analyzeIamPolicy(scope, analysisQuery_accessSelector_permissions=None, analysisQuery_accessSelector_roles=None, analysisQuery_conditionContext_accessTime=None, analysisQuery_identitySelector_identity=None, analysisQuery_options_analyzeServiceAccountImpersonation=None, analysisQuery_options_expandGroups=None, analysisQuery_options_expandResources=None, analysisQuery_options_expandRoles=None, analysisQuery_options_includeDenyPolicyAnalysis=None, analysisQuery_options_outputGroupEdges=None, analysisQuery_options_outputResourceEdges=None, analysisQuery_resourceSelector_fullResourceName=None, executionTimeout=None, savedAnalysisQuery=None, x__xgafv=None)
Analyzes IAM policies to answer which identities have what accesses on which resources.
analyzeIamPolicyLongrunning(scope, body=None, x__xgafv=None)
Retrieves the next page of results.
analyzeIamPolicy(scope, analysisQuery_accessSelector_permissions=None, analysisQuery_accessSelector_roles=None, analysisQuery_conditionContext_accessTime=None, analysisQuery_identitySelector_identity=None, analysisQuery_options_analyzeServiceAccountImpersonation=None, analysisQuery_options_expandGroups=None, analysisQuery_options_expandResources=None, analysisQuery_options_expandRoles=None, analysisQuery_options_outputGroupEdges=None, analysisQuery_options_outputResourceEdges=None, analysisQuery_resourceSelector_fullResourceName=None, executionTimeout=None, savedAnalysisQuery=None, x__xgafv=None)
+ analyzeIamPolicy(scope, analysisQuery_accessSelector_permissions=None, analysisQuery_accessSelector_roles=None, analysisQuery_conditionContext_accessTime=None, analysisQuery_identitySelector_identity=None, analysisQuery_options_analyzeServiceAccountImpersonation=None, analysisQuery_options_expandGroups=None, analysisQuery_options_expandResources=None, analysisQuery_options_expandRoles=None, analysisQuery_options_includeDenyPolicyAnalysis=None, analysisQuery_options_outputGroupEdges=None, analysisQuery_options_outputResourceEdges=None, analysisQuery_resourceSelector_fullResourceName=None, executionTimeout=None, savedAnalysisQuery=None, x__xgafv=None)
Analyzes IAM policies to answer which identities have what accesses on which resources. Args: @@ -140,6 +140,7 @@Method Details
analysisQuery_options_expandGroups: boolean, Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag is not allowed to set. If true, the default max expansion per group is 1000 for AssetService.AnalyzeIamPolicy][]. Default is false. analysisQuery_options_expandResources: boolean, Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a Google Cloud folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resources cannot be used together with this option. For example, if the request analyzes for which users have permission P on a Google Cloud project with this option enabled, the results will include all users who have permission P on that project or any lower resource. If true, the default max expansion per resource is 1000 for AssetService.AnalyzeIamPolicy][] and 100000 for AssetService.AnalyzeIamPolicyLongrunning][]. Default is false. analysisQuery_options_expandRoles: boolean, Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to set. Default is false. + analysisQuery_options_includeDenyPolicyAnalysis: boolean, Optional. If true, the response includes deny policy analysis results, and you can see which access tuples are denied. Default is false. analysisQuery_options_outputGroupEdges: boolean, Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false. analysisQuery_options_outputResourceEdges: boolean, Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false. analysisQuery_resourceSelector_fullResourceName: string, Required. The [full resource name] (https://cloud.google.com/asset-inventory/docs/resource-name-format) of a resource of [supported resource types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#analyzable_asset_types). @@ -176,6 +177,7 @@Method Details
"expandGroups": True or False, # Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag is not allowed to set. If true, the default max expansion per group is 1000 for AssetService.AnalyzeIamPolicy][]. Default is false. "expandResources": True or False, # Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a Google Cloud folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resources cannot be used together with this option. For example, if the request analyzes for which users have permission P on a Google Cloud project with this option enabled, the results will include all users who have permission P on that project or any lower resource. If true, the default max expansion per resource is 1000 for AssetService.AnalyzeIamPolicy][] and 100000 for AssetService.AnalyzeIamPolicyLongrunning][]. Default is false. "expandRoles": True or False, # Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to set. Default is false. + "includeDenyPolicyAnalysis": True or False, # Optional. If true, the response includes deny policy analysis results, and you can see which access tuples are denied. Default is false. "outputGroupEdges": True or False, # Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false. "outputResourceEdges": True or False, # Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false. }, @@ -245,12 +247,69 @@Method Details
"cause": "A String", # The human-readable description of the cause of failure. "code": "A String", # The Google standard error code that best describes the state. For example: - OK means the analysis on this entity has been successfully finished; - PERMISSION_DENIED means an access denied error is encountered; - DEADLINE_EXCEEDED means the analysis on this entity hasn't been started in time; }, - "name": "A String", # The identity name in any form of members appear in [IAM policy binding](https://cloud.google.com/iam/reference/rest/v1/Binding), such as: - user:foo@google.com - group:group1@google.com - serviceAccount:s1@prj1.iam.gserviceaccount.com - projectOwner:some_project_id - domain:google.com - allUsers - etc. + "name": "A String", # The identity of members, formatted as appear in an [IAM policy binding](https://cloud.google.com/iam/reference/rest/v1/Binding). For example, they might be formatted like the following: - user:foo@google.com - group:group1@google.com - serviceAccount:s1@prj1.iam.gserviceaccount.com - projectOwner:some_project_id - domain:google.com - allUsers }, ], }, }, ], + "deniedAccesses": [ # A list of DeniedAccess, which contains all access tuples in the analysis_results that are denied by IAM deny policies. If no access tuples are denied, the list is empty. This is only populated when IamPolicyAnalysisQuery.Options.include_deny_policy_analysis is true. + { # A denied access contains details about an access tuple that is blocked by IAM deny policies. + "deniedAccessTuple": { # An access tuple contains a tuple of a resource, an identity and an access. # A denied access tuple that is either fully or partially denied by IAM deny rules. This access tuple should match at least one access tuple derived from IamPolicyAnalysisResult. + "access": { # An IAM role or permission under analysis. # One access from IamPolicyAnalysisResult.AccessControlList.accesses. + "permission": "A String", # The IAM permission in [v1 format](https://cloud.google.com/iam/docs/permissions-reference) + "role": "A String", # The IAM role. + }, + "identity": { # An identity under analysis. # One identity from IamPolicyAnalysisResult.IdentityList.identities. + "name": "A String", # The identity of members, formatted as appear in an [IAM policy binding](https://cloud.google.com/iam/reference/rest/v1/Binding). For example, they might be formatted like the following: - user:foo@google.com - group:group1@google.com - serviceAccount:s1@prj1.iam.gserviceaccount.com - projectOwner:some_project_id - domain:google.com - allUsers + }, + "resource": { # A Google Cloud resource under analysis. # One resource from IamPolicyAnalysisResult.AccessControlList.resources. + "fullResourceName": "A String", # The [full resource name](https://cloud.google.com/asset-inventory/docs/resource-name-format) + }, + }, + "denyDetails": [ # The details about how denied_access_tuple is denied. + { # A deny detail that explains which IAM deny rule denies the denied_access_tuple. + "accesses": [ # The denied accesses. If this deny_rule fully denies the denied_access_tuple, this field will be same as AccessTuple.access. Otherwise, this field can contain AccessTuple.access and its descendant accesses, such as a subset of IAM permissions contained in an IAM role. + { # An IAM role or permission under analysis. + "permission": "A String", # The IAM permission in [v1 format](https://cloud.google.com/iam/docs/permissions-reference) + "role": "A String", # The IAM role. + }, + ], + "denyRule": { # A deny rule in an IAM deny policy. # A deny rule in an IAM deny policy. + "denialCondition": { # Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. # The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to `true`, then the deny rule is applied; otherwise, the deny rule is not applied. Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply. The condition can use CEL functions that evaluate [resource tags](https://cloud.google.com/iam/help/conditions/resource-tags). Other functions and operators are not supported. + "description": "A String", # Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. + "expression": "A String", # Textual representation of an expression in Common Expression Language syntax. + "location": "A String", # Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. + "title": "A String", # Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. + }, + "deniedPermissions": [ # The permissions that are explicitly denied by this rule. Each permission uses the format `{service_fqdn}/{resource}.{verb}`, where `{service_fqdn}` is the fully qualified domain name for the service. For example, `iam.googleapis.com/roles.list`. + "A String", + ], + "deniedPrincipals": [ # The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values: * `principalSet://goog/public:all`: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in. * `principal://goog/subject/{email_id}`: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, `principal://goog/subject/alice@example.com`. * `deleted:principal://goog/subject/{email_id}?uid={uid}`: A specific Google Account that was deleted recently. For example, `deleted:principal://goog/subject/alice@example.com?uid=1234567890`. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account. * `principalSet://goog/group/{group_id}`: A Google group. For example, `principalSet://goog/group/admins@example.com`. * `deleted:principalSet://goog/group/{group_id}?uid={uid}`: A Google group that was deleted recently. For example, `deleted:principalSet://goog/group/admins@example.com?uid=1234567890`. If the Google group is restored, this identifier reverts to the standard identifier for a Google group. * `principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}`: A Google Cloud service account. For example, `principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com`. * `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}`: A Google Cloud service account that was deleted recently. For example, `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890`. If the service account is undeleted, this identifier reverts to the standard identifier for a service account. * `principalSet://goog/cloudIdentityCustomerId/{customer_id}`: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, `principalSet://goog/cloudIdentityCustomerId/C01Abc35`. + "A String", + ], + "exceptionPermissions": [ # Specifies the permissions that this rule excludes from the set of denied permissions given by `denied_permissions`. If a permission appears in `denied_permissions` _and_ in `exception_permissions` then it will _not_ be denied. The excluded permissions can be specified using the same syntax as `denied_permissions`. + "A String", + ], + "exceptionPrincipals": [ # The identities that are excluded from the deny rule, even if they are listed in the `denied_principals`. For example, you could add a Google group to the `denied_principals`, then exclude specific users who belong to that group. This field can contain the same values as the `denied_principals` field, excluding `principalSet://goog/public:all`, which represents all users on the internet. + "A String", + ], + }, + "fullyDenied": True or False, # Whether the deny_rule fully denies all access granted by the denied_access_tuple. `True` means the deny rule fully blocks the access tuple. `False` means the deny rule partially blocks the access tuple." + "identities": [ # If this deny_rule fully denies the denied_access_tuple, this field will be same as AccessTuple.identity. Otherwise, this field can contain AccessTuple.identity and its descendant identities, such as a subset of users in a group. + { # An identity under analysis. + "name": "A String", # The identity of members, formatted as appear in an [IAM policy binding](https://cloud.google.com/iam/reference/rest/v1/Binding). For example, they might be formatted like the following: - user:foo@google.com - group:group1@google.com - serviceAccount:s1@prj1.iam.gserviceaccount.com - projectOwner:some_project_id - domain:google.com - allUsers + }, + ], + "resources": [ # The resources that the identities are denied access to. If this deny_rule fully denies the denied_access_tuple, this field will be same as AccessTuple.resource. Otherwise, this field can contain AccessTuple.resource and its descendant resources. + { # A Google Cloud resource under analysis. + "fullResourceName": "A String", # The [full resource name](https://cloud.google.com/asset-inventory/docs/resource-name-format) + }, + ], + }, + ], + }, + ], "fullyExplored": True or False, # Represents whether all entries in the analysis_results have been fully explored to answer the query. "nonCriticalErrors": [ # A list of non-critical errors happened during the query handling. { # Represents the detailed state of an entity under analysis, such as a resource, an identity or an access. @@ -281,6 +340,7 @@Method Details
"expandGroups": True or False, # Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag is not allowed to set. If true, the default max expansion per group is 1000 for AssetService.AnalyzeIamPolicy][]. Default is false. "expandResources": True or False, # Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a Google Cloud folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resources cannot be used together with this option. For example, if the request analyzes for which users have permission P on a Google Cloud project with this option enabled, the results will include all users who have permission P on that project or any lower resource. If true, the default max expansion per resource is 1000 for AssetService.AnalyzeIamPolicy][] and 100000 for AssetService.AnalyzeIamPolicyLongrunning][]. Default is false. "expandRoles": True or False, # Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to set. Default is false. + "includeDenyPolicyAnalysis": True or False, # Optional. If true, the response includes deny policy analysis results, and you can see which access tuples are denied. Default is false. "outputGroupEdges": True or False, # Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false. "outputResourceEdges": True or False, # Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false. }, @@ -350,12 +410,69 @@Method Details
"cause": "A String", # The human-readable description of the cause of failure. "code": "A String", # The Google standard error code that best describes the state. For example: - OK means the analysis on this entity has been successfully finished; - PERMISSION_DENIED means an access denied error is encountered; - DEADLINE_EXCEEDED means the analysis on this entity hasn't been started in time; }, - "name": "A String", # The identity name in any form of members appear in [IAM policy binding](https://cloud.google.com/iam/reference/rest/v1/Binding), such as: - user:foo@google.com - group:group1@google.com - serviceAccount:s1@prj1.iam.gserviceaccount.com - projectOwner:some_project_id - domain:google.com - allUsers - etc. + "name": "A String", # The identity of members, formatted as appear in an [IAM policy binding](https://cloud.google.com/iam/reference/rest/v1/Binding). For example, they might be formatted like the following: - user:foo@google.com - group:group1@google.com - serviceAccount:s1@prj1.iam.gserviceaccount.com - projectOwner:some_project_id - domain:google.com - allUsers }, ], }, }, ], + "deniedAccesses": [ # A list of DeniedAccess, which contains all access tuples in the analysis_results that are denied by IAM deny policies. If no access tuples are denied, the list is empty. This is only populated when IamPolicyAnalysisQuery.Options.include_deny_policy_analysis is true. + { # A denied access contains details about an access tuple that is blocked by IAM deny policies. + "deniedAccessTuple": { # An access tuple contains a tuple of a resource, an identity and an access. # A denied access tuple that is either fully or partially denied by IAM deny rules. This access tuple should match at least one access tuple derived from IamPolicyAnalysisResult. + "access": { # An IAM role or permission under analysis. # One access from IamPolicyAnalysisResult.AccessControlList.accesses. + "permission": "A String", # The IAM permission in [v1 format](https://cloud.google.com/iam/docs/permissions-reference) + "role": "A String", # The IAM role. + }, + "identity": { # An identity under analysis. # One identity from IamPolicyAnalysisResult.IdentityList.identities. + "name": "A String", # The identity of members, formatted as appear in an [IAM policy binding](https://cloud.google.com/iam/reference/rest/v1/Binding). For example, they might be formatted like the following: - user:foo@google.com - group:group1@google.com - serviceAccount:s1@prj1.iam.gserviceaccount.com - projectOwner:some_project_id - domain:google.com - allUsers + }, + "resource": { # A Google Cloud resource under analysis. # One resource from IamPolicyAnalysisResult.AccessControlList.resources. + "fullResourceName": "A String", # The [full resource name](https://cloud.google.com/asset-inventory/docs/resource-name-format) + }, + }, + "denyDetails": [ # The details about how denied_access_tuple is denied. + { # A deny detail that explains which IAM deny rule denies the denied_access_tuple. + "accesses": [ # The denied accesses. If this deny_rule fully denies the denied_access_tuple, this field will be same as AccessTuple.access. Otherwise, this field can contain AccessTuple.access and its descendant accesses, such as a subset of IAM permissions contained in an IAM role. + { # An IAM role or permission under analysis. + "permission": "A String", # The IAM permission in [v1 format](https://cloud.google.com/iam/docs/permissions-reference) + "role": "A String", # The IAM role. + }, + ], + "denyRule": { # A deny rule in an IAM deny policy. # A deny rule in an IAM deny policy. + "denialCondition": { # Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. # The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to `true`, then the deny rule is applied; otherwise, the deny rule is not applied. Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply. The condition can use CEL functions that evaluate [resource tags](https://cloud.google.com/iam/help/conditions/resource-tags). Other functions and operators are not supported. + "description": "A String", # Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. + "expression": "A String", # Textual representation of an expression in Common Expression Language syntax. + "location": "A String", # Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. + "title": "A String", # Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. + }, + "deniedPermissions": [ # The permissions that are explicitly denied by this rule. Each permission uses the format `{service_fqdn}/{resource}.{verb}`, where `{service_fqdn}` is the fully qualified domain name for the service. For example, `iam.googleapis.com/roles.list`. + "A String", + ], + "deniedPrincipals": [ # The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values: * `principalSet://goog/public:all`: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in. * `principal://goog/subject/{email_id}`: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, `principal://goog/subject/alice@example.com`. * `deleted:principal://goog/subject/{email_id}?uid={uid}`: A specific Google Account that was deleted recently. For example, `deleted:principal://goog/subject/alice@example.com?uid=1234567890`. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account. * `principalSet://goog/group/{group_id}`: A Google group. For example, `principalSet://goog/group/admins@example.com`. * `deleted:principalSet://goog/group/{group_id}?uid={uid}`: A Google group that was deleted recently. For example, `deleted:principalSet://goog/group/admins@example.com?uid=1234567890`. If the Google group is restored, this identifier reverts to the standard identifier for a Google group. * `principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}`: A Google Cloud service account. For example, `principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com`. * `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}`: A Google Cloud service account that was deleted recently. For example, `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890`. If the service account is undeleted, this identifier reverts to the standard identifier for a service account. * `principalSet://goog/cloudIdentityCustomerId/{customer_id}`: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, `principalSet://goog/cloudIdentityCustomerId/C01Abc35`. + "A String", + ], + "exceptionPermissions": [ # Specifies the permissions that this rule excludes from the set of denied permissions given by `denied_permissions`. If a permission appears in `denied_permissions` _and_ in `exception_permissions` then it will _not_ be denied. The excluded permissions can be specified using the same syntax as `denied_permissions`. + "A String", + ], + "exceptionPrincipals": [ # The identities that are excluded from the deny rule, even if they are listed in the `denied_principals`. For example, you could add a Google group to the `denied_principals`, then exclude specific users who belong to that group. This field can contain the same values as the `denied_principals` field, excluding `principalSet://goog/public:all`, which represents all users on the internet. + "A String", + ], + }, + "fullyDenied": True or False, # Whether the deny_rule fully denies all access granted by the denied_access_tuple. `True` means the deny rule fully blocks the access tuple. `False` means the deny rule partially blocks the access tuple." + "identities": [ # If this deny_rule fully denies the denied_access_tuple, this field will be same as AccessTuple.identity. Otherwise, this field can contain AccessTuple.identity and its descendant identities, such as a subset of users in a group. + { # An identity under analysis. + "name": "A String", # The identity of members, formatted as appear in an [IAM policy binding](https://cloud.google.com/iam/reference/rest/v1/Binding). For example, they might be formatted like the following: - user:foo@google.com - group:group1@google.com - serviceAccount:s1@prj1.iam.gserviceaccount.com - projectOwner:some_project_id - domain:google.com - allUsers + }, + ], + "resources": [ # The resources that the identities are denied access to. If this deny_rule fully denies the denied_access_tuple, this field will be same as AccessTuple.resource. Otherwise, this field can contain AccessTuple.resource and its descendant resources. + { # A Google Cloud resource under analysis. + "fullResourceName": "A String", # The [full resource name](https://cloud.google.com/asset-inventory/docs/resource-name-format) + }, + ], + }, + ], + }, + ], "fullyExplored": True or False, # Represents whether all entries in the analysis_results have been fully explored to answer the query. "nonCriticalErrors": [ # A list of non-critical errors happened during the query handling. { # Represents the detailed state of an entity under analysis, such as a resource, an identity or an access. @@ -398,6 +515,7 @@Method Details
"expandGroups": True or False, # Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag is not allowed to set. If true, the default max expansion per group is 1000 for AssetService.AnalyzeIamPolicy][]. Default is false. "expandResources": True or False, # Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a Google Cloud folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resources cannot be used together with this option. For example, if the request analyzes for which users have permission P on a Google Cloud project with this option enabled, the results will include all users who have permission P on that project or any lower resource. If true, the default max expansion per resource is 1000 for AssetService.AnalyzeIamPolicy][] and 100000 for AssetService.AnalyzeIamPolicyLongrunning][]. Default is false. "expandRoles": True or False, # Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to set. Default is false. + "includeDenyPolicyAnalysis": True or False, # Optional. If true, the response includes deny policy analysis results, and you can see which access tuples are denied. Default is false. "outputGroupEdges": True or False, # Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false. "outputResourceEdges": True or False, # Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false. }, @@ -699,7 +817,7 @@Method Details
], }, "governedIamPolicy": { # The IAM policies governed by the organization policies of the AnalyzeOrgPolicyGovernedAssetsRequest.constraint. # An IAM policy governed by the organization policies of the AnalyzeOrgPolicyGovernedAssetsRequest.constraint. - "attachedResource": "A String", # The full resource name of the resource associated with this IAM policy. Example: `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`. See [Cloud Asset Inventory Resource Name Format](https://cloud.google.com/asset-inventory/docs/resource-name-format) for more information. + "attachedResource": "A String", # The full resource name of the resource on which this IAM policy is set. Example: `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`. See [Cloud Asset Inventory Resource Name Format](https://cloud.google.com/asset-inventory/docs/resource-name-format) for more information. "folders": [ # The folder(s) that this IAM policy belongs to, in the format of folders/{FOLDER_NUMBER}. This field is available when the IAM policy belongs (directly or cascadingly) to one or more folders. "A String", ], @@ -2091,7 +2209,7 @@Method Details
scope: string, Required. A scope can be a project, a folder, or an organization. The search is limited to the IAM policies within the `scope`. The caller must be granted the [`cloudasset.assets.searchAllIamPolicies`](https://cloud.google.com/asset-inventory/docs/access-control#required_permissions) permission on the desired scope. The allowed values are: * projects/{PROJECT_ID} (e.g., "projects/foo-bar") * projects/{PROJECT_NUMBER} (e.g., "projects/12345678") * folders/{FOLDER_NUMBER} (e.g., "folders/1234567") * organizations/{ORGANIZATION_NUMBER} (e.g., "organizations/123456") (required) assetTypes: string, Optional. A list of asset types that the IAM policies are attached to. If empty, it will search the IAM policies that are attached to all the [searchable asset types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types). Regular expressions are also supported. For example: * "compute.googleapis.com.*" snapshots IAM policies attached to asset type starts with "compute.googleapis.com". * ".*Instance" snapshots IAM policies attached to asset type ends with "Instance". * ".*Instance.*" snapshots IAM policies attached to asset type contains "Instance". See [RE2](https://github.com/google/re2/wiki/Syntax) for all supported regular expression syntax. If the regular expression does not match any supported asset type, an INVALID_ARGUMENT error will be returned. (repeated) orderBy: string, Optional. A comma-separated list of fields specifying the sorting order of the results. The default order is ascending. Add " DESC" after the field name to indicate descending order. Redundant space characters are ignored. Example: "assetType DESC, resource". Only singular primitive fields in the response are sortable: * resource * assetType * project All the other fields such as repeated fields (e.g., `folders`) and non-primitive fields (e.g., `policy`) are not supported. - pageSize: integer, Optional. The page size for search result pagination. Page size is capped at 500 even if a larger value is given. If set to zero, server will pick an appropriate default. Returned results may be fewer than requested. When this happens, there could be more results as long as `next_page_token` is returned. + pageSize: integer, Optional. The page size for search result pagination. Page size is capped at 500 even if a larger value is given. If set to zero or a negative value, server will pick an appropriate default. Returned results may be fewer than requested. When this happens, there could be more results as long as `next_page_token` is returned. pageToken: string, Optional. If present, retrieve the next batch of results from the preceding call to this method. `page_token` must be the value of `next_page_token` from the previous response. The values of all other method parameters must be identical to those in the previous call. query: string, Optional. The query statement. See [how to construct a query](https://cloud.google.com/asset-inventory/docs/searching-iam-policies#how_to_construct_a_query) for more information. If not specified or empty, it will search all the IAM policies within the specified `scope`. Note that the query string is compared against each IAM policy binding, including its principals, roles, and IAM conditions. The returned IAM policies will only contain the bindings that match your query. To learn more about the IAM policy structure, see the [IAM policy documentation](https://cloud.google.com/iam/help/allow-policies/structure). Examples: * `policy:amy@gmail.com` to find IAM policy bindings that specify user "amy@gmail.com". * `policy:roles/compute.admin` to find IAM policy bindings that specify the Compute Admin role. * `policy:comp*` to find IAM policy bindings that contain "comp" as a prefix of any word in the binding. * `policy.role.permissions:storage.buckets.update` to find IAM policy bindings that specify a role containing "storage.buckets.update" permission. Note that if callers don't have `iam.roles.get` access to a role's included permissions, policy bindings that specify this role will be dropped from the search results. * `policy.role.permissions:upd*` to find IAM policy bindings that specify a role containing "upd" as a prefix of any word in the role permission. Note that if callers don't have `iam.roles.get` access to a role's included permissions, policy bindings that specify this role will be dropped from the search results. * `resource:organizations/123456` to find IAM policy bindings that are set on "organizations/123456". * `resource=//cloudresourcemanager.googleapis.com/projects/myproject` to find IAM policy bindings that are set on the project named "myproject". * `Important` to find IAM policy bindings that contain "Important" as a word in any of the searchable fields (except for the included permissions). * `resource:(instance1 OR instance2) policy:amy` to find IAM policy bindings that are set on resources "instance1" or "instance2" and also specify user "amy". * `roles:roles/compute.admin` to find IAM policy bindings that specify the Compute Admin role. * `memberTypes:user` to find IAM policy bindings that contain the principal type "user". x__xgafv: string, V1 error format. @@ -2180,7 +2298,7 @@Method Details
scope: string, Required. A scope can be a project, a folder, or an organization. The search is limited to the resources within the `scope`. The caller must be granted the [`cloudasset.assets.searchAllResources`](https://cloud.google.com/asset-inventory/docs/access-control#required_permissions) permission on the desired scope. The allowed values are: * projects/{PROJECT_ID} (e.g., "projects/foo-bar") * projects/{PROJECT_NUMBER} (e.g., "projects/12345678") * folders/{FOLDER_NUMBER} (e.g., "folders/1234567") * organizations/{ORGANIZATION_NUMBER} (e.g., "organizations/123456") (required) assetTypes: string, Optional. A list of asset types that this request searches for. If empty, it will search all the [searchable asset types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types). Regular expressions are also supported. For example: * "compute.googleapis.com.*" snapshots resources whose asset type starts with "compute.googleapis.com". * ".*Instance" snapshots resources whose asset type ends with "Instance". * ".*Instance.*" snapshots resources whose asset type contains "Instance". See [RE2](https://github.com/google/re2/wiki/Syntax) for all supported regular expression syntax. If the regular expression does not match any supported asset type, an INVALID_ARGUMENT error will be returned. (repeated) orderBy: string, Optional. A comma-separated list of fields specifying the sorting order of the results. The default order is ascending. Add " DESC" after the field name to indicate descending order. Redundant space characters are ignored. Example: "location DESC, name". Only singular primitive fields in the response are sortable: * name * assetType * project * displayName * description * location * createTime * updateTime * state * parentFullResourceName * parentAssetType All the other fields such as repeated fields (e.g., `networkTags`, `kmsKeys`), map fields (e.g., `labels`) and struct fields (e.g., `additionalAttributes`) are not supported. - pageSize: integer, Optional. The page size for search result pagination. Page size is capped at 500 even if a larger value is given. If set to zero, server will pick an appropriate default. Returned results may be fewer than requested. When this happens, there could be more results as long as `next_page_token` is returned. + pageSize: integer, Optional. The page size for search result pagination. Page size is capped at 500 even if a larger value is given. If set to zero or a negative value, server will pick an appropriate default. Returned results may be fewer than requested. When this happens, there could be more results as long as `next_page_token` is returned. pageToken: string, Optional. If present, then retrieve the next batch of results from the preceding call to this method. `page_token` must be the value of `next_page_token` from the previous response. The values of all other method parameters, must be identical to those in the previous call. query: string, Optional. The query statement. See [how to construct a query](https://cloud.google.com/asset-inventory/docs/searching-resources#how_to_construct_a_query) for more information. If not specified or empty, it will search all the resources within the specified `scope`. Examples: * `name:Important` to find Google Cloud resources whose name contains "Important" as a word. * `name=Important` to find the Google Cloud resource whose name is exactly "Important". * `displayName:Impor*` to find Google Cloud resources whose display name contains "Impor" as a prefix of any word in the field. * `location:us-west*` to find Google Cloud resources whose location contains both "us" and "west" as prefixes. * `labels:prod` to find Google Cloud resources whose labels contain "prod" as a key or value. * `labels.env:prod` to find Google Cloud resources that have a label "env" and its value is "prod". * `labels.env:*` to find Google Cloud resources that have a label "env". * `kmsKey:key` to find Google Cloud resources encrypted with a customer-managed encryption key whose name contains "key" as a word. This field is deprecated. Please use the `kmsKeys` field to retrieve Cloud KMS key information. * `kmsKeys:key` to find Google Cloud resources encrypted with customer-managed encryption keys whose name contains the word "key". * `relationships:instance-group-1` to find Google Cloud resources that have relationships with "instance-group-1" in the related resource name. * `relationships:INSTANCE_TO_INSTANCEGROUP` to find Compute Engine instances that have relationships of type "INSTANCE_TO_INSTANCEGROUP". * `relationships.INSTANCE_TO_INSTANCEGROUP:instance-group-1` to find Compute Engine instances that have relationships with "instance-group-1" in the Compute Engine instance group resource name, for relationship type "INSTANCE_TO_INSTANCEGROUP". * `state:ACTIVE` to find Google Cloud resources whose state contains "ACTIVE" as a word. * `NOT state:ACTIVE` to find Google Cloud resources whose state doesn't contain "ACTIVE" as a word. * `createTime<1609459200` to find Google Cloud resources that were created before "2021-01-01 00:00:00 UTC". 1609459200 is the epoch timestamp of "2021-01-01 00:00:00 UTC" in seconds. * `updateTime>1609459200` to find Google Cloud resources that were updated after "2021-01-01 00:00:00 UTC". 1609459200 is the epoch timestamp of "2021-01-01 00:00:00 UTC" in seconds. * `Important` to find Google Cloud resources that contain "Important" as a word in any of the searchable fields. * `Impor*` to find Google Cloud resources that contain "Impor" as a prefix of any word in any of the searchable fields. * `Important location:(us-west1 OR global)` to find Google Cloud resources that contain "Important" as a word in any of the searchable fields and are also located in the "us-west1" region or the "global" location. readMask: string, Optional. A comma-separated list of fields specifying which fields to be returned in ResourceSearchResult. Only '*' or combination of top level fields can be specified. Field names of both snake_case and camelCase are supported. Examples: `"*"`, `"name,location"`, `"name,versionedResources"`. The read_mask paths must be valid field paths listed but not limited to (both snake_case and camelCase are supported): * name * assetType * project * displayName * description * location * tagKeys * tagValues * tagValueIds * labels * networkTags * kmsKey (This field is deprecated. Please use the `kmsKeys` field to retrieve Cloud KMS key information.) * kmsKeys * createTime * updateTime * state * additionalAttributes * versionedResources If read_mask is not specified, all fields except versionedResources will be returned. If only '*' is specified, all fields including versionedResources will be returned. Any invalid field path will trigger INVALID_ARGUMENT error. @@ -2195,7 +2313,7 @@Method Details
{ # Search all resources response. "nextPageToken": "A String", # If there are more results than those appearing in this response, then `next_page_token` is included. To get the next set of results, call this method again using the value of `next_page_token` as `page_token`. "results": [ # A list of Resources that match the search query. It contains the resource standard metadata information. - { # A result of Resource Search, containing information of a cloud resource. Next ID: 32 + { # A result of Resource Search, containing information of a cloud resource. Next ID: 34 "additionalAttributes": { # The additional searchable attributes of this resource. The attributes may vary from one resource type to another. Examples: `projectId` for Project, `dnsName` for DNS ManagedZone. This field contains a subset of the resource metadata fields that are returned by the List or Get APIs provided by the corresponding Google Cloud service (e.g., Compute Engine). see [API references and supported searchable attributes](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types) to see which fields are included. You can search values of these fields through free text search. However, you should not consume the field programically as the field names and values may change as the Google Cloud service updates to a new incompatible API version. To search against the `additional_attributes`: * Use a free text query to match the attributes values. Example: to search `additional_attributes = { dnsName: "foobar" }`, you can issue a query `foobar`. "a_key": "", # Properties of the object. }, @@ -2249,7 +2367,7 @@Method Details
"tagKeys": [ # TagKey namespaced names, in the format of {ORG_ID}/{TAG_KEY_SHORT_NAME}. To search against the `tagKeys`: * Use a field query. Example: - `tagKeys:"123456789/env*"` - `tagKeys="123456789/env"` - `tagKeys:"env"` * Use a free text query. Example: - `env` "A String", ], - "tagValueIds": [ # TagValue IDs, in the format of tagValues/{TAG_VALUE_ID}. To search against the `tagValueIds`: * Use a field query. Example: - `tagValueIds:"456"` - `tagValueIds="tagValues/456"` * Use a free text query. Example: - `456` + "tagValueIds": [ # TagValue IDs, in the format of tagValues/{TAG_VALUE_ID}. To search against the `tagValueIds`: * Use a field query. Example: - `tagValueIds="tagValues/456"` "A String", ], "tagValues": [ # TagValue namespaced names, in the format of {ORG_ID}/{TAG_KEY_SHORT_NAME}/{TAG_VALUE_SHORT_NAME}. To search against the `tagValues`: * Use a field query. Example: - `tagValues:"env"` - `tagValues:"env/prod"` - `tagValues:"123456789/env/prod*"` - `tagValues="123456789/env/prod"` * Use a free text query. Example: - `prod` diff --git a/googleapiclient/discovery_cache/documents/cloudasset.v1.json b/googleapiclient/discovery_cache/documents/cloudasset.v1.json index 75c322ba41a..ddb2a8bf466 100644 --- a/googleapiclient/discovery_cache/documents/cloudasset.v1.json +++ b/googleapiclient/discovery_cache/documents/cloudasset.v1.json @@ -601,6 +601,11 @@ "location": "query", "type": "boolean" }, + "analysisQuery.options.includeDenyPolicyAnalysis": { + "description": "Optional. If true, the response includes deny policy analysis results, and you can see which access tuples are denied. Default is false.", + "location": "query", + "type": "boolean" + }, "analysisQuery.options.outputGroupEdges": { "description": "Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false.", "location": "query", @@ -1003,7 +1008,7 @@ "type": "string" }, "pageSize": { - "description": "Optional. The page size for search result pagination. Page size is capped at 500 even if a larger value is given. If set to zero, server will pick an appropriate default. Returned results may be fewer than requested. When this happens, there could be more results as long as `next_page_token` is returned.", + "description": "Optional. The page size for search result pagination. Page size is capped at 500 even if a larger value is given. If set to zero or a negative value, server will pick an appropriate default. Returned results may be fewer than requested. When this happens, there could be more results as long as `next_page_token` is returned.", "format": "int32", "location": "query", "type": "integer" @@ -1055,7 +1060,7 @@ "type": "string" }, "pageSize": { - "description": "Optional. The page size for search result pagination. Page size is capped at 500 even if a larger value is given. If set to zero, server will pick an appropriate default. Returned results may be fewer than requested. When this happens, there could be more results as long as `next_page_token` is returned.", + "description": "Optional. The page size for search result pagination. Page size is capped at 500 even if a larger value is given. If set to zero or a negative value, server will pick an appropriate default. Returned results may be fewer than requested. When this happens, there could be more results as long as `next_page_token` is returned.", "format": "int32", "location": "query", "type": "integer" @@ -1095,7 +1100,7 @@ } } }, - "revision": "20230401", + "revision": "20230520", "rootUrl": "https://cloudasset.googleapis.com/", "schemas": { "AccessSelector": { @@ -1585,6 +1590,24 @@ }, "type": "object" }, + "DeniedAccess": { + "description": "A denied access contains details about an access tuple that is blocked by IAM deny policies.", + "id": "DeniedAccess", + "properties": { + "deniedAccessTuple": { + "$ref": "GoogleCloudAssetV1DeniedAccessAccessTuple", + "description": "A denied access tuple that is either fully or partially denied by IAM deny rules. This access tuple should match at least one access tuple derived from IamPolicyAnalysisResult." + }, + "denyDetails": { + "description": "The details about how denied_access_tuple is denied.", + "items": { + "$ref": "GoogleCloudAssetV1DeniedAccessDenyDetail" + }, + "type": "array" + } + }, + "type": "object" + }, "EffectiveIamPolicy": { "description": "The effective IAM policies on one resource.", "id": "EffectiveIamPolicy", @@ -1868,7 +1891,7 @@ "id": "GoogleCloudAssetV1AnalyzeOrgPolicyGovernedAssetsResponseGovernedIamPolicy", "properties": { "attachedResource": { - "description": "The full resource name of the resource associated with this IAM policy. Example: `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`. See [Cloud Asset Inventory Resource Name Format](https://cloud.google.com/asset-inventory/docs/resource-name-format) for more information.", + "description": "The full resource name of the resource on which this IAM policy is set. Example: `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`. See [Cloud Asset Inventory Resource Name Format](https://cloud.google.com/asset-inventory/docs/resource-name-format) for more information.", "type": "string" }, "folders": { @@ -2064,6 +2087,98 @@ }, "type": "object" }, + "GoogleCloudAssetV1DeniedAccessAccess": { + "description": "An IAM role or permission under analysis.", + "id": "GoogleCloudAssetV1DeniedAccessAccess", + "properties": { + "permission": { + "description": "The IAM permission in [v1 format](https://cloud.google.com/iam/docs/permissions-reference)", + "type": "string" + }, + "role": { + "description": "The IAM role.", + "type": "string" + } + }, + "type": "object" + }, + "GoogleCloudAssetV1DeniedAccessAccessTuple": { + "description": "An access tuple contains a tuple of a resource, an identity and an access.", + "id": "GoogleCloudAssetV1DeniedAccessAccessTuple", + "properties": { + "access": { + "$ref": "GoogleCloudAssetV1DeniedAccessAccess", + "description": "One access from IamPolicyAnalysisResult.AccessControlList.accesses." + }, + "identity": { + "$ref": "GoogleCloudAssetV1DeniedAccessIdentity", + "description": "One identity from IamPolicyAnalysisResult.IdentityList.identities." + }, + "resource": { + "$ref": "GoogleCloudAssetV1DeniedAccessResource", + "description": "One resource from IamPolicyAnalysisResult.AccessControlList.resources." + } + }, + "type": "object" + }, + "GoogleCloudAssetV1DeniedAccessDenyDetail": { + "description": "A deny detail that explains which IAM deny rule denies the denied_access_tuple.", + "id": "GoogleCloudAssetV1DeniedAccessDenyDetail", + "properties": { + "accesses": { + "description": "The denied accesses. If this deny_rule fully denies the denied_access_tuple, this field will be same as AccessTuple.access. Otherwise, this field can contain AccessTuple.access and its descendant accesses, such as a subset of IAM permissions contained in an IAM role.", + "items": { + "$ref": "GoogleCloudAssetV1DeniedAccessAccess" + }, + "type": "array" + }, + "denyRule": { + "$ref": "GoogleIamV2DenyRule", + "description": "A deny rule in an IAM deny policy." + }, + "fullyDenied": { + "description": "Whether the deny_rule fully denies all access granted by the denied_access_tuple. `True` means the deny rule fully blocks the access tuple. `False` means the deny rule partially blocks the access tuple.\"", + "type": "boolean" + }, + "identities": { + "description": "If this deny_rule fully denies the denied_access_tuple, this field will be same as AccessTuple.identity. Otherwise, this field can contain AccessTuple.identity and its descendant identities, such as a subset of users in a group.", + "items": { + "$ref": "GoogleCloudAssetV1DeniedAccessIdentity" + }, + "type": "array" + }, + "resources": { + "description": "The resources that the identities are denied access to. If this deny_rule fully denies the denied_access_tuple, this field will be same as AccessTuple.resource. Otherwise, this field can contain AccessTuple.resource and its descendant resources.", + "items": { + "$ref": "GoogleCloudAssetV1DeniedAccessResource" + }, + "type": "array" + } + }, + "type": "object" + }, + "GoogleCloudAssetV1DeniedAccessIdentity": { + "description": "An identity under analysis.", + "id": "GoogleCloudAssetV1DeniedAccessIdentity", + "properties": { + "name": { + "description": "The identity of members, formatted as appear in an [IAM policy binding](https://cloud.google.com/iam/reference/rest/v1/Binding). For example, they might be formatted like the following: - user:foo@google.com - group:group1@google.com - serviceAccount:s1@prj1.iam.gserviceaccount.com - projectOwner:some_project_id - domain:google.com - allUsers", + "type": "string" + } + }, + "type": "object" + }, + "GoogleCloudAssetV1DeniedAccessResource": { + "description": "A Google Cloud resource under analysis.", + "id": "GoogleCloudAssetV1DeniedAccessResource", + "properties": { + "fullResourceName": { + "description": "The [full resource name](https://cloud.google.com/asset-inventory/docs/resource-name-format)", + "type": "string" + } + }, + "type": "object" + }, "GoogleCloudAssetV1Edge": { "description": "A directional edge.", "id": "GoogleCloudAssetV1Edge", @@ -2125,7 +2240,7 @@ "description": "The analysis state of this identity." }, "name": { - "description": "The identity name in any form of members appear in [IAM policy binding](https://cloud.google.com/iam/reference/rest/v1/Binding), such as: - user:foo@google.com - group:group1@google.com - serviceAccount:s1@prj1.iam.gserviceaccount.com - projectOwner:some_project_id - domain:google.com - allUsers - etc.", + "description": "The identity of members, formatted as appear in an [IAM policy binding](https://cloud.google.com/iam/reference/rest/v1/Binding). For example, they might be formatted like the following: - user:foo@google.com - group:group1@google.com - serviceAccount:s1@prj1.iam.gserviceaccount.com - projectOwner:some_project_id - domain:google.com - allUsers", "type": "string" } }, @@ -2507,6 +2622,45 @@ "properties": {}, "type": "object" }, + "GoogleIamV2DenyRule": { + "description": "A deny rule in an IAM deny policy.", + "id": "GoogleIamV2DenyRule", + "properties": { + "denialCondition": { + "$ref": "Expr", + "description": "The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to `true`, then the deny rule is applied; otherwise, the deny rule is not applied. Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply. The condition can use CEL functions that evaluate [resource tags](https://cloud.google.com/iam/help/conditions/resource-tags). Other functions and operators are not supported." + }, + "deniedPermissions": { + "description": "The permissions that are explicitly denied by this rule. Each permission uses the format `{service_fqdn}/{resource}.{verb}`, where `{service_fqdn}` is the fully qualified domain name for the service. For example, `iam.googleapis.com/roles.list`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "deniedPrincipals": { + "description": "The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values: * `principalSet://goog/public:all`: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in. * `principal://goog/subject/{email_id}`: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, `principal://goog/subject/alice@example.com`. * `deleted:principal://goog/subject/{email_id}?uid={uid}`: A specific Google Account that was deleted recently. For example, `deleted:principal://goog/subject/alice@example.com?uid=1234567890`. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account. * `principalSet://goog/group/{group_id}`: A Google group. For example, `principalSet://goog/group/admins@example.com`. * `deleted:principalSet://goog/group/{group_id}?uid={uid}`: A Google group that was deleted recently. For example, `deleted:principalSet://goog/group/admins@example.com?uid=1234567890`. If the Google group is restored, this identifier reverts to the standard identifier for a Google group. * `principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}`: A Google Cloud service account. For example, `principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com`. * `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}`: A Google Cloud service account that was deleted recently. For example, `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890`. If the service account is undeleted, this identifier reverts to the standard identifier for a service account. * `principalSet://goog/cloudIdentityCustomerId/{customer_id}`: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, `principalSet://goog/cloudIdentityCustomerId/C01Abc35`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "exceptionPermissions": { + "description": "Specifies the permissions that this rule excludes from the set of denied permissions given by `denied_permissions`. If a permission appears in `denied_permissions` _and_ in `exception_permissions` then it will _not_ be denied. The excluded permissions can be specified using the same syntax as `denied_permissions`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "exceptionPrincipals": { + "description": "The identities that are excluded from the deny rule, even if they are listed in the `denied_principals`. For example, you could add a Google group to the `denied_principals`, then exclude specific users who belong to that group. This field can contain the same values as the `denied_principals` field, excluding `principalSet://goog/public:all`, which represents all users on the internet.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, "GoogleIdentityAccesscontextmanagerV1AccessLevel": { "description": "An `AccessLevel` is a label that can be applied to requests to Google Cloud services, along with a list of requirements necessary for the label to be applied.", "id": "GoogleIdentityAccesscontextmanagerV1AccessLevel", @@ -3061,6 +3215,13 @@ }, "type": "array" }, + "deniedAccesses": { + "description": "A list of DeniedAccess, which contains all access tuples in the analysis_results that are denied by IAM deny policies. If no access tuples are denied, the list is empty. This is only populated when IamPolicyAnalysisQuery.Options.include_deny_policy_analysis is true.", + "items": { + "$ref": "DeniedAccess" + }, + "type": "array" + }, "fullyExplored": { "description": "Represents whether all entries in the analysis_results have been fully explored to answer the query.", "type": "boolean" @@ -3497,6 +3658,10 @@ "description": "Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to set. Default is false.", "type": "boolean" }, + "includeDenyPolicyAnalysis": { + "description": "Optional. If true, the response includes deny policy analysis results, and you can see which access tuples are denied. Default is false.", + "type": "boolean" + }, "outputGroupEdges": { "description": "Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false.", "type": "boolean" @@ -3930,7 +4095,7 @@ "type": "object" }, "ResourceSearchResult": { - "description": "A result of Resource Search, containing information of a cloud resource. Next ID: 32", + "description": "A result of Resource Search, containing information of a cloud resource. Next ID: 34", "id": "ResourceSearchResult", "properties": { "additionalAttributes": { @@ -4040,7 +4205,7 @@ "type": "array" }, "tagValueIds": { - "description": "TagValue IDs, in the format of tagValues/{TAG_VALUE_ID}. To search against the `tagValueIds`: * Use a field query. Example: - `tagValueIds:\"456\"` - `tagValueIds=\"tagValues/456\"` * Use a free text query. Example: - `456`", + "description": "TagValue IDs, in the format of tagValues/{TAG_VALUE_ID}. To search against the `tagValueIds`: * Use a field query. Example: - `tagValueIds=\"tagValues/456\"`", "items": { "type": "string" }, diff --git a/googleapiclient/discovery_cache/documents/cloudasset.v1beta1.json b/googleapiclient/discovery_cache/documents/cloudasset.v1beta1.json index 8d7945be208..2ba96deaeb5 100644 --- a/googleapiclient/discovery_cache/documents/cloudasset.v1beta1.json +++ b/googleapiclient/discovery_cache/documents/cloudasset.v1beta1.json @@ -411,7 +411,7 @@ } } }, - "revision": "20230401", + "revision": "20230520", "rootUrl": "https://cloudasset.googleapis.com/", "schemas": { "AnalyzeIamPolicyLongrunningMetadata": { diff --git a/googleapiclient/discovery_cache/documents/cloudasset.v1p1beta1.json b/googleapiclient/discovery_cache/documents/cloudasset.v1p1beta1.json index 9df91a1816c..42f9145f7b1 100644 --- a/googleapiclient/discovery_cache/documents/cloudasset.v1p1beta1.json +++ b/googleapiclient/discovery_cache/documents/cloudasset.v1p1beta1.json @@ -207,7 +207,7 @@ } } }, - "revision": "20230401", + "revision": "20230520", "rootUrl": "https://cloudasset.googleapis.com/", "schemas": { "AnalyzeIamPolicyLongrunningMetadata": { diff --git a/googleapiclient/discovery_cache/documents/cloudasset.v1p5beta1.json b/googleapiclient/discovery_cache/documents/cloudasset.v1p5beta1.json index 69bac5a47e8..59bf3e2421c 100644 --- a/googleapiclient/discovery_cache/documents/cloudasset.v1p5beta1.json +++ b/googleapiclient/discovery_cache/documents/cloudasset.v1p5beta1.json @@ -177,7 +177,7 @@ } } }, - "revision": "20230401", + "revision": "20230520", "rootUrl": "https://cloudasset.googleapis.com/", "schemas": { "AnalyzeIamPolicyLongrunningMetadata": { diff --git a/googleapiclient/discovery_cache/documents/cloudasset.v1p7beta1.json b/googleapiclient/discovery_cache/documents/cloudasset.v1p7beta1.json index 66540acd5b5..d1583559cfb 100644 --- a/googleapiclient/discovery_cache/documents/cloudasset.v1p7beta1.json +++ b/googleapiclient/discovery_cache/documents/cloudasset.v1p7beta1.json @@ -167,7 +167,7 @@ } } }, - "revision": "20230401", + "revision": "20230520", "rootUrl": "https://cloudasset.googleapis.com/", "schemas": { "AnalyzeIamPolicyLongrunningMetadata": {