Namespace Google.Apis.CloudAsset.v1beta1.Data
Classes
AnalyzeIamPolicyLongrunningMetadata
Represents the metadata of the longrunning operation for the AnalyzeIamPolicyLongrunning RPC.
AnalyzeIamPolicyLongrunningResponse
A response message for AssetService.AnalyzeIamPolicyLongrunning.
Asset
An asset in Google Cloud. An asset can be any resource in the Google Cloud resource hierarchy, a resource outside the Google Cloud resource hierarchy (such as Google Kubernetes Engine clusters and objects), or a policy (e.g. IAM policy). See Supported asset types for more information.
AuditConfig
Specifies the audit configuration for a service. The configuration determines which permission types are logged,
and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs. If
there are AuditConfigs for both allServices
and a specific service, the union of the two AuditConfigs is used
for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each
AuditLogConfig are exempted. Example Policy with multiple AuditConfigs: { "audit_configs": [ { "service":
"allServices", "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ]
}, { "log_type": "DATA_WRITE" }, { "log_type": "ADMIN_READ" } ] }, { "service": "sampleservice.googleapis.com",
"audit_log_configs": [ { "log_type": "DATA_READ" }, { "log_type": "DATA_WRITE", "exempted_members": [
"user:aliya@example.com" ] } ] } ] } For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
logging. It also exempts jose@example.com
from DATA_READ logging, and aliya@example.com
from DATA_WRITE
logging.
AuditLogConfig
Provides the configuration for logging a type of permissions. Example: { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] }, { "log_type": "DATA_WRITE" } ] } This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from DATA_READ logging.
BatchGetAssetsHistoryResponse
Batch get assets history response.
Binding
Associates members
, or principals, with a role
.
ExportAssetsRequest
Export asset request.
Expr
Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
GcsDestination
A Cloud Storage location.
GoogleCloudAssetV1p7beta1Asset
An asset in Google Cloud. An asset can be any resource in the Google Cloud resource hierarchy, a resource outside the Google Cloud resource hierarchy (such as Google Kubernetes Engine clusters and objects), or a policy (e.g. IAM policy). See Supported asset types for more information.
GoogleCloudAssetV1p7beta1RelatedAsset
An asset identify in Google Cloud which contains its name, type and ancestors. An asset can be any resource in the Google Cloud resource hierarchy, a resource outside the Google Cloud resource hierarchy (such as Google Kubernetes Engine clusters and objects), or a policy (e.g. IAM policy). See Supported asset types for more information.
GoogleCloudAssetV1p7beta1RelatedAssets
The detailed related assets with the relationship_type
.
GoogleCloudAssetV1p7beta1RelationshipAttributes
The relationship attributes which include type
, source_resource_type
, target_resource_type
and action
.
GoogleCloudAssetV1p7beta1Resource
A representation of a Google Cloud resource.
GoogleCloudOrgpolicyV1BooleanPolicy
Used in policy_type
to specify how boolean_policy
will behave at this resource.
GoogleCloudOrgpolicyV1ListPolicy
Used in policy_type
to specify how list_policy
behaves at this resource. ListPolicy
can define specific
values and subtrees of Cloud Resource Manager resource hierarchy (Organizations
, Folders
, Projects
) that
are allowed or denied by setting the allowed_values
and denied_values
fields. This is achieved by using the
under:
and optional is:
prefixes. The under:
prefix is used to denote resource subtree values. The is:
prefix is used to denote specific values, and is required only if the value contains a ":". Values prefixed with
"is:" are treated the same as values with no prefix. Ancestry subtrees must be in one of the following formats:
- "projects/", e.g. "projects/tokyo-rain-123" - "folders/", e.g. "folders/1234" - "organizations/", e.g.
"organizations/1234" The
supports_under
field of the associatedConstraint
defines whether ancestry prefixes can be used. You can setallowed_values
anddenied_values
in the samePolicy
ifall_values
isALL_VALUES_UNSPECIFIED
.ALLOW
orDENY
are used to allow or deny all values. Ifall_values
is set to eitherALLOW
orDENY
,allowed_values
anddenied_values
must be unset.
GoogleCloudOrgpolicyV1Policy
Defines a Cloud Organization Policy
which is used to specify Constraints
for configurations of Cloud
Platform resources.
GoogleCloudOrgpolicyV1RestoreDefault
Ignores policies set above this resource and restores the constraint_default
enforcement behavior of the
specific Constraint
at this resource. Suppose that constraint_default
is set to ALLOW
for the Constraint
constraints/serviceuser.services
. Suppose that organization foo.com sets a Policy
at their Organization
resource node that restricts the allowed service activations to deny all service activations. They could then
set a Policy
with the policy_type
restore_default
on several experimental projects, restoring the
constraint_default
enforcement of the Constraint
for only those projects, allowing those projects to have
all services activated.
GoogleIdentityAccesscontextmanagerV1AccessLevel
An AccessLevel
is a label that can be applied to requests to Google Cloud services, along with a list of
requirements necessary for the label to be applied.
GoogleIdentityAccesscontextmanagerV1AccessPolicy
AccessPolicy
is a container for AccessLevels
(which define the necessary attributes to use Google Cloud
services) and ServicePerimeters
(which define regions of services able to freely pass data within a
perimeter). An access policy is globally visible within an organization, and the restrictions it specifies apply
to all projects within an organization.
GoogleIdentityAccesscontextmanagerV1ApiOperation
Identification for an API Operation.
GoogleIdentityAccesscontextmanagerV1BasicLevel
BasicLevel
is an AccessLevel
using a set of recommended features.
GoogleIdentityAccesscontextmanagerV1Condition
A condition necessary for an AccessLevel
to be granted. The Condition is an AND over its fields. So a
Condition is true if: 1) the request IP is from one of the listed subnetworks AND 2) the originating device
complies with the listed device policy AND 3) all listed access levels are granted AND 4) the request was sent
at a time allowed by the DateTimeRestriction.
GoogleIdentityAccesscontextmanagerV1CustomLevel
CustomLevel
is an AccessLevel
using the Cloud Common Expression Language to represent the necessary
conditions for the level to apply to a request. See CEL spec at: https://github.com/google/cel-spec
GoogleIdentityAccesscontextmanagerV1DevicePolicy
DevicePolicy
specifies device specific restrictions necessary to acquire a given access level. A
DevicePolicy
specifies requirements for requests from devices to be granted access levels, it does not do any
enforcement on the device. DevicePolicy
acts as an AND over all specified fields, and each repeated field is
an OR over its elements. Any unset fields are ignored. For example, if the proto is { os_type : DESKTOP_WINDOWS,
os_type : DESKTOP_LINUX, encryption_status: ENCRYPTED}, then the DevicePolicy will be true for requests
originating from encrypted Linux desktops and encrypted Windows desktops.
GoogleIdentityAccesscontextmanagerV1EgressFrom
Defines the conditions under which an EgressPolicy matches a request. Conditions based on information about the source of the request. Note that if the destination of the request is also protected by a ServicePerimeter, then that ServicePerimeter must have an IngressPolicy which allows access in order for this request to succeed.
GoogleIdentityAccesscontextmanagerV1EgressPolicy
Policy for egress from perimeter. EgressPolicies match requests based on egress_from
and egress_to
stanzas.
For an EgressPolicy to match, both egress_from
and egress_to
stanzas must be matched. If an EgressPolicy
matches a request, the request is allowed to span the ServicePerimeter boundary. For example, an EgressPolicy
can be used to allow VMs on networks within the ServicePerimeter to access a defined set of projects outside the
perimeter in certain contexts (e.g. to read data from a Cloud Storage bucket or query against a BigQuery
dataset). EgressPolicies are concerned with the resources that a request relates as well as the API services
and API actions being used. They do not related to the direction of data movement. More detailed documentation
for this concept can be found in the descriptions of EgressFrom and EgressTo.
GoogleIdentityAccesscontextmanagerV1EgressSource
The source that EgressPolicy authorizes access from inside the ServicePerimeter to somewhere outside the ServicePerimeter boundaries.
GoogleIdentityAccesscontextmanagerV1EgressTo
Defines the conditions under which an EgressPolicy matches a request. Conditions are based on information about
the ApiOperation intended to be performed on the resources
specified. Note that if the destination of the
request is also protected by a ServicePerimeter, then that ServicePerimeter must have an IngressPolicy which
allows access in order for this request to succeed. The request must match operations
AND resources
fields
in order to be allowed egress out of the perimeter.
GoogleIdentityAccesscontextmanagerV1IngressFrom
Defines the conditions under which an IngressPolicy matches a request. Conditions are based on information about
the source of the request. The request must satisfy what is defined in sources
AND identity related fields in
order to match.
GoogleIdentityAccesscontextmanagerV1IngressPolicy
Policy for ingress into ServicePerimeter. IngressPolicies match requests based on ingress_from
and
ingress_to
stanzas. For an ingress policy to match, both the ingress_from
and ingress_to
stanzas must be
matched. If an IngressPolicy matches a request, the request is allowed through the perimeter boundary from
outside the perimeter. For example, access from the internet can be allowed either based on an AccessLevel or,
for traffic hosted on Google Cloud, the project of the source network. For access from private networks, using
the project of the hosting network is required. Individual ingress policies can be limited by restricting which
services and/or actions they match using the ingress_to
field.
GoogleIdentityAccesscontextmanagerV1IngressSource
The source that IngressPolicy authorizes access from.
GoogleIdentityAccesscontextmanagerV1IngressTo
Defines the conditions under which an IngressPolicy matches a request. Conditions are based on information about
the ApiOperation intended to be performed on the target resource of the request. The request must satisfy what
is defined in operations
AND resources
in order to match.
GoogleIdentityAccesscontextmanagerV1MethodSelector
An allowed method or permission of a service specified in ApiOperation.
GoogleIdentityAccesscontextmanagerV1OsConstraint
A restriction on the OS type and version of devices making requests.
GoogleIdentityAccesscontextmanagerV1ServicePerimeter
ServicePerimeter
describes a set of Google Cloud resources which can freely import and export data amongst
themselves, but not export outside of the ServicePerimeter
. If a request with a source within this
ServicePerimeter
has a target outside of the ServicePerimeter
, the request will be blocked. Otherwise the
request is allowed. There are two types of Service Perimeter - Regular and Bridge. Regular Service Perimeters
cannot overlap, a single Google Cloud project or VPC network can only belong to a single regular Service
Perimeter. Service Perimeter Bridges can contain only Google Cloud projects as members, a single Google Cloud
project may belong to multiple Service Perimeter Bridges.
GoogleIdentityAccesscontextmanagerV1ServicePerimeterConfig
ServicePerimeterConfig
specifies a set of Google Cloud resources that describe specific Service Perimeter
configuration.
GoogleIdentityAccesscontextmanagerV1VpcAccessibleServices
Specifies how APIs are allowed to communicate within the Service Perimeter.
GoogleIdentityAccesscontextmanagerV1VpcNetworkSource
The originating network source in Google Cloud.
GoogleIdentityAccesscontextmanagerV1VpcSubNetwork
Sub-segment ranges inside of a VPC Network.
Operation
This resource represents a long-running operation that is the result of a network API call.
OutputConfig
Output configuration for export assets destination.
Policy
An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A
Policy
is a collection of bindings
. A binding
binds one or more members
, or principals, to a single
role
. Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). A
role
is a named list of permissions; each role
can be an IAM predefined role or a user-created custom role.
For some types of Google Cloud resources, a binding
can also specify a condition
, which is a logical
expression that allows access to a resource only if the expression evaluates to true
. A condition can add
constraints based on attributes of the request, the resource, or both. To learn which resources support
conditions in their IAM policies, see the IAM
documentation. JSON example:
{
"bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com",
"group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] },
{ "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": {
"title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time
< timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 }
YAML example:
bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com -
serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin -
members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable
access description: Does not grant access after Sep 2020 expression: request.time <
timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3
For a description of IAM and its features, see the IAM documentation.
Resource
A representation of a Google Cloud resource.
Status
The Status
type defines a logical error model that is suitable for different programming environments,
including REST APIs and RPC APIs. It is used by gRPC. Each Status
message contains
three pieces of data: error code, error message, and error details. You can find out more about this error model
and how to work with it in the API Design Guide.
TemporalAsset
An asset in Google Cloud and its temporal metadata, including the time window when it was observed and its status during that window.
TimeWindow
A time window specified by its start_time
and end_time
.