• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1<html><body>
2<style>
3
4body, h1, h2, h3, div, span, p, pre, a {
5  margin: 0;
6  padding: 0;
7  border: 0;
8  font-weight: inherit;
9  font-style: inherit;
10  font-size: 100%;
11  font-family: inherit;
12  vertical-align: baseline;
13}
14
15body {
16  font-size: 13px;
17  padding: 1em;
18}
19
20h1 {
21  font-size: 26px;
22  margin-bottom: 1em;
23}
24
25h2 {
26  font-size: 24px;
27  margin-bottom: 1em;
28}
29
30h3 {
31  font-size: 20px;
32  margin-bottom: 1em;
33  margin-top: 1em;
34}
35
36pre, code {
37  line-height: 1.5;
38  font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
39}
40
41pre {
42  margin-top: 0.5em;
43}
44
45h1, h2, h3, p {
46  font-family: Arial, sans serif;
47}
48
49h1, h2, h3 {
50  border-bottom: solid #CCC 1px;
51}
52
53.toc_element {
54  margin-top: 0.5em;
55}
56
57.firstline {
58  margin-left: 2 em;
59}
60
61.method  {
62  margin-top: 1em;
63  border: solid 1px #CCC;
64  padding: 1em;
65  background: #EEE;
66}
67
68.details {
69  font-weight: bold;
70  font-size: 14px;
71}
72
73</style>
74
75<h1><a href="compute_alpha.html">Compute Engine API</a> . <a href="compute_alpha.licenseCodes.html">licenseCodes</a></h1>
76<h2>Instance Methods</h2>
77<p class="toc_element">
78  <code><a href="#get">get(project, licenseCode)</a></code></p>
79<p class="firstline">Return a specified license code. License codes are mirrored across all projects that have permissions to read the License Code.</p>
80<p class="toc_element">
81  <code><a href="#getIamPolicy">getIamPolicy(project, resource)</a></code></p>
82<p class="firstline">Gets the access control policy for a resource. May be empty if no such policy or resource exists.</p>
83<p class="toc_element">
84  <code><a href="#setIamPolicy">setIamPolicy(project, resource, body)</a></code></p>
85<p class="firstline">Sets the access control policy on the specified resource. Replaces any existing policy.</p>
86<p class="toc_element">
87  <code><a href="#testIamPermissions">testIamPermissions(project, resource, body)</a></code></p>
88<p class="firstline">Returns permissions that a caller has on the specified resource.</p>
89<h3>Method Details</h3>
90<div class="method">
91    <code class="details" id="get">get(project, licenseCode)</code>
92  <pre>Return a specified license code. License codes are mirrored across all projects that have permissions to read the License Code.
93
94Args:
95  project: string, Project ID for this request. (required)
96  licenseCode: string, Number corresponding to the License code resource to return. (required)
97
98Returns:
99  An object of the form:
100
101    {
102    "kind": "compute#licenseCode", # [Output Only] Type of resource. Always compute#licenseCode for licenses.
103    "description": "A String", # [Output Only] Description of this License Code.
104    "transferable": True or False, # [Output Only] If true, the license will remain attached when creating images or snapshots from disks. Otherwise, the license is not transferred.
105    "state": "A String", # [Output Only] Current state of this License Code.
106    "licenseAlias": [ # [Output Only] URL and description aliases of Licenses with the same License Code.
107      {
108        "description": "A String", # [Output Only] Description of this License Code.
109        "selfLink": "A String", # [Output Only] URL of license corresponding to this License Code.
110      },
111    ],
112    "creationTimestamp": "A String", # [Output Only] Creation timestamp in RFC3339 text format.
113    "id": "A String", # [Output Only] The unique identifier for the resource. This identifier is defined by the server.
114    "selfLink": "A String", # [Output Only] Server-defined URL for the resource.
115    "name": "A String", # [Output Only] Name of the resource. The name is 1-20 characters long and must be a valid 64 bit integer.
116  }</pre>
117</div>
118
119<div class="method">
120    <code class="details" id="getIamPolicy">getIamPolicy(project, resource)</code>
121  <pre>Gets the access control policy for a resource. May be empty if no such policy or resource exists.
122
123Args:
124  project: string, Project ID for this request. (required)
125  resource: string, Name or id of the resource for this request. (required)
126
127Returns:
128  An object of the form:
129
130    { # Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources.
131      #
132      #
133      #
134      # A `Policy` consists of a list of `bindings`. A `binding` binds a list of `members` to a `role`, where the members can be user accounts, Google groups, Google domains, and service accounts. A `role` is a named list of permissions defined by IAM.
135      #
136      # **JSON Example**
137      #
138      # { "bindings": [ { "role": "roles/owner", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-other-app@appspot.gserviceaccount.com" ] }, { "role": "roles/viewer", "members": ["user:sean@example.com"] } ] }
139      #
140      # **YAML Example**
141      #
142      # bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-other-app@appspot.gserviceaccount.com role: roles/owner - members: - user:sean@example.com role: roles/viewer
143      #
144      #
145      #
146      # For a description of IAM and its features, see the [IAM developer's guide](https://cloud.google.com/iam/docs).
147    "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
148      { # Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.
149          #
150          # If there are AuditConfigs for both `allServices` and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted.
151          #
152          # Example Policy with multiple AuditConfigs:
153          #
154          # { "audit_configs": [ { "service": "allServices" "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:foo@gmail.com" ] }, { "log_type": "DATA_WRITE", }, { "log_type": "ADMIN_READ", } ] }, { "service": "fooservice.googleapis.com" "audit_log_configs": [ { "log_type": "DATA_READ", }, { "log_type": "DATA_WRITE", "exempted_members": [ "user:bar@gmail.com" ] } ] } ] }
155          #
156          # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts foo@gmail.com from DATA_READ logging, and bar@gmail.com from DATA_WRITE logging.
157        "exemptedMembers": [
158          "A String",
159        ],
160        "auditLogConfigs": [ # The configuration for logging of each type of permission.
161          { # Provides the configuration for logging a type of permissions. Example:
162              #
163              # { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:foo@gmail.com" ] }, { "log_type": "DATA_WRITE", } ] }
164              #
165              # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting foo@gmail.com from DATA_READ logging.
166            "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of permission. Follows the same format of [Binding.members][].
167              "A String",
168            ],
169            "logType": "A String", # The log type that this config enables.
170          },
171        ],
172        "service": "A String", # Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.
173      },
174    ],
175    "rules": [ # If more than one rule is specified, the rules are applied in the following manner: - All matching LOG rules are always applied. - If any DENY/DENY_WITH_LOG rule matches, permission is denied. Logging will be applied if one or more matching rule requires logging. - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is granted. Logging will be applied if one or more matching rule requires logging. - Otherwise, if no rule applies, permission is denied.
176      { # A rule to be applied in a Policy.
177        "logConfigs": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries that match the LOG action.
178          { # Specifies what kind of log the caller must write
179            "counter": { # Increment a streamz counter with the specified metric and field names. # Counter options.
180                #
181                # Metric names should start with a '/', generally be lowercase-only, and end in "_count". Field names should not contain an initial slash. The actual exported metric names will have "/iam/policy" prepended.
182                #
183                # Field names correspond to IAM request parameters and field values are their respective values.
184                #
185                # Supported field names: - "authority", which is "[token]" if IAMContext.token is present, otherwise the value of IAMContext.authority_selector if present, and otherwise a representation of IAMContext.principal; or - "iam_principal", a representation of IAMContext.principal even if a token or authority selector is present; or - "" (empty string), resulting in a counter with no fields.
186                #
187                # Examples: counter { metric: "/debug_access_count" field: "iam_principal" } ==> increment counter /iam/policy/backend_debug_access_count {iam_principal=[value of IAMContext.principal]}
188                #
189                # At this time we do not support multiple field names (though this may be supported in the future).
190              "field": "A String", # The field value to attribute.
191              "metric": "A String", # The metric to update.
192            },
193            "dataAccess": { # Write a Data Access (Gin) log # Data access options.
194              "logMode": "A String", # Whether Gin logging should happen in a fail-closed manner at the caller. This is relevant only in the LocalIAM implementation, for now.
195            },
196            "cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
197              "logName": "A String", # The log_name to populate in the Cloud Audit Record.
198              "authorizationLoggingOptions": { # Authorization-related information used by Cloud Audit Logging. # Information used by the Cloud Audit Logging pipeline.
199                "permissionType": "A String", # The type of the permission that was checked.
200              },
201            },
202          },
203        ],
204        "notIns": [ # If one or more 'not_in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.
205          "A String",
206        ],
207        "ins": [ # If one or more 'in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
208          "A String",
209        ],
210        "action": "A String", # Required
211        "permissions": [ # A permission is a string of form '..' (e.g., 'storage.buckets.list'). A value of '*' matches all permissions, and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.
212          "A String",
213        ],
214        "conditions": [ # Additional restrictions that must be met. All conditions must pass for the rule to match.
215          { # A condition to be met.
216            "iam": "A String", # Trusted attributes supplied by the IAM system.
217            "sys": "A String", # Trusted attributes supplied by any service that owns resources and uses the IAM system for access control.
218            "values": [ # The objects of the condition.
219              "A String",
220            ],
221            "svc": "A String", # Trusted attributes discharged by the service.
222            "op": "A String", # An operator to apply the subject with.
223          },
224        ],
225        "description": "A String", # Human-readable description of the rule.
226      },
227    ],
228    "version": 42, # Deprecated.
229    "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the `etag` in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An `etag` is returned in the response to `getIamPolicy`, and systems are expected to put that etag in the request to `setIamPolicy` to ensure that their change will be applied to the same version of the policy.
230        #
231        # If no `etag` is provided in the call to `setIamPolicy`, then the existing policy is overwritten blindly.
232    "bindings": [ # Associates a list of `members` to a `role`. `bindings` with no members will result in an error.
233      { # Associates `members` with a `role`.
234        "role": "A String", # Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
235        "members": [ # Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values:
236            #
237            # * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account.
238            #
239            # * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account.
240            #
241            # * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@gmail.com` .
242            #
243            #
244            #
245            # * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`.
246            #
247            # * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`.
248            #
249            #
250            #
251            # * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`.
252          "A String",
253        ],
254        "condition": { # Represents an expression text. Example: # The condition that is associated with this binding. NOTE: An unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
255            #
256            # title: "User account presence" description: "Determines whether the request has a user account" expression: "size(request.user) > 0"
257          "title": "A String", # An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
258          "expression": "A String", # Textual representation of an expression in Common Expression Language syntax.
259              #
260              # The application context of the containing message determines which well-known feature set of CEL is supported.
261          "description": "A String", # An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
262          "location": "A String", # An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
263        },
264      },
265    ],
266    "iamOwned": True or False,
267  }</pre>
268</div>
269
270<div class="method">
271    <code class="details" id="setIamPolicy">setIamPolicy(project, resource, body)</code>
272  <pre>Sets the access control policy on the specified resource. Replaces any existing policy.
273
274Args:
275  project: string, Project ID for this request. (required)
276  resource: string, Name or id of the resource for this request. (required)
277  body: object, The request body. (required)
278    The object takes the form of:
279
280{
281    "policy": { # Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources. # REQUIRED: The complete policy to be applied to the 'resource'. The size of the policy is limited to a few 10s of KB. An empty policy is in general a valid policy but certain services (like Projects) might reject them.
282        #
283        #
284        #
285        # A `Policy` consists of a list of `bindings`. A `binding` binds a list of `members` to a `role`, where the members can be user accounts, Google groups, Google domains, and service accounts. A `role` is a named list of permissions defined by IAM.
286        #
287        # **JSON Example**
288        #
289        # { "bindings": [ { "role": "roles/owner", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-other-app@appspot.gserviceaccount.com" ] }, { "role": "roles/viewer", "members": ["user:sean@example.com"] } ] }
290        #
291        # **YAML Example**
292        #
293        # bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-other-app@appspot.gserviceaccount.com role: roles/owner - members: - user:sean@example.com role: roles/viewer
294        #
295        #
296        #
297        # For a description of IAM and its features, see the [IAM developer's guide](https://cloud.google.com/iam/docs).
298      "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
299        { # Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.
300            #
301            # If there are AuditConfigs for both `allServices` and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted.
302            #
303            # Example Policy with multiple AuditConfigs:
304            #
305            # { "audit_configs": [ { "service": "allServices" "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:foo@gmail.com" ] }, { "log_type": "DATA_WRITE", }, { "log_type": "ADMIN_READ", } ] }, { "service": "fooservice.googleapis.com" "audit_log_configs": [ { "log_type": "DATA_READ", }, { "log_type": "DATA_WRITE", "exempted_members": [ "user:bar@gmail.com" ] } ] } ] }
306            #
307            # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts foo@gmail.com from DATA_READ logging, and bar@gmail.com from DATA_WRITE logging.
308          "exemptedMembers": [
309            "A String",
310          ],
311          "auditLogConfigs": [ # The configuration for logging of each type of permission.
312            { # Provides the configuration for logging a type of permissions. Example:
313                #
314                # { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:foo@gmail.com" ] }, { "log_type": "DATA_WRITE", } ] }
315                #
316                # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting foo@gmail.com from DATA_READ logging.
317              "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of permission. Follows the same format of [Binding.members][].
318                "A String",
319              ],
320              "logType": "A String", # The log type that this config enables.
321            },
322          ],
323          "service": "A String", # Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.
324        },
325      ],
326      "rules": [ # If more than one rule is specified, the rules are applied in the following manner: - All matching LOG rules are always applied. - If any DENY/DENY_WITH_LOG rule matches, permission is denied. Logging will be applied if one or more matching rule requires logging. - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is granted. Logging will be applied if one or more matching rule requires logging. - Otherwise, if no rule applies, permission is denied.
327        { # A rule to be applied in a Policy.
328          "logConfigs": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries that match the LOG action.
329            { # Specifies what kind of log the caller must write
330              "counter": { # Increment a streamz counter with the specified metric and field names. # Counter options.
331                  #
332                  # Metric names should start with a '/', generally be lowercase-only, and end in "_count". Field names should not contain an initial slash. The actual exported metric names will have "/iam/policy" prepended.
333                  #
334                  # Field names correspond to IAM request parameters and field values are their respective values.
335                  #
336                  # Supported field names: - "authority", which is "[token]" if IAMContext.token is present, otherwise the value of IAMContext.authority_selector if present, and otherwise a representation of IAMContext.principal; or - "iam_principal", a representation of IAMContext.principal even if a token or authority selector is present; or - "" (empty string), resulting in a counter with no fields.
337                  #
338                  # Examples: counter { metric: "/debug_access_count" field: "iam_principal" } ==> increment counter /iam/policy/backend_debug_access_count {iam_principal=[value of IAMContext.principal]}
339                  #
340                  # At this time we do not support multiple field names (though this may be supported in the future).
341                "field": "A String", # The field value to attribute.
342                "metric": "A String", # The metric to update.
343              },
344              "dataAccess": { # Write a Data Access (Gin) log # Data access options.
345                "logMode": "A String", # Whether Gin logging should happen in a fail-closed manner at the caller. This is relevant only in the LocalIAM implementation, for now.
346              },
347              "cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
348                "logName": "A String", # The log_name to populate in the Cloud Audit Record.
349                "authorizationLoggingOptions": { # Authorization-related information used by Cloud Audit Logging. # Information used by the Cloud Audit Logging pipeline.
350                  "permissionType": "A String", # The type of the permission that was checked.
351                },
352              },
353            },
354          ],
355          "notIns": [ # If one or more 'not_in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.
356            "A String",
357          ],
358          "ins": [ # If one or more 'in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
359            "A String",
360          ],
361          "action": "A String", # Required
362          "permissions": [ # A permission is a string of form '..' (e.g., 'storage.buckets.list'). A value of '*' matches all permissions, and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.
363            "A String",
364          ],
365          "conditions": [ # Additional restrictions that must be met. All conditions must pass for the rule to match.
366            { # A condition to be met.
367              "iam": "A String", # Trusted attributes supplied by the IAM system.
368              "sys": "A String", # Trusted attributes supplied by any service that owns resources and uses the IAM system for access control.
369              "values": [ # The objects of the condition.
370                "A String",
371              ],
372              "svc": "A String", # Trusted attributes discharged by the service.
373              "op": "A String", # An operator to apply the subject with.
374            },
375          ],
376          "description": "A String", # Human-readable description of the rule.
377        },
378      ],
379      "version": 42, # Deprecated.
380      "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the `etag` in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An `etag` is returned in the response to `getIamPolicy`, and systems are expected to put that etag in the request to `setIamPolicy` to ensure that their change will be applied to the same version of the policy.
381          #
382          # If no `etag` is provided in the call to `setIamPolicy`, then the existing policy is overwritten blindly.
383      "bindings": [ # Associates a list of `members` to a `role`. `bindings` with no members will result in an error.
384        { # Associates `members` with a `role`.
385          "role": "A String", # Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
386          "members": [ # Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values:
387              #
388              # * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account.
389              #
390              # * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account.
391              #
392              # * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@gmail.com` .
393              #
394              #
395              #
396              # * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`.
397              #
398              # * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`.
399              #
400              #
401              #
402              # * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`.
403            "A String",
404          ],
405          "condition": { # Represents an expression text. Example: # The condition that is associated with this binding. NOTE: An unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
406              #
407              # title: "User account presence" description: "Determines whether the request has a user account" expression: "size(request.user) > 0"
408            "title": "A String", # An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
409            "expression": "A String", # Textual representation of an expression in Common Expression Language syntax.
410                #
411                # The application context of the containing message determines which well-known feature set of CEL is supported.
412            "description": "A String", # An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
413            "location": "A String", # An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
414          },
415        },
416      ],
417      "iamOwned": True or False,
418    },
419    "bindings": [ # Flatten Policy to create a backward compatible wire-format. Deprecated. Use 'policy' to specify bindings.
420      { # Associates `members` with a `role`.
421        "role": "A String", # Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
422        "members": [ # Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values:
423            #
424            # * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account.
425            #
426            # * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account.
427            #
428            # * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@gmail.com` .
429            #
430            #
431            #
432            # * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`.
433            #
434            # * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`.
435            #
436            #
437            #
438            # * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`.
439          "A String",
440        ],
441        "condition": { # Represents an expression text. Example: # The condition that is associated with this binding. NOTE: An unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
442            #
443            # title: "User account presence" description: "Determines whether the request has a user account" expression: "size(request.user) > 0"
444          "title": "A String", # An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
445          "expression": "A String", # Textual representation of an expression in Common Expression Language syntax.
446              #
447              # The application context of the containing message determines which well-known feature set of CEL is supported.
448          "description": "A String", # An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
449          "location": "A String", # An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
450        },
451      },
452    ],
453    "etag": "A String", # Flatten Policy to create a backward compatible wire-format. Deprecated. Use 'policy' to specify the etag.
454  }
455
456
457Returns:
458  An object of the form:
459
460    { # Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources.
461      #
462      #
463      #
464      # A `Policy` consists of a list of `bindings`. A `binding` binds a list of `members` to a `role`, where the members can be user accounts, Google groups, Google domains, and service accounts. A `role` is a named list of permissions defined by IAM.
465      #
466      # **JSON Example**
467      #
468      # { "bindings": [ { "role": "roles/owner", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-other-app@appspot.gserviceaccount.com" ] }, { "role": "roles/viewer", "members": ["user:sean@example.com"] } ] }
469      #
470      # **YAML Example**
471      #
472      # bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-other-app@appspot.gserviceaccount.com role: roles/owner - members: - user:sean@example.com role: roles/viewer
473      #
474      #
475      #
476      # For a description of IAM and its features, see the [IAM developer's guide](https://cloud.google.com/iam/docs).
477    "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
478      { # Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.
479          #
480          # If there are AuditConfigs for both `allServices` and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted.
481          #
482          # Example Policy with multiple AuditConfigs:
483          #
484          # { "audit_configs": [ { "service": "allServices" "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:foo@gmail.com" ] }, { "log_type": "DATA_WRITE", }, { "log_type": "ADMIN_READ", } ] }, { "service": "fooservice.googleapis.com" "audit_log_configs": [ { "log_type": "DATA_READ", }, { "log_type": "DATA_WRITE", "exempted_members": [ "user:bar@gmail.com" ] } ] } ] }
485          #
486          # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts foo@gmail.com from DATA_READ logging, and bar@gmail.com from DATA_WRITE logging.
487        "exemptedMembers": [
488          "A String",
489        ],
490        "auditLogConfigs": [ # The configuration for logging of each type of permission.
491          { # Provides the configuration for logging a type of permissions. Example:
492              #
493              # { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:foo@gmail.com" ] }, { "log_type": "DATA_WRITE", } ] }
494              #
495              # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting foo@gmail.com from DATA_READ logging.
496            "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of permission. Follows the same format of [Binding.members][].
497              "A String",
498            ],
499            "logType": "A String", # The log type that this config enables.
500          },
501        ],
502        "service": "A String", # Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.
503      },
504    ],
505    "rules": [ # If more than one rule is specified, the rules are applied in the following manner: - All matching LOG rules are always applied. - If any DENY/DENY_WITH_LOG rule matches, permission is denied. Logging will be applied if one or more matching rule requires logging. - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is granted. Logging will be applied if one or more matching rule requires logging. - Otherwise, if no rule applies, permission is denied.
506      { # A rule to be applied in a Policy.
507        "logConfigs": [ # The config returned to callers of tech.iam.IAM.CheckPolicy for any entries that match the LOG action.
508          { # Specifies what kind of log the caller must write
509            "counter": { # Increment a streamz counter with the specified metric and field names. # Counter options.
510                #
511                # Metric names should start with a '/', generally be lowercase-only, and end in "_count". Field names should not contain an initial slash. The actual exported metric names will have "/iam/policy" prepended.
512                #
513                # Field names correspond to IAM request parameters and field values are their respective values.
514                #
515                # Supported field names: - "authority", which is "[token]" if IAMContext.token is present, otherwise the value of IAMContext.authority_selector if present, and otherwise a representation of IAMContext.principal; or - "iam_principal", a representation of IAMContext.principal even if a token or authority selector is present; or - "" (empty string), resulting in a counter with no fields.
516                #
517                # Examples: counter { metric: "/debug_access_count" field: "iam_principal" } ==> increment counter /iam/policy/backend_debug_access_count {iam_principal=[value of IAMContext.principal]}
518                #
519                # At this time we do not support multiple field names (though this may be supported in the future).
520              "field": "A String", # The field value to attribute.
521              "metric": "A String", # The metric to update.
522            },
523            "dataAccess": { # Write a Data Access (Gin) log # Data access options.
524              "logMode": "A String", # Whether Gin logging should happen in a fail-closed manner at the caller. This is relevant only in the LocalIAM implementation, for now.
525            },
526            "cloudAudit": { # Write a Cloud Audit log # Cloud audit options.
527              "logName": "A String", # The log_name to populate in the Cloud Audit Record.
528              "authorizationLoggingOptions": { # Authorization-related information used by Cloud Audit Logging. # Information used by the Cloud Audit Logging pipeline.
529                "permissionType": "A String", # The type of the permission that was checked.
530              },
531            },
532          },
533        ],
534        "notIns": [ # If one or more 'not_in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries.
535          "A String",
536        ],
537        "ins": [ # If one or more 'in' clauses are specified, the rule matches if the PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
538          "A String",
539        ],
540        "action": "A String", # Required
541        "permissions": [ # A permission is a string of form '..' (e.g., 'storage.buckets.list'). A value of '*' matches all permissions, and a verb part of '*' (e.g., 'storage.buckets.*') matches all verbs.
542          "A String",
543        ],
544        "conditions": [ # Additional restrictions that must be met. All conditions must pass for the rule to match.
545          { # A condition to be met.
546            "iam": "A String", # Trusted attributes supplied by the IAM system.
547            "sys": "A String", # Trusted attributes supplied by any service that owns resources and uses the IAM system for access control.
548            "values": [ # The objects of the condition.
549              "A String",
550            ],
551            "svc": "A String", # Trusted attributes discharged by the service.
552            "op": "A String", # An operator to apply the subject with.
553          },
554        ],
555        "description": "A String", # Human-readable description of the rule.
556      },
557    ],
558    "version": 42, # Deprecated.
559    "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the `etag` in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An `etag` is returned in the response to `getIamPolicy`, and systems are expected to put that etag in the request to `setIamPolicy` to ensure that their change will be applied to the same version of the policy.
560        #
561        # If no `etag` is provided in the call to `setIamPolicy`, then the existing policy is overwritten blindly.
562    "bindings": [ # Associates a list of `members` to a `role`. `bindings` with no members will result in an error.
563      { # Associates `members` with a `role`.
564        "role": "A String", # Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
565        "members": [ # Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values:
566            #
567            # * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account.
568            #
569            # * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account.
570            #
571            # * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@gmail.com` .
572            #
573            #
574            #
575            # * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`.
576            #
577            # * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`.
578            #
579            #
580            #
581            # * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`.
582          "A String",
583        ],
584        "condition": { # Represents an expression text. Example: # The condition that is associated with this binding. NOTE: An unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
585            #
586            # title: "User account presence" description: "Determines whether the request has a user account" expression: "size(request.user) > 0"
587          "title": "A String", # An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
588          "expression": "A String", # Textual representation of an expression in Common Expression Language syntax.
589              #
590              # The application context of the containing message determines which well-known feature set of CEL is supported.
591          "description": "A String", # An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
592          "location": "A String", # An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
593        },
594      },
595    ],
596    "iamOwned": True or False,
597  }</pre>
598</div>
599
600<div class="method">
601    <code class="details" id="testIamPermissions">testIamPermissions(project, resource, body)</code>
602  <pre>Returns permissions that a caller has on the specified resource.
603
604Args:
605  project: string, Project ID for this request. (required)
606  resource: string, Name or id of the resource for this request. (required)
607  body: object, The request body. (required)
608    The object takes the form of:
609
610{
611    "permissions": [ # The set of permissions to check for the 'resource'. Permissions with wildcards (such as '*' or 'storage.*') are not allowed.
612      "A String",
613    ],
614  }
615
616
617Returns:
618  An object of the form:
619
620    {
621    "permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is allowed.
622      "A String",
623    ],
624  }</pre>
625</div>
626
627</body></html>