Blame - docs/dyn/cloudresourcemanager_v1.projects.html - platform/external/python/google-api-python-client

2017-01-06 09:58:29 -0800

[diff] [blame]

382

"details": [ # A list of messages that carry the error details. There will be a

383

# common set of message types for APIs to use.

Sai Cheemalapati

ea3a5e1

2016-10-12 14:05:53 -0700

[diff] [blame]

384

{

385

"a_key": "", # Properties of the object. Contains field @type with type URL.

386

},

387

],

388

},

Sai Cheemalapati

ea3a5e1

2016-10-12 14:05:53 -0700

[diff] [blame]

}</pre>

</div>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

393

<code class="details" id="delete">delete(projectId=None, x__xgafv=None)</code>

394

<pre>Marks the Project identified by the specified

395

`project_id` (for example, `my-project-123`) for deletion.

396

This method will only affect the Project if the following criteria are met:

397

398

+ The Project does not have a billing account associated with it.

399

+ The Project has a lifecycle state of

400

ACTIVE.

401

402

This method changes the Project's lifecycle state from

403

ACTIVE

404

to DELETE_REQUESTED.

405

The deletion starts at an unspecified time,

406

at which point the Project is no longer accessible.

407

408

Until the deletion completes, you can check the lifecycle state

409

checked by retrieving the Project with GetProject,

410

and the Project remains visible to ListProjects.

411

However, you cannot update the project.

412

413

After the deletion completes, the Project is not retrievable by

414

the GetProject and

415

ListProjects methods.

416

417

The caller must have modify permissions for this Project.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

418

419

Args:

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

420

projectId: string, The Project ID (for example, `foo-bar-123`).

421

422

Required. (required)

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

423

x__xgafv: string, V1 error format.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

424

Allowed values

425

1 - v1 error format

426

2 - v2 error format

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

427

428

Returns:

429

An object of the form:

430

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

431

{ # A generic empty message that you can re-use to avoid defining duplicated

432

# empty messages in your APIs. A typical example is to use it as the request

433

# or the response type of an API method. For instance:

434

#

435

# service Foo {

436

# rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);

437

# }

438

#

439

# The JSON representation for `Empty` is empty JSON object `{}`.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

}</pre>

</div>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

444

<code class="details" id="get">get(projectId=None, x__xgafv=None)</code>

445

<pre>Retrieves the Project identified by the specified

446

`project_id` (for example, `my-project-123`).

447

448

The caller must have read permissions for this Project.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

449

450

Args:

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

451

projectId: string, The Project ID (for example, `my-project-123`).

452

453

Required. (required)

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

454

x__xgafv: string, V1 error format.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

455

Allowed values

456

1 - v1 error format

457

2 - v2 error format

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

458

459

Returns:

460

An object of the form:

461

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

462

{ # A Project is a high-level Google Cloud Platform entity. It is a

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

463

# container for ACLs, APIs, App Engine Apps, VMs, and other

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

464

# Google Cloud Platform resources.

465

"name": "A String", # The user-assigned display name of the Project.

466

# It must be 4 to 30 characters.

467

# Allowed characters are: lowercase and uppercase letters, numbers,

468

# hyphen, single-quote, double-quote, space, and exclamation point.

469

#

470

# Example: <code>My Project</code>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

471

# Read-write.

472

"parent": { # A container to reference an id for any resource type. A `resource` in Google # An optional reference to a parent Resource.

473

#

474

# The only supported parent type is "organization". Once set, the parent

475

# cannot be modified. The `parent` can be set on creation or using the

476

# `UpdateProject` method; the end user must have the

477

# `resourcemanager.projects.create` permission on the parent.

478

#

479

# Read-write.

480

# Cloud Platform is a generic term for something you (a developer) may want to

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

481

# interact with through one of our API's. Some examples are an App Engine app,

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

482

# a Compute Engine instance, a Cloud SQL database, and so on.

483

"type": "A String", # Required field representing the resource type this id is for.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

484

# At present, the valid types are: "organization"

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

485

"id": "A String", # Required field for the type-specific id. This should correspond to the id

486

# used in the type-specific API's.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

487

},

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

488

"projectId": "A String", # The unique, user-assigned ID of the Project.

489

# It must be 6 to 30 lowercase letters, digits, or hyphens.

490

# It must start with a letter.

491

# Trailing hyphens are prohibited.

492

#

493

# Example: <code>tokyo-rain-123</code>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

494

# Read-only after creation.

495

"labels": { # The labels associated with this Project.

496

#

497

# Label keys must be between 1 and 63 characters long and must conform

498

# to the following regular expression: \[a-z\](\[-a-z0-9\]*\[a-z0-9\])?.

499

#

500

# Label values must be between 0 and 63 characters long and must conform

501

# to the regular expression (\[a-z\](\[-a-z0-9\]*\[a-z0-9\])?)?.

502

#

503

# No more than 256 labels can be associated with a given resource.

504

#

505

# Clients should store labels in a representation such as JSON that does not

506

# depend on specific characters being disallowed.

507

#

508

# Example: <code>"environment" : "dev"</code>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

509

# Read-write.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

510

"a_key": "A String",

511

},

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

512

"projectNumber": "A String", # The number uniquely identifying the project.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

513

#

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

514

# Example: <code>415104041262</code>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

515

# Read-only.

516

"lifecycleState": "A String", # The Project lifecycle state.

517

#

518

# Read-only.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

519

"createTime": "A String", # Creation time.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

520

#

521

# Read-only.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

}</pre>

</div>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

526

<code class="details" id="getAncestry">getAncestry(projectId=None, body, x__xgafv=None)</code>

527

<pre>Gets a list of ancestors in the resource hierarchy for the Project

528

identified by the specified `project_id` (for example, `my-project-123`).

529

530

The caller must have read permissions for this Project.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

531

532

Args:

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

533

projectId: string, The Project ID (for example, `my-project-123`).

534

535

Required. (required)

536

body: object, The request body. (required)

537

The object takes the form of:

538

539

{ # The request sent to the

# GetAncestry

# method.

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

551

552

{ # Response from the GetAncestry method.

553

"ancestor": [ # Ancestors are ordered from bottom to top of the resource hierarchy. The

554

# first ancestor is the project itself, followed by the project's parent,

555

# etc.

556

{ # Identifying information for a single ancestor of a project.

557

"resourceId": { # A container to reference an id for any resource type. A `resource` in Google # Resource id of the ancestor.

558

# Cloud Platform is a generic term for something you (a developer) may want to

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

559

# interact with through one of our API's. Some examples are an App Engine app,

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

560

# a Compute Engine instance, a Cloud SQL database, and so on.

561

"type": "A String", # Required field representing the resource type this id is for.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

562

# At present, the valid types are: "organization"

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

563

"id": "A String", # Required field for the type-specific id. This should correspond to the id

564

# used in the type-specific API's.

},

},

],

}</pre>

</div>

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame^]

572

<code class="details" id="getEffectiveOrgPolicy">getEffectiveOrgPolicy(resource, body, x__xgafv=None)</code>

573

<pre>Gets the effective `Policy` on a resource. This is the result of merging

574

`Policies` in the resource hierarchy. The returned `Policy` will not have

575

an `etag`set because it is a computed `Policy` across multiple resources.

576

577

Args:

578

resource: string, The name of the resource to start computing the effective `Policy`. (required)

579

body: object, The request body. (required)

580

The object takes the form of:

581

582

{ # The request sent to the GetEffectiveOrgPolicy method.

583

"constraint": "A String", # The name of the `Constraint` to compute the effective `Policy`.

584

}

585

586

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

593

594

{ # Defines a Cloud Organization `Policy` which is used to specify `Constraints`

595

# for configurations of Cloud Platform resources.

596

"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the

597

# server, not specified by the caller, and represents the last time a call to

598

# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will

599

# be ignored.

600

"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,

601

# `constraints/serviceuser.services`.

602

#

603

# Immutable after creation.

604

"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of

605

# `Constraint` type.

606

# `constraint_default` enforcement behavior of the specific `Constraint` at

607

# this resource.

608

#

609

# Suppose that `constraint_default` is set to `ALLOW` for the

610

# `Constraint` `constraints/serviceuser.services`. Suppose that organization

611

# foo.com sets a `Policy` at their Organization resource node that restricts

612

# the allowed service activations to deny all service activations. They

613

# could then set a `Policy` with the `policy_type` `restore_default` on

614

# several experimental projects, restoring the `constraint_default`

615

# enforcement of the `Constraint` for only those projects, allowing those

616

# projects to have all services activated.

617

},

618

"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.

619

# resource.

620

#

621

# A `ListPolicy` can define specific values that are allowed or denied by

622

# setting either the `allowed_values` or `denied_values` fields. It can also

623

# be used to allow or deny all values, by setting the `all_values` field. If

624

# `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`

625

# or `denied_values` must be set (attempting to set both or neither will

626

# result in a failed request). If `all_values` is set to either `ALLOW` or

627

# `DENY`, `allowed_values` and `denied_values` must be unset.

628

"allValues": "A String", # The policy all_values state.

629

"deniedValues": [ # List of values denied at this resource. Can only be set if no values are

630

# set for `allowed_values` and `all_values` is set to

631

# `ALL_VALUES_UNSPECIFIED`.

632

"A String",

633

],

634

"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.

635

#

636

# By default, a `ListPolicy` set at a resource supercedes any `Policy` set

637

# anywhere up the resource hierarchy. However, if `inherit_from_parent` is

638

# set to `true`, then the values from the effective `Policy` of the parent

639

# resource are inherited, meaning the values set in this `Policy` are

640

# added to the values inherited up the hierarchy.

641

#

642

# Setting `Policy` hierarchies that inherit both allowed values and denied

643

# values isn't recommended in most circumstances to keep the configuration

644

# simple and understandable. However, it is possible to set a `Policy` with

645

# `allowed_values` set that inherits a `Policy` with `denied_values` set.

646

# In this case, the values that are allowed must be in `allowed_values` and

647

# not present in `denied_values`.

648

#

649

# For example, suppose you have a `Constraint`

650

# `constraints/serviceuser.services`, which has a `constraint_type` of

651

# `list_constraint`, and with `constraint_default` set to `ALLOW`.

652

# Suppose that at the Organization level, a `Policy` is applied that

653

# restricts the allowed API activations to {`E1`, `E2`}. Then, if a

654

# `Policy` is applied to a project below the Organization that has

655

# `inherit_from_parent` set to `false` and field all_values set to DENY,

656

# then an attempt to activate any API will be denied.

657

#

658

# The following examples demonstrate different possible layerings:

659

#

660

# Example 1 (no inherited values):

661

# `organizations/foo` has a `Policy` with values:

662

# {allowed_values: “E1” allowed_values:”E2”}

663

# ``projects/bar`` has `inherit_from_parent` `false` and values:

664

# {allowed_values: "E3" allowed_values: "E4"}

665

# The accepted values at `organizations/foo` are `E1`, `E2`.

666

# The accepted values at `projects/bar` are `E3`, and `E4`.

667

#

668

# Example 2 (inherited values):

669

# `organizations/foo` has a `Policy` with values:

670

# {allowed_values: “E1” allowed_values:”E2”}

671

# `projects/bar` has a `Policy` with values:

672

# {value: “E3” value: ”E4” inherit_from_parent: true}

673

# The accepted values at `organizations/foo` are `E1`, `E2`.

674

# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.

675

#

676

# Example 3 (inheriting both allowed and denied values):

677

# `organizations/foo` has a `Policy` with values:

678

# {allowed_values: "E1" allowed_values: "E2"}

679

# `projects/bar` has a `Policy` with:

680

# {denied_values: "E1"}

681

# The accepted values at `organizations/foo` are `E1`, `E2`.

682

# The value accepted at `projects/bar` is `E2`.

683

#

684

# Example 4 (RestoreDefault):

685

# `organizations/foo` has a `Policy` with values:

686

# {allowed_values: “E1” allowed_values:”E2”}

687

# `projects/bar` has a `Policy` with values:

688

# {RestoreDefault: {}}

689

# The accepted values at `organizations/foo` are `E1`, `E2`.

690

# The accepted values at `projects/bar` are either all or none depending on

691

# the value of `constraint_default` (if `ALLOW`, all; if

692

# `DENY`, none).

693

#

694

# Example 5 (no policy inherits parent policy):

695

# `organizations/foo` has no `Policy` set.

696

# `projects/bar` has no `Policy` set.

697

# The accepted values at both levels are either all or none depending on

698

# the value of `constraint_default` (if `ALLOW`, all; if

699

# `DENY`, none).

700

#

701

# Example 6 (ListConstraint allowing all):

702

# `organizations/foo` has a `Policy` with values:

703

# {allowed_values: “E1” allowed_values: ”E2”}

704

# `projects/bar` has a `Policy` with:

705

# {all: ALLOW}

706

# The accepted values at `organizations/foo` are `E1`, E2`.

707

# Any value is accepted at `projects/bar`.

708

#

709

# Example 7 (ListConstraint allowing none):

710

# `organizations/foo` has a `Policy` with values:

711

# {allowed_values: “E1” allowed_values: ”E2”}

712

# `projects/bar` has a `Policy` with:

713

# {all: DENY}

714

# The accepted values at `organizations/foo` are `E1`, E2`.

715

# No value is accepted at `projects/bar`.

716

"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration

717

# that matches the value specified in this `Policy`. If `suggested_value`

718

# is not set, it will inherit the value specified higher in the hierarchy,

719

# unless `inherit_from_parent` is `false`.

720

"allowedValues": [ # List of values allowed at this resource. an only be set if no values are

721

# set for `denied_values` and `all_values` is set to

722

# `ALL_VALUES_UNSPECIFIED`.

"A String",

],

},

"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.

727

# resource.

728

"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any

729

# configuration is acceptable.

730

#

731

# Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`

732

# with `constraint_default` set to `ALLOW`. A `Policy` for that

733

# `Constraint` exhibits the following behavior:

734

# - If the `Policy` at this resource has enforced set to `false`, serial

735

# port connection attempts will be allowed.

736

# - If the `Policy` at this resource has enforced set to `true`, serial

737

# port connection attempts will be refused.

738

# - If the `Policy` at this resource is `RestoreDefault`, serial port

739

# connection attempts will be allowed.

740

# - If no `Policy` is set at this resource or anywhere higher in the

741

# resource hierarchy, serial port connection attempts will be allowed.

742

# - If no `Policy` is set at this resource, but one exists higher in the

743

# resource hierarchy, the behavior is as if the`Policy` were set at

744

# this resource.

745

#

746

# The following examples demonstrate the different possible layerings:

747

#

748

# Example 1 (nearest `Constraint` wins):

749

# `organizations/foo` has a `Policy` with:

750

# {enforced: false}

751

# `projects/bar` has no `Policy` set.

752

# The constraint at `projects/bar` and `organizations/foo` will not be

753

# enforced.

754

#

755

# Example 2 (enforcement gets replaced):

756

# `organizations/foo` has a `Policy` with:

757

# {enforced: false}

758

# `projects/bar` has a `Policy` with:

759

# {enforced: true}

760

# The constraint at `organizations/foo` is not enforced.

761

# The constraint at `projects/bar` is enforced.

762

#

763

# Example 3 (RestoreDefault):

764

# `organizations/foo` has a `Policy` with:

765

# {enforced: true}

766

# `projects/bar` has a `Policy` with:

767

# {RestoreDefault: {}}

768

# The constraint at `organizations/foo` is enforced.

769

# The constraint at `projects/bar` is not enforced, because

770

# `constraint_default` for the `Constraint` is `ALLOW`.

771

},

772

"version": 42, # Version of the `Policy`. Default version is 0;

773

"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for

774

# concurrency control.

775

#

776

# When the `Policy` is returned from either a `GetPolicy` or a

777

# `ListOrgPolicy` request, this `etag` indicates the version of the current

778

# `Policy` to use when executing a read-modify-write loop.

779

#

780

# When the `Policy` is returned from a `GetEffectivePolicy` request, the

781

# `etag` will be unset.

782

#

783

# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value

784

# that was returned from a `GetOrgPolicy` request as part of a

785

# read-modify-write loop for concurrency control. Not setting the `etag`in a

786

# `SetOrgPolicy` request will result in an unconditional write of the

# `Policy`.

}</pre>

</div>

<code class="details" id="getEffectiveOrgPolicyV1">getEffectiveOrgPolicyV1(resource, body, x__xgafv=None)</code>

793

<pre>Gets the effective `Policy` on a resource. This is the result of merging

794

`Policies` in the resource hierarchy. The returned `Policy` will not have

795

an `etag`set because it is a computed `Policy` across multiple resources.

796

797

Args:

798

resource: string, The name of the resource to start computing the effective `Policy`. (required)

799

body: object, The request body. (required)

800

The object takes the form of:

801

802

{ # The request sent to the GetEffectiveOrgPolicy method.

803

"constraint": "A String", # The name of the `Constraint` to compute the effective `Policy`.

804

}

805

806

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

813

814

{ # Defines a Cloud Organization `Policy` which is used to specify `Constraints`

815

# for configurations of Cloud Platform resources.

816

"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the

817

# server, not specified by the caller, and represents the last time a call to

818

# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will

819

# be ignored.

820

"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,

821

# `constraints/serviceuser.services`.

822

#

823

# Immutable after creation.

824

"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of

825

# `Constraint` type.

826

# `constraint_default` enforcement behavior of the specific `Constraint` at

827

# this resource.

828

#

829

# Suppose that `constraint_default` is set to `ALLOW` for the

830

# `Constraint` `constraints/serviceuser.services`. Suppose that organization

831

# foo.com sets a `Policy` at their Organization resource node that restricts

832

# the allowed service activations to deny all service activations. They

833

# could then set a `Policy` with the `policy_type` `restore_default` on

834

# several experimental projects, restoring the `constraint_default`

835

# enforcement of the `Constraint` for only those projects, allowing those

836

# projects to have all services activated.

837

},

838

"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.

839

# resource.

840

#

841

# A `ListPolicy` can define specific values that are allowed or denied by

842

# setting either the `allowed_values` or `denied_values` fields. It can also

843

# be used to allow or deny all values, by setting the `all_values` field. If

844

# `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`

845

# or `denied_values` must be set (attempting to set both or neither will

846

# result in a failed request). If `all_values` is set to either `ALLOW` or

847

# `DENY`, `allowed_values` and `denied_values` must be unset.

848

"allValues": "A String", # The policy all_values state.

849

"deniedValues": [ # List of values denied at this resource. Can only be set if no values are

850

# set for `allowed_values` and `all_values` is set to

851

# `ALL_VALUES_UNSPECIFIED`.

852

"A String",

853

],

854

"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.

855

#

856

# By default, a `ListPolicy` set at a resource supercedes any `Policy` set

857

# anywhere up the resource hierarchy. However, if `inherit_from_parent` is

858

# set to `true`, then the values from the effective `Policy` of the parent

859

# resource are inherited, meaning the values set in this `Policy` are

860

# added to the values inherited up the hierarchy.

861

#

862

# Setting `Policy` hierarchies that inherit both allowed values and denied

863

# values isn't recommended in most circumstances to keep the configuration

864

# simple and understandable. However, it is possible to set a `Policy` with

865

# `allowed_values` set that inherits a `Policy` with `denied_values` set.

866

# In this case, the values that are allowed must be in `allowed_values` and

867

# not present in `denied_values`.

868

#

869

# For example, suppose you have a `Constraint`

870

# `constraints/serviceuser.services`, which has a `constraint_type` of

871

# `list_constraint`, and with `constraint_default` set to `ALLOW`.

872

# Suppose that at the Organization level, a `Policy` is applied that

873

# restricts the allowed API activations to {`E1`, `E2`}. Then, if a

874

# `Policy` is applied to a project below the Organization that has

875

# `inherit_from_parent` set to `false` and field all_values set to DENY,

876

# then an attempt to activate any API will be denied.

877

#

878

# The following examples demonstrate different possible layerings:

879

#

880

# Example 1 (no inherited values):

881

# `organizations/foo` has a `Policy` with values:

882

# {allowed_values: “E1” allowed_values:”E2”}

883

# ``projects/bar`` has `inherit_from_parent` `false` and values:

884

# {allowed_values: "E3" allowed_values: "E4"}

885

# The accepted values at `organizations/foo` are `E1`, `E2`.

886

# The accepted values at `projects/bar` are `E3`, and `E4`.

887

#

888

# Example 2 (inherited values):

889

# `organizations/foo` has a `Policy` with values:

890

# {allowed_values: “E1” allowed_values:”E2”}

891

# `projects/bar` has a `Policy` with values:

892

# {value: “E3” value: ”E4” inherit_from_parent: true}

893

# The accepted values at `organizations/foo` are `E1`, `E2`.

894

# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.

895

#

896

# Example 3 (inheriting both allowed and denied values):

897

# `organizations/foo` has a `Policy` with values:

898

# {allowed_values: "E1" allowed_values: "E2"}

899

# `projects/bar` has a `Policy` with:

900

# {denied_values: "E1"}

901

# The accepted values at `organizations/foo` are `E1`, `E2`.

902

# The value accepted at `projects/bar` is `E2`.

903

#

904

# Example 4 (RestoreDefault):

905

# `organizations/foo` has a `Policy` with values:

906

# {allowed_values: “E1” allowed_values:”E2”}

907

# `projects/bar` has a `Policy` with values:

908

# {RestoreDefault: {}}

909

# The accepted values at `organizations/foo` are `E1`, `E2`.

910

# The accepted values at `projects/bar` are either all or none depending on

911

# the value of `constraint_default` (if `ALLOW`, all; if

912

# `DENY`, none).

913

#

914

# Example 5 (no policy inherits parent policy):

915

# `organizations/foo` has no `Policy` set.

916

# `projects/bar` has no `Policy` set.

917

# The accepted values at both levels are either all or none depending on

918

# the value of `constraint_default` (if `ALLOW`, all; if

919

# `DENY`, none).

920

#

921

# Example 6 (ListConstraint allowing all):

922

# `organizations/foo` has a `Policy` with values:

923

# {allowed_values: “E1” allowed_values: ”E2”}

924

# `projects/bar` has a `Policy` with:

925

# {all: ALLOW}

926

# The accepted values at `organizations/foo` are `E1`, E2`.

927

# Any value is accepted at `projects/bar`.

928

#

929

# Example 7 (ListConstraint allowing none):

930

# `organizations/foo` has a `Policy` with values:

931

# {allowed_values: “E1” allowed_values: ”E2”}

932

# `projects/bar` has a `Policy` with:

933

# {all: DENY}

934

# The accepted values at `organizations/foo` are `E1`, E2`.

935

# No value is accepted at `projects/bar`.

936

"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration

937

# that matches the value specified in this `Policy`. If `suggested_value`

938

# is not set, it will inherit the value specified higher in the hierarchy,

939

# unless `inherit_from_parent` is `false`.

940

"allowedValues": [ # List of values allowed at this resource. an only be set if no values are

941

# set for `denied_values` and `all_values` is set to

942

# `ALL_VALUES_UNSPECIFIED`.

"A String",

],

},

"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.

947

# resource.

948

"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any

949

# configuration is acceptable.

950

#

951

# Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`

952

# with `constraint_default` set to `ALLOW`. A `Policy` for that

953

# `Constraint` exhibits the following behavior:

954

# - If the `Policy` at this resource has enforced set to `false`, serial

955

# port connection attempts will be allowed.

956

# - If the `Policy` at this resource has enforced set to `true`, serial

957

# port connection attempts will be refused.

958

# - If the `Policy` at this resource is `RestoreDefault`, serial port

959

# connection attempts will be allowed.

960

# - If no `Policy` is set at this resource or anywhere higher in the

961

# resource hierarchy, serial port connection attempts will be allowed.

962

# - If no `Policy` is set at this resource, but one exists higher in the

963

# resource hierarchy, the behavior is as if the`Policy` were set at

964

# this resource.

965

#

966

# The following examples demonstrate the different possible layerings:

967

#

968

# Example 1 (nearest `Constraint` wins):

969

# `organizations/foo` has a `Policy` with:

970

# {enforced: false}

971

# `projects/bar` has no `Policy` set.

972

# The constraint at `projects/bar` and `organizations/foo` will not be

973

# enforced.

974

#

975

# Example 2 (enforcement gets replaced):

976

# `organizations/foo` has a `Policy` with:

977

# {enforced: false}

978

# `projects/bar` has a `Policy` with:

979

# {enforced: true}

980

# The constraint at `organizations/foo` is not enforced.

981

# The constraint at `projects/bar` is enforced.

982

#

983

# Example 3 (RestoreDefault):

984

# `organizations/foo` has a `Policy` with:

985

# {enforced: true}

986

# `projects/bar` has a `Policy` with:

987

# {RestoreDefault: {}}

988

# The constraint at `organizations/foo` is enforced.

989

# The constraint at `projects/bar` is not enforced, because

990

# `constraint_default` for the `Constraint` is `ALLOW`.

991

},

992

"version": 42, # Version of the `Policy`. Default version is 0;

993

"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for

994

# concurrency control.

995

#

996

# When the `Policy` is returned from either a `GetPolicy` or a

997

# `ListOrgPolicy` request, this `etag` indicates the version of the current

998

# `Policy` to use when executing a read-modify-write loop.

999

#

1000

# When the `Policy` is returned from a `GetEffectivePolicy` request, the

1001

# `etag` will be unset.

1002

#

1003

# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value

1004

# that was returned from a `GetOrgPolicy` request as part of a

1005

# read-modify-write loop for concurrency control. Not setting the `etag`in a

1006

# `SetOrgPolicy` request will result in an unconditional write of the

# `Policy`.

}</pre>

</div>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

1012

<code class="details" id="getIamPolicy">getIamPolicy(resource=None, body, x__xgafv=None)</code>

1013

<pre>Returns the IAM access control policy for the specified Project.

1014

Permission is denied if the policy or the resource does not exist.

1015

1016

Args:

1017

resource: string, REQUIRED: The resource for which the policy is being requested.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

1018

See the operation documentation for the appropriate value for this field. (required)

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

1019

body: object, The request body. (required)

1020

The object takes the form of:

1021

1022

{ # Request message for `GetIamPolicy` method.

1023

}

1024

1025

x__xgafv: string, V1 error format.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

1026

Allowed values

1027

1 - v1 error format

1028

2 - v2 error format

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

1029

1030

Returns:

1031

An object of the form:

1032

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

1033

{ # Defines an Identity and Access Management (IAM) policy. It is used to

1034

# specify access control policies for Cloud Platform resources.

1035

#

1036

#

1037

# A `Policy` consists of a list of `bindings`. A `Binding` binds a list of

1038

# `members` to a `role`, where the members can be user accounts, Google groups,

1039

# Google domains, and service accounts. A `role` is a named list of permissions

# defined by IAM.

#

# **Example**

#

# {

# "bindings": [

# {

# "role": "roles/owner",

1048

# "members": [

1049

# "user:mike@example.com",

1050

# "group:admins@example.com",

1051

# "domain:google.com",

1052

# "serviceAccount:my-other-app@appspot.gserviceaccount.com",

# ]

# },

# {

# "role": "roles/viewer",

1057

# "members": ["user:sean@example.com"]

# }

# ]

# }

#

# For a description of IAM and its features, see the

1063

# [IAM developer's guide](https://cloud.google.com/iam).

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

1064

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

1065

{ # Specifies the audit configuration for a service.

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame^]

1066

# The configuration determines which permission types are logged, and what

1067

# identities, if any, are exempted from logging.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

1068

# An AuditConifg must have one or more AuditLogConfigs.

1069

#

1070

# If there are AuditConfigs for both `allServices` and a specific service,

1071

# the union of the two AuditConfigs is used for that service: the log_types

1072

# specified in each AuditConfig are enabled, and the exempted_members in each

1073

# AuditConfig are exempted.

1074

# Example Policy with multiple AuditConfigs:

# {

# "audit_configs": [

# {

# "service": "allServices"

1079

# "audit_log_configs": [

1080

# {

1081

# "log_type": "DATA_READ",

1082

# "exempted_members": [

1083

# "user:foo@gmail.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

1088

# },

1089

# {

1090

# "log_type": "ADMIN_READ",

# }

# ]

# },

# {

# "service": "fooservice@googleapis.com"

1096

# "audit_log_configs": [

1097

# {

1098

# "log_type": "DATA_READ",

1099

# },

1100

# {

1101

# "log_type": "DATA_WRITE",

1102

# "exempted_members": [

1103

# "user:bar@gmail.com"

# ]

# }

# ]

# }

# ]

# }

# For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ

1111

# logging. It also exempts foo@gmail.com from DATA_READ logging, and

1112

# bar@gmail.com from DATA_WRITE logging.

1113

"auditLogConfigs": [ # The configuration for logging of each type of permission.

1114

# Next ID: 4

1115

{ # Provides the configuration for logging a type of permissions.

# Example:

#

# {

# "audit_log_configs": [

1120

# {

1121

# "log_type": "DATA_READ",

1122

# "exempted_members": [

1123

# "user:foo@gmail.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

# }

# ]

# }

#

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting

1133

# foo@gmail.com from DATA_READ logging.

1134

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of

1135

# permission.

1136

# Follows the same format of Binding.members.

1137

"A String",

1138

],

1139

"logType": "A String", # The log type that this config enables.

1140

},

1141

],

1142

"service": "A String", # Specifies a service that will be enabled for audit logging.

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame^]

1143

# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

1144

# `allServices` is a special value that covers all services.

1145

},

1146

],

1147

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

1148

# prevent simultaneous updates of a policy from overwriting each other.

1149

# It is strongly suggested that systems make use of the `etag` in the

1150

# read-modify-write cycle to perform policy updates in order to avoid race

1151

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

1152

# systems are expected to put that etag in the request to `setIamPolicy` to

1153

# ensure that their change will be applied to the same version of the policy.

1154

#

1155

# If no `etag` is provided in the call to `setIamPolicy`, then the existing

1156

# policy is overwritten blindly.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

1157

"bindings": [ # Associates a list of `members` to a `role`.

1158

# Multiple `bindings` must not be specified for the same `role`.

1159

# `bindings` with no members will result in an error.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

1160

{ # Associates `members` with a `role`.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

1161

"role": "A String", # Role that is assigned to `members`.

1162

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

1163

# Required

1164

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

1165

# `members` can have the following values:

1166

#

1167

# * `allUsers`: A special identifier that represents anyone who is

1168

# on the internet; with or without a Google account.

1169

#

1170

# * `allAuthenticatedUsers`: A special identifier that represents anyone

1171

# who is authenticated with a Google account or a service account.

1172

#

1173

# * `user:{emailid}`: An email address that represents a specific Google

1174

# account. For example, `alice@gmail.com` or `joe@example.com`.

1175

#

1176

#

1177

# * `serviceAccount:{emailid}`: An email address that represents a service

1178

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

1179

#

1180

# * `group:{emailid}`: An email address that represents a Google group.

1181

# For example, `admins@example.com`.

1182

#

1183

# * `domain:{domain}`: A Google Apps domain name that represents all the

1184

# users of that domain. For example, `google.com` or `example.com`.

1185

#

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

"A String",

],

},

],

"version": 42, # Version of the `Policy`. The default version is 0.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

}</pre>

</div>

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame^]

1195

<code class="details" id="getOrgPolicy">getOrgPolicy(resource, body, x__xgafv=None)</code>

1196

<pre>Gets a `Policy` on a resource.

1197

1198

If no `Policy` is set on the resource, a `Policy` is returned with default

1199

values including `POLICY_TYPE_NOT_SET` for the `policy_type oneof`. The

1200

`etag` value can be used with `SetOrgPolicy()` to create or update a

1201

`Policy` during read-modify-write.

1202

1203

Args:

1204

resource: string, Name of the resource the `Policy` is set on. (required)

1205

body: object, The request body. (required)

1206

The object takes the form of:

1207

1208

{ # The request sent to the GetOrgPolicy method.

1209

"constraint": "A String", # Name of the `Constraint` to get the `Policy`.

1210

}

1211

1212

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1219

1220

{ # Defines a Cloud Organization `Policy` which is used to specify `Constraints`

1221

# for configurations of Cloud Platform resources.

1222

"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the

1223

# server, not specified by the caller, and represents the last time a call to

1224

# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will

1225

# be ignored.

1226

"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,

1227

# `constraints/serviceuser.services`.

1228

#

1229

# Immutable after creation.

1230

"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of

1231

# `Constraint` type.

1232

# `constraint_default` enforcement behavior of the specific `Constraint` at

1233

# this resource.

1234

#

1235

# Suppose that `constraint_default` is set to `ALLOW` for the

1236

# `Constraint` `constraints/serviceuser.services`. Suppose that organization

1237

# foo.com sets a `Policy` at their Organization resource node that restricts

1238

# the allowed service activations to deny all service activations. They

1239

# could then set a `Policy` with the `policy_type` `restore_default` on

1240

# several experimental projects, restoring the `constraint_default`

1241

# enforcement of the `Constraint` for only those projects, allowing those

1242

# projects to have all services activated.

1243

},

1244

"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.

1245

# resource.

1246

#

1247

# A `ListPolicy` can define specific values that are allowed or denied by

1248

# setting either the `allowed_values` or `denied_values` fields. It can also

1249

# be used to allow or deny all values, by setting the `all_values` field. If

1250

# `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`

1251

# or `denied_values` must be set (attempting to set both or neither will

1252

# result in a failed request). If `all_values` is set to either `ALLOW` or

1253

# `DENY`, `allowed_values` and `denied_values` must be unset.

1254

"allValues": "A String", # The policy all_values state.

1255

"deniedValues": [ # List of values denied at this resource. Can only be set if no values are

1256

# set for `allowed_values` and `all_values` is set to

1257

# `ALL_VALUES_UNSPECIFIED`.

1258

"A String",

1259

],

1260

"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.

1261

#

1262

# By default, a `ListPolicy` set at a resource supercedes any `Policy` set

1263

# anywhere up the resource hierarchy. However, if `inherit_from_parent` is

1264

# set to `true`, then the values from the effective `Policy` of the parent

1265

# resource are inherited, meaning the values set in this `Policy` are

1266

# added to the values inherited up the hierarchy.

1267

#

1268

# Setting `Policy` hierarchies that inherit both allowed values and denied

1269

# values isn't recommended in most circumstances to keep the configuration

1270

# simple and understandable. However, it is possible to set a `Policy` with

1271

# `allowed_values` set that inherits a `Policy` with `denied_values` set.

1272

# In this case, the values that are allowed must be in `allowed_values` and

1273

# not present in `denied_values`.

1274

#

1275

# For example, suppose you have a `Constraint`

1276

# `constraints/serviceuser.services`, which has a `constraint_type` of

1277

# `list_constraint`, and with `constraint_default` set to `ALLOW`.

1278

# Suppose that at the Organization level, a `Policy` is applied that

1279

# restricts the allowed API activations to {`E1`, `E2`}. Then, if a

1280

# `Policy` is applied to a project below the Organization that has

1281

# `inherit_from_parent` set to `false` and field all_values set to DENY,

1282

# then an attempt to activate any API will be denied.

1283

#

1284

# The following examples demonstrate different possible layerings:

1285

#

1286

# Example 1 (no inherited values):

1287

# `organizations/foo` has a `Policy` with values:

1288

# {allowed_values: “E1” allowed_values:”E2”}

1289

# ``projects/bar`` has `inherit_from_parent` `false` and values:

1290

# {allowed_values: "E3" allowed_values: "E4"}

1291

# The accepted values at `organizations/foo` are `E1`, `E2`.

1292

# The accepted values at `projects/bar` are `E3`, and `E4`.

1293

#

1294

# Example 2 (inherited values):

1295

# `organizations/foo` has a `Policy` with values:

1296

# {allowed_values: “E1” allowed_values:”E2”}

1297

# `projects/bar` has a `Policy` with values:

1298

# {value: “E3” value: ”E4” inherit_from_parent: true}

1299

# The accepted values at `organizations/foo` are `E1`, `E2`.

1300

# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.

1301

#

1302

# Example 3 (inheriting both allowed and denied values):

1303

# `organizations/foo` has a `Policy` with values:

1304

# {allowed_values: "E1" allowed_values: "E2"}

1305

# `projects/bar` has a `Policy` with:

1306

# {denied_values: "E1"}

1307

# The accepted values at `organizations/foo` are `E1`, `E2`.

1308

# The value accepted at `projects/bar` is `E2`.

1309

#

1310

# Example 4 (RestoreDefault):

1311

# `organizations/foo` has a `Policy` with values:

1312

# {allowed_values: “E1” allowed_values:”E2”}

1313

# `projects/bar` has a `Policy` with values:

1314

# {RestoreDefault: {}}

1315

# The accepted values at `organizations/foo` are `E1`, `E2`.

1316

# The accepted values at `projects/bar` are either all or none depending on

1317

# the value of `constraint_default` (if `ALLOW`, all; if

1318

# `DENY`, none).

1319

#

1320

# Example 5 (no policy inherits parent policy):

1321

# `organizations/foo` has no `Policy` set.

1322

# `projects/bar` has no `Policy` set.

1323

# The accepted values at both levels are either all or none depending on

1324

# the value of `constraint_default` (if `ALLOW`, all; if

1325

# `DENY`, none).

1326

#

1327

# Example 6 (ListConstraint allowing all):

1328

# `organizations/foo` has a `Policy` with values:

1329

# {allowed_values: “E1” allowed_values: ”E2”}

1330

# `projects/bar` has a `Policy` with:

1331

# {all: ALLOW}

1332

# The accepted values at `organizations/foo` are `E1`, E2`.

1333

# Any value is accepted at `projects/bar`.

1334

#

1335

# Example 7 (ListConstraint allowing none):

1336

# `organizations/foo` has a `Policy` with values:

1337

# {allowed_values: “E1” allowed_values: ”E2”}

1338

# `projects/bar` has a `Policy` with:

1339

# {all: DENY}

1340

# The accepted values at `organizations/foo` are `E1`, E2`.

1341

# No value is accepted at `projects/bar`.

1342

"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration

1343

# that matches the value specified in this `Policy`. If `suggested_value`

1344

# is not set, it will inherit the value specified higher in the hierarchy,

1345

# unless `inherit_from_parent` is `false`.

1346

"allowedValues": [ # List of values allowed at this resource. an only be set if no values are

1347

# set for `denied_values` and `all_values` is set to

1348

# `ALL_VALUES_UNSPECIFIED`.

"A String",

],

},

"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.

1353

# resource.

1354

"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any

1355

# configuration is acceptable.

1356

#

1357

# Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`

1358

# with `constraint_default` set to `ALLOW`. A `Policy` for that

1359

# `Constraint` exhibits the following behavior:

1360

# - If the `Policy` at this resource has enforced set to `false`, serial

1361

# port connection attempts will be allowed.

1362

# - If the `Policy` at this resource has enforced set to `true`, serial

1363

# port connection attempts will be refused.

1364

# - If the `Policy` at this resource is `RestoreDefault`, serial port

1365

# connection attempts will be allowed.

1366

# - If no `Policy` is set at this resource or anywhere higher in the

1367

# resource hierarchy, serial port connection attempts will be allowed.

1368

# - If no `Policy` is set at this resource, but one exists higher in the

1369

# resource hierarchy, the behavior is as if the`Policy` were set at

1370

# this resource.

1371

#

1372

# The following examples demonstrate the different possible layerings:

1373

#

1374

# Example 1 (nearest `Constraint` wins):

1375

# `organizations/foo` has a `Policy` with:

1376

# {enforced: false}

1377

# `projects/bar` has no `Policy` set.

1378

# The constraint at `projects/bar` and `organizations/foo` will not be

1379

# enforced.

1380

#

1381

# Example 2 (enforcement gets replaced):

1382

# `organizations/foo` has a `Policy` with:

1383

# {enforced: false}

1384

# `projects/bar` has a `Policy` with:

1385

# {enforced: true}

1386

# The constraint at `organizations/foo` is not enforced.

1387

# The constraint at `projects/bar` is enforced.

1388

#

1389

# Example 3 (RestoreDefault):

1390

# `organizations/foo` has a `Policy` with:

1391

# {enforced: true}

1392

# `projects/bar` has a `Policy` with:

1393

# {RestoreDefault: {}}

1394

# The constraint at `organizations/foo` is enforced.

1395

# The constraint at `projects/bar` is not enforced, because

1396

# `constraint_default` for the `Constraint` is `ALLOW`.

1397

},

1398

"version": 42, # Version of the `Policy`. Default version is 0;

1399

"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for

1400

# concurrency control.

1401

#

1402

# When the `Policy` is returned from either a `GetPolicy` or a

1403

# `ListOrgPolicy` request, this `etag` indicates the version of the current

1404

# `Policy` to use when executing a read-modify-write loop.

1405

#

1406

# When the `Policy` is returned from a `GetEffectivePolicy` request, the

1407

# `etag` will be unset.

1408

#

1409

# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value

1410

# that was returned from a `GetOrgPolicy` request as part of a

1411

# read-modify-write loop for concurrency control. Not setting the `etag`in a

1412

# `SetOrgPolicy` request will result in an unconditional write of the

# `Policy`.

}</pre>

</div>

<code class="details" id="getOrgPolicyV1">getOrgPolicyV1(resource, body, x__xgafv=None)</code>

1419

<pre>Gets a `Policy` on a resource.

1420

1421

If no `Policy` is set on the resource, a `Policy` is returned with default

1422

values including `POLICY_TYPE_NOT_SET` for the `policy_type oneof`. The

1423

`etag` value can be used with `SetOrgPolicy()` to create or update a

1424

`Policy` during read-modify-write.

1425

1426

Args:

1427

resource: string, Name of the resource the `Policy` is set on. (required)

1428

body: object, The request body. (required)

1429

The object takes the form of:

1430

1431

{ # The request sent to the GetOrgPolicy method.

1432

"constraint": "A String", # Name of the `Constraint` to get the `Policy`.

1433

}

1434

1435

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1442

1443

{ # Defines a Cloud Organization `Policy` which is used to specify `Constraints`

1444

# for configurations of Cloud Platform resources.

1445

"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the

1446

# server, not specified by the caller, and represents the last time a call to

1447

# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will

1448

# be ignored.

1449

"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,

1450

# `constraints/serviceuser.services`.

1451

#

1452

# Immutable after creation.

1453

"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of

1454

# `Constraint` type.

1455

# `constraint_default` enforcement behavior of the specific `Constraint` at

1456

# this resource.

1457

#

1458

# Suppose that `constraint_default` is set to `ALLOW` for the

1459

# `Constraint` `constraints/serviceuser.services`. Suppose that organization

1460

# foo.com sets a `Policy` at their Organization resource node that restricts

1461

# the allowed service activations to deny all service activations. They

1462

# could then set a `Policy` with the `policy_type` `restore_default` on

1463

# several experimental projects, restoring the `constraint_default`

1464

# enforcement of the `Constraint` for only those projects, allowing those

1465

# projects to have all services activated.

1466

},

1467

"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.

1468

# resource.

1469

#

1470

# A `ListPolicy` can define specific values that are allowed or denied by

1471

# setting either the `allowed_values` or `denied_values` fields. It can also

1472

# be used to allow or deny all values, by setting the `all_values` field. If

1473

# `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`

1474

# or `denied_values` must be set (attempting to set both or neither will

1475

# result in a failed request). If `all_values` is set to either `ALLOW` or

1476

# `DENY`, `allowed_values` and `denied_values` must be unset.

1477

"allValues": "A String", # The policy all_values state.

1478

"deniedValues": [ # List of values denied at this resource. Can only be set if no values are

1479

# set for `allowed_values` and `all_values` is set to

1480

# `ALL_VALUES_UNSPECIFIED`.

1481

"A String",

1482

],

1483

"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.

1484

#

1485

# By default, a `ListPolicy` set at a resource supercedes any `Policy` set

1486

# anywhere up the resource hierarchy. However, if `inherit_from_parent` is

1487

# set to `true`, then the values from the effective `Policy` of the parent

1488

# resource are inherited, meaning the values set in this `Policy` are

1489

# added to the values inherited up the hierarchy.

1490

#

1491

# Setting `Policy` hierarchies that inherit both allowed values and denied

1492

# values isn't recommended in most circumstances to keep the configuration

1493

# simple and understandable. However, it is possible to set a `Policy` with

1494

# `allowed_values` set that inherits a `Policy` with `denied_values` set.

1495

# In this case, the values that are allowed must be in `allowed_values` and

1496

# not present in `denied_values`.

1497

#

1498

# For example, suppose you have a `Constraint`

1499

# `constraints/serviceuser.services`, which has a `constraint_type` of

1500

# `list_constraint`, and with `constraint_default` set to `ALLOW`.

1501

# Suppose that at the Organization level, a `Policy` is applied that

1502

# restricts the allowed API activations to {`E1`, `E2`}. Then, if a

1503

# `Policy` is applied to a project below the Organization that has

1504

# `inherit_from_parent` set to `false` and field all_values set to DENY,

1505

# then an attempt to activate any API will be denied.

1506

#

1507

# The following examples demonstrate different possible layerings:

1508

#

1509

# Example 1 (no inherited values):

1510

# `organizations/foo` has a `Policy` with values:

1511

# {allowed_values: “E1” allowed_values:”E2”}

1512

# ``projects/bar`` has `inherit_from_parent` `false` and values:

1513

# {allowed_values: "E3" allowed_values: "E4"}

1514

# The accepted values at `organizations/foo` are `E1`, `E2`.

1515

# The accepted values at `projects/bar` are `E3`, and `E4`.

1516

#

1517

# Example 2 (inherited values):

1518

# `organizations/foo` has a `Policy` with values:

1519

# {allowed_values: “E1” allowed_values:”E2”}

1520

# `projects/bar` has a `Policy` with values:

1521

# {value: “E3” value: ”E4” inherit_from_parent: true}

1522

# The accepted values at `organizations/foo` are `E1`, `E2`.

1523

# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.

1524

#

1525

# Example 3 (inheriting both allowed and denied values):

1526

# `organizations/foo` has a `Policy` with values:

1527

# {allowed_values: "E1" allowed_values: "E2"}

1528

# `projects/bar` has a `Policy` with:

1529

# {denied_values: "E1"}

1530

# The accepted values at `organizations/foo` are `E1`, `E2`.

1531

# The value accepted at `projects/bar` is `E2`.

1532

#

1533

# Example 4 (RestoreDefault):

1534

# `organizations/foo` has a `Policy` with values:

1535

# {allowed_values: “E1” allowed_values:”E2”}

1536

# `projects/bar` has a `Policy` with values:

1537

# {RestoreDefault: {}}

1538

# The accepted values at `organizations/foo` are `E1`, `E2`.

1539

# The accepted values at `projects/bar` are either all or none depending on

1540

# the value of `constraint_default` (if `ALLOW`, all; if

1541

# `DENY`, none).

1542

#

1543

# Example 5 (no policy inherits parent policy):

1544

# `organizations/foo` has no `Policy` set.

1545

# `projects/bar` has no `Policy` set.

1546

# The accepted values at both levels are either all or none depending on

1547

# the value of `constraint_default` (if `ALLOW`, all; if

1548

# `DENY`, none).

1549

#

1550

# Example 6 (ListConstraint allowing all):

1551

# `organizations/foo` has a `Policy` with values:

1552

# {allowed_values: “E1” allowed_values: ”E2”}

1553

# `projects/bar` has a `Policy` with:

1554

# {all: ALLOW}

1555

# The accepted values at `organizations/foo` are `E1`, E2`.

1556

# Any value is accepted at `projects/bar`.

1557

#

1558

# Example 7 (ListConstraint allowing none):

1559

# `organizations/foo` has a `Policy` with values:

1560

# {allowed_values: “E1” allowed_values: ”E2”}

1561

# `projects/bar` has a `Policy` with:

1562

# {all: DENY}

1563

# The accepted values at `organizations/foo` are `E1`, E2`.

1564

# No value is accepted at `projects/bar`.

1565

"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration

1566

# that matches the value specified in this `Policy`. If `suggested_value`

1567

# is not set, it will inherit the value specified higher in the hierarchy,

1568

# unless `inherit_from_parent` is `false`.

1569

"allowedValues": [ # List of values allowed at this resource. an only be set if no values are

1570

# set for `denied_values` and `all_values` is set to

1571

# `ALL_VALUES_UNSPECIFIED`.

"A String",

],

},

"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.

1576

# resource.

1577

"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any

1578

# configuration is acceptable.

1579

#

1580

# Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`

1581

# with `constraint_default` set to `ALLOW`. A `Policy` for that

1582

# `Constraint` exhibits the following behavior:

1583

# - If the `Policy` at this resource has enforced set to `false`, serial

1584

# port connection attempts will be allowed.

1585

# - If the `Policy` at this resource has enforced set to `true`, serial

1586

# port connection attempts will be refused.

1587

# - If the `Policy` at this resource is `RestoreDefault`, serial port

1588

# connection attempts will be allowed.

1589

# - If no `Policy` is set at this resource or anywhere higher in the

1590

# resource hierarchy, serial port connection attempts will be allowed.

1591

# - If no `Policy` is set at this resource, but one exists higher in the

1592

# resource hierarchy, the behavior is as if the`Policy` were set at

1593

# this resource.

1594

#

1595

# The following examples demonstrate the different possible layerings:

1596

#

1597

# Example 1 (nearest `Constraint` wins):

1598

# `organizations/foo` has a `Policy` with:

1599

# {enforced: false}

1600

# `projects/bar` has no `Policy` set.

1601

# The constraint at `projects/bar` and `organizations/foo` will not be

1602

# enforced.

1603

#

1604

# Example 2 (enforcement gets replaced):

1605

# `organizations/foo` has a `Policy` with:

1606

# {enforced: false}

1607

# `projects/bar` has a `Policy` with:

1608

# {enforced: true}

1609

# The constraint at `organizations/foo` is not enforced.

1610

# The constraint at `projects/bar` is enforced.

1611

#

1612

# Example 3 (RestoreDefault):

1613

# `organizations/foo` has a `Policy` with:

1614

# {enforced: true}

1615

# `projects/bar` has a `Policy` with:

1616

# {RestoreDefault: {}}

1617

# The constraint at `organizations/foo` is enforced.

1618

# The constraint at `projects/bar` is not enforced, because

1619

# `constraint_default` for the `Constraint` is `ALLOW`.

1620

},

1621

"version": 42, # Version of the `Policy`. Default version is 0;

1622

"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for

1623

# concurrency control.

1624

#

1625

# When the `Policy` is returned from either a `GetPolicy` or a

1626

# `ListOrgPolicy` request, this `etag` indicates the version of the current

1627

# `Policy` to use when executing a read-modify-write loop.

1628

#

1629

# When the `Policy` is returned from a `GetEffectivePolicy` request, the

1630

# `etag` will be unset.

1631

#

1632

# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value

1633

# that was returned from a `GetOrgPolicy` request as part of a

1634

# read-modify-write loop for concurrency control. Not setting the `etag`in a

1635

# `SetOrgPolicy` request will result in an unconditional write of the

# `Policy`.

}</pre>

</div>

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

1641

<code class="details" id="list">list(pageSize=None, filter=None, pageToken=None, x__xgafv=None)</code>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

1642

<pre>Lists Projects that are visible to the user and satisfy the

1643

specified filter. This method returns Projects in an unspecified order.

1644

New Projects do not necessarily appear at the end of the list.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

1645

1646

Args:

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

1647

pageSize: integer, The maximum number of Projects to return in the response.

1648

The server can return fewer Projects than requested.

1649

If unspecified, server picks an appropriate default.

1650

1651

Optional.

1652

filter: string, An expression for filtering the results of the request. Filter rules are

1653

case insensitive. The fields eligible for filtering are:

+ `name`

+ `id`

+ <code>labels.<em>key</em></code> where *key* is the name of a label

1658

1659

Some examples of using labels as filters:

|Filter|Description|

|------|-----------|

|name:*|The project has a name.|

1664

|name:Howl|The project's name is `Howl` or `howl`.|

1665

|name:HOWL|Equivalent to above.|

1666

|NAME:howl|Equivalent to above.|

1667

|labels.color:*|The project has the label `color`.|

1668

|labels.color:red|The project's label `color` has the value `red`.|

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame^]

1669

|labels.color:red labels.size:big|The project's label `color` has the

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

1670

value `red` and its label `size` has the value `big`.

1671

1672

Optional.

1673

pageToken: string, A pagination token returned from a previous call to ListProjects

1674

that indicates from where listing should continue.

1675

1676

Optional.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

1677

x__xgafv: string, V1 error format.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

1678

Allowed values

1679

1 - v1 error format

1680

2 - v2 error format

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

1681

1682

Returns:

1683

An object of the form:

1684

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

1685

{ # A page of the response received from the

# ListProjects

# method.

#

# A paginated response where more pages are available has

1690

# `next_page_token` set. This token can be used in a subsequent request to

1691

# retrieve the next request page.

1692

"nextPageToken": "A String", # Pagination token.

1693

#

1694

# If the result set is too large to fit in a single response, this token

1695

# is returned. It encodes the position of the current result cursor.

1696

# Feeding this value into a new list request with the `page_token` parameter

1697

# gives the next page of the results.

1698

#

1699

# When `next_page_token` is not filled in, there is no next page and

1700

# the list returned is the last page in the result set.

1701

#

1702

# Pagination tokens have a limited lifetime.

1703

"projects": [ # The list of Projects that matched the list filter. This list can

1704

# be paginated.

1705

{ # A Project is a high-level Google Cloud Platform entity. It is a

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

1706

# container for ACLs, APIs, App Engine Apps, VMs, and other

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

1707

# Google Cloud Platform resources.

1708

"name": "A String", # The user-assigned display name of the Project.

1709

# It must be 4 to 30 characters.

1710

# Allowed characters are: lowercase and uppercase letters, numbers,

1711

# hyphen, single-quote, double-quote, space, and exclamation point.

1712

#

1713

# Example: <code>My Project</code>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

1714

# Read-write.

1715

"parent": { # A container to reference an id for any resource type. A `resource` in Google # An optional reference to a parent Resource.

1716

#

1717

# The only supported parent type is "organization". Once set, the parent

1718

# cannot be modified. The `parent` can be set on creation or using the

1719

# `UpdateProject` method; the end user must have the

1720

# `resourcemanager.projects.create` permission on the parent.

1721

#

1722

# Read-write.

1723

# Cloud Platform is a generic term for something you (a developer) may want to

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

1724

# interact with through one of our API's. Some examples are an App Engine app,

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

1725

# a Compute Engine instance, a Cloud SQL database, and so on.

1726

"type": "A String", # Required field representing the resource type this id is for.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

1727

# At present, the valid types are: "organization"

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

1728

"id": "A String", # Required field for the type-specific id. This should correspond to the id

1729

# used in the type-specific API's.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

1730

},

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

1731

"projectId": "A String", # The unique, user-assigned ID of the Project.

1732

# It must be 6 to 30 lowercase letters, digits, or hyphens.

1733

# It must start with a letter.

1734

# Trailing hyphens are prohibited.

1735

#

1736

# Example: <code>tokyo-rain-123</code>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

1737

# Read-only after creation.

1738

"labels": { # The labels associated with this Project.

1739

#

1740

# Label keys must be between 1 and 63 characters long and must conform

1741

# to the following regular expression: \[a-z\](\[-a-z0-9\]*\[a-z0-9\])?.

1742

#

1743

# Label values must be between 0 and 63 characters long and must conform

1744

# to the regular expression (\[a-z\](\[-a-z0-9\]*\[a-z0-9\])?)?.

1745

#

1746

# No more than 256 labels can be associated with a given resource.

1747

#

1748

# Clients should store labels in a representation such as JSON that does not

1749

# depend on specific characters being disallowed.

1750

#

1751

# Example: <code>"environment" : "dev"</code>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

1752

# Read-write.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

1753

"a_key": "A String",

1754

},

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

1755

"projectNumber": "A String", # The number uniquely identifying the project.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

1756

#

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

1757

# Example: <code>415104041262</code>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

1758

# Read-only.

1759

"lifecycleState": "A String", # The Project lifecycle state.

1760

#

1761

# Read-only.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

1762

"createTime": "A String", # Creation time.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

1763

#

1764

# Read-only.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

},

],

}</pre>

</div>

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame^]

1771

<code class="details" id="listAvailableOrgPolicyConstraints">listAvailableOrgPolicyConstraints(resource, body, x__xgafv=None)</code>

1772

<pre>Lists `Constraints` that could be applied on the specified resource.

1773

1774

Args:

1775

resource: string, Name of the resource to list `Constraints` for. (required)

1776

body: object, The request body. (required)

1777

The object takes the form of:

1778

1779

{ # The request sent to the [ListAvailableOrgPolicyConstraints]

1780

# google.cloud.OrgPolicy.v1.ListAvailableOrgPolicyConstraints] method.

1781

"pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported

1782

# and will be ignored. The server may at any point start using this field.

1783

"pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will

1784

# be ignored. The server may at any point start using this field to limit

# page size.

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1795

1796

{ # The response returned from the ListAvailableOrgPolicyConstraints method.

1797

# Returns all `Constraints` that could be set at this level of the hierarchy

1798

# (contrast with the response from `ListPolicies`, which returns all policies

1799

# which are set).

1800

"nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used.

1801

"constraints": [ # The collection of constraints that are settable on the request resource.

1802

{ # A `Constraint` describes a way in which a resource's configuration can be

1803

# restricted. For example, it controls which cloud services can be activated

1804

# across an organization, or whether a Compute Engine instance can have

1805

# serial port connections established. `Constraints` can be configured by the

1806

# organization's policy adminstrator to fit the needs of the organzation by

1807

# setting Policies for `Constraints` at different locations in the

1808

# organization's resource hierarchy. Policies are inherited down the resource

1809

# hierarchy from higher levels, but can also be overridden. For details about

1810

# the inheritance rules please read about

1811

# Policies.

1812

#

1813

# `Constraints` have a default behavior determined by the `constraint_default`

1814

# field, which is the enforcement behavior that is used in the absence of a

1815

# `Policy` being defined or inherited for the resource in question.

1816

"constraintDefault": "A String", # The evaluation behavior of this constraint in the absense of 'Policy'.

1817

"displayName": "A String", # The human readable name.

1818

#

1819

# Mutable.

1820

"name": "A String", # Immutable value, required to globally be unique. For example,

1821

# `constraints/serviceuser.services`

1822

"booleanConstraint": { # A `Constraint` that is either enforced or not. # Defines this constraint as being a BooleanConstraint.

1823

#

1824

# For example a constraint `constraints/compute.disableSerialPortAccess`.

1825

# If it is enforced on a VM instance, serial port connections will not be

1826

# opened to that instance.

1827

},

1828

"version": 42, # Version of the `Constraint`. Default version is 0;

1829

"listConstraint": { # A `Constraint` that allows or disallows a list of string values, which are # Defines this constraint as being a ListConstraint.

1830

# configured by an Organization's policy administrator with a `Policy`.

1831

"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration

1832

# that matches the value specified in this `Constraint`.

1833

},

1834

"description": "A String", # Detailed description of what this `Constraint` controls as well as how and

1835

# where it is enforced.

#

# Mutable.

},

],

}</pre>

</div>

<code class="details" id="listAvailableOrgPolicyConstraints_next">listAvailableOrgPolicyConstraints_next(previous_request, previous_response)</code>

1845

<pre>Retrieves the next page of results.

1846

1847

Args:

1848

previous_request: The request for the previous page. (required)

1849

previous_response: The response from the request for the previous page. (required)

1850

1851

Returns:

1852

A request object that you can call 'execute()' on to request the next

1853

page. Returns None if there are no more items in the collection.

</pre>

</div>

<code class="details" id="listOrgPolicies">listOrgPolicies(resource, body, x__xgafv=None)</code>

1859

<pre>Lists all the `Policies` set for a particular resource.

1860

1861

Args:

1862

resource: string, Name of the resource to list Policies for. (required)

1863

body: object, The request body. (required)

1864

The object takes the form of:

1865

1866

{ # The request sent to the ListOrgPolicies method.

1867

"pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported

1868

# and will be ignored. The server may at any point start using this field.

1869

"pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will

1870

# be ignored. The server may at any point start using this field to limit

# page size.

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1881

1882

{ # The response returned from the ListOrgPolicies method. It will be empty

1883

# if no `Policies` are set on the resource.

1884

"nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used, but

1885

# the server may at any point start supplying a valid token.

1886

"policies": [ # The `Policies` that are set on the resource. It will be empty if no

1887

# `Policies` are set.

1888

{ # Defines a Cloud Organization `Policy` which is used to specify `Constraints`

1889

# for configurations of Cloud Platform resources.

1890

"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the

1891

# server, not specified by the caller, and represents the last time a call to

1892

# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will

1893

# be ignored.

1894

"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,

1895

# `constraints/serviceuser.services`.

1896

#

1897

# Immutable after creation.

1898

"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of

1899

# `Constraint` type.

1900

# `constraint_default` enforcement behavior of the specific `Constraint` at

1901

# this resource.

1902

#

1903

# Suppose that `constraint_default` is set to `ALLOW` for the

1904

# `Constraint` `constraints/serviceuser.services`. Suppose that organization

1905

# foo.com sets a `Policy` at their Organization resource node that restricts

1906

# the allowed service activations to deny all service activations. They

1907

# could then set a `Policy` with the `policy_type` `restore_default` on

1908

# several experimental projects, restoring the `constraint_default`

1909

# enforcement of the `Constraint` for only those projects, allowing those

1910

# projects to have all services activated.

1911

},

1912

"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.

1913

# resource.

1914

#

1915

# A `ListPolicy` can define specific values that are allowed or denied by

1916

# setting either the `allowed_values` or `denied_values` fields. It can also

1917

# be used to allow or deny all values, by setting the `all_values` field. If

1918

# `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`

1919

# or `denied_values` must be set (attempting to set both or neither will

1920

# result in a failed request). If `all_values` is set to either `ALLOW` or

1921

# `DENY`, `allowed_values` and `denied_values` must be unset.

1922

"allValues": "A String", # The policy all_values state.

1923

"deniedValues": [ # List of values denied at this resource. Can only be set if no values are

1924

# set for `allowed_values` and `all_values` is set to

1925

# `ALL_VALUES_UNSPECIFIED`.

1926

"A String",

1927

],

1928

"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.

1929

#

1930

# By default, a `ListPolicy` set at a resource supercedes any `Policy` set

1931

# anywhere up the resource hierarchy. However, if `inherit_from_parent` is

1932

# set to `true`, then the values from the effective `Policy` of the parent

1933

# resource are inherited, meaning the values set in this `Policy` are

1934

# added to the values inherited up the hierarchy.

1935

#

1936

# Setting `Policy` hierarchies that inherit both allowed values and denied

1937

# values isn't recommended in most circumstances to keep the configuration

1938

# simple and understandable. However, it is possible to set a `Policy` with

1939

# `allowed_values` set that inherits a `Policy` with `denied_values` set.

1940

# In this case, the values that are allowed must be in `allowed_values` and

1941

# not present in `denied_values`.

1942

#

1943

# For example, suppose you have a `Constraint`

1944

# `constraints/serviceuser.services`, which has a `constraint_type` of

1945

# `list_constraint`, and with `constraint_default` set to `ALLOW`.

1946

# Suppose that at the Organization level, a `Policy` is applied that

1947

# restricts the allowed API activations to {`E1`, `E2`}. Then, if a

1948

# `Policy` is applied to a project below the Organization that has

1949

# `inherit_from_parent` set to `false` and field all_values set to DENY,

1950

# then an attempt to activate any API will be denied.

1951

#

1952

# The following examples demonstrate different possible layerings:

1953

#

1954

# Example 1 (no inherited values):

1955

# `organizations/foo` has a `Policy` with values:

1956

# {allowed_values: “E1” allowed_values:”E2”}

1957

# ``projects/bar`` has `inherit_from_parent` `false` and values:

1958

# {allowed_values: "E3" allowed_values: "E4"}

1959

# The accepted values at `organizations/foo` are `E1`, `E2`.

1960

# The accepted values at `projects/bar` are `E3`, and `E4`.

1961

#

1962

# Example 2 (inherited values):

1963

# `organizations/foo` has a `Policy` with values:

1964

# {allowed_values: “E1” allowed_values:”E2”}

1965

# `projects/bar` has a `Policy` with values:

1966

# {value: “E3” value: ”E4” inherit_from_parent: true}

1967

# The accepted values at `organizations/foo` are `E1`, `E2`.

1968

# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.

1969

#

1970

# Example 3 (inheriting both allowed and denied values):

1971

# `organizations/foo` has a `Policy` with values:

1972

# {allowed_values: "E1" allowed_values: "E2"}

1973

# `projects/bar` has a `Policy` with:

1974

# {denied_values: "E1"}

1975

# The accepted values at `organizations/foo` are `E1`, `E2`.

1976

# The value accepted at `projects/bar` is `E2`.

1977

#

1978

# Example 4 (RestoreDefault):

1979

# `organizations/foo` has a `Policy` with values:

1980

# {allowed_values: “E1” allowed_values:”E2”}

1981

# `projects/bar` has a `Policy` with values:

1982

# {RestoreDefault: {}}

1983

# The accepted values at `organizations/foo` are `E1`, `E2`.

1984

# The accepted values at `projects/bar` are either all or none depending on

1985

# the value of `constraint_default` (if `ALLOW`, all; if

1986

# `DENY`, none).

1987

#

1988

# Example 5 (no policy inherits parent policy):

1989

# `organizations/foo` has no `Policy` set.

1990

# `projects/bar` has no `Policy` set.

1991

# The accepted values at both levels are either all or none depending on

1992

# the value of `constraint_default` (if `ALLOW`, all; if

1993

# `DENY`, none).

1994

#

1995

# Example 6 (ListConstraint allowing all):

1996

# `organizations/foo` has a `Policy` with values:

1997

# {allowed_values: “E1” allowed_values: ”E2”}

1998

# `projects/bar` has a `Policy` with:

1999

# {all: ALLOW}

2000

# The accepted values at `organizations/foo` are `E1`, E2`.

2001

# Any value is accepted at `projects/bar`.

2002

#

2003

# Example 7 (ListConstraint allowing none):

2004

# `organizations/foo` has a `Policy` with values:

2005

# {allowed_values: “E1” allowed_values: ”E2”}

2006

# `projects/bar` has a `Policy` with:

2007

# {all: DENY}

2008

# The accepted values at `organizations/foo` are `E1`, E2`.

2009

# No value is accepted at `projects/bar`.

2010

"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration

2011

# that matches the value specified in this `Policy`. If `suggested_value`

2012

# is not set, it will inherit the value specified higher in the hierarchy,

2013

# unless `inherit_from_parent` is `false`.

2014

"allowedValues": [ # List of values allowed at this resource. an only be set if no values are

2015

# set for `denied_values` and `all_values` is set to

2016

# `ALL_VALUES_UNSPECIFIED`.

"A String",

],

},

"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.

2021

# resource.

2022

"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any

2023

# configuration is acceptable.

2024

#

2025

# Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`

2026

# with `constraint_default` set to `ALLOW`. A `Policy` for that

2027

# `Constraint` exhibits the following behavior:

2028

# - If the `Policy` at this resource has enforced set to `false`, serial

2029

# port connection attempts will be allowed.

2030

# - If the `Policy` at this resource has enforced set to `true`, serial

2031

# port connection attempts will be refused.

2032

# - If the `Policy` at this resource is `RestoreDefault`, serial port

2033

# connection attempts will be allowed.

2034

# - If no `Policy` is set at this resource or anywhere higher in the

2035

# resource hierarchy, serial port connection attempts will be allowed.

2036

# - If no `Policy` is set at this resource, but one exists higher in the

2037

# resource hierarchy, the behavior is as if the`Policy` were set at

2038

# this resource.

2039

#

2040

# The following examples demonstrate the different possible layerings:

2041

#

2042

# Example 1 (nearest `Constraint` wins):

2043

# `organizations/foo` has a `Policy` with:

2044

# {enforced: false}

2045

# `projects/bar` has no `Policy` set.

2046

# The constraint at `projects/bar` and `organizations/foo` will not be

2047

# enforced.

2048

#

2049

# Example 2 (enforcement gets replaced):

2050

# `organizations/foo` has a `Policy` with:

2051

# {enforced: false}

2052

# `projects/bar` has a `Policy` with:

2053

# {enforced: true}

2054

# The constraint at `organizations/foo` is not enforced.

2055

# The constraint at `projects/bar` is enforced.

2056

#

2057

# Example 3 (RestoreDefault):

2058

# `organizations/foo` has a `Policy` with:

2059

# {enforced: true}

2060

# `projects/bar` has a `Policy` with:

2061

# {RestoreDefault: {}}

2062

# The constraint at `organizations/foo` is enforced.

2063

# The constraint at `projects/bar` is not enforced, because

2064

# `constraint_default` for the `Constraint` is `ALLOW`.

2065

},

2066

"version": 42, # Version of the `Policy`. Default version is 0;

2067

"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for

2068

# concurrency control.

2069

#

2070

# When the `Policy` is returned from either a `GetPolicy` or a

2071

# `ListOrgPolicy` request, this `etag` indicates the version of the current

2072

# `Policy` to use when executing a read-modify-write loop.

2073

#

2074

# When the `Policy` is returned from a `GetEffectivePolicy` request, the

2075

# `etag` will be unset.

2076

#

2077

# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value

2078

# that was returned from a `GetOrgPolicy` request as part of a

2079

# read-modify-write loop for concurrency control. Not setting the `etag`in a

2080

# `SetOrgPolicy` request will result in an unconditional write of the

# `Policy`.

},

],

}</pre>

</div>

<code class="details" id="listOrgPolicies_next">listOrgPolicies_next(previous_request, previous_response)</code>

2089

<pre>Retrieves the next page of results.

2090

2091

Args:

2092

previous_request: The request for the previous page. (required)

2093

previous_response: The response from the request for the previous page. (required)

2094

2095

Returns:

2096

A request object that you can call 'execute()' on to request the next

2097

page. Returns None if there are no more items in the collection.

</pre>

</div>

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

2102

<code class="details" id="list_next">list_next(previous_request, previous_response)</code>

2103

<pre>Retrieves the next page of results.

2104

2105

Args:

2106

previous_request: The request for the previous page. (required)

2107

previous_response: The response from the request for the previous page. (required)

2108

2109

Returns:

2110

A request object that you can call 'execute()' on to request the next

2111

page. Returns None if there are no more items in the collection.

</pre>

</div>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

2116

<code class="details" id="setIamPolicy">setIamPolicy(resource=None, body, x__xgafv=None)</code>

2117

<pre>Sets the IAM access control policy for the specified Project. Replaces

2118

any existing policy.

2119

2120

The following constraints apply when using `setIamPolicy()`:

2121

2122

+ Project does not support `allUsers` and `allAuthenticatedUsers` as

2123

`members` in a `Binding` of a `Policy`.

2124

2125

+ The owner role can be granted only to `user` and `serviceAccount`.

2126

2127

+ Service accounts can be made owners of a project directly

2128

without any restrictions. However, to be added as an owner, a user must be

2129

invited via Cloud Platform console and must accept the invitation.

2130

2131

+ A user cannot be granted the owner role using `setIamPolicy()`. The user

2132

must be granted the owner role using the Cloud Platform Console and must

2133

explicitly accept the invitation.

2134

2135

+ Invitations to grant the owner role cannot be sent using

2136

`setIamPolicy()`;

2137

they must be sent only using the Cloud Platform Console.

2138

2139

+ Membership changes that leave the project without any owners that have

2140

accepted the Terms of Service (ToS) will be rejected.

2141

2142

+ There must be at least one owner who has accepted the Terms of

2143

Service (ToS) agreement in the policy. Calling `setIamPolicy()` to

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame^]

2144

remove the last ToS-accepted owner from the policy will fail. This

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

2145

restriction also applies to legacy projects that no longer have owners

2146

who have accepted the ToS. Edits to IAM policies will be rejected until

2147

the lack of a ToS-accepting owner is rectified.

2148

2149

+ Calling this method requires enabling the App Engine Admin API.

2150

2151

Note: Removing service accounts from policies or changing their roles

2152

can render services completely inoperable. It is important to understand

2153

how the service account is being used before removing or updating its

2154

roles.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

2155

2156

Args:

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

2157

resource: string, REQUIRED: The resource for which the policy is being specified.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

2158

See the operation documentation for the appropriate value for this field. (required)

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

2159

body: object, The request body. (required)

2160

The object takes the form of:

2161

2162

{ # Request message for `SetIamPolicy` method.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

2163

"policy": { # Defines an Identity and Access Management (IAM) policy. It is used to # REQUIRED: The complete policy to be applied to the `resource`. The size of

2164

# the policy is limited to a few 10s of KB. An empty policy is a

2165

# valid policy but certain Cloud Platform services (such as Projects)

2166

# might reject them.

2167

# specify access control policies for Cloud Platform resources.

2168

#

2169

#

2170

# A `Policy` consists of a list of `bindings`. A `Binding` binds a list of

2171

# `members` to a `role`, where the members can be user accounts, Google groups,

2172

# Google domains, and service accounts. A `role` is a named list of permissions

# defined by IAM.

#

# **Example**

#

# {

# "bindings": [

# {

# "role": "roles/owner",

2181

# "members": [

2182

# "user:mike@example.com",

2183

# "group:admins@example.com",

2184

# "domain:google.com",

2185

# "serviceAccount:my-other-app@appspot.gserviceaccount.com",

# ]

# },

# {

# "role": "roles/viewer",

2190

# "members": ["user:sean@example.com"]

# }

# ]

# }

#

# For a description of IAM and its features, see the

2196

# [IAM developer's guide](https://cloud.google.com/iam).

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

2197

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

2198

{ # Specifies the audit configuration for a service.

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame^]

2199

# The configuration determines which permission types are logged, and what

2200

# identities, if any, are exempted from logging.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

2201

# An AuditConifg must have one or more AuditLogConfigs.

2202

#

2203

# If there are AuditConfigs for both `allServices` and a specific service,

2204

# the union of the two AuditConfigs is used for that service: the log_types

2205

# specified in each AuditConfig are enabled, and the exempted_members in each

2206

# AuditConfig are exempted.

2207

# Example Policy with multiple AuditConfigs:

# {

# "audit_configs": [

# {

# "service": "allServices"

2212

# "audit_log_configs": [

2213

# {

2214

# "log_type": "DATA_READ",

2215

# "exempted_members": [

2216

# "user:foo@gmail.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

2221

# },

2222

# {

2223

# "log_type": "ADMIN_READ",

# }

# ]

# },

# {

# "service": "fooservice@googleapis.com"

2229

# "audit_log_configs": [

2230

# {

2231

# "log_type": "DATA_READ",

2232

# },

2233

# {

2234

# "log_type": "DATA_WRITE",

2235

# "exempted_members": [

2236

# "user:bar@gmail.com"

# ]

# }

# ]

# }

# ]

# }

# For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ

2244

# logging. It also exempts foo@gmail.com from DATA_READ logging, and

2245

# bar@gmail.com from DATA_WRITE logging.

2246

"auditLogConfigs": [ # The configuration for logging of each type of permission.

2247

# Next ID: 4

2248

{ # Provides the configuration for logging a type of permissions.

# Example:

#

# {

# "audit_log_configs": [

2253

# {

2254

# "log_type": "DATA_READ",

2255

# "exempted_members": [

2256

# "user:foo@gmail.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

# }

# ]

# }

#

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting

2266

# foo@gmail.com from DATA_READ logging.

2267

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of

2268

# permission.

2269

# Follows the same format of Binding.members.

2270

"A String",

2271

],

2272

"logType": "A String", # The log type that this config enables.

2273

},

2274

],

2275

"service": "A String", # Specifies a service that will be enabled for audit logging.

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame^]

2276

# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

2277

# `allServices` is a special value that covers all services.

2278

},

2279

],

2280

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

2281

# prevent simultaneous updates of a policy from overwriting each other.

2282

# It is strongly suggested that systems make use of the `etag` in the

2283

# read-modify-write cycle to perform policy updates in order to avoid race

2284

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

2285

# systems are expected to put that etag in the request to `setIamPolicy` to

2286

# ensure that their change will be applied to the same version of the policy.

2287

#

2288

# If no `etag` is provided in the call to `setIamPolicy`, then the existing

2289

# policy is overwritten blindly.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

2290

"bindings": [ # Associates a list of `members` to a `role`.

2291

# Multiple `bindings` must not be specified for the same `role`.

2292

# `bindings` with no members will result in an error.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

2293

{ # Associates `members` with a `role`.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

2294

"role": "A String", # Role that is assigned to `members`.

2295

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

2296

# Required

2297

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

2298

# `members` can have the following values:

2299

#

2300

# * `allUsers`: A special identifier that represents anyone who is

2301

# on the internet; with or without a Google account.

2302

#

2303

# * `allAuthenticatedUsers`: A special identifier that represents anyone

2304

# who is authenticated with a Google account or a service account.

2305

#

2306

# * `user:{emailid}`: An email address that represents a specific Google

2307

# account. For example, `alice@gmail.com` or `joe@example.com`.

2308

#

2309

#

2310

# * `serviceAccount:{emailid}`: An email address that represents a service

2311

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

2312

#

2313

# * `group:{emailid}`: An email address that represents a Google group.

2314

# For example, `admins@example.com`.

2315

#

2316

# * `domain:{domain}`: A Google Apps domain name that represents all the

2317

# users of that domain. For example, `google.com` or `example.com`.

2318

#

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

"A String",

],

},

],

"version": 42, # Version of the `Policy`. The default version is 0.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

2324

},

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

2325

"updateMask": "A String", # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame^]

2326

# the fields in the mask will be modified. If no mask is provided, the

2327

# following default mask is used:

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

2328

# paths: "bindings, etag"

2329

# This field is only used by Cloud IAM.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

2330

}

2331

2332

x__xgafv: string, V1 error format.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

2333

Allowed values

2334

1 - v1 error format

2335

2 - v2 error format

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

2336

2337

Returns:

2338

An object of the form:

2339

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

2340

{ # Defines an Identity and Access Management (IAM) policy. It is used to

2341

# specify access control policies for Cloud Platform resources.

2342

#

2343

#

2344

# A `Policy` consists of a list of `bindings`. A `Binding` binds a list of

2345

# `members` to a `role`, where the members can be user accounts, Google groups,

2346

# Google domains, and service accounts. A `role` is a named list of permissions

# defined by IAM.

#

# **Example**

#

# {

# "bindings": [

# {

# "role": "roles/owner",

2355

# "members": [

2356

# "user:mike@example.com",

2357

# "group:admins@example.com",

2358

# "domain:google.com",

2359

# "serviceAccount:my-other-app@appspot.gserviceaccount.com",

# ]

# },

# {

# "role": "roles/viewer",

2364

# "members": ["user:sean@example.com"]

# }

# ]

# }

#

# For a description of IAM and its features, see the

2370

# [IAM developer's guide](https://cloud.google.com/iam).

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

2371

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

2372

{ # Specifies the audit configuration for a service.

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame^]

2373

# The configuration determines which permission types are logged, and what

2374

# identities, if any, are exempted from logging.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

2375

# An AuditConifg must have one or more AuditLogConfigs.

2376

#

2377

# If there are AuditConfigs for both `allServices` and a specific service,

2378

# the union of the two AuditConfigs is used for that service: the log_types

2379

# specified in each AuditConfig are enabled, and the exempted_members in each

2380

# AuditConfig are exempted.

2381

# Example Policy with multiple AuditConfigs:

# {

# "audit_configs": [

# {

# "service": "allServices"

2386

# "audit_log_configs": [

2387

# {

2388

# "log_type": "DATA_READ",

2389

# "exempted_members": [

2390

# "user:foo@gmail.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

2395

# },

2396

# {

2397

# "log_type": "ADMIN_READ",

# }

# ]

# },

# {

# "service": "fooservice@googleapis.com"

2403

# "audit_log_configs": [

2404

# {

2405

# "log_type": "DATA_READ",

2406

# },

2407

# {

2408

# "log_type": "DATA_WRITE",

2409

# "exempted_members": [

2410

# "user:bar@gmail.com"

# ]

# }

# ]

# }

# ]

# }

# For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ

2418

# logging. It also exempts foo@gmail.com from DATA_READ logging, and

2419

# bar@gmail.com from DATA_WRITE logging.

2420

"auditLogConfigs": [ # The configuration for logging of each type of permission.

2421

# Next ID: 4

2422

{ # Provides the configuration for logging a type of permissions.

# Example:

#

# {

# "audit_log_configs": [

2427

# {

2428

# "log_type": "DATA_READ",

2429

# "exempted_members": [

2430

# "user:foo@gmail.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

# }

# ]

# }

#

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting

2440

# foo@gmail.com from DATA_READ logging.

2441

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of

2442

# permission.

2443

# Follows the same format of Binding.members.

2444

"A String",

2445

],

2446

"logType": "A String", # The log type that this config enables.

2447

},

2448

],

2449

"service": "A String", # Specifies a service that will be enabled for audit logging.

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame^]

2450

# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

2451

# `allServices` is a special value that covers all services.

2452

},

2453

],

2454

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

2455

# prevent simultaneous updates of a policy from overwriting each other.

2456

# It is strongly suggested that systems make use of the `etag` in the

2457

# read-modify-write cycle to perform policy updates in order to avoid race

2458

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

2459

# systems are expected to put that etag in the request to `setIamPolicy` to

2460

# ensure that their change will be applied to the same version of the policy.

2461

#

2462

# If no `etag` is provided in the call to `setIamPolicy`, then the existing

2463

# policy is overwritten blindly.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

2464

"bindings": [ # Associates a list of `members` to a `role`.

2465

# Multiple `bindings` must not be specified for the same `role`.

2466

# `bindings` with no members will result in an error.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

2467

{ # Associates `members` with a `role`.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

2468

"role": "A String", # Role that is assigned to `members`.

2469

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

2470

# Required

2471

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

2472

# `members` can have the following values:

2473

#

2474

# * `allUsers`: A special identifier that represents anyone who is

2475

# on the internet; with or without a Google account.

2476

#

2477

# * `allAuthenticatedUsers`: A special identifier that represents anyone

2478

# who is authenticated with a Google account or a service account.

2479

#

2480

# * `user:{emailid}`: An email address that represents a specific Google

2481

# account. For example, `alice@gmail.com` or `joe@example.com`.

2482

#

2483

#

2484

# * `serviceAccount:{emailid}`: An email address that represents a service

2485

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

2486

#

2487

# * `group:{emailid}`: An email address that represents a Google group.

2488

# For example, `admins@example.com`.

2489

#

2490

# * `domain:{domain}`: A Google Apps domain name that represents all the

2491

# users of that domain. For example, `google.com` or `example.com`.

2492

#

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

"A String",

],

},

],

"version": 42, # Version of the `Policy`. The default version is 0.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

}</pre>

</div>

Sai Cheemalapati

2017-03-24 15:06:46 -0700

[diff] [blame^]

2502

<code class="details" id="setOrgPolicy">setOrgPolicy(resource, body, x__xgafv=None)</code>

2503

<pre>Updates the specified `Policy` on the resource. Creates a new `Policy` for

2504

that `Constraint` on the resource if one does not exist.

2505

2506

Not supplying an `etag` on the request `Policy` results in an unconditional

2507

write of the `Policy`.

2508

2509

Args:

2510

resource: string, Resource name of the resource to attach the `Policy`. (required)

2511

body: object, The request body. (required)

2512

The object takes the form of:

2513

2514

{ # The request sent to the SetOrgPolicyRequest method.

2515

"policy": { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` # `Policy` to set on the resource.

2516

# for configurations of Cloud Platform resources.

2517

"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the

2518

# server, not specified by the caller, and represents the last time a call to

2519

# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will

2520

# be ignored.

2521

"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,

2522

# `constraints/serviceuser.services`.

2523

#

2524

# Immutable after creation.

2525

"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of

2526

# `Constraint` type.

2527

# `constraint_default` enforcement behavior of the specific `Constraint` at

2528

# this resource.

2529

#

2530

# Suppose that `constraint_default` is set to `ALLOW` for the

2531

# `Constraint` `constraints/serviceuser.services`. Suppose that organization

2532

# foo.com sets a `Policy` at their Organization resource node that restricts

2533

# the allowed service activations to deny all service activations. They

2534

# could then set a `Policy` with the `policy_type` `restore_default` on

2535

# several experimental projects, restoring the `constraint_default`

2536

# enforcement of the `Constraint` for only those projects, allowing those

2537

# projects to have all services activated.

2538

},

2539

"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.

2540

# resource.

2541

#

2542

# A `ListPolicy` can define specific values that are allowed or denied by

2543

# setting either the `allowed_values` or `denied_values` fields. It can also

2544

# be used to allow or deny all values, by setting the `all_values` field. If

2545

# `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`

2546

# or `denied_values` must be set (attempting to set both or neither will

2547

# result in a failed request). If `all_values` is set to either `ALLOW` or

2548

# `DENY`, `allowed_values` and `denied_values` must be unset.

2549

"allValues": "A String", # The policy all_values state.

2550

"deniedValues": [ # List of values denied at this resource. Can only be set if no values are

2551

# set for `allowed_values` and `all_values` is set to

2552

# `ALL_VALUES_UNSPECIFIED`.

2553

"A String",

2554

],

2555

"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.

2556

#

2557

# By default, a `ListPolicy` set at a resource supercedes any `Policy` set

2558

# anywhere up the resource hierarchy. However, if `inherit_from_parent` is

2559

# set to `true`, then the values from the effective `Policy` of the parent

2560

# resource are inherited, meaning the values set in this `Policy` are

2561

# added to the values inherited up the hierarchy.

2562

#

2563

# Setting `Policy` hierarchies that inherit both allowed values and denied

2564

# values isn't recommended in most circumstances to keep the configuration

2565

# simple and understandable. However, it is possible to set a `Policy` with

2566

# `allowed_values` set that inherits a `Policy` with `denied_values` set.

2567

# In this case, the values that are allowed must be in `allowed_values` and

2568

# not present in `denied_values`.

2569

#

2570

# For example, suppose you have a `Constraint`

2571

# `constraints/serviceuser.services`, which has a `constraint_type` of

2572

# `list_constraint`, and with `constraint_default` set to `ALLOW`.

2573

# Suppose that at the Organization level, a `Policy` is applied that

2574

# restricts the allowed API activations to {`E1`, `E2`}. Then, if a

2575

# `Policy` is applied to a project below the Organization that has

2576

# `inherit_from_parent` set to `false` and field all_values set to DENY,

2577

# then an attempt to activate any API will be denied.

2578

#

2579

# The following examples demonstrate different possible layerings:

2580

#

2581

# Example 1 (no inherited values):

2582

# `organizations/foo` has a `Policy` with values:

2583

# {allowed_values: “E1” allowed_values:”E2”}

2584

# ``projects/bar`` has `inherit_from_parent` `false` and values:

2585

# {allowed_values: "E3" allowed_values: "E4"}

2586

# The accepted values at `organizations/foo` are `E1`, `E2`.

2587

# The accepted values at `projects/bar` are `E3`, and `E4`.

2588

#

2589

# Example 2 (inherited values):

2590

# `organizations/foo` has a `Policy` with values:

2591

# {allowed_values: “E1” allowed_values:”E2”}

2592

# `projects/bar` has a `Policy` with values:

2593

# {value: “E3” value: ”E4” inherit_from_parent: true}

2594

# The accepted values at `organizations/foo` are `E1`, `E2`.

2595

# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.

2596

#

2597

# Example 3 (inheriting both allowed and denied values):

2598

# `organizations/foo` has a `Policy` with values:

2599

# {allowed_values: "E1" allowed_values: "E2"}

2600

# `projects/bar` has a `Policy` with:

2601

# {denied_values: "E1"}

2602

# The accepted values at `organizations/foo` are `E1`, `E2`.

2603

# The value accepted at `projects/bar` is `E2`.

2604

#

2605

# Example 4 (RestoreDefault):

2606

# `organizations/foo` has a `Policy` with values:

2607

# {allowed_values: “E1” allowed_values:”E2”}

2608

# `projects/bar` has a `Policy` with values:

2609

# {RestoreDefault: {}}

2610

# The accepted values at `organizations/foo` are `E1`, `E2`.

2611

# The accepted values at `projects/bar` are either all or none depending on

2612

# the value of `constraint_default` (if `ALLOW`, all; if

2613

# `DENY`, none).

2614

#

2615

# Example 5 (no policy inherits parent policy):

2616

# `organizations/foo` has no `Policy` set.

2617

# `projects/bar` has no `Policy` set.

2618

# The accepted values at both levels are either all or none depending on

2619

# the value of `constraint_default` (if `ALLOW`, all; if

2620

# `DENY`, none).

2621

#

2622

# Example 6 (ListConstraint allowing all):

2623

# `organizations/foo` has a `Policy` with values:

2624

# {allowed_values: “E1” allowed_values: ”E2”}

2625

# `projects/bar` has a `Policy` with:

2626

# {all: ALLOW}

2627

# The accepted values at `organizations/foo` are `E1`, E2`.

2628

# Any value is accepted at `projects/bar`.

2629

#

2630

# Example 7 (ListConstraint allowing none):

2631

# `organizations/foo` has a `Policy` with values:

2632

# {allowed_values: “E1” allowed_values: ”E2”}

2633

# `projects/bar` has a `Policy` with:

2634

# {all: DENY}

2635

# The accepted values at `organizations/foo` are `E1`, E2`.

2636

# No value is accepted at `projects/bar`.

2637

"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration

2638

# that matches the value specified in this `Policy`. If `suggested_value`

2639

# is not set, it will inherit the value specified higher in the hierarchy,

2640

# unless `inherit_from_parent` is `false`.

2641

"allowedValues": [ # List of values allowed at this resource. an only be set if no values are

2642

# set for `denied_values` and `all_values` is set to

2643

# `ALL_VALUES_UNSPECIFIED`.

"A String",

],

},

"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.

2648

# resource.

2649

"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any

2650

# configuration is acceptable.

2651

#

2652

# Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`

2653

# with `constraint_default` set to `ALLOW`. A `Policy` for that

2654

# `Constraint` exhibits the following behavior:

2655

# - If the `Policy` at this resource has enforced set to `false`, serial

2656

# port connection attempts will be allowed.

2657

# - If the `Policy` at this resource has enforced set to `true`, serial

2658

# port connection attempts will be refused.

2659

# - If the `Policy` at this resource is `RestoreDefault`, serial port

2660

# connection attempts will be allowed.

2661

# - If no `Policy` is set at this resource or anywhere higher in the

2662

# resource hierarchy, serial port connection attempts will be allowed.

2663

# - If no `Policy` is set at this resource, but one exists higher in the

2664

# resource hierarchy, the behavior is as if the`Policy` were set at

2665

# this resource.

2666

#

2667

# The following examples demonstrate the different possible layerings:

2668

#

2669

# Example 1 (nearest `Constraint` wins):

2670

# `organizations/foo` has a `Policy` with:

2671

# {enforced: false}

2672

# `projects/bar` has no `Policy` set.

2673

# The constraint at `projects/bar` and `organizations/foo` will not be

2674

# enforced.

2675

#

2676

# Example 2 (enforcement gets replaced):

2677

# `organizations/foo` has a `Policy` with:

2678

# {enforced: false}

2679

# `projects/bar` has a `Policy` with:

2680

# {enforced: true}

2681

# The constraint at `organizations/foo` is not enforced.

2682

# The constraint at `projects/bar` is enforced.

2683

#

2684

# Example 3 (RestoreDefault):

2685

# `organizations/foo` has a `Policy` with:

2686

# {enforced: true}

2687

# `projects/bar` has a `Policy` with:

2688

# {RestoreDefault: {}}

2689

# The constraint at `organizations/foo` is enforced.

2690

# The constraint at `projects/bar` is not enforced, because

2691

# `constraint_default` for the `Constraint` is `ALLOW`.

2692

},

2693

"version": 42, # Version of the `Policy`. Default version is 0;

2694

"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for

2695

# concurrency control.

2696

#

2697

# When the `Policy` is returned from either a `GetPolicy` or a

2698

# `ListOrgPolicy` request, this `etag` indicates the version of the current

2699

# `Policy` to use when executing a read-modify-write loop.

2700

#

2701

# When the `Policy` is returned from a `GetEffectivePolicy` request, the

2702

# `etag` will be unset.

2703

#

2704

# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value

2705

# that was returned from a `GetOrgPolicy` request as part of a

2706

# read-modify-write loop for concurrency control. Not setting the `etag`in a

2707

# `SetOrgPolicy` request will result in an unconditional write of the

# `Policy`.

},

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

2719

2720

{ # Defines a Cloud Organization `Policy` which is used to specify `Constraints`

2721

# for configurations of Cloud Platform resources.

2722

"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the

2723

# server, not specified by the caller, and represents the last time a call to

2724

# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will

2725

# be ignored.

2726

"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,

2727

# `constraints/serviceuser.services`.

2728

#

2729

# Immutable after creation.

2730

"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of

2731

# `Constraint` type.

2732

# `constraint_default` enforcement behavior of the specific `Constraint` at

2733

# this resource.

2734

#

2735

# Suppose that `constraint_default` is set to `ALLOW` for the

2736

# `Constraint` `constraints/serviceuser.services`. Suppose that organization

2737

# foo.com sets a `Policy` at their Organization resource node that restricts

2738

# the allowed service activations to deny all service activations. They

2739

# could then set a `Policy` with the `policy_type` `restore_default` on

2740

# several experimental projects, restoring the `constraint_default`

2741

# enforcement of the `Constraint` for only those projects, allowing those

2742

# projects to have all services activated.

2743

},

2744

"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.

2745

# resource.

2746

#

2747

# A `ListPolicy` can define specific values that are allowed or denied by

2748

# setting either the `allowed_values` or `denied_values` fields. It can also

2749

# be used to allow or deny all values, by setting the `all_values` field. If

2750

# `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`

2751

# or `denied_values` must be set (attempting to set both or neither will

2752

# result in a failed request). If `all_values` is set to either `ALLOW` or

2753

# `DENY`, `allowed_values` and `denied_values` must be unset.

2754

"allValues": "A String", # The policy all_values state.

2755

"deniedValues": [ # List of values denied at this resource. Can only be set if no values are

2756

# set for `allowed_values` and `all_values` is set to

2757

# `ALL_VALUES_UNSPECIFIED`.

2758

"A String",

2759

],

2760

"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.

2761

#

2762

# By default, a `ListPolicy` set at a resource supercedes any `Policy` set

2763

# anywhere up the resource hierarchy. However, if `inherit_from_parent` is

2764

# set to `true`, then the values from the effective `Policy` of the parent

2765

# resource are inherited, meaning the values set in this `Policy` are

2766

# added to the values inherited up the hierarchy.

2767

#

2768

# Setting `Policy` hierarchies that inherit both allowed values and denied

2769

# values isn't recommended in most circumstances to keep the configuration

2770

# simple and understandable. However, it is possible to set a `Policy` with

2771

# `allowed_values` set that inherits a `Policy` with `denied_values` set.

2772

# In this case, the values that are allowed must be in `allowed_values` and

2773

# not present in `denied_values`.

2774

#

2775

# For example, suppose you have a `Constraint`

2776

# `constraints/serviceuser.services`, which has a `constraint_type` of

2777

# `list_constraint`, and with `constraint_default` set to `ALLOW`.

2778

# Suppose that at the Organization level, a `Policy` is applied that

2779

# restricts the allowed API activations to {`E1`, `E2`}. Then, if a

2780

# `Policy` is applied to a project below the Organization that has

2781

# `inherit_from_parent` set to `false` and field all_values set to DENY,

2782

# then an attempt to activate any API will be denied.

2783

#

2784

# The following examples demonstrate different possible layerings:

2785

#

2786

# Example 1 (no inherited values):

2787

# `organizations/foo` has a `Policy` with values:

2788

# {allowed_values: “E1” allowed_values:”E2”}

2789

# ``projects/bar`` has `inherit_from_parent` `false` and values:

2790

# {allowed_values: "E3" allowed_values: "E4"}

2791

# The accepted values at `organizations/foo` are `E1`, `E2`.

2792

# The accepted values at `projects/bar` are `E3`, and `E4`.

2793

#

2794

# Example 2 (inherited values):

2795

# `organizations/foo` has a `Policy` with values:

2796

# {allowed_values: “E1” allowed_values:”E2”}

2797

# `projects/bar` has a `Policy` with values:

2798

# {value: “E3” value: ”E4” inherit_from_parent: true}

2799

# The accepted values at `organizations/foo` are `E1`, `E2`.

2800

# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.

2801

#

2802

# Example 3 (inheriting both allowed and denied values):

2803

# `organizations/foo` has a `Policy` with values:

2804

# {allowed_values: "E1" allowed_values: "E2"}

2805

# `projects/bar` has a `Policy` with:

2806

# {denied_values: "E1"}

2807

# The accepted values at `organizations/foo` are `E1`, `E2`.

2808

# The value accepted at `projects/bar` is `E2`.

2809

#

2810

# Example 4 (RestoreDefault):

2811

# `organizations/foo` has a `Policy` with values:

2812

# {allowed_values: “E1” allowed_values:”E2”}

2813

# `projects/bar` has a `Policy` with values:

2814

# {RestoreDefault: {}}

2815

# The accepted values at `organizations/foo` are `E1`, `E2`.

2816

# The accepted values at `projects/bar` are either all or none depending on

2817

# the value of `constraint_default` (if `ALLOW`, all; if

2818

# `DENY`, none).

2819

#

2820

# Example 5 (no policy inherits parent policy):

2821

# `organizations/foo` has no `Policy` set.

2822

# `projects/bar` has no `Policy` set.

2823

# The accepted values at both levels are either all or none depending on

2824

# the value of `constraint_default` (if `ALLOW`, all; if

2825

# `DENY`, none).

2826

#

2827

# Example 6 (ListConstraint allowing all):

2828

# `organizations/foo` has a `Policy` with values:

2829

# {allowed_values: “E1” allowed_values: ”E2”}

2830

# `projects/bar` has a `Policy` with:

2831

# {all: ALLOW}

2832

# The accepted values at `organizations/foo` are `E1`, E2`.

2833

# Any value is accepted at `projects/bar`.

2834

#

2835

# Example 7 (ListConstraint allowing none):

2836

# `organizations/foo` has a `Policy` with values:

2837

# {allowed_values: “E1” allowed_values: ”E2”}

2838

# `projects/bar` has a `Policy` with:

2839

# {all: DENY}

2840

# The accepted values at `organizations/foo` are `E1`, E2`.

2841

# No value is accepted at `projects/bar`.

2842

"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration

2843

# that matches the value specified in this `Policy`. If `suggested_value`

2844

# is not set, it will inherit the value specified higher in the hierarchy,

2845

# unless `inherit_from_parent` is `false`.

2846

"allowedValues": [ # List of values allowed at this resource. an only be set if no values are

2847

# set for `denied_values` and `all_values` is set to

2848

# `ALL_VALUES_UNSPECIFIED`.

"A String",

],

},

"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.

2853

# resource.

2854

"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any

2855

# configuration is acceptable.

2856

#

2857

# Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`

2858

# with `constraint_default` set to `ALLOW`. A `Policy` for that

2859

# `Constraint` exhibits the following behavior:

2860

# - If the `Policy` at this resource has enforced set to `false`, serial

2861

# port connection attempts will be allowed.

2862

# - If the `Policy` at this resource has enforced set to `true`, serial

2863

# port connection attempts will be refused.

2864

# - If the `Policy` at this resource is `RestoreDefault`, serial port

2865

# connection attempts will be allowed.

2866

# - If no `Policy` is set at this resource or anywhere higher in the

2867

# resource hierarchy, serial port connection attempts will be allowed.

2868

# - If no `Policy` is set at this resource, but one exists higher in the

2869

# resource hierarchy, the behavior is as if the`Policy` were set at

2870

# this resource.

2871

#

2872

# The following examples demonstrate the different possible layerings:

2873

#

2874

# Example 1 (nearest `Constraint` wins):

2875

# `organizations/foo` has a `Policy` with:

2876

# {enforced: false}

2877

# `projects/bar` has no `Policy` set.

2878

# The constraint at `projects/bar` and `organizations/foo` will not be

2879

# enforced.

2880

#

2881

# Example 2 (enforcement gets replaced):

2882

# `organizations/foo` has a `Policy` with:

2883

# {enforced: false}

2884

# `projects/bar` has a `Policy` with:

2885

# {enforced: true}

2886

# The constraint at `organizations/foo` is not enforced.

2887

# The constraint at `projects/bar` is enforced.

2888

#

2889

# Example 3 (RestoreDefault):

2890

# `organizations/foo` has a `Policy` with:

2891

# {enforced: true}

2892

# `projects/bar` has a `Policy` with:

2893

# {RestoreDefault: {}}

2894

# The constraint at `organizations/foo` is enforced.

2895

# The constraint at `projects/bar` is not enforced, because

2896

# `constraint_default` for the `Constraint` is `ALLOW`.

2897

},

2898

"version": 42, # Version of the `Policy`. Default version is 0;

2899

"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for

2900

# concurrency control.

2901

#

2902

# When the `Policy` is returned from either a `GetPolicy` or a

2903

# `ListOrgPolicy` request, this `etag` indicates the version of the current

2904

# `Policy` to use when executing a read-modify-write loop.

2905

#

2906

# When the `Policy` is returned from a `GetEffectivePolicy` request, the

2907

# `etag` will be unset.

2908

#

2909

# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value

2910

# that was returned from a `GetOrgPolicy` request as part of a

2911

# read-modify-write loop for concurrency control. Not setting the `etag`in a

2912

# `SetOrgPolicy` request will result in an unconditional write of the

# `Policy`.

}</pre>

</div>

<code class="details" id="setOrgPolicyV1">setOrgPolicyV1(resource, body, x__xgafv=None)</code>

2919

<pre>Updates the specified `Policy` on the resource. Creates a new `Policy` for

2920

that `Constraint` on the resource if one does not exist.

2921

2922

Not supplying an `etag` on the request `Policy` results in an unconditional

2923

write of the `Policy`.

2924

2925

Args:

2926

resource: string, Resource name of the resource to attach the `Policy`. (required)

2927

body: object, The request body. (required)

2928

The object takes the form of:

2929

2930

{ # The request sent to the SetOrgPolicyRequest method.

2931

"policy": { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` # `Policy` to set on the resource.

2932

# for configurations of Cloud Platform resources.

2933

"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the

2934

# server, not specified by the caller, and represents the last time a call to

2935

# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will

2936

# be ignored.

2937

"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,

2938

# `constraints/serviceuser.services`.

2939

#

2940

# Immutable after creation.

2941

"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of

2942

# `Constraint` type.

2943

# `constraint_default` enforcement behavior of the specific `Constraint` at

2944

# this resource.

2945

#

2946

# Suppose that `constraint_default` is set to `ALLOW` for the

2947

# `Constraint` `constraints/serviceuser.services`. Suppose that organization

2948

# foo.com sets a `Policy` at their Organization resource node that restricts

2949

# the allowed service activations to deny all service activations. They

2950

# could then set a `Policy` with the `policy_type` `restore_default` on

2951

# several experimental projects, restoring the `constraint_default`

2952

# enforcement of the `Constraint` for only those projects, allowing those

2953

# projects to have all services activated.

2954

},

2955

"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.

2956

# resource.

2957

#

2958

# A `ListPolicy` can define specific values that are allowed or denied by

2959

# setting either the `allowed_values` or `denied_values` fields. It can also

2960

# be used to allow or deny all values, by setting the `all_values` field. If

2961

# `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`

2962

# or `denied_values` must be set (attempting to set both or neither will

2963

# result in a failed request). If `all_values` is set to either `ALLOW` or

2964

# `DENY`, `allowed_values` and `denied_values` must be unset.

2965

"allValues": "A String", # The policy all_values state.

2966

"deniedValues": [ # List of values denied at this resource. Can only be set if no values are

2967

# set for `allowed_values` and `all_values` is set to

2968

# `ALL_VALUES_UNSPECIFIED`.

2969

"A String",

2970

],

2971

"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.

2972

#

2973

# By default, a `ListPolicy` set at a resource supercedes any `Policy` set

2974

# anywhere up the resource hierarchy. However, if `inherit_from_parent` is

2975

# set to `true`, then the values from the effective `Policy` of the parent

2976

# resource are inherited, meaning the values set in this `Policy` are

2977

# added to the values inherited up the hierarchy.

2978

#

2979

# Setting `Policy` hierarchies that inherit both allowed values and denied

2980

# values isn't recommended in most circumstances to keep the configuration

2981

# simple and understandable. However, it is possible to set a `Policy` with

2982

# `allowed_values` set that inherits a `Policy` with `denied_values` set.

2983

# In this case, the values that are allowed must be in `allowed_values` and

2984

# not present in `denied_values`.

2985

#

2986

# For example, suppose you have a `Constraint`

2987

# `constraints/serviceuser.services`, which has a `constraint_type` of

2988

# `list_constraint`, and with `constraint_default` set to `ALLOW`.

2989

# Suppose that at the Organization level, a `Policy` is applied that

2990

# restricts the allowed API activations to {`E1`, `E2`}. Then, if a

2991

# `Policy` is applied to a project below the Organization that has

2992

# `inherit_from_parent` set to `false` and field all_values set to DENY,

2993

# then an attempt to activate any API will be denied.

2994

#

2995

# The following examples demonstrate different possible layerings:

2996

#

2997

# Example 1 (no inherited values):

2998

# `organizations/foo` has a `Policy` with values:

2999

# {allowed_values: “E1” allowed_values:”E2”}

3000

# ``projects/bar`` has `inherit_from_parent` `false` and values:

3001

# {allowed_values: "E3" allowed_values: "E4"}

3002

# The accepted values at `organizations/foo` are `E1`, `E2`.

3003

# The accepted values at `projects/bar` are `E3`, and `E4`.

3004

#

3005

# Example 2 (inherited values):

3006

# `organizations/foo` has a `Policy` with values:

3007

# {allowed_values: “E1” allowed_values:”E2”}

3008

# `projects/bar` has a `Policy` with values:

3009

# {value: “E3” value: ”E4” inherit_from_parent: true}

3010

# The accepted values at `organizations/foo` are `E1`, `E2`.

3011

# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.

3012

#

3013

# Example 3 (inheriting both allowed and denied values):

3014

# `organizations/foo` has a `Policy` with values:

3015

# {allowed_values: "E1" allowed_values: "E2"}

3016

# `projects/bar` has a `Policy` with:

3017

# {denied_values: "E1"}

3018

# The accepted values at `organizations/foo` are `E1`, `E2`.

3019

# The value accepted at `projects/bar` is `E2`.

3020

#

3021

# Example 4 (RestoreDefault):

3022

# `organizations/foo` has a `Policy` with values:

3023

# {allowed_values: “E1” allowed_values:”E2”}

3024

# `projects/bar` has a `Policy` with values:

3025

# {RestoreDefault: {}}

3026

# The accepted values at `organizations/foo` are `E1`, `E2`.

3027

# The accepted values at `projects/bar` are either all or none depending on

3028

# the value of `constraint_default` (if `ALLOW`, all; if

3029

# `DENY`, none).

3030

#

3031

# Example 5 (no policy inherits parent policy):

3032

# `organizations/foo` has no `Policy` set.

3033

# `projects/bar` has no `Policy` set.

3034

# The accepted values at both levels are either all or none depending on

3035

# the value of `constraint_default` (if `ALLOW`, all; if

3036

# `DENY`, none).

3037

#

3038

# Example 6 (ListConstraint allowing all):

3039

# `organizations/foo` has a `Policy` with values:

3040

# {allowed_values: “E1” allowed_values: ”E2”}

3041

# `projects/bar` has a `Policy` with:

3042

# {all: ALLOW}

3043

# The accepted values at `organizations/foo` are `E1`, E2`.

3044

# Any value is accepted at `projects/bar`.

3045

#

3046

# Example 7 (ListConstraint allowing none):

3047

# `organizations/foo` has a `Policy` with values:

3048

# {allowed_values: “E1” allowed_values: ”E2”}

3049

# `projects/bar` has a `Policy` with:

3050

# {all: DENY}

3051

# The accepted values at `organizations/foo` are `E1`, E2`.

3052

# No value is accepted at `projects/bar`.

3053

"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration

3054

# that matches the value specified in this `Policy`. If `suggested_value`

3055

# is not set, it will inherit the value specified higher in the hierarchy,

3056

# unless `inherit_from_parent` is `false`.

3057

"allowedValues": [ # List of values allowed at this resource. an only be set if no values are

3058

# set for `denied_values` and `all_values` is set to

3059

# `ALL_VALUES_UNSPECIFIED`.

"A String",

],

},

"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.

3064

# resource.

3065

"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any

3066

# configuration is acceptable.

3067

#

3068

# Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`

3069

# with `constraint_default` set to `ALLOW`. A `Policy` for that

3070

# `Constraint` exhibits the following behavior:

3071

# - If the `Policy` at this resource has enforced set to `false`, serial

3072

# port connection attempts will be allowed.

3073

# - If the `Policy` at this resource has enforced set to `true`, serial

3074

# port connection attempts will be refused.

3075

# - If the `Policy` at this resource is `RestoreDefault`, serial port

3076

# connection attempts will be allowed.

3077

# - If no `Policy` is set at this resource or anywhere higher in the

3078

# resource hierarchy, serial port connection attempts will be allowed.

3079

# - If no `Policy` is set at this resource, but one exists higher in the

3080

# resource hierarchy, the behavior is as if the`Policy` were set at

3081

# this resource.

3082

#

3083

# The following examples demonstrate the different possible layerings:

3084

#

3085

# Example 1 (nearest `Constraint` wins):

3086

# `organizations/foo` has a `Policy` with:

3087

# {enforced: false}

3088

# `projects/bar` has no `Policy` set.

3089

# The constraint at `projects/bar` and `organizations/foo` will not be

3090

# enforced.

3091

#

3092

# Example 2 (enforcement gets replaced):

3093

# `organizations/foo` has a `Policy` with:

3094

# {enforced: false}

3095

# `projects/bar` has a `Policy` with:

3096

# {enforced: true}

3097

# The constraint at `organizations/foo` is not enforced.

3098

# The constraint at `projects/bar` is enforced.

3099

#

3100

# Example 3 (RestoreDefault):

3101

# `organizations/foo` has a `Policy` with:

3102

# {enforced: true}

3103

# `projects/bar` has a `Policy` with:

3104

# {RestoreDefault: {}}

3105

# The constraint at `organizations/foo` is enforced.

3106

# The constraint at `projects/bar` is not enforced, because

3107

# `constraint_default` for the `Constraint` is `ALLOW`.

3108

},

3109

"version": 42, # Version of the `Policy`. Default version is 0;

3110

"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for

3111

# concurrency control.

3112

#

3113

# When the `Policy` is returned from either a `GetPolicy` or a

3114

# `ListOrgPolicy` request, this `etag` indicates the version of the current

3115

# `Policy` to use when executing a read-modify-write loop.

3116

#

3117

# When the `Policy` is returned from a `GetEffectivePolicy` request, the

3118

# `etag` will be unset.

3119

#

3120

# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value

3121

# that was returned from a `GetOrgPolicy` request as part of a

3122

# read-modify-write loop for concurrency control. Not setting the `etag`in a

3123

# `SetOrgPolicy` request will result in an unconditional write of the

# `Policy`.

},

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

3135

3136

{ # Defines a Cloud Organization `Policy` which is used to specify `Constraints`

3137

# for configurations of Cloud Platform resources.

3138

"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the

3139

# server, not specified by the caller, and represents the last time a call to

3140

# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will

3141

# be ignored.

3142

"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,

3143

# `constraints/serviceuser.services`.

3144

#

3145

# Immutable after creation.

3146

"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of

3147

# `Constraint` type.

3148

# `constraint_default` enforcement behavior of the specific `Constraint` at

3149

# this resource.

3150

#

3151

# Suppose that `constraint_default` is set to `ALLOW` for the

3152

# `Constraint` `constraints/serviceuser.services`. Suppose that organization

3153

# foo.com sets a `Policy` at their Organization resource node that restricts

3154

# the allowed service activations to deny all service activations. They

3155

# could then set a `Policy` with the `policy_type` `restore_default` on

3156

# several experimental projects, restoring the `constraint_default`

3157

# enforcement of the `Constraint` for only those projects, allowing those

3158

# projects to have all services activated.

3159

},

3160

"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.

3161

# resource.

3162

#

3163

# A `ListPolicy` can define specific values that are allowed or denied by

3164

# setting either the `allowed_values` or `denied_values` fields. It can also

3165

# be used to allow or deny all values, by setting the `all_values` field. If

3166

# `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`

3167

# or `denied_values` must be set (attempting to set both or neither will

3168

# result in a failed request). If `all_values` is set to either `ALLOW` or

3169

# `DENY`, `allowed_values` and `denied_values` must be unset.

3170

"allValues": "A String", # The policy all_values state.

3171

"deniedValues": [ # List of values denied at this resource. Can only be set if no values are

3172

# set for `allowed_values` and `all_values` is set to

3173

# `ALL_VALUES_UNSPECIFIED`.

3174

"A String",

3175

],

3176

"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.

3177

#

3178

# By default, a `ListPolicy` set at a resource supercedes any `Policy` set

3179

# anywhere up the resource hierarchy. However, if `inherit_from_parent` is

3180

# set to `true`, then the values from the effective `Policy` of the parent

3181

# resource are inherited, meaning the values set in this `Policy` are

3182

# added to the values inherited up the hierarchy.

3183

#

3184

# Setting `Policy` hierarchies that inherit both allowed values and denied

3185

# values isn't recommended in most circumstances to keep the configuration

3186

# simple and understandable. However, it is possible to set a `Policy` with

3187

# `allowed_values` set that inherits a `Policy` with `denied_values` set.

3188

# In this case, the values that are allowed must be in `allowed_values` and

3189

# not present in `denied_values`.

3190

#

3191

# For example, suppose you have a `Constraint`

3192

# `constraints/serviceuser.services`, which has a `constraint_type` of

3193

# `list_constraint`, and with `constraint_default` set to `ALLOW`.

3194

# Suppose that at the Organization level, a `Policy` is applied that

3195

# restricts the allowed API activations to {`E1`, `E2`}. Then, if a

3196

# `Policy` is applied to a project below the Organization that has

3197

# `inherit_from_parent` set to `false` and field all_values set to DENY,

3198

# then an attempt to activate any API will be denied.

3199

#

3200

# The following examples demonstrate different possible layerings:

3201

#

3202

# Example 1 (no inherited values):

3203

# `organizations/foo` has a `Policy` with values:

3204

# {allowed_values: “E1” allowed_values:”E2”}

3205

# ``projects/bar`` has `inherit_from_parent` `false` and values:

3206

# {allowed_values: "E3" allowed_values: "E4"}

3207

# The accepted values at `organizations/foo` are `E1`, `E2`.

3208

# The accepted values at `projects/bar` are `E3`, and `E4`.

3209

#

3210

# Example 2 (inherited values):

3211

# `organizations/foo` has a `Policy` with values:

3212

# {allowed_values: “E1” allowed_values:”E2”}

3213

# `projects/bar` has a `Policy` with values:

3214

# {value: “E3” value: ”E4” inherit_from_parent: true}

3215

# The accepted values at `organizations/foo` are `E1`, `E2`.

3216

# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.

3217

#

3218

# Example 3 (inheriting both allowed and denied values):

3219

# `organizations/foo` has a `Policy` with values:

3220

# {allowed_values: "E1" allowed_values: "E2"}

3221

# `projects/bar` has a `Policy` with:

3222

# {denied_values: "E1"}

3223

# The accepted values at `organizations/foo` are `E1`, `E2`.

3224

# The value accepted at `projects/bar` is `E2`.

3225

#

3226

# Example 4 (RestoreDefault):

3227

# `organizations/foo` has a `Policy` with values:

3228

# {allowed_values: “E1” allowed_values:”E2”}

3229

# `projects/bar` has a `Policy` with values:

3230

# {RestoreDefault: {}}

3231

# The accepted values at `organizations/foo` are `E1`, `E2`.

3232

# The accepted values at `projects/bar` are either all or none depending on

3233

# the value of `constraint_default` (if `ALLOW`, all; if

3234

# `DENY`, none).

3235

#

3236

# Example 5 (no policy inherits parent policy):

3237

# `organizations/foo` has no `Policy` set.

3238

# `projects/bar` has no `Policy` set.

3239

# The accepted values at both levels are either all or none depending on

3240

# the value of `constraint_default` (if `ALLOW`, all; if

3241

# `DENY`, none).

3242

#

3243

# Example 6 (ListConstraint allowing all):

3244

# `organizations/foo` has a `Policy` with values:

3245

# {allowed_values: “E1” allowed_values: ”E2”}

3246

# `projects/bar` has a `Policy` with:

3247

# {all: ALLOW}

3248

# The accepted values at `organizations/foo` are `E1`, E2`.

3249

# Any value is accepted at `projects/bar`.

3250

#

3251

# Example 7 (ListConstraint allowing none):

3252

# `organizations/foo` has a `Policy` with values:

3253

# {allowed_values: “E1” allowed_values: ”E2”}

3254

# `projects/bar` has a `Policy` with:

3255

# {all: DENY}

3256

# The accepted values at `organizations/foo` are `E1`, E2`.

3257

# No value is accepted at `projects/bar`.

3258

"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration

3259

# that matches the value specified in this `Policy`. If `suggested_value`

3260

# is not set, it will inherit the value specified higher in the hierarchy,

3261

# unless `inherit_from_parent` is `false`.

3262

"allowedValues": [ # List of values allowed at this resource. an only be set if no values are

3263

# set for `denied_values` and `all_values` is set to

3264

# `ALL_VALUES_UNSPECIFIED`.

"A String",

],

},

"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.

3269

# resource.

3270

"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any

3271

# configuration is acceptable.

3272

#

3273

# Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`

3274

# with `constraint_default` set to `ALLOW`. A `Policy` for that

3275

# `Constraint` exhibits the following behavior:

3276

# - If the `Policy` at this resource has enforced set to `false`, serial

3277

# port connection attempts will be allowed.

3278

# - If the `Policy` at this resource has enforced set to `true`, serial

3279

# port connection attempts will be refused.

3280

# - If the `Policy` at this resource is `RestoreDefault`, serial port

3281

# connection attempts will be allowed.

3282

# - If no `Policy` is set at this resource or anywhere higher in the

3283

# resource hierarchy, serial port connection attempts will be allowed.

3284

# - If no `Policy` is set at this resource, but one exists higher in the

3285

# resource hierarchy, the behavior is as if the`Policy` were set at

3286

# this resource.

3287

#

3288

# The following examples demonstrate the different possible layerings:

3289

#

3290

# Example 1 (nearest `Constraint` wins):

3291

# `organizations/foo` has a `Policy` with:

3292

# {enforced: false}

3293

# `projects/bar` has no `Policy` set.

3294

# The constraint at `projects/bar` and `organizations/foo` will not be

3295

# enforced.

3296

#

3297

# Example 2 (enforcement gets replaced):

3298

# `organizations/foo` has a `Policy` with:

3299

# {enforced: false}

3300

# `projects/bar` has a `Policy` with:

3301

# {enforced: true}

3302

# The constraint at `organizations/foo` is not enforced.

3303

# The constraint at `projects/bar` is enforced.

3304

#

3305

# Example 3 (RestoreDefault):

3306

# `organizations/foo` has a `Policy` with:

3307

# {enforced: true}

3308

# `projects/bar` has a `Policy` with:

3309

# {RestoreDefault: {}}

3310

# The constraint at `organizations/foo` is enforced.

3311

# The constraint at `projects/bar` is not enforced, because

3312

# `constraint_default` for the `Constraint` is `ALLOW`.

3313

},

3314

"version": 42, # Version of the `Policy`. Default version is 0;

3315

"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for

3316

# concurrency control.

3317

#

3318

# When the `Policy` is returned from either a `GetPolicy` or a

3319

# `ListOrgPolicy` request, this `etag` indicates the version of the current

3320

# `Policy` to use when executing a read-modify-write loop.

3321

#

3322

# When the `Policy` is returned from a `GetEffectivePolicy` request, the

3323

# `etag` will be unset.

3324

#

3325

# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value

3326

# that was returned from a `GetOrgPolicy` request as part of a

3327

# read-modify-write loop for concurrency control. Not setting the `etag`in a

3328

# `SetOrgPolicy` request will result in an unconditional write of the

# `Policy`.

}</pre>

</div>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3334

<code class="details" id="testIamPermissions">testIamPermissions(resource=None, body, x__xgafv=None)</code>

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

3335

<pre>Returns permissions that a caller has on the specified Project.

3336

3337

Args:

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3338

resource: string, REQUIRED: The resource for which the policy detail is being requested.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

3339

See the operation documentation for the appropriate value for this field. (required)

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

3340

body: object, The request body. (required)

3341

The object takes the form of:

3342

3343

{ # Request message for `TestIamPermissions` method.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3344

"permissions": [ # The set of permissions to check for the `resource`. Permissions with

3345

# wildcards (such as '*' or 'storage.*') are not allowed. For more

3346

# information see

3347

# [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

"A String",

],

}

x__xgafv: string, V1 error format.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3353

Allowed values

3354

1 - v1 error format

3355

2 - v2 error format

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

3356

3357

Returns:

3358

An object of the form:

3359

3360

{ # Response message for `TestIamPermissions` method.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3361

"permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is

3362

# allowed.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

"A String",

],

}</pre>

</div>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3369

<code class="details" id="undelete">undelete(projectId=None, body, x__xgafv=None)</code>

3370

<pre>Restores the Project identified by the specified

3371

`project_id` (for example, `my-project-123`).

3372

You can only use this method for a Project that has a lifecycle state of

3373

DELETE_REQUESTED.

3374

After deletion starts, the Project cannot be restored.

3375

3376

The caller must have modify permissions for this Project.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

3377

3378

Args:

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3379

projectId: string, The project ID (for example, `foo-bar-123`).

3380

3381

Required. (required)

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

3382

body: object, The request body. (required)

3383

The object takes the form of:

3384

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3385

{ # The request sent to the UndeleteProject

3386

# method.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

3387

}

3388

3389

x__xgafv: string, V1 error format.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3390

Allowed values

3391

1 - v1 error format

3392

2 - v2 error format

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

3393

3394

Returns:

3395

An object of the form:

3396

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3397

{ # A generic empty message that you can re-use to avoid defining duplicated

3398

# empty messages in your APIs. A typical example is to use it as the request

3399

# or the response type of an API method. For instance:

3400

#

3401

# service Foo {

3402

# rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);

3403

# }

3404

#

3405

# The JSON representation for `Empty` is empty JSON object `{}`.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

}</pre>

</div>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3410

<code class="details" id="update">update(projectId=None, body, x__xgafv=None)</code>

3411

<pre>Updates the attributes of the Project identified by the specified

3412

`project_id` (for example, `my-project-123`).

3413

3414

The caller must have modify permissions for this Project.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

3415

3416

Args:

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3417

projectId: string, The project ID (for example, `my-project-123`).

3418

3419

Required. (required)

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

3420

body: object, The request body. (required)

3421

The object takes the form of:

3422

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3423

{ # A Project is a high-level Google Cloud Platform entity. It is a

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

3424

# container for ACLs, APIs, App Engine Apps, VMs, and other

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3425

# Google Cloud Platform resources.

3426

"name": "A String", # The user-assigned display name of the Project.

3427

# It must be 4 to 30 characters.

3428

# Allowed characters are: lowercase and uppercase letters, numbers,

3429

# hyphen, single-quote, double-quote, space, and exclamation point.

3430

#

3431

# Example: <code>My Project</code>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3432

# Read-write.

3433

"parent": { # A container to reference an id for any resource type. A `resource` in Google # An optional reference to a parent Resource.

3434

#

3435

# The only supported parent type is "organization". Once set, the parent

3436

# cannot be modified. The `parent` can be set on creation or using the

3437

# `UpdateProject` method; the end user must have the

3438

# `resourcemanager.projects.create` permission on the parent.

3439

#

3440

# Read-write.

3441

# Cloud Platform is a generic term for something you (a developer) may want to

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

3442

# interact with through one of our API's. Some examples are an App Engine app,

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3443

# a Compute Engine instance, a Cloud SQL database, and so on.

3444

"type": "A String", # Required field representing the resource type this id is for.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

3445

# At present, the valid types are: "organization"

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3446

"id": "A String", # Required field for the type-specific id. This should correspond to the id

3447

# used in the type-specific API's.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

3448

},

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3449

"projectId": "A String", # The unique, user-assigned ID of the Project.

3450

# It must be 6 to 30 lowercase letters, digits, or hyphens.

3451

# It must start with a letter.

3452

# Trailing hyphens are prohibited.

3453

#

3454

# Example: <code>tokyo-rain-123</code>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3455

# Read-only after creation.

3456

"labels": { # The labels associated with this Project.

3457

#

3458

# Label keys must be between 1 and 63 characters long and must conform

3459

# to the following regular expression: \[a-z\](\[-a-z0-9\]*\[a-z0-9\])?.

3460

#

3461

# Label values must be between 0 and 63 characters long and must conform

3462

# to the regular expression (\[a-z\](\[-a-z0-9\]*\[a-z0-9\])?)?.

3463

#

3464

# No more than 256 labels can be associated with a given resource.

3465

#

3466

# Clients should store labels in a representation such as JSON that does not

3467

# depend on specific characters being disallowed.

3468

#

3469

# Example: <code>"environment" : "dev"</code>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3470

# Read-write.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

3471

"a_key": "A String",

3472

},

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

3473

"projectNumber": "A String", # The number uniquely identifying the project.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3474

#

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

3475

# Example: <code>415104041262</code>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3476

# Read-only.

3477

"lifecycleState": "A String", # The Project lifecycle state.

3478

#

3479

# Read-only.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

3480

"createTime": "A String", # Creation time.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3481

#

3482

# Read-only.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

3483

}

3484

3485

x__xgafv: string, V1 error format.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3486

Allowed values

3487

1 - v1 error format

3488

2 - v2 error format

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

3489

3490

Returns:

3491

An object of the form:

3492

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3493

{ # A Project is a high-level Google Cloud Platform entity. It is a

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

3494

# container for ACLs, APIs, App Engine Apps, VMs, and other

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3495

# Google Cloud Platform resources.

3496

"name": "A String", # The user-assigned display name of the Project.

3497

# It must be 4 to 30 characters.

3498

# Allowed characters are: lowercase and uppercase letters, numbers,

3499

# hyphen, single-quote, double-quote, space, and exclamation point.

3500

#

3501

# Example: <code>My Project</code>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3502

# Read-write.

3503

"parent": { # A container to reference an id for any resource type. A `resource` in Google # An optional reference to a parent Resource.

3504

#

3505

# The only supported parent type is "organization". Once set, the parent

3506

# cannot be modified. The `parent` can be set on creation or using the

3507

# `UpdateProject` method; the end user must have the

3508

# `resourcemanager.projects.create` permission on the parent.

3509

#

3510

# Read-write.

3511

# Cloud Platform is a generic term for something you (a developer) may want to

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

3512

# interact with through one of our API's. Some examples are an App Engine app,

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3513

# a Compute Engine instance, a Cloud SQL database, and so on.

3514

"type": "A String", # Required field representing the resource type this id is for.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

3515

# At present, the valid types are: "organization"

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3516

"id": "A String", # Required field for the type-specific id. This should correspond to the id

3517

# used in the type-specific API's.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

3518

},

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3519

"projectId": "A String", # The unique, user-assigned ID of the Project.

3520

# It must be 6 to 30 lowercase letters, digits, or hyphens.

3521

# It must start with a letter.

3522

# Trailing hyphens are prohibited.

3523

#

3524

# Example: <code>tokyo-rain-123</code>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3525

# Read-only after creation.

3526

"labels": { # The labels associated with this Project.

3527

#

3528

# Label keys must be between 1 and 63 characters long and must conform

3529

# to the following regular expression: \[a-z\](\[-a-z0-9\]*\[a-z0-9\])?.

3530

#

3531

# Label values must be between 0 and 63 characters long and must conform

3532

# to the regular expression (\[a-z\](\[-a-z0-9\]*\[a-z0-9\])?)?.

3533

#

3534

# No more than 256 labels can be associated with a given resource.

3535

#

3536

# Clients should store labels in a representation such as JSON that does not

3537

# depend on specific characters being disallowed.

3538

#

3539

# Example: <code>"environment" : "dev"</code>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3540

# Read-write.

Jon Wayne Parrott

2016-05-19 10:54:38 -0700

[diff] [blame]

3541

"a_key": "A String",

3542

},

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

3543

"projectNumber": "A String", # The number uniquely identifying the project.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3544

#

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

3545

# Example: <code>415104041262</code>

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3546

# Read-only.

3547

"lifecycleState": "A String", # The Project lifecycle state.

3548

#

3549

# Read-only.

Sai Cheemalapati

2017-03-13 12:12:03 -0400

[diff] [blame]

3550

"createTime": "A String", # Creation time.

Jon Wayne Parrott

2017-01-06 09:58:29 -0800

[diff] [blame]

3551

#

3552

# Read-only.

Jon Wayne Parrott