<html><body>
<style>

body, h1, h2, h3, div, span, p, pre, a {
  margin: 0;
  padding: 0;
  border: 0;
  font-weight: inherit;
  font-style: inherit;
  font-size: 100%;
  font-family: inherit;
  vertical-align: baseline;
}

body {
  font-size: 13px;
  padding: 1em;
}

h1 {
  font-size: 26px;
  margin-bottom: 1em;
}

h2 {
  font-size: 24px;
  margin-bottom: 1em;
}

h3 {
  font-size: 20px;
  margin-bottom: 1em;
  margin-top: 1em;
}

pre, code {
  line-height: 1.5;
  font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
}

pre {
  margin-top: 0.5em;
}

h1, h2, h3, p {
  font-family: Arial, sans serif;
}

h1, h2, h3 {
  border-bottom: solid #CCC 1px;
}

.toc_element {
  margin-top: 0.5em;
}

.firstline {
  margin-left: 2 em;
}

.method {
  margin-top: 1em;
  border: solid 1px #CCC;
  padding: 1em;
  background: #EEE;
}

.details {
  font-weight: bold;
  font-size: 14px;
}

</style>

<h1><a href="servicemanagement_v1.html">Google Service Management API</a> . <a href="servicemanagement_v1.services.html">services</a> . <a href="servicemanagement_v1.services.consumers.html">consumers</a></h1>
<h2>Instance Methods</h2>
<p class="toc_element">
  <code><a href="#getIamPolicy">getIamPolicy(resource, body, x__xgafv=None)</a></code></p>
<p class="firstline">Gets the access control policy for a resource.</p>
<p class="toc_element">
  <code><a href="#setIamPolicy">setIamPolicy(resource, body, x__xgafv=None)</a></code></p>
<p class="firstline">Sets the access control policy on the specified resource.
Replaces any</p>
<p class="toc_element">
  <code><a href="#testIamPermissions">testIamPermissions(resource, body, x__xgafv=None)</a></code></p>
<p class="firstline">Returns permissions that a caller has on the specified resource.</p>
<h3>Method Details</h3>
<div class="method">
    <code class="details" id="getIamPolicy">getIamPolicy(resource, body, x__xgafv=None)</code>
  <pre>Gets the access control policy for a resource.
Returns an empty policy if the resource exists and does not have a policy
set.

Args:
  resource: string, REQUIRED: The resource for which the policy is being requested.
See the operation documentation for the appropriate value for this field. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # Request message for `GetIamPolicy` method.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Defines an Identity and Access Management (IAM) policy. It is used to
        # specify access control policies for Cloud Platform resources.
        #
        #
        # A `Policy` consists of a list of `bindings`. A `Binding` binds a list of
        # `members` to a `role`, where the members can be user accounts, Google groups,
        # Google domains, and service accounts. A `role` is a named list of permissions
        # defined by IAM.
        #
        # **Example**
        #
        #     {
        #       "bindings": [
        #         {
        #           "role": "roles/owner",
        #           "members": [
        #             "user:mike@example.com",
        #             "group:admins@example.com",
        #             "domain:google.com",
        #             "serviceAccount:my-other-app@appspot.gserviceaccount.com",
        #           ]
        #         },
        #         {
        #           "role": "roles/viewer",
        #           "members": ["user:sean@example.com"]
        #         }
        #       ]
        #     }
        #
        # For a description of IAM and its features, see the
        # [IAM developer's guide](https://cloud.google.com/iam).
      "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
        { # Specifies the audit configuration for a service.
            # The configuration determines which permission types are logged, and what
            # identities, if any, are exempted from logging.
            # An AuditConfig must have one or more AuditLogConfigs.
            #
            # If there are AuditConfigs for both `allServices` and a specific service,
            # the union of the two AuditConfigs is used for that service: the log_types
            # specified in each AuditConfig are enabled, and the exempted_members in each
            # AuditConfig are exempted.
            #
            # Example Policy with multiple AuditConfigs:
            #
            #     {
            #       "audit_configs": [
            #         {
            #           "service": "allServices"
            #           "audit_log_configs": [
            #             {
            #               "log_type": "DATA_READ",
            #               "exempted_members": [
            #                 "user:foo@gmail.com"
            #               ]
            #             },
            #             {
            #               "log_type": "DATA_WRITE",
            #             },
            #             {
            #               "log_type": "ADMIN_READ",
            #             }
            #           ]
            #         },
            #         {
            #           "service": "fooservice.googleapis.com"
            #           "audit_log_configs": [
            #             {
            #               "log_type": "DATA_READ",
            #             },
            #             {
            #               "log_type": "DATA_WRITE",
            #               "exempted_members": [
            #                 "user:bar@gmail.com"
            #               ]
            #             }
            #           ]
            #         }
            #       ]
            #     }
            #
            # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
            # logging. It also exempts foo@gmail.com from DATA_READ logging, and
            # bar@gmail.com from DATA_WRITE logging.
          "exemptedMembers": [
            "A String",
          ],
          "auditLogConfigs": [ # The configuration for logging of each type of permission.
              # Next ID: 4
            { # Provides the configuration for logging a type of permissions.
                # Example:
                #
                #     {
                #       "audit_log_configs": [
                #         {
                #           "log_type": "DATA_READ",
                #           "exempted_members": [
                #             "user:foo@gmail.com"
                #           ]
                #         },
                #         {
                #           "log_type": "DATA_WRITE",
                #         }
                #       ]
                #     }
                #
                # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
                # foo@gmail.com from DATA_READ logging.
              "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
                  # permission.
                  # Follows the same format of Binding.members.
                "A String",
              ],
              "logType": "A String", # The log type that this config enables.
            },
          ],
          "service": "A String", # Specifies a service that will be enabled for audit logging.
              # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
              # `allServices` is a special value that covers all services.
        },
      ],
      "rules": [ # If more than one rule is specified, the rules are applied in the following
          # manner:
          # - All matching LOG rules are always applied.
          # - If any DENY/DENY_WITH_LOG rule matches, permission is denied.
          #   Logging will be applied if one or more matching rule requires logging.
          # - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is
          #   granted.
          #   Logging will be applied if one or more matching rule requires logging.
          # - Otherwise, if no rule applies, permission is denied.
        { # A rule to be applied in a Policy.
          "notIn": [ # If one or more 'not_in' clauses are specified, the rule matches
              # if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.
              # The format for in and not_in entries is the same as for members in a
              # Binding (see google/iam/v1/policy.proto).
            "A String",
          ],
          "description": "A String", # Human-readable description of the rule.
          "in": [ # If one or more 'in' clauses are specified, the rule matches if
              # the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
            "A String",
          ],
          "action": "A String", # Required
          "conditions": [ # Additional restrictions that must be met
            { # A condition to be met.
              "iam": "A String", # Trusted attributes supplied by the IAM system.
              "svc": "A String", # Trusted attributes discharged by the service.
              "value": "A String", # DEPRECATED. Use 'values' instead.
              "sys": "A String", # Trusted attributes supplied by any service that owns resources and uses
                  # the IAM system for access control.
              "values": [ # The objects of the condition. This is mutually exclusive with 'value'.
                "A String",
              ],
              "op": "A String", # An operator to apply the subject with.
            },
          ],
          "logConfig": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries
              # that match the LOG action.
            { # Specifies what kind of log the caller must write
              "counter": { # Options for counters # Counter options.
                "field": "A String", # The field value to attribute.
                "metric": "A String", # The metric to update.
              },
              "dataAccess": { # Write a Data Access (Gin) log # Data access options.
              },
              "cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
                "logName": "A String", # The log_name to populate in the Cloud Audit Record.
              },
            },
          ],
          "permissions": [ # A permission is a string of form '<service>.<resource type>.<verb>'
              # (e.g., 'storage.buckets.list'). A value of '*' matches all permissions,
              # and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.
            "A String",
          ],
        },
      ],
      "version": 42, # Version of the `Policy`. The default version is 0.
      "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
          # prevent simultaneous updates of a policy from overwriting each other.
          # It is strongly suggested that systems make use of the `etag` in the
          # read-modify-write cycle to perform policy updates in order to avoid race
          # conditions: An `etag` is returned in the response to `getIamPolicy`, and
          # systems are expected to put that etag in the request to `setIamPolicy` to
          # ensure that their change will be applied to the same version of the policy.
          #
          # If no `etag` is provided in the call to `setIamPolicy`, then the existing
          # policy is overwritten blindly.
      "bindings": [ # Associates a list of `members` to a `role`.
          # Multiple `bindings` must not be specified for the same `role`.
          # `bindings` with no members will result in an error.
        { # Associates `members` with a `role`.
          "role": "A String", # Role that is assigned to `members`.
              # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
              # Required
          "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
              # `members` can have the following values:
              #
              # * `allUsers`: A special identifier that represents anyone who is
              #    on the internet; with or without a Google account.
              #
              # * `allAuthenticatedUsers`: A special identifier that represents anyone
              #    who is authenticated with a Google account or a service account.
              #
              # * `user:{emailid}`: An email address that represents a specific Google
              #    account. For example, `alice@gmail.com` or `joe@example.com`.
              #
              #
              # * `serviceAccount:{emailid}`: An email address that represents a service
              #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
              #
              # * `group:{emailid}`: An email address that represents a Google group.
              #    For example, `admins@example.com`.
              #
              #
              # * `domain:{domain}`: A Google Apps domain name that represents all the
              #    users of that domain. For example, `google.com` or `example.com`.
              #
            "A String",
          ],
        },
      ],
      "iamOwned": True or False,
    }</pre>
</div>

<div class="method">
    <code class="details" id="setIamPolicy">setIamPolicy(resource, body, x__xgafv=None)</code>
  <pre>Sets the access control policy on the specified resource. Replaces any
existing policy.

Args:
  resource: string, REQUIRED: The resource for which the policy is being specified.
See the operation documentation for the appropriate value for this field. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # Request message for `SetIamPolicy` method.
    "policy": { # REQUIRED: The complete policy to be applied to the `resource`. The size of
        # the policy is limited to a few 10s of KB. An empty policy is a
        # valid policy but certain Cloud Platform services (such as Projects)
        # might reject them.
        #
        # Defines an Identity and Access Management (IAM) policy. It is used to
        # specify access control policies for Cloud Platform resources.
        #
        #
        # A `Policy` consists of a list of `bindings`. A `Binding` binds a list of
        # `members` to a `role`, where the members can be user accounts, Google groups,
        # Google domains, and service accounts. A `role` is a named list of permissions
        # defined by IAM.
        #
        # **Example**
        #
        #     {
        #       "bindings": [
        #         {
        #           "role": "roles/owner",
        #           "members": [
        #             "user:mike@example.com",
        #             "group:admins@example.com",
        #             "domain:google.com",
        #             "serviceAccount:my-other-app@appspot.gserviceaccount.com",
        #           ]
        #         },
        #         {
        #           "role": "roles/viewer",
        #           "members": ["user:sean@example.com"]
        #         }
        #       ]
        #     }
        #
        # For a description of IAM and its features, see the
        # [IAM developer's guide](https://cloud.google.com/iam).
      "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
        { # Specifies the audit configuration for a service.
            # The configuration determines which permission types are logged, and what
            # identities, if any, are exempted from logging.
            # An AuditConfig must have one or more AuditLogConfigs.
            #
            # If there are AuditConfigs for both `allServices` and a specific service,
            # the union of the two AuditConfigs is used for that service: the log_types
            # specified in each AuditConfig are enabled, and the exempted_members in each
            # AuditConfig are exempted.
            #
            # Example Policy with multiple AuditConfigs:
            #
            #     {
            #       "audit_configs": [
            #         {
            #           "service": "allServices"
            #           "audit_log_configs": [
            #             {
            #               "log_type": "DATA_READ",
            #               "exempted_members": [
            #                 "user:foo@gmail.com"
            #               ]
            #             },
            #             {
            #               "log_type": "DATA_WRITE",
            #             },
            #             {
            #               "log_type": "ADMIN_READ",
            #             }
            #           ]
            #         },
            #         {
            #           "service": "fooservice.googleapis.com"
            #           "audit_log_configs": [
            #             {
            #               "log_type": "DATA_READ",
            #             },
            #             {
            #               "log_type": "DATA_WRITE",
            #               "exempted_members": [
            #                 "user:bar@gmail.com"
            #               ]
            #             }
            #           ]
            #         }
            #       ]
            #     }
            #
            # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
            # logging. It also exempts foo@gmail.com from DATA_READ logging, and
            # bar@gmail.com from DATA_WRITE logging.
          "exemptedMembers": [
            "A String",
          ],
          "auditLogConfigs": [ # The configuration for logging of each type of permission.
              # Next ID: 4
            { # Provides the configuration for logging a type of permissions.
                # Example:
                #
                #     {
                #       "audit_log_configs": [
                #         {
                #           "log_type": "DATA_READ",
                #           "exempted_members": [
                #             "user:foo@gmail.com"
                #           ]
                #         },
                #         {
                #           "log_type": "DATA_WRITE",
                #         }
                #       ]
                #     }
                #
                # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
                # foo@gmail.com from DATA_READ logging.
              "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
                  # permission.
                  # Follows the same format of Binding.members.
                "A String",
              ],
              "logType": "A String", # The log type that this config enables.
            },
          ],
          "service": "A String", # Specifies a service that will be enabled for audit logging.
              # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
              # `allServices` is a special value that covers all services.
        },
      ],
      "rules": [ # If more than one rule is specified, the rules are applied in the following
          # manner:
          # - All matching LOG rules are always applied.
          # - If any DENY/DENY_WITH_LOG rule matches, permission is denied.
          #   Logging will be applied if one or more matching rule requires logging.
          # - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is
          #   granted.
          #   Logging will be applied if one or more matching rule requires logging.
          # - Otherwise, if no rule applies, permission is denied.
        { # A rule to be applied in a Policy.
          "notIn": [ # If one or more 'not_in' clauses are specified, the rule matches
              # if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.
              # The format for in and not_in entries is the same as for members in a
              # Binding (see google/iam/v1/policy.proto).
            "A String",
          ],
          "description": "A String", # Human-readable description of the rule.
          "in": [ # If one or more 'in' clauses are specified, the rule matches if
              # the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
            "A String",
          ],
          "action": "A String", # Required
          "conditions": [ # Additional restrictions that must be met
            { # A condition to be met.
              "iam": "A String", # Trusted attributes supplied by the IAM system.
              "svc": "A String", # Trusted attributes discharged by the service.
              "value": "A String", # DEPRECATED. Use 'values' instead.
              "sys": "A String", # Trusted attributes supplied by any service that owns resources and uses
                  # the IAM system for access control.
              "values": [ # The objects of the condition. This is mutually exclusive with 'value'.
                "A String",
              ],
              "op": "A String", # An operator to apply the subject with.
            },
          ],
          "logConfig": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries
              # that match the LOG action.
            { # Specifies what kind of log the caller must write
              "counter": { # Options for counters # Counter options.
                "field": "A String", # The field value to attribute.
                "metric": "A String", # The metric to update.
              },
              "dataAccess": { # Write a Data Access (Gin) log # Data access options.
              },
              "cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
                "logName": "A String", # The log_name to populate in the Cloud Audit Record.
              },
            },
          ],
          "permissions": [ # A permission is a string of form '<service>.<resource type>.<verb>'
              # (e.g., 'storage.buckets.list'). A value of '*' matches all permissions,
              # and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.
            "A String",
          ],
        },
      ],
      "version": 42, # Version of the `Policy`. The default version is 0.
      "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
          # prevent simultaneous updates of a policy from overwriting each other.
          # It is strongly suggested that systems make use of the `etag` in the
          # read-modify-write cycle to perform policy updates in order to avoid race
          # conditions: An `etag` is returned in the response to `getIamPolicy`, and
          # systems are expected to put that etag in the request to `setIamPolicy` to
          # ensure that their change will be applied to the same version of the policy.
          #
          # If no `etag` is provided in the call to `setIamPolicy`, then the existing
          # policy is overwritten blindly.
      "bindings": [ # Associates a list of `members` to a `role`.
          # Multiple `bindings` must not be specified for the same `role`.
          # `bindings` with no members will result in an error.
        { # Associates `members` with a `role`.
          "role": "A String", # Role that is assigned to `members`.
              # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
              # Required
          "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
              # `members` can have the following values:
              #
              # * `allUsers`: A special identifier that represents anyone who is
              #    on the internet; with or without a Google account.
              #
              # * `allAuthenticatedUsers`: A special identifier that represents anyone
              #    who is authenticated with a Google account or a service account.
              #
              # * `user:{emailid}`: An email address that represents a specific Google
              #    account. For example, `alice@gmail.com` or `joe@example.com`.
              #
              #
              # * `serviceAccount:{emailid}`: An email address that represents a service
              #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
              #
              # * `group:{emailid}`: An email address that represents a Google group.
              #    For example, `admins@example.com`.
              #
              #
              # * `domain:{domain}`: A Google Apps domain name that represents all the
              #    users of that domain. For example, `google.com` or `example.com`.
              #
            "A String",
          ],
        },
      ],
      "iamOwned": True or False,
    },
    "updateMask": "A String", # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
        # the fields in the mask will be modified. If no mask is provided, the
        # following default mask is used:
        # paths: "bindings, etag"
        # This field is only used by Cloud IAM.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Defines an Identity and Access Management (IAM) policy. It is used to
        # specify access control policies for Cloud Platform resources.
        #
        #
        # A `Policy` consists of a list of `bindings`. A `Binding` binds a list of
        # `members` to a `role`, where the members can be user accounts, Google groups,
        # Google domains, and service accounts. A `role` is a named list of permissions
        # defined by IAM.
        #
        # **Example**
        #
        #     {
        #       "bindings": [
        #         {
        #           "role": "roles/owner",
        #           "members": [
        #             "user:mike@example.com",
        #             "group:admins@example.com",
        #             "domain:google.com",
        #             "serviceAccount:my-other-app@appspot.gserviceaccount.com",
        #           ]
        #         },
        #         {
        #           "role": "roles/viewer",
        #           "members": ["user:sean@example.com"]
        #         }
        #       ]
        #     }
        #
        # For a description of IAM and its features, see the
        # [IAM developer's guide](https://cloud.google.com/iam).
      "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
        { # Specifies the audit configuration for a service.
            # The configuration determines which permission types are logged, and what
            # identities, if any, are exempted from logging.
            # An AuditConfig must have one or more AuditLogConfigs.
            #
            # If there are AuditConfigs for both `allServices` and a specific service,
            # the union of the two AuditConfigs is used for that service: the log_types
            # specified in each AuditConfig are enabled, and the exempted_members in each
            # AuditConfig are exempted.
            #
            # Example Policy with multiple AuditConfigs:
            #
            #     {
            #       "audit_configs": [
            #         {
            #           "service": "allServices"
            #           "audit_log_configs": [
            #             {
            #               "log_type": "DATA_READ",
            #               "exempted_members": [
            #                 "user:foo@gmail.com"
            #               ]
            #             },
            #             {
            #               "log_type": "DATA_WRITE",
            #             },
            #             {
            #               "log_type": "ADMIN_READ",
            #             }
            #           ]
            #         },
            #         {
            #           "service": "fooservice.googleapis.com"
            #           "audit_log_configs": [
            #             {
            #               "log_type": "DATA_READ",
            #             },
            #             {
            #               "log_type": "DATA_WRITE",
            #               "exempted_members": [
            #                 "user:bar@gmail.com"
            #               ]
            #             }
            #           ]
            #         }
            #       ]
            #     }
            #
            # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
            # logging. It also exempts foo@gmail.com from DATA_READ logging, and
            # bar@gmail.com from DATA_WRITE logging.
          "exemptedMembers": [
            "A String",
          ],
          "auditLogConfigs": [ # The configuration for logging of each type of permission.
              # Next ID: 4
            { # Provides the configuration for logging a type of permissions.
                # Example:
                #
                #     {
                #       "audit_log_configs": [
                #         {
                #           "log_type": "DATA_READ",
                #           "exempted_members": [
                #             "user:foo@gmail.com"
                #           ]
                #         },
                #         {
                #           "log_type": "DATA_WRITE",
                #         }
                #       ]
                #     }
                #
                # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
                # foo@gmail.com from DATA_READ logging.
              "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
                  # permission.
                  # Follows the same format of Binding.members.
                "A String",
              ],
              "logType": "A String", # The log type that this config enables.
            },
          ],
          "service": "A String", # Specifies a service that will be enabled for audit logging.
              # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
              # `allServices` is a special value that covers all services.
        },
      ],
      "rules": [ # If more than one rule is specified, the rules are applied in the following
          # manner:
          # - All matching LOG rules are always applied.
          # - If any DENY/DENY_WITH_LOG rule matches, permission is denied.
          #   Logging will be applied if one or more matching rule requires logging.
          # - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is
          #   granted.
          #   Logging will be applied if one or more matching rule requires logging.
          # - Otherwise, if no rule applies, permission is denied.
        { # A rule to be applied in a Policy.
          "notIn": [ # If one or more 'not_in' clauses are specified, the rule matches
              # if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.
              # The format for in and not_in entries is the same as for members in a
              # Binding (see google/iam/v1/policy.proto).
            "A String",
          ],
          "description": "A String", # Human-readable description of the rule.
          "in": [ # If one or more 'in' clauses are specified, the rule matches if
              # the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
            "A String",
          ],
          "action": "A String", # Required
          "conditions": [ # Additional restrictions that must be met
            { # A condition to be met.
              "iam": "A String", # Trusted attributes supplied by the IAM system.
              "svc": "A String", # Trusted attributes discharged by the service.
              "value": "A String", # DEPRECATED. Use 'values' instead.
              "sys": "A String", # Trusted attributes supplied by any service that owns resources and uses
                  # the IAM system for access control.
              "values": [ # The objects of the condition. This is mutually exclusive with 'value'.
                "A String",
              ],
              "op": "A String", # An operator to apply the subject with.
            },
          ],
          "logConfig": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries
              # that match the LOG action.
            { # Specifies what kind of log the caller must write
              "counter": { # Options for counters # Counter options.
                "field": "A String", # The field value to attribute.
                "metric": "A String", # The metric to update.
              },
              "dataAccess": { # Write a Data Access (Gin) log # Data access options.
              },
              "cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
                "logName": "A String", # The log_name to populate in the Cloud Audit Record.
              },
            },
          ],
          "permissions": [ # A permission is a string of form '<service>.<resource type>.<verb>'
              # (e.g., 'storage.buckets.list'). A value of '*' matches all permissions,
              # and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.
            "A String",
          ],
        },
      ],
      "version": 42, # Version of the `Policy`. The default version is 0.
      "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
          # prevent simultaneous updates of a policy from overwriting each other.
          # It is strongly suggested that systems make use of the `etag` in the
          # read-modify-write cycle to perform policy updates in order to avoid race
          # conditions: An `etag` is returned in the response to `getIamPolicy`, and
          # systems are expected to put that etag in the request to `setIamPolicy` to
          # ensure that their change will be applied to the same version of the policy.
          #
          # If no `etag` is provided in the call to `setIamPolicy`, then the existing
          # policy is overwritten blindly.
      "bindings": [ # Associates a list of `members` to a `role`.
          # Multiple `bindings` must not be specified for the same `role`.
          # `bindings` with no members will result in an error.
        { # Associates `members` with a `role`.
          "role": "A String", # Role that is assigned to `members`.
              # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
              # Required
          "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
              # `members` can have the following values:
              #
              # * `allUsers`: A special identifier that represents anyone who is
              #    on the internet; with or without a Google account.
              #
              # * `allAuthenticatedUsers`: A special identifier that represents anyone
              #    who is authenticated with a Google account or a service account.
              #
              # * `user:{emailid}`: An email address that represents a specific Google
              #    account. For example, `alice@gmail.com` or `joe@example.com`.
              #
              #
              # * `serviceAccount:{emailid}`: An email address that represents a service
              #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
              #
              # * `group:{emailid}`: An email address that represents a Google group.
              #    For example, `admins@example.com`.
              #
              #
              # * `domain:{domain}`: A Google Apps domain name that represents all the
              #    users of that domain. For example, `google.com` or `example.com`.
              #
            "A String",
          ],
        },
      ],
      "iamOwned": True or False,
    }</pre>
</div>

<div class="method">
    <code class="details" id="testIamPermissions">testIamPermissions(resource, body, x__xgafv=None)</code>
  <pre>Returns permissions that a caller has on the specified resource.
If the resource does not exist, this will return an empty set of
permissions, not a NOT_FOUND error.

Note: This operation is designed to be used for building permission-aware
UIs and command-line tools, not for authorization checking. This operation
may "fail open" without warning.

Args:
  resource: string, REQUIRED: The resource for which the policy detail is being requested.
See the operation documentation for the appropriate value for this field. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # Request message for `TestIamPermissions` method.
    "permissions": [ # The set of permissions to check for the `resource`.
        # Permissions with
        # wildcards (such as '*' or 'storage.*') are not allowed. For more
        # information see
        # [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).
      "A String",
    ],
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response message for `TestIamPermissions` method.
    "permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is
        # allowed.
      "A String",
    ],
  }</pre>
</div>

</body></html>
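The `etag` read-modify-write cycle that the `getIamPolicy` and `setIamPolicy` descriptions recommend, shown next to the blind overwrite that happens when the `etag` is left out. This is an added example, not part of the generated reference or of the client library: `FakeConsumers`, `EtagConflict`, `add_member`, `update_policy`, the `is_conflict` callback, the resource placeholder and the sample members' scenario are constructed for illustration, and the fake's rejection of a stale `etag` is an assumption about how the service signals the conflict.

```python
import copy

RESOURCE = "RESOURCE-NAME-PLACEHOLDER"  # constructed; the page does not give the format


class EtagConflict(Exception):
    """Constructed stand-in for the error a stale etag produces."""


class _Call:
    """Mimics a client request object: the work happens in execute()."""
    def __init__(self, fn):
        self._fn = fn

    def execute(self):
        return self._fn()


class FakeConsumers:
    """Constructed in-memory stand-in exposing the two documented methods."""
    def __init__(self, policy):
        self._version = 0
        self.race = None  # optional callable acting as a concurrent writer
        self.store(policy)

    def store(self, policy):
        self._version += 1
        self.policy = dict(copy.deepcopy(policy), etag="v%d" % self._version)

    def getIamPolicy(self, resource, body, x__xgafv=None):
        def read():
            snapshot = copy.deepcopy(self.policy)
            if self.race:  # another writer lands right after our read
                race, self.race = self.race, None
                race(self)
            return snapshot
        return _Call(read)

    def setIamPolicy(self, resource, body, x__xgafv=None):
        def write():
            sent = body["policy"]
            # As the page states: no etag means the policy is overwritten blindly.
            if "etag" in sent and sent["etag"] != self.policy["etag"]:
                raise EtagConflict(sent["etag"])
            self.store(sent)
            return copy.deepcopy(self.policy)
        return _Call(write)


def add_member(policy, role, member):
    """Return a copy of policy with member bound to role (one binding per role)."""
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    bindings.append({"role": role, "members": [member]})
    return updated


def update_policy(consumers, resource, mutate, is_conflict, max_attempts=5):
    """Read, modify, write back with the etag just read; re-read on conflict."""
    for attempt in range(1, max_attempts + 1):
        current = consumers.getIamPolicy(resource=resource, body={}).execute()
        if not current.get("etag"):
            raise ValueError("no etag returned; refusing a blind overwrite")
        desired = mutate(current)
        desired["etag"] = current["etag"]  # pin the write to the version we read
        try:
            request = consumers.setIamPolicy(resource=resource, body={"policy": desired})
            return request.execute(), attempt
        except Exception as exc:
            if not is_conflict(exc):
                raise
    raise RuntimeError("policy kept changing; gave up after %d attempts" % max_attempts)


def demo(use_etag):
    """Run one update while a concurrent writer adds an owner binding."""
    start = {"bindings": [{"role": "roles/viewer", "members": ["user:sean@example.com"]}]}
    fake = FakeConsumers(start)
    fake.race = lambda c: c.store(add_member(c.policy, "roles/owner", "group:admins@example.com"))
    ours = lambda p: add_member(p, "roles/viewer", "user:mike@example.com")
    attempts = 1
    if use_etag:
        _, attempts = update_policy(fake, RESOURCE, ours, lambda e: isinstance(e, EtagConflict))
    else:  # the failure mode: write back a stale copy without its etag
        stale = fake.getIamPolicy(resource=RESOURCE, body={}).execute()
        del stale["etag"]
        fake.setIamPolicy(resource=RESOURCE, body={"policy": ours(stale)}).execute()
    return {b["role"]: b["members"] for b in fake.policy["bindings"]}, attempts
```

`demo(True)` keeps the concurrent writer's `roles/owner` binding after one retry, while `demo(False)` silently drops it. Against the real service, `consumers` would be the object whose methods are documented on this page and `is_conflict` would recognise whatever error the client raises for a mismatched `etag`.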
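A review helper for a policy returned by `getIamPolicy`, applying two rules stated in the schema comments above: `AuditConfig` entries for `allServices` and for a specific service are unioned per log type, and `allUsers` / `allAuthenticatedUsers` are the special public members. This is an added example, not code from the reference or the client library; the function names, the finding strings and the `LOG_TYPES` tuple (the three log types that appear in the page's examples) are assumptions, and `SAMPLE_POLICY` is the page's two-`AuditConfig` example rewritten with the camelCase keys of the returned object plus one constructed public binding.

```python
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")  # types named in the page's examples


def effective_audit_logging(policy, service):
    """Return {log type: sorted exempted members} in force for `service`.

    Unions the `allServices` AuditConfig with the service's own, per log type.
    """
    effective = {}
    for config in policy.get("auditConfigs", []):
        if config.get("service") not in ("allServices", service):
            continue
        for log_config in config.get("auditLogConfigs", []):
            exempt = effective.setdefault(log_config["logType"], set())
            exempt.update(log_config.get("exemptedMembers", []))
    return {log_type: sorted(members) for log_type, members in effective.items()}


def review(policy, service):
    """List public grants, log types the policy leaves off, and exemptions."""
    findings = []
    for binding in policy.get("bindings", []):
        exposed = sorted(PUBLIC_MEMBERS.intersection(binding.get("members", [])))
        if exposed:
            findings.append("PUBLIC: %s is granted to %s" % (binding["role"], ", ".join(exposed)))
    logging = effective_audit_logging(policy, service)
    for log_type in LOG_TYPES:
        if log_type not in logging:
            findings.append("NOLOG: %s is not enabled for %s by this policy" % (log_type, service))
        elif logging[log_type]:
            findings.append("EXEMPT: %s logging for %s skips %s"
                            % (log_type, service, ", ".join(logging[log_type])))
    return findings


# Constructed sample input (see the lead-in).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:mike@example.com"]},
        {"role": "roles/viewer", "members": ["allAuthenticatedUsers", "user:sean@example.com"]},
    ],
    "auditConfigs": [
        {"service": "allServices", "auditLogConfigs": [
            {"logType": "DATA_READ", "exemptedMembers": ["user:foo@gmail.com"]},
            {"logType": "DATA_WRITE"},
            {"logType": "ADMIN_READ"},
        ]},
        {"service": "fooservice.googleapis.com", "auditLogConfigs": [
            {"logType": "DATA_READ"},
            {"logType": "DATA_WRITE", "exemptedMembers": ["user:bar@gmail.com"]},
        ]},
    ],
}

if __name__ == "__main__":
    for line in review(SAMPLE_POLICY, "fooservice.googleapis.com"):
        print(line)
```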