Types for Google Cloud Iam v2 API¶
- class google.cloud.iam_v2.types.CreatePolicyRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Request message for
CreatePolicy
.- parent¶
Required. The resource that the policy is attached to, along with the kind of policy to create. Format:
policies/{attachment_point}/denypolicies
The attachment point is identified by its URL-encoded full resource name, which means that the forward-slash character,
/
, must be written as%2F
. For example,policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies
.For organizations and folders, use the numeric ID in the full resource name. For projects, you can use the alphanumeric or the numeric ID.
- Type
- policy¶
Required. The policy to create.
- class google.cloud.iam_v2.types.DeletePolicyRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Request message for
DeletePolicy
.- name¶
Required. The resource name of the policy to delete. Format:
policies/{attachment_point}/denypolicies/{policy_id}
Use the URL-encoded full resource name, which means that the forward-slash character,
/
, must be written as%2F
. For example,policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies/my-policy
.For organizations and folders, use the numeric ID in the full resource name. For projects, you can use the alphanumeric or the numeric ID.
- Type
- class google.cloud.iam_v2.types.DenyRule(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
A deny rule in an IAM deny policy.
- denied_principals¶
The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:
principalSet://goog/public:all
: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.principal://goog/subject/{email_id}
: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example,principal://goog/subject/alice@example.com
.deleted:principal://goog/subject/{email_id}?uid={uid}
: A specific Google Account that was deleted recently. For example,deleted:principal://goog/subject/alice@example.com?uid=1234567890
. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.principalSet://goog/group/{group_id}
: A Google group. For example,principalSet://goog/group/admins@example.com
.deleted:principalSet://goog/group/{group_id}?uid={uid}
: A Google group that was deleted recently. For example,deleted:principalSet://goog/group/admins@example.com?uid=1234567890
. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}
: A Google Cloud service account. For example,principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com
.deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}
: A Google Cloud service account that was deleted recently. For example,deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890
. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.principalSet://goog/cloudIdentityCustomerId/{customer_id}
: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example,principalSet://goog/cloudIdentityCustomerId/C01Abc35
.
- Type
MutableSequence[str]
- exception_principals¶
The identities that are excluded from the deny rule, even if they are listed in the
denied_principals
. For example, you could add a Google group to thedenied_principals
, then exclude specific users who belong to that group.This field can contain the same values as the
denied_principals
field, excludingprincipalSet://goog/public:all
, which represents all users on the internet.- Type
MutableSequence[str]
- denied_permissions¶
The permissions that are explicitly denied by this rule. Each permission uses the format
{service_fqdn}/{resource}.{verb}
, where{service_fqdn}
is the fully qualified domain name for the service. For example,iam.googleapis.com/roles.list
.- Type
MutableSequence[str]
- exception_permissions¶
Specifies the permissions that this rule excludes from the set of denied permissions given by
denied_permissions
. If a permission appears indenied_permissions
and inexception_permissions
then it will not be denied.The excluded permissions can be specified using the same syntax as
denied_permissions
.- Type
MutableSequence[str]
- denial_condition¶
The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to
true
, then the deny rule is applied; otherwise, the deny rule is not applied.Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.
The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.
- Type
google.type.expr_pb2.Expr
- class google.cloud.iam_v2.types.GetPolicyRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Request message for
GetPolicy
.- name¶
Required. The resource name of the policy to retrieve. Format:
policies/{attachment_point}/denypolicies/{policy_id}
Use the URL-encoded full resource name, which means that the forward-slash character,
/
, must be written as%2F
. For example,policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies/my-policy
.For organizations and folders, use the numeric ID in the full resource name. For projects, you can use the alphanumeric or the numeric ID.
- Type
- class google.cloud.iam_v2.types.ListPoliciesRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Request message for
ListPolicies
.- parent¶
Required. The resource that the policy is attached to, along with the kind of policy to list. Format:
policies/{attachment_point}/denypolicies
The attachment point is identified by its URL-encoded full resource name, which means that the forward-slash character,
/
, must be written as%2F
. For example,policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies
.For organizations and folders, use the numeric ID in the full resource name. For projects, you can use the alphanumeric or the numeric ID.
- Type
- page_size¶
The maximum number of policies to return. IAM ignores this value and uses the value 1000.
- Type
- class google.cloud.iam_v2.types.ListPoliciesResponse(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Response message for
ListPolicies
.- policies¶
Metadata for the policies that are attached to the resource.
- Type
MutableSequence[google.cloud.iam_v2.types.Policy]
- class google.cloud.iam_v2.types.Policy(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Data for an IAM policy.
- name¶
Immutable. The resource name of the
Policy
, which must be unique. Format:policies/{attachment_point}/denypolicies/{policy_id}
The attachment point is identified by its URL-encoded full resource name, which means that the forward-slash character,
/
, must be written as%2F
. For example,policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies/my-deny-policy
.For organizations and folders, use the numeric ID in the full resource name. For projects, requests can use the alphanumeric or the numeric ID. Responses always contain the numeric ID.
- Type
- uid¶
Immutable. The globally unique ID of the
Policy
. Assigned automatically when thePolicy
is created.- Type
- display_name¶
A user-specified description of the
Policy
. This value can be up to 63 characters.- Type
- annotations¶
A key-value map to store arbitrary metadata for the
Policy
. Keys can be up to 63 characters. Values can be up to 255 characters.
- etag¶
An opaque tag that identifies the current version of the
Policy
. IAM uses this value to help manage concurrent updates, so they do not cause one update to be overwritten by another.If this field is present in a [CreatePolicy][] request, the value is ignored.
- Type
- create_time¶
Output only. The time when the
Policy
was created.
- update_time¶
Output only. The time when the
Policy
was last updated.
- delete_time¶
Output only. The time when the
Policy
was deleted. Empty if the policy is not deleted.
- rules¶
A list of rules that specify the behavior of the
Policy
. All of the rules should be of thekind
specified in thePolicy
.- Type
MutableSequence[google.cloud.iam_v2.types.PolicyRule]
- managing_authority¶
Immutable. Specifies that this policy is managed by an authority and can only be modified by that authority. Usage is restricted.
- Type
- class AnnotationsEntry(mapping=None, *, ignore_unknown_fields=False, **kwargs)¶
Bases:
proto.message.Message
- class google.cloud.iam_v2.types.PolicyOperationMetadata(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Metadata for long-running
Policy
operations.- create_time¶
Timestamp when the
google.longrunning.Operation
was created.
- class google.cloud.iam_v2.types.PolicyRule(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
A single rule in a
Policy
.
- class google.cloud.iam_v2.types.UpdatePolicyRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Request message for
UpdatePolicy
.- policy¶
Required. The policy to update.
To prevent conflicting updates, the
etag
value must match the value that is stored in IAM. If theetag
values do not match, the request fails with a409
error code andABORTED
status.