google-cloud-iap-v1 0.1.3 → 0.4.0

data/lib/google/cloud/iap/v1/identity_aware_proxy_admin_service/paths.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Auto-generated by gapic-generator-ruby. DO NOT EDIT!
+
+
+module Google
+  module Cloud
+    module Iap
+      module V1
+        module IdentityAwareProxyAdminService
+          # Path helper methods for the IdentityAwareProxyAdminService API.
+          module Paths
+            ##
+            # Create a fully-qualified TunnelDestGroup resource string.
+            #
+            # The resource will be in the following format:
+            #
+            # `projects/{project}/iap_tunnel/locations/{location}/destGroups/{dest_group}`
+            #
+            # @param project [String]
+            # @param location [String]
+            # @param dest_group [String]
+            #
+            # @return [::String]
+            def tunnel_dest_group_path project:, location:, dest_group:
+              raise ::ArgumentError, "project cannot contain /" if project.to_s.include? "/"
+              raise ::ArgumentError, "location cannot contain /" if location.to_s.include? "/"
+
+              "projects/#{project}/iap_tunnel/locations/#{location}/destGroups/#{dest_group}"
+            end
+
+            ##
+            # Create a fully-qualified TunnelLocation resource string.
+            #
+            # The resource will be in the following format:
+            #
+            # `projects/{project}/iap_tunnel/locations/{location}`
+            #
+            # @param project [String]
+            # @param location [String]
+            #
+            # @return [::String]
+            def tunnel_location_path project:, location:
+              raise ::ArgumentError, "project cannot contain /" if project.to_s.include? "/"
+
+              "projects/#{project}/iap_tunnel/locations/#{location}"
+            end
+
+            extend self
+          end
+        end
+      end
+    end
+  end
+end

data/lib/google/cloud/iap/v1/identity_aware_proxy_admin_service.rb

@@ -23,6 +23,7 @@ require "gapic/config/method"
 require "google/cloud/iap/v1/version"
 
 require "google/cloud/iap/v1/identity_aware_proxy_admin_service/credentials"
+require "google/cloud/iap/v1/identity_aware_proxy_admin_service/paths"
 require "google/cloud/iap/v1/identity_aware_proxy_admin_service/client"
 
 module Google

data/lib/google/cloud/iap/v1/identity_aware_proxy_o_auth_service/client.rb

@@ -235,11 +235,12 @@ module Google
             ##
             # Constructs a new OAuth brand for the project if one does not exist.
             # The created brand is "internal only", meaning that OAuth clients created
-            # under it only accept requests from users who belong to the same G Suite
-            # organization as the project. The brand is created in an un-reviewed status.
-            # NOTE: The "internal only" status can be manually changed in the Google
-            # Cloud console. Requires that a brand does not already exist for the
-            # project, and that the specified support email is owned by the caller.
+            # under it only accept requests from users who belong to the same Google
+            # Workspace organization as the project. The brand is created in an
+            # un-reviewed status. NOTE: The "internal only" status can be manually
+            # changed in the Google Cloud Console. Requires that a brand does not already
+            # exist for the project, and that the specified support email is owned by the
+            # caller.
             #
             # @overload create_brand(request, options = nil)
             #   Pass arguments to `create_brand` via a request object, either of type

data/lib/google/cloud/iap/v1/service_pb.rb

@@ -1,18 +1,50 @@
 # Generated by the protocol buffer compiler.  DO NOT EDIT!
 # source: google/cloud/iap/v1/service.proto
 
+require 'google/protobuf'
+
 require 'google/api/annotations_pb'
+require 'google/api/client_pb'
 require 'google/api/field_behavior_pb'
+require 'google/api/resource_pb'
 require 'google/iam/v1/iam_policy_pb'
 require 'google/iam/v1/policy_pb'
+require 'google/protobuf/duration_pb'
 require 'google/protobuf/empty_pb'
 require 'google/protobuf/field_mask_pb'
 require 'google/protobuf/wrappers_pb'
-require 'google/api/client_pb'
-require 'google/protobuf'
 
 Google::Protobuf::DescriptorPool.generated_pool.build do
   add_file("google/cloud/iap/v1/service.proto", :syntax => :proto3) do
+    add_message "google.cloud.iap.v1.ListTunnelDestGroupsRequest" do
+      optional :parent, :string, 1
+      optional :page_size, :int32, 2
+      optional :page_token, :string, 3
+    end
+    add_message "google.cloud.iap.v1.ListTunnelDestGroupsResponse" do
+      repeated :tunnel_dest_groups, :message, 1, "google.cloud.iap.v1.TunnelDestGroup"
+      optional :next_page_token, :string, 2
+    end
+    add_message "google.cloud.iap.v1.CreateTunnelDestGroupRequest" do
+      optional :parent, :string, 1
+      optional :tunnel_dest_group, :message, 2, "google.cloud.iap.v1.TunnelDestGroup"
+      optional :tunnel_dest_group_id, :string, 3
+    end
+    add_message "google.cloud.iap.v1.GetTunnelDestGroupRequest" do
+      optional :name, :string, 1
+    end
+    add_message "google.cloud.iap.v1.DeleteTunnelDestGroupRequest" do
+      optional :name, :string, 1
+    end
+    add_message "google.cloud.iap.v1.UpdateTunnelDestGroupRequest" do
+      optional :tunnel_dest_group, :message, 1, "google.cloud.iap.v1.TunnelDestGroup"
+      optional :update_mask, :message, 2, "google.protobuf.FieldMask"
+    end
+    add_message "google.cloud.iap.v1.TunnelDestGroup" do
+      optional :name, :string, 1
+      repeated :cidrs, :string, 2
+      repeated :fqdns, :string, 3
+    end
     add_message "google.cloud.iap.v1.GetIapSettingsRequest" do
       optional :name, :string, 1
     end
@@ -29,6 +61,7 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
       optional :gcip_settings, :message, 1, "google.cloud.iap.v1.GcipSettings"
       optional :cors_settings, :message, 2, "google.cloud.iap.v1.CorsSettings"
       optional :oauth_settings, :message, 3, "google.cloud.iap.v1.OAuthSettings"
+      optional :reauth_settings, :message, 6, "google.cloud.iap.v1.ReauthSettings"
     end
     add_message "google.cloud.iap.v1.GcipSettings" do
       repeated :tenant_ids, :string, 1
@@ -40,6 +73,22 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
     add_message "google.cloud.iap.v1.OAuthSettings" do
       optional :login_hint, :message, 2, "google.protobuf.StringValue"
     end
+    add_message "google.cloud.iap.v1.ReauthSettings" do
+      optional :method, :enum, 1, "google.cloud.iap.v1.ReauthSettings.Method"
+      optional :max_age, :message, 2, "google.protobuf.Duration"
+      optional :policy_type, :enum, 3, "google.cloud.iap.v1.ReauthSettings.PolicyType"
+    end
+    add_enum "google.cloud.iap.v1.ReauthSettings.Method" do
+      value :METHOD_UNSPECIFIED, 0
+      value :LOGIN, 1
+      value :PASSWORD, 2
+      value :SECURE_KEY, 3
+    end
+    add_enum "google.cloud.iap.v1.ReauthSettings.PolicyType" do
+      value :POLICY_TYPE_UNSPECIFIED, 0
+      value :MINIMUM, 1
+      value :DEFAULT, 2
+    end
     add_message "google.cloud.iap.v1.ApplicationSettings" do
       optional :csm_settings, :message, 1, "google.cloud.iap.v1.CsmSettings"
       optional :access_denied_page_settings, :message, 2, "google.cloud.iap.v1.AccessDeniedPageSettings"
@@ -105,6 +154,13 @@ module Google
   module Cloud
     module Iap
       module V1
+        ListTunnelDestGroupsRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.iap.v1.ListTunnelDestGroupsRequest").msgclass
+        ListTunnelDestGroupsResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.iap.v1.ListTunnelDestGroupsResponse").msgclass
+        CreateTunnelDestGroupRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.iap.v1.CreateTunnelDestGroupRequest").msgclass
+        GetTunnelDestGroupRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.iap.v1.GetTunnelDestGroupRequest").msgclass
+        DeleteTunnelDestGroupRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.iap.v1.DeleteTunnelDestGroupRequest").msgclass
+        UpdateTunnelDestGroupRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.iap.v1.UpdateTunnelDestGroupRequest").msgclass
+        TunnelDestGroup = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.iap.v1.TunnelDestGroup").msgclass
         GetIapSettingsRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.iap.v1.GetIapSettingsRequest").msgclass
         UpdateIapSettingsRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.iap.v1.UpdateIapSettingsRequest").msgclass
         IapSettings = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.iap.v1.IapSettings").msgclass
@@ -112,6 +168,9 @@ module Google
         GcipSettings = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.iap.v1.GcipSettings").msgclass
         CorsSettings = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.iap.v1.CorsSettings").msgclass
         OAuthSettings = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.iap.v1.OAuthSettings").msgclass
+        ReauthSettings = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.iap.v1.ReauthSettings").msgclass
+        ReauthSettings::Method = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.iap.v1.ReauthSettings.Method").enummodule
+        ReauthSettings::PolicyType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.iap.v1.ReauthSettings.PolicyType").enummodule
         ApplicationSettings = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.iap.v1.ApplicationSettings").msgclass
         CsmSettings = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.iap.v1.CsmSettings").msgclass
         AccessDeniedPageSettings = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.iap.v1.AccessDeniedPageSettings").msgclass

data/lib/google/cloud/iap/v1/service_services_pb.rb

@@ -53,6 +53,18 @@ module Google
             # Updates the IAP settings on a particular IAP protected resource. It
             # replaces all fields unless the `update_mask` is set.
             rpc :UpdateIapSettings, ::Google::Cloud::Iap::V1::UpdateIapSettingsRequest, ::Google::Cloud::Iap::V1::IapSettings
+            # Lists the existing TunnelDestGroups. To group across all locations, use a
+            # `-` as the location ID. For example:
+            # `/v1/projects/123/iap_tunnel/locations/-/destGroups`
+            rpc :ListTunnelDestGroups, ::Google::Cloud::Iap::V1::ListTunnelDestGroupsRequest, ::Google::Cloud::Iap::V1::ListTunnelDestGroupsResponse
+            # Creates a new TunnelDestGroup.
+            rpc :CreateTunnelDestGroup, ::Google::Cloud::Iap::V1::CreateTunnelDestGroupRequest, ::Google::Cloud::Iap::V1::TunnelDestGroup
+            # Retrieves an existing TunnelDestGroup.
+            rpc :GetTunnelDestGroup, ::Google::Cloud::Iap::V1::GetTunnelDestGroupRequest, ::Google::Cloud::Iap::V1::TunnelDestGroup
+            # Deletes a TunnelDestGroup.
+            rpc :DeleteTunnelDestGroup, ::Google::Cloud::Iap::V1::DeleteTunnelDestGroupRequest, ::Google::Protobuf::Empty
+            # Updates a TunnelDestGroup.
+            rpc :UpdateTunnelDestGroup, ::Google::Cloud::Iap::V1::UpdateTunnelDestGroupRequest, ::Google::Cloud::Iap::V1::TunnelDestGroup
           end
 
           Stub = Service.rpc_stub_class
@@ -73,11 +85,12 @@ module Google
             rpc :ListBrands, ::Google::Cloud::Iap::V1::ListBrandsRequest, ::Google::Cloud::Iap::V1::ListBrandsResponse
             # Constructs a new OAuth brand for the project if one does not exist.
             # The created brand is "internal only", meaning that OAuth clients created
-            # under it only accept requests from users who belong to the same G Suite
-            # organization as the project. The brand is created in an un-reviewed status.
-            # NOTE: The "internal only" status can be manually changed in the Google
-            # Cloud console. Requires that a brand does not already exist for the
-            # project, and that the specified support email is owned by the caller.
+            # under it only accept requests from users who belong to the same Google
+            # Workspace organization as the project. The brand is created in an
+            # un-reviewed status. NOTE: The "internal only" status can be manually
+            # changed in the Google Cloud Console. Requires that a brand does not already
+            # exist for the project, and that the specified support email is owned by the
+            # caller.
             rpc :CreateBrand, ::Google::Cloud::Iap::V1::CreateBrandRequest, ::Google::Cloud::Iap::V1::Brand
             # Retrieves the OAuth brand of the project.
             rpc :GetBrand, ::Google::Cloud::Iap::V1::GetBrandRequest, ::Google::Cloud::Iap::V1::Brand

data/lib/google/cloud/iap/v1/version.rb

@@ -21,7 +21,7 @@ module Google
   module Cloud
     module Iap
       module V1
-        VERSION = "0.1.3"
+        VERSION = "0.4.0"
       end
     end
   end

data/lib/google/cloud/iap/v1.rb

@@ -26,6 +26,8 @@ module Google
       ##
       # To load this package, including all its services, and instantiate a client:
       #
+      # @example
+      #
       #     require "google/cloud/iap/v1"
       #     client = ::Google::Cloud::Iap::V1::IdentityAwareProxyAdminService::Client.new
       #

data/proto_docs/google/cloud/iap/v1/service.rb

@@ -21,6 +21,118 @@ module Google
   module Cloud
     module Iap
       module V1
+        # The request to ListTunnelDestGroups.
+        # @!attribute [rw] parent
+        #   @return [::String]
+        #     Required. Google Cloud Project ID and location.
+        #     In the following format:
+        #     `projects/{project_number/id}/iap_tunnel/locations/{location}`.
+        #     A `-` can be used for the location to group across all locations.
+        # @!attribute [rw] page_size
+        #   @return [::Integer]
+        #     The maximum number of groups to return. The service might return fewer than
+        #     this value.
+        #     If unspecified, at most 100 groups are returned.
+        #     The maximum value is 1000; values above 1000 are coerced to 1000.
+        # @!attribute [rw] page_token
+        #   @return [::String]
+        #     A page token, received from a previous `ListTunnelDestGroups`
+        #     call. Provide this to retrieve the subsequent page.
+        #
+        #     When paginating, all other parameters provided to
+        #     `ListTunnelDestGroups` must match the call that provided the page
+        #     token.
+        class ListTunnelDestGroupsRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # The response from ListTunnelDestGroups.
+        # @!attribute [rw] tunnel_dest_groups
+        #   @return [::Array<::Google::Cloud::Iap::V1::TunnelDestGroup>]
+        #     TunnelDestGroup existing in the project.
+        # @!attribute [rw] next_page_token
+        #   @return [::String]
+        #     A token that you can send as `page_token` to retrieve the next page.
+        #     If this field is omitted, there are no subsequent pages.
+        class ListTunnelDestGroupsResponse
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # The request to CreateTunnelDestGroup.
+        # @!attribute [rw] parent
+        #   @return [::String]
+        #     Required. Google Cloud Project ID and location.
+        #     In the following format:
+        #     `projects/{project_number/id}/iap_tunnel/locations/{location}`.
+        # @!attribute [rw] tunnel_dest_group
+        #   @return [::Google::Cloud::Iap::V1::TunnelDestGroup]
+        #     Required. The TunnelDestGroup to create.
+        # @!attribute [rw] tunnel_dest_group_id
+        #   @return [::String]
+        #     Required. The ID to use for the TunnelDestGroup, which becomes the final component of
+        #     the resource name.
+        #
+        #     This value must be 4-63 characters, and valid characters
+        #     are `[a-z][0-9]-`.
+        class CreateTunnelDestGroupRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # The request to GetTunnelDestGroup.
+        # @!attribute [rw] name
+        #   @return [::String]
+        #     Required. Name of the TunnelDestGroup to be fetched.
+        #     In the following format:
+        #     `projects/{project_number/id}/iap_tunnel/locations/{location}/destGroups/{dest_group}`.
+        class GetTunnelDestGroupRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # The request to DeleteTunnelDestGroup.
+        # @!attribute [rw] name
+        #   @return [::String]
+        #     Required. Name of the TunnelDestGroup to delete.
+        #     In the following format:
+        #     `projects/{project_number/id}/iap_tunnel/locations/{location}/destGroups/{dest_group}`.
+        class DeleteTunnelDestGroupRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # The request to UpdateTunnelDestGroup.
+        # @!attribute [rw] tunnel_dest_group
+        #   @return [::Google::Cloud::Iap::V1::TunnelDestGroup]
+        #     Required. The new values for the TunnelDestGroup.
+        # @!attribute [rw] update_mask
+        #   @return [::Google::Protobuf::FieldMask]
+        #     A field mask that specifies which IAP settings to update.
+        #     If omitted, then all of the settings are updated. See
+        #     https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask
+        class UpdateTunnelDestGroupRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # A TunnelDestGroup.
+        # @!attribute [rw] name
+        #   @return [::String]
+        #     Required. Immutable. Identifier for the TunnelDestGroup. Must be unique within the
+        #     project.
+        # @!attribute [rw] cidrs
+        #   @return [::Array<::String>]
+        #     null List of CIDRs that this group applies to.
+        # @!attribute [rw] fqdns
+        #   @return [::Array<::String>]
+        #     null List of FQDNs that this group applies to.
+        class TunnelDestGroup
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
         # The request sent to GetIapSettings.
         # @!attribute [rw] name
         #   @return [::String]
@@ -73,6 +185,9 @@ module Google
         # @!attribute [rw] oauth_settings
         #   @return [::Google::Cloud::Iap::V1::OAuthSettings]
         #     Settings to configure IAP's OAuth behavior.
+        # @!attribute [rw] reauth_settings
+        #   @return [::Google::Cloud::Iap::V1::ReauthSettings]
+        #     Settings to configure reauthentication policies in IAP.
         class AccessSettings
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -122,6 +237,55 @@ module Google
           extend ::Google::Protobuf::MessageExts::ClassMethods
         end
 
+        # Configuration for IAP reauthentication policies.
+        # @!attribute [rw] method
+        #   @return [::Google::Cloud::Iap::V1::ReauthSettings::Method]
+        #     Reauth method required by the policy.
+        # @!attribute [rw] max_age
+        #   @return [::Google::Protobuf::Duration]
+        #     Reauth session lifetime, how long before a user has to reauthenticate
+        #     again.
+        # @!attribute [rw] policy_type
+        #   @return [::Google::Cloud::Iap::V1::ReauthSettings::PolicyType]
+        #     How IAP determines the effective policy in cases of hierarchial policies.
+        #     Policies are merged from higher in the hierarchy to lower in the hierarchy.
+        class ReauthSettings
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+
+          # Types of reauthentication methods supported by IAP.
+          module Method
+            # Reauthentication disabled.
+            METHOD_UNSPECIFIED = 0
+
+            # Mimics the behavior as if the user had logged out and tried to log in
+            # again. Users with 2SV (2-step verification) enabled see their 2SV
+            # challenges if they did not opt to have their second factor responses
+            # saved. Apps Core (GSuites) admins can configure settings to disable 2SV
+            # cookies and require 2SV for all Apps Core users in their domains.
+            LOGIN = 1
+
+            # User must type their password.
+            PASSWORD = 2
+
+            # User must use their secure key 2nd factor device.
+            SECURE_KEY = 3
+          end
+
+          # Type of policy in the case of hierarchial policies.
+          module PolicyType
+            # Default value. This value is unused.
+            POLICY_TYPE_UNSPECIFIED = 0
+
+            # This policy acts as a minimum to other policies, lower in the hierarchy.
+            # Effective policy may only be the same or stricter.
+            MINIMUM = 1
+
+            # This policy acts as a default if no other reauth policy is set.
+            DEFAULT = 2
+          end
+        end
+
         # Wrapper over application specific settings for IAP.
         # @!attribute [rw] csm_settings
         #   @return [::Google::Cloud::Iap::V1::CsmSettings]

data/proto_docs/google/iam/v1/iam_policy.rb

@@ -31,6 +31,13 @@ module Google
       #     the policy is limited to a few 10s of KB. An empty policy is a
       #     valid policy but certain Cloud Platform services (such as Projects)
       #     might reject them.
+      # @!attribute [rw] update_mask
+      #   @return [::Google::Protobuf::FieldMask]
+      #     OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
+      #     the fields in the mask will be modified. If no mask is provided, the
+      #     following default mask is used:
+      #
+      #     `paths: "bindings, etag"`
       class SetIamPolicyRequest
         include ::Google::Protobuf::MessageExts
         extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -44,7 +51,7 @@ module Google
       # @!attribute [rw] options
       #   @return [::Google::Iam::V1::GetPolicyOptions]
       #     OPTIONAL: A `GetPolicyOptions` object for specifying options to
-      #     `GetIamPolicy`. This field is only used by Cloud IAM.
+      #     `GetIamPolicy`.
       class GetIamPolicyRequest
         include ::Google::Protobuf::MessageExts
         extend ::Google::Protobuf::MessageExts::ClassMethods

data/proto_docs/google/iam/v1/options.rb

@@ -23,14 +23,24 @@ module Google
       # Encapsulates settings provided to GetIamPolicy.
       # @!attribute [rw] requested_policy_version
       #   @return [::Integer]
-      #     Optional. The policy format version to be returned.
+      #     Optional. The maximum policy version that will be used to format the
+      #     policy.
       #
       #     Valid values are 0, 1, and 3. Requests specifying an invalid value will be
       #     rejected.
       #
-      #     Requests for policies with any conditional bindings must specify version 3.
-      #     Policies without any conditional bindings may specify any valid value or
-      #     leave the field unset.
+      #     Requests for policies with any conditional role bindings must specify
+      #     version 3. Policies with no conditional role bindings may specify any valid
+      #     value or leave the field unset.
+      #
+      #     The policy in the response might use the policy version that you specified,
+      #     or it might use a lower policy version. For example, if you specify version
+      #     3, but the policy has no conditional role bindings, the response uses
+      #     version 1.
+      #
+      #     To learn which resources support conditions in their IAM policies, see the
+      #     [IAM
+      #     documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
       class GetPolicyOptions
         include ::Google::Protobuf::MessageExts
         extend ::Google::Protobuf::MessageExts::ClassMethods