Blame - docs/dyn/iap_v1.v1.html - platform/external/python/google-api-python-client

2020-05-27 12:20:54 -0700

[diff] [blame]

401

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

402

"iamPermission": "A String", # Permission to check in IAM.

403

"resource": { # IAM resource to check permission on

404

"type": "A String", # The public resource type name of the resource on which conditions will be

405

# evaluated. It is configured using the official_name of the ResourceType as

406

# defined in service configurations under //configs/cloud/resourcetypes.

407

# For example, the official_name for GCP projects is set as

408

# 'cloudresourcemanager.googleapis.com/Project' according to

409

# //configs/cloud/resourcetypes/google/cloud/resourcemanager/prod.yaml

410

# For details see go/iam-conditions-integration-guide.

411

"service": "A String", # The name of the service this resource belongs to. It is configured using

412

# the official_service_name of the Service as defined in service

413

# configurations under //configs/cloud/resourcetypes.

414

# For example, the official_service_name of cloud resource manager service

415

# is set as 'cloudresourcemanager.googleapis.com' according to

416

# //configs/cloud/resourcetypes/google/cloud/resourcemanager/prod.yaml

417

"name": "A String", # Name of the resource on which conditions will be evaluated.

418

# Must use the Relative Resource Name of the resource, which is the URI

419

# path of the resource without the leading "/". Examples are

420

# "projects/_/buckets/[BUCKET-ID]" for storage buckets or

421

# "projects/[PROJECT-ID]/global/firewalls/[FIREWALL-ID]" for a firewall.

422

#

423

# This field is required for evaluating conditions with rules on resource

424

# names. For a `list` permission check, the resource.name value must be set

425

# to the parent resource. If the parent resource is a project, this field

426

# should be left unset.

427

"labels": { # The service defined labels of the resource on which the conditions will be

428

# evaluated. The semantics - including the key names - are vague to IAM.

429

# If the effective condition has a reference to a `resource.labels[foo]`

430

# construct, IAM consults with this map to retrieve the values associated

431

# with `foo` key for Conditions evaluation. If the provided key is not found

432

# in the labels map, the condition would evaluate to false.

433

#

434

# This field is in limited use. If your intended use case is not expected

435

# to express resource.labels attribute in IAM Conditions, leave this field

436

# empty. Before planning on using this attribute please:

437

# * Read go/iam-conditions-labels-comm and ensure your service can meet the

438

# data availability and management requirements.

439

# * Talk to iam-conditions-eng@ about your use case.

440

"a_key": "A String",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

441

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

442

},

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

443

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

444

"gcipSettings": { # Allows customers to configure tenant_id for GCIP instance per-app. # GCIP claims and endpoint configurations for 3p identity providers.

445

"loginPageUri": "A String", # Login page URI associated with the GCIP tenants.

446

# Typically, all resources within the same project share the same login page,

447

# though it could be overridden at the sub resource level.

448

"tenantIds": [ # GCIP tenant ids that are linked to the IAP resource.

449

# tenant_ids could be a string beginning with a number character to indicate

450

# authenticating with GCIP tenant flow, or in the format of _<ProjectNumber>

451

# to indicate authenticating with GCIP agent flow.

452

# If agent flow is used, tenant_ids should only contain one single element,

453

# while for tenant flow, tenant_ids can contain multiple elements.

454

"A String",

455

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

456

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

457

"corsSettings": { # Allows customers to configure HTTP request paths that'll allow HTTP OPTIONS # Configuration to allow cross-origin requests via IAP.

458

# call to bypass authentication and authorization.

459

"allowHttpOptions": True or False, # Configuration to allow HTTP OPTIONS calls to skip authorization. If

460

# undefined, IAP will not apply any special logic to OPTIONS requests.

461

},

462

"oauthSettings": { # Configuration for OAuth login&consent flow behavior as well as for OAuth # Settings to configure IAP's OAuth behavior.

463

# Credentials.

464

"clientId": "A String", # OAuth 2.0 client ID used in the OAuth flow to generate an access token. If

465

# this field is set, you can skip obtaining the OAuth credentials in this

466

# step:

467

# https://developers.google.com/identity/protocols/OAuth2?hl=en_US#1.-obtain-oauth-2.0-credentials-from-the-google-api-console.

468

# However, this could allow for client sharing. The risks of client sharing

469

# are outlined here:

470

# https://cloud.google.com/iap/docs/sharing-oauth-clients#risks.

471

"loginHint": "A String", # Domain hint to send as hd=? parameter in OAuth request flow. Enables

472

# redirect to primary IDP by skipping Google's login screen.

473

# https://developers.google.com/identity/protocols/OpenIDConnect#hd-param

474

# Note: IAP does not verify that the id token's hd claim matches this value

475

# since access behavior is managed by IAM policies.

476

},

477

},

478

}</pre>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

</div>

<code class="details" id="setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</code>

483

<pre>Sets the access control policy for an Identity-Aware Proxy protected

484

resource. Replaces any existing policy.

485

More information about managing access via IAP can be found at:

486

https://cloud.google.com/iap/docs/managing-access#managing_access_via_the_api

487

488

Args:

489

resource: string, REQUIRED: The resource for which the policy is being specified.

490

See the operation documentation for the appropriate value for this field. (required)

491

body: object, The request body.

492

The object takes the form of:

493

494

{ # Request message for `SetIamPolicy` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

495

"policy": { # An Identity and Access Management (IAM) policy, which specifies access # REQUIRED: The complete policy to be applied to the `resource`. The size of

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

496

# the policy is limited to a few 10s of KB. An empty policy is a

497

# valid policy but certain Cloud Platform services (such as Projects)

498

# might reject them.

499

# controls for Google Cloud resources.

500

#

501

#

502

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

503

# `members` to a single `role`. Members can be user accounts, service accounts,

504

# Google groups, and domains (such as G Suite). A `role` is a named list of

505

# permissions; each `role` can be an IAM predefined role or a user-created

506

# custom role.

507

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

508

# For some types of Google Cloud resources, a `binding` can also specify a

509

# `condition`, which is a logical expression that allows access to a resource

510

# only if the expression evaluates to `true`. A condition can add constraints

511

# based on attributes of the request, the resource, or both. To learn which

512

# resources support conditions in their IAM policies, see the

513

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

#

# **JSON example:**

#

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

518

# "bindings": [

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

519

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

520

# "role": "roles/resourcemanager.organizationAdmin",

521

# "members": [

522

# "user:mike@example.com",

523

# "group:admins@example.com",

524

# "domain:google.com",

525

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

526

# ]

527

# },

528

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

529

# "role": "roles/resourcemanager.organizationViewer",

530

# "members": [

531

# "user:eve@example.com"

532

# ],

533

# "condition": {

534

# "title": "expirable access",

535

# "description": "Does not grant access after Sep 2020",

536

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

537

# }

538

# }

539

# ],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

540

# "etag": "BwWWja0YfJA=",

541

# "version": 3

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

# }

#

# **YAML example:**

#

# bindings:

# - members:

# - user:mike@example.com

549

# - group:admins@example.com

550

# - domain:google.com

551

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

552

# role: roles/resourcemanager.organizationAdmin

553

# - members:

554

# - user:eve@example.com

555

# role: roles/resourcemanager.organizationViewer

556

# condition:

557

# title: expirable access

558

# description: Does not grant access after Sep 2020

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

559

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

560

# - etag: BwWWja0YfJA=

561

# - version: 3

562

#

563

# For a description of IAM and its features, see the

564

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

565

"version": 42, # Specifies the format of the policy.

566

#

567

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

568

# are rejected.

569

#

570

# Any operation that affects conditional role bindings must specify version

571

# `3`. This requirement applies to the following operations:

572

#

573

# * Getting a policy that includes a conditional role binding

574

# * Adding a conditional role binding to a policy

575

# * Changing a conditional role binding in a policy

576

# * Removing any role binding, with or without a condition, from a policy

577

# that includes conditions

578

#

579

# **Important:** If you use IAM Conditions, you must include the `etag` field

580

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

581

# you to overwrite a version `3` policy with a version `1` policy, and all of

582

# the conditions in the version `3` policy are lost.

583

#

584

# If a policy does not include any conditions, operations on that policy may

585

# specify any valid version or leave the field unset.

586

#

587

# To learn which resources support conditions in their IAM policies, see the

588

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

589

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

590

# `condition` that determines how and when the `bindings` are applied. Each

591

# of the `bindings` must contain at least one member.

592

{ # Associates `members` with a `role`.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

593

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

594

#

595

# If the condition evaluates to `true`, then this binding applies to the

596

# current request.

597

#

598

# If the condition evaluates to `false`, then this binding does not apply to

599

# the current request. However, a different role binding might grant the same

600

# role to one or more of the members in this binding.

601

#

602

# To learn which resources support conditions in their IAM policies, see the

603

# [IAM

604

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

605

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

606

# are documented at https://github.com/google/cel-spec.

607

#

608

# Example (Comparison):

609

#

610

# title: "Summary size limit"

611

# description: "Determines if a summary is less than 100 chars"

612

# expression: "document.summary.size() < 100"

613

#

614

# Example (Equality):

615

#

616

# title: "Requestor is owner"

617

# description: "Determines if requestor is the document owner"

618

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

623

# description: "Determine whether the document should be publicly visible"

624

# expression: "document.type != 'private' && document.type != 'internal'"

625

#

626

# Example (Data Manipulation):

627

#

628

# title: "Notification string"

629

# description: "Create a notification string with a timestamp."

630

# expression: "'New message received at ' + string(document.create_time)"

631

#

632

# The exact variables and functions that may be referenced within an expression

633

# are determined by the service that evaluates it. See the service

634

# documentation for additional information.

635

"description": "A String", # Optional. Description of the expression. This is a longer text which

636

# describes the expression, e.g. when hovered over it in a UI.

637

"location": "A String", # Optional. String indicating the location of the expression for error

638

# reporting, e.g. a file name and a position in the file.

639

"expression": "A String", # Textual representation of an expression in Common Expression Language

640

# syntax.

641

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

642

# its purpose. This can be used e.g. in UIs which allow to enter the

643

# expression.

644

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

645

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

646

# `members` can have the following values:

647

#

648

# * `allUsers`: A special identifier that represents anyone who is

649

# on the internet; with or without a Google account.

650

#

651

# * `allAuthenticatedUsers`: A special identifier that represents anyone

652

# who is authenticated with a Google account or a service account.

653

#

654

# * `user:{emailid}`: An email address that represents a specific Google

655

# account. For example, `alice@example.com` .

656

#

657

#

658

# * `serviceAccount:{emailid}`: An email address that represents a service

659

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

660

#

661

# * `group:{emailid}`: An email address that represents a Google group.

662

# For example, `admins@example.com`.

663

#

664

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

665

# identifier) representing a user that has been recently deleted. For

666

# example, `alice@example.com?uid=123456789012345678901`. If the user is

667

# recovered, this value reverts to `user:{emailid}` and the recovered user

668

# retains the role in the binding.

669

#

670

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

671

# unique identifier) representing a service account that has been recently

672

# deleted. For example,

673

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

674

# If the service account is undeleted, this value reverts to

675

# `serviceAccount:{emailid}` and the undeleted service account retains the

676

# role in the binding.

677

#

678

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

679

# identifier) representing a Google group that has been recently

680

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

681

# the group is recovered, this value reverts to `group:{emailid}` and the

682

# recovered group retains the role in the binding.

683

#

684

#

685

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

686

# users of that domain. For example, `google.com` or `example.com`.

687

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

688

"A String",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

689

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

690

"role": "A String", # Role that is assigned to `members`.

691

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

692

},

693

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

694

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

695

# prevent simultaneous updates of a policy from overwriting each other.

696

# It is strongly suggested that systems make use of the `etag` in the

697

# read-modify-write cycle to perform policy updates in order to avoid race

698

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

699

# systems are expected to put that etag in the request to `setIamPolicy` to

700

# ensure that their change will be applied to the same version of the policy.

701

#

702

# **Important:** If you use IAM Conditions, you must include the `etag` field

703

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

704

# you to overwrite a version `3` policy with a version `1` policy, and all of

705

# the conditions in the version `3` policy are lost.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

},

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

716

717

{ # An Identity and Access Management (IAM) policy, which specifies access

718

# controls for Google Cloud resources.

719

#

720

#

721

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

722

# `members` to a single `role`. Members can be user accounts, service accounts,

723

# Google groups, and domains (such as G Suite). A `role` is a named list of

724

# permissions; each `role` can be an IAM predefined role or a user-created

725

# custom role.

726

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

727

# For some types of Google Cloud resources, a `binding` can also specify a

728

# `condition`, which is a logical expression that allows access to a resource

729

# only if the expression evaluates to `true`. A condition can add constraints

730

# based on attributes of the request, the resource, or both. To learn which

731

# resources support conditions in their IAM policies, see the

732

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

#

# **JSON example:**

#

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

737

# "bindings": [

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

738

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

739

# "role": "roles/resourcemanager.organizationAdmin",

740

# "members": [

741

# "user:mike@example.com",

742

# "group:admins@example.com",

743

# "domain:google.com",

744

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

745

# ]

746

# },

747

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

748

# "role": "roles/resourcemanager.organizationViewer",

749

# "members": [

750

# "user:eve@example.com"

751

# ],

752

# "condition": {

753

# "title": "expirable access",

754

# "description": "Does not grant access after Sep 2020",

755

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

756

# }

757

# }

758

# ],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

759

# "etag": "BwWWja0YfJA=",

760

# "version": 3

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

# }

#

# **YAML example:**

#

# bindings:

# - members:

# - user:mike@example.com

768

# - group:admins@example.com

769

# - domain:google.com

770

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

771

# role: roles/resourcemanager.organizationAdmin

772

# - members:

773

# - user:eve@example.com

774

# role: roles/resourcemanager.organizationViewer

775

# condition:

776

# title: expirable access

777

# description: Does not grant access after Sep 2020

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

778

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

779

# - etag: BwWWja0YfJA=

780

# - version: 3

781

#

782

# For a description of IAM and its features, see the

783

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

784

"version": 42, # Specifies the format of the policy.

785

#

786

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

787

# are rejected.

788

#

789

# Any operation that affects conditional role bindings must specify version

790

# `3`. This requirement applies to the following operations:

791

#

792

# * Getting a policy that includes a conditional role binding

793

# * Adding a conditional role binding to a policy

794

# * Changing a conditional role binding in a policy

795

# * Removing any role binding, with or without a condition, from a policy

796

# that includes conditions

797

#

798

# **Important:** If you use IAM Conditions, you must include the `etag` field

799

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

800

# you to overwrite a version `3` policy with a version `1` policy, and all of

801

# the conditions in the version `3` policy are lost.

802

#

803

# If a policy does not include any conditions, operations on that policy may

804

# specify any valid version or leave the field unset.

805

#

806

# To learn which resources support conditions in their IAM policies, see the

807

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

808

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

809

# `condition` that determines how and when the `bindings` are applied. Each

810

# of the `bindings` must contain at least one member.

811

{ # Associates `members` with a `role`.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

812

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

813

#

814

# If the condition evaluates to `true`, then this binding applies to the

815

# current request.

816

#

817

# If the condition evaluates to `false`, then this binding does not apply to

818

# the current request. However, a different role binding might grant the same

819

# role to one or more of the members in this binding.

820

#

821

# To learn which resources support conditions in their IAM policies, see the

822

# [IAM

823

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

824

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

825

# are documented at https://github.com/google/cel-spec.

826

#

827

# Example (Comparison):

828

#

829

# title: "Summary size limit"

830

# description: "Determines if a summary is less than 100 chars"

831

# expression: "document.summary.size() < 100"

832

#

833

# Example (Equality):

834

#

835

# title: "Requestor is owner"

836

# description: "Determines if requestor is the document owner"

837

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

842

# description: "Determine whether the document should be publicly visible"

843

# expression: "document.type != 'private' && document.type != 'internal'"

844

#

845

# Example (Data Manipulation):

846

#

847

# title: "Notification string"

848

# description: "Create a notification string with a timestamp."

849

# expression: "'New message received at ' + string(document.create_time)"

850

#

851

# The exact variables and functions that may be referenced within an expression

852

# are determined by the service that evaluates it. See the service

853

# documentation for additional information.

854

"description": "A String", # Optional. Description of the expression. This is a longer text which

855

# describes the expression, e.g. when hovered over it in a UI.

856

"location": "A String", # Optional. String indicating the location of the expression for error

857

# reporting, e.g. a file name and a position in the file.

858

"expression": "A String", # Textual representation of an expression in Common Expression Language

859

# syntax.

860

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

861

# its purpose. This can be used e.g. in UIs which allow to enter the

862

# expression.

863

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

864

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

865

# `members` can have the following values:

866

#

867

# * `allUsers`: A special identifier that represents anyone who is

868

# on the internet; with or without a Google account.

869

#

870

# * `allAuthenticatedUsers`: A special identifier that represents anyone

871

# who is authenticated with a Google account or a service account.

872

#

873

# * `user:{emailid}`: An email address that represents a specific Google

874

# account. For example, `alice@example.com` .

875

#

876

#

877

# * `serviceAccount:{emailid}`: An email address that represents a service

878

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

879

#

880

# * `group:{emailid}`: An email address that represents a Google group.

881

# For example, `admins@example.com`.

882

#

883

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

884

# identifier) representing a user that has been recently deleted. For

885

# example, `alice@example.com?uid=123456789012345678901`. If the user is

886

# recovered, this value reverts to `user:{emailid}` and the recovered user

887

# retains the role in the binding.

888

#

889

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

890

# unique identifier) representing a service account that has been recently

891

# deleted. For example,

892

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

893

# If the service account is undeleted, this value reverts to

894

# `serviceAccount:{emailid}` and the undeleted service account retains the

895

# role in the binding.

896

#

897

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

898

# identifier) representing a Google group that has been recently

899

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

900

# the group is recovered, this value reverts to `group:{emailid}` and the

901

# recovered group retains the role in the binding.

902

#

903

#

904

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

905

# users of that domain. For example, `google.com` or `example.com`.

906

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

907

"A String",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

908

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

909

"role": "A String", # Role that is assigned to `members`.

910

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

911

},

912

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

913

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

914

# prevent simultaneous updates of a policy from overwriting each other.

915

# It is strongly suggested that systems make use of the `etag` in the

916

# read-modify-write cycle to perform policy updates in order to avoid race

917

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

918

# systems are expected to put that etag in the request to `setIamPolicy` to

919

# ensure that their change will be applied to the same version of the policy.

920

#

921

# **Important:** If you use IAM Conditions, you must include the `etag` field

922

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

923

# you to overwrite a version `3` policy with a version `1` policy, and all of

924

# the conditions in the version `3` policy are lost.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

}</pre>

</div>

<code class="details" id="testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

930

<pre>Returns permissions that a caller has on the Identity-Aware Proxy protected

931

resource.

932

More information about managing access via IAP can be found at:

933

https://cloud.google.com/iap/docs/managing-access#managing_access_via_the_api

934

935

Args:

936

resource: string, REQUIRED: The resource for which the policy detail is being requested.

937

See the operation documentation for the appropriate value for this field. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

938

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

939

The object takes the form of:

940

941

{ # Request message for `TestIamPermissions` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

942

"permissions": [ # The set of permissions to check for the `resource`. Permissions with

943

# wildcards (such as '*' or 'storage.*') are not allowed. For more

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

944

# information see

945

# [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

946

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

],

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

957

958

{ # Response message for `TestIamPermissions` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

959

"permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

960

# allowed.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

961

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

],

}</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

966

967

<code class="details" id="updateIapSettings">updateIapSettings(name, body=None, updateMask=None, x__xgafv=None)</code>

968

<pre>Updates the IAP settings on a particular IAP protected resource. It

969

replaces all fields unless the `update_mask` is set.

970

971

Args:

972

name: string, Required. The resource name of the IAP protected resource. (required)

973

body: object, The request body.

974

The object takes the form of:

975

976

{ # The IAP configurable settings.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

977

"name": "A String", # Required. The resource name of the IAP protected resource.

978

"applicationSettings": { # Wrapper over application specific settings for IAP. # Top level wrapper for all application related settings in IAP

979

"accessDeniedPageSettings": { # Custom content configuration for access denied page. # Customization for Access Denied page.

980

# IAP allows customers to define a custom URI to use as the error page when

981

# access is denied to users. If IAP prevents access to this page, the default

982

# IAP error page will be displayed instead.

983

"accessDeniedPageUri": "A String", # The URI to be redirected to when access is denied.

984

},

985

"csmSettings": { # Configuration for RCTokens generated for CSM workloads protected by IAP. # Settings to configure IAP's behavior for a CSM mesh.

986

# RCTokens are IAP generated JWTs that can be verified at the application. The

987

# RCToken is primarily used for ISTIO deployments, and can be scoped to a

988

# single mesh by configuring the audience field accordingly

989

"rctokenAud": "A String", # Audience claim set in the generated RCToken. This value is not validated by

990

# IAP.

991

},

992

"cookieDomain": "A String", # The Domain value to set for cookies generated by IAP. This value is not

993

# validated by the API, but will be ignored at runtime if invalid.

994

},

995

"accessSettings": { # Access related settings for IAP protected apps. # Top level wrapper for all access related setting in IAP

996

"policyDelegationSettings": { # PolicyDelegationConfig allows google-internal teams to use IAP for apps # Settings to configure Policy delegation for apps hosted in tenant projects.

997

# INTERNAL_ONLY.

998

# hosted in a tenant project. Using these settings, the app can delegate

999

# permission check to happen against the linked customer project.

1000

# This is only ever supposed to be used by google internal teams, hence the

1001

# restriction on the proto.

1002

"iamServiceName": "A String", # The DNS name of the service (e.g. "resourcemanager.googleapis.com").

1003

# This should be the domain name part of the full resource names (see

1004

# https://aip.dev/122#full-resource-names), which is usually

1005

# the same as IamServiceSpec.service of the service where the resource type

1006

# is defined.

1007

"policyName": { # Policy name to be checked

1008

"id": "A String",

1009

"region": "A String", # For Cloud IAM:

1010

# The location of the Policy.

1011

# Must be empty or "global" for Policies owned by global IAM. Must name a

1012

# region from prodspec/cloud-iam-cloudspec for Regional IAM Policies, see

1013

# go/iam-faq#where-is-iam-currently-deployed.

1014

#

1015

# For Local IAM:

1016

# This field should be set to "local".

1017

"type": "A String", # Valid values for type might be 'gce', 'gcs', 'project', 'account' etc.

1018

},

1019

"iamPermission": "A String", # Permission to check in IAM.

1020

"resource": { # IAM resource to check permission on

1021

"type": "A String", # The public resource type name of the resource on which conditions will be

1022

# evaluated. It is configured using the official_name of the ResourceType as

1023

# defined in service configurations under //configs/cloud/resourcetypes.

1024

# For example, the official_name for GCP projects is set as

1025

# 'cloudresourcemanager.googleapis.com/Project' according to

1026

# //configs/cloud/resourcetypes/google/cloud/resourcemanager/prod.yaml

1027

# For details see go/iam-conditions-integration-guide.

1028

"service": "A String", # The name of the service this resource belongs to. It is configured using

1029

# the official_service_name of the Service as defined in service

1030

# configurations under //configs/cloud/resourcetypes.

1031

# For example, the official_service_name of cloud resource manager service

1032

# is set as 'cloudresourcemanager.googleapis.com' according to

1033

# //configs/cloud/resourcetypes/google/cloud/resourcemanager/prod.yaml

1034

"name": "A String", # Name of the resource on which conditions will be evaluated.

1035

# Must use the Relative Resource Name of the resource, which is the URI

1036

# path of the resource without the leading "/". Examples are

1037

# "projects/_/buckets/[BUCKET-ID]" for storage buckets or

1038

# "projects/[PROJECT-ID]/global/firewalls/[FIREWALL-ID]" for a firewall.

1039

#

1040

# This field is required for evaluating conditions with rules on resource

1041

# names. For a `list` permission check, the resource.name value must be set

1042

# to the parent resource. If the parent resource is a project, this field

1043

# should be left unset.

1044

"labels": { # The service defined labels of the resource on which the conditions will be

1045

# evaluated. The semantics - including the key names - are vague to IAM.

1046

# If the effective condition has a reference to a `resource.labels[foo]`

1047

# construct, IAM consults with this map to retrieve the values associated

1048

# with `foo` key for Conditions evaluation. If the provided key is not found

1049

# in the labels map, the condition would evaluate to false.

1050

#

1051

# This field is in limited use. If your intended use case is not expected

1052

# to express resource.labels attribute in IAM Conditions, leave this field

1053

# empty. Before planning on using this attribute please:

1054

# * Read go/iam-conditions-labels-comm and ensure your service can meet the

1055

# data availability and management requirements.

1056

# * Talk to iam-conditions-eng@ about your use case.

"a_key": "A String",

},

},

},

"gcipSettings": { # Allows customers to configure tenant_id for GCIP instance per-app. # GCIP claims and endpoint configurations for 3p identity providers.

1062

"loginPageUri": "A String", # Login page URI associated with the GCIP tenants.

1063

# Typically, all resources within the same project share the same login page,

1064

# though it could be overridden at the sub resource level.

1065

"tenantIds": [ # GCIP tenant ids that are linked to the IAP resource.

1066

# tenant_ids could be a string beginning with a number character to indicate

1067

# authenticating with GCIP tenant flow, or in the format of _<ProjectNumber>

1068

# to indicate authenticating with GCIP agent flow.

1069

# If agent flow is used, tenant_ids should only contain one single element,

1070

# while for tenant flow, tenant_ids can contain multiple elements.

"A String",

],

},

"corsSettings": { # Allows customers to configure HTTP request paths that'll allow HTTP OPTIONS # Configuration to allow cross-origin requests via IAP.

1075

# call to bypass authentication and authorization.

1076

"allowHttpOptions": True or False, # Configuration to allow HTTP OPTIONS calls to skip authorization. If

1077

# undefined, IAP will not apply any special logic to OPTIONS requests.

1078

},

1079

"oauthSettings": { # Configuration for OAuth login&consent flow behavior as well as for OAuth # Settings to configure IAP's OAuth behavior.

1080

# Credentials.

1081

"clientId": "A String", # OAuth 2.0 client ID used in the OAuth flow to generate an access token. If

1082

# this field is set, you can skip obtaining the OAuth credentials in this

1083

# step:

1084

# https://developers.google.com/identity/protocols/OAuth2?hl=en_US#1.-obtain-oauth-2.0-credentials-from-the-google-api-console.

1085

# However, this could allow for client sharing. The risks of client sharing

1086

# are outlined here:

1087

# https://cloud.google.com/iap/docs/sharing-oauth-clients#risks.

1088

"loginHint": "A String", # Domain hint to send as hd=? parameter in OAuth request flow. Enables

1089

# redirect to primary IDP by skipping Google's login screen.

1090

# https://developers.google.com/identity/protocols/OpenIDConnect#hd-param

1091

# Note: IAP does not verify that the id token's hd claim matches this value

1092

# since access behavior is managed by IAM policies.

},

},

}

updateMask: string, The field mask specifying which IAP settings should be updated.

1098

If omitted, the all of the settings are updated. See

1099

https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask

1100

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1107

1108

{ # The IAP configurable settings.

1109

"name": "A String", # Required. The resource name of the IAP protected resource.

1110

"applicationSettings": { # Wrapper over application specific settings for IAP. # Top level wrapper for all application related settings in IAP

1111

"accessDeniedPageSettings": { # Custom content configuration for access denied page. # Customization for Access Denied page.

1112

# IAP allows customers to define a custom URI to use as the error page when

1113

# access is denied to users. If IAP prevents access to this page, the default

1114

# IAP error page will be displayed instead.

1115

"accessDeniedPageUri": "A String", # The URI to be redirected to when access is denied.

1116

},

1117

"csmSettings": { # Configuration for RCTokens generated for CSM workloads protected by IAP. # Settings to configure IAP's behavior for a CSM mesh.

1118

# RCTokens are IAP generated JWTs that can be verified at the application. The

1119

# RCToken is primarily used for ISTIO deployments, and can be scoped to a

1120

# single mesh by configuring the audience field accordingly

1121

"rctokenAud": "A String", # Audience claim set in the generated RCToken. This value is not validated by

1122

# IAP.

1123

},

1124

"cookieDomain": "A String", # The Domain value to set for cookies generated by IAP. This value is not

1125

# validated by the API, but will be ignored at runtime if invalid.

1126

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1127

"accessSettings": { # Access related settings for IAP protected apps. # Top level wrapper for all access related setting in IAP

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1128

"policyDelegationSettings": { # PolicyDelegationConfig allows google-internal teams to use IAP for apps # Settings to configure Policy delegation for apps hosted in tenant projects.

1129

# INTERNAL_ONLY.

1130

# hosted in a tenant project. Using these settings, the app can delegate

1131

# permission check to happen against the linked customer project.

1132

# This is only ever supposed to be used by google internal teams, hence the

1133

# restriction on the proto.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1134

"iamServiceName": "A String", # The DNS name of the service (e.g. "resourcemanager.googleapis.com").

1135

# This should be the domain name part of the full resource names (see

1136

# https://aip.dev/122#full-resource-names), which is usually

1137

# the same as IamServiceSpec.service of the service where the resource type

1138

# is defined.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1139

"policyName": { # Policy name to be checked

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1140

"id": "A String",

1141

"region": "A String", # For Cloud IAM:

1142

# The location of the Policy.

1143

# Must be empty or "global" for Policies owned by global IAM. Must name a

1144

# region from prodspec/cloud-iam-cloudspec for Regional IAM Policies, see

1145

# go/iam-faq#where-is-iam-currently-deployed.

1146

#

1147

# For Local IAM:

1148

# This field should be set to "local".

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1149

"type": "A String", # Valid values for type might be 'gce', 'gcs', 'project', 'account' etc.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1150

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1151

"iamPermission": "A String", # Permission to check in IAM.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1152

"resource": { # IAM resource to check permission on

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1153

"type": "A String", # The public resource type name of the resource on which conditions will be

1154

# evaluated. It is configured using the official_name of the ResourceType as

1155

# defined in service configurations under //configs/cloud/resourcetypes.

1156

# For example, the official_name for GCP projects is set as

1157

# 'cloudresourcemanager.googleapis.com/Project' according to

1158

# //configs/cloud/resourcetypes/google/cloud/resourcemanager/prod.yaml

1159

# For details see go/iam-conditions-integration-guide.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1160

"service": "A String", # The name of the service this resource belongs to. It is configured using

1161

# the official_service_name of the Service as defined in service

1162

# configurations under //configs/cloud/resourcetypes.

1163

# For example, the official_service_name of cloud resource manager service

1164

# is set as 'cloudresourcemanager.googleapis.com' according to

1165

# //configs/cloud/resourcetypes/google/cloud/resourcemanager/prod.yaml

1166

"name": "A String", # Name of the resource on which conditions will be evaluated.

1167

# Must use the Relative Resource Name of the resource, which is the URI

1168

# path of the resource without the leading "/". Examples are

1169

# "projects/_/buckets/[BUCKET-ID]" for storage buckets or

1170

# "projects/[PROJECT-ID]/global/firewalls/[FIREWALL-ID]" for a firewall.

1171

#

1172

# This field is required for evaluating conditions with rules on resource

1173

# names. For a `list` permission check, the resource.name value must be set

1174

# to the parent resource. If the parent resource is a project, this field

1175

# should be left unset.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1176

"labels": { # The service defined labels of the resource on which the conditions will be

1177

# evaluated. The semantics - including the key names - are vague to IAM.

1178

# If the effective condition has a reference to a `resource.labels[foo]`

1179

# construct, IAM consults with this map to retrieve the values associated

1180

# with `foo` key for Conditions evaluation. If the provided key is not found

1181

# in the labels map, the condition would evaluate to false.

1182

#

1183

# This field is in limited use. If your intended use case is not expected

1184

# to express resource.labels attribute in IAM Conditions, leave this field

1185

# empty. Before planning on using this attribute please:

1186

# * Read go/iam-conditions-labels-comm and ensure your service can meet the

1187

# data availability and management requirements.

1188

# * Talk to iam-conditions-eng@ about your use case.

1189

"a_key": "A String",

1190

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1191

},

Bu Sun Kim