<!-- Sai Cheemalapati, c30d2b5, 2017-03-13 12:12:03 -0400 -->
<html><body>
<h1><a href="cloudkms_v1.html">Google Cloud Key Management Service (KMS) API</a> . <a href="cloudkms_v1.projects.html">projects</a> . <a href="cloudkms_v1.projects.locations.html">locations</a> . <a href="cloudkms_v1.projects.locations.keyRings.html">keyRings</a></h1>
<h2>Instance Methods</h2>
<p class="toc_element">
  <code><a href="cloudkms_v1.projects.locations.keyRings.cryptoKeys.html">cryptoKeys()</a></code>
</p>
<p class="firstline">Returns the cryptoKeys Resource.</p>

<p class="toc_element">
  <code><a href="#create">create(parent=None, body, keyRingId=None, x__xgafv=None)</a></code></p>
<p class="firstline">Create a new KeyRing in a given Project and Location.</p>
<p class="toc_element">
  <code><a href="#get">get(name, x__xgafv=None)</a></code></p>
<p class="firstline">Returns metadata for a given KeyRing.</p>
<p class="toc_element">
  <code><a href="#getIamPolicy">getIamPolicy(resource=None, x__xgafv=None)</a></code></p>
<p class="firstline">Gets the access control policy for a resource.</p>
<p class="toc_element">
  <code><a href="#list">list(parent=None, pageToken=None, x__xgafv=None, pageSize=None)</a></code></p>
<p class="firstline">Lists KeyRings.</p>
<p class="toc_element">
  <code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>
<p class="firstline">Retrieves the next page of results.</p>
<p class="toc_element">
  <code><a href="#setIamPolicy">setIamPolicy(resource=None, body, x__xgafv=None)</a></code></p>
<p class="firstline">Sets the access control policy on the specified resource. Replaces any existing policy.</p>
<p class="toc_element">
  <code><a href="#testIamPermissions">testIamPermissions(resource=None, body, x__xgafv=None)</a></code></p>
<p class="firstline">Returns permissions that a caller has on the specified resource.</p>
<h3>Method Details</h3>
<div class="method">
    <code class="details" id="create">create(parent=None, body, keyRingId=None, x__xgafv=None)</code>
  <pre>Create a new KeyRing in a given Project and Location.

Args:
  parent: string, Required. The resource name of the location associated with the
KeyRings, in the format `projects/*/locations/*`. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # A KeyRing is a toplevel logical grouping of CryptoKeys.
  "createTime": "A String", # Output only. The time at which this KeyRing was created.
  "name": "A String", # Output only. The resource name for the KeyRing in the format
      # `projects/*/locations/*/keyRings/*`.
}

  keyRingId: string, Required. It must be unique within a location and match the regular
expression `[a-zA-Z0-9_-]{1,63}`
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A KeyRing is a toplevel logical grouping of CryptoKeys.
      "createTime": "A String", # Output only. The time at which this KeyRing was created.
      "name": "A String", # Output only. The resource name for the KeyRing in the format
          # `projects/*/locations/*/keyRings/*`.
    }</pre>
</div>

<div class="method">
    <code class="details" id="get">get(name, x__xgafv=None)</code>
  <pre>Returns metadata for a given KeyRing.

Args:
  name: string, The name of the KeyRing to get. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A KeyRing is a toplevel logical grouping of CryptoKeys.
      "createTime": "A String", # Output only. The time at which this KeyRing was created.
      "name": "A String", # Output only. The resource name for the KeyRing in the format
          # `projects/*/locations/*/keyRings/*`.
    }</pre>
</div>

<div class="method">
    <code class="details" id="getIamPolicy">getIamPolicy(resource=None, x__xgafv=None)</code>
  <pre>Gets the access control policy for a resource.
Returns an empty policy if the resource exists and does not have a policy
set.

Args:
  resource: string, REQUIRED: The resource for which the policy is being requested.
See the operation documentation for the appropriate value for this field. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Defines an Identity and Access Management (IAM) policy. It is used to
        # specify access control policies for Cloud Platform resources.
        #
        # A `Policy` consists of a list of `bindings`. A `Binding` binds a list of
        # `members` to a `role`, where the members can be user accounts, Google groups,
        # Google domains, and service accounts. A `role` is a named list of permissions
        # defined by IAM.
        #
        # **Example**
        #
        #     {
        #       "bindings": [
        #         {
        #           "role": "roles/owner",
        #           "members": [
        #             "user:mike@example.com",
        #             "group:admins@example.com",
        #             "domain:google.com",
        #             "serviceAccount:my-other-app@appspot.gserviceaccount.com",
        #           ]
        #         },
        #         {
        #           "role": "roles/viewer",
        #           "members": ["user:sean@example.com"]
        #         }
        #       ]
        #     }
        #
        # For a description of IAM and its features, see the
        # [IAM developer's guide](https://cloud.google.com/iam).
      "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
        { # Specifies the audit configuration for a service.
            # It consists of which permission types are logged, and what identities, if
            # any, are exempted from logging.
            # An AuditConfig must have one or more AuditLogConfigs.
            #
            # If there are AuditConfigs for both `allServices` and a specific service,
            # the union of the two AuditConfigs is used for that service: the log_types
            # specified in each AuditConfig are enabled, and the exempted_members in each
            # AuditConfig are exempted.
            # Example Policy with multiple AuditConfigs:
            # {
            #   "audit_configs": [
            #     {
            #       "service": "allServices",
            #       "audit_log_configs": [
            #         {
            #           "log_type": "DATA_READ",
            #           "exempted_members": [
            #             "user:foo@gmail.com"
            #           ]
            #         },
            #         {
            #           "log_type": "DATA_WRITE",
            #         },
            #         {
            #           "log_type": "ADMIN_READ",
            #         }
            #       ]
            #     },
            #     {
            #       "service": "fooservice@googleapis.com",
            #       "audit_log_configs": [
            #         {
            #           "log_type": "DATA_READ",
            #         },
            #         {
            #           "log_type": "DATA_WRITE",
            #           "exempted_members": [
            #             "user:bar@gmail.com"
            #           ]
            #         }
            #       ]
            #     }
            #   ]
            # }
            # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
            # logging. It also exempts foo@gmail.com from DATA_READ logging, and
            # bar@gmail.com from DATA_WRITE logging.
          "exemptedMembers": [
            "A String",
          ],
          "auditLogConfigs": [ # The configuration for logging of each type of permission.
              # Next ID: 4
            { # Provides the configuration for logging a type of permissions.
                # Example:
                #
                # {
                #   "audit_log_configs": [
                #     {
                #       "log_type": "DATA_READ",
                #       "exempted_members": [
                #         "user:foo@gmail.com"
                #       ]
                #     },
                #     {
                #       "log_type": "DATA_WRITE",
                #     }
                #   ]
                # }
                #
                # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
                # foo@gmail.com from DATA_READ logging.
              "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
                  # permission.
                  # Follows the same format of Binding.members.
                "A String",
              ],
              "logType": "A String", # The log type that this config enables.
            },
          ],
          "service": "A String", # Specifies a service that will be enabled for audit logging.
              # For example, `resourcemanager`, `storage`, `compute`.
              # `allServices` is a special value that covers all services.
        },
      ],
      "version": 42, # Version of the `Policy`. The default version is 0.
      "rules": [ # If more than one rule is specified, the rules are applied in the following
          # manner:
          # - All matching LOG rules are always applied.
          # - If any DENY/DENY_WITH_LOG rule matches, permission is denied.
          #   Logging will be applied if one or more matching rule requires logging.
          # - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is
          #   granted.
          #   Logging will be applied if one or more matching rule requires logging.
          # - Otherwise, if no rule applies, permission is denied.
        { # A rule to be applied in a Policy.
          "notIn": [ # If one or more 'not_in' clauses are specified, the rule matches
              # if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.
              # The format for in and not_in entries is the same as for members in a
              # Binding (see google/iam/v1/policy.proto).
            "A String",
          ],
          "description": "A String", # Human-readable description of the rule.
          "in": [ # If one or more 'in' clauses are specified, the rule matches if
              # the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
            "A String",
          ],
          "action": "A String", # Required
          "conditions": [ # Additional restrictions that must be met
            { # A condition to be met.
              "iam": "A String", # Trusted attributes supplied by the IAM system.
              "svc": "A String", # Trusted attributes discharged by the service.
              "value": "A String", # DEPRECATED. Use 'values' instead.
              "sys": "A String", # Trusted attributes supplied by any service that owns resources and uses
                  # the IAM system for access control.
              "values": [ # The objects of the condition. This is mutually exclusive with 'value'.
                "A String",
              ],
              "op": "A String", # An operator to apply the subject with.
            },
          ],
          "logConfig": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries
              # that match the LOG action.
            { # Specifies what kind of log the caller must write
                # Increment a streamz counter with the specified metric and field names.
                #
                # Metric names should start with a '/', generally be lowercase-only,
                # and end in "_count". Field names should not contain an initial slash.
                # The actual exported metric names will have "/iam/policy" prepended.
                #
                # Field names correspond to IAM request parameters and field values are
                # their respective values.
                #
                # At present the only supported field names are
                # - "iam_principal", corresponding to IAMContext.principal;
                # - "" (empty string), resulting in one aggregated counter with no field.
                #
                # Examples:
                #   counter { metric: "/debug_access_count" field: "iam_principal" }
                #   ==&gt; increment counter /iam/policy/backend_debug_access_count
                #       {iam_principal=[value of IAMContext.principal]}
                #
                # At this time we do not support:
                # * multiple field names (though this may be supported in the future)
                # * decrementing the counter
                # * incrementing it by anything other than 1
              "counter": { # Options for counters # Counter options.
                "field": "A String", # The field value to attribute.
                "metric": "A String", # The metric to update.
              },
              "dataAccess": { # Write a Data Access (Gin) log # Data access options.
              },
              "cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
              },
            },
          ],
          "permissions": [ # A permission is a string of form '&lt;service&gt;.&lt;resource type&gt;.&lt;verb&gt;'
              # (e.g., 'storage.buckets.list'). A value of '*' matches all permissions,
              # and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.
            "A String",
          ],
        },
      ],
      "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
          # prevent simultaneous updates of a policy from overwriting each other.
          # It is strongly suggested that systems make use of the `etag` in the
          # read-modify-write cycle to perform policy updates in order to avoid race
          # conditions: An `etag` is returned in the response to `getIamPolicy`, and
          # systems are expected to put that etag in the request to `setIamPolicy` to
          # ensure that their change will be applied to the same version of the policy.
          #
          # If no `etag` is provided in the call to `setIamPolicy`, then the existing
          # policy is overwritten blindly.
      "bindings": [ # Associates a list of `members` to a `role`.
          # Multiple `bindings` must not be specified for the same `role`.
          # `bindings` with no members will result in an error.
        { # Associates `members` with a `role`.
          "role": "A String", # Role that is assigned to `members`.
              # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
              # Required
          "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
              # `members` can have the following values:
              #
              # * `allUsers`: A special identifier that represents anyone who is
              #    on the internet; with or without a Google account.
              #
              # * `allAuthenticatedUsers`: A special identifier that represents anyone
              #    who is authenticated with a Google account or a service account.
              #
              # * `user:{emailid}`: An email address that represents a specific Google
              #    account. For example, `alice@gmail.com` or `joe@example.com`.
              #
              # * `serviceAccount:{emailid}`: An email address that represents a service
              #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
              #
              # * `group:{emailid}`: An email address that represents a Google group.
              #    For example, `admins@example.com`.
              #
              # * `domain:{domain}`: A Google Apps domain name that represents all the
              #    users of that domain. For example, `google.com` or `example.com`.
              #
            "A String",
          ],
        },
      ],
      "iamOwned": True or False,
    }</pre>
</div>
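<p>Added example (not part of the generated reference or the client library): resolving the effective audit logging for one service under the union rule described for <code>auditConfigs</code>, using the sample policy from that description rewritten with the object's JSON field names. The helper names are hypothetical, and the AuditConfig-level <code>exemptedMembers</code> list is left uninterpreted because the reference gives it no description.</p>

```python
"""Resolve the effective audit logging for one service from a Policy's auditConfigs."""

ALL_SERVICES = "allServices"

# Constructed sample: the multi-AuditConfig policy from the field description,
# written with the JSON field names of the Policy object (auditConfigs, logType, ...).
SAMPLE_POLICY = {
    "auditConfigs": [
        {
            "service": "allServices",
            "auditLogConfigs": [
                {"logType": "DATA_READ", "exemptedMembers": ["user:foo@gmail.com"]},
                {"logType": "DATA_WRITE"},
                {"logType": "ADMIN_READ"},
            ],
        },
        {
            "service": "fooservice@googleapis.com",
            "auditLogConfigs": [
                {"logType": "DATA_READ"},
                {"logType": "DATA_WRITE", "exemptedMembers": ["user:bar@gmail.com"]},
            ],
        },
    ]
}


def effective_audit_logging(policy, service):
    """Return {log_type: sorted exempted members} that applies to `service`.

    Union rule: every AuditConfig whose service is `allServices` or `service`
    contributes its log types and, per log type, its exempted members.
    The AuditConfig-level "exemptedMembers" list is not interpreted here
    (assumption: the reference does not say what it applies to).
    """
    effective = {}
    for config in policy.get("auditConfigs", []):
        if config.get("service") not in (ALL_SERVICES, service):
            continue
        for log_config in config.get("auditLogConfigs", []):
            exempt = effective.setdefault(log_config["logType"], set())
            exempt.update(log_config.get("exemptedMembers", []))
    return {log_type: sorted(members) for log_type, members in effective.items()}


def logging_gaps(policy, service, required=("ADMIN_READ", "DATA_READ", "DATA_WRITE")):
    """List review findings: required log types that are off, and every exemption."""
    effective = effective_audit_logging(policy, service)
    findings = []
    for log_type in required:
        if log_type not in effective:
            findings.append(f"{log_type}: not enabled for {service}")
        for member in effective.get(log_type, []):
            findings.append(f"{log_type}: {member} is exempt from logging")
    return findings


if __name__ == "__main__":
    for finding in logging_gaps(SAMPLE_POLICY, "fooservice@googleapis.com"):
        print(finding)
```

<p>For a policy read back with <code>getIamPolicy</code>, an exemption on a data-access log type is the entry to review first, since that identity's reads or writes leave no audit record.</p>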

<div class="method">
    <code class="details" id="list">list(parent=None, pageToken=None, x__xgafv=None, pageSize=None)</code>
  <pre>Lists KeyRings.

Args:
  parent: string, Required. The resource name of the location associated with the
KeyRings, in the format `projects/*/locations/*`. (required)
  pageToken: string, Optional pagination token, returned earlier via
ListKeyRingsResponse.next_page_token.
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format
  pageSize: integer, Optional limit on the number of KeyRings to include in the
response. Further KeyRings can subsequently be obtained by
including the ListKeyRingsResponse.next_page_token in a subsequent
request. If unspecified, the server will pick an appropriate default.

Returns:
  An object of the form:

    { # Response message for KeyManagementService.ListKeyRings.
      "nextPageToken": "A String", # A token to retrieve next page of results. Pass this value in
          # ListKeyRingsRequest.page_token to retrieve the next page of results.
      "totalSize": 42, # The total number of KeyRings that matched the query.
      "keyRings": [ # The list of KeyRings.
        { # A KeyRing is a toplevel logical grouping of CryptoKeys.
          "createTime": "A String", # Output only. The time at which this KeyRing was created.
          "name": "A String", # Output only. The resource name for the KeyRing in the format
              # `projects/*/locations/*/keyRings/*`.
        },
      ],
    }</pre>
</div>

<div class="method">
    <code class="details" id="list_next">list_next(previous_request, previous_response)</code>
  <pre>Retrieves the next page of results.

Args:
  previous_request: The request for the previous page. (required)
  previous_response: The response from the request for the previous page. (required)

Returns:
  A request object that you can call 'execute()' on to request the next
  page. Returns None if there are no more items in the collection.
    </pre>
</div>
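<p>Added example (not part of the generated reference or the client library): the etag-guarded read-modify-write cycle that the <code>etag</code> field description asks for, next to the blind overwrite it warns about. <code>FakeKeyRings</code>, <code>EtagMismatch</code>, the resource name and the retry helper are assumptions made so the block runs offline; the fake returns responses directly, where the generated client returns a request object to call <code>execute()</code> on.</p>

```python
"""Etag-guarded read-modify-write of a KeyRing IAM policy, against an in-memory fake."""
import copy

# Constructed resource name in the documented `projects/*/locations/*/keyRings/*` form.
RESOURCE = "projects/example-project/locations/global/keyRings/example-ring"


class EtagMismatch(Exception):
    """Hypothetical error the fake raises when setIamPolicy carries a stale etag."""


class FakeKeyRings:
    """In-memory stand-in for the keyRings resource (assumption, not the real client)."""

    def __init__(self, policy):
        self._policy = copy.deepcopy(policy)
        self._generation = 0

    def _etag(self):
        return f"etag-{self._generation}"

    def getIamPolicy(self, resource):
        return dict(copy.deepcopy(self._policy), etag=self._etag())

    def setIamPolicy(self, resource, body):
        policy = copy.deepcopy(body["policy"])
        sent = policy.pop("etag", None)
        # No etag: the stored policy is overwritten blindly, as the reference says.
        # Stale etag: the write is refused so the caller has to re-read.
        if sent is not None and sent != self._etag():
            raise EtagMismatch(f"sent {sent}, current {self._etag()}")
        self._policy = policy
        self._generation += 1
        return self.getIamPolicy(resource)


def add_member(policy, role, member):
    """Return a copy of `policy` with `member` in the single binding for `role`."""
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == role:  # one binding per role: extend it, never duplicate
            if member not in binding["members"]:
                binding["members"].append(member)
            break
    else:
        bindings.append({"role": role, "members": [member]})
    return updated


def grant(key_rings, role, member, use_etag=True, before_write=None, max_attempts=5):
    """Read, modify and write the policy; return the number of attempts it took.

    `before_write` is a hook that runs between the read and the write, used here
    to simulate another administrator changing the policy in that window.
    """
    for attempt in range(1, max_attempts + 1):
        current = key_rings.getIamPolicy(resource=RESOURCE)
        desired = add_member(current, role, member)  # still carries current["etag"]
        if not use_etag:
            desired.pop("etag")  # the blind overwrite the reference warns about
        if before_write:
            before_write(attempt)
        try:
            key_rings.setIamPolicy(resource=RESOURCE, body={"policy": desired})
            return attempt
        except EtagMismatch:
            continue  # policy changed underneath us: re-read and re-apply
    raise RuntimeError("policy kept changing; giving up")


def run_race(use_etag):
    """Grant roles/viewer to mike while another admin grants roles/owner to a group."""
    key_rings = FakeKeyRings(
        {"bindings": [{"role": "roles/viewer", "members": ["user:sean@example.com"]}]}
    )

    def other_admin(attempt):
        if attempt == 1:
            theirs = key_rings.getIamPolicy(resource=RESOURCE)
            theirs = add_member(theirs, "roles/owner", "group:admins@example.com")
            key_rings.setIamPolicy(resource=RESOURCE, body={"policy": theirs})

    attempts = grant(key_rings, "roles/viewer", "user:mike@example.com",
                     use_etag=use_etag, before_write=other_admin)
    final = key_rings.getIamPolicy(resource=RESOURCE)
    roles = {b["role"]: sorted(b["members"]) for b in final["bindings"]}
    return roles, attempts


if __name__ == "__main__":
    print("with etag:   ", run_race(use_etag=True))
    print("without etag:", run_race(use_etag=False))
```

<p>With the etag the first write is refused and the retry keeps both administrators' changes; without it the write succeeds on the first attempt and the concurrent <code>roles/owner</code> binding is silently lost.</p>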

<div class="method">
    <code class="details" id="setIamPolicy">setIamPolicy(resource=None, body, x__xgafv=None)</code>
  <pre>Sets the access control policy on the specified resource. Replaces any
existing policy.

Args:
  resource: string, REQUIRED: The resource for which the policy is being specified.
See the operation documentation for the appropriate value for this field. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # Request message for `SetIamPolicy` method.
  "policy": { # REQUIRED: The complete policy to be applied to the `resource`. The size of
        # the policy is limited to a few 10s of KB. An empty policy is a
        # valid policy but certain Cloud Platform services (such as Projects)
        # might reject them.
        #
        # Defines an Identity and Access Management (IAM) policy. It is used to
        # specify access control policies for Cloud Platform resources.
        #
        # A `Policy` consists of a list of `bindings`. A `Binding` binds a list of
        # `members` to a `role`, where the members can be user accounts, Google groups,
        # Google domains, and service accounts. A `role` is a named list of permissions
        # defined by IAM.
        #
        # **Example**
        #
        #     {
        #       "bindings": [
        #         {
        #           "role": "roles/owner",
        #           "members": [
        #             "user:mike@example.com",
        #             "group:admins@example.com",
        #             "domain:google.com",
        #             "serviceAccount:my-other-app@appspot.gserviceaccount.com",
        #           ]
        #         },
        #         {
        #           "role": "roles/viewer",
        #           "members": ["user:sean@example.com"]
        #         }
        #       ]
        #     }
        #
        # For a description of IAM and its features, see the
        # [IAM developer's guide](https://cloud.google.com/iam).
      "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
        { # Specifies the audit configuration for a service.
            # It consists of which permission types are logged, and what identities, if
            # any, are exempted from logging.
            # An AuditConfig must have one or more AuditLogConfigs.
            #
            # If there are AuditConfigs for both `allServices` and a specific service,
            # the union of the two AuditConfigs is used for that service: the log_types
            # specified in each AuditConfig are enabled, and the exempted_members in each
            # AuditConfig are exempted.
            # Example Policy with multiple AuditConfigs:
            # {
            #   "audit_configs": [
            #     {
            #       "service": "allServices",
            #       "audit_log_configs": [
            #         {
            #           "log_type": "DATA_READ",
            #           "exempted_members": [
            #             "user:foo@gmail.com"
            #           ]
            #         },
            #         {
            #           "log_type": "DATA_WRITE",
            #         },
            #         {
            #           "log_type": "ADMIN_READ",
            #         }
            #       ]
            #     },
            #     {
            #       "service": "fooservice@googleapis.com",
            #       "audit_log_configs": [
            #         {
            #           "log_type": "DATA_READ",
            #         },
            #         {
            #           "log_type": "DATA_WRITE",
            #           "exempted_members": [
            #             "user:bar@gmail.com"
            #           ]
            #         }
            #       ]
            #     }
            #   ]
            # }
            # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
            # logging. It also exempts foo@gmail.com from DATA_READ logging, and
            # bar@gmail.com from DATA_WRITE logging.
          "exemptedMembers": [
            "A String",
          ],
          "auditLogConfigs": [ # The configuration for logging of each type of permission.
              # Next ID: 4
            { # Provides the configuration for logging a type of permissions.
                # Example:
                #
                # {
                #   "audit_log_configs": [
                #     {
                #       "log_type": "DATA_READ",
                #       "exempted_members": [
                #         "user:foo@gmail.com"
                #       ]
                #     },
                #     {
                #       "log_type": "DATA_WRITE",
                #     }
                #   ]
                # }
                #
                # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
                # foo@gmail.com from DATA_READ logging.
              "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
                  # permission.
                  # Follows the same format of Binding.members.
                "A String",
              ],
              "logType": "A String", # The log type that this config enables.
            },
          ],
          "service": "A String", # Specifies a service that will be enabled for audit logging.
              # For example, `resourcemanager`, `storage`, `compute`.
              # `allServices` is a special value that covers all services.
        },
      ],
      "version": 42, # Version of the `Policy`. The default version is 0.
      "rules": [ # If more than one rule is specified, the rules are applied in the following
          # manner:
          # - All matching LOG rules are always applied.
          # - If any DENY/DENY_WITH_LOG rule matches, permission is denied.
          #   Logging will be applied if one or more matching rule requires logging.
          # - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is
          #   granted.
          #   Logging will be applied if one or more matching rule requires logging.
          # - Otherwise, if no rule applies, permission is denied.
        { # A rule to be applied in a Policy.
          "notIn": [ # If one or more 'not_in' clauses are specified, the rule matches
              # if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.
              # The format for in and not_in entries is the same as for members in a
              # Binding (see google/iam/v1/policy.proto).
            "A String",
          ],
          "description": "A String", # Human-readable description of the rule.
          "in": [ # If one or more 'in' clauses are specified, the rule matches if
              # the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
            "A String",
          ],
          "action": "A String", # Required
          "conditions": [ # Additional restrictions that must be met
            { # A condition to be met.
              "iam": "A String", # Trusted attributes supplied by the IAM system.
              "svc": "A String", # Trusted attributes discharged by the service.
              "value": "A String", # DEPRECATED. Use 'values' instead.
              "sys": "A String", # Trusted attributes supplied by any service that owns resources and uses
                  # the IAM system for access control.
              "values": [ # The objects of the condition. This is mutually exclusive with 'value'.
                "A String",
              ],
              "op": "A String", # An operator to apply the subject with.
            },
          ],
          "logConfig": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries
              # that match the LOG action.
            { # Specifies what kind of log the caller must write
                # Increment a streamz counter with the specified metric and field names.
                #
                # Metric names should start with a '/', generally be lowercase-only,
                # and end in "_count". Field names should not contain an initial slash.
                # The actual exported metric names will have "/iam/policy" prepended.
                #
                # Field names correspond to IAM request parameters and field values are
                # their respective values.
                #
                # At present the only supported field names are
                # - "iam_principal", corresponding to IAMContext.principal;
                # - "" (empty string), resulting in one aggregated counter with no field.
                #
                # Examples:
                #   counter { metric: "/debug_access_count" field: "iam_principal" }
                #   ==&gt; increment counter /iam/policy/backend_debug_access_count
                #       {iam_principal=[value of IAMContext.principal]}
                #
                # At this time we do not support:
                # * multiple field names (though this may be supported in the future)
                # * decrementing the counter
                # * incrementing it by anything other than 1
              "counter": { # Options for counters # Counter options.
                "field": "A String", # The field value to attribute.
                "metric": "A String", # The metric to update.
              },
              "dataAccess": { # Write a Data Access (Gin) log # Data access options.
              },
              "cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
              },
            },
          ],
          "permissions": [ # A permission is a string of form '&lt;service&gt;.&lt;resource type&gt;.&lt;verb&gt;'
              # (e.g., 'storage.buckets.list'). A value of '*' matches all permissions,
              # and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.
            "A String",
          ],
        },
      ],
      "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
          # prevent simultaneous updates of a policy from overwriting each other.
          # It is strongly suggested that systems make use of the `etag` in the
          # read-modify-write cycle to perform policy updates in order to avoid race
          # conditions: An `etag` is returned in the response to `getIamPolicy`, and
          # systems are expected to put that etag in the request to `setIamPolicy` to
          # ensure that their change will be applied to the same version of the policy.
          #
          # If no `etag` is provided in the call to `setIamPolicy`, then the existing
          # policy is overwritten blindly.
      "bindings": [ # Associates a list of `members` to a `role`.
          # Multiple `bindings` must not be specified for the same `role`.
          # `bindings` with no members will result in an error.
        { # Associates `members` with a `role`.
          "role": "A String", # Role that is assigned to `members`.
              # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
              # Required
          "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
              # `members` can have the following values:
              #
              # * `allUsers`: A special identifier that represents anyone who is
              #    on the internet; with or without a Google account.
              #
              # * `allAuthenticatedUsers`: A special identifier that represents anyone
              #    who is authenticated with a Google account or a service account.
              #
              # * `user:{emailid}`: An email address that represents a specific Google
              #    account. For example, `alice@gmail.com` or `joe@example.com`.
              #
              # * `serviceAccount:{emailid}`: An email address that represents a service
              #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
              #
              # * `group:{emailid}`: An email address that represents a Google group.
              #    For example, `admins@example.com`.
              #
              # * `domain:{domain}`: A Google Apps domain name that represents all the
              #    users of that domain. For example, `google.com` or `example.com`.
              #
            "A String",
          ],
        },
      ],
      "iamOwned": True or False,
  },
  "updateMask": "A String", # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
      # the fields in the mask will be modified. If no mask is provided, a default
      # mask is used:
      # paths: "bindings, etag"
      # This field is only used by Cloud IAM.
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Defines an Identity and Access Management (IAM) policy. It is used to
        # specify access control policies for Cloud Platform resources.
        #
        # A `Policy` consists of a list of `bindings`. A `Binding` binds a list of
        # `members` to a `role`, where the members can be user accounts, Google groups,
        # Google domains, and service accounts. A `role` is a named list of permissions
        # defined by IAM.
        #
        # **Example**
        #
        #     {
        #       "bindings": [
        #         {
        #           "role": "roles/owner",
        #           "members": [
        #             "user:mike@example.com",
        #             "group:admins@example.com",
        #             "domain:google.com",
        #             "serviceAccount:my-other-app@appspot.gserviceaccount.com",
        #           ]
        #         },
        #         {
        #           "role": "roles/viewer",
        #           "members": ["user:sean@example.com"]
        #         }
        #       ]
        #     }
        #
        # For a description of IAM and its features, see the
        # [IAM developer's guide](https://cloud.google.com/iam).
      "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
768 { # Specifies the audit configuration for a service.
769 # It consists of which permission types are logged, and what identities, if
770 # any, are exempted from logging.
771 # An AuditConifg must have one or more AuditLogConfigs.
772 #
773 # If there are AuditConfigs for both `allServices` and a specific service,
774 # the union of the two AuditConfigs is used for that service: the log_types
775 # specified in each AuditConfig are enabled, and the exempted_members in each
776 # AuditConfig are exempted.
777 # Example Policy with multiple AuditConfigs:
778 # {
779 # "audit_configs": [
780 # {
781 # "service": "allServices"
782 # "audit_log_configs": [
783 # {
784 # "log_type": "DATA_READ",
785 # "exempted_members": [
786 # "user:foo@gmail.com"
787 # ]
788 # },
789 # {
790 # "log_type": "DATA_WRITE",
791 # },
792 # {
793 # "log_type": "ADMIN_READ",
794 # }
795 # ]
796 # },
797 # {
798 # "service": "fooservice@googleapis.com"
799 # "audit_log_configs": [
800 # {
801 # "log_type": "DATA_READ",
802 # },
803 # {
804 # "log_type": "DATA_WRITE",
805 # "exempted_members": [
806 # "user:bar@gmail.com"
807 # ]
808 # }
809 # ]
810 # }
811 # ]
812 # }
813 # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
814 # logging. It also exempts foo@gmail.com from DATA_READ logging, and
815 # bar@gmail.com from DATA_WRITE logging.
816 "exemptedMembers": [
817 "A String",
818 ],
819 "auditLogConfigs": [ # The configuration for logging of each type of permission.
820 # Next ID: 4
821 { # Provides the configuration for logging a type of permissions.
822 # Example:
823 #
824 # {
825 # "audit_log_configs": [
826 # {
827 # "log_type": "DATA_READ",
828 # "exempted_members": [
829 # "user:foo@gmail.com"
830 # ]
831 # },
832 # {
833 # "log_type": "DATA_WRITE",
834 # }
835 # ]
836 # }
837 #
838 # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
839 # foo@gmail.com from DATA_READ logging.
840 "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
841 # permission.
842 # Follows the same format of Binding.members.
843 "A String",
844 ],
845 "logType": "A String", # The log type that this config enables.
846 },
847 ],
848 "service": "A String", # Specifies a service that will be enabled for audit logging.
849 # For example, `resourcemanager`, `storage`, `compute`.
850 # `allServices` is a special value that covers all services.
851 },
852 ],
      "version": 42, # Version of the `Policy`. The default version is 0.
      "rules": [ # If more than one rule is specified, the rules are applied in the following
          # manner:
          # - All matching LOG rules are always applied.
          # - If any DENY/DENY_WITH_LOG rule matches, permission is denied.
          #   Logging will be applied if one or more matching rules require logging.
          # - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is
          #   granted.
          #   Logging will be applied if one or more matching rules require logging.
          # - Otherwise, if no rule applies, permission is denied.
        { # A rule to be applied in a Policy.
          "notIn": [ # If one or more 'not_in' clauses are specified, the rule matches
              # if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.
              # The format for in and not_in entries is the same as for members in a
              # Binding (see google/iam/v1/policy.proto).
            "A String",
          ],
          "description": "A String", # Human-readable description of the rule.
          "in": [ # If one or more 'in' clauses are specified, the rule matches if
              # the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
            "A String",
          ],
          "action": "A String", # Required
          "conditions": [ # Additional restrictions that must be met
            { # A condition to be met.
              "iam": "A String", # Trusted attributes supplied by the IAM system.
              "svc": "A String", # Trusted attributes discharged by the service.
              "value": "A String", # DEPRECATED. Use 'values' instead.
              "sys": "A String", # Trusted attributes supplied by any service that owns resources and uses
                  # the IAM system for access control.
              "values": [ # The objects of the condition. This is mutually exclusive with 'value'.
                "A String",
              ],
              "op": "A String", # An operator to apply the subject with.
            },
          ],
          "logConfig": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries
              # that match the LOG action.
            { # Specifies what kind of log the caller must write
                # Increment a streamz counter with the specified metric and field names.
                #
                # Metric names should start with a '/', generally be lowercase-only,
                # and end in "_count". Field names should not contain an initial slash.
                # The actual exported metric names will have "/iam/policy" prepended.
                #
                # Field names correspond to IAM request parameters and field values are
                # their respective values.
                #
                # At present the only supported field names are
                #   - "iam_principal", corresponding to IAMContext.principal;
                #   - "" (empty string), resulting in one aggregated counter with no field.
                #
                # Examples:
                #   counter { metric: "/debug_access_count" field: "iam_principal" }
                #   ==> increment counter /iam/policy/backend_debug_access_count
                #                         {iam_principal=[value of IAMContext.principal]}
                #
                # At this time we do not support:
                # * multiple field names (though this may be supported in the future)
                # * decrementing the counter
                # * incrementing it by anything other than 1
              "counter": { # Options for counters # Counter options.
                "field": "A String", # The field value to attribute.
                "metric": "A String", # The metric to update.
              },
              "dataAccess": { # Write a Data Access (Gin) log # Data access options.
              },
              "cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
              },
            },
          ],
          "permissions": [ # A permission is a string of form '<service>.<resource type>.<verb>'
              # (e.g., 'storage.buckets.list'). A value of '*' matches all permissions,
              # and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.
            "A String",
          ],
        },
      ],
      "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
          # prevent simultaneous updates of a policy from overwriting each other.
          # It is strongly suggested that systems make use of the `etag` in the
          # read-modify-write cycle to perform policy updates in order to avoid race
          # conditions: An `etag` is returned in the response to `getIamPolicy`, and
          # systems are expected to put that etag in the request to `setIamPolicy` to
          # ensure that their change will be applied to the same version of the policy.
          #
          # If no `etag` is provided in the call to `setIamPolicy`, then the existing
          # policy is overwritten blindly.
      "bindings": [ # Associates a list of `members` to a `role`.
          # Multiple `bindings` must not be specified for the same `role`.
          # `bindings` with no members will result in an error.
        { # Associates `members` with a `role`.
          "role": "A String", # Role that is assigned to `members`.
              # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
              # Required
          "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
              # `members` can have the following values:
              #
              # * `allUsers`: A special identifier that represents anyone who is
              #    on the internet; with or without a Google account.
              #
              # * `allAuthenticatedUsers`: A special identifier that represents anyone
              #    who is authenticated with a Google account or a service account.
              #
              # * `user:{emailid}`: An email address that represents a specific Google
              #    account. For example, `alice@gmail.com` or `joe@example.com`.
              #
              # * `serviceAccount:{emailid}`: An email address that represents a service
              #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
              #
              # * `group:{emailid}`: An email address that represents a Google group.
              #    For example, `admins@example.com`.
              #
              # * `domain:{domain}`: A Google Apps domain name that represents all the
              #    users of that domain. For example, `google.com` or `example.com`.
              #
            "A String",
          ],
        },
      ],
      "iamOwned": True or False,
    }</pre>
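<p>The read-modify-write cycle described for `etag`, as an added example that is not part of the original documentation or of the client library. `grant_role`, `is_conflict` and `FakeKeyRings` are hypothetical names, the fake resource and its etag values are constructed so the block runs offline, and it is an assumption that a stale etag surfaces as HTTP 409.</p>

```python
import copy
from types import SimpleNamespace

def is_conflict(exc):
    # Assumption: stale etag -> HTTP 409; HttpError exposes it as exc.resp.status.
    return getattr(getattr(exc, "resp", None), "status", None) == 409

def grant_role(key_rings, resource, role, member, max_attempts=3):
    """Hypothetical helper: add member to role, retrying when the etag is stale."""
    for _ in range(max_attempts):
        policy = key_rings.getIamPolicy(resource=resource).execute()
        bindings = policy.setdefault("bindings", [])
        binding = next((b for b in bindings if b["role"] == role), None)
        if binding is None:  # keep a single binding per role
            binding = {"role": role, "members": []}
            bindings.append(binding)
        if member in binding["members"]:
            return policy
        binding["members"].append(member)
        try:
            # policy still carries the etag from the read, so a concurrent
            # update is rejected instead of being overwritten blindly.
            return key_rings.setIamPolicy(resource=resource, body={"policy": policy}).execute()
        except Exception as exc:
            if not is_conflict(exc):
                raise
    raise RuntimeError("policy kept changing; giving up")

class FakeKeyRings:
    """Constructed in-memory stand-in for the keyRings() resource."""
    def __init__(self, policy):
        self.policy, self.before_write = policy, None
    def getIamPolicy(self, resource):
        return SimpleNamespace(execute=lambda: copy.deepcopy(self.policy))
    def setIamPolicy(self, resource, body):
        return SimpleNamespace(execute=lambda: self._write(body["policy"]))
    def _write(self, new):
        hook, self.before_write = self.before_write, None
        if hook:
            hook(self)  # another administrator's write lands first
        current = self.policy["etag"]
        if new.get("etag", current) != current:  # no etag: blind overwrite
            err = Exception("etag mismatch")
            err.resp = SimpleNamespace(status=409)
            raise err
        self.policy = dict(copy.deepcopy(new), etag=current + "+")
        return copy.deepcopy(self.policy)
```

<p>With the real client, `key_rings` would be the object returned by `projects().locations().keyRings()`. The security-relevant outcome is that a revocation made between the read and the write survives the retry instead of being silently undone.</p>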
</div>

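<p>The evaluation order documented for `rules` in the policy above, as an added example that is not part of the original documentation and not the service's implementation. Assumptions: principals are compared with `in`/`notIn` entries by exact string match (group and domain expansion is not modelled), a rule applies only to the permissions it lists, and `conditions` are not evaluated. The function names and `SAMPLE_RULES` are constructed.</p>

```python
DENY = {"DENY", "DENY_WITH_LOG"}
ALLOW = {"ALLOW", "ALLOW_WITH_LOG"}
LOGGING = {"LOG", "DENY_WITH_LOG", "ALLOW_WITH_LOG"}


def permission_matches(pattern, permission):
    """'*' matches all permissions; a verb part of '*' matches all verbs."""
    if pattern == "*":
        return True
    if pattern.endswith(".*"):
        return permission.rsplit(".", 1)[0] == pattern[:-2]
    return pattern == permission


def rule_matches(rule, principal, permission):
    if not any(permission_matches(p, permission) for p in rule.get("permissions", [])):
        return False
    if rule.get("in") and principal not in rule["in"]:
        return False  # 'in' given: principal must be in at least one entry
    if rule.get("notIn") and principal in rule["notIn"]:
        return False  # 'notIn' given: principal must be in none of the entries
    return True


def evaluate(rules, principal, permission):
    """Return (granted, must_log) following the documented order."""
    matched = [r["action"] for r in rules if rule_matches(r, principal, permission)]
    must_log = any(a in LOGGING for a in matched)  # matching LOG rules always apply
    if any(a in DENY for a in matched):            # a matching DENY wins over ALLOW
        return False, must_log
    if any(a in ALLOW for a in matched):
        return True, must_log
    return False, must_log                         # no rule applies: denied


SAMPLE_RULES = [  # constructed for illustration
    {"action": "ALLOW", "permissions": ["cloudkms.keyRings.*"],
     "in": ["user:alice@example.com", "user:root@example.com"]},
    {"action": "DENY_WITH_LOG", "permissions": ["cloudkms.keyRings.setIamPolicy"],
     "notIn": ["user:root@example.com"]},
    {"action": "LOG", "permissions": ["*"]},
]
```

<p>A broad ALLOW on `cloudkms.keyRings.*` does not let `user:alice@example.com` change the policy here, because the narrower DENY_WITH_LOG rule also matches and is applied first.</p>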
<div class="method">
    <code class="details" id="testIamPermissions">testIamPermissions(resource=None, body, x__xgafv=None)</code>
  <pre>Returns permissions that a caller has on the specified resource.
If the resource does not exist, this will return an empty set of
permissions, not a NOT_FOUND error.

Note: This operation is designed to be used for building permission-aware
UIs and command-line tools, not for authorization checking. This operation
may "fail open" without warning.

Args:
  resource: string, REQUIRED: The resource for which the policy detail is being requested.
See the operation documentation for the appropriate value for this field. (required)
  body: object, The request body. (required)
    The object takes the form of:

    { # Request message for `TestIamPermissions` method.
      "permissions": [ # The set of permissions to check for the `resource`. Permissions with
          # wildcards (such as '*' or 'storage.*') are not allowed. For more
          # information see
          # [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).
        "A String",
      ],
    }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response message for `TestIamPermissions` method.
      "permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is
          # allowed.
        "A String",
      ],
    }</pre>
</div>

</body></html>