|
601 | 601 | "location": "query", |
602 | 602 | "type": "boolean" |
603 | 603 | }, |
604 | | - "analysisQuery.options.includeDenyPolicyAnalysis": { |
605 | | - "description": "Optional. If true, the response includes deny policy analysis results, and you can see which access tuples are denied. Default is false.", |
606 | | - "location": "query", |
607 | | - "type": "boolean" |
608 | | - }, |
609 | 604 | "analysisQuery.options.outputGroupEdges": { |
610 | 605 | "description": "Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false.", |
611 | 606 | "location": "query", |
|
1076 | 1071 | "type": "string" |
1077 | 1072 | }, |
1078 | 1073 | "readMask": { |
1079 | | - "description": "Optional. A comma-separated list of fields specifying which fields to be returned in ResourceSearchResult. Only '*' or combination of top level fields can be specified. Field names of both snake_case and camelCase are supported. Examples: `\"*\"`, `\"name,location\"`, `\"name,versionedResources\"`. The read_mask paths must be valid field paths listed but not limited to (both snake_case and camelCase are supported): * name * assetType * project * displayName * description * location * tagKeys * tagValues * tagValueIds * labels * networkTags * kmsKey (This field is deprecated. Please use the `kmsKeys` field to retrieve Cloud KMS key information.) * kmsKeys * createTime * updateTime * state * additionalAttributes * versionedResources If read_mask is not specified, all fields except versionedResources will be returned. If only '*' is specified, all fields including versionedResources will be returned. Any invalid field path will trigger INVALID_ARGUMENT error.", |
| 1074 | + "description": "Optional. A comma-separated list of fields that you want returned in the results. The following fields are returned by default if not specified: * `name` * `assetType` * `project` * `folders` * `organization` * `displayName` * `description` * `location` * `labels` * `networkTags` * `kmsKeys` * `createTime` * `updateTime` * `state` * `additionalAttributes` * `parentFullResourceName` * `parentAssetType` Some fields of large size, such as `versionedResources` and `attachedResources`, are not returned by default, but you can specify them in the `read_mask` parameter if you want to include them. If `\"*\"` is specified, all [available fields](https://cloud.google.com/asset-inventory/docs/reference/rest/v1/TopLevel/searchAllResources#resourcesearchresult) are returned. Examples: `\"name,location\"`, `\"name,versionedResources\"`, `\"*\"`. Any invalid field path will trigger INVALID_ARGUMENT error.", |
1080 | 1075 | "format": "google-fieldmask", |
1081 | 1076 | "location": "query", |
1082 | 1077 | "type": "string" |
|
1100 | 1095 | } |
1101 | 1096 | } |
1102 | 1097 | }, |
1103 | | - "revision": "20230527", |
| 1098 | + "revision": "20230609", |
1104 | 1099 | "rootUrl": "https://cloudasset.googleapis.com/", |
1105 | 1100 | "schemas": { |
1106 | 1101 | "AccessSelector": { |
|
1590 | 1585 | }, |
1591 | 1586 | "type": "object" |
1592 | 1587 | }, |
1593 | | - "DeniedAccess": { |
1594 | | - "description": "A denied access contains details about an access tuple that is blocked by IAM deny policies.", |
1595 | | - "id": "DeniedAccess", |
1596 | | - "properties": { |
1597 | | - "deniedAccessTuple": { |
1598 | | - "$ref": "GoogleCloudAssetV1DeniedAccessAccessTuple", |
1599 | | - "description": "A denied access tuple that is either fully or partially denied by IAM deny rules. This access tuple should match at least one access tuple derived from IamPolicyAnalysisResult." |
1600 | | - }, |
1601 | | - "denyDetails": { |
1602 | | - "description": "The details about how denied_access_tuple is denied.", |
1603 | | - "items": { |
1604 | | - "$ref": "GoogleCloudAssetV1DeniedAccessDenyDetail" |
1605 | | - }, |
1606 | | - "type": "array" |
1607 | | - } |
1608 | | - }, |
1609 | | - "type": "object" |
1610 | | - }, |
1611 | 1588 | "EffectiveIamPolicy": { |
1612 | 1589 | "description": "The effective IAM policies on one resource.", |
1613 | 1590 | "id": "EffectiveIamPolicy", |
|
2087 | 2064 | }, |
2088 | 2065 | "type": "object" |
2089 | 2066 | }, |
2090 | | - "GoogleCloudAssetV1DeniedAccessAccess": { |
2091 | | - "description": "An IAM role or permission under analysis.", |
2092 | | - "id": "GoogleCloudAssetV1DeniedAccessAccess", |
2093 | | - "properties": { |
2094 | | - "permission": { |
2095 | | - "description": "The IAM permission in [v1 format](https://cloud.google.com/iam/docs/permissions-reference)", |
2096 | | - "type": "string" |
2097 | | - }, |
2098 | | - "role": { |
2099 | | - "description": "The IAM role.", |
2100 | | - "type": "string" |
2101 | | - } |
2102 | | - }, |
2103 | | - "type": "object" |
2104 | | - }, |
2105 | | - "GoogleCloudAssetV1DeniedAccessAccessTuple": { |
2106 | | - "description": "An access tuple contains a tuple of a resource, an identity and an access.", |
2107 | | - "id": "GoogleCloudAssetV1DeniedAccessAccessTuple", |
2108 | | - "properties": { |
2109 | | - "access": { |
2110 | | - "$ref": "GoogleCloudAssetV1DeniedAccessAccess", |
2111 | | - "description": "One access from IamPolicyAnalysisResult.AccessControlList.accesses." |
2112 | | - }, |
2113 | | - "identity": { |
2114 | | - "$ref": "GoogleCloudAssetV1DeniedAccessIdentity", |
2115 | | - "description": "One identity from IamPolicyAnalysisResult.IdentityList.identities." |
2116 | | - }, |
2117 | | - "resource": { |
2118 | | - "$ref": "GoogleCloudAssetV1DeniedAccessResource", |
2119 | | - "description": "One resource from IamPolicyAnalysisResult.AccessControlList.resources." |
2120 | | - } |
2121 | | - }, |
2122 | | - "type": "object" |
2123 | | - }, |
2124 | | - "GoogleCloudAssetV1DeniedAccessDenyDetail": { |
2125 | | - "description": "A deny detail that explains which IAM deny rule denies the denied_access_tuple.", |
2126 | | - "id": "GoogleCloudAssetV1DeniedAccessDenyDetail", |
2127 | | - "properties": { |
2128 | | - "accesses": { |
2129 | | - "description": "The denied accesses. If this deny_rule fully denies the denied_access_tuple, this field will be same as AccessTuple.access. Otherwise, this field can contain AccessTuple.access and its descendant accesses, such as a subset of IAM permissions contained in an IAM role.", |
2130 | | - "items": { |
2131 | | - "$ref": "GoogleCloudAssetV1DeniedAccessAccess" |
2132 | | - }, |
2133 | | - "type": "array" |
2134 | | - }, |
2135 | | - "denyRule": { |
2136 | | - "$ref": "GoogleIamV2DenyRule", |
2137 | | - "description": "A deny rule in an IAM deny policy." |
2138 | | - }, |
2139 | | - "fullyDenied": { |
2140 | | - "description": "Whether the deny_rule fully denies all access granted by the denied_access_tuple. `True` means the deny rule fully blocks the access tuple. `False` means the deny rule partially blocks the access tuple.\"", |
2141 | | - "type": "boolean" |
2142 | | - }, |
2143 | | - "identities": { |
2144 | | - "description": "If this deny_rule fully denies the denied_access_tuple, this field will be same as AccessTuple.identity. Otherwise, this field can contain AccessTuple.identity and its descendant identities, such as a subset of users in a group.", |
2145 | | - "items": { |
2146 | | - "$ref": "GoogleCloudAssetV1DeniedAccessIdentity" |
2147 | | - }, |
2148 | | - "type": "array" |
2149 | | - }, |
2150 | | - "resources": { |
2151 | | - "description": "The resources that the identities are denied access to. If this deny_rule fully denies the denied_access_tuple, this field will be same as AccessTuple.resource. Otherwise, this field can contain AccessTuple.resource and its descendant resources.", |
2152 | | - "items": { |
2153 | | - "$ref": "GoogleCloudAssetV1DeniedAccessResource" |
2154 | | - }, |
2155 | | - "type": "array" |
2156 | | - } |
2157 | | - }, |
2158 | | - "type": "object" |
2159 | | - }, |
2160 | | - "GoogleCloudAssetV1DeniedAccessIdentity": { |
2161 | | - "description": "An identity under analysis.", |
2162 | | - "id": "GoogleCloudAssetV1DeniedAccessIdentity", |
2163 | | - "properties": { |
2164 | | - "name": { |
2165 | | - "description": "The identity of members, formatted as appear in an [IAM policy binding](https://cloud.google.com/iam/reference/rest/v1/Binding). For example, they might be formatted like the following: - user:foo@google.com - group:group1@google.com - serviceAccount:s1@prj1.iam.gserviceaccount.com - projectOwner:some_project_id - domain:google.com - allUsers", |
2166 | | - "type": "string" |
2167 | | - } |
2168 | | - }, |
2169 | | - "type": "object" |
2170 | | - }, |
2171 | | - "GoogleCloudAssetV1DeniedAccessResource": { |
2172 | | - "description": "A Google Cloud resource under analysis.", |
2173 | | - "id": "GoogleCloudAssetV1DeniedAccessResource", |
2174 | | - "properties": { |
2175 | | - "fullResourceName": { |
2176 | | - "description": "The [full resource name](https://cloud.google.com/asset-inventory/docs/resource-name-format)", |
2177 | | - "type": "string" |
2178 | | - } |
2179 | | - }, |
2180 | | - "type": "object" |
2181 | | - }, |
2182 | 2067 | "GoogleCloudAssetV1Edge": { |
2183 | 2068 | "description": "A directional edge.", |
2184 | 2069 | "id": "GoogleCloudAssetV1Edge", |
|
2317 | 2202 | "type": "object" |
2318 | 2203 | }, |
2319 | 2204 | "GoogleCloudAssetV1Rule": { |
2320 | | - "description": "Represents a rule defined in an organization policy", |
| 2205 | + "description": "This rule message is a customized version of the one defined in the Organization Policy system. In addition to the fields defined in the original organization policy, it contains additional field(s) under specific circumstances to support analysis results.", |
2321 | 2206 | "id": "GoogleCloudAssetV1Rule", |
2322 | 2207 | "properties": { |
2323 | 2208 | "allowAll": { |
|
2622 | 2507 | "properties": {}, |
2623 | 2508 | "type": "object" |
2624 | 2509 | }, |
2625 | | - "GoogleIamV2DenyRule": { |
2626 | | - "description": "A deny rule in an IAM deny policy.", |
2627 | | - "id": "GoogleIamV2DenyRule", |
2628 | | - "properties": { |
2629 | | - "denialCondition": { |
2630 | | - "$ref": "Expr", |
2631 | | - "description": "The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to `true`, then the deny rule is applied; otherwise, the deny rule is not applied. Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply. The condition can use CEL functions that evaluate [resource tags](https://cloud.google.com/iam/help/conditions/resource-tags). Other functions and operators are not supported." |
2632 | | - }, |
2633 | | - "deniedPermissions": { |
2634 | | - "description": "The permissions that are explicitly denied by this rule. Each permission uses the format `{service_fqdn}/{resource}.{verb}`, where `{service_fqdn}` is the fully qualified domain name for the service. For example, `iam.googleapis.com/roles.list`.", |
2635 | | - "items": { |
2636 | | - "type": "string" |
2637 | | - }, |
2638 | | - "type": "array" |
2639 | | - }, |
2640 | | - "deniedPrincipals": { |
2641 | | - "description": "The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values: * `principalSet://goog/public:all`: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in. * `principal://goog/subject/{email_id}`: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, `principal://goog/subject/alice@example.com`. * `deleted:principal://goog/subject/{email_id}?uid={uid}`: A specific Google Account that was deleted recently. For example, `deleted:principal://goog/subject/alice@example.com?uid=1234567890`. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account. * `principalSet://goog/group/{group_id}`: A Google group. For example, `principalSet://goog/group/admins@example.com`. * `deleted:principalSet://goog/group/{group_id}?uid={uid}`: A Google group that was deleted recently. For example, `deleted:principalSet://goog/group/admins@example.com?uid=1234567890`. If the Google group is restored, this identifier reverts to the standard identifier for a Google group. * `principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}`: A Google Cloud service account. For example, `principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com`. * `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}`: A Google Cloud service account that was deleted recently. For example, `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890`. If the service account is undeleted, this identifier reverts to the standard identifier for a service account. * `principalSet://goog/cloudIdentityCustomerId/{customer_id}`: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, `principalSet://goog/cloudIdentityCustomerId/C01Abc35`.", |
2642 | | - "items": { |
2643 | | - "type": "string" |
2644 | | - }, |
2645 | | - "type": "array" |
2646 | | - }, |
2647 | | - "exceptionPermissions": { |
2648 | | - "description": "Specifies the permissions that this rule excludes from the set of denied permissions given by `denied_permissions`. If a permission appears in `denied_permissions` _and_ in `exception_permissions` then it will _not_ be denied. The excluded permissions can be specified using the same syntax as `denied_permissions`.", |
2649 | | - "items": { |
2650 | | - "type": "string" |
2651 | | - }, |
2652 | | - "type": "array" |
2653 | | - }, |
2654 | | - "exceptionPrincipals": { |
2655 | | - "description": "The identities that are excluded from the deny rule, even if they are listed in the `denied_principals`. For example, you could add a Google group to the `denied_principals`, then exclude specific users who belong to that group. This field can contain the same values as the `denied_principals` field, excluding `principalSet://goog/public:all`, which represents all users on the internet.", |
2656 | | - "items": { |
2657 | | - "type": "string" |
2658 | | - }, |
2659 | | - "type": "array" |
2660 | | - } |
2661 | | - }, |
2662 | | - "type": "object" |
2663 | | - }, |
2664 | 2510 | "GoogleIdentityAccesscontextmanagerV1AccessLevel": { |
2665 | 2511 | "description": "An `AccessLevel` is a label that can be applied to requests to Google Cloud services, along with a list of requirements necessary for the label to be applied.", |
2666 | 2512 | "id": "GoogleIdentityAccesscontextmanagerV1AccessLevel", |
|
3215 | 3061 | }, |
3216 | 3062 | "type": "array" |
3217 | 3063 | }, |
3218 | | - "deniedAccesses": { |
3219 | | - "description": "A list of DeniedAccess, which contains all access tuples in the analysis_results that are denied by IAM deny policies. If no access tuples are denied, the list is empty. This is only populated when IamPolicyAnalysisQuery.Options.include_deny_policy_analysis is true.", |
3220 | | - "items": { |
3221 | | - "$ref": "DeniedAccess" |
3222 | | - }, |
3223 | | - "type": "array" |
3224 | | - }, |
3225 | 3064 | "fullyExplored": { |
3226 | 3065 | "description": "Represents whether all entries in the analysis_results have been fully explored to answer the query.", |
3227 | 3066 | "type": "boolean" |
|
3658 | 3497 | "description": "Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to set. Default is false.", |
3659 | 3498 | "type": "boolean" |
3660 | 3499 | }, |
3661 | | - "includeDenyPolicyAnalysis": { |
3662 | | - "description": "Optional. If true, the response includes deny policy analysis results, and you can see which access tuples are denied. Default is false.", |
3663 | | - "type": "boolean" |
3664 | | - }, |
3665 | 3500 | "outputGroupEdges": { |
3666 | 3501 | "description": "Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false.", |
3667 | 3502 | "type": "boolean" |
|
0 commit comments