You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
627 lines
41 KiB
627 lines
41 KiB
<html><body>
|
|
<style>
|
|
|
|
body, h1, h2, h3, div, span, p, pre, a {
|
|
margin: 0;
|
|
padding: 0;
|
|
border: 0;
|
|
font-weight: inherit;
|
|
font-style: inherit;
|
|
font-size: 100%;
|
|
font-family: inherit;
|
|
vertical-align: baseline;
|
|
}
|
|
|
|
body {
|
|
font-size: 13px;
|
|
padding: 1em;
|
|
}
|
|
|
|
h1 {
|
|
font-size: 26px;
|
|
margin-bottom: 1em;
|
|
}
|
|
|
|
h2 {
|
|
font-size: 24px;
|
|
margin-bottom: 1em;
|
|
}
|
|
|
|
h3 {
|
|
font-size: 20px;
|
|
margin-bottom: 1em;
|
|
margin-top: 1em;
|
|
}
|
|
|
|
pre, code {
|
|
line-height: 1.5;
|
|
font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
|
|
}
|
|
|
|
pre {
|
|
margin-top: 0.5em;
|
|
}
|
|
|
|
h1, h2, h3, p {
|
|
font-family: Arial, sans serif;
|
|
}
|
|
|
|
h1, h2, h3 {
|
|
border-bottom: solid #CCC 1px;
|
|
}
|
|
|
|
.toc_element {
|
|
margin-top: 0.5em;
|
|
}
|
|
|
|
.firstline {
|
|
margin-left: 2 em;
|
|
}
|
|
|
|
.method {
|
|
margin-top: 1em;
|
|
border: solid 1px #CCC;
|
|
padding: 1em;
|
|
background: #EEE;
|
|
}
|
|
|
|
.details {
|
|
font-weight: bold;
|
|
font-size: 14px;
|
|
}
|
|
|
|
</style>
|
|
|
|
<h1><a href="compute_alpha.html">Compute Engine API</a> . <a href="compute_alpha.licenseCodes.html">licenseCodes</a></h1>
|
|
<h2>Instance Methods</h2>
|
|
<p class="toc_element">
|
|
<code><a href="#get">get(project, licenseCode)</a></code></p>
|
|
<p class="firstline">Return a specified license code. License codes are mirrored across all projects that have permissions to read the License Code.</p>
|
|
<p class="toc_element">
|
|
<code><a href="#getIamPolicy">getIamPolicy(project, resource)</a></code></p>
|
|
<p class="firstline">Gets the access control policy for a resource. May be empty if no such policy or resource exists.</p>
|
|
<p class="toc_element">
|
|
<code><a href="#setIamPolicy">setIamPolicy(project, resource, body)</a></code></p>
|
|
<p class="firstline">Sets the access control policy on the specified resource. Replaces any existing policy.</p>
|
|
<p class="toc_element">
|
|
<code><a href="#testIamPermissions">testIamPermissions(project, resource, body)</a></code></p>
|
|
<p class="firstline">Returns permissions that a caller has on the specified resource.</p>
|
|
<h3>Method Details</h3>
|
|
<div class="method">
|
|
<code class="details" id="get">get(project, licenseCode)</code>
|
|
<pre>Return a specified license code. License codes are mirrored across all projects that have permissions to read the License Code.
|
|
|
|
Args:
|
|
project: string, Project ID for this request. (required)
|
|
licenseCode: string, Number corresponding to the License code resource to return. (required)
|
|
|
|
Returns:
|
|
An object of the form:
|
|
|
|
{
|
|
"kind": "compute#licenseCode", # [Output Only] Type of resource. Always compute#licenseCode for licenses.
|
|
"description": "A String", # [Output Only] Description of this License Code.
|
|
"transferable": True or False, # [Output Only] If true, the license will remain attached when creating images or snapshots from disks. Otherwise, the license is not transferred.
|
|
"state": "A String", # [Output Only] Current state of this License Code.
|
|
"licenseAlias": [ # [Output Only] URL and description aliases of Licenses with the same License Code.
|
|
{
|
|
"description": "A String", # [Output Only] Description of this License Code.
|
|
"selfLink": "A String", # [Output Only] URL of license corresponding to this License Code.
|
|
},
|
|
],
|
|
"creationTimestamp": "A String", # [Output Only] Creation timestamp in RFC3339 text format.
|
|
"id": "A String", # [Output Only] The unique identifier for the resource. This identifier is defined by the server.
|
|
"selfLink": "A String", # [Output Only] Server-defined URL for the resource.
|
|
"name": "A String", # [Output Only] Name of the resource. The name is 1-20 characters long and must be a valid 64 bit integer.
|
|
}</pre>
|
|
</div>
|
|
|
|
<div class="method">
|
|
<code class="details" id="getIamPolicy">getIamPolicy(project, resource)</code>
|
|
<pre>Gets the access control policy for a resource. May be empty if no such policy or resource exists.
|
|
|
|
Args:
|
|
project: string, Project ID for this request. (required)
|
|
resource: string, Name or id of the resource for this request. (required)
|
|
|
|
Returns:
|
|
An object of the form:
|
|
|
|
{ # Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources.
|
|
#
|
|
#
|
|
#
|
|
# A `Policy` consists of a list of `bindings`. A `binding` binds a list of `members` to a `role`, where the members can be user accounts, Google groups, Google domains, and service accounts. A `role` is a named list of permissions defined by IAM.
|
|
#
|
|
# **JSON Example**
|
|
#
|
|
# { "bindings": [ { "role": "roles/owner", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-other-app@appspot.gserviceaccount.com" ] }, { "role": "roles/viewer", "members": ["user:sean@example.com"] } ] }
|
|
#
|
|
# **YAML Example**
|
|
#
|
|
# bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-other-app@appspot.gserviceaccount.com role: roles/owner - members: - user:sean@example.com role: roles/viewer
|
|
#
|
|
#
|
|
#
|
|
# For a description of IAM and its features, see the [IAM developer's guide](https://cloud.google.com/iam/docs).
|
|
"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
|
|
{ # Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.
|
|
#
|
|
# If there are AuditConfigs for both `allServices` and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted.
|
|
#
|
|
# Example Policy with multiple AuditConfigs:
|
|
#
|
|
# { "audit_configs": [ { "service": "allServices" "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:foo@gmail.com" ] }, { "log_type": "DATA_WRITE", }, { "log_type": "ADMIN_READ", } ] }, { "service": "fooservice.googleapis.com" "audit_log_configs": [ { "log_type": "DATA_READ", }, { "log_type": "DATA_WRITE", "exempted_members": [ "user:bar@gmail.com" ] } ] } ] }
|
|
#
|
|
# For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts foo@gmail.com from DATA_READ logging, and bar@gmail.com from DATA_WRITE logging.
|
|
"exemptedMembers": [
|
|
"A String",
|
|
],
|
|
"auditLogConfigs": [ # The configuration for logging of each type of permission.
|
|
{ # Provides the configuration for logging a type of permissions. Example:
|
|
#
|
|
# { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:foo@gmail.com" ] }, { "log_type": "DATA_WRITE", } ] }
|
|
#
|
|
# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting foo@gmail.com from DATA_READ logging.
|
|
"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of permission. Follows the same format of [Binding.members][].
|
|
"A String",
|
|
],
|
|
"logType": "A String", # The log type that this config enables.
|
|
},
|
|
],
|
|
"service": "A String", # Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.
|
|
},
|
|
],
|
|
"rules": [ # If more than one rule is specified, the rules are applied in the following manner: - All matching LOG rules are always applied. - If any DENY/DENY_WITH_LOG rule matches, permission is denied. Logging will be applied if one or more matching rule requires logging. - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is granted. Logging will be applied if one or more matching rule requires logging. - Otherwise, if no rule applies, permission is denied.
|
|
{ # A rule to be applied in a Policy.
|
|
"logConfigs": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries that match the LOG action.
|
|
{ # Specifies what kind of log the caller must write
|
|
"counter": { # Increment a streamz counter with the specified metric and field names. # Counter options.
|
|
#
|
|
# Metric names should start with a '/', generally be lowercase-only, and end in "_count". Field names should not contain an initial slash. The actual exported metric names will have "/iam/policy" prepended.
|
|
#
|
|
# Field names correspond to IAM request parameters and field values are their respective values.
|
|
#
|
|
# Supported field names: - "authority", which is "[token]" if IAMContext.token is present, otherwise the value of IAMContext.authority_selector if present, and otherwise a representation of IAMContext.principal; or - "iam_principal", a representation of IAMContext.principal even if a token or authority selector is present; or - "" (empty string), resulting in a counter with no fields.
|
|
#
|
|
# Examples: counter { metric: "/debug_access_count" field: "iam_principal" } ==> increment counter /iam/policy/backend_debug_access_count {iam_principal=[value of IAMContext.principal]}
|
|
#
|
|
# At this time we do not support multiple field names (though this may be supported in the future).
|
|
"field": "A String", # The field value to attribute.
|
|
"metric": "A String", # The metric to update.
|
|
},
|
|
"dataAccess": { # Write a Data Access (Gin) log # Data access options.
|
|
"logMode": "A String", # Whether Gin logging should happen in a fail-closed manner at the caller. This is relevant only in the LocalIAM implementation, for now.
|
|
},
|
|
"cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
|
|
"logName": "A String", # The log_name to populate in the Cloud Audit Record.
|
|
"authorizationLoggingOptions": { # Authorization-related information used by Cloud Audit Logging. # Information used by the Cloud Audit Logging pipeline.
|
|
"permissionType": "A String", # The type of the permission that was checked.
|
|
},
|
|
},
|
|
},
|
|
],
|
|
"notIns": [ # If one or more 'not_in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.
|
|
"A String",
|
|
],
|
|
"ins": [ # If one or more 'in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
|
|
"A String",
|
|
],
|
|
"action": "A String", # Required
|
|
"permissions": [ # A permission is a string of form '..' (e.g., 'storage.buckets.list'). A value of '*' matches all permissions, and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.
|
|
"A String",
|
|
],
|
|
"conditions": [ # Additional restrictions that must be met. All conditions must pass for the rule to match.
|
|
{ # A condition to be met.
|
|
"iam": "A String", # Trusted attributes supplied by the IAM system.
|
|
"sys": "A String", # Trusted attributes supplied by any service that owns resources and uses the IAM system for access control.
|
|
"values": [ # The objects of the condition.
|
|
"A String",
|
|
],
|
|
"svc": "A String", # Trusted attributes discharged by the service.
|
|
"op": "A String", # An operator to apply the subject with.
|
|
},
|
|
],
|
|
"description": "A String", # Human-readable description of the rule.
|
|
},
|
|
],
|
|
"version": 42, # Deprecated.
|
|
"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the `etag` in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An `etag` is returned in the response to `getIamPolicy`, and systems are expected to put that etag in the request to `setIamPolicy` to ensure that their change will be applied to the same version of the policy.
|
|
#
|
|
# If no `etag` is provided in the call to `setIamPolicy`, then the existing policy is overwritten blindly.
|
|
"bindings": [ # Associates a list of `members` to a `role`. `bindings` with no members will result in an error.
|
|
{ # Associates `members` with a `role`.
|
|
"role": "A String", # Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
|
|
"members": [ # Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values:
|
|
#
|
|
# * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account.
|
|
#
|
|
# * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account.
|
|
#
|
|
# * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@gmail.com` .
|
|
#
|
|
#
|
|
#
|
|
# * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`.
|
|
#
|
|
# * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`.
|
|
#
|
|
#
|
|
#
|
|
# * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`.
|
|
"A String",
|
|
],
|
|
"condition": { # Represents an expression text. Example: # The condition that is associated with this binding. NOTE: An unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
|
|
#
|
|
# title: "User account presence" description: "Determines whether the request has a user account" expression: "size(request.user) > 0"
|
|
"title": "A String", # An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
|
|
"expression": "A String", # Textual representation of an expression in Common Expression Language syntax.
|
|
#
|
|
# The application context of the containing message determines which well-known feature set of CEL is supported.
|
|
"description": "A String", # An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
|
|
"location": "A String", # An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
|
|
},
|
|
},
|
|
],
|
|
"iamOwned": True or False,
|
|
}</pre>
|
|
</div>
|
|
|
|
<div class="method">
|
|
<code class="details" id="setIamPolicy">setIamPolicy(project, resource, body)</code>
|
|
<pre>Sets the access control policy on the specified resource. Replaces any existing policy.
|
|
|
|
Args:
|
|
project: string, Project ID for this request. (required)
|
|
resource: string, Name or id of the resource for this request. (required)
|
|
body: object, The request body. (required)
|
|
The object takes the form of:
|
|
|
|
{
|
|
"policy": { # Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources. # REQUIRED: The complete policy to be applied to the 'resource'. The size of the policy is limited to a few 10s of KB. An empty policy is in general a valid policy but certain services (like Projects) might reject them.
|
|
#
|
|
#
|
|
#
|
|
# A `Policy` consists of a list of `bindings`. A `binding` binds a list of `members` to a `role`, where the members can be user accounts, Google groups, Google domains, and service accounts. A `role` is a named list of permissions defined by IAM.
|
|
#
|
|
# **JSON Example**
|
|
#
|
|
# { "bindings": [ { "role": "roles/owner", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-other-app@appspot.gserviceaccount.com" ] }, { "role": "roles/viewer", "members": ["user:sean@example.com"] } ] }
|
|
#
|
|
# **YAML Example**
|
|
#
|
|
# bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-other-app@appspot.gserviceaccount.com role: roles/owner - members: - user:sean@example.com role: roles/viewer
|
|
#
|
|
#
|
|
#
|
|
# For a description of IAM and its features, see the [IAM developer's guide](https://cloud.google.com/iam/docs).
|
|
"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
|
|
{ # Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.
|
|
#
|
|
# If there are AuditConfigs for both `allServices` and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted.
|
|
#
|
|
# Example Policy with multiple AuditConfigs:
|
|
#
|
|
# { "audit_configs": [ { "service": "allServices" "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:foo@gmail.com" ] }, { "log_type": "DATA_WRITE", }, { "log_type": "ADMIN_READ", } ] }, { "service": "fooservice.googleapis.com" "audit_log_configs": [ { "log_type": "DATA_READ", }, { "log_type": "DATA_WRITE", "exempted_members": [ "user:bar@gmail.com" ] } ] } ] }
|
|
#
|
|
# For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts foo@gmail.com from DATA_READ logging, and bar@gmail.com from DATA_WRITE logging.
|
|
"exemptedMembers": [
|
|
"A String",
|
|
],
|
|
"auditLogConfigs": [ # The configuration for logging of each type of permission.
|
|
{ # Provides the configuration for logging a type of permissions. Example:
|
|
#
|
|
# { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:foo@gmail.com" ] }, { "log_type": "DATA_WRITE", } ] }
|
|
#
|
|
# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting foo@gmail.com from DATA_READ logging.
|
|
"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of permission. Follows the same format of [Binding.members][].
|
|
"A String",
|
|
],
|
|
"logType": "A String", # The log type that this config enables.
|
|
},
|
|
],
|
|
"service": "A String", # Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.
|
|
},
|
|
],
|
|
"rules": [ # If more than one rule is specified, the rules are applied in the following manner: - All matching LOG rules are always applied. - If any DENY/DENY_WITH_LOG rule matches, permission is denied. Logging will be applied if one or more matching rule requires logging. - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is granted. Logging will be applied if one or more matching rule requires logging. - Otherwise, if no rule applies, permission is denied.
|
|
{ # A rule to be applied in a Policy.
|
|
"logConfigs": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries that match the LOG action.
|
|
{ # Specifies what kind of log the caller must write
|
|
"counter": { # Increment a streamz counter with the specified metric and field names. # Counter options.
|
|
#
|
|
# Metric names should start with a '/', generally be lowercase-only, and end in "_count". Field names should not contain an initial slash. The actual exported metric names will have "/iam/policy" prepended.
|
|
#
|
|
# Field names correspond to IAM request parameters and field values are their respective values.
|
|
#
|
|
# Supported field names: - "authority", which is "[token]" if IAMContext.token is present, otherwise the value of IAMContext.authority_selector if present, and otherwise a representation of IAMContext.principal; or - "iam_principal", a representation of IAMContext.principal even if a token or authority selector is present; or - "" (empty string), resulting in a counter with no fields.
|
|
#
|
|
# Examples: counter { metric: "/debug_access_count" field: "iam_principal" } ==> increment counter /iam/policy/backend_debug_access_count {iam_principal=[value of IAMContext.principal]}
|
|
#
|
|
# At this time we do not support multiple field names (though this may be supported in the future).
|
|
"field": "A String", # The field value to attribute.
|
|
"metric": "A String", # The metric to update.
|
|
},
|
|
"dataAccess": { # Write a Data Access (Gin) log # Data access options.
|
|
"logMode": "A String", # Whether Gin logging should happen in a fail-closed manner at the caller. This is relevant only in the LocalIAM implementation, for now.
|
|
},
|
|
"cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
|
|
"logName": "A String", # The log_name to populate in the Cloud Audit Record.
|
|
"authorizationLoggingOptions": { # Authorization-related information used by Cloud Audit Logging. # Information used by the Cloud Audit Logging pipeline.
|
|
"permissionType": "A String", # The type of the permission that was checked.
|
|
},
|
|
},
|
|
},
|
|
],
|
|
"notIns": [ # If one or more 'not_in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.
|
|
"A String",
|
|
],
|
|
"ins": [ # If one or more 'in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
|
|
"A String",
|
|
],
|
|
"action": "A String", # Required
|
|
"permissions": [ # A permission is a string of form '..' (e.g., 'storage.buckets.list'). A value of '*' matches all permissions, and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.
|
|
"A String",
|
|
],
|
|
"conditions": [ # Additional restrictions that must be met. All conditions must pass for the rule to match.
|
|
{ # A condition to be met.
|
|
"iam": "A String", # Trusted attributes supplied by the IAM system.
|
|
"sys": "A String", # Trusted attributes supplied by any service that owns resources and uses the IAM system for access control.
|
|
"values": [ # The objects of the condition.
|
|
"A String",
|
|
],
|
|
"svc": "A String", # Trusted attributes discharged by the service.
|
|
"op": "A String", # An operator to apply the subject with.
|
|
},
|
|
],
|
|
"description": "A String", # Human-readable description of the rule.
|
|
},
|
|
],
|
|
"version": 42, # Deprecated.
|
|
"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the `etag` in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An `etag` is returned in the response to `getIamPolicy`, and systems are expected to put that etag in the request to `setIamPolicy` to ensure that their change will be applied to the same version of the policy.
|
|
#
|
|
# If no `etag` is provided in the call to `setIamPolicy`, then the existing policy is overwritten blindly.
|
|
"bindings": [ # Associates a list of `members` to a `role`. `bindings` with no members will result in an error.
|
|
{ # Associates `members` with a `role`.
|
|
"role": "A String", # Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
|
|
"members": [ # Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values:
|
|
#
|
|
# * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account.
|
|
#
|
|
# * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account.
|
|
#
|
|
# * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@gmail.com` .
|
|
#
|
|
#
|
|
#
|
|
# * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`.
|
|
#
|
|
# * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`.
|
|
#
|
|
#
|
|
#
|
|
# * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`.
|
|
"A String",
|
|
],
|
|
"condition": { # Represents an expression text. Example: # The condition that is associated with this binding. NOTE: An unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
|
|
#
|
|
# title: "User account presence" description: "Determines whether the request has a user account" expression: "size(request.user) > 0"
|
|
"title": "A String", # An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
|
|
"expression": "A String", # Textual representation of an expression in Common Expression Language syntax.
|
|
#
|
|
# The application context of the containing message determines which well-known feature set of CEL is supported.
|
|
"description": "A String", # An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
|
|
"location": "A String", # An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
|
|
},
|
|
},
|
|
],
|
|
"iamOwned": True or False,
|
|
},
|
|
"bindings": [ # Flatten Policy to create a backward compatible wire-format. Deprecated. Use 'policy' to specify bindings.
|
|
{ # Associates `members` with a `role`.
|
|
"role": "A String", # Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
|
|
"members": [ # Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values:
|
|
#
|
|
# * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account.
|
|
#
|
|
# * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account.
|
|
#
|
|
# * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@gmail.com` .
|
|
#
|
|
#
|
|
#
|
|
# * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`.
|
|
#
|
|
# * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`.
|
|
#
|
|
#
|
|
#
|
|
# * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`.
|
|
"A String",
|
|
],
|
|
"condition": { # Represents an expression text. Example: # The condition that is associated with this binding. NOTE: An unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
|
|
#
|
|
# title: "User account presence" description: "Determines whether the request has a user account" expression: "size(request.user) > 0"
|
|
"title": "A String", # An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
|
|
"expression": "A String", # Textual representation of an expression in Common Expression Language syntax.
|
|
#
|
|
# The application context of the containing message determines which well-known feature set of CEL is supported.
|
|
"description": "A String", # An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
|
|
"location": "A String", # An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
|
|
},
|
|
},
|
|
],
|
|
"etag": "A String", # Flatten Policy to create a backward compatible wire-format. Deprecated. Use 'policy' to specify the etag.
|
|
}
|
|
|
|
|
|
Returns:
|
|
An object of the form:
|
|
|
|
{ # Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources.
|
|
#
|
|
#
|
|
#
|
|
# A `Policy` consists of a list of `bindings`. A `binding` binds a list of `members` to a `role`, where the members can be user accounts, Google groups, Google domains, and service accounts. A `role` is a named list of permissions defined by IAM.
|
|
#
|
|
# **JSON Example**
|
|
#
|
|
# { "bindings": [ { "role": "roles/owner", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-other-app@appspot.gserviceaccount.com" ] }, { "role": "roles/viewer", "members": ["user:sean@example.com"] } ] }
|
|
#
|
|
# **YAML Example**
|
|
#
|
|
# bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-other-app@appspot.gserviceaccount.com role: roles/owner - members: - user:sean@example.com role: roles/viewer
|
|
#
|
|
#
|
|
#
|
|
# For a description of IAM and its features, see the [IAM developer's guide](https://cloud.google.com/iam/docs).
|
|
"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
|
|
{ # Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.
|
|
#
|
|
# If there are AuditConfigs for both `allServices` and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted.
|
|
#
|
|
# Example Policy with multiple AuditConfigs:
|
|
#
|
|
# { "audit_configs": [ { "service": "allServices" "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:foo@gmail.com" ] }, { "log_type": "DATA_WRITE", }, { "log_type": "ADMIN_READ", } ] }, { "service": "fooservice.googleapis.com" "audit_log_configs": [ { "log_type": "DATA_READ", }, { "log_type": "DATA_WRITE", "exempted_members": [ "user:bar@gmail.com" ] } ] } ] }
|
|
#
|
|
# For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts foo@gmail.com from DATA_READ logging, and bar@gmail.com from DATA_WRITE logging.
|
|
"exemptedMembers": [
|
|
"A String",
|
|
],
|
|
"auditLogConfigs": [ # The configuration for logging of each type of permission.
|
|
{ # Provides the configuration for logging a type of permissions. Example:
|
|
#
|
|
# { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:foo@gmail.com" ] }, { "log_type": "DATA_WRITE", } ] }
|
|
#
|
|
# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting foo@gmail.com from DATA_READ logging.
|
|
"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of permission. Follows the same format of [Binding.members][].
|
|
"A String",
|
|
],
|
|
"logType": "A String", # The log type that this config enables.
|
|
},
|
|
],
|
|
"service": "A String", # Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.
|
|
},
|
|
],
|
|
"rules": [ # If more than one rule is specified, the rules are applied in the following manner: - All matching LOG rules are always applied. - If any DENY/DENY_WITH_LOG rule matches, permission is denied. Logging will be applied if one or more matching rule requires logging. - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is granted. Logging will be applied if one or more matching rule requires logging. - Otherwise, if no rule applies, permission is denied.
|
|
{ # A rule to be applied in a Policy.
|
|
"logConfigs": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries that match the LOG action.
|
|
{ # Specifies what kind of log the caller must write
|
|
"counter": { # Increment a streamz counter with the specified metric and field names. # Counter options.
|
|
#
|
|
# Metric names should start with a '/', generally be lowercase-only, and end in "_count". Field names should not contain an initial slash. The actual exported metric names will have "/iam/policy" prepended.
|
|
#
|
|
# Field names correspond to IAM request parameters and field values are their respective values.
|
|
#
|
|
# Supported field names: - "authority", which is "[token]" if IAMContext.token is present, otherwise the value of IAMContext.authority_selector if present, and otherwise a representation of IAMContext.principal; or - "iam_principal", a representation of IAMContext.principal even if a token or authority selector is present; or - "" (empty string), resulting in a counter with no fields.
|
|
#
|
|
# Examples: counter { metric: "/debug_access_count" field: "iam_principal" } ==> increment counter /iam/policy/backend_debug_access_count {iam_principal=[value of IAMContext.principal]}
|
|
#
|
|
# At this time we do not support multiple field names (though this may be supported in the future).
|
|
"field": "A String", # The field value to attribute.
|
|
"metric": "A String", # The metric to update.
|
|
},
|
|
"dataAccess": { # Write a Data Access (Gin) log # Data access options.
|
|
"logMode": "A String", # Whether Gin logging should happen in a fail-closed manner at the caller. This is relevant only in the LocalIAM implementation, for now.
|
|
},
|
|
"cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
|
|
"logName": "A String", # The log_name to populate in the Cloud Audit Record.
|
|
"authorizationLoggingOptions": { # Authorization-related information used by Cloud Audit Logging. # Information used by the Cloud Audit Logging pipeline.
|
|
"permissionType": "A String", # The type of the permission that was checked.
|
|
},
|
|
},
|
|
},
|
|
],
|
|
"notIns": [ # If one or more 'not_in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.
|
|
"A String",
|
|
],
|
|
"ins": [ # If one or more 'in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
|
|
"A String",
|
|
],
|
|
"action": "A String", # Required
|
|
"permissions": [ # A permission is a string of form '..' (e.g., 'storage.buckets.list'). A value of '*' matches all permissions, and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.
|
|
"A String",
|
|
],
|
|
"conditions": [ # Additional restrictions that must be met. All conditions must pass for the rule to match.
|
|
{ # A condition to be met.
|
|
"iam": "A String", # Trusted attributes supplied by the IAM system.
|
|
"sys": "A String", # Trusted attributes supplied by any service that owns resources and uses the IAM system for access control.
|
|
"values": [ # The objects of the condition.
|
|
"A String",
|
|
],
|
|
"svc": "A String", # Trusted attributes discharged by the service.
|
|
"op": "A String", # An operator to apply the subject with.
|
|
},
|
|
],
|
|
"description": "A String", # Human-readable description of the rule.
|
|
},
|
|
],
|
|
"version": 42, # Deprecated.
|
|
"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the `etag` in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An `etag` is returned in the response to `getIamPolicy`, and systems are expected to put that etag in the request to `setIamPolicy` to ensure that their change will be applied to the same version of the policy.
|
|
#
|
|
# If no `etag` is provided in the call to `setIamPolicy`, then the existing policy is overwritten blindly.
|
|
"bindings": [ # Associates a list of `members` to a `role`. `bindings` with no members will result in an error.
|
|
{ # Associates `members` with a `role`.
|
|
"role": "A String", # Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
|
|
"members": [ # Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values:
|
|
#
|
|
# * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account.
|
|
#
|
|
# * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account.
|
|
#
|
|
# * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@gmail.com` .
|
|
#
|
|
#
|
|
#
|
|
# * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`.
|
|
#
|
|
# * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`.
|
|
#
|
|
#
|
|
#
|
|
# * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`.
|
|
"A String",
|
|
],
|
|
"condition": { # Represents an expression text. Example: # The condition that is associated with this binding. NOTE: An unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
|
|
#
|
|
# title: "User account presence" description: "Determines whether the request has a user account" expression: "size(request.user) > 0"
|
|
"title": "A String", # An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
|
|
"expression": "A String", # Textual representation of an expression in Common Expression Language syntax.
|
|
#
|
|
# The application context of the containing message determines which well-known feature set of CEL is supported.
|
|
"description": "A String", # An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
|
|
"location": "A String", # An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
|
|
},
|
|
},
|
|
],
|
|
"iamOwned": True or False,
|
|
}</pre>
|
|
</div>
|
|
|
|
<div class="method">
|
|
<code class="details" id="testIamPermissions">testIamPermissions(project, resource, body)</code>
|
|
<pre>Returns permissions that a caller has on the specified resource.
|
|
|
|
Args:
|
|
project: string, Project ID for this request. (required)
|
|
resource: string, Name or id of the resource for this request. (required)
|
|
body: object, The request body. (required)
|
|
The object takes the form of:
|
|
|
|
{
|
|
"permissions": [ # The set of permissions to check for the 'resource'. Permissions with wildcards (such as '*' or 'storage.*') are not allowed.
|
|
"A String",
|
|
],
|
|
}
|
|
|
|
|
|
Returns:
|
|
An object of the form:
|
|
|
|
{
|
|
"permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is allowed.
|
|
"A String",
|
|
],
|
|
}</pre>
|
|
</div>
|
|
|
|
</body></html> |