Identity and Access Management (IAM) API . iamPolicies

Instance Methods

lintPolicy(body, x__xgafv=None)

Lints a Cloud IAM policy object or its sub fields. Currently supports google.iam.v1.Policy, google.iam.v1.Binding and google.iam.v1.Binding.condition.

queryAuditableServices(body, x__xgafv=None)

Returns a list of services that support service level audit logging configuration for the given resource.

Method Details

lintPolicy(body, x__xgafv=None)
Lints a Cloud IAM policy object or its sub fields. The request can carry a
google.iam.v1.Policy, a google.iam.v1.Binding or a
google.iam.v1.Binding.condition; at present only `condition` is actually
linted, and setting `policy` or `binding` returns a NOT_IMPLEMENTED error
(see the request body below).

Each lint operation consists of multiple lint validation units.
Validation units have the following properties:

- Each unit inspects the input object in regard to a particular
  linting aspect and issues a google.iam.admin.v1.LintResult
  disclosing the result.
- Domain of discourse of each unit can be either
  google.iam.v1.Policy, google.iam.v1.Binding, or
  google.iam.v1.Binding.condition depending on the purpose of the
  validation.
- A unit may require additional data (like the list of all possible
  enumerable values of a particular attribute used in the policy instance)
  which shall be provided by the caller. Refer to the comments of
  google.iam.admin.v1.LintPolicyRequest.context for more details.

The set of applicable validation units is determined by the Cloud IAM
server and is not configurable.

Regardless of any lint issues or their severities, successful calls to
`lintPolicy` return an HTTP 200 OK status code.

Args:
  body: object, The request body. (required)
    The object takes the form of:

{ # The request to lint a Cloud IAM policy object. LintPolicy is currently
      # functional only for `lint_object` of type `condition`.
    "policy": { # Policy object to be linted. The functionality of linting a policy is not
        # yet implemented and if this field is set, it returns NOT_IMPLEMENTED
        # error.
        #
        # Defines an Identity and Access Management (IAM) policy. It is used to
        # specify access control policies for Cloud Platform resources.
        #
        #
        # A `Policy` consists of a list of `bindings`. A `binding` binds a list of
        # `members` to a `role`, where the members can be user accounts, Google groups,
        # Google domains, and service accounts. A `role` is a named list of permissions
        # defined by IAM.
        #
        # **JSON Example**
        #
        #     {
        #       "bindings": [
        #         {
        #           "role": "roles/owner",
        #           "members": [
        #             "user:mike@example.com",
        #             "group:admins@example.com",
        #             "domain:google.com",
        #             "serviceAccount:my-other-app@appspot.gserviceaccount.com"
        #           ]
        #         },
        #         {
        #           "role": "roles/viewer",
        #           "members": ["user:sean@example.com"]
        #         }
        #       ]
        #     }
        #
        # **YAML Example**
        #
        #     bindings:
        #     - members:
        #       - user:mike@example.com
        #       - group:admins@example.com
        #       - domain:google.com
        #       - serviceAccount:my-other-app@appspot.gserviceaccount.com
        #       role: roles/owner
        #     - members:
        #       - user:sean@example.com
        #       role: roles/viewer
        #
        #
        # For a description of IAM and its features, see the
        # [IAM developer's guide](https://cloud.google.com/iam/docs).
      "bindings": [ # Associates a list of `members` to a `role`.
          # `bindings` with no members will result in an error.
        { # Associates `members` with a `role`.
          "role": "A String", # Role that is assigned to `members`.
              # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
          "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
              # `members` can have the following values:
              #
              # * `allUsers`: A special identifier that represents anyone who is
              #    on the internet; with or without a Google account.
              #
              # * `allAuthenticatedUsers`: A special identifier that represents anyone
              #    who is authenticated with a Google account or a service account.
              #
              # * `user:{emailid}`: An email address that represents a specific Google
              #    account. For example, `alice@gmail.com`.
              #
              #
              # * `serviceAccount:{emailid}`: An email address that represents a service
              #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
              #
              # * `group:{emailid}`: An email address that represents a Google group.
              #    For example, `admins@example.com`.
              #
              #
              # * `domain:{domain}`: The G Suite domain (primary) that represents all the
              #    users of that domain. For example, `google.com` or `example.com`.
              #
            "A String",
          ],
          "condition": { # The condition that is associated with this binding.
              # NOTE: An unsatisfied condition will not allow user access via current
              # binding. Different bindings, including their conditions, are examined
              # independently.
              #
              # Represents an expression text. Example:
              #
              #     title: "User account presence"
              #     description: "Determines whether the request has a user account"
              #     expression: "size(request.user) > 0"
            "location": "A String", # An optional string indicating the location of the expression for error
                # reporting, e.g. a file name and a position in the file.
            "expression": "A String", # Textual representation of an expression in
                # Common Expression Language syntax.
                #
                # The application context of the containing message determines which
                # well-known feature set of CEL is supported.
            "description": "A String", # An optional description of the expression. This is a longer text which
                # describes the expression, e.g. when hovered over it in a UI.
            "title": "A String", # An optional title for the expression, i.e. a short string describing
                # its purpose. This can be used e.g. in UIs which allow to enter the
                # expression.
          },
        },
      ],
      "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
        { # Specifies the audit configuration for a service.
            # The configuration determines which permission types are logged, and what
            # identities, if any, are exempted from logging.
            # An AuditConfig must have one or more AuditLogConfigs.
            #
            # If there are AuditConfigs for both `allServices` and a specific service,
            # the union of the two AuditConfigs is used for that service: the log_types
            # specified in each AuditConfig are enabled, and the exempted_members in each
            # AuditLogConfig are exempted.
            #
            # Example Policy with multiple AuditConfigs:
            #
            #     {
            #       "audit_configs": [
            #         {
            #           "service": "allServices",
            #           "audit_log_configs": [
            #             {
            #               "log_type": "DATA_READ",
            #               "exempted_members": [
            #                 "user:foo@gmail.com"
            #               ]
            #             },
            #             {
            #               "log_type": "DATA_WRITE"
            #             },
            #             {
            #               "log_type": "ADMIN_READ"
            #             }
            #           ]
            #         },
            #         {
            #           "service": "fooservice.googleapis.com",
            #           "audit_log_configs": [
            #             {
            #               "log_type": "DATA_READ"
            #             },
            #             {
            #               "log_type": "DATA_WRITE",
            #               "exempted_members": [
            #                 "user:bar@gmail.com"
            #               ]
            #             }
            #           ]
            #         }
            #       ]
            #     }
            #
            # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
            # logging. It also exempts foo@gmail.com from DATA_READ logging, and
            # bar@gmail.com from DATA_WRITE logging.
          "auditLogConfigs": [ # The configuration for logging of each type of permission.
            { # Provides the configuration for logging a type of permissions.
                # Example:
                #
                #     {
                #       "audit_log_configs": [
                #         {
                #           "log_type": "DATA_READ",
                #           "exempted_members": [
                #             "user:foo@gmail.com"
                #           ]
                #         },
                #         {
                #           "log_type": "DATA_WRITE"
                #         }
                #       ]
                #     }
                #
                # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
                # foo@gmail.com from DATA_READ logging.
              "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
                  # permission.
                  # Follows the same format of Binding.members.
                "A String",
              ],
              "logType": "A String", # The log type that this config enables.
            },
          ],
          "service": "A String", # Specifies a service that will be enabled for audit logging.
              # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
              # `allServices` is a special value that covers all services.
        },
      ],
      "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
          # prevent simultaneous updates of a policy from overwriting each other.
          # It is strongly suggested that systems make use of the `etag` in the
          # read-modify-write cycle to perform policy updates in order to avoid race
          # conditions: An `etag` is returned in the response to `getIamPolicy`, and
          # systems are expected to put that etag in the request to `setIamPolicy` to
          # ensure that their change will be applied to the same version of the policy.
          #
          # If no `etag` is provided in the call to `setIamPolicy`, then the existing
          # policy is overwritten blindly.
      "version": 42, # Deprecated.
    },
    "fullResourceName": "A String", # The full resource name of the policy this lint request is about.
        # 
        # The name follows the Google Cloud Platform (GCP) resource format.
        # For example, a GCP project with ID `my-project` will be named
        # `//cloudresourcemanager.googleapis.com/projects/my-project`.
        # 
        # The resource name is not used to read the policy instance from the Cloud
        # IAM database. The candidate policy for lint has to be provided in the same
        # request object.
    "binding": { # Binding object to be linted. The functionality of linting a binding is
        # not yet implemented and if this field is set, it returns NOT_IMPLEMENTED
        # error.
        #
        # Associates `members` with a `role`.
      "role": "A String", # Role that is assigned to `members`.
          # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
      "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
          # `members` can have the following values:
          #
          # * `allUsers`: A special identifier that represents anyone who is
          #    on the internet; with or without a Google account.
          #
          # * `allAuthenticatedUsers`: A special identifier that represents anyone
          #    who is authenticated with a Google account or a service account.
          #
          # * `user:{emailid}`: An email address that represents a specific Google
          #    account. For example, `alice@gmail.com`.
          #
          #
          # * `serviceAccount:{emailid}`: An email address that represents a service
          #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
          #
          # * `group:{emailid}`: An email address that represents a Google group.
          #    For example, `admins@example.com`.
          #
          #
          # * `domain:{domain}`: The G Suite domain (primary) that represents all the
          #    users of that domain. For example, `google.com` or `example.com`.
          #
        "A String",
      ],
      "condition": { # The condition that is associated with this binding.
          # NOTE: An unsatisfied condition will not allow user access via current
          # binding. Different bindings, including their conditions, are examined
          # independently.
          #
          # Represents an expression text. Example:
          #
          #     title: "User account presence"
          #     description: "Determines whether the request has a user account"
          #     expression: "size(request.user) > 0"
        "location": "A String", # An optional string indicating the location of the expression for error
            # reporting, e.g. a file name and a position in the file.
        "expression": "A String", # Textual representation of an expression in
            # Common Expression Language syntax.
            #
            # The application context of the containing message determines which
            # well-known feature set of CEL is supported.
        "description": "A String", # An optional description of the expression. This is a longer text which
            # describes the expression, e.g. when hovered over it in a UI.
        "title": "A String", # An optional title for the expression, i.e. a short string describing
            # its purpose. This can be used e.g. in UIs which allow to enter the
            # expression.
      },
    },
    "condition": { # google.iam.v1.Binding.condition object to be linted. This is the only
        # lint object that is currently functional.
        #
        # Represents an expression text. Example:
        #
        #     title: "User account presence"
        #     description: "Determines whether the request has a user account"
        #     expression: "size(request.user) > 0"
      "location": "A String", # An optional string indicating the location of the expression for error
          # reporting, e.g. a file name and a position in the file.
      "expression": "A String", # Textual representation of an expression in
          # Common Expression Language syntax.
          #
          # The application context of the containing message determines which
          # well-known feature set of CEL is supported.
      "description": "A String", # An optional description of the expression. This is a longer text which
          # describes the expression, e.g. when hovered over it in a UI.
      "title": "A String", # An optional title for the expression, i.e. a short string describing
          # its purpose. This can be used e.g. in UIs which allow to enter the
          # expression.
    },
    "context": { # `context` contains additional *permission-controlled* data that any
        # lint unit may depend on, in form of `{key: value}` pairs. Currently, this
        # field is non-operational and it will not be used during the lint operation.
      "a_key": "", # Properties of the object.
    },
  }
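The `etag` text above describes a read-modify-write cycle against getIamPolicy/setIamPolicy. The following is an added example, not Google's code: `PolicyStore` is an in-memory stand-in for the IAM backend so the lost-update race can be reproduced offline. The conflict exception name (`EtagMismatch`) and the etag derivation (a hash of the canonical policy JSON) are assumptions; the real service computes etags opaquely and reports a conflict through its own error.

```python
"""Read-modify-write of an IAM policy guarded by `etag`, simulated offline.

Added example, not Google's code. PolicyStore stands in for the IAM
backend's getIamPolicy/setIamPolicy. EtagMismatch and the etag derivation
are assumptions; the real service's etag is opaque.
"""
import copy
import hashlib
import json


class EtagMismatch(Exception):
    """Raised when setIamPolicy is called with a stale etag (assumed name)."""


class PolicyStore:
    def __init__(self, policy: dict):
        self._policy = copy.deepcopy(policy)
        self._policy["etag"] = self._etag_of(self._policy)

    @staticmethod
    def _etag_of(policy: dict) -> str:
        # Assumption for the simulation: etag = hash of canonical JSON sans etag.
        body = {k: v for k, v in policy.items() if k != "etag"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()[:16]

    def get_iam_policy(self) -> dict:
        return copy.deepcopy(self._policy)

    def set_iam_policy(self, policy: dict) -> dict:
        """Apply `policy`. A supplied etag must match the current one; a
        missing etag overwrites blindly, exactly as the page describes."""
        supplied = policy.get("etag")
        if supplied is not None and supplied != self._policy["etag"]:
            raise EtagMismatch(f"stale etag {supplied}")
        new = {k: v for k, v in policy.items() if k != "etag"}
        new["etag"] = self._etag_of(new)
        self._policy = new
        return copy.deepcopy(new)


def add_member(policy: dict, role: str, member: str) -> dict:
    """Return a copy of `policy` with `member` added to `role` (creating the
    binding if needed). Never edits in place, so retries start clean."""
    policy = copy.deepcopy(policy)
    for b in policy.setdefault("bindings", []):
        if b["role"] == role:
            if member not in b["members"]:
                b["members"].append(member)
            return policy
    policy["bindings"].append({"role": role, "members": [member]})
    return policy


def update_with_retry(store: PolicyStore, mutate, attempts: int = 3) -> dict:
    """The documented cycle: read (etag included), modify, write; on a
    conflict re-read and re-apply the change instead of overwriting."""
    for _ in range(attempts):
        current = store.get_iam_policy()
        try:
            return store.set_iam_policy(mutate(current))
        except EtagMismatch:
            continue
    raise RuntimeError("gave up after repeated etag conflicts")


def members_of(policy: dict, role: str) -> list:
    return next((b["members"] for b in policy.get("bindings", []) if b["role"] == role), [])


def lost_update_demo() -> tuple:
    """Two writers each read, then write. Without etags the second write
    silently drops the first writer's change; with etags it is rejected,
    and the retry loop re-reads so both changes survive."""
    base = {"bindings": [{"role": "roles/viewer", "members": ["user:sean@example.com"]}]}

    # Blind overwrite: both writers strip the etag before writing.
    blind = PolicyStore(base)
    a = add_member(blind.get_iam_policy(), "roles/viewer", "user:alice@example.com")
    b = add_member(blind.get_iam_policy(), "roles/viewer", "user:bob@example.com")
    a.pop("etag")
    b.pop("etag")
    blind.set_iam_policy(a)
    blind.set_iam_policy(b)  # alice's grant is gone
    blind_members = members_of(blind.get_iam_policy(), "roles/viewer")

    # Guarded: writer B keeps the etag it read, so its write conflicts.
    guarded = PolicyStore(base)
    stale_b = add_member(guarded.get_iam_policy(), "roles/viewer", "user:bob@example.com")
    guarded.set_iam_policy(add_member(guarded.get_iam_policy(), "roles/viewer", "user:alice@example.com"))
    try:
        guarded.set_iam_policy(stale_b)
        conflict = False
    except EtagMismatch:
        conflict = True
    update_with_retry(guarded, lambda p: add_member(p, "roles/viewer", "user:bob@example.com"))
    guarded_members = members_of(guarded.get_iam_policy(), "roles/viewer")
    return blind_members, conflict, guarded_members


if __name__ == "__main__":
    print(lost_update_demo())
```

The blind path is what happens when a tool reads a policy, drops or ignores `etag`, and writes back: a concurrent grant disappears without any error, which is why the page calls the etag "strongly suggested" rather than optional in practice.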

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # The response of a lint operation. An empty response indicates
      # the operation was able to fully execute and no lint issue was found.
    "lintResults": [ # List of lint results sorted by a composite key:
        # descending order of severity, then ascending order of binding_ordinal.
        # There is no defined order among results that share the same key.
        #
        # For cross-binding results (only if the input object to lint is
        # instance of google.iam.v1.Policy), there will be a
        # google.iam.admin.v1.LintResult for each of the involved bindings,
        # and the associated debug_message may enumerate the other involved
        # binding ordinal number(s).
      { # Structured response of a single validation unit.
        "validationUnitName": "A String", # The validation unit name, for instance
            # "lintValidationUnits/ConditionComplexityCheck".
        "severity": "A String", # The validation unit severity.
        "level": "A String", # The validation unit level.
        "bindingOrdinal": 42, # 0-based index ordinality of the binding in the input object associated
            # with this result.
            # This field is populated only if the input object to lint is of type
            # google.iam.v1.Policy, which can comprise more than one binding.
            # It is set to -1 if the result is not associated with any particular
            # binding and only targets the policy as a whole, such as results about
            # policy size violations.
        "debugMessage": "A String", # Human readable debug message associated with the issue.
        "fieldName": "A String", # The name of the field for which this lint result is about.
            #
            # For nested messages, `field_name` consists of names of the embedded fields
            # separated by period character. The top-level qualifier is the input object
            # to lint in the request. For instance, if the lint request is on a
            # google.iam.v1.Policy and this lint result is about a condition
            # expression of one of the input policy bindings, the field would be
            # populated as `policy.bindings.condition.expression`.
            #
            # This field does not identify the ordinality of the repetitive fields (for
            # instance bindings in a policy).
        "locationOffset": 42, # 0-based character position of problematic construct within the object
            # identified by `field_name`. Currently, this is populated only for condition
            # expression.
      },
    ],
  }
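The following is an added example, not code from this documentation or from Google. It builds a `lintPolicy` request body that carries only `condition` (the one lint object the page says is functional), orders the results the way the response documents (severity descending, then `bindingOrdinal` ascending), and uses `fieldName` plus `locationOffset` to point at the offending character of the expression. `SAMPLE_RESPONSE` is constructed by hand to match the documented `LintPolicyResponse` shape; the severity labels in `SEVERITY_ORDER` and the unit name `lintValidationUnits/ExampleCheck` are assumptions, since the page enumerates neither.

```python
"""Build a lintPolicy request for a binding condition and triage the response.

Added example: not code from the google-api-python-client documentation or
from Google. SAMPLE_RESPONSE is constructed; SEVERITY_ORDER and the
"ExampleCheck" unit name are assumptions (the page enumerates neither).
"""
from typing import List, Optional

# Assumed severity labels, most severe first; labels not listed sort last.
SEVERITY_ORDER = ["ERROR", "WARNING", "NOTICE", "INFO", "DEPRECATED"]

EXPRESSION = 'request.time < timestamp("2030-01-01T00:00:00Z")'

# Constructed sample response for EXPRESSION (no network call is made).
SAMPLE_RESPONSE = {
    "lintResults": [
        {"validationUnitName": "lintValidationUnits/ConditionComplexityCheck",
         "severity": "WARNING", "fieldName": "condition.expression",
         "locationOffset": 0, "debugMessage": "constructed: complexity note"},
        {"validationUnitName": "lintValidationUnits/ExampleCheck",  # assumed name
         "severity": "ERROR", "fieldName": "condition.expression",
         "locationOffset": 15, "debugMessage": "constructed: error at timestamp()"},
    ]
}


def build_condition_lint_request(full_resource_name: str, expression: str,
                                 title: Optional[str] = None,
                                 description: Optional[str] = None,
                                 location: Optional[str] = None) -> dict:
    """Return a LintPolicyRequest body that lints only `condition`.

    `policy` and `binding` are deliberately never set: the page documents
    that sending either returns NOT_IMPLEMENTED. The resource name is
    informational only; the condition to lint travels in the body.
    """
    condition = {"expression": expression}
    if title:
        condition["title"] = title
    if description:
        condition["description"] = description
    if location:
        condition["location"] = location
    return {"fullResourceName": full_resource_name, "condition": condition}


def severity_rank(result: dict) -> int:
    sev = result.get("severity", "")
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else len(SEVERITY_ORDER)


def triage(response: dict) -> List[dict]:
    """Results in the documented order: severity descending, then
    bindingOrdinal ascending. Empty means the lint ran and found nothing;
    HTTP status is 200 either way, so callers must inspect this list."""
    results = response.get("lintResults", [])
    return sorted(results, key=lambda r: (severity_rank(r), r.get("bindingOrdinal", -1)))


def has_errors(response: dict) -> bool:
    """True if any result carries the (assumed) ERROR severity label."""
    return any(r.get("severity") == "ERROR" for r in response.get("lintResults", []))


def point_at(expression: str, result: dict) -> str:
    """Render `expression` with a caret under the result's locationOffset.

    locationOffset is a 0-based character index into the field named by
    fieldName and is only populated for condition expressions; results
    without it (or about another field) are returned unannotated.
    """
    offset = result.get("locationOffset")
    if offset is None or not result.get("fieldName", "").endswith("condition.expression"):
        return expression
    offset = max(0, min(offset, len(expression)))
    return expression + "\n" + " " * offset + "^ " + result.get("debugMessage", "")


if __name__ == "__main__":
    req = build_condition_lint_request(
        "//cloudresourcemanager.googleapis.com/projects/my-project",
        EXPRESSION, title="Expires 2030")
    # Live call (needs credentials and network; not run here):
    #   from googleapiclient.discovery import build
    #   resp = build("iam", "v1").iamPolicies().lintPolicy(body=req).execute()
    resp = SAMPLE_RESPONSE
    for r in triage(resp):
        print(r["severity"], r["validationUnitName"])
        print(point_at(EXPRESSION, r))
    raise SystemExit(1 if has_errors(resp) else 0)
```

Because a 200 response carries lint findings rather than signalling them through the status code, a CI gate around this call has to fail on the content of `lintResults`, which is what the exit status in the block does.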
queryAuditableServices(body, x__xgafv=None)
Returns a list of services that support service level audit logging
configuration for the given resource.

Args:
  body: object, The request body. (required)
    The object takes the form of:

{ # A request to get the list of auditable services for a resource.
    "fullResourceName": "A String", # Required. The full resource name to query from the list of auditable
        # services.
        # 
        # The name follows the Google Cloud Platform resource format.
        # For example, a Cloud Platform project with id `my-project` will be named
        # `//cloudresourcemanager.googleapis.com/projects/my-project`.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A response containing a list of auditable services for a resource.
    "services": [ # The auditable services for a resource.
      { # Contains information about an auditable service.
        "name": "A String", # Public name of the service.
            # For example, the service name for Cloud IAM is 'iam.googleapis.com'.
      },
    ],
  }
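The `auditConfigs` description earlier on this page gives the merge rule for `allServices` and a service-specific entry (log types from both are enabled, exempted members from both are exempted), and `queryAuditableServices` returns the services that can be audited at all. The following added example, not Google's code, applies that rule to the page's own multi-AuditConfig policy (written with the API's camelCase field names) and checks the result against a `queryAuditableServices` response, listing services that lack DATA_READ or DATA_WRITE logging and every identity exempted anywhere. Both inputs are constructed to match the documented shapes; the service names other than `iam.googleapis.com` are placeholders.

```python
"""Effective audit-log coverage of an IAM policy versus its auditable services.

Added example, not Google's code. POLICY and AUDITABLE are constructed to
match the documented request/response shapes; service names other than
iam.googleapis.com are placeholders.
"""
from typing import Dict, Set

# Constructed policy fragment: the page's multi-AuditConfig example.
POLICY = {
    "auditConfigs": [
        {"service": "allServices",
         "auditLogConfigs": [
             {"logType": "DATA_READ", "exemptedMembers": ["user:foo@gmail.com"]},
             {"logType": "DATA_WRITE"},
             {"logType": "ADMIN_READ"},
         ]},
        {"service": "fooservice.googleapis.com",
         "auditLogConfigs": [
             {"logType": "DATA_READ"},
             {"logType": "DATA_WRITE", "exemptedMembers": ["user:bar@gmail.com"]},
         ]},
    ]
}

# Constructed queryAuditableServices response (shape from this page).
AUDITABLE = {"services": [{"name": "iam.googleapis.com"},
                          {"name": "fooservice.googleapis.com"},
                          {"name": "storage.googleapis.com"}]}


def effective_audit_config(policy: dict, service: str) -> Dict[str, Set[str]]:
    """Map each enabled log type for `service` to its exempted members,
    taking the union of the `allServices` entry and the service's own
    entry, as the page specifies."""
    merged: Dict[str, Set[str]] = {}
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") not in ("allServices", service):
            continue
        for lc in cfg.get("auditLogConfigs", []):
            merged.setdefault(lc["logType"], set()).update(lc.get("exemptedMembers", []))
    return merged


def coverage_gaps(policy: dict, auditable: dict,
                  required=("DATA_READ", "DATA_WRITE")) -> Dict[str, list]:
    """For every auditable service, list required log types that are not
    enabled. An empty list means the service is fully covered."""
    gaps = {}
    for svc in auditable.get("services", []):
        enabled = effective_audit_config(policy, svc["name"])
        gaps[svc["name"]] = [t for t in required if t not in enabled]
    return gaps


def exempted_anywhere(policy: dict, auditable: dict) -> Set[str]:
    """Identities exempt from some log type on some auditable service:
    the list an auditor should be able to justify member by member."""
    out: Set[str] = set()
    for svc in auditable.get("services", []):
        for members in effective_audit_config(policy, svc["name"]).values():
            out |= members
    return out


if __name__ == "__main__":
    # Live lookup (needs credentials and network; not run here):
    #   from googleapiclient.discovery import build
    #   body = {"fullResourceName": "//cloudresourcemanager.googleapis.com/projects/my-project"}
    #   auditable = build("iam", "v1").iamPolicies().queryAuditableServices(body=body).execute()
    for name, missing in coverage_gaps(POLICY, AUDITABLE).items():
        print(name, "OK" if not missing else "missing " + ", ".join(missing))
    print("exempted:", sorted(exempted_anywhere(POLICY, AUDITABLE)))
```

For `fooservice.googleapis.com` the merge yields DATA_READ, DATA_WRITE and ADMIN_READ with foo exempt from DATA_READ and bar from DATA_WRITE, which is exactly the outcome the page states for its example; the useful check is the inverse case, a policy with no `allServices` entry, where every auditable service the policy does not name shows up with gaps.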