<html><body>
<style>

body, h1, h2, h3, div, span, p, pre, a {
  margin: 0;
  padding: 0;
  border: 0;
  font-weight: inherit;
  font-style: inherit;
  font-size: 100%;
  font-family: inherit;
  vertical-align: baseline;
}

body {
  font-size: 13px;
  padding: 1em;
}

h1 {
  font-size: 26px;
  margin-bottom: 1em;
}

h2 {
  font-size: 24px;
  margin-bottom: 1em;
}

h3 {
  font-size: 20px;
  margin-bottom: 1em;
  margin-top: 1em;
}

pre, code {
  line-height: 1.5;
  font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
}

pre {
  margin-top: 0.5em;
}

h1, h2, h3, p {
  font-family: Arial, sans-serif;
}

h1, h2, h3 {
  border-bottom: solid #CCC 1px;
}

.toc_element {
  margin-top: 0.5em;
}

.firstline {
  margin-left: 2em;
}

.method {
  margin-top: 1em;
  border: solid 1px #CCC;
  padding: 1em;
  background: #EEE;
}

.details {
  font-weight: bold;
  font-size: 14px;
}

</style>

<h1><a href="compute_alpha.html">Compute Engine API</a> . <a href="compute_alpha.licenseCodes.html">licenseCodes</a></h1>
<h2>Instance Methods</h2>
<p class="toc_element">
  <code><a href="#get">get(project, licenseCode)</a></code></p>
<p class="firstline">Return a specified license code. License codes are mirrored across all projects that have permissions to read the License Code.</p>
<p class="toc_element">
  <code><a href="#getIamPolicy">getIamPolicy(project, resource)</a></code></p>
<p class="firstline">Gets the access control policy for a resource. May be empty if no such policy or resource exists.</p>
<p class="toc_element">
  <code><a href="#setIamPolicy">setIamPolicy(project, resource, body)</a></code></p>
<p class="firstline">Sets the access control policy on the specified resource. Replaces any existing policy.</p>
<p class="toc_element">
  <code><a href="#testIamPermissions">testIamPermissions(project, resource, body)</a></code></p>
<p class="firstline">Returns permissions that a caller has on the specified resource.</p>
<h3>Method Details</h3>
<div class="method">
    <code class="details" id="get">get(project, licenseCode)</code>
  <pre>Return a specified license code. License codes are mirrored across all projects that have permissions to read the License Code.

Args:
  project: string, Project ID for this request. (required)
  licenseCode: string, Number corresponding to the License code resource to return. (required)

Returns:
  An object of the form:

    {
    "kind": "compute#licenseCode", # [Output Only] Type of resource. Always compute#licenseCode for licenses.
    "description": "A String", # [Output Only] Description of this License Code.
    "transferable": True or False, # [Output Only] If true, the license will remain attached when creating images or snapshots from disks. Otherwise, the license is not transferred.
    "state": "A String", # [Output Only] Current state of this License Code.
    "licenseAlias": [ # [Output Only] URL and description aliases of Licenses with the same License Code.
      {
        "description": "A String", # [Output Only] Description of this License Code.
        "selfLink": "A String", # [Output Only] URL of license corresponding to this License Code.
      },
    ],
    "creationTimestamp": "A String", # [Output Only] Creation timestamp in RFC3339 text format.
    "id": "A String", # [Output Only] The unique identifier for the resource. This identifier is defined by the server.
    "selfLink": "A String", # [Output Only] Server-defined URL for the resource.
    "name": "A String", # [Output Only] Name of the resource. The name is 1-20 characters long and must be a valid 64 bit integer.
  }</pre>
</div>

<div class="method">
    <code class="details" id="getIamPolicy">getIamPolicy(project, resource)</code>
  <pre>Gets the access control policy for a resource. May be empty if no such policy or resource exists.

Args:
  project: string, Project ID for this request. (required)
  resource: string, Name or id of the resource for this request. (required)

Returns:
  An object of the form:

    { # Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources.
      #
      #
      #
      # A `Policy` consists of a list of `bindings`. A `binding` binds a list of `members` to a `role`, where the members can be user accounts, Google groups, Google domains, and service accounts. A `role` is a named list of permissions defined by IAM.
      #
      # **JSON Example**
      #
      # { "bindings": [ { "role": "roles/owner", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-other-app@appspot.gserviceaccount.com" ] }, { "role": "roles/viewer", "members": ["user:sean@example.com"] } ] }
      #
      # **YAML Example**
      #
      # bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-other-app@appspot.gserviceaccount.com role: roles/owner - members: - user:sean@example.com role: roles/viewer
      #
      #
      #
      # For a description of IAM and its features, see the [IAM developer's guide](https://cloud.google.com/iam/docs).
    "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
      { # Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.
          #
          # If there are AuditConfigs for both `allServices` and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted.
          #
          # Example Policy with multiple AuditConfigs:
          #
          # { "audit_configs": [ { "service": "allServices" "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:foo@gmail.com" ] }, { "log_type": "DATA_WRITE", }, { "log_type": "ADMIN_READ", } ] }, { "service": "fooservice.googleapis.com" "audit_log_configs": [ { "log_type": "DATA_READ", }, { "log_type": "DATA_WRITE", "exempted_members": [ "user:bar@gmail.com" ] } ] } ] }
          #
          # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts foo@gmail.com from DATA_READ logging, and bar@gmail.com from DATA_WRITE logging.
        "exemptedMembers": [
          "A String",
        ],
        "auditLogConfigs": [ # The configuration for logging of each type of permission.
          { # Provides the configuration for logging a type of permissions. Example:
              #
              # { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:foo@gmail.com" ] }, { "log_type": "DATA_WRITE", } ] }
              #
              # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting foo@gmail.com from DATA_READ logging.
            "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of permission. Follows the same format of [Binding.members][].
              "A String",
            ],
            "logType": "A String", # The log type that this config enables.
          },
        ],
        "service": "A String", # Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.
      },
    ],
    "rules": [ # If more than one rule is specified, the rules are applied in the following manner: - All matching LOG rules are always applied. - If any DENY/DENY_WITH_LOG rule matches, permission is denied. Logging will be applied if one or more matching rule requires logging. - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is granted. Logging will be applied if one or more matching rule requires logging. - Otherwise, if no rule applies, permission is denied.
      { # A rule to be applied in a Policy.
        "logConfigs": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries that match the LOG action.
          { # Specifies what kind of log the caller must write
            "counter": { # Increment a streamz counter with the specified metric and field names. # Counter options.
                #
                # Metric names should start with a '/', generally be lowercase-only, and end in "_count". Field names should not contain an initial slash. The actual exported metric names will have "/iam/policy" prepended.
                #
                # Field names correspond to IAM request parameters and field values are their respective values.
                #
                # Supported field names: - "authority", which is "[token]" if IAMContext.token is present, otherwise the value of IAMContext.authority_selector if present, and otherwise a representation of IAMContext.principal; or - "iam_principal", a representation of IAMContext.principal even if a token or authority selector is present; or - "" (empty string), resulting in a counter with no fields.
                #
                # Examples: counter { metric: "/debug_access_count" field: "iam_principal" } ==> increment counter /iam/policy/backend_debug_access_count {iam_principal=[value of IAMContext.principal]}
                #
                # At this time we do not support multiple field names (though this may be supported in the future).
              "field": "A String", # The field value to attribute.
              "metric": "A String", # The metric to update.
            },
            "dataAccess": { # Write a Data Access (Gin) log # Data access options.
              "logMode": "A String", # Whether Gin logging should happen in a fail-closed manner at the caller. This is relevant only in the LocalIAM implementation, for now.
            },
            "cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
              "logName": "A String", # The log_name to populate in the Cloud Audit Record.
              "authorizationLoggingOptions": { # Authorization-related information used by Cloud Audit Logging. # Information used by the Cloud Audit Logging pipeline.
                "permissionType": "A String", # The type of the permission that was checked.
              },
            },
          },
        ],
        "notIns": [ # If one or more 'not_in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.
          "A String",
        ],
        "ins": [ # If one or more 'in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
          "A String",
        ],
        "action": "A String", # Required
        "permissions": [ # A permission is a string of form '..' (e.g., 'storage.buckets.list'). A value of '*' matches all permissions, and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.
          "A String",
        ],
        "conditions": [ # Additional restrictions that must be met. All conditions must pass for the rule to match.
          { # A condition to be met.
            "iam": "A String", # Trusted attributes supplied by the IAM system.
            "sys": "A String", # Trusted attributes supplied by any service that owns resources and uses the IAM system for access control.
            "values": [ # The objects of the condition.
              "A String",
            ],
            "svc": "A String", # Trusted attributes discharged by the service.
            "op": "A String", # An operator to apply the subject with.
          },
        ],
        "description": "A String", # Human-readable description of the rule.
      },
    ],
    "version": 42, # Deprecated.
    "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the `etag` in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An `etag` is returned in the response to `getIamPolicy`, and systems are expected to put that etag in the request to `setIamPolicy` to ensure that their change will be applied to the same version of the policy.
        #
        # If no `etag` is provided in the call to `setIamPolicy`, then the existing policy is overwritten blindly.
    "bindings": [ # Associates a list of `members` to a `role`. `bindings` with no members will result in an error.
      { # Associates `members` with a `role`.
        "role": "A String", # Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
        "members": [ # Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values:
            #
            # * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account.
            #
            # * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account.
            #
            # * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@gmail.com`.
            #
            #
            #
            # * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`.
            #
            # * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`.
            #
            #
            #
            # * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`.
          "A String",
        ],
        "condition": { # Represents an expression text. Example: # The condition that is associated with this binding. NOTE: An unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
            #
            # title: "User account presence" description: "Determines whether the request has a user account" expression: "size(request.user) > 0"
          "title": "A String", # An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
          "expression": "A String", # Textual representation of an expression in Common Expression Language syntax.
              #
              # The application context of the containing message determines which well-known feature set of CEL is supported.
          "description": "A String", # An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
          "location": "A String", # An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
        },
      },
    ],
    "iamOwned": True or False,
  }</pre>
</div>

<div class="method">
    <code class="details" id="setIamPolicy">setIamPolicy(project, resource, body)</code>
  <pre>Sets the access control policy on the specified resource. Replaces any existing policy.

Args:
  project: string, Project ID for this request. (required)
  resource: string, Name or id of the resource for this request. (required)
  body: object, The request body. (required)
    The object takes the form of:

{
    "policy": { # Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources. # REQUIRED: The complete policy to be applied to the 'resource'. The size of the policy is limited to a few 10s of KB. An empty policy is in general a valid policy but certain services (like Projects) might reject them.
        #
        #
        #
        # A `Policy` consists of a list of `bindings`. A `binding` binds a list of `members` to a `role`, where the members can be user accounts, Google groups, Google domains, and service accounts. A `role` is a named list of permissions defined by IAM.
        #
        # **JSON Example**
        #
        # { "bindings": [ { "role": "roles/owner", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-other-app@appspot.gserviceaccount.com" ] }, { "role": "roles/viewer", "members": ["user:sean@example.com"] } ] }
        #
        # **YAML Example**
        #
        # bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-other-app@appspot.gserviceaccount.com role: roles/owner - members: - user:sean@example.com role: roles/viewer
        #
        #
        #
        # For a description of IAM and its features, see the [IAM developer's guide](https://cloud.google.com/iam/docs).
      "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
        { # Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.
            #
            # If there are AuditConfigs for both `allServices` and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted.
            #
            # Example Policy with multiple AuditConfigs:
            #
            # { "audit_configs": [ { "service": "allServices" "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:foo@gmail.com" ] }, { "log_type": "DATA_WRITE", }, { "log_type": "ADMIN_READ", } ] }, { "service": "fooservice.googleapis.com" "audit_log_configs": [ { "log_type": "DATA_READ", }, { "log_type": "DATA_WRITE", "exempted_members": [ "user:bar@gmail.com" ] } ] } ] }
            #
            # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts foo@gmail.com from DATA_READ logging, and bar@gmail.com from DATA_WRITE logging.
          "exemptedMembers": [
            "A String",
          ],
          "auditLogConfigs": [ # The configuration for logging of each type of permission.
            { # Provides the configuration for logging a type of permissions. Example:
                #
                # { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:foo@gmail.com" ] }, { "log_type": "DATA_WRITE", } ] }
                #
                # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting foo@gmail.com from DATA_READ logging.
              "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of permission. Follows the same format of [Binding.members][].
                "A String",
              ],
              "logType": "A String", # The log type that this config enables.
            },
          ],
          "service": "A String", # Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.
        },
      ],
      "rules": [ # If more than one rule is specified, the rules are applied in the following manner: - All matching LOG rules are always applied. - If any DENY/DENY_WITH_LOG rule matches, permission is denied. Logging will be applied if one or more matching rule requires logging. - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is granted. Logging will be applied if one or more matching rule requires logging. - Otherwise, if no rule applies, permission is denied.
        { # A rule to be applied in a Policy.
          "logConfigs": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries that match the LOG action.
            { # Specifies what kind of log the caller must write
              "counter": { # Increment a streamz counter with the specified metric and field names. # Counter options.
                  #
                  # Metric names should start with a '/', generally be lowercase-only, and end in "_count". Field names should not contain an initial slash. The actual exported metric names will have "/iam/policy" prepended.
                  #
                  # Field names correspond to IAM request parameters and field values are their respective values.
                  #
                  # Supported field names: - "authority", which is "[token]" if IAMContext.token is present, otherwise the value of IAMContext.authority_selector if present, and otherwise a representation of IAMContext.principal; or - "iam_principal", a representation of IAMContext.principal even if a token or authority selector is present; or - "" (empty string), resulting in a counter with no fields.
                  #
                  # Examples: counter { metric: "/debug_access_count" field: "iam_principal" } ==> increment counter /iam/policy/backend_debug_access_count {iam_principal=[value of IAMContext.principal]}
                  #
                  # At this time we do not support multiple field names (though this may be supported in the future).
                "field": "A String", # The field value to attribute.
                "metric": "A String", # The metric to update.
              },
              "dataAccess": { # Write a Data Access (Gin) log # Data access options.
                "logMode": "A String", # Whether Gin logging should happen in a fail-closed manner at the caller. This is relevant only in the LocalIAM implementation, for now.
              },
              "cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
                "logName": "A String", # The log_name to populate in the Cloud Audit Record.
                "authorizationLoggingOptions": { # Authorization-related information used by Cloud Audit Logging. # Information used by the Cloud Audit Logging pipeline.
                  "permissionType": "A String", # The type of the permission that was checked.
                },
              },
            },
          ],
          "notIns": [ # If one or more 'not_in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.
            "A String",
          ],
          "ins": [ # If one or more 'in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
            "A String",
          ],
          "action": "A String", # Required
          "permissions": [ # A permission is a string of form '..' (e.g., 'storage.buckets.list'). A value of '*' matches all permissions, and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.
            "A String",
          ],
          "conditions": [ # Additional restrictions that must be met. All conditions must pass for the rule to match.
            { # A condition to be met.
              "iam": "A String", # Trusted attributes supplied by the IAM system.
              "sys": "A String", # Trusted attributes supplied by any service that owns resources and uses the IAM system for access control.
              "values": [ # The objects of the condition.
                "A String",
              ],
              "svc": "A String", # Trusted attributes discharged by the service.
              "op": "A String", # An operator to apply the subject with.
            },
          ],
          "description": "A String", # Human-readable description of the rule.
        },
      ],
      "version": 42, # Deprecated.
      "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the `etag` in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An `etag` is returned in the response to `getIamPolicy`, and systems are expected to put that etag in the request to `setIamPolicy` to ensure that their change will be applied to the same version of the policy.
          #
          # If no `etag` is provided in the call to `setIamPolicy`, then the existing policy is overwritten blindly.
      "bindings": [ # Associates a list of `members` to a `role`. `bindings` with no members will result in an error.
        { # Associates `members` with a `role`.
          "role": "A String", # Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
          "members": [ # Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values:
              #
              # * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account.
              #
              # * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account.
              #
              # * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@gmail.com`.
              #
              #
              #
              # * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`.
              #
              # * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`.
              #
              #
              #
              # * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`.
            "A String",
          ],
          "condition": { # Represents an expression text. Example: # The condition that is associated with this binding. NOTE: An unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
              #
              # title: "User account presence" description: "Determines whether the request has a user account" expression: "size(request.user) > 0"
            "title": "A String", # An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
            "expression": "A String", # Textual representation of an expression in Common Expression Language syntax.
                #
                # The application context of the containing message determines which well-known feature set of CEL is supported.
            "description": "A String", # An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
            "location": "A String", # An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
          },
        },
      ],
      "iamOwned": True or False,
    },
    "bindings": [ # Flatten Policy to create a backward compatible wire-format. Deprecated. Use 'policy' to specify bindings.
      { # Associates `members` with a `role`.
        "role": "A String", # Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
        "members": [ # Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values:
            #
            # * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account.
            #
            # * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account.
            #
            # * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@gmail.com`.
            #
            #
            #
            # * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`.
            #
            # * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`.
            #
            #
            #
            # * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`.
          "A String",
        ],
        "condition": { # Represents an expression text. Example: # The condition that is associated with this binding. NOTE: An unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
            #
            # title: "User account presence" description: "Determines whether the request has a user account" expression: "size(request.user) > 0"
          "title": "A String", # An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
          "expression": "A String", # Textual representation of an expression in Common Expression Language syntax.
              #
              # The application context of the containing message determines which well-known feature set of CEL is supported.
          "description": "A String", # An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
          "location": "A String", # An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
        },
      },
    ],
    "etag": "A String", # Flatten Policy to create a backward compatible wire-format. Deprecated. Use 'policy' to specify the etag.
  }


Returns:
  An object of the form:

    { # Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources.
      #
      #
      #
      # A `Policy` consists of a list of `bindings`. A `binding` binds a list of `members` to a `role`, where the members can be user accounts, Google groups, Google domains, and service accounts. A `role` is a named list of permissions defined by IAM.
      #
      # **JSON Example**
      #
      # { "bindings": [ { "role": "roles/owner", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-other-app@appspot.gserviceaccount.com" ] }, { "role": "roles/viewer", "members": ["user:sean@example.com"] } ] }
      #
      # **YAML Example**
      #
      # bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-other-app@appspot.gserviceaccount.com role: roles/owner - members: - user:sean@example.com role: roles/viewer
      #
      #
      #
      # For a description of IAM and its features, see the [IAM developer's guide](https://cloud.google.com/iam/docs).
    "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
      { # Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.
          #
          # If there are AuditConfigs for both `allServices` and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted.
          #
          # Example Policy with multiple AuditConfigs:
          #
          # { "audit_configs": [ { "service": "allServices" "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:foo@gmail.com" ] }, { "log_type": "DATA_WRITE", }, { "log_type": "ADMIN_READ", } ] }, { "service": "fooservice.googleapis.com" "audit_log_configs": [ { "log_type": "DATA_READ", }, { "log_type": "DATA_WRITE", "exempted_members": [ "user:bar@gmail.com" ] } ] } ] }
          #
          # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts foo@gmail.com from DATA_READ logging, and bar@gmail.com from DATA_WRITE logging.
        "exemptedMembers": [
          "A String",
        ],
        "auditLogConfigs": [ # The configuration for logging of each type of permission.
          { # Provides the configuration for logging a type of permissions. Example:
              #
              # { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:foo@gmail.com" ] }, { "log_type": "DATA_WRITE", } ] }
              #
              # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting foo@gmail.com from DATA_READ logging.
            "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of permission. Follows the same format of [Binding.members][].
              "A String",
            ],
            "logType": "A String", # The log type that this config enables.
          },
        ],
        "service": "A String", # Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.
      },
    ],
    "rules": [ # If more than one rule is specified, the rules are applied in the following manner: - All matching LOG rules are always applied. - If any DENY/DENY_WITH_LOG rule matches, permission is denied. Logging will be applied if one or more matching rule requires logging. - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is granted. Logging will be applied if one or more matching rule requires logging. - Otherwise, if no rule applies, permission is denied.
      { # A rule to be applied in a Policy.
        "logConfigs": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries that match the LOG action.
          { # Specifies what kind of log the caller must write
            "counter": { # Increment a streamz counter with the specified metric and field names. # Counter options.
                #
                # Metric names should start with a '/', generally be lowercase-only, and end in "_count". Field names should not contain an initial slash. The actual exported metric names will have "/iam/policy" prepended.
                #
                # Field names correspond to IAM request parameters and field values are their respective values.
                #
                # Supported field names: - "authority", which is "[token]" if IAMContext.token is present, otherwise the value of IAMContext.authority_selector if present, and otherwise a representation of IAMContext.principal; or - "iam_principal", a representation of IAMContext.principal even if a token or authority selector is present; or - "" (empty string), resulting in a counter with no fields.
                #
                # Examples: counter { metric: "/debug_access_count" field: "iam_principal" } ==> increment counter /iam/policy/backend_debug_access_count {iam_principal=[value of IAMContext.principal]}
                #
                # At this time we do not support multiple field names (though this may be supported in the future).
              "field": "A String", # The field value to attribute.
              "metric": "A String", # The metric to update.
            },
            "dataAccess": { # Write a Data Access (Gin) log # Data access options.
              "logMode": "A String", # Whether Gin logging should happen in a fail-closed manner at the caller. This is relevant only in the LocalIAM implementation, for now.
            },
            "cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
              "logName": "A String", # The log_name to populate in the Cloud Audit Record.
528 "authorizationLoggingOptions": { # Authorization-related information used by Cloud Audit Logging. # Information used by the Cloud Audit Logging pipeline. 529 "permissionType": "A String", # The type of the permission that was checked. 530 }, 531 }, 532 }, 533 ], 534 "notIns": [ # If one or more 'not_in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries. 535 "A String", 536 ], 537 "ins": [ # If one or more 'in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries. 538 "A String", 539 ], 540 "action": "A String", # Required 541 "permissions": [ # A permission is a string of form '..' (e.g., 'storage.buckets.list'). A value of '*' matches all permissions, and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs. 542 "A String", 543 ], 544 "conditions": [ # Additional restrictions that must be met. All conditions must pass for the rule to match. 545 { # A condition to be met. 546 "iam": "A String", # Trusted attributes supplied by the IAM system. 547 "sys": "A String", # Trusted attributes supplied by any service that owns resources and uses the IAM system for access control. 548 "values": [ # The objects of the condition. 549 "A String", 550 ], 551 "svc": "A String", # Trusted attributes discharged by the service. 552 "op": "A String", # An operator to apply the subject with. 553 }, 554 ], 555 "description": "A String", # Human-readable description of the rule. 556 }, 557 ], 558 "version": 42, # Deprecated. 559 "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. 
It is strongly suggested that systems make use of the `etag` in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An `etag` is returned in the response to `getIamPolicy`, and systems are expected to put that etag in the request to `setIamPolicy` to ensure that their change will be applied to the same version of the policy. 560 # 561 # If no `etag` is provided in the call to `setIamPolicy`, then the existing policy is overwritten blindly. 562 "bindings": [ # Associates a list of `members` to a `role`. `bindings` with no members will result in an error. 563 { # Associates `members` with a `role`. 564 "role": "A String", # Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`. 565 "members": [ # Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values: 566 # 567 # * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account. 568 # 569 # * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account. 570 # 571 # * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@gmail.com` . 572 # 573 # 574 # 575 # * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`. 576 # 577 # * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`. 578 # 579 # 580 # 581 # * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`. 582 "A String", 583 ], 584 "condition": { # Represents an expression text. Example: # The condition that is associated with this binding. NOTE: An unsatisfied condition will not allow user access via current binding. 
Different bindings, including their conditions, are examined independently. 585 # 586 # title: "User account presence" description: "Determines whether the request has a user account" expression: "size(request.user) > 0" 587 "title": "A String", # An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. 588 "expression": "A String", # Textual representation of an expression in Common Expression Language syntax. 589 # 590 # The application context of the containing message determines which well-known feature set of CEL is supported. 591 "description": "A String", # An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. 592 "location": "A String", # An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file. 593 }, 594 }, 595 ], 596 "iamOwned": True or False, 597 }</pre> 598</div> 599 600<div class="method"> 601 <code class="details" id="testIamPermissions">testIamPermissions(project, resource, body)</code> 602 <pre>Returns permissions that a caller has on the specified resource. 603 604Args: 605 project: string, Project ID for this request. (required) 606 resource: string, Name or id of the resource for this request. (required) 607 body: object, The request body. (required) 608 The object takes the form of: 609 610{ 611 "permissions": [ # The set of permissions to check for the 'resource'. Permissions with wildcards (such as '*' or 'storage.*') are not allowed. 612 "A String", 613 ], 614 } 615 616 617Returns: 618 An object of the form: 619 620 { 621 "permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is allowed. 622 "A String", 623 ], 624 }</pre> 625</div> 626 627</body></html>
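The `etag` read-modify-write cycle described for `getIamPolicy` and `setIamPolicy`, as an added example that is not part of this reference or of the API client. `FakePolicyStore`, `EtagMismatch`, `add_member`, `stale_write` and `grant` are hypothetical names, and the store is an in-memory stand-in that models the etag as a version counter; it shows a concurrent grant being lost when the etag is omitted and the conflict being caught when it is sent back.

```python
import copy

class EtagMismatch(Exception):
    """setIamPolicy was sent an etag that no longer matches the stored policy."""

class FakePolicyStore:
    """In-memory stand-in constructed for this example; etag modelled as a version counter."""
    def __init__(self):
        self._bindings, self._version = [], 0

    def get_iam_policy(self):
        return {"bindings": copy.deepcopy(self._bindings), "etag": str(self._version)}

    def set_iam_policy(self, policy):
        sent = policy.get("etag")
        if sent is not None and sent != str(self._version):
            raise EtagMismatch("policy changed since it was read")
        # No etag in the request: the existing policy is overwritten blindly.
        self._bindings = copy.deepcopy(policy.get("bindings", []))
        self._version += 1
        return self.get_iam_policy()

def add_member(policy, role, member):
    for binding in policy["bindings"]:
        if binding["role"] == role:
            binding["members"] = sorted(set(binding["members"]) | {member})
            return
    policy["bindings"].append({"role": role, "members": [member]})

def stale_write(store, keep_etag):
    """Writers A and B read the same policy; B writes after A. Returns final bindings."""
    a, b = store.get_iam_policy(), store.get_iam_policy()
    add_member(a, "roles/viewer", "user:alice@example.com")
    add_member(b, "roles/editor", "group:admins@example.com")
    if not keep_etag:
        b.pop("etag")
    store.set_iam_policy(a)
    store.set_iam_policy(b)  # raises EtagMismatch when B kept its stale etag
    return store.get_iam_policy()["bindings"]

def grant(store, role, member, retries=3):
    """Read-modify-write that echoes the etag and re-reads on conflict."""
    for _ in range(retries):
        policy = store.get_iam_policy()
        add_member(policy, role, member)
        try:
            return store.set_iam_policy(policy)
        except EtagMismatch:
            continue
    raise EtagMismatch("gave up after %d attempts" % retries)
```

When reviewing automation that edits IAM policy, check that the object passed to `setIamPolicy` is the one returned by `getIamPolicy` with its `etag` intact, not a policy rebuilt from scratch.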