google-cloud-asset-v1 0.5.3 → 0.6.0

data/lib/google/cloud/asset/v1/asset_service_pb.rb

@@ -26,6 +26,7 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
     add_message "google.cloud.asset.v1.ExportAssetsResponse" do
       optional :read_time, :message, 1, "google.protobuf.Timestamp"
       optional :output_config, :message, 2, "google.cloud.asset.v1.OutputConfig"
+      optional :output_result, :message, 3, "google.cloud.asset.v1.OutputResult"
     end
     add_message "google.cloud.asset.v1.BatchGetAssetsHistoryRequest" do
       optional :parent, :string, 1
@@ -63,6 +64,14 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
         optional :bigquery_destination, :message, 2, "google.cloud.asset.v1.BigQueryDestination"
       end
     end
+    add_message "google.cloud.asset.v1.OutputResult" do
+      oneof :result do
+        optional :gcs_result, :message, 1, "google.cloud.asset.v1.GcsOutputResult"
+      end
+    end
+    add_message "google.cloud.asset.v1.GcsOutputResult" do
+      repeated :uris, :string, 1
+    end
     add_message "google.cloud.asset.v1.GcsDestination" do
       oneof :object_uri do
         optional :uri, :string, 1
@@ -112,6 +121,96 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
       repeated :results, :message, 1, "google.cloud.asset.v1.IamPolicySearchResult"
       optional :next_page_token, :string, 2
     end
+    add_message "google.cloud.asset.v1.IamPolicyAnalysisQuery" do
+      optional :scope, :string, 1
+      optional :resource_selector, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisQuery.ResourceSelector"
+      optional :identity_selector, :message, 3, "google.cloud.asset.v1.IamPolicyAnalysisQuery.IdentitySelector"
+      optional :access_selector, :message, 4, "google.cloud.asset.v1.IamPolicyAnalysisQuery.AccessSelector"
+      optional :options, :message, 5, "google.cloud.asset.v1.IamPolicyAnalysisQuery.Options"
+    end
+    add_message "google.cloud.asset.v1.IamPolicyAnalysisQuery.ResourceSelector" do
+      optional :full_resource_name, :string, 1
+    end
+    add_message "google.cloud.asset.v1.IamPolicyAnalysisQuery.IdentitySelector" do
+      optional :identity, :string, 1
+    end
+    add_message "google.cloud.asset.v1.IamPolicyAnalysisQuery.AccessSelector" do
+      repeated :roles, :string, 1
+      repeated :permissions, :string, 2
+    end
+    add_message "google.cloud.asset.v1.IamPolicyAnalysisQuery.Options" do
+      optional :expand_groups, :bool, 1
+      optional :expand_roles, :bool, 2
+      optional :expand_resources, :bool, 3
+      optional :output_resource_edges, :bool, 4
+      optional :output_group_edges, :bool, 5
+      optional :analyze_service_account_impersonation, :bool, 6
+      optional :max_fanouts_per_group, :int32, 7
+      optional :max_fanouts_per_resource, :int32, 8
+    end
+    add_message "google.cloud.asset.v1.AnalyzeIamPolicyRequest" do
+      optional :analysis_query, :message, 1, "google.cloud.asset.v1.IamPolicyAnalysisQuery"
+      optional :execution_timeout, :message, 2, "google.protobuf.Duration"
+    end
+    add_message "google.cloud.asset.v1.AnalyzeIamPolicyResponse" do
+      optional :main_analysis, :message, 1, "google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis"
+      repeated :service_account_impersonation_analysis, :message, 2, "google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis"
+      optional :fully_explored, :bool, 3
+    end
+    add_message "google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis" do
+      optional :analysis_query, :message, 1, "google.cloud.asset.v1.IamPolicyAnalysisQuery"
+      repeated :analysis_results, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisResult"
+      optional :fully_explored, :bool, 3
+      repeated :stats, :message, 4, "google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis.Stats"
+      repeated :non_critical_errors, :message, 5, "google.cloud.asset.v1.IamPolicyAnalysisState"
+    end
+    add_message "google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis.Stats" do
+      optional :node_type, :enum, 1, "google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis.Stats.NodeType"
+      optional :node_subtype, :string, 2
+      optional :discovered_node_count, :int32, 3
+      optional :matched_node_count, :int32, 4
+      optional :explored_node_count, :int32, 5
+      optional :capped_node_count, :int32, 6
+      optional :permision_denied_node_count, :int32, 7
+      optional :execution_timeout_node_count, :int32, 8
+    end
+    add_enum "google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis.Stats.NodeType" do
+      value :NODE_TYPE_UNSPECIFIED, 0
+      value :BINDING, 1
+      value :IDENTITY, 2
+      value :RESOURCE, 3
+      value :ACCESS, 4
+    end
+    add_message "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig" do
+      oneof :destination do
+        optional :gcs_destination, :message, 1, "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.GcsDestination"
+        optional :bigquery_destination, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination"
+      end
+    end
+    add_message "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.GcsDestination" do
+      optional :uri, :string, 1
+    end
+    add_message "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination" do
+      optional :dataset, :string, 1
+      optional :table_prefix, :string, 2
+      optional :partition_key, :enum, 3, "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination.PartitionKey"
+      optional :write_mode, :enum, 4, "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination.WriteMode"
+    end
+    add_enum "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination.PartitionKey" do
+      value :PARTITION_KEY_UNSPECIFIED, 0
+      value :REQUEST_TIME, 1
+    end
+    add_enum "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination.WriteMode" do
+      value :WRITE_MODE_UNSPECIFIED, 0
+      value :ABORT, 1
+      value :OVERWRITE, 2
+    end
+    add_message "google.cloud.asset.v1.ExportIamPolicyAnalysisRequest" do
+      optional :analysis_query, :message, 1, "google.cloud.asset.v1.IamPolicyAnalysisQuery"
+      optional :output_config, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig"
+    end
+    add_message "google.cloud.asset.v1.ExportIamPolicyAnalysisResponse" do
+    end
     add_enum "google.cloud.asset.v1.ContentType" do
       value :CONTENT_TYPE_UNSPECIFIED, 0
       value :RESOURCE, 1
@@ -137,6 +236,8 @@ module Google
         UpdateFeedRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.UpdateFeedRequest").msgclass
         DeleteFeedRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.DeleteFeedRequest").msgclass
         OutputConfig = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.OutputConfig").msgclass
+        OutputResult = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.OutputResult").msgclass
+        GcsOutputResult = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.GcsOutputResult").msgclass
         GcsDestination = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.GcsDestination").msgclass
         BigQueryDestination = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.BigQueryDestination").msgclass
         PubsubDestination = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.PubsubDestination").msgclass
@@ -146,6 +247,23 @@ module Google
         SearchAllResourcesResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.SearchAllResourcesResponse").msgclass
         SearchAllIamPoliciesRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.SearchAllIamPoliciesRequest").msgclass
         SearchAllIamPoliciesResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.SearchAllIamPoliciesResponse").msgclass
+        IamPolicyAnalysisQuery = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisQuery").msgclass
+        IamPolicyAnalysisQuery::ResourceSelector = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisQuery.ResourceSelector").msgclass
+        IamPolicyAnalysisQuery::IdentitySelector = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisQuery.IdentitySelector").msgclass
+        IamPolicyAnalysisQuery::AccessSelector = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisQuery.AccessSelector").msgclass
+        IamPolicyAnalysisQuery::Options = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisQuery.Options").msgclass
+        AnalyzeIamPolicyRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.AnalyzeIamPolicyRequest").msgclass
+        AnalyzeIamPolicyResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.AnalyzeIamPolicyResponse").msgclass
+        AnalyzeIamPolicyResponse::IamPolicyAnalysis = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis").msgclass
+        AnalyzeIamPolicyResponse::IamPolicyAnalysis::Stats = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis.Stats").msgclass
+        AnalyzeIamPolicyResponse::IamPolicyAnalysis::Stats::NodeType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis.Stats.NodeType").enummodule
+        IamPolicyAnalysisOutputConfig = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisOutputConfig").msgclass
+        IamPolicyAnalysisOutputConfig::GcsDestination = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.GcsDestination").msgclass
+        IamPolicyAnalysisOutputConfig::BigQueryDestination = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination").msgclass
+        IamPolicyAnalysisOutputConfig::BigQueryDestination::PartitionKey = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination.PartitionKey").enummodule
+        IamPolicyAnalysisOutputConfig::BigQueryDestination::WriteMode = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination.WriteMode").enummodule
+        ExportIamPolicyAnalysisRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.ExportIamPolicyAnalysisRequest").msgclass
+        ExportIamPolicyAnalysisResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.ExportIamPolicyAnalysisResponse").msgclass
         ContentType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.ContentType").enummodule
       end
     end

data/lib/google/cloud/asset/v1/asset_service_services_pb.rb

@@ -36,14 +36,13 @@ module Google
             # Exports assets with time and resource types to a given Cloud Storage
             # location/BigQuery table. For Cloud Storage location destinations, the
             # output format is newline-delimited JSON. Each line represents a
-            # [google.cloud.asset.v1.Asset][google.cloud.asset.v1.Asset] in the JSON
-            # format; for BigQuery table destinations, the output table stores the fields
-            # in asset proto as columns. This API implements the
-            # [google.longrunning.Operation][google.longrunning.Operation] API , which
-            # allows you to keep track of the export. We recommend intervals of at least
-            # 2 seconds with exponential retry to poll the export operation result. For
-            # regular-size resource parent, the export operation usually finishes within
-            # 5 minutes.
+            # [google.cloud.asset.v1.Asset][google.cloud.asset.v1.Asset] in the JSON format; for BigQuery table
+            # destinations, the output table stores the fields in asset proto as columns.
+            # This API implements the [google.longrunning.Operation][google.longrunning.Operation] API
+            # , which allows you to keep track of the export. We recommend intervals of
+            # at least 2 seconds with exponential retry to poll the export operation
+            # result. For regular-size resource parent, the export operation usually
+            # finishes within 5 minutes.
             rpc :ExportAssets, Google::Cloud::Asset::V1::ExportAssetsRequest, Google::Longrunning::Operation
             # Batch gets the update history of assets that overlap a time window.
             # For IAM_POLICY content, this API outputs history when the asset and its
@@ -64,16 +63,29 @@ module Google
             rpc :UpdateFeed, Google::Cloud::Asset::V1::UpdateFeedRequest, Google::Cloud::Asset::V1::Feed
             # Deletes an asset feed.
             rpc :DeleteFeed, Google::Cloud::Asset::V1::DeleteFeedRequest, Google::Protobuf::Empty
-            # Searches all the resources within the given accessible scope (e.g., a
-            # project, a folder or an organization). Callers should have
-            # cloud.assets.SearchAllResources permission upon the requested scope,
+            # Searches all Cloud resources within the specified scope, such as a project,
+            # folder, or organization. The caller must be granted the
+            # `cloudasset.assets.searchAllResources` permission on the desired scope,
             # otherwise the request will be rejected.
             rpc :SearchAllResources, Google::Cloud::Asset::V1::SearchAllResourcesRequest, Google::Cloud::Asset::V1::SearchAllResourcesResponse
-            # Searches all the IAM policies within the given accessible scope (e.g., a
-            # project, a folder or an organization). Callers should have
-            # cloud.assets.SearchAllIamPolicies permission upon the requested scope,
+            # Searches all IAM policies within the specified scope, such as a project,
+            # folder, or organization. The caller must be granted the
+            # `cloudasset.assets.searchAllIamPolicies` permission on the desired scope,
             # otherwise the request will be rejected.
             rpc :SearchAllIamPolicies, Google::Cloud::Asset::V1::SearchAllIamPoliciesRequest, Google::Cloud::Asset::V1::SearchAllIamPoliciesResponse
+            # Analyzes IAM policies to answer which identities have what accesses on
+            # which resources.
+            rpc :AnalyzeIamPolicy, Google::Cloud::Asset::V1::AnalyzeIamPolicyRequest, Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse
+            # Exports the answers of which identities have what accesses on which
+            # resources to a Google Cloud Storage or a BigQuery destination. For Cloud
+            # Storage destination, the output format is the JSON format that represents a
+            # [google.cloud.asset.v1.AnalyzeIamPolicyResponse][google.cloud.asset.v1.AnalyzeIamPolicyResponse].
+            # This method implements the
+            # [google.longrunning.Operation][google.longrunning.Operation], which allows
+            # you to track the export status. We recommend intervals of at least 2
+            # seconds with exponential retry to poll the export operation result. The
+            # metadata contains the request to help callers to map responses to requests.
+            rpc :ExportIamPolicyAnalysis, Google::Cloud::Asset::V1::ExportIamPolicyAnalysisRequest, Google::Longrunning::Operation
           end
 
           Stub = Service.rpc_stub_class

data/lib/google/cloud/asset/v1/assets_pb.rb

@@ -3,14 +3,12 @@
 
 require 'google/protobuf'
 
-require 'google/api/annotations_pb'
 require 'google/api/resource_pb'
 require 'google/cloud/orgpolicy/v1/orgpolicy_pb'
 require 'google/iam/v1/policy_pb'
 require 'google/identity/accesscontextmanager/v1/access_level_pb'
 require 'google/identity/accesscontextmanager/v1/access_policy_pb'
 require 'google/identity/accesscontextmanager/v1/service_perimeter_pb'
-require 'google/protobuf/any_pb'
 require 'google/protobuf/struct_pb'
 require 'google/protobuf/timestamp_pb'
 require 'google/rpc/code_pb'
@@ -80,6 +78,45 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
     add_message "google.cloud.asset.v1.IamPolicySearchResult.Explanation.Permissions" do
       repeated :permissions, :string, 1
     end
+    add_message "google.cloud.asset.v1.IamPolicyAnalysisState" do
+      optional :code, :enum, 1, "google.rpc.Code"
+      optional :cause, :string, 2
+    end
+    add_message "google.cloud.asset.v1.IamPolicyAnalysisResult" do
+      optional :attached_resource_full_name, :string, 1
+      optional :iam_binding, :message, 2, "google.iam.v1.Binding"
+      repeated :access_control_lists, :message, 3, "google.cloud.asset.v1.IamPolicyAnalysisResult.AccessControlList"
+      optional :identity_list, :message, 4, "google.cloud.asset.v1.IamPolicyAnalysisResult.IdentityList"
+      optional :fully_explored, :bool, 5
+    end
+    add_message "google.cloud.asset.v1.IamPolicyAnalysisResult.Resource" do
+      optional :full_resource_name, :string, 1
+      optional :analysis_state, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisState"
+    end
+    add_message "google.cloud.asset.v1.IamPolicyAnalysisResult.Access" do
+      optional :analysis_state, :message, 3, "google.cloud.asset.v1.IamPolicyAnalysisState"
+      oneof :oneof_access do
+        optional :role, :string, 1
+        optional :permission, :string, 2
+      end
+    end
+    add_message "google.cloud.asset.v1.IamPolicyAnalysisResult.Identity" do
+      optional :name, :string, 1
+      optional :analysis_state, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisState"
+    end
+    add_message "google.cloud.asset.v1.IamPolicyAnalysisResult.Edge" do
+      optional :source_node, :string, 1
+      optional :target_node, :string, 2
+    end
+    add_message "google.cloud.asset.v1.IamPolicyAnalysisResult.AccessControlList" do
+      repeated :resources, :message, 1, "google.cloud.asset.v1.IamPolicyAnalysisResult.Resource"
+      repeated :accesses, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisResult.Access"
+      repeated :resource_edges, :message, 3, "google.cloud.asset.v1.IamPolicyAnalysisResult.Edge"
+    end
+    add_message "google.cloud.asset.v1.IamPolicyAnalysisResult.IdentityList" do
+      repeated :identities, :message, 1, "google.cloud.asset.v1.IamPolicyAnalysisResult.Identity"
+      repeated :group_edges, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisResult.Edge"
+    end
   end
 end
 
@@ -96,6 +133,14 @@ module Google
         IamPolicySearchResult = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicySearchResult").msgclass
         IamPolicySearchResult::Explanation = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicySearchResult.Explanation").msgclass
         IamPolicySearchResult::Explanation::Permissions = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicySearchResult.Explanation.Permissions").msgclass
+        IamPolicyAnalysisState = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisState").msgclass
+        IamPolicyAnalysisResult = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisResult").msgclass
+        IamPolicyAnalysisResult::Resource = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisResult.Resource").msgclass
+        IamPolicyAnalysisResult::Access = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisResult.Access").msgclass
+        IamPolicyAnalysisResult::Identity = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisResult.Identity").msgclass
+        IamPolicyAnalysisResult::Edge = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisResult.Edge").msgclass
+        IamPolicyAnalysisResult::AccessControlList = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisResult.AccessControlList").msgclass
+        IamPolicyAnalysisResult::IdentityList = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisResult.IdentityList").msgclass
       end
     end
   end

data/lib/google/cloud/asset/v1/version.rb

@@ -21,7 +21,7 @@ module Google
   module Cloud
     module Asset
       module V1
-        VERSION = "0.5.3"
+        VERSION = "0.6.0"
       end
     end
   end

data/proto_docs/google/cloud/asset/v1/asset_service.rb

@@ -37,9 +37,22 @@ module Google
         #     running the same query may get different results.
         # @!attribute [rw] asset_types
         #   @return [::Array<::String>]
-        #     A list of asset types of which to take a snapshot for. Example:
-        #     "compute.googleapis.com/Disk". If specified, only matching assets will be
-        #     returned. See [Introduction to Cloud Asset
+        #     A list of asset types to take a snapshot for. For example:
+        #     "compute.googleapis.com/Disk".
+        #
+        #     Regular expressions are also supported. For example:
+        #
+        #     * "compute.googleapis.com.*" snapshots resources whose asset type starts
+        #     with "compute.googleapis.com".
+        #     * ".*Instance" snapshots resources whose asset type ends with "Instance".
+        #     * ".*Instance.*" snapshots resources whose asset type contains "Instance".
+        #
+        #     See [RE2](https://github.com/google/re2/wiki/Syntax) for all supported
+        #     regular expression syntax. If the regular expression does not match any
+        #     supported asset type, an INVALID_ARGUMENT error will be returned.
+        #
+        #     If specified, only matching assets will be returned, otherwise, it will
+        #     snapshot all asset types. See [Introduction to Cloud Asset
         #     Inventory](https://cloud.google.com/asset-inventory/docs/overview)
         #     for all supported asset types.
         # @!attribute [rw] content_type
@@ -48,24 +61,28 @@ module Google
         #     returned.
         # @!attribute [rw] output_config
         #   @return [::Google::Cloud::Asset::V1::OutputConfig]
-        #     Required. Output configuration indicating where the results will be output
-        #     to.
+        #     Required. Output configuration indicating where the results will be output to.
         class ExportAssetsRequest
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
         end
 
         # The export asset response. This message is returned by the
-        # google.longrunning.Operations.GetOperation
-        # method in the returned
-        # {::Google::Longrunning::Operation#response google.longrunning.Operation.response}
-        # field.
+        # google.longrunning.Operations.GetOperation method in the returned
+        # {::Google::Longrunning::Operation#response google.longrunning.Operation.response} field.
         # @!attribute [rw] read_time
         #   @return [::Google::Protobuf::Timestamp]
         #     Time the snapshot was taken.
         # @!attribute [rw] output_config
         #   @return [::Google::Cloud::Asset::V1::OutputConfig]
         #     Output configuration indicating where the results were output to.
+        # @!attribute [rw] output_result
+        #   @return [::Google::Cloud::Asset::V1::OutputResult]
+        #     Output result indicating where the assets were exported to. For example, a
+        #     set of actual Google Cloud Storage object uris where the assets are
+        #     exported to. The uris can be different from what [output_config] has
+        #     specified, as the service will split the output object into multiple ones
+        #     once it exceeds a single Google Cloud Storage object limit.
         class ExportAssetsResponse
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -126,8 +143,9 @@ module Google
         #     be unique under a specific parent project/folder/organization.
         # @!attribute [rw] feed
         #   @return [::Google::Cloud::Asset::V1::Feed]
-        #     Required. The feed details. The field `name` must be empty and it will be
-        #     generated in the format of: projects/project_number/feeds/feed_id
+        #     Required. The feed details. The field `name` must be empty and it will be generated
+        #     in the format of:
+        #     projects/project_number/feeds/feed_id
         #     folders/folder_number/feeds/feed_id
         #     organizations/organization_number/feeds/feed_id
         class CreateFeedRequest
@@ -169,8 +187,8 @@ module Google
         # Update asset feed request.
         # @!attribute [rw] feed
         #   @return [::Google::Cloud::Asset::V1::Feed]
-        #     Required. The new values of feed details. It must match an existing feed
-        #     and the field `name` must be in the format of:
+        #     Required. The new values of feed details. It must match an existing feed and the
+        #     field `name` must be in the format of:
         #     projects/project_number/feeds/feed_id or
         #     folders/folder_number/feeds/feed_id or
         #     organizations/organization_number/feeds/feed_id.
@@ -208,6 +226,25 @@ module Google
           extend ::Google::Protobuf::MessageExts::ClassMethods
         end
 
+        # Output result of export assets.
+        # @!attribute [rw] gcs_result
+        #   @return [::Google::Cloud::Asset::V1::GcsOutputResult]
+        #     Export result on Cloud Storage.
+        class OutputResult
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # A Cloud Storage output result.
+        # @!attribute [rw] uris
+        #   @return [::Array<::String>]
+        #     List of uris of the Cloud Storage objects. Example:
+        #     "gs://bucket_name/object_name".
+        class GcsOutputResult
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
         # A Cloud Storage location.
         # @!attribute [rw] uri
         #   @return [::String]
@@ -324,8 +361,12 @@ module Google
         #     When set, `expression` field in the `Expr` must be a valid [CEL expression]
         #     (https://github.com/google/cel-spec) on a TemporalAsset with name
         #     `temporal_asset`. Example: a Feed with expression ("temporal_asset.deleted
-        #     == true") will only publish Asset deletions. Other fields in `Expr` are
+        #     == true") will only publish Asset deletions. Other fields of `Expr` are
         #     optional.
+        #
+        #     See our [user
+        #     guide](https://cloud.google.com/asset-inventory/docs/monitoring-asset-changes#feed_with_condition)
+        #     for detailed instructions.
         class Feed
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -334,75 +375,81 @@ module Google
         # Search all resources request.
         # @!attribute [rw] scope
         #   @return [::String]
-        #     Required. A scope can be a project, a folder or an organization. The search
-        #     is limited to the resources within the `scope`.
+        #     Required. A scope can be a project, a folder, or an organization. The search is
+        #     limited to the resources within the `scope`. The caller must be granted the
+        #     [`cloudasset.assets.searchAllResources`](http://cloud.google.com/asset-inventory/docs/access-control#required_permissions)
+        #     permission on the desired scope.
         #
         #     The allowed values are:
         #
-        #     * projects/\\{PROJECT_ID}
-        #     * projects/\\{PROJECT_NUMBER}
-        #     * folders/\\{FOLDER_NUMBER}
-        #     * organizations/\\{ORGANIZATION_NUMBER}
+        #     * projects/\\{PROJECT_ID} (e.g., "projects/foo-bar")
+        #     * projects/\\{PROJECT_NUMBER} (e.g., "projects/12345678")
+        #     * folders/\\{FOLDER_NUMBER} (e.g., "folders/1234567")
+        #     * organizations/\\{ORGANIZATION_NUMBER} (e.g., "organizations/123456")
         # @!attribute [rw] query
         #   @return [::String]
-        #     Optional. The query statement. An empty query can be specified to search
-        #     all the resources of certain `asset_types` within the given `scope`.
+        #     Optional. The query statement. See [how to construct a
+        #     query](http://cloud.google.com/asset-inventory/docs/searching-resources#how_to_construct_a_query)
+        #     for more information. If not specified or empty, it will search all the
+        #     resources within the specified `scope`. Note that the query string is
+        #     compared against each Cloud IAM policy binding, including its members,
+        #     roles, and Cloud IAM conditions. The returned Cloud IAM policies will only
+        #     contain the bindings that match your query. To learn more about the IAM
+        #     policy structure, see [IAM policy
+        #     doc](https://cloud.google.com/iam/docs/policies#structure).
         #
         #     Examples:
         #
-        #     * `name : "Important"` to find Cloud resources whose name contains
+        #     * `name:Important` to find Cloud resources whose name contains
         #       "Important" as a word.
-        #     * `displayName : "Impor*"` to find Cloud resources whose display name
-        #       contains "Impor" as a word prefix.
-        #     * `description : "*por*"` to find Cloud resources whose description
+        #     * `displayName:Impor*` to find Cloud resources whose display name
+        #       contains "Impor" as a prefix.
+        #     * `description:*por*` to find Cloud resources whose description
         #       contains "por" as a substring.
-        #     * `location : "us-west*"` to find Cloud resources whose location is
+        #     * `location:us-west*` to find Cloud resources whose location is
         #       prefixed with "us-west".
-        #     * `labels : "prod"` to find Cloud resources whose labels contain "prod" as
+        #     * `labels:prod` to find Cloud resources whose labels contain "prod" as
         #       a key or value.
-        #     * `labels.env : "prod"` to find Cloud resources which have a label "env"
+        #     * `labels.env:prod` to find Cloud resources that have a label "env"
         #       and its value is "prod".
-        #     * `labels.env : *` to find Cloud resources which have a label "env".
-        #     * `"Important"` to find Cloud resources which contain "Important" as a word
+        #     * `labels.env:*` to find Cloud resources that have a label "env".
+        #     * `Important` to find Cloud resources that contain "Important" as a word
         #       in any of the searchable fields.
-        #     * `"Impor*"` to find Cloud resources which contain "Impor" as a word prefix
+        #     * `Impor*` to find Cloud resources that contain "Impor" as a prefix
         #       in any of the searchable fields.
-        #     * `"*por*"` to find Cloud resources which contain "por" as a substring in
+        #     * `*por*` to find Cloud resources that contain "por" as a substring in
         #       any of the searchable fields.
-        #     * `("Important" AND location : ("us-west1" OR "global"))` to find Cloud
-        #       resources which contain "Important" as a word in any of the searchable
+        #     * `Important location:(us-west1 OR global)` to find Cloud
+        #       resources that contain "Important" as a word in any of the searchable
         #       fields and are also located in the "us-west1" region or the "global"
         #       location.
-        #
-        #     See [how to construct a
-        #     query](https://cloud.google.com/asset-inventory/docs/searching-resources#how_to_construct_a_query)
-        #     for more details.
         # @!attribute [rw] asset_types
         #   @return [::Array<::String>]
-        #     Optional. A list of asset types that this request searches for. If empty,
-        #     it will search all the [searchable asset
+        #     Optional. A list of asset types that this request searches for. If empty, it will
+        #     search all the [searchable asset
         #     types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types).
         # @!attribute [rw] page_size
         #   @return [::Integer]
-        #     Optional. The page size for search result pagination. Page size is capped
-        #     at 500 even if a larger value is given. If set to zero, server will pick an
-        #     appropriate default. Returned results may be fewer than requested. When
-        #     this happens, there could be more results as long as `next_page_token` is
-        #     returned.
+        #     Optional. The page size for search result pagination. Page size is capped at 500 even
+        #     if a larger value is given. If set to zero, server will pick an appropriate
+        #     default. Returned results may be fewer than requested. When this happens,
+        #     there could be more results as long as `next_page_token` is returned.
         # @!attribute [rw] page_token
         #   @return [::String]
-        #     Optional. If present, then retrieve the next batch of results from the
-        #     preceding call to this method. `page_token` must be the value of
-        #     `next_page_token` from the previous response. The values of all other
-        #     method parameters, must be identical to those in the previous call.
+        #     Optional. If present, then retrieve the next batch of results from the preceding call
+        #     to this method. `page_token` must be the value of `next_page_token` from
+        #     the previous response. The values of all other method parameters, must be
+        #     identical to those in the previous call.
         # @!attribute [rw] order_by
         #   @return [::String]
-        #     Optional. A comma separated list of fields specifying the sorting order of
-        #     the results. The default order is ascending. Add " DESC" after the field
-        #     name to indicate descending order. Redundant space characters are ignored.
-        #     Example: "location DESC, name". See [supported resource metadata
-        #     fields](https://cloud.google.com/asset-inventory/docs/searching-resources#query_on_resource_metadata_fields)
-        #     for more details.
+        #     Optional. A comma separated list of fields specifying the sorting order of the
+        #     results. The default order is ascending. Add " DESC" after the field name
+        #     to indicate descending order. Redundant space characters are ignored.
+        #     Example: "location DESC, name". Only string fields in the response are
+        #     sortable, including `name`, `displayName`, `description`, `location`. All
+        #     the other fields such as repeated fields (e.g., `networkTags`), map
+        #     fields (e.g., `labels`) and struct fields (e.g., `additionalAttributes`)
+        #     are not supported.
         class SearchAllResourcesRequest
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -426,51 +473,58 @@ module Google
         # Search all IAM policies request.
         # @!attribute [rw] scope
         #   @return [::String]
-        #     Required. A scope can be a project, a folder or an organization. The search
-        #     is limited to the IAM policies within the `scope`.
+        #     Required. A scope can be a project, a folder, or an organization. The search is
+        #     limited to the IAM policies within the `scope`. The caller must be granted
+        #     the
+        #     [`cloudasset.assets.searchAllIamPolicies`](http://cloud.google.com/asset-inventory/docs/access-control#required_permissions)
+        #     permission on the desired scope.
         #
         #     The allowed values are:
         #
-        #     * projects/\\{PROJECT_ID}
-        #     * projects/\\{PROJECT_NUMBER}
-        #     * folders/\\{FOLDER_NUMBER}
-        #     * organizations/\\{ORGANIZATION_NUMBER}
+        #     * projects/\\{PROJECT_ID} (e.g., "projects/foo-bar")
+        #     * projects/\\{PROJECT_NUMBER} (e.g., "projects/12345678")
+        #     * folders/\\{FOLDER_NUMBER} (e.g., "folders/1234567")
+        #     * organizations/\\{ORGANIZATION_NUMBER} (e.g., "organizations/123456")
         # @!attribute [rw] query
         #   @return [::String]
-        #     Optional. The query statement. An empty query can be specified to search
-        #     all the IAM policies within the given `scope`.
+        #     Optional. The query statement. See [how to construct a
+        #     query](https://cloud.google.com/asset-inventory/docs/searching-iam-policies#how_to_construct_a_query)
+        #     for more information. If not specified or empty, it will search all the
+        #     IAM policies within the specified `scope`.
         #
         #     Examples:
         #
-        #     * `policy : "amy@gmail.com"` to find Cloud IAM policy bindings that
-        #       specify user "amy@gmail.com".
-        #     * `policy : "roles/compute.admin"` to find Cloud IAM policy bindings that
-        #       specify the Compute Admin role.
-        #     * `policy.role.permissions : "storage.buckets.update"` to find Cloud IAM
-        #       policy bindings that specify a role containing "storage.buckets.update"
-        #       permission.
-        #     * `resource : "organizations/123"` to find Cloud IAM policy bindings that
-        #       are set on "organizations/123".
-        #     * `(resource : ("organizations/123" OR "folders/1234") AND policy : "amy")`
-        #       to find Cloud IAM policy bindings that are set on "organizations/123" or
-        #       "folders/1234", and also specify user "amy".
-        #
-        #     See [how to construct a
-        #     query](https://cloud.google.com/asset-inventory/docs/searching-iam-policies#how_to_construct_a_query)
-        #     for more details.
+        #     * `policy:amy@gmail.com` to find IAM policy bindings that specify user
+        #       "amy@gmail.com".
+        #     * `policy:roles/compute.admin` to find IAM policy bindings that specify
+        #       the Compute Admin role.
+        #     * `policy.role.permissions:storage.buckets.update` to find IAM policy
+        #       bindings that specify a role containing "storage.buckets.update"
+        #       permission. Note that if callers don't have `iam.roles.get` access to a
+        #       role's included permissions, policy bindings that specify this role will
+        #       be dropped from the search results.
+        #     * `resource:organizations/123456` to find IAM policy bindings
+        #       that are set on "organizations/123456".
+        #     * `Important` to find IAM policy bindings that contain "Important" as a
+        #       word in any of the searchable fields (except for the included
+        #       permissions).
+        #     * `*por*` to find IAM policy bindings that contain "por" as a substring
+        #       in any of the searchable fields (except for the included permissions).
+        #     * `resource:(instance1 OR instance2) policy:amy` to find
+        #       IAM policy bindings that are set on resources "instance1" or
+        #       "instance2" and also specify user "amy".
         # @!attribute [rw] page_size
         #   @return [::Integer]
-        #     Optional. The page size for search result pagination. Page size is capped
-        #     at 500 even if a larger value is given. If set to zero, server will pick an
-        #     appropriate default. Returned results may be fewer than requested. When
-        #     this happens, there could be more results as long as `next_page_token` is
-        #     returned.
+        #     Optional. The page size for search result pagination. Page size is capped at 500 even
+        #     if a larger value is given. If set to zero, server will pick an appropriate
+        #     default. Returned results may be fewer than requested. When this happens,
+        #     there could be more results as long as `next_page_token` is returned.
         # @!attribute [rw] page_token
         #   @return [::String]
-        #     Optional. If present, retrieve the next batch of results from the preceding
-        #     call to this method. `page_token` must be the value of `next_page_token`
-        #     from the previous response. The values of all other method parameters must
-        #     be identical to those in the previous call.
+        #     Optional. If present, retrieve the next batch of results from the preceding call to
+        #     this method. `page_token` must be the value of `next_page_token` from the
+        #     previous response. The values of all other method parameters must be
+        #     identical to those in the previous call.
         class SearchAllIamPoliciesRequest
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -491,6 +545,432 @@ module Google
           extend ::Google::Protobuf::MessageExts::ClassMethods
         end
 
+        # IAM policy analysis query message.
+        # @!attribute [rw] scope
+        #   @return [::String]
+        #     The relative name of the root asset. Only resources and IAM policies within
+        #     the scope will be analyzed.
+        #
+        #     This can only be an organization number (such as "organizations/123"), a
+        #     folder number (such as "folders/123"), a project ID (such as
+        #     "projects/my-project-id"), or a project number (such as "projects/12345").
+        #
+        #     To know how to get organization id, visit [here
+        #     ](https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id).
+        #
+        #     To know how to get folder or project id, visit [here
+        #     ](https://cloud.google.com/resource-manager/docs/creating-managing-folders#viewing_or_listing_folders_and_projects).
+        # @!attribute [rw] resource_selector
+        #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::ResourceSelector]
+        #     Specifies a resource for analysis.
+        # @!attribute [rw] identity_selector
+        #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::IdentitySelector]
+        #     Specifies an identity for analysis.
+        # @!attribute [rw] access_selector
+        #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::AccessSelector]
+        #     Specifies roles or permissions for analysis. This is optional.
+        # @!attribute [rw] options
+        #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::Options]
+        #     The query options.
+        class IamPolicyAnalysisQuery
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+
+          # Specifies the resource to analyze for access policies, which may be set
+          # directly on the resource, or on ancestors such as organizations, folders or
+          # projects.
+          # @!attribute [rw] full_resource_name
+          #   @return [::String]
+          #     The [full resource name]
+          #     (https://cloud.google.com/asset-inventory/docs/resource-name-format)
+          #     of a resource of [supported resource
+          #     types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#analyzable_asset_types).
+          class ResourceSelector
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+          end
+
+          # Specifies an identity for which to determine resource access, based on
+          # roles assigned either directly to them or to the groups they belong to,
+          # directly or indirectly.
+          # @!attribute [rw] identity
+          #   @return [::String]
+          #     The identity appear in the form of members in
+          #     [IAM policy
+          #     binding](https://cloud.google.com/iam/reference/rest/v1/Binding).
+          #
+          #     The examples of supported forms are:
+          #     "user:mike@example.com",
+          #     "group:admins@example.com",
+          #     "domain:google.com",
+          #     "serviceAccount:my-project-id@appspot.gserviceaccount.com".
+          #
+          #     Notice that wildcard characters (such as * and ?) are not supported.
+          #     You must give a specific identity.
+          class IdentitySelector
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+          end
+
+          # Specifies roles and/or permissions to analyze, to determine both the
+          # identities possessing them and the resources they control. If multiple
+          # values are specified, results will include roles or permissions matching
+          # any of them.
+          # @!attribute [rw] roles
+          #   @return [::Array<::String>]
+          #     The roles to appear in result.
+          # @!attribute [rw] permissions
+          #   @return [::Array<::String>]
+          #     The permissions to appear in result.
+          class AccessSelector
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+          end
+
+          # Contains query options.
+          # @!attribute [rw] expand_groups
+          #   @return [::Boolean]
+          #     If true, the identities section of the result will expand any
+          #     Google groups appearing in an IAM policy binding.
+          #
+          #     If
+          #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#identity_selector google.cloud.asset.v1.IamPolicyAnalysisQuery.identity_selector}
+          #     is specified, the identity in the result will be determined by the
+          #     selector, and this flag is not allowed to set.
+          #
+          #     Default is false.
+          # @!attribute [rw] expand_roles
+          #   @return [::Boolean]
+          #     If true, the access section of result will expand any roles
+          #     appearing in IAM policy bindings to include their permissions.
+          #
+          #     If
+          #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#access_selector google.cloud.asset.v1.IamPolicyAnalysisQuery.access_selector}
+          #     is specified, the access section of the result will be determined by the
+          #     selector, and this flag is not allowed to set.
+          #
+          #     Default is false.
+          # @!attribute [rw] expand_resources
+          #   @return [::Boolean]
+          #     If true and
+          #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#resource_selector google.cloud.asset.v1.IamPolicyAnalysisQuery.resource_selector}
+          #     is not specified, the resource section of the result will expand any
+          #     resource attached to an IAM policy to include resources lower in the
+          #     resource hierarchy.
+          #
+          #     For example, if the request analyzes for which resources user A has
+          #     permission P, and the results include an IAM policy with P on a GCP
+          #     folder, the results will also include resources in that folder with
+          #     permission P.
+          #
+          #     If true and
+          #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#resource_selector google.cloud.asset.v1.IamPolicyAnalysisQuery.resource_selector}
+          #     is specified, the resource section of the result will expand the
+          #     specified resource to include resources lower in the resource hierarchy.
+          #
+          #     For example, if the request analyzes for which users have permission P on
+          #     a GCP folder with this option enabled, the results will include all users
+          #     who have permission P on that folder or any lower resource(ex. project).
+          #
+          #     Default is false.
+          # @!attribute [rw] output_resource_edges
+          #   @return [::Boolean]
+          #     If true, the result will output resource edges, starting
+          #     from the policy attached resource, to any expanded resources.
+          #     Default is false.
+          # @!attribute [rw] output_group_edges
+          #   @return [::Boolean]
+          #     If true, the result will output group identity edges, starting
+          #     from the binding's group members, to any expanded identities.
+          #     Default is false.
+          # @!attribute [rw] analyze_service_account_impersonation
+          #   @return [::Boolean]
+          #     If true, the response will include access analysis from identities to
+          #     resources via service account impersonation. This is a very expensive
+          #     operation, because many derived queries will be executed. We highly
+          #     recommend you use
+          #     {::Google::Cloud::Asset::V1::AssetService::Client#export_iam_policy_analysis google.cloud.asset.v1.AssetService.ExportIamPolicyAnalysis}
+          #     rpc instead.
+          #
+          #     For example, if the request analyzes for which resources user A has
+          #     permission P, and there's an IAM policy states user A has
+          #     iam.serviceAccounts.getAccessToken permission to a service account SA,
+          #     and there's another IAM policy states service account SA has permission P
+          #     to a GCP folder F, then user A potentially has access to the GCP folder
+          #     F. And those advanced analysis results will be included in
+          #     {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis google.cloud.asset.v1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis}.
+          #
+          #     Another example, if the request analyzes for who has
+          #     permission P to a GCP folder F, and there's an IAM policy states user A
+          #     has iam.serviceAccounts.actAs permission to a service account SA, and
+          #     there's another IAM policy states service account SA has permission P to
+          #     the GCP folder F, then user A potentially has access to the GCP folder
+          #     F. And those advanced analysis results will be included in
+          #     {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis google.cloud.asset.v1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis}.
+          #
+          #     Default is false.
+          # @!attribute [rw] max_fanouts_per_group
+          #   @return [::Integer]
+          #     The maximum number of fanouts per group when [expand_groups][expand_groups]
+          #     is enabled. This internal field is to help load testing and determine a
+          #     proper value, and won't be public in the future.
+          # @!attribute [rw] max_fanouts_per_resource
+          #   @return [::Integer]
+          #     The maximum number of fanouts per parent resource, such as
+          #     GCP Project etc., when [expand_resources][] is enabled. This internal
+          #     field is to help load testing and determine a proper value, and won't be
+          #     public in the future.
+          class Options
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+          end
+        end
+
+        # A request message for
+        # {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy google.cloud.asset.v1.AssetService.AnalyzeIamPolicy}.
+        # @!attribute [rw] analysis_query
+        #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery]
+        #     The request query.
+        # @!attribute [rw] execution_timeout
+        #   @return [::Google::Protobuf::Duration]
+        #     Amount of time executable has to complete.  See JSON representation of
+        #     [Duration](https://developers.google.com/protocol-buffers/docs/proto3#json).
+        #
+        #     If this field is set with a value less than the RPC deadline, and the
+        #     execution of your query hasn't finished in the specified
+        #     execution timeout,  you will get a response with partial result.
+        #     Otherwise, your query's execution will continue until the RPC deadline.
+        #     If it's not finished until then, you will get a  DEADLINE_EXCEEDED error.
+        #
+        #     Default is empty.
+        #
+        #     (-- We had discussion of whether we should have this field in the    --)
+        #     (-- request or use the RPC deadline instead. We finally choose this  --)
+        #     (-- approach for the following reasons (detailed in                  --)
+        #     (-- go/analyze-iam-policy-deadlines):                                --)
+        #     (-- * HTTP clients have very limited support of the RPC deadline.    --)
+        #     (--   There is an X-Server-Timeout header introduced in 2019/09, but --)
+        #     (--   only implemented in the C++ HTTP server library.               --)
+        #     (-- * The purpose of the RPC deadline is for RPC clients to          --)
+        #     (--   communicate its max waiting time to the server. This deadline  --)
+        #     (--   could be further propagated to the downstream servers. It is   --)
+        #     (--   mainly used for servers to cancel the request processing       --)
+        #     (--   to avoid resource wasting. Overloading the RPC deadline for    --)
+        #     (--   other purposes could make our backend system harder to reason  --)
+        #     (--   about.                                                         --)
+        class AnalyzeIamPolicyRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # A response message for
+        # {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy google.cloud.asset.v1.AssetService.AnalyzeIamPolicy}.
+        # @!attribute [rw] main_analysis
+        #   @return [::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis]
+        #     The main analysis that matches the original request.
+        # @!attribute [rw] service_account_impersonation_analysis
+        #   @return [::Array<::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis>]
+        #     The service account impersonation analysis if
+        #     [google.cloud.asset.v1.AnalyzeIamPolicyRequest.analyze_service_account_impersonation][google.cloud.asset.v1.AnalyzeIamPolicyRequest.analyze_service_account_impersonation]
+        #     is enabled.
+        # @!attribute [rw] fully_explored
+        #   @return [::Boolean]
+        #     Represents whether all entries in the [main_analysis][main_analysis] and
+        #     [service_account_impersonation_analysis][] have been fully explored to
+        #     answer the query in the request.
+        class AnalyzeIamPolicyResponse
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+
+          # An analysis message to group the query and results.
+          # @!attribute [rw] analysis_query
+          #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery]
+          #     The analysis query.
+          # @!attribute [rw] analysis_results
+          #   @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult>]
+          #     A list of {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult google.cloud.asset.v1.IamPolicyAnalysisResult}
+          #     that matches the analysis query, or empty if no result is found.
+          # @!attribute [rw] fully_explored
+          #   @return [::Boolean]
+          #     Represents whether all entries in the
+          #     [analysis_results][analysis_results] have been fully explored to answer
+          #     the query.
+          # @!attribute [rw] stats
+          #   @return [::Array<::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis::Stats>]
+          #     The stats of how the analysis has been explored.
+          # @!attribute [rw] non_critical_errors
+          #   @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisState>]
+          #     A list of non-critical errors happened during the query handling.
+          class IamPolicyAnalysis
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+
+            # A stats message that contains a set of analysis metrics.
+            #
+            # Here are some equations to show relationships of the explicitly specified
+            # metrics with other implicit metrics:
+            # * node_count = discovered_node_count + undiscovered_node_count(implicit)
+            # * discovered_node_count = explored_node_count +
+            # unexplored_node_count(implicit)
+            # * explored_node_count = capped_node_count + uncapped_node_count(implicit)
+            # * unexplored_node_count(implicit) = permission_denied_node_count +
+            # execution_timeout_node_count + other_unexplored_node_count(implicit)
+            # * discovered_node_count = matched_node_count +
+            # unmatched_node_count(implicit)
+            # @!attribute [rw] node_type
+            #   @return [::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis::Stats::NodeType]
+            #     Node type.
+            # @!attribute [rw] node_subtype
+            #   @return [::String]
+            #     The subtype of a node, such as:
+            #     * For Identity: Group, User, ServiceAccount etc.
+            #     * For Resource: resource type name, such as
+            #     cloudresourcemanager.googleapis.com/Organization, etc.
+            #     * For Access: Role or Permission
+            # @!attribute [rw] discovered_node_count
+            #   @return [::Integer]
+            #     The count of discovered nodes.
+            # @!attribute [rw] matched_node_count
+            #   @return [::Integer]
+            #     The count of nodes that match the query. These nodes form a sub-graph
+            #     of discovered nodes.
+            # @!attribute [rw] explored_node_count
+            #   @return [::Integer]
+            #     The count of explored nodes.
+            # @!attribute [rw] capped_node_count
+            #   @return [::Integer]
+            #     The count of nodes that get explored, but are capped by max fanout
+            #     setting.
+            # @!attribute [rw] permision_denied_node_count
+            #   @return [::Integer]
+            #     The count of unexplored nodes caused by permission denied error.
+            # @!attribute [rw] execution_timeout_node_count
+            #   @return [::Integer]
+            #     The count of unexplored nodes caused by execution timeout.
+            class Stats
+              include ::Google::Protobuf::MessageExts
+              extend ::Google::Protobuf::MessageExts::ClassMethods
+
+              # Type of the node.
+              module NodeType
+                # Unspecified node type.
+                NODE_TYPE_UNSPECIFIED = 0
+
+                # IAM Policy Binding node type.
+                BINDING = 1
+
+                # Identity node type.
+                IDENTITY = 2
+
+                # Resource node type.
+                RESOURCE = 3
+
+                # Access node type.
+                ACCESS = 4
+              end
+            end
+          end
+        end
+
+        # Output configuration for export IAM policy analysis destination.
+        # @!attribute [rw] gcs_destination
+        #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig::GcsDestination]
+        #     Destination on Cloud Storage.
+        # @!attribute [rw] bigquery_destination
+        #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig::BigQueryDestination]
+        #     Destination on BigQuery.
+        class IamPolicyAnalysisOutputConfig
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+
+          # A Cloud Storage location.
+          # @!attribute [rw] uri
+          #   @return [::String]
+          #     The uri of the Cloud Storage object. It's the same uri that is used by
+          #     gsutil. For example: "gs://bucket_name/object_name". See [Viewing and
+          #     Editing Object
+          #     Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata)
+          #     for more information.
+          class GcsDestination
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+          end
+
+          # A BigQuery destination.
+          # @!attribute [rw] dataset
+          #   @return [::String]
+          #     The BigQuery dataset in format "projects/projectId/datasets/datasetId",
+          #     to which the analysis results should be exported. If this dataset does
+          #     not exist, the export call will return an INVALID_ARGUMENT error.
+          # @!attribute [rw] table_prefix
+          #   @return [::String]
+          #     The prefix of the BigQuery tables to which the analysis results will be
+          #     written. Tables will be created based on this table_prefix if not exist:
+          #     * <table_prefix>_analysis table will contain export operation's metadata.
+          #     * <table_prefix>_analysis_result will contain all the
+          #       [IamPolicyAnalysisResult][].
+          #     When [partition_key] is specified, both tables will be partitioned based
+          #     on the [partition_key].
+          # @!attribute [rw] partition_key
+          #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig::BigQueryDestination::PartitionKey]
+          #     The partition key for BigQuery partitioned table.
+          # @!attribute [rw] write_mode
+          #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig::BigQueryDestination::WriteMode]
+          #     The write mode when table exists. WriteMode is ignored when no existing
+          #     tables, or no existing partitions are found.
+          class BigQueryDestination
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+
+            # This enum determines the partition key column for the bigquery tables.
+            # Partitioning can improve query performance and reduce query cost by
+            # filtering partitions. Refer to
+            # https://cloud.google.com/bigquery/docs/partitioned-tables for details.
+            module PartitionKey
+              # Unspecified partition key. Tables won't be partitioned using this
+              # option.
+              PARTITION_KEY_UNSPECIFIED = 0
+
+              # The time when the request is received. If specified as partition key,
+              # the result table(s) is partitoned by the RequestTime column, an
+              # additional timestamp column representing when the request was received.
+              REQUEST_TIME = 1
+            end
+
+            # Write mode types if table exists.
+            module WriteMode
+              # Unspecified write mode. We expect one of the following valid modes must
+              # be specified when table or partition exists.
+              WRITE_MODE_UNSPECIFIED = 0
+
+              # Abort the export when table or partition exists.
+              ABORT = 1
+
+              # Overwrite the table when table exists. When partitioned, overwrite
+              # the existing partition.
+              OVERWRITE = 2
+            end
+          end
+        end
+
+        # A request message for [AssetService.ExportIamPolicyAnalysis][].
+        # @!attribute [rw] analysis_query
+        #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery]
+        #     The request query.
+        # @!attribute [rw] output_config
+        #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig]
+        #     Output configuration indicating where the results will be output to.
+        class ExportIamPolicyAnalysisRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # The export IAM policy analysis response.
+        class ExportIamPolicyAnalysisResponse
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
         # Asset content type.
         module ContentType
           # Unspecified content type.
@@ -505,7 +985,7 @@ module Google
           # The Cloud Organization Policy set on an asset.
           ORG_POLICY = 4
 
-          # The Cloud Access context mananger Policy set on an asset.
+          # The Cloud Access context manager Policy set on an asset.
           ACCESS_POLICY = 5
         end
       end