google-cloud-asset-v1 0.6.1 → 0.10.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +64 -0
- data/lib/google/cloud/asset/v1.rb +3 -0
- data/lib/google/cloud/asset/v1/asset_service/client.rb +187 -2
- data/lib/google/cloud/asset/v1/asset_service/operations.rb +89 -4
- data/lib/google/cloud/asset/v1/asset_service_pb.rb +92 -0
- data/lib/google/cloud/asset/v1/asset_service_services_pb.rb +22 -9
- data/lib/google/cloud/asset/v1/assets_pb.rb +49 -0
- data/lib/google/cloud/asset/v1/version.rb +1 -1
- data/lib/google/cloud/osconfig/v1/inventory_pb.rb +108 -0
- data/proto_docs/google/api/field_behavior.rb +6 -0
- data/proto_docs/google/api/resource.rb +50 -14
- data/proto_docs/google/cloud/asset/v1/asset_service.rb +406 -0
- data/proto_docs/google/cloud/asset/v1/assets.rb +172 -0
- data/proto_docs/google/cloud/osconfig/v1/inventory.rb +284 -0
- data/proto_docs/google/longrunning/operations.rb +17 -3
- data/proto_docs/google/protobuf/any.rb +5 -2
- data/proto_docs/google/protobuf/timestamp.rb +10 -1
- metadata +8 -4
@@ -287,11 +287,91 @@ module Google
|
|
287
287
|
# table will be overwritten by the contents of assets snapshot. If the flag
|
288
288
|
# is `FALSE` or unset and the destination table already exists, the export
|
289
289
|
# call returns an INVALID_ARGUMEMT error.
|
290
|
+
# @!attribute [rw] partition_spec
|
291
|
+
# @return [::Google::Cloud::Asset::V1::PartitionSpec]
|
292
|
+
# [partition_spec] determines whether to export to partitioned table(s) and
|
293
|
+
# how to partition the data.
|
294
|
+
#
|
295
|
+
# If [partition_spec] is unset or [partition_spec.partition_key] is unset or
|
296
|
+
# `PARTITION_KEY_UNSPECIFIED`, the snapshot results will be exported to
|
297
|
+
# non-partitioned table(s). [force] will decide whether to overwrite existing
|
298
|
+
# table(s).
|
299
|
+
#
|
300
|
+
# If [partition_spec] is specified. First, the snapshot results will be
|
301
|
+
# written to partitioned table(s) with two additional timestamp columns,
|
302
|
+
# readTime and requestTime, one of which will be the partition key. Secondly,
|
303
|
+
# in the case when any destination table already exists, it will first try to
|
304
|
+
# update existing table's schema as necessary by appending additional
|
305
|
+
# columns. Then, if [force] is `TRUE`, the corresponding partition will be
|
306
|
+
# overwritten by the snapshot results (data in different partitions will
|
307
|
+
# remain intact); if [force] is unset or `FALSE`, it will append the data. An
|
308
|
+
# error will be returned if the schema update or data appension fails.
|
309
|
+
# @!attribute [rw] separate_tables_per_asset_type
|
310
|
+
# @return [::Boolean]
|
311
|
+
# If this flag is `TRUE`, the snapshot results will be written to one or
|
312
|
+
# multiple tables, each of which contains results of one asset type. The
|
313
|
+
# [force] and [partition_spec] fields will apply to each of them.
|
314
|
+
#
|
315
|
+
# Field [table] will be concatenated with "_" and the asset type names (see
|
316
|
+
# https://cloud.google.com/asset-inventory/docs/supported-asset-types for
|
317
|
+
# supported asset types) to construct per-asset-type table names, in which
|
318
|
+
# all non-alphanumeric characters like "." and "/" will be substituted by
|
319
|
+
# "_". Example: if field [table] is "mytable" and snapshot results
|
320
|
+
# contain "storage.googleapis.com/Bucket" assets, the corresponding table
|
321
|
+
# name will be "mytable_storage_googleapis_com_Bucket". If any of these
|
322
|
+
# tables does not exist, a new table with the concatenated name will be
|
323
|
+
# created.
|
324
|
+
#
|
325
|
+
# When [content_type] in the ExportAssetsRequest is `RESOURCE`, the schema of
|
326
|
+
# each table will include RECORD-type columns mapped to the nested fields in
|
327
|
+
# the Asset.resource.data field of that asset type (up to the 15 nested level
|
328
|
+
# BigQuery supports
|
329
|
+
# (https://cloud.google.com/bigquery/docs/nested-repeated#limitations)). The
|
330
|
+
# fields in >15 nested levels will be stored in JSON format string as a child
|
331
|
+
# column of its parent RECORD column.
|
332
|
+
#
|
333
|
+
# If error occurs when exporting to any table, the whole export call will
|
334
|
+
# return an error but the export results that already succeed will persist.
|
335
|
+
# Example: if exporting to table_type_A succeeds when exporting to
|
336
|
+
# table_type_B fails during one export call, the results in table_type_A will
|
337
|
+
# persist and there will not be partial results persisting in a table.
|
290
338
|
class BigQueryDestination
|
291
339
|
include ::Google::Protobuf::MessageExts
|
292
340
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
293
341
|
end
|
294
342
|
|
343
|
+
# Specifications of BigQuery partitioned table as export destination.
|
344
|
+
# @!attribute [rw] partition_key
|
345
|
+
# @return [::Google::Cloud::Asset::V1::PartitionSpec::PartitionKey]
|
346
|
+
# The partition key for BigQuery partitioned table.
|
347
|
+
class PartitionSpec
|
348
|
+
include ::Google::Protobuf::MessageExts
|
349
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
350
|
+
|
351
|
+
# This enum is used to determine the partition key column when exporting
|
352
|
+
# assets to BigQuery partitioned table(s). Note that, if the partition key is
|
353
|
+
# a timestamp column, the actual partition is based on its date value
|
354
|
+
# (expressed in UTC. see details in
|
355
|
+
# https://cloud.google.com/bigquery/docs/partitioned-tables#date_timestamp_partitioned_tables).
|
356
|
+
module PartitionKey
|
357
|
+
# Unspecified partition key. If used, it means using non-partitioned table.
|
358
|
+
PARTITION_KEY_UNSPECIFIED = 0
|
359
|
+
|
360
|
+
# The time when the snapshot is taken. If specified as partition key, the
|
361
|
+
# result table(s) is partitoned by the additional timestamp column,
|
362
|
+
# readTime. If [read_time] in ExportAssetsRequest is specified, the
|
363
|
+
# readTime column's value will be the same as it. Otherwise, its value will
|
364
|
+
# be the current time that is used to take the snapshot.
|
365
|
+
READ_TIME = 1
|
366
|
+
|
367
|
+
# The time when the request is received and started to be processed. If
|
368
|
+
# specified as partition key, the result table(s) is partitoned by the
|
369
|
+
# requestTime column, an additional timestamp column representing when the
|
370
|
+
# request was received.
|
371
|
+
REQUEST_TIME = 2
|
372
|
+
end
|
373
|
+
end
|
374
|
+
|
295
375
|
# A Pub/Sub destination.
|
296
376
|
# @!attribute [rw] topic
|
297
377
|
# @return [::String]
|
@@ -545,6 +625,329 @@ module Google
|
|
545
625
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
546
626
|
end
|
547
627
|
|
628
|
+
# IAM policy analysis query message.
|
629
|
+
# @!attribute [rw] scope
|
630
|
+
# @return [::String]
|
631
|
+
# Required. The relative name of the root asset. Only resources and IAM policies within
|
632
|
+
# the scope will be analyzed.
|
633
|
+
#
|
634
|
+
# This can only be an organization number (such as "organizations/123"), a
|
635
|
+
# folder number (such as "folders/123"), a project ID (such as
|
636
|
+
# "projects/my-project-id"), or a project number (such as "projects/12345").
|
637
|
+
#
|
638
|
+
# To know how to get organization id, visit [here
|
639
|
+
# ](https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id).
|
640
|
+
#
|
641
|
+
# To know how to get folder or project id, visit [here
|
642
|
+
# ](https://cloud.google.com/resource-manager/docs/creating-managing-folders#viewing_or_listing_folders_and_projects).
|
643
|
+
# @!attribute [rw] resource_selector
|
644
|
+
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::ResourceSelector]
|
645
|
+
# Optional. Specifies a resource for analysis.
|
646
|
+
# @!attribute [rw] identity_selector
|
647
|
+
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::IdentitySelector]
|
648
|
+
# Optional. Specifies an identity for analysis.
|
649
|
+
# @!attribute [rw] access_selector
|
650
|
+
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::AccessSelector]
|
651
|
+
# Optional. Specifies roles or permissions for analysis. This is optional.
|
652
|
+
# @!attribute [rw] options
|
653
|
+
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::Options]
|
654
|
+
# Optional. The query options.
|
655
|
+
class IamPolicyAnalysisQuery
|
656
|
+
include ::Google::Protobuf::MessageExts
|
657
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
658
|
+
|
659
|
+
# Specifies the resource to analyze for access policies, which may be set
|
660
|
+
# directly on the resource, or on ancestors such as organizations, folders or
|
661
|
+
# projects.
|
662
|
+
# @!attribute [rw] full_resource_name
|
663
|
+
# @return [::String]
|
664
|
+
# Required. The [full resource name]
|
665
|
+
# (https://cloud.google.com/asset-inventory/docs/resource-name-format)
|
666
|
+
# of a resource of [supported resource
|
667
|
+
# types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#analyzable_asset_types).
|
668
|
+
class ResourceSelector
|
669
|
+
include ::Google::Protobuf::MessageExts
|
670
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
671
|
+
end
|
672
|
+
|
673
|
+
# Specifies an identity for which to determine resource access, based on
|
674
|
+
# roles assigned either directly to them or to the groups they belong to,
|
675
|
+
# directly or indirectly.
|
676
|
+
# @!attribute [rw] identity
|
677
|
+
# @return [::String]
|
678
|
+
# Required. The identity appear in the form of members in
|
679
|
+
# [IAM policy
|
680
|
+
# binding](https://cloud.google.com/iam/reference/rest/v1/Binding).
|
681
|
+
#
|
682
|
+
# The examples of supported forms are:
|
683
|
+
# "user:mike@example.com",
|
684
|
+
# "group:admins@example.com",
|
685
|
+
# "domain:google.com",
|
686
|
+
# "serviceAccount:my-project-id@appspot.gserviceaccount.com".
|
687
|
+
#
|
688
|
+
# Notice that wildcard characters (such as * and ?) are not supported.
|
689
|
+
# You must give a specific identity.
|
690
|
+
class IdentitySelector
|
691
|
+
include ::Google::Protobuf::MessageExts
|
692
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
693
|
+
end
|
694
|
+
|
695
|
+
# Specifies roles and/or permissions to analyze, to determine both the
|
696
|
+
# identities possessing them and the resources they control. If multiple
|
697
|
+
# values are specified, results will include roles or permissions matching
|
698
|
+
# any of them. The total number of roles and permissions should be equal or
|
699
|
+
# less than 10.
|
700
|
+
# @!attribute [rw] roles
|
701
|
+
# @return [::Array<::String>]
|
702
|
+
# Optional. The roles to appear in result.
|
703
|
+
# @!attribute [rw] permissions
|
704
|
+
# @return [::Array<::String>]
|
705
|
+
# Optional. The permissions to appear in result.
|
706
|
+
class AccessSelector
|
707
|
+
include ::Google::Protobuf::MessageExts
|
708
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
709
|
+
end
|
710
|
+
|
711
|
+
# Contains query options.
|
712
|
+
# @!attribute [rw] expand_groups
|
713
|
+
# @return [::Boolean]
|
714
|
+
# Optional. If true, the identities section of the result will expand any
|
715
|
+
# Google groups appearing in an IAM policy binding.
|
716
|
+
#
|
717
|
+
# If {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#identity_selector IamPolicyAnalysisQuery.identity_selector} is specified, the
|
718
|
+
# identity in the result will be determined by the selector, and this flag
|
719
|
+
# is not allowed to set.
|
720
|
+
#
|
721
|
+
# Default is false.
|
722
|
+
# @!attribute [rw] expand_roles
|
723
|
+
# @return [::Boolean]
|
724
|
+
# Optional. If true, the access section of result will expand any roles
|
725
|
+
# appearing in IAM policy bindings to include their permissions.
|
726
|
+
#
|
727
|
+
# If {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#access_selector IamPolicyAnalysisQuery.access_selector} is specified, the access
|
728
|
+
# section of the result will be determined by the selector, and this flag
|
729
|
+
# is not allowed to set.
|
730
|
+
#
|
731
|
+
# Default is false.
|
732
|
+
# @!attribute [rw] expand_resources
|
733
|
+
# @return [::Boolean]
|
734
|
+
# Optional. If true and {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#resource_selector IamPolicyAnalysisQuery.resource_selector} is not
|
735
|
+
# specified, the resource section of the result will expand any resource
|
736
|
+
# attached to an IAM policy to include resources lower in the resource
|
737
|
+
# hierarchy.
|
738
|
+
#
|
739
|
+
# For example, if the request analyzes for which resources user A has
|
740
|
+
# permission P, and the results include an IAM policy with P on a GCP
|
741
|
+
# folder, the results will also include resources in that folder with
|
742
|
+
# permission P.
|
743
|
+
#
|
744
|
+
# If true and {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#resource_selector IamPolicyAnalysisQuery.resource_selector} is specified,
|
745
|
+
# the resource section of the result will expand the specified resource to
|
746
|
+
# include resources lower in the resource hierarchy. Only project or
|
747
|
+
# lower resources are supported. Folder and organization resource cannot be
|
748
|
+
# used together with this option.
|
749
|
+
#
|
750
|
+
# For example, if the request analyzes for which users have permission P on
|
751
|
+
# a GCP project with this option enabled, the results will include all
|
752
|
+
# users who have permission P on that project or any lower resource.
|
753
|
+
#
|
754
|
+
# Default is false.
|
755
|
+
# @!attribute [rw] output_resource_edges
|
756
|
+
# @return [::Boolean]
|
757
|
+
# Optional. If true, the result will output resource edges, starting
|
758
|
+
# from the policy attached resource, to any expanded resources.
|
759
|
+
# Default is false.
|
760
|
+
# @!attribute [rw] output_group_edges
|
761
|
+
# @return [::Boolean]
|
762
|
+
# Optional. If true, the result will output group identity edges, starting
|
763
|
+
# from the binding's group members, to any expanded identities.
|
764
|
+
# Default is false.
|
765
|
+
# @!attribute [rw] analyze_service_account_impersonation
|
766
|
+
# @return [::Boolean]
|
767
|
+
# Optional. If true, the response will include access analysis from identities to
|
768
|
+
# resources via service account impersonation. This is a very expensive
|
769
|
+
# operation, because many derived queries will be executed. We highly
|
770
|
+
# recommend you use {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy_longrunning AssetService.AnalyzeIamPolicyLongrunning} rpc
|
771
|
+
# instead.
|
772
|
+
#
|
773
|
+
# For example, if the request analyzes for which resources user A has
|
774
|
+
# permission P, and there's an IAM policy states user A has
|
775
|
+
# iam.serviceAccounts.getAccessToken permission to a service account SA,
|
776
|
+
# and there's another IAM policy states service account SA has permission P
|
777
|
+
# to a GCP folder F, then user A potentially has access to the GCP folder
|
778
|
+
# F. And those advanced analysis results will be included in
|
779
|
+
# {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis AnalyzeIamPolicyResponse.service_account_impersonation_analysis}.
|
780
|
+
#
|
781
|
+
# Another example, if the request analyzes for who has
|
782
|
+
# permission P to a GCP folder F, and there's an IAM policy states user A
|
783
|
+
# has iam.serviceAccounts.actAs permission to a service account SA, and
|
784
|
+
# there's another IAM policy states service account SA has permission P to
|
785
|
+
# the GCP folder F, then user A potentially has access to the GCP folder
|
786
|
+
# F. And those advanced analysis results will be included in
|
787
|
+
# {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis AnalyzeIamPolicyResponse.service_account_impersonation_analysis}.
|
788
|
+
#
|
789
|
+
# Default is false.
|
790
|
+
class Options
|
791
|
+
include ::Google::Protobuf::MessageExts
|
792
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
793
|
+
end
|
794
|
+
end
|
795
|
+
|
796
|
+
# A request message for {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy AssetService.AnalyzeIamPolicy}.
|
797
|
+
# @!attribute [rw] analysis_query
|
798
|
+
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery]
|
799
|
+
# Required. The request query.
|
800
|
+
# @!attribute [rw] execution_timeout
|
801
|
+
# @return [::Google::Protobuf::Duration]
|
802
|
+
# Optional. Amount of time executable has to complete. See JSON representation of
|
803
|
+
# [Duration](https://developers.google.com/protocol-buffers/docs/proto3#json).
|
804
|
+
#
|
805
|
+
# If this field is set with a value less than the RPC deadline, and the
|
806
|
+
# execution of your query hasn't finished in the specified
|
807
|
+
# execution timeout, you will get a response with partial result.
|
808
|
+
# Otherwise, your query's execution will continue until the RPC deadline.
|
809
|
+
# If it's not finished until then, you will get a DEADLINE_EXCEEDED error.
|
810
|
+
#
|
811
|
+
# Default is empty.
|
812
|
+
class AnalyzeIamPolicyRequest
|
813
|
+
include ::Google::Protobuf::MessageExts
|
814
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
815
|
+
end
|
816
|
+
|
817
|
+
# A response message for {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy AssetService.AnalyzeIamPolicy}.
|
818
|
+
# @!attribute [rw] main_analysis
|
819
|
+
# @return [::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis]
|
820
|
+
# The main analysis that matches the original request.
|
821
|
+
# @!attribute [rw] service_account_impersonation_analysis
|
822
|
+
# @return [::Array<::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis>]
|
823
|
+
# The service account impersonation analysis if
|
824
|
+
# [AnalyzeIamPolicyRequest.analyze_service_account_impersonation][] is
|
825
|
+
# enabled.
|
826
|
+
# @!attribute [rw] fully_explored
|
827
|
+
# @return [::Boolean]
|
828
|
+
# Represents whether all entries in the {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#main_analysis main_analysis} and
|
829
|
+
# {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis service_account_impersonation_analysis} have been fully explored to
|
830
|
+
# answer the query in the request.
|
831
|
+
class AnalyzeIamPolicyResponse
|
832
|
+
include ::Google::Protobuf::MessageExts
|
833
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
834
|
+
|
835
|
+
# An analysis message to group the query and results.
|
836
|
+
# @!attribute [rw] analysis_query
|
837
|
+
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery]
|
838
|
+
# The analysis query.
|
839
|
+
# @!attribute [rw] analysis_results
|
840
|
+
# @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult>]
|
841
|
+
# A list of {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult IamPolicyAnalysisResult} that matches the analysis query, or
|
842
|
+
# empty if no result is found.
|
843
|
+
# @!attribute [rw] fully_explored
|
844
|
+
# @return [::Boolean]
|
845
|
+
# Represents whether all entries in the {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis#analysis_results analysis_results} have been
|
846
|
+
# fully explored to answer the query.
|
847
|
+
# @!attribute [rw] non_critical_errors
|
848
|
+
# @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisState>]
|
849
|
+
# A list of non-critical errors happened during the query handling.
|
850
|
+
class IamPolicyAnalysis
|
851
|
+
include ::Google::Protobuf::MessageExts
|
852
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
853
|
+
end
|
854
|
+
end
|
855
|
+
|
856
|
+
# Output configuration for export IAM policy analysis destination.
|
857
|
+
# @!attribute [rw] gcs_destination
|
858
|
+
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig::GcsDestination]
|
859
|
+
# Destination on Cloud Storage.
|
860
|
+
# @!attribute [rw] bigquery_destination
|
861
|
+
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig::BigQueryDestination]
|
862
|
+
# Destination on BigQuery.
|
863
|
+
class IamPolicyAnalysisOutputConfig
|
864
|
+
include ::Google::Protobuf::MessageExts
|
865
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
866
|
+
|
867
|
+
# A Cloud Storage location.
|
868
|
+
# @!attribute [rw] uri
|
869
|
+
# @return [::String]
|
870
|
+
# Required. The uri of the Cloud Storage object. It's the same uri that is used by
|
871
|
+
# gsutil. For example: "gs://bucket_name/object_name". See
|
872
|
+
# [Quickstart: Using the gsutil tool]
|
873
|
+
# (https://cloud.google.com/storage/docs/quickstart-gsutil) for examples.
|
874
|
+
class GcsDestination
|
875
|
+
include ::Google::Protobuf::MessageExts
|
876
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
877
|
+
end
|
878
|
+
|
879
|
+
# A BigQuery destination.
|
880
|
+
# @!attribute [rw] dataset
|
881
|
+
# @return [::String]
|
882
|
+
# Required. The BigQuery dataset in format "projects/projectId/datasets/datasetId",
|
883
|
+
# to which the analysis results should be exported. If this dataset does
|
884
|
+
# not exist, the export call will return an INVALID_ARGUMENT error.
|
885
|
+
# @!attribute [rw] table_prefix
|
886
|
+
# @return [::String]
|
887
|
+
# Required. The prefix of the BigQuery tables to which the analysis results will be
|
888
|
+
# written. Tables will be created based on this table_prefix if not exist:
|
889
|
+
# * <table_prefix>_analysis table will contain export operation's metadata.
|
890
|
+
# * <table_prefix>_analysis_result will contain all the
|
891
|
+
# {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult IamPolicyAnalysisResult}.
|
892
|
+
# When [partition_key] is specified, both tables will be partitioned based
|
893
|
+
# on the [partition_key].
|
894
|
+
# @!attribute [rw] partition_key
|
895
|
+
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig::BigQueryDestination::PartitionKey]
|
896
|
+
# The partition key for BigQuery partitioned table.
|
897
|
+
# @!attribute [rw] write_disposition
|
898
|
+
# @return [::String]
|
899
|
+
# Optional. Specifies the action that occurs if the destination table or partition
|
900
|
+
# already exists. The following values are supported:
|
901
|
+
#
|
902
|
+
# * WRITE_TRUNCATE: If the table or partition already exists, BigQuery
|
903
|
+
# overwrites the entire table or all the partitions data.
|
904
|
+
# * WRITE_APPEND: If the table or partition already exists, BigQuery
|
905
|
+
# appends the data to the table or the latest partition.
|
906
|
+
# * WRITE_EMPTY: If the table already exists and contains data, an error is
|
907
|
+
# returned.
|
908
|
+
#
|
909
|
+
# The default value is WRITE_APPEND. Each action is atomic and only occurs
|
910
|
+
# if BigQuery is able to complete the job successfully. Details are at
|
911
|
+
# https://cloud.google.com/bigquery/docs/loading-data-local#appending_to_or_overwriting_a_table_using_a_local_file.
|
912
|
+
class BigQueryDestination
|
913
|
+
include ::Google::Protobuf::MessageExts
|
914
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
915
|
+
|
916
|
+
# This enum determines the partition key column for the bigquery tables.
|
917
|
+
# Partitioning can improve query performance and reduce query cost by
|
918
|
+
# filtering partitions. Refer to
|
919
|
+
# https://cloud.google.com/bigquery/docs/partitioned-tables for details.
|
920
|
+
module PartitionKey
|
921
|
+
# Unspecified partition key. Tables won't be partitioned using this
|
922
|
+
# option.
|
923
|
+
PARTITION_KEY_UNSPECIFIED = 0
|
924
|
+
|
925
|
+
# The time when the request is received. If specified as partition key,
|
926
|
+
# the result table(s) is partitoned by the RequestTime column, an
|
927
|
+
# additional timestamp column representing when the request was received.
|
928
|
+
REQUEST_TIME = 1
|
929
|
+
end
|
930
|
+
end
|
931
|
+
end
|
932
|
+
|
933
|
+
# A request message for {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy_longrunning AssetService.AnalyzeIamPolicyLongrunning}.
|
934
|
+
# @!attribute [rw] analysis_query
|
935
|
+
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery]
|
936
|
+
# Required. The request query.
|
937
|
+
# @!attribute [rw] output_config
|
938
|
+
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig]
|
939
|
+
# Required. Output configuration indicating where the results will be output to.
|
940
|
+
class AnalyzeIamPolicyLongrunningRequest
|
941
|
+
include ::Google::Protobuf::MessageExts
|
942
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
943
|
+
end
|
944
|
+
|
945
|
+
# A response message for {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy_longrunning AssetService.AnalyzeIamPolicyLongrunning}.
|
946
|
+
class AnalyzeIamPolicyLongrunningResponse
|
947
|
+
include ::Google::Protobuf::MessageExts
|
948
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
949
|
+
end
|
950
|
+
|
548
951
|
# Asset content type.
|
549
952
|
module ContentType
|
550
953
|
# Unspecified content type.
|
@@ -561,6 +964,9 @@ module Google
|
|
561
964
|
|
562
965
|
# The Cloud Access context manager Policy set on an asset.
|
563
966
|
ACCESS_POLICY = 5
|
967
|
+
|
968
|
+
# The runtime OS Inventory information.
|
969
|
+
OS_INVENTORY = 6
|
564
970
|
end
|
565
971
|
end
|
566
972
|
end
|
@@ -134,6 +134,11 @@ module Google
|
|
134
134
|
# @return [::Google::Identity::AccessContextManager::V1::ServicePerimeter]
|
135
135
|
# Please also refer to the [service perimeter user
|
136
136
|
# guide](https://cloud.google.com/vpc-service-controls/docs/overview).
|
137
|
+
# @!attribute [rw] os_inventory
|
138
|
+
# @return [::Google::Cloud::OsConfig::V1::Inventory]
|
139
|
+
# A representation of runtime OS Inventory information. See [this
|
140
|
+
# topic](https://cloud.google.com/compute/docs/instances/os-inventory-management)
|
141
|
+
# for more information.
|
137
142
|
# @!attribute [rw] ancestors
|
138
143
|
# @return [::Array<::String>]
|
139
144
|
# The ancestry path of an asset in Google Cloud [resource
|
@@ -396,6 +401,173 @@ module Google
|
|
396
401
|
end
|
397
402
|
end
|
398
403
|
end
|
404
|
+
|
405
|
+
# Represents the detailed state of an entity under analysis, such as a
|
406
|
+
# resource, an identity or an access.
|
407
|
+
# @!attribute [rw] code
|
408
|
+
# @return [::Google::Rpc::Code]
|
409
|
+
# The Google standard error code that best describes the state.
|
410
|
+
# For example:
|
411
|
+
# - OK means the analysis on this entity has been successfully finished;
|
412
|
+
# - PERMISSION_DENIED means an access denied error is encountered;
|
413
|
+
# - DEADLINE_EXCEEDED means the analysis on this entity hasn't been started
|
414
|
+
# in time;
|
415
|
+
# @!attribute [rw] cause
|
416
|
+
# @return [::String]
|
417
|
+
# The human-readable description of the cause of failure.
|
418
|
+
class IamPolicyAnalysisState
|
419
|
+
include ::Google::Protobuf::MessageExts
|
420
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
421
|
+
end
|
422
|
+
|
423
|
+
# IAM Policy analysis result, consisting of one IAM policy binding and derived
|
424
|
+
# access control lists.
|
425
|
+
# @!attribute [rw] attached_resource_full_name
|
426
|
+
# @return [::String]
|
427
|
+
# The [full resource
|
428
|
+
# name](https://cloud.google.com/asset-inventory/docs/resource-name-format)
|
429
|
+
# of the resource to which the {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult#iam_binding iam_binding} policy attaches.
|
430
|
+
# @!attribute [rw] iam_binding
|
431
|
+
# @return [::Google::Iam::V1::Binding]
|
432
|
+
# The Cloud IAM policy binding under analysis.
|
433
|
+
# @!attribute [rw] access_control_lists
|
434
|
+
# @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::AccessControlList>]
|
435
|
+
# The access control lists derived from the {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult#iam_binding iam_binding} that match or
|
436
|
+
# potentially match resource and access selectors specified in the request.
|
437
|
+
# @!attribute [rw] identity_list
|
438
|
+
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::IdentityList]
|
439
|
+
# The identity list derived from members of the {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult#iam_binding iam_binding} that match or
|
440
|
+
# potentially match identity selector specified in the request.
|
441
|
+
# @!attribute [rw] fully_explored
|
442
|
+
# @return [::Boolean]
|
443
|
+
# Represents whether all analyses on the {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult#iam_binding iam_binding} have successfully
|
444
|
+
# finished.
|
445
|
+
class IamPolicyAnalysisResult
|
446
|
+
include ::Google::Protobuf::MessageExts
|
447
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
448
|
+
|
449
|
+
# A Google Cloud resource under analysis.
|
450
|
+
# @!attribute [rw] full_resource_name
|
451
|
+
# @return [::String]
|
452
|
+
# The [full resource
|
453
|
+
# name](https://cloud.google.com/asset-inventory/docs/resource-name-format)
|
454
|
+
# @!attribute [rw] analysis_state
|
455
|
+
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisState]
|
456
|
+
# The analysis state of this resource.
|
457
|
+
class Resource
|
458
|
+
include ::Google::Protobuf::MessageExts
|
459
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
460
|
+
end
|
461
|
+
|
462
|
+
# An IAM role or permission under analysis.
|
463
|
+
# @!attribute [rw] role
|
464
|
+
# @return [::String]
|
465
|
+
# The role.
|
466
|
+
# @!attribute [rw] permission
|
467
|
+
# @return [::String]
|
468
|
+
# The permission.
|
469
|
+
# @!attribute [rw] analysis_state
|
470
|
+
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisState]
|
471
|
+
# The analysis state of this access.
|
472
|
+
class Access
|
473
|
+
include ::Google::Protobuf::MessageExts
|
474
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
475
|
+
end
|
476
|
+
|
477
|
+
# An identity under analysis.
|
478
|
+
# @!attribute [rw] name
|
479
|
+
# @return [::String]
|
480
|
+
# The identity name in any form of members appear in
|
481
|
+
# [IAM policy
|
482
|
+
# binding](https://cloud.google.com/iam/reference/rest/v1/Binding), such
|
483
|
+
# as:
|
484
|
+
# - user:foo@google.com
|
485
|
+
# - group:group1@google.com
|
486
|
+
# - serviceAccount:s1@prj1.iam.gserviceaccount.com
|
487
|
+
# - projectOwner:some_project_id
|
488
|
+
# - domain:google.com
|
489
|
+
# - allUsers
|
490
|
+
# - etc.
|
491
|
+
# @!attribute [rw] analysis_state
|
492
|
+
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisState]
|
493
|
+
# The analysis state of this identity.
|
494
|
+
class Identity
|
495
|
+
include ::Google::Protobuf::MessageExts
|
496
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
497
|
+
end
|
498
|
+
|
499
|
+
# A directional edge.
|
500
|
+
# @!attribute [rw] source_node
|
501
|
+
# @return [::String]
|
502
|
+
# The source node of the edge. For example, it could be a full resource
|
503
|
+
# name for a resource node or an email of an identity.
|
504
|
+
# @!attribute [rw] target_node
|
505
|
+
# @return [::String]
|
506
|
+
# The target node of the edge. For example, it could be a full resource
|
507
|
+
# name for a resource node or an email of an identity.
|
508
|
+
class Edge
|
509
|
+
include ::Google::Protobuf::MessageExts
|
510
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
511
|
+
end
|
512
|
+
|
513
|
+
# An access control list, derived from the above IAM policy binding, which
|
514
|
+
# contains a set of resources and accesses. May include one
|
515
|
+
# item from each set to compose an access control entry.
|
516
|
+
#
|
517
|
+
# NOTICE that there could be multiple access control lists for one IAM policy
|
518
|
+
# binding. The access control lists are created based on resource and access
|
519
|
+
# combinations.
|
520
|
+
#
|
521
|
+
# For example, assume we have the following cases in one IAM policy binding:
|
522
|
+
# - Permission P1 and P2 apply to resource R1 and R2;
|
523
|
+
# - Permission P3 applies to resource R2 and R3;
|
524
|
+
#
|
525
|
+
# This will result in the following access control lists:
|
526
|
+
# - AccessControlList 1: [R1, R2], [P1, P2]
|
527
|
+
# - AccessControlList 2: [R2, R3], [P3]
|
528
|
+
# @!attribute [rw] resources
|
529
|
+
# @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Resource>]
|
530
|
+
# The resources that match one of the following conditions:
|
531
|
+
# - The resource_selector, if it is specified in request;
|
532
|
+
# - Otherwise, resources reachable from the policy attached resource.
|
533
|
+
# @!attribute [rw] accesses
|
534
|
+
# @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Access>]
|
535
|
+
# The accesses that match one of the following conditions:
|
536
|
+
# - The access_selector, if it is specified in request;
|
537
|
+
# - Otherwise, access specifiers reachable from the policy binding's role.
|
538
|
+
# @!attribute [rw] resource_edges
|
539
|
+
# @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge>]
|
540
|
+
# Resource edges of the graph starting from the policy attached
|
541
|
+
# resource to any descendant resources. The {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#source_node Edge.source_node} contains
|
542
|
+
# the full resource name of a parent resource and {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#target_node Edge.target_node}
|
543
|
+
# contains the full resource name of a child resource. This field is
|
544
|
+
# present only if the output_resource_edges option is enabled in request.
|
545
|
+
class AccessControlList
|
546
|
+
include ::Google::Protobuf::MessageExts
|
547
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
548
|
+
end
|
549
|
+
|
550
|
+
# The identities and group edges.
|
551
|
+
# @!attribute [rw] identities
|
552
|
+
# @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Identity>]
|
553
|
+
# Only the identities that match one of the following conditions will be
|
554
|
+
# presented:
|
555
|
+
# - The identity_selector, if it is specified in request;
|
556
|
+
# - Otherwise, identities reachable from the policy binding's members.
|
557
|
+
# @!attribute [rw] group_edges
|
558
|
+
# @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge>]
|
559
|
+
# Group identity edges of the graph starting from the binding's
|
560
|
+
# group members to any node of the {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::IdentityList#identities identities}. The {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#source_node Edge.source_node}
|
561
|
+
# contains a group, such as `group:parent@google.com`. The
|
562
|
+
# {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#target_node Edge.target_node} contains a member of the group,
|
563
|
+
# such as `group:child@google.com` or `user:foo@google.com`.
|
564
|
+
# This field is present only if the output_group_edges option is enabled in
|
565
|
+
# request.
|
566
|
+
class IdentityList
|
567
|
+
include ::Google::Protobuf::MessageExts
|
568
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
569
|
+
end
|
570
|
+
end
|
399
571
|
end
|
400
572
|
end
|
401
573
|
end
|