google-cloud-asset-v1 0.7.0 → 0.8.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 3a33096b1fa6262e9bd69d258c12d8cd8ff8efa76c1537c0d49e4e2941e3516e
4
- data.tar.gz: aa07a54ad150dd6707ea2f775a46730cdf9275c8c57b943f0d7dd8c7385aa210
3
+ metadata.gz: '05390bfafbb8f33e2657eafdb8ea02df48f64fe22566b08677f7283e93247abf'
4
+ data.tar.gz: d4fc94fdf2eb291f3c16092cf1642567a27b2cb750ed5c0a2ccf0211f3cfc291
5
5
  SHA512:
6
- metadata.gz: 6d83fa78c7480975dc0ce2102c27421e22f1132ec29170eadf3bdf319a5e2419e09762fca2a83c8a1118d47fe5182f0822211556bcab6f4bd63c32419fde2595
7
- data.tar.gz: 2e57428a82dffbf427466096119e6d0c7030d0dd232778c25d40062ece4dc8d789702e2df36e4d223ede5a491f7adf8e319be6bcc4b89fba711b68fd78db01bc
6
+ metadata.gz: 6109bc11e6dee3a83b058f27b9ffff14dc921eda4b055667cf9ad6cd1ebb43238d088545441d67006b036d80fd3f55d5d81eb46bb88ee3b08cc4b2b2fe941079
7
+ data.tar.gz: f872c116d26b2479e77d9922c3a49cdbbb37ed1b7f3e40cfdd823353075041a13cb7d4f8d716df134f537c87907f8ed6f3ff26f35bfb095da2c249c9603af3e6
@@ -119,6 +119,16 @@ module Google
119
119
  retry_codes: [4, 14]
120
120
  }
121
121
 
122
+ default_config.rpcs.analyze_iam_policy.timeout = 300.0
123
+ default_config.rpcs.analyze_iam_policy.retry_policy = {
124
+ initial_delay: 0.1,
125
+ max_delay: 60.0,
126
+ multiplier: 1.3,
127
+ retry_codes: [14]
128
+ }
129
+
130
+ default_config.rpcs.analyze_iam_policy_longrunning.timeout = 60.0
131
+
122
132
  default_config
123
133
  end
124
134
  yield @configure if block_given?
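Review bot: `analyze_iam_policy_longrunning` gets a 60.0 s timeout but no `retry_policy`, while `analyze_iam_policy` directly above it retries on code 14, and nothing in the hunk says whether the asymmetry is deliberate. If the intent is that starting a long-running analysis must not be auto-retried (a retried start would presumably enqueue a second operation writing to the same `output_config`), a one-line comment would stop a later edit from "fixing" it, e.g. `# no retry_policy: retrying the LRO start could create a duplicate operation`. If it is an oversight, the same `retry_codes: [14]` policy used for `analyze_iam_policy` is the obvious choice. The enclosing `default_config` block begins before this hunk.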
@@ -1028,6 +1038,161 @@ module Google
1028
1038
  raise ::Google::Cloud::Error.from_error(e)
1029
1039
  end
1030
1040
 
1041
+ ##
1042
+ # Analyzes IAM policies to answer which identities have what accesses on
1043
+ # which resources.
1044
+ #
1045
+ # @overload analyze_iam_policy(request, options = nil)
1046
+ # Pass arguments to `analyze_iam_policy` via a request object, either of type
1047
+ # {::Google::Cloud::Asset::V1::AnalyzeIamPolicyRequest} or an equivalent Hash.
1048
+ #
1049
+ # @param request [::Google::Cloud::Asset::V1::AnalyzeIamPolicyRequest, ::Hash]
1050
+ # A request object representing the call parameters. Required. To specify no
1051
+ # parameters, or to keep all the default parameter values, pass an empty Hash.
1052
+ # @param options [::Gapic::CallOptions, ::Hash]
1053
+ # Overrides the default settings for this call, e.g, timeout, retries, etc. Optional.
1054
+ #
1055
+ # @overload analyze_iam_policy(analysis_query: nil, execution_timeout: nil)
1056
+ # Pass arguments to `analyze_iam_policy` via keyword arguments. Note that at
1057
+ # least one keyword argument is required. To specify no parameters, or to keep all
1058
+ # the default parameter values, pass an empty Hash as a request object (see above).
1059
+ #
1060
+ # @param analysis_query [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery, ::Hash]
1061
+ # Required. The request query.
1062
+ # @param execution_timeout [::Google::Protobuf::Duration, ::Hash]
1063
+ # Optional. Amount of time executable has to complete. See JSON representation of
1064
+ # [Duration](https://developers.google.com/protocol-buffers/docs/proto3#json).
1065
+ #
1066
+ # If this field is set with a value less than the RPC deadline, and the
1067
+ # execution of your query hasn't finished in the specified
1068
+ # execution timeout, you will get a response with partial result.
1069
+ # Otherwise, your query's execution will continue until the RPC deadline.
1070
+ # If it's not finished until then, you will get a DEADLINE_EXCEEDED error.
1071
+ #
1072
+ # Default is empty.
1073
+ #
1074
+ # @yield [response, operation] Access the result along with the RPC operation
1075
+ # @yieldparam response [::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse]
1076
+ # @yieldparam operation [::GRPC::ActiveCall::Operation]
1077
+ #
1078
+ # @return [::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse]
1079
+ #
1080
+ # @raise [::Google::Cloud::Error] if the RPC is aborted.
1081
+ #
1082
+ def analyze_iam_policy request, options = nil
1083
+ raise ::ArgumentError, "request must be provided" if request.nil?
1084
+
1085
+ request = ::Gapic::Protobuf.coerce request, to: ::Google::Cloud::Asset::V1::AnalyzeIamPolicyRequest
1086
+
1087
+ # Converts hash and nil to an options object
1088
+ options = ::Gapic::CallOptions.new(**options.to_h) if options.respond_to? :to_h
1089
+
1090
+ # Customize the options with defaults
1091
+ metadata = @config.rpcs.analyze_iam_policy.metadata.to_h
1092
+
1093
+ # Set x-goog-api-client and x-goog-user-project headers
1094
+ metadata[:"x-goog-api-client"] ||= ::Gapic::Headers.x_goog_api_client \
1095
+ lib_name: @config.lib_name, lib_version: @config.lib_version,
1096
+ gapic_version: ::Google::Cloud::Asset::V1::VERSION
1097
+ metadata[:"x-goog-user-project"] = @quota_project_id if @quota_project_id
1098
+
1099
+ header_params = {
1100
+ "analysis_query.scope" => request.analysis_query.scope
1101
+ }
1102
+ request_params_header = header_params.map { |k, v| "#{k}=#{v}" }.join("&")
1103
+ metadata[:"x-goog-request-params"] ||= request_params_header
1104
+
1105
+ options.apply_defaults timeout: @config.rpcs.analyze_iam_policy.timeout,
1106
+ metadata: metadata,
1107
+ retry_policy: @config.rpcs.analyze_iam_policy.retry_policy
1108
+ options.apply_defaults metadata: @config.metadata,
1109
+ retry_policy: @config.retry_policy
1110
+
1111
+ @asset_service_stub.call_rpc :analyze_iam_policy, request, options: options do |response, operation|
1112
+ yield response, operation if block_given?
1113
+ return response
1114
+ end
1115
+ rescue ::GRPC::BadStatus => e
1116
+ raise ::Google::Cloud::Error.from_error(e)
1117
+ end
1118
+
1119
+ ##
1120
+ # Analyzes IAM policies asynchronously to answer which identities have what
1121
+ # accesses on which resources, and writes the analysis results to a Google
1122
+ # Cloud Storage or a BigQuery destination. For Cloud Storage destination, the
1123
+ # output format is the JSON format that represents a
1124
+ # {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse AnalyzeIamPolicyResponse}. This method implements the
1125
+ # {::Google::Longrunning::Operation google.longrunning.Operation}, which allows you to track the operation
1126
+ # status. We recommend intervals of at least 2 seconds with exponential
1127
+ # backoff retry to poll the operation result. The metadata contains the
1128
+ # request to help callers to map responses to requests.
1129
+ #
1130
+ # @overload analyze_iam_policy_longrunning(request, options = nil)
1131
+ # Pass arguments to `analyze_iam_policy_longrunning` via a request object, either of type
1132
+ # {::Google::Cloud::Asset::V1::AnalyzeIamPolicyLongrunningRequest} or an equivalent Hash.
1133
+ #
1134
+ # @param request [::Google::Cloud::Asset::V1::AnalyzeIamPolicyLongrunningRequest, ::Hash]
1135
+ # A request object representing the call parameters. Required. To specify no
1136
+ # parameters, or to keep all the default parameter values, pass an empty Hash.
1137
+ # @param options [::Gapic::CallOptions, ::Hash]
1138
+ # Overrides the default settings for this call, e.g, timeout, retries, etc. Optional.
1139
+ #
1140
+ # @overload analyze_iam_policy_longrunning(analysis_query: nil, output_config: nil)
1141
+ # Pass arguments to `analyze_iam_policy_longrunning` via keyword arguments. Note that at
1142
+ # least one keyword argument is required. To specify no parameters, or to keep all
1143
+ # the default parameter values, pass an empty Hash as a request object (see above).
1144
+ #
1145
+ # @param analysis_query [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery, ::Hash]
1146
+ # Required. The request query.
1147
+ # @param output_config [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig, ::Hash]
1148
+ # Required. Output configuration indicating where the results will be output to.
1149
+ #
1150
+ # @yield [response, operation] Access the result along with the RPC operation
1151
+ # @yieldparam response [::Gapic::Operation]
1152
+ # @yieldparam operation [::GRPC::ActiveCall::Operation]
1153
+ #
1154
+ # @return [::Gapic::Operation]
1155
+ #
1156
+ # @raise [::Google::Cloud::Error] if the RPC is aborted.
1157
+ #
1158
+ def analyze_iam_policy_longrunning request, options = nil
1159
+ raise ::ArgumentError, "request must be provided" if request.nil?
1160
+
1161
+ request = ::Gapic::Protobuf.coerce request, to: ::Google::Cloud::Asset::V1::AnalyzeIamPolicyLongrunningRequest
1162
+
1163
+ # Converts hash and nil to an options object
1164
+ options = ::Gapic::CallOptions.new(**options.to_h) if options.respond_to? :to_h
1165
+
1166
+ # Customize the options with defaults
1167
+ metadata = @config.rpcs.analyze_iam_policy_longrunning.metadata.to_h
1168
+
1169
+ # Set x-goog-api-client and x-goog-user-project headers
1170
+ metadata[:"x-goog-api-client"] ||= ::Gapic::Headers.x_goog_api_client \
1171
+ lib_name: @config.lib_name, lib_version: @config.lib_version,
1172
+ gapic_version: ::Google::Cloud::Asset::V1::VERSION
1173
+ metadata[:"x-goog-user-project"] = @quota_project_id if @quota_project_id
1174
+
1175
+ header_params = {
1176
+ "analysis_query.scope" => request.analysis_query.scope
1177
+ }
1178
+ request_params_header = header_params.map { |k, v| "#{k}=#{v}" }.join("&")
1179
+ metadata[:"x-goog-request-params"] ||= request_params_header
1180
+
1181
+ options.apply_defaults timeout: @config.rpcs.analyze_iam_policy_longrunning.timeout,
1182
+ metadata: metadata,
1183
+ retry_policy: @config.rpcs.analyze_iam_policy_longrunning.retry_policy
1184
+ options.apply_defaults metadata: @config.metadata,
1185
+ retry_policy: @config.retry_policy
1186
+
1187
+ @asset_service_stub.call_rpc :analyze_iam_policy_longrunning, request, options: options do |response, operation|
1188
+ response = ::Gapic::Operation.new response, @operations_client, options: options
1189
+ yield response, operation if block_given?
1190
+ return response
1191
+ end
1192
+ rescue ::GRPC::BadStatus => e
1193
+ raise ::Google::Cloud::Error.from_error(e)
1194
+ end
1195
+
1031
1196
  ##
1032
1197
  # Configuration class for the AssetService API.
1033
1198
  #
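Review bot: The `header_params` line in `analyze_iam_policy` (and the identical one in `analyze_iam_policy_longrunning`) dereferences `request.analysis_query.scope` with no nil check, so a request built from an empty Hash — which the docstring above explicitly allows — raises `NoMethodError` before the RPC is made, outside the `GRPC::BadStatus` rescue; a guard such as `header_params = {}` followed by `header_params["analysis_query.scope"] = request.analysis_query.scope if request.analysis_query` keeps it a clean "required field" server error instead. The scope value is also interpolated into `x-goog-request-params` unencoded via `"#{k}=#{v}"`/`join("&")`, so a caller-supplied scope containing `&` or `=` would presumably alter the routing header rather than fail validation; percent-encoding the value (or rejecting such characters) keeps the header well-formed. For `analyze_iam_policy_longrunning`, the docstring should also warn that the Cloud Storage bucket or BigQuery dataset named in `output_config` receives the full identity/access analysis, so its own ACLs should be no broader than the audience permitted to run the analysis on that scope — the client cannot enforce this, so it belongs in the `@param output_config` text.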
@@ -1209,6 +1374,16 @@ module Google
1209
1374
  # @return [::Gapic::Config::Method]
1210
1375
  #
1211
1376
  attr_reader :search_all_iam_policies
1377
+ ##
1378
+ # RPC-specific configuration for `analyze_iam_policy`
1379
+ # @return [::Gapic::Config::Method]
1380
+ #
1381
+ attr_reader :analyze_iam_policy
1382
+ ##
1383
+ # RPC-specific configuration for `analyze_iam_policy_longrunning`
1384
+ # @return [::Gapic::Config::Method]
1385
+ #
1386
+ attr_reader :analyze_iam_policy_longrunning
1212
1387
 
1213
1388
  # @private
1214
1389
  def initialize parent_rpcs = nil
@@ -1230,6 +1405,10 @@ module Google
1230
1405
  @search_all_resources = ::Gapic::Config::Method.new search_all_resources_config
1231
1406
  search_all_iam_policies_config = parent_rpcs&.search_all_iam_policies if parent_rpcs&.respond_to? :search_all_iam_policies
1232
1407
  @search_all_iam_policies = ::Gapic::Config::Method.new search_all_iam_policies_config
1408
+ analyze_iam_policy_config = parent_rpcs&.analyze_iam_policy if parent_rpcs&.respond_to? :analyze_iam_policy
1409
+ @analyze_iam_policy = ::Gapic::Config::Method.new analyze_iam_policy_config
1410
+ analyze_iam_policy_longrunning_config = parent_rpcs&.analyze_iam_policy_longrunning if parent_rpcs&.respond_to? :analyze_iam_policy_longrunning
1411
+ @analyze_iam_policy_longrunning = ::Gapic::Config::Method.new analyze_iam_policy_longrunning_config
1233
1412
 
1234
1413
  yield self if block_given?
1235
1414
  end
@@ -131,6 +131,71 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
131
131
  repeated :results, :message, 1, "google.cloud.asset.v1.IamPolicySearchResult"
132
132
  optional :next_page_token, :string, 2
133
133
  end
134
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisQuery" do
135
+ optional :scope, :string, 1
136
+ optional :resource_selector, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisQuery.ResourceSelector"
137
+ optional :identity_selector, :message, 3, "google.cloud.asset.v1.IamPolicyAnalysisQuery.IdentitySelector"
138
+ optional :access_selector, :message, 4, "google.cloud.asset.v1.IamPolicyAnalysisQuery.AccessSelector"
139
+ optional :options, :message, 5, "google.cloud.asset.v1.IamPolicyAnalysisQuery.Options"
140
+ end
141
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisQuery.ResourceSelector" do
142
+ optional :full_resource_name, :string, 1
143
+ end
144
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisQuery.IdentitySelector" do
145
+ optional :identity, :string, 1
146
+ end
147
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisQuery.AccessSelector" do
148
+ repeated :roles, :string, 1
149
+ repeated :permissions, :string, 2
150
+ end
151
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisQuery.Options" do
152
+ optional :expand_groups, :bool, 1
153
+ optional :expand_roles, :bool, 2
154
+ optional :expand_resources, :bool, 3
155
+ optional :output_resource_edges, :bool, 4
156
+ optional :output_group_edges, :bool, 5
157
+ optional :analyze_service_account_impersonation, :bool, 6
158
+ end
159
+ add_message "google.cloud.asset.v1.AnalyzeIamPolicyRequest" do
160
+ optional :analysis_query, :message, 1, "google.cloud.asset.v1.IamPolicyAnalysisQuery"
161
+ optional :execution_timeout, :message, 2, "google.protobuf.Duration"
162
+ end
163
+ add_message "google.cloud.asset.v1.AnalyzeIamPolicyResponse" do
164
+ optional :main_analysis, :message, 1, "google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis"
165
+ repeated :service_account_impersonation_analysis, :message, 2, "google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis"
166
+ optional :fully_explored, :bool, 3
167
+ end
168
+ add_message "google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis" do
169
+ optional :analysis_query, :message, 1, "google.cloud.asset.v1.IamPolicyAnalysisQuery"
170
+ repeated :analysis_results, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisResult"
171
+ optional :fully_explored, :bool, 3
172
+ repeated :non_critical_errors, :message, 5, "google.cloud.asset.v1.IamPolicyAnalysisState"
173
+ end
174
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig" do
175
+ oneof :destination do
176
+ optional :gcs_destination, :message, 1, "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.GcsDestination"
177
+ optional :bigquery_destination, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination"
178
+ end
179
+ end
180
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.GcsDestination" do
181
+ optional :uri, :string, 1
182
+ end
183
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination" do
184
+ optional :dataset, :string, 1
185
+ optional :table_prefix, :string, 2
186
+ optional :partition_key, :enum, 3, "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination.PartitionKey"
187
+ optional :write_disposition, :string, 4
188
+ end
189
+ add_enum "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination.PartitionKey" do
190
+ value :PARTITION_KEY_UNSPECIFIED, 0
191
+ value :REQUEST_TIME, 1
192
+ end
193
+ add_message "google.cloud.asset.v1.AnalyzeIamPolicyLongrunningRequest" do
194
+ optional :analysis_query, :message, 1, "google.cloud.asset.v1.IamPolicyAnalysisQuery"
195
+ optional :output_config, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisOutputConfig"
196
+ end
197
+ add_message "google.cloud.asset.v1.AnalyzeIamPolicyLongrunningResponse" do
198
+ end
134
199
  add_enum "google.cloud.asset.v1.ContentType" do
135
200
  value :CONTENT_TYPE_UNSPECIFIED, 0
136
201
  value :RESOURCE, 1
@@ -169,6 +234,20 @@ module Google
169
234
  SearchAllResourcesResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.SearchAllResourcesResponse").msgclass
170
235
  SearchAllIamPoliciesRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.SearchAllIamPoliciesRequest").msgclass
171
236
  SearchAllIamPoliciesResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.SearchAllIamPoliciesResponse").msgclass
237
+ IamPolicyAnalysisQuery = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisQuery").msgclass
238
+ IamPolicyAnalysisQuery::ResourceSelector = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisQuery.ResourceSelector").msgclass
239
+ IamPolicyAnalysisQuery::IdentitySelector = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisQuery.IdentitySelector").msgclass
240
+ IamPolicyAnalysisQuery::AccessSelector = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisQuery.AccessSelector").msgclass
241
+ IamPolicyAnalysisQuery::Options = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisQuery.Options").msgclass
242
+ AnalyzeIamPolicyRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.AnalyzeIamPolicyRequest").msgclass
243
+ AnalyzeIamPolicyResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.AnalyzeIamPolicyResponse").msgclass
244
+ AnalyzeIamPolicyResponse::IamPolicyAnalysis = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis").msgclass
245
+ IamPolicyAnalysisOutputConfig = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisOutputConfig").msgclass
246
+ IamPolicyAnalysisOutputConfig::GcsDestination = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.GcsDestination").msgclass
247
+ IamPolicyAnalysisOutputConfig::BigQueryDestination = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination").msgclass
248
+ IamPolicyAnalysisOutputConfig::BigQueryDestination::PartitionKey = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination.PartitionKey").enummodule
249
+ AnalyzeIamPolicyLongrunningRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.AnalyzeIamPolicyLongrunningRequest").msgclass
250
+ AnalyzeIamPolicyLongrunningResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.AnalyzeIamPolicyLongrunningResponse").msgclass
172
251
  ContentType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.ContentType").enummodule
173
252
  end
174
253
  end
@@ -73,6 +73,19 @@ module Google
73
73
  # `cloudasset.assets.searchAllIamPolicies` permission on the desired scope,
74
74
  # otherwise the request will be rejected.
75
75
  rpc :SearchAllIamPolicies, ::Google::Cloud::Asset::V1::SearchAllIamPoliciesRequest, ::Google::Cloud::Asset::V1::SearchAllIamPoliciesResponse
76
+ # Analyzes IAM policies to answer which identities have what accesses on
77
+ # which resources.
78
+ rpc :AnalyzeIamPolicy, ::Google::Cloud::Asset::V1::AnalyzeIamPolicyRequest, ::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse
79
+ # Analyzes IAM policies asynchronously to answer which identities have what
80
+ # accesses on which resources, and writes the analysis results to a Google
81
+ # Cloud Storage or a BigQuery destination. For Cloud Storage destination, the
82
+ # output format is the JSON format that represents a
83
+ # [AnalyzeIamPolicyResponse][google.cloud.asset.v1.AnalyzeIamPolicyResponse]. This method implements the
84
+ # [google.longrunning.Operation][google.longrunning.Operation], which allows you to track the operation
85
+ # status. We recommend intervals of at least 2 seconds with exponential
86
+ # backoff retry to poll the operation result. The metadata contains the
87
+ # request to help callers to map responses to requests.
88
+ rpc :AnalyzeIamPolicyLongrunning, ::Google::Cloud::Asset::V1::AnalyzeIamPolicyLongrunningRequest, ::Google::Longrunning::Operation
76
89
  end
77
90
 
78
91
  Stub = Service.rpc_stub_class
@@ -80,6 +80,45 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
80
80
  add_message "google.cloud.asset.v1.IamPolicySearchResult.Explanation.Permissions" do
81
81
  repeated :permissions, :string, 1
82
82
  end
83
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisState" do
84
+ optional :code, :enum, 1, "google.rpc.Code"
85
+ optional :cause, :string, 2
86
+ end
87
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisResult" do
88
+ optional :attached_resource_full_name, :string, 1
89
+ optional :iam_binding, :message, 2, "google.iam.v1.Binding"
90
+ repeated :access_control_lists, :message, 3, "google.cloud.asset.v1.IamPolicyAnalysisResult.AccessControlList"
91
+ optional :identity_list, :message, 4, "google.cloud.asset.v1.IamPolicyAnalysisResult.IdentityList"
92
+ optional :fully_explored, :bool, 5
93
+ end
94
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisResult.Resource" do
95
+ optional :full_resource_name, :string, 1
96
+ optional :analysis_state, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisState"
97
+ end
98
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisResult.Access" do
99
+ optional :analysis_state, :message, 3, "google.cloud.asset.v1.IamPolicyAnalysisState"
100
+ oneof :oneof_access do
101
+ optional :role, :string, 1
102
+ optional :permission, :string, 2
103
+ end
104
+ end
105
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisResult.Identity" do
106
+ optional :name, :string, 1
107
+ optional :analysis_state, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisState"
108
+ end
109
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisResult.Edge" do
110
+ optional :source_node, :string, 1
111
+ optional :target_node, :string, 2
112
+ end
113
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisResult.AccessControlList" do
114
+ repeated :resources, :message, 1, "google.cloud.asset.v1.IamPolicyAnalysisResult.Resource"
115
+ repeated :accesses, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisResult.Access"
116
+ repeated :resource_edges, :message, 3, "google.cloud.asset.v1.IamPolicyAnalysisResult.Edge"
117
+ end
118
+ add_message "google.cloud.asset.v1.IamPolicyAnalysisResult.IdentityList" do
119
+ repeated :identities, :message, 1, "google.cloud.asset.v1.IamPolicyAnalysisResult.Identity"
120
+ repeated :group_edges, :message, 2, "google.cloud.asset.v1.IamPolicyAnalysisResult.Edge"
121
+ end
83
122
  end
84
123
  end
85
124
 
@@ -96,6 +135,14 @@ module Google
96
135
  IamPolicySearchResult = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicySearchResult").msgclass
97
136
  IamPolicySearchResult::Explanation = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicySearchResult.Explanation").msgclass
98
137
  IamPolicySearchResult::Explanation::Permissions = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicySearchResult.Explanation.Permissions").msgclass
138
+ IamPolicyAnalysisState = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisState").msgclass
139
+ IamPolicyAnalysisResult = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisResult").msgclass
140
+ IamPolicyAnalysisResult::Resource = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisResult.Resource").msgclass
141
+ IamPolicyAnalysisResult::Access = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisResult.Access").msgclass
142
+ IamPolicyAnalysisResult::Identity = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisResult.Identity").msgclass
143
+ IamPolicyAnalysisResult::Edge = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisResult.Edge").msgclass
144
+ IamPolicyAnalysisResult::AccessControlList = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisResult.AccessControlList").msgclass
145
+ IamPolicyAnalysisResult::IdentityList = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisResult.IdentityList").msgclass
99
146
  end
100
147
  end
101
148
  end
@@ -21,7 +21,7 @@ module Google
21
21
  module Cloud
22
22
  module Asset
23
23
  module V1
24
- VERSION = "0.7.0"
24
+ VERSION = "0.8.0"
25
25
  end
26
26
  end
27
27
  end
@@ -625,6 +625,329 @@ module Google
625
625
  extend ::Google::Protobuf::MessageExts::ClassMethods
626
626
  end
627
627
 
628
+ # IAM policy analysis query message.
629
+ # @!attribute [rw] scope
630
+ # @return [::String]
631
+ # Required. The relative name of the root asset. Only resources and IAM policies within
632
+ # the scope will be analyzed.
633
+ #
634
+ # This can only be an organization number (such as "organizations/123"), a
635
+ # folder number (such as "folders/123"), a project ID (such as
636
+ # "projects/my-project-id"), or a project number (such as "projects/12345").
637
+ #
638
+ # To know how to get organization id, visit [here
639
+ # ](https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id).
640
+ #
641
+ # To know how to get folder or project id, visit [here
642
+ # ](https://cloud.google.com/resource-manager/docs/creating-managing-folders#viewing_or_listing_folders_and_projects).
643
+ # @!attribute [rw] resource_selector
644
+ # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::ResourceSelector]
645
+ # Optional. Specifies a resource for analysis.
646
+ # @!attribute [rw] identity_selector
647
+ # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::IdentitySelector]
648
+ # Optional. Specifies an identity for analysis.
649
+ # @!attribute [rw] access_selector
650
+ # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::AccessSelector]
651
+ # Optional. Specifies roles or permissions for analysis. This is optional.
652
+ # @!attribute [rw] options
653
+ # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::Options]
654
+ # Optional. The query options.
655
+ class IamPolicyAnalysisQuery
656
+ include ::Google::Protobuf::MessageExts
657
+ extend ::Google::Protobuf::MessageExts::ClassMethods
658
+
659
+ # Specifies the resource to analyze for access policies, which may be set
660
+ # directly on the resource, or on ancestors such as organizations, folders or
661
+ # projects.
662
+ # @!attribute [rw] full_resource_name
663
+ # @return [::String]
664
+ # Required. The [full resource name]
665
+ # (https://cloud.google.com/asset-inventory/docs/resource-name-format)
666
+ # of a resource of [supported resource
667
+ # types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#analyzable_asset_types).
668
+ class ResourceSelector
669
+ include ::Google::Protobuf::MessageExts
670
+ extend ::Google::Protobuf::MessageExts::ClassMethods
671
+ end
672
+
673
+ # Specifies an identity for which to determine resource access, based on
674
+ # roles assigned either directly to them or to the groups they belong to,
675
+ # directly or indirectly.
676
+ # @!attribute [rw] identity
677
+ # @return [::String]
678
+ # Required. The identity appear in the form of members in
679
+ # [IAM policy
680
+ # binding](https://cloud.google.com/iam/reference/rest/v1/Binding).
681
+ #
682
+ # The examples of supported forms are:
683
+ # "user:mike@example.com",
684
+ # "group:admins@example.com",
685
+ # "domain:google.com",
686
+ # "serviceAccount:my-project-id@appspot.gserviceaccount.com".
687
+ #
688
+ # Notice that wildcard characters (such as * and ?) are not supported.
689
+ # You must give a specific identity.
690
+ class IdentitySelector
691
+ include ::Google::Protobuf::MessageExts
692
+ extend ::Google::Protobuf::MessageExts::ClassMethods
693
+ end
694
+
695
+ # Specifies roles and/or permissions to analyze, to determine both the
696
+ # identities possessing them and the resources they control. If multiple
697
+ # values are specified, results will include roles or permissions matching
698
+ # any of them. The total number of roles and permissions should be equal or
699
+ # less than 10.
700
+ # @!attribute [rw] roles
701
+ # @return [::Array<::String>]
702
+ # Optional. The roles to appear in result.
703
+ # @!attribute [rw] permissions
704
+ # @return [::Array<::String>]
705
+ # Optional. The permissions to appear in result.
706
+ class AccessSelector
707
+ include ::Google::Protobuf::MessageExts
708
+ extend ::Google::Protobuf::MessageExts::ClassMethods
709
+ end
710
+
711
+ # Contains query options.
712
+ # @!attribute [rw] expand_groups
713
+ # @return [::Boolean]
714
+ # Optional. If true, the identities section of the result will expand any
715
+ # Google groups appearing in an IAM policy binding.
716
+ #
717
+ # If {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#identity_selector IamPolicyAnalysisQuery.identity_selector} is specified, the
718
+ # identity in the result will be determined by the selector, and this flag
719
+ # is not allowed to set.
720
+ #
721
+ # Default is false.
722
+ # @!attribute [rw] expand_roles
723
+ # @return [::Boolean]
724
+ # Optional. If true, the access section of result will expand any roles
725
+ # appearing in IAM policy bindings to include their permissions.
726
+ #
727
+ # If {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#access_selector IamPolicyAnalysisQuery.access_selector} is specified, the access
728
+ # section of the result will be determined by the selector, and this flag
729
+ # is not allowed to set.
730
+ #
731
+ # Default is false.
732
+ # @!attribute [rw] expand_resources
733
+ # @return [::Boolean]
734
+ # Optional. If true and {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#resource_selector IamPolicyAnalysisQuery.resource_selector} is not
735
+ # specified, the resource section of the result will expand any resource
736
+ # attached to an IAM policy to include resources lower in the resource
737
+ # hierarchy.
738
+ #
739
+ # For example, if the request analyzes for which resources user A has
740
+ # permission P, and the results include an IAM policy with P on a GCP
741
+ # folder, the results will also include resources in that folder with
742
+ # permission P.
743
+ #
744
+ # If true and {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#resource_selector IamPolicyAnalysisQuery.resource_selector} is specified,
745
+ # the resource section of the result will expand the specified resource to
746
+ # include resources lower in the resource hierarchy. Only project or
747
+ # lower resources are supported. Folder and organization resource cannot be
748
+ # used together with this option.
749
+ #
750
+ # For example, if the request analyzes for which users have permission P on
751
+ # a GCP project with this option enabled, the results will include all
752
+ # users who have permission P on that project or any lower resource.
753
+ #
754
+ # Default is false.
755
+ # @!attribute [rw] output_resource_edges
756
+ # @return [::Boolean]
757
+ # Optional. If true, the result will output resource edges, starting
758
+ # from the policy attached resource, to any expanded resources.
759
+ # Default is false.
760
+ # @!attribute [rw] output_group_edges
761
+ # @return [::Boolean]
762
+ # Optional. If true, the result will output group identity edges, starting
763
+ # from the binding's group members, to any expanded identities.
764
+ # Default is false.
765
+ # @!attribute [rw] analyze_service_account_impersonation
766
+ # @return [::Boolean]
767
+ # Optional. If true, the response will include access analysis from identities to
768
+ # resources via service account impersonation. This is a very expensive
769
+ # operation, because many derived queries will be executed. We highly
770
+ # recommend you use {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy_longrunning AssetService.AnalyzeIamPolicyLongrunning} rpc
771
+ # instead.
772
+ #
773
+ # For example, if the request analyzes for which resources user A has
774
+ # permission P, and there's an IAM policy states user A has
775
+ # iam.serviceAccounts.getAccessToken permission to a service account SA,
776
+ # and there's another IAM policy states service account SA has permission P
777
+ # to a GCP folder F, then user A potentially has access to the GCP folder
778
+ # F. And those advanced analysis results will be included in
779
+ # {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis AnalyzeIamPolicyResponse.service_account_impersonation_analysis}.
780
+ #
781
+ # Another example, if the request analyzes for who has
782
+ # permission P to a GCP folder F, and there's an IAM policy states user A
783
+ # has iam.serviceAccounts.actAs permission to a service account SA, and
784
+ # there's another IAM policy states service account SA has permission P to
785
+ # the GCP folder F, then user A potentially has access to the GCP folder
786
+ # F. And those advanced analysis results will be included in
787
+ # {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis AnalyzeIamPolicyResponse.service_account_impersonation_analysis}.
788
+ #
789
+ # Default is false.
790
+ class Options
791
+ include ::Google::Protobuf::MessageExts
792
+ extend ::Google::Protobuf::MessageExts::ClassMethods
793
+ end
794
+ end
795
+
796
+ # A request message for {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy AssetService.AnalyzeIamPolicy}.
797
+ # @!attribute [rw] analysis_query
798
+ # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery]
799
+ # Required. The request query.
800
+ # @!attribute [rw] execution_timeout
801
+ # @return [::Google::Protobuf::Duration]
802
+ # Optional. Amount of time executable has to complete. See JSON representation of
803
+ # [Duration](https://developers.google.com/protocol-buffers/docs/proto3#json).
804
+ #
805
+ # If this field is set with a value less than the RPC deadline, and the
806
+ # execution of your query hasn't finished in the specified
807
+ # execution timeout, you will get a response with partial result.
808
+ # Otherwise, your query's execution will continue until the RPC deadline.
809
+ # If it's not finished until then, you will get a DEADLINE_EXCEEDED error.
810
+ #
811
+ # Default is empty.
812
+ class AnalyzeIamPolicyRequest
813
+ include ::Google::Protobuf::MessageExts
814
+ extend ::Google::Protobuf::MessageExts::ClassMethods
815
+ end
816
+
817
+ # A response message for {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy AssetService.AnalyzeIamPolicy}.
818
+ # @!attribute [rw] main_analysis
819
+ # @return [::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis]
820
+ # The main analysis that matches the original request.
821
+ # @!attribute [rw] service_account_impersonation_analysis
822
+ # @return [::Array<::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis>]
823
+ # The service account impersonation analysis if
824
+ # [AnalyzeIamPolicyRequest.analyze_service_account_impersonation][] is
825
+ # enabled.
826
+ # @!attribute [rw] fully_explored
827
+ # @return [::Boolean]
828
+ # Represents whether all entries in the {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#main_analysis main_analysis} and
829
+ # {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis service_account_impersonation_analysis} have been fully explored to
830
+ # answer the query in the request.
831
+ class AnalyzeIamPolicyResponse
832
+ include ::Google::Protobuf::MessageExts
833
+ extend ::Google::Protobuf::MessageExts::ClassMethods
834
+
835
+ # An analysis message to group the query and results.
836
+ # @!attribute [rw] analysis_query
837
+ # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery]
838
+ # The analysis query.
839
+ # @!attribute [rw] analysis_results
840
+ # @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult>]
841
+ # A list of {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult IamPolicyAnalysisResult} that matches the analysis query, or
842
+ # empty if no result is found.
843
+ # @!attribute [rw] fully_explored
844
+ # @return [::Boolean]
845
+ # Represents whether all entries in the {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis#analysis_results analysis_results} have been
846
+ # fully explored to answer the query.
847
+ # @!attribute [rw] non_critical_errors
848
+ # @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisState>]
849
+ # A list of non-critical errors happened during the query handling.
850
+ class IamPolicyAnalysis
851
+ include ::Google::Protobuf::MessageExts
852
+ extend ::Google::Protobuf::MessageExts::ClassMethods
853
+ end
854
+ end
855
+
856
+ # Output configuration for export IAM policy analysis destination.
857
+ # @!attribute [rw] gcs_destination
858
+ # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig::GcsDestination]
859
+ # Destination on Cloud Storage.
860
+ # @!attribute [rw] bigquery_destination
861
+ # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig::BigQueryDestination]
862
+ # Destination on BigQuery.
863
+ class IamPolicyAnalysisOutputConfig
864
+ include ::Google::Protobuf::MessageExts
865
+ extend ::Google::Protobuf::MessageExts::ClassMethods
866
+
867
+ # A Cloud Storage location.
868
+ # @!attribute [rw] uri
869
+ # @return [::String]
870
+ # Required. The uri of the Cloud Storage object. It's the same uri that is used by
871
+ # gsutil. For example: "gs://bucket_name/object_name". See
872
+ # [Quickstart: Using the gsutil tool]
873
+ # (https://cloud.google.com/storage/docs/quickstart-gsutil) for examples.
874
+ class GcsDestination
875
+ include ::Google::Protobuf::MessageExts
876
+ extend ::Google::Protobuf::MessageExts::ClassMethods
877
+ end
878
+
879
+ # A BigQuery destination.
880
+ # @!attribute [rw] dataset
881
+ # @return [::String]
882
+ # Required. The BigQuery dataset in format "projects/projectId/datasets/datasetId",
883
+ # to which the analysis results should be exported. If this dataset does
884
+ # not exist, the export call will return an INVALID_ARGUMENT error.
885
+ # @!attribute [rw] table_prefix
886
+ # @return [::String]
887
+ # Required. The prefix of the BigQuery tables to which the analysis results will be
888
+ # written. Tables will be created based on this table_prefix if not exist:
889
+ # * <table_prefix>_analysis table will contain export operation's metadata.
890
+ # * <table_prefix>_analysis_result will contain all the
891
+ # {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult IamPolicyAnalysisResult}.
892
+ # When [partition_key] is specified, both tables will be partitioned based
893
+ # on the [partition_key].
894
+ # @!attribute [rw] partition_key
895
+ # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig::BigQueryDestination::PartitionKey]
896
+ # The partition key for BigQuery partitioned table.
897
+ # @!attribute [rw] write_disposition
898
+ # @return [::String]
899
+ # Optional. Specifies the action that occurs if the destination table or partition
900
+ # already exists. The following values are supported:
901
+ #
902
+ # * WRITE_TRUNCATE: If the table or partition already exists, BigQuery
903
+ # overwrites the entire table or all the partitions data.
904
+ # * WRITE_APPEND: If the table or partition already exists, BigQuery
905
+ # appends the data to the table or the latest partition.
906
+ # * WRITE_EMPTY: If the table already exists and contains data, an error is
907
+ # returned.
908
+ #
909
+ # The default value is WRITE_APPEND. Each action is atomic and only occurs
910
+ # if BigQuery is able to complete the job successfully. Details are at
911
+ # https://cloud.google.com/bigquery/docs/loading-data-local#appending_to_or_overwriting_a_table_using_a_local_file.
912
+ class BigQueryDestination
913
+ include ::Google::Protobuf::MessageExts
914
+ extend ::Google::Protobuf::MessageExts::ClassMethods
915
+
916
+ # This enum determines the partition key column for the bigquery tables.
917
+ # Partitioning can improve query performance and reduce query cost by
918
+ # filtering partitions. Refer to
919
+ # https://cloud.google.com/bigquery/docs/partitioned-tables for details.
920
+ module PartitionKey
921
+ # Unspecified partition key. Tables won't be partitioned using this
922
+ # option.
923
+ PARTITION_KEY_UNSPECIFIED = 0
924
+
925
+ # The time when the request is received. If specified as partition key,
926
+ # the result table(s) is partitoned by the RequestTime column, an
927
+ # additional timestamp column representing when the request was received.
928
+ REQUEST_TIME = 1
929
+ end
930
+ end
931
+ end
932
+
933
+ # A request message for {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy_longrunning AssetService.AnalyzeIamPolicyLongrunning}.
934
+ # @!attribute [rw] analysis_query
935
+ # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery]
936
+ # Required. The request query.
937
+ # @!attribute [rw] output_config
938
+ # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig]
939
+ # Required. Output configuration indicating where the results will be output to.
940
+ class AnalyzeIamPolicyLongrunningRequest
941
+ include ::Google::Protobuf::MessageExts
942
+ extend ::Google::Protobuf::MessageExts::ClassMethods
943
+ end
944
+
945
+ # A response message for {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy_longrunning AssetService.AnalyzeIamPolicyLongrunning}.
946
+ class AnalyzeIamPolicyLongrunningResponse
947
+ include ::Google::Protobuf::MessageExts
948
+ extend ::Google::Protobuf::MessageExts::ClassMethods
949
+ end
950
+
628
951
  # Asset content type.
629
952
  module ContentType
630
953
  # Unspecified content type.
@@ -396,6 +396,173 @@ module Google
396
396
  end
397
397
  end
398
398
  end
399
+
400
+ # Represents the detailed state of an entity under analysis, such as a
401
+ # resource, an identity or an access.
402
+ # @!attribute [rw] code
403
+ # @return [::Google::Rpc::Code]
404
+ # The Google standard error code that best describes the state.
405
+ # For example:
406
+ # - OK means the analysis on this entity has been successfully finished;
407
+ # - PERMISSION_DENIED means an access denied error is encountered;
408
+ # - DEADLINE_EXCEEDED means the analysis on this entity hasn't been started
409
+ # in time;
410
+ # @!attribute [rw] cause
411
+ # @return [::String]
412
+ # The human-readable description of the cause of failure.
413
+ class IamPolicyAnalysisState
414
+ include ::Google::Protobuf::MessageExts
415
+ extend ::Google::Protobuf::MessageExts::ClassMethods
416
+ end
417
+
418
+ # IAM Policy analysis result, consisting of one IAM policy binding and derived
419
+ # access control lists.
420
+ # @!attribute [rw] attached_resource_full_name
421
+ # @return [::String]
422
+ # The [full resource
423
+ # name](https://cloud.google.com/asset-inventory/docs/resource-name-format)
424
+ # of the resource to which the {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult#iam_binding iam_binding} policy attaches.
425
+ # @!attribute [rw] iam_binding
426
+ # @return [::Google::Iam::V1::Binding]
427
+ # The Cloud IAM policy binding under analysis.
428
+ # @!attribute [rw] access_control_lists
429
+ # @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::AccessControlList>]
430
+ # The access control lists derived from the {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult#iam_binding iam_binding} that match or
431
+ # potentially match resource and access selectors specified in the request.
432
+ # @!attribute [rw] identity_list
433
+ # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::IdentityList]
434
+ # The identity list derived from members of the {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult#iam_binding iam_binding} that match or
435
+ # potentially match identity selector specified in the request.
436
+ # @!attribute [rw] fully_explored
437
+ # @return [::Boolean]
438
+ # Represents whether all analyses on the {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult#iam_binding iam_binding} have successfully
439
+ # finished.
440
+ class IamPolicyAnalysisResult
441
+ include ::Google::Protobuf::MessageExts
442
+ extend ::Google::Protobuf::MessageExts::ClassMethods
443
+
444
+ # A Google Cloud resource under analysis.
445
+ # @!attribute [rw] full_resource_name
446
+ # @return [::String]
447
+ # The [full resource
448
+ # name](https://cloud.google.com/asset-inventory/docs/resource-name-format)
449
+ # @!attribute [rw] analysis_state
450
+ # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisState]
451
+ # The analysis state of this resource.
452
+ class Resource
453
+ include ::Google::Protobuf::MessageExts
454
+ extend ::Google::Protobuf::MessageExts::ClassMethods
455
+ end
456
+
457
+ # An IAM role or permission under analysis.
458
+ # @!attribute [rw] role
459
+ # @return [::String]
460
+ # The role.
461
+ # @!attribute [rw] permission
462
+ # @return [::String]
463
+ # The permission.
464
+ # @!attribute [rw] analysis_state
465
+ # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisState]
466
+ # The analysis state of this access.
467
+ class Access
468
+ include ::Google::Protobuf::MessageExts
469
+ extend ::Google::Protobuf::MessageExts::ClassMethods
470
+ end
471
+
472
+ # An identity under analysis.
473
+ # @!attribute [rw] name
474
+ # @return [::String]
475
+ # The identity name in any form of members appear in
476
+ # [IAM policy
477
+ # binding](https://cloud.google.com/iam/reference/rest/v1/Binding), such
478
+ # as:
479
+ # - user:foo@google.com
480
+ # - group:group1@google.com
481
+ # - serviceAccount:s1@prj1.iam.gserviceaccount.com
482
+ # - projectOwner:some_project_id
483
+ # - domain:google.com
484
+ # - allUsers
485
+ # - etc.
486
+ # @!attribute [rw] analysis_state
487
+ # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisState]
488
+ # The analysis state of this identity.
489
+ class Identity
490
+ include ::Google::Protobuf::MessageExts
491
+ extend ::Google::Protobuf::MessageExts::ClassMethods
492
+ end
493
+
494
+ # A directional edge.
495
+ # @!attribute [rw] source_node
496
+ # @return [::String]
497
+ # The source node of the edge. For example, it could be a full resource
498
+ # name for a resource node or an email of an identity.
499
+ # @!attribute [rw] target_node
500
+ # @return [::String]
501
+ # The target node of the edge. For example, it could be a full resource
502
+ # name for a resource node or an email of an identity.
503
+ class Edge
504
+ include ::Google::Protobuf::MessageExts
505
+ extend ::Google::Protobuf::MessageExts::ClassMethods
506
+ end
507
+
508
+ # An access control list, derived from the above IAM policy binding, which
509
+ # contains a set of resources and accesses. May include one
510
+ # item from each set to compose an access control entry.
511
+ #
512
+ # NOTICE that there could be multiple access control lists for one IAM policy
513
+ # binding. The access control lists are created based on resource and access
514
+ # combinations.
515
+ #
516
+ # For example, assume we have the following cases in one IAM policy binding:
517
+ # - Permission P1 and P2 apply to resource R1 and R2;
518
+ # - Permission P3 applies to resource R2 and R3;
519
+ #
520
+ # This will result in the following access control lists:
521
+ # - AccessControlList 1: [R1, R2], [P1, P2]
522
+ # - AccessControlList 2: [R2, R3], [P3]
523
+ # @!attribute [rw] resources
524
+ # @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Resource>]
525
+ # The resources that match one of the following conditions:
526
+ # - The resource_selector, if it is specified in request;
527
+ # - Otherwise, resources reachable from the policy attached resource.
528
+ # @!attribute [rw] accesses
529
+ # @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Access>]
530
+ # The accesses that match one of the following conditions:
531
+ # - The access_selector, if it is specified in request;
532
+ # - Otherwise, access specifiers reachable from the policy binding's role.
533
+ # @!attribute [rw] resource_edges
534
+ # @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge>]
535
+ # Resource edges of the graph starting from the policy attached
536
+ # resource to any descendant resources. The {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#source_node Edge.source_node} contains
537
+ # the full resource name of a parent resource and {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#target_node Edge.target_node}
538
+ # contains the full resource name of a child resource. This field is
539
+ # present only if the output_resource_edges option is enabled in request.
540
+ class AccessControlList
541
+ include ::Google::Protobuf::MessageExts
542
+ extend ::Google::Protobuf::MessageExts::ClassMethods
543
+ end
544
+
545
+ # The identities and group edges.
546
+ # @!attribute [rw] identities
547
+ # @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Identity>]
548
+ # Only the identities that match one of the following conditions will be
549
+ # presented:
550
+ # - The identity_selector, if it is specified in request;
551
+ # - Otherwise, identities reachable from the policy binding's members.
552
+ # @!attribute [rw] group_edges
553
+ # @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge>]
554
+ # Group identity edges of the graph starting from the binding's
555
+ # group members to any node of the {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::IdentityList#identities identities}. The {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#source_node Edge.source_node}
556
+ # contains a group, such as `group:parent@google.com`. The
557
+ # {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#target_node Edge.target_node} contains a member of the group,
558
+ # such as `group:child@google.com` or `user:foo@google.com`.
559
+ # This field is present only if the output_group_edges option is enabled in
560
+ # request.
561
+ class IdentityList
562
+ include ::Google::Protobuf::MessageExts
563
+ extend ::Google::Protobuf::MessageExts::ClassMethods
564
+ end
565
+ end
399
566
  end
400
567
  end
401
568
  end
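Review bot: The docs for `fully_explored` on IamPolicyAnalysisResult and for `code` on IamPolicyAnalysisState never say what a consumer must do with a partial result, which matters for anyone using this API to answer "who can access X": when `fully_explored` is false, or a Resource/Identity/Access carries an `analysis_state.code` of PERMISSION_DENIED or DEADLINE_EXCEEDED, grants are missing, so an empty or short `access_control_lists`/`identity_list` must not be read as "no access". I would add after the `fully_explored` description: `# When false the result is incomplete; inspect each Resource/Identity/Access analysis_state before treating an absent entry as a denial.` The `Edge` docs also describe identity nodes as "an email of an identity" while `Identity#name` documents the prefixed `user:`/`group:`/`serviceAccount:` forms, so stating which form `source_node`/`target_node` actually carry would avoid mismatched joins against `identities`. This file looks gapic-generated from the proto comments, so the wording change presumably belongs in the upstream `.proto` rather than here.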
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: google-cloud-asset-v1
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.7.0
4
+ version: 0.8.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Google LLC
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-09-17 00:00:00.000000000 Z
11
+ date: 2020-11-02 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: gapic-common