<html><body>
<style>

body, h1, h2, h3, div, span, p, pre, a {
  margin: 0;
  padding: 0;
  border: 0;
  font-weight: inherit;
  font-style: inherit;
  font-size: 100%;
  font-family: inherit;
  vertical-align: baseline;
}

body {
  font-size: 13px;
  padding: 1em;
}

h1 {
  font-size: 26px;
  margin-bottom: 1em;
}

h2 {
  font-size: 24px;
  margin-bottom: 1em;
}

h3 {
  font-size: 20px;
  margin-bottom: 1em;
  margin-top: 1em;
}

pre, code {
  line-height: 1.5;
  font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
}

pre {
  margin-top: 0.5em;
}

h1, h2, h3, p {
  font-family: Arial, sans-serif;
}

h1, h2, h3 {
  border-bottom: solid #CCC 1px;
}

.toc_element {
  margin-top: 0.5em;
}

.firstline {
  margin-left: 2em;
}

.method {
  margin-top: 1em;
  border: solid 1px #CCC;
  padding: 1em;
  background: #EEE;
}

.details {
  font-weight: bold;
  font-size: 14px;
}

</style>

<h1><a href="cloudasset_v1.html">Cloud Asset API</a> . <a href="cloudasset_v1.v1.html">v1</a></h1>
<h2>Instance Methods</h2>
<p class="toc_element">
  <code><a href="#batchGetAssetsHistory">batchGetAssetsHistory(parent, assetNames=None, contentType=None, readTimeWindow_endTime=None, readTimeWindow_startTime=None, x__xgafv=None)</a></code></p>
<p class="firstline">Batch gets the update history of assets that overlap a time window.</p>
<p class="toc_element">
  <code><a href="#exportAssets">exportAssets(parent, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Exports assets with time and resource types to a given Cloud Storage</p>
<p class="toc_element">
  <code><a href="#searchAllIamPolicies">searchAllIamPolicies(scope, query=None, pageToken=None, pageSize=None, x__xgafv=None)</a></code></p>
<p class="firstline">Searches all the IAM policies within the given accessible scope (e.g., a</p>
<p class="toc_element">
  <code><a href="#searchAllIamPolicies_next">searchAllIamPolicies_next(previous_request, previous_response)</a></code></p>
<p class="firstline">Retrieves the next page of results.</p>
<p class="toc_element">
  <code><a href="#searchAllResources">searchAllResources(scope, orderBy=None, query=None, assetTypes=None, pageToken=None, pageSize=None, x__xgafv=None)</a></code></p>
<p class="firstline">Searches all the resources within the given accessible scope (e.g., a</p>
<p class="toc_element">
  <code><a href="#searchAllResources_next">searchAllResources_next(previous_request, previous_response)</a></code></p>
<p class="firstline">Retrieves the next page of results.</p>
<h3>Method Details</h3>
<div class="method">
    <code class="details" id="batchGetAssetsHistory">batchGetAssetsHistory(parent, assetNames=None, contentType=None, readTimeWindow_endTime=None, readTimeWindow_startTime=None, x__xgafv=None)</code>
  <pre>Batch gets the update history of assets that overlap a time window.
For IAM_POLICY content, this API outputs history when the asset and its
attached IAM POLICY both exist. This can create gaps in the output history.
Otherwise, this API outputs history with the asset in both non-deleted and
deleted status.
If a specified asset does not exist, this API returns an INVALID_ARGUMENT
error.

Args:
  parent: string, Required. The relative name of the root asset. It can only be an
organization number (such as &quot;organizations/123&quot;), a project ID (such as
&quot;projects/my-project-id&quot;), or a project number (such as &quot;projects/12345&quot;). (required)
  assetNames: string, A list of the full names of the assets.
See: https://cloud.google.com/asset-inventory/docs/resource-name-format
Example:

`//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`.

The request becomes a no-op if the asset name list is empty, and the max
size of the asset name list is 100 in one request. (repeated)
  contentType: string, Optional. The content type.
  readTimeWindow_endTime: string, End time of the time window (inclusive). If not specified, the current
timestamp is used instead.
  readTimeWindow_startTime: string, Start time of the time window (exclusive).
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Batch get assets history response.
      &quot;assets&quot;: [ # A list of assets with valid time windows.
        { # An asset in Google Cloud and its temporal metadata, including the time window
            # when it was observed and its status during that window.
          &quot;deleted&quot;: True or False, # Whether the asset has been deleted or not.
          &quot;priorAsset&quot;: { # Prior copy of the asset. Populated if prior_asset_state is PRESENT.
              # Currently this is only set for responses in Real-Time Feed.
              #
              # An asset in Google Cloud. An asset can be any resource in the Google Cloud
              # [resource
              # hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy),
              # a resource outside the Google Cloud resource hierarchy (such as Google
              # Kubernetes Engine clusters and objects), or a policy (e.g. Cloud IAM policy).
              # See [Supported asset
              # types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
              # for more information.
            &quot;iamPolicy&quot;: { # A representation of the Cloud IAM policy set on a Google Cloud resource.
                # There can be a maximum of one Cloud IAM policy set on any given resource.
                # In addition, Cloud IAM policies inherit their granted access scope from any
                # policies set on parent resources in the resource hierarchy. Therefore, the
                # effective policy is the union of both the policy set on this resource
                # and each policy set on all of the resource&#x27;s ancestry resource levels in
                # the hierarchy. See
                # [this topic](https://cloud.google.com/iam/docs/policies#inheritance) for
                # more information.
                #
                # An Identity and Access Management (IAM) policy, which specifies access
                # controls for Google Cloud resources.
                #
                # A `Policy` is a collection of `bindings`. A `binding` binds one or more
                # `members` to a single `role`. Members can be user accounts, service accounts,
                # Google groups, and domains (such as G Suite). A `role` is a named list of
                # permissions; each `role` can be an IAM predefined role or a user-created
                # custom role.
                #
                # For some types of Google Cloud resources, a `binding` can also specify a
                # `condition`, which is a logical expression that allows access to a resource
                # only if the expression evaluates to `true`. A condition can add constraints
                # based on attributes of the request, the resource, or both. To learn which
                # resources support conditions in their IAM policies, see the
                # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
                #
                # **JSON example:**
                #
                #     {
                #       &quot;bindings&quot;: [
                #         {
                #           &quot;role&quot;: &quot;roles/resourcemanager.organizationAdmin&quot;,
                #           &quot;members&quot;: [
                #             &quot;user:mike@example.com&quot;,
                #             &quot;group:admins@example.com&quot;,
                #             &quot;domain:google.com&quot;,
                #             &quot;serviceAccount:my-project-id@appspot.gserviceaccount.com&quot;
                #           ]
                #         },
                #         {
                #           &quot;role&quot;: &quot;roles/resourcemanager.organizationViewer&quot;,
                #           &quot;members&quot;: [
                #             &quot;user:eve@example.com&quot;
                #           ],
                #           &quot;condition&quot;: {
                #             &quot;title&quot;: &quot;expirable access&quot;,
                #             &quot;description&quot;: &quot;Does not grant access after Sep 2020&quot;,
                #             &quot;expression&quot;: &quot;request.time &lt; timestamp(&#x27;2020-10-01T00:00:00.000Z&#x27;)&quot;
                #           }
                #         }
                #       ],
                #       &quot;etag&quot;: &quot;BwWWja0YfJA=&quot;,
                #       &quot;version&quot;: 3
                #     }
                #
                # **YAML example:**
                #
                #     bindings:
                #     - members:
                #       - user:mike@example.com
                #       - group:admins@example.com
                #       - domain:google.com
                #       - serviceAccount:my-project-id@appspot.gserviceaccount.com
                #       role: roles/resourcemanager.organizationAdmin
                #     - members:
                #       - user:eve@example.com
                #       role: roles/resourcemanager.organizationViewer
                #       condition:
                #         title: expirable access
                #         description: Does not grant access after Sep 2020
                #         expression: request.time &lt; timestamp(&#x27;2020-10-01T00:00:00.000Z&#x27;)
                #     etag: BwWWja0YfJA=
                #     version: 3
                #
                # For a description of IAM and its features, see the
                # [IAM documentation](https://cloud.google.com/iam/docs/).
              &quot;version&quot;: 42, # Specifies the format of the policy.
                  #
                  # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
                  # are rejected.
                  #
                  # Any operation that affects conditional role bindings must specify version
                  # `3`. This requirement applies to the following operations:
                  #
                  # * Getting a policy that includes a conditional role binding
                  # * Adding a conditional role binding to a policy
                  # * Changing a conditional role binding in a policy
                  # * Removing any role binding, with or without a condition, from a policy
                  #   that includes conditions
                  #
                  # **Important:** If you use IAM Conditions, you must include the `etag` field
                  # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
                  # you to overwrite a version `3` policy with a version `1` policy, and all of
                  # the conditions in the version `3` policy are lost.
                  #
                  # If a policy does not include any conditions, operations on that policy may
                  # specify any valid version or leave the field unset.
                  #
                  # To learn which resources support conditions in their IAM policies, see the
                  # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
              &quot;auditConfigs&quot;: [ # Specifies cloud audit logging configuration for this policy.
                { # Specifies the audit configuration for a service.
                    # The configuration determines which permission types are logged, and what
                    # identities, if any, are exempted from logging.
                    # An AuditConfig must have one or more AuditLogConfigs.
                    #
                    # If there are AuditConfigs for both `allServices` and a specific service,
                    # the union of the two AuditConfigs is used for that service: the log_types
                    # specified in each AuditConfig are enabled, and the exempted_members in each
                    # AuditLogConfig are exempted.
                    #
                    # Example Policy with multiple AuditConfigs:
                    #
                    #     {
                    #       &quot;audit_configs&quot;: [
                    #         {
                    #           &quot;service&quot;: &quot;allServices&quot;,
                    #           &quot;audit_log_configs&quot;: [
                    #             {
                    #               &quot;log_type&quot;: &quot;DATA_READ&quot;,
                    #               &quot;exempted_members&quot;: [
                    #                 &quot;user:jose@example.com&quot;
                    #               ]
                    #             },
                    #             {
                    #               &quot;log_type&quot;: &quot;DATA_WRITE&quot;
                    #             },
                    #             {
                    #               &quot;log_type&quot;: &quot;ADMIN_READ&quot;
                    #             }
                    #           ]
                    #         },
                    #         {
                    #           &quot;service&quot;: &quot;sampleservice.googleapis.com&quot;,
                    #           &quot;audit_log_configs&quot;: [
                    #             {
                    #               &quot;log_type&quot;: &quot;DATA_READ&quot;
                    #             },
                    #             {
                    #               &quot;log_type&quot;: &quot;DATA_WRITE&quot;,
                    #               &quot;exempted_members&quot;: [
                    #                 &quot;user:aliya@example.com&quot;
                    #               ]
                    #             }
                    #           ]
                    #         }
                    #       ]
                    #     }
                    #
                    # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
                    # logging. It also exempts jose@example.com from DATA_READ logging, and
                    # aliya@example.com from DATA_WRITE logging.
                  &quot;service&quot;: &quot;A String&quot;, # Specifies a service that will be enabled for audit logging.
                      # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
                      # `allServices` is a special value that covers all services.
                  &quot;auditLogConfigs&quot;: [ # The configuration for logging of each type of permission.
                    { # Provides the configuration for logging a type of permissions.
                        # Example:
                        #
                        #     {
                        #       &quot;audit_log_configs&quot;: [
                        #         {
                        #           &quot;log_type&quot;: &quot;DATA_READ&quot;,
                        #           &quot;exempted_members&quot;: [
                        #             &quot;user:jose@example.com&quot;
                        #           ]
                        #         },
                        #         {
                        #           &quot;log_type&quot;: &quot;DATA_WRITE&quot;
                        #         }
                        #       ]
                        #     }
                        #
                        # This enables &#x27;DATA_READ&#x27; and &#x27;DATA_WRITE&#x27; logging, while exempting
                        # jose@example.com from DATA_READ logging.
                      &quot;logType&quot;: &quot;A String&quot;, # The log type that this config enables.
                      &quot;exemptedMembers&quot;: [ # Specifies the identities that do not cause logging for this type of
                          # permission.
                          # Follows the same format of Binding.members.
                        &quot;A String&quot;,
                      ],
                    },
                  ],
                },
              ],
              &quot;bindings&quot;: [ # Associates a list of `members` to a `role`. Optionally, may specify a
                  # `condition` that determines how and when the `bindings` are applied. Each
                  # of the `bindings` must contain at least one member.
                { # Associates `members` with a `role`.
                  &quot;role&quot;: &quot;A String&quot;, # Role that is assigned to `members`.
                      # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
                  &quot;members&quot;: [ # Specifies the identities requesting access for a Cloud Platform resource.
                      # `members` can have the following values:
                      #
                      # * `allUsers`: A special identifier that represents anyone who is
                      #    on the internet; with or without a Google account.
                      #
                      # * `allAuthenticatedUsers`: A special identifier that represents anyone
                      #    who is authenticated with a Google account or a service account.
                      #
                      # * `user:{emailid}`: An email address that represents a specific Google
                      #    account. For example, `alice@example.com`.
                      #
                      # * `serviceAccount:{emailid}`: An email address that represents a service
                      #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
                      #
                      # * `group:{emailid}`: An email address that represents a Google group.
                      #    For example, `admins@example.com`.
                      #
                      # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
                      #    identifier) representing a user that has been recently deleted. For
                      #    example, `alice@example.com?uid=123456789012345678901`. If the user is
                      #    recovered, this value reverts to `user:{emailid}` and the recovered user
                      #    retains the role in the binding.
                      #
                      # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
                      #    unique identifier) representing a service account that has been recently
                      #    deleted. For example,
                      #    `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
                      #    If the service account is undeleted, this value reverts to
                      #    `serviceAccount:{emailid}` and the undeleted service account retains the
                      #    role in the binding.
                      #
                      # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
                      #    identifier) representing a Google group that has been recently
                      #    deleted. For example, `admins@example.com?uid=123456789012345678901`. If
                      #    the group is recovered, this value reverts to `group:{emailid}` and the
                      #    recovered group retains the role in the binding.
                      #
                      # * `domain:{domain}`: The G Suite domain (primary) that represents all the
                      #    users of that domain. For example, `google.com` or `example.com`.
                      #
                    &quot;A String&quot;,
                  ],
                  &quot;condition&quot;: { # The condition that is associated with this binding.
                      #
                      # If the condition evaluates to `true`, then this binding applies to the
                      # current request.
                      #
                      # If the condition evaluates to `false`, then this binding does not apply to
                      # the current request. However, a different role binding might grant the same
                      # role to one or more of the members in this binding.
                      #
                      # To learn which resources support conditions in their IAM policies, see the
                      # [IAM
                      # documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
                      #
                      # Represents a textual expression in the Common Expression Language (CEL)
                      # syntax. CEL is a C-like expression language. The syntax and semantics of CEL
                      # are documented at https://github.com/google/cel-spec.
                      #
                      # Example (Comparison):
                      #
                      #     title: &quot;Summary size limit&quot;
                      #     description: &quot;Determines if a summary is less than 100 chars&quot;
                      #     expression: &quot;document.summary.size() &lt; 100&quot;
                      #
                      # Example (Equality):
                      #
                      #     title: &quot;Requestor is owner&quot;
                      #     description: &quot;Determines if requestor is the document owner&quot;
                      #     expression: &quot;document.owner == request.auth.claims.email&quot;
                      #
                      # Example (Logic):
                      #
                      #     title: &quot;Public documents&quot;
                      #     description: &quot;Determine whether the document should be publicly visible&quot;
                      #     expression: &quot;document.type != &#x27;private&#x27; &amp;&amp; document.type != &#x27;internal&#x27;&quot;
                      #
                      # Example (Data Manipulation):
                      #
                      #     title: &quot;Notification string&quot;
                      #     description: &quot;Create a notification string with a timestamp.&quot;
                      #     expression: &quot;&#x27;New message received at &#x27; + string(document.create_time)&quot;
                      #
                      # The exact variables and functions that may be referenced within an expression
                      # are determined by the service that evaluates it. See the service
                      # documentation for additional information.
                    &quot;description&quot;: &quot;A String&quot;, # Optional. Description of the expression. This is a longer text which
                        # describes the expression, e.g. when hovered over it in a UI.
                    &quot;location&quot;: &quot;A String&quot;, # Optional. String indicating the location of the expression for error
                        # reporting, e.g. a file name and a position in the file.
                    &quot;expression&quot;: &quot;A String&quot;, # Textual representation of an expression in Common Expression Language
                        # syntax.
                    &quot;title&quot;: &quot;A String&quot;, # Optional. Title for the expression, i.e. a short string describing
                        # its purpose. This can be used e.g. in UIs which allow to enter the
                        # expression.
                  },
                },
              ],
              &quot;etag&quot;: &quot;A String&quot;, # `etag` is used for optimistic concurrency control as a way to help
                  # prevent simultaneous updates of a policy from overwriting each other.
                  # It is strongly suggested that systems make use of the `etag` in the
                  # read-modify-write cycle to perform policy updates in order to avoid race
                  # conditions: An `etag` is returned in the response to `getIamPolicy`, and
                  # systems are expected to put that etag in the request to `setIamPolicy` to
                  # ensure that their change will be applied to the same version of the policy.
                  #
                  # **Important:** If you use IAM Conditions, you must include the `etag` field
                  # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
                  # you to overwrite a version `3` policy with a version `1` policy, and all of
                  # the conditions in the version `3` policy are lost.
            },
            &quot;assetType&quot;: &quot;A String&quot;, # The type of the asset. Example: `compute.googleapis.com/Disk`
                #
                # See [Supported asset
                # types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
                # for more information.
            &quot;ancestors&quot;: [ # The ancestry path of an asset in Google Cloud [resource
                # hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy),
                # represented as a list of relative resource names. An ancestry path starts
                # with the closest ancestor in the hierarchy and ends at root. If the asset
                # is a project, folder, or organization, the ancestry path starts from the
                # asset itself.
                #
                # Example: `[&quot;projects/123456789&quot;, &quot;folders/5432&quot;, &quot;organizations/1234&quot;]`
              &quot;A String&quot;,
            ],
            &quot;resource&quot;: { # A representation of the resource.
                #
                # A representation of a Google Cloud resource.
              &quot;resourceUrl&quot;: &quot;A String&quot;, # The REST URL for accessing the resource. An HTTP `GET` request using this
                  # URL returns the resource itself. Example:
                  # `https://cloudresourcemanager.googleapis.com/v1/projects/my-project-123`
                  #
                  # This value is unspecified for resources without a REST API.
              &quot;discoveryName&quot;: &quot;A String&quot;, # The JSON schema name listed in the discovery document. Example:
                  # `Project`
                  #
                  # This value is unspecified for resources that do not have an API based on a
                  # discovery document, such as Cloud Bigtable.
              &quot;discoveryDocumentUri&quot;: &quot;A String&quot;, # The URL of the discovery document containing the resource&#x27;s JSON schema.
                  # Example:
                  # `https://www.googleapis.com/discovery/v1/apis/compute/v1/rest`
                  #
                  # This value is unspecified for resources that do not have an API based on a
                  # discovery document, such as Cloud Bigtable.
              &quot;data&quot;: { # The content of the resource, in which some sensitive fields are removed
                  # and may not be present.
                &quot;a_key&quot;: &quot;&quot;, # Properties of the object.
              },
              &quot;version&quot;: &quot;A String&quot;, # The API version. Example: `v1`
              &quot;parent&quot;: &quot;A String&quot;, # The full name of the immediate parent of this resource. See
                  # [Resource
                  # Names](https://cloud.google.com/apis/design/resource_names#full_resource_name)
                  # for more information.
                  #
                  # For Google Cloud assets, this value is the parent resource defined in the
                  # [Cloud IAM policy
                  # hierarchy](https://cloud.google.com/iam/docs/overview#policy_hierarchy).
                  # Example:
                  # `//cloudresourcemanager.googleapis.com/projects/my_project_123`
                  #
                  # For third-party assets, this field may be set differently.
              &quot;location&quot;: &quot;A String&quot;, # The location of the resource in Google Cloud, such as its zone and region.
                  # For more information, see https://cloud.google.com/about/locations/.
            },
            &quot;accessPolicy&quot;: { # Please also refer to the [access policy user
                # guide](https://cloud.google.com/access-context-manager/docs/overview#access-policies).
                #
                # `AccessPolicy` is a container for `AccessLevels` (which define the necessary
                # attributes to use Google Cloud services) and `ServicePerimeters` (which
                # define regions of services able to freely pass data within a perimeter). An
                # access policy is globally visible within an organization, and the
                # restrictions it specifies apply to all projects within an organization.
              &quot;parent&quot;: &quot;A String&quot;, # Required. The parent of this `AccessPolicy` in the Cloud Resource
                  # Hierarchy. Currently immutable once created. Format:
                  # `organizations/{organization_id}`
              &quot;title&quot;: &quot;A String&quot;, # Required. Human readable title. Does not affect behavior.
              &quot;name&quot;: &quot;A String&quot;, # Output only. Resource name of the `AccessPolicy`. Format:
                  # `accessPolicies/{policy_id}`
              &quot;etag&quot;: &quot;A String&quot;, # Output only. An opaque identifier for the current version of the
                  # `AccessPolicy`. This will always be a strongly validated etag, meaning that
                  # two Access Policies will be identical if and only if their etags are
                  # identical. Clients should not expect this to be in any specific format.
            },
            &quot;accessLevel&quot;: { # Please also refer to the [access level user
                # guide](https://cloud.google.com/access-context-manager/docs/overview#access-levels).
                #
                # An `AccessLevel` is a label that can be applied to requests to Google Cloud
                # services, along with a list of requirements necessary for the label to be
                # applied.
              &quot;description&quot;: &quot;A String&quot;, # Description of the `AccessLevel` and its use. Does not affect behavior.
              &quot;basic&quot;: { # A `BasicLevel` composed of `Conditions`.
                  #
                  # `BasicLevel` is an `AccessLevel` using a set of recommended features.
                &quot;combiningFunction&quot;: &quot;A String&quot;, # How the `conditions` list should be combined to determine if a request is
                    # granted this `AccessLevel`. If AND is used, each `Condition` in
                    # `conditions` must be satisfied for the `AccessLevel` to be applied. If OR
                    # is used, at least one `Condition` in `conditions` must be satisfied for the
                    # `AccessLevel` to be applied. Default behavior is AND.
                &quot;conditions&quot;: [ # Required. A list of requirements for the `AccessLevel` to be granted.
                  { # A condition necessary for an `AccessLevel` to be granted. The Condition is an
                      # AND over its fields. So a Condition is true if: 1) the request IP is from one
                      # of the listed subnetworks AND 2) the originating device complies with the
                      # listed device policy AND 3) all listed access levels are granted AND 4) the
                      # request was sent at a time allowed by the DateTimeRestriction.
                    &quot;requiredAccessLevels&quot;: [ # A list of other access levels defined in the same `Policy`, referenced by
                        # resource name. Referencing an `AccessLevel` which does not exist is an
                        # error. All access levels listed must be granted for the Condition
                        # to be true. Example:
                        # `&quot;accessPolicies/MY_POLICY/accessLevels/LEVEL_NAME&quot;`
                      &quot;A String&quot;,
                    ],
                    &quot;devicePolicy&quot;: { # Device specific restrictions, all restrictions must hold for the
                        # Condition to be true. If not specified, all devices are allowed.
                        #
                        # `DevicePolicy` specifies device specific restrictions necessary to acquire a
                        # given access level. A `DevicePolicy` specifies requirements for requests from
                        # devices to be granted access levels, it does not do any enforcement on the
                        # device. `DevicePolicy` acts as an AND over all specified fields, and each
                        # repeated field is an OR over its elements. Any unset fields are ignored. For
                        # example, if the proto is { os_type : DESKTOP_WINDOWS, os_type :
                        # DESKTOP_LINUX, encryption_status: ENCRYPTED}, then the DevicePolicy will be
                        # true for requests originating from encrypted Linux desktops and encrypted
                        # Windows desktops.
                      &quot;requireScreenlock&quot;: True or False, # Whether or not screenlock is required for the DevicePolicy to be true.
                          # Defaults to `false`.
                      &quot;osConstraints&quot;: [ # Allowed OS versions, an empty list allows all types and all versions.
                        { # A restriction on the OS type and version of devices making requests.
                          &quot;osType&quot;: &quot;A String&quot;, # Required. The allowed OS type.
                          &quot;minimumVersion&quot;: &quot;A String&quot;, # The minimum allowed OS version. If not set, any version of this OS
                              # satisfies the constraint. Format: `&quot;major.minor.patch&quot;`.
                              # Examples: `&quot;10.5.301&quot;`, `&quot;9.2.1&quot;`.
                          &quot;requireVerifiedChromeOs&quot;: True or False, # Only allows requests from devices with a verified Chrome OS.
                              # Verification includes requirements that the device is enterprise-managed,
                              # conformant to domain policies, and the caller has permission to call
                              # the API targeted by the request.
                        },
                      ],
                      &quot;requireAdminApproval&quot;: True or False, # Whether the device needs to be approved by the customer admin.
                      &quot;allowedDeviceManagementLevels&quot;: [ # Allowed device management levels, an empty list allows all management
                          # levels.
                        &quot;A String&quot;,
                      ],
                      &quot;requireCorpOwned&quot;: True or False, # Whether the device needs to be corp owned.
                      &quot;allowedEncryptionStatuses&quot;: [ # Allowed encryption statuses, an empty list allows all statuses.
                        &quot;A String&quot;,
                      ],
                    },
                    &quot;members&quot;: [ # The request must be made by one of the provided user or service
                        # accounts. Groups are not supported.
                        # Syntax:
                        # `user:{emailid}`
                        # `serviceAccount:{emailid}`
                        # If not specified, a request may come from any user.
                      &quot;A String&quot;,
                    ],
                    &quot;regions&quot;: [ # The request must originate from one of the provided countries/regions.
                        # Must be valid ISO 3166-1 alpha-2 codes.
                      &quot;A String&quot;,
                    ],
                    &quot;ipSubnetworks&quot;: [ # CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for
                        # a CIDR IP address block, the specified IP address portion must be properly
                        # truncated (i.e. all the host bits must be zero) or the input is considered
                        # malformed. For example, &quot;192.0.2.0/24&quot; is accepted but &quot;192.0.2.1/24&quot; is
                        # not. Similarly, for IPv6, &quot;2001:db8::/32&quot; is accepted whereas
                        # &quot;2001:db8::1/32&quot; is not. The originating IP of a request must be in one of
                        # the listed subnets in order for this Condition to be true. If empty, all IP
                        # addresses are allowed.
                      &quot;A String&quot;,
                    ],
                    &quot;negate&quot;: True or False, # Whether to negate the Condition. If true, the Condition becomes a NAND over
                        # its non-empty fields, each field must be false for the Condition overall to
                        # be satisfied. Defaults to false.
                  },
                ],
              },
601 &quot;name&quot;: &quot;A String&quot;, # Required. Resource name for the Access Level. The `short_name` component
602 # must begin with a letter and only include alphanumeric and &#x27;_&#x27;. Format:
603 # `accessPolicies/{policy_id}/accessLevels/{short_name}`. The maximum length
604 # of the `short_name` component is 50 characters.
605 &quot;custom&quot;: { # `CustomLevel` is an `AccessLevel` using the Cloud Common Expression Language # A `CustomLevel` written in the Common Expression Language.
606 # to represent the necessary conditions for the level to apply to a request.
607 # See CEL spec at: https://github.com/google/cel-spec
608 &quot;expr&quot;: { # Required. A Cloud CEL expression evaluating to a boolean.
609 # Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL
610 # are documented at https://github.com/google/cel-spec.
611 #
612 # Example (Comparison):
613 #
614 # title: &quot;Summary size limit&quot;
615 # description: &quot;Determines if a summary is less than 100 chars&quot;
616 # expression: &quot;document.summary.size() &lt; 100&quot;
617 #
618 # Example (Equality):
619 #
620 # title: &quot;Requestor is owner&quot;
621 # description: &quot;Determines if requestor is the document owner&quot;
622 # expression: &quot;document.owner == request.auth.claims.email&quot;
623 #
624 # Example (Logic):
625 #
626 # title: &quot;Public documents&quot;
627 # description: &quot;Determine whether the document should be publicly visible&quot;
628 # expression: &quot;document.type != &#x27;private&#x27; &amp;&amp; document.type != &#x27;internal&#x27;&quot;
629 #
630 # Example (Data Manipulation):
631 #
632 # title: &quot;Notification string&quot;
633 # description: &quot;Create a notification string with a timestamp.&quot;
634 # expression: &quot;&#x27;New message received at &#x27; + string(document.create_time)&quot;
635 #
636 # The exact variables and functions that may be referenced within an expression
637 # are determined by the service that evaluates it. See the service
638 # documentation for additional information.
639 &quot;description&quot;: &quot;A String&quot;, # Optional. Description of the expression. This is a longer text which
640 # describes the expression, e.g. when hovered over it in a UI.
641 &quot;location&quot;: &quot;A String&quot;, # Optional. String indicating the location of the expression for error
642 # reporting, e.g. a file name and a position in the file.
643 &quot;expression&quot;: &quot;A String&quot;, # Textual representation of an expression in Common Expression Language
644 # syntax.
645 &quot;title&quot;: &quot;A String&quot;, # Optional. Title for the expression, i.e. a short string describing
646 # its purpose. This can be used e.g. in UIs which allow to enter the
647 # expression.
648 },
649 },
650 &quot;title&quot;: &quot;A String&quot;, # Human readable title. Must be unique within the Policy.
651 },
652 &quot;orgPolicy&quot;: [ # A representation of an [organization
653 # policy](https://cloud.google.com/resource-manager/docs/organization-policy/overview#organization_policy).
654 # There can be more than one organization policy with different constraints
655 # set on a given resource.
656 { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
657 # for configurations of Cloud Platform resources.
658 &quot;etag&quot;: &quot;A String&quot;, # An opaque tag indicating the current version of the `Policy`, used for
659 # concurrency control.
660 #
661 # When the `Policy` is returned from either a `GetPolicy` or a
662 # `ListOrgPolicy` request, this `etag` indicates the version of the current
663 # `Policy` to use when executing a read-modify-write loop.
664 #
665 # When the `Policy` is returned from a `GetEffectivePolicy` request, the
666 # `etag` will be unset.
667 #
668 # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
669 # that was returned from a `GetOrgPolicy` request as part of a
670 # read-modify-write loop for concurrency control. Not setting the `etag` in a
671 # `SetOrgPolicy` request will result in an unconditional write of the
672 # `Policy`.
673 &quot;version&quot;: 42, # Version of the `Policy`. Default version is 0;
674 &quot;restoreDefault&quot;: { # Restores the default behavior of the constraint; independent of `Constraint` type.
675 # Ignores policies set above this resource and restores the
676 # `constraint_default` enforcement behavior of the specific `Constraint` at
677 # this resource.
678 #
679 # Suppose that `constraint_default` is set to `ALLOW` for the
680 # `Constraint` `constraints/serviceuser.services`. Suppose that organization
681 # foo.com sets a `Policy` at their Organization resource node that restricts
682 # the allowed service activations to deny all service activations. They
683 # could then set a `Policy` with the `policy_type` `restore_default` on
684 # several experimental projects, restoring the `constraint_default`
685 # enforcement of the `Constraint` for only those projects, allowing those
686 # projects to have all services activated.
687 },
688 &quot;updateTime&quot;: &quot;A String&quot;, # The time stamp the `Policy` was previously updated. This is set by the
689 # server, not specified by the caller, and represents the last time a call to
690 # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
691 # be ignored.
692 &quot;constraint&quot;: &quot;A String&quot;, # The name of the `Constraint` the `Policy` is configuring, for example,
693 # `constraints/serviceuser.services`.
694 #
695 # A [list of available
696 # constraints](/resource-manager/docs/organization-policy/org-policy-constraints)
697 # is available.
698 #
699 # Immutable after creation.
700 &quot;booleanPolicy&quot;: { # For boolean `Constraints`, whether to enforce the `Constraint` or not.
701 # Used in `policy_type` to specify how `boolean_policy` will behave at this resource.
702 &quot;enforced&quot;: True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
703 # configuration is acceptable.
704 #
705 # Suppose you have a `Constraint`
706 # `constraints/compute.disableSerialPortAccess` with `constraint_default`
707 # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
708 # behavior:
709 # - If the `Policy` at this resource has enforced set to `false`, serial
710 # port connection attempts will be allowed.
711 # - If the `Policy` at this resource has enforced set to `true`, serial
712 # port connection attempts will be refused.
713 # - If the `Policy` at this resource is `RestoreDefault`, serial port
714 # connection attempts will be allowed.
715 # - If no `Policy` is set at this resource or anywhere higher in the
716 # resource hierarchy, serial port connection attempts will be allowed.
717 # - If no `Policy` is set at this resource, but one exists higher in the
718 # resource hierarchy, the behavior is as if the `Policy` were set at
719 # this resource.
720 #
721 # The following examples demonstrate the different possible layerings:
722 #
723 # Example 1 (nearest `Constraint` wins):
724 # `organizations/foo` has a `Policy` with:
725 # {enforced: false}
726 # `projects/bar` has no `Policy` set.
727 # The constraint at `projects/bar` and `organizations/foo` will not be
728 # enforced.
729 #
730 # Example 2 (enforcement gets replaced):
731 # `organizations/foo` has a `Policy` with:
732 # {enforced: false}
733 # `projects/bar` has a `Policy` with:
734 # {enforced: true}
735 # The constraint at `organizations/foo` is not enforced.
736 # The constraint at `projects/bar` is enforced.
737 #
738 # Example 3 (RestoreDefault):
739 # `organizations/foo` has a `Policy` with:
740 # {enforced: true}
741 # `projects/bar` has a `Policy` with:
742 # {RestoreDefault: {}}
743 # The constraint at `organizations/foo` is enforced.
744 # The constraint at `projects/bar` is not enforced, because
745 # `constraint_default` for the `Constraint` is `ALLOW`.
746 },
747 &quot;listPolicy&quot;: { # List of values either allowed or disallowed.
748 # Used in `policy_type` to specify how `list_policy` behaves at this resource.
749 #
750 # `ListPolicy` can define specific values and subtrees of Cloud Resource
751 # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
752 # are allowed or denied by setting the `allowed_values` and `denied_values`
753 # fields. This is achieved by using the `under:` and optional `is:` prefixes.
754 # The `under:` prefix is used to denote resource subtree values.
755 # The `is:` prefix is used to denote specific values, and is required only
756 # if the value contains a &quot;:&quot;. Values prefixed with &quot;is:&quot; are treated the
757 # same as values with no prefix.
758 # Ancestry subtrees must be in one of the following formats:
759 # - &quot;projects/&lt;project-id&gt;&quot;, e.g. &quot;projects/tokyo-rain-123&quot;
760 # - &quot;folders/&lt;folder-id&gt;&quot;, e.g. &quot;folders/1234&quot;
761 # - &quot;organizations/&lt;organization-id&gt;&quot;, e.g. &quot;organizations/1234&quot;
762 # The `supports_under` field of the associated `Constraint` defines whether
763 # ancestry prefixes can be used. You can set `allowed_values` and
764 # `denied_values` in the same `Policy` if `all_values` is
765 # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
766 # values. If `all_values` is set to either `ALLOW` or `DENY`,
767 # `allowed_values` and `denied_values` must be unset.
768 &quot;allowedValues&quot;: [ # List of values allowed at this resource. Can only be set if `all_values`
769 # is set to `ALL_VALUES_UNSPECIFIED`.
770 &quot;A String&quot;,
771 ],
772 &quot;inheritFromParent&quot;: True or False, # Determines the inheritance behavior for this `Policy`.
773 #
774 # By default, a `ListPolicy` set at a resource supersedes any `Policy` set
775 # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
776 # set to `true`, then the values from the effective `Policy` of the parent
777 # resource are inherited, meaning the values set in this `Policy` are
778 # added to the values inherited up the hierarchy.
779 #
780 # Setting `Policy` hierarchies that inherit both allowed values and denied
781 # values isn&#x27;t recommended in most circumstances to keep the configuration
782 # simple and understandable. However, it is possible to set a `Policy` with
783 # `allowed_values` set that inherits a `Policy` with `denied_values` set.
784 # In this case, the values that are allowed must be in `allowed_values` and
785 # not present in `denied_values`.
786 #
787 # For example, suppose you have a `Constraint`
788 # `constraints/serviceuser.services`, which has a `constraint_type` of
789 # `list_constraint`, and with `constraint_default` set to `ALLOW`.
790 # Suppose that at the Organization level, a `Policy` is applied that
791 # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
792 # `Policy` is applied to a project below the Organization that has
793 # `inherit_from_parent` set to `false` and field all_values set to DENY,
794 # then an attempt to activate any API will be denied.
795 #
796 # The following examples demonstrate different possible layerings for
797 # `projects/bar` parented by `organizations/foo`:
798 #
799 # Example 1 (no inherited values):
800 # `organizations/foo` has a `Policy` with values:
801 # {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;}
802 # `projects/bar` has `inherit_from_parent` `false` and values:
803 # {allowed_values: &quot;E3&quot; allowed_values: &quot;E4&quot;}
804 # The accepted values at `organizations/foo` are `E1`, `E2`.
805 # The accepted values at `projects/bar` are `E3`, and `E4`.
806 #
807 # Example 2 (inherited values):
808 # `organizations/foo` has a `Policy` with values:
809 # {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;}
810 # `projects/bar` has a `Policy` with values:
811 # {value: &quot;E3&quot; value: &quot;E4&quot; inherit_from_parent: true}
812 # The accepted values at `organizations/foo` are `E1`, `E2`.
813 # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
814 #
815 # Example 3 (inheriting both allowed and denied values):
816 # `organizations/foo` has a `Policy` with values:
817 # {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;}
818 # `projects/bar` has a `Policy` with:
819 # {denied_values: &quot;E1&quot;}
820 # The accepted values at `organizations/foo` are `E1`, `E2`.
821 # The value accepted at `projects/bar` is `E2`.
822 #
823 # Example 4 (RestoreDefault):
824 # `organizations/foo` has a `Policy` with values:
825 # {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;}
826 # `projects/bar` has a `Policy` with values:
827 # {RestoreDefault: {}}
828 # The accepted values at `organizations/foo` are `E1`, `E2`.
829 # The accepted values at `projects/bar` are either all or none depending on
830 # the value of `constraint_default` (if `ALLOW`, all; if
831 # `DENY`, none).
832 #
833 # Example 5 (no policy inherits parent policy):
834 # `organizations/foo` has no `Policy` set.
835 # `projects/bar` has no `Policy` set.
836 # The accepted values at both levels are either all or none depending on
837 # the value of `constraint_default` (if `ALLOW`, all; if
838 # `DENY`, none).
839 #
840 # Example 6 (ListConstraint allowing all):
841 # `organizations/foo` has a `Policy` with values:
842 # {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;}
843 # `projects/bar` has a `Policy` with:
844 # {all: ALLOW}
845 # The accepted values at `organizations/foo` are `E1`, `E2`.
846 # Any value is accepted at `projects/bar`.
847 #
848 # Example 7 (ListConstraint allowing none):
849 # `organizations/foo` has a `Policy` with values:
850 # {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;}
851 # `projects/bar` has a `Policy` with:
852 # {all: DENY}
853 # The accepted values at `organizations/foo` are `E1`, `E2`.
854 # No value is accepted at `projects/bar`.
855 #
856 # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
857 # Given the following resource hierarchy
858 # O1-&gt;{F1, F2}; F1-&gt;{P1}; F2-&gt;{P2, P3},
859 # `organizations/foo` has a `Policy` with values:
860 # {allowed_values: &quot;under:organizations/O1&quot;}
861 # `projects/bar` has a `Policy` with:
862 # {allowed_values: &quot;under:projects/P3&quot;}
863 # {denied_values: &quot;under:folders/F2&quot;}
864 # The accepted values at `organizations/foo` are `organizations/O1`,
865 # `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
866 # `projects/P3`.
867 # The accepted values at `projects/bar` are `organizations/O1`,
868 # `folders/F1`, `projects/P1`.
869 &quot;suggestedValue&quot;: &quot;A String&quot;, # Optional. The Google Cloud Console will try to default to a configuration
870 # that matches the value specified in this `Policy`. If `suggested_value`
871 # is not set, it will inherit the value specified higher in the hierarchy,
872 # unless `inherit_from_parent` is `false`.
873 &quot;deniedValues&quot;: [ # List of values denied at this resource. Can only be set if `all_values`
874 # is set to `ALL_VALUES_UNSPECIFIED`.
875 &quot;A String&quot;,
876 ],
877 &quot;allValues&quot;: &quot;A String&quot;, # The policy all_values state.
878 },
879 },
880 ],
881 &quot;name&quot;: &quot;A String&quot;, # The full name of the asset. Example:
882 # `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`
883 #
884 # See [Resource
885 # names](https://cloud.google.com/apis/design/resource_names#full_resource_name)
886 # for more information.
887 &quot;updateTime&quot;: &quot;A String&quot;, # The last update timestamp of an asset. update_time is updated when
888 # create/update/delete operation is performed.
889 &quot;servicePerimeter&quot;: { # Please also refer to the [service perimeter user guide](https://cloud.google.com/vpc-service-controls/docs/overview).
890 # `ServicePerimeter` describes a set of Google Cloud resources which can freely
891 # import and export data amongst themselves, but not export outside of the
892 # `ServicePerimeter`. If a request with a source within this `ServicePerimeter`
893 # has a target outside of the `ServicePerimeter`, the request will be blocked.
894 # Otherwise the request is allowed. There are two types of Service Perimeter -
895 # Regular and Bridge. Regular Service Perimeters cannot overlap, a single
896 # Google Cloud project can only belong to a single regular Service Perimeter.
897 # Service Perimeter Bridges can contain only Google Cloud projects as members,
898 # a single Google Cloud project may belong to multiple Service Perimeter
899 # Bridges.
900 &quot;title&quot;: &quot;A String&quot;, # Human readable title. Must be unique within the Policy.
901 &quot;perimeterType&quot;: &quot;A String&quot;, # Perimeter type indicator. A single project is
902 # allowed to be a member of a single regular perimeter, but multiple service
903 # perimeter bridges. A project cannot be included in a perimeter bridge
904 # without being included in a regular perimeter. For perimeter bridges,
905 # the restricted service list as well as access level lists must be
906 # empty.
907 &quot;status&quot;: { # Current ServicePerimeter configuration. Specifies sets of resources,
908 # restricted services and access levels that determine perimeter
909 # content and boundaries.
910 # `ServicePerimeterConfig` specifies a set of Google Cloud resources that describe specific Service Perimeter configuration.
911 &quot;resources&quot;: [ # A list of Google Cloud resources that are inside of the service perimeter.
912 # Currently only projects are allowed. Format: `projects/{project_number}`
913 &quot;A String&quot;,
914 ],
915 &quot;restrictedServices&quot;: [ # Google Cloud services that are subject to the Service Perimeter
916 # restrictions. For example, if `storage.googleapis.com` is specified, access
917 # to the storage buckets inside the perimeter must meet the perimeter&#x27;s
918 # access restrictions.
919 &quot;A String&quot;,
920 ],
921 &quot;accessLevels&quot;: [ # A list of `AccessLevel` resource names that allow resources within the
922 # `ServicePerimeter` to be accessed from the internet. `AccessLevels` listed
923 # must be in the same policy as this `ServicePerimeter`. Referencing a
924 # nonexistent `AccessLevel` is a syntax error. If no `AccessLevel` names are
925 # listed, resources within the perimeter can only be accessed via Google
926 # Cloud calls with request origins within the perimeter. Example:
927 # `&quot;accessPolicies/MY_POLICY/accessLevels/MY_LEVEL&quot;`.
928 # For Service Perimeter Bridge, must be empty.
929 &quot;A String&quot;,
930 ],
931 &quot;vpcAccessibleServices&quot;: { # Configuration for APIs allowed within Perimeter.
932 # Specifies how APIs are allowed to communicate within the Service Perimeter.
933 &quot;allowedServices&quot;: [ # The list of APIs usable within the Service Perimeter. Must be empty
934 # unless &#x27;enable_restriction&#x27; is True.
935 &quot;A String&quot;,
936 ],
937 &quot;enableRestriction&quot;: True or False, # Whether to restrict API calls within the Service Perimeter to the list of
938 # APIs specified in &#x27;allowed_services&#x27;.
939 },
940 },
941 &quot;name&quot;: &quot;A String&quot;, # Required. Resource name for the ServicePerimeter. The `short_name`
942 # component must begin with a letter and only include alphanumeric and &#x27;_&#x27;.
943 # Format: `accessPolicies/{policy_id}/servicePerimeters/{short_name}`
944 &quot;useExplicitDryRunSpec&quot;: True or False, # Use explicit dry run spec flag. Ordinarily, a dry-run spec implicitly
945 # exists for all Service Perimeters, and that spec is identical to the
946 # status for those Service Perimeters. When this flag is set, it inhibits the
947 # generation of the implicit spec, thereby allowing the user to explicitly
948 # provide a configuration (&quot;spec&quot;) to use in a dry-run version of the Service
949 # Perimeter. This allows the user to test changes to the enforced config
950 # (&quot;status&quot;) without actually enforcing them. This testing is done through
951 # analyzing the differences between currently enforced and suggested
952 # restrictions. use_explicit_dry_run_spec must be set to True if any of the
953 # fields in the spec are set to non-default values.
954 &quot;spec&quot;: { # Proposed (or dry run) ServicePerimeter configuration. This configuration
955 # allows specifying and testing a ServicePerimeter configuration without enforcing
956 # actual access restrictions. Only allowed to be set when the
957 # &quot;use_explicit_dry_run_spec&quot; flag is set.
958 # `ServicePerimeterConfig` specifies a set of Google Cloud resources that describe specific Service Perimeter configuration.
959 &quot;resources&quot;: [ # A list of Google Cloud resources that are inside of the service perimeter.
960 # Currently only projects are allowed. Format: `projects/{project_number}`
961 &quot;A String&quot;,
962 ],
963 &quot;restrictedServices&quot;: [ # Google Cloud services that are subject to the Service Perimeter
964 # restrictions. For example, if `storage.googleapis.com` is specified, access
965 # to the storage buckets inside the perimeter must meet the perimeter&#x27;s
966 # access restrictions.
967 &quot;A String&quot;,
968 ],
969 &quot;accessLevels&quot;: [ # A list of `AccessLevel` resource names that allow resources within the
970 # `ServicePerimeter` to be accessed from the internet. `AccessLevels` listed
971 # must be in the same policy as this `ServicePerimeter`. Referencing a
972 # nonexistent `AccessLevel` is a syntax error. If no `AccessLevel` names are
973 # listed, resources within the perimeter can only be accessed via Google
974 # Cloud calls with request origins within the perimeter. Example:
975 # `&quot;accessPolicies/MY_POLICY/accessLevels/MY_LEVEL&quot;`.
976 # For Service Perimeter Bridge, must be empty.
977 &quot;A String&quot;,
978 ],
979 &quot;vpcAccessibleServices&quot;: { # Configuration for APIs allowed within Perimeter.
980 # Specifies how APIs are allowed to communicate within the Service Perimeter.
981 &quot;allowedServices&quot;: [ # The list of APIs usable within the Service Perimeter. Must be empty
982 # unless &#x27;enable_restriction&#x27; is True.
983 &quot;A String&quot;,
984 ],
985 &quot;enableRestriction&quot;: True or False, # Whether to restrict API calls within the Service Perimeter to the list of
986 # APIs specified in &#x27;allowed_services&#x27;.
987 },
988 },
989 &quot;description&quot;: &quot;A String&quot;, # Description of the `ServicePerimeter` and its use. Does not affect
990 # behavior.
991 },
992 },
993 &quot;asset&quot;: { # An asset in Google Cloud. An asset can be any resource in the Google Cloud # An asset in Google Cloud.
994 # [resource
995 # hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy),
996 # a resource outside the Google Cloud resource hierarchy (such as Google
997 # Kubernetes Engine clusters and objects), or a policy (e.g. Cloud IAM policy).
998 # See [Supported asset
999 # types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
1000 # for more information.
1001 &quot;iamPolicy&quot;: { # A representation of the Cloud IAM policy set on a Google Cloud resource.
1002 # There can be a maximum of one Cloud IAM policy set on any given resource.
1003 # In addition, Cloud IAM policies inherit their granted access scope from any
1004 # policies set on parent resources in the resource hierarchy. Therefore, the
1005 # effective policy is the union of both the policy set on this resource
1006 # and each policy set on all of the resource&#x27;s ancestry resource levels in
1007 # the hierarchy. See
1008 # [this topic](https://cloud.google.com/iam/docs/policies#inheritance) for
1009 # more information.
1010 # An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources.
1011 #
1012 #
1013 # A `Policy` is a collection of `bindings`. A `binding` binds one or more
1014 # `members` to a single `role`. Members can be user accounts, service accounts,
1015 # Google groups, and domains (such as G Suite). A `role` is a named list of
1016 # permissions; each `role` can be an IAM predefined role or a user-created
1017 # custom role.
1018 #
1019 # For some types of Google Cloud resources, a `binding` can also specify a
1020 # `condition`, which is a logical expression that allows access to a resource
1021 # only if the expression evaluates to `true`. A condition can add constraints
1022 # based on attributes of the request, the resource, or both. To learn which
1023 # resources support conditions in their IAM policies, see the
1024 # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
1025 #
1026 # **JSON example:**
1027 #
1028 # {
1029 # &quot;bindings&quot;: [
1030 # {
1031 # &quot;role&quot;: &quot;roles/resourcemanager.organizationAdmin&quot;,
1032 # &quot;members&quot;: [
1033 # &quot;user:mike@example.com&quot;,
1034 # &quot;group:admins@example.com&quot;,
1035 # &quot;domain:google.com&quot;,
1036 # &quot;serviceAccount:my-project-id@appspot.gserviceaccount.com&quot;
1037 # ]
1038 # },
1039 # {
1040 # &quot;role&quot;: &quot;roles/resourcemanager.organizationViewer&quot;,
1041 # &quot;members&quot;: [
1042 # &quot;user:eve@example.com&quot;
1043 # ],
1044 # &quot;condition&quot;: {
1045 # &quot;title&quot;: &quot;expirable access&quot;,
1046 # &quot;description&quot;: &quot;Does not grant access after Sep 2020&quot;,
1047 # &quot;expression&quot;: &quot;request.time &lt; timestamp(&#x27;2020-10-01T00:00:00.000Z&#x27;)&quot;
1048 # }
1049 # }
1050 # ],
1051 # &quot;etag&quot;: &quot;BwWWja0YfJA=&quot;,
1052 # &quot;version&quot;: 3
1053 # }
1054 #
1055 # **YAML example:**
1056 #
1057 # bindings:
1058 # - members:
1059 # - user:mike@example.com
1060 # - group:admins@example.com
1061 # - domain:google.com
1062 # - serviceAccount:my-project-id@appspot.gserviceaccount.com
1063 # role: roles/resourcemanager.organizationAdmin
1064 # - members:
1065 # - user:eve@example.com
1066 # role: roles/resourcemanager.organizationViewer
1067 # condition:
1068 # title: expirable access
1069 # description: Does not grant access after Sep 2020
1070 # expression: request.time &lt; timestamp(&#x27;2020-10-01T00:00:00.000Z&#x27;)
1071 # etag: BwWWja0YfJA=
1072 # version: 3
1073 #
1074 # For a description of IAM and its features, see the
1075 # [IAM documentation](https://cloud.google.com/iam/docs/).
1076 &quot;version&quot;: 42, # Specifies the format of the policy.
1077 #
1078 # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
1079 # are rejected.
1080 #
1081 # Any operation that affects conditional role bindings must specify version
1082 # `3`. This requirement applies to the following operations:
1083 #
1084 # * Getting a policy that includes a conditional role binding
1085 # * Adding a conditional role binding to a policy
1086 # * Changing a conditional role binding in a policy
1087 # * Removing any role binding, with or without a condition, from a policy
1088 # that includes conditions
1089 #
1090 # **Important:** If you use IAM Conditions, you must include the `etag` field
1091 # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
1092 # you to overwrite a version `3` policy with a version `1` policy, and all of
1093 # the conditions in the version `3` policy are lost.
1094 #
1095 # If a policy does not include any conditions, operations on that policy may
1096 # specify any valid version or leave the field unset.
1097 #
1098 # To learn which resources support conditions in their IAM policies, see the
1099 # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
1100 &quot;auditConfigs&quot;: [ # Specifies cloud audit logging configuration for this policy.
1101 { # Specifies the audit configuration for a service.
1102 # The configuration determines which permission types are logged, and what
1103 # identities, if any, are exempted from logging.
1104 # An AuditConfig must have one or more AuditLogConfigs.
1105 #
1106 # If there are AuditConfigs for both `allServices` and a specific service,
1107 # the union of the two AuditConfigs is used for that service: the log_types
1108 # specified in each AuditConfig are enabled, and the exempted_members in each
1109 # AuditLogConfig are exempted.
1110 #
1111 # Example Policy with multiple AuditConfigs:
1112 #
1113 # {
1114 # &quot;audit_configs&quot;: [
1115 # {
1116 # &quot;service&quot;: &quot;allServices&quot;,
1117 # &quot;audit_log_configs&quot;: [
1118 # {
1119 # &quot;log_type&quot;: &quot;DATA_READ&quot;,
1120 # &quot;exempted_members&quot;: [
1121 # &quot;user:jose@example.com&quot;
1122 # ]
1123 # },
1124 # {
1125 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;
1126 # },
1127 # {
1128 # &quot;log_type&quot;: &quot;ADMIN_READ&quot;
1129 # }
1130 # ]
1131 # },
1132 # {
Bu Sun Kimd059ad82020-07-22 17:02:09 -07001133 # &quot;service&quot;: &quot;sampleservice.googleapis.com&quot;,
Bu Sun Kim65020912020-05-20 12:08:20 -07001134 # &quot;audit_log_configs&quot;: [
1135 # {
Bu Sun Kimd059ad82020-07-22 17:02:09 -07001136 # &quot;log_type&quot;: &quot;DATA_READ&quot;
Bu Sun Kim65020912020-05-20 12:08:20 -07001137 # },
1138 # {
1139 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;,
1140 # &quot;exempted_members&quot;: [
1141 # &quot;user:aliya@example.com&quot;
1142 # ]
1143 # }
1144 # ]
1145 # }
1146 # ]
1147 # }
1148 #
1149 # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
1150 # logging. It also exempts jose@example.com from DATA_READ logging, and
1151 # aliya@example.com from DATA_WRITE logging.
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -07001152 &quot;service&quot;: &quot;A String&quot;, # Specifies a service that will be enabled for audit logging.
1153 # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
1154 # `allServices` is a special value that covers all services.
Bu Sun Kim65020912020-05-20 12:08:20 -07001155 &quot;auditLogConfigs&quot;: [ # The configuration for logging of each type of permission.
1156 { # Provides the configuration for logging a type of permissions.
1157 # Example:
1158 #
1159 # {
1160 # &quot;audit_log_configs&quot;: [
1161 # {
1162 # &quot;log_type&quot;: &quot;DATA_READ&quot;,
1163 # &quot;exempted_members&quot;: [
1164 # &quot;user:jose@example.com&quot;
1165 # ]
1166 # },
1167 # {
Bu Sun Kimd059ad82020-07-22 17:02:09 -07001168 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;
Bu Sun Kim65020912020-05-20 12:08:20 -07001169 # }
1170 # ]
1171 # }
1172 #
1173 # This enables &#x27;DATA_READ&#x27; and &#x27;DATA_WRITE&#x27; logging, while exempting
1174 # jose@example.com from DATA_READ logging.
1175 &quot;logType&quot;: &quot;A String&quot;, # The log type that this config enables.
1176 &quot;exemptedMembers&quot;: [ # Specifies the identities that do not cause logging for this type of
1177 # permission.
1178 # Follows the same format of Binding.members.
1179 &quot;A String&quot;,
1180 ],
1181 },
1182 ],
Bu Sun Kim4ed7d3f2020-05-27 12:20:54 -07001183 },
1184 ],
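The union rule described for `auditConfigs` above can be applied mechanically when reviewing a policy for audit-logging gaps. The Python below is an added example, not part of the generated API documentation or of the client library; the function names and the default `required` set of log types are assumptions, and the sample policy is constructed from the documented example using this schema's camelCase field names.

```python
from collections import defaultdict

# Constructed sample: the documented example policy, written with the
# camelCase keys used by this schema (auditConfigs, auditLogConfigs, ...).
SAMPLE_POLICY = {
    "auditConfigs": [
        {
            "service": "allServices",
            "auditLogConfigs": [
                {"logType": "DATA_READ",
                 "exemptedMembers": ["user:jose@example.com"]},
                {"logType": "DATA_WRITE"},
                {"logType": "ADMIN_READ"},
            ],
        },
        {
            "service": "sampleservice.googleapis.com",
            "auditLogConfigs": [
                {"logType": "DATA_READ"},
                {"logType": "DATA_WRITE",
                 "exemptedMembers": ["user:aliya@example.com"]},
            ],
        },
    ]
}


def effective_audit_config(policy, service):
    """Return {log_type: sorted exempted members} in effect for `service`.

    An AuditConfig contributes when its `service` is either the requested
    service or the special value `allServices`. Log types and exempted
    members from every contributing AuditConfig are unioned.
    """
    merged = defaultdict(set)
    for config in policy.get("auditConfigs", []):
        if config.get("service") not in (service, "allServices"):
            continue
        for log_config in config.get("auditLogConfigs", []):
            log_type = log_config.get("logType")
            if not log_type:
                continue  # malformed entry: nothing to enable
            merged[log_type].update(log_config.get("exemptedMembers", []))
    return {log_type: sorted(members) for log_type, members in merged.items()}


def logging_gaps(policy, service,
                 required=("ADMIN_READ", "DATA_READ", "DATA_WRITE")):
    """List (log_type, finding, member) tuples a reviewer should look at.

    `required` is an assumption of this example: the three log types that
    appear in the documented policy. A finding is either a required log type
    that is not enabled, or an identity exempted from an enabled log type.
    """
    effective = effective_audit_config(policy, service)
    findings = []
    for log_type in required:
        if log_type not in effective:
            findings.append((log_type, "not enabled", None))
            continue
        for member in effective[log_type]:
            findings.append((log_type, "exempted", member))
    return findings


if __name__ == "__main__":
    for finding in logging_gaps(SAMPLE_POLICY, "sampleservice.googleapis.com"):
        print(finding)
```

Because exemptions are unioned, an exemption granted under `allServices` silently applies to every service, which is why the check reports `jose@example.com` for `sampleservice.googleapis.com` even though that service's own AuditConfig does not name him.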
&quot;bindings&quot;: [ # Associates a list of `members` to a `role`. Optionally, may specify a
# `condition` that determines how and when the `bindings` are applied. Each
# of the `bindings` must contain at least one member.
{ # Associates `members` with a `role`.
&quot;role&quot;: &quot;A String&quot;, # Role that is assigned to `members`.
# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
&quot;members&quot;: [ # Specifies the identities requesting access for a Cloud Platform resource.
# `members` can have the following values:
#
# * `allUsers`: A special identifier that represents anyone who is
# on the internet; with or without a Google account.
#
# * `allAuthenticatedUsers`: A special identifier that represents anyone
# who is authenticated with a Google account or a service account.
#
# * `user:{emailid}`: An email address that represents a specific Google
# account. For example, `alice@example.com`.
#
#
# * `serviceAccount:{emailid}`: An email address that represents a service
# account. For example, `my-other-app@appspot.gserviceaccount.com`.
#
# * `group:{emailid}`: An email address that represents a Google group.
# For example, `admins@example.com`.
#
# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
# identifier) representing a user that has been recently deleted. For
# example, `alice@example.com?uid=123456789012345678901`. If the user is
# recovered, this value reverts to `user:{emailid}` and the recovered user
# retains the role in the binding.
#
# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
# unique identifier) representing a service account that has been recently
# deleted. For example,
# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
# If the service account is undeleted, this value reverts to
# `serviceAccount:{emailid}` and the undeleted service account retains the
# role in the binding.
#
# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
# identifier) representing a Google group that has been recently
# deleted. For example, `admins@example.com?uid=123456789012345678901`. If
# the group is recovered, this value reverts to `group:{emailid}` and the
# recovered group retains the role in the binding.
#
#
# * `domain:{domain}`: The G Suite domain (primary) that represents all the
# users of that domain. For example, `google.com` or `example.com`.
#
&quot;A String&quot;,
],
&quot;condition&quot;: { # The condition that is associated with this binding.
#
# If the condition evaluates to `true`, then this binding applies to the
# current request.
#
# If the condition evaluates to `false`, then this binding does not apply to
# the current request. However, a different role binding might grant the same
# role to one or more of the members in this binding.
#
# To learn which resources support conditions in their IAM policies, see the
# [IAM
# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
#
# Represents a textual expression in the Common Expression Language (CEL)
# syntax. CEL is a C-like expression language. The syntax and semantics of CEL
# are documented at https://github.com/google/cel-spec.
#
# Example (Comparison):
#
# title: &quot;Summary size limit&quot;
# description: &quot;Determines if a summary is less than 100 chars&quot;
# expression: &quot;document.summary.size() &lt; 100&quot;
#
# Example (Equality):
#
# title: &quot;Requestor is owner&quot;
# description: &quot;Determines if requestor is the document owner&quot;
# expression: &quot;document.owner == request.auth.claims.email&quot;
#
# Example (Logic):
#
# title: &quot;Public documents&quot;
# description: &quot;Determine whether the document should be publicly visible&quot;
# expression: &quot;document.type != &#x27;private&#x27; &amp;&amp; document.type != &#x27;internal&#x27;&quot;
#
# Example (Data Manipulation):
#
# title: &quot;Notification string&quot;
# description: &quot;Create a notification string with a timestamp.&quot;
# expression: &quot;&#x27;New message received at &#x27; + string(document.create_time)&quot;
#
# The exact variables and functions that may be referenced within an expression
# are determined by the service that evaluates it. See the service
# documentation for additional information.
&quot;description&quot;: &quot;A String&quot;, # Optional. Description of the expression. This is a longer text which
# describes the expression, e.g. when hovered over it in a UI.
&quot;location&quot;: &quot;A String&quot;, # Optional. String indicating the location of the expression for error
# reporting, e.g. a file name and a position in the file.
&quot;expression&quot;: &quot;A String&quot;, # Textual representation of an expression in Common Expression Language
# syntax.
&quot;title&quot;: &quot;A String&quot;, # Optional. Title for the expression, i.e. a short string describing
# its purpose. This can be used e.g. in UIs which allow entering the
# expression.
},
},
],
&quot;etag&quot;: &quot;A String&quot;, # `etag` is used for optimistic concurrency control as a way to help
# prevent simultaneous updates of a policy from overwriting each other.
# It is strongly suggested that systems make use of the `etag` in the
# read-modify-write cycle to perform policy updates in order to avoid race
# conditions: An `etag` is returned in the response to `getIamPolicy`, and
# systems are expected to put that etag in the request to `setIamPolicy` to
# ensure that their change will be applied to the same version of the policy.
#
# **Important:** If you use IAM Conditions, you must include the `etag` field
# whenever you call `setIamPolicy`. If you omit this field, then IAM allows
# you to overwrite a version `3` policy with a version `1` policy, and all of
# the conditions in the version `3` policy are lost.
},
&quot;assetType&quot;: &quot;A String&quot;, # The type of the asset. Example: `compute.googleapis.com/Disk`
#
# See [Supported asset
# types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
# for more information.
&quot;ancestors&quot;: [ # The ancestry path of an asset in Google Cloud [resource
# hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy),
# represented as a list of relative resource names. An ancestry path starts
# with the closest ancestor in the hierarchy and ends at root. If the asset
# is a project, folder, or organization, the ancestry path starts from the
# asset itself.
#
# Example: `[&quot;projects/123456789&quot;, &quot;folders/5432&quot;, &quot;organizations/1234&quot;]`
&quot;A String&quot;,
],
&quot;resource&quot;: { # A representation of a Google Cloud resource. # A representation of the resource.
&quot;resourceUrl&quot;: &quot;A String&quot;, # The REST URL for accessing the resource. An HTTP `GET` request using this
# URL returns the resource itself. Example:
# `https://cloudresourcemanager.googleapis.com/v1/projects/my-project-123`
#
# This value is unspecified for resources without a REST API.
&quot;discoveryName&quot;: &quot;A String&quot;, # The JSON schema name listed in the discovery document. Example:
# `Project`
#
# This value is unspecified for resources that do not have an API based on a
# discovery document, such as Cloud Bigtable.
&quot;discoveryDocumentUri&quot;: &quot;A String&quot;, # The URL of the discovery document containing the resource&#x27;s JSON schema.
# Example:
# `https://www.googleapis.com/discovery/v1/apis/compute/v1/rest`
#
# This value is unspecified for resources that do not have an API based on a
# discovery document, such as Cloud Bigtable.
&quot;data&quot;: { # The content of the resource, in which some sensitive fields are removed
# and may not be present.
&quot;a_key&quot;: &quot;&quot;, # Properties of the object.
},
&quot;version&quot;: &quot;A String&quot;, # The API version. Example: `v1`
&quot;parent&quot;: &quot;A String&quot;, # The full name of the immediate parent of this resource. See
# [Resource
# Names](https://cloud.google.com/apis/design/resource_names#full_resource_name)
# for more information.
#
# For Google Cloud assets, this value is the parent resource defined in the
# [Cloud IAM policy
# hierarchy](https://cloud.google.com/iam/docs/overview#policy_hierarchy).
# Example:
# `//cloudresourcemanager.googleapis.com/projects/my_project_123`
#
# For third-party assets, this field may be set differently.
&quot;location&quot;: &quot;A String&quot;, # The location of the resource in Google Cloud, such as its zone and region.
# For more information, see https://cloud.google.com/about/locations/.
},
&quot;accessPolicy&quot;: { # Please also refer to the [access policy user
# guide](https://cloud.google.com/access-context-manager/docs/overview#access-policies).
#
# `AccessPolicy` is a container for `AccessLevels` (which define the necessary
# attributes to use Google Cloud services) and `ServicePerimeters` (which
# define regions of services able to freely pass data within a perimeter). An
# access policy is globally visible within an organization, and the
# restrictions it specifies apply to all projects within an organization.
&quot;parent&quot;: &quot;A String&quot;, # Required. The parent of this `AccessPolicy` in the Cloud Resource
# Hierarchy. Currently immutable once created. Format:
# `organizations/{organization_id}`
&quot;title&quot;: &quot;A String&quot;, # Required. Human readable title. Does not affect behavior.
&quot;name&quot;: &quot;A String&quot;, # Output only. Resource name of the `AccessPolicy`. Format:
# `accessPolicies/{policy_id}`
&quot;etag&quot;: &quot;A String&quot;, # Output only. An opaque identifier for the current version of the
# `AccessPolicy`. This will always be a strongly validated etag, meaning that
# two Access Policies will be identical if and only if their etags are
# identical. Clients should not expect this to be in any specific format.
},
&quot;accessLevel&quot;: { # Please also refer to the [access level user
# guide](https://cloud.google.com/access-context-manager/docs/overview#access-levels).
#
# An `AccessLevel` is a label that can be applied to requests to Google Cloud
# services, along with a list of requirements necessary for the label to be
# applied.
&quot;description&quot;: &quot;A String&quot;, # Description of the `AccessLevel` and its use. Does not affect behavior.
&quot;basic&quot;: { # `BasicLevel` is an `AccessLevel` using a set of recommended features. # A `BasicLevel` composed of `Conditions`.
&quot;combiningFunction&quot;: &quot;A String&quot;, # How the `conditions` list should be combined to determine if a request is
# granted this `AccessLevel`. If AND is used, each `Condition` in
# `conditions` must be satisfied for the `AccessLevel` to be applied. If OR
# is used, at least one `Condition` in `conditions` must be satisfied for the
# `AccessLevel` to be applied. Default behavior is AND.
&quot;conditions&quot;: [ # Required. A list of requirements for the `AccessLevel` to be granted.
{ # A condition necessary for an `AccessLevel` to be granted. The Condition is an
# AND over its fields. So a Condition is true if: 1) the request IP is from one
# of the listed subnetworks AND 2) the originating device complies with the
# listed device policy AND 3) all listed access levels are granted AND 4) the
# request was sent at a time allowed by the DateTimeRestriction.
&quot;requiredAccessLevels&quot;: [ # A list of other access levels defined in the same `Policy`, referenced by
# resource name. Referencing an `AccessLevel` which does not exist is an
# error. All access levels listed must be granted for the Condition
# to be true. Example:
# `&quot;accessPolicies/MY_POLICY/accessLevels/LEVEL_NAME&quot;`
&quot;A String&quot;,
],
&quot;devicePolicy&quot;: { # Device specific restrictions, all restrictions must hold for the
# Condition to be true. If not specified, all devices are allowed.
#
# `DevicePolicy` specifies device specific restrictions necessary to acquire a
# given access level. A `DevicePolicy` specifies requirements for requests from
# devices to be granted access levels, it does not do any enforcement on the
# device. `DevicePolicy` acts as an AND over all specified fields, and each
# repeated field is an OR over its elements. Any unset fields are ignored. For
# example, if the proto is { os_type : DESKTOP_WINDOWS, os_type :
# DESKTOP_LINUX, encryption_status: ENCRYPTED}, then the DevicePolicy will be
# true for requests originating from encrypted Linux desktops and encrypted
# Windows desktops.
&quot;requireScreenlock&quot;: True or False, # Whether or not screenlock is required for the DevicePolicy to be true.
# Defaults to `false`.
&quot;osConstraints&quot;: [ # Allowed OS versions, an empty list allows all types and all versions.
{ # A restriction on the OS type and version of devices making requests.
&quot;osType&quot;: &quot;A String&quot;, # Required. The allowed OS type.
&quot;minimumVersion&quot;: &quot;A String&quot;, # The minimum allowed OS version. If not set, any version of this OS
# satisfies the constraint. Format: `&quot;major.minor.patch&quot;`.
# Examples: `&quot;10.5.301&quot;`, `&quot;9.2.1&quot;`.
&quot;requireVerifiedChromeOs&quot;: True or False, # Only allows requests from devices with a verified Chrome OS.
# Verification includes requirements that the device is enterprise-managed,
# conformant to domain policies, and the caller has permission to call
# the API targeted by the request.
},
],
&quot;requireAdminApproval&quot;: True or False, # Whether the device needs to be approved by the customer admin.
&quot;allowedDeviceManagementLevels&quot;: [ # Allowed device management levels, an empty list allows all management
# levels.
&quot;A String&quot;,
],
&quot;requireCorpOwned&quot;: True or False, # Whether the device needs to be corp owned.
&quot;allowedEncryptionStatuses&quot;: [ # Allowed encryption statuses, an empty list allows all statuses.
&quot;A String&quot;,
],
},
&quot;members&quot;: [ # The request must be made by one of the provided user or service
# accounts. Groups are not supported.
# Syntax:
# `user:{emailid}`
# `serviceAccount:{emailid}`
# If not specified, a request may come from any user.
&quot;A String&quot;,
],
&quot;regions&quot;: [ # The request must originate from one of the provided countries/regions.
# Must be valid ISO 3166-1 alpha-2 codes.
&quot;A String&quot;,
],
&quot;ipSubnetworks&quot;: [ # CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for
# a CIDR IP address block, the specified IP address portion must be properly
# truncated (i.e. all the host bits must be zero) or the input is considered
# malformed. For example, &quot;192.0.2.0/24&quot; is accepted but &quot;192.0.2.1/24&quot; is
# not. Similarly, for IPv6, &quot;2001:db8::/32&quot; is accepted whereas
# &quot;2001:db8::1/32&quot; is not. The originating IP of a request must be in one of
# the listed subnets in order for this Condition to be true. If empty, all IP
# addresses are allowed.
&quot;A String&quot;,
],
&quot;negate&quot;: True or False, # Whether to negate the Condition. If true, the Condition becomes a NAND over
# its non-empty fields, each field must be false for the Condition overall to
# be satisfied. Defaults to false.
},
],
},
&quot;name&quot;: &quot;A String&quot;, # Required. Resource name for the Access Level. The `short_name` component
# must begin with a letter and only include alphanumeric and &#x27;_&#x27;. Format:
# `accessPolicies/{policy_id}/accessLevels/{short_name}`. The maximum length
# of the `short_name` component is 50 characters.
&quot;custom&quot;: { # A `CustomLevel` written in the Common Expression Language.
#
# `CustomLevel` is an `AccessLevel` using the Cloud Common Expression Language
# to represent the necessary conditions for the level to apply to a request.
# See CEL spec at: https://github.com/google/cel-spec
&quot;expr&quot;: { # Required. A Cloud CEL expression evaluating to a boolean.
#
# Represents a textual expression in the Common Expression Language (CEL)
# syntax. CEL is a C-like expression language. The syntax and semantics of CEL
# are documented at https://github.com/google/cel-spec.
#
# Example (Comparison):
#
# title: &quot;Summary size limit&quot;
# description: &quot;Determines if a summary is less than 100 chars&quot;
# expression: &quot;document.summary.size() &lt; 100&quot;
#
# Example (Equality):
#
# title: &quot;Requestor is owner&quot;
# description: &quot;Determines if requestor is the document owner&quot;
# expression: &quot;document.owner == request.auth.claims.email&quot;
#
# Example (Logic):
#
# title: &quot;Public documents&quot;
# description: &quot;Determine whether the document should be publicly visible&quot;
# expression: &quot;document.type != &#x27;private&#x27; &amp;&amp; document.type != &#x27;internal&#x27;&quot;
#
# Example (Data Manipulation):
#
# title: &quot;Notification string&quot;
# description: &quot;Create a notification string with a timestamp.&quot;
# expression: &quot;&#x27;New message received at &#x27; + string(document.create_time)&quot;
#
# The exact variables and functions that may be referenced within an expression
# are determined by the service that evaluates it. See the service
# documentation for additional information.
&quot;description&quot;: &quot;A String&quot;, # Optional. Description of the expression. This is a longer text which
# describes the expression, e.g. when hovered over it in a UI.
&quot;location&quot;: &quot;A String&quot;, # Optional. String indicating the location of the expression for error
# reporting, e.g. a file name and a position in the file.
&quot;expression&quot;: &quot;A String&quot;, # Textual representation of an expression in Common Expression Language
# syntax.
&quot;title&quot;: &quot;A String&quot;, # Optional. Title for the expression, i.e. a short string describing
# its purpose. This can be used e.g. in UIs which allow entering the
# expression.
},
},
&quot;title&quot;: &quot;A String&quot;, # Human readable title. Must be unique within the Policy.
},
&quot;orgPolicy&quot;: [ # A representation of an [organization
# policy](https://cloud.google.com/resource-manager/docs/organization-policy/overview#organization_policy).
# There can be more than one organization policy with different constraints
# set on a given resource.
{ # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
# for configurations of Cloud Platform resources.
&quot;etag&quot;: &quot;A String&quot;, # An opaque tag indicating the current version of the `Policy`, used for
# concurrency control.
#
# When the `Policy` is returned from either a `GetPolicy` or a
# `ListOrgPolicy` request, this `etag` indicates the version of the current
# `Policy` to use when executing a read-modify-write loop.
#
# When the `Policy` is returned from a `GetEffectivePolicy` request, the
# `etag` will be unset.
#
# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
# that was returned from a `GetOrgPolicy` request as part of a
# read-modify-write loop for concurrency control. Not setting the `etag` in a
# `SetOrgPolicy` request will result in an unconditional write of the
# `Policy`.
&quot;version&quot;: 42, # Version of the `Policy`. Default version is 0.
&quot;restoreDefault&quot;: { # Restores the default behavior of the constraint; independent of
# `Constraint` type.
#
# Ignores policies set above this resource and restores the
# `constraint_default` enforcement behavior of the specific `Constraint` at
# this resource.
#
# Suppose that `constraint_default` is set to `ALLOW` for the
# `Constraint` `constraints/serviceuser.services`. Suppose that organization
# foo.com sets a `Policy` at their Organization resource node that restricts
# the allowed service activations to deny all service activations. They
# could then set a `Policy` with the `policy_type` `restore_default` on
# several experimental projects, restoring the `constraint_default`
# enforcement of the `Constraint` for only those projects, allowing those
# projects to have all services activated.
},
&quot;updateTime&quot;: &quot;A String&quot;, # The time stamp the `Policy` was previously updated. This is set by the
# server, not specified by the caller, and represents the last time a call to
# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
# be ignored.
&quot;constraint&quot;: &quot;A String&quot;, # The name of the `Constraint` the `Policy` is configuring, for example,
# `constraints/serviceuser.services`.
#
# A [list of available
# constraints](/resource-manager/docs/organization-policy/org-policy-constraints)
# is available.
#
# Immutable after creation.
&quot;booleanPolicy&quot;: { # For boolean `Constraints`, whether to enforce the `Constraint` or not.
#
# Used in `policy_type` to specify how `boolean_policy` will behave at this
# resource.
&quot;enforced&quot;: True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
# configuration is acceptable.
#
# Suppose you have a `Constraint`
# `constraints/compute.disableSerialPortAccess` with `constraint_default`
# set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
# behavior:
# - If the `Policy` at this resource has enforced set to `false`, serial
# port connection attempts will be allowed.
# - If the `Policy` at this resource has enforced set to `true`, serial
# port connection attempts will be refused.
# - If the `Policy` at this resource is `RestoreDefault`, serial port
# connection attempts will be allowed.
# - If no `Policy` is set at this resource or anywhere higher in the
# resource hierarchy, serial port connection attempts will be allowed.
# - If no `Policy` is set at this resource, but one exists higher in the
# resource hierarchy, the behavior is as if the `Policy` were set at
# this resource.
#
# The following examples demonstrate the different possible layerings:
#
# Example 1 (nearest `Constraint` wins):
# `organizations/foo` has a `Policy` with:
# {enforced: false}
# `projects/bar` has no `Policy` set.
# The constraint at `projects/bar` and `organizations/foo` will not be
# enforced.
#
# Example 2 (enforcement gets replaced):
# `organizations/foo` has a `Policy` with:
# {enforced: false}
# `projects/bar` has a `Policy` with:
# {enforced: true}
# The constraint at `organizations/foo` is not enforced.
# The constraint at `projects/bar` is enforced.
#
# Example 3 (RestoreDefault):
# `organizations/foo` has a `Policy` with:
# {enforced: true}
# `projects/bar` has a `Policy` with:
# {RestoreDefault: {}}
# The constraint at `organizations/foo` is enforced.
# The constraint at `projects/bar` is not enforced, because
# `constraint_default` for the `Constraint` is `ALLOW`.
},
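The layering rules for boolean constraints listed above, worked through in Python as an added example that is not part of the generated documentation or of any Google client library. It walks an asset's `ancestors` list (closest first) and lets the nearest matching `Policy` decide; the function and type names, the `policies_by_resource` mapping, and the treatment of a `constraint_default` of `DENY` as "enforced" are assumptions, and the sample data is constructed from the three documented examples.

```python
from typing import NamedTuple, Optional

SERIAL_PORT = "constraints/compute.disableSerialPortAccess"
ANCESTORS_OF_BAR = ["projects/bar", "organizations/foo"]  # closest ancestor first


class Decision(NamedTuple):
    enforced: bool
    source: Optional[str]  # resource whose Policy decided; None if none was set
    reason: str            # "booleanPolicy", "restoreDefault" or "constraint_default"


def resolve_boolean_constraint(ancestors, policies_by_resource, constraint,
                               constraint_default="ALLOW"):
    """Resolve a boolean constraint for the first resource in `ancestors`.

    `policies_by_resource` maps a relative resource name to the list of
    `orgPolicy` entries set directly on that resource (hypothetical shape,
    built for example from exported assets).
    """
    # Assumption: a constraint_default of DENY behaves like enforced=true.
    # The documentation above only spells out the ALLOW case.
    default_enforced = constraint_default == "DENY"
    for resource in ancestors:
        for policy in policies_by_resource.get(resource, []):
            if policy.get("constraint") != constraint:
                continue
            if "restoreDefault" in policy:
                # Ignores everything set above this resource.
                return Decision(default_enforced, resource, "restoreDefault")
            if "booleanPolicy" in policy:
                enforced = bool(policy["booleanPolicy"].get("enforced", False))
                return Decision(enforced, resource, "booleanPolicy")
    return Decision(default_enforced, None, "constraint_default")


def overridden_enforcement(ancestors, policies_by_resource, constraint,
                           constraint_default="ALLOW"):
    """Return the ancestor Decision that a lower-level Policy switched off.

    Returns None unless the constraint is unenforced for the asset because of
    a Policy set at `source`, while the resources above `source` would have
    enforced it. These are the overrides worth reviewing.
    """
    here = resolve_boolean_constraint(ancestors, policies_by_resource,
                                      constraint, constraint_default)
    if here.enforced or here.source is None:
        return None
    above = ancestors[ancestors.index(here.source) + 1:]
    inherited = resolve_boolean_constraint(above, policies_by_resource,
                                           constraint, constraint_default)
    return inherited if inherited.enforced else None


# Constructed data for the three documented layerings.
EXAMPLE_1 = {"organizations/foo": [
    {"constraint": SERIAL_PORT, "booleanPolicy": {"enforced": False}}]}
EXAMPLE_2 = {
    "organizations/foo": [
        {"constraint": SERIAL_PORT, "booleanPolicy": {"enforced": False}}],
    "projects/bar": [
        {"constraint": SERIAL_PORT, "booleanPolicy": {"enforced": True}}],
}
EXAMPLE_3 = {
    "organizations/foo": [
        {"constraint": SERIAL_PORT, "booleanPolicy": {"enforced": True}}],
    "projects/bar": [{"constraint": SERIAL_PORT, "restoreDefault": {}}],
}

if __name__ == "__main__":
    for name, data in (("1", EXAMPLE_1), ("2", EXAMPLE_2), ("3", EXAMPLE_3)):
        print(name,
              resolve_boolean_constraint(ANCESTORS_OF_BAR, data, SERIAL_PORT),
              overridden_enforcement(ANCESTORS_OF_BAR, data, SERIAL_PORT))
```

Only Example 3 is reported by `overridden_enforcement`: the project's `RestoreDefault` removes serial-port protection that the organization enforces.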
&quot;listPolicy&quot;: { # List of values either allowed or disallowed.
#
# Used in `policy_type` to specify how `list_policy` behaves at this
# resource.
#
# `ListPolicy` can define specific values and subtrees of Cloud Resource
# Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
# are allowed or denied by setting the `allowed_values` and `denied_values`
# fields. This is achieved by using the `under:` and optional `is:` prefixes.
# The `under:` prefix is used to denote resource subtree values.
# The `is:` prefix is used to denote specific values, and is required only
# if the value contains a &quot;:&quot;. Values prefixed with &quot;is:&quot; are treated the
# same as values with no prefix.
# Ancestry subtrees must be in one of the following formats:
# - &quot;projects/&lt;project-id&gt;&quot;, e.g. &quot;projects/tokyo-rain-123&quot;
# - &quot;folders/&lt;folder-id&gt;&quot;, e.g. &quot;folders/1234&quot;
# - &quot;organizations/&lt;organization-id&gt;&quot;, e.g. &quot;organizations/1234&quot;
# The `supports_under` field of the associated `Constraint` defines whether
# ancestry prefixes can be used. You can set `allowed_values` and
# `denied_values` in the same `Policy` if `all_values` is
# `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
# values. If `all_values` is set to either `ALLOW` or `DENY`,
# `allowed_values` and `denied_values` must be unset.
&quot;allowedValues&quot;: [ # List of values allowed at this resource. Can only be set if `all_values`
# is set to `ALL_VALUES_UNSPECIFIED`.
&quot;A String&quot;,
],
&quot;inheritFromParent&quot;: True or False, # Determines the inheritance behavior for this `Policy`.
#
# By default, a `ListPolicy` set at a resource supersedes any `Policy` set
# anywhere up the resource hierarchy. However, if `inherit_from_parent` is
# set to `true`, then the values from the effective `Policy` of the parent
# resource are inherited, meaning the values set in this `Policy` are
# added to the values inherited up the hierarchy.
#
# Setting `Policy` hierarchies that inherit both allowed values and denied
# values isn&#x27;t recommended in most circumstances to keep the configuration
# simple and understandable. However, it is possible to set a `Policy` with
# `allowed_values` set that inherits a `Policy` with `denied_values` set.
# In this case, the values that are allowed must be in `allowed_values` and
# not present in `denied_values`.
#
# For example, suppose you have a `Constraint`
# `constraints/serviceuser.services`, which has a `constraint_type` of
# `list_constraint`, and with `constraint_default` set to `ALLOW`.
# Suppose that at the Organization level, a `Policy` is applied that
# restricts the allowed API activations to {`E1`, `E2`}. Then, if a
# `Policy` is applied to a project below the Organization that has
# `inherit_from_parent` set to `false` and field all_values set to DENY,
# then an attempt to activate any API will be denied.
#
# The following examples demonstrate different possible layerings for
# `projects/bar` parented by `organizations/foo`:
#
# Example 1 (no inherited values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;}
# `projects/bar` has `inherit_from_parent` `false` and values:
# {allowed_values: &quot;E3&quot; allowed_values: &quot;E4&quot;}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are `E3`, and `E4`.
#
# Example 2 (inherited values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;}
# `projects/bar` has a `Policy` with values:
# {value: &quot;E3&quot; value: &quot;E4&quot; inherit_from_parent: true}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
#
# Example 3 (inheriting both allowed and denied values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;}
# `projects/bar` has a `Policy` with:
# {denied_values: &quot;E1&quot;}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The value accepted at `projects/bar` is `E2`.
#
# Example 4 (RestoreDefault):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: &quot;E1&quot; allowed_values:&quot;E2&quot;}
1683 # `projects/bar` has a `Policy` with values:
1684 # {RestoreDefault: {}}
1685 # The accepted values at `organizations/foo` are `E1`, `E2`.
1686 # The accepted values at `projects/bar` are either all or none depending on
1687 # the value of `constraint_default` (if `ALLOW`, all; if
1688 # `DENY`, none).
1689 #
1690 # Example 5 (no policy inherits parent policy):
1691 # `organizations/foo` has no `Policy` set.
1692 # `projects/bar` has no `Policy` set.
1693 # The accepted values at both levels are either all or none depending on
1694 # the value of `constraint_default` (if `ALLOW`, all; if
1695 # `DENY`, none).
1696 #
1697 # Example 6 (ListConstraint allowing all):
1698 # `organizations/foo` has a `Policy` with values:
1699 # {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;}
1700 # `projects/bar` has a `Policy` with:
1701 # {all: ALLOW}
1702 # The accepted values at `organizations/foo` are `E1`, `E2`.
1703 # Any value is accepted at `projects/bar`.
1704 #
1705 # Example 7 (ListConstraint allowing none):
1706 # `organizations/foo` has a `Policy` with values:
1707 # {allowed_values: &quot;E1&quot; allowed_values: &quot;E2&quot;}
1708 # `projects/bar` has a `Policy` with:
1709 # {all: DENY}
1710 # The accepted values at `organizations/foo` are `E1`, `E2`.
1711 # No value is accepted at `projects/bar`.
1712 #
1713 # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
1714 # Given the following resource hierarchy
1715 # O1-&gt;{F1, F2}; F1-&gt;{P1}; F2-&gt;{P2, P3},
1716 # `organizations/foo` has a `Policy` with values:
1717 # {allowed_values: &quot;under:organizations/O1&quot;}
1718 # `projects/bar` has a `Policy` with:
1719 # {allowed_values: &quot;under:projects/P3&quot;}
1720 # {denied_values: &quot;under:folders/F2&quot;}
1721 # The accepted values at `organizations/foo` are `organizations/O1`,
1722 # `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
1723 # `projects/P3`.
1724 # The accepted values at `projects/bar` are `organizations/O1`,
1725 # `folders/F1`, `projects/P1`.
1726 &quot;suggestedValue&quot;: &quot;A String&quot;, # Optional. The Google Cloud Console will try to default to a configuration
1727 # that matches the value specified in this `Policy`. If `suggested_value`
1728 # is not set, it will inherit the value specified higher in the hierarchy,
1729 # unless `inherit_from_parent` is `false`.
1730 &quot;deniedValues&quot;: [ # List of values denied at this resource. Can only be set if `all_values`
1731 # is set to `ALL_VALUES_UNSPECIFIED`.
1732 &quot;A String&quot;,
1733 ],
1734 &quot;allValues&quot;: &quot;A String&quot;, # The policy all_values state.
1735 },
1736 },
1737 ],
1738 &quot;name&quot;: &quot;A String&quot;, # The full name of the asset. Example:
1739 # `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`
1740 #
1741 # See [Resource
1742 # names](https://cloud.google.com/apis/design/resource_names#full_resource_name)
1743 # for more information.
1744 &quot;updateTime&quot;: &quot;A String&quot;, # The last update timestamp of an asset. update_time is updated when
1745 # a create/update/delete operation is performed.
1746 &quot;servicePerimeter&quot;: { # `ServicePerimeter` describes a set of Google Cloud resources which can freely # Please also refer to the [service perimeter user
1747 # guide](https://cloud.google.com/vpc-service-controls/docs/overview).
1748 # import and export data amongst themselves, but not export outside of the
1749 # `ServicePerimeter`. If a request with a source within this `ServicePerimeter`
1750 # has a target outside of the `ServicePerimeter`, the request will be blocked.
1751 # Otherwise the request is allowed. There are two types of Service Perimeter -
1752 # Regular and Bridge. Regular Service Perimeters cannot overlap; a single
1753 # Google Cloud project can only belong to a single regular Service Perimeter.
1754 # Service Perimeter Bridges can contain only Google Cloud projects as members;
1755 # a single Google Cloud project may belong to multiple Service Perimeter
1756 # Bridges.
1757 &quot;title&quot;: &quot;A String&quot;, # Human readable title. Must be unique within the Policy.
1758 &quot;perimeterType&quot;: &quot;A String&quot;, # Perimeter type indicator. A single project is
1759 # allowed to be a member of a single regular perimeter, but multiple service
1760 # perimeter bridges. A project cannot be included in a perimeter bridge
1761 # without being included in a regular perimeter. For perimeter bridges,
1762 # the restricted service list as well as access level lists must be
1763 # empty.
1764 &quot;status&quot;: { # `ServicePerimeterConfig` specifies a set of Google Cloud resources that # Current ServicePerimeter configuration. Specifies sets of resources,
1765 # restricted services and access levels that determine perimeter
1766 # content and boundaries.
1767 # describe specific Service Perimeter configuration.
1768 &quot;resources&quot;: [ # A list of Google Cloud resources that are inside of the service perimeter.
1769 # Currently only projects are allowed. Format: `projects/{project_number}`
1770 &quot;A String&quot;,
1771 ],
1772 &quot;restrictedServices&quot;: [ # Google Cloud services that are subject to the Service Perimeter
1773 # restrictions. For example, if `storage.googleapis.com` is specified, access
1774 # to the storage buckets inside the perimeter must meet the perimeter&#x27;s
1775 # access restrictions.
1776 &quot;A String&quot;,
1777 ],
1778 &quot;accessLevels&quot;: [ # A list of `AccessLevel` resource names that allow resources within the
1779 # `ServicePerimeter` to be accessed from the internet. `AccessLevels` listed
1780 # must be in the same policy as this `ServicePerimeter`. Referencing a
1781 # nonexistent `AccessLevel` is a syntax error. If no `AccessLevel` names are
1782 # listed, resources within the perimeter can only be accessed via Google
1783 # Cloud calls with request origins within the perimeter. Example:
1784 # `&quot;accessPolicies/MY_POLICY/accessLevels/MY_LEVEL&quot;`.
1785 # For Service Perimeter Bridge, must be empty.
1786 &quot;A String&quot;,
1787 ],
1788 &quot;vpcAccessibleServices&quot;: { # Specifies how APIs are allowed to communicate within the Service # Configuration for APIs allowed within Perimeter.
1789 # Perimeter.
1790 &quot;allowedServices&quot;: [ # The list of APIs usable within the Service Perimeter. Must be empty
1791 # unless &#x27;enable_restriction&#x27; is True.
1792 &quot;A String&quot;,
1793 ],
1794 &quot;enableRestriction&quot;: True or False, # Whether to restrict API calls within the Service Perimeter to the list of
1795 # APIs specified in &#x27;allowed_services&#x27;.
1796 },
1797 },
1798 &quot;name&quot;: &quot;A String&quot;, # Required. Resource name for the ServicePerimeter. The `short_name`
1799 # component must begin with a letter and only include alphanumeric and &#x27;_&#x27;.
1800 # Format: `accessPolicies/{policy_id}/servicePerimeters/{short_name}`
1801 &quot;useExplicitDryRunSpec&quot;: True or False, # Use explicit dry run spec flag. Ordinarily, a dry-run spec implicitly
1802 # exists for all Service Perimeters, and that spec is identical to the
1803 # status for those Service Perimeters. When this flag is set, it inhibits the
1804 # generation of the implicit spec, thereby allowing the user to explicitly
1805 # provide a configuration (&quot;spec&quot;) to use in a dry-run version of the Service
1806 # Perimeter. This allows the user to test changes to the enforced config
1807 # (&quot;status&quot;) without actually enforcing them. This testing is done through
1808 # analyzing the differences between currently enforced and suggested
1809 # restrictions. use_explicit_dry_run_spec must be set to True if any of the
1810 # fields in the spec are set to non-default values.
1811 &quot;spec&quot;: { # `ServicePerimeterConfig` specifies a set of Google Cloud resources that # Proposed (or dry run) ServicePerimeter configuration. This configuration
1812 # allows you to specify and test ServicePerimeter configuration without enforcing
1813 # actual access restrictions. Only allowed to be set when the
1814 # &quot;use_explicit_dry_run_spec&quot; flag is set.
1815 # describe specific Service Perimeter configuration.
1816 &quot;resources&quot;: [ # A list of Google Cloud resources that are inside of the service perimeter.
1817 # Currently only projects are allowed. Format: `projects/{project_number}`
1818 &quot;A String&quot;,
1819 ],
1820 &quot;restrictedServices&quot;: [ # Google Cloud services that are subject to the Service Perimeter
1821 # restrictions. For example, if `storage.googleapis.com` is specified, access
1822 # to the storage buckets inside the perimeter must meet the perimeter&#x27;s
1823 # access restrictions.
1824 &quot;A String&quot;,
1825 ],
1826 &quot;accessLevels&quot;: [ # A list of `AccessLevel` resource names that allow resources within the
1827 # `ServicePerimeter` to be accessed from the internet. `AccessLevels` listed
1828 # must be in the same policy as this `ServicePerimeter`. Referencing a
1829 # nonexistent `AccessLevel` is a syntax error. If no `AccessLevel` names are
1830 # listed, resources within the perimeter can only be accessed via Google
1831 # Cloud calls with request origins within the perimeter. Example:
1832 # `&quot;accessPolicies/MY_POLICY/accessLevels/MY_LEVEL&quot;`.
1833 # For Service Perimeter Bridge, must be empty.
1834 &quot;A String&quot;,
1835 ],
1836 &quot;vpcAccessibleServices&quot;: { # Specifies how APIs are allowed to communicate within the Service # Configuration for APIs allowed within Perimeter.
1837 # Perimeter.
1838 &quot;allowedServices&quot;: [ # The list of APIs usable within the Service Perimeter. Must be empty
1839 # unless &#x27;enable_restriction&#x27; is True.
1840 &quot;A String&quot;,
1841 ],
1842 &quot;enableRestriction&quot;: True or False, # Whether to restrict API calls within the Service Perimeter to the list of
1843 # APIs specified in &#x27;allowed_services&#x27;.
1844 },
1845 },
1846 &quot;description&quot;: &quot;A String&quot;, # Description of the `ServicePerimeter` and its use. Does not affect
1847 # behavior.
1848 },
1849 },
1850 &quot;priorAssetState&quot;: &quot;A String&quot;, # State of prior_asset.
1851 &quot;window&quot;: { # A time window specified by its `start_time` and `end_time`. # The time window when the asset data and state were observed.
1852 &quot;endTime&quot;: &quot;A String&quot;, # End time of the time window (inclusive). If not specified, the current
1853 # timestamp is used instead.
1854 &quot;startTime&quot;: &quot;A String&quot;, # Start time of the time window (exclusive).
1855 },
1856 },
1857 ],
1858 }</pre>
1859</div>
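The `inheritFromParent` layering rules in the `ListPolicy` examples above can be checked mechanically. The Python model below is an added example, not part of this API reference or of Google's policy engine; `ListPolicy`, `effective_policy` and `accepted` are hypothetical names. It assumes that Examples 3 and 10 set `inherit_from_parent` to true (their titles say the values are inherited) and that a policy listing only denied values accepts every other value.

```python
from dataclasses import dataclass, field


@dataclass
class ListPolicy:
    """One ListPolicy as set on a single resource (hypothetical model)."""
    allowed_values: list = field(default_factory=list)
    denied_values: list = field(default_factory=list)
    all_values: str = "ALL_VALUES_UNSPECIFIED"  # or "ALLOW" / "DENY"
    inherit_from_parent: bool = False
    restore_default: bool = False

    def __post_init__(self):
        # The reference requires both lists to be unset when all_values is ALLOW or DENY.
        if self.all_values != "ALL_VALUES_UNSPECIFIED" and (
            self.allowed_values or self.denied_values
        ):
            raise ValueError("allowed_values/denied_values must be unset "
                             "when all_values is ALLOW or DENY")


@dataclass(frozen=True)
class Effective:
    """Effective policy at a resource after layering."""
    allow_all: bool
    allowed: frozenset = frozenset()
    denied: frozenset = frozenset()


def effective_policy(chain, constraint_default):
    """Layer policies from the root resource down to the target.

    chain holds one entry per hierarchy level, None where no Policy is set.
    constraint_default is "ALLOW" or "DENY".
    """
    default = Effective(allow_all=(constraint_default == "ALLOW"))
    state = default
    for policy in chain:
        if policy is None:
            continue                      # no Policy here: parent's result applies
        if policy.restore_default:
            state = default               # Example 4
        elif policy.all_values == "ALLOW":
            state = Effective(True)       # Example 6
        elif policy.all_values == "DENY":
            state = Effective(False)      # Example 7
        elif policy.inherit_from_parent:
            # Values are added to those inherited up the hierarchy.
            state = Effective(state.allow_all,
                              state.allowed | set(policy.allowed_values),
                              state.denied | set(policy.denied_values))
        else:
            # Supersedes anything set higher up. Assumption: a deny-only
            # list leaves every other value accepted.
            state = Effective(not policy.allowed_values,
                              frozenset(policy.allowed_values),
                              frozenset(policy.denied_values))
    return state


def _matches(entries, value, parent_of):
    """True if value equals an entry or sits in an "under:" subtree."""
    lineage = [value]
    while lineage[-1] in parent_of:
        lineage.append(parent_of[lineage[-1]])
    return any(
        e == value or (e.startswith("under:") and e[len("under:"):] in lineage)
        for e in entries
    )


def accepts(state, value, parent_of=None):
    """A value must be allowed and must not be present in the denied set."""
    parent_of = parent_of or {}
    if _matches(state.denied, value, parent_of):
        return False
    return state.allow_all or _matches(state.allowed, value, parent_of)


def accepted(state, candidates, parent_of=None):
    """Filter a list of candidate values down to the accepted ones."""
    return [v for v in candidates if accepts(state, v, parent_of)]
```

Running a proposed project-level policy through `effective_policy` before applying it shows whether `inherit_from_parent: false` would silently drop a restriction set at the organization, as in Example 1.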
1860
1861<div class="method">
1862 <code class="details" id="exportAssets">exportAssets(parent, body=None, x__xgafv=None)</code>
1863 <pre>Exports assets with time and resource types to a given Cloud Storage
1864location/BigQuery table. For Cloud Storage location destinations, the
1865output format is newline-delimited JSON. Each line represents a
1866google.cloud.asset.v1.Asset in the JSON format; for BigQuery table
1867destinations, the output table stores the fields in asset proto as columns.
1868This API implements the google.longrunning.Operation API,
1869which allows you to keep track of the export. We recommend intervals of
1870at least 2 seconds with exponential retry to poll the export operation
1871result. For a regular-size resource parent, the export operation usually
1872finishes within 5 minutes.
1873
1874Args:
1875 parent: string, Required. The relative name of the root asset. This can only be an
1876organization number (such as &quot;organizations/123&quot;), a project ID (such as
1877&quot;projects/my-project-id&quot;), or a project number (such as &quot;projects/12345&quot;),
1878or a folder number (such as &quot;folders/123&quot;). (required)
1879 body: object, The request body.
1880 The object takes the form of:
1881
1882{ # Export asset request.
1883 &quot;outputConfig&quot;: { # Output configuration for export assets destination. # Required. Output configuration indicating where the results will be output to.
1884 &quot;bigqueryDestination&quot;: { # A BigQuery destination for exporting assets to. # Destination on BigQuery. The output table stores the fields in asset
1885 # proto as columns in BigQuery.
1886 &quot;dataset&quot;: &quot;A String&quot;, # Required. The BigQuery dataset in format
1887 # &quot;projects/projectId/datasets/datasetId&quot;, to which the snapshot result
1888 # should be exported. If this dataset does not exist, the export call returns
1889 # an INVALID_ARGUMENT error.
1890 &quot;table&quot;: &quot;A String&quot;, # Required. The BigQuery table to which the snapshot result should be
1891 # written. If this table does not exist, a new table with the given name
1892 # will be created.
1893 &quot;force&quot;: True or False, # If the destination table already exists and this flag is `TRUE`, the
1894 # table will be overwritten by the contents of assets snapshot. If the flag
1895 # is `FALSE` or unset and the destination table already exists, the export
1896 # call returns an INVALID_ARGUMENT error.
1897 },
1898 &quot;gcsDestination&quot;: { # A Cloud Storage location. # Destination on Cloud Storage.
1899 &quot;uri&quot;: &quot;A String&quot;, # The uri of the Cloud Storage object. It&#x27;s the same uri that is used by
1900 # gsutil. Example: &quot;gs://bucket_name/object_name&quot;. See [Viewing and
1901 # Editing Object
1902 # Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata)
1903 # for more information.
1904 &quot;uriPrefix&quot;: &quot;A String&quot;, # The uri prefix of all generated Cloud Storage objects. Example:
1905 # &quot;gs://bucket_name/object_name_prefix&quot;. Each object uri is in format:
1906 # &quot;gs://bucket_name/object_name_prefix/&lt;asset type&gt;/&lt;shard number&gt;&quot; and only
1907 # contains assets for that type. &lt;shard number&gt; starts from 0. Example:
1908 # &quot;gs://bucket_name/object_name_prefix/compute.googleapis.com/Disk/0&quot; is
1909 # the first shard of output objects containing all
1910 # compute.googleapis.com/Disk assets. An INVALID_ARGUMENT error will be
1911 # returned if a file with the same name &quot;gs://bucket_name/object_name_prefix&quot;
1912 # already exists.
1913 },
1914 },
1915 &quot;readTime&quot;: &quot;A String&quot;, # Timestamp to take an asset snapshot. This can only be set to a timestamp
1916 # between the current time and the current time minus 35 days (inclusive).
1917 # If not specified, the current time will be used. Due to delays in resource
1918 # data collection and indexing, there is a volatile window during which
1919 # running the same query may get different results.
1920 &quot;contentType&quot;: &quot;A String&quot;, # Asset content type. If not specified, no content but the asset name will be
1921 # returned.
1922 &quot;assetTypes&quot;: [ # A list of asset types to take a snapshot for. For example:
1923 # &quot;compute.googleapis.com/Disk&quot;.
1924 #
1925 # Regular expressions are also supported. For example:
1926 #
1927 # * &quot;compute.googleapis.com.*&quot; snapshots resources whose asset type starts
1928 # with &quot;compute.googleapis.com&quot;.
1929 # * &quot;.*Instance&quot; snapshots resources whose asset type ends with &quot;Instance&quot;.
1930 # * &quot;.*Instance.*&quot; snapshots resources whose asset type contains &quot;Instance&quot;.
1931 #
1932 # See [RE2](https://github.com/google/re2/wiki/Syntax) for all supported
1933 # regular expression syntax. If the regular expression does not match any
1934 # supported asset type, an INVALID_ARGUMENT error will be returned.
1935 #
1936 # If specified, only matching assets will be returned, otherwise, it will
1937 # snapshot all asset types. See [Introduction to Cloud Asset
1938 # Inventory](https://cloud.google.com/asset-inventory/docs/overview)
1939 # for all supported asset types.
1940 &quot;A String&quot;,
1941 ],
1942 }
1943
1944 x__xgafv: string, V1 error format.
1945 Allowed values
1946 1 - v1 error format
1947 2 - v2 error format
1948
1949Returns:
1950 An object of the form:
1951
1952 { # This resource represents a long-running operation that is the result of a
1953 # network API call.
1954 &quot;response&quot;: { # The normal response of the operation in case of success. If the original
1955 # method returns no data on success, such as `Delete`, the response is
1956 # `google.protobuf.Empty`. If the original method is standard
1957 # `Get`/`Create`/`Update`, the response should be the resource. For other
1958 # methods, the response should have the type `XxxResponse`, where `Xxx`
1959 # is the original method name. For example, if the original method name
1960 # is `TakeSnapshot()`, the inferred response type is
1961 # `TakeSnapshotResponse`.
1962 &quot;a_key&quot;: &quot;&quot;, # Properties of the object. Contains field @type with type URL.
1963 },
1964 &quot;done&quot;: True or False, # If the value is `false`, it means the operation is still in progress.
1965 # If `true`, the operation is completed, and either `error` or `response` is
1966 # available.
1967 &quot;name&quot;: &quot;A String&quot;, # The server-assigned name, which is only unique within the same service that
1968 # originally returns it. If you use the default HTTP mapping, the
1969 # `name` should be a resource name ending with `operations/{unique_id}`.
1970 &quot;metadata&quot;: { # Service-specific metadata associated with the operation. It typically
1971 # contains progress information and common metadata such as create time.
1972 # Some services might not provide such metadata. Any method that returns a
1973 # long-running operation should document the metadata type, if any.
1974 &quot;a_key&quot;: &quot;&quot;, # Properties of the object. Contains field @type with type URL.
1975 },
1976 &quot;error&quot;: { # The `Status` type defines a logical error model that is suitable for # The error result of the operation in case of failure or cancellation.
1977 # different programming environments, including REST APIs and RPC APIs. It is
1978 # used by [gRPC](https://github.com/grpc). Each `Status` message contains
1979 # three pieces of data: error code, error message, and error details.
1980 #
1981 # You can find out more about this error model and how to work with it in the
1982 # [API Design Guide](https://cloud.google.com/apis/design/errors).
1983 &quot;details&quot;: [ # A list of messages that carry the error details. There is a common set of
1984 # message types for APIs to use.
1985 {
1986 &quot;a_key&quot;: &quot;&quot;, # Properties of the object. Contains field @type with type URL.
1987 },
1988 ],
1989 &quot;message&quot;: &quot;A String&quot;, # A developer-facing error message, which should be in English. Any
1990 # user-facing error message should be localized and sent in the
1991 # google.rpc.Status.details field, or localized by the client.
1992 &quot;code&quot;: 42, # The status code, which should be an enum value of google.rpc.Code.
1993 },
1994 }</pre>
1995</div>
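The request rules and polling guidance for `exportAssets` documented above (allowed `parent` forms, the 35-day `readTime` window, polling no faster than every 2 seconds with exponential backoff, then reading `done`, `error` and `response`) can be exercised offline. The following Python is an added example, not code from this client library; `build_export_request`, `wait_for_export` and `ExportFailed` are hypothetical names, and `get_operation` is any callable returning the operation dictionary shown under Returns.

```python
import re
import time
from datetime import datetime, timedelta, timezone

# Parent forms listed under Args: organization number, folder number,
# project ID or project number.
PARENT_RE = re.compile(r"(organizations/\d+|folders/\d+|projects/[^/\s]+)")
MAX_SNAPSHOT_AGE = timedelta(days=35)


class ExportFailed(Exception):
    """Raised when the finished operation carries an `error` Status."""

    def __init__(self, status):
        super().__init__("export failed: code=%s message=%s"
                         % (status.get("code"), status.get("message")))
        self.status = status


def build_export_request(parent, gcs_uri, asset_types=None,
                         content_type=None, read_time=None, now=None):
    """Validate inputs client-side and return kwargs for exportAssets()."""
    if not PARENT_RE.fullmatch(parent):
        raise ValueError("parent must be organizations/N, folders/N or projects/ID")
    if not gcs_uri.startswith("gs://"):
        raise ValueError("uri must look like gs://bucket_name/object_name")
    body = {"outputConfig": {"gcsDestination": {"uri": gcs_uri}}}
    if read_time is not None:
        now = now or datetime.now(timezone.utc)
        # readTime may only lie between now - 35 days and now (inclusive).
        if not (now - MAX_SNAPSHOT_AGE <= read_time <= now):
            raise ValueError("readTime outside the 35-day snapshot window")
        body["readTime"] = read_time.astimezone(timezone.utc).strftime(
            "%Y-%m-%dT%H:%M:%SZ")
    if content_type:
        body["contentType"] = content_type
    if asset_types:
        body["assetTypes"] = list(asset_types)
    return {"parent": parent, "body": body}


def wait_for_export(get_operation, name, first_delay=2.0, max_delay=60.0,
                    timeout=900.0, sleep=time.sleep):
    """Poll a long-running operation until `done`, doubling the delay each time.

    With the real client, get_operation could be, for example:
        lambda n: service.operations().get(name=n).execute()
    """
    delay = max(first_delay, 2.0)   # never poll faster than every 2 seconds
    waited = 0.0
    while True:
        op = get_operation(name)
        if op.get("done"):
            # When done is true, either `error` or `response` is available.
            if "error" in op:
                raise ExportFailed(op["error"])
            return op.get("response", {})
        if waited + delay > timeout:
            raise TimeoutError("operation %s not done after %.0fs" % (name, waited))
        sleep(delay)
        waited += delay
        delay = min(delay * 2, max_delay)
```

With the real client the returned dictionary is passed as `service.v1().exportAssets(**request).execute()`, and the `name` field of the result is what `wait_for_export` polls.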
1996
1997<div class="method">
1998 <code class="details" id="searchAllIamPolicies">searchAllIamPolicies(scope, query=None, pageToken=None, pageSize=None, x__xgafv=None)</code>
1999 <pre>Searches all the IAM policies within the given accessible scope (e.g., a
2000project, a folder or an organization). Callers should have
2001`cloud.assets.SearchAllIamPolicies` permission upon the requested scope,
2002otherwise the request will be rejected.
2003
2004Args:
2005 scope: string, Required. A scope can be a project, a folder or an organization. The search is
2006limited to the IAM policies within the `scope`.
2007
2008The allowed values are:
2009
2010* projects/{PROJECT_ID}
2011* projects/{PROJECT_NUMBER}
2012* folders/{FOLDER_NUMBER}
2013* organizations/{ORGANIZATION_NUMBER} (required)
2014 query: string, Optional. The query statement. An empty query can be specified to search all the IAM
2015policies within the given `scope`.
2016
2017Examples:
2018
2019* `policy : &quot;amy@gmail.com&quot;` to find Cloud IAM policy bindings that
2020 specify user &quot;amy@gmail.com&quot;.
2021* `policy : &quot;roles/compute.admin&quot;` to find Cloud IAM policy bindings that
2022 specify the Compute Admin role.
2023* `policy.role.permissions : &quot;storage.buckets.update&quot;` to find Cloud IAM
2024 policy bindings that specify a role containing &quot;storage.buckets.update&quot;
2025 permission.
2026* `resource : &quot;organizations/123&quot;` to find Cloud IAM policy bindings that
2027 are set on &quot;organizations/123&quot;.
2028* `(resource : (&quot;organizations/123&quot; OR &quot;folders/1234&quot;) AND policy : &quot;amy&quot;)`
2029 to find Cloud IAM policy bindings that are set on &quot;organizations/123&quot; or
2030 &quot;folders/1234&quot;, and also specify user &quot;amy&quot;.
2031
2032See [how to construct a
2033query](https://cloud.google.com/asset-inventory/docs/searching-iam-policies#how_to_construct_a_query)
2034for more details.
2035 pageToken: string, Optional. If present, retrieve the next batch of results from the preceding call to
2036this method. `page_token` must be the value of `next_page_token` from the
2037previous response. The values of all other method parameters must be
2038identical to those in the previous call.
2039 pageSize: integer, Optional. The page size for search result pagination. Page size is capped at 500 even
2040if a larger value is given. If set to zero, server will pick an appropriate
2041default. Returned results may be fewer than requested. When this happens,
2042there could be more results as long as `next_page_token` is returned.
2043 x__xgafv: string, V1 error format.
2044 Allowed values
2045 1 - v1 error format
2046 2 - v2 error format
2047
2048Returns:
2049 An object of the form:
2050
2051 { # Search all IAM policies response.
2052 &quot;results&quot;: [ # A list of IamPolicy that match the search query. Related information such
2053 # as the associated resource is returned along with the policy.
2054 { # A result of IAM Policy search, containing information of an IAM policy.
2055 &quot;project&quot;: &quot;A String&quot;, # The project that the associated GCP resource belongs to, in the form of
2056 # projects/{PROJECT_NUMBER}. If an IAM policy is set on a resource (like VM
2057 # instance, Cloud Storage bucket), the project field will indicate the
2058 # project that contains the resource. If an IAM policy is set on a folder or
2059 # organization, the project field will be empty.
2060 #
2061 # To search against the `project`:
2062 #
2063 # * specify the `scope` field as this project in your search request.
2064 &quot;resource&quot;: &quot;A String&quot;, # The full resource name of the resource associated with this IAM policy.
2065 # Example:
2066 # `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`.
2067 # See [Cloud Asset Inventory Resource Name
2068 # Format](https://cloud.google.com/asset-inventory/docs/resource-name-format)
2069 # for more information.
2070 #
2071 # To search against the `resource`:
2072 #
2073 # * use a field query. Example: `resource : &quot;organizations/123&quot;`
2074 &quot;explanation&quot;: { # Explanation about the IAM policy search result. # Explanation about the IAM policy search result. It contains additional
2075 # information to explain why the search result matches the query.
2076 &quot;matchedPermissions&quot;: { # The map from roles to their included permissions that match the
2077 # permission query (i.e., a query containing `policy.role.permissions:`).
2078 # Example: if query `policy.role.permissions : &quot;compute.disk.get&quot;`
2079 # matches a policy binding that contains owner role, the
2080 # matched_permissions will be `{&quot;roles/owner&quot;: [&quot;compute.disk.get&quot;]}`. The
2081 # roles can also be found in the returned `policy` bindings. Note that the
2082 # map is populated only for requests with permission queries.
2083 &quot;a_key&quot;: { # IAM permissions
2084 &quot;permissions&quot;: [ # A list of permissions. A sample permission string: `compute.disk.get`.
2085 &quot;A String&quot;,
2086 ],
2087 },
2088 },
2089 },
2090 &quot;policy&quot;: { # An Identity and Access Management (IAM) policy, which specifies access # The IAM policy directly set on the given resource. Note that the original
2091 # IAM policy can contain multiple bindings. This only contains the bindings
2092 # that match the given query. For queries that don&#x27;t contain a constraint on
2093 # policies (e.g., an empty query), this contains all the bindings.
2094 #
2095 # To search against the `policy` bindings:
2096 #
2097 # * use a field query, as follows:
2098 # - query by the policy contained members. Example:
2099 # `policy : &quot;amy@gmail.com&quot;`
2100 # - query by the policy contained roles. Example:
2101 # `policy : &quot;roles/compute.admin&quot;`
2102 # - query by the policy contained roles&#x27; implied permissions. Example:
2103 # `policy.role.permissions : &quot;compute.instances.create&quot;`
2104 # controls for Google Cloud resources.
2105 #
2106 #
2107 # A `Policy` is a collection of `bindings`. A `binding` binds one or more
2108 # `members` to a single `role`. Members can be user accounts, service accounts,
2109 # Google groups, and domains (such as G Suite). A `role` is a named list of
2110 # permissions; each `role` can be an IAM predefined role or a user-created
2111 # custom role.
2112 #
2113 # For some types of Google Cloud resources, a `binding` can also specify a
2114 # `condition`, which is a logical expression that allows access to a resource
2115 # only if the expression evaluates to `true`. A condition can add constraints
2116 # based on attributes of the request, the resource, or both. To learn which
2117 # resources support conditions in their IAM policies, see the
2118 # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
2119 #
2120 # **JSON example:**
2121 #
2122 # {
2123 # &quot;bindings&quot;: [
2124 # {
2125 # &quot;role&quot;: &quot;roles/resourcemanager.organizationAdmin&quot;,
2126 # &quot;members&quot;: [
2127 # &quot;user:mike@example.com&quot;,
2128 # &quot;group:admins@example.com&quot;,
2129 # &quot;domain:google.com&quot;,
2130 # &quot;serviceAccount:my-project-id@appspot.gserviceaccount.com&quot;
2131 # ]
2132 # },
2133 # {
2134 # &quot;role&quot;: &quot;roles/resourcemanager.organizationViewer&quot;,
2135 # &quot;members&quot;: [
2136 # &quot;user:eve@example.com&quot;
2137 # ],
2138 # &quot;condition&quot;: {
2139 # &quot;title&quot;: &quot;expirable access&quot;,
2140 # &quot;description&quot;: &quot;Does not grant access after Sep 2020&quot;,
2141 # &quot;expression&quot;: &quot;request.time &lt; timestamp(&#x27;2020-10-01T00:00:00.000Z&#x27;)&quot;
2142 # }
2143 # }
2144 # ],
2145 # &quot;etag&quot;: &quot;BwWWja0YfJA=&quot;,
2146 # &quot;version&quot;: 3
2147 # }
2148 #
2149 # **YAML example:**
2150 #
2151 # bindings:
2152 # - members:
2153 # - user:mike@example.com
2154 # - group:admins@example.com
2155 # - domain:google.com
2156 # - serviceAccount:my-project-id@appspot.gserviceaccount.com
2157 # role: roles/resourcemanager.organizationAdmin
2158 # - members:
2159 # - user:eve@example.com
2160 # role: roles/resourcemanager.organizationViewer
2161 # condition:
2162 # title: expirable access
2163 # description: Does not grant access after Sep 2020
2164 # expression: request.time &lt; timestamp(&#x27;2020-10-01T00:00:00.000Z&#x27;)
2165 # etag: BwWWja0YfJA=
2166 # version: 3
2167 #
2168 # For a description of IAM and its features, see the
2169 # [IAM documentation](https://cloud.google.com/iam/docs/).
2170 &quot;version&quot;: 42, # Specifies the format of the policy.
2171 #
2172 # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
2173 # are rejected.
2174 #
2175 # Any operation that affects conditional role bindings must specify version
2176 # `3`. This requirement applies to the following operations:
2177 #
2178 # * Getting a policy that includes a conditional role binding
2179 # * Adding a conditional role binding to a policy
2180 # * Changing a conditional role binding in a policy
2181 # * Removing any role binding, with or without a condition, from a policy
2182 # that includes conditions
2183 #
2184 # **Important:** If you use IAM Conditions, you must include the `etag` field
2185 # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
2186 # you to overwrite a version `3` policy with a version `1` policy, and all of
2187 # the conditions in the version `3` policy are lost.
2188 #
2189 # If a policy does not include any conditions, operations on that policy may
2190 # specify any valid version or leave the field unset.
2191 #
2192 # To learn which resources support conditions in their IAM policies, see the
2193 # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
2194 &quot;auditConfigs&quot;: [ # Specifies cloud audit logging configuration for this policy.
2195 { # Specifies the audit configuration for a service.
2196 # The configuration determines which permission types are logged, and what
2197 # identities, if any, are exempted from logging.
2198 # An AuditConfig must have one or more AuditLogConfigs.
2199 #
2200 # If there are AuditConfigs for both `allServices` and a specific service,
2201 # the union of the two AuditConfigs is used for that service: the log_types
2202 # specified in each AuditConfig are enabled, and the exempted_members in each
2203 # AuditLogConfig are exempted.
2204 #
2205 # Example Policy with multiple AuditConfigs:
2206 #
2207 # {
2208 # &quot;audit_configs&quot;: [
2209 # {
2210 # &quot;service&quot;: &quot;allServices&quot;,
2211 # &quot;audit_log_configs&quot;: [
2212 # {
2213 # &quot;log_type&quot;: &quot;DATA_READ&quot;,
2214 # &quot;exempted_members&quot;: [
2215 # &quot;user:jose@example.com&quot;
2216 # ]
2217 # },
2218 # {
2219 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;
2220 # },
2221 # {
2222 # &quot;log_type&quot;: &quot;ADMIN_READ&quot;
2223 # }
2224 # ]
2225 # },
2226 # {
2227 # &quot;service&quot;: &quot;sampleservice.googleapis.com&quot;,
2228 # &quot;audit_log_configs&quot;: [
2229 # {
2230 # &quot;log_type&quot;: &quot;DATA_READ&quot;
2231 # },
2232 # {
2233 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;,
2234 # &quot;exempted_members&quot;: [
2235 # &quot;user:aliya@example.com&quot;
2236 # ]
2237 # }
2238 # ]
2239 # }
2240 # ]
2241 # }
2242 #
2243 # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
2244 # logging. It also exempts jose@example.com from DATA_READ logging, and
2245 # aliya@example.com from DATA_WRITE logging.
2246 &quot;service&quot;: &quot;A String&quot;, # Specifies a service that will be enabled for audit logging.
2247 # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
2248 # `allServices` is a special value that covers all services.
2249 &quot;auditLogConfigs&quot;: [ # The configuration for logging of each type of permission.
2250 { # Provides the configuration for logging a type of permissions.
2251 # Example:
2252 #
2253 # {
2254 # &quot;audit_log_configs&quot;: [
2255 # {
2256 # &quot;log_type&quot;: &quot;DATA_READ&quot;,
2257 # &quot;exempted_members&quot;: [
2258 # &quot;user:jose@example.com&quot;
2259 # ]
2260 # },
2261 # {
2262 # &quot;log_type&quot;: &quot;DATA_WRITE&quot;
2263 # }
2264 # ]
2265 # }
2266 #
2267 # This enables &#x27;DATA_READ&#x27; and &#x27;DATA_WRITE&#x27; logging, while exempting
2268 # jose@example.com from DATA_READ logging.
2269 &quot;logType&quot;: &quot;A String&quot;, # The log type that this config enables.
2270 &quot;exemptedMembers&quot;: [ # Specifies the identities that do not cause logging for this type of
2271 # permission.
2272 # Follows the same format as Binding.members.
2273 &quot;A String&quot;,
2274 ],
2275 },
2276 ],
2277 },
2278 ],
2279 &quot;bindings&quot;: [ # Associates a list of `members` to a `role`. Optionally, may specify a
2280 # `condition` that determines how and when the `bindings` are applied. Each
2281 # of the `bindings` must contain at least one member.
2282 { # Associates `members` with a `role`.
2283 &quot;role&quot;: &quot;A String&quot;, # Role that is assigned to `members`.
2284 # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
2285 &quot;members&quot;: [ # Specifies the identities requesting access for a Cloud Platform resource.
2286 # `members` can have the following values:
2287 #
2288 # * `allUsers`: A special identifier that represents anyone who is
2289 # on the internet; with or without a Google account.
2290 #
2291 # * `allAuthenticatedUsers`: A special identifier that represents anyone
2292 # who is authenticated with a Google account or a service account.
2293 #
2294 # * `user:{emailid}`: An email address that represents a specific Google
2295 # account. For example, `alice@example.com`.
2296 #
2297 #
2298 # * `serviceAccount:{emailid}`: An email address that represents a service
2299 # account. For example, `my-other-app@appspot.gserviceaccount.com`.
2300 #
2301 # * `group:{emailid}`: An email address that represents a Google group.
2302 # For example, `admins@example.com`.
2303 #
2304 # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
2305 # identifier) representing a user that has been recently deleted. For
2306 # example, `alice@example.com?uid=123456789012345678901`. If the user is
2307 # recovered, this value reverts to `user:{emailid}` and the recovered user
2308 # retains the role in the binding.
2309 #
2310 # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
2311 # unique identifier) representing a service account that has been recently
2312 # deleted. For example,
2313 # `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
2314 # If the service account is undeleted, this value reverts to
2315 # `serviceAccount:{emailid}` and the undeleted service account retains the
2316 # role in the binding.
2317 #
2318 # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
2319 # identifier) representing a Google group that has been recently
2320 # deleted. For example, `admins@example.com?uid=123456789012345678901`. If
2321 # the group is recovered, this value reverts to `group:{emailid}` and the
2322 # recovered group retains the role in the binding.
2323 #
2324 #
2325 # * `domain:{domain}`: The G Suite domain (primary) that represents all the
2326 # users of that domain. For example, `google.com` or `example.com`.
2327 #
2328 &quot;A String&quot;,
2329 ],
2330 &quot;condition&quot;: { # The condition that is associated with this binding.
2331 #
2332 # If the condition evaluates to `true`, then this binding applies to the
2333 # current request.
2334 #
2335 # If the condition evaluates to `false`, then this binding does not apply to
2336 # the current request. However, a different role binding might grant the same
2337 # role to one or more of the members in this binding.
2338 #
2339 # To learn which resources support conditions in their IAM policies, see the
2340 # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
2341 #
2342 # Represents a textual expression in the Common Expression Language (CEL) syntax.
2343 # CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec.
2344 #
2345 # Example (Comparison):
2346 #
2347 # title: &quot;Summary size limit&quot;
2348 # description: &quot;Determines if a summary is less than 100 chars&quot;
2349 # expression: &quot;document.summary.size() &lt; 100&quot;
2350 #
2351 # Example (Equality):
2352 #
2353 # title: &quot;Requestor is owner&quot;
2354 # description: &quot;Determines if requestor is the document owner&quot;
2355 # expression: &quot;document.owner == request.auth.claims.email&quot;
2356 #
2357 # Example (Logic):
2358 #
2359 # title: &quot;Public documents&quot;
2360 # description: &quot;Determine whether the document should be publicly visible&quot;
2361 # expression: &quot;document.type != &#x27;private&#x27; &amp;&amp; document.type != &#x27;internal&#x27;&quot;
2362 #
2363 # Example (Data Manipulation):
2364 #
2365 # title: &quot;Notification string&quot;
2366 # description: &quot;Create a notification string with a timestamp.&quot;
2367 # expression: &quot;&#x27;New message received at &#x27; + string(document.create_time)&quot;
2368 #
2369 # The exact variables and functions that may be referenced within an expression
2370 # are determined by the service that evaluates it. See the service
2371 # documentation for additional information.
2372 &quot;description&quot;: &quot;A String&quot;, # Optional. Description of the expression. This is a longer text which
2373 # describes the expression, e.g. when hovered over it in a UI.
2374 &quot;location&quot;: &quot;A String&quot;, # Optional. String indicating the location of the expression for error
2375 # reporting, e.g. a file name and a position in the file.
2376 &quot;expression&quot;: &quot;A String&quot;, # Textual representation of an expression in Common Expression Language
2377 # syntax.
2378 &quot;title&quot;: &quot;A String&quot;, # Optional. Title for the expression, i.e. a short string describing
2379 # its purpose. This can be used e.g. in UIs that allow entering the
2380 # expression.
2381 },
2382 },
2383 ],
2384 &quot;etag&quot;: &quot;A String&quot;, # `etag` is used for optimistic concurrency control as a way to help
2385 # prevent simultaneous updates of a policy from overwriting each other.
2386 # It is strongly suggested that systems make use of the `etag` in the
2387 # read-modify-write cycle to perform policy updates in order to avoid race
2388 # conditions: An `etag` is returned in the response to `getIamPolicy`, and
2389 # systems are expected to put that etag in the request to `setIamPolicy` to
2390 # ensure that their change will be applied to the same version of the policy.
2391 #
2392 # **Important:** If you use IAM Conditions, you must include the `etag` field
2393 # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
2394 # you to overwrite a version `3` policy with a version `1` policy, and all of
2395 # the conditions in the version `3` policy are lost.
2396 },
2397 },
2398 ],
2399 &quot;nextPageToken&quot;: &quot;A String&quot;, # Set if there are more results than those appearing in this response; to get
2400 # the next set of results, call this method again, using this value as the
2401 # `page_token`.
2402 }</pre>
2403</div>
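<p>Added example (not part of the generated reference or of the client library): it applies the AuditConfig union rule described above to the sample policy from that description, written with the camelCase field names of the response schema. The <code>required</code> default and the wording of the findings are assumptions of this example.</p>

```python
from collections import defaultdict

# Constructed sample: the "Example Policy with multiple AuditConfigs" from the
# reference text, re-keyed to the response field names (auditConfigs, logType, ...).
SAMPLE_POLICY = {
    "auditConfigs": [
        {
            "service": "allServices",
            "auditLogConfigs": [
                {"logType": "DATA_READ", "exemptedMembers": ["user:jose@example.com"]},
                {"logType": "DATA_WRITE"},
                {"logType": "ADMIN_READ"},
            ],
        },
        {
            "service": "sampleservice.googleapis.com",
            "auditLogConfigs": [
                {"logType": "DATA_READ"},
                {"logType": "DATA_WRITE", "exemptedMembers": ["user:aliya@example.com"]},
            ],
        },
    ]
}


def effective_audit_config(policy, service):
    """Return {log type: sorted exempted members} in effect for `service`.

    Union rule: log types from the `allServices` entry and from the service's
    own entry are all enabled, and the exemptions of both are combined.
    """
    merged = defaultdict(set)
    for config in policy.get("auditConfigs", []):
        if config.get("service") not in ("allServices", service):
            continue
        for log_config in config.get("auditLogConfigs", []):
            merged[log_config["logType"]].update(log_config.get("exemptedMembers", []))
    return {log_type: sorted(members) for log_type, members in merged.items()}


def audit_gaps(policy, service, required=("ADMIN_READ", "DATA_READ", "DATA_WRITE")):
    """Review findings: required log types not enabled, and members exempt from logging."""
    effective = effective_audit_config(policy, service)
    findings = [f"{service}: {log_type} logging not enabled"
                for log_type in required if log_type not in effective]
    for log_type, members in sorted(effective.items()):
        findings.extend(f"{service}: {member} exempt from {log_type}" for member in members)
    return findings


if __name__ == "__main__":
    for line in audit_gaps(SAMPLE_POLICY, "sampleservice.googleapis.com"):
        print(line)
```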
2404
2405<div class="method">
2406 <code class="details" id="searchAllIamPolicies_next">searchAllIamPolicies_next(previous_request, previous_response)</code>
2407 <pre>Retrieves the next page of results.
2408
2409Args:
2410 previous_request: The request for the previous page. (required)
2411 previous_response: The response from the request for the previous page. (required)
2412
2413Returns:
2414 A request object that you can call &#x27;execute()&#x27; on to request the next
2415 page. Returns None if there are no more items in the collection.
2416 </pre>
2417</div>
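<p>Added example (not part of the generated reference or of the client library): a check of a Policy dict against the rules stated in the <code>version</code>, <code>bindings</code> and <code>etag</code> descriptions above. Treating an unset <code>version</code> as 0, the <code>for_set</code> switch and the wording of the findings are assumptions of this example.</p>

```python
VALID_VERSIONS = {0, 1, 3}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample: the JSON example policy from the reference text.
DOC_POLICY = {
    "bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["user:mike@example.com", "group:admins@example.com",
                     "domain:google.com",
                     "serviceAccount:my-project-id@appspot.gserviceaccount.com"]},
        {"role": "roles/resourcemanager.organizationViewer",
         "members": ["user:eve@example.com"],
         "condition": {
             "title": "expirable access",
             "description": "Does not grant access after Sep 2020",
             "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')"}},
    ],
    "etag": "BwWWja0YfJA=",
    "version": 3,
}

# Constructed counter-example that breaks each rule once.
BAD_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/viewer", "members": ["allUsers"],
         "condition": {"expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')"}},
        {"role": "roles/editor", "members": []},
    ],
}


def check_policy(policy, for_set=False):
    """Return findings for a Policy dict shaped like the schema above.

    for_set=True also requires the etag, as for a body about to be passed to
    setIamPolicy: without it a version 3 policy can be overwritten and lose
    its conditions.
    """
    findings = []
    version = policy.get("version", 0)  # assumption: unset is treated as 0
    bindings = policy.get("bindings", [])
    if version not in VALID_VERSIONS:
        findings.append(f"invalid version {version!r}: valid values are 0, 1 and 3")
    if version != 3 and any(b.get("condition") for b in bindings):
        findings.append("conditional role binding requires version 3")
    if for_set and not policy.get("etag"):
        findings.append("etag missing from setIamPolicy body")
    for binding in bindings:
        role = binding.get("role", "(no role)")
        members = binding.get("members", [])
        if not members:
            findings.append(f"{role}: binding has no members")
        findings.extend(f"{role}: granted to {m}" for m in members if m in PUBLIC_MEMBERS)
    return findings


if __name__ == "__main__":
    for line in check_policy(BAD_POLICY, for_set=True):
        print(line)
```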
2418
2419<div class="method">
2420 <code class="details" id="searchAllResources">searchAllResources(scope, orderBy=None, query=None, assetTypes=None, pageToken=None, pageSize=None, x__xgafv=None)</code>
2421 <pre>Searches all the resources within the given accessible scope (e.g., a
2422project, a folder or an organization). Callers should have
2423`cloud.assets.SearchAllResources` permission upon the requested scope,
2424otherwise the request will be rejected.
2425
2426Args:
2427 scope: string, Required. A scope can be a project, a folder or an organization. The search is
2428limited to the resources within the `scope`.
2429
2430The allowed values are:
2431
2432* projects/{PROJECT_ID}
2433* projects/{PROJECT_NUMBER}
2434* folders/{FOLDER_NUMBER}
2435* organizations/{ORGANIZATION_NUMBER} (required)
2436 orderBy: string, Optional. A comma separated list of fields specifying the sorting order of the
2437results. The default order is ascending. Add &quot; DESC&quot; after the field name
2438to indicate descending order. Redundant space characters are ignored.
2439Example: &quot;location DESC, name&quot;. Only string fields in the response are
2440sortable, including `name`, `displayName`, `description`, `location`. All
2441the other fields such as repeated fields (e.g., `networkTags`), map
2442fields (e.g., `labels`) and struct fields (e.g., `additionalAttributes`)
2443are not supported.
2444 query: string, Optional. The query statement. An empty query can be specified to search all the
2445resources of certain `asset_types` within the given `scope`.
2446
2447Examples:
2448
2449* `name : &quot;Important&quot;` to find Cloud resources whose name contains
2450 &quot;Important&quot; as a word.
2451* `displayName : &quot;Impor*&quot;` to find Cloud resources whose display name
2452 contains &quot;Impor&quot; as a word prefix.
2453* `description : &quot;*por*&quot;` to find Cloud resources whose description
2454 contains &quot;por&quot; as a substring.
2455* `location : &quot;us-west*&quot;` to find Cloud resources whose location is
2456 prefixed with &quot;us-west&quot;.
2457* `labels : &quot;prod&quot;` to find Cloud resources whose labels contain &quot;prod&quot; as
2458 a key or value.
2459* `labels.env : &quot;prod&quot;` to find Cloud resources which have a label &quot;env&quot;
2460 and its value is &quot;prod&quot;.
2461* `labels.env : *` to find Cloud resources which have a label &quot;env&quot;.
2462* `&quot;Important&quot;` to find Cloud resources which contain &quot;Important&quot; as a word
2463 in any of the searchable fields.
2464* `&quot;Impor*&quot;` to find Cloud resources which contain &quot;Impor&quot; as a word prefix
2465 in any of the searchable fields.
2466* `&quot;*por*&quot;` to find Cloud resources which contain &quot;por&quot; as a substring in
2467 any of the searchable fields.
2468* `(&quot;Important&quot; AND location : (&quot;us-west1&quot; OR &quot;global&quot;))` to find Cloud
2469 resources which contain &quot;Important&quot; as a word in any of the searchable
2470 fields and are also located in the &quot;us-west1&quot; region or the &quot;global&quot;
2471 location.
2472
2473See [how to construct a
2474query](https://cloud.google.com/asset-inventory/docs/searching-resources#how_to_construct_a_query)
2475for more details.
2476 assetTypes: string, Optional. A list of asset types that this request searches for. If empty, it will
2477search all the [searchable asset
2478types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types). (repeated)
2479 pageToken: string, Optional. If present, then retrieve the next batch of results from the preceding call
2480to this method. `page_token` must be the value of `next_page_token` from
2481the previous response. The values of all other method parameters must be
2482identical to those in the previous call.
2483 pageSize: integer, Optional. The page size for search result pagination. Page size is capped at 500 even
2484if a larger value is given. If set to zero, server will pick an appropriate
2485default. Returned results may be fewer than requested. When this happens,
2486there could be more results as long as `next_page_token` is returned.
2487 x__xgafv: string, V1 error format.
2488 Allowed values
2489 1 - v1 error format
2490 2 - v2 error format
2491
2492Returns:
2493 An object of the form:
2494
2495 { # Search all resources response.
2496 &quot;nextPageToken&quot;: &quot;A String&quot;, # If there are more results than those appearing in this response, then
2497 # `next_page_token` is included. To get the next set of results, call this
2498 # method again using the value of `next_page_token` as `page_token`.
2499 &quot;results&quot;: [ # A list of Resources that match the search query. It contains the resource
2500 # standard metadata information.
2501 { # A result of Resource Search, containing information of a cloud resource.
2502 &quot;networkTags&quot;: [ # Network tags associated with this resource. Like labels, network tags are a
2503 # type of annotations used to group GCP resources. See [Labelling GCP
2504 # resources](https://cloud.google.com/blog/products/gcp/labelling-and-grouping-your-google-cloud-platform-resources)
2505 # for more information.
2506 #
2507 # To search against the `network_tags`:
2508 #
2509 # * use a field query. Example: `networkTags : &quot;internal&quot;`
2510 # * use a free text query. Example: `&quot;internal&quot;`
2511 &quot;A String&quot;,
2512 ],
2513 &quot;assetType&quot;: &quot;A String&quot;, # The type of this resource. Example: `compute.googleapis.com/Disk`.
2514 #
2515 # To search against the `asset_type`:
2516 #
2517 # * specify the `asset_type` field in your search request.
2518 &quot;displayName&quot;: &quot;A String&quot;, # The display name of this resource.
2519 #
2520 # To search against the `display_name`:
2521 #
2522 # * use a field query. Example: `displayName : &quot;My Instance&quot;`
2523 # * use a free text query. Example: `&quot;My Instance&quot;`
2524 &quot;name&quot;: &quot;A String&quot;, # The full resource name of this resource. Example:
2525 # `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`.
2526 # See [Cloud Asset Inventory Resource Name
2527 # Format](https://cloud.google.com/asset-inventory/docs/resource-name-format)
2528 # for more information.
2529 #
2530 # To search against the `name`:
2531 #
2532 # * use a field query. Example: `name : &quot;instance1&quot;`
2533 # * use a free text query. Example: `&quot;instance1&quot;`
2534 &quot;description&quot;: &quot;A String&quot;, # One or more paragraphs of text description of this resource. Maximum length
2535 # could be up to 1M bytes.
2536 #
2537 # To search against the `description`:
2538 #
2539 # * use a field query. Example: `description : &quot;*important instance*&quot;`
2540 # * use a free text query. Example: `&quot;*important instance*&quot;`
2541 &quot;project&quot;: &quot;A String&quot;, # The project that this resource belongs to, in the form of
2542 # projects/{PROJECT_NUMBER}.
2543 #
2544 # To search against the `project`:
2545 #
2546 # * specify the `scope` field as this project in your search request.
2547 &quot;location&quot;: &quot;A String&quot;, # Location can be `global`, regional like `us-east1`, or zonal like
2548 # `us-west1-b`.
2549 #
2550 # To search against the `location`:
2551 #
2552 # * use a field query. Example: `location : &quot;us-west*&quot;`
2553 # * use a free text query. Example: `&quot;us-west*&quot;`
2554 &quot;additionalAttributes&quot;: { # The additional attributes of this resource. The attributes may vary from
2555 # one resource type to another. Examples: `projectId` for Project,
2556 # `dnsName` for DNS ManagedZone. This field contains a subset of the resource
2557 # metadata fields that are returned by the List or Get APIs provided by the
2558 # corresponding GCP service (e.g., Compute Engine). See [API
2559 # references](https://cloud.google.com/asset-inventory/docs/supported-asset-types#supported_resource_types)
2560 # of CAIS supported resource types. You can search values of these fields
2561 # through free text search. However, you should not consume the field
2562 # programmatically as the field names and values may change as the GCP service
2563 # (e.g., Compute Engine) updates to a new incompatible API version.
2564 #
2565 # To search against the `additional_attributes`:
2566 #
2567 # * use a free text query to match the attributes values. Example: to search
2568 # `additional_attributes = { dnsName: &quot;foobar&quot; }`, you can issue a query
2569 # `&quot;foobar&quot;`.
2570 &quot;a_key&quot;: &quot;&quot;, # Properties of the object.
2571 },
2572 &quot;labels&quot;: { # Labels associated with this resource. See [Labelling and grouping GCP
2573 # resources](https://cloud.google.com/blog/products/gcp/labelling-and-grouping-your-google-cloud-platform-resources)
2574 # for more information.
2575 #
2576 # To search against the `labels`:
2577 #
2578 # * use a field query, as follows:
2579 # - query on any label&#x27;s key or value. Example: `labels : &quot;prod&quot;`
2580 # - query by a given label. Example: `labels.env : &quot;prod&quot;`
2581 # - query by a given label&#x27;s existence. Example: `labels.env : *`
2582 # * use a free text query. Example: `&quot;prod&quot;`
2583 &quot;a_key&quot;: &quot;A String&quot;,
2584 },
2585 },
2586 ],
2587 }</pre>
2588</div>
2589
2590<div class="method">
2591 <code class="details" id="searchAllResources_next">searchAllResources_next(previous_request, previous_response)</code>
2592 <pre>Retrieves the next page of results.
2593
2594Args:
2595 previous_request: The request for the previous page. (required)
2596 previous_response: The response from the request for the previous page. (required)
2597
2598Returns:
2599 A request object that you can call &#x27;execute()&#x27; on to request the next
2600 page. Returns None if there are no more items in the collection.
2601 </pre>
2602</div>
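<p>Added example (not part of the generated reference or of the client library): paging through <code>searchAllResources</code> with <code>searchAllResources_next</code> until no request is returned, then filtering client-side for resources that lack a label. <code>StubService</code>, <code>SAMPLE_PAGES</code>, <code>search_all</code> and <code>missing_label</code> are names made up for this example; the stub stands in for the real resource object so the block runs offline.</p>

```python
# Constructed pages standing in for three searchAllResources responses. The
# second page is empty but still carries a token, so paging must continue.
SAMPLE_PAGES = [
    {"results": [{"name": "//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1",
                  "assetType": "compute.googleapis.com/Instance",
                  "labels": {"env": "prod"}}],
     "nextPageToken": "token-1"},
    {"results": [], "nextPageToken": "token-2"},
    {"results": [{"name": "//compute.googleapis.com/projects/my_project_123/zones/zone1/disks/disk1",
                  "assetType": "compute.googleapis.com/Disk"}]},
]


class StubRequest:
    def __init__(self, pages, index):
        self.pages, self.index = pages, index

    def execute(self):
        return self.pages[self.index]


class StubService:
    """Constructed stand-in for the resource object; serves canned pages.

    With the real client the object would come from
    googleapiclient.discovery.build("cloudasset", "v1").v1() (assumed setup).
    """

    def __init__(self, pages):
        self.pages, self.calls = pages, []

    def searchAllResources(self, scope, **kwargs):
        self.calls.append((scope, kwargs))
        return StubRequest(self.pages, 0)

    def searchAllResources_next(self, previous_request, previous_response):
        if "nextPageToken" not in previous_response:
            return None
        return StubRequest(self.pages, previous_request.index + 1)


def search_all(service, scope, query=None, asset_types=None, page_size=500):
    """Yield every result, following pages until *_next returns None.

    An empty or short page is not the end: results may be fewer than
    requested while a next page token is still returned.
    """
    request = service.searchAllResources(
        scope=scope, query=query, assetTypes=asset_types, pageSize=page_size)
    while request is not None:
        response = request.execute()
        yield from response.get("results", [])
        request = service.searchAllResources_next(
            previous_request=request, previous_response=response)


def missing_label(service, scope, label_key, asset_types=None):
    """Sorted names of resources in `scope` that do not carry `label_key`."""
    return sorted(
        r["name"] for r in search_all(service, scope, asset_types=asset_types)
        if label_key not in r.get("labels", {}))


if __name__ == "__main__":
    print(missing_label(StubService(SAMPLE_PAGES), "projects/my_project_123", "env"))
```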
2603
2604</body></html>