google-cloud-asset-v1 0.5.1 → 0.7.0

@@ -3,7 +3,6 @@
3
3
 
4
4
  require 'google/protobuf'
5
5
 
6
- require 'google/api/annotations_pb'
7
6
  require 'google/api/resource_pb'
8
7
  require 'google/cloud/orgpolicy/v1/orgpolicy_pb'
9
8
  require 'google/iam/v1/policy_pb'
@@ -14,6 +13,7 @@ require 'google/protobuf/any_pb'
14
13
  require 'google/protobuf/struct_pb'
15
14
  require 'google/protobuf/timestamp_pb'
16
15
  require 'google/rpc/code_pb'
16
+ require 'google/api/annotations_pb'
17
17
  Google::Protobuf::DescriptorPool.generated_pool.build do
18
18
  add_file("google/cloud/asset/v1/assets.proto", :syntax => :proto3) do
19
19
  add_message "google.cloud.asset.v1.TemporalAsset" do
@@ -21,7 +21,7 @@ module Google
21
21
  module Cloud
22
22
  module Asset
23
23
  module V1
24
- VERSION = "0.5.1"
24
+ VERSION = "0.7.0"
25
25
  end
26
26
  end
27
27
  end
@@ -43,12 +43,12 @@ module Google
43
43
  #
44
44
  # The ResourceDescriptor Yaml config will look like:
45
45
  #
46
- # resources:
47
- # - type: "pubsub.googleapis.com/Topic"
48
- # name_descriptor:
49
- # - pattern: "projects/\\{project}/topics/\\{topic}"
50
- # parent_type: "cloudresourcemanager.googleapis.com/Project"
51
- # parent_name_extractor: "projects/\\{project}"
46
+ # resources:
47
+ # - type: "pubsub.googleapis.com/Topic"
48
+ # name_descriptor:
49
+ # - pattern: "projects/{project}/topics/{topic}"
50
+ # parent_type: "cloudresourcemanager.googleapis.com/Project"
51
+ # parent_name_extractor: "projects/{project}"
52
52
  #
53
53
  # Sometimes, resources have multiple patterns, typically because they can
54
54
  # live under multiple parents.
@@ -183,15 +183,24 @@ module Google
183
183
  # }
184
184
  # @!attribute [rw] plural
185
185
  # @return [::String]
186
- # The plural name used in the resource name, such as 'projects' for
187
- # the name of 'projects/\\{project}'. It is the same concept of the `plural`
188
- # field in k8s CRD spec
186
+ # The plural name used in the resource name and permission names, such as
187
+ # 'projects' for the resource name of 'projects/\\{project}' and the permission
188
+ # name of 'cloudresourcemanager.googleapis.com/projects.get'. It is the same
189
+ # concept of the `plural` field in k8s CRD spec
189
190
  # https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/
191
+ #
192
+ # Note: The plural form is required even for singleton resources. See
193
+ # https://aip.dev/156
190
194
  # @!attribute [rw] singular
191
195
  # @return [::String]
192
196
  # The same concept of the `singular` field in k8s CRD spec
193
197
  # https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/
194
198
  # Such as "project" for the `resourcemanager.googleapis.com/Project` type.
199
+ # @!attribute [rw] style
200
+ # @return [::Array<::Google::Api::ResourceDescriptor::Style>]
201
+ # Style flag(s) for this resource.
202
+ # These indicate that a resource is expected to conform to a given
203
+ # style. See the specific style flags for additional information.
195
204
  class ResourceDescriptor
196
205
  include ::Google::Protobuf::MessageExts
197
206
  extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -211,6 +220,22 @@ module Google
211
220
  # that from being necessary once there are multiple patterns.)
212
221
  FUTURE_MULTI_PATTERN = 2
213
222
  end
223
+
224
+ # A flag representing a specific style that a resource claims to conform to.
225
+ module Style
226
+ # The unspecified value. Do not use.
227
+ STYLE_UNSPECIFIED = 0
228
+
229
+ # This resource is intended to be "declarative-friendly".
230
+ #
231
+ # Declarative-friendly resources must be more strictly consistent, and
232
+ # setting this to true communicates to tools that this resource should
233
+ # adhere to declarative-friendly expectations.
234
+ #
235
+ # Note: This is used by the API linter (linter.aip.dev) to enable
236
+ # additional checks.
237
+ DECLARATIVE_FRIENDLY = 1
238
+ end
214
239
  end
215
240
 
216
241
  # Defines a proto annotation that describes a string field that refers to
@@ -226,6 +251,17 @@ module Google
226
251
  # type: "pubsub.googleapis.com/Topic"
227
252
  # }];
228
253
  # }
254
+ #
255
+ # Occasionally, a field may reference an arbitrary resource. In this case,
256
+ # APIs use the special value * in their resource reference.
257
+ #
258
+ # Example:
259
+ #
260
+ # message GetIamPolicyRequest {
261
+ # string resource = 2 [(google.api.resource_reference) = {
262
+ # type: "*"
263
+ # }];
264
+ # }
229
265
  # @!attribute [rw] child_type
230
266
  # @return [::String]
231
267
  # The resource type of a child collection that the annotated field
@@ -234,11 +270,11 @@ module Google
234
270
  #
235
271
  # Example:
236
272
  #
237
- # message ListLogEntriesRequest {
238
- # string parent = 1 [(google.api.resource_reference) = {
239
- # child_type: "logging.googleapis.com/LogEntry"
240
- # };
241
- # }
273
+ # message ListLogEntriesRequest {
274
+ # string parent = 1 [(google.api.resource_reference) = {
275
+ # child_type: "logging.googleapis.com/LogEntry"
276
+ # };
277
+ # }
242
278
  class ResourceReference
243
279
  include ::Google::Protobuf::MessageExts
244
280
  extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -37,9 +37,22 @@ module Google
37
37
  # running the same query may get different results.
38
38
  # @!attribute [rw] asset_types
39
39
  # @return [::Array<::String>]
40
- # A list of asset types of which to take a snapshot for. Example:
41
- # "compute.googleapis.com/Disk". If specified, only matching assets will be
42
- # returned. See [Introduction to Cloud Asset
40
+ # A list of asset types to take a snapshot for. For example:
41
+ # "compute.googleapis.com/Disk".
42
+ #
43
+ # Regular expressions are also supported. For example:
44
+ #
45
+ # * "compute.googleapis.com.*" snapshots resources whose asset type starts
46
+ # with "compute.googleapis.com".
47
+ # * ".*Instance" snapshots resources whose asset type ends with "Instance".
48
+ # * ".*Instance.*" snapshots resources whose asset type contains "Instance".
49
+ #
50
+ # See [RE2](https://github.com/google/re2/wiki/Syntax) for all supported
51
+ # regular expression syntax. If the regular expression does not match any
52
+ # supported asset type, an INVALID_ARGUMENT error will be returned.
53
+ #
54
+ # If specified, only matching assets will be returned, otherwise, it will
55
+ # snapshot all asset types. See [Introduction to Cloud Asset
43
56
  # Inventory](https://cloud.google.com/asset-inventory/docs/overview)
44
57
  # for all supported asset types.
45
58
  # @!attribute [rw] content_type
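Review bot: The regular-expression examples added to the `asset_types` documentation leave their dots unescaped, and in RE2 an unescaped `.` matches any character, so `"compute.googleapis.com.*"` is broader than the stated "starts with compute.googleapis.com". The examples imply that a pattern has to match the whole asset type, but the text never says so. Because this field decides which assets end up in an export, I would state it, for example `# A pattern must match the entire asset type; write "\." for a literal dot.` The full-match half is inferred from the examples and should be confirmed against the service before it is written down. The comment documents ExportAssetsRequest, whose class line sits in the next hunk.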
@@ -48,24 +61,28 @@ module Google
48
61
  # returned.
49
62
  # @!attribute [rw] output_config
50
63
  # @return [::Google::Cloud::Asset::V1::OutputConfig]
51
- # Required. Output configuration indicating where the results will be output
52
- # to.
64
+ # Required. Output configuration indicating where the results will be output to.
53
65
  class ExportAssetsRequest
54
66
  include ::Google::Protobuf::MessageExts
55
67
  extend ::Google::Protobuf::MessageExts::ClassMethods
56
68
  end
57
69
 
58
70
  # The export asset response. This message is returned by the
59
- # google.longrunning.Operations.GetOperation
60
- # method in the returned
61
- # {::Google::Longrunning::Operation#response google.longrunning.Operation.response}
62
- # field.
71
+ # google.longrunning.Operations.GetOperation method in the returned
72
+ # {::Google::Longrunning::Operation#response google.longrunning.Operation.response} field.
63
73
  # @!attribute [rw] read_time
64
74
  # @return [::Google::Protobuf::Timestamp]
65
75
  # Time the snapshot was taken.
66
76
  # @!attribute [rw] output_config
67
77
  # @return [::Google::Cloud::Asset::V1::OutputConfig]
68
78
  # Output configuration indicating where the results were output to.
79
+ # @!attribute [rw] output_result
80
+ # @return [::Google::Cloud::Asset::V1::OutputResult]
81
+ # Output result indicating where the assets were exported to. For example, a
82
+ # set of actual Google Cloud Storage object uris where the assets are
83
+ # exported to. The uris can be different from what [output_config] has
84
+ # specified, as the service will split the output object into multiple ones
85
+ # once it exceeds a single Google Cloud Storage object limit.
69
86
  class ExportAssetsResponse
70
87
  include ::Google::Protobuf::MessageExts
71
88
  extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -126,8 +143,9 @@ module Google
126
143
  # be unique under a specific parent project/folder/organization.
127
144
  # @!attribute [rw] feed
128
145
  # @return [::Google::Cloud::Asset::V1::Feed]
129
- # Required. The feed details. The field `name` must be empty and it will be
130
- # generated in the format of: projects/project_number/feeds/feed_id
146
+ # Required. The feed details. The field `name` must be empty and it will be generated
147
+ # in the format of:
148
+ # projects/project_number/feeds/feed_id
131
149
  # folders/folder_number/feeds/feed_id
132
150
  # organizations/organization_number/feeds/feed_id
133
151
  class CreateFeedRequest
@@ -169,8 +187,8 @@ module Google
169
187
  # Update asset feed request.
170
188
  # @!attribute [rw] feed
171
189
  # @return [::Google::Cloud::Asset::V1::Feed]
172
- # Required. The new values of feed details. It must match an existing feed
173
- # and the field `name` must be in the format of:
190
+ # Required. The new values of feed details. It must match an existing feed and the
191
+ # field `name` must be in the format of:
174
192
  # projects/project_number/feeds/feed_id or
175
193
  # folders/folder_number/feeds/feed_id or
176
194
  # organizations/organization_number/feeds/feed_id.
@@ -208,6 +226,25 @@ module Google
208
226
  extend ::Google::Protobuf::MessageExts::ClassMethods
209
227
  end
210
228
 
229
+ # Output result of export assets.
230
+ # @!attribute [rw] gcs_result
231
+ # @return [::Google::Cloud::Asset::V1::GcsOutputResult]
232
+ # Export result on Cloud Storage.
233
+ class OutputResult
234
+ include ::Google::Protobuf::MessageExts
235
+ extend ::Google::Protobuf::MessageExts::ClassMethods
236
+ end
237
+
238
+ # A Cloud Storage output result.
239
+ # @!attribute [rw] uris
240
+ # @return [::Array<::String>]
241
+ # List of uris of the Cloud Storage objects. Example:
242
+ # "gs://bucket_name/object_name".
243
+ class GcsOutputResult
244
+ include ::Google::Protobuf::MessageExts
245
+ extend ::Google::Protobuf::MessageExts::ClassMethods
246
+ end
247
+
211
248
  # A Cloud Storage location.
212
249
  # @!attribute [rw] uri
213
250
  # @return [::String]
@@ -250,11 +287,91 @@ module Google
250
287
  # table will be overwritten by the contents of assets snapshot. If the flag
251
288
  # is `FALSE` or unset and the destination table already exists, the export
252
289
  # call returns an INVALID_ARGUMEMT error.
290
+ # @!attribute [rw] partition_spec
291
+ # @return [::Google::Cloud::Asset::V1::PartitionSpec]
292
+ # [partition_spec] determines whether to export to partitioned table(s) and
293
+ # how to partition the data.
294
+ #
295
+ # If [partition_spec] is unset or [partition_spec.partion_key] is unset or
296
+ # `PARTITION_KEY_UNSPECIFIED`, the snapshot results will be exported to
297
+ # non-partitioned table(s). [force] will decide whether to overwrite existing
298
+ # table(s).
299
+ #
300
+ # If [partition_spec] is specified. First, the snapshot results will be
301
+ # written to partitioned table(s) with two additional timestamp columns,
302
+ # readTime and requestTime, one of which will be the partition key. Secondly,
303
+ # in the case when any destination table already exists, it will first try to
304
+ # update existing table's schema as necessary by appending additional
305
+ # columns. Then, if [force] is `TRUE`, the corresponding partition will be
306
+ # overwritten by the snapshot results (data in different partitions will
307
+ # remain intact); if [force] is unset or `FALSE`, it will append the data. An
308
+ # error will be returned if the schema update or data appension fails.
309
+ # @!attribute [rw] separate_tables_per_asset_type
310
+ # @return [::Boolean]
311
+ # If this flag is `TRUE`, the snapshot results will be written to one or
312
+ # multiple tables, each of which contains results of one asset type. The
313
+ # [force] and [partition_spec] fields will apply to each of them.
314
+ #
315
+ # Field [table] will be concatenated with "_" and the asset type names (see
316
+ # https://cloud.google.com/asset-inventory/docs/supported-asset-types for
317
+ # supported asset types) to construct per-asset-type table names, in which
318
+ # all non-alphanumeric characters like "." and "/" will be substituted by
319
+ # "_". Example: if field [table] is "mytable" and snapshot results
320
+ # contain "storage.googleapis.com/Bucket" assets, the corresponding table
321
+ # name will be "mytable_storage_googleapis_com_Bucket". If any of these
322
+ # tables does not exist, a new table with the concatenated name will be
323
+ # created.
324
+ #
325
+ # When [content_type] in the ExportAssetsRequest is `RESOURCE`, the schema of
326
+ # each table will include RECORD-type columns mapped to the nested fields in
327
+ # the Asset.resource.data field of that asset type (up to the 15 nested level
328
+ # BigQuery supports
329
+ # (https://cloud.google.com/bigquery/docs/nested-repeated#limitations)). The
330
+ # fields in >15 nested levels will be stored in JSON format string as a child
331
+ # column of its parent RECORD column.
332
+ #
333
+ # If error occurs when exporting to any table, the whole export call will
334
+ # return an error but the export results that already succeed will persist.
335
+ # Example: if exporting to table_type_A succeeds when exporting to
336
+ # table_type_B fails during one export call, the results in table_type_A will
337
+ # persist and there will not be partial results persisting in a table.
253
338
  class BigQueryDestination
254
339
  include ::Google::Protobuf::MessageExts
255
340
  extend ::Google::Protobuf::MessageExts::ClassMethods
256
341
  end
257
342
 
343
+ # Specifications of BigQuery partitioned table as export destination.
344
+ # @!attribute [rw] partition_key
345
+ # @return [::Google::Cloud::Asset::V1::PartitionSpec::PartitionKey]
346
+ # The partition key for BigQuery partitioned table.
347
+ class PartitionSpec
348
+ include ::Google::Protobuf::MessageExts
349
+ extend ::Google::Protobuf::MessageExts::ClassMethods
350
+
351
+ # This enum is used to determine the partition key column when exporting
352
+ # assets to BigQuery partitioned table(s). Note that, if the partition key is
353
+ # a timestamp column, the actual partition is based on its date value
354
+ # (expressed in UTC. see details in
355
+ # https://cloud.google.com/bigquery/docs/partitioned-tables#date_timestamp_partitioned_tables).
356
+ module PartitionKey
357
+ # Unspecified partition key. If used, it means using non-partitioned table.
358
+ PARTITION_KEY_UNSPECIFIED = 0
359
+
360
+ # The time when the snapshot is taken. If specified as partition key, the
361
+ # result table(s) is partitoned by the additional timestamp column,
362
+ # readTime. If [read_time] in ExportAssetsRequest is specified, the
363
+ # readTime column's value will be the same as it. Otherwise, its value will
364
+ # be the current time that is used to take the snapshot.
365
+ READ_TIME = 1
366
+
367
+ # The time when the request is received and started to be processed. If
368
+ # specified as partition key, the result table(s) is partitoned by the
369
+ # requestTime column, an additional timestamp column representing when the
370
+ # request was received.
371
+ REQUEST_TIME = 2
372
+ end
373
+ end
374
+
258
375
  # A Pub/Sub destination.
259
376
  # @!attribute [rw] topic
260
377
  # @return [::String]
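Review bot: The new `partition_spec` documentation refers to `[partition_spec.partion_key]`, but the field documented on PartitionSpec later in this hunk is `partition_key`; the line should read `# If [partition_spec] is unset or [partition_spec.partition_key] is unset or`. The same block spells "partitoned" twice in the PartitionKey comments and uses "data appension" at the end of the `partition_spec` text. Separately, the text says that with `partition_spec` set and `force` unset or `FALSE` the data is appended, whereas the non-partitioned case just above returns an error when the table exists. A repeated export would therefore presumably add rows instead of failing, and that difference deserves its own sentence.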
@@ -324,8 +441,12 @@ module Google
324
441
  # When set, `expression` field in the `Expr` must be a valid [CEL expression]
325
442
  # (https://github.com/google/cel-spec) on a TemporalAsset with name
326
443
  # `temporal_asset`. Example: a Feed with expression ("temporal_asset.deleted
327
- # == true") will only publish Asset deletions. Other fields in `Expr` are
444
+ # == true") will only publish Asset deletions. Other fields of `Expr` are
328
445
  # optional.
446
+ #
447
+ # See our [user
448
+ # guide](https://cloud.google.com/asset-inventory/docs/monitoring-asset-changes#feed_with_condition)
449
+ # for detailed instructions.
329
450
  class Feed
330
451
  include ::Google::Protobuf::MessageExts
331
452
  extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -334,75 +455,81 @@ module Google
334
455
  # Search all resources request.
335
456
  # @!attribute [rw] scope
336
457
  # @return [::String]
337
- # Required. A scope can be a project, a folder or an organization. The search
338
- # is limited to the resources within the `scope`.
458
+ # Required. A scope can be a project, a folder, or an organization. The search is
459
+ # limited to the resources within the `scope`. The caller must be granted the
460
+ # [`cloudasset.assets.searchAllResources`](http://cloud.google.com/asset-inventory/docs/access-control#required_permissions)
461
+ # permission on the desired scope.
339
462
  #
340
463
  # The allowed values are:
341
464
  #
342
- # * projects/\\{PROJECT_ID}
343
- # * projects/\\{PROJECT_NUMBER}
344
- # * folders/\\{FOLDER_NUMBER}
345
- # * organizations/\\{ORGANIZATION_NUMBER}
465
+ # * projects/\\{PROJECT_ID} (e.g., "projects/foo-bar")
466
+ # * projects/\\{PROJECT_NUMBER} (e.g., "projects/12345678")
467
+ # * folders/\\{FOLDER_NUMBER} (e.g., "folders/1234567")
468
+ # * organizations/\\{ORGANIZATION_NUMBER} (e.g., "organizations/123456")
346
469
  # @!attribute [rw] query
347
470
  # @return [::String]
348
- # Optional. The query statement. An empty query can be specified to search
349
- # all the resources of certain `asset_types` within the given `scope`.
471
+ # Optional. The query statement. See [how to construct a
472
+ # query](http://cloud.google.com/asset-inventory/docs/searching-resources#how_to_construct_a_query)
473
+ # for more information. If not specified or empty, it will search all the
474
+ # resources within the specified `scope`. Note that the query string is
475
+ # compared against each Cloud IAM policy binding, including its members,
476
+ # roles, and Cloud IAM conditions. The returned Cloud IAM policies will only
477
+ # contain the bindings that match your query. To learn more about the IAM
478
+ # policy structure, see [IAM policy
479
+ # doc](https://cloud.google.com/iam/docs/policies#structure).
350
480
  #
351
481
  # Examples:
352
482
  #
353
- # * `name : "Important"` to find Cloud resources whose name contains
483
+ # * `name:Important` to find Cloud resources whose name contains
354
484
  # "Important" as a word.
355
- # * `displayName : "Impor*"` to find Cloud resources whose display name
356
- # contains "Impor" as a word prefix.
357
- # * `description : "*por*"` to find Cloud resources whose description
485
+ # * `displayName:Impor*` to find Cloud resources whose display name
486
+ # contains "Impor" as a prefix.
487
+ # * `description:*por*` to find Cloud resources whose description
358
488
  # contains "por" as a substring.
359
- # * `location : "us-west*"` to find Cloud resources whose location is
489
+ # * `location:us-west*` to find Cloud resources whose location is
360
490
  # prefixed with "us-west".
361
- # * `labels : "prod"` to find Cloud resources whose labels contain "prod" as
491
+ # * `labels:prod` to find Cloud resources whose labels contain "prod" as
362
492
  # a key or value.
363
- # * `labels.env : "prod"` to find Cloud resources which have a label "env"
493
+ # * `labels.env:prod` to find Cloud resources that have a label "env"
364
494
  # and its value is "prod".
365
- # * `labels.env : *` to find Cloud resources which have a label "env".
366
- # * `"Important"` to find Cloud resources which contain "Important" as a word
495
+ # * `labels.env:*` to find Cloud resources that have a label "env".
496
+ # * `Important` to find Cloud resources that contain "Important" as a word
367
497
  # in any of the searchable fields.
368
- # * `"Impor*"` to find Cloud resources which contain "Impor" as a word prefix
498
+ # * `Impor*` to find Cloud resources that contain "Impor" as a prefix
369
499
  # in any of the searchable fields.
370
- # * `"*por*"` to find Cloud resources which contain "por" as a substring in
500
+ # * `*por*` to find Cloud resources that contain "por" as a substring in
371
501
  # any of the searchable fields.
372
- # * `("Important" AND location : ("us-west1" OR "global"))` to find Cloud
373
- # resources which contain "Important" as a word in any of the searchable
502
+ # * `Important location:(us-west1 OR global)` to find Cloud
503
+ # resources that contain "Important" as a word in any of the searchable
374
504
  # fields and are also located in the "us-west1" region or the "global"
375
505
  # location.
376
- #
377
- # See [how to construct a
378
- # query](https://cloud.google.com/asset-inventory/docs/searching-resources#how_to_construct_a_query)
379
- # for more details.
380
506
  # @!attribute [rw] asset_types
381
507
  # @return [::Array<::String>]
382
- # Optional. A list of asset types that this request searches for. If empty,
383
- # it will search all the [searchable asset
508
+ # Optional. A list of asset types that this request searches for. If empty, it will
509
+ # search all the [searchable asset
384
510
  # types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types).
385
511
  # @!attribute [rw] page_size
386
512
  # @return [::Integer]
387
- # Optional. The page size for search result pagination. Page size is capped
388
- # at 500 even if a larger value is given. If set to zero, server will pick an
389
- # appropriate default. Returned results may be fewer than requested. When
390
- # this happens, there could be more results as long as `next_page_token` is
391
- # returned.
513
+ # Optional. The page size for search result pagination. Page size is capped at 500 even
514
+ # if a larger value is given. If set to zero, server will pick an appropriate
515
+ # default. Returned results may be fewer than requested. When this happens,
516
+ # there could be more results as long as `next_page_token` is returned.
392
517
  # @!attribute [rw] page_token
393
518
  # @return [::String]
394
- # Optional. If present, then retrieve the next batch of results from the
395
- # preceding call to this method. `page_token` must be the value of
396
- # `next_page_token` from the previous response. The values of all other
397
- # method parameters, must be identical to those in the previous call.
519
+ # Optional. If present, then retrieve the next batch of results from the preceding call
520
+ # to this method. `page_token` must be the value of `next_page_token` from
521
+ # the previous response. The values of all other method parameters, must be
522
+ # identical to those in the previous call.
398
523
  # @!attribute [rw] order_by
399
524
  # @return [::String]
400
- # Optional. A comma separated list of fields specifying the sorting order of
401
- # the results. The default order is ascending. Add " DESC" after the field
402
- # name to indicate descending order. Redundant space characters are ignored.
403
- # Example: "location DESC, name". See [supported resource metadata
404
- # fields](https://cloud.google.com/asset-inventory/docs/searching-resources#query_on_resource_metadata_fields)
405
- # for more details.
525
+ # Optional. A comma separated list of fields specifying the sorting order of the
526
+ # results. The default order is ascending. Add " DESC" after the field name
527
+ # to indicate descending order. Redundant space characters are ignored.
528
+ # Example: "location DESC, name". Only string fields in the response are
529
+ # sortable, including `name`, `displayName`, `description`, `location`. All
530
+ # the other fields such as repeated fields (e.g., `networkTags`), map
531
+ # fields (e.g., `labels`) and struct fields (e.g., `additionalAttributes`)
532
+ # are not supported.
406
533
  class SearchAllResourcesRequest
407
534
  include ::Google::Protobuf::MessageExts
408
535
  extend ::Google::Protobuf::MessageExts::ClassMethods
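Review bot: The new `query` text for SearchAllResourcesRequest says the query string is "compared against each Cloud IAM policy binding" and that "the returned Cloud IAM policies will only contain the bindings that match your query". That describes an IAM policy search, not a resource search, and looks pasted from the SearchAllIamPoliciesRequest documentation. I would end the paragraph after "within the specified `scope`." and move the IAM note to the `query` attribute of SearchAllIamPoliciesRequest in the next hunk, where it is currently absent. Also, the links added for `cloudasset.assets.searchAllResources` and for "how to construct a query" use `http://cloud.google.com/...`, while the line this hunk removes used `https://`; the `cloudasset.assets.searchAllIamPolicies` link in the next hunk has the same scheme. Keeping `https://` on all three avoids a cleartext first request to the access-control pages. The class body continues past the end of the hunk.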
@@ -426,51 +553,58 @@ module Google
426
553
  # Search all IAM policies request.
427
554
  # @!attribute [rw] scope
428
555
  # @return [::String]
429
- # Required. A scope can be a project, a folder or an organization. The search
430
- # is limited to the IAM policies within the `scope`.
556
+ # Required. A scope can be a project, a folder, or an organization. The search is
557
+ # limited to the IAM policies within the `scope`. The caller must be granted
558
+ # the
559
+ # [`cloudasset.assets.searchAllIamPolicies`](http://cloud.google.com/asset-inventory/docs/access-control#required_permissions)
560
+ # permission on the desired scope.
431
561
  #
432
562
  # The allowed values are:
433
563
  #
434
- # * projects/\\{PROJECT_ID}
435
- # * projects/\\{PROJECT_NUMBER}
436
- # * folders/\\{FOLDER_NUMBER}
437
- # * organizations/\\{ORGANIZATION_NUMBER}
564
+ # * projects/\\{PROJECT_ID} (e.g., "projects/foo-bar")
565
+ # * projects/\\{PROJECT_NUMBER} (e.g., "projects/12345678")
566
+ # * folders/\\{FOLDER_NUMBER} (e.g., "folders/1234567")
567
+ # * organizations/\\{ORGANIZATION_NUMBER} (e.g., "organizations/123456")
438
568
  # @!attribute [rw] query
439
569
  # @return [::String]
440
- # Optional. The query statement. An empty query can be specified to search
441
- # all the IAM policies within the given `scope`.
570
+ # Optional. The query statement. See [how to construct a
571
+ # query](https://cloud.google.com/asset-inventory/docs/searching-iam-policies#how_to_construct_a_query)
572
+ # for more information. If not specified or empty, it will search all the
573
+ # IAM policies within the specified `scope`.
442
574
  #
443
575
  # Examples:
444
576
  #
445
- # * `policy : "amy@gmail.com"` to find Cloud IAM policy bindings that
446
- # specify user "amy@gmail.com".
447
- # * `policy : "roles/compute.admin"` to find Cloud IAM policy bindings that
448
- # specify the Compute Admin role.
449
- # * `policy.role.permissions : "storage.buckets.update"` to find Cloud IAM
450
- # policy bindings that specify a role containing "storage.buckets.update"
451
- # permission.
452
- # * `resource : "organizations/123"` to find Cloud IAM policy bindings that
453
- # are set on "organizations/123".
454
- # * `(resource : ("organizations/123" OR "folders/1234") AND policy : "amy")`
455
- # to find Cloud IAM policy bindings that are set on "organizations/123" or
456
- # "folders/1234", and also specify user "amy".
457
- #
458
- # See [how to construct a
459
- # query](https://cloud.google.com/asset-inventory/docs/searching-iam-policies#how_to_construct_a_query)
460
- # for more details.
577
+ # * `policy:amy@gmail.com` to find IAM policy bindings that specify user
578
+ # "amy@gmail.com".
579
+ # * `policy:roles/compute.admin` to find IAM policy bindings that specify
580
+ # the Compute Admin role.
581
+ # * `policy.role.permissions:storage.buckets.update` to find IAM policy
582
+ # bindings that specify a role containing "storage.buckets.update"
583
+ # permission. Note that if callers don't have `iam.roles.get` access to a
584
+ # role's included permissions, policy bindings that specify this role will
585
+ # be dropped from the search results.
586
+ # * `resource:organizations/123456` to find IAM policy bindings
587
+ # that are set on "organizations/123456".
588
+ # * `Important` to find IAM policy bindings that contain "Important" as a
589
+ # word in any of the searchable fields (except for the included
590
+ # permissions).
591
+ # * `*por*` to find IAM policy bindings that contain "por" as a substring
592
+ # in any of the searchable fields (except for the included permissions).
593
+ # * `resource:(instance1 OR instance2) policy:amy` to find
594
+ # IAM policy bindings that are set on resources "instance1" or
595
+ # "instance2" and also specify user "amy".
461
596
  # @!attribute [rw] page_size
462
597
  # @return [::Integer]
463
- # Optional. The page size for search result pagination. Page size is capped
464
- # at 500 even if a larger value is given. If set to zero, server will pick an
465
- # appropriate default. Returned results may be fewer than requested. When
466
- # this happens, there could be more results as long as `next_page_token` is
467
- # returned.
598
+ # Optional. The page size for search result pagination. Page size is capped at 500 even
599
+ # if a larger value is given. If set to zero, server will pick an appropriate
600
+ # default. Returned results may be fewer than requested. When this happens,
601
+ # there could be more results as long as `next_page_token` is returned.
468
602
  # @!attribute [rw] page_token
469
603
  # @return [::String]
470
- # Optional. If present, retrieve the next batch of results from the preceding
471
- # call to this method. `page_token` must be the value of `next_page_token`
472
- # from the previous response. The values of all other method parameters must
473
- # be identical to those in the previous call.
604
+ # Optional. If present, retrieve the next batch of results from the preceding call to
605
+ # this method. `page_token` must be the value of `next_page_token` from the
606
+ # previous response. The values of all other method parameters must be
607
+ # identical to those in the previous call.
474
608
  class SearchAllIamPoliciesRequest
475
609
  include ::Google::Protobuf::MessageExts
476
610
  extend ::Google::Protobuf::MessageExts::ClassMethods
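Review bot: The caveat that bindings are dropped when the caller lacks `iam.roles.get` on a role is tucked into the `policy.role.permissions` example bullet, where someone using this search for an access review is likely to miss it. It changes how results must be read: an empty or short result for a permission query can mean the caller could not read the role, not that no binding grants the permission. I would lift it into the attribute text above "Examples:", for instance `# Note: permission queries omit bindings whose role the caller cannot read (iam.roles.get).` The class body continues past the end of the hunk.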
@@ -505,7 +639,7 @@ module Google
505
639
  # The Cloud Organization Policy set on an asset.
506
640
  ORG_POLICY = 4
507
641
 
508
- # The Cloud Access context mananger Policy set on an asset.
642
+ # The Cloud Access context manager Policy set on an asset.
509
643
  ACCESS_POLICY = 5
510
644
  end
511
645
  end