Class V1Resource.AnalyzeIamPolicyRequest

Analyzes IAM policies to answer which identities have what accesses on which resources.

Inheritance

object

ClientServiceRequest

ClientServiceRequest<AnalyzeIamPolicyResponse>

CloudAssetBaseServiceRequest<AnalyzeIamPolicyResponse>

V1Resource.AnalyzeIamPolicyRequest

Implements

IClientServiceRequest<AnalyzeIamPolicyResponse>

IClientServiceRequest

Inherited Members

CloudAssetBaseServiceRequest<AnalyzeIamPolicyResponse>.Xgafv

CloudAssetBaseServiceRequest<AnalyzeIamPolicyResponse>.AccessToken

CloudAssetBaseServiceRequest<AnalyzeIamPolicyResponse>.Alt

CloudAssetBaseServiceRequest<AnalyzeIamPolicyResponse>.Callback

CloudAssetBaseServiceRequest<AnalyzeIamPolicyResponse>.Fields

CloudAssetBaseServiceRequest<AnalyzeIamPolicyResponse>.Key

CloudAssetBaseServiceRequest<AnalyzeIamPolicyResponse>.OauthToken

CloudAssetBaseServiceRequest<AnalyzeIamPolicyResponse>.PrettyPrint

CloudAssetBaseServiceRequest<AnalyzeIamPolicyResponse>.QuotaUser

CloudAssetBaseServiceRequest<AnalyzeIamPolicyResponse>.UploadType

CloudAssetBaseServiceRequest<AnalyzeIamPolicyResponse>.UploadProtocol

ClientServiceRequest<AnalyzeIamPolicyResponse>.Execute()

ClientServiceRequest<AnalyzeIamPolicyResponse>.ExecuteAsStream()

ClientServiceRequest<AnalyzeIamPolicyResponse>.ExecuteAsync()

ClientServiceRequest<AnalyzeIamPolicyResponse>.ExecuteAsync(CancellationToken)

ClientServiceRequest<AnalyzeIamPolicyResponse>.ExecuteAsStreamAsync()

ClientServiceRequest<AnalyzeIamPolicyResponse>.ExecuteAsStreamAsync(CancellationToken)

ClientServiceRequest<AnalyzeIamPolicyResponse>.CreateRequest(bool?)

ClientServiceRequest<AnalyzeIamPolicyResponse>.GenerateRequestUri()

ClientServiceRequest<AnalyzeIamPolicyResponse>.GetBody()

ClientServiceRequest<AnalyzeIamPolicyResponse>.GetDefaultETagAction(string)

ClientServiceRequest<AnalyzeIamPolicyResponse>.ETagAction

ClientServiceRequest<AnalyzeIamPolicyResponse>.ModifyRequest

ClientServiceRequest<AnalyzeIamPolicyResponse>.ValidateParameters

ClientServiceRequest<AnalyzeIamPolicyResponse>.ApiVersion

ClientServiceRequest<AnalyzeIamPolicyResponse>.RequestParameters

ClientServiceRequest<AnalyzeIamPolicyResponse>.Service

ClientServiceRequest._unsuccessfulResponseHandlers

ClientServiceRequest._exceptionHandlers

ClientServiceRequest._executeInterceptors

ClientServiceRequest.AddUnsuccessfulResponseHandler(IHttpUnsuccessfulResponseHandler)

ClientServiceRequest.AddExceptionHandler(IHttpExceptionHandler)

ClientServiceRequest.AddExecuteInterceptor(IHttpExecuteInterceptor)

ClientServiceRequest.Credential

object.Equals(object)

object.Equals(object, object)

object.GetHashCode()

object.GetType()

object.MemberwiseClone()

object.ReferenceEquals(object, object)

object.ToString()

Namespace: Google.Apis.CloudAsset.v1

Assembly: Google.Apis.CloudAsset.v1.dll

Syntax

public class V1Resource.AnalyzeIamPolicyRequest : CloudAssetBaseServiceRequest<AnalyzeIamPolicyResponse>, IClientServiceRequest<AnalyzeIamPolicyResponse>, IClientServiceRequest

Constructors

AnalyzeIamPolicyRequest(IClientService, string)

Constructs a new AnalyzeIamPolicy request.

Declaration

public AnalyzeIamPolicyRequest(IClientService service, string scope)

Parameters

Type	Name	Description
IClientService	service
string	scope

Properties

AnalysisQueryAccessSelectorPermissions

Optional. The permissions to appear in result.

Declaration

[RequestParameter("analysisQuery.accessSelector.permissions", RequestParameterType.Query)]
public virtual Repeatable<string> AnalysisQueryAccessSelectorPermissions { get; set; }

Property Value

Type	Description
Repeatable<string>

AnalysisQueryAccessSelectorRoles

Optional. The roles to appear in result.

Declaration

[RequestParameter("analysisQuery.accessSelector.roles", RequestParameterType.Query)]
public virtual Repeatable<string> AnalysisQueryAccessSelectorRoles { get; set; }

Property Value

Type	Description
Repeatable<string>

AnalysisQueryConditionContextAccessTime

object representation of AnalysisQueryConditionContextAccessTimeRaw.

Declaration

[Obsolete("This property is obsolete and may behave unexpectedly; please use AnalysisQueryConditionContextAccessTimeDateTimeOffset instead.")]
public virtual object AnalysisQueryConditionContextAccessTime { get; set; }

Property Value

Type	Description
object

AnalysisQueryConditionContextAccessTimeDateTimeOffset

Declaration

public virtual DateTimeOffset? AnalysisQueryConditionContextAccessTimeDateTimeOffset { get; set; }

Property Value

Type	Description
DateTimeOffset?

AnalysisQueryConditionContextAccessTimeRaw

String representation of AnalysisQueryConditionContextAccessTimeDateTimeOffset, formatted for inclusion in the HTTP request.

Declaration

[RequestParameter("analysisQuery.conditionContext.accessTime", RequestParameterType.Query)]
public virtual string AnalysisQueryConditionContextAccessTimeRaw { get; }

Property Value

Type	Description
string

AnalysisQueryIdentitySelectorIdentity

Required. The identity appear in the form of principals in IAM policy binding. The examples of supported forms are: "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com". Notice that wildcard characters (such as * and ?) are not supported. You must give a specific identity.

Declaration

[RequestParameter("analysisQuery.identitySelector.identity", RequestParameterType.Query)]
public virtual string AnalysisQueryIdentitySelectorIdentity { get; set; }

Property Value

Type	Description
string

AnalysisQueryOptionsAnalyzeServiceAccountImpersonation

Optional. If true, the response will include access analysis from identities to resources via service account impersonation. This is a very expensive operation, because many derived queries will be executed. We highly recommend you use AssetService.AnalyzeIamPolicyLongrunning RPC instead. For example, if the request analyzes for which resources user A has permission P, and there's an IAM policy states user A has iam.serviceAccounts.getAccessToken permission to a service account SA, and there's another IAM policy states service account SA has permission P to a Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Another example, if the request analyzes for who has permission P to a Google Cloud folder F, and there's an IAM policy states user A has iam.serviceAccounts.actAs permission to a service account SA, and there's another IAM policy states service account SA has permission P to the Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Only the following permissions are considered in this analysis: * iam.serviceAccounts.actAs * iam.serviceAccounts.signBlob * iam.serviceAccounts.signJwt * iam.serviceAccounts.getAccessToken * iam.serviceAccounts.getOpenIdToken * iam.serviceAccounts.implicitDelegation Default is false.

Declaration

[RequestParameter("analysisQuery.options.analyzeServiceAccountImpersonation", RequestParameterType.Query)]
public virtual bool? AnalysisQueryOptionsAnalyzeServiceAccountImpersonation { get; set; }

Property Value

Type	Description
bool?

AnalysisQueryOptionsExpandGroups

Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag is not allowed to set. If true, the default max expansion per group is 1000 for AssetService.AnalyzeIamPolicy][]. Default is false.

Declaration

[RequestParameter("analysisQuery.options.expandGroups", RequestParameterType.Query)]
public virtual bool? AnalysisQueryOptionsExpandGroups { get; set; }

Property Value

Type	Description
bool?

AnalysisQueryOptionsExpandResources

Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a Google Cloud folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resources cannot be used together with this option. For example, if the request analyzes for which users have permission P on a Google Cloud project with this option enabled, the results will include all users who have permission P on that project or any lower resource. If true, the default max expansion per resource is 1000 for AssetService.AnalyzeIamPolicy][] and 100000 for AssetService.AnalyzeIamPolicyLongrunning][]. Default is false.

Declaration

[RequestParameter("analysisQuery.options.expandResources", RequestParameterType.Query)]
public virtual bool? AnalysisQueryOptionsExpandResources { get; set; }

Property Value

Type	Description
bool?

AnalysisQueryOptionsExpandRoles

Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to set. Default is false.

Declaration

[RequestParameter("analysisQuery.options.expandRoles", RequestParameterType.Query)]
public virtual bool? AnalysisQueryOptionsExpandRoles { get; set; }

Property Value

Type	Description
bool?

AnalysisQueryOptionsOutputGroupEdges

Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false.

Declaration

[RequestParameter("analysisQuery.options.outputGroupEdges", RequestParameterType.Query)]
public virtual bool? AnalysisQueryOptionsOutputGroupEdges { get; set; }

Property Value

Type	Description
bool?

AnalysisQueryOptionsOutputResourceEdges

Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false.

Declaration

[RequestParameter("analysisQuery.options.outputResourceEdges", RequestParameterType.Query)]
public virtual bool? AnalysisQueryOptionsOutputResourceEdges { get; set; }

Property Value

Type	Description
bool?

AnalysisQueryResourceSelectorFullResourceName

Required. The [full resource name] (https://cloud.google.com/asset-inventory/docs/resource-name-format) of a resource of supported resource types.

Declaration

[RequestParameter("analysisQuery.resourceSelector.fullResourceName", RequestParameterType.Query)]
public virtual string AnalysisQueryResourceSelectorFullResourceName { get; set; }

Property Value

Type	Description
string

ExecutionTimeout

Optional. Amount of time executable has to complete. See JSON representation of Duration. If this field is set with a value less than the RPC deadline, and the execution of your query hasn't finished in the specified execution timeout, you will get a response with partial result. Otherwise, your query's execution will continue until the RPC deadline. If it's not finished until then, you will get a DEADLINE_EXCEEDED error. Default is empty.

Declaration

[RequestParameter("executionTimeout", RequestParameterType.Query)]
public virtual object ExecutionTimeout { get; set; }

Property Value

Type	Description
object

HttpMethod

Gets the HTTP method.

Declaration

public override string HttpMethod { get; }

Property Value

Type	Description
string

Overrides

ClientServiceRequest<AnalyzeIamPolicyResponse>.HttpMethod

MethodName

Gets the method name.

Declaration

public override string MethodName { get; }

Property Value

Type	Description
string

Overrides

ClientServiceRequest<AnalyzeIamPolicyResponse>.MethodName

RestPath

Gets the REST path.

Declaration

public override string RestPath { get; }

Property Value

Type	Description
string

Overrides

ClientServiceRequest<AnalyzeIamPolicyResponse>.RestPath

SavedAnalysisQuery

Optional. The name of a saved query, which must be in the format of: * projects/project_number/savedQueries/saved_query_id * folders/folder_number/savedQueries/saved_query_id

• organizations/organization_number/savedQueries/saved_query_id If both analysis_query and saved_analysis_query are provided, they will be merged together with the saved_analysis_query as base and the analysis_query as overrides. For more details of the merge behavior, refer to the MergeFrom page. Note that you cannot override primitive fields with default value, such as 0 or empty string, etc., because we use proto3, which doesn't support field presence yet.

Declaration

[RequestParameter("savedAnalysisQuery", RequestParameterType.Query)]
public virtual string SavedAnalysisQuery { get; set; }

Property Value

Type	Description
string

Scope

Required. The relative name of the root asset. Only resources and IAM policies within the scope will be analyzed. This can only be an organization number (such as "organizations/123"), a folder number (such as "folders/123"), a project ID (such as "projects/my-project-id"), or a project number (such as "projects/12345"). To know how to get organization ID, visit here. To know how to get folder or project ID, visit here.

Declaration

[RequestParameter("scope", RequestParameterType.Path)]
public virtual string Scope { get; }

Property Value

Type	Description
string

Methods

InitParameters()

Initializes AnalyzeIamPolicy parameter list.

Declaration

protected override void InitParameters()

Overrides

CloudAssetBaseServiceRequest<AnalyzeIamPolicyResponse>.InitParameters()

Implements

IClientServiceRequest<TResponse>

IClientServiceRequest