google-cloud-asset-v1 0.28.0 → 0.29.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 01243b2f7e69373b2cfbd53589a2a22992428f3cd31eecdd121a6fa07f9d77b8
-  data.tar.gz: bc8c8cb91bb50b4a4c3517e515c696933f9c45e6afb068ced6f5579f5cf19d1e
+  metadata.gz: 463db4503e7e2b31ffcd0fe5e78c4d4e81f8518320e94c7be8cc634e97220319
+  data.tar.gz: 3ed4f4d5714cf470e7e345ed19f6a47208fbdb8bc178dc469dbb44a4ce9db366
 SHA512:
-  metadata.gz: 8fa655567ef6f712b3c58f8aaf7b3b24e5bc4c78d2348c2695b1f1471dbf650ebb2e2e2f258432de9c52e2a5110cde54d6fb4ff51d14922e150b5b007ca4528a
-  data.tar.gz: 76e6fe824da276ba998685fea9f7bfb187116c40d0b44ea2d05697a9c6354060115d7c8e470a3fc71200c3fe32b0bd5e7d5bb6e6b023a95285c01a7908203930
+  metadata.gz: a1eba4d4f2e0572a55c41b70174987407de2e02e09d544460b0812b28688b83a90487509e100145403a8e6613e3a80cd84731986bf80067804dad49f14926718
+  data.tar.gz: 250bf54f136348a2e12cff19d1ad4c7ae30a97ccfd621607943bed22e869f973bdcff68dbd310d74908f66d0f21282c7cfcabbe0127021abe8ea7ab9a498e3f7

data/AUTHENTICATION.md

@@ -1,151 +1,122 @@
 # Authentication
 
-In general, the google-cloud-asset-v1 library uses
-[Service Account](https://cloud.google.com/iam/docs/creating-managing-service-accounts)
-credentials to connect to Google Cloud services. When running within
-[Google Cloud Platform environments](#google-cloud-platform-environments) the
-credentials will be discovered automatically. When running on other
-environments, the Service Account credentials can be specified by providing the
-path to the
-[JSON keyfile](https://cloud.google.com/iam/docs/managing-service-account-keys)
-for the account (or the JSON itself) in
-[environment variables](#environment-variables). Additionally, Cloud SDK
-credentials can also be discovered automatically, but this is only recommended
-during development.
+The recommended way to authenticate to the google-cloud-asset-v1 library is to use
+[Application Default Credentials (ADC)](https://cloud.google.com/docs/authentication/application-default-credentials).
+To review all of your authentication options, see [Credentials lookup](#credential-lookup).
 
 ## Quickstart
 
-1. [Create a service account and credentials](#creating-a-service-account).
-2. Set the [environment variable](#environment-variables).
+The following example shows how to set up authentication for a local development
+environment with your user credentials. 
 
-```sh
-export ASSET_CREDENTIALS=path/to/keyfile.json
-```
-
-3. Initialize the client.
+**NOTE:** This method is _not_ recommended for running in production. User credentials
+should be used only during development.
 
-```ruby
-require "google/cloud/asset/v1"
+1. [Download and install the Google Cloud CLI](https://cloud.google.com/sdk).
+2. Set up a local ADC file with your user credentials:
 
-client = ::Google::Cloud::Asset::V1::AssetService::Client.new
+```sh
+gcloud auth application-default login
 ```
 
-## Credential Lookup
-
-The google-cloud-asset-v1 library aims to make authentication
-as simple as possible, and provides several mechanisms to configure your system
-without requiring **Service Account Credentials** directly in code.
-
-**Credentials** are discovered in the following order:
-
-1. Specify credentials in method arguments
-2. Specify credentials in configuration
-3. Discover credentials path in environment variables
-4. Discover credentials JSON in environment variables
-5. Discover credentials file in the Cloud SDK's path
-6. Discover GCP credentials
-
-### Google Cloud Platform environments
+3. Write code as if already authenticated.
 
-When running on Google Cloud Platform (GCP), including Google Compute Engine
-(GCE), Google Kubernetes Engine (GKE), Google App Engine (GAE), Google Cloud
-Functions (GCF) and Cloud Run, **Credentials** are discovered automatically.
-Code should be written as if already authenticated.
+For more information about setting up authentication for a local development environment, see
+[Set up Application Default Credentials](https://cloud.google.com/docs/authentication/provide-credentials-adc#local-dev).
 
-### Environment Variables
+## Credential Lookup
 
-The **Credentials JSON** can be placed in environment variables instead of
-declaring them directly in code. Each service has its own environment variable,
-allowing for different service accounts to be used for different services. (See
-the READMEs for the individual service gems for details.) The path to the
-**Credentials JSON** file can be stored in the environment variable, or the
-**Credentials JSON** itself can be stored for environments such as Docker
-containers where writing files is difficult or not encouraged.
+The google-cloud-asset-v1 library provides several mechanisms to configure your system.
+Generally, using Application Default Credentials to facilitate automatic 
+credentials discovery is the easist method. But if you need to explicitly specify
+credentials, there are several methods available to you.
 
-The environment variables that google-cloud-asset-v1
-checks for credentials are configured on the service Credentials class (such as
-{::Google::Cloud::Asset::V1::AssetService::Credentials}):
+Credentials are accepted in the following ways, in the following order or precedence:
 
-* `ASSET_CREDENTIALS` - Path to JSON file, or JSON contents
-* `ASSET_KEYFILE` - Path to JSON file, or JSON contents
-* `GOOGLE_CLOUD_CREDENTIALS` - Path to JSON file, or JSON contents
-* `GOOGLE_CLOUD_KEYFILE` - Path to JSON file, or JSON contents
-* `GOOGLE_APPLICATION_CREDENTIALS` - Path to JSON file
+1. Credentials specified in method arguments
+2. Credentials specified in configuration
+3. Credentials pointed to or included in environment variables
+4. Credentials found in local ADC file
+5. Credentials returned by the metadata server for the attached service account (GCP)
 
-```ruby
-require "google/cloud/asset/v1"
-
-ENV["ASSET_CREDENTIALS"] = "path/to/keyfile.json"
+### Configuration
 
-client = ::Google::Cloud::Asset::V1::AssetService::Client.new
-```
+You can configure a path to a JSON credentials file, either for an individual client object or
+globally, for all client objects. The JSON file can contain credentials created for
+[workload identity federation](https://cloud.google.com/iam/docs/workload-identity-federation),
+[workforce identity federation](https://cloud.google.com/iam/docs/workforce-identity-federation), or a
+[service account key](https://cloud.google.com/docs/authentication/provide-credentials-adc#local-key).
 
-### Configuration
+Note: Service account keys are a security risk if not managed correctly. You should
+[choose a more secure alternative to service account keys](https://cloud.google.com/docs/authentication#auth-decision-tree)
+whenever possible.
 
-The path to the **Credentials JSON** file can be configured instead of storing
-it in an environment variable. Either on an individual client initialization:
+To configure a credentials file for an individual client initialization:
 
 ```ruby
 require "google/cloud/asset/v1"
 
 client = ::Google::Cloud::Asset::V1::AssetService::Client.new do |config|
-  config.credentials = "path/to/keyfile.json"
+  config.credentials = "path/to/credentialfile.json"
 end
 ```
 
-Or globally for all clients:
+To configure a credentials file globally for all clients:
 
 ```ruby
 require "google/cloud/asset/v1"
 
 ::Google::Cloud::Asset::V1::AssetService::Client.configure do |config|
-  config.credentials = "path/to/keyfile.json"
+  config.credentials = "path/to/credentialfile.json"
 end
 
 client = ::Google::Cloud::Asset::V1::AssetService::Client.new
 ```
 
-### Cloud SDK
+### Environment Variables
 
-This option allows for an easy way to authenticate during development. If
-credentials are not provided in code or in environment variables, then Cloud SDK
-credentials are discovered.
+You can also use an environment variable to provide a JSON credentials file.
+The environment variable can contain a path to the credentials file or, for
+environments such as Docker containers where writing files is not encouraged,
+you can include the credentials file itself.
 
-To configure your system for this, simply:
+The JSON file can contain credentials created for
+[workload identity federation](https://cloud.google.com/iam/docs/workload-identity-federation),
+[workforce identity federation](https://cloud.google.com/iam/docs/workforce-identity-federation), or a
+[service account key](https://cloud.google.com/docs/authentication/provide-credentials-adc#local-key).
 
-1. [Download and install the Cloud SDK](https://cloud.google.com/sdk)
-2. Authenticate using OAuth 2.0 `$ gcloud auth application-default login`
-3. Write code as if already authenticated.
+Note: Service account keys are a security risk if not managed correctly. You should
+[choose a more secure alternative to service account keys](https://cloud.google.com/docs/authentication#auth-decision-tree)
+whenever possible.
+
+The environment variables that google-cloud-asset-v1
+checks for credentials are:
 
-**NOTE:** This is _not_ recommended for running in production. The Cloud SDK
-*should* only be used during development.
+* `GOOGLE_CLOUD_CREDENTIALS` - Path to JSON file, or JSON contents
+* `GOOGLE_APPLICATION_CREDENTIALS` - Path to JSON file
 
-## Creating a Service Account
+```ruby
+require "google/cloud/asset/v1"
 
-Google Cloud requires **Service Account Credentials** to
-connect to the APIs. You will use the **JSON key file** to
-connect to most services with google-cloud-asset-v1.
+ENV["GOOGLE_APPLICATION_CREDENTIALS"] = "path/to/credentialfile.json"
 
-If you are not running this client within
-[Google Cloud Platform environments](#google-cloud-platform-environments), you
-need a Google Developers service account.
+client = ::Google::Cloud::Asset::V1::AssetService::Client.new
+```
 
-1. Visit the [Google Cloud Console](https://console.cloud.google.com/project).
-2. Create a new project or click on an existing project.
-3. Activate the menu in the upper left and select **APIs & Services**. From
-   here, you will enable the APIs that your application requires.
+### Local ADC file
 
-   *Note: You may need to enable billing in order to use these services.*
+You can set up a local ADC file with your user credentials for authentication during
+development. If credentials are not provided in code or in environment variables,
+then the local ADC credentials are discovered.
 
-4. Select **Credentials** from the side navigation.
+Follow the steps in [Quickstart](#quickstart) to set up a local ADC file.
 
-   Find the "Create credentials" drop down near the top of the page, and select
-   "Service account" to be guided through downloading a new JSON key file.
+### Google Cloud Platform environments
 
-   If you want to re-use an existing service account, you can easily generate a
-   new key file. Just select the account you wish to re-use, click the pencil
-   tool on the right side to edit the service account, select the **Keys** tab,
-   and then select **Add Key**.
+When running on Google Cloud Platform (GCP), including Google Compute Engine
+(GCE), Google Kubernetes Engine (GKE), Google App Engine (GAE), Google Cloud
+Functions (GCF) and Cloud Run, credentials are retrieved from the attached
+service account automatically. Code should be written as if already authenticated.
 
-   The key file you download will be used by this library to authenticate API
-   requests and should be stored in a secure location.
+For more information, see
+[Set up ADC for Google Cloud services](https://cloud.google.com/docs/authentication/provide-credentials-adc#attached-sa).

data/lib/google/cloud/asset/v1/asset_service/client.rb

@@ -30,6 +30,9 @@ module Google
           # Asset service definition.
           #
           class Client
+            # @private
+            DEFAULT_ENDPOINT_TEMPLATE = "cloudasset.$UNIVERSE_DOMAIN$"
+
             include Paths
 
             # @private
@@ -182,6 +185,15 @@ module Google
               @config
             end
 
+            ##
+            # The effective universe domain
+            #
+            # @return [String]
+            #
+            def universe_domain
+              @asset_service_stub.universe_domain
+            end
+
             ##
             # Create a new AssetService client object.
             #
@@ -215,8 +227,9 @@ module Google
               credentials = @config.credentials
               # Use self-signed JWT if the endpoint is unchanged from default,
               # but only if the default endpoint does not have a region prefix.
-              enable_self_signed_jwt = @config.endpoint == Configuration::DEFAULT_ENDPOINT &&
-                                       !@config.endpoint.split(".").first.include?("-")
+              enable_self_signed_jwt = @config.endpoint.nil? ||
+                                       (@config.endpoint == Configuration::DEFAULT_ENDPOINT &&
+                                       !@config.endpoint.split(".").first.include?("-"))
               credentials ||= Credentials.default scope: @config.scope,
                                                   enable_self_signed_jwt: enable_self_signed_jwt
               if credentials.is_a?(::String) || credentials.is_a?(::Hash)
@@ -229,12 +242,15 @@ module Google
                 config.credentials = credentials
                 config.quota_project = @quota_project_id
                 config.endpoint = @config.endpoint
+                config.universe_domain = @config.universe_domain
               end
 
               @asset_service_stub = ::Gapic::ServiceStub.new(
                 ::Google::Cloud::Asset::V1::AssetService::Stub,
-                credentials:  credentials,
-                endpoint:     @config.endpoint,
+                credentials: credentials,
+                endpoint: @config.endpoint,
+                endpoint_template: DEFAULT_ENDPOINT_TEMPLATE,
+                universe_domain: @config.universe_domain,
                 channel_args: @config.channel_args,
                 interceptors: @config.interceptors,
                 channel_pool_config: @config.channel_pool
@@ -1188,31 +1204,31 @@ module Google
             #     * `labels.env:*` to find Google Cloud resources that have a label `env`.
             #     * `tagKeys:env` to find Google Cloud resources that have directly
             #       attached tags where the
-            #       [`TagKey`](https://cloud.google.com/resource-manager/reference/rest/v3/tagKeys#resource:-tagkey)
-            #       .`namespacedName` contains `env`.
+            #       [`TagKey.namespacedName`](https://cloud.google.com/resource-manager/reference/rest/v3/tagKeys#resource:-tagkey)
+            #       contains `env`.
             #     * `tagValues:prod*` to find Google Cloud resources that have directly
             #       attached tags where the
-            #       [`TagValue`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue)
-            #       .`namespacedName` contains a word prefixed by `prod`.
+            #       [`TagValue.namespacedName`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue)
+            #       contains a word prefixed by `prod`.
             #     * `tagValueIds=tagValues/123` to find Google Cloud resources that have
             #       directly attached tags where the
-            #       [`TagValue`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue)
-            #       .`name` is exactly `tagValues/123`.
+            #       [`TagValue.name`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue)
+            #       is exactly `tagValues/123`.
             #     * `effectiveTagKeys:env` to find Google Cloud resources that have
             #       directly attached or inherited tags where the
-            #       [`TagKey`](https://cloud.google.com/resource-manager/reference/rest/v3/tagKeys#resource:-tagkey)
-            #       .`namespacedName` contains `env`.
+            #       [`TagKey.namespacedName`](https://cloud.google.com/resource-manager/reference/rest/v3/tagKeys#resource:-tagkey)
+            #       contains `env`.
             #     * `effectiveTagValues:prod*` to find Google Cloud resources that have
             #       directly attached or inherited tags where the
-            #       [`TagValue`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue)
-            #       .`namespacedName` contains a word prefixed by `prod`.
+            #       [`TagValue.namespacedName`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue)
+            #       contains a word prefixed by `prod`.
             #     * `effectiveTagValueIds=tagValues/123` to find Google Cloud resources that
             #        have directly attached or inherited tags where the
-            #       [`TagValue`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue)
-            #       .`name` is exactly `tagValues/123`.
+            #       [`TagValue.name`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue)
+            #       is exactly `tagValues/123`.
             #     * `kmsKey:key` to find Google Cloud resources encrypted with a
             #       customer-managed encryption key whose name contains `key` as a word. This
-            #       field is deprecated. Please use the `kmsKeys` field to retrieve Cloud KMS
+            #       field is deprecated. Use the `kmsKeys` field to retrieve Cloud KMS
             #       key information.
             #     * `kmsKeys:key` to find Google Cloud resources encrypted with
             #       customer-managed encryption keys whose name contains the word `key`.
@@ -1224,6 +1240,10 @@ module Google
             #       Compute Engine instances that have relationships with `instance-group-1`
             #       in the Compute Engine instance group resource name, for relationship type
             #       `INSTANCE_TO_INSTANCEGROUP`.
+            #     * `sccSecurityMarks.key=value` to find Cloud resources that are attached
+            #       with security marks whose key is `key` and value is `value`.
+            #     * `sccSecurityMarks.key:*` to find Cloud resources that are attached with
+            #       security marks whose key is `key`.
             #     * `state:ACTIVE` to find Google Cloud resources whose state contains
             #       `ACTIVE` as a word.
             #     * `NOT state:ACTIVE` to find Google Cloud resources whose state doesn't
@@ -1245,7 +1265,7 @@ module Google
             #   @param asset_types [::Array<::String>]
             #     Optional. A list of asset types that this request searches for. If empty,
             #     it will search all the [searchable asset
-            #     types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types).
+            #     types](https://cloud.google.com/asset-inventory/docs/supported-asset-types).
             #
             #     Regular expressions are also supported. For example:
             #
@@ -1480,7 +1500,7 @@ module Google
             #     Optional. A list of asset types that the IAM policies are attached to. If
             #     empty, it will search the IAM policies that are attached to all the
             #     [searchable asset
-            #     types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types).
+            #     types](https://cloud.google.com/asset-inventory/docs/supported-asset-types).
             #
             #     Regular expressions are also supported. For example:
             #
@@ -1606,7 +1626,7 @@ module Google
             #     If both `analysis_query` and `saved_analysis_query` are provided, they
             #     will be merged together with the `saved_analysis_query` as base and
             #     the `analysis_query` as overrides. For more details of the merge behavior,
-            #     please refer to the
+            #     refer to the
             #     [MergeFrom](https://developers.google.com/protocol-buffers/docs/reference/cpp/google.protobuf.message#Message.MergeFrom.details)
             #     page.
             #
@@ -1729,7 +1749,7 @@ module Google
             #     If both `analysis_query` and `saved_analysis_query` are provided, they
             #     will be merged together with the `saved_analysis_query` as base and
             #     the `analysis_query` as overrides. For more details of the merge behavior,
-            #     please refer to the
+            #     refer to the
             #     [MergeFrom](https://developers.google.com/protocol-buffers/docs/reference/cpp/google.protobuf.message#Message.MergeFrom.details)
             #     doc.
             #
@@ -2583,7 +2603,7 @@ module Google
             #     Required. The names refer to the [full_resource_names]
             #     (https://cloud.google.com/asset-inventory/docs/resource-name-format)
             #     of [searchable asset
-            #     types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types).
+            #     types](https://cloud.google.com/asset-inventory/docs/supported-asset-types).
             #     A maximum of 20 resources' effective policies can be retrieved in a batch.
             #
             # @yield [response, operation] Access the result along with the RPC operation
@@ -2680,12 +2700,15 @@ module Google
             #   @param filter [::String]
             #     The expression to filter
             #     {::Google::Cloud::Asset::V1::AnalyzeOrgPoliciesResponse#org_policy_results AnalyzeOrgPoliciesResponse.org_policy_results}.
-            #     The only supported field is `consolidated_policy.attached_resource`, and
-            #     the only supported operator is `=`.
+            #     Filtering is currently available for bare literal values and the following
+            #     fields:
+            #     * consolidated_policy.attached_resource
+            #     * consolidated_policy.rules.enforce
             #
-            #     Example:
+            #     When filtering by a specific field, the only supported operator is `=`.
+            #     For example, filtering by
             #     consolidated_policy.attached_resource="//cloudresourcemanager.googleapis.com/folders/001"
-            #     will return the org policy results of"folders/001".
+            #     will return all the Organization Policy results attached to "folders/001".
             #   @param page_size [::Integer]
             #     The maximum number of items to return per page. If unspecified,
             #     {::Google::Cloud::Asset::V1::AnalyzeOrgPoliciesResponse#org_policy_results AnalyzeOrgPoliciesResponse.org_policy_results}
@@ -2793,13 +2816,17 @@ module Google
             #     The analysis only contains organization policies for the provided
             #     constraint.
             #   @param filter [::String]
-            #     The expression to filter the governed containers in result.
-            #     The only supported field is `parent`, and the only supported operator is
-            #     `=`.
-            #
-            #     Example:
-            #     parent="//cloudresourcemanager.googleapis.com/folders/001" will return all
-            #     containers under "folders/001".
+            #     The expression to filter
+            #     {::Google::Cloud::Asset::V1::AnalyzeOrgPolicyGovernedContainersResponse#governed_containers AnalyzeOrgPolicyGovernedContainersResponse.governed_containers}.
+            #     Filtering is currently available for bare literal values and the following
+            #     fields:
+            #     * parent
+            #     * consolidated_policy.rules.enforce
+            #
+            #     When filtering by a specific field, the only supported operator is `=`.
+            #     For example, filtering by
+            #     parent="//cloudresourcemanager.googleapis.com/folders/001"
+            #     will return all the containers under "folders/001".
             #   @param page_size [::Integer]
             #     The maximum number of items to return per page. If unspecified,
             #     {::Google::Cloud::Asset::V1::AnalyzeOrgPolicyGovernedContainersResponse#governed_containers AnalyzeOrgPolicyGovernedContainersResponse.governed_containers}
@@ -2894,7 +2921,7 @@ module Google
             #
             # This RPC only returns either resources of types supported by [searchable
             # asset
-            # types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types),
+            # types](https://cloud.google.com/asset-inventory/docs/supported-asset-types),
             # or IAM policies.
             #
             # @overload analyze_org_policy_governed_assets(request, options = nil)
@@ -2924,18 +2951,33 @@ module Google
             #     analysis only contains analyzed organization policies for the provided
             #     constraint.
             #   @param filter [::String]
-            #     The expression to filter the governed assets in result. The only supported
-            #     fields for governed resources are `governed_resource.project` and
-            #     `governed_resource.folders`. The only supported fields for governed iam
-            #     policies are `governed_iam_policy.project` and
-            #     `governed_iam_policy.folders`. The only supported operator is `=`.
-            #
-            #     Example 1: governed_resource.project="projects/12345678" filter will return
-            #     all governed resources under projects/12345678 including the project
-            #     ifself, if applicable.
-            #
-            #     Example 2: governed_iam_policy.folders="folders/12345678" filter will
-            #     return all governed iam policies under folders/12345678, if applicable.
+            #     The expression to filter
+            #     {::Google::Cloud::Asset::V1::AnalyzeOrgPolicyGovernedAssetsResponse#governed_assets AnalyzeOrgPolicyGovernedAssetsResponse.governed_assets}.
+            #
+            #     For governed resources, filtering is currently available for bare literal
+            #     values and the following fields:
+            #     * governed_resource.project
+            #     * governed_resource.folders
+            #     * consolidated_policy.rules.enforce
+            #     When filtering by `governed_resource.project` or
+            #     `consolidated_policy.rules.enforce`, the only supported operator is `=`.
+            #     When filtering by `governed_resource.folders`, the supported operators
+            #     are `=` and `:`.
+            #     For example, filtering by `governed_resource.project="projects/12345678"`
+            #     will return all the governed resources under "projects/12345678",
+            #     including the project itself if applicable.
+            #
+            #     For governed IAM policies, filtering is currently available for bare
+            #     literal values and the following fields:
+            #     * governed_iam_policy.project
+            #     * governed_iam_policy.folders
+            #     * consolidated_policy.rules.enforce
+            #     When filtering by `governed_iam_policy.project` or
+            #     `consolidated_policy.rules.enforce`, the only supported operator is `=`.
+            #     When filtering by `governed_iam_policy.folders`, the supported operators
+            #     are `=` and `:`.
+            #     For example, filtering by `governed_iam_policy.folders:"folders/12345678"`
+            #     will return all the governed IAM policies under "folders/001".
             #   @param page_size [::Integer]
             #     The maximum number of items to return per page. If unspecified,
             #     {::Google::Cloud::Asset::V1::AnalyzeOrgPolicyGovernedAssetsResponse#governed_assets AnalyzeOrgPolicyGovernedAssetsResponse.governed_assets}
@@ -3042,9 +3084,9 @@ module Google
             #   end
             #
             # @!attribute [rw] endpoint
-            #   The hostname or hostname:port of the service endpoint.
-            #   Defaults to `"cloudasset.googleapis.com"`.
-            #   @return [::String]
+            #   A custom service endpoint, as a hostname or hostname:port. The default is
+            #   nil, indicating to use the default endpoint in the current universe domain.
+            #   @return [::String,nil]
             # @!attribute [rw] credentials
             #   Credentials to send with calls. You may provide any of the following types:
             #    *  (`String`) The path to a service account key file in JSON format
@@ -3090,13 +3132,20 @@ module Google
             # @!attribute [rw] quota_project
             #   A separate project against which to charge quota.
             #   @return [::String]
+            # @!attribute [rw] universe_domain
+            #   The universe domain within which to make requests. This determines the
+            #   default endpoint URL. The default value of nil uses the environment
+            #   universe (usually the default "googleapis.com" universe).
+            #   @return [::String,nil]
             #
             class Configuration
               extend ::Gapic::Config
 
+              # @private
+              # The endpoint specific to the default "googleapis.com" universe. Deprecated.
               DEFAULT_ENDPOINT = "cloudasset.googleapis.com"
 
-              config_attr :endpoint,      DEFAULT_ENDPOINT, ::String
+              config_attr :endpoint,      nil, ::String, nil
               config_attr :credentials,   nil do |value|
                 allowed = [::String, ::Hash, ::Proc, ::Symbol, ::Google::Auth::Credentials, ::Signet::OAuth2::Client, nil]
                 allowed += [::GRPC::Core::Channel, ::GRPC::Core::ChannelCredentials] if defined? ::GRPC
@@ -3111,6 +3160,7 @@ module Google
               config_attr :metadata,      nil, ::Hash, nil
               config_attr :retry_policy,  nil, ::Hash, ::Proc, nil
               config_attr :quota_project, nil, ::String, nil
+              config_attr :universe_domain, nil, ::String, nil
 
               # @private
               def initialize parent_config = nil

data/lib/google/cloud/asset/v1/asset_service/operations.rb

@@ -26,6 +26,9 @@ module Google
         module AssetService
           # Service that implements Longrunning Operations API.
           class Operations
+            # @private
+            DEFAULT_ENDPOINT_TEMPLATE = "cloudasset.$UNIVERSE_DOMAIN$"
+
             # @private
             attr_reader :operations_stub
 
@@ -60,6 +63,15 @@ module Google
               @config
             end
 
+            ##
+            # The effective universe domain
+            #
+            # @return [String]
+            #
+            def universe_domain
+              @operations_stub.universe_domain
+            end
+
             ##
             # Create a new Operations client object.
             #
@@ -90,8 +102,10 @@ module Google
 
               @operations_stub = ::Gapic::ServiceStub.new(
                 ::Google::Longrunning::Operations::Stub,
-                credentials:  credentials,
-                endpoint:     @config.endpoint,
+                credentials: credentials,
+                endpoint: @config.endpoint,
+                endpoint_template: DEFAULT_ENDPOINT_TEMPLATE,
+                universe_domain: @config.universe_domain,
                 channel_args: @config.channel_args,
                 interceptors: @config.interceptors,
                 channel_pool_config: @config.channel_pool
@@ -613,9 +627,9 @@ module Google
             #   end
             #
             # @!attribute [rw] endpoint
-            #   The hostname or hostname:port of the service endpoint.
-            #   Defaults to `"cloudasset.googleapis.com"`.
-            #   @return [::String]
+            #   A custom service endpoint, as a hostname or hostname:port. The default is
+            #   nil, indicating to use the default endpoint in the current universe domain.
+            #   @return [::String,nil]
             # @!attribute [rw] credentials
             #   Credentials to send with calls. You may provide any of the following types:
             #    *  (`String`) The path to a service account key file in JSON format
@@ -661,13 +675,20 @@ module Google
             # @!attribute [rw] quota_project
             #   A separate project against which to charge quota.
             #   @return [::String]
+            # @!attribute [rw] universe_domain
+            #   The universe domain within which to make requests. This determines the
+            #   default endpoint URL. The default value of nil uses the environment
+            #   universe (usually the default "googleapis.com" universe).
+            #   @return [::String,nil]
             #
             class Configuration
               extend ::Gapic::Config
 
+              # @private
+              # The endpoint specific to the default "googleapis.com" universe. Deprecated.
               DEFAULT_ENDPOINT = "cloudasset.googleapis.com"
 
-              config_attr :endpoint,      DEFAULT_ENDPOINT, ::String
+              config_attr :endpoint,      nil, ::String, nil
               config_attr :credentials,   nil do |value|
                 allowed = [::String, ::Hash, ::Proc, ::Symbol, ::Google::Auth::Credentials, ::Signet::OAuth2::Client, nil]
                 allowed += [::GRPC::Core::Channel, ::GRPC::Core::ChannelCredentials] if defined? ::GRPC
@@ -682,6 +703,7 @@ module Google
               config_attr :metadata,      nil, ::Hash, nil
               config_attr :retry_policy,  nil, ::Hash, ::Proc, nil
               config_attr :quota_project, nil, ::String, nil
+              config_attr :universe_domain, nil, ::String, nil
 
               # @private
               def initialize parent_config = nil