google-cloud-asset-v1 0.5.3 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -26,6 +26,7 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
26
26
  add_message "google.cloud.asset.v1.ExportAssetsResponse" do
27
27
  optional :read_time, :message, 1, "google.protobuf.Timestamp"
28
28
  optional :output_config, :message, 2, "google.cloud.asset.v1.OutputConfig"
29
+ optional :output_result, :message, 3, "google.cloud.asset.v1.OutputResult"
29
30
  end
30
31
  add_message "google.cloud.asset.v1.BatchGetAssetsHistoryRequest" do
31
32
  optional :parent, :string, 1
@@ -63,6 +64,14 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
63
64
  optional :bigquery_destination, :message, 2, "google.cloud.asset.v1.BigQueryDestination"
64
65
  end
65
66
  end
67
+ add_message "google.cloud.asset.v1.OutputResult" do
68
+ oneof :result do
69
+ optional :gcs_result, :message, 1, "google.cloud.asset.v1.GcsOutputResult"
70
+ end
71
+ end
72
+ add_message "google.cloud.asset.v1.GcsOutputResult" do
73
+ repeated :uris, :string, 1
74
+ end
66
75
  add_message "google.cloud.asset.v1.GcsDestination" do
67
76
  oneof :object_uri do
68
77
  optional :uri, :string, 1
@@ -112,6 +121,96 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
112
121
  repeated :results, :message, 1, "google.cloud.asset.v1.IamPolicySearchResult"
113
122
  optional :next_page_token, :string, 2
114
123
  end
124
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisQuery" do
125
+ optional :scope, :string, 1
126
+ optional :resource_selector, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisQuery.ResourceSelector"
127
+ optional :identity_selector, :message, 3, "google.cloud.asset.v1.IamPolicyAnalysisQuery.IdentitySelector"
128
+ optional :access_selector, :message, 4, "google.cloud.asset.v1.IamPolicyAnalysisQuery.AccessSelector"
129
+ optional :options, :message, 5, "google.cloud.asset.v1.IamPolicyAnalysisQuery.Options"
130
+ end
131
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisQuery.ResourceSelector" do
132
+ optional :full_resource_name, :string, 1
133
+ end
134
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisQuery.IdentitySelector" do
135
+ optional :identity, :string, 1
136
+ end
137
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisQuery.AccessSelector" do
138
+ repeated :roles, :string, 1
139
+ repeated :permissions, :string, 2
140
+ end
141
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisQuery.Options" do
142
+ optional :expand_groups, :bool, 1
143
+ optional :expand_roles, :bool, 2
144
+ optional :expand_resources, :bool, 3
145
+ optional :output_resource_edges, :bool, 4
146
+ optional :output_group_edges, :bool, 5
147
+ optional :analyze_service_account_impersonation, :bool, 6
148
+ optional :max_fanouts_per_group, :int32, 7
149
+ optional :max_fanouts_per_resource, :int32, 8
150
+ end
151
+ add_message "google.cloud.asset.v1.AnalyzeIamPolicyRequest" do
152
+ optional :analysis_query, :message, 1, "google.cloud.asset.v1.IamPolicyAnalysisQuery"
153
+ optional :execution_timeout, :message, 2, "google.protobuf.Duration"
154
+ end
155
+ add_message "google.cloud.asset.v1.AnalyzeIamPolicyResponse" do
156
+ optional :main_analysis, :message, 1, "google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis"
157
+ repeated :service_account_impersonation_analysis, :message, 2, "google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis"
158
+ optional :fully_explored, :bool, 3
159
+ end
160
+ add_message "google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis" do
161
+ optional :analysis_query, :message, 1, "google.cloud.asset.v1.IamPolicyAnalysisQuery"
162
+ repeated :analysis_results, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisResult"
163
+ optional :fully_explored, :bool, 3
164
+ repeated :stats, :message, 4, "google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis.Stats"
165
+ repeated :non_critical_errors, :message, 5, "google.cloud.asset.v1.IamPolicyAnalysisState"
166
+ end
167
+ add_message "google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis.Stats" do
168
+ optional :node_type, :enum, 1, "google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis.Stats.NodeType"
169
+ optional :node_subtype, :string, 2
170
+ optional :discovered_node_count, :int32, 3
171
+ optional :matched_node_count, :int32, 4
172
+ optional :explored_node_count, :int32, 5
173
+ optional :capped_node_count, :int32, 6
174
+ optional :permision_denied_node_count, :int32, 7
175
+ optional :execution_timeout_node_count, :int32, 8
176
+ end
177
+ add_enum "google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis.Stats.NodeType" do
178
+ value :NODE_TYPE_UNSPECIFIED, 0
179
+ value :BINDING, 1
180
+ value :IDENTITY, 2
181
+ value :RESOURCE, 3
182
+ value :ACCESS, 4
183
+ end
184
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig" do
185
+ oneof :destination do
186
+ optional :gcs_destination, :message, 1, "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.GcsDestination"
187
+ optional :bigquery_destination, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination"
188
+ end
189
+ end
190
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.GcsDestination" do
191
+ optional :uri, :string, 1
192
+ end
193
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination" do
194
+ optional :dataset, :string, 1
195
+ optional :table_prefix, :string, 2
196
+ optional :partition_key, :enum, 3, "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination.PartitionKey"
197
+ optional :write_mode, :enum, 4, "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination.WriteMode"
198
+ end
199
+ add_enum "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination.PartitionKey" do
200
+ value :PARTITION_KEY_UNSPECIFIED, 0
201
+ value :REQUEST_TIME, 1
202
+ end
203
+ add_enum "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination.WriteMode" do
204
+ value :WRITE_MODE_UNSPECIFIED, 0
205
+ value :ABORT, 1
206
+ value :OVERWRITE, 2
207
+ end
208
+ add_message "google.cloud.asset.v1.ExportIamPolicyAnalysisRequest" do
209
+ optional :analysis_query, :message, 1, "google.cloud.asset.v1.IamPolicyAnalysisQuery"
210
+ optional :output_config, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig"
211
+ end
212
+ add_message "google.cloud.asset.v1.ExportIamPolicyAnalysisResponse" do
213
+ end
115
214
  add_enum "google.cloud.asset.v1.ContentType" do
116
215
  value :CONTENT_TYPE_UNSPECIFIED, 0
117
216
  value :RESOURCE, 1
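Review bot: The new Stats message misspells a field name at `optional :permision_denied_node_count, :int32, 7` (line 171), and that spelling becomes both the Ruby accessor on the generated class and the field's JSON name. Because this file is generated from the .proto, correcting it only here would desynchronise the Ruby descriptor from the server's; the fix belongs upstream in the proto, where a rename leaves binary wire compatibility intact but changes the JSON name, so it is an API-surface change. If it is left as is, a short comment on the corresponding msgclass assignment or a changelog line noting the spelling would save callers from looking for `permission_denied_node_count`.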
@@ -137,6 +236,8 @@ module Google
137
236
  UpdateFeedRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.UpdateFeedRequest").msgclass
138
237
  DeleteFeedRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.DeleteFeedRequest").msgclass
139
238
  OutputConfig = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.OutputConfig").msgclass
239
+ OutputResult = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.OutputResult").msgclass
240
+ GcsOutputResult = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.GcsOutputResult").msgclass
140
241
  GcsDestination = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.GcsDestination").msgclass
141
242
  BigQueryDestination = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.BigQueryDestination").msgclass
142
243
  PubsubDestination = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.PubsubDestination").msgclass
@@ -146,6 +247,23 @@ module Google
146
247
  SearchAllResourcesResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.SearchAllResourcesResponse").msgclass
147
248
  SearchAllIamPoliciesRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.SearchAllIamPoliciesRequest").msgclass
148
249
  SearchAllIamPoliciesResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.SearchAllIamPoliciesResponse").msgclass
250
+ IamPolicyAnalysisQuery = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisQuery").msgclass
251
+ IamPolicyAnalysisQuery::ResourceSelector = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisQuery.ResourceSelector").msgclass
252
+ IamPolicyAnalysisQuery::IdentitySelector = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisQuery.IdentitySelector").msgclass
253
+ IamPolicyAnalysisQuery::AccessSelector = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisQuery.AccessSelector").msgclass
254
+ IamPolicyAnalysisQuery::Options = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisQuery.Options").msgclass
255
+ AnalyzeIamPolicyRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.AnalyzeIamPolicyRequest").msgclass
256
+ AnalyzeIamPolicyResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.AnalyzeIamPolicyResponse").msgclass
257
+ AnalyzeIamPolicyResponse::IamPolicyAnalysis = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis").msgclass
258
+ AnalyzeIamPolicyResponse::IamPolicyAnalysis::Stats = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis.Stats").msgclass
259
+ AnalyzeIamPolicyResponse::IamPolicyAnalysis::Stats::NodeType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis.Stats.NodeType").enummodule
260
+ IamPolicyAnalysisOutputConfig = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisOutputConfig").msgclass
261
+ IamPolicyAnalysisOutputConfig::GcsDestination = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.GcsDestination").msgclass
262
+ IamPolicyAnalysisOutputConfig::BigQueryDestination = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination").msgclass
263
+ IamPolicyAnalysisOutputConfig::BigQueryDestination::PartitionKey = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination.PartitionKey").enummodule
264
+ IamPolicyAnalysisOutputConfig::BigQueryDestination::WriteMode = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination.WriteMode").enummodule
265
+ ExportIamPolicyAnalysisRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.ExportIamPolicyAnalysisRequest").msgclass
266
+ ExportIamPolicyAnalysisResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.ExportIamPolicyAnalysisResponse").msgclass
149
267
  ContentType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.ContentType").enummodule
150
268
  end
151
269
  end
@@ -36,14 +36,13 @@ module Google
36
36
  # Exports assets with time and resource types to a given Cloud Storage
37
37
  # location/BigQuery table. For Cloud Storage location destinations, the
38
38
  # output format is newline-delimited JSON. Each line represents a
39
- # [google.cloud.asset.v1.Asset][google.cloud.asset.v1.Asset] in the JSON
40
- # format; for BigQuery table destinations, the output table stores the fields
41
- # in asset proto as columns. This API implements the
42
- # [google.longrunning.Operation][google.longrunning.Operation] API , which
43
- # allows you to keep track of the export. We recommend intervals of at least
44
- # 2 seconds with exponential retry to poll the export operation result. For
45
- # regular-size resource parent, the export operation usually finishes within
46
- # 5 minutes.
39
+ # [google.cloud.asset.v1.Asset][google.cloud.asset.v1.Asset] in the JSON format; for BigQuery table
40
+ # destinations, the output table stores the fields in asset proto as columns.
41
+ # This API implements the [google.longrunning.Operation][google.longrunning.Operation] API
42
+ # , which allows you to keep track of the export. We recommend intervals of
43
+ # at least 2 seconds with exponential retry to poll the export operation
44
+ # result. For regular-size resource parent, the export operation usually
45
+ # finishes within 5 minutes.
47
46
  rpc :ExportAssets, Google::Cloud::Asset::V1::ExportAssetsRequest, Google::Longrunning::Operation
48
47
  # Batch gets the update history of assets that overlap a time window.
49
48
  # For IAM_POLICY content, this API outputs history when the asset and its
@@ -64,16 +63,29 @@ module Google
64
63
  rpc :UpdateFeed, Google::Cloud::Asset::V1::UpdateFeedRequest, Google::Cloud::Asset::V1::Feed
65
64
  # Deletes an asset feed.
66
65
  rpc :DeleteFeed, Google::Cloud::Asset::V1::DeleteFeedRequest, Google::Protobuf::Empty
67
- # Searches all the resources within the given accessible scope (e.g., a
68
- # project, a folder or an organization). Callers should have
69
- # cloud.assets.SearchAllResources permission upon the requested scope,
66
+ # Searches all Cloud resources within the specified scope, such as a project,
67
+ # folder, or organization. The caller must be granted the
68
+ # `cloudasset.assets.searchAllResources` permission on the desired scope,
70
69
  # otherwise the request will be rejected.
71
70
  rpc :SearchAllResources, Google::Cloud::Asset::V1::SearchAllResourcesRequest, Google::Cloud::Asset::V1::SearchAllResourcesResponse
72
- # Searches all the IAM policies within the given accessible scope (e.g., a
73
- # project, a folder or an organization). Callers should have
74
- # cloud.assets.SearchAllIamPolicies permission upon the requested scope,
71
+ # Searches all IAM policies within the specified scope, such as a project,
72
+ # folder, or organization. The caller must be granted the
73
+ # `cloudasset.assets.searchAllIamPolicies` permission on the desired scope,
75
74
  # otherwise the request will be rejected.
76
75
  rpc :SearchAllIamPolicies, Google::Cloud::Asset::V1::SearchAllIamPoliciesRequest, Google::Cloud::Asset::V1::SearchAllIamPoliciesResponse
76
+ # Analyzes IAM policies to answer which identities have what accesses on
77
+ # which resources.
78
+ rpc :AnalyzeIamPolicy, Google::Cloud::Asset::V1::AnalyzeIamPolicyRequest, Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse
79
+ # Exports the answers of which identities have what accesses on which
80
+ # resources to a Google Cloud Storage or a BigQuery destination. For Cloud
81
+ # Storage destination, the output format is the JSON format that represents a
82
+ # [google.cloud.asset.v1.AnalyzeIamPolicyResponse][google.cloud.asset.v1.AnalyzeIamPolicyResponse].
83
+ # This method implements the
84
+ # [google.longrunning.Operation][google.longrunning.Operation], which allows
85
+ # you to track the export status. We recommend intervals of at least 2
86
+ # seconds with exponential retry to poll the export operation result. The
87
+ # metadata contains the request to help callers to map responses to requests.
88
+ rpc :ExportIamPolicyAnalysis, Google::Cloud::Asset::V1::ExportIamPolicyAnalysisRequest, Google::Longrunning::Operation
77
89
  end
78
90
 
79
91
  Stub = Service.rpc_stub_class
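Review bot: The comments on the two new RPCs (lines 431–455) do not name the IAM permission the caller needs, while the reworded SearchAllResources and SearchAllIamPolicies comments in the same file now do (`cloudasset.assets.searchAllResources` / `cloudasset.assets.searchAllIamPolicies`). Since AnalyzeIamPolicy and ExportIamPolicyAnalysis reveal which identities hold which accesses on which resources, readers will look for the same statement; suggested wording for each: `# The caller must be granted the <required permission — confirm against the access-control docs> permission on the requested scope, otherwise the request will be rejected.` The service file is generated, so the text should be changed in the source proto comments rather than patched in this gem. Minor: the rewrapped ExportAssets comment at line 368 now starts a line with `# , which allows` — moving the comma to the end of the preceding line reads better.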
@@ -3,14 +3,12 @@
3
3
 
4
4
  require 'google/protobuf'
5
5
 
6
- require 'google/api/annotations_pb'
7
6
  require 'google/api/resource_pb'
8
7
  require 'google/cloud/orgpolicy/v1/orgpolicy_pb'
9
8
  require 'google/iam/v1/policy_pb'
10
9
  require 'google/identity/accesscontextmanager/v1/access_level_pb'
11
10
  require 'google/identity/accesscontextmanager/v1/access_policy_pb'
12
11
  require 'google/identity/accesscontextmanager/v1/service_perimeter_pb'
13
- require 'google/protobuf/any_pb'
14
12
  require 'google/protobuf/struct_pb'
15
13
  require 'google/protobuf/timestamp_pb'
16
14
  require 'google/rpc/code_pb'
@@ -80,6 +78,45 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
80
78
  add_message "google.cloud.asset.v1.IamPolicySearchResult.Explanation.Permissions" do
81
79
  repeated :permissions, :string, 1
82
80
  end
81
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisState" do
82
+ optional :code, :enum, 1, "google.rpc.Code"
83
+ optional :cause, :string, 2
84
+ end
85
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisResult" do
86
+ optional :attached_resource_full_name, :string, 1
87
+ optional :iam_binding, :message, 2, "google.iam.v1.Binding"
88
+ repeated :access_control_lists, :message, 3, "google.cloud.asset.v1.IamPolicyAnalysisResult.AccessControlList"
89
+ optional :identity_list, :message, 4, "google.cloud.asset.v1.IamPolicyAnalysisResult.IdentityList"
90
+ optional :fully_explored, :bool, 5
91
+ end
92
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisResult.Resource" do
93
+ optional :full_resource_name, :string, 1
94
+ optional :analysis_state, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisState"
95
+ end
96
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisResult.Access" do
97
+ optional :analysis_state, :message, 3, "google.cloud.asset.v1.IamPolicyAnalysisState"
98
+ oneof :oneof_access do
99
+ optional :role, :string, 1
100
+ optional :permission, :string, 2
101
+ end
102
+ end
103
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisResult.Identity" do
104
+ optional :name, :string, 1
105
+ optional :analysis_state, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisState"
106
+ end
107
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisResult.Edge" do
108
+ optional :source_node, :string, 1
109
+ optional :target_node, :string, 2
110
+ end
111
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisResult.AccessControlList" do
112
+ repeated :resources, :message, 1, "google.cloud.asset.v1.IamPolicyAnalysisResult.Resource"
113
+ repeated :accesses, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisResult.Access"
114
+ repeated :resource_edges, :message, 3, "google.cloud.asset.v1.IamPolicyAnalysisResult.Edge"
115
+ end
116
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisResult.IdentityList" do
117
+ repeated :identities, :message, 1, "google.cloud.asset.v1.IamPolicyAnalysisResult.Identity"
118
+ repeated :group_edges, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisResult.Edge"
119
+ end
83
120
  end
84
121
  end
85
122
 
@@ -96,6 +133,14 @@ module Google
96
133
  IamPolicySearchResult = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicySearchResult").msgclass
97
134
  IamPolicySearchResult::Explanation = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicySearchResult.Explanation").msgclass
98
135
  IamPolicySearchResult::Explanation::Permissions = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicySearchResult.Explanation.Permissions").msgclass
136
+ IamPolicyAnalysisState = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisState").msgclass
137
+ IamPolicyAnalysisResult = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisResult").msgclass
138
+ IamPolicyAnalysisResult::Resource = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisResult.Resource").msgclass
139
+ IamPolicyAnalysisResult::Access = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisResult.Access").msgclass
140
+ IamPolicyAnalysisResult::Identity = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisResult.Identity").msgclass
141
+ IamPolicyAnalysisResult::Edge = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisResult.Edge").msgclass
142
+ IamPolicyAnalysisResult::AccessControlList = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisResult.AccessControlList").msgclass
143
+ IamPolicyAnalysisResult::IdentityList = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisResult.IdentityList").msgclass
99
144
  end
100
145
  end
101
146
  end
@@ -21,7 +21,7 @@ module Google
21
21
  module Cloud
22
22
  module Asset
23
23
  module V1
24
- VERSION = "0.5.3"
24
+ VERSION = "0.6.0"
25
25
  end
26
26
  end
27
27
  end
@@ -37,9 +37,22 @@ module Google
37
37
  # running the same query may get different results.
38
38
  # @!attribute [rw] asset_types
39
39
  # @return [::Array<::String>]
40
- # A list of asset types of which to take a snapshot for. Example:
41
- # "compute.googleapis.com/Disk". If specified, only matching assets will be
42
- # returned. See [Introduction to Cloud Asset
40
+ # A list of asset types to take a snapshot for. For example:
41
+ # "compute.googleapis.com/Disk".
42
+ #
43
+ # Regular expressions are also supported. For example:
44
+ #
45
+ # * "compute.googleapis.com.*" snapshots resources whose asset type starts
46
+ # with "compute.googleapis.com".
47
+ # * ".*Instance" snapshots resources whose asset type ends with "Instance".
48
+ # * ".*Instance.*" snapshots resources whose asset type contains "Instance".
49
+ #
50
+ # See [RE2](https://github.com/google/re2/wiki/Syntax) for all supported
51
+ # regular expression syntax. If the regular expression does not match any
52
+ # supported asset type, an INVALID_ARGUMENT error will be returned.
53
+ #
54
+ # If specified, only matching assets will be returned, otherwise, it will
55
+ # snapshot all asset types. See [Introduction to Cloud Asset
43
56
  # Inventory](https://cloud.google.com/asset-inventory/docs/overview)
44
57
  # for all supported asset types.
45
58
  # @!attribute [rw] content_type
@@ -48,24 +61,28 @@ module Google
48
61
  # returned.
49
62
  # @!attribute [rw] output_config
50
63
  # @return [::Google::Cloud::Asset::V1::OutputConfig]
51
- # Required. Output configuration indicating where the results will be output
52
- # to.
64
+ # Required. Output configuration indicating where the results will be output to.
53
65
  class ExportAssetsRequest
54
66
  include ::Google::Protobuf::MessageExts
55
67
  extend ::Google::Protobuf::MessageExts::ClassMethods
56
68
  end
57
69
 
58
70
  # The export asset response. This message is returned by the
59
- # google.longrunning.Operations.GetOperation
60
- # method in the returned
61
- # {::Google::Longrunning::Operation#response google.longrunning.Operation.response}
62
- # field.
71
+ # google.longrunning.Operations.GetOperation method in the returned
72
+ # {::Google::Longrunning::Operation#response google.longrunning.Operation.response} field.
63
73
  # @!attribute [rw] read_time
64
74
  # @return [::Google::Protobuf::Timestamp]
65
75
  # Time the snapshot was taken.
66
76
  # @!attribute [rw] output_config
67
77
  # @return [::Google::Cloud::Asset::V1::OutputConfig]
68
78
  # Output configuration indicating where the results were output to.
79
+ # @!attribute [rw] output_result
80
+ # @return [::Google::Cloud::Asset::V1::OutputResult]
81
+ # Output result indicating where the assets were exported to. For example, a
82
+ # set of actual Google Cloud Storage object uris where the assets are
83
+ # exported to. The uris can be different from what [output_config] has
84
+ # specified, as the service will split the output object into multiple ones
85
+ # once it exceeds a single Google Cloud Storage object limit.
69
86
  class ExportAssetsResponse
70
87
  include ::Google::Protobuf::MessageExts
71
88
  extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -126,8 +143,9 @@ module Google
126
143
  # be unique under a specific parent project/folder/organization.
127
144
  # @!attribute [rw] feed
128
145
  # @return [::Google::Cloud::Asset::V1::Feed]
129
- # Required. The feed details. The field `name` must be empty and it will be
130
- # generated in the format of: projects/project_number/feeds/feed_id
146
+ # Required. The feed details. The field `name` must be empty and it will be generated
147
+ # in the format of:
148
+ # projects/project_number/feeds/feed_id
131
149
  # folders/folder_number/feeds/feed_id
132
150
  # organizations/organization_number/feeds/feed_id
133
151
  class CreateFeedRequest
@@ -169,8 +187,8 @@ module Google
169
187
  # Update asset feed request.
170
188
  # @!attribute [rw] feed
171
189
  # @return [::Google::Cloud::Asset::V1::Feed]
172
- # Required. The new values of feed details. It must match an existing feed
173
- # and the field `name` must be in the format of:
190
+ # Required. The new values of feed details. It must match an existing feed and the
191
+ # field `name` must be in the format of:
174
192
  # projects/project_number/feeds/feed_id or
175
193
  # folders/folder_number/feeds/feed_id or
176
194
  # organizations/organization_number/feeds/feed_id.
@@ -208,6 +226,25 @@ module Google
208
226
  extend ::Google::Protobuf::MessageExts::ClassMethods
209
227
  end
210
228
 
229
+ # Output result of export assets.
230
+ # @!attribute [rw] gcs_result
231
+ # @return [::Google::Cloud::Asset::V1::GcsOutputResult]
232
+ # Export result on Cloud Storage.
233
+ class OutputResult
234
+ include ::Google::Protobuf::MessageExts
235
+ extend ::Google::Protobuf::MessageExts::ClassMethods
236
+ end
237
+
238
+ # A Cloud Storage output result.
239
+ # @!attribute [rw] uris
240
+ # @return [::Array<::String>]
241
+ # List of uris of the Cloud Storage objects. Example:
242
+ # "gs://bucket_name/object_name".
243
+ class GcsOutputResult
244
+ include ::Google::Protobuf::MessageExts
245
+ extend ::Google::Protobuf::MessageExts::ClassMethods
246
+ end
247
+
211
248
  # A Cloud Storage location.
212
249
  # @!attribute [rw] uri
213
250
  # @return [::String]
@@ -324,8 +361,12 @@ module Google
324
361
  # When set, `expression` field in the `Expr` must be a valid [CEL expression]
325
362
  # (https://github.com/google/cel-spec) on a TemporalAsset with name
326
363
  # `temporal_asset`. Example: a Feed with expression ("temporal_asset.deleted
327
- # == true") will only publish Asset deletions. Other fields in `Expr` are
364
+ # == true") will only publish Asset deletions. Other fields of `Expr` are
328
365
  # optional.
366
+ #
367
+ # See our [user
368
+ # guide](https://cloud.google.com/asset-inventory/docs/monitoring-asset-changes#feed_with_condition)
369
+ # for detailed instructions.
329
370
  class Feed
330
371
  include ::Google::Protobuf::MessageExts
331
372
  extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -334,75 +375,81 @@ module Google
334
375
  # Search all resources request.
335
376
  # @!attribute [rw] scope
336
377
  # @return [::String]
337
- # Required. A scope can be a project, a folder or an organization. The search
338
- # is limited to the resources within the `scope`.
378
+ # Required. A scope can be a project, a folder, or an organization. The search is
379
+ # limited to the resources within the `scope`. The caller must be granted the
380
+ # [`cloudasset.assets.searchAllResources`](http://cloud.google.com/asset-inventory/docs/access-control#required_permissions)
381
+ # permission on the desired scope.
339
382
  #
340
383
  # The allowed values are:
341
384
  #
342
- # * projects/\\{PROJECT_ID}
343
- # * projects/\\{PROJECT_NUMBER}
344
- # * folders/\\{FOLDER_NUMBER}
345
- # * organizations/\\{ORGANIZATION_NUMBER}
385
+ # * projects/\\{PROJECT_ID} (e.g., "projects/foo-bar")
386
+ # * projects/\\{PROJECT_NUMBER} (e.g., "projects/12345678")
387
+ # * folders/\\{FOLDER_NUMBER} (e.g., "folders/1234567")
388
+ # * organizations/\\{ORGANIZATION_NUMBER} (e.g., "organizations/123456")
346
389
  # @!attribute [rw] query
347
390
  # @return [::String]
348
- # Optional. The query statement. An empty query can be specified to search
349
- # all the resources of certain `asset_types` within the given `scope`.
391
+ # Optional. The query statement. See [how to construct a
392
+ # query](http://cloud.google.com/asset-inventory/docs/searching-resources#how_to_construct_a_query)
393
+ # for more information. If not specified or empty, it will search all the
394
+ # resources within the specified `scope`. Note that the query string is
395
+ # compared against each Cloud IAM policy binding, including its members,
396
+ # roles, and Cloud IAM conditions. The returned Cloud IAM policies will only
397
+ # contain the bindings that match your query. To learn more about the IAM
398
+ # policy structure, see [IAM policy
399
+ # doc](https://cloud.google.com/iam/docs/policies#structure).
350
400
  #
351
401
  # Examples:
352
402
  #
353
- # * `name : "Important"` to find Cloud resources whose name contains
403
+ # * `name:Important` to find Cloud resources whose name contains
354
404
  # "Important" as a word.
355
- # * `displayName : "Impor*"` to find Cloud resources whose display name
356
- # contains "Impor" as a word prefix.
357
- # * `description : "*por*"` to find Cloud resources whose description
405
+ # * `displayName:Impor*` to find Cloud resources whose display name
406
+ # contains "Impor" as a prefix.
407
+ # * `description:*por*` to find Cloud resources whose description
358
408
  # contains "por" as a substring.
359
- # * `location : "us-west*"` to find Cloud resources whose location is
409
+ # * `location:us-west*` to find Cloud resources whose location is
360
410
  # prefixed with "us-west".
361
- # * `labels : "prod"` to find Cloud resources whose labels contain "prod" as
411
+ # * `labels:prod` to find Cloud resources whose labels contain "prod" as
362
412
  # a key or value.
363
- # * `labels.env : "prod"` to find Cloud resources which have a label "env"
413
+ # * `labels.env:prod` to find Cloud resources that have a label "env"
364
414
  # and its value is "prod".
365
- # * `labels.env : *` to find Cloud resources which have a label "env".
366
- # * `"Important"` to find Cloud resources which contain "Important" as a word
415
+ # * `labels.env:*` to find Cloud resources that have a label "env".
416
+ # * `Important` to find Cloud resources that contain "Important" as a word
367
417
  # in any of the searchable fields.
368
- # * `"Impor*"` to find Cloud resources which contain "Impor" as a word prefix
418
+ # * `Impor*` to find Cloud resources that contain "Impor" as a prefix
369
419
  # in any of the searchable fields.
370
- # * `"*por*"` to find Cloud resources which contain "por" as a substring in
420
+ # * `*por*` to find Cloud resources that contain "por" as a substring in
371
421
  # any of the searchable fields.
372
- # * `("Important" AND location : ("us-west1" OR "global"))` to find Cloud
373
- # resources which contain "Important" as a word in any of the searchable
422
+ # * `Important location:(us-west1 OR global)` to find Cloud
423
+ # resources that contain "Important" as a word in any of the searchable
374
424
  # fields and are also located in the "us-west1" region or the "global"
375
425
  # location.
376
- #
377
- # See [how to construct a
378
- # query](https://cloud.google.com/asset-inventory/docs/searching-resources#how_to_construct_a_query)
379
- # for more details.
380
426
  # @!attribute [rw] asset_types
381
427
  # @return [::Array<::String>]
382
- # Optional. A list of asset types that this request searches for. If empty,
383
- # it will search all the [searchable asset
428
+ # Optional. A list of asset types that this request searches for. If empty, it will
429
+ # search all the [searchable asset
384
430
  # types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types).
385
431
  # @!attribute [rw] page_size
386
432
  # @return [::Integer]
387
- # Optional. The page size for search result pagination. Page size is capped
388
- # at 500 even if a larger value is given. If set to zero, server will pick an
389
- # appropriate default. Returned results may be fewer than requested. When
390
- # this happens, there could be more results as long as `next_page_token` is
391
- # returned.
433
+ # Optional. The page size for search result pagination. Page size is capped at 500 even
434
+ # if a larger value is given. If set to zero, server will pick an appropriate
435
+ # default. Returned results may be fewer than requested. When this happens,
436
+ # there could be more results as long as `next_page_token` is returned.
392
437
  # @!attribute [rw] page_token
393
438
  # @return [::String]
394
- # Optional. If present, then retrieve the next batch of results from the
395
- # preceding call to this method. `page_token` must be the value of
396
- # `next_page_token` from the previous response. The values of all other
397
- # method parameters, must be identical to those in the previous call.
439
+ # Optional. If present, then retrieve the next batch of results from the preceding call
440
+ # to this method. `page_token` must be the value of `next_page_token` from
441
+ # the previous response. The values of all other method parameters, must be
442
+ # identical to those in the previous call.
398
443
  # @!attribute [rw] order_by
399
444
  # @return [::String]
400
- # Optional. A comma separated list of fields specifying the sorting order of
401
- # the results. The default order is ascending. Add " DESC" after the field
402
- # name to indicate descending order. Redundant space characters are ignored.
403
- # Example: "location DESC, name". See [supported resource metadata
404
- # fields](https://cloud.google.com/asset-inventory/docs/searching-resources#query_on_resource_metadata_fields)
405
- # for more details.
445
+ # Optional. A comma separated list of fields specifying the sorting order of the
446
+ # results. The default order is ascending. Add " DESC" after the field name
447
+ # to indicate descending order. Redundant space characters are ignored.
448
+ # Example: "location DESC, name". Only string fields in the response are
449
+ # sortable, including `name`, `displayName`, `description`, `location`. All
450
+ # the other fields such as repeated fields (e.g., `networkTags`), map
451
+ # fields (e.g., `labels`) and struct fields (e.g., `additionalAttributes`)
452
+ # are not supported.
406
453
  class SearchAllResourcesRequest
407
454
  include ::Google::Protobuf::MessageExts
408
455
  extend ::Google::Protobuf::MessageExts::ClassMethods
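Review bot: The new `query` documentation for SearchAllResourcesRequest (lines 1016–1026) says the query string is compared against each Cloud IAM policy binding and that the returned IAM policies only contain matching bindings, which describes IAM-policy search rather than resource search; it reads as copied from the SearchAllIamPoliciesRequest docs, and the `query` block for that request later in this diff does not carry it. I would drop those sentences here, keeping the `how to construct a query` link and the `If not specified or empty, it will search all the resources within the specified scope` sentence, and, if the binding-matching behaviour is accurate, move them to the SearchAllIamPoliciesRequest `query` description. As this is generated YARD text, the correction belongs in the upstream proto comments.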
@@ -426,51 +473,58 @@ module Google
426
473
  # Search all IAM policies request.
427
474
  # @!attribute [rw] scope
428
475
  # @return [::String]
429
- # Required. A scope can be a project, a folder or an organization. The search
430
- # is limited to the IAM policies within the `scope`.
476
+ # Required. A scope can be a project, a folder, or an organization. The search is
477
+ # limited to the IAM policies within the `scope`. The caller must be granted
478
+ # the
479
+ # [`cloudasset.assets.searchAllIamPolicies`](http://cloud.google.com/asset-inventory/docs/access-control#required_permissions)
480
+ # permission on the desired scope.
431
481
  #
432
482
  # The allowed values are:
433
483
  #
434
- # * projects/\\{PROJECT_ID}
435
- # * projects/\\{PROJECT_NUMBER}
436
- # * folders/\\{FOLDER_NUMBER}
437
- # * organizations/\\{ORGANIZATION_NUMBER}
484
+ # * projects/\\{PROJECT_ID} (e.g., "projects/foo-bar")
485
+ # * projects/\\{PROJECT_NUMBER} (e.g., "projects/12345678")
486
+ # * folders/\\{FOLDER_NUMBER} (e.g., "folders/1234567")
487
+ # * organizations/\\{ORGANIZATION_NUMBER} (e.g., "organizations/123456")
438
488
  # @!attribute [rw] query
439
489
  # @return [::String]
440
- # Optional. The query statement. An empty query can be specified to search
441
- # all the IAM policies within the given `scope`.
490
+ # Optional. The query statement. See [how to construct a
491
+ # query](https://cloud.google.com/asset-inventory/docs/searching-iam-policies#how_to_construct_a_query)
492
+ # for more information. If not specified or empty, it will search all the
493
+ # IAM policies within the specified `scope`.
442
494
  #
443
495
  # Examples:
444
496
  #
445
- # * `policy : "amy@gmail.com"` to find Cloud IAM policy bindings that
446
- # specify user "amy@gmail.com".
447
- # * `policy : "roles/compute.admin"` to find Cloud IAM policy bindings that
448
- # specify the Compute Admin role.
449
- # * `policy.role.permissions : "storage.buckets.update"` to find Cloud IAM
450
- # policy bindings that specify a role containing "storage.buckets.update"
451
- # permission.
452
- # * `resource : "organizations/123"` to find Cloud IAM policy bindings that
453
- # are set on "organizations/123".
454
- # * `(resource : ("organizations/123" OR "folders/1234") AND policy : "amy")`
455
- # to find Cloud IAM policy bindings that are set on "organizations/123" or
456
- # "folders/1234", and also specify user "amy".
457
- #
458
- # See [how to construct a
459
- # query](https://cloud.google.com/asset-inventory/docs/searching-iam-policies#how_to_construct_a_query)
460
- # for more details.
497
+ # * `policy:amy@gmail.com` to find IAM policy bindings that specify user
498
+ # "amy@gmail.com".
499
+ # * `policy:roles/compute.admin` to find IAM policy bindings that specify
500
+ # the Compute Admin role.
501
+ # * `policy.role.permissions:storage.buckets.update` to find IAM policy
502
+ # bindings that specify a role containing "storage.buckets.update"
503
+ # permission. Note that if callers don't have `iam.roles.get` access to a
504
+ # role's included permissions, policy bindings that specify this role will
505
+ # be dropped from the search results.
506
+ # * `resource:organizations/123456` to find IAM policy bindings
507
+ # that are set on "organizations/123456".
508
+ # * `Important` to find IAM policy bindings that contain "Important" as a
509
+ # word in any of the searchable fields (except for the included
510
+ # permissions).
511
+ # * `*por*` to find IAM policy bindings that contain "por" as a substring
512
+ # in any of the searchable fields (except for the included permissions).
513
+ # * `resource:(instance1 OR instance2) policy:amy` to find
514
+ # IAM policy bindings that are set on resources "instance1" or
515
+ # "instance2" and also specify user "amy".
461
516
  # @!attribute [rw] page_size
462
517
  # @return [::Integer]
463
- # Optional. The page size for search result pagination. Page size is capped
464
- # at 500 even if a larger value is given. If set to zero, server will pick an
465
- # appropriate default. Returned results may be fewer than requested. When
466
- # this happens, there could be more results as long as `next_page_token` is
467
- # returned.
518
+ # Optional. The page size for search result pagination. Page size is capped at 500 even
519
+ # if a larger value is given. If set to zero, server will pick an appropriate
520
+ # default. Returned results may be fewer than requested. When this happens,
521
+ # there could be more results as long as `next_page_token` is returned.
468
522
  # @!attribute [rw] page_token
469
523
  # @return [::String]
470
- # Optional. If present, retrieve the next batch of results from the preceding
471
- # call to this method. `page_token` must be the value of `next_page_token`
472
- # from the previous response. The values of all other method parameters must
473
- # be identical to those in the previous call.
524
+ # Optional. If present, retrieve the next batch of results from the preceding call to
525
+ # this method. `page_token` must be the value of `next_page_token` from the
526
+ # previous response. The values of all other method parameters must be
527
+ # identical to those in the previous call.
474
528
  class SearchAllIamPoliciesRequest
475
529
  include ::Google::Protobuf::MessageExts
476
530
  extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -491,6 +545,432 @@ module Google
491
545
  extend ::Google::Protobuf::MessageExts::ClassMethods
492
546
  end
493
547
 
548
+ # IAM policy analysis query message.
549
+ # @!attribute [rw] scope
550
+ # @return [::String]
551
+ # The relative name of the root asset. Only resources and IAM policies within
552
+ # the scope will be analyzed.
553
+ #
554
+ # This can only be an organization number (such as "organizations/123"), a
555
+ # folder number (such as "folders/123"), a project ID (such as
556
+ # "projects/my-project-id"), or a project number (such as "projects/12345").
557
+ #
558
+ # To know how to get organization id, visit [here
559
+ # ](https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id).
560
+ #
561
+ # To know how to get folder or project id, visit [here
562
+ # ](https://cloud.google.com/resource-manager/docs/creating-managing-folders#viewing_or_listing_folders_and_projects).
563
+ # @!attribute [rw] resource_selector
564
+ # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::ResourceSelector]
565
+ # Specifies a resource for analysis.
566
+ # @!attribute [rw] identity_selector
567
+ # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::IdentitySelector]
568
+ # Specifies an identity for analysis.
569
+ # @!attribute [rw] access_selector
570
+ # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::AccessSelector]
571
+ # Specifies roles or permissions for analysis. This is optional.
572
+ # @!attribute [rw] options
573
+ # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::Options]
574
+ # The query options.
575
+ class IamPolicyAnalysisQuery
576
+ include ::Google::Protobuf::MessageExts
577
+ extend ::Google::Protobuf::MessageExts::ClassMethods
578
+
579
+ # Specifies the resource to analyze for access policies, which may be set
580
+ # directly on the resource, or on ancestors such as organizations, folders or
581
+ # projects.
582
+ # @!attribute [rw] full_resource_name
583
+ # @return [::String]
584
+ # The [full resource name]
585
+ # (https://cloud.google.com/asset-inventory/docs/resource-name-format)
586
+ # of a resource of [supported resource
587
+ # types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#analyzable_asset_types).
588
+ class ResourceSelector
589
+ include ::Google::Protobuf::MessageExts
590
+ extend ::Google::Protobuf::MessageExts::ClassMethods
591
+ end
592
+
593
+ # Specifies an identity for which to determine resource access, based on
594
+ # roles assigned either directly to them or to the groups they belong to,
595
+ # directly or indirectly.
596
+ # @!attribute [rw] identity
597
+ # @return [::String]
598
+ # The identity appear in the form of members in
599
+ # [IAM policy
600
+ # binding](https://cloud.google.com/iam/reference/rest/v1/Binding).
601
+ #
602
+ # The examples of supported forms are:
603
+ # "user:mike@example.com",
604
+ # "group:admins@example.com",
605
+ # "domain:google.com",
606
+ # "serviceAccount:my-project-id@appspot.gserviceaccount.com".
607
+ #
608
+ # Notice that wildcard characters (such as * and ?) are not supported.
609
+ # You must give a specific identity.
610
+ class IdentitySelector
611
+ include ::Google::Protobuf::MessageExts
612
+ extend ::Google::Protobuf::MessageExts::ClassMethods
613
+ end
614
+
615
+ # Specifies roles and/or permissions to analyze, to determine both the
616
+ # identities possessing them and the resources they control. If multiple
617
+ # values are specified, results will include roles or permissions matching
618
+ # any of them.
619
+ # @!attribute [rw] roles
620
+ # @return [::Array<::String>]
621
+ # The roles to appear in result.
622
+ # @!attribute [rw] permissions
623
+ # @return [::Array<::String>]
624
+ # The permissions to appear in result.
625
+ class AccessSelector
626
+ include ::Google::Protobuf::MessageExts
627
+ extend ::Google::Protobuf::MessageExts::ClassMethods
628
+ end
629
+
630
+ # Contains query options.
631
+ # @!attribute [rw] expand_groups
632
+ # @return [::Boolean]
633
+ # If true, the identities section of the result will expand any
634
+ # Google groups appearing in an IAM policy binding.
635
+ #
636
+ # If
637
+ # {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#identity_selector google.cloud.asset.v1.IamPolicyAnalysisQuery.identity_selector}
638
+ # is specified, the identity in the result will be determined by the
639
+ # selector, and this flag is not allowed to set.
640
+ #
641
+ # Default is false.
642
+ # @!attribute [rw] expand_roles
643
+ # @return [::Boolean]
644
+ # If true, the access section of result will expand any roles
645
+ # appearing in IAM policy bindings to include their permissions.
646
+ #
647
+ # If
648
+ # {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#access_selector google.cloud.asset.v1.IamPolicyAnalysisQuery.access_selector}
649
+ # is specified, the access section of the result will be determined by the
650
+ # selector, and this flag is not allowed to set.
651
+ #
652
+ # Default is false.
653
+ # @!attribute [rw] expand_resources
654
+ # @return [::Boolean]
655
+ # If true and
656
+ # {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#resource_selector google.cloud.asset.v1.IamPolicyAnalysisQuery.resource_selector}
657
+ # is not specified, the resource section of the result will expand any
658
+ # resource attached to an IAM policy to include resources lower in the
659
+ # resource hierarchy.
660
+ #
661
+ # For example, if the request analyzes for which resources user A has
662
+ # permission P, and the results include an IAM policy with P on a GCP
663
+ # folder, the results will also include resources in that folder with
664
+ # permission P.
665
+ #
666
+ # If true and
667
+ # {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#resource_selector google.cloud.asset.v1.IamPolicyAnalysisQuery.resource_selector}
668
+ # is specified, the resource section of the result will expand the
669
+ # specified resource to include resources lower in the resource hierarchy.
670
+ #
671
+ # For example, if the request analyzes for which users have permission P on
672
+ # a GCP folder with this option enabled, the results will include all users
673
+ # who have permission P on that folder or any lower resource(ex. project).
674
+ #
675
+ # Default is false.
676
+ # @!attribute [rw] output_resource_edges
677
+ # @return [::Boolean]
678
+ # If true, the result will output resource edges, starting
679
+ # from the policy attached resource, to any expanded resources.
680
+ # Default is false.
681
+ # @!attribute [rw] output_group_edges
682
+ # @return [::Boolean]
683
+ # If true, the result will output group identity edges, starting
684
+ # from the binding's group members, to any expanded identities.
685
+ # Default is false.
686
+ # @!attribute [rw] analyze_service_account_impersonation
687
+ # @return [::Boolean]
688
+ # If true, the response will include access analysis from identities to
689
+ # resources via service account impersonation. This is a very expensive
690
+ # operation, because many derived queries will be executed. We highly
691
+ # recommend you use
692
+ # {::Google::Cloud::Asset::V1::AssetService::Client#export_iam_policy_analysis google.cloud.asset.v1.AssetService.ExportIamPolicyAnalysis}
693
+ # rpc instead.
694
+ #
695
+ # For example, if the request analyzes for which resources user A has
696
+ # permission P, and there's an IAM policy states user A has
697
+ # iam.serviceAccounts.getAccessToken permission to a service account SA,
698
+ # and there's another IAM policy states service account SA has permission P
699
+ # to a GCP folder F, then user A potentially has access to the GCP folder
700
+ # F. And those advanced analysis results will be included in
701
+ # {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis google.cloud.asset.v1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis}.
702
+ #
703
+ # Another example, if the request analyzes for who has
704
+ # permission P to a GCP folder F, and there's an IAM policy states user A
705
+ # has iam.serviceAccounts.actAs permission to a service account SA, and
706
+ # there's another IAM policy states service account SA has permission P to
707
+ # the GCP folder F, then user A potentially has access to the GCP folder
708
+ # F. And those advanced analysis results will be included in
709
+ # {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis google.cloud.asset.v1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis}.
710
+ #
711
+ # Default is false.
712
+ # @!attribute [rw] max_fanouts_per_group
713
+ # @return [::Integer]
714
+ # The maximum number of fanouts per group when [expand_groups][expand_groups]
715
+ # is enabled. This internal field is to help load testing and determine a
716
+ # proper value, and won't be public in the future.
717
+ # @!attribute [rw] max_fanouts_per_resource
718
+ # @return [::Integer]
719
+ # The maximum number of fanouts per parent resource, such as
720
+ # GCP Project etc., when [expand_resources][] is enabled. This internal
721
+ # field is to help load testing and determine a proper value, and won't be
722
+ # public in the future.
723
+ class Options
724
+ include ::Google::Protobuf::MessageExts
725
+ extend ::Google::Protobuf::MessageExts::ClassMethods
726
+ end
727
+ end
728
+
729
+ # A request message for
730
+ # {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy google.cloud.asset.v1.AssetService.AnalyzeIamPolicy}.
731
+ # @!attribute [rw] analysis_query
732
+ # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery]
733
+ # The request query.
734
+ # @!attribute [rw] execution_timeout
735
+ # @return [::Google::Protobuf::Duration]
736
+ # Amount of time executable has to complete. See JSON representation of
737
+ # [Duration](https://developers.google.com/protocol-buffers/docs/proto3#json).
738
+ #
739
+ # If this field is set with a value less than the RPC deadline, and the
740
+ # execution of your query hasn't finished in the specified
741
+ # execution timeout, you will get a response with partial result.
742
+ # Otherwise, your query's execution will continue until the RPC deadline.
743
+ # If it's not finished until then, you will get a DEADLINE_EXCEEDED error.
744
+ #
745
+ # Default is empty.
746
+ #
747
+ # (-- We had discussion of whether we should have this field in the --)
748
+ # (-- request or use the RPC deadline instead. We finally choose this --)
749
+ # (-- approach for the following reasons (detailed in --)
750
+ # (-- go/analyze-iam-policy-deadlines): --)
751
+ # (-- * HTTP clients have very limited support of the RPC deadline. --)
752
+ # (-- There is an X-Server-Timeout header introduced in 2019/09, but --)
753
+ # (-- only implemented in the C++ HTTP server library. --)
754
+ # (-- * The purpose of the RPC deadline is for RPC clients to --)
755
+ # (-- communicate its max waiting time to the server. This deadline --)
756
+ # (-- could be further propagated to the downstream servers. It is --)
757
+ # (-- mainly used for servers to cancel the request processing --)
758
+ # (-- to avoid resource wasting. Overloading the RPC deadline for --)
759
+ # (-- other purposes could make our backend system harder to reason --)
760
+ # (-- about. --)
761
+ class AnalyzeIamPolicyRequest
762
+ include ::Google::Protobuf::MessageExts
763
+ extend ::Google::Protobuf::MessageExts::ClassMethods
764
+ end
765
+
766
+ # A response message for
767
+ # {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy google.cloud.asset.v1.AssetService.AnalyzeIamPolicy}.
768
+ # @!attribute [rw] main_analysis
769
+ # @return [::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis]
770
+ # The main analysis that matches the original request.
771
+ # @!attribute [rw] service_account_impersonation_analysis
772
+ # @return [::Array<::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis>]
773
+ # The service account impersonation analysis if
774
+ # [google.cloud.asset.v1.AnalyzeIamPolicyRequest.analyze_service_account_impersonation][google.cloud.asset.v1.AnalyzeIamPolicyRequest.analyze_service_account_impersonation]
775
+ # is enabled.
776
+ # @!attribute [rw] fully_explored
777
+ # @return [::Boolean]
778
+ # Represents whether all entries in the [main_analysis][main_analysis] and
779
+ # [service_account_impersonation_analysis][] have been fully explored to
780
+ # answer the query in the request.
781
+ class AnalyzeIamPolicyResponse
782
+ include ::Google::Protobuf::MessageExts
783
+ extend ::Google::Protobuf::MessageExts::ClassMethods
784
+
785
+ # An analysis message to group the query and results.
786
+ # @!attribute [rw] analysis_query
787
+ # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery]
788
+ # The analysis query.
789
+ # @!attribute [rw] analysis_results
790
+ # @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult>]
791
+ # A list of {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult google.cloud.asset.v1.IamPolicyAnalysisResult}
792
+ # that matches the analysis query, or empty if no result is found.
793
+ # @!attribute [rw] fully_explored
794
+ # @return [::Boolean]
795
+ # Represents whether all entries in the
796
+ # [analysis_results][analysis_results] have been fully explored to answer
797
+ # the query.
798
+ # @!attribute [rw] stats
799
+ # @return [::Array<::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis::Stats>]
800
+ # The stats of how the analysis has been explored.
801
+ # @!attribute [rw] non_critical_errors
802
+ # @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisState>]
803
+ # A list of non-critical errors happened during the query handling.
804
+ class IamPolicyAnalysis
805
+ include ::Google::Protobuf::MessageExts
806
+ extend ::Google::Protobuf::MessageExts::ClassMethods
807
+
808
+ # A stats message that contains a set of analysis metrics.
809
+ #
810
+ # Here are some equations to show relationships of the explicitly specified
811
+ # metrics with other implicit metrics:
812
+ # * node_count = discovered_node_count + undiscovered_node_count(implicit)
813
+ # * discovered_node_count = explored_node_count +
814
+ # unexplored_node_count(implicit)
815
+ # * explored_node_count = capped_node_count + uncapped_node_count(implicit)
816
+ # * unexplored_node_count(implicit) = permission_denied_node_count +
817
+ # execution_timeout_node_count + other_unexplored_node_count(implicit)
818
+ # * discovered_node_count = matched_node_count +
819
+ # unmatched_node_count(implicit)
820
+ # @!attribute [rw] node_type
821
+ # @return [::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis::Stats::NodeType]
822
+ # Node type.
823
+ # @!attribute [rw] node_subtype
824
+ # @return [::String]
825
+ # The subtype of a node, such as:
826
+ # * For Identity: Group, User, ServiceAccount etc.
827
+ # * For Resource: resource type name, such as
828
+ # cloudresourcemanager.googleapis.com/Organization, etc.
829
+ # * For Access: Role or Permission
830
+ # @!attribute [rw] discovered_node_count
831
+ # @return [::Integer]
832
+ # The count of discovered nodes.
833
+ # @!attribute [rw] matched_node_count
834
+ # @return [::Integer]
835
+ # The count of nodes that match the query. These nodes form a sub-graph
836
+ # of discovered nodes.
837
+ # @!attribute [rw] explored_node_count
838
+ # @return [::Integer]
839
+ # The count of explored nodes.
840
+ # @!attribute [rw] capped_node_count
841
+ # @return [::Integer]
842
+ # The count of nodes that get explored, but are capped by max fanout
843
+ # setting.
844
+ # @!attribute [rw] permision_denied_node_count
845
+ # @return [::Integer]
846
+ # The count of unexplored nodes caused by permission denied error.
847
+ # @!attribute [rw] execution_timeout_node_count
848
+ # @return [::Integer]
849
+ # The count of unexplored nodes caused by execution timeout.
850
+ class Stats
851
+ include ::Google::Protobuf::MessageExts
852
+ extend ::Google::Protobuf::MessageExts::ClassMethods
853
+
854
+ # Type of the node.
855
+ module NodeType
856
+ # Unspecified node type.
857
+ NODE_TYPE_UNSPECIFIED = 0
858
+
859
+ # IAM Policy Binding node type.
860
+ BINDING = 1
861
+
862
+ # Identity node type.
863
+ IDENTITY = 2
864
+
865
+ # Resource node type.
866
+ RESOURCE = 3
867
+
868
+ # Access node type.
869
+ ACCESS = 4
870
+ end
871
+ end
872
+ end
873
+ end
874
+
875
+ # Output configuration for export IAM policy analysis destination.
876
+ # @!attribute [rw] gcs_destination
877
+ # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig::GcsDestination]
878
+ # Destination on Cloud Storage.
879
+ # @!attribute [rw] bigquery_destination
880
+ # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig::BigQueryDestination]
881
+ # Destination on BigQuery.
882
+ class IamPolicyAnalysisOutputConfig
883
+ include ::Google::Protobuf::MessageExts
884
+ extend ::Google::Protobuf::MessageExts::ClassMethods
885
+
886
+ # A Cloud Storage location.
887
+ # @!attribute [rw] uri
888
+ # @return [::String]
889
+ # The uri of the Cloud Storage object. It's the same uri that is used by
890
+ # gsutil. For example: "gs://bucket_name/object_name". See [Viewing and
891
+ # Editing Object
892
+ # Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata)
893
+ # for more information.
894
+ class GcsDestination
895
+ include ::Google::Protobuf::MessageExts
896
+ extend ::Google::Protobuf::MessageExts::ClassMethods
897
+ end
898
+
899
+ # A BigQuery destination.
900
+ # @!attribute [rw] dataset
901
+ # @return [::String]
902
+ # The BigQuery dataset in format "projects/projectId/datasets/datasetId",
903
+ # to which the analysis results should be exported. If this dataset does
904
+ # not exist, the export call will return an INVALID_ARGUMENT error.
905
+ # @!attribute [rw] table_prefix
906
+ # @return [::String]
907
+ # The prefix of the BigQuery tables to which the analysis results will be
908
+ # written. Tables will be created based on this table_prefix if not exist:
909
+ # * <table_prefix>_analysis table will contain export operation's metadata.
910
+ # * <table_prefix>_analysis_result will contain all the
911
+ # [IamPolicyAnalysisResult][].
912
+ # When [partition_key] is specified, both tables will be partitioned based
913
+ # on the [partition_key].
914
+ # @!attribute [rw] partition_key
915
+ # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig::BigQueryDestination::PartitionKey]
916
+ # The partition key for BigQuery partitioned table.
917
+ # @!attribute [rw] write_mode
918
+ # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig::BigQueryDestination::WriteMode]
919
+ # The write mode when table exists. WriteMode is ignored when no existing
920
+ # tables, or no existing partitions are found.
921
+ class BigQueryDestination
922
+ include ::Google::Protobuf::MessageExts
923
+ extend ::Google::Protobuf::MessageExts::ClassMethods
924
+
925
+ # This enum determines the partition key column for the bigquery tables.
926
+ # Partitioning can improve query performance and reduce query cost by
927
+ # filtering partitions. Refer to
928
+ # https://cloud.google.com/bigquery/docs/partitioned-tables for details.
929
+ module PartitionKey
930
+ # Unspecified partition key. Tables won't be partitioned using this
931
+ # option.
932
+ PARTITION_KEY_UNSPECIFIED = 0
933
+
934
+ # The time when the request is received. If specified as partition key,
935
+ # the result table(s) is partitoned by the RequestTime column, an
936
+ # additional timestamp column representing when the request was received.
937
+ REQUEST_TIME = 1
938
+ end
939
+
940
+ # Write mode types if table exists.
941
+ module WriteMode
942
+ # Unspecified write mode. We expect one of the following valid modes must
943
+ # be specified when table or partition exists.
944
+ WRITE_MODE_UNSPECIFIED = 0
945
+
946
+ # Abort the export when table or partition exists.
947
+ ABORT = 1
948
+
949
+ # Overwrite the table when table exists. When partitioned, overwrite
950
+ # the existing partition.
951
+ OVERWRITE = 2
952
+ end
953
+ end
954
+ end
955
+
956
+ # A request message for [AssetService.ExportIamPolicyAnalysis][].
957
+ # @!attribute [rw] analysis_query
958
+ # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery]
959
+ # The request query.
960
+ # @!attribute [rw] output_config
961
+ # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig]
962
+ # Output configuration indicating where the results will be output to.
963
+ class ExportIamPolicyAnalysisRequest
964
+ include ::Google::Protobuf::MessageExts
965
+ extend ::Google::Protobuf::MessageExts::ClassMethods
966
+ end
967
+
968
+ # The export IAM policy analysis response.
969
+ class ExportIamPolicyAnalysisResponse
970
+ include ::Google::Protobuf::MessageExts
971
+ extend ::Google::Protobuf::MessageExts::ClassMethods
972
+ end
973
+
494
974
  # Asset content type.
495
975
  module ContentType
496
976
  # Unspecified content type.
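Review bot: The `execution_timeout` documentation on AnalyzeIamPolicyRequest carries a run of `(-- ... --)` internal design notes, including a `go/` link, that the proto doc generator normally strips; they add nothing for SDK users and should be dropped from the published YARD. Since the text says a timeout yields a partial result, the attribute would serve callers better by ending with `# A partial result is flagged by AnalyzeIamPolicyResponse#fully_explored; treat false as "not fully analyzed", never as "no access".` so a truncated analysis is not read as a complete one. Separately, the Stats attribute is documented as `permision_denied_node_count`; if that mirrors the proto field name it has to stay as-is, otherwise it is a typo for `permission_denied_node_count`. The enclosing module nesting begins and ends outside this hunk.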
@@ -505,7 +985,7 @@ module Google
505
985
  # The Cloud Organization Policy set on an asset.
506
986
  ORG_POLICY = 4
507
987
 
508
- # The Cloud Access context mananger Policy set on an asset.
988
+ # The Cloud Access context manager Policy set on an asset.
509
989
  ACCESS_POLICY = 5
510
990
  end
511
991
  end