As of January 1, 2020 this library no longer supports Python 2 on the latest released version. Library versions released prior to that date will continue to be available. For more information please visit Python 2 support on Google Cloud.

Types for Google Cloud Iam v2 API

class google.cloud.iam_v2.types.CreatePolicyRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)

Bases: proto.message.Message

Request message for CreatePolicy.

parent

Required. The resource that the policy is attached to, along with the kind of policy to create. Format: policies/{attachment_point}/denypolicies

The attachment point is identified by its URL-encoded full resource name, which means that the forward-slash character, /, must be written as %2F. For example, policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies.

For organizations and folders, use the numeric ID in the full resource name. For projects, you can use the alphanumeric or the numeric ID.

Type

str

policy

Required. The policy to create.

Type

google.cloud.iam_v2.types.Policy

policy_id

The ID to use for this policy, which will become the final component of the policy’s resource name. The ID must contain 3 to 63 characters. It can contain lowercase letters and numbers, as well as dashes (-) and periods (.). The first character must be a lowercase letter.

Type

str

class google.cloud.iam_v2.types.DeletePolicyRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)

Bases: proto.message.Message

Request message for DeletePolicy.

name

Required. The resource name of the policy to delete. Format: policies/{attachment_point}/denypolicies/{policy_id}

Use the URL-encoded full resource name, which means that the forward-slash character, /, must be written as %2F. For example, policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies/my-policy.

For organizations and folders, use the numeric ID in the full resource name. For projects, you can use the alphanumeric or the numeric ID.

Type

str

etag

Optional. The expected etag of the policy to delete. If the value does not match the value that is stored in IAM, the request fails with a 409 error code and ABORTED status.

If you omit this field, the policy is deleted regardless of its current etag.

Type

str
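The parent and name formats above (and the identical formats used by GetPolicyRequest.name, ListPoliciesRequest.parent and Policy.name further down) are easy to get wrong by hand: the attachment point must be the full resource name with every forward slash encoded as %2F, and policy_id has its own character and length rules. The helpers below are an added example, not part of the google-cloud-iam library; they use only the standard library. The `project_resource_name`, `folder_resource_name` and `organization_resource_name` helper names and the `cloudresourcemanager.googleapis.com/...` strings they produce are this example's own conventions taken from the examples in the field descriptions, and the dict returned by `create_policy_request` mirrors the request fields so it can be passed as `CreatePolicyRequest(mapping=...)` once the library is installed.

```python
import re
from typing import Any, Dict, List

from urllib.parse import quote

# Full resource names of the attachment points a deny policy can target.
# Organizations and folders must use the numeric ID; projects may use the
# alphanumeric or the numeric ID (responses always carry the numeric one).


def project_resource_name(project: str) -> str:
    return f"cloudresourcemanager.googleapis.com/projects/{project}"


def folder_resource_name(folder_number: int) -> str:
    return f"cloudresourcemanager.googleapis.com/folders/{folder_number}"


def organization_resource_name(org_number: int) -> str:
    return f"cloudresourcemanager.googleapis.com/organizations/{org_number}"


def attachment_point(full_resource_name: str) -> str:
    """URL-encode a full resource name so that every '/' becomes '%2F'."""
    # quote() keeps '/' unencoded by default; safe="" forces it to be encoded.
    return quote(full_resource_name, safe="")


def deny_policy_parent(full_resource_name: str) -> str:
    """The `parent` field of CreatePolicyRequest and ListPoliciesRequest."""
    return f"policies/{attachment_point(full_resource_name)}/denypolicies"


# policy_id: 3 to 63 characters, lowercase letters, digits, '-' and '.',
# and the first character must be a lowercase letter.
_POLICY_ID = re.compile(r"[a-z][a-z0-9.-]{2,62}")


def is_valid_policy_id(policy_id: str) -> bool:
    return _POLICY_ID.fullmatch(policy_id) is not None


def validate_policy_id(policy_id: str) -> str:
    """Reject a bad policy_id client-side instead of waiting for the API to."""
    if not is_valid_policy_id(policy_id):
        raise ValueError(
            f"invalid policy_id {policy_id!r}: 3-63 chars of [a-z0-9.-], "
            "starting with a lowercase letter"
        )
    return policy_id


def deny_policy_name(full_resource_name: str, policy_id: str) -> str:
    """The `name` field of GetPolicyRequest, DeletePolicyRequest and Policy."""
    return f"{deny_policy_parent(full_resource_name)}/{validate_policy_id(policy_id)}"


def create_policy_request(
    full_resource_name: str,
    policy_id: str,
    rules: List[Dict[str, Any]],
    display_name: str = "",
) -> Dict[str, Any]:
    """Build the mapping for CreatePolicyRequest(mapping=...)."""
    # `rules` is a list of PolicyRule-shaped dicts, e.g.
    # {"deny_rule": {...}, "description": "..."}; display_name is capped at
    # 63 characters by the Policy field description.
    if len(display_name) > 63:
        raise ValueError("display_name may be at most 63 characters")
    return {
        "parent": deny_policy_parent(full_resource_name),
        "policy_id": validate_policy_id(policy_id),
        "policy": {"display_name": display_name, "rules": rules},
    }
```

For the project example used throughout this page, `deny_policy_name(project_resource_name("my-project"), "my-policy")` yields exactly the `policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies/my-policy` string shown in the field descriptions.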

class google.cloud.iam_v2.types.DenyRule(mapping=None, *, ignore_unknown_fields=False, **kwargs)

Bases: proto.message.Message

A deny rule in an IAM deny policy.

denied_principals

The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:

  • principalSet://goog/public:all: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.

  • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.

  • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.

  • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.

  • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.

  • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.

  • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.

  • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

Type

Sequence[str]

exception_principals

The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.

This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.

Type

Sequence[str]

denied_permissions

The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.

Type

Sequence[str]

exception_permissions

Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in both denied_permissions and exception_permissions, it is not denied.

The excluded permissions can be specified using the same syntax as denied_permissions.

Type

Sequence[str]

denial_condition

The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.

Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.

The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.

Type

google.type.expr_pb2.Expr
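The five DenyRule fields above combine in a specific way: a request is denied by a rule only if the principal matches denied_principals (directly, through a group, or through principalSet://goog/public:all) and is not covered by exception_principals, the permission is in denied_permissions and not in exception_permissions, and the denial_condition (if any) evaluates to true; each rule is then evaluated independently, so one matching rule denies. The evaluator below is an added example, not the library's or IAM's own evaluation logic, written to make those semantics concrete offline. It assumes a caller-supplied group membership table (IAM resolves group membership itself), and it models denial_condition as a Python predicate over the resource's tags as a stand-in for the CEL Expr, since the real condition may only call resource-tag functions and no CEL engine is involved here. The group, user and permission strings in the sample data are constructed for the example; `iam.googleapis.com/roles.list` is the format example from the field description.

```python
import re
from dataclasses import dataclass
from typing import Callable, Mapping, Optional, Sequence, Set

PUBLIC_ALL = "principalSet://goog/public:all"

# Permission format {service_fqdn}/{resource}.{verb}, e.g. iam.googleapis.com/roles.list
_PERMISSION = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+/[A-Za-z0-9]+(\.[A-Za-z0-9]+)+")


@dataclass(frozen=True)
class DenyRule:
    denied_principals: Sequence[str]
    denied_permissions: Sequence[str]
    exception_principals: Sequence[str] = ()
    exception_permissions: Sequence[str] = ()
    # Stand-in for denial_condition (a CEL Expr restricted to resource-tag
    # functions): a predicate over the resource's tags. None means "always applies".
    denial_condition: Optional[Callable[[Mapping[str, str]], bool]] = None


def validate_rule(rule: DenyRule) -> None:
    """Client-side checks for the two constraints stated in the field descriptions."""
    if PUBLIC_ALL in rule.exception_principals:
        raise ValueError(f"{PUBLIC_ALL} is not allowed in exception_principals")
    for perm in (*rule.denied_permissions, *rule.exception_permissions):
        if _PERMISSION.fullmatch(perm) is None:
            raise ValueError(f"malformed permission {perm!r}")


def rule_is_valid(rule: DenyRule) -> bool:
    try:
        validate_rule(rule)
        return True
    except ValueError:
        return False


def principal_identifiers(principal: str, groups: Mapping[str, Set[str]]) -> Set[str]:
    """Identifiers a request from `principal` can match: itself, its groups, public:all."""
    ids = {principal, PUBLIC_ALL}
    ids.update(group for group, members in groups.items() if principal in members)
    return ids


def rule_denies(rule: DenyRule, principal: str, permission: str,
                resource_tags: Mapping[str, str], groups: Mapping[str, Set[str]]) -> bool:
    ids = principal_identifiers(principal, groups)
    if not ids & set(rule.denied_principals):
        return False
    # An exception may name the principal or one of its groups, never public:all.
    if (ids - {PUBLIC_ALL}) & set(rule.exception_principals):
        return False
    if permission not in rule.denied_permissions or permission in rule.exception_permissions:
        return False
    if rule.denial_condition is not None and not rule.denial_condition(resource_tags):
        return False
    return True


def policy_denies(rules: Sequence[DenyRule], principal: str, permission: str,
                  resource_tags: Mapping[str, str], groups: Mapping[str, Set[str]]) -> bool:
    # Rules are evaluated independently; any one that applies denies the request.
    return any(rule_denies(r, principal, permission, resource_tags, groups) for r in rules)


# Constructed sample data: one group with two members, and two rules.
GROUPS = {
    "principalSet://goog/group/devs@example.com": {
        "principal://goog/subject/alice@example.com",
        "principal://goog/subject/bob@example.com",
    }
}
RULES = [
    # Deny the whole group on tagged (env=prod) resources, but let alice through
    # and carve roles.list back out of the denied set.
    DenyRule(
        denied_principals=["principalSet://goog/group/devs@example.com"],
        exception_principals=["principal://goog/subject/alice@example.com"],
        denied_permissions=["iam.googleapis.com/roles.list",
                            "iam.googleapis.com/serviceAccountKeys.create"],
        exception_permissions=["iam.googleapis.com/roles.list"],
        denial_condition=lambda tags: tags.get("env") == "prod",
    ),
    # Deny everyone, logged in or not, one permission unconditionally.
    DenyRule(denied_principals=[PUBLIC_ALL],
             denied_permissions=["iam.googleapis.com/serviceAccountKeys.delete"]),
]
for _rule in RULES:
    validate_rule(_rule)


def is_denied(principal: str, permission: str, resource_tags: Mapping[str, str]) -> bool:
    return policy_denies(RULES, principal, permission, resource_tags, GROUPS)
```

Note what the evaluator does not do: it does not resolve the `deleted:` identifiers or the cloudIdentityCustomerId principal set, and the tag predicate is not CEL, so use it to reason about rule composition rather than as a replacement for testing against IAM itself.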

class google.cloud.iam_v2.types.GetPolicyRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)

Bases: proto.message.Message

Request message for GetPolicy.

name

Required. The resource name of the policy to retrieve. Format: policies/{attachment_point}/denypolicies/{policy_id}

Use the URL-encoded full resource name, which means that the forward-slash character, /, must be written as %2F. For example, policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies/my-policy.

For organizations and folders, use the numeric ID in the full resource name. For projects, you can use the alphanumeric or the numeric ID.

Type

str

class google.cloud.iam_v2.types.ListPoliciesRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)

Bases: proto.message.Message

Request message for ListPolicies.

parent

Required. The resource that the policy is attached to, along with the kind of policy to list. Format: policies/{attachment_point}/denypolicies

The attachment point is identified by its URL-encoded full resource name, which means that the forward-slash character, /, must be written as %2F. For example, policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies.

For organizations and folders, use the numeric ID in the full resource name. For projects, you can use the alphanumeric or the numeric ID.

Type

str

page_size

The maximum number of policies to return. IAM ignores this value and uses the value 1000.

Type

int

page_token

A page token received in a [ListPoliciesResponse][google.iam.v2.ListPoliciesResponse]. Provide this token to retrieve the next page.

Type

str

class google.cloud.iam_v2.types.ListPoliciesResponse(mapping=None, *, ignore_unknown_fields=False, **kwargs)

Bases: proto.message.Message

Response message for ListPolicies.

policies

Metadata for the policies that are attached to the resource.

Type

Sequence[google.cloud.iam_v2.types.Policy]

next_page_token

A page token that you can use in a [ListPoliciesRequest][google.iam.v2.ListPoliciesRequest] to retrieve the next page. If this field is omitted, there are no additional pages.

Type

str

class google.cloud.iam_v2.types.Policy(mapping=None, *, ignore_unknown_fields=False, **kwargs)

Bases: proto.message.Message

Data for an IAM policy.

name

Immutable. The resource name of the Policy, which must be unique. Format: policies/{attachment_point}/denypolicies/{policy_id}

The attachment point is identified by its URL-encoded full resource name, which means that the forward-slash character, /, must be written as %2F. For example, policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies/my-deny-policy.

For organizations and folders, use the numeric ID in the full resource name. For projects, requests can use the alphanumeric or the numeric ID. Responses always contain the numeric ID.

Type

str

uid

Immutable. The globally unique ID of the Policy. Assigned automatically when the Policy is created.

Type

str

kind

Output only. The kind of the Policy. Always contains the value DenyPolicy.

Type

str

display_name

A user-specified description of the Policy. This value can be up to 63 characters.

Type

str

annotations

A key-value map to store arbitrary metadata for the Policy. Keys can be up to 63 characters. Values can be up to 255 characters.

Type

Mapping[str, str]

etag

An opaque tag that identifies the current version of the Policy. IAM uses this value to help manage concurrent updates, so they do not cause one update to be overwritten by another.

If this field is present in a [CreatePolicy][] request, the value is ignored.

Type

str

create_time

Output only. The time when the Policy was created.

Type

google.protobuf.timestamp_pb2.Timestamp

update_time

Output only. The time when the Policy was last updated.

Type

google.protobuf.timestamp_pb2.Timestamp

delete_time

Output only. The time when the Policy was deleted. Empty if the policy is not deleted.

Type

google.protobuf.timestamp_pb2.Timestamp

rules

A list of rules that specify the behavior of the Policy. All of the rules should be of the kind specified in the Policy.

Type

Sequence[google.cloud.iam_v2.types.PolicyRule]

managing_authority

Immutable. Specifies that this policy is managed by an authority and can only be modified by that authority. Usage is restricted.

Type

str

class AnnotationsEntry(mapping=None, *, ignore_unknown_fields=False, **kwargs)

Bases: proto.message.Message

class google.cloud.iam_v2.types.PolicyOperationMetadata(mapping=None, *, ignore_unknown_fields=False, **kwargs)

Bases: proto.message.Message

Metadata for long-running Policy operations.

create_time

Timestamp when the google.longrunning.Operation was created.

Type

google.protobuf.timestamp_pb2.Timestamp

class google.cloud.iam_v2.types.PolicyRule(mapping=None, *, ignore_unknown_fields=False, **kwargs)

Bases: proto.message.Message

A single rule in a Policy.

deny_rule

A rule for a deny policy.

This field is a member of oneof kind.

Type

google.cloud.iam_v2.types.DenyRule

description

A user-specified description of the rule. This value can be up to 256 characters.

Type

str

class google.cloud.iam_v2.types.UpdatePolicyRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)

Bases: proto.message.Message

Request message for UpdatePolicy.

policy

Required. The policy to update.

To prevent conflicting updates, the etag value must match the value that is stored in IAM. If the etag values do not match, the request fails with a 409 error code and ABORTED status.

Type

google.cloud.iam_v2.types.Policy
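The etag behaviour described for UpdatePolicyRequest, DeletePolicyRequest.etag and Policy.etag is what stops two administrators from silently overwriting each other's changes to a deny policy: a write that carries a stale etag fails with 409 ABORTED, the etag in a create request is ignored, and a delete without an etag is unconditional. The in-memory store below is an added example, not the library's client and not the real service; it models only the etag, uid/kind and paging behaviour stated in this page so that the read-modify-write pattern and the ListPolicies page_token loop can be run offline. The `page_size` constructor argument is this example's own knob (the real service ignores page_size and always uses 1000), the `etag-N` values stand in for IAM's opaque etags, and the parent string and rule dicts in `simulate_concurrent_writers` are constructed sample data.

```python
from typing import Any, Dict, List, Optional

Policy = Dict[str, Any]  # dict carrying the Policy fields used here


class Aborted(Exception):
    """Stand-in for the 409 / ABORTED error returned on an etag mismatch."""
    code = 409


class FakeDenyPolicyStore:
    """In-memory stand-in for the Create/Get/Update/Delete/ListPolicies RPCs."""

    def __init__(self, page_size: int = 1000) -> None:
        # The real service fixes the page size at 1000; configurable here
        # only so that the paging loop can be exercised with little data.
        self.page_size = page_size
        self._policies: Dict[str, Policy] = {}
        self._revision = 0

    def _next_etag(self) -> str:
        self._revision += 1
        return f"etag-{self._revision}"  # IAM's etags are opaque strings

    def create_policy(self, parent: str, policy_id: str, policy: Policy) -> Policy:
        name = f"{parent}/{policy_id}"
        if name in self._policies:
            raise ValueError(f"{name} already exists")
        stored = dict(policy, name=name, uid=f"uid-{len(self._policies) + 1}", kind="DenyPolicy")
        stored["etag"] = self._next_etag()  # an etag in a create request is ignored
        self._policies[name] = stored
        return dict(stored)

    def get_policy(self, name: str) -> Policy:
        return dict(self._policies[name])

    def update_policy(self, policy: Policy) -> Policy:
        current = self._policies[policy["name"]]
        if policy.get("etag") != current["etag"]:
            raise Aborted("409 ABORTED: etag does not match the stored policy")
        stored = dict(current)
        stored.update({k: v for k, v in policy.items() if k not in ("name", "uid", "kind", "etag")})
        stored["etag"] = self._next_etag()
        self._policies[policy["name"]] = stored
        return dict(stored)

    def delete_policy(self, name: str, etag: Optional[str] = None) -> None:
        current = self._policies[name]
        # No etag: unconditional delete. With an etag: refuse if the policy changed since it was read.
        if etag is not None and etag != current["etag"]:
            raise Aborted("409 ABORTED: etag does not match the stored policy")
        del self._policies[name]

    def list_policies(self, parent: str, page_token: str = "") -> Dict[str, Any]:
        names = sorted(n for n in self._policies if n.startswith(parent + "/"))
        start = int(page_token) if page_token else 0
        end = start + self.page_size
        return {"policies": [dict(self._policies[n]) for n in names[start:end]],
                "next_page_token": str(end) if end < len(names) else ""}


def list_all_policies(store: FakeDenyPolicyStore, parent: str) -> List[Policy]:
    """Follow next_page_token until the response omits it (empty string here)."""
    out: List[Policy] = []
    token = ""
    while True:
        page = store.list_policies(parent, page_token=token)
        out.extend(page["policies"])
        token = page["next_page_token"]
        if not token:
            return out


def append_rule(store: FakeDenyPolicyStore, name: str, rule: Dict[str, Any], attempts: int = 3) -> Policy:
    """Read-modify-write that re-reads after ABORTED instead of forcing the write,
    so a rule another writer just added is kept rather than overwritten."""
    for _ in range(attempts):
        policy = store.get_policy(name)
        policy["rules"] = list(policy.get("rules", [])) + [rule]
        try:
            return store.update_policy(policy)
        except Aborted:
            continue
    raise Aborted(f"could not update {name} after {attempts} attempts")


def simulate_concurrent_writers(store: FakeDenyPolicyStore, parent: str) -> Dict[str, Any]:
    """Two writers read the same policy; the second write and a later delete carry a stale etag."""
    rule_a = {"deny_rule": {"denied_principals": ["principalSet://goog/public:all"],
                            "denied_permissions": ["iam.googleapis.com/roles.list"]},
              "description": "rule A"}
    rule_b = {"deny_rule": {"denied_principals": ["principalSet://goog/public:all"],
                            "denied_permissions": ["iam.googleapis.com/roles.delete"]},
              "description": "rule B"}
    created = store.create_policy(parent, "my-policy",
                                  {"display_name": "demo", "rules": [], "etag": "client-supplied"})
    writer_a = store.get_policy(created["name"])
    writer_b = store.get_policy(created["name"])  # same etag as writer_a
    store.update_policy(dict(writer_a, rules=[rule_a]))  # succeeds, etag rotates
    try:
        store.update_policy(dict(writer_b, rules=[rule_b]))  # stale etag
        stale_write_rejected = False
    except Aborted:
        stale_write_rejected = True
    merged = append_rule(store, created["name"], rule_b)  # re-reads, keeps rule A
    try:
        store.delete_policy(created["name"], etag=writer_b["etag"])  # stale etag
        stale_delete_rejected = False
    except Aborted:
        stale_delete_rejected = True
    return {"create_ignored_etag": created["etag"] != "client-supplied",
            "stale_write_rejected": stale_write_rejected,
            "stale_delete_rejected": stale_delete_rejected,
            "rules": [r["description"] for r in merged["rules"]],
            "kind": created["kind"]}
```

The retry in `append_rule` is the part to carry over to real code: on ABORTED, fetch the policy again and reapply the change to the fresh copy, never resubmit the old copy with the new etag pasted in, since that is exactly the overwrite the etag exists to prevent. The same applies to deletes: pass the etag you read so that a policy someone tightened in the meantime is not removed by mistake.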