1 <html><body> 2 <style> 3 4 body, h1, h2, h3, div, span, p, pre, a { 5 margin: 0; 6 padding: 0; 7 border: 0; 8 font-weight: inherit; 9 font-style: inherit; 10 font-size: 100%; 11 font-family: inherit; 12 vertical-align: baseline; 13 } 14 15 body { 16 font-size: 13px; 17 padding: 1em; 18 } 19 20 h1 { 21 font-size: 26px; 22 margin-bottom: 1em; 23 } 24 25 h2 { 26 font-size: 24px; 27 margin-bottom: 1em; 28 } 29 30 h3 { 31 font-size: 20px; 32 margin-bottom: 1em; 33 margin-top: 1em; 34 } 35 36 pre, code { 37 line-height: 1.5; 38 font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; 39 } 40 41 pre { 42 margin-top: 0.5em; 43 } 44 45 h1, h2, h3, p { 46 font-family: Arial, sans serif; 47 } 48 49 h1, h2, h3 { 50 border-bottom: solid #CCC 1px; 51 } 52 53 .toc_element { 54 margin-top: 0.5em; 55 } 56 57 .firstline { 58 margin-left: 2 em; 59 } 60 61 .method { 62 margin-top: 1em; 63 border: solid 1px #CCC; 64 padding: 1em; 65 background: #EEE; 66 } 67 68 .details { 69 font-weight: bold; 70 font-size: 14px; 71 } 72 73 </style> 74 75 <h1><a href="cloudkms_v1.html">Google Cloud Key Management Service (KMS) API</a> . <a href="cloudkms_v1.projects.html">projects</a> . <a href="cloudkms_v1.projects.locations.html">locations</a> . 
<a href="cloudkms_v1.projects.locations.keyRings.html">keyRings</a></h1> 76 <h2>Instance Methods</h2> 77 <p class="toc_element"> 78 <code><a href="cloudkms_v1.projects.locations.keyRings.cryptoKeys.html">cryptoKeys()</a></code> 79 </p> 80 <p class="firstline">Returns the cryptoKeys Resource.</p> 81 82 <p class="toc_element"> 83 <code><a href="#create">create(parent, body, keyRingId=None, x__xgafv=None)</a></code></p> 84 <p class="firstline">Create a new KeyRing in a given Project and Location.</p> 85 <p class="toc_element"> 86 <code><a href="#get">get(name, x__xgafv=None)</a></code></p> 87 <p class="firstline">Returns metadata for a given KeyRing.</p> 88 <p class="toc_element"> 89 <code><a href="#getIamPolicy">getIamPolicy(resource, x__xgafv=None)</a></code></p> 90 <p class="firstline">Gets the access control policy for a resource.</p> 91 <p class="toc_element"> 92 <code><a href="#list">list(parent, pageToken=None, x__xgafv=None, pageSize=None)</a></code></p> 93 <p class="firstline">Lists KeyRings.</p> 94 <p class="toc_element"> 95 <code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p> 96 <p class="firstline">Retrieves the next page of results.</p> 97 <p class="toc_element"> 98 <code><a href="#setIamPolicy">setIamPolicy(resource, body, x__xgafv=None)</a></code></p> 99 <p class="firstline">Sets the access control policy on the specified resource. Replaces any</p> 100 <p class="toc_element"> 101 <code><a href="#testIamPermissions">testIamPermissions(resource, body, x__xgafv=None)</a></code></p> 102 <p class="firstline">Returns permissions that a caller has on the specified resource.</p> 103 <h3>Method Details</h3> 104 <div class="method"> 105 <code class="details" id="create">create(parent, body, keyRingId=None, x__xgafv=None)</code> 106 <pre>Create a new KeyRing in a given Project and Location. 107 108 Args: 109 parent: string, Required. 
The resource name of the location associated with the 110 KeyRings, in the format `projects/*/locations/*`. (required) 111 body: object, The request body. (required) 112 The object takes the form of: 113 114 { # A KeyRing is a toplevel logical grouping of CryptoKeys. 115 "createTime": "A String", # Output only. The time at which this KeyRing was created. 116 "name": "A String", # Output only. The resource name for the KeyRing in the format 117 # `projects/*/locations/*/keyRings/*`. 118 } 119 120 keyRingId: string, Required. It must be unique within a location and match the regular 121 expression `[a-zA-Z0-9_-]{1,63}` 122 x__xgafv: string, V1 error format. 123 Allowed values 124 1 - v1 error format 125 2 - v2 error format 126 127 Returns: 128 An object of the form: 129 130 { # A KeyRing is a toplevel logical grouping of CryptoKeys. 131 "createTime": "A String", # Output only. The time at which this KeyRing was created. 132 "name": "A String", # Output only. The resource name for the KeyRing in the format 133 # `projects/*/locations/*/keyRings/*`. 134 }</pre> 135 </div> 136 137 <div class="method"> 138 <code class="details" id="get">get(name, x__xgafv=None)</code> 139 <pre>Returns metadata for a given KeyRing. 140 141 Args: 142 name: string, The name of the KeyRing to get. (required) 143 x__xgafv: string, V1 error format. 144 Allowed values 145 1 - v1 error format 146 2 - v2 error format 147 148 Returns: 149 An object of the form: 150 151 { # A KeyRing is a toplevel logical grouping of CryptoKeys. 152 "createTime": "A String", # Output only. The time at which this KeyRing was created. 153 "name": "A String", # Output only. The resource name for the KeyRing in the format 154 # `projects/*/locations/*/keyRings/*`. 155 }</pre> 156 </div> 157 158 <div class="method"> 159 <code class="details" id="getIamPolicy">getIamPolicy(resource, x__xgafv=None)</code> 160 <pre>Gets the access control policy for a resource. 
161 Returns an empty policy if the resource exists and does not have a policy 162 set. 163 164 Args: 165 resource: string, REQUIRED: The resource for which the policy is being requested. 166 See the operation documentation for the appropriate value for this field. (required) 167 x__xgafv: string, V1 error format. 168 Allowed values 169 1 - v1 error format 170 2 - v2 error format 171 172 Returns: 173 An object of the form: 174 175 { # Defines an Identity and Access Management (IAM) policy. It is used to 176 # specify access control policies for Cloud Platform resources. 177 # 178 # 179 # A `Policy` consists of a list of `bindings`. A `Binding` binds a list of 180 # `members` to a `role`, where the members can be user accounts, Google groups, 181 # Google domains, and service accounts. A `role` is a named list of permissions 182 # defined by IAM. 183 # 184 # **Example** 185 # 186 # { 187 # "bindings": [ 188 # { 189 # "role": "roles/owner", 190 # "members": [ 191 # "user:mike (a] example.com", 192 # "group:admins (a] example.com", 193 # "domain:google.com", 194 # "serviceAccount:my-other-app (a] appspot.gserviceaccount.com", 195 # ] 196 # }, 197 # { 198 # "role": "roles/viewer", 199 # "members": ["user:sean (a] example.com"] 200 # } 201 # ] 202 # } 203 # 204 # For a description of IAM and its features, see the 205 # [IAM developer's guide](https://cloud.google.com/iam). 206 "auditConfigs": [ # Specifies cloud audit logging configuration for this policy. 207 { # Specifies the audit configuration for a service. 208 # The configuration determines which permission types are logged, and what 209 # identities, if any, are exempted from logging. 210 # An AuditConfig must have one or more AuditLogConfigs. 
211 # 212 # If there are AuditConfigs for both `allServices` and a specific service, 213 # the union of the two AuditConfigs is used for that service: the log_types 214 # specified in each AuditConfig are enabled, and the exempted_members in each 215 # AuditConfig are exempted. 216 # 217 # Example Policy with multiple AuditConfigs: 218 # 219 # { 220 # "audit_configs": [ 221 # { 222 # "service": "allServices" 223 # "audit_log_configs": [ 224 # { 225 # "log_type": "DATA_READ", 226 # "exempted_members": [ 227 # "user:foo (a] gmail.com" 228 # ] 229 # }, 230 # { 231 # "log_type": "DATA_WRITE", 232 # }, 233 # { 234 # "log_type": "ADMIN_READ", 235 # } 236 # ] 237 # }, 238 # { 239 # "service": "fooservice.googleapis.com" 240 # "audit_log_configs": [ 241 # { 242 # "log_type": "DATA_READ", 243 # }, 244 # { 245 # "log_type": "DATA_WRITE", 246 # "exempted_members": [ 247 # "user:bar (a] gmail.com" 248 # ] 249 # } 250 # ] 251 # } 252 # ] 253 # } 254 # 255 # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ 256 # logging. It also exempts foo (a] gmail.com from DATA_READ logging, and 257 # bar (a] gmail.com from DATA_WRITE logging. 258 "exemptedMembers": [ 259 "A String", 260 ], 261 "auditLogConfigs": [ # The configuration for logging of each type of permission. 262 # Next ID: 4 263 { # Provides the configuration for logging a type of permissions. 264 # Example: 265 # 266 # { 267 # "audit_log_configs": [ 268 # { 269 # "log_type": "DATA_READ", 270 # "exempted_members": [ 271 # "user:foo (a] gmail.com" 272 # ] 273 # }, 274 # { 275 # "log_type": "DATA_WRITE", 276 # } 277 # ] 278 # } 279 # 280 # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting 281 # foo (a] gmail.com from DATA_READ logging. 282 "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of 283 # permission. 284 # Follows the same format of Binding.members. 285 "A String", 286 ], 287 "logType": "A String", # The log type that this config enables. 
288 }, 289 ], 290 "service": "A String", # Specifies a service that will be enabled for audit logging. 291 # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. 292 # `allServices` is a special value that covers all services. 293 }, 294 ], 295 "rules": [ # If more than one rule is specified, the rules are applied in the following 296 # manner: 297 # - All matching LOG rules are always applied. 298 # - If any DENY/DENY_WITH_LOG rule matches, permission is denied. 299 # Logging will be applied if one or more matching rule requires logging. 300 # - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is 301 # granted. 302 # Logging will be applied if one or more matching rule requires logging. 303 # - Otherwise, if no rule applies, permission is denied. 304 { # A rule to be applied in a Policy. 305 "notIn": [ # If one or more 'not_in' clauses are specified, the rule matches 306 # if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries. 307 # The format for in and not_in entries is the same as for members in a 308 # Binding (see google/iam/v1/policy.proto). 309 "A String", 310 ], 311 "description": "A String", # Human-readable description of the rule. 312 "in": [ # If one or more 'in' clauses are specified, the rule matches if 313 # the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries. 314 "A String", 315 ], 316 "action": "A String", # Required 317 "conditions": [ # Additional restrictions that must be met 318 { # A condition to be met. 319 "iam": "A String", # Trusted attributes supplied by the IAM system. 320 "svc": "A String", # Trusted attributes discharged by the service. 321 "value": "A String", # DEPRECATED. Use 'values' instead. 322 "sys": "A String", # Trusted attributes supplied by any service that owns resources and uses 323 # the IAM system for access control. 324 "values": [ # The objects of the condition. This is mutually exclusive with 'value'. 
325 "A String", 326 ], 327 "op": "A String", # An operator to apply the subject with. 328 }, 329 ], 330 "logConfig": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries 331 # that match the LOG action. 332 { # Specifies what kind of log the caller must write 333 "counter": { # Options for counters # Counter options. 334 "field": "A String", # The field value to attribute. 335 "metric": "A String", # The metric to update. 336 }, 337 "dataAccess": { # Write a Data Access (Gin) log # Data access options. 338 }, 339 "cloudAudit": { # Write a Cloud Audit log # Cloud audit options. 340 "logName": "A String", # The log_name to populate in the Cloud Audit Record. 341 }, 342 }, 343 ], 344 "permissions": [ # A permission is a string of form '<service>.<resource type>.<verb>' 345 # (e.g., 'storage.buckets.list'). A value of '*' matches all permissions, 346 # and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs. 347 "A String", 348 ], 349 }, 350 ], 351 "version": 42, # Version of the `Policy`. The default version is 0. 352 "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help 353 # prevent simultaneous updates of a policy from overwriting each other. 354 # It is strongly suggested that systems make use of the `etag` in the 355 # read-modify-write cycle to perform policy updates in order to avoid race 356 # conditions: An `etag` is returned in the response to `getIamPolicy`, and 357 # systems are expected to put that etag in the request to `setIamPolicy` to 358 # ensure that their change will be applied to the same version of the policy. 359 # 360 # If no `etag` is provided in the call to `setIamPolicy`, then the existing 361 # policy is overwritten blindly. 362 "bindings": [ # Associates a list of `members` to a `role`. 363 # `bindings` with no members will result in an error. 364 { # Associates `members` with a `role`. 365 "role": "A String", # Role that is assigned to `members`. 
366 # For example, `roles/viewer`, `roles/editor`, or `roles/owner`. 367 # Required 368 "members": [ # Specifies the identities requesting access for a Cloud Platform resource. 369 # `members` can have the following values: 370 # 371 # * `allUsers`: A special identifier that represents anyone who is 372 # on the internet; with or without a Google account. 373 # 374 # * `allAuthenticatedUsers`: A special identifier that represents anyone 375 # who is authenticated with a Google account or a service account. 376 # 377 # * `user:{emailid}`: An email address that represents a specific Google 378 # account. For example, `alice (a] gmail.com` or `joe (a] example.com`. 379 # 380 # 381 # * `serviceAccount:{emailid}`: An email address that represents a service 382 # account. For example, `my-other-app (a] appspot.gserviceaccount.com`. 383 # 384 # * `group:{emailid}`: An email address that represents a Google group. 385 # For example, `admins (a] example.com`. 386 # 387 # 388 # * `domain:{domain}`: A Google Apps domain name that represents all the 389 # users of that domain. For example, `google.com` or `example.com`. 390 # 391 "A String", 392 ], 393 "condition": { # Represents an expression text. Example: # The condition that is associated with this binding. 394 # NOTE: an unsatisfied condition will not allow user access via current 395 # binding. Different bindings, including their conditions, are examined 396 # independently. 397 # This field is GOOGLE_INTERNAL. 398 # 399 # title: "User account presence" 400 # description: "Determines whether the request has a user account" 401 # expression: "size(request.user) > 0" 402 "location": "A String", # An optional string indicating the location of the expression for error 403 # reporting, e.g. a file name and a position in the file. 404 "expression": "A String", # Textual representation of an expression in 405 # [Common Expression Language](http://go/api-expr) syntax. 
406 # 407 # The application context of the containing message determines which 408 # well-known feature set of CEL is supported. 409 "description": "A String", # An optional description of the expression. This is a longer text which 410 # describes the expression, e.g. when hovered over it in a UI. 411 "title": "A String", # An optional title for the expression, i.e. a short string describing 412 # its purpose. This can be used e.g. in UIs which allow to enter the 413 # expression. 414 }, 415 }, 416 ], 417 "iamOwned": True or False, 418 }</pre> 419 </div> 420 421 <div class="method"> 422 <code class="details" id="list">list(parent, pageToken=None, x__xgafv=None, pageSize=None)</code> 423 <pre>Lists KeyRings. 424 425 Args: 426 parent: string, Required. The resource name of the location associated with the 427 KeyRings, in the format `projects/*/locations/*`. (required) 428 pageToken: string, Optional pagination token, returned earlier via 429 ListKeyRingsResponse.next_page_token. 430 x__xgafv: string, V1 error format. 431 Allowed values 432 1 - v1 error format 433 2 - v2 error format 434 pageSize: integer, Optional limit on the number of KeyRings to include in the 435 response. Further KeyRings can subsequently be obtained by 436 including the ListKeyRingsResponse.next_page_token in a subsequent 437 request. If unspecified, the server will pick an appropriate default. 438 439 Returns: 440 An object of the form: 441 442 { # Response message for KeyManagementService.ListKeyRings. 443 "nextPageToken": "A String", # A token to retrieve next page of results. Pass this value in 444 # ListKeyRingsRequest.page_token to retrieve the next page of results. 445 "totalSize": 42, # The total number of KeyRings that matched the query. 446 "keyRings": [ # The list of KeyRings. 447 { # A KeyRing is a toplevel logical grouping of CryptoKeys. 448 "createTime": "A String", # Output only. The time at which this KeyRing was created. 449 "name": "A String", # Output only. 
The resource name for the KeyRing in the format 450 # `projects/*/locations/*/keyRings/*`. 451 }, 452 ], 453 }</pre> 454 </div> 455 456 <div class="method"> 457 <code class="details" id="list_next">list_next(previous_request, previous_response)</code> 458 <pre>Retrieves the next page of results. 459 460 Args: 461 previous_request: The request for the previous page. (required) 462 previous_response: The response from the request for the previous page. (required) 463 464 Returns: 465 A request object that you can call 'execute()' on to request the next 466 page. Returns None if there are no more items in the collection. 467 </pre> 468 </div> 469 470 <div class="method"> 471 <code class="details" id="setIamPolicy">setIamPolicy(resource, body, x__xgafv=None)</code> 472 <pre>Sets the access control policy on the specified resource. Replaces any 473 existing policy. 474 475 Args: 476 resource: string, REQUIRED: The resource for which the policy is being specified. 477 See the operation documentation for the appropriate value for this field. (required) 478 body: object, The request body. (required) 479 The object takes the form of: 480 481 { # Request message for `SetIamPolicy` method. 482 "policy": { # Defines an Identity and Access Management (IAM) policy. It is used to # REQUIRED: The complete policy to be applied to the `resource`. The size of 483 # the policy is limited to a few 10s of KB. An empty policy is a 484 # valid policy but certain Cloud Platform services (such as Projects) 485 # might reject them. 486 # specify access control policies for Cloud Platform resources. 487 # 488 # 489 # A `Policy` consists of a list of `bindings`. A `Binding` binds a list of 490 # `members` to a `role`, where the members can be user accounts, Google groups, 491 # Google domains, and service accounts. A `role` is a named list of permissions 492 # defined by IAM. 
493 # 494 # **Example** 495 # 496 # { 497 # "bindings": [ 498 # { 499 # "role": "roles/owner", 500 # "members": [ 501 # "user:mike (a] example.com", 502 # "group:admins (a] example.com", 503 # "domain:google.com", 504 # "serviceAccount:my-other-app (a] appspot.gserviceaccount.com", 505 # ] 506 # }, 507 # { 508 # "role": "roles/viewer", 509 # "members": ["user:sean (a] example.com"] 510 # } 511 # ] 512 # } 513 # 514 # For a description of IAM and its features, see the 515 # [IAM developer's guide](https://cloud.google.com/iam). 516 "auditConfigs": [ # Specifies cloud audit logging configuration for this policy. 517 { # Specifies the audit configuration for a service. 518 # The configuration determines which permission types are logged, and what 519 # identities, if any, are exempted from logging. 520 # An AuditConfig must have one or more AuditLogConfigs. 521 # 522 # If there are AuditConfigs for both `allServices` and a specific service, 523 # the union of the two AuditConfigs is used for that service: the log_types 524 # specified in each AuditConfig are enabled, and the exempted_members in each 525 # AuditConfig are exempted. 526 # 527 # Example Policy with multiple AuditConfigs: 528 # 529 # { 530 # "audit_configs": [ 531 # { 532 # "service": "allServices" 533 # "audit_log_configs": [ 534 # { 535 # "log_type": "DATA_READ", 536 # "exempted_members": [ 537 # "user:foo (a] gmail.com" 538 # ] 539 # }, 540 # { 541 # "log_type": "DATA_WRITE", 542 # }, 543 # { 544 # "log_type": "ADMIN_READ", 545 # } 546 # ] 547 # }, 548 # { 549 # "service": "fooservice.googleapis.com" 550 # "audit_log_configs": [ 551 # { 552 # "log_type": "DATA_READ", 553 # }, 554 # { 555 # "log_type": "DATA_WRITE", 556 # "exempted_members": [ 557 # "user:bar (a] gmail.com" 558 # ] 559 # } 560 # ] 561 # } 562 # ] 563 # } 564 # 565 # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ 566 # logging. 
It also exempts foo (a] gmail.com from DATA_READ logging, and 567 # bar (a] gmail.com from DATA_WRITE logging. 568 "exemptedMembers": [ 569 "A String", 570 ], 571 "auditLogConfigs": [ # The configuration for logging of each type of permission. 572 # Next ID: 4 573 { # Provides the configuration for logging a type of permissions. 574 # Example: 575 # 576 # { 577 # "audit_log_configs": [ 578 # { 579 # "log_type": "DATA_READ", 580 # "exempted_members": [ 581 # "user:foo (a] gmail.com" 582 # ] 583 # }, 584 # { 585 # "log_type": "DATA_WRITE", 586 # } 587 # ] 588 # } 589 # 590 # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting 591 # foo (a] gmail.com from DATA_READ logging. 592 "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of 593 # permission. 594 # Follows the same format of Binding.members. 595 "A String", 596 ], 597 "logType": "A String", # The log type that this config enables. 598 }, 599 ], 600 "service": "A String", # Specifies a service that will be enabled for audit logging. 601 # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. 602 # `allServices` is a special value that covers all services. 603 }, 604 ], 605 "rules": [ # If more than one rule is specified, the rules are applied in the following 606 # manner: 607 # - All matching LOG rules are always applied. 608 # - If any DENY/DENY_WITH_LOG rule matches, permission is denied. 609 # Logging will be applied if one or more matching rule requires logging. 610 # - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is 611 # granted. 612 # Logging will be applied if one or more matching rule requires logging. 613 # - Otherwise, if no rule applies, permission is denied. 614 { # A rule to be applied in a Policy. 615 "notIn": [ # If one or more 'not_in' clauses are specified, the rule matches 616 # if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries. 
617 # The format for in and not_in entries is the same as for members in a 618 # Binding (see google/iam/v1/policy.proto). 619 "A String", 620 ], 621 "description": "A String", # Human-readable description of the rule. 622 "in": [ # If one or more 'in' clauses are specified, the rule matches if 623 # the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries. 624 "A String", 625 ], 626 "action": "A String", # Required 627 "conditions": [ # Additional restrictions that must be met 628 { # A condition to be met. 629 "iam": "A String", # Trusted attributes supplied by the IAM system. 630 "svc": "A String", # Trusted attributes discharged by the service. 631 "value": "A String", # DEPRECATED. Use 'values' instead. 632 "sys": "A String", # Trusted attributes supplied by any service that owns resources and uses 633 # the IAM system for access control. 634 "values": [ # The objects of the condition. This is mutually exclusive with 'value'. 635 "A String", 636 ], 637 "op": "A String", # An operator to apply the subject with. 638 }, 639 ], 640 "logConfig": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries 641 # that match the LOG action. 642 { # Specifies what kind of log the caller must write 643 "counter": { # Options for counters # Counter options. 644 "field": "A String", # The field value to attribute. 645 "metric": "A String", # The metric to update. 646 }, 647 "dataAccess": { # Write a Data Access (Gin) log # Data access options. 648 }, 649 "cloudAudit": { # Write a Cloud Audit log # Cloud audit options. 650 "logName": "A String", # The log_name to populate in the Cloud Audit Record. 651 }, 652 }, 653 ], 654 "permissions": [ # A permission is a string of form '<service>.<resource type>.<verb>' 655 # (e.g., 'storage.buckets.list'). A value of '*' matches all permissions, 656 # and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs. 657 "A String", 658 ], 659 }, 660 ], 661 "version": 42, # Version of the `Policy`. 
The default version is 0. 662 "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help 663 # prevent simultaneous updates of a policy from overwriting each other. 664 # It is strongly suggested that systems make use of the `etag` in the 665 # read-modify-write cycle to perform policy updates in order to avoid race 666 # conditions: An `etag` is returned in the response to `getIamPolicy`, and 667 # systems are expected to put that etag in the request to `setIamPolicy` to 668 # ensure that their change will be applied to the same version of the policy. 669 # 670 # If no `etag` is provided in the call to `setIamPolicy`, then the existing 671 # policy is overwritten blindly. 672 "bindings": [ # Associates a list of `members` to a `role`. 673 # `bindings` with no members will result in an error. 674 { # Associates `members` with a `role`. 675 "role": "A String", # Role that is assigned to `members`. 676 # For example, `roles/viewer`, `roles/editor`, or `roles/owner`. 677 # Required 678 "members": [ # Specifies the identities requesting access for a Cloud Platform resource. 679 # `members` can have the following values: 680 # 681 # * `allUsers`: A special identifier that represents anyone who is 682 # on the internet; with or without a Google account. 683 # 684 # * `allAuthenticatedUsers`: A special identifier that represents anyone 685 # who is authenticated with a Google account or a service account. 686 # 687 # * `user:{emailid}`: An email address that represents a specific Google 688 # account. For example, `alice (a] gmail.com` or `joe (a] example.com`. 689 # 690 # 691 # * `serviceAccount:{emailid}`: An email address that represents a service 692 # account. For example, `my-other-app (a] appspot.gserviceaccount.com`. 693 # 694 # * `group:{emailid}`: An email address that represents a Google group. 695 # For example, `admins (a] example.com`. 
696 # 697 # 698 # * `domain:{domain}`: A Google Apps domain name that represents all the 699 # users of that domain. For example, `google.com` or `example.com`. 700 # 701 "A String", 702 ], 703 "condition": { # Represents an expression text. Example: # The condition that is associated with this binding. 704 # NOTE: an unsatisfied condition will not allow user access via current 705 # binding. Different bindings, including their conditions, are examined 706 # independently. 707 # This field is GOOGLE_INTERNAL. 708 # 709 # title: "User account presence" 710 # description: "Determines whether the request has a user account" 711 # expression: "size(request.user) > 0" 712 "location": "A String", # An optional string indicating the location of the expression for error 713 # reporting, e.g. a file name and a position in the file. 714 "expression": "A String", # Textual representation of an expression in 715 # [Common Expression Language](http://go/api-expr) syntax. 716 # 717 # The application context of the containing message determines which 718 # well-known feature set of CEL is supported. 719 "description": "A String", # An optional description of the expression. This is a longer text which 720 # describes the expression, e.g. when hovered over it in a UI. 721 "title": "A String", # An optional title for the expression, i.e. a short string describing 722 # its purpose. This can be used e.g. in UIs which allow to enter the 723 # expression. 724 }, 725 }, 726 ], 727 "iamOwned": True or False, 728 }, 729 "updateMask": "A String", # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only 730 # the fields in the mask will be modified. If no mask is provided, the 731 # following default mask is used: 732 # paths: "bindings, etag" 733 # This field is only used by Cloud IAM. 734 } 735 736 x__xgafv: string, V1 error format. 
737 Allowed values 738 1 - v1 error format 739 2 - v2 error format 740 741 Returns: 742 An object of the form: 743 744 { # Defines an Identity and Access Management (IAM) policy. It is used to 745 # specify access control policies for Cloud Platform resources. 746 # 747 # 748 # A `Policy` consists of a list of `bindings`. A `Binding` binds a list of 749 # `members` to a `role`, where the members can be user accounts, Google groups, 750 # Google domains, and service accounts. A `role` is a named list of permissions 751 # defined by IAM. 752 # 753 # **Example** 754 # 755 # { 756 # "bindings": [ 757 # { 758 # "role": "roles/owner", 759 # "members": [ 760 # "user:mike (a] example.com", 761 # "group:admins (a] example.com", 762 # "domain:google.com", 763 # "serviceAccount:my-other-app (a] appspot.gserviceaccount.com", 764 # ] 765 # }, 766 # { 767 # "role": "roles/viewer", 768 # "members": ["user:sean (a] example.com"] 769 # } 770 # ] 771 # } 772 # 773 # For a description of IAM and its features, see the 774 # [IAM developer's guide](https://cloud.google.com/iam). 775 "auditConfigs": [ # Specifies cloud audit logging configuration for this policy. 776 { # Specifies the audit configuration for a service. 777 # The configuration determines which permission types are logged, and what 778 # identities, if any, are exempted from logging. 779 # An AuditConfig must have one or more AuditLogConfigs. 780 # 781 # If there are AuditConfigs for both `allServices` and a specific service, 782 # the union of the two AuditConfigs is used for that service: the log_types 783 # specified in each AuditConfig are enabled, and the exempted_members in each 784 # AuditConfig are exempted. 
785 # 786 # Example Policy with multiple AuditConfigs: 787 # 788 # { 789 # "audit_configs": [ 790 # { 791 # "service": "allServices" 792 # "audit_log_configs": [ 793 # { 794 # "log_type": "DATA_READ", 795 # "exempted_members": [ 796 # "user:foo (a] gmail.com" 797 # ] 798 # }, 799 # { 800 # "log_type": "DATA_WRITE", 801 # }, 802 # { 803 # "log_type": "ADMIN_READ", 804 # } 805 # ] 806 # }, 807 # { 808 # "service": "fooservice.googleapis.com" 809 # "audit_log_configs": [ 810 # { 811 # "log_type": "DATA_READ", 812 # }, 813 # { 814 # "log_type": "DATA_WRITE", 815 # "exempted_members": [ 816 # "user:bar (a] gmail.com" 817 # ] 818 # } 819 # ] 820 # } 821 # ] 822 # } 823 # 824 # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ 825 # logging. It also exempts foo (a] gmail.com from DATA_READ logging, and 826 # bar (a] gmail.com from DATA_WRITE logging. 827 "exemptedMembers": [ 828 "A String", 829 ], 830 "auditLogConfigs": [ # The configuration for logging of each type of permission. 831 # Next ID: 4 832 { # Provides the configuration for logging a type of permissions. 833 # Example: 834 # 835 # { 836 # "audit_log_configs": [ 837 # { 838 # "log_type": "DATA_READ", 839 # "exempted_members": [ 840 # "user:foo (a] gmail.com" 841 # ] 842 # }, 843 # { 844 # "log_type": "DATA_WRITE", 845 # } 846 # ] 847 # } 848 # 849 # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting 850 # foo (a] gmail.com from DATA_READ logging. 851 "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of 852 # permission. 853 # Follows the same format of Binding.members. 854 "A String", 855 ], 856 "logType": "A String", # The log type that this config enables. 857 }, 858 ], 859 "service": "A String", # Specifies a service that will be enabled for audit logging. 860 # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. 861 # `allServices` is a special value that covers all services. 
862 }, 863 ], 864 "rules": [ # If more than one rule is specified, the rules are applied in the following 865 # manner: 866 # - All matching LOG rules are always applied. 867 # - If any DENY/DENY_WITH_LOG rule matches, permission is denied. 868 # Logging will be applied if one or more matching rule requires logging. 869 # - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is 870 # granted. 871 # Logging will be applied if one or more matching rule requires logging. 872 # - Otherwise, if no rule applies, permission is denied. 873 { # A rule to be applied in a Policy. 874 "notIn": [ # If one or more 'not_in' clauses are specified, the rule matches 875 # if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries. 876 # The format for in and not_in entries is the same as for members in a 877 # Binding (see google/iam/v1/policy.proto). 878 "A String", 879 ], 880 "description": "A String", # Human-readable description of the rule. 881 "in": [ # If one or more 'in' clauses are specified, the rule matches if 882 # the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries. 883 "A String", 884 ], 885 "action": "A String", # Required 886 "conditions": [ # Additional restrictions that must be met 887 { # A condition to be met. 888 "iam": "A String", # Trusted attributes supplied by the IAM system. 889 "svc": "A String", # Trusted attributes discharged by the service. 890 "value": "A String", # DEPRECATED. Use 'values' instead. 891 "sys": "A String", # Trusted attributes supplied by any service that owns resources and uses 892 # the IAM system for access control. 893 "values": [ # The objects of the condition. This is mutually exclusive with 'value'. 894 "A String", 895 ], 896 "op": "A String", # An operator to apply the subject with. 897 }, 898 ], 899 "logConfig": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries 900 # that match the LOG action. 
            { # Specifies what kind of log the caller must write
              "counter": { # Options for counters # Counter options.
                "field": "A String", # The field value to attribute.
                "metric": "A String", # The metric to update.
              },
              "dataAccess": { # Write a Data Access (Gin) log # Data access options.
              },
              "cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
                "logName": "A String", # The log_name to populate in the Cloud Audit Record.
              },
            },
          ],
          "permissions": [ # A permission is a string of form '<service>.<resource type>.<verb>'
              # (e.g., 'storage.buckets.list'). A value of '*' matches all permissions,
              # and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.
            "A String",
          ],
        },
      ],
      "version": 42, # Version of the `Policy`. The default version is 0.
      "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
          # prevent simultaneous updates of a policy from overwriting each other.
          # It is strongly suggested that systems make use of the `etag` in the
          # read-modify-write cycle to perform policy updates in order to avoid race
          # conditions: An `etag` is returned in the response to `getIamPolicy`, and
          # systems are expected to put that etag in the request to `setIamPolicy` to
          # ensure that their change will be applied to the same version of the policy.
          #
          # If no `etag` is provided in the call to `setIamPolicy`, then the existing
          # policy is overwritten blindly.
      "bindings": [ # Associates a list of `members` to a `role`.
          # `bindings` with no members will result in an error.
        { # Associates `members` with a `role`.
          "role": "A String", # Role that is assigned to `members`.
              # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
              # Required
          "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
              # `members` can have the following values:
              #
              # * `allUsers`: A special identifier that represents anyone who is
              #    on the internet; with or without a Google account.
              #
              # * `allAuthenticatedUsers`: A special identifier that represents anyone
              #    who is authenticated with a Google account or a service account.
              #
              # * `user:{emailid}`: An email address that represents a specific Google
              #    account. For example, `alice@gmail.com` or `joe@example.com`.
              #
              #
              # * `serviceAccount:{emailid}`: An email address that represents a service
              #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
              #
              # * `group:{emailid}`: An email address that represents a Google group.
              #    For example, `admins@example.com`.
              #
              #
              # * `domain:{domain}`: A Google Apps domain name that represents all the
              #    users of that domain. For example, `google.com` or `example.com`.
              #
            "A String",
          ],
          "condition": { # Represents an expression text. Example: # The condition that is associated with this binding.
              # NOTE: an unsatisfied condition will not allow user access via current
              # binding. Different bindings, including their conditions, are examined
              # independently.
              # This field is GOOGLE_INTERNAL.
              #
              #     title: "User account presence"
              #     description: "Determines whether the request has a user account"
              #     expression: "size(request.user) > 0"
            "location": "A String", # An optional string indicating the location of the expression for error
                # reporting, e.g. a file name and a position in the file.
            "expression": "A String", # Textual representation of an expression in
                # [Common Expression Language](http://go/api-expr) syntax.
                #
                # The application context of the containing message determines which
                # well-known feature set of CEL is supported.
            "description": "A String", # An optional description of the expression. This is a longer text which
                # describes the expression, e.g. when hovered over it in a UI.
            "title": "A String", # An optional title for the expression, i.e. a short string describing
                # its purpose. This can be used e.g. in UIs which allow to enter the
                # expression.
          },
        },
      ],
      "iamOwned": True or False,
    }</pre>
</div>

<div class="method">
    <code class="details" id="testIamPermissions">testIamPermissions(resource, body, x__xgafv=None)</code>
  <pre>Returns permissions that a caller has on the specified resource.
If the resource does not exist, this will return an empty set of
permissions, not a NOT_FOUND error.

Note: This operation is designed to be used for building permission-aware
UIs and command-line tools, not for authorization checking. This operation
may "fail open" without warning.

Args:
  resource: string, REQUIRED: The resource for which the policy detail is being requested.
See the operation documentation for the appropriate value for this field. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # Request message for `TestIamPermissions` method.
    "permissions": [ # The set of permissions to check for the `resource`. Permissions with
        # wildcards (such as '*' or 'storage.*') are not allowed. For more
        # information see
        # [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).
      "A String",
    ],
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response message for `TestIamPermissions` method.
    "permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is
        # allowed.
      "A String",
    ],
  }</pre>
</div>

</body></html>