Sai Cheemalapatic30d2b52017-03-13 12:12:03 -04001<html><body>
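<style>
  /*
   * Stylesheet for the generated API reference page.
   * Order: element reset, base typography, heading sizes, code blocks,
   * then the classes used by the table of contents and method details.
   */

  /* Reset: strip default spacing and inherit font properties everywhere. */
  body, h1, h2, h3, div, span, p, pre, a {
    margin: 0;
    padding: 0;
    border: 0;
    font-weight: inherit;
    font-style: inherit;
    font-size: 100%;
    font-family: inherit;
    vertical-align: baseline;
  }

  body {
    font-size: 13px;
    padding: 1em;
  }

  h1 {
    font-size: 26px;
    margin-bottom: 1em;
  }

  h2 {
    font-size: 24px;
    margin-bottom: 1em;
  }

  h3 {
    font-size: 20px;
    margin-bottom: 1em;
    margin-top: 1em;
  }

  pre, code {
    line-height: 1.5;
    font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
  }

  pre {
    margin-top: 0.5em;
  }

  /* The generic family keyword is `sans-serif`; the unhyphenated form is
     read as a font literally named "sans serif" and gives no fallback. */
  h1, h2, h3, p {
    font-family: Arial, sans-serif;
  }

  h1, h2, h3 {
    border-bottom: solid #CCC 1px;
  }

  /* One entry in the "Instance Methods" table of contents. */
  .toc_element {
    margin-top: 0.5em;
  }

  /* One-line summary under a table-of-contents entry. A length must not
     have a space between number and unit, or the declaration is dropped. */
  .firstline {
    margin-left: 2em;
  }

  /* Boxed container for a single method's detailed documentation. */
  .method {
    margin-top: 1em;
    border: solid 1px #CCC;
    padding: 1em;
    background: #EEE;
  }

  /* Method signature shown at the top of each .method box. */
  .details {
    font-weight: bold;
    font-size: 14px;
  }
</style>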
74
75<h1><a href="cloudkms_v1.html">Google Cloud Key Management Service (KMS) API</a> . <a href="cloudkms_v1.projects.html">projects</a> . <a href="cloudkms_v1.projects.locations.html">locations</a> . <a href="cloudkms_v1.projects.locations.keyRings.html">keyRings</a> . <a href="cloudkms_v1.projects.locations.keyRings.cryptoKeys.html">cryptoKeys</a></h1>
76<h2>Instance Methods</h2>
77<p class="toc_element">
78 <code><a href="cloudkms_v1.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.html">cryptoKeyVersions()</a></code>
79</p>
80<p class="firstline">Returns the cryptoKeyVersions Resource.</p>
81
82<p class="toc_element">
83 <code><a href="#create">create(parent=None, body, cryptoKeyId=None, x__xgafv=None)</a></code></p>
84<p class="firstline">Create a new CryptoKey within a KeyRing.</p>
85<p class="toc_element">
86 <code><a href="#decrypt">decrypt(name=None, body, x__xgafv=None)</a></code></p>
87<p class="firstline">Decrypt data that was protected by Encrypt.</p>
88<p class="toc_element">
89 <code><a href="#encrypt">encrypt(name=None, body, x__xgafv=None)</a></code></p>
90<p class="firstline">Encrypt data, so that it can only be recovered by a call to Decrypt.</p>
91<p class="toc_element">
92 <code><a href="#get">get(name, x__xgafv=None)</a></code></p>
93<p class="firstline">Returns metadata for a given CryptoKey, as well as its primary CryptoKeyVersion.</p>
94<p class="toc_element">
95 <code><a href="#getIamPolicy">getIamPolicy(resource=None, x__xgafv=None)</a></code></p>
96<p class="firstline">Gets the access control policy for a resource.</p>
97<p class="toc_element">
98 <code><a href="#list">list(parent=None, pageToken=None, x__xgafv=None, pageSize=None)</a></code></p>
99<p class="firstline">Lists CryptoKeys.</p>
100<p class="toc_element">
101 <code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>
102<p class="firstline">Retrieves the next page of results.</p>
103<p class="toc_element">
104 <code><a href="#patch">patch(name=None, body, updateMask=None, x__xgafv=None)</a></code></p>
105<p class="firstline">Update a CryptoKey.</p>
106<p class="toc_element">
107 <code><a href="#setIamPolicy">setIamPolicy(resource=None, body, x__xgafv=None)</a></code></p>
108<p class="firstline">Sets the access control policy on the specified resource. Replaces any existing policy.</p>
109<p class="toc_element">
110 <code><a href="#testIamPermissions">testIamPermissions(resource=None, body, x__xgafv=None)</a></code></p>
111<p class="firstline">Returns permissions that a caller has on the specified resource.</p>
112<p class="toc_element">
113 <code><a href="#updatePrimaryVersion">updatePrimaryVersion(name, body, x__xgafv=None)</a></code></p>
114<p class="firstline">Update the version of a CryptoKey that will be used in Encrypt</p>
115<h3>Method Details</h3>
116<div class="method">
117 <code class="details" id="create">create(parent=None, body, cryptoKeyId=None, x__xgafv=None)</code>
118 <pre>Create a new CryptoKey within a KeyRing.
119
120CryptoKey.purpose is required.
121
122Args:
123 parent: string, Required. The name of the KeyRing associated with the
124CryptoKeys. (required)
125 body: object, The request body. (required)
126 The object takes the form of:
127
128{ # A CryptoKey represents a logical key that can be used for cryptographic
129 # operations.
130 #
131 # A CryptoKey is made up of one or more versions, which
132 # represent the actual key material used in cryptographic operations.
133 "name": "A String", # Output only. The resource name for this CryptoKey in the format
134 # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
135 "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
136 # automatically rotates a key. Must be at least one day.
137 #
138 # If rotation_period is set, next_rotation_time must also be set.
139 "primary": { # Output only. A copy of the "primary" CryptoKeyVersion that will be used
140 # by Encrypt when this CryptoKey is given in EncryptRequest.name.
141 #
142 # The CryptoKey's primary version can be updated via
143 # UpdateCryptoKeyPrimaryVersion.
144 #
145 # A CryptoKeyVersion represents an individual cryptographic key, and the associated key material.
146 #
147 # It can be used for cryptographic operations either directly, or via its
148 # parent CryptoKey, in which case the server will choose the appropriate
149 # version for the operation.
150 "state": "A String", # The current state of the CryptoKeyVersion.
151 "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
152 "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
153 # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
154 "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
155 # for destruction. Only present if state is
156 # DESTROY_SCHEDULED.
157 "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
158 # destroyed. Only present if state is
159 # DESTROYED.
160 },
161 "purpose": "A String", # The immutable purpose of this CryptoKey. Currently, the only acceptable
162 # purpose is ENCRYPT_DECRYPT.
163 "createTime": "A String", # Output only. The time at which this CryptoKey was created.
164 "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
165 #
166 # 1. Create a new version of this CryptoKey.
167 # 2. Mark the new version as primary.
168 #
169 # Key rotations performed manually via
170 # CreateCryptoKeyVersion and
171 # UpdateCryptoKeyPrimaryVersion
172 # do not affect next_rotation_time.
173}
174
175 cryptoKeyId: string, Required. It must be unique within a KeyRing and match the regular
176expression `[a-zA-Z0-9_-]{1,63}`
177 x__xgafv: string, V1 error format.
178 Allowed values
179 1 - v1 error format
180 2 - v2 error format
181
182Returns:
183 An object of the form:
184
185 { # A CryptoKey represents a logical key that can be used for cryptographic
186 # operations.
187 #
188 # A CryptoKey is made up of one or more versions, which
189 # represent the actual key material used in cryptographic operations.
190 "name": "A String", # Output only. The resource name for this CryptoKey in the format
191 # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
192 "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
193 # automatically rotates a key. Must be at least one day.
194 #
195 # If rotation_period is set, next_rotation_time must also be set.
196 "primary": { # Output only. A copy of the "primary" CryptoKeyVersion that will be used
197 # by Encrypt when this CryptoKey is given in EncryptRequest.name.
198 #
199 # The CryptoKey's primary version can be updated via
200 # UpdateCryptoKeyPrimaryVersion.
201 #
202 # A CryptoKeyVersion represents an individual cryptographic key, and the associated key material.
203 #
204 # It can be used for cryptographic operations either directly, or via its
205 # parent CryptoKey, in which case the server will choose the appropriate
206 # version for the operation.
207 "state": "A String", # The current state of the CryptoKeyVersion.
208 "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
209 "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
210 # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
211 "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
212 # for destruction. Only present if state is
213 # DESTROY_SCHEDULED.
214 "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
215 # destroyed. Only present if state is
216 # DESTROYED.
217 },
218 "purpose": "A String", # The immutable purpose of this CryptoKey. Currently, the only acceptable
219 # purpose is ENCRYPT_DECRYPT.
220 "createTime": "A String", # Output only. The time at which this CryptoKey was created.
221 "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
222 #
223 # 1. Create a new version of this CryptoKey.
224 # 2. Mark the new version as primary.
225 #
226 # Key rotations performed manually via
227 # CreateCryptoKeyVersion and
228 # UpdateCryptoKeyPrimaryVersion
229 # do not affect next_rotation_time.
230 }</pre>
231</div>
232
233<div class="method">
234 <code class="details" id="decrypt">decrypt(name=None, body, x__xgafv=None)</code>
235 <pre>Decrypt data that was protected by Encrypt.
236
237Args:
238 name: string, Required. The resource name of the CryptoKey to use for decryption.
239The server will choose the appropriate version. (required)
240 body: object, The request body. (required)
241 The object takes the form of:
242
243{ # Request message for KeyManagementService.Decrypt.
244 "ciphertext": "A String", # Required. The encrypted data originally returned in
245 # EncryptResponse.ciphertext.
246 "additionalAuthenticatedData": "A String", # Optional data that must match the data originally supplied in
247 # EncryptRequest.additional_authenticated_data.
248 }
249
250 x__xgafv: string, V1 error format.
251 Allowed values
252 1 - v1 error format
253 2 - v2 error format
254
255Returns:
256 An object of the form:
257
258 { # Response message for KeyManagementService.Decrypt.
259 "plaintext": "A String", # The decrypted data originally supplied in EncryptRequest.plaintext.
260 }</pre>
261</div>
262
263<div class="method">
264 <code class="details" id="encrypt">encrypt(name=None, body, x__xgafv=None)</code>
265 <pre>Encrypt data, so that it can only be recovered by a call to Decrypt.
266
267Args:
268 name: string, Required. The resource name of the CryptoKey or CryptoKeyVersion
269to use for encryption.
270
271If a CryptoKey is specified, the server will use its
272primary version. (required)
273 body: object, The request body. (required)
274 The object takes the form of:
275
276{ # Request message for KeyManagementService.Encrypt.
277 "plaintext": "A String", # Required. The data to encrypt. Must be no larger than 64KiB.
278 "additionalAuthenticatedData": "A String", # Optional data that, if specified, must also be provided during decryption
279 # through DecryptRequest.additional_authenticated_data. Must be no
280 # larger than 64KiB.
281 }
282
283 x__xgafv: string, V1 error format.
284 Allowed values
285 1 - v1 error format
286 2 - v2 error format
287
288Returns:
289 An object of the form:
290
291 { # Response message for KeyManagementService.Encrypt.
292 "ciphertext": "A String", # The encrypted data.
293 "name": "A String", # The resource name of the CryptoKeyVersion used in encryption.
294 }</pre>
295</div>
296
297<div class="method">
298 <code class="details" id="get">get(name, x__xgafv=None)</code>
299 <pre>Returns metadata for a given CryptoKey, as well as its
300primary CryptoKeyVersion.
301
302Args:
303 name: string, The name of the CryptoKey to get. (required)
304 x__xgafv: string, V1 error format.
305 Allowed values
306 1 - v1 error format
307 2 - v2 error format
308
309Returns:
310 An object of the form:
311
312 { # A CryptoKey represents a logical key that can be used for cryptographic
313 # operations.
314 #
315 # A CryptoKey is made up of one or more versions, which
316 # represent the actual key material used in cryptographic operations.
317 "name": "A String", # Output only. The resource name for this CryptoKey in the format
318 # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
319 "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
320 # automatically rotates a key. Must be at least one day.
321 #
322 # If rotation_period is set, next_rotation_time must also be set.
323 "primary": { # Output only. A copy of the "primary" CryptoKeyVersion that will be used
324 # by Encrypt when this CryptoKey is given in EncryptRequest.name.
325 #
326 # The CryptoKey's primary version can be updated via
327 # UpdateCryptoKeyPrimaryVersion.
328 #
329 # A CryptoKeyVersion represents an individual cryptographic key, and the associated key material.
330 #
331 # It can be used for cryptographic operations either directly, or via its
332 # parent CryptoKey, in which case the server will choose the appropriate
333 # version for the operation.
334 "state": "A String", # The current state of the CryptoKeyVersion.
335 "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
336 "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
337 # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
338 "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
339 # for destruction. Only present if state is
340 # DESTROY_SCHEDULED.
341 "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
342 # destroyed. Only present if state is
343 # DESTROYED.
344 },
345 "purpose": "A String", # The immutable purpose of this CryptoKey. Currently, the only acceptable
346 # purpose is ENCRYPT_DECRYPT.
347 "createTime": "A String", # Output only. The time at which this CryptoKey was created.
348 "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
349 #
350 # 1. Create a new version of this CryptoKey.
351 # 2. Mark the new version as primary.
352 #
353 # Key rotations performed manually via
354 # CreateCryptoKeyVersion and
355 # UpdateCryptoKeyPrimaryVersion
356 # do not affect next_rotation_time.
357 }</pre>
358</div>
359
360<div class="method">
361 <code class="details" id="getIamPolicy">getIamPolicy(resource=None, x__xgafv=None)</code>
362 <pre>Gets the access control policy for a resource.
363Returns an empty policy if the resource exists and does not have a policy
364set.
365
366Args:
367 resource: string, REQUIRED: The resource for which the policy is being requested.
368See the operation documentation for the appropriate value for this field. (required)
369 x__xgafv: string, V1 error format.
370 Allowed values
371 1 - v1 error format
372 2 - v2 error format
373
374Returns:
375 An object of the form:
376
377 { # Defines an Identity and Access Management (IAM) policy. It is used to
378 # specify access control policies for Cloud Platform resources.
379 #
380 #
381 # A `Policy` consists of a list of `bindings`. A `Binding` binds a list of
382 # `members` to a `role`, where the members can be user accounts, Google groups,
383 # Google domains, and service accounts. A `role` is a named list of permissions
384 # defined by IAM.
385 #
386 # **Example**
387 #
388 # {
389 # "bindings": [
390 # {
391 # "role": "roles/owner",
392 # "members": [
393 # "user:mike@example.com",
394 # "group:admins@example.com",
395 # "domain:google.com",
396 # "serviceAccount:my-other-app@appspot.gserviceaccount.com",
397 # ]
398 # },
399 # {
400 # "role": "roles/viewer",
401 # "members": ["user:sean@example.com"]
402 # }
403 # ]
404 # }
405 #
406 # For a description of IAM and its features, see the
407 # [IAM developer's guide](https://cloud.google.com/iam).
408 "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
409 { # Specifies the audit configuration for a service.
410 # It consists of which permission types are logged, and what identities, if
411 # any, are exempted from logging.
412 # An AuditConfig must have one or more AuditLogConfigs.
413 #
414 # If there are AuditConfigs for both `allServices` and a specific service,
415 # the union of the two AuditConfigs is used for that service: the log_types
416 # specified in each AuditConfig are enabled, and the exempted_members in each
417 # AuditConfig are exempted.
418 # Example Policy with multiple AuditConfigs:
419 # {
420 # "audit_configs": [
421 # {
422 # "service": "allServices"
423 # "audit_log_configs": [
424 # {
425 # "log_type": "DATA_READ",
426 # "exempted_members": [
427 # "user:foo@gmail.com"
428 # ]
429 # },
430 # {
431 # "log_type": "DATA_WRITE",
432 # },
433 # {
434 # "log_type": "ADMIN_READ",
435 # }
436 # ]
437 # },
438 # {
439 # "service": "fooservice@googleapis.com"
440 # "audit_log_configs": [
441 # {
442 # "log_type": "DATA_READ",
443 # },
444 # {
445 # "log_type": "DATA_WRITE",
446 # "exempted_members": [
447 # "user:bar@gmail.com"
448 # ]
449 # }
450 # ]
451 # }
452 # ]
453 # }
454 # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
455 # logging. It also exempts foo@gmail.com from DATA_READ logging, and
456 # bar@gmail.com from DATA_WRITE logging.
457 "exemptedMembers": [
458 "A String",
459 ],
460 "auditLogConfigs": [ # The configuration for logging of each type of permission.
461 # Next ID: 4
462 { # Provides the configuration for logging a type of permissions.
463 # Example:
464 #
465 # {
466 # "audit_log_configs": [
467 # {
468 # "log_type": "DATA_READ",
469 # "exempted_members": [
470 # "user:foo@gmail.com"
471 # ]
472 # },
473 # {
474 # "log_type": "DATA_WRITE",
475 # }
476 # ]
477 # }
478 #
479 # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
480 # foo@gmail.com from DATA_READ logging.
481 "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
482 # permission.
483 # Follows the same format of Binding.members.
484 "A String",
485 ],
486 "logType": "A String", # The log type that this config enables.
487 },
488 ],
489 "service": "A String", # Specifies a service that will be enabled for audit logging.
490 # For example, `resourcemanager`, `storage`, `compute`.
491 # `allServices` is a special value that covers all services.
492 },
493 ],
494 "version": 42, # Version of the `Policy`. The default version is 0.
495 "rules": [ # If more than one rule is specified, the rules are applied in the following
496 # manner:
497 # - All matching LOG rules are always applied.
498 # - If any DENY/DENY_WITH_LOG rule matches, permission is denied.
499 # Logging will be applied if one or more matching rule requires logging.
500 # - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is
501 # granted.
502 # Logging will be applied if one or more matching rule requires logging.
503 # - Otherwise, if no rule applies, permission is denied.
504 { # A rule to be applied in a Policy.
505 "notIn": [ # If one or more 'not_in' clauses are specified, the rule matches
506 # if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.
507 # The format for in and not_in entries is the same as for members in a
508 # Binding (see google/iam/v1/policy.proto).
509 "A String",
510 ],
511 "description": "A String", # Human-readable description of the rule.
512 "in": [ # If one or more 'in' clauses are specified, the rule matches if
513 # the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
514 "A String",
515 ],
516 "action": "A String", # Required
517 "conditions": [ # Additional restrictions that must be met
518 { # A condition to be met.
519 "iam": "A String", # Trusted attributes supplied by the IAM system.
520 "svc": "A String", # Trusted attributes discharged by the service.
521 "value": "A String", # DEPRECATED. Use 'values' instead.
522 "sys": "A String", # Trusted attributes supplied by any service that owns resources and uses
523 # the IAM system for access control.
524 "values": [ # The objects of the condition. This is mutually exclusive with 'value'.
525 "A String",
526 ],
527 "op": "A String", # An operator to apply the subject with.
528 },
529 ],
530 "logConfig": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries
531 # that match the LOG action.
532 { # Specifies what kind of log the caller must write
533 # Increment a streamz counter with the specified metric and field names.
534 #
535 # Metric names should start with a '/', generally be lowercase-only,
536 # and end in "_count". Field names should not contain an initial slash.
537 # The actual exported metric names will have "/iam/policy" prepended.
538 #
539 # Field names correspond to IAM request parameters and field values are
540 # their respective values.
541 #
542 # At present the only supported field names are
543 # - "iam_principal", corresponding to IAMContext.principal;
544 # - "" (empty string), resulting in one aggregated counter with no field.
545 #
546 # Examples:
547 # counter { metric: "/debug_access_count" field: "iam_principal" }
548 # ==> increment counter /iam/policy/backend_debug_access_count
549 # {iam_principal=[value of IAMContext.principal]}
550 #
551 # At this time we do not support:
552 # * multiple field names (though this may be supported in the future)
553 # * decrementing the counter
554 # * incrementing it by anything other than 1
555 "counter": { # Options for counters # Counter options.
556 "field": "A String", # The field value to attribute.
557 "metric": "A String", # The metric to update.
558 },
559 "dataAccess": { # Write a Data Access (Gin) log # Data access options.
560 },
561 "cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
562 },
563 },
564 ],
565 "permissions": [ # A permission is a string of form '&lt;service&gt;.&lt;resource type&gt;.&lt;verb&gt;'
566 # (e.g., 'storage.buckets.list'). A value of '*' matches all permissions,
567 # and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.
568 "A String",
569 ],
570 },
571 ],
572 "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
573 # prevent simultaneous updates of a policy from overwriting each other.
574 # It is strongly suggested that systems make use of the `etag` in the
575 # read-modify-write cycle to perform policy updates in order to avoid race
576 # conditions: An `etag` is returned in the response to `getIamPolicy`, and
577 # systems are expected to put that etag in the request to `setIamPolicy` to
578 # ensure that their change will be applied to the same version of the policy.
579 #
580 # If no `etag` is provided in the call to `setIamPolicy`, then the existing
581 # policy is overwritten blindly.
582 "bindings": [ # Associates a list of `members` to a `role`.
583 # Multiple `bindings` must not be specified for the same `role`.
584 # `bindings` with no members will result in an error.
585 { # Associates `members` with a `role`.
586 "role": "A String", # Role that is assigned to `members`.
587 # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
588 # Required
589 "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
590 # `members` can have the following values:
591 #
592 # * `allUsers`: A special identifier that represents anyone who is
593 # on the internet, with or without a Google account.
594 #
595 # * `allAuthenticatedUsers`: A special identifier that represents anyone
596 # who is authenticated with a Google account or a service account.
597 #
598 # * `user:{emailid}`: An email address that represents a specific Google
599 # account. For example, `alice@gmail.com` or `joe@example.com`.
600 #
601 #
602 # * `serviceAccount:{emailid}`: An email address that represents a service
603 # account. For example, `my-other-app@appspot.gserviceaccount.com`.
604 #
605 # * `group:{emailid}`: An email address that represents a Google group.
606 # For example, `admins@example.com`.
607 #
608 # * `domain:{domain}`: A Google Apps domain name that represents all the
609 # users of that domain. For example, `google.com` or `example.com`.
610 #
611 "A String",
612 ],
613 },
614 ],
615 "iamOwned": True or False,
616 }</pre>
617</div>
618
619<div class="method">
620 <code class="details" id="list">list(parent=None, pageToken=None, x__xgafv=None, pageSize=None)</code>
621 <pre>Lists CryptoKeys.
622
623Args:
624 parent: string, Required. The resource name of the KeyRing to list, in the format
625`projects/*/locations/*/keyRings/*`. (required)
626 pageToken: string, Optional pagination token, returned earlier via
627ListCryptoKeysResponse.next_page_token.
628 x__xgafv: string, V1 error format.
629 Allowed values
630 1 - v1 error format
631 2 - v2 error format
632 pageSize: integer, Optional limit on the number of CryptoKeys to include in the
633response. Further CryptoKeys can subsequently be obtained by
634including the ListCryptoKeysResponse.next_page_token in a subsequent
635request. If unspecified, the server will pick an appropriate default.
636
637Returns:
638 An object of the form:
639
640 { # Response message for KeyManagementService.ListCryptoKeys.
641 "nextPageToken": "A String", # A token to retrieve next page of results. Pass this value in
642 # ListCryptoKeysRequest.page_token to retrieve the next page of results.
643 "cryptoKeys": [ # The list of CryptoKeys.
644 { # A CryptoKey represents a logical key that can be used for cryptographic
645 # operations.
646 #
647 # A CryptoKey is made up of one or more versions, which
648 # represent the actual key material used in cryptographic operations.
649 "name": "A String", # Output only. The resource name for this CryptoKey in the format
650 # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
651 "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
652 # automatically rotates a key. Must be at least one day.
653 #
654 # If rotation_period is set, next_rotation_time must also be set.
655 "primary": { # Output only. A copy of the "primary" CryptoKeyVersion that will be used
656 # by Encrypt when this CryptoKey is given in EncryptRequest.name.
657 #
658 # The CryptoKey's primary version can be updated via
659 # UpdateCryptoKeyPrimaryVersion.
660 #
661 # A CryptoKeyVersion represents an individual cryptographic key, and the associated key material.
662 #
663 # It can be used for cryptographic operations either directly, or via its
664 # parent CryptoKey, in which case the server will choose the appropriate
665 # version for the operation.
666 "state": "A String", # The current state of the CryptoKeyVersion.
667 "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
668 "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
669 # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
670 "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
671 # for destruction. Only present if state is
672 # DESTROY_SCHEDULED.
673 "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
674 # destroyed. Only present if state is
675 # DESTROYED.
676 },
677 "purpose": "A String", # The immutable purpose of this CryptoKey. Currently, the only acceptable
678 # purpose is ENCRYPT_DECRYPT.
679 "createTime": "A String", # Output only. The time at which this CryptoKey was created.
680 "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
681 #
682 # 1. Create a new version of this CryptoKey.
683 # 2. Mark the new version as primary.
684 #
685 # Key rotations performed manually via
686 # CreateCryptoKeyVersion and
687 # UpdateCryptoKeyPrimaryVersion
688 # do not affect next_rotation_time.
689 },
690 ],
691 "totalSize": 42, # The total number of CryptoKeys that matched the query.
692 }</pre>
693</div>
694
695<div class="method">
696 <code class="details" id="list_next">list_next(previous_request, previous_response)</code>
697 <pre>Retrieves the next page of results.
698
699Args:
700 previous_request: The request for the previous page. (required)
701 previous_response: The response from the request for the previous page. (required)
702
703Returns:
704 A request object that you can call 'execute()' on to request the next
705 page. Returns None if there are no more items in the collection.
706 </pre>
707</div>
708
709<div class="method">
710 <code class="details" id="patch">patch(name=None, body, updateMask=None, x__xgafv=None)</code>
711 <pre>Update a CryptoKey.
712
713Args:
714 name: string, Output only. The resource name for this CryptoKey in the format
715`projects/*/locations/*/keyRings/*/cryptoKeys/*`. (required)
716 body: object, The request body. (required)
717 The object takes the form of:
718
719{ # A CryptoKey represents a logical key that can be used for cryptographic
720 # operations.
721 #
722 # A CryptoKey is made up of one or more versions, which
723 # represent the actual key material used in cryptographic operations.
724 "name": "A String", # Output only. The resource name for this CryptoKey in the format
725 # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
726 "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
727 # automatically rotates a key. Must be at least one day.
728 #
729 # If rotation_period is set, next_rotation_time must also be set.
730 "primary": { # Output only. A copy of the "primary" CryptoKeyVersion that will be used
731 # by Encrypt when this CryptoKey is given in EncryptRequest.name.
732 #
733 # The CryptoKey's primary version can be updated via
734 # UpdateCryptoKeyPrimaryVersion.
735 #
736 # A CryptoKeyVersion represents an individual cryptographic key, and the associated key material.
737 #
738 # It can be used for cryptographic operations either directly, or via its
739 # parent CryptoKey, in which case the server will choose the appropriate
740 # version for the operation.
741 "state": "A String", # The current state of the CryptoKeyVersion.
742 "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
743 "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
744 # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
745 "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
746 # for destruction. Only present if state is
747 # DESTROY_SCHEDULED.
748 "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
749 # destroyed. Only present if state is
750 # DESTROYED.
751 },
752 "purpose": "A String", # The immutable purpose of this CryptoKey. Currently, the only acceptable
753 # purpose is ENCRYPT_DECRYPT.
754 "createTime": "A String", # Output only. The time at which this CryptoKey was created.
755 "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
756 #
757 # 1. Create a new version of this CryptoKey.
758 # 2. Mark the new version as primary.
759 #
760 # Key rotations performed manually via
761 # CreateCryptoKeyVersion and
762 # UpdateCryptoKeyPrimaryVersion
763 # do not affect next_rotation_time.
764}
765
766 updateMask: string, Required list of fields to be updated in this request.
767 x__xgafv: string, V1 error format.
768 Allowed values
769 1 - v1 error format
770 2 - v2 error format
771
772Returns:
773 An object of the form:
774
775 { # A CryptoKey represents a logical key that can be used for cryptographic
776 # operations.
777 #
778 # A CryptoKey is made up of one or more versions, which
779 # represent the actual key material used in cryptographic operations.
780 "name": "A String", # Output only. The resource name for this CryptoKey in the format
781 # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
782 "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
783 # automatically rotates a key. Must be at least one day.
784 #
785 # If rotation_period is set, next_rotation_time must also be set.
786 "primary": { # Output only. A copy of the "primary" CryptoKeyVersion that will be used
787 # by Encrypt when this CryptoKey is given
788 # in EncryptRequest.name.
789 #
790 # The CryptoKey's primary version can be updated via
791 # UpdateCryptoKeyPrimaryVersion.
792 # A CryptoKeyVersion represents an individual cryptographic key, and the associated key material.
793 #
794 # It can be used for cryptographic operations either directly, or via its
795 # parent CryptoKey, in which case the server will choose the appropriate
796 # version for the operation.
797 "state": "A String", # The current state of the CryptoKeyVersion.
798 "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
799 "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
800 # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
801 "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
802 # for destruction. Only present if state is
803 # DESTROY_SCHEDULED.
804 "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
805 # destroyed. Only present if state is
806 # DESTROYED.
807 },
808 "purpose": "A String", # The immutable purpose of this CryptoKey. Currently, the only acceptable
809 # purpose is ENCRYPT_DECRYPT.
810 "createTime": "A String", # Output only. The time at which this CryptoKey was created.
811 "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
812 #
813 # 1. Create a new version of this CryptoKey.
814 # 2. Mark the new version as primary.
815 #
816 # Key rotations performed manually via
817 # CreateCryptoKeyVersion and
818 # UpdateCryptoKeyPrimaryVersion
819 # do not affect next_rotation_time.
820 }</pre>
821</div>
822
823<div class="method">
824 <code class="details" id="setIamPolicy">setIamPolicy(resource=None, body, x__xgafv=None)</code>
825 <pre>Sets the access control policy on the specified resource. Replaces any
826existing policy.
827
828Args:
829 resource: string, REQUIRED: The resource for which the policy is being specified.
830See the operation documentation for the appropriate value for this field. (required)
831 body: object, The request body. (required)
832 The object takes the form of:
833
834{ # Request message for `SetIamPolicy` method.
835 "policy": { # REQUIRED: The complete policy to be applied to the `resource`. The size of
836 # the policy is limited to a few 10s of KB. An empty policy is a
837 # valid policy but certain Cloud Platform services (such as Projects)
838 # might reject them.
839 # Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources.
840 #
841 #
842 # A `Policy` consists of a list of `bindings`. A `Binding` binds a list of
843 # `members` to a `role`, where the members can be user accounts, Google groups,
844 # Google domains, and service accounts. A `role` is a named list of permissions
845 # defined by IAM.
846 #
847 # **Example**
848 #
849 # {
850 # "bindings": [
851 # {
852 # "role": "roles/owner",
853 # "members": [
854 # "user:mike@example.com",
855 # "group:admins@example.com",
856 # "domain:google.com",
857 # "serviceAccount:my-other-app@appspot.gserviceaccount.com",
858 # ]
859 # },
860 # {
861 # "role": "roles/viewer",
862 # "members": ["user:sean@example.com"]
863 # }
864 # ]
865 # }
866 #
867 # For a description of IAM and its features, see the
868 # [IAM developer's guide](https://cloud.google.com/iam).
869 "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
870 { # Specifies the audit configuration for a service.
871 # It consists of which permission types are logged, and what identities, if
872 # any, are exempted from logging.
873 # An AuditConfig must have one or more AuditLogConfigs.
874 #
875 # If there are AuditConfigs for both `allServices` and a specific service,
876 # the union of the two AuditConfigs is used for that service: the log_types
877 # specified in each AuditConfig are enabled, and the exempted_members in each
878 # AuditConfig are exempted.
879 # Example Policy with multiple AuditConfigs:
880 # {
881 # "audit_configs": [
882 # {
883 # "service": "allServices"
884 # "audit_log_configs": [
885 # {
886 # "log_type": "DATA_READ",
887 # "exempted_members": [
888 # "user:foo@gmail.com"
889 # ]
890 # },
891 # {
892 # "log_type": "DATA_WRITE",
893 # },
894 # {
895 # "log_type": "ADMIN_READ",
896 # }
897 # ]
898 # },
899 # {
900 # "service": "fooservice@googleapis.com"
901 # "audit_log_configs": [
902 # {
903 # "log_type": "DATA_READ",
904 # },
905 # {
906 # "log_type": "DATA_WRITE",
907 # "exempted_members": [
908 # "user:bar@gmail.com"
909 # ]
910 # }
911 # ]
912 # }
913 # ]
914 # }
915 # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
916 # logging. It also exempts foo@gmail.com from DATA_READ logging, and
917 # bar@gmail.com from DATA_WRITE logging.
918 "exemptedMembers": [
919 "A String",
920 ],
921 "auditLogConfigs": [ # The configuration for logging of each type of permission.
922 # Next ID: 4
923 { # Provides the configuration for logging a type of permissions.
924 # Example:
925 #
926 # {
927 # "audit_log_configs": [
928 # {
929 # "log_type": "DATA_READ",
930 # "exempted_members": [
931 # "user:foo@gmail.com"
932 # ]
933 # },
934 # {
935 # "log_type": "DATA_WRITE",
936 # }
937 # ]
938 # }
939 #
940 # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
941 # foo@gmail.com from DATA_READ logging.
942 "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
943 # permission.
944 # Follows the same format of Binding.members.
945 "A String",
946 ],
947 "logType": "A String", # The log type that this config enables.
948 },
949 ],
950 "service": "A String", # Specifies a service that will be enabled for audit logging.
951 # For example, `resourcemanager`, `storage`, `compute`.
952 # `allServices` is a special value that covers all services.
953 },
954 ],
955 "version": 42, # Version of the `Policy`. The default version is 0.
956 "rules": [ # If more than one rule is specified, the rules are applied in the following
957 # manner:
958 # - All matching LOG rules are always applied.
959 # - If any DENY/DENY_WITH_LOG rule matches, permission is denied.
960 # Logging will be applied if one or more matching rule requires logging.
961 # - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is
962 # granted.
963 # Logging will be applied if one or more matching rule requires logging.
964 # - Otherwise, if no rule applies, permission is denied.
965 { # A rule to be applied in a Policy.
966 "notIn": [ # If one or more 'not_in' clauses are specified, the rule matches
967 # if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.
968 # The format for in and not_in entries is the same as for members in a
969 # Binding (see google/iam/v1/policy.proto).
970 "A String",
971 ],
972 "description": "A String", # Human-readable description of the rule.
973 "in": [ # If one or more 'in' clauses are specified, the rule matches if
974 # the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
975 "A String",
976 ],
977 "action": "A String", # Required
978 "conditions": [ # Additional restrictions that must be met
979 { # A condition to be met.
980 "iam": "A String", # Trusted attributes supplied by the IAM system.
981 "svc": "A String", # Trusted attributes discharged by the service.
982 "value": "A String", # DEPRECATED. Use 'values' instead.
983 "sys": "A String", # Trusted attributes supplied by any service that owns resources and uses
984 # the IAM system for access control.
985 "values": [ # The objects of the condition. This is mutually exclusive with 'value'.
986 "A String",
987 ],
988 "op": "A String", # An operator to apply the subject with.
989 },
990 ],
991 "logConfig": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries
992 # that match the LOG action.
993 { # Specifies what kind of log the caller must write
994 # Increment a streamz counter with the specified metric and field names.
995 #
996 # Metric names should start with a '/', generally be lowercase-only,
997 # and end in "_count". Field names should not contain an initial slash.
998 # The actual exported metric names will have "/iam/policy" prepended.
999 #
1000 # Field names correspond to IAM request parameters and field values are
1001 # their respective values.
1002 #
1003 # At present the only supported field names are
1004 # - "iam_principal", corresponding to IAMContext.principal;
1005 # - "" (empty string), resulting in one aggregated counter with no field.
1006 #
1007 # Examples:
1008 # counter { metric: "/debug_access_count" field: "iam_principal" }
1009 # ==> increment counter /iam/policy/backend_debug_access_count
1010 # {iam_principal=[value of IAMContext.principal]}
1011 #
1012 # At this time we do not support:
1013 # * multiple field names (though this may be supported in the future)
1014 # * decrementing the counter
1015 # * incrementing it by anything other than 1
1016 "counter": { # Options for counters # Counter options.
1017 "field": "A String", # The field value to attribute.
1018 "metric": "A String", # The metric to update.
1019 },
1020 "dataAccess": { # Write a Data Access (Gin) log # Data access options.
1021 },
1022 "cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
1023 },
1024 },
1025 ],
1026 "permissions": [ # A permission is a string of form '<service>.<resource type>.<verb>'
1027 # (e.g., 'storage.buckets.list'). A value of '*' matches all permissions,
1028 # and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.
1029 "A String",
1030 ],
1031 },
1032 ],
1033 "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
1034 # prevent simultaneous updates of a policy from overwriting each other.
1035 # It is strongly suggested that systems make use of the `etag` in the
1036 # read-modify-write cycle to perform policy updates in order to avoid race
1037 # conditions: An `etag` is returned in the response to `getIamPolicy`, and
1038 # systems are expected to put that etag in the request to `setIamPolicy` to
1039 # ensure that their change will be applied to the same version of the policy.
1040 #
1041 # If no `etag` is provided in the call to `setIamPolicy`, then the existing
1042 # policy is overwritten blindly.
1043 "bindings": [ # Associates a list of `members` to a `role`.
1044 # Multiple `bindings` must not be specified for the same `role`.
1045 # `bindings` with no members will result in an error.
1046 { # Associates `members` with a `role`.
1047 "role": "A String", # Role that is assigned to `members`.
1048 # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
1049 # Required
1050 "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
1051 # `members` can have the following values:
1052 #
1053 # * `allUsers`: A special identifier that represents anyone who is
1054 # on the internet; with or without a Google account.
1055 #
1056 # * `allAuthenticatedUsers`: A special identifier that represents anyone
1057 # who is authenticated with a Google account or a service account.
1058 #
1059 # * `user:{emailid}`: An email address that represents a specific Google
1060 # account. For example, `alice@gmail.com` or `joe@example.com`.
1061 #
1062 #
1063 # * `serviceAccount:{emailid}`: An email address that represents a service
1064 # account. For example, `my-other-app@appspot.gserviceaccount.com`.
1065 #
1066 # * `group:{emailid}`: An email address that represents a Google group.
1067 # For example, `admins@example.com`.
1068 #
1069 # * `domain:{domain}`: A Google Apps domain name that represents all the
1070 # users of that domain. For example, `google.com` or `example.com`.
1071 #
1072 "A String",
1073 ],
1074 },
1075 ],
1076 "iamOwned": True or False,
1077 },
1078 "updateMask": "A String", # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
1079 # the fields in the mask will be modified. If no mask is provided, a default
1080 # mask is used:
1081 # paths: "bindings, etag"
1082 # This field is only used by Cloud IAM.
1083 }
1084
1085 x__xgafv: string, V1 error format.
1086 Allowed values
1087 1 - v1 error format
1088 2 - v2 error format
1089
1090Returns:
1091 An object of the form:
1092
1093 { # Defines an Identity and Access Management (IAM) policy. It is used to
1094 # specify access control policies for Cloud Platform resources.
1095 #
1096 #
1097 # A `Policy` consists of a list of `bindings`. A `Binding` binds a list of
1098 # `members` to a `role`, where the members can be user accounts, Google groups,
1099 # Google domains, and service accounts. A `role` is a named list of permissions
1100 # defined by IAM.
1101 #
1102 # **Example**
1103 #
1104 # {
1105 # "bindings": [
1106 # {
1107 # "role": "roles/owner",
1108 # "members": [
1109 # "user:mike@example.com",
1110 # "group:admins@example.com",
1111 # "domain:google.com",
1112 # "serviceAccount:my-other-app@appspot.gserviceaccount.com",
1113 # ]
1114 # },
1115 # {
1116 # "role": "roles/viewer",
1117 # "members": ["user:sean@example.com"]
1118 # }
1119 # ]
1120 # }
1121 #
1122 # For a description of IAM and its features, see the
1123 # [IAM developer's guide](https://cloud.google.com/iam).
1124 "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
1125 { # Specifies the audit configuration for a service.
1126 # It consists of which permission types are logged, and what identities, if
1127 # any, are exempted from logging.
1128 # An AuditConfig must have one or more AuditLogConfigs.
1129 #
1130 # If there are AuditConfigs for both `allServices` and a specific service,
1131 # the union of the two AuditConfigs is used for that service: the log_types
1132 # specified in each AuditConfig are enabled, and the exempted_members in each
1133 # AuditConfig are exempted.
1134 # Example Policy with multiple AuditConfigs:
1135 # {
1136 # "audit_configs": [
1137 # {
1138 # "service": "allServices"
1139 # "audit_log_configs": [
1140 # {
1141 # "log_type": "DATA_READ",
1142 # "exempted_members": [
1143 # "user:foo@gmail.com"
1144 # ]
1145 # },
1146 # {
1147 # "log_type": "DATA_WRITE",
1148 # },
1149 # {
1150 # "log_type": "ADMIN_READ",
1151 # }
1152 # ]
1153 # },
1154 # {
1155 # "service": "fooservice@googleapis.com"
1156 # "audit_log_configs": [
1157 # {
1158 # "log_type": "DATA_READ",
1159 # },
1160 # {
1161 # "log_type": "DATA_WRITE",
1162 # "exempted_members": [
1163 # "user:bar@gmail.com"
1164 # ]
1165 # }
1166 # ]
1167 # }
1168 # ]
1169 # }
1170 # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
1171 # logging. It also exempts foo@gmail.com from DATA_READ logging, and
1172 # bar@gmail.com from DATA_WRITE logging.
1173 "exemptedMembers": [
1174 "A String",
1175 ],
1176 "auditLogConfigs": [ # The configuration for logging of each type of permission.
1177 # Next ID: 4
1178 { # Provides the configuration for logging a type of permissions.
1179 # Example:
1180 #
1181 # {
1182 # "audit_log_configs": [
1183 # {
1184 # "log_type": "DATA_READ",
1185 # "exempted_members": [
1186 # "user:foo@gmail.com"
1187 # ]
1188 # },
1189 # {
1190 # "log_type": "DATA_WRITE",
1191 # }
1192 # ]
1193 # }
1194 #
1195 # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
1196 # foo@gmail.com from DATA_READ logging.
1197 "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
1198 # permission.
1199 # Follows the same format of Binding.members.
1200 "A String",
1201 ],
1202 "logType": "A String", # The log type that this config enables.
1203 },
1204 ],
1205 "service": "A String", # Specifies a service that will be enabled for audit logging.
1206 # For example, `resourcemanager`, `storage`, `compute`.
1207 # `allServices` is a special value that covers all services.
1208 },
1209 ],
1210 "version": 42, # Version of the `Policy`. The default version is 0.
1211 "rules": [ # If more than one rule is specified, the rules are applied in the following
1212 # manner:
1213 # - All matching LOG rules are always applied.
1214 # - If any DENY/DENY_WITH_LOG rule matches, permission is denied.
1215 # Logging will be applied if one or more matching rule requires logging.
1216 # - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is
1217 # granted.
1218 # Logging will be applied if one or more matching rule requires logging.
1219 # - Otherwise, if no rule applies, permission is denied.
1220 { # A rule to be applied in a Policy.
1221 "notIn": [ # If one or more 'not_in' clauses are specified, the rule matches
1222 # if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.
1223 # The format for in and not_in entries is the same as for members in a
1224 # Binding (see google/iam/v1/policy.proto).
1225 "A String",
1226 ],
1227 "description": "A String", # Human-readable description of the rule.
1228 "in": [ # If one or more 'in' clauses are specified, the rule matches if
1229 # the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
1230 "A String",
1231 ],
1232 "action": "A String", # Required
1233 "conditions": [ # Additional restrictions that must be met
1234 { # A condition to be met.
1235 "iam": "A String", # Trusted attributes supplied by the IAM system.
1236 "svc": "A String", # Trusted attributes discharged by the service.
1237 "value": "A String", # DEPRECATED. Use 'values' instead.
1238 "sys": "A String", # Trusted attributes supplied by any service that owns resources and uses
1239 # the IAM system for access control.
1240 "values": [ # The objects of the condition. This is mutually exclusive with 'value'.
1241 "A String",
1242 ],
1243 "op": "A String", # An operator to apply the subject with.
1244 },
1245 ],
1246 "logConfig": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries
1247 # that match the LOG action.
1248 { # Specifies what kind of log the caller must write
1249 # Increment a streamz counter with the specified metric and field names.
1250 #
1251 # Metric names should start with a '/', generally be lowercase-only,
1252 # and end in "_count". Field names should not contain an initial slash.
1253 # The actual exported metric names will have "/iam/policy" prepended.
1254 #
1255 # Field names correspond to IAM request parameters and field values are
1256 # their respective values.
1257 #
1258 # At present the only supported field names are
1259 # - "iam_principal", corresponding to IAMContext.principal;
1260 # - "" (empty string), resulting in one aggregated counter with no field.
1261 #
1262 # Examples:
1263 # counter { metric: "/debug_access_count" field: "iam_principal" }
1264 # ==> increment counter /iam/policy/backend_debug_access_count
1265 # {iam_principal=[value of IAMContext.principal]}
1266 #
1267 # At this time we do not support:
1268 # * multiple field names (though this may be supported in the future)
1269 # * decrementing the counter
1270 # * incrementing it by anything other than 1
1271 "counter": { # Options for counters # Counter options.
1272 "field": "A String", # The field value to attribute.
1273 "metric": "A String", # The metric to update.
1274 },
1275 "dataAccess": { # Write a Data Access (Gin) log # Data access options.
1276 },
1277 "cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
1278 },
1279 },
1280 ],
1281 "permissions": [ # A permission is a string of form '<service>.<resource type>.<verb>'
1282 # (e.g., 'storage.buckets.list'). A value of '*' matches all permissions,
1283 # and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.
1284 "A String",
1285 ],
1286 },
1287 ],
1288 "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
1289 # prevent simultaneous updates of a policy from overwriting each other.
1290 # It is strongly suggested that systems make use of the `etag` in the
1291 # read-modify-write cycle to perform policy updates in order to avoid race
1292 # conditions: An `etag` is returned in the response to `getIamPolicy`, and
1293 # systems are expected to put that etag in the request to `setIamPolicy` to
1294 # ensure that their change will be applied to the same version of the policy.
1295 #
1296 # If no `etag` is provided in the call to `setIamPolicy`, then the existing
1297 # policy is overwritten blindly.
1298 "bindings": [ # Associates a list of `members` to a `role`.
1299 # Multiple `bindings` must not be specified for the same `role`.
1300 # `bindings` with no members will result in an error.
1301 { # Associates `members` with a `role`.
1302 "role": "A String", # Role that is assigned to `members`.
1303 # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
1304 # Required
1305 "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
1306 # `members` can have the following values:
1307 #
1308 # * `allUsers`: A special identifier that represents anyone who is
1309 # on the internet; with or without a Google account.
1310 #
1311 # * `allAuthenticatedUsers`: A special identifier that represents anyone
1312 # who is authenticated with a Google account or a service account.
1313 #
1314 # * `user:{emailid}`: An email address that represents a specific Google
1315 # account. For example, `alice@gmail.com` or `joe@example.com`.
1316 #
1317 #
1318 # * `serviceAccount:{emailid}`: An email address that represents a service
1319 # account. For example, `my-other-app@appspot.gserviceaccount.com`.
1320 #
1321 # * `group:{emailid}`: An email address that represents a Google group.
1322 # For example, `admins@example.com`.
1323 #
1324 # * `domain:{domain}`: A Google Apps domain name that represents all the
1325 # users of that domain. For example, `google.com` or `example.com`.
1326 #
1327 "A String",
1328 ],
1329 },
1330 ],
1331 "iamOwned": True or False,
1332 }</pre>
1333</div>
1334
1335<div class="method">
1336 <code class="details" id="testIamPermissions">testIamPermissions(resource=None, body, x__xgafv=None)</code>
1337 <pre>Returns permissions that a caller has on the specified resource.
1338If the resource does not exist, this will return an empty set of
1339permissions, not a NOT_FOUND error.
1340
1341Note: This operation is designed to be used for building permission-aware
1342UIs and command-line tools, not for authorization checking. This operation
1343may "fail open" without warning, so do not rely on its result to enforce access.
1344
1345Args:
1346 resource: string, REQUIRED: The resource for which the policy detail is being requested.
1347See the operation documentation for the appropriate value for this field. (required)
1348 body: object, The request body. (required)
1349 The object takes the form of:
1350
1351{ # Request message for `TestIamPermissions` method.
1352 "permissions": [ # The set of permissions to check for the `resource`. Permissions with
1353 # wildcards (such as '*' or 'storage.*') are not allowed. For more
1354 # information see
1355 # [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).
1356 "A String",
1357 ],
1358 }
1359
1360 x__xgafv: string, V1 error format.
1361 Allowed values
1362 1 - v1 error format
1363 2 - v2 error format
1364
1365Returns:
1366 An object of the form:
1367
1368 { # Response message for `TestIamPermissions` method.
1369 "permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is
1370 # allowed.
1371 "A String",
1372 ],
1373 }</pre>
1374</div>
1375
1376<div class="method">
1377 <code class="details" id="updatePrimaryVersion">updatePrimaryVersion(name, body, x__xgafv=None)</code>
1378 <pre>Update the version of a CryptoKey that will be used in Encrypt.
1379
1380Args:
1381 name: string, The resource name of the CryptoKey to update. (required)
1382 body: object, The request body. (required)
1383 The object takes the form of:
1384
1385{ # Request message for KeyManagementService.UpdateCryptoKeyPrimaryVersion.
1386 "cryptoKeyVersionId": "A String", # The id of the child CryptoKeyVersion to use as primary.
1387 }
1388
1389 x__xgafv: string, V1 error format.
1390 Allowed values
1391 1 - v1 error format
1392 2 - v2 error format
1393
1394Returns:
1395 An object of the form:
1396
1397 { # A CryptoKey represents a logical key that can be used for cryptographic
1398 # operations.
1399 #
1400 # A CryptoKey is made up of one or more versions, which
1401 # represent the actual key material used in cryptographic operations.
1402 "name": "A String", # Output only. The resource name for this CryptoKey in the format
1403 # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
1404 "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
1405 # automatically rotates a key. Must be at least one day.
1406 #
1407 # If rotation_period is set, next_rotation_time must also be set.
1408 "primary": { # Output only. A copy of the "primary" CryptoKeyVersion that will be used
1409 # by Encrypt when this CryptoKey is given
1410 # in EncryptRequest.name.
1411 #
1412 # The CryptoKey's primary version can be updated via
1413 # UpdateCryptoKeyPrimaryVersion.
1414 # A CryptoKeyVersion represents an individual cryptographic key, and the associated key material.
1415 #
1416 # It can be used for cryptographic operations either directly, or via its
1417 # parent CryptoKey, in which case the server will choose the appropriate
1418 # version for the operation.
1419 "state": "A String", # The current state of the CryptoKeyVersion.
1420 "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
1421 "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
1422 # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
1423 "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
1424 # for destruction. Only present if state is
1425 # DESTROY_SCHEDULED.
1426 "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
1427 # destroyed. Only present if state is
1428 # DESTROYED.
1429 },
1430 "purpose": "A String", # The immutable purpose of this CryptoKey. Currently, the only acceptable
1431 # purpose is ENCRYPT_DECRYPT.
1432 "createTime": "A String", # Output only. The time at which this CryptoKey was created.
1433 "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
1434 #
1435 # 1. Create a new version of this CryptoKey.
1436 # 2. Mark the new version as primary.
1437 #
1438 # Key rotations performed manually via
1439 # CreateCryptoKeyVersion and
1440 # UpdateCryptoKeyPrimaryVersion
1441 # do not affect next_rotation_time.
1442 }</pre>
1443</div>
1444
1445</body></html>