<html><body>
<style>

body, h1, h2, h3, div, span, p, pre, a {
  margin: 0;
  padding: 0;
  border: 0;
  font-weight: inherit;
  font-style: inherit;
  font-size: 100%;
  font-family: inherit;
  vertical-align: baseline;
}

body {
  font-size: 13px;
  padding: 1em;
}

h1 {
  font-size: 26px;
  margin-bottom: 1em;
}

h2 {
  font-size: 24px;
  margin-bottom: 1em;
}

h3 {
  font-size: 20px;
  margin-bottom: 1em;
  margin-top: 1em;
}

pre, code {
  line-height: 1.5;
  font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
}

pre {
  margin-top: 0.5em;
}

h1, h2, h3, p {
  font-family: Arial, sans-serif;
}

h1, h2, h3 {
  border-bottom: solid #CCC 1px;
}

.toc_element {
  margin-top: 0.5em;
}

.firstline {
  margin-left: 2em;
}

.method {
  margin-top: 1em;
  border: solid 1px #CCC;
  padding: 1em;
  background: #EEE;
}

.details {
  font-weight: bold;
  font-size: 14px;
}

</style>

<h1><a href="iam_v1.html">Identity and Access Management (IAM) API</a> . <a href="iam_v1.iamPolicies.html">iamPolicies</a></h1>
<h2>Instance Methods</h2>
<p class="toc_element">
  <code><a href="#lintPolicy">lintPolicy(body, x__xgafv=None)</a></code></p>
<p class="firstline">Lints a Cloud IAM policy object or its sub fields. Currently supports</p>
<p class="toc_element">
  <code><a href="#queryAuditableServices">queryAuditableServices(body, x__xgafv=None)</a></code></p>
<p class="firstline">Returns a list of services that support service level audit logging</p>
<h3>Method Details</h3>
<div class="method">
    <code class="details" id="lintPolicy">lintPolicy(body, x__xgafv=None)</code>
  <pre>Lints a Cloud IAM policy object or its sub fields. Currently supports
google.iam.v1.Policy, google.iam.v1.Binding and
google.iam.v1.Binding.condition.

Each lint operation consists of multiple lint validation units.
Validation units have the following properties:

- Each unit inspects the input object in regard to a particular
  linting aspect and issues a google.iam.admin.v1.LintResult
  disclosing the result.
- Domain of discourse of each unit can be either
  google.iam.v1.Policy, google.iam.v1.Binding, or
  google.iam.v1.Binding.condition depending on the purpose of the
  validation.
- A unit may require additional data (like the list of all possible
  enumerable values of a particular attribute used in the policy instance)
  which shall be provided by the caller. Refer to the comments of
  google.iam.admin.v1.LintPolicyRequest.context for more details.

The set of applicable validation units is determined by the Cloud IAM
server and is not configurable.

Regardless of any lint issues or their severities, successful calls to
`lintPolicy` return an HTTP 200 OK status code.

Args:
  body: object, The request body. (required)
    The object takes the form of:

{ # The request to lint a Cloud IAM policy object. LintPolicy is currently
    # functional only for `lint_object` of type `condition`.
    "policy": { # Policy object to be linted. The functionality of linting a policy is not
        # yet implemented and if this field is set, it returns NOT_IMPLEMENTED
        # error.
        #
        # Defines an Identity and Access Management (IAM) policy. It is used to
        # specify access control policies for Cloud Platform resources.
        #
        # A `Policy` consists of a list of `bindings`. A `binding` binds a list of
        # `members` to a `role`, where the members can be user accounts, Google groups,
        # Google domains, and service accounts. A `role` is a named list of permissions
        # defined by IAM.
        #
        # **JSON Example**
        #
        #     {
        #       "bindings": [
        #         {
        #           "role": "roles/owner",
        #           "members": [
        #             "user:mike@example.com",
        #             "group:admins@example.com",
        #             "domain:google.com",
        #             "serviceAccount:my-other-app@appspot.gserviceaccount.com"
        #           ]
        #         },
        #         {
        #           "role": "roles/viewer",
        #           "members": ["user:sean@example.com"]
        #         }
        #       ]
        #     }
        #
        # **YAML Example**
        #
        #     bindings:
        #     - members:
        #       - user:mike@example.com
        #       - group:admins@example.com
        #       - domain:google.com
        #       - serviceAccount:my-other-app@appspot.gserviceaccount.com
        #       role: roles/owner
        #     - members:
        #       - user:sean@example.com
        #       role: roles/viewer
        #
        # For a description of IAM and its features, see the
        # [IAM developer's guide](https://cloud.google.com/iam/docs).
        "bindings": [ # Associates a list of `members` to a `role`.
            # `bindings` with no members will result in an error.
            { # Associates `members` with a `role`.
                "role": "A String", # Role that is assigned to `members`.
                    # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
                "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
                    # `members` can have the following values:
                    #
                    # * `allUsers`: A special identifier that represents anyone who is
                    #    on the internet; with or without a Google account.
                    #
                    # * `allAuthenticatedUsers`: A special identifier that represents anyone
                    #    who is authenticated with a Google account or a service account.
                    #
                    # * `user:{emailid}`: An email address that represents a specific Google
                    #    account. For example, `alice@gmail.com`.
                    #
                    # * `serviceAccount:{emailid}`: An email address that represents a service
                    #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
                    #
                    # * `group:{emailid}`: An email address that represents a Google group.
                    #    For example, `admins@example.com`.
                    #
                    # * `domain:{domain}`: The G Suite domain (primary) that represents all the
                    #    users of that domain. For example, `google.com` or `example.com`.
                    #
                    "A String",
                ],
                "condition": { # The condition that is associated with this binding.
                    # NOTE: An unsatisfied condition will not allow user access via current
                    # binding. Different bindings, including their conditions, are examined
                    # independently.
                    #
                    # Represents an expression text. Example:
                    #
                    #     title: "User account presence"
                    #     description: "Determines whether the request has a user account"
                    #     expression: "size(request.user) > 0"
                    "location": "A String", # An optional string indicating the location of the expression for error
                        # reporting, e.g. a file name and a position in the file.
                    "expression": "A String", # Textual representation of an expression in
                        # Common Expression Language syntax.
                        #
                        # The application context of the containing message determines which
                        # well-known feature set of CEL is supported.
                    "description": "A String", # An optional description of the expression. This is a longer text which
                        # describes the expression, e.g. when hovered over it in a UI.
                    "title": "A String", # An optional title for the expression, i.e. a short string describing
                        # its purpose. This can be used e.g. in UIs which allow to enter the
                        # expression.
                },
            },
        ],
        "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
            { # Specifies the audit configuration for a service.
                # The configuration determines which permission types are logged, and what
                # identities, if any, are exempted from logging.
                # An AuditConfig must have one or more AuditLogConfigs.
                #
                # If there are AuditConfigs for both `allServices` and a specific service,
                # the union of the two AuditConfigs is used for that service: the log_types
                # specified in each AuditConfig are enabled, and the exempted_members in each
                # AuditLogConfig are exempted.
                #
                # Example Policy with multiple AuditConfigs:
                #
                #     {
                #       "audit_configs": [
                #         {
                #           "service": "allServices",
                #           "audit_log_configs": [
                #             {
                #               "log_type": "DATA_READ",
                #               "exempted_members": [
                #                 "user:foo@gmail.com"
                #               ]
                #             },
                #             {
                #               "log_type": "DATA_WRITE"
                #             },
                #             {
                #               "log_type": "ADMIN_READ"
                #             }
                #           ]
                #         },
                #         {
                #           "service": "fooservice.googleapis.com",
                #           "audit_log_configs": [
                #             {
                #               "log_type": "DATA_READ"
                #             },
                #             {
                #               "log_type": "DATA_WRITE",
                #               "exempted_members": [
                #                 "user:bar@gmail.com"
                #               ]
                #             }
                #           ]
                #         }
                #       ]
                #     }
                #
                # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
                # logging. It also exempts foo@gmail.com from DATA_READ logging, and
                # bar@gmail.com from DATA_WRITE logging.
                "auditLogConfigs": [ # The configuration for logging of each type of permission.
                    { # Provides the configuration for logging a type of permissions.
                        # Example:
                        #
                        #     {
                        #       "audit_log_configs": [
                        #         {
                        #           "log_type": "DATA_READ",
                        #           "exempted_members": [
                        #             "user:foo@gmail.com"
                        #           ]
                        #         },
                        #         {
                        #           "log_type": "DATA_WRITE"
                        #         }
                        #       ]
                        #     }
                        #
                        # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
                        # foo@gmail.com from DATA_READ logging.
                        "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
                            # permission.
                            # Follows the same format of Binding.members.
                            "A String",
                        ],
                        "logType": "A String", # The log type that this config enables.
                    },
                ],
                "service": "A String", # Specifies a service that will be enabled for audit logging.
                    # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
                    # `allServices` is a special value that covers all services.
            },
        ],
        "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
            # prevent simultaneous updates of a policy from overwriting each other.
            # It is strongly suggested that systems make use of the `etag` in the
            # read-modify-write cycle to perform policy updates in order to avoid race
            # conditions: An `etag` is returned in the response to `getIamPolicy`, and
            # systems are expected to put that etag in the request to `setIamPolicy` to
            # ensure that their change will be applied to the same version of the policy.
            #
            # If no `etag` is provided in the call to `setIamPolicy`, then the existing
            # policy is overwritten blindly.
        "version": 42, # Deprecated.
    },
    "fullResourceName": "A String", # The full resource name of the policy this lint request is about.
        #
        # The name follows the Google Cloud Platform (GCP) resource format.
        # For example, a GCP project with ID `my-project` will be named
        # `//cloudresourcemanager.googleapis.com/projects/my-project`.
        #
        # The resource name is not used to read the policy instance from the Cloud
        # IAM database. The candidate policy for lint has to be provided in the same
        # request object.
    "binding": { # Binding object to be linted. The functionality of linting a binding is
        # not yet implemented and if this field is set, it returns NOT_IMPLEMENTED
        # error.
        #
        # Associates `members` with a `role`.
        "role": "A String", # Role that is assigned to `members`.
            # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
        "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
            # `members` can have the following values:
            #
            # * `allUsers`: A special identifier that represents anyone who is
            #    on the internet; with or without a Google account.
            #
            # * `allAuthenticatedUsers`: A special identifier that represents anyone
            #    who is authenticated with a Google account or a service account.
            #
            # * `user:{emailid}`: An email address that represents a specific Google
            #    account. For example, `alice@gmail.com`.
            #
            # * `serviceAccount:{emailid}`: An email address that represents a service
            #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
            #
            # * `group:{emailid}`: An email address that represents a Google group.
            #    For example, `admins@example.com`.
            #
            # * `domain:{domain}`: The G Suite domain (primary) that represents all the
            #    users of that domain. For example, `google.com` or `example.com`.
            #
            "A String",
        ],
        "condition": { # The condition that is associated with this binding.
            # NOTE: An unsatisfied condition will not allow user access via current
            # binding. Different bindings, including their conditions, are examined
            # independently.
            #
            # Represents an expression text. Example:
            #
            #     title: "User account presence"
            #     description: "Determines whether the request has a user account"
            #     expression: "size(request.user) > 0"
            "location": "A String", # An optional string indicating the location of the expression for error
                # reporting, e.g. a file name and a position in the file.
            "expression": "A String", # Textual representation of an expression in
                # Common Expression Language syntax.
                #
                # The application context of the containing message determines which
                # well-known feature set of CEL is supported.
            "description": "A String", # An optional description of the expression. This is a longer text which
                # describes the expression, e.g. when hovered over it in a UI.
            "title": "A String", # An optional title for the expression, i.e. a short string describing
                # its purpose. This can be used e.g. in UIs which allow to enter the
                # expression.
        },
    },
    "condition": { # google.iam.v1.Binding.condition object to be linted.
        #
        # Represents an expression text. Example:
        #
        #     title: "User account presence"
        #     description: "Determines whether the request has a user account"
        #     expression: "size(request.user) > 0"
        "location": "A String", # An optional string indicating the location of the expression for error
            # reporting, e.g. a file name and a position in the file.
        "expression": "A String", # Textual representation of an expression in
            # Common Expression Language syntax.
            #
            # The application context of the containing message determines which
            # well-known feature set of CEL is supported.
        "description": "A String", # An optional description of the expression. This is a longer text which
            # describes the expression, e.g. when hovered over it in a UI.
        "title": "A String", # An optional title for the expression, i.e. a short string describing
            # its purpose. This can be used e.g. in UIs which allow to enter the
            # expression.
    },
    "context": { # `context` contains additional *permission-controlled* data that any
        # lint unit may depend on, in form of `{key: value}` pairs. Currently, this
        # field is non-operational and it will not be used during the lint operation.
        "a_key": "", # Properties of the object.
    },
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # The response of a lint operation. An empty response indicates
        # the operation was able to fully execute and no lint issue was found.
        "lintResults": [ # List of lint results sorted by a composite &lt;severity, binding_ordinal&gt; key,
            # descending order of severity and ascending order of binding_ordinal.
            # There is no certain order among the same keys.
            #
            # For cross-binding results (only if the input object to lint is
            # instance of google.iam.v1.Policy), there will be a
            # google.iam.admin.v1.LintResult for each of the involved bindings,
            # and the associated debug_message may enumerate the other involved
            # binding ordinal number(s).
            { # Structured response of a single validation unit.
                "validationUnitName": "A String", # The validation unit name, for instance
                    # "lintValidationUnits/ConditionComplexityCheck".
                "severity": "A String", # The validation unit severity.
                "level": "A String", # The validation unit level.
                "bindingOrdinal": 42, # 0-based index ordinality of the binding in the input object associated
                    # with this result.
                    # This field is populated only if the input object to lint is of type
                    # google.iam.v1.Policy, which can comprise more than one binding.
                    # It is set to -1 if the result is not associated with any particular
                    # binding and only targets the policy as a whole, such as results about
                    # policy size violations.
                "debugMessage": "A String", # Human readable debug message associated with the issue.
                "fieldName": "A String", # The name of the field for which this lint result is about.
                    #
                    # For nested messages, `field_name` consists of names of the embedded fields
                    # separated by period character. The top-level qualifier is the input object
                    # to lint in the request. For instance, if the lint request is on a
                    # google.iam.v1.Policy and this lint result is about a condition
                    # expression of one of the input policy bindings, the field would be
                    # populated as `policy.bindings.condition.expression`.
                    #
                    # This field does not identify the ordinality of the repetitive fields (for
                    # instance bindings in a policy).
                "locationOffset": 42, # 0-based character position of problematic construct within the object
                    # identified by `field_name`. Currently, this is populated only for condition
                    # expression.
            },
        ],
    }</pre>
</div>

<div class="method">
    <code class="details" id="queryAuditableServices">queryAuditableServices(body, x__xgafv=None)</code>
  <pre>Returns a list of services that support service level audit logging
configuration for the given resource.

Args:
  body: object, The request body. (required)
    The object takes the form of:

{ # A request to get the list of auditable services for a resource.
    "fullResourceName": "A String", # Required. The full resource name to query from the list of auditable
        # services.
        #
        # The name follows the Google Cloud Platform resource format.
        # For example, a Cloud Platform project with id `my-project` will be named
        # `//cloudresourcemanager.googleapis.com/projects/my-project`.
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A response containing a list of auditable services for a resource.
        "services": [ # The auditable services for a resource.
            { # Contains information about an auditable service.
                "name": "A String", # Public name of the service.
                    # For example, the service name for Cloud IAM is 'iam.googleapis.com'.
            },
        ],
    }</pre>
</div>

</body></html>
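Added example, not from this API reference or the google-api-python-client: the `auditConfigs` section of the `lintPolicy` request body states that when a Policy carries an AuditConfig for `allServices` and one for a specific service, the two are unioned (every log type in either is enabled, the exempted members of each are exempted). The code below applies that rule to the reference's own sample policy, in the camelCase field names the request body uses, so the effective Data Access logging for a service and any identities exempted from it can be reviewed before the policy is written.

```python
# Added example (not from the IAM API reference or client library): merges
# the `allServices` AuditConfig with a service's own AuditConfig exactly as
# the reference documents, then reports which log types are missing and
# which identities are exempted, so audit-trail gaps are visible before
# the policy is sent to setIamPolicy.

# Constructed sample: the reference's "Example Policy with multiple
# AuditConfigs", written with the camelCase keys the request body uses.
SAMPLE_POLICY = {
    "auditConfigs": [
        {
            "service": "allServices",
            "auditLogConfigs": [
                {"logType": "DATA_READ", "exemptedMembers": ["user:foo@gmail.com"]},
                {"logType": "DATA_WRITE"},
                {"logType": "ADMIN_READ"},
            ],
        },
        {
            "service": "fooservice.googleapis.com",
            "auditLogConfigs": [
                {"logType": "DATA_READ"},
                {"logType": "DATA_WRITE", "exemptedMembers": ["user:bar@gmail.com"]},
            ],
        },
    ],
}

# The three Data Access log types an AuditLogConfig can enable.
REQUIRED_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")


def effective_audit_config(policy, service):
    """Return {logType: set of exempted members} in force for `service`:
    the union of the `allServices` entry and the service's own entry."""
    enabled = {}
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") not in ("allServices", service):
            continue
        for log_cfg in cfg.get("auditLogConfigs", []):
            members = enabled.setdefault(log_cfg["logType"], set())
            members.update(log_cfg.get("exemptedMembers", []))
    return enabled


def audit_gaps(policy, service):
    """Return (log types not enabled for `service`, sorted notes of the
    form 'member exempt from TYPE') for a reviewer to act on."""
    effective = effective_audit_config(policy, service)
    missing = [t for t in REQUIRED_LOG_TYPES if t not in effective]
    exemptions = sorted(f"{m} exempt from {t}"
                        for t, members in effective.items() for m in members)
    return missing, exemptions
```

For `fooservice.googleapis.com` this reproduces the reference's own reading of the sample: all three log types enabled, foo@gmail.com exempt from DATA_READ and bar@gmail.com exempt from DATA_WRITE.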