google-cloud-asset-v1 0.13.0 → 0.15.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/AUTHENTICATION.md +8 -8
- data/README.md +1 -1
- data/lib/google/cloud/asset/v1/asset_service/client.rb +250 -86
- data/lib/google/cloud/asset/v1/asset_service/operations.rb +31 -22
- data/lib/google/cloud/asset/v1/asset_service_pb.rb +44 -0
- data/lib/google/cloud/asset/v1/asset_service_services_pb.rb +7 -1
- data/lib/google/cloud/asset/v1/assets_pb.rb +31 -0
- data/lib/google/cloud/asset/v1/version.rb +1 -1
- data/lib/google/identity/accesscontextmanager/v1/access_level_pb.rb +1 -0
- data/lib/google/identity/accesscontextmanager/v1/access_policy_pb.rb +1 -0
- data/lib/google/identity/accesscontextmanager/v1/service_perimeter_pb.rb +60 -0
- data/proto_docs/google/cloud/asset/v1/asset_service.rb +206 -3
- data/proto_docs/google/cloud/asset/v1/assets.rb +140 -0
- data/proto_docs/google/identity/accesscontextmanager/v1/access_level.rb +2 -2
- data/proto_docs/google/identity/accesscontextmanager/v1/access_policy.rb +1 -1
- data/proto_docs/google/identity/accesscontextmanager/v1/service_perimeter.rb +328 -2
- metadata +4 -4
@@ -140,6 +140,10 @@ module Google
|
|
140
140
|
# A representation of runtime OS Inventory information. See [this
|
141
141
|
# topic](https://cloud.google.com/compute/docs/instances/os-inventory-management)
|
142
142
|
# for more information.
|
143
|
+
# @!attribute [rw] related_assets
|
144
|
+
# @return [::Google::Cloud::Asset::V1::RelatedAssets]
|
145
|
+
# The related assets of the asset of one relationship type.
|
146
|
+
# One asset only represents one type of relationship.
|
143
147
|
# @!attribute [rw] ancestors
|
144
148
|
# @return [::Array<::String>]
|
145
149
|
# The ancestry path of an asset in Google Cloud [resource
|
@@ -208,6 +212,74 @@ module Google
|
|
208
212
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
209
213
|
end
|
210
214
|
|
215
|
+
# The detailed related assets with the `relationship_type`.
|
216
|
+
# @!attribute [rw] relationship_attributes
|
217
|
+
# @return [::Google::Cloud::Asset::V1::RelationshipAttributes]
|
218
|
+
# The detailed relationship attributes.
|
219
|
+
# @!attribute [rw] assets
|
220
|
+
# @return [::Array<::Google::Cloud::Asset::V1::RelatedAsset>]
|
221
|
+
# The peer resources of the relationship.
|
222
|
+
class RelatedAssets
|
223
|
+
include ::Google::Protobuf::MessageExts
|
224
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
225
|
+
end
|
226
|
+
|
227
|
+
# The relationship attributes which include `type`, `source_resource_type`,
|
228
|
+
# `target_resource_type` and `action`.
|
229
|
+
# @!attribute [rw] type
|
230
|
+
# @return [::String]
|
231
|
+
# The unique identifier of the relationship type. Example:
|
232
|
+
# `INSTANCE_TO_INSTANCEGROUP`
|
233
|
+
# @!attribute [rw] source_resource_type
|
234
|
+
# @return [::String]
|
235
|
+
# The source asset type. Example: `compute.googleapis.com/Instance`
|
236
|
+
# @!attribute [rw] target_resource_type
|
237
|
+
# @return [::String]
|
238
|
+
# The target asset type. Example: `compute.googleapis.com/Disk`
|
239
|
+
# @!attribute [rw] action
|
240
|
+
# @return [::String]
|
241
|
+
# The detail of the relationship, e.g. `contains`, `attaches`
|
242
|
+
class RelationshipAttributes
|
243
|
+
include ::Google::Protobuf::MessageExts
|
244
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
245
|
+
end
|
246
|
+
|
247
|
+
# An asset identify in Google Cloud which contains its name, type and
|
248
|
+
# ancestors. An asset can be any resource in the Google Cloud [resource
|
249
|
+
# hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy),
|
250
|
+
# a resource outside the Google Cloud resource hierarchy (such as Google
|
251
|
+
# Kubernetes Engine clusters and objects), or a policy (e.g. Cloud IAM policy).
|
252
|
+
# See [Supported asset
|
253
|
+
# types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
|
254
|
+
# for more information.
|
255
|
+
# @!attribute [rw] asset
|
256
|
+
# @return [::String]
|
257
|
+
# The full name of the asset. Example:
|
258
|
+
# `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`
|
259
|
+
#
|
260
|
+
# See [Resource
|
261
|
+
# names](https://cloud.google.com/apis/design/resource_names#full_resource_name)
|
262
|
+
# for more information.
|
263
|
+
# @!attribute [rw] asset_type
|
264
|
+
# @return [::String]
|
265
|
+
# The type of the asset. Example: `compute.googleapis.com/Disk`
|
266
|
+
#
|
267
|
+
# See [Supported asset
|
268
|
+
# types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
|
269
|
+
# for more information.
|
270
|
+
# @!attribute [rw] ancestors
|
271
|
+
# @return [::Array<::String>]
|
272
|
+
# The ancestors of an asset in Google Cloud [resource
|
273
|
+
# hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy),
|
274
|
+
# represented as a list of relative resource names. An ancestry path starts
|
275
|
+
# with the closest ancestor in the hierarchy and ends at root.
|
276
|
+
#
|
277
|
+
# Example: `["projects/123456789", "folders/5432", "organizations/1234"]`
|
278
|
+
class RelatedAsset
|
279
|
+
include ::Google::Protobuf::MessageExts
|
280
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
281
|
+
end
|
282
|
+
|
211
283
|
# A result of Resource Search, containing information of a cloud resource.
|
212
284
|
# @!attribute [rw] name
|
213
285
|
# @return [::String]
|
@@ -406,6 +478,24 @@ module Google
|
|
406
478
|
# `parentFullResourceName:"project-name"`
|
407
479
|
# * use a free text query. Example:
|
408
480
|
# `project-name`
|
481
|
+
# @!attribute [rw] versioned_resources
|
482
|
+
# @return [::Array<::Google::Cloud::Asset::V1::VersionedResource>]
|
483
|
+
# Versioned resource representations of this resource. This is repeated
|
484
|
+
# because there could be multiple versions of resource representations during
|
485
|
+
# version migration.
|
486
|
+
#
|
487
|
+
# This `versioned_resources` field is not searchable. Some attributes of the
|
488
|
+
# resource representations are exposed in `additional_attributes` field, so
|
489
|
+
# as to allow users to search on them.
|
490
|
+
# @!attribute [rw] attached_resources
|
491
|
+
# @return [::Array<::Google::Cloud::Asset::V1::AttachedResource>]
|
492
|
+
# Attached resources of this resource. For example, an OSConfig
|
493
|
+
# Inventory is an attached resource of a Compute Instance. This field is
|
494
|
+
# repeated because a resource could have multiple attached resources.
|
495
|
+
#
|
496
|
+
# This `attached_resources` field is not searchable. Some attributes
|
497
|
+
# of the attached resources are exposed in `additional_attributes` field, so
|
498
|
+
# as to allow users to search on them.
|
409
499
|
# @!attribute [rw] parent_asset_type
|
410
500
|
# @return [::String]
|
411
501
|
# The type of this resource's immediate parent, if there is one.
|
@@ -430,6 +520,56 @@ module Google
|
|
430
520
|
end
|
431
521
|
end
|
432
522
|
|
523
|
+
# Resource representation as defined by the corresponding service providing the
|
524
|
+
# resource for a given API version.
|
525
|
+
# @!attribute [rw] version
|
526
|
+
# @return [::String]
|
527
|
+
# API version of the resource.
|
528
|
+
#
|
529
|
+
# Example:
|
530
|
+
# If the resource is an instance provided by Compute Engine v1 API as defined
|
531
|
+
# in `https://cloud.google.com/compute/docs/reference/rest/v1/instances`,
|
532
|
+
# version will be "v1".
|
533
|
+
# @!attribute [rw] resource
|
534
|
+
# @return [::Google::Protobuf::Struct]
|
535
|
+
# JSON representation of the resource as defined by the corresponding
|
536
|
+
# service providing this resource.
|
537
|
+
#
|
538
|
+
# Example:
|
539
|
+
# If the resource is an instance provided by Compute Engine, this field will
|
540
|
+
# contain the JSON representation of the instance as defined by Compute
|
541
|
+
# Engine:
|
542
|
+
# `https://cloud.google.com/compute/docs/reference/rest/v1/instances`.
|
543
|
+
#
|
544
|
+
# You can find the resource definition for each supported resource type in
|
545
|
+
# this table:
|
546
|
+
# `https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types`
|
547
|
+
class VersionedResource
|
548
|
+
include ::Google::Protobuf::MessageExts
|
549
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
550
|
+
end
|
551
|
+
|
552
|
+
# Attached resource representation, which is defined by the corresponding
|
553
|
+
# service provider. It represents an attached resource's payload.
|
554
|
+
# @!attribute [rw] asset_type
|
555
|
+
# @return [::String]
|
556
|
+
# The type of this attached resource.
|
557
|
+
#
|
558
|
+
# Example: `osconfig.googleapis.com/Inventory`
|
559
|
+
#
|
560
|
+
# You can find the supported attached asset types of each resource in this
|
561
|
+
# table:
|
562
|
+
# `https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types`
|
563
|
+
# @!attribute [rw] versioned_resources
|
564
|
+
# @return [::Array<::Google::Cloud::Asset::V1::VersionedResource>]
|
565
|
+
# Versioned resource representations of this attached resource. This is
|
566
|
+
# repeated because there could be multiple versions of the attached resource
|
567
|
+
# representations during version migration.
|
568
|
+
class AttachedResource
|
569
|
+
include ::Google::Protobuf::MessageExts
|
570
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
571
|
+
end
|
572
|
+
|
433
573
|
# A result of IAM Policy search, containing information of an IAM policy.
|
434
574
|
# @!attribute [rw] resource
|
435
575
|
# @return [::String]
|
@@ -28,8 +28,8 @@ module Google
|
|
28
28
|
# @return [::String]
|
29
29
|
# Required. Resource name for the Access Level. The `short_name` component
|
30
30
|
# must begin with a letter and only include alphanumeric and '_'. Format:
|
31
|
-
# `accessPolicies/{
|
32
|
-
# of the `
|
31
|
+
# `accessPolicies/{access_policy}/accessLevels/{access_level}`. The maximum
|
32
|
+
# length of the `access_level` component is 50 characters.
|
33
33
|
# @!attribute [rw] title
|
34
34
|
# @return [::String]
|
35
35
|
# Human readable title. Must be unique within the Policy.
|
@@ -29,7 +29,7 @@ module Google
|
|
29
29
|
# @!attribute [rw] name
|
30
30
|
# @return [::String]
|
31
31
|
# Output only. Resource name of the `AccessPolicy`. Format:
|
32
|
-
# `accessPolicies/{
|
32
|
+
# `accessPolicies/{access_policy}`
|
33
33
|
# @!attribute [rw] parent
|
34
34
|
# @return [::String]
|
35
35
|
# Required. The parent of this `AccessPolicy` in the Cloud Resource
|
@@ -35,7 +35,8 @@ module Google
|
|
35
35
|
# @return [::String]
|
36
36
|
# Required. Resource name for the ServicePerimeter. The `short_name`
|
37
37
|
# component must begin with a letter and only include alphanumeric and '_'.
|
38
|
-
# Format:
|
38
|
+
# Format:
|
39
|
+
# `accessPolicies/{access_policy}/servicePerimeters/{service_perimeter}`
|
39
40
|
# @!attribute [rw] title
|
40
41
|
# @return [::String]
|
41
42
|
# Human readable title. Must be unique within the Policy.
|
@@ -133,6 +134,26 @@ module Google
|
|
133
134
|
# @!attribute [rw] vpc_accessible_services
|
134
135
|
# @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::VpcAccessibleServices]
|
135
136
|
# Configuration for APIs allowed within Perimeter.
|
137
|
+
# @!attribute [rw] ingress_policies
|
138
|
+
# @return [::Array<::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::IngressPolicy>]
|
139
|
+
# List of [IngressPolicies]
|
140
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
|
141
|
+
# to apply to the perimeter. A perimeter may have multiple [IngressPolicies]
|
142
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy],
|
143
|
+
# each of which is evaluated separately. Access is granted if any [Ingress
|
144
|
+
# Policy]
|
145
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
|
146
|
+
# grants it. Must be empty for a perimeter bridge.
|
147
|
+
# @!attribute [rw] egress_policies
|
148
|
+
# @return [::Array<::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::EgressPolicy>]
|
149
|
+
# List of [EgressPolicies]
|
150
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
|
151
|
+
# to apply to the perimeter. A perimeter may have multiple [EgressPolicies]
|
152
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy],
|
153
|
+
# each of which is evaluated separately. Access is granted if any
|
154
|
+
# [EgressPolicy]
|
155
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
|
156
|
+
# grants it. Must be empty for a perimeter bridge.
|
136
157
|
class ServicePerimeterConfig
|
137
158
|
include ::Google::Protobuf::MessageExts
|
138
159
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -146,11 +167,316 @@ module Google
|
|
146
167
|
# @!attribute [rw] allowed_services
|
147
168
|
# @return [::Array<::String>]
|
148
169
|
# The list of APIs usable within the Service Perimeter. Must be empty
|
149
|
-
# unless 'enable_restriction' is True.
|
170
|
+
# unless 'enable_restriction' is True. You can specify a list of individual
|
171
|
+
# services, as well as include the 'RESTRICTED-SERVICES' value, which
|
172
|
+
# automatically includes all of the services protected by the perimeter.
|
150
173
|
class VpcAccessibleServices
|
151
174
|
include ::Google::Protobuf::MessageExts
|
152
175
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
153
176
|
end
|
177
|
+
|
178
|
+
# An allowed method or permission of a service specified in [ApiOperation]
|
179
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation].
|
180
|
+
# @!attribute [rw] method
|
181
|
+
# @return [::String]
|
182
|
+
# Value for `method` should be a valid method name for the corresponding
|
183
|
+
# `service_name` in [ApiOperation]
|
184
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation].
|
185
|
+
# If `*` used as value for `method`, then ALL methods and permissions are
|
186
|
+
# allowed.
|
187
|
+
# @!attribute [rw] permission
|
188
|
+
# @return [::String]
|
189
|
+
# Value for `permission` should be a valid Cloud IAM permission for the
|
190
|
+
# corresponding `service_name` in [ApiOperation]
|
191
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation].
|
192
|
+
class MethodSelector
|
193
|
+
include ::Google::Protobuf::MessageExts
|
194
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
195
|
+
end
|
196
|
+
|
197
|
+
# Identification for an API Operation.
|
198
|
+
# @!attribute [rw] service_name
|
199
|
+
# @return [::String]
|
200
|
+
# The name of the API whose methods or permissions the [IngressPolicy]
|
201
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
|
202
|
+
# or [EgressPolicy]
|
203
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
|
204
|
+
# want to allow. A single [ApiOperation]
|
205
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
|
206
|
+
# with `service_name` field set to `*` will allow all methods AND
|
207
|
+
# permissions for all services.
|
208
|
+
# @!attribute [rw] method_selectors
|
209
|
+
# @return [::Array<::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::MethodSelector>]
|
210
|
+
# API methods or permissions to allow. Method or permission must belong to
|
211
|
+
# the service specified by `service_name` field. A single [MethodSelector]
|
212
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.MethodSelector]
|
213
|
+
# entry with `*` specified for the `method` field will allow all methods
|
214
|
+
# AND permissions for the service specified in `service_name`.
|
215
|
+
class ApiOperation
|
216
|
+
include ::Google::Protobuf::MessageExts
|
217
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
218
|
+
end
|
219
|
+
|
220
|
+
# The source that [IngressPolicy]
|
221
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
|
222
|
+
# authorizes access from.
|
223
|
+
# @!attribute [rw] access_level
|
224
|
+
# @return [::String]
|
225
|
+
# An [AccessLevel]
|
226
|
+
# [google.identity.accesscontextmanager.v1.AccessLevel] resource
|
227
|
+
# name that allow resources within the [ServicePerimeters]
|
228
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeter] to be
|
229
|
+
# accessed from the internet. [AccessLevels]
|
230
|
+
# [google.identity.accesscontextmanager.v1.AccessLevel] listed must
|
231
|
+
# be in the same policy as this [ServicePerimeter]
|
232
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeter].
|
233
|
+
# Referencing a nonexistent [AccessLevel]
|
234
|
+
# [google.identity.accesscontextmanager.v1.AccessLevel] will cause
|
235
|
+
# an error. If no [AccessLevel]
|
236
|
+
# [google.identity.accesscontextmanager.v1.AccessLevel] names are
|
237
|
+
# listed, resources within the perimeter can only be accessed via Google
|
238
|
+
# Cloud calls with request origins within the perimeter. Example:
|
239
|
+
# `accessPolicies/MY_POLICY/accessLevels/MY_LEVEL`. If a single `*` is
|
240
|
+
# specified for `access_level`, then all [IngressSources]
|
241
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource]
|
242
|
+
# will be allowed.
|
243
|
+
# @!attribute [rw] resource
|
244
|
+
# @return [::String]
|
245
|
+
# A Google Cloud resource that is allowed to ingress the perimeter.
|
246
|
+
# Requests from these resources will be allowed to access perimeter data.
|
247
|
+
# Currently only projects are allowed.
|
248
|
+
# Format: `projects/{project_number}`
|
249
|
+
# The project may be in any Google Cloud organization, not just the
|
250
|
+
# organization that the perimeter is defined in. `*` is not allowed, the
|
251
|
+
# case of allowing all Google Cloud resources only is not supported.
|
252
|
+
class IngressSource
|
253
|
+
include ::Google::Protobuf::MessageExts
|
254
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
255
|
+
end
|
256
|
+
|
257
|
+
# Defines the conditions under which an [EgressPolicy]
|
258
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
|
259
|
+
# matches a request. Conditions are based on information about the
|
260
|
+
# [ApiOperation]
|
261
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
|
262
|
+
# intended to be performed on the `resources` specified. Note that if the
|
263
|
+
# destination of the request is also protected by a [ServicePerimeter]
|
264
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeter], then that
|
265
|
+
# [ServicePerimeter]
|
266
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeter] must have
|
267
|
+
# an [IngressPolicy]
|
268
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
|
269
|
+
# which allows access in order for this request to succeed. The request must
|
270
|
+
# match `operations` AND `resources` fields in order to be allowed egress out
|
271
|
+
# of the perimeter.
|
272
|
+
# @!attribute [rw] resources
|
273
|
+
# @return [::Array<::String>]
|
274
|
+
# A list of resources, currently only projects in the form
|
275
|
+
# `projects/<projectnumber>`, that are allowed to be accessed by sources
|
276
|
+
# defined in the corresponding [EgressFrom]
|
277
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
|
278
|
+
# A request matches if it contains a resource in this list. If `*` is
|
279
|
+
# specified for `resources`, then this [EgressTo]
|
280
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
|
281
|
+
# rule will authorize access to all resources outside the perimeter.
|
282
|
+
# @!attribute [rw] operations
|
283
|
+
# @return [::Array<::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::ApiOperation>]
|
284
|
+
# A list of [ApiOperations]
|
285
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
|
286
|
+
# allowed to be performed by the sources specified in the corresponding
|
287
|
+
# [EgressFrom]
|
288
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
|
289
|
+
# A request matches if it uses an operation/service in this list.
|
290
|
+
class EgressTo
|
291
|
+
include ::Google::Protobuf::MessageExts
|
292
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
293
|
+
end
|
294
|
+
|
295
|
+
# Defines the conditions under which an [IngressPolicy]
|
296
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
|
297
|
+
# matches a request. Conditions are based on information about the source of
|
298
|
+
# the request. The request must satisfy what is defined in `sources` AND
|
299
|
+
# identity related fields in order to match.
|
300
|
+
# @!attribute [rw] sources
|
301
|
+
# @return [::Array<::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::IngressSource>]
|
302
|
+
# Sources that this [IngressPolicy]
|
303
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
|
304
|
+
# authorizes access from.
|
305
|
+
# @!attribute [rw] identities
|
306
|
+
# @return [::Array<::String>]
|
307
|
+
# A list of identities that are allowed access through this ingress
|
308
|
+
# policy. Should be in the format of email address. The email address
|
309
|
+
# should represent individual user or service account only.
|
310
|
+
# @!attribute [rw] identity_type
|
311
|
+
# @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::IdentityType]
|
312
|
+
# Specifies the type of identities that are allowed access from outside the
|
313
|
+
# perimeter. If left unspecified, then members of `identities` field will
|
314
|
+
# be allowed access.
|
315
|
+
class IngressFrom
|
316
|
+
include ::Google::Protobuf::MessageExts
|
317
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
318
|
+
end
|
319
|
+
|
320
|
+
# Defines the conditions under which an [IngressPolicy]
|
321
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
|
322
|
+
# matches a request. Conditions are based on information about the
|
323
|
+
# [ApiOperation]
|
324
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
|
325
|
+
# intended to be performed on the target resource of the request. The request
|
326
|
+
# must satisfy what is defined in `operations` AND `resources` in order to
|
327
|
+
# match.
|
328
|
+
# @!attribute [rw] operations
|
329
|
+
# @return [::Array<::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::ApiOperation>]
|
330
|
+
# A list of [ApiOperations]
|
331
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
|
332
|
+
# allowed to be performed by the sources specified in corresponding
|
333
|
+
# [IngressFrom]
|
334
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
|
335
|
+
# in this [ServicePerimeter]
|
336
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeter].
|
337
|
+
# @!attribute [rw] resources
|
338
|
+
# @return [::Array<::String>]
|
339
|
+
# A list of resources, currently only projects in the form
|
340
|
+
# `projects/<projectnumber>`, protected by this [ServicePerimeter]
|
341
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
|
342
|
+
# allowed to be accessed by sources defined in the corresponding
|
343
|
+
# [IngressFrom]
|
344
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
|
345
|
+
# If a single `*` is specified, then access to all resources inside the
|
346
|
+
# perimeter are allowed.
|
347
|
+
class IngressTo
|
348
|
+
include ::Google::Protobuf::MessageExts
|
349
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
350
|
+
end
|
351
|
+
|
352
|
+
# Policy for ingress into [ServicePerimeter]
|
353
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeter].
|
354
|
+
#
|
355
|
+
# [IngressPolicies]
|
356
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
|
357
|
+
# match requests based on `ingress_from` and `ingress_to` stanzas. For an
|
358
|
+
# ingress policy to match, both the `ingress_from` and `ingress_to` stanzas
|
359
|
+
# must be matched. If an [IngressPolicy]
|
360
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
|
361
|
+
# matches a request, the request is allowed through the perimeter boundary
|
362
|
+
# from outside the perimeter.
|
363
|
+
#
|
364
|
+
# For example, access from the internet can be allowed either
|
365
|
+
# based on an [AccessLevel]
|
366
|
+
# [google.identity.accesscontextmanager.v1.AccessLevel] or, for traffic
|
367
|
+
# hosted on Google Cloud, the project of the source network. For access from
|
368
|
+
# private networks, using the project of the hosting network is required.
|
369
|
+
#
|
370
|
+
# Individual ingress policies can be limited by restricting which
|
371
|
+
# services and/or actions they match using the `ingress_to` field.
|
372
|
+
# @!attribute [rw] ingress_from
|
373
|
+
# @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::IngressFrom]
|
374
|
+
# Defines the conditions on the source of a request causing this
|
375
|
+
# [IngressPolicy]
|
376
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
|
377
|
+
# to apply.
|
378
|
+
# @!attribute [rw] ingress_to
|
379
|
+
# @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::IngressTo]
|
380
|
+
# Defines the conditions on the [ApiOperation]
|
381
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
|
382
|
+
# and request destination that cause this [IngressPolicy]
|
383
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
|
384
|
+
# to apply.
|
385
|
+
class IngressPolicy
|
386
|
+
include ::Google::Protobuf::MessageExts
|
387
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
388
|
+
end
|
389
|
+
|
390
|
+
# Policy for egress from perimeter.
|
391
|
+
#
|
392
|
+
# [EgressPolicies]
|
393
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
|
394
|
+
# match requests based on `egress_from` and `egress_to` stanzas. For an
|
395
|
+
# [EgressPolicy]
|
396
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
|
397
|
+
# to match, both `egress_from` and `egress_to` stanzas must be matched. If an
|
398
|
+
# [EgressPolicy]
|
399
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
|
400
|
+
# matches a request, the request is allowed to span the [ServicePerimeter]
|
401
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeter] boundary.
|
402
|
+
# For example, an [EgressPolicy]
|
403
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
|
404
|
+
# can be used to allow VMs on networks within the [ServicePerimeter]
|
405
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeter] to access a
|
406
|
+
# defined set of projects outside the perimeter in certain contexts (e.g. to
|
407
|
+
# read data from a Cloud Storage bucket or query against a BigQuery dataset).
|
408
|
+
#
|
409
|
+
# [EgressPolicies]
|
410
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
|
411
|
+
# are concerned with the *resources* that a request relates as well as the
|
412
|
+
# API services and API actions being used. They do not related to the
|
413
|
+
# direction of data movement. More detailed documentation for this concept
|
414
|
+
# can be found in the descriptions of [EgressFrom]
|
415
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom]
|
416
|
+
# and [EgressTo]
|
417
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo].
|
418
|
+
# @!attribute [rw] egress_from
|
419
|
+
# @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::EgressFrom]
|
420
|
+
# Defines conditions on the source of a request causing this [EgressPolicy]
|
421
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
|
422
|
+
# to apply.
|
423
|
+
# @!attribute [rw] egress_to
|
424
|
+
# @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::EgressTo]
|
425
|
+
# Defines the conditions on the [ApiOperation]
|
426
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
|
427
|
+
# and destination resources that cause this [EgressPolicy]
|
428
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
|
429
|
+
# to apply.
|
430
|
+
class EgressPolicy
|
431
|
+
include ::Google::Protobuf::MessageExts
|
432
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
433
|
+
end
|
434
|
+
|
435
|
+
# Defines the conditions under which an [EgressPolicy]
|
436
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
|
437
|
+
# matches a request. Conditions based on information about the source of the
|
438
|
+
# request. Note that if the destination of the request is also protected by a
|
439
|
+
# [ServicePerimeter]
|
440
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeter], then that
|
441
|
+
# [ServicePerimeter]
|
442
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeter] must have
|
443
|
+
# an [IngressPolicy]
|
444
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
|
445
|
+
# which allows access in order for this request to succeed.
|
446
|
+
# @!attribute [rw] identities
|
447
|
+
# @return [::Array<::String>]
|
448
|
+
# A list of identities that are allowed access through this [EgressPolicy].
|
449
|
+
# Should be in the format of email address. The email address should
|
450
|
+
# represent individual user or service account only.
|
451
|
+
# @!attribute [rw] identity_type
|
452
|
+
# @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::IdentityType]
|
453
|
+
# Specifies the type of identities that are allowed access to outside the
|
454
|
+
# perimeter. If left unspecified, then members of `identities` field will
|
455
|
+
# be allowed access.
|
456
|
+
class EgressFrom
|
457
|
+
include ::Google::Protobuf::MessageExts
|
458
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
459
|
+
end
|
460
|
+
|
461
|
+
# Specifies the types of identities that are allowed access in either
|
462
|
+
# [IngressFrom]
|
463
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
|
464
|
+
# or [EgressFrom]
|
465
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom]
|
466
|
+
# rules.
|
467
|
+
module IdentityType
|
468
|
+
# No blanket identity group specified.
|
469
|
+
IDENTITY_TYPE_UNSPECIFIED = 0
|
470
|
+
|
471
|
+
# Authorize access from all identities outside the perimeter.
|
472
|
+
ANY_IDENTITY = 1
|
473
|
+
|
474
|
+
# Authorize access from all human users outside the perimeter.
|
475
|
+
ANY_USER_ACCOUNT = 2
|
476
|
+
|
477
|
+
# Authorize access from all service accounts outside the perimeter.
|
478
|
+
ANY_SERVICE_ACCOUNT = 3
|
479
|
+
end
|
154
480
|
end
|
155
481
|
end
|
156
482
|
end
|