Namespace Google.Apis.CloudAsset.v1.Data

Classes

AccessSelector

Specifies roles and/or permissions to analyze, to determine both the identities possessing them and the resources they control. If multiple values are specified, results will include roles or permissions matching any of them. The total number of roles and permissions should be equal or less than 10.

AnalyzeIamPolicyLongrunningMetadata

Represents the metadata of the longrunning operation for the AnalyzeIamPolicyLongrunning RPC.

AnalyzeIamPolicyLongrunningRequest

A request message for AssetService.AnalyzeIamPolicyLongrunning.

AnalyzeIamPolicyLongrunningResponse

A response message for AssetService.AnalyzeIamPolicyLongrunning.

AnalyzeIamPolicyResponse

A response message for AssetService.AnalyzeIamPolicy.

AnalyzeMoveResponse

The response message for resource move analysis.

AnalyzeOrgPoliciesResponse

The response message for AssetService.AnalyzeOrgPolicies.

AnalyzeOrgPolicyGovernedAssetsResponse

The response message for AssetService.AnalyzeOrgPolicyGovernedAssets.

AnalyzeOrgPolicyGovernedContainersResponse

The response message for AssetService.AnalyzeOrgPolicyGovernedContainers.

AnalyzerOrgPolicy

This organization policy message is a modified version of the one defined in the Organization Policy system. This message contains several fields defined in the original organization policy with some new fields for analysis purpose.

AnalyzerOrgPolicyConstraint

The organization policy constraint definition.

Asset

An asset in Google Cloud. An asset can be any resource in the Google Cloud resource hierarchy, a resource outside the Google Cloud resource hierarchy (such as Google Kubernetes Engine clusters and objects), or a policy (e.g. IAM policy), or a relationship (e.g. an INSTANCE_TO_INSTANCEGROUP relationship). See Supported asset types for more information.

AssetEnrichment

The enhanced metadata information for a resource.

AttachedResource

Attached resource representation, which is defined by the corresponding service provider. It represents an attached resource's payload.

AuditConfig

Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs. If there are AuditConfigs for both allServices and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted. Example Policy with multiple AuditConfigs: { "audit_configs": [ { "service": "allServices", "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] }, { "log_type": "DATA_WRITE" }, { "log_type": "ADMIN_READ" } ] }, { "service": "sampleservice.googleapis.com", "audit_log_configs": [ { "log_type": "DATA_READ" }, { "log_type": "DATA_WRITE", "exempted_members": [ "user:aliya@example.com" ] } ] } ] } For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts jose@example.com from DATA_READ logging, and aliya@example.com from DATA_WRITE logging.

AuditLogConfig

Provides the configuration for logging a type of permissions. Example: { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] }, { "log_type": "DATA_WRITE" } ] } This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from DATA_READ logging.

BatchGetAssetsHistoryResponse

Batch get assets history response.

BatchGetEffectiveIamPoliciesResponse

A response message for AssetService.BatchGetEffectiveIamPolicies.

BigQueryDestination

A BigQuery destination for exporting assets to.

Binding

Associates members, or principals, with a role.

ConditionContext

The IAM conditions context.

ConditionEvaluation

The condition evaluation.

CreateFeedRequest

Create asset feed request.

Date

Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values. * A month and day, with a zero year (for example, an anniversary). * A year on its own, with a zero month and a zero day. * A year and month, with a zero day (for example, a credit card expiration date). Related types: * google.type.TimeOfDay * google.type.DateTime * google.protobuf.Timestamp

EffectiveIamPolicy

The effective IAM policies on one resource.

EffectiveTagDetails

The effective tags and the ancestor resources from which they were inherited.

Empty

A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); }

Explanation

Explanation about the IAM policy search result.

ExportAssetsRequest

Export asset request.

Expr

Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.

Feed

An asset feed used to export asset updates to a destinations. An asset feed filter controls what updates are exported. The asset feed must be created within a project, organization, or folder. Supported destinations are: Pub/Sub topics.

FeedOutputConfig

Output configuration for asset feed destination.

GcsDestination

A Cloud Storage location.

GoogleCloudAssetV1Access

An IAM role or permission under analysis.

GoogleCloudAssetV1AccessControlList

An access control list, derived from the above IAM policy binding, which contains a set of resources and accesses. May include one item from each set to compose an access control entry. NOTICE that there could be multiple access control lists for one IAM policy binding. The access control lists are created based on resource and access combinations. For example, assume we have the following cases in one IAM policy binding: - Permission P1 and P2 apply to resource R1 and R2; - Permission P3 applies to resource R2 and R3; This will result in the following access control lists: - AccessControlList 1: [R1, R2], [P1, P2] - AccessControlList 2: [R2, R3], [P3]

GoogleCloudAssetV1AnalyzeOrgPolicyGovernedAssetsResponseGovernedAsset

Represents a Google Cloud asset(resource or IAM policy) governed by the organization policies of the AnalyzeOrgPolicyGovernedAssetsRequest.constraint.

GoogleCloudAssetV1AnalyzeOrgPolicyGovernedAssetsResponseGovernedIamPolicy

The IAM policies governed by the organization policies of the AnalyzeOrgPolicyGovernedAssetsRequest.constraint.

GoogleCloudAssetV1AnalyzeOrgPolicyGovernedAssetsResponseGovernedResource

The Google Cloud resources governed by the organization policies of the AnalyzeOrgPolicyGovernedAssetsRequest.constraint.

GoogleCloudAssetV1BigQueryDestination

A BigQuery destination.

GoogleCloudAssetV1BooleanConstraint

A Constraint that is either enforced or not. For example a constraint constraints/compute.disableSerialPortAccess. If it is enforced on a VM instance, serial port connections will not be opened to that instance.

GoogleCloudAssetV1Constraint

The definition of a constraint.

GoogleCloudAssetV1CustomConstraint

The definition of a custom constraint.

GoogleCloudAssetV1Edge

A directional edge.

GoogleCloudAssetV1GcsDestination

A Cloud Storage location.

GoogleCloudAssetV1GovernedContainer

The organization/folder/project resource governed by organization policies of AnalyzeOrgPolicyGovernedContainersRequest.constraint.

GoogleCloudAssetV1Identity

An identity under analysis.

GoogleCloudAssetV1IdentityList

The identities and group edges.

GoogleCloudAssetV1ListConstraint

A Constraint that allows or disallows a list of string values, which are configured by an organization's policy administrator with a Policy.

GoogleCloudAssetV1QueryAssetsOutputConfigBigQueryDestination

BigQuery destination.

GoogleCloudAssetV1Resource

A Google Cloud resource under analysis.

GoogleCloudAssetV1Rule

This rule message is a customized version of the one defined in the Organization Policy system. In addition to the fields defined in the original organization policy, it contains additional field(s) under specific circumstances to support analysis results.

GoogleCloudAssetV1StringValues

The string values for the list constraints.

GoogleCloudAssetV1p7beta1Asset

GoogleCloudAssetV1p7beta1RelatedAsset

An asset identify in Google Cloud which contains its name, type and ancestors. An asset can be any resource in the Google Cloud resource hierarchy, a resource outside the Google Cloud resource hierarchy (such as Google Kubernetes Engine clusters and objects), or a policy (e.g. IAM policy). See Supported asset types for more information.

GoogleCloudAssetV1p7beta1RelatedAssets

The detailed related assets with the relationship_type.

GoogleCloudAssetV1p7beta1RelationshipAttributes

The relationship attributes which include type, source_resource_type, target_resource_type and action.

GoogleCloudAssetV1p7beta1Resource

A representation of a Google Cloud resource.

GoogleCloudOrgpolicyV1BooleanPolicy

Used in policy_type to specify how boolean_policy will behave at this resource.

GoogleCloudOrgpolicyV1ListPolicy

Used in policy_type to specify how list_policy behaves at this resource. ListPolicy can define specific values and subtrees of Cloud Resource Manager resource hierarchy (Organizations, Folders, Projects) that are allowed or denied by setting the allowed_values and denied_values fields. This is achieved by using the under: and optional is: prefixes. The under: prefix is used to denote resource subtree values. The is: prefix is used to denote specific values, and is required only if the value contains a ":". Values prefixed with "is:" are treated the same as values with no prefix. Ancestry subtrees must be in one of the following formats:

"projects/", e.g. "projects/tokyo-rain-123" - "folders/", e.g. "folders/1234" - "organizations/", e.g. "organizations/1234" The supports_under field of the associated Constraint defines whether ancestry prefixes can be used. You can set allowed_values and denied_values in the same Policy if all_values is ALL_VALUES_UNSPECIFIED. ALLOW or DENY are used to allow or deny all values. If all_values is set to either ALLOW or DENY, allowed_values and denied_values must be unset.

GoogleCloudOrgpolicyV1Policy

Defines a Cloud Organization Policy which is used to specify Constraints for configurations of Cloud Platform resources.

GoogleCloudOrgpolicyV1RestoreDefault

Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific Constraint at this resource. Suppose that constraint_default is set to ALLOW for the Constraint constraints/serviceuser.services. Suppose that organization foo.com sets a Policy at their Organization resource node that restricts the allowed service activations to deny all service activations. They could then set a Policy with the policy_type restore_default on several experimental projects, restoring the constraint_default enforcement of the Constraint for only those projects, allowing those projects to have all services activated.

GoogleIdentityAccesscontextmanagerV1AccessLevel

An AccessLevel is a label that can be applied to requests to Google Cloud services, along with a list of requirements necessary for the label to be applied.

GoogleIdentityAccesscontextmanagerV1AccessPolicy

AccessPolicy is a container for AccessLevels (which define the necessary attributes to use Google Cloud services) and ServicePerimeters (which define regions of services able to freely pass data within a perimeter). An access policy is globally visible within an organization, and the restrictions it specifies apply to all projects within an organization.

GoogleIdentityAccesscontextmanagerV1ApiOperation

Identification for an API Operation.

GoogleIdentityAccesscontextmanagerV1BasicLevel

BasicLevel is an AccessLevel using a set of recommended features.

GoogleIdentityAccesscontextmanagerV1Condition

A condition necessary for an AccessLevel to be granted. The Condition is an AND over its fields. So a Condition is true if: 1) the request IP is from one of the listed subnetworks AND 2) the originating device complies with the listed device policy AND 3) all listed access levels are granted AND 4) the request was sent at a time allowed by the DateTimeRestriction.

GoogleIdentityAccesscontextmanagerV1CustomLevel

CustomLevel is an AccessLevel using the Cloud Common Expression Language to represent the necessary conditions for the level to apply to a request. See CEL spec at: https://github.com/google/cel-spec

GoogleIdentityAccesscontextmanagerV1DevicePolicy

DevicePolicy specifies device specific restrictions necessary to acquire a given access level. A DevicePolicy specifies requirements for requests from devices to be granted access levels, it does not do any enforcement on the device. DevicePolicy acts as an AND over all specified fields, and each repeated field is an OR over its elements. Any unset fields are ignored. For example, if the proto is { os_type : DESKTOP_WINDOWS, os_type : DESKTOP_LINUX, encryption_status: ENCRYPTED}, then the DevicePolicy will be true for requests originating from encrypted Linux desktops and encrypted Windows desktops.

GoogleIdentityAccesscontextmanagerV1EgressFrom

Defines the conditions under which an EgressPolicy matches a request. Conditions based on information about the source of the request. Note that if the destination of the request is also protected by a ServicePerimeter, then that ServicePerimeter must have an IngressPolicy which allows access in order for this request to succeed.

GoogleIdentityAccesscontextmanagerV1EgressPolicy

Policy for egress from perimeter. EgressPolicies match requests based on egress_from and egress_to stanzas. For an EgressPolicy to match, both egress_from and egress_to stanzas must be matched. If an EgressPolicy matches a request, the request is allowed to span the ServicePerimeter boundary. For example, an EgressPolicy can be used to allow VMs on networks within the ServicePerimeter to access a defined set of projects outside the perimeter in certain contexts (e.g. to read data from a Cloud Storage bucket or query against a BigQuery dataset). EgressPolicies are concerned with the resources that a request relates as well as the API services and API actions being used. They do not related to the direction of data movement. More detailed documentation for this concept can be found in the descriptions of EgressFrom and EgressTo.

GoogleIdentityAccesscontextmanagerV1EgressSource

The source that EgressPolicy authorizes access from inside the ServicePerimeter to somewhere outside the ServicePerimeter boundaries.

GoogleIdentityAccesscontextmanagerV1EgressTo

Defines the conditions under which an EgressPolicy matches a request. Conditions are based on information about the ApiOperation intended to be performed on the resources specified. Note that if the destination of the request is also protected by a ServicePerimeter, then that ServicePerimeter must have an IngressPolicy which allows access in order for this request to succeed. The request must match operations AND resources fields in order to be allowed egress out of the perimeter.

GoogleIdentityAccesscontextmanagerV1IngressFrom

Defines the conditions under which an IngressPolicy matches a request. Conditions are based on information about the source of the request. The request must satisfy what is defined in sources AND identity related fields in order to match.

GoogleIdentityAccesscontextmanagerV1IngressPolicy

Policy for ingress into ServicePerimeter. IngressPolicies match requests based on ingress_from and ingress_to stanzas. For an ingress policy to match, both the ingress_from and ingress_to stanzas must be matched. If an IngressPolicy matches a request, the request is allowed through the perimeter boundary from outside the perimeter. For example, access from the internet can be allowed either based on an AccessLevel or, for traffic hosted on Google Cloud, the project of the source network. For access from private networks, using the project of the hosting network is required. Individual ingress policies can be limited by restricting which services and/or actions they match using the ingress_to field.

GoogleIdentityAccesscontextmanagerV1IngressSource

The source that IngressPolicy authorizes access from.

GoogleIdentityAccesscontextmanagerV1IngressTo

Defines the conditions under which an IngressPolicy matches a request. Conditions are based on information about the ApiOperation intended to be performed on the target resource of the request. The request must satisfy what is defined in operations AND resources in order to match.

GoogleIdentityAccesscontextmanagerV1MethodSelector

An allowed method or permission of a service specified in ApiOperation.

GoogleIdentityAccesscontextmanagerV1OsConstraint

A restriction on the OS type and version of devices making requests.

GoogleIdentityAccesscontextmanagerV1ServicePerimeter

ServicePerimeter describes a set of Google Cloud resources which can freely import and export data amongst themselves, but not export outside of the ServicePerimeter. If a request with a source within this ServicePerimeter has a target outside of the ServicePerimeter, the request will be blocked. Otherwise the request is allowed. There are two types of Service Perimeter - Regular and Bridge. Regular Service Perimeters cannot overlap, a single Google Cloud project or VPC network can only belong to a single regular Service Perimeter. Service Perimeter Bridges can contain only Google Cloud projects as members, a single Google Cloud project may belong to multiple Service Perimeter Bridges.

GoogleIdentityAccesscontextmanagerV1ServicePerimeterConfig

ServicePerimeterConfig specifies a set of Google Cloud resources that describe specific Service Perimeter configuration.

GoogleIdentityAccesscontextmanagerV1VpcAccessibleServices

Specifies how APIs are allowed to communicate within the Service Perimeter.

GoogleIdentityAccesscontextmanagerV1VpcNetworkSource

The originating network source in Google Cloud.

GoogleIdentityAccesscontextmanagerV1VpcSubNetwork

Sub-segment ranges inside of a VPC Network.

IamPolicyAnalysis

An analysis message to group the query and results.

IamPolicyAnalysisOutputConfig

Output configuration for export IAM policy analysis destination.

IamPolicyAnalysisQuery

IAM policy analysis query message.

IamPolicyAnalysisResult

IAM Policy analysis result, consisting of one IAM policy binding and derived access control lists.

IamPolicyAnalysisState

Represents the detailed state of an entity under analysis, such as a resource, an identity or an access.

IamPolicySearchResult

A result of IAM Policy search, containing information of an IAM policy.

IdentitySelector

Specifies an identity for which to determine resource access, based on roles assigned either directly to them or to the groups they belong to, directly or indirectly.

Inventory

This API resource represents the available inventory data for a Compute Engine virtual machine (VM) instance at a given point in time. You can use this API resource to determine the inventory data of your VM. For more information, see Information provided by OS inventory management.

Item

A single piece of inventory on a VM.

ListAssetsResponse

ListAssets response.

ListFeedsResponse

ListSavedQueriesResponse

Response of listing saved queries.

MoveAnalysis

A message to group the analysis information.

MoveAnalysisResult

An analysis result including blockers and warnings.

MoveImpact

A message to group impacts of moving the target resource.

Operation

This resource represents a long-running operation that is the result of a network API call.

Options

Contains query options.

OrgPolicyResult

The organization policy result to the query.

OsInfo

Operating system information for the VM.

OutputConfig

Output configuration for export assets destination.

PartitionSpec

Specifications of BigQuery partitioned table as export destination.

Permissions

IAM permissions

Policy

An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A Policy is a collection of bindings. A binding binds one or more members, or principals, to a single role. Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a binding can also specify a condition, which is a logical expression that allows access to a resource only if the expression evaluates to true. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the IAM documentation. JSON example:

{
"bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com",
"group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] },
{ "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": {
"title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time
&lt; timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 }

YAML example:

bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com -
serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin -
members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable
access description: Does not grant access after Sep 2020 expression: request.time &lt;
timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3

For a description of IAM and its features, see the IAM documentation.

PolicyInfo

The IAM policy and its attached resource.

PubsubDestination

A Pub/Sub destination.

QueryAssetsOutputConfig

Output configuration query assets.

QueryAssetsRequest

QueryAssets request.

QueryAssetsResponse

QueryAssets response.

QueryContent

The query content.

QueryResult

Execution results of the query. The result is formatted as rows represented by BigQuery compatible [schema]. When pagination is necessary, it will contains the page token to retrieve the results of following pages.

RelatedAsset

An asset identifier in Google Cloud which contains its name, type and ancestors. An asset can be any resource in the Google Cloud resource hierarchy, a resource outside the Google Cloud resource hierarchy (such as Google Kubernetes Engine clusters and objects), or a policy (e.g. IAM policy). See Supported asset types for more information.

RelatedAssets

DEPRECATED. This message only presents for the purpose of backward-compatibility. The server will never populate this message in responses. The detailed related assets with the relationship_type.

RelatedResource

The detailed related resource.

RelatedResources

The related resources of the primary resource.

RelationshipAttributes

DEPRECATED. This message only presents for the purpose of backward-compatibility. The server will never populate this message in responses. The relationship attributes which include type, source_resource_type, target_resource_type and action.

Resource

A representation of a Google Cloud resource.

ResourceOwners

The resource owners information.

ResourceSearchResult

A result of Resource Search, containing information of a cloud resource.

ResourceSelector

Specifies the resource to analyze for access policies, which may be set directly on the resource, or on ancestors such as organizations, folders or projects.

SavedQuery

A saved query which can be shared with others or used later.

SearchAllIamPoliciesResponse

Search all IAM policies response.

SearchAllResourcesResponse

Search all resources response.

SoftwarePackage

Software package information of the operating system.

Status

The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.

TableFieldSchema

A field in TableSchema.

TableSchema

BigQuery Compatible table schema.

Tag

The key and value for a tag.

TemporalAsset

An asset in Google Cloud and its temporal metadata, including the time window when it was observed and its status during that window.

TimeWindow

A time window specified by its start_time and end_time.

UpdateFeedRequest

Update asset feed request.

VersionedPackage

Information related to the a standard versioned package. This includes package info for APT, Yum, Zypper, and Googet package managers.

VersionedResource

Resource representation as defined by the corresponding service providing the resource for a given API version.

WindowsApplication

Contains information about a Windows application that is retrieved from the Windows Registry. For more information about these fields, see: https://docs.microsoft.com/en-us/windows/win32/msi/uninstall-registry-key

WindowsQuickFixEngineeringPackage

Information related to a Quick Fix Engineering package. Fields are taken from Windows QuickFixEngineering Interface and match the source names: https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-quickfixengineering

WindowsUpdateCategory

Categories specified by the Windows Update.

WindowsUpdatePackage

Details related to a Windows Update package. Field data and names are taken from Windows Update API IUpdate Interface: https://docs.microsoft.com/en-us/windows/win32/api/_wua/ Descriptive fields like title, and description are localized based on the locale of the VM being updated.

ZypperPatch

Details related to a Zypper Patch.