596

# its non-empty fields, each field must be false for the Condition overall to

597

# be satisfied. Defaults to false.

},

],

},

"name": "A String", # Required. Resource name for the Access Level. The `short_name` component

602

# must begin with a letter and only include alphanumeric and '_'. Format:

603

# `accessPolicies/{policy_id}/accessLevels/{short_name}`. The maximum length

604

# of the `short_name` component is 50 characters.

605

"custom": { # `CustomLevel` is an `AccessLevel` using the Cloud Common Expression Language # A `CustomLevel` written in the Common Expression Language.

606

# to represent the necessary conditions for the level to apply to a request.

607

# See CEL spec at: https://github.com/google/cel-spec

608

"expr": { # Represents a textual expression in the Common Expression Language (CEL) # Required. A Cloud CEL expression evaluating to a boolean.

609

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

610

# are documented at https://github.com/google/cel-spec.

611

#

612

# Example (Comparison):

613

#

614

# title: "Summary size limit"

615

# description: "Determines if a summary is less than 100 chars"

616

# expression: "document.summary.size() < 100"

617

#

618

# Example (Equality):

619

#

620

# title: "Requestor is owner"

621

# description: "Determines if requestor is the document owner"

622

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

627

# description: "Determine whether the document should be publicly visible"

628

# expression: "document.type != 'private' && document.type != 'internal'"

629

#

630

# Example (Data Manipulation):

631

#

632

# title: "Notification string"

633

# description: "Create a notification string with a timestamp."

634

# expression: "'New message received at ' + string(document.create_time)"

635

#

636

# The exact variables and functions that may be referenced within an expression

637

# are determined by the service that evaluates it. See the service

638

# documentation for additional information.

639

"description": "A String", # Optional. Description of the expression. This is a longer text which

640

# describes the expression, e.g. when hovered over it in a UI.

641

"location": "A String", # Optional. String indicating the location of the expression for error

642

# reporting, e.g. a file name and a position in the file.

643

"expression": "A String", # Textual representation of an expression in Common Expression Language

644

# syntax.

645

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

646

# its purpose. This can be used e.g. in UIs which allow to enter the

# expression.

},

},

"title": "A String", # Human readable title. Must be unique within the Policy.

651

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

652

"orgPolicy": [ # A representation of an [organization

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

653

# policy](https://cloud.google.com/resource-manager/docs/organization-policy/overview#organization_policy).

654

# There can be more than one organization policy with different constraints

655

# set on a given resource.

656

{ # Defines a Cloud Organization `Policy` which is used to specify `Constraints`

657

# for configurations of Cloud Platform resources.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

658

"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for

659

# concurrency control.

660

#

661

# When the `Policy` is returned from either a `GetPolicy` or a

662

# `ListOrgPolicy` request, this `etag` indicates the version of the current

663

# `Policy` to use when executing a read-modify-write loop.

664

#

665

# When the `Policy` is returned from a `GetEffectivePolicy` request, the

666

# `etag` will be unset.

667

#

668

# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value

669

# that was returned from a `GetOrgPolicy` request as part of a

670

# read-modify-write loop for concurrency control. Not setting the `etag`in a

671

# `SetOrgPolicy` request will result in an unconditional write of the

672

# `Policy`.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

673

"version": 42, # Version of the `Policy`. Default version is 0;

674

"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of

675

# `Constraint` type.

676

# `constraint_default` enforcement behavior of the specific `Constraint` at

677

# this resource.

678

#

679

# Suppose that `constraint_default` is set to `ALLOW` for the

680

# `Constraint` `constraints/serviceuser.services`. Suppose that organization

681

# foo.com sets a `Policy` at their Organization resource node that restricts

682

# the allowed service activations to deny all service activations. They

683

# could then set a `Policy` with the `policy_type` `restore_default` on

684

# several experimental projects, restoring the `constraint_default`

685

# enforcement of the `Constraint` for only those projects, allowing those

686

# projects to have all services activated.

687

},

688

"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the

689

# server, not specified by the caller, and represents the last time a call to

690

# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will

691

# be ignored.

692

"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,

693

# `constraints/serviceuser.services`.

694

#

695

# A [list of available

696

# constraints](/resource-manager/docs/organization-policy/org-policy-constraints)

697

# is available.

698

#

699

# Immutable after creation.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

700

"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.

701

# resource.

702

"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any

703

# configuration is acceptable.

704

#

705

# Suppose you have a `Constraint`

706

# `constraints/compute.disableSerialPortAccess` with `constraint_default`

707

# set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following

708

# behavior:

709

# - If the `Policy` at this resource has enforced set to `false`, serial

710

# port connection attempts will be allowed.

711

# - If the `Policy` at this resource has enforced set to `true`, serial

712

# port connection attempts will be refused.

713

# - If the `Policy` at this resource is `RestoreDefault`, serial port

714

# connection attempts will be allowed.

715

# - If no `Policy` is set at this resource or anywhere higher in the

716

# resource hierarchy, serial port connection attempts will be allowed.

717

# - If no `Policy` is set at this resource, but one exists higher in the

718

# resource hierarchy, the behavior is as if the`Policy` were set at

719

# this resource.

720

#

721

# The following examples demonstrate the different possible layerings:

722

#

723

# Example 1 (nearest `Constraint` wins):

724

# `organizations/foo` has a `Policy` with:

725

# {enforced: false}

726

# `projects/bar` has no `Policy` set.

727

# The constraint at `projects/bar` and `organizations/foo` will not be

728

# enforced.

729

#

730

# Example 2 (enforcement gets replaced):

731

# `organizations/foo` has a `Policy` with:

732

# {enforced: false}

733

# `projects/bar` has a `Policy` with:

734

# {enforced: true}

735

# The constraint at `organizations/foo` is not enforced.

736

# The constraint at `projects/bar` is enforced.

737

#

738

# Example 3 (RestoreDefault):

739

# `organizations/foo` has a `Policy` with:

740

# {enforced: true}

741

# `projects/bar` has a `Policy` with:

742

# {RestoreDefault: {}}

743

# The constraint at `organizations/foo` is enforced.

744

# The constraint at `projects/bar` is not enforced, because

745

# `constraint_default` for the `Constraint` is `ALLOW`.

746

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

747

"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

748

# resource.

749

#

750

# `ListPolicy` can define specific values and subtrees of Cloud Resource

751

# Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that

752

# are allowed or denied by setting the `allowed_values` and `denied_values`

753

# fields. This is achieved by using the `under:` and optional `is:` prefixes.

754

# The `under:` prefix is used to denote resource subtree values.

755

# The `is:` prefix is used to denote specific values, and is required only

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

756

# if the value contains a ":". Values prefixed with "is:" are treated the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

757

# same as values with no prefix.

758

# Ancestry subtrees must be in one of the following formats:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

759

# - "projects/<project-id>", e.g. "projects/tokyo-rain-123"

760

# - "folders/<folder-id>", e.g. "folders/1234"

761

# - "organizations/<organization-id>", e.g. "organizations/1234"

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

762

# The `supports_under` field of the associated `Constraint` defines whether

763

# ancestry prefixes can be used. You can set `allowed_values` and

764

# `denied_values` in the same `Policy` if `all_values` is

765

# `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all

766

# values. If `all_values` is set to either `ALLOW` or `DENY`,

767

# `allowed_values` and `denied_values` must be unset.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

768

"allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`

769

# is set to `ALL_VALUES_UNSPECIFIED`.

770

"A String",

771

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

772

"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

773

#

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

774

# By default, a `ListPolicy` set at a resource supersedes any `Policy` set

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

775

# anywhere up the resource hierarchy. However, if `inherit_from_parent` is

776

# set to `true`, then the values from the effective `Policy` of the parent

777

# resource are inherited, meaning the values set in this `Policy` are

778

# added to the values inherited up the hierarchy.

779

#

780

# Setting `Policy` hierarchies that inherit both allowed values and denied

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

781

# values isn't recommended in most circumstances to keep the configuration

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

782

# simple and understandable. However, it is possible to set a `Policy` with

783

# `allowed_values` set that inherits a `Policy` with `denied_values` set.

784

# In this case, the values that are allowed must be in `allowed_values` and

785

# not present in `denied_values`.

786

#

787

# For example, suppose you have a `Constraint`

788

# `constraints/serviceuser.services`, which has a `constraint_type` of

789

# `list_constraint`, and with `constraint_default` set to `ALLOW`.

790

# Suppose that at the Organization level, a `Policy` is applied that

791

# restricts the allowed API activations to {`E1`, `E2`}. Then, if a

792

# `Policy` is applied to a project below the Organization that has

793

# `inherit_from_parent` set to `false` and field all_values set to DENY,

794

# then an attempt to activate any API will be denied.

795

#

796

# The following examples demonstrate different possible layerings for

797

# `projects/bar` parented by `organizations/foo`:

798

#

799

# Example 1 (no inherited values):

800

# `organizations/foo` has a `Policy` with values:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

801

# {allowed_values: "E1" allowed_values:"E2"}

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

802

# `projects/bar` has `inherit_from_parent` `false` and values:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

803

# {allowed_values: "E3" allowed_values: "E4"}

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

804

# The accepted values at `organizations/foo` are `E1`, `E2`.

805

# The accepted values at `projects/bar` are `E3`, and `E4`.

806

#

807

# Example 2 (inherited values):

808

# `organizations/foo` has a `Policy` with values:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

809

# {allowed_values: "E1" allowed_values:"E2"}

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

810

# `projects/bar` has a `Policy` with values:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

811

# {value: "E3" value: "E4" inherit_from_parent: true}

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

812

# The accepted values at `organizations/foo` are `E1`, `E2`.

813

# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.

814

#

815

# Example 3 (inheriting both allowed and denied values):

816

# `organizations/foo` has a `Policy` with values:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

817

# {allowed_values: "E1" allowed_values: "E2"}

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

818

# `projects/bar` has a `Policy` with:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

819

# {denied_values: "E1"}

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

820

# The accepted values at `organizations/foo` are `E1`, `E2`.

821

# The value accepted at `projects/bar` is `E2`.

822

#

823

# Example 4 (RestoreDefault):

824

# `organizations/foo` has a `Policy` with values:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

825

# {allowed_values: "E1" allowed_values:"E2"}

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

826

# `projects/bar` has a `Policy` with values:

827

# {RestoreDefault: {}}

828

# The accepted values at `organizations/foo` are `E1`, `E2`.

829

# The accepted values at `projects/bar` are either all or none depending on

830

# the value of `constraint_default` (if `ALLOW`, all; if

831

# `DENY`, none).

832

#

833

# Example 5 (no policy inherits parent policy):

834

# `organizations/foo` has no `Policy` set.

835

# `projects/bar` has no `Policy` set.

836

# The accepted values at both levels are either all or none depending on

837

# the value of `constraint_default` (if `ALLOW`, all; if

838

# `DENY`, none).

839

#

840

# Example 6 (ListConstraint allowing all):

841

# `organizations/foo` has a `Policy` with values:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

842

# {allowed_values: "E1" allowed_values: "E2"}

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

843

# `projects/bar` has a `Policy` with:

844

# {all: ALLOW}

845

# The accepted values at `organizations/foo` are `E1`, E2`.

846

# Any value is accepted at `projects/bar`.

847

#

848

# Example 7 (ListConstraint allowing none):

849

# `organizations/foo` has a `Policy` with values:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

850

# {allowed_values: "E1" allowed_values: "E2"}

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

851

# `projects/bar` has a `Policy` with:

852

# {all: DENY}

853

# The accepted values at `organizations/foo` are `E1`, E2`.

854

# No value is accepted at `projects/bar`.

855

#

856

# Example 10 (allowed and denied subtrees of Resource Manager hierarchy):

857

# Given the following resource hierarchy

858

# O1->{F1, F2}; F1->{P1}; F2->{P2, P3},

859

# `organizations/foo` has a `Policy` with values:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

860

# {allowed_values: "under:organizations/O1"}

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

861

# `projects/bar` has a `Policy` with:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

862

# {allowed_values: "under:projects/P3"}

863

# {denied_values: "under:folders/F2"}

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

864

# The accepted values at `organizations/foo` are `organizations/O1`,

865

# `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,

866

# `projects/P3`.

867

# The accepted values at `projects/bar` are `organizations/O1`,

868

# `folders/F1`, `projects/P1`.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

869

"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration

870

# that matches the value specified in this `Policy`. If `suggested_value`

871

# is not set, it will inherit the value specified higher in the hierarchy,

872

# unless `inherit_from_parent` is `false`.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

873

"deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`

874

# is set to `ALL_VALUES_UNSPECIFIED`.

875

"A String",

876

],

877

"allValues": "A String", # The policy all_values state.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

878

},

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

879

},

880

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

881

"name": "A String", # The full name of the asset. Example:

882

# `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`

883

#

884

# See [Resource

885

# names](https://cloud.google.com/apis/design/resource_names#full_resource_name)

886

# for more information.

887

"updateTime": "A String", # The last update timestamp of an asset. update_time is updated when

888

# create/update/delete operation is performed.

889

"servicePerimeter": { # `ServicePerimeter` describes a set of Google Cloud resources which can freely # Please also refer to the [service perimeter user

890

# guide](https://cloud.google.com/vpc-service-controls/docs/overview).

891

# import and export data amongst themselves, but not export outside of the

892

# `ServicePerimeter`. If a request with a source within this `ServicePerimeter`

893

# has a target outside of the `ServicePerimeter`, the request will be blocked.

894

# Otherwise the request is allowed. There are two types of Service Perimeter -

895

# Regular and Bridge. Regular Service Perimeters cannot overlap, a single

896

# Google Cloud project can only belong to a single regular Service Perimeter.

897

# Service Perimeter Bridges can contain only Google Cloud projects as members,

898

# a single Google Cloud project may belong to multiple Service Perimeter

899

# Bridges.

900

"title": "A String", # Human readable title. Must be unique within the Policy.

901

"perimeterType": "A String", # Perimeter type indicator. A single project is

902

# allowed to be a member of single regular perimeter, but multiple service

903

# perimeter bridges. A project cannot be a included in a perimeter bridge

904

# without being included in regular perimeter. For perimeter bridges,

905

# the restricted service list as well as access level lists must be

906

# empty.

907

"status": { # `ServicePerimeterConfig` specifies a set of Google Cloud resources that # Current ServicePerimeter configuration. Specifies sets of resources,

908

# restricted services and access levels that determine perimeter

909

# content and boundaries.

910

# describe specific Service Perimeter configuration.

911

"resources": [ # A list of Google Cloud resources that are inside of the service perimeter.

912

# Currently only projects are allowed. Format: `projects/{project_number}`

913

"A String",

914

],

915

"restrictedServices": [ # Google Cloud services that are subject to the Service Perimeter

916

# restrictions. For example, if `storage.googleapis.com` is specified, access

917

# to the storage buckets inside the perimeter must meet the perimeter's

918

# access restrictions.

919

"A String",

920

],

921

"accessLevels": [ # A list of `AccessLevel` resource names that allow resources within the

922

# `ServicePerimeter` to be accessed from the internet. `AccessLevels` listed

923

# must be in the same policy as this `ServicePerimeter`. Referencing a

924

# nonexistent `AccessLevel` is a syntax error. If no `AccessLevel` names are

925

# listed, resources within the perimeter can only be accessed via Google

926

# Cloud calls with request origins within the perimeter. Example:

927

# `"accessPolicies/MY_POLICY/accessLevels/MY_LEVEL"`.

928

# For Service Perimeter Bridge, must be empty.

929

"A String",

930

],

931

"vpcAccessibleServices": { # Specifies how APIs are allowed to communicate within the Service # Configuration for APIs allowed within Perimeter.

932

# Perimeter.

933

"allowedServices": [ # The list of APIs usable within the Service Perimeter. Must be empty

934

# unless 'enable_restriction' is True.

935

"A String",

936

],

937

"enableRestriction": True or False, # Whether to restrict API calls within the Service Perimeter to the list of

938

# APIs specified in 'allowed_services'.

939

},

940

},

941

"name": "A String", # Required. Resource name for the ServicePerimeter. The `short_name`

942

# component must begin with a letter and only include alphanumeric and '_'.

943

# Format: `accessPolicies/{policy_id}/servicePerimeters/{short_name}`

944

"useExplicitDryRunSpec": True or False, # Use explicit dry run spec flag. Ordinarily, a dry-run spec implicitly

945

# exists for all Service Perimeters, and that spec is identical to the

946

# status for those Service Perimeters. When this flag is set, it inhibits the

947

# generation of the implicit spec, thereby allowing the user to explicitly

948

# provide a configuration ("spec") to use in a dry-run version of the Service

949

# Perimeter. This allows the user to test changes to the enforced config

950

# ("status") without actually enforcing them. This testing is done through

951

# analyzing the differences between currently enforced and suggested

952

# restrictions. use_explicit_dry_run_spec must bet set to True if any of the

953

# fields in the spec are set to non-default values.

954

"spec": { # `ServicePerimeterConfig` specifies a set of Google Cloud resources that # Proposed (or dry run) ServicePerimeter configuration. This configuration

955

# allows to specify and test ServicePerimeter configuration without enforcing

956

# actual access restrictions. Only allowed to be set when the

957

# "use_explicit_dry_run_spec" flag is set.

958

# describe specific Service Perimeter configuration.

959

"resources": [ # A list of Google Cloud resources that are inside of the service perimeter.

960

# Currently only projects are allowed. Format: `projects/{project_number}`

961

"A String",

962

],

963

"restrictedServices": [ # Google Cloud services that are subject to the Service Perimeter

964

# restrictions. For example, if `storage.googleapis.com` is specified, access

965

# to the storage buckets inside the perimeter must meet the perimeter's

966

# access restrictions.

967

"A String",

968

],

969

"accessLevels": [ # A list of `AccessLevel` resource names that allow resources within the

970

# `ServicePerimeter` to be accessed from the internet. `AccessLevels` listed

971

# must be in the same policy as this `ServicePerimeter`. Referencing a

972

# nonexistent `AccessLevel` is a syntax error. If no `AccessLevel` names are

973

# listed, resources within the perimeter can only be accessed via Google

974

# Cloud calls with request origins within the perimeter. Example:

975

# `"accessPolicies/MY_POLICY/accessLevels/MY_LEVEL"`.

976

# For Service Perimeter Bridge, must be empty.

977

"A String",

978

],

979

"vpcAccessibleServices": { # Specifies how APIs are allowed to communicate within the Service # Configuration for APIs allowed within Perimeter.

980

# Perimeter.

981

"allowedServices": [ # The list of APIs usable within the Service Perimeter. Must be empty

982

# unless 'enable_restriction' is True.

983

"A String",

984

],

985

"enableRestriction": True or False, # Whether to restrict API calls within the Service Perimeter to the list of

986

# APIs specified in 'allowed_services'.

987

},

988

},

989

"description": "A String", # Description of the `ServicePerimeter` and its use. Does not affect

# behavior.

},

},

"asset": { # An asset in Google Cloud. An asset can be any resource in the Google Cloud # An asset in Google Cloud.

994

# [resource

995

# hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy),

996

# a resource outside the Google Cloud resource hierarchy (such as Google

997

# Kubernetes Engine clusters and objects), or a policy (e.g. Cloud IAM policy).

998

# See [Supported asset

999

# types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)

1000

# for more information.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1001

"iamPolicy": { # An Identity and Access Management (IAM) policy, which specifies access # A representation of the Cloud IAM policy set on a Google Cloud resource.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1002

# There can be a maximum of one Cloud IAM policy set on any given resource.

1003

# In addition, Cloud IAM policies inherit their granted access scope from any

1004

# policies set on parent resources in the resource hierarchy. Therefore, the

1005

# effectively policy is the union of both the policy set on this resource

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1006

# and each policy set on all of the resource's ancestry resource levels in

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1007

# the hierarchy. See

1008

# [this topic](https://cloud.google.com/iam/docs/policies#inheritance) for

1009

# more information.

1010

# controls for Google Cloud resources.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1011

#

1012

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1013

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

1014

# `members` to a single `role`. Members can be user accounts, service accounts,

1015

# Google groups, and domains (such as G Suite). A `role` is a named list of

1016

# permissions; each `role` can be an IAM predefined role or a user-created

1017

# custom role.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1018

#

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1019

# For some types of Google Cloud resources, a `binding` can also specify a

1020

# `condition`, which is a logical expression that allows access to a resource

1021

# only if the expression evaluates to `true`. A condition can add constraints

1022

# based on attributes of the request, the resource, or both. To learn which

1023

# resources support conditions in their IAM policies, see the

1024

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1025

#

1026

# **JSON example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1027

#

1028

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1029

# "bindings": [

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1030

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1031

# "role": "roles/resourcemanager.organizationAdmin",

1032

# "members": [

1033

# "user:mike@example.com",

1034

# "group:admins@example.com",

1035

# "domain:google.com",

1036

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1037

# ]

1038

# },

1039

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1040

# "role": "roles/resourcemanager.organizationViewer",

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1041

# "members": [

1042

# "user:eve@example.com"

1043

# ],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1044

# "condition": {

1045

# "title": "expirable access",

1046

# "description": "Does not grant access after Sep 2020",

1047

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1048

# }

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1049

# }

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1050

# ],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1051

# "etag": "BwWWja0YfJA=",

1052

# "version": 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1053

# }

1054

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1055

# **YAML example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

#

# bindings:

# - members:

# - user:mike@example.com

1060

# - group:admins@example.com

1061

# - domain:google.com

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1062

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

1063

# role: roles/resourcemanager.organizationAdmin

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1064

# - members:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1065

# - user:eve@example.com

1066

# role: roles/resourcemanager.organizationViewer

1067

# condition:

1068

# title: expirable access

1069

# description: Does not grant access after Sep 2020

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1070

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1071

# - etag: BwWWja0YfJA=

1072

# - version: 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1073

#

1074

# For a description of IAM and its features, see the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1075

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1076

"version": 42, # Specifies the format of the policy.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1077

#

1078

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

1079

# are rejected.

1080

#

1081

# Any operation that affects conditional role bindings must specify version

1082

# `3`. This requirement applies to the following operations:

1083

#

1084

# * Getting a policy that includes a conditional role binding

1085

# * Adding a conditional role binding to a policy

1086

# * Changing a conditional role binding in a policy

1087

# * Removing any role binding, with or without a condition, from a policy

1088

# that includes conditions

1089

#

1090

# **Important:** If you use IAM Conditions, you must include the `etag` field

1091

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

1092

# you to overwrite a version `3` policy with a version `1` policy, and all of

1093

# the conditions in the version `3` policy are lost.

1094

#

1095

# If a policy does not include any conditions, operations on that policy may

1096

# specify any valid version or leave the field unset.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1097

#

1098

# To learn which resources support conditions in their IAM policies, see the

1099

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1100

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

1101

{ # Specifies the audit configuration for a service.

1102

# The configuration determines which permission types are logged, and what

1103

# identities, if any, are exempted from logging.

1104

# An AuditConfig must have one or more AuditLogConfigs.

1105

#

1106

# If there are AuditConfigs for both `allServices` and a specific service,

1107

# the union of the two AuditConfigs is used for that service: the log_types

1108

# specified in each AuditConfig are enabled, and the exempted_members in each

1109

# AuditLogConfig are exempted.

1110

#

1111

# Example Policy with multiple AuditConfigs:

#

# {

# "audit_configs": [

# {

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1116

# "service": "allServices",

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1117

# "audit_log_configs": [

1118

# {

1119

# "log_type": "DATA_READ",

1120

# "exempted_members": [

1121

# "user:jose@example.com"

1122

# ]

1123

# },

1124

# {

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1125

# "log_type": "DATA_WRITE"

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1126

# },

1127

# {

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1128

# "log_type": "ADMIN_READ"

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

# }

# ]

# },

# {

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1133

# "service": "sampleservice.googleapis.com",

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1134

# "audit_log_configs": [

1135

# {

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1136

# "log_type": "DATA_READ"

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1137

# },

1138

# {

1139

# "log_type": "DATA_WRITE",

1140

# "exempted_members": [

1141

# "user:aliya@example.com"

# ]

# }

# ]

# }

# ]

# }

#

# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ

1150

# logging. It also exempts jose@example.com from DATA_READ logging, and

1151

# aliya@example.com from DATA_WRITE logging.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1152

"service": "A String", # Specifies a service that will be enabled for audit logging.

1153

# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.

1154

# `allServices` is a special value that covers all services.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1155

"auditLogConfigs": [ # The configuration for logging of each type of permission.

1156

{ # Provides the configuration for logging a type of permissions.

# Example:

#

# {

# "audit_log_configs": [

1161

# {

1162

# "log_type": "DATA_READ",

1163

# "exempted_members": [

1164

# "user:jose@example.com"

1165

# ]

1166

# },

1167

# {

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1168

# "log_type": "DATA_WRITE"

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

# }

# ]

# }

#

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting

1174

# jose@example.com from DATA_READ logging.

1175

"logType": "A String", # The log type that this config enables.

1176

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of

1177

# permission.

1178

# Follows the same format of Binding.members.

"A String",

],

},

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1183

},

1184

],

1185

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

1186

# `condition` that determines how and when the `bindings` are applied. Each

1187

# of the `bindings` must contain at least one member.

1188

{ # Associates `members` with a `role`.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1189

"role": "A String", # Role that is assigned to `members`.

1190

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1191

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

1192

# `members` can have the following values:

1193

#

1194

# * `allUsers`: A special identifier that represents anyone who is

1195

# on the internet; with or without a Google account.

1196

#

1197

# * `allAuthenticatedUsers`: A special identifier that represents anyone

1198

# who is authenticated with a Google account or a service account.

1199

#

1200

# * `user:{emailid}`: An email address that represents a specific Google

1201

# account. For example, `alice@example.com` .

1202

#

1203

#

1204

# * `serviceAccount:{emailid}`: An email address that represents a service

1205

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

1206

#

1207

# * `group:{emailid}`: An email address that represents a Google group.

1208

# For example, `admins@example.com`.

1209

#

1210

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

1211

# identifier) representing a user that has been recently deleted. For

1212

# example, `alice@example.com?uid=123456789012345678901`. If the user is

1213

# recovered, this value reverts to `user:{emailid}` and the recovered user

1214

# retains the role in the binding.

1215

#

1216

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

1217

# unique identifier) representing a service account that has been recently

1218

# deleted. For example,

1219

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

1220

# If the service account is undeleted, this value reverts to

1221

# `serviceAccount:{emailid}` and the undeleted service account retains the

1222

# role in the binding.

1223

#

1224

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

1225

# identifier) representing a Google group that has been recently

1226

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

1227

# the group is recovered, this value reverts to `group:{emailid}` and the

1228

# recovered group retains the role in the binding.

1229

#

1230

#

1231

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

1232

# users of that domain. For example, `google.com` or `example.com`.

1233

#

1234

"A String",

1235

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1236

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

1237

#

1238

# If the condition evaluates to `true`, then this binding applies to the

1239

# current request.

1240

#

1241

# If the condition evaluates to `false`, then this binding does not apply to

1242

# the current request. However, a different role binding might grant the same

1243

# role to one or more of the members in this binding.

1244

#

1245

# To learn which resources support conditions in their IAM policies, see the

1246

# [IAM

1247

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

1248

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

1249

# are documented at https://github.com/google/cel-spec.

1250

#

1251

# Example (Comparison):

1252

#

1253

# title: "Summary size limit"

1254

# description: "Determines if a summary is less than 100 chars"

1255

# expression: "document.summary.size() < 100"

1256

#

1257

# Example (Equality):

1258

#

1259

# title: "Requestor is owner"

1260

# description: "Determines if requestor is the document owner"

1261

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

1266

# description: "Determine whether the document should be publicly visible"

1267

# expression: "document.type != 'private' && document.type != 'internal'"

1268

#

1269

# Example (Data Manipulation):

1270

#

1271

# title: "Notification string"

1272

# description: "Create a notification string with a timestamp."

1273

# expression: "'New message received at ' + string(document.create_time)"

1274

#

1275

# The exact variables and functions that may be referenced within an expression

1276

# are determined by the service that evaluates it. See the service

1277

# documentation for additional information.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1278

"description": "A String", # Optional. Description of the expression. This is a longer text which

1279

# describes the expression, e.g. when hovered over it in a UI.

1280

"location": "A String", # Optional. String indicating the location of the expression for error

1281

# reporting, e.g. a file name and a position in the file.

1282

"expression": "A String", # Textual representation of an expression in Common Expression Language

1283

# syntax.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1284

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

1285

# its purpose. This can be used e.g. in UIs which allow to enter the

1286

# expression.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1287

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1288

},

1289

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1290

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

1291

# prevent simultaneous updates of a policy from overwriting each other.

1292

# It is strongly suggested that systems make use of the `etag` in the

1293

# read-modify-write cycle to perform policy updates in order to avoid race

1294

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

1295

# systems are expected to put that etag in the request to `setIamPolicy` to

1296

# ensure that their change will be applied to the same version of the policy.

1297

#

1298

# **Important:** If you use IAM Conditions, you must include the `etag` field

1299

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

1300

# you to overwrite a version `3` policy with a version `1` policy, and all of

1301

# the conditions in the version `3` policy are lost.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1302

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1303

"assetType": "A String", # The type of the asset. Example: `compute.googleapis.com/Disk`

1304

#

1305

# See [Supported asset

1306

# types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)

1307

# for more information.

1308

"ancestors": [ # The ancestry path of an asset in Google Cloud [resource

1309

# hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy),

1310

# represented as a list of relative resource names. An ancestry path starts

1311

# with the closest ancestor in the hierarchy and ends at root. If the asset

1312

# is a project, folder, or organization, the ancestry path starts from the

1313

# asset itself.

1314

#

1315

# Example: `["projects/123456789", "folders/5432", "organizations/1234"]`

1316

"A String",

1317

],

1318

"resource": { # A representation of a Google Cloud resource. # A representation of the resource.

1319

"resourceUrl": "A String", # The REST URL for accessing the resource. An HTTP `GET` request using this

1320

# URL returns the resource itself. Example:

1321

# `https://cloudresourcemanager.googleapis.com/v1/projects/my-project-123`

1322

#

1323

# This value is unspecified for resources without a REST API.

1324

"discoveryName": "A String", # The JSON schema name listed in the discovery document. Example:

1325

# `Project`

1326

#

1327

# This value is unspecified for resources that do not have an API based on a

1328

# discovery document, such as Cloud Bigtable.

1329

"discoveryDocumentUri": "A String", # The URL of the discovery document containing the resource's JSON schema.

1330

# Example:

1331

# `https://www.googleapis.com/discovery/v1/apis/compute/v1/rest`

1332

#

1333

# This value is unspecified for resources that do not have an API based on a

1334

# discovery document, such as Cloud Bigtable.

1335

"data": { # The content of the resource, in which some sensitive fields are removed

1336

# and may not be present.

1337

"a_key": "", # Properties of the object.

1338

},

1339

"version": "A String", # The API version. Example: `v1`

1340

"parent": "A String", # The full name of the immediate parent of this resource. See

1341

# [Resource

1342

# Names](https://cloud.google.com/apis/design/resource_names#full_resource_name)

1343

# for more information.

1344

#

1345

# For Google Cloud assets, this value is the parent resource defined in the

1346

# [Cloud IAM policy

1347

# hierarchy](https://cloud.google.com/iam/docs/overview#policy_hierarchy).

1348

# Example:

1349

# `//cloudresourcemanager.googleapis.com/projects/my_project_123`

1350

#

1351

# For third-party assets, this field may be set differently.

1352

"location": "A String", # The location of the resource in Google Cloud, such as its zone and region.

1353

# For more information, see https://cloud.google.com/about/locations/.

1354

},

1355

"accessPolicy": { # `AccessPolicy` is a container for `AccessLevels` (which define the necessary # Please also refer to the [access policy user

1356

# guide](https://cloud.google.com/access-context-manager/docs/overview#access-policies).

1357

# attributes to use Google Cloud services) and `ServicePerimeters` (which

1358

# define regions of services able to freely pass data within a perimeter). An

1359

# access policy is globally visible within an organization, and the

1360

# restrictions it specifies apply to all projects within an organization.

1361

"parent": "A String", # Required. The parent of this `AccessPolicy` in the Cloud Resource

1362

# Hierarchy. Currently immutable once created. Format:

1363

# `organizations/{organization_id}`

1364

"title": "A String", # Required. Human readable title. Does not affect behavior.

1365

"name": "A String", # Output only. Resource name of the `AccessPolicy`. Format:

1366

# `accessPolicies/{policy_id}`

1367

"etag": "A String", # Output only. An opaque identifier for the current version of the

1368

# `AccessPolicy`. This will always be a strongly validated etag, meaning that

1369

# two Access Polices will be identical if and only if their etags are

1370

# identical. Clients should not expect this to be in any specific format.

1371

},

1372

"accessLevel": { # An `AccessLevel` is a label that can be applied to requests to Google Cloud # Please also refer to the [access level user

1373

# guide](https://cloud.google.com/access-context-manager/docs/overview#access-levels).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1374

# services, along with a list of requirements necessary for the label to be

1375

# applied.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1376

"description": "A String", # Description of the `AccessLevel` and its use. Does not affect behavior.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1377

"basic": { # `BasicLevel` is an `AccessLevel` using a set of recommended features. # A `BasicLevel` composed of `Conditions`.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1378

"combiningFunction": "A String", # How the `conditions` list should be combined to determine if a request is

1379

# granted this `AccessLevel`. If AND is used, each `Condition` in

1380

# `conditions` must be satisfied for the `AccessLevel` to be applied. If OR

1381

# is used, at least one `Condition` in `conditions` must be satisfied for the

1382

# `AccessLevel` to be applied. Default behavior is AND.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1383

"conditions": [ # Required. A list of requirements for the `AccessLevel` to be granted.

1384

{ # A condition necessary for an `AccessLevel` to be granted. The Condition is an

1385

# AND over its fields. So a Condition is true if: 1) the request IP is from one

1386

# of the listed subnetworks AND 2) the originating device complies with the

1387

# listed device policy AND 3) all listed access levels are granted AND 4) the

1388

# request was sent at a time allowed by the DateTimeRestriction.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1389

"requiredAccessLevels": [ # A list of other access levels defined in the same `Policy`, referenced by

1390

# resource name. Referencing an `AccessLevel` which does not exist is an

1391

# error. All access levels listed must be granted for the Condition

1392

# to be true. Example:

1393

# "`accessPolicies/MY_POLICY/accessLevels/LEVEL_NAME"`

1394

"A String",

1395

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1396

"devicePolicy": { # `DevicePolicy` specifies device specific restrictions necessary to acquire a # Device specific restrictions, all restrictions must hold for the

1397

# Condition to be true. If not specified, all devices are allowed.

1398

# given access level. A `DevicePolicy` specifies requirements for requests from

1399

# devices to be granted access levels, it does not do any enforcement on the

1400

# device. `DevicePolicy` acts as an AND over all specified fields, and each

1401

# repeated field is an OR over its elements. Any unset fields are ignored. For

1402

# example, if the proto is { os_type : DESKTOP_WINDOWS, os_type :

1403

# DESKTOP_LINUX, encryption_status: ENCRYPTED}, then the DevicePolicy will be

1404

# true for requests originating from encrypted Linux desktops and encrypted

1405

# Windows desktops.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1406

"requireScreenlock": True or False, # Whether or not screenlock is required for the DevicePolicy to be true.

1407

# Defaults to `false`.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1408

"osConstraints": [ # Allowed OS versions, an empty list allows all types and all versions.

1409

{ # A restriction on the OS type and version of devices making requests.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1410

"osType": "A String", # Required. The allowed OS type.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1411

"minimumVersion": "A String", # The minimum allowed OS version. If not set, any version of this OS

1412

# satisfies the constraint. Format: `"major.minor.patch"`.

1413

# Examples: `"10.5.301"`, `"9.2.1"`.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1414

"requireVerifiedChromeOs": True or False, # Only allows requests from devices with a verified Chrome OS.

1415

# Verifications includes requirements that the device is enterprise-managed,

1416

# conformant to domain policies, and the caller has permission to call

1417

# the API targeted by the request.

1418

},

1419

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1420

"requireAdminApproval": True or False, # Whether the device needs to be approved by the customer admin.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1421

"allowedDeviceManagementLevels": [ # Allowed device management levels, an empty list allows all management

1422

# levels.

1423

"A String",

1424

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1425

"requireCorpOwned": True or False, # Whether the device needs to be corp owned.

1426

"allowedEncryptionStatuses": [ # Allowed encryptions statuses, an empty list allows all statuses.

1427

"A String",

1428

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1429

},

1430

"members": [ # The request must be made by one of the provided user or service

1431

# accounts. Groups are not supported.

1432

# Syntax:

1433

# `user:{emailid}`

1434

# `serviceAccount:{emailid}`

1435

# If not specified, a request may come from any user.

1436

"A String",

1437

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1438

"regions": [ # The request must originate from one of the provided countries/regions.

1439

# Must be valid ISO 3166-1 alpha-2 codes.

1440

"A String",

1441

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1442

"ipSubnetworks": [ # CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for

1443

# a CIDR IP address block, the specified IP address portion must be properly

1444

# truncated (i.e. all the host bits must be zero) or the input is considered

1445

# malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is

1446

# not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas

1447

# "2001:db8::1/32" is not. The originating IP of a request must be in one of

1448

# the listed subnets in order for this Condition to be true. If empty, all IP

1449

# addresses are allowed.

1450

"A String",

1451

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1452

"negate": True or False, # Whether to negate the Condition. If true, the Condition becomes a NAND over

1453

# its non-empty fields, each field must be false for the Condition overall to

1454

# be satisfied. Defaults to false.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1455

},

1456

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1457

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1458

"name": "A String", # Required. Resource name for the Access Level. The `short_name` component

1459

# must begin with a letter and only include alphanumeric and '_'. Format:

1460

# `accessPolicies/{policy_id}/accessLevels/{short_name}`. The maximum length

1461

# of the `short_name` component is 50 characters.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1462

"custom": { # `CustomLevel` is an `AccessLevel` using the Cloud Common Expression Language # A `CustomLevel` written in the Common Expression Language.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1463

# to represent the necessary conditions for the level to apply to a request.

1464

# See CEL spec at: https://github.com/google/cel-spec

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1465

"expr": { # Represents a textual expression in the Common Expression Language (CEL) # Required. A Cloud CEL expression evaluating to a boolean.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1466

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

1467

# are documented at https://github.com/google/cel-spec.

1468

#

1469

# Example (Comparison):

1470

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1471

# title: "Summary size limit"

1472

# description: "Determines if a summary is less than 100 chars"

1473

# expression: "document.summary.size() < 100"

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1474

#

1475

# Example (Equality):

1476

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1477

# title: "Requestor is owner"

1478

# description: "Determines if requestor is the document owner"

1479

# expression: "document.owner == request.auth.claims.email"

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1480

#

1481

# Example (Logic):

1482

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1483

# title: "Public documents"

1484

# description: "Determine whether the document should be publicly visible"

1485

# expression: "document.type != 'private' && document.type != 'internal'"

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1486

#

1487

# Example (Data Manipulation):

1488

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1489

# title: "Notification string"

1490

# description: "Create a notification string with a timestamp."

1491

# expression: "'New message received at ' + string(document.create_time)"

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1492

#

1493

# The exact variables and functions that may be referenced within an expression

1494

# are determined by the service that evaluates it. See the service

1495

# documentation for additional information.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1496

"description": "A String", # Optional. Description of the expression. This is a longer text which

1497

# describes the expression, e.g. when hovered over it in a UI.

1498

"location": "A String", # Optional. String indicating the location of the expression for error

1499

# reporting, e.g. a file name and a position in the file.

1500

"expression": "A String", # Textual representation of an expression in Common Expression Language

1501

# syntax.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1502

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1503

# its purpose. This can be used e.g. in UIs which allow to enter the

1504

# expression.

1505

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1506

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1507

"title": "A String", # Human readable title. Must be unique within the Policy.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1508

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1509

"orgPolicy": [ # A representation of an [organization

1510

# policy](https://cloud.google.com/resource-manager/docs/organization-policy/overview#organization_policy).

1511

# There can be more than one organization policy with different constraints

1512

# set on a given resource.

1513

{ # Defines a Cloud Organization `Policy` which is used to specify `Constraints`

1514

# for configurations of Cloud Platform resources.

1515

"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for

1516

# concurrency control.

1517

#

1518

# When the `Policy` is returned from either a `GetPolicy` or a

1519

# `ListOrgPolicy` request, this `etag` indicates the version of the current

1520

# `Policy` to use when executing a read-modify-write loop.

1521

#

1522

# When the `Policy` is returned from a `GetEffectivePolicy` request, the

1523

# `etag` will be unset.

1524

#

1525

# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value

1526

# that was returned from a `GetOrgPolicy` request as part of a

1527

# read-modify-write loop for concurrency control. Not setting the `etag`in a

1528

# `SetOrgPolicy` request will result in an unconditional write of the

1529

# `Policy`.

1530

"version": 42, # Version of the `Policy`. Default version is 0;

1531

"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of

1532

# `Constraint` type.

1533

# `constraint_default` enforcement behavior of the specific `Constraint` at

1534

# this resource.

1535

#

1536

# Suppose that `constraint_default` is set to `ALLOW` for the

1537

# `Constraint` `constraints/serviceuser.services`. Suppose that organization

1538

# foo.com sets a `Policy` at their Organization resource node that restricts

1539

# the allowed service activations to deny all service activations. They

1540

# could then set a `Policy` with the `policy_type` `restore_default` on

1541

# several experimental projects, restoring the `constraint_default`

1542

# enforcement of the `Constraint` for only those projects, allowing those

1543

# projects to have all services activated.

1544

},

1545

"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the

1546

# server, not specified by the caller, and represents the last time a call to

1547

# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will

1548

# be ignored.

1549

"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,

1550

# `constraints/serviceuser.services`.

1551

#

1552

# A [list of available

1553

# constraints](/resource-manager/docs/organization-policy/org-policy-constraints)

1554

# is available.

1555

#

1556

# Immutable after creation.

1557

"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.

1558

# resource.

1559

"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any

1560

# configuration is acceptable.

1561

#

1562

# Suppose you have a `Constraint`

1563

# `constraints/compute.disableSerialPortAccess` with `constraint_default`

1564

# set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following

1565

# behavior:

1566

# - If the `Policy` at this resource has enforced set to `false`, serial

1567

# port connection attempts will be allowed.

1568

# - If the `Policy` at this resource has enforced set to `true`, serial

1569

# port connection attempts will be refused.

1570

# - If the `Policy` at this resource is `RestoreDefault`, serial port

1571

# connection attempts will be allowed.

1572

# - If no `Policy` is set at this resource or anywhere higher in the

1573

# resource hierarchy, serial port connection attempts will be allowed.

1574

# - If no `Policy` is set at this resource, but one exists higher in the

1575

# resource hierarchy, the behavior is as if the`Policy` were set at

1576

# this resource.

1577

#

1578

# The following examples demonstrate the different possible layerings:

1579

#

1580

# Example 1 (nearest `Constraint` wins):

1581

# `organizations/foo` has a `Policy` with:

1582

# {enforced: false}

1583

# `projects/bar` has no `Policy` set.

1584

# The constraint at `projects/bar` and `organizations/foo` will not be

1585

# enforced.

1586

#

1587

# Example 2 (enforcement gets replaced):

1588

# `organizations/foo` has a `Policy` with:

1589

# {enforced: false}

1590

# `projects/bar` has a `Policy` with:

1591

# {enforced: true}

1592

# The constraint at `organizations/foo` is not enforced.

1593

# The constraint at `projects/bar` is enforced.

1594

#

1595

# Example 3 (RestoreDefault):

1596

# `organizations/foo` has a `Policy` with:

1597

# {enforced: true}

1598

# `projects/bar` has a `Policy` with:

1599

# {RestoreDefault: {}}

1600

# The constraint at `organizations/foo` is enforced.

1601

# The constraint at `projects/bar` is not enforced, because

1602

# `constraint_default` for the `Constraint` is `ALLOW`.

1603

},

1604

"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.

1605

# resource.

1606

#

1607

# `ListPolicy` can define specific values and subtrees of Cloud Resource

1608

# Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that

1609

# are allowed or denied by setting the `allowed_values` and `denied_values`

1610

# fields. This is achieved by using the `under:` and optional `is:` prefixes.

1611

# The `under:` prefix is used to denote resource subtree values.

1612

# The `is:` prefix is used to denote specific values, and is required only

1613

# if the value contains a ":". Values prefixed with "is:" are treated the

1614

# same as values with no prefix.

1615

# Ancestry subtrees must be in one of the following formats:

1616

# - "projects/<project-id>", e.g. "projects/tokyo-rain-123"

1617

# - "folders/<folder-id>", e.g. "folders/1234"

1618

# - "organizations/<organization-id>", e.g. "organizations/1234"

1619

# The `supports_under` field of the associated `Constraint` defines whether

1620

# ancestry prefixes can be used. You can set `allowed_values` and

1621

# `denied_values` in the same `Policy` if `all_values` is

1622

# `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all

1623

# values. If `all_values` is set to either `ALLOW` or `DENY`,

1624

# `allowed_values` and `denied_values` must be unset.

1625

"allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`

1626

# is set to `ALL_VALUES_UNSPECIFIED`.

1627

"A String",

1628

],

1629

"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.

1630

#

1631

# By default, a `ListPolicy` set at a resource supersedes any `Policy` set

1632

# anywhere up the resource hierarchy. However, if `inherit_from_parent` is

1633

# set to `true`, then the values from the effective `Policy` of the parent

1634

# resource are inherited, meaning the values set in this `Policy` are

1635

# added to the values inherited up the hierarchy.

1636

#

1637

# Setting `Policy` hierarchies that inherit both allowed values and denied

1638

# values isn't recommended in most circumstances to keep the configuration

1639

# simple and understandable. However, it is possible to set a `Policy` with

1640

# `allowed_values` set that inherits a `Policy` with `denied_values` set.

1641

# In this case, the values that are allowed must be in `allowed_values` and

1642

# not present in `denied_values`.

1643

#

1644

# For example, suppose you have a `Constraint`

1645

# `constraints/serviceuser.services`, which has a `constraint_type` of

1646

# `list_constraint`, and with `constraint_default` set to `ALLOW`.

1647

# Suppose that at the Organization level, a `Policy` is applied that

1648

# restricts the allowed API activations to {`E1`, `E2`}. Then, if a

1649

# `Policy` is applied to a project below the Organization that has

1650

# `inherit_from_parent` set to `false` and field all_values set to DENY,

1651

# then an attempt to activate any API will be denied.

1652

#

1653

# The following examples demonstrate different possible layerings for

1654

# `projects/bar` parented by `organizations/foo`:

1655

#

1656

# Example 1 (no inherited values):

1657

# `organizations/foo` has a `Policy` with values:

1658

# {allowed_values: "E1" allowed_values:"E2"}

1659

# `projects/bar` has `inherit_from_parent` `false` and values:

1660

# {allowed_values: "E3" allowed_values: "E4"}

1661

# The accepted values at `organizations/foo` are `E1`, `E2`.

1662

# The accepted values at `projects/bar` are `E3`, and `E4`.

1663

#

1664

# Example 2 (inherited values):

1665

# `organizations/foo` has a `Policy` with values:

1666

# {allowed_values: "E1" allowed_values:"E2"}

1667

# `projects/bar` has a `Policy` with values:

1668

# {value: "E3" value: "E4" inherit_from_parent: true}

1669

# The accepted values at `organizations/foo` are `E1`, `E2`.

1670

# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.

1671

#

1672

# Example 3 (inheriting both allowed and denied values):

1673

# `organizations/foo` has a `Policy` with values:

1674

# {allowed_values: "E1" allowed_values: "E2"}

1675

# `projects/bar` has a `Policy` with:

1676

# {denied_values: "E1"}

1677

# The accepted values at `organizations/foo` are `E1`, `E2`.

1678

# The value accepted at `projects/bar` is `E2`.

1679

#

1680

# Example 4 (RestoreDefault):

1681

# `organizations/foo` has a `Policy` with values:

1682

# {allowed_values: "E1" allowed_values:"E2"}

1683

# `projects/bar` has a `Policy` with values:

1684

# {RestoreDefault: {}}

1685

# The accepted values at `organizations/foo` are `E1`, `E2`.

1686

# The accepted values at `projects/bar` are either all or none depending on

1687

# the value of `constraint_default` (if `ALLOW`, all; if

1688

# `DENY`, none).

1689

#

1690

# Example 5 (no policy inherits parent policy):

1691

# `organizations/foo` has no `Policy` set.

1692

# `projects/bar` has no `Policy` set.

1693

# The accepted values at both levels are either all or none depending on

1694

# the value of `constraint_default` (if `ALLOW`, all; if

1695

# `DENY`, none).

1696

#

1697

# Example 6 (ListConstraint allowing all):

1698

# `organizations/foo` has a `Policy` with values:

1699

# {allowed_values: "E1" allowed_values: "E2"}

1700

# `projects/bar` has a `Policy` with:

1701

# {all: ALLOW}

1702

# The accepted values at `organizations/foo` are `E1`, E2`.

1703

# Any value is accepted at `projects/bar`.

1704

#

1705

# Example 7 (ListConstraint allowing none):

1706

# `organizations/foo` has a `Policy` with values:

1707

# {allowed_values: "E1" allowed_values: "E2"}

1708

# `projects/bar` has a `Policy` with:

1709

# {all: DENY}

1710

# The accepted values at `organizations/foo` are `E1`, E2`.

1711

# No value is accepted at `projects/bar`.

1712

#

1713

# Example 10 (allowed and denied subtrees of Resource Manager hierarchy):

1714

# Given the following resource hierarchy

1715

# O1->{F1, F2}; F1->{P1}; F2->{P2, P3},

1716

# `organizations/foo` has a `Policy` with values:

1717

# {allowed_values: "under:organizations/O1"}

1718

# `projects/bar` has a `Policy` with:

1719

# {allowed_values: "under:projects/P3"}

1720

# {denied_values: "under:folders/F2"}

1721

# The accepted values at `organizations/foo` are `organizations/O1`,

1722

# `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,

1723

# `projects/P3`.

1724

# The accepted values at `projects/bar` are `organizations/O1`,

1725

# `folders/F1`, `projects/P1`.

1726

"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration

1727

# that matches the value specified in this `Policy`. If `suggested_value`

1728

# is not set, it will inherit the value specified higher in the hierarchy,

1729

# unless `inherit_from_parent` is `false`.

1730

"deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`

1731

# is set to `ALL_VALUES_UNSPECIFIED`.

1732

"A String",

1733

],

1734

"allValues": "A String", # The policy all_values state.

1735

},

1736

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1737

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1738

"name": "A String", # The full name of the asset. Example:

1739

# `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`

1740

#

1741

# See [Resource

1742

# names](https://cloud.google.com/apis/design/resource_names#full_resource_name)

1743

# for more information.

1744

"updateTime": "A String", # The last update timestamp of an asset. update_time is updated when

1745

# create/update/delete operation is performed.

1746

"servicePerimeter": { # `ServicePerimeter` describes a set of Google Cloud resources which can freely # Please also refer to the [service perimeter user

1747

# guide](https://cloud.google.com/vpc-service-controls/docs/overview).

1748

# import and export data amongst themselves, but not export outside of the

1749

# `ServicePerimeter`. If a request with a source within this `ServicePerimeter`

1750

# has a target outside of the `ServicePerimeter`, the request will be blocked.

1751

# Otherwise the request is allowed. There are two types of Service Perimeter -

1752

# Regular and Bridge. Regular Service Perimeters cannot overlap, a single

1753

# Google Cloud project can only belong to a single regular Service Perimeter.

1754

# Service Perimeter Bridges can contain only Google Cloud projects as members,

1755

# a single Google Cloud project may belong to multiple Service Perimeter

1756

# Bridges.

1757

"title": "A String", # Human readable title. Must be unique within the Policy.

1758

"perimeterType": "A String", # Perimeter type indicator. A single project is

1759

# allowed to be a member of single regular perimeter, but multiple service

1760

# perimeter bridges. A project cannot be a included in a perimeter bridge

1761

# without being included in regular perimeter. For perimeter bridges,

1762

# the restricted service list as well as access level lists must be

1763

# empty.

1764

"status": { # `ServicePerimeterConfig` specifies a set of Google Cloud resources that # Current ServicePerimeter configuration. Specifies sets of resources,

1765

# restricted services and access levels that determine perimeter

1766

# content and boundaries.

1767

# describe specific Service Perimeter configuration.

1768

"resources": [ # A list of Google Cloud resources that are inside of the service perimeter.

1769

# Currently only projects are allowed. Format: `projects/{project_number}`

1770

"A String",

1771

],

1772

"restrictedServices": [ # Google Cloud services that are subject to the Service Perimeter

1773

# restrictions. For example, if `storage.googleapis.com` is specified, access

1774

# to the storage buckets inside the perimeter must meet the perimeter's

1775

# access restrictions.

1776

"A String",

1777

],

1778

"accessLevels": [ # A list of `AccessLevel` resource names that allow resources within the

1779

# `ServicePerimeter` to be accessed from the internet. `AccessLevels` listed

1780

# must be in the same policy as this `ServicePerimeter`. Referencing a

1781

# nonexistent `AccessLevel` is a syntax error. If no `AccessLevel` names are

1782

# listed, resources within the perimeter can only be accessed via Google

1783

# Cloud calls with request origins within the perimeter. Example:

1784

# `"accessPolicies/MY_POLICY/accessLevels/MY_LEVEL"`.

1785

# For Service Perimeter Bridge, must be empty.

1786

"A String",

1787

],

1788

"vpcAccessibleServices": { # Specifies how APIs are allowed to communicate within the Service # Configuration for APIs allowed within Perimeter.

1789

# Perimeter.

1790

"allowedServices": [ # The list of APIs usable within the Service Perimeter. Must be empty

1791

# unless 'enable_restriction' is True.

1792

"A String",

1793

],

1794

"enableRestriction": True or False, # Whether to restrict API calls within the Service Perimeter to the list of

1795

# APIs specified in 'allowed_services'.

1796

},

1797

},

1798

"name": "A String", # Required. Resource name for the ServicePerimeter. The `short_name`

1799

# component must begin with a letter and only include alphanumeric and '_'.

1800

# Format: `accessPolicies/{policy_id}/servicePerimeters/{short_name}`

1801

"useExplicitDryRunSpec": True or False, # Use explicit dry run spec flag. Ordinarily, a dry-run spec implicitly

1802

# exists for all Service Perimeters, and that spec is identical to the

1803

# status for those Service Perimeters. When this flag is set, it inhibits the

1804

# generation of the implicit spec, thereby allowing the user to explicitly

1805

# provide a configuration ("spec") to use in a dry-run version of the Service

1806

# Perimeter. This allows the user to test changes to the enforced config

1807

# ("status") without actually enforcing them. This testing is done through

1808

# analyzing the differences between currently enforced and suggested

1809

# restrictions. use_explicit_dry_run_spec must bet set to True if any of the

1810

# fields in the spec are set to non-default values.

1811

"spec": { # `ServicePerimeterConfig` specifies a set of Google Cloud resources that # Proposed (or dry run) ServicePerimeter configuration. This configuration

1812

# allows to specify and test ServicePerimeter configuration without enforcing

1813

# actual access restrictions. Only allowed to be set when the

1814

# "use_explicit_dry_run_spec" flag is set.

1815

# describe specific Service Perimeter configuration.

1816

"resources": [ # A list of Google Cloud resources that are inside of the service perimeter.

1817

# Currently only projects are allowed. Format: `projects/{project_number}`

1818

"A String",

1819

],

1820

"restrictedServices": [ # Google Cloud services that are subject to the Service Perimeter

1821

# restrictions. For example, if `storage.googleapis.com` is specified, access

1822

# to the storage buckets inside the perimeter must meet the perimeter's

1823

# access restrictions.

1824

"A String",

1825

],

1826

"accessLevels": [ # A list of `AccessLevel` resource names that allow resources within the

1827

# `ServicePerimeter` to be accessed from the internet. `AccessLevels` listed

1828

# must be in the same policy as this `ServicePerimeter`. Referencing a

1829

# nonexistent `AccessLevel` is a syntax error. If no `AccessLevel` names are

1830

# listed, resources within the perimeter can only be accessed via Google

1831

# Cloud calls with request origins within the perimeter. Example:

1832

# `"accessPolicies/MY_POLICY/accessLevels/MY_LEVEL"`.

1833

# For Service Perimeter Bridge, must be empty.

1834

"A String",

1835

],

1836

"vpcAccessibleServices": { # Specifies how APIs are allowed to communicate within the Service # Configuration for APIs allowed within Perimeter.

1837

# Perimeter.

1838

"allowedServices": [ # The list of APIs usable within the Service Perimeter. Must be empty

1839

# unless 'enable_restriction' is True.

1840

"A String",

1841

],

1842

"enableRestriction": True or False, # Whether to restrict API calls within the Service Perimeter to the list of

1843

# APIs specified in 'allowed_services'.

1844

},

1845

},

1846

"description": "A String", # Description of the `ServicePerimeter` and its use. Does not affect

# behavior.

},

},

"priorAssetState": "A String", # State of prior_asset.

1851

"window": { # A time window specified by its `start_time` and `end_time`. # The time window when the asset data and state was observed.

1852

"endTime": "A String", # End time of the time window (inclusive). If not specified, the current

1853

# timestamp is used instead.

1854

"startTime": "A String", # Start time of the time window (exclusive).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

},

],

}</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1862

<code class="details" id="exportAssets">exportAssets(parent, body=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1863

<pre>Exports assets with time and resource types to a given Cloud Storage

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1864

location/BigQuery table. For Cloud Storage location destinations, the

1865

output format is newline-delimited JSON. Each line represents a

1866

google.cloud.asset.v1.Asset in the JSON format; for BigQuery table

1867

destinations, the output table stores the fields in asset proto as columns.

1868

This API implements the google.longrunning.Operation API

1869

, which allows you to keep track of the export. We recommend intervals of

1870

at least 2 seconds with exponential retry to poll the export operation

1871

result. For regular-size resource parent, the export operation usually

1872

finishes within 5 minutes.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1873

1874

Args:

1875

parent: string, Required. The relative name of the root asset. This can only be an

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1876

organization number (such as "organizations/123"), a project ID (such as

1877

"projects/my-project-id"), or a project number (such as "projects/12345"),

1878

or a folder number (such as "folders/123"). (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1879

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1880

The object takes the form of:

1881

1882

{ # Export asset request.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1883

"outputConfig": { # Output configuration for export assets destination. # Required. Output configuration indicating where the results will be output to.

1884

"bigqueryDestination": { # A BigQuery destination for exporting assets to. # Destination on BigQuery. The output table stores the fields in asset

1885

# proto as columns in BigQuery.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1886

"dataset": "A String", # Required. The BigQuery dataset in format

1887

# "projects/projectId/datasets/datasetId", to which the snapshot result

1888

# should be exported. If this dataset does not exist, the export call returns

1889

# an INVALID_ARGUMENT error.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1890

"table": "A String", # Required. The BigQuery table to which the snapshot result should be

1891

# written. If this table does not exist, a new table with the given name

1892

# will be created.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1893

"force": True or False, # If the destination table already exists and this flag is `TRUE`, the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1894

# table will be overwritten by the contents of assets snapshot. If the flag

1895

# is `FALSE` or unset and the destination table already exists, the export

1896

# call returns an INVALID_ARGUMEMT error.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1897

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1898

"gcsDestination": { # A Cloud Storage location. # Destination on Cloud Storage.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1899

"uri": "A String", # The uri of the Cloud Storage object. It's the same uri that is used by

1900

# gsutil. Example: "gs://bucket_name/object_name". See [Viewing and

1901

# Editing Object

1902

# Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata)

1903

# for more information.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1904

"uriPrefix": "A String", # The uri prefix of all generated Cloud Storage objects. Example:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1905

# "gs://bucket_name/object_name_prefix". Each object uri is in format:

1906

# "gs://bucket_name/object_name_prefix/<asset type>/<shard number> and only

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1907

# contains assets for that type. <shard number> starts from 0. Example:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1908

# "gs://bucket_name/object_name_prefix/compute.googleapis.com/Disk/0" is

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1909

# the first shard of output objects containing all

1910

# compute.googleapis.com/Disk assets. An INVALID_ARGUMENT error will be

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1911

# returned if file with the same name "gs://bucket_name/object_name_prefix"

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1912

# already exists.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1913

},

1914

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1915

"readTime": "A String", # Timestamp to take an asset snapshot. This can only be set to a timestamp

1916

# between the current time and the current time minus 35 days (inclusive).

1917

# If not specified, the current time will be used. Due to delays in resource

1918

# data collection and indexing, there is a volatile window during which

1919

# running the same query may get different results.

1920

"contentType": "A String", # Asset content type. If not specified, no content but the asset name will be

1921

# returned.

1922

"assetTypes": [ # A list of asset types to take a snapshot for. For example:

1923

# "compute.googleapis.com/Disk".

1924

#

1925

# Regular expressions are also supported. For example:

1926

#

1927

# * "compute.googleapis.com.*" snapshots resources whose asset type starts

1928

# with "compute.googleapis.com".

1929

# * ".*Instance" snapshots resources whose asset type ends with "Instance".

1930

# * ".*Instance.*" snapshots resources whose asset type contains "Instance".

1931

#

1932

# See [RE2](https://github.com/google/re2/wiki/Syntax) for all supported

1933

# regular expression syntax. If the regular expression does not match any

1934

# supported asset type, an INVALID_ARGUMENT error will be returned.

1935

#

1936

# If specified, only matching assets will be returned, otherwise, it will

1937

# snapshot all asset types. See [Introduction to Cloud Asset

1938

# Inventory](https://cloud.google.com/asset-inventory/docs/overview)

1939

# for all supported asset types.

1940

"A String",

1941

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1942

}

1943

1944

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1951

1952

{ # This resource represents a long-running operation that is the result of a

1953

# network API call.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1954

"response": { # The normal response of the operation in case of success. If the original

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1955

# method returns no data on success, such as `Delete`, the response is

1956

# `google.protobuf.Empty`. If the original method is standard

1957

# `Get`/`Create`/`Update`, the response should be the resource. For other

1958

# methods, the response should have the type `XxxResponse`, where `Xxx`

1959

# is the original method name. For example, if the original method name

1960

# is `TakeSnapshot()`, the inferred response type is

1961

# `TakeSnapshotResponse`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1962

"a_key": "", # Properties of the object. Contains field @type with type URL.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1963

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1964

"done": True or False, # If the value is `false`, it means the operation is still in progress.

1965

# If `true`, the operation is completed, and either `error` or `response` is

1966

# available.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1967

"name": "A String", # The server-assigned name, which is only unique within the same service that

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1968

# originally returns it. If you use the default HTTP mapping, the

1969

# `name` should be a resource name ending with `operations/{unique_id}`.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1970

"metadata": { # Service-specific metadata associated with the operation. It typically

1971

# contains progress information and common metadata such as create time.

1972

# Some services might not provide such metadata. Any method that returns a

1973

# long-running operation should document the metadata type, if any.

1974

"a_key": "", # Properties of the object. Contains field @type with type URL.

1975

},

1976

"error": { # The `Status` type defines a logical error model that is suitable for # The error result of the operation in case of failure or cancellation.

1977

# different programming environments, including REST APIs and RPC APIs. It is

1978

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

1979

# three pieces of data: error code, error message, and error details.

1980

#

1981

# You can find out more about this error model and how to work with it in the

1982

# [API Design Guide](https://cloud.google.com/apis/design/errors).

1983

"details": [ # A list of messages that carry the error details. There is a common set of

1984

# message types for APIs to use.

1985

{

1986

"a_key": "", # Properties of the object. Contains field @type with type URL.

1987

},

1988

],

1989

"message": "A String", # A developer-facing error message, which should be in English. Any

1990

# user-facing error message should be localized and sent in the

1991

# google.rpc.Status.details field, or localized by the client.

1992

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

1993

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1997

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1998

<code class="details" id="searchAllIamPolicies">searchAllIamPolicies(scope, query=None, pageToken=None, pageSize=None, x__xgafv=None)</code>

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1999

<pre>Searches all the IAM policies within the given accessible scope (e.g., a

2000

project, a folder or an organization). Callers should have

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2001

`cloud.assets.SearchAllIamPolicies` permission upon the requested scope,

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2002

otherwise the request will be rejected.

2003

2004

Args:

2005

scope: string, Required. A scope can be a project, a folder or an organization. The search is

2006

limited to the IAM policies within the `scope`.

2007

2008

The allowed values are:

2009

2010

* projects/{PROJECT_ID}

2011

* projects/{PROJECT_NUMBER}

2012

* folders/{FOLDER_NUMBER}

2013

* organizations/{ORGANIZATION_NUMBER} (required)

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2014

query: string, Optional. The query statement. An empty query can be specified to search all the IAM

2015

policies within the given `scope`.

Examples:

* `policy : "amy@gmail.com"` to find Cloud IAM policy bindings that

2020

specify user "amy@gmail.com".

2021

* `policy : "roles/compute.admin"` to find Cloud IAM policy bindings that

2022

specify the Compute Admin role.

2023

* `policy.role.permissions : "storage.buckets.update"` to find Cloud IAM

2024

policy bindings that specify a role containing "storage.buckets.update"

2025

permission.

2026

* `resource : "organizations/123"` to find Cloud IAM policy bindings that

2027

are set on "organizations/123".

2028

* `(resource : ("organizations/123" OR "folders/1234") AND policy : "amy")`

2029

to find Cloud IAM policy bindings that are set on "organizations/123" or

2030

"folders/1234", and also specify user "amy".

2031

2032

See [how to construct a

2033

query](https://cloud.google.com/asset-inventory/docs/searching-iam-policies#how_to_construct_a_query)

2034

for more details.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2035

pageToken: string, Optional. If present, retrieve the next batch of results from the preceding call to

2036

this method. `page_token` must be the value of `next_page_token` from the

2037

previous response. The values of all other method parameters must be

2038

identical to those in the previous call.

2039

pageSize: integer, Optional. The page size for search result pagination. Page size is capped at 500 even

2040

if a larger value is given. If set to zero, server will pick an appropriate

2041

default. Returned results may be fewer than requested. When this happens,

2042

there could be more results as long as `next_page_token` is returned.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2043

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

2050

2051

{ # Search all IAM policies response.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2052

"results": [ # A list of IamPolicy that match the search query. Related information such

2053

# as the associated resource is returned along with the policy.

2054

{ # A result of IAM Policy search, containing information of an IAM policy.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2055

"project": "A String", # The project that the associated GCP resource belongs to, in the form of

2056

# projects/{PROJECT_NUMBER}. If an IAM policy is set on a resource (like VM

2057

# instance, Cloud Storage bucket), the project field will indicate the

2058

# project that contains the resource. If an IAM policy is set on a folder or

2059

# orgnization, the project field will be empty.

2060

#

2061

# To search against the `project`:

2062

#

2063

# * specify the `scope` field as this project in your search request.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2064

"resource": "A String", # The full resource name of the resource associated with this IAM policy.

2065

# Example:

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2066

# `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2067

# See [Cloud Asset Inventory Resource Name

2068

# Format](https://cloud.google.com/asset-inventory/docs/resource-name-format)

2069

# for more information.

2070

#

2071

# To search against the `resource`:

2072

#

2073

# * use a field query. Example: `resource : "organizations/123"`

2074

"explanation": { # Explanation about the IAM policy search result. # Explanation about the IAM policy search result. It contains additional

2075

# information to explain why the search result matches the query.

2076

"matchedPermissions": { # The map from roles to their included permissions that match the

2077

# permission query (i.e., a query containing `policy.role.permissions:`).

2078

# Example: if query `policy.role.permissions : "compute.disk.get"`

2079

# matches a policy binding that contains owner role, the

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2080

# matched_permissions will be `{"roles/owner": ["compute.disk.get"]}`. The

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2081

# roles can also be found in the returned `policy` bindings. Note that the

2082

# map is populated only for requests with permission queries.

2083

"a_key": { # IAM permissions

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2084

"permissions": [ # A list of permissions. A sample permission string: `compute.disk.get`.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

"A String",

],

},

},

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2090

"policy": { # An Identity and Access Management (IAM) policy, which specifies access # The IAM policy directly set on the given resource. Note that the original

2091

# IAM policy can contain multiple bindings. This only contains the bindings

2092

# that match the given query. For queries that don't contain a constrain on

2093

# policies (e.g., an empty query), this contains all the bindings.

2094

#

2095

# To search against the `policy` bindings:

2096

#

2097

# * use a field query, as following:

2098

# - query by the policy contained members. Example:

2099

# `policy : "amy@gmail.com"`

2100

# - query by the policy contained roles. Example:

2101

# `policy : "roles/compute.admin"`

2102

# - query by the policy contained roles' implied permissions. Example:

2103

# `policy.role.permissions : "compute.instances.create"`

2104

# controls for Google Cloud resources.

2105

#

2106

#

2107

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

2108

# `members` to a single `role`. Members can be user accounts, service accounts,

2109

# Google groups, and domains (such as G Suite). A `role` is a named list of

2110

# permissions; each `role` can be an IAM predefined role or a user-created

2111

# custom role.

2112

#

2113

# For some types of Google Cloud resources, a `binding` can also specify a

2114

# `condition`, which is a logical expression that allows access to a resource

2115

# only if the expression evaluates to `true`. A condition can add constraints

2116

# based on attributes of the request, the resource, or both. To learn which

2117

# resources support conditions in their IAM policies, see the

2118

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

#

# **JSON example:**

#

# {

# "bindings": [

# {

# "role": "roles/resourcemanager.organizationAdmin",

2126

# "members": [

2127

# "user:mike@example.com",

2128

# "group:admins@example.com",

2129

# "domain:google.com",

2130

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

# ]

# },

# {

# "role": "roles/resourcemanager.organizationViewer",

2135

# "members": [

2136

# "user:eve@example.com"

2137

# ],

2138

# "condition": {

2139

# "title": "expirable access",

2140

# "description": "Does not grant access after Sep 2020",

2141

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

# }

# }

# ],

# "etag": "BwWWja0YfJA=",

# "version": 3

# }

#

# **YAML example:**

#

# bindings:

# - members:

# - user:mike@example.com

2154

# - group:admins@example.com

2155

# - domain:google.com

2156

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

2157

# role: roles/resourcemanager.organizationAdmin

2158

# - members:

2159

# - user:eve@example.com

2160

# role: roles/resourcemanager.organizationViewer

2161

# condition:

2162

# title: expirable access

2163

# description: Does not grant access after Sep 2020

2164

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

2165

# - etag: BwWWja0YfJA=

2166

# - version: 3

2167

#

2168

# For a description of IAM and its features, see the

2169

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2170

"version": 42, # Specifies the format of the policy.

2171

#

2172

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

2173

# are rejected.

2174

#

2175

# Any operation that affects conditional role bindings must specify version

2176

# `3`. This requirement applies to the following operations:

2177

#

2178

# * Getting a policy that includes a conditional role binding

2179

# * Adding a conditional role binding to a policy

2180

# * Changing a conditional role binding in a policy

2181

# * Removing any role binding, with or without a condition, from a policy

2182

# that includes conditions

2183

#

2184

# **Important:** If you use IAM Conditions, you must include the `etag` field

2185

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

2186

# you to overwrite a version `3` policy with a version `1` policy, and all of

2187

# the conditions in the version `3` policy are lost.

2188

#

2189

# If a policy does not include any conditions, operations on that policy may

2190

# specify any valid version or leave the field unset.

2191

#

2192

# To learn which resources support conditions in their IAM policies, see the

2193

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

2194

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

2195

{ # Specifies the audit configuration for a service.

2196

# The configuration determines which permission types are logged, and what

2197

# identities, if any, are exempted from logging.

2198

# An AuditConfig must have one or more AuditLogConfigs.

2199

#

2200

# If there are AuditConfigs for both `allServices` and a specific service,

2201

# the union of the two AuditConfigs is used for that service: the log_types

2202

# specified in each AuditConfig are enabled, and the exempted_members in each

2203

# AuditLogConfig are exempted.

2204

#

2205

# Example Policy with multiple AuditConfigs:

#

# {

# "audit_configs": [

# {

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2210

# "service": "allServices",

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2211

# "audit_log_configs": [

2212

# {

2213

# "log_type": "DATA_READ",

2214

# "exempted_members": [

2215

# "user:jose@example.com"

2216

# ]

2217

# },

2218

# {

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2219

# "log_type": "DATA_WRITE"

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2220

# },

2221

# {

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2222

# "log_type": "ADMIN_READ"

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

# }

# ]

# },

# {

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2227

# "service": "sampleservice.googleapis.com",

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2228

# "audit_log_configs": [

2229

# {

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2230

# "log_type": "DATA_READ"

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2231

# },

2232

# {

2233

# "log_type": "DATA_WRITE",

2234

# "exempted_members": [

2235

# "user:aliya@example.com"

# ]

# }

# ]

# }

# ]

# }

#

# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ

2244

# logging. It also exempts jose@example.com from DATA_READ logging, and

2245

# aliya@example.com from DATA_WRITE logging.

2246

"service": "A String", # Specifies a service that will be enabled for audit logging.

2247

# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.

2248

# `allServices` is a special value that covers all services.

2249

"auditLogConfigs": [ # The configuration for logging of each type of permission.

2250

{ # Provides the configuration for logging a type of permissions.

# Example:

#

# {

# "audit_log_configs": [

2255

# {

2256

# "log_type": "DATA_READ",

2257

# "exempted_members": [

2258

# "user:jose@example.com"

2259

# ]

2260

# },

2261

# {

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2262

# "log_type": "DATA_WRITE"

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

# }

# ]

# }

#

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting

2268

# jose@example.com from DATA_READ logging.

2269

"logType": "A String", # The log type that this config enables.

2270

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of

2271

# permission.

2272

# Follows the same format of Binding.members.

"A String",

],

},

],

},

],

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

2280

# `condition` that determines how and when the `bindings` are applied. Each

2281

# of the `bindings` must contain at least one member.

2282

{ # Associates `members` with a `role`.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2283

"role": "A String", # Role that is assigned to `members`.

2284

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2285

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

2286

# `members` can have the following values:

2287

#

2288

# * `allUsers`: A special identifier that represents anyone who is

2289

# on the internet; with or without a Google account.

2290

#

2291

# * `allAuthenticatedUsers`: A special identifier that represents anyone

2292

# who is authenticated with a Google account or a service account.

2293

#

2294

# * `user:{emailid}`: An email address that represents a specific Google

2295

# account. For example, `alice@example.com` .

2296

#

2297

#

2298

# * `serviceAccount:{emailid}`: An email address that represents a service

2299

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

2300

#

2301

# * `group:{emailid}`: An email address that represents a Google group.

2302

# For example, `admins@example.com`.

2303

#

2304

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

2305

# identifier) representing a user that has been recently deleted. For

2306

# example, `alice@example.com?uid=123456789012345678901`. If the user is

2307

# recovered, this value reverts to `user:{emailid}` and the recovered user

2308

# retains the role in the binding.

2309

#

2310

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

2311

# unique identifier) representing a service account that has been recently

2312

# deleted. For example,

2313

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

2314

# If the service account is undeleted, this value reverts to

2315

# `serviceAccount:{emailid}` and the undeleted service account retains the

2316

# role in the binding.

2317

#

2318

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

2319

# identifier) representing a Google group that has been recently

2320

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

2321

# the group is recovered, this value reverts to `group:{emailid}` and the

2322

# recovered group retains the role in the binding.

2323

#

2324

#

2325

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

2326

# users of that domain. For example, `google.com` or `example.com`.

2327

#

2328

"A String",

2329

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2330

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

2331

#

2332

# If the condition evaluates to `true`, then this binding applies to the

2333

# current request.

2334

#

2335

# If the condition evaluates to `false`, then this binding does not apply to

2336

# the current request. However, a different role binding might grant the same

2337

# role to one or more of the members in this binding.

2338

#

2339

# To learn which resources support conditions in their IAM policies, see the

2340

# [IAM

2341

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

2342

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

2343

# are documented at https://github.com/google/cel-spec.

2344

#

2345

# Example (Comparison):

2346

#

2347

# title: "Summary size limit"

2348

# description: "Determines if a summary is less than 100 chars"

2349

# expression: "document.summary.size() < 100"

2350

#

2351

# Example (Equality):

2352

#

2353

# title: "Requestor is owner"

2354

# description: "Determines if requestor is the document owner"

2355

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

2360

# description: "Determine whether the document should be publicly visible"

2361

# expression: "document.type != 'private' && document.type != 'internal'"

2362

#

2363

# Example (Data Manipulation):

2364

#

2365

# title: "Notification string"

2366

# description: "Create a notification string with a timestamp."

2367

# expression: "'New message received at ' + string(document.create_time)"

2368

#

2369

# The exact variables and functions that may be referenced within an expression

2370

# are determined by the service that evaluates it. See the service

2371

# documentation for additional information.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2372

"description": "A String", # Optional. Description of the expression. This is a longer text which

2373

# describes the expression, e.g. when hovered over it in a UI.

2374

"location": "A String", # Optional. String indicating the location of the expression for error

2375

# reporting, e.g. a file name and a position in the file.

2376

"expression": "A String", # Textual representation of an expression in Common Expression Language

2377

# syntax.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2378

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

2379

# its purpose. This can be used e.g. in UIs which allow to enter the

2380

# expression.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2381

},

2382

},

2383

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2384

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

2385

# prevent simultaneous updates of a policy from overwriting each other.

2386

# It is strongly suggested that systems make use of the `etag` in the

2387

# read-modify-write cycle to perform policy updates in order to avoid race

2388

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

2389

# systems are expected to put that etag in the request to `setIamPolicy` to

2390

# ensure that their change will be applied to the same version of the policy.

2391

#

2392

# **Important:** If you use IAM Conditions, you must include the `etag` field

2393

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

2394

# you to overwrite a version `3` policy with a version `1` policy, and all of

2395

# the conditions in the version `3` policy are lost.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2396

},

2397

},

2398

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2399

"nextPageToken": "A String", # Set if there are more results than those appearing in this response; to get

2400

# the next set of results, call this method again, using this value as the

2401

# `page_token`.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

}</pre>

</div>

<code class="details" id="searchAllIamPolicies_next">searchAllIamPolicies_next(previous_request, previous_response)</code>

2407

<pre>Retrieves the next page of results.

2408

2409

Args:

2410

previous_request: The request for the previous page. (required)

2411

previous_response: The response from the request for the previous page. (required)

2412

2413

Returns:

2414

A request object that you can call 'execute()' on to request the next

2415

page. Returns None if there are no more items in the collection.

</pre>

</div>

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2420

<code class="details" id="searchAllResources">searchAllResources(scope, orderBy=None, query=None, assetTypes=None, pageToken=None, pageSize=None, x__xgafv=None)</code>

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2421

<pre>Searches all the resources within the given accessible scope (e.g., a

2422

project, a folder or an organization). Callers should have

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2423

`cloud.assets.SearchAllResources` permission upon the requested scope,

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2424

otherwise the request will be rejected.

2425

2426

Args:

2427

scope: string, Required. A scope can be a project, a folder or an organization. The search is

2428

limited to the resources within the `scope`.

2429

2430

The allowed values are:

2431

2432

* projects/{PROJECT_ID}

2433

* projects/{PROJECT_NUMBER}

2434

* folders/{FOLDER_NUMBER}

2435

* organizations/{ORGANIZATION_NUMBER} (required)

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2436

orderBy: string, Optional. A comma separated list of fields specifying the sorting order of the

2437

results. The default order is ascending. Add " DESC" after the field name

2438

to indicate descending order. Redundant space characters are ignored.

2439

Example: "location DESC, name". Only string fields in the response are

2440

sortable, including `name`, `displayName`, `description`, `location`. All

2441

the other fields such as repeated fields (e.g., `networkTags`), map

2442

fields (e.g., `labels`) and struct fields (e.g., `additionalAttributes`)

2443

are not supported.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2444

query: string, Optional. The query statement. An empty query can be specified to search all the

2445

resources of certain `asset_types` within the given `scope`.

Examples:

* `name : "Important"` to find Cloud resources whose name contains

2450

"Important" as a word.

2451

* `displayName : "Impor*"` to find Cloud resources whose display name

2452

contains "Impor" as a word prefix.

2453

* `description : "*por*"` to find Cloud resources whose description

2454

contains "por" as a substring.

2455

* `location : "us-west*"` to find Cloud resources whose location is

2456

prefixed with "us-west".

2457

* `labels : "prod"` to find Cloud resources whose labels contain "prod" as

2458

a key or value.

2459

* `labels.env : "prod"` to find Cloud resources which have a label "env"

2460

and its value is "prod".

2461

* `labels.env : *` to find Cloud resources which have a label "env".

2462

* `"Important"` to find Cloud resources which contain "Important" as a word

2463

in any of the searchable fields.

2464

* `"Impor*"` to find Cloud resources which contain "Impor" as a word prefix

2465

in any of the searchable fields.

2466

* `"*por*"` to find Cloud resources which contain "por" as a substring in

2467

any of the searchable fields.

2468

* `("Important" AND location : ("us-west1" OR "global"))` to find Cloud

2469

resources which contain "Important" as a word in any of the searchable

2470

fields and are also located in the "us-west1" region or the "global"

2471

location.

2472

2473

See [how to construct a

2474

query](https://cloud.google.com/asset-inventory/docs/searching-resources#how_to_construct_a_query)

2475

for more details.

2476

assetTypes: string, Optional. A list of asset types that this request searches for. If empty, it will

2477

search all the [searchable asset

2478

types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types). (repeated)

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2479

pageToken: string, Optional. If present, then retrieve the next batch of results from the preceding call

2480

to this method. `page_token` must be the value of `next_page_token` from

2481

the previous response. The values of all other method parameters, must be

2482

identical to those in the previous call.

2483

pageSize: integer, Optional. The page size for search result pagination. Page size is capped at 500 even

2484

if a larger value is given. If set to zero, server will pick an appropriate

2485

default. Returned results may be fewer than requested. When this happens,

2486

there could be more results as long as `next_page_token` is returned.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2487

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

2494

2495

{ # Search all resources response.

2496

"nextPageToken": "A String", # If there are more results than those appearing in this response, then

2497

# `next_page_token` is included. To get the next set of results, call this

2498

# method again using the value of `next_page_token` as `page_token`.

2499

"results": [ # A list of Resources that match the search query. It contains the resource

2500

# standard metadata information.

2501

{ # A result of Resource Search, containing information of a cloud resoure.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2502

"networkTags": [ # Network tags associated with this resource. Like labels, network tags are a

2503

# type of annotations used to group GCP resources. See [Labelling GCP

2504

# resources](https://cloud.google.com/blog/products/gcp/labelling-and-grouping-your-google-cloud-platform-resources)

2505

# for more information.

2506

#

2507

# To search against the `network_tags`:

2508

#

2509

# * use a field query. Example: `networkTags : "internal"`

2510

# * use a free text query. Example: `"internal"`

2511

"A String",

2512

],

2513

"assetType": "A String", # The type of this resource. Example: `compute.googleapis.com/Disk`.

2514

#

2515

# To search against the `asset_type`:

2516

#

2517

# * specify the `asset_type` field in your search request.

2518

"displayName": "A String", # The display name of this resource.

2519

#

2520

# To search against the `display_name`:

2521

#

2522

# * use a field query. Example: `displayName : "My Instance"`

2523

# * use a free text query. Example: `"My Instance"`

2524

"name": "A String", # The full resource name of this resource. Example:

2525

# `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`.

2526

# See [Cloud Asset Inventory Resource Name

2527

# Format](https://cloud.google.com/asset-inventory/docs/resource-name-format)

2528

# for more information.

2529

#

2530

# To search against the `name`:

2531

#

2532

# * use a field query. Example: `name : "instance1"`

2533

# * use a free text query. Example: `"instance1"`

2534

"description": "A String", # One or more paragraphs of text description of this resource. Maximum length

2535

# could be up to 1M bytes.

2536

#

2537

# To search against the `description`:

2538

#

2539

# * use a field query. Example: `description : "*important instance*"`

2540

# * use a free text query. Example: `"*important instance*"`

2541

"project": "A String", # The project that this resource belongs to, in the form of

2542

# projects/{PROJECT_NUMBER}.

2543

#

2544

# To search against the `project`:

2545

#

2546

# * specify the `scope` field as this project in your search request.

2547

"location": "A String", # Location can be `global`, regional like `us-east1`, or zonal like

2548

# `us-west1-b`.

2549

#

2550

# To search against the `location`:

2551

#

2552

# * use a field query. Example: `location : "us-west*"`

2553

# * use a free text query. Example: `"us-west*"`

2554

"additionalAttributes": { # The additional attributes of this resource. The attributes may vary from

2555

# one resource type to another. Examples: `projectId` for Project,

2556

# `dnsName` for DNS ManagedZone. This field contains a subset of the resource

2557

# metadata fields that are returned by the List or Get APIs provided by the

2558

# corresponding GCP service (e.g., Compute Engine). see [API

2559

# references](https://cloud.google.com/asset-inventory/docs/supported-asset-types#supported_resource_types)

2560

# of CAIS supported resource types. You can search values of these fields

2561

# through free text search. However, you should not consume the field

2562

# programically as the field names and values may change as the GCP service

2563

# (e.g., Compute Engine) updates to a new incompatible API version.

2564

#

2565

# To search against the `additional_attributes`:

2566

#

2567

# * use a free text query to match the attributes values. Example: to search

2568

# `additional_attributes = { dnsName: "foobar" }`, you can issue a query

2569

# `"foobar"`.

2570

"a_key": "", # Properties of the object.

2571

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2572

"labels": { # Labels associated with this resource. See [Labelling and grouping GCP

2573

# resources](https://cloud.google.com/blog/products/gcp/labelling-and-grouping-your-google-cloud-platform-resources)

2574

# for more information.

2575

#

2576

# To search against the `labels`:

2577

#

2578

# * use a field query, as following:

2579

# - query on any label's key or value. Example: `labels : "prod"`

2580

# - query by a given label. Example: `labels.env : "prod"`

2581

# - query by a given label'sexistence. Example: `labels.env : *`

2582

# * use a free text query. Example: `"prod"`

2583

"a_key": "A String",

2584

},

Bu Sun Kim