Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / google-api-python-client / 3bf2781e29cb828409f3a8a21939323286524569 / . / docs / dyn / compute_alpha.licenseCodes.html
blob: 87efa1208118b572fc2c69781102b6ad9c2fc522 [file] [log] [blame]
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1<html><body>
2<style>
3
4body, h1, h2, h3, div, span, p, pre, a {
5 margin: 0;
6 padding: 0;
7 border: 0;
8 font-weight: inherit;
9 font-style: inherit;
10 font-size: 100%;
11 font-family: inherit;
12 vertical-align: baseline;
13}
14
15body {
16 font-size: 13px;
17 padding: 1em;
18}
19
20h1 {
21 font-size: 26px;
22 margin-bottom: 1em;
23}
24
25h2 {
26 font-size: 24px;
27 margin-bottom: 1em;
28}
29
30h3 {
31 font-size: 20px;
32 margin-bottom: 1em;
33 margin-top: 1em;
34}
35
36pre, code {
37 line-height: 1.5;
38 font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
39}
40
41pre {
42 margin-top: 0.5em;
43}
44
45h1, h2, h3, p {
46 font-family: Arial, sans serif;
47}
48
49h1, h2, h3 {
50 border-bottom: solid #CCC 1px;
51}
52
53.toc_element {
54 margin-top: 0.5em;
55}
56
57.firstline {
58 margin-left: 2 em;
59}
60
61.method {
62 margin-top: 1em;
63 border: solid 1px #CCC;
64 padding: 1em;
65 background: #EEE;
66}
67
68.details {
69 font-weight: bold;
70 font-size: 14px;
71}
72
73</style>
74
75<h1><a href="compute_alpha.html">Compute Engine API</a> . <a href="compute_alpha.licenseCodes.html">licenseCodes</a></h1>
76<h2>Instance Methods</h2>
77<p class="toc_element">
78 <code><a href="#get">get(project, licenseCode)</a></code></p>
79<p class="firstline">Return a specified license code. License codes are mirrored across all projects that have permissions to read the License Code.</p>
80<p class="toc_element">
81 <code><a href="#getIamPolicy">getIamPolicy(project, resource)</a></code></p>
82<p class="firstline">Gets the access control policy for a resource. May be empty if no such policy or resource exists.</p>
83<p class="toc_element">
84 <code><a href="#setIamPolicy">setIamPolicy(project, resource, body)</a></code></p>
85<p class="firstline">Sets the access control policy on the specified resource. Replaces any existing policy.</p>
86<p class="toc_element">
87 <code><a href="#testIamPermissions">testIamPermissions(project, resource, body)</a></code></p>
88<p class="firstline">Returns permissions that a caller has on the specified resource.</p>
89<h3>Method Details</h3>
90<div class="method">
91 <code class="details" id="get">get(project, licenseCode)</code>
92 <pre>Return a specified license code. License codes are mirrored across all projects that have permissions to read the License Code.
93
94Args:
95 project: string, Project ID for this request. (required)
96 licenseCode: string, Number corresponding to the License code resource to return. (required)
97
98Returns:
99 An object of the form:
100
101 {
102 "kind": "compute#licenseCode", # [Output Only] Type of resource. Always compute#licenseCode for licenses.
103 "description": "A String", # [Output Only] Description of this License Code.
104 "transferable": True or False, # [Output Only] If true, the license will remain attached when creating images or snapshots from disks. Otherwise, the license is not transferred.
105 "state": "A String", # [Output Only] Current state of this License Code.
106 "licenseAlias": [ # [Output Only] URL and description aliases of Licenses with the same License Code.
107 {
108 "description": "A String", # [Output Only] Description of this License Code.
109 "selfLink": "A String", # [Output Only] URL of license corresponding to this License Code.
110 },
111 ],
112 "creationTimestamp": "A String", # [Output Only] Creation timestamp in RFC3339 text format.
113 "id": "A String", # [Output Only] The unique identifier for the resource. This identifier is defined by the server.
114 "selfLink": "A String", # [Output Only] Server-defined URL for the resource.
115 "name": "A String", # [Output Only] Name of the resource. The name is 1-20 characters long and must be a valid 64 bit integer.
116 }</pre>
117</div>
118
119<div class="method">
120 <code class="details" id="getIamPolicy">getIamPolicy(project, resource)</code>
121 <pre>Gets the access control policy for a resource. May be empty if no such policy or resource exists.
122
123Args:
124 project: string, Project ID for this request. (required)
125 resource: string, Name or id of the resource for this request. (required)
126
127Returns:
128 An object of the form:
129
130 { # Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources.
131 #
132 #
133 #
134 # A `Policy` consists of a list of `bindings`. A `binding` binds a list of `members` to a `role`, where the members can be user accounts, Google groups, Google domains, and service accounts. A `role` is a named list of permissions defined by IAM.
135 #
136 # **JSON Example**
137 #
138 # { "bindings": [ { "role": "roles/owner", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-other-app@appspot.gserviceaccount.com" ] }, { "role": "roles/viewer", "members": ["user:sean@example.com"] } ] }
139 #
140 # **YAML Example**
141 #
142 # bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-other-app@appspot.gserviceaccount.com role: roles/owner - members: - user:sean@example.com role: roles/viewer
143 #
144 #
145 #
146 # For a description of IAM and its features, see the [IAM developer's guide](https://cloud.google.com/iam/docs).
147 "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
148 { # Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.
149 #
150 # If there are AuditConfigs for both `allServices` and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted.
151 #
152 # Example Policy with multiple AuditConfigs:
153 #
154 # { "audit_configs": [ { "service": "allServices" "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:foo@gmail.com" ] }, { "log_type": "DATA_WRITE", }, { "log_type": "ADMIN_READ", } ] }, { "service": "fooservice.googleapis.com" "audit_log_configs": [ { "log_type": "DATA_READ", }, { "log_type": "DATA_WRITE", "exempted_members": [ "user:bar@gmail.com" ] } ] } ] }
155 #
156 # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts foo@gmail.com from DATA_READ logging, and bar@gmail.com from DATA_WRITE logging.
157 "exemptedMembers": [
158 "A String",
159 ],
160 "auditLogConfigs": [ # The configuration for logging of each type of permission.
161 { # Provides the configuration for logging a type of permissions. Example:
162 #
163 # { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:foo@gmail.com" ] }, { "log_type": "DATA_WRITE", } ] }
164 #
165 # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting foo@gmail.com from DATA_READ logging.
166 "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of permission. Follows the same format of [Binding.members][].
167 "A String",
168 ],
169 "logType": "A String", # The log type that this config enables.
170 },
171 ],
172 "service": "A String", # Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.
173 },
174 ],
175 "rules": [ # If more than one rule is specified, the rules are applied in the following manner: - All matching LOG rules are always applied. - If any DENY/DENY_WITH_LOG rule matches, permission is denied. Logging will be applied if one or more matching rule requires logging. - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is granted. Logging will be applied if one or more matching rule requires logging. - Otherwise, if no rule applies, permission is denied.
176 { # A rule to be applied in a Policy.
177 "logConfigs": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries that match the LOG action.
178 { # Specifies what kind of log the caller must write
179 "counter": { # Increment a streamz counter with the specified metric and field names. # Counter options.
180 #
181 # Metric names should start with a '/', generally be lowercase-only, and end in "_count". Field names should not contain an initial slash. The actual exported metric names will have "/iam/policy" prepended.
182 #
183 # Field names correspond to IAM request parameters and field values are their respective values.
184 #
185 # Supported field names: - "authority", which is "[token]" if IAMContext.token is present, otherwise the value of IAMContext.authority_selector if present, and otherwise a representation of IAMContext.principal; or - "iam_principal", a representation of IAMContext.principal even if a token or authority selector is present; or - "" (empty string), resulting in a counter with no fields.
186 #
187 # Examples: counter { metric: "/debug_access_count" field: "iam_principal" } ==> increment counter /iam/policy/backend_debug_access_count {iam_principal=[value of IAMContext.principal]}
188 #
189 # At this time we do not support multiple field names (though this may be supported in the future).
190 "field": "A String", # The field value to attribute.
191 "metric": "A String", # The metric to update.
192 },
193 "dataAccess": { # Write a Data Access (Gin) log # Data access options.
194 "logMode": "A String", # Whether Gin logging should happen in a fail-closed manner at the caller. This is relevant only in the LocalIAM implementation, for now.
195 },
196 "cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
197 "logName": "A String", # The log_name to populate in the Cloud Audit Record.
198 "authorizationLoggingOptions": { # Authorization-related information used by Cloud Audit Logging. # Information used by the Cloud Audit Logging pipeline.
199 "permissionType": "A String", # The type of the permission that was checked.
200 },
201 },
202 },
203 ],
204 "notIns": [ # If one or more 'not_in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.
205 "A String",
206 ],
207 "ins": [ # If one or more 'in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
208 "A String",
209 ],
210 "action": "A String", # Required
211 "permissions": [ # A permission is a string of form '..' (e.g., 'storage.buckets.list'). A value of '*' matches all permissions, and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.
212 "A String",
213 ],
214 "conditions": [ # Additional restrictions that must be met. All conditions must pass for the rule to match.
215 { # A condition to be met.
216 "iam": "A String", # Trusted attributes supplied by the IAM system.
217 "sys": "A String", # Trusted attributes supplied by any service that owns resources and uses the IAM system for access control.
218 "values": [ # The objects of the condition.
219 "A String",
220 ],
221 "svc": "A String", # Trusted attributes discharged by the service.
222 "op": "A String", # An operator to apply the subject with.
223 },
224 ],
225 "description": "A String", # Human-readable description of the rule.
226 },
227 ],
228 "version": 42, # Deprecated.
229 "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the `etag` in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An `etag` is returned in the response to `getIamPolicy`, and systems are expected to put that etag in the request to `setIamPolicy` to ensure that their change will be applied to the same version of the policy.
230 #
231 # If no `etag` is provided in the call to `setIamPolicy`, then the existing policy is overwritten blindly.
232 "bindings": [ # Associates a list of `members` to a `role`. `bindings` with no members will result in an error.
233 { # Associates `members` with a `role`.
234 "role": "A String", # Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
235 "members": [ # Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values:
236 #
237 # * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account.
238 #
239 # * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account.
240 #
241 # * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@gmail.com` .
242 #
243 #
244 #
245 # * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`.
246 #
247 # * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`.
248 #
249 #
250 #
251 # * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`.
252 "A String",
253 ],
254 "condition": { # Represents an expression text. Example: # The condition that is associated with this binding. NOTE: An unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
255 #
256 # title: "User account presence" description: "Determines whether the request has a user account" expression: "size(request.user) > 0"
257 "title": "A String", # An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
258 "expression": "A String", # Textual representation of an expression in Common Expression Language syntax.
259 #
260 # The application context of the containing message determines which well-known feature set of CEL is supported.
261 "description": "A String", # An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
262 "location": "A String", # An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
263 },
264 },
265 ],
266 "iamOwned": True or False,
267 }</pre>
268</div>
269
270<div class="method">
271 <code class="details" id="setIamPolicy">setIamPolicy(project, resource, body)</code>
272 <pre>Sets the access control policy on the specified resource. Replaces any existing policy.
273
274Args:
275 project: string, Project ID for this request. (required)
276 resource: string, Name or id of the resource for this request. (required)
277 body: object, The request body. (required)
278 The object takes the form of:
279
280{
281 "policy": { # Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources. # REQUIRED: The complete policy to be applied to the 'resource'. The size of the policy is limited to a few 10s of KB. An empty policy is in general a valid policy but certain services (like Projects) might reject them.
282 #
283 #
284 #
285 # A `Policy` consists of a list of `bindings`. A `binding` binds a list of `members` to a `role`, where the members can be user accounts, Google groups, Google domains, and service accounts. A `role` is a named list of permissions defined by IAM.
286 #
287 # **JSON Example**
288 #
289 # { "bindings": [ { "role": "roles/owner", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-other-app@appspot.gserviceaccount.com" ] }, { "role": "roles/viewer", "members": ["user:sean@example.com"] } ] }
290 #
291 # **YAML Example**
292 #
293 # bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-other-app@appspot.gserviceaccount.com role: roles/owner - members: - user:sean@example.com role: roles/viewer
294 #
295 #
296 #
297 # For a description of IAM and its features, see the [IAM developer's guide](https://cloud.google.com/iam/docs).
298 "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
299 { # Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.
300 #
301 # If there are AuditConfigs for both `allServices` and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted.
302 #
303 # Example Policy with multiple AuditConfigs:
304 #
305 # { "audit_configs": [ { "service": "allServices" "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:foo@gmail.com" ] }, { "log_type": "DATA_WRITE", }, { "log_type": "ADMIN_READ", } ] }, { "service": "fooservice.googleapis.com" "audit_log_configs": [ { "log_type": "DATA_READ", }, { "log_type": "DATA_WRITE", "exempted_members": [ "user:bar@gmail.com" ] } ] } ] }
306 #
307 # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts foo@gmail.com from DATA_READ logging, and bar@gmail.com from DATA_WRITE logging.
308 "exemptedMembers": [
309 "A String",
310 ],
311 "auditLogConfigs": [ # The configuration for logging of each type of permission.
312 { # Provides the configuration for logging a type of permissions. Example:
313 #
314 # { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:foo@gmail.com" ] }, { "log_type": "DATA_WRITE", } ] }
315 #
316 # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting foo@gmail.com from DATA_READ logging.
317 "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of permission. Follows the same format of [Binding.members][].
318 "A String",
319 ],
320 "logType": "A String", # The log type that this config enables.
321 },
322 ],
323 "service": "A String", # Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.
324 },
325 ],
326 "rules": [ # If more than one rule is specified, the rules are applied in the following manner: - All matching LOG rules are always applied. - If any DENY/DENY_WITH_LOG rule matches, permission is denied. Logging will be applied if one or more matching rule requires logging. - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is granted. Logging will be applied if one or more matching rule requires logging. - Otherwise, if no rule applies, permission is denied.
327 { # A rule to be applied in a Policy.
328 "logConfigs": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries that match the LOG action.
329 { # Specifies what kind of log the caller must write
330 "counter": { # Increment a streamz counter with the specified metric and field names. # Counter options.
331 #
332 # Metric names should start with a '/', generally be lowercase-only, and end in "_count". Field names should not contain an initial slash. The actual exported metric names will have "/iam/policy" prepended.
333 #
334 # Field names correspond to IAM request parameters and field values are their respective values.
335 #
336 # Supported field names: - "authority", which is "[token]" if IAMContext.token is present, otherwise the value of IAMContext.authority_selector if present, and otherwise a representation of IAMContext.principal; or - "iam_principal", a representation of IAMContext.principal even if a token or authority selector is present; or - "" (empty string), resulting in a counter with no fields.
337 #
338 # Examples: counter { metric: "/debug_access_count" field: "iam_principal" } ==> increment counter /iam/policy/backend_debug_access_count {iam_principal=[value of IAMContext.principal]}
339 #
340 # At this time we do not support multiple field names (though this may be supported in the future).
341 "field": "A String", # The field value to attribute.
342 "metric": "A String", # The metric to update.
343 },
344 "dataAccess": { # Write a Data Access (Gin) log # Data access options.
345 "logMode": "A String", # Whether Gin logging should happen in a fail-closed manner at the caller. This is relevant only in the LocalIAM implementation, for now.
346 },
347 "cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
348 "logName": "A String", # The log_name to populate in the Cloud Audit Record.
349 "authorizationLoggingOptions": { # Authorization-related information used by Cloud Audit Logging. # Information used by the Cloud Audit Logging pipeline.
350 "permissionType": "A String", # The type of the permission that was checked.
351 },
352 },
353 },
354 ],
355 "notIns": [ # If one or more 'not_in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.
356 "A String",
357 ],
358 "ins": [ # If one or more 'in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
359 "A String",
360 ],
361 "action": "A String", # Required
362 "permissions": [ # A permission is a string of form '..' (e.g., 'storage.buckets.list'). A value of '*' matches all permissions, and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.
363 "A String",
364 ],
365 "conditions": [ # Additional restrictions that must be met. All conditions must pass for the rule to match.
366 { # A condition to be met.
367 "iam": "A String", # Trusted attributes supplied by the IAM system.
368 "sys": "A String", # Trusted attributes supplied by any service that owns resources and uses the IAM system for access control.
369 "values": [ # The objects of the condition.
370 "A String",
371 ],
372 "svc": "A String", # Trusted attributes discharged by the service.
373 "op": "A String", # An operator to apply the subject with.
374 },
375 ],
376 "description": "A String", # Human-readable description of the rule.
377 },
378 ],
379 "version": 42, # Deprecated.
380 "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the `etag` in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An `etag` is returned in the response to `getIamPolicy`, and systems are expected to put that etag in the request to `setIamPolicy` to ensure that their change will be applied to the same version of the policy.
381 #
382 # If no `etag` is provided in the call to `setIamPolicy`, then the existing policy is overwritten blindly.
383 "bindings": [ # Associates a list of `members` to a `role`. `bindings` with no members will result in an error.
384 { # Associates `members` with a `role`.
385 "role": "A String", # Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
386 "members": [ # Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values:
387 #
388 # * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account.
389 #
390 # * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account.
391 #
392 # * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@gmail.com` .
393 #
394 #
395 #
396 # * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`.
397 #
398 # * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`.
399 #
400 #
401 #
402 # * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`.
403 "A String",
404 ],
405 "condition": { # Represents an expression text. Example: # The condition that is associated with this binding. NOTE: An unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
406 #
407 # title: "User account presence" description: "Determines whether the request has a user account" expression: "size(request.user) > 0"
408 "title": "A String", # An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
409 "expression": "A String", # Textual representation of an expression in Common Expression Language syntax.
410 #
411 # The application context of the containing message determines which well-known feature set of CEL is supported.
412 "description": "A String", # An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
413 "location": "A String", # An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
414 },
415 },
416 ],
417 "iamOwned": True or False,
418 },
419 "bindings": [ # Flatten Policy to create a backward compatible wire-format. Deprecated. Use 'policy' to specify bindings.
420 { # Associates `members` with a `role`.
421 "role": "A String", # Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
422 "members": [ # Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values:
423 #
424 # * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account.
425 #
426 # * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account.
427 #
428 # * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@gmail.com` .
429 #
430 #
431 #
432 # * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`.
433 #
434 # * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`.
435 #
436 #
437 #
438 # * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`.
439 "A String",
440 ],
441 "condition": { # Represents an expression text. Example: # The condition that is associated with this binding. NOTE: An unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
442 #
443 # title: "User account presence" description: "Determines whether the request has a user account" expression: "size(request.user) > 0"
444 "title": "A String", # An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
445 "expression": "A String", # Textual representation of an expression in Common Expression Language syntax.
446 #
447 # The application context of the containing message determines which well-known feature set of CEL is supported.
448 "description": "A String", # An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
449 "location": "A String", # An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
450 },
451 },
452 ],
453 "etag": "A String", # Flatten Policy to create a backward compatible wire-format. Deprecated. Use 'policy' to specify the etag.
454 }
455
456
457Returns:
458 An object of the form:
459
460 { # Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources.
461 #
462 #
463 #
464 # A `Policy` consists of a list of `bindings`. A `binding` binds a list of `members` to a `role`, where the members can be user accounts, Google groups, Google domains, and service accounts. A `role` is a named list of permissions defined by IAM.
465 #
466 # **JSON Example**
467 #
468 # { "bindings": [ { "role": "roles/owner", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-other-app@appspot.gserviceaccount.com" ] }, { "role": "roles/viewer", "members": ["user:sean@example.com"] } ] }
469 #
470 # **YAML Example**
471 #
472 # bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-other-app@appspot.gserviceaccount.com role: roles/owner - members: - user:sean@example.com role: roles/viewer
473 #
474 #
475 #
476 # For a description of IAM and its features, see the [IAM developer's guide](https://cloud.google.com/iam/docs).
477 "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
478 { # Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.
479 #
480 # If there are AuditConfigs for both `allServices` and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted.
481 #
482 # Example Policy with multiple AuditConfigs:
483 #
484 # { "audit_configs": [ { "service": "allServices" "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:foo@gmail.com" ] }, { "log_type": "DATA_WRITE", }, { "log_type": "ADMIN_READ", } ] }, { "service": "fooservice.googleapis.com" "audit_log_configs": [ { "log_type": "DATA_READ", }, { "log_type": "DATA_WRITE", "exempted_members": [ "user:bar@gmail.com" ] } ] } ] }
485 #
486 # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts foo@gmail.com from DATA_READ logging, and bar@gmail.com from DATA_WRITE logging.
487 "exemptedMembers": [
488 "A String",
489 ],
490 "auditLogConfigs": [ # The configuration for logging of each type of permission.
491 { # Provides the configuration for logging a type of permissions. Example:
492 #
493 # { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:foo@gmail.com" ] }, { "log_type": "DATA_WRITE", } ] }
494 #
495 # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting foo@gmail.com from DATA_READ logging.
496 "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of permission. Follows the same format of [Binding.members][].
497 "A String",
498 ],
499 "logType": "A String", # The log type that this config enables.
500 },
501 ],
502 "service": "A String", # Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.
503 },
504 ],
505 "rules": [ # If more than one rule is specified, the rules are applied in the following manner: - All matching LOG rules are always applied. - If any DENY/DENY_WITH_LOG rule matches, permission is denied. Logging will be applied if one or more matching rule requires logging. - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is granted. Logging will be applied if one or more matching rule requires logging. - Otherwise, if no rule applies, permission is denied.
506 { # A rule to be applied in a Policy.
507 "logConfigs": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries that match the LOG action.
508 { # Specifies what kind of log the caller must write
509 "counter": { # Increment a streamz counter with the specified metric and field names. # Counter options.
510 #
511 # Metric names should start with a '/', generally be lowercase-only, and end in "_count". Field names should not contain an initial slash. The actual exported metric names will have "/iam/policy" prepended.
512 #
513 # Field names correspond to IAM request parameters and field values are their respective values.
514 #
515 # Supported field names: - "authority", which is "[token]" if IAMContext.token is present, otherwise the value of IAMContext.authority_selector if present, and otherwise a representation of IAMContext.principal; or - "iam_principal", a representation of IAMContext.principal even if a token or authority selector is present; or - "" (empty string), resulting in a counter with no fields.
516 #
517 # Examples: counter { metric: "/debug_access_count" field: "iam_principal" } ==> increment counter /iam/policy/backend_debug_access_count {iam_principal=[value of IAMContext.principal]}
518 #
519 # At this time we do not support multiple field names (though this may be supported in the future).
520 "field": "A String", # The field value to attribute.
521 "metric": "A String", # The metric to update.
522 },
523 "dataAccess": { # Write a Data Access (Gin) log # Data access options.
524 "logMode": "A String", # Whether Gin logging should happen in a fail-closed manner at the caller. This is relevant only in the LocalIAM implementation, for now.
525 },
526 "cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
527 "logName": "A String", # The log_name to populate in the Cloud Audit Record.
528 "authorizationLoggingOptions": { # Authorization-related information used by Cloud Audit Logging. # Information used by the Cloud Audit Logging pipeline.
529 "permissionType": "A String", # The type of the permission that was checked.
530 },
531 },
532 },
533 ],
534 "notIns": [ # If one or more 'not_in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.
535 "A String",
536 ],
537 "ins": [ # If one or more 'in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
538 "A String",
539 ],
540 "action": "A String", # Required
541 "permissions": [ # A permission is a string of form '..' (e.g., 'storage.buckets.list'). A value of '*' matches all permissions, and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.
542 "A String",
543 ],
544 "conditions": [ # Additional restrictions that must be met. All conditions must pass for the rule to match.
545 { # A condition to be met.
546 "iam": "A String", # Trusted attributes supplied by the IAM system.
547 "sys": "A String", # Trusted attributes supplied by any service that owns resources and uses the IAM system for access control.
548 "values": [ # The objects of the condition.
549 "A String",
550 ],
551 "svc": "A String", # Trusted attributes discharged by the service.
552 "op": "A String", # An operator to apply the subject with.
553 },
554 ],
555 "description": "A String", # Human-readable description of the rule.
556 },
557 ],
558 "version": 42, # Deprecated.
559 "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the `etag` in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An `etag` is returned in the response to `getIamPolicy`, and systems are expected to put that etag in the request to `setIamPolicy` to ensure that their change will be applied to the same version of the policy.
560 #
561 # If no `etag` is provided in the call to `setIamPolicy`, then the existing policy is overwritten blindly.
562 "bindings": [ # Associates a list of `members` to a `role`. `bindings` with no members will result in an error.
563 { # Associates `members` with a `role`.
564 "role": "A String", # Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
565 "members": [ # Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values:
566 #
567 # * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account.
568 #
569 # * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account.
570 #
571 # * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@gmail.com` .
572 #
573 #
574 #
575 # * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`.
576 #
577 # * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`.
578 #
579 #
580 #
581 # * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`.
582 "A String",
583 ],
584 "condition": { # Represents an expression text. Example: # The condition that is associated with this binding. NOTE: An unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
585 #
586 # title: "User account presence" description: "Determines whether the request has a user account" expression: "size(request.user) > 0"
587 "title": "A String", # An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
588 "expression": "A String", # Textual representation of an expression in Common Expression Language syntax.
589 #
590 # The application context of the containing message determines which well-known feature set of CEL is supported.
591 "description": "A String", # An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
592 "location": "A String", # An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
593 },
594 },
595 ],
596 "iamOwned": True or False,
597 }</pre>
598</div>
599
600<div class="method">
601 <code class="details" id="testIamPermissions">testIamPermissions(project, resource, body)</code>
602 <pre>Returns permissions that a caller has on the specified resource.
603
604Args:
605 project: string, Project ID for this request. (required)
606 resource: string, Name or id of the resource for this request. (required)
607 body: object, The request body. (required)
608 The object takes the form of:
609
610{
611 "permissions": [ # The set of permissions to check for the 'resource'. Permissions with wildcards (such as '*' or 'storage.*') are not allowed.
612 "A String",
613 ],
614 }
615
616
617Returns:
618 An object of the form:
619
620 {
621 "permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is allowed.
622 "A String",
623 ],
624 }</pre>
625</div>
626
627</body></html>