google-cloud-asset-v1 0.5.3 → 0.6.0
- checksums.yaml +4 -4
- data/lib/google/cloud/asset/v1/asset_service/client.rb +317 -98
- data/lib/google/cloud/asset/v1/asset_service_pb.rb +118 -0
- data/lib/google/cloud/asset/v1/asset_service_services_pb.rb +26 -14
- data/lib/google/cloud/asset/v1/assets_pb.rb +47 -2
- data/lib/google/cloud/asset/v1/version.rb +1 -1
- data/proto_docs/google/cloud/asset/v1/asset_service.rb +570 -90
- data/proto_docs/google/cloud/asset/v1/assets.rb +211 -25
- metadata +2 -2
@@ -26,6 +26,7 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
|
|
26
26
|
add_message "google.cloud.asset.v1.ExportAssetsResponse" do
|
27
27
|
optional :read_time, :message, 1, "google.protobuf.Timestamp"
|
28
28
|
optional :output_config, :message, 2, "google.cloud.asset.v1.OutputConfig"
|
29
|
+
optional :output_result, :message, 3, "google.cloud.asset.v1.OutputResult"
|
29
30
|
end
|
30
31
|
add_message "google.cloud.asset.v1.BatchGetAssetsHistoryRequest" do
|
31
32
|
optional :parent, :string, 1
|
@@ -63,6 +64,14 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
|
|
63
64
|
optional :bigquery_destination, :message, 2, "google.cloud.asset.v1.BigQueryDestination"
|
64
65
|
end
|
65
66
|
end
|
67
|
+
add_message "google.cloud.asset.v1.OutputResult" do
|
68
|
+
oneof :result do
|
69
|
+
optional :gcs_result, :message, 1, "google.cloud.asset.v1.GcsOutputResult"
|
70
|
+
end
|
71
|
+
end
|
72
|
+
add_message "google.cloud.asset.v1.GcsOutputResult" do
|
73
|
+
repeated :uris, :string, 1
|
74
|
+
end
|
66
75
|
add_message "google.cloud.asset.v1.GcsDestination" do
|
67
76
|
oneof :object_uri do
|
68
77
|
optional :uri, :string, 1
|
@@ -112,6 +121,96 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
|
|
112
121
|
repeated :results, :message, 1, "google.cloud.asset.v1.IamPolicySearchResult"
|
113
122
|
optional :next_page_token, :string, 2
|
114
123
|
end
|
124
|
+
add_message "google.cloud.asset.v1.IamPolicyAnalysisQuery" do
|
125
|
+
optional :scope, :string, 1
|
126
|
+
optional :resource_selector, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisQuery.ResourceSelector"
|
127
|
+
optional :identity_selector, :message, 3, "google.cloud.asset.v1.IamPolicyAnalysisQuery.IdentitySelector"
|
128
|
+
optional :access_selector, :message, 4, "google.cloud.asset.v1.IamPolicyAnalysisQuery.AccessSelector"
|
129
|
+
optional :options, :message, 5, "google.cloud.asset.v1.IamPolicyAnalysisQuery.Options"
|
130
|
+
end
|
131
|
+
add_message "google.cloud.asset.v1.IamPolicyAnalysisQuery.ResourceSelector" do
|
132
|
+
optional :full_resource_name, :string, 1
|
133
|
+
end
|
134
|
+
add_message "google.cloud.asset.v1.IamPolicyAnalysisQuery.IdentitySelector" do
|
135
|
+
optional :identity, :string, 1
|
136
|
+
end
|
137
|
+
add_message "google.cloud.asset.v1.IamPolicyAnalysisQuery.AccessSelector" do
|
138
|
+
repeated :roles, :string, 1
|
139
|
+
repeated :permissions, :string, 2
|
140
|
+
end
|
141
|
+
add_message "google.cloud.asset.v1.IamPolicyAnalysisQuery.Options" do
|
142
|
+
optional :expand_groups, :bool, 1
|
143
|
+
optional :expand_roles, :bool, 2
|
144
|
+
optional :expand_resources, :bool, 3
|
145
|
+
optional :output_resource_edges, :bool, 4
|
146
|
+
optional :output_group_edges, :bool, 5
|
147
|
+
optional :analyze_service_account_impersonation, :bool, 6
|
148
|
+
optional :max_fanouts_per_group, :int32, 7
|
149
|
+
optional :max_fanouts_per_resource, :int32, 8
|
150
|
+
end
|
151
|
+
add_message "google.cloud.asset.v1.AnalyzeIamPolicyRequest" do
|
152
|
+
optional :analysis_query, :message, 1, "google.cloud.asset.v1.IamPolicyAnalysisQuery"
|
153
|
+
optional :execution_timeout, :message, 2, "google.protobuf.Duration"
|
154
|
+
end
|
155
|
+
add_message "google.cloud.asset.v1.AnalyzeIamPolicyResponse" do
|
156
|
+
optional :main_analysis, :message, 1, "google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis"
|
157
|
+
repeated :service_account_impersonation_analysis, :message, 2, "google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis"
|
158
|
+
optional :fully_explored, :bool, 3
|
159
|
+
end
|
160
|
+
add_message "google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis" do
|
161
|
+
optional :analysis_query, :message, 1, "google.cloud.asset.v1.IamPolicyAnalysisQuery"
|
162
|
+
repeated :analysis_results, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisResult"
|
163
|
+
optional :fully_explored, :bool, 3
|
164
|
+
repeated :stats, :message, 4, "google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis.Stats"
|
165
|
+
repeated :non_critical_errors, :message, 5, "google.cloud.asset.v1.IamPolicyAnalysisState"
|
166
|
+
end
|
167
|
+
add_message "google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis.Stats" do
|
168
|
+
optional :node_type, :enum, 1, "google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis.Stats.NodeType"
|
169
|
+
optional :node_subtype, :string, 2
|
170
|
+
optional :discovered_node_count, :int32, 3
|
171
|
+
optional :matched_node_count, :int32, 4
|
172
|
+
optional :explored_node_count, :int32, 5
|
173
|
+
optional :capped_node_count, :int32, 6
|
174
|
+
optional :permision_denied_node_count, :int32, 7
|
175
|
+
optional :execution_timeout_node_count, :int32, 8
|
176
|
+
end
|
177
|
+
add_enum "google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis.Stats.NodeType" do
|
178
|
+
value :NODE_TYPE_UNSPECIFIED, 0
|
179
|
+
value :BINDING, 1
|
180
|
+
value :IDENTITY, 2
|
181
|
+
value :RESOURCE, 3
|
182
|
+
value :ACCESS, 4
|
183
|
+
end
|
184
|
+
add_message "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig" do
|
185
|
+
oneof :destination do
|
186
|
+
optional :gcs_destination, :message, 1, "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.GcsDestination"
|
187
|
+
optional :bigquery_destination, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination"
|
188
|
+
end
|
189
|
+
end
|
190
|
+
add_message "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.GcsDestination" do
|
191
|
+
optional :uri, :string, 1
|
192
|
+
end
|
193
|
+
add_message "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination" do
|
194
|
+
optional :dataset, :string, 1
|
195
|
+
optional :table_prefix, :string, 2
|
196
|
+
optional :partition_key, :enum, 3, "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination.PartitionKey"
|
197
|
+
optional :write_mode, :enum, 4, "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination.WriteMode"
|
198
|
+
end
|
199
|
+
add_enum "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination.PartitionKey" do
|
200
|
+
value :PARTITION_KEY_UNSPECIFIED, 0
|
201
|
+
value :REQUEST_TIME, 1
|
202
|
+
end
|
203
|
+
add_enum "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination.WriteMode" do
|
204
|
+
value :WRITE_MODE_UNSPECIFIED, 0
|
205
|
+
value :ABORT, 1
|
206
|
+
value :OVERWRITE, 2
|
207
|
+
end
|
208
|
+
add_message "google.cloud.asset.v1.ExportIamPolicyAnalysisRequest" do
|
209
|
+
optional :analysis_query, :message, 1, "google.cloud.asset.v1.IamPolicyAnalysisQuery"
|
210
|
+
optional :output_config, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig"
|
211
|
+
end
|
212
|
+
add_message "google.cloud.asset.v1.ExportIamPolicyAnalysisResponse" do
|
213
|
+
end
|
115
214
|
add_enum "google.cloud.asset.v1.ContentType" do
|
116
215
|
value :CONTENT_TYPE_UNSPECIFIED, 0
|
117
216
|
value :RESOURCE, 1
|
@@ -137,6 +236,8 @@ module Google
|
|
137
236
|
UpdateFeedRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.UpdateFeedRequest").msgclass
|
138
237
|
DeleteFeedRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.DeleteFeedRequest").msgclass
|
139
238
|
OutputConfig = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.OutputConfig").msgclass
|
239
|
+
OutputResult = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.OutputResult").msgclass
|
240
|
+
GcsOutputResult = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.GcsOutputResult").msgclass
|
140
241
|
GcsDestination = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.GcsDestination").msgclass
|
141
242
|
BigQueryDestination = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.BigQueryDestination").msgclass
|
142
243
|
PubsubDestination = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.PubsubDestination").msgclass
|
@@ -146,6 +247,23 @@ module Google
|
|
146
247
|
SearchAllResourcesResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.SearchAllResourcesResponse").msgclass
|
147
248
|
SearchAllIamPoliciesRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.SearchAllIamPoliciesRequest").msgclass
|
148
249
|
SearchAllIamPoliciesResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.SearchAllIamPoliciesResponse").msgclass
|
250
|
+
IamPolicyAnalysisQuery = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisQuery").msgclass
|
251
|
+
IamPolicyAnalysisQuery::ResourceSelector = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisQuery.ResourceSelector").msgclass
|
252
|
+
IamPolicyAnalysisQuery::IdentitySelector = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisQuery.IdentitySelector").msgclass
|
253
|
+
IamPolicyAnalysisQuery::AccessSelector = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisQuery.AccessSelector").msgclass
|
254
|
+
IamPolicyAnalysisQuery::Options = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisQuery.Options").msgclass
|
255
|
+
AnalyzeIamPolicyRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.AnalyzeIamPolicyRequest").msgclass
|
256
|
+
AnalyzeIamPolicyResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.AnalyzeIamPolicyResponse").msgclass
|
257
|
+
AnalyzeIamPolicyResponse::IamPolicyAnalysis = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis").msgclass
|
258
|
+
AnalyzeIamPolicyResponse::IamPolicyAnalysis::Stats = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis.Stats").msgclass
|
259
|
+
AnalyzeIamPolicyResponse::IamPolicyAnalysis::Stats::NodeType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis.Stats.NodeType").enummodule
|
260
|
+
IamPolicyAnalysisOutputConfig = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisOutputConfig").msgclass
|
261
|
+
IamPolicyAnalysisOutputConfig::GcsDestination = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.GcsDestination").msgclass
|
262
|
+
IamPolicyAnalysisOutputConfig::BigQueryDestination = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination").msgclass
|
263
|
+
IamPolicyAnalysisOutputConfig::BigQueryDestination::PartitionKey = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination.PartitionKey").enummodule
|
264
|
+
IamPolicyAnalysisOutputConfig::BigQueryDestination::WriteMode = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination.WriteMode").enummodule
|
265
|
+
ExportIamPolicyAnalysisRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.ExportIamPolicyAnalysisRequest").msgclass
|
266
|
+
ExportIamPolicyAnalysisResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.ExportIamPolicyAnalysisResponse").msgclass
|
149
267
|
ContentType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.ContentType").enummodule
|
150
268
|
end
|
151
269
|
end
|
@@ -36,14 +36,13 @@ module Google
|
|
36
36
|
# Exports assets with time and resource types to a given Cloud Storage
|
37
37
|
# location/BigQuery table. For Cloud Storage location destinations, the
|
38
38
|
# output format is newline-delimited JSON. Each line represents a
|
39
|
-
# [google.cloud.asset.v1.Asset][google.cloud.asset.v1.Asset] in the JSON
|
40
|
-
#
|
41
|
-
#
|
42
|
-
#
|
43
|
-
#
|
44
|
-
#
|
45
|
-
#
|
46
|
-
# 5 minutes.
|
39
|
+
# [google.cloud.asset.v1.Asset][google.cloud.asset.v1.Asset] in the JSON format; for BigQuery table
|
40
|
+
# destinations, the output table stores the fields in asset proto as columns.
|
41
|
+
# This API implements the [google.longrunning.Operation][google.longrunning.Operation] API
|
42
|
+
# , which allows you to keep track of the export. We recommend intervals of
|
43
|
+
# at least 2 seconds with exponential retry to poll the export operation
|
44
|
+
# result. For regular-size resource parent, the export operation usually
|
45
|
+
# finishes within 5 minutes.
|
47
46
|
rpc :ExportAssets, Google::Cloud::Asset::V1::ExportAssetsRequest, Google::Longrunning::Operation
|
48
47
|
# Batch gets the update history of assets that overlap a time window.
|
49
48
|
# For IAM_POLICY content, this API outputs history when the asset and its
|
@@ -64,16 +63,29 @@ module Google
|
|
64
63
|
rpc :UpdateFeed, Google::Cloud::Asset::V1::UpdateFeedRequest, Google::Cloud::Asset::V1::Feed
|
65
64
|
# Deletes an asset feed.
|
66
65
|
rpc :DeleteFeed, Google::Cloud::Asset::V1::DeleteFeedRequest, Google::Protobuf::Empty
|
67
|
-
# Searches all
|
68
|
-
#
|
69
|
-
#
|
66
|
+
# Searches all Cloud resources within the specified scope, such as a project,
|
67
|
+
# folder, or organization. The caller must be granted the
|
68
|
+
# `cloudasset.assets.searchAllResources` permission on the desired scope,
|
70
69
|
# otherwise the request will be rejected.
|
71
70
|
rpc :SearchAllResources, Google::Cloud::Asset::V1::SearchAllResourcesRequest, Google::Cloud::Asset::V1::SearchAllResourcesResponse
|
72
|
-
# Searches all
|
73
|
-
#
|
74
|
-
#
|
71
|
+
# Searches all IAM policies within the specified scope, such as a project,
|
72
|
+
# folder, or organization. The caller must be granted the
|
73
|
+
# `cloudasset.assets.searchAllIamPolicies` permission on the desired scope,
|
75
74
|
# otherwise the request will be rejected.
|
76
75
|
rpc :SearchAllIamPolicies, Google::Cloud::Asset::V1::SearchAllIamPoliciesRequest, Google::Cloud::Asset::V1::SearchAllIamPoliciesResponse
|
76
|
+
# Analyzes IAM policies to answer which identities have what accesses on
|
77
|
+
# which resources.
|
78
|
+
rpc :AnalyzeIamPolicy, Google::Cloud::Asset::V1::AnalyzeIamPolicyRequest, Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse
|
79
|
+
# Exports the answers of which identities have what accesses on which
|
80
|
+
# resources to a Google Cloud Storage or a BigQuery destination. For Cloud
|
81
|
+
# Storage destination, the output format is the JSON format that represents a
|
82
|
+
# [google.cloud.asset.v1.AnalyzeIamPolicyResponse][google.cloud.asset.v1.AnalyzeIamPolicyResponse].
|
83
|
+
# This method implements the
|
84
|
+
# [google.longrunning.Operation][google.longrunning.Operation], which allows
|
85
|
+
# you to track the export status. We recommend intervals of at least 2
|
86
|
+
# seconds with exponential retry to poll the export operation result. The
|
87
|
+
# metadata contains the request to help callers to map responses to requests.
|
88
|
+
rpc :ExportIamPolicyAnalysis, Google::Cloud::Asset::V1::ExportIamPolicyAnalysisRequest, Google::Longrunning::Operation
|
77
89
|
end
|
78
90
|
|
79
91
|
Stub = Service.rpc_stub_class
|
@@ -3,14 +3,12 @@
|
|
3
3
|
|
4
4
|
require 'google/protobuf'
|
5
5
|
|
6
|
-
require 'google/api/annotations_pb'
|
7
6
|
require 'google/api/resource_pb'
|
8
7
|
require 'google/cloud/orgpolicy/v1/orgpolicy_pb'
|
9
8
|
require 'google/iam/v1/policy_pb'
|
10
9
|
require 'google/identity/accesscontextmanager/v1/access_level_pb'
|
11
10
|
require 'google/identity/accesscontextmanager/v1/access_policy_pb'
|
12
11
|
require 'google/identity/accesscontextmanager/v1/service_perimeter_pb'
|
13
|
-
require 'google/protobuf/any_pb'
|
14
12
|
require 'google/protobuf/struct_pb'
|
15
13
|
require 'google/protobuf/timestamp_pb'
|
16
14
|
require 'google/rpc/code_pb'
|
@@ -80,6 +78,45 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
|
|
80
78
|
add_message "google.cloud.asset.v1.IamPolicySearchResult.Explanation.Permissions" do
|
81
79
|
repeated :permissions, :string, 1
|
82
80
|
end
|
81
|
+
add_message "google.cloud.asset.v1.IamPolicyAnalysisState" do
|
82
|
+
optional :code, :enum, 1, "google.rpc.Code"
|
83
|
+
optional :cause, :string, 2
|
84
|
+
end
|
85
|
+
add_message "google.cloud.asset.v1.IamPolicyAnalysisResult" do
|
86
|
+
optional :attached_resource_full_name, :string, 1
|
87
|
+
optional :iam_binding, :message, 2, "google.iam.v1.Binding"
|
88
|
+
repeated :access_control_lists, :message, 3, "google.cloud.asset.v1.IamPolicyAnalysisResult.AccessControlList"
|
89
|
+
optional :identity_list, :message, 4, "google.cloud.asset.v1.IamPolicyAnalysisResult.IdentityList"
|
90
|
+
optional :fully_explored, :bool, 5
|
91
|
+
end
|
92
|
+
add_message "google.cloud.asset.v1.IamPolicyAnalysisResult.Resource" do
|
93
|
+
optional :full_resource_name, :string, 1
|
94
|
+
optional :analysis_state, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisState"
|
95
|
+
end
|
96
|
+
add_message "google.cloud.asset.v1.IamPolicyAnalysisResult.Access" do
|
97
|
+
optional :analysis_state, :message, 3, "google.cloud.asset.v1.IamPolicyAnalysisState"
|
98
|
+
oneof :oneof_access do
|
99
|
+
optional :role, :string, 1
|
100
|
+
optional :permission, :string, 2
|
101
|
+
end
|
102
|
+
end
|
103
|
+
add_message "google.cloud.asset.v1.IamPolicyAnalysisResult.Identity" do
|
104
|
+
optional :name, :string, 1
|
105
|
+
optional :analysis_state, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisState"
|
106
|
+
end
|
107
|
+
add_message "google.cloud.asset.v1.IamPolicyAnalysisResult.Edge" do
|
108
|
+
optional :source_node, :string, 1
|
109
|
+
optional :target_node, :string, 2
|
110
|
+
end
|
111
|
+
add_message "google.cloud.asset.v1.IamPolicyAnalysisResult.AccessControlList" do
|
112
|
+
repeated :resources, :message, 1, "google.cloud.asset.v1.IamPolicyAnalysisResult.Resource"
|
113
|
+
repeated :accesses, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisResult.Access"
|
114
|
+
repeated :resource_edges, :message, 3, "google.cloud.asset.v1.IamPolicyAnalysisResult.Edge"
|
115
|
+
end
|
116
|
+
add_message "google.cloud.asset.v1.IamPolicyAnalysisResult.IdentityList" do
|
117
|
+
repeated :identities, :message, 1, "google.cloud.asset.v1.IamPolicyAnalysisResult.Identity"
|
118
|
+
repeated :group_edges, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisResult.Edge"
|
119
|
+
end
|
83
120
|
end
|
84
121
|
end
|
85
122
|
|
@@ -96,6 +133,14 @@ module Google
|
|
96
133
|
IamPolicySearchResult = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicySearchResult").msgclass
|
97
134
|
IamPolicySearchResult::Explanation = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicySearchResult.Explanation").msgclass
|
98
135
|
IamPolicySearchResult::Explanation::Permissions = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicySearchResult.Explanation.Permissions").msgclass
|
136
|
+
IamPolicyAnalysisState = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisState").msgclass
|
137
|
+
IamPolicyAnalysisResult = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisResult").msgclass
|
138
|
+
IamPolicyAnalysisResult::Resource = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisResult.Resource").msgclass
|
139
|
+
IamPolicyAnalysisResult::Access = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisResult.Access").msgclass
|
140
|
+
IamPolicyAnalysisResult::Identity = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisResult.Identity").msgclass
|
141
|
+
IamPolicyAnalysisResult::Edge = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisResult.Edge").msgclass
|
142
|
+
IamPolicyAnalysisResult::AccessControlList = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisResult.AccessControlList").msgclass
|
143
|
+
IamPolicyAnalysisResult::IdentityList = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisResult.IdentityList").msgclass
|
99
144
|
end
|
100
145
|
end
|
101
146
|
end
|
@@ -37,9 +37,22 @@ module Google
|
|
37
37
|
# running the same query may get different results.
|
38
38
|
# @!attribute [rw] asset_types
|
39
39
|
# @return [::Array<::String>]
|
40
|
-
# A list of asset types
|
41
|
-
# "compute.googleapis.com/Disk".
|
42
|
-
#
|
40
|
+
# A list of asset types to take a snapshot for. For example:
|
41
|
+
# "compute.googleapis.com/Disk".
|
42
|
+
#
|
43
|
+
# Regular expressions are also supported. For example:
|
44
|
+
#
|
45
|
+
# * "compute.googleapis.com.*" snapshots resources whose asset type starts
|
46
|
+
# with "compute.googleapis.com".
|
47
|
+
# * ".*Instance" snapshots resources whose asset type ends with "Instance".
|
48
|
+
# * ".*Instance.*" snapshots resources whose asset type contains "Instance".
|
49
|
+
#
|
50
|
+
# See [RE2](https://github.com/google/re2/wiki/Syntax) for all supported
|
51
|
+
# regular expression syntax. If the regular expression does not match any
|
52
|
+
# supported asset type, an INVALID_ARGUMENT error will be returned.
|
53
|
+
#
|
54
|
+
# If specified, only matching assets will be returned, otherwise, it will
|
55
|
+
# snapshot all asset types. See [Introduction to Cloud Asset
|
43
56
|
# Inventory](https://cloud.google.com/asset-inventory/docs/overview)
|
44
57
|
# for all supported asset types.
|
45
58
|
# @!attribute [rw] content_type
|
@@ -48,24 +61,28 @@ module Google
|
|
48
61
|
# returned.
|
49
62
|
# @!attribute [rw] output_config
|
50
63
|
# @return [::Google::Cloud::Asset::V1::OutputConfig]
|
51
|
-
# Required. Output configuration indicating where the results will be output
|
52
|
-
# to.
|
64
|
+
# Required. Output configuration indicating where the results will be output to.
|
53
65
|
class ExportAssetsRequest
|
54
66
|
include ::Google::Protobuf::MessageExts
|
55
67
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
56
68
|
end
|
57
69
|
|
58
70
|
# The export asset response. This message is returned by the
|
59
|
-
# google.longrunning.Operations.GetOperation
|
60
|
-
#
|
61
|
-
# {::Google::Longrunning::Operation#response google.longrunning.Operation.response}
|
62
|
-
# field.
|
71
|
+
# google.longrunning.Operations.GetOperation method in the returned
|
72
|
+
# {::Google::Longrunning::Operation#response google.longrunning.Operation.response} field.
|
63
73
|
# @!attribute [rw] read_time
|
64
74
|
# @return [::Google::Protobuf::Timestamp]
|
65
75
|
# Time the snapshot was taken.
|
66
76
|
# @!attribute [rw] output_config
|
67
77
|
# @return [::Google::Cloud::Asset::V1::OutputConfig]
|
68
78
|
# Output configuration indicating where the results were output to.
|
79
|
+
# @!attribute [rw] output_result
|
80
|
+
# @return [::Google::Cloud::Asset::V1::OutputResult]
|
81
|
+
# Output result indicating where the assets were exported to. For example, a
|
82
|
+
# set of actual Google Cloud Storage object uris where the assets are
|
83
|
+
# exported to. The uris can be different from what [output_config] has
|
84
|
+
# specified, as the service will split the output object into multiple ones
|
85
|
+
# once it exceeds a single Google Cloud Storage object limit.
|
69
86
|
class ExportAssetsResponse
|
70
87
|
include ::Google::Protobuf::MessageExts
|
71
88
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -126,8 +143,9 @@ module Google
|
|
126
143
|
# be unique under a specific parent project/folder/organization.
|
127
144
|
# @!attribute [rw] feed
|
128
145
|
# @return [::Google::Cloud::Asset::V1::Feed]
|
129
|
-
# Required. The feed details. The field `name` must be empty and it will be
|
130
|
-
#
|
146
|
+
# Required. The feed details. The field `name` must be empty and it will be generated
|
147
|
+
# in the format of:
|
148
|
+
# projects/project_number/feeds/feed_id
|
131
149
|
# folders/folder_number/feeds/feed_id
|
132
150
|
# organizations/organization_number/feeds/feed_id
|
133
151
|
class CreateFeedRequest
|
@@ -169,8 +187,8 @@ module Google
|
|
169
187
|
# Update asset feed request.
|
170
188
|
# @!attribute [rw] feed
|
171
189
|
# @return [::Google::Cloud::Asset::V1::Feed]
|
172
|
-
# Required. The new values of feed details. It must match an existing feed
|
173
|
-
#
|
190
|
+
# Required. The new values of feed details. It must match an existing feed and the
|
191
|
+
# field `name` must be in the format of:
|
174
192
|
# projects/project_number/feeds/feed_id or
|
175
193
|
# folders/folder_number/feeds/feed_id or
|
176
194
|
# organizations/organization_number/feeds/feed_id.
|
@@ -208,6 +226,25 @@ module Google
|
|
208
226
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
209
227
|
end
|
210
228
|
|
229
|
+
# Output result of export assets.
|
230
|
+
# @!attribute [rw] gcs_result
|
231
|
+
# @return [::Google::Cloud::Asset::V1::GcsOutputResult]
|
232
|
+
# Export result on Cloud Storage.
|
233
|
+
class OutputResult
|
234
|
+
include ::Google::Protobuf::MessageExts
|
235
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
236
|
+
end
|
237
|
+
|
238
|
+
# A Cloud Storage output result.
|
239
|
+
# @!attribute [rw] uris
|
240
|
+
# @return [::Array<::String>]
|
241
|
+
# List of uris of the Cloud Storage objects. Example:
|
242
|
+
# "gs://bucket_name/object_name".
|
243
|
+
class GcsOutputResult
|
244
|
+
include ::Google::Protobuf::MessageExts
|
245
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
246
|
+
end
|
247
|
+
|
211
248
|
# A Cloud Storage location.
|
212
249
|
# @!attribute [rw] uri
|
213
250
|
# @return [::String]
|
@@ -324,8 +361,12 @@ module Google
|
|
324
361
|
# When set, `expression` field in the `Expr` must be a valid [CEL expression]
|
325
362
|
# (https://github.com/google/cel-spec) on a TemporalAsset with name
|
326
363
|
# `temporal_asset`. Example: a Feed with expression ("temporal_asset.deleted
|
327
|
-
# == true") will only publish Asset deletions. Other fields
|
364
|
+
# == true") will only publish Asset deletions. Other fields of `Expr` are
|
328
365
|
# optional.
|
366
|
+
#
|
367
|
+
# See our [user
|
368
|
+
# guide](https://cloud.google.com/asset-inventory/docs/monitoring-asset-changes#feed_with_condition)
|
369
|
+
# for detailed instructions.
|
329
370
|
class Feed
|
330
371
|
include ::Google::Protobuf::MessageExts
|
331
372
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -334,75 +375,81 @@ module Google
|
|
334
375
|
# Search all resources request.
|
335
376
|
# @!attribute [rw] scope
|
336
377
|
# @return [::String]
|
337
|
-
# Required. A scope can be a project, a folder or an organization. The search
|
338
|
-
#
|
378
|
+
# Required. A scope can be a project, a folder, or an organization. The search is
|
379
|
+
# limited to the resources within the `scope`. The caller must be granted the
|
380
|
+
# [`cloudasset.assets.searchAllResources`](http://cloud.google.com/asset-inventory/docs/access-control#required_permissions)
|
381
|
+
# permission on the desired scope.
|
339
382
|
#
|
340
383
|
# The allowed values are:
|
341
384
|
#
|
342
|
-
# * projects/\\{PROJECT_ID}
|
343
|
-
# * projects/\\{PROJECT_NUMBER}
|
344
|
-
# * folders/\\{FOLDER_NUMBER}
|
345
|
-
# * organizations/\\{ORGANIZATION_NUMBER}
|
385
|
+
# * projects/\\{PROJECT_ID} (e.g., "projects/foo-bar")
|
386
|
+
# * projects/\\{PROJECT_NUMBER} (e.g., "projects/12345678")
|
387
|
+
# * folders/\\{FOLDER_NUMBER} (e.g., "folders/1234567")
|
388
|
+
# * organizations/\\{ORGANIZATION_NUMBER} (e.g., "organizations/123456")
|
346
389
|
# @!attribute [rw] query
|
347
390
|
# @return [::String]
|
348
|
-
# Optional. The query statement.
|
349
|
-
#
|
391
|
+
# Optional. The query statement. See [how to construct a
|
392
|
+
# query](http://cloud.google.com/asset-inventory/docs/searching-resources#how_to_construct_a_query)
|
393
|
+
# for more information. If not specified or empty, it will search all the
|
394
|
+
# resources within the specified `scope`. Note that the query string is
|
395
|
+
# compared against each Cloud IAM policy binding, including its members,
|
396
|
+
# roles, and Cloud IAM conditions. The returned Cloud IAM policies will only
|
397
|
+
# contain the bindings that match your query. To learn more about the IAM
|
398
|
+
# policy structure, see [IAM policy
|
399
|
+
# doc](https://cloud.google.com/iam/docs/policies#structure).
|
350
400
|
#
|
351
401
|
# Examples:
|
352
402
|
#
|
353
|
-
# * `name
|
403
|
+
# * `name:Important` to find Cloud resources whose name contains
|
354
404
|
# "Important" as a word.
|
355
|
-
# * `displayName
|
356
|
-
# contains "Impor" as a
|
357
|
-
# * `description
|
405
|
+
# * `displayName:Impor*` to find Cloud resources whose display name
|
406
|
+
# contains "Impor" as a prefix.
|
407
|
+
# * `description:*por*` to find Cloud resources whose description
|
358
408
|
# contains "por" as a substring.
|
359
|
-
# * `location
|
409
|
+
# * `location:us-west*` to find Cloud resources whose location is
|
360
410
|
# prefixed with "us-west".
|
361
|
-
# * `labels
|
411
|
+
# * `labels:prod` to find Cloud resources whose labels contain "prod" as
|
362
412
|
# a key or value.
|
363
|
-
# * `labels.env
|
413
|
+
# * `labels.env:prod` to find Cloud resources that have a label "env"
|
364
414
|
# and its value is "prod".
|
365
|
-
# * `labels.env
|
366
|
-
# * `
|
415
|
+
# * `labels.env:*` to find Cloud resources that have a label "env".
|
416
|
+
# * `Important` to find Cloud resources that contain "Important" as a word
|
367
417
|
# in any of the searchable fields.
|
368
|
-
# * `
|
418
|
+
# * `Impor*` to find Cloud resources that contain "Impor" as a prefix
|
369
419
|
# in any of the searchable fields.
|
370
|
-
# *
|
420
|
+
# * `*por*` to find Cloud resources that contain "por" as a substring in
|
371
421
|
# any of the searchable fields.
|
372
|
-
# * `
|
373
|
-
# resources
|
422
|
+
# * `Important location:(us-west1 OR global)` to find Cloud
|
423
|
+
# resources that contain "Important" as a word in any of the searchable
|
374
424
|
# fields and are also located in the "us-west1" region or the "global"
|
375
425
|
# location.
|
376
|
-
#
|
377
|
-
# See [how to construct a
|
378
|
-
# query](https://cloud.google.com/asset-inventory/docs/searching-resources#how_to_construct_a_query)
|
379
|
-
# for more details.
|
380
426
|
# @!attribute [rw] asset_types
|
381
427
|
# @return [::Array<::String>]
|
382
|
-
# Optional. A list of asset types that this request searches for. If empty,
|
383
|
-
#
|
428
|
+
# Optional. A list of asset types that this request searches for. If empty, it will
|
429
|
+
# search all the [searchable asset
|
384
430
|
# types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types).
|
385
431
|
# @!attribute [rw] page_size
|
386
432
|
# @return [::Integer]
|
387
|
-
# Optional. The page size for search result pagination. Page size is capped
|
388
|
-
#
|
389
|
-
#
|
390
|
-
#
|
391
|
-
# returned.
|
433
|
+
# Optional. The page size for search result pagination. Page size is capped at 500 even
|
434
|
+
# if a larger value is given. If set to zero, server will pick an appropriate
|
435
|
+
# default. Returned results may be fewer than requested. When this happens,
|
436
|
+
# there could be more results as long as `next_page_token` is returned.
|
392
437
|
# @!attribute [rw] page_token
|
393
438
|
# @return [::String]
|
394
|
-
# Optional. If present, then retrieve the next batch of results from the
|
395
|
-
#
|
396
|
-
#
|
397
|
-
#
|
439
|
+
# Optional. If present, then retrieve the next batch of results from the preceding call
|
440
|
+
# to this method. `page_token` must be the value of `next_page_token` from
|
441
|
+
# the previous response. The values of all other method parameters, must be
|
442
|
+
# identical to those in the previous call.
|
398
443
|
# @!attribute [rw] order_by
|
399
444
|
# @return [::String]
|
400
|
-
# Optional. A comma separated list of fields specifying the sorting order of
|
401
|
-
#
|
402
|
-
#
|
403
|
-
# Example: "location DESC, name".
|
404
|
-
#
|
405
|
-
#
|
445
|
+
# Optional. A comma separated list of fields specifying the sorting order of the
|
446
|
+
# results. The default order is ascending. Add " DESC" after the field name
|
447
|
+
# to indicate descending order. Redundant space characters are ignored.
|
448
|
+
# Example: "location DESC, name". Only string fields in the response are
|
449
|
+
# sortable, including `name`, `displayName`, `description`, `location`. All
|
450
|
+
# the other fields such as repeated fields (e.g., `networkTags`), map
|
451
|
+
# fields (e.g., `labels`) and struct fields (e.g., `additionalAttributes`)
|
452
|
+
# are not supported.
|
406
453
|
class SearchAllResourcesRequest
|
407
454
|
include ::Google::Protobuf::MessageExts
|
408
455
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -426,51 +473,58 @@ module Google
|
|
426
473
|
# Search all IAM policies request.
|
427
474
|
# @!attribute [rw] scope
|
428
475
|
# @return [::String]
|
429
|
-
# Required. A scope can be a project, a folder or an organization. The search
|
430
|
-
#
|
476
|
+
# Required. A scope can be a project, a folder, or an organization. The search is
|
477
|
+
# limited to the IAM policies within the `scope`. The caller must be granted
|
478
|
+
# the
|
479
|
+
# [`cloudasset.assets.searchAllIamPolicies`](http://cloud.google.com/asset-inventory/docs/access-control#required_permissions)
|
480
|
+
# permission on the desired scope.
|
431
481
|
#
|
432
482
|
# The allowed values are:
|
433
483
|
#
|
434
|
-
# * projects/\\{PROJECT_ID}
|
435
|
-
# * projects/\\{PROJECT_NUMBER}
|
436
|
-
# * folders/\\{FOLDER_NUMBER}
|
437
|
-
# * organizations/\\{ORGANIZATION_NUMBER}
|
484
|
+
# * projects/\\{PROJECT_ID} (e.g., "projects/foo-bar")
|
485
|
+
# * projects/\\{PROJECT_NUMBER} (e.g., "projects/12345678")
|
486
|
+
# * folders/\\{FOLDER_NUMBER} (e.g., "folders/1234567")
|
487
|
+
# * organizations/\\{ORGANIZATION_NUMBER} (e.g., "organizations/123456")
|
438
488
|
# @!attribute [rw] query
|
439
489
|
# @return [::String]
|
440
|
-
# Optional. The query statement.
|
441
|
-
#
|
490
|
+
# Optional. The query statement. See [how to construct a
|
491
|
+
# query](https://cloud.google.com/asset-inventory/docs/searching-iam-policies#how_to_construct_a_query)
|
492
|
+
# for more information. If not specified or empty, it will search all the
|
493
|
+
# IAM policies within the specified `scope`.
|
442
494
|
#
|
443
495
|
# Examples:
|
444
496
|
#
|
445
|
-
# * `policy
|
446
|
-
#
|
447
|
-
# * `policy
|
448
|
-
#
|
449
|
-
# * `policy.role.permissions
|
450
|
-
#
|
451
|
-
# permission.
|
452
|
-
#
|
453
|
-
#
|
454
|
-
# * `
|
455
|
-
#
|
456
|
-
#
|
457
|
-
#
|
458
|
-
#
|
459
|
-
#
|
460
|
-
#
|
497
|
+
# * `policy:amy@gmail.com` to find IAM policy bindings that specify user
|
498
|
+
# "amy@gmail.com".
|
499
|
+
# * `policy:roles/compute.admin` to find IAM policy bindings that specify
|
500
|
+
# the Compute Admin role.
|
501
|
+
# * `policy.role.permissions:storage.buckets.update` to find IAM policy
|
502
|
+
# bindings that specify a role containing "storage.buckets.update"
|
503
|
+
# permission. Note that if callers don't have `iam.roles.get` access to a
|
504
|
+
# role's included permissions, policy bindings that specify this role will
|
505
|
+
# be dropped from the search results.
|
506
|
+
# * `resource:organizations/123456` to find IAM policy bindings
|
507
|
+
# that are set on "organizations/123456".
|
508
|
+
# * `Important` to find IAM policy bindings that contain "Important" as a
|
509
|
+
# word in any of the searchable fields (except for the included
|
510
|
+
# permissions).
|
511
|
+
# * `*por*` to find IAM policy bindings that contain "por" as a substring
|
512
|
+
# in any of the searchable fields (except for the included permissions).
|
513
|
+
# * `resource:(instance1 OR instance2) policy:amy` to find
|
514
|
+
# IAM policy bindings that are set on resources "instance1" or
|
515
|
+
# "instance2" and also specify user "amy".
|
461
516
|
# @!attribute [rw] page_size
|
462
517
|
# @return [::Integer]
|
463
|
-
# Optional. The page size for search result pagination. Page size is capped
|
464
|
-
#
|
465
|
-
#
|
466
|
-
#
|
467
|
-
# returned.
|
518
|
+
# Optional. The page size for search result pagination. Page size is capped at 500 even
|
519
|
+
# if a larger value is given. If set to zero, server will pick an appropriate
|
520
|
+
# default. Returned results may be fewer than requested. When this happens,
|
521
|
+
# there could be more results as long as `next_page_token` is returned.
|
468
522
|
# @!attribute [rw] page_token
|
469
523
|
# @return [::String]
|
470
|
-
# Optional. If present, retrieve the next batch of results from the preceding
|
471
|
-
#
|
472
|
-
#
|
473
|
-
#
|
524
|
+
# Optional. If present, retrieve the next batch of results from the preceding call to
|
525
|
+
# this method. `page_token` must be the value of `next_page_token` from the
|
526
|
+
# previous response. The values of all other method parameters must be
|
527
|
+
# identical to those in the previous call.
|
474
528
|
class SearchAllIamPoliciesRequest
|
475
529
|
include ::Google::Protobuf::MessageExts
|
476
530
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -491,6 +545,432 @@ module Google
|
|
491
545
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
492
546
|
end
|
493
547
|
|
548
|
+
# IAM policy analysis query message.
|
549
|
+
# @!attribute [rw] scope
|
550
|
+
# @return [::String]
|
551
|
+
# The relative name of the root asset. Only resources and IAM policies within
|
552
|
+
# the scope will be analyzed.
|
553
|
+
#
|
554
|
+
# This can only be an organization number (such as "organizations/123"), a
|
555
|
+
# folder number (such as "folders/123"), a project ID (such as
|
556
|
+
# "projects/my-project-id"), or a project number (such as "projects/12345").
|
557
|
+
#
|
558
|
+
# To know how to get organization id, visit [here
|
559
|
+
# ](https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id).
|
560
|
+
#
|
561
|
+
# To know how to get folder or project id, visit [here
|
562
|
+
# ](https://cloud.google.com/resource-manager/docs/creating-managing-folders#viewing_or_listing_folders_and_projects).
|
563
|
+
# @!attribute [rw] resource_selector
|
564
|
+
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::ResourceSelector]
|
565
|
+
# Specifies a resource for analysis.
|
566
|
+
# @!attribute [rw] identity_selector
|
567
|
+
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::IdentitySelector]
|
568
|
+
# Specifies an identity for analysis.
|
569
|
+
# @!attribute [rw] access_selector
|
570
|
+
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::AccessSelector]
|
571
|
+
# Specifies roles or permissions for analysis. This is optional.
|
572
|
+
# @!attribute [rw] options
|
573
|
+
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::Options]
|
574
|
+
# The query options.
|
575
|
+
class IamPolicyAnalysisQuery
|
576
|
+
include ::Google::Protobuf::MessageExts
|
577
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
578
|
+
|
579
|
+
# Specifies the resource to analyze for access policies, which may be set
|
580
|
+
# directly on the resource, or on ancestors such as organizations, folders or
|
581
|
+
# projects.
|
582
|
+
# @!attribute [rw] full_resource_name
|
583
|
+
# @return [::String]
|
584
|
+
# The [full resource name]
|
585
|
+
# (https://cloud.google.com/asset-inventory/docs/resource-name-format)
|
586
|
+
# of a resource of [supported resource
|
587
|
+
# types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#analyzable_asset_types).
|
588
|
+
class ResourceSelector
|
589
|
+
include ::Google::Protobuf::MessageExts
|
590
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
591
|
+
end
|
592
|
+
|
593
|
+
# Specifies an identity for which to determine resource access, based on
|
594
|
+
# roles assigned either directly to them or to the groups they belong to,
|
595
|
+
# directly or indirectly.
|
596
|
+
# @!attribute [rw] identity
|
597
|
+
# @return [::String]
|
598
|
+
# The identity appear in the form of members in
|
599
|
+
# [IAM policy
|
600
|
+
# binding](https://cloud.google.com/iam/reference/rest/v1/Binding).
|
601
|
+
#
|
602
|
+
# The examples of supported forms are:
|
603
|
+
# "user:mike@example.com",
|
604
|
+
# "group:admins@example.com",
|
605
|
+
# "domain:google.com",
|
606
|
+
# "serviceAccount:my-project-id@appspot.gserviceaccount.com".
|
607
|
+
#
|
608
|
+
# Notice that wildcard characters (such as * and ?) are not supported.
|
609
|
+
# You must give a specific identity.
|
610
|
+
class IdentitySelector
|
611
|
+
include ::Google::Protobuf::MessageExts
|
612
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
613
|
+
end
|
614
|
+
|
615
|
+
# Specifies roles and/or permissions to analyze, to determine both the
|
616
|
+
# identities possessing them and the resources they control. If multiple
|
617
|
+
# values are specified, results will include roles or permissions matching
|
618
|
+
# any of them.
|
619
|
+
# @!attribute [rw] roles
|
620
|
+
# @return [::Array<::String>]
|
621
|
+
# The roles to appear in result.
|
622
|
+
# @!attribute [rw] permissions
|
623
|
+
# @return [::Array<::String>]
|
624
|
+
# The permissions to appear in result.
|
625
|
+
class AccessSelector
|
626
|
+
include ::Google::Protobuf::MessageExts
|
627
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
628
|
+
end
|
629
|
+
|
630
|
+
# Contains query options.
|
631
|
+
# @!attribute [rw] expand_groups
|
632
|
+
# @return [::Boolean]
|
633
|
+
# If true, the identities section of the result will expand any
|
634
|
+
# Google groups appearing in an IAM policy binding.
|
635
|
+
#
|
636
|
+
# If
|
637
|
+
# {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#identity_selector google.cloud.asset.v1.IamPolicyAnalysisQuery.identity_selector}
|
638
|
+
# is specified, the identity in the result will be determined by the
|
639
|
+
# selector, and this flag is not allowed to set.
|
640
|
+
#
|
641
|
+
# Default is false.
|
642
|
+
# @!attribute [rw] expand_roles
|
643
|
+
# @return [::Boolean]
|
644
|
+
# If true, the access section of result will expand any roles
|
645
|
+
# appearing in IAM policy bindings to include their permissions.
|
646
|
+
#
|
647
|
+
# If
|
648
|
+
# {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#access_selector google.cloud.asset.v1.IamPolicyAnalysisQuery.access_selector}
|
649
|
+
# is specified, the access section of the result will be determined by the
|
650
|
+
# selector, and this flag is not allowed to set.
|
651
|
+
#
|
652
|
+
# Default is false.
|
653
|
+
# @!attribute [rw] expand_resources
|
654
|
+
# @return [::Boolean]
|
655
|
+
# If true and
|
656
|
+
# {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#resource_selector google.cloud.asset.v1.IamPolicyAnalysisQuery.resource_selector}
|
657
|
+
# is not specified, the resource section of the result will expand any
|
658
|
+
# resource attached to an IAM policy to include resources lower in the
|
659
|
+
# resource hierarchy.
|
660
|
+
#
|
661
|
+
# For example, if the request analyzes for which resources user A has
|
662
|
+
# permission P, and the results include an IAM policy with P on a GCP
|
663
|
+
# folder, the results will also include resources in that folder with
|
664
|
+
# permission P.
|
665
|
+
#
|
666
|
+
# If true and
|
667
|
+
# {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#resource_selector google.cloud.asset.v1.IamPolicyAnalysisQuery.resource_selector}
|
668
|
+
# is specified, the resource section of the result will expand the
|
669
|
+
# specified resource to include resources lower in the resource hierarchy.
|
670
|
+
#
|
671
|
+
# For example, if the request analyzes for which users have permission P on
|
672
|
+
# a GCP folder with this option enabled, the results will include all users
|
673
|
+
# who have permission P on that folder or any lower resource(ex. project).
|
674
|
+
#
|
675
|
+
# Default is false.
|
676
|
+
# @!attribute [rw] output_resource_edges
|
677
|
+
# @return [::Boolean]
|
678
|
+
# If true, the result will output resource edges, starting
|
679
|
+
# from the policy attached resource, to any expanded resources.
|
680
|
+
# Default is false.
|
681
|
+
# @!attribute [rw] output_group_edges
|
682
|
+
# @return [::Boolean]
|
683
|
+
# If true, the result will output group identity edges, starting
|
684
|
+
# from the binding's group members, to any expanded identities.
|
685
|
+
# Default is false.
|
686
|
+
# @!attribute [rw] analyze_service_account_impersonation
|
687
|
+
# @return [::Boolean]
|
688
|
+
# If true, the response will include access analysis from identities to
|
689
|
+
# resources via service account impersonation. This is a very expensive
|
690
|
+
# operation, because many derived queries will be executed. We highly
|
691
|
+
# recommend you use
|
692
|
+
# {::Google::Cloud::Asset::V1::AssetService::Client#export_iam_policy_analysis google.cloud.asset.v1.AssetService.ExportIamPolicyAnalysis}
|
693
|
+
# rpc instead.
|
694
|
+
#
|
695
|
+
# For example, if the request analyzes for which resources user A has
|
696
|
+
# permission P, and there's an IAM policy states user A has
|
697
|
+
# iam.serviceAccounts.getAccessToken permission to a service account SA,
|
698
|
+
# and there's another IAM policy states service account SA has permission P
|
699
|
+
# to a GCP folder F, then user A potentially has access to the GCP folder
|
700
|
+
# F. And those advanced analysis results will be included in
|
701
|
+
# {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis google.cloud.asset.v1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis}.
|
702
|
+
#
|
703
|
+
# Another example, if the request analyzes for who has
|
704
|
+
# permission P to a GCP folder F, and there's an IAM policy states user A
|
705
|
+
# has iam.serviceAccounts.actAs permission to a service account SA, and
|
706
|
+
# there's another IAM policy states service account SA has permission P to
|
707
|
+
# the GCP folder F, then user A potentially has access to the GCP folder
|
708
|
+
# F. And those advanced analysis results will be included in
|
709
|
+
# {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis google.cloud.asset.v1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis}.
|
710
|
+
#
|
711
|
+
# Default is false.
|
712
|
+
# @!attribute [rw] max_fanouts_per_group
|
713
|
+
# @return [::Integer]
|
714
|
+
# The maximum number of fanouts per group when [expand_groups][expand_groups]
|
715
|
+
# is enabled. This internal field is to help load testing and determine a
|
716
|
+
# proper value, and won't be public in the future.
|
717
|
+
# @!attribute [rw] max_fanouts_per_resource
|
718
|
+
# @return [::Integer]
|
719
|
+
# The maximum number of fanouts per parent resource, such as
|
720
|
+
# GCP Project etc., when [expand_resources][] is enabled. This internal
|
721
|
+
# field is to help load testing and determine a proper value, and won't be
|
722
|
+
# public in the future.
|
723
|
+
class Options
|
724
|
+
include ::Google::Protobuf::MessageExts
|
725
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
726
|
+
end
|
727
|
+
end
|
728
|
+
|
729
|
+
# A request message for
|
730
|
+
# {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy google.cloud.asset.v1.AssetService.AnalyzeIamPolicy}.
|
731
|
+
# @!attribute [rw] analysis_query
|
732
|
+
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery]
|
733
|
+
# The request query.
|
734
|
+
# @!attribute [rw] execution_timeout
|
735
|
+
# @return [::Google::Protobuf::Duration]
|
736
|
+
# Amount of time executable has to complete. See JSON representation of
|
737
|
+
# [Duration](https://developers.google.com/protocol-buffers/docs/proto3#json).
|
738
|
+
#
|
739
|
+
# If this field is set with a value less than the RPC deadline, and the
|
740
|
+
# execution of your query hasn't finished in the specified
|
741
|
+
# execution timeout, you will get a response with partial result.
|
742
|
+
# Otherwise, your query's execution will continue until the RPC deadline.
|
743
|
+
# If it's not finished until then, you will get a DEADLINE_EXCEEDED error.
|
744
|
+
#
|
745
|
+
# Default is empty.
|
746
|
+
#
|
747
|
+
# (-- We had discussion of whether we should have this field in the --)
|
748
|
+
# (-- request or use the RPC deadline instead. We finally choose this --)
|
749
|
+
# (-- approach for the following reasons (detailed in --)
|
750
|
+
# (-- go/analyze-iam-policy-deadlines): --)
|
751
|
+
# (-- * HTTP clients have very limited support of the RPC deadline. --)
|
752
|
+
# (-- There is an X-Server-Timeout header introduced in 2019/09, but --)
|
753
|
+
# (-- only implemented in the C++ HTTP server library. --)
|
754
|
+
# (-- * The purpose of the RPC deadline is for RPC clients to --)
|
755
|
+
# (-- communicate its max waiting time to the server. This deadline --)
|
756
|
+
# (-- could be further propagated to the downstream servers. It is --)
|
757
|
+
# (-- mainly used for servers to cancel the request processing --)
|
758
|
+
# (-- to avoid resource wasting. Overloading the RPC deadline for --)
|
759
|
+
# (-- other purposes could make our backend system harder to reason --)
|
760
|
+
# (-- about. --)
|
761
|
+
class AnalyzeIamPolicyRequest
|
762
|
+
include ::Google::Protobuf::MessageExts
|
763
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
764
|
+
end
|
765
|
+
|
766
|
+
# A response message for
|
767
|
+
# {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy google.cloud.asset.v1.AssetService.AnalyzeIamPolicy}.
|
768
|
+
# @!attribute [rw] main_analysis
|
769
|
+
# @return [::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis]
|
770
|
+
# The main analysis that matches the original request.
|
771
|
+
# @!attribute [rw] service_account_impersonation_analysis
|
772
|
+
# @return [::Array<::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis>]
|
773
|
+
# The service account impersonation analysis if
|
774
|
+
# [google.cloud.asset.v1.AnalyzeIamPolicyRequest.analyze_service_account_impersonation][google.cloud.asset.v1.AnalyzeIamPolicyRequest.analyze_service_account_impersonation]
|
775
|
+
# is enabled.
|
776
|
+
# @!attribute [rw] fully_explored
|
777
|
+
# @return [::Boolean]
|
778
|
+
# Represents whether all entries in the [main_analysis][main_analysis] and
|
779
|
+
# [service_account_impersonation_analysis][] have been fully explored to
|
780
|
+
# answer the query in the request.
|
781
|
+
class AnalyzeIamPolicyResponse
|
782
|
+
include ::Google::Protobuf::MessageExts
|
783
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
784
|
+
|
785
|
+
# An analysis message to group the query and results.
|
786
|
+
# @!attribute [rw] analysis_query
|
787
|
+
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery]
|
788
|
+
# The analysis query.
|
789
|
+
# @!attribute [rw] analysis_results
|
790
|
+
# @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult>]
|
791
|
+
# A list of {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult google.cloud.asset.v1.IamPolicyAnalysisResult}
|
792
|
+
# that matches the analysis query, or empty if no result is found.
|
793
|
+
# @!attribute [rw] fully_explored
|
794
|
+
# @return [::Boolean]
|
795
|
+
# Represents whether all entries in the
|
796
|
+
# [analysis_results][analysis_results] have been fully explored to answer
|
797
|
+
# the query.
|
798
|
+
# @!attribute [rw] stats
|
799
|
+
# @return [::Array<::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis::Stats>]
|
800
|
+
# The stats of how the analysis has been explored.
|
801
|
+
# @!attribute [rw] non_critical_errors
|
802
|
+
# @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisState>]
|
803
|
+
# A list of non-critical errors happened during the query handling.
|
804
|
+
class IamPolicyAnalysis
|
805
|
+
include ::Google::Protobuf::MessageExts
|
806
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
807
|
+
|
808
|
+
# A stats message that contains a set of analysis metrics.
|
809
|
+
#
|
810
|
+
# Here are some equations to show relationships of the explicitly specified
|
811
|
+
# metrics with other implicit metrics:
|
812
|
+
# * node_count = discovered_node_count + undiscovered_node_count(implicit)
|
813
|
+
# * discovered_node_count = explored_node_count +
|
814
|
+
# unexplored_node_count(implicit)
|
815
|
+
# * explored_node_count = capped_node_count + uncapped_node_count(implicit)
|
816
|
+
# * unexplored_node_count(implicit) = permission_denied_node_count +
|
817
|
+
# execution_timeout_node_count + other_unexplored_node_count(implicit)
|
818
|
+
# * discovered_node_count = matched_node_count +
|
819
|
+
# unmatched_node_count(implicit)
|
820
|
+
# @!attribute [rw] node_type
|
821
|
+
# @return [::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis::Stats::NodeType]
|
822
|
+
# Node type.
|
823
|
+
# @!attribute [rw] node_subtype
|
824
|
+
# @return [::String]
|
825
|
+
# The subtype of a node, such as:
|
826
|
+
# * For Identity: Group, User, ServiceAccount etc.
|
827
|
+
# * For Resource: resource type name, such as
|
828
|
+
# cloudresourcemanager.googleapis.com/Organization, etc.
|
829
|
+
# * For Access: Role or Permission
|
830
|
+
# @!attribute [rw] discovered_node_count
|
831
|
+
# @return [::Integer]
|
832
|
+
# The count of discovered nodes.
|
833
|
+
# @!attribute [rw] matched_node_count
|
834
|
+
# @return [::Integer]
|
835
|
+
# The count of nodes that match the query. These nodes form a sub-graph
|
836
|
+
# of discovered nodes.
|
837
|
+
# @!attribute [rw] explored_node_count
|
838
|
+
# @return [::Integer]
|
839
|
+
# The count of explored nodes.
|
840
|
+
# @!attribute [rw] capped_node_count
|
841
|
+
# @return [::Integer]
|
842
|
+
# The count of nodes that get explored, but are capped by max fanout
|
843
|
+
# setting.
|
844
|
+
# @!attribute [rw] permision_denied_node_count
|
845
|
+
# @return [::Integer]
|
846
|
+
# The count of unexplored nodes caused by permission denied error.
|
847
|
+
# @!attribute [rw] execution_timeout_node_count
|
848
|
+
# @return [::Integer]
|
849
|
+
# The count of unexplored nodes caused by execution timeout.
|
850
|
+
class Stats
|
851
|
+
include ::Google::Protobuf::MessageExts
|
852
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
853
|
+
|
854
|
+
# Type of the node.
|
855
|
+
module NodeType
|
856
|
+
# Unspecified node type.
|
857
|
+
NODE_TYPE_UNSPECIFIED = 0
|
858
|
+
|
859
|
+
# IAM Policy Binding node type.
|
860
|
+
BINDING = 1
|
861
|
+
|
862
|
+
# Identity node type.
|
863
|
+
IDENTITY = 2
|
864
|
+
|
865
|
+
# Resource node type.
|
866
|
+
RESOURCE = 3
|
867
|
+
|
868
|
+
# Access node type.
|
869
|
+
ACCESS = 4
|
870
|
+
end
|
871
|
+
end
|
872
|
+
end
|
873
|
+
end
|
874
|
+
|
875
|
+
# Output configuration for export IAM policy analysis destination.
|
876
|
+
# @!attribute [rw] gcs_destination
|
877
|
+
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig::GcsDestination]
|
878
|
+
# Destination on Cloud Storage.
|
879
|
+
# @!attribute [rw] bigquery_destination
|
880
|
+
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig::BigQueryDestination]
|
881
|
+
# Destination on BigQuery.
|
882
|
+
class IamPolicyAnalysisOutputConfig
|
883
|
+
include ::Google::Protobuf::MessageExts
|
884
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
885
|
+
|
886
|
+
# A Cloud Storage location.
|
887
|
+
# @!attribute [rw] uri
|
888
|
+
# @return [::String]
|
889
|
+
# The uri of the Cloud Storage object. It's the same uri that is used by
|
890
|
+
# gsutil. For example: "gs://bucket_name/object_name". See [Viewing and
|
891
|
+
# Editing Object
|
892
|
+
# Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata)
|
893
|
+
# for more information.
|
894
|
+
class GcsDestination
|
895
|
+
include ::Google::Protobuf::MessageExts
|
896
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
897
|
+
end
|
898
|
+
|
899
|
+
# A BigQuery destination.
|
900
|
+
# @!attribute [rw] dataset
|
901
|
+
# @return [::String]
|
902
|
+
# The BigQuery dataset in format "projects/projectId/datasets/datasetId",
|
903
|
+
# to which the analysis results should be exported. If this dataset does
|
904
|
+
# not exist, the export call will return an INVALID_ARGUMENT error.
|
905
|
+
# @!attribute [rw] table_prefix
|
906
|
+
# @return [::String]
|
907
|
+
# The prefix of the BigQuery tables to which the analysis results will be
|
908
|
+
# written. Tables will be created based on this table_prefix if not exist:
|
909
|
+
# * <table_prefix>_analysis table will contain export operation's metadata.
|
910
|
+
# * <table_prefix>_analysis_result will contain all the
|
911
|
+
# [IamPolicyAnalysisResult][].
|
912
|
+
# When [partition_key] is specified, both tables will be partitioned based
|
913
|
+
# on the [partition_key].
|
914
|
+
# @!attribute [rw] partition_key
|
915
|
+
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig::BigQueryDestination::PartitionKey]
|
916
|
+
# The partition key for BigQuery partitioned table.
|
917
|
+
# @!attribute [rw] write_mode
|
918
|
+
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig::BigQueryDestination::WriteMode]
|
919
|
+
# The write mode when table exists. WriteMode is ignored when no existing
|
920
|
+
# tables, or no existing partitions are found.
|
921
|
+
class BigQueryDestination
|
922
|
+
include ::Google::Protobuf::MessageExts
|
923
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
924
|
+
|
925
|
+
# This enum determines the partition key column for the bigquery tables.
|
926
|
+
# Partitioning can improve query performance and reduce query cost by
|
927
|
+
# filtering partitions. Refer to
|
928
|
+
# https://cloud.google.com/bigquery/docs/partitioned-tables for details.
|
929
|
+
module PartitionKey
|
930
|
+
# Unspecified partition key. Tables won't be partitioned using this
|
931
|
+
# option.
|
932
|
+
PARTITION_KEY_UNSPECIFIED = 0
|
933
|
+
|
934
|
+
# The time when the request is received. If specified as partition key,
|
935
|
+
# the result table(s) is partitoned by the RequestTime column, an
|
936
|
+
# additional timestamp column representing when the request was received.
|
937
|
+
REQUEST_TIME = 1
|
938
|
+
end
|
939
|
+
|
940
|
+
# Write mode types if table exists.
|
941
|
+
module WriteMode
|
942
|
+
# Unspecified write mode. We expect one of the following valid modes must
|
943
|
+
# be specified when table or partition exists.
|
944
|
+
WRITE_MODE_UNSPECIFIED = 0
|
945
|
+
|
946
|
+
# Abort the export when table or partition exists.
|
947
|
+
ABORT = 1
|
948
|
+
|
949
|
+
# Overwrite the table when table exists. When partitioned, overwrite
|
950
|
+
# the existing partition.
|
951
|
+
OVERWRITE = 2
|
952
|
+
end
|
953
|
+
end
|
954
|
+
end
|
955
|
+
|
956
|
+
# A request message for [AssetService.ExportIamPolicyAnalysis][].
|
957
|
+
# @!attribute [rw] analysis_query
|
958
|
+
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery]
|
959
|
+
# The request query.
|
960
|
+
# @!attribute [rw] output_config
|
961
|
+
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig]
|
962
|
+
# Output configuration indicating where the results will be output to.
|
963
|
+
class ExportIamPolicyAnalysisRequest
|
964
|
+
include ::Google::Protobuf::MessageExts
|
965
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
966
|
+
end
|
967
|
+
|
968
|
+
# The export IAM policy analysis response.
|
969
|
+
class ExportIamPolicyAnalysisResponse
|
970
|
+
include ::Google::Protobuf::MessageExts
|
971
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
972
|
+
end
|
973
|
+
|
494
974
|
# Asset content type.
|
495
975
|
module ContentType
|
496
976
|
# Unspecified content type.
|
@@ -505,7 +985,7 @@ module Google
|
|
505
985
|
# The Cloud Organization Policy set on an asset.
|
506
986
|
ORG_POLICY = 4
|
507
987
|
|
508
|
-
# The Cloud Access context
|
988
|
+
# The Cloud Access context manager Policy set on an asset.
|
509
989
|
ACCESS_POLICY = 5
|
510
990
|
end
|
511
991
|
end
|