1<html><body>
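<style>

/* Reset: strip default spacing and inherit type so the rules below start from one baseline. */
body, h1, h2, h3, div, span, p, pre, a {
  margin: 0;
  padding: 0;
  border: 0;
  font-weight: inherit;
  font-style: inherit;
  font-size: 100%;
  font-family: inherit;
  vertical-align: baseline;
}

/* Page-wide base size and outer spacing. */
body {
  font-size: 13px;
  padding: 1em;
}

/* Heading scale: API breadcrumb (h1), section title (h2), "Method Details" (h3). */
h1 {
  font-size: 26px;
  margin-bottom: 1em;
}

h2 {
  font-size: 24px;
  margin-bottom: 1em;
}

h3 {
  font-size: 20px;
  margin-bottom: 1em;
  margin-top: 1em;
}

/* Signatures and method bodies are shown in a monospace face. */
pre, code {
  line-height: 1.5;
  font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
}

pre {
  margin-top: 0.5em;
}

/* The generic fallback keyword is hyphenated; "sans serif" names a font that does not exist. */
h1, h2, h3, p {
  font-family: Arial, sans-serif;
}

h1, h2, h3 {
  border-bottom: solid #CCC 1px;
}

/* Table-of-contents entry: one method signature. */
.toc_element {
  margin-top: 0.5em;
}

/* One-line summary under a table-of-contents entry. */
/* A length takes no space between number and unit; "2 em" is invalid and the declaration is dropped. */
.firstline {
  margin-left: 2em;
}

/* Boxed panel holding one method's full description. */
.method {
  margin-top: 1em;
  border: solid 1px #CCC;
  padding: 1em;
  background: #EEE;
}

/* Method signature at the top of each panel. */
.details {
  font-weight: bold;
  font-size: 14px;
}

</style>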
74
75<h1><a href="cloudkms_v1.html">Google Cloud Key Management Service (KMS) API</a> . <a href="cloudkms_v1.projects.html">projects</a> . <a href="cloudkms_v1.projects.locations.html">locations</a> . <a href="cloudkms_v1.projects.locations.keyRings.html">keyRings</a> . <a href="cloudkms_v1.projects.locations.keyRings.cryptoKeys.html">cryptoKeys</a></h1>
76<h2>Instance Methods</h2>
77<p class="toc_element">
78  <code><a href="cloudkms_v1.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.html">cryptoKeyVersions()</a></code>
79</p>
80<p class="firstline">Returns the cryptoKeyVersions Resource.</p>
81
82<p class="toc_element">
83  <code><a href="#create">create(parent, body, cryptoKeyId=None, x__xgafv=None)</a></code></p>
84<p class="firstline">Create a new CryptoKey within a KeyRing.</p>
85<p class="toc_element">
86  <code><a href="#decrypt">decrypt(name, body, x__xgafv=None)</a></code></p>
87<p class="firstline">Decrypts data that was protected by Encrypt.</p>
88<p class="toc_element">
89  <code><a href="#encrypt">encrypt(name, body, x__xgafv=None)</a></code></p>
90<p class="firstline">Encrypts data, so that it can only be recovered by a call to Decrypt.</p>
91<p class="toc_element">
92  <code><a href="#get">get(name, x__xgafv=None)</a></code></p>
93<p class="firstline">Returns metadata for a given CryptoKey, as well as its primary CryptoKeyVersion.</p>
94<p class="toc_element">
95  <code><a href="#getIamPolicy">getIamPolicy(resource, x__xgafv=None)</a></code></p>
96<p class="firstline">Gets the access control policy for a resource.</p>
97<p class="toc_element">
98  <code><a href="#list">list(parent, pageToken=None, x__xgafv=None, pageSize=None)</a></code></p>
99<p class="firstline">Lists CryptoKeys.</p>
100<p class="toc_element">
101  <code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>
102<p class="firstline">Retrieves the next page of results.</p>
103<p class="toc_element">
104  <code><a href="#patch">patch(name, body, updateMask=None, x__xgafv=None)</a></code></p>
105<p class="firstline">Update a CryptoKey.</p>
106<p class="toc_element">
107  <code><a href="#setIamPolicy">setIamPolicy(resource, body, x__xgafv=None)</a></code></p>
108<p class="firstline">Sets the access control policy on the specified resource. Replaces any existing policy.</p>
109<p class="toc_element">
110  <code><a href="#testIamPermissions">testIamPermissions(resource, body, x__xgafv=None)</a></code></p>
111<p class="firstline">Returns permissions that a caller has on the specified resource.</p>
112<p class="toc_element">
113  <code><a href="#updatePrimaryVersion">updatePrimaryVersion(name, body, x__xgafv=None)</a></code></p>
114<p class="firstline">Update the version of a CryptoKey that will be used in Encrypt</p>
115<h3>Method Details</h3>
116<div class="method">
117    <code class="details" id="create">create(parent, body, cryptoKeyId=None, x__xgafv=None)</code>
118  <pre>Create a new CryptoKey within a KeyRing.
119
120CryptoKey.purpose is required.
121
122Args:
123  parent: string, Required. The name of the KeyRing associated with the
124CryptoKeys. (required)
125  body: object, The request body. (required)
126    The object takes the form of:
127
128{ # A CryptoKey represents a logical key that can be used for cryptographic
129    # operations.
130    #
131    # A CryptoKey is made up of one or more versions, which
132    # represent the actual key material used in cryptographic operations.
133  "name": "A String", # Output only. The resource name for this CryptoKey in the format
134      # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
135  "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
136      # automatically rotates a key. Must be at least one day.
137      #
138      # If rotation_period is set, next_rotation_time must also be set.
139  "primary": { # Output only. A copy of the "primary" CryptoKeyVersion that will be used
140      # by Encrypt when this CryptoKey is given in EncryptRequest.name.
141      #
142      # The CryptoKey's primary version can be updated via UpdateCryptoKeyPrimaryVersion.
143      #
144      # A CryptoKeyVersion represents an individual cryptographic key, and the
145      # associated key material.
146      #
147      # It can be used for cryptographic operations either directly, or via its
148      # parent CryptoKey, in which case the server will choose the appropriate
149      # version for the operation.
150    "state": "A String", # The current state of the CryptoKeyVersion.
151    "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
152        # for destruction. Only present if state is
153        # DESTROY_SCHEDULED.
154    "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
155    "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
156        # destroyed. Only present if state is
157        # DESTROYED.
158    "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
159        # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
160  },
161  "purpose": "A String", # The immutable purpose of this CryptoKey. Currently, the only acceptable
162      # purpose is ENCRYPT_DECRYPT.
163  "createTime": "A String", # Output only. The time at which this CryptoKey was created.
164  "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
165      #
166      # 1. Create a new version of this CryptoKey.
167      # 2. Mark the new version as primary.
168      #
169      # Key rotations performed manually via
170      # CreateCryptoKeyVersion and
171      # UpdateCryptoKeyPrimaryVersion
172      # do not affect next_rotation_time.
173}
174
175  cryptoKeyId: string, Required. It must be unique within a KeyRing and match the regular
176expression `[a-zA-Z0-9_-]{1,63}`
177  x__xgafv: string, V1 error format.
178    Allowed values
179      1 - v1 error format
180      2 - v2 error format
181
182Returns:
183  An object of the form:
184
185    { # A CryptoKey represents a logical key that can be used for cryptographic
186      # operations.
187      #
188      # A CryptoKey is made up of one or more versions, which
189      # represent the actual key material used in cryptographic operations.
190    "name": "A String", # Output only. The resource name for this CryptoKey in the format
191        # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
192    "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
193        # automatically rotates a key. Must be at least one day.
194        #
195        # If rotation_period is set, next_rotation_time must also be set.
196    "primary": { # Output only. A copy of the "primary" CryptoKeyVersion that will be used
197        # by Encrypt when this CryptoKey is given in EncryptRequest.name.
198        #
199        # The CryptoKey's primary version can be updated via UpdateCryptoKeyPrimaryVersion.
200        #
201        # A CryptoKeyVersion represents an individual cryptographic key, and the
202        # associated key material.
203        #
204        # It can be used for cryptographic operations either directly, or via its
205        # parent CryptoKey, in which case the server will choose the appropriate
206        # version for the operation.
207      "state": "A String", # The current state of the CryptoKeyVersion.
208      "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
209          # for destruction. Only present if state is
210          # DESTROY_SCHEDULED.
211      "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
212      "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
213          # destroyed. Only present if state is
214          # DESTROYED.
215      "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
216          # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
217    },
218    "purpose": "A String", # The immutable purpose of this CryptoKey. Currently, the only acceptable
219        # purpose is ENCRYPT_DECRYPT.
220    "createTime": "A String", # Output only. The time at which this CryptoKey was created.
221    "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
222        #
223        # 1. Create a new version of this CryptoKey.
224        # 2. Mark the new version as primary.
225        #
226        # Key rotations performed manually via
227        # CreateCryptoKeyVersion and
228        # UpdateCryptoKeyPrimaryVersion
229        # do not affect next_rotation_time.
230  }</pre>
231</div>
232
233<div class="method">
234    <code class="details" id="decrypt">decrypt(name, body, x__xgafv=None)</code>
235  <pre>Decrypts data that was protected by Encrypt.
236
237Args:
238  name: string, Required. The resource name of the CryptoKey to use for decryption.
239The server will choose the appropriate version. (required)
240  body: object, The request body. (required)
241    The object takes the form of:
242
243{ # Request message for KeyManagementService.Decrypt.
244    "ciphertext": "A String", # Required. The encrypted data originally returned in
245        # EncryptResponse.ciphertext.
246    "additionalAuthenticatedData": "A String", # Optional data that must match the data originally supplied in
247        # EncryptRequest.additional_authenticated_data.
248  }
249
250  x__xgafv: string, V1 error format.
251    Allowed values
252      1 - v1 error format
253      2 - v2 error format
254
255Returns:
256  An object of the form:
257
258    { # Response message for KeyManagementService.Decrypt.
259    "plaintext": "A String", # The decrypted data originally supplied in EncryptRequest.plaintext.
260  }</pre>
261</div>
262
263<div class="method">
264    <code class="details" id="encrypt">encrypt(name, body, x__xgafv=None)</code>
265  <pre>Encrypts data, so that it can only be recovered by a call to Decrypt.
266
267Args:
268  name: string, Required. The resource name of the CryptoKey or CryptoKeyVersion
269to use for encryption.
270
271If a CryptoKey is specified, the server will use its
272primary version. (required)
273  body: object, The request body. (required)
274    The object takes the form of:
275
276{ # Request message for KeyManagementService.Encrypt.
277    "plaintext": "A String", # Required. The data to encrypt. Must be no larger than 64KiB.
278    "additionalAuthenticatedData": "A String", # Optional data that, if specified, must also be provided during decryption
279        # through DecryptRequest.additional_authenticated_data.  Must be no
280        # larger than 64KiB.
281  }
282
283  x__xgafv: string, V1 error format.
284    Allowed values
285      1 - v1 error format
286      2 - v2 error format
287
288Returns:
289  An object of the form:
290
291    { # Response message for KeyManagementService.Encrypt.
292    "ciphertext": "A String", # The encrypted data.
293    "name": "A String", # The resource name of the CryptoKeyVersion used in encryption.
294  }</pre>
295</div>
296
297<div class="method">
298    <code class="details" id="get">get(name, x__xgafv=None)</code>
299  <pre>Returns metadata for a given CryptoKey, as well as its
300primary CryptoKeyVersion.
301
302Args:
303  name: string, The name of the CryptoKey to get. (required)
304  x__xgafv: string, V1 error format.
305    Allowed values
306      1 - v1 error format
307      2 - v2 error format
308
309Returns:
310  An object of the form:
311
312    { # A CryptoKey represents a logical key that can be used for cryptographic
313      # operations.
314      #
315      # A CryptoKey is made up of one or more versions, which
316      # represent the actual key material used in cryptographic operations.
317    "name": "A String", # Output only. The resource name for this CryptoKey in the format
318        # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
319    "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
320        # automatically rotates a key. Must be at least one day.
321        #
322        # If rotation_period is set, next_rotation_time must also be set.
323    "primary": { # Output only. A copy of the "primary" CryptoKeyVersion that will be used
324        # by Encrypt when this CryptoKey is given in EncryptRequest.name.
325        #
326        # The CryptoKey's primary version can be updated via UpdateCryptoKeyPrimaryVersion.
327        #
328        # A CryptoKeyVersion represents an individual cryptographic key, and the
329        # associated key material.
330        #
331        # It can be used for cryptographic operations either directly, or via its
332        # parent CryptoKey, in which case the server will choose the appropriate
333        # version for the operation.
334      "state": "A String", # The current state of the CryptoKeyVersion.
335      "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
336          # for destruction. Only present if state is
337          # DESTROY_SCHEDULED.
338      "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
339      "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
340          # destroyed. Only present if state is
341          # DESTROYED.
342      "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
343          # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
344    },
345    "purpose": "A String", # The immutable purpose of this CryptoKey. Currently, the only acceptable
346        # purpose is ENCRYPT_DECRYPT.
347    "createTime": "A String", # Output only. The time at which this CryptoKey was created.
348    "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
349        #
350        # 1. Create a new version of this CryptoKey.
351        # 2. Mark the new version as primary.
352        #
353        # Key rotations performed manually via
354        # CreateCryptoKeyVersion and
355        # UpdateCryptoKeyPrimaryVersion
356        # do not affect next_rotation_time.
357  }</pre>
358</div>
359
360<div class="method">
361    <code class="details" id="getIamPolicy">getIamPolicy(resource, x__xgafv=None)</code>
362  <pre>Gets the access control policy for a resource.
363Returns an empty policy if the resource exists and does not have a policy
364set.
365
366Args:
367  resource: string, REQUIRED: The resource for which the policy is being requested.
368See the operation documentation for the appropriate value for this field. (required)
369  x__xgafv: string, V1 error format.
370    Allowed values
371      1 - v1 error format
372      2 - v2 error format
373
374Returns:
375  An object of the form:
376
377    { # Defines an Identity and Access Management (IAM) policy. It is used to
378      # specify access control policies for Cloud Platform resources.
379      #
380      #
381      # A `Policy` consists of a list of `bindings`. A `Binding` binds a list of
382      # `members` to a `role`, where the members can be user accounts, Google groups,
383      # Google domains, and service accounts. A `role` is a named list of permissions
384      # defined by IAM.
385      #
386      # **Example**
387      #
388      #     {
389      #       "bindings": [
390      #         {
391      #           "role": "roles/owner",
392      #           "members": [
393      #             "user:mike@example.com",
394      #             "group:admins@example.com",
395      #             "domain:google.com",
396      #             "serviceAccount:my-other-app@appspot.gserviceaccount.com",
397      #           ]
398      #         },
399      #         {
400      #           "role": "roles/viewer",
401      #           "members": ["user:sean@example.com"]
402      #         }
403      #       ]
404      #     }
405      #
406      # For a description of IAM and its features, see the
407      # [IAM developer's guide](https://cloud.google.com/iam).
408    "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
409      { # Specifies the audit configuration for a service.
410          # The configuration determines which permission types are logged, and what
411          # identities, if any, are exempted from logging.
412          # An AuditConfig must have one or more AuditLogConfigs.
413          #
414          # If there are AuditConfigs for both `allServices` and a specific service,
415          # the union of the two AuditConfigs is used for that service: the log_types
416          # specified in each AuditConfig are enabled, and the exempted_members in each
417          # AuditConfig are exempted.
418          #
419          # Example Policy with multiple AuditConfigs:
420          #
421          #     {
422          #       "audit_configs": [
423          #         {
424          #           "service": "allServices"
425          #           "audit_log_configs": [
426          #             {
427          #               "log_type": "DATA_READ",
428          #               "exempted_members": [
429          #                 "user:foo@gmail.com"
430          #               ]
431          #             },
432          #             {
433          #               "log_type": "DATA_WRITE",
434          #             },
435          #             {
436          #               "log_type": "ADMIN_READ",
437          #             }
438          #           ]
439          #         },
440          #         {
441          #           "service": "fooservice.googleapis.com"
442          #           "audit_log_configs": [
443          #             {
444          #               "log_type": "DATA_READ",
445          #             },
446          #             {
447          #               "log_type": "DATA_WRITE",
448          #               "exempted_members": [
449          #                 "user:bar@gmail.com"
450          #               ]
451          #             }
452          #           ]
453          #         }
454          #       ]
455          #     }
456          #
457          # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
458          # logging. It also exempts foo@gmail.com from DATA_READ logging, and
459          # bar@gmail.com from DATA_WRITE logging.
460        "exemptedMembers": [
461          "A String",
462        ],
463        "auditLogConfigs": [ # The configuration for logging of each type of permission.
464            # Next ID: 4
465          { # Provides the configuration for logging a type of permissions.
466              # Example:
467              #
468              #     {
469              #       "audit_log_configs": [
470              #         {
471              #           "log_type": "DATA_READ",
472              #           "exempted_members": [
473              #             "user:foo@gmail.com"
474              #           ]
475              #         },
476              #         {
477              #           "log_type": "DATA_WRITE",
478              #         }
479              #       ]
480              #     }
481              #
482              # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
483              # foo@gmail.com from DATA_READ logging.
484            "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
485                # permission.
486                # Follows the same format of Binding.members.
487              "A String",
488            ],
489            "logType": "A String", # The log type that this config enables.
490          },
491        ],
492        "service": "A String", # Specifies a service that will be enabled for audit logging.
493            # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
494            # `allServices` is a special value that covers all services.
495      },
496    ],
497    "rules": [ # If more than one rule is specified, the rules are applied in the following
498        # manner:
499        # - All matching LOG rules are always applied.
500        # - If any DENY/DENY_WITH_LOG rule matches, permission is denied.
501        #   Logging will be applied if one or more matching rule requires logging.
502        # - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is
503        #   granted.
504        #   Logging will be applied if one or more matching rule requires logging.
505        # - Otherwise, if no rule applies, permission is denied.
506      { # A rule to be applied in a Policy.
507        "notIn": [ # If one or more 'not_in' clauses are specified, the rule matches
508            # if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.
509            # The format for in and not_in entries is the same as for members in a
510            # Binding (see google/iam/v1/policy.proto).
511          "A String",
512        ],
513        "description": "A String", # Human-readable description of the rule.
514        "in": [ # If one or more 'in' clauses are specified, the rule matches if
515            # the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
516          "A String",
517        ],
518        "action": "A String", # Required
519        "conditions": [ # Additional restrictions that must be met
520          { # A condition to be met.
521            "iam": "A String", # Trusted attributes supplied by the IAM system.
522            "svc": "A String", # Trusted attributes discharged by the service.
523            "value": "A String", # DEPRECATED. Use 'values' instead.
524            "sys": "A String", # Trusted attributes supplied by any service that owns resources and uses
525                # the IAM system for access control.
526            "values": [ # The objects of the condition. This is mutually exclusive with 'value'.
527              "A String",
528            ],
529            "op": "A String", # An operator to apply the subject with.
530          },
531        ],
532        "logConfig": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries
533            # that match the LOG action.
534          { # Specifies what kind of log the caller must write
535            "counter": { # Options for counters # Counter options.
536              "field": "A String", # The field value to attribute.
537              "metric": "A String", # The metric to update.
538            },
539            "dataAccess": { # Write a Data Access (Gin) log # Data access options.
540            },
541            "cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
542              "logName": "A String", # The log_name to populate in the Cloud Audit Record.
543            },
544          },
545        ],
546        "permissions": [ # A permission is a string of form '<service>.<resource type>.<verb>'
547            # (e.g., 'storage.buckets.list'). A value of '*' matches all permissions,
548            # and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.
549          "A String",
550        ],
551      },
552    ],
553    "version": 42, # Version of the `Policy`. The default version is 0.
554    "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
555        # prevent simultaneous updates of a policy from overwriting each other.
556        # It is strongly suggested that systems make use of the `etag` in the
557        # read-modify-write cycle to perform policy updates in order to avoid race
558        # conditions: An `etag` is returned in the response to `getIamPolicy`, and
559        # systems are expected to put that etag in the request to `setIamPolicy` to
560        # ensure that their change will be applied to the same version of the policy.
561        #
562        # If no `etag` is provided in the call to `setIamPolicy`, then the existing
563        # policy is overwritten blindly.
564    "bindings": [ # Associates a list of `members` to a `role`.
565        # `bindings` with no members will result in an error.
566      { # Associates `members` with a `role`.
567        "role": "A String", # Role that is assigned to `members`.
568            # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
569            # Required
570        "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
571            # `members` can have the following values:
572            #
573            # * `allUsers`: A special identifier that represents anyone who is
574            #    on the internet, with or without a Google account.
575            #
576            # * `allAuthenticatedUsers`: A special identifier that represents anyone
577            #    who is authenticated with any Google account or service account, inside or outside your organization.
578            #
579            # * `user:{emailid}`: An email address that represents a specific Google
580            #    account. For example, `alice@gmail.com` or `joe@example.com`.
581            #
582            #
583            # * `serviceAccount:{emailid}`: An email address that represents a service
584            #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
585            #
586            # * `group:{emailid}`: An email address that represents a Google group.
587            #    For example, `admins@example.com`.
588            #
589            #
590            # * `domain:{domain}`: A Google Apps domain name that represents all the
591            #    users of that domain. For example, `google.com` or `example.com`.
592            #
593          "A String",
594        ],
595        "condition": { # The condition that is associated with this binding.
596            # NOTE: an unsatisfied condition will not allow user access via current binding.
597            # Different bindings, including their conditions, are examined independently.
598            # This field is GOOGLE_INTERNAL.
599            #
600            # Represents an expression text. Example:
601            #     title: "User account presence"
602            #     description: "Determines whether the request has a user account"
603            #     expression: "size(request.user) > 0"
604          "location": "A String", # An optional string indicating the location of the expression for error
605              # reporting, e.g. a file name and a position in the file.
606          "expression": "A String", # Textual representation of an expression in
607              # [Common Expression Language](http://go/api-expr) syntax.
608              #
609              # The application context of the containing message determines which
610              # well-known feature set of CEL is supported.
611          "description": "A String", # An optional description of the expression. This is a longer text which
612              # describes the expression, e.g. when hovered over it in a UI.
613          "title": "A String", # An optional title for the expression, i.e. a short string describing
614              # its purpose. This can be used e.g. in UIs that allow entering the
615              # expression.
616        },
617      },
618    ],
619    "iamOwned": True or False,
620  }</pre>
621</div>
622
623<div class="method">
624    <code class="details" id="list">list(parent, pageToken=None, x__xgafv=None, pageSize=None)</code>
625  <pre>Lists CryptoKeys.
626
627Args:
628  parent: string, Required. The resource name of the KeyRing to list, in the format
629`projects/*/locations/*/keyRings/*`. (required)
630  pageToken: string, Optional pagination token, returned earlier via
631ListCryptoKeysResponse.next_page_token.
632  x__xgafv: string, V1 error format.
633    Allowed values
634      1 - v1 error format
635      2 - v2 error format
636  pageSize: integer, Optional limit on the number of CryptoKeys to include in the
637response.  Further CryptoKeys can subsequently be obtained by
638including the ListCryptoKeysResponse.next_page_token in a subsequent
639request.  If unspecified, the server will pick an appropriate default.
640
641Returns:
642  An object of the form:
643
644    { # Response message for KeyManagementService.ListCryptoKeys.
645    "nextPageToken": "A String", # A token to retrieve next page of results. Pass this value in
646        # ListCryptoKeysRequest.page_token to retrieve the next page of results.
647    "cryptoKeys": [ # The list of CryptoKeys.
648      { # A CryptoKey represents a logical key that can be used for cryptographic
649          # operations.
650          #
651          # A CryptoKey is made up of one or more versions, which
652          # represent the actual key material used in cryptographic operations.
653        "name": "A String", # Output only. The resource name for this CryptoKey in the format
654            # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
655        "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
656            # automatically rotates a key. Must be at least one day.
657            #
658            # If rotation_period is set, next_rotation_time must also be set.
659        "primary": { # Output only. A copy of the "primary" CryptoKeyVersion that will be used
660            # by Encrypt when this CryptoKey is given in EncryptRequest.name.
661            #
662            # The CryptoKey's primary version can be updated via UpdateCryptoKeyPrimaryVersion.
663            #
664            # A CryptoKeyVersion represents an individual cryptographic key, and the
665            # associated key material.
666            #
667            # It can be used for cryptographic operations either directly, or via its
668            # parent CryptoKey, in which case the server will choose the appropriate
669            # version for the operation.
670          "state": "A String", # The current state of the CryptoKeyVersion.
671          "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
672              # for destruction. Only present if state is
673              # DESTROY_SCHEDULED.
674          "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
675          "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
676              # destroyed. Only present if state is
677              # DESTROYED.
678          "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
679              # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
680        },
681        "purpose": "A String", # The immutable purpose of this CryptoKey. Currently, the only acceptable
682            # purpose is ENCRYPT_DECRYPT.
683        "createTime": "A String", # Output only. The time at which this CryptoKey was created.
684        "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
685            #
686            # 1. Create a new version of this CryptoKey.
687            # 2. Mark the new version as primary.
688            #
689            # Key rotations performed manually via
690            # CreateCryptoKeyVersion and
691            # UpdateCryptoKeyPrimaryVersion
692            # do not affect next_rotation_time.
693      },
694    ],
695    "totalSize": 42, # The total number of CryptoKeys that matched the query.
696  }</pre>
697</div>
698
699<div class="method">
700    <code class="details" id="list_next">list_next(previous_request, previous_response)</code>
701  <pre>Retrieves the next page of results.
702
703Args:
704  previous_request: The request for the previous page. (required)
705  previous_response: The response from the request for the previous page. (required)
706
707Returns:
708  A request object that you can call 'execute()' on to request the next
709  page. Returns None if there are no more items in the collection.
710    </pre>
711</div>
712
713<div class="method">
714    <code class="details" id="patch">patch(name, body, updateMask=None, x__xgafv=None)</code>
715  <pre>Update a CryptoKey.
716
717Args:
718  name: string, Output only. The resource name for this CryptoKey in the format
719`projects/*/locations/*/keyRings/*/cryptoKeys/*`. (required)
720  body: object, The request body. (required)
721    The object takes the form of:
722
723{ # A CryptoKey represents a logical key that can be used for cryptographic
724    # operations.
725    #
726    # A CryptoKey is made up of one or more versions, which
727    # represent the actual key material used in cryptographic operations.
728  "name": "A String", # Output only. The resource name for this CryptoKey in the format
729      # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
730  "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
731      # automatically rotates a key. Must be at least one day.
732      #
733      # If rotation_period is set, next_rotation_time must also be set.
734  "primary": { # Output only. A copy of the "primary" CryptoKeyVersion that will be used
735      # by Encrypt when this CryptoKey is given in EncryptRequest.name.
736      #
737      # The CryptoKey's primary version can be updated via
738      # UpdateCryptoKeyPrimaryVersion.
739      #
740      # A CryptoKeyVersion represents an individual cryptographic key, and the
741      # associated key material.
742      # It can be used for cryptographic operations either directly, or via its
743      # parent CryptoKey, in which case the server will choose the appropriate
744      # version for the operation.
745    "state": "A String", # The current state of the CryptoKeyVersion.
746    "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
747        # for destruction. Only present if state is
748        # DESTROY_SCHEDULED.
749    "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
750    "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
751        # destroyed. Only present if state is
752        # DESTROYED.
753    "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
754        # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
755  },
756  "purpose": "A String", # The immutable purpose of this CryptoKey. Currently, the only acceptable
757      # purpose is ENCRYPT_DECRYPT.
758  "createTime": "A String", # Output only. The time at which this CryptoKey was created.
759  "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
760      #
761      # 1. Create a new version of this CryptoKey.
762      # 2. Mark the new version as primary.
763      #
764      # Key rotations performed manually via
765      # CreateCryptoKeyVersion and
766      # UpdateCryptoKeyPrimaryVersion
767      # do not affect next_rotation_time.
768}
769
770  updateMask: string, Required list of fields to be updated in this request.
771  x__xgafv: string, V1 error format.
772    Allowed values
773      1 - v1 error format
774      2 - v2 error format
775
776Returns:
777  An object of the form:
778
779    { # A CryptoKey represents a logical key that can be used for cryptographic
780      # operations.
781      #
782      # A CryptoKey is made up of one or more versions, which
783      # represent the actual key material used in cryptographic operations.
784    "name": "A String", # Output only. The resource name for this CryptoKey in the format
785        # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
786    "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
787        # automatically rotates a key. Must be at least one day.
788        #
789        # If rotation_period is set, next_rotation_time must also be set.
790    "primary": { # Output only. A copy of the "primary" CryptoKeyVersion that will be used
791        # by Encrypt when this CryptoKey is given in EncryptRequest.name.
792        #
793        # The CryptoKey's primary version can be updated via
794        # UpdateCryptoKeyPrimaryVersion.
795        #
796        # A CryptoKeyVersion represents an individual cryptographic key, and the
797        # associated key material.
798        # It can be used for cryptographic operations either directly, or via its
799        # parent CryptoKey, in which case the server will choose the appropriate
800        # version for the operation.
801      "state": "A String", # The current state of the CryptoKeyVersion.
802      "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
803          # for destruction. Only present if state is
804          # DESTROY_SCHEDULED.
805      "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
806      "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
807          # destroyed. Only present if state is
808          # DESTROYED.
809      "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
810          # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
811    },
812    "purpose": "A String", # The immutable purpose of this CryptoKey. Currently, the only acceptable
813        # purpose is ENCRYPT_DECRYPT.
814    "createTime": "A String", # Output only. The time at which this CryptoKey was created.
815    "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
816        #
817        # 1. Create a new version of this CryptoKey.
818        # 2. Mark the new version as primary.
819        #
820        # Key rotations performed manually via
821        # CreateCryptoKeyVersion and
822        # UpdateCryptoKeyPrimaryVersion
823        # do not affect next_rotation_time.
824  }</pre>
825</div>
826
827<div class="method">
828    <code class="details" id="setIamPolicy">setIamPolicy(resource, body, x__xgafv=None)</code>
829  <pre>Sets the access control policy on the specified resource. Replaces any
830existing policy.
831
832Args:
833  resource: string, REQUIRED: The resource for which the policy is being specified.
834See the operation documentation for the appropriate value for this field. (required)
835  body: object, The request body. (required)
836    The object takes the form of:
837
838{ # Request message for `SetIamPolicy` method.
839    "policy": { # REQUIRED: The complete policy to be applied to the `resource`. The size of
840        # the policy is limited to a few 10s of KB. An empty policy is a
841        # valid policy but certain Cloud Platform services (such as Projects)
842        # might reject it.
843        #
844        # Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources.
845        #
846        # A `Policy` consists of a list of `bindings`. A `Binding` binds a list of
847        # `members` to a `role`, where the members can be user accounts, Google groups,
848        # Google domains, and service accounts. A `role` is a named list of permissions
849        # defined by IAM.
850        #
851        # **Example**
852        #
853        #     {
854        #       "bindings": [
855        #         {
856        #           "role": "roles/owner",
857        #           "members": [
858        #             "user:mike@example.com",
859        #             "group:admins@example.com",
860        #             "domain:google.com",
861        #             "serviceAccount:my-other-app@appspot.gserviceaccount.com",
862        #           ]
863        #         },
864        #         {
865        #           "role": "roles/viewer",
866        #           "members": ["user:sean@example.com"]
867        #         }
868        #       ]
869        #     }
870        #
871        # For a description of IAM and its features, see the
872        # [IAM developer's guide](https://cloud.google.com/iam).
873      "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
874        { # Specifies the audit configuration for a service.
875            # The configuration determines which permission types are logged, and what
876            # identities, if any, are exempted from logging.
877            # An AuditConfig must have one or more AuditLogConfigs.
878            #
879            # If there are AuditConfigs for both `allServices` and a specific service,
880            # the union of the two AuditConfigs is used for that service: the log_types
881            # specified in each AuditConfig are enabled, and the exempted_members in each
882            # AuditConfig are exempted.
883            #
884            # Example Policy with multiple AuditConfigs:
885            #
886            #     {
887            #       "audit_configs": [
888            #         {
889            #           "service": "allServices"
890            #           "audit_log_configs": [
891            #             {
892            #               "log_type": "DATA_READ",
893            #               "exempted_members": [
894            #                 "user:foo@gmail.com"
895            #               ]
896            #             },
897            #             {
898            #               "log_type": "DATA_WRITE",
899            #             },
900            #             {
901            #               "log_type": "ADMIN_READ",
902            #             }
903            #           ]
904            #         },
905            #         {
906            #           "service": "fooservice.googleapis.com"
907            #           "audit_log_configs": [
908            #             {
909            #               "log_type": "DATA_READ",
910            #             },
911            #             {
912            #               "log_type": "DATA_WRITE",
913            #               "exempted_members": [
914            #                 "user:bar@gmail.com"
915            #               ]
916            #             }
917            #           ]
918            #         }
919            #       ]
920            #     }
921            #
922            # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
923            # logging. It also exempts foo@gmail.com from DATA_READ logging, and
924            # bar@gmail.com from DATA_WRITE logging.
925          "exemptedMembers": [
926            "A String",
927          ],
928          "auditLogConfigs": [ # The configuration for logging of each type of permission.
929              # Next ID: 4
930            { # Provides the configuration for logging a type of permissions.
931                # Example:
932                #
933                #     {
934                #       "audit_log_configs": [
935                #         {
936                #           "log_type": "DATA_READ",
937                #           "exempted_members": [
938                #             "user:foo@gmail.com"
939                #           ]
940                #         },
941                #         {
942                #           "log_type": "DATA_WRITE",
943                #         }
944                #       ]
945                #     }
946                #
947                # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
948                # foo@gmail.com from DATA_READ logging.
949              "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
950                  # permission.
951                  # Follows the same format of Binding.members.
952                "A String",
953              ],
954              "logType": "A String", # The log type that this config enables.
955            },
956          ],
957          "service": "A String", # Specifies a service that will be enabled for audit logging.
958              # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
959              # `allServices` is a special value that covers all services.
960        },
961      ],
962      "rules": [ # If more than one rule is specified, the rules are applied in the following
963          # manner:
964          # - All matching LOG rules are always applied.
965          # - If any DENY/DENY_WITH_LOG rule matches, permission is denied.
966          #   Logging will be applied if one or more matching rule requires logging.
967          # - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is
968          #   granted.
969          #   Logging will be applied if one or more matching rule requires logging.
970          # - Otherwise, if no rule applies, permission is denied.
971        { # A rule to be applied in a Policy.
972          "notIn": [ # If one or more 'not_in' clauses are specified, the rule matches
973              # if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.
974              # The format for in and not_in entries is the same as for members in a
975              # Binding (see google/iam/v1/policy.proto).
976            "A String",
977          ],
978          "description": "A String", # Human-readable description of the rule.
979          "in": [ # If one or more 'in' clauses are specified, the rule matches if
980              # the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
981            "A String",
982          ],
983          "action": "A String", # Required
984          "conditions": [ # Additional restrictions that must be met
985            { # A condition to be met.
986              "iam": "A String", # Trusted attributes supplied by the IAM system.
987              "svc": "A String", # Trusted attributes discharged by the service.
988              "value": "A String", # DEPRECATED. Use 'values' instead.
989              "sys": "A String", # Trusted attributes supplied by any service that owns resources and uses
990                  # the IAM system for access control.
991              "values": [ # The objects of the condition. This is mutually exclusive with 'value'.
992                "A String",
993              ],
994              "op": "A String", # An operator to apply the subject with.
995            },
996          ],
997          "logConfig": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries
998              # that match the LOG action.
999            { # Specifies what kind of log the caller must write
1000              "counter": { # Options for counters # Counter options.
1001                "field": "A String", # The field value to attribute.
1002                "metric": "A String", # The metric to update.
1003              },
1004              "dataAccess": { # Write a Data Access (Gin) log # Data access options.
1005              },
1006              "cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
1007                "logName": "A String", # The log_name to populate in the Cloud Audit Record.
1008              },
1009            },
1010          ],
1011          "permissions": [ # A permission is a string of form '<service>.<resource type>.<verb>'
1012              # (e.g., 'storage.buckets.list'). A value of '*' matches all permissions,
1013              # and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.
1014            "A String",
1015          ],
1016        },
1017      ],
1018      "version": 42, # Version of the `Policy`. The default version is 0.
1019      "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
1020          # prevent simultaneous updates of a policy from overwriting each other.
1021          # It is strongly suggested that systems make use of the `etag` in the
1022          # read-modify-write cycle to perform policy updates in order to avoid race
1023          # conditions: An `etag` is returned in the response to `getIamPolicy`, and
1024          # systems are expected to put that etag in the request to `setIamPolicy` to
1025          # ensure that their change will be applied to the same version of the policy.
1026          #
1027          # If no `etag` is provided in the call to `setIamPolicy`, then the existing
1028          # policy is overwritten blindly, discarding any concurrent change made since it was read.
1029      "bindings": [ # Associates a list of `members` to a `role`.
1030          # `bindings` with no members will result in an error.
1031        { # Associates `members` with a `role`.
1032          "role": "A String", # Role that is assigned to `members`.
1033              # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
1034              # Required
1035          "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
1036              # `members` can have the following values:
1037              #
1038              # * `allUsers`: A special identifier that represents anyone who is
1039              #    on the internet, with or without a Google account.
1040              #
1041              # * `allAuthenticatedUsers`: A special identifier that represents anyone
1042              #    who is authenticated with a Google account or a service account, including accounts outside your organization.
1043              #
1044              # * `user:{emailid}`: An email address that represents a specific Google
1045              #    account. For example, `alice@gmail.com` or `joe@example.com`.
1046              #
1047              #
1048              # * `serviceAccount:{emailid}`: An email address that represents a service
1049              #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
1050              #
1051              # * `group:{emailid}`: An email address that represents a Google group.
1052              #    For example, `admins@example.com`.
1053              #
1054              #
1055              # * `domain:{domain}`: A Google Apps domain name that represents all the
1056              #    users of that domain. For example, `google.com` or `example.com`.
1057              #
1058            "A String",
1059          ],
1060          "condition": { # The condition that is associated with this binding.
1061              # NOTE: an unsatisfied condition will not allow user access via the current
1062              # binding. Different bindings, including their conditions, are examined
1063              # independently.
1064              # This field is GOOGLE_INTERNAL.
1065              # Represents an expression text. Example:
1066              #     title: "User account presence"
1067              #     description: "Determines whether the request has a user account"
1068              #     expression: "size(request.user) > 0"
1069            "location": "A String", # An optional string indicating the location of the expression for error
1070                # reporting, e.g. a file name and a position in the file.
1071            "expression": "A String", # Textual representation of an expression in
1072                # [Common Expression Language](http://go/api-expr) syntax.
1073                #
1074                # The application context of the containing message determines which
1075                # well-known feature set of CEL is supported.
1076            "description": "A String", # An optional description of the expression. This is a longer text which
1077                # describes the expression, e.g. when hovered over it in a UI.
1078            "title": "A String", # An optional title for the expression, i.e. a short string describing
1079                # its purpose. This can be used e.g. in UIs which allow to enter the
1080                # expression.
1081          },
1082        },
1083      ],
1084      "iamOwned": True or False,
1085    },
1086    "updateMask": "A String", # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
1087        # the fields in the mask will be modified. If no mask is provided, the
1088        # following default mask is used:
1089        # paths: "bindings, etag"
1090        # This field is only used by Cloud IAM.
1091  }
1092
1093  x__xgafv: string, V1 error format.
1094    Allowed values
1095      1 - v1 error format
1096      2 - v2 error format
1097
1098Returns:
1099  An object of the form:
1100
1101    { # Defines an Identity and Access Management (IAM) policy. It is used to
1102      # specify access control policies for Cloud Platform resources.
1103      #
1104      #
1105      # A `Policy` consists of a list of `bindings`. A `Binding` binds a list of
1106      # `members` to a `role`, where the members can be user accounts, Google groups,
1107      # Google domains, and service accounts. A `role` is a named list of permissions
1108      # defined by IAM.
1109      #
1110      # **Example**
1111      #
1112      #     {
1113      #       "bindings": [
1114      #         {
1115      #           "role": "roles/owner",
1116      #           "members": [
1117      #             "user:mike@example.com",
1118      #             "group:admins@example.com",
1119      #             "domain:google.com",
1120      #             "serviceAccount:my-other-app@appspot.gserviceaccount.com",
1121      #           ]
1122      #         },
1123      #         {
1124      #           "role": "roles/viewer",
1125      #           "members": ["user:sean@example.com"]
1126      #         }
1127      #       ]
1128      #     }
1129      #
1130      # For a description of IAM and its features, see the
1131      # [IAM developer's guide](https://cloud.google.com/iam).
1132    "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
1133      { # Specifies the audit configuration for a service.
1134          # The configuration determines which permission types are logged, and what
1135          # identities, if any, are exempted from logging.
1136          # An AuditConfig must have one or more AuditLogConfigs.
1137          #
1138          # If there are AuditConfigs for both `allServices` and a specific service,
1139          # the union of the two AuditConfigs is used for that service: the log_types
1140          # specified in each AuditConfig are enabled, and the exempted_members in each
1141          # AuditConfig are exempted.
1142          #
1143          # Example Policy with multiple AuditConfigs:
1144          #
1145          #     {
1146          #       "audit_configs": [
1147          #         {
1148          #           "service": "allServices"
1149          #           "audit_log_configs": [
1150          #             {
1151          #               "log_type": "DATA_READ",
1152          #               "exempted_members": [
1153          #                 "user:foo@gmail.com"
1154          #               ]
1155          #             },
1156          #             {
1157          #               "log_type": "DATA_WRITE",
1158          #             },
1159          #             {
1160          #               "log_type": "ADMIN_READ",
1161          #             }
1162          #           ]
1163          #         },
1164          #         {
1165          #           "service": "fooservice.googleapis.com"
1166          #           "audit_log_configs": [
1167          #             {
1168          #               "log_type": "DATA_READ",
1169          #             },
1170          #             {
1171          #               "log_type": "DATA_WRITE",
1172          #               "exempted_members": [
1173          #                 "user:bar@gmail.com"
1174          #               ]
1175          #             }
1176          #           ]
1177          #         }
1178          #       ]
1179          #     }
1180          #
1181          # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
1182          # logging. It also exempts foo@gmail.com from DATA_READ logging, and
1183          # bar@gmail.com from DATA_WRITE logging.
1184        "exemptedMembers": [
1185          "A String",
1186        ],
1187        "auditLogConfigs": [ # The configuration for logging of each type of permission.
1188            # Next ID: 4
1189          { # Provides the configuration for logging a type of permissions.
1190              # Example:
1191              #
1192              #     {
1193              #       "audit_log_configs": [
1194              #         {
1195              #           "log_type": "DATA_READ",
1196              #           "exempted_members": [
1197              #             "user:foo@gmail.com"
1198              #           ]
1199              #         },
1200              #         {
1201              #           "log_type": "DATA_WRITE",
1202              #         }
1203              #       ]
1204              #     }
1205              #
1206              # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
1207              # foo@gmail.com from DATA_READ logging.
1208            "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
1209                # permission.
1210                # Follows the same format of Binding.members.
1211              "A String",
1212            ],
1213            "logType": "A String", # The log type that this config enables.
1214          },
1215        ],
1216        "service": "A String", # Specifies a service that will be enabled for audit logging.
1217            # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
1218            # `allServices` is a special value that covers all services.
1219      },
1220    ],
1221    "rules": [ # If more than one rule is specified, the rules are applied in the following
1222        # manner:
1223        # - All matching LOG rules are always applied.
1224        # - If any DENY/DENY_WITH_LOG rule matches, permission is denied.
1225        #   Logging will be applied if one or more matching rule requires logging.
1226        # - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is
1227        #   granted.
1228        #   Logging will be applied if one or more matching rule requires logging.
1229        # - Otherwise, if no rule applies, permission is denied.
1230      { # A rule to be applied in a Policy.
1231        "notIn": [ # If one or more 'not_in' clauses are specified, the rule matches
1232            # if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.
1233            # The format for in and not_in entries is the same as for members in a
1234            # Binding (see google/iam/v1/policy.proto).
1235          "A String",
1236        ],
1237        "description": "A String", # Human-readable description of the rule.
1238        "in": [ # If one or more 'in' clauses are specified, the rule matches if
1239            # the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
1240          "A String",
1241        ],
1242        "action": "A String", # Required
1243        "conditions": [ # Additional restrictions that must be met
1244          { # A condition to be met.
1245            "iam": "A String", # Trusted attributes supplied by the IAM system.
1246            "svc": "A String", # Trusted attributes discharged by the service.
1247            "value": "A String", # DEPRECATED. Use 'values' instead.
1248            "sys": "A String", # Trusted attributes supplied by any service that owns resources and uses
1249                # the IAM system for access control.
1250            "values": [ # The objects of the condition. This is mutually exclusive with 'value'.
1251              "A String",
1252            ],
1253            "op": "A String", # An operator to apply the subject with.
1254          },
1255        ],
1256        "logConfig": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries
1257            # that match the LOG action.
1258          { # Specifies what kind of log the caller must write
1259            "counter": { # Options for counters # Counter options.
1260              "field": "A String", # The field value to attribute.
1261              "metric": "A String", # The metric to update.
1262            },
1263            "dataAccess": { # Write a Data Access (Gin) log # Data access options.
1264            },
1265            "cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
1266              "logName": "A String", # The log_name to populate in the Cloud Audit Record.
1267            },
1268          },
1269        ],
1270        "permissions": [ # A permission is a string of form '<service>.<resource type>.<verb>'
1271            # (e.g., 'storage.buckets.list'). A value of '*' matches all permissions,
1272            # and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.
1273          "A String",
1274        ],
1275      },
1276    ],
1277    "version": 42, # Version of the `Policy`. The default version is 0.
1278    "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
1279        # prevent simultaneous updates of a policy from overwriting each other.
1280        # It is strongly suggested that systems make use of the `etag` in the
1281        # read-modify-write cycle to perform policy updates in order to avoid race
1282        # conditions: An `etag` is returned in the response to `getIamPolicy`, and
1283        # systems are expected to put that etag in the request to `setIamPolicy` to
1284        # ensure that their change will be applied to the same version of the policy.
1285        #
1286        # If no `etag` is provided in the call to `setIamPolicy`, then the existing
1287        # policy is overwritten blindly, discarding any concurrent change made since it was read.
1288    "bindings": [ # Associates a list of `members` to a `role`.
1289        # `bindings` with no members will result in an error.
1290      { # Associates `members` with a `role`.
1291        "role": "A String", # Role that is assigned to `members`.
1292            # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
1293            # Required
1294        "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
1295            # `members` can have the following values:
1296            #
1297            # * `allUsers`: A special identifier that represents anyone who is
1298            #    on the internet, with or without a Google account.
1299            #
1300            # * `allAuthenticatedUsers`: A special identifier that represents anyone
1301            #    who is authenticated with a Google account or a service account, including accounts outside your organization.
1302            #
1303            # * `user:{emailid}`: An email address that represents a specific Google
1304            #    account. For example, `alice@gmail.com` or `joe@example.com`.
1305            #
1306            #
1307            # * `serviceAccount:{emailid}`: An email address that represents a service
1308            #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
1309            #
1310            # * `group:{emailid}`: An email address that represents a Google group.
1311            #    For example, `admins@example.com`.
1312            #
1313            #
1314            # * `domain:{domain}`: A Google Apps domain name that represents all the
1315            #    users of that domain. For example, `google.com` or `example.com`.
1316            #
1317          "A String",
1318        ],
1319        "condition": { # The condition that is associated with this binding.
1320            # NOTE: an unsatisfied condition will not allow user access via current
1321            # binding. Different bindings, including their conditions, are examined
1322            # independently.
1323            # This field is GOOGLE_INTERNAL.
1324            # The condition represents an expression text. Example:
1325            #     title: "User account presence"
1326            #     description: "Determines whether the request has a user account"
1327            #     expression: "size(request.user) > 0"
1328          "location": "A String", # An optional string indicating the location of the expression for error
1329              # reporting, e.g. a file name and a position in the file.
1330          "expression": "A String", # Textual representation of an expression in
1331              # [Common Expression Language](http://go/api-expr) syntax.
1332              #
1333              # The application context of the containing message determines which
1334              # well-known feature set of CEL is supported.
1335          "description": "A String", # An optional description of the expression. This is a longer text which
1336              # describes the expression, e.g. when hovered over it in a UI.
1337          "title": "A String", # An optional title for the expression, i.e. a short string describing
1338              # its purpose. This can be used e.g. in UIs which allow to enter the
1339              # expression.
1340        },
1341      },
1342    ],
1343    "iamOwned": True or False,
1344  }</pre>
1345</div>
1346
1347<div class="method">
1348    <code class="details" id="testIamPermissions">testIamPermissions(resource, body, x__xgafv=None)</code>
1349  <pre>Returns permissions that a caller has on the specified resource.
1350If the resource does not exist, this will return an empty set of
1351permissions, not a NOT_FOUND error.
1352
1353Note: This operation is designed to be used for building permission-aware
1354UIs and command-line tools, not for authorization checking. This operation
1355may "fail open" without warning, so never use its result to decide access.
1356
1357Args:
1358  resource: string, REQUIRED: The resource for which the policy detail is being requested.
1359See the operation documentation for the appropriate value for this field. (required)
1360  body: object, The request body. (required)
1361    The object takes the form of:
1362
1363{ # Request message for `TestIamPermissions` method.
1364    "permissions": [ # The set of permissions to check for the `resource`. Permissions with
1365        # wildcards (such as '*' or 'storage.*') are not allowed. For more
1366        # information see
1367        # [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).
1368      "A String",
1369    ],
1370  }
1371
1372  x__xgafv: string, V1 error format.
1373    Allowed values
1374      1 - v1 error format
1375      2 - v2 error format
1376
1377Returns:
1378  An object of the form:
1379
1380    { # Response message for `TestIamPermissions` method.
1381    "permissions": [ # A subset of `TestIamPermissionsRequest.permissions` that the caller is
1382        # allowed.
1383      "A String",
1384    ],
1385  }</pre>
1386</div>
1387
1388<div class="method">
1389    <code class="details" id="updatePrimaryVersion">updatePrimaryVersion(name, body, x__xgafv=None)</code>
1390  <pre>Update the version of a CryptoKey that will be used in Encrypt.
1391
1392Args:
1393  name: string, The resource name of the CryptoKey to update. (required)
1394  body: object, The request body. (required)
1395    The object takes the form of:
1396
1397{ # Request message for KeyManagementService.UpdateCryptoKeyPrimaryVersion.
1398    "cryptoKeyVersionId": "A String", # The id of the child CryptoKeyVersion to use as primary.
1399  }
1400
1401  x__xgafv: string, V1 error format.
1402    Allowed values
1403      1 - v1 error format
1404      2 - v2 error format
1405
1406Returns:
1407  An object of the form:
1408
1409    { # A CryptoKey represents a logical key that can be used for cryptographic
1410      # operations.
1411      #
1412      # A CryptoKey is made up of one or more versions, which
1413      # represent the actual key material used in cryptographic operations.
1414    "name": "A String", # Output only. The resource name for this CryptoKey in the format
1415        # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
1416    "rotationPeriod": "A String", # next_rotation_time will be advanced by this period when the service
1417        # automatically rotates a key. Must be at least one day.
1418        #
1419        # If rotation_period is set, next_rotation_time must also be set.
1420    "primary": { # Output only. A copy of the "primary" CryptoKeyVersion that will be used
1421        # by Encrypt when this CryptoKey is given
1422        # in EncryptRequest.name.
1423        #
1424        # The CryptoKey's primary version can be updated via
1425        # UpdateCryptoKeyPrimaryVersion.
1426        #
1427        # A CryptoKeyVersion represents an individual cryptographic key, and the
1428        # associated key material. It can be used for cryptographic operations
1429        # either directly, or via its parent CryptoKey, in which case the server
1430        # will choose the appropriate version for the operation.
1431      "state": "A String", # The current state of the CryptoKeyVersion.
1432      "destroyTime": "A String", # Output only. The time this CryptoKeyVersion's key material is scheduled
1433          # for destruction. Only present if state is
1434          # DESTROY_SCHEDULED.
1435      "createTime": "A String", # Output only. The time at which this CryptoKeyVersion was created.
1436      "destroyEventTime": "A String", # Output only. The time this CryptoKeyVersion's key material was
1437          # destroyed. Only present if state is
1438          # DESTROYED.
1439      "name": "A String", # Output only. The resource name for this CryptoKeyVersion in the format
1440          # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
1441    },
1442    "purpose": "A String", # The immutable purpose of this CryptoKey. Currently, the only acceptable
1443        # purpose is ENCRYPT_DECRYPT.
1444    "createTime": "A String", # Output only. The time at which this CryptoKey was created.
1445    "nextRotationTime": "A String", # At next_rotation_time, the Key Management Service will automatically:
1446        #
1447        # 1. Create a new version of this CryptoKey.
1448        # 2. Mark the new version as primary.
1449        #
1450        # Key rotations performed manually via
1451        # CreateCryptoKeyVersion and
1452        # UpdateCryptoKeyPrimaryVersion
1453        # do not affect next_rotation_time.
1454  }</pre>
1455</div>
1456
1457</body></html>