google-cloud-privileged_access_manager 0.a → 0.1.1
- checksums.yaml +4 -4
- data/.yardopts +11 -0
- data/AUTHENTICATION.md +122 -0
- data/README.md +151 -8
- data/lib/google/cloud/privileged_access_manager/version.rb +7 -2
- data/lib/google/cloud/privileged_access_manager.rb +139 -0
- data/lib/google-cloud-privileged_access_manager.rb +19 -0
- metadata +77 -10
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 6c5414a23e8310f2f2379de4b37969d3bb2294440ce1049b1cd5a82813ffb124
|
4
|
+
data.tar.gz: da26a13fb5d759d1fd9811ba28581ea474dfb1d838a7246f9f807c7ca06116c9
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: c09252e3f0fe829eb3f874078f4d18a5b6826448d09331251177684b55b442439ba580e5eb35a101c629845e8c74c49d0a497f7a370f91ef5ba771ec3d8cdd99
|
7
|
+
data.tar.gz: 3cad6a3c8d2b05fb450841d670c71181b61ba00820ec50440bdf9cdace51b90f584293dbf293e962f0aca2a3c550a3576185aff400e7de343aab88f20f914771
|
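Review bot: the SHA256/SHA512 values added in this hunk are digests of the gem's own `metadata.gz` and `data.tar.gz` and ship inside the package, so they catch a corrupted archive but say nothing about who built it; `cert_chain: []` in the `metadata` hunk below and the empty `signing_key:` in the final hunk show that the 0.1.1 release is unsigned. Consumers who need provenance should pin `google-cloud-privileged_access_manager` to `0.1.1` in a lockfile and verify the downloaded `.gem` against a digest obtained independently of the archive rather than relying on this file.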
data/.yardopts
ADDED
data/AUTHENTICATION.md
ADDED
@@ -0,0 +1,122 @@
|
|
1
|
+
# Authentication
|
2
|
+
|
3
|
+
The recommended way to authenticate to the google-cloud-privileged_access_manager library is to use
|
4
|
+
[Application Default Credentials (ADC)](https://cloud.google.com/docs/authentication/application-default-credentials).
|
5
|
+
To review all of your authentication options, see [Credentials lookup](#credential-lookup).
|
6
|
+
|
7
|
+
## Quickstart
|
8
|
+
|
9
|
+
The following example shows how to set up authentication for a local development
|
10
|
+
environment with your user credentials.
|
11
|
+
|
12
|
+
**NOTE:** This method is _not_ recommended for running in production. User credentials
|
13
|
+
should be used only during development.
|
14
|
+
|
15
|
+
1. [Download and install the Google Cloud CLI](https://cloud.google.com/sdk).
|
16
|
+
2. Set up a local ADC file with your user credentials:
|
17
|
+
|
18
|
+
```sh
|
19
|
+
gcloud auth application-default login
|
20
|
+
```
|
21
|
+
|
22
|
+
3. Write code as if already authenticated.
|
23
|
+
|
24
|
+
For more information about setting up authentication for a local development environment, see
|
25
|
+
[Set up Application Default Credentials](https://cloud.google.com/docs/authentication/provide-credentials-adc#local-dev).
|
26
|
+
|
27
|
+
## Credential Lookup
|
28
|
+
|
29
|
+
The google-cloud-privileged_access_manager library provides several mechanisms to configure your system.
|
30
|
+
Generally, using Application Default Credentials to facilitate automatic
|
31
|
+
credentials discovery is the easist method. But if you need to explicitly specify
|
32
|
+
credentials, there are several methods available to you.
|
33
|
+
|
34
|
+
Credentials are accepted in the following ways, in the following order or precedence:
|
35
|
+
|
36
|
+
1. Credentials specified in method arguments
|
37
|
+
2. Credentials specified in configuration
|
38
|
+
3. Credentials pointed to or included in environment variables
|
39
|
+
4. Credentials found in local ADC file
|
40
|
+
5. Credentials returned by the metadata server for the attached service account (GCP)
|
41
|
+
|
42
|
+
### Configuration
|
43
|
+
|
44
|
+
You can configure a path to a JSON credentials file, either for an individual client object or
|
45
|
+
globally, for all client objects. The JSON file can contain credentials created for
|
46
|
+
[workload identity federation](https://cloud.google.com/iam/docs/workload-identity-federation),
|
47
|
+
[workforce identity federation](https://cloud.google.com/iam/docs/workforce-identity-federation), or a
|
48
|
+
[service account key](https://cloud.google.com/docs/authentication/provide-credentials-adc#local-key).
|
49
|
+
|
50
|
+
Note: Service account keys are a security risk if not managed correctly. You should
|
51
|
+
[choose a more secure alternative to service account keys](https://cloud.google.com/docs/authentication#auth-decision-tree)
|
52
|
+
whenever possible.
|
53
|
+
|
54
|
+
To configure a credentials file for an individual client initialization:
|
55
|
+
|
56
|
+
```ruby
|
57
|
+
require "google/cloud/privileged_access_manager"
|
58
|
+
|
59
|
+
client = Google::Cloud::PrivilegedAccessManager.privileged_access_manager do |config|
|
60
|
+
config.credentials = "path/to/credentialfile.json"
|
61
|
+
end
|
62
|
+
```
|
63
|
+
|
64
|
+
To configure a credentials file globally for all clients:
|
65
|
+
|
66
|
+
```ruby
|
67
|
+
require "google/cloud/privileged_access_manager"
|
68
|
+
|
69
|
+
Google::Cloud::PrivilegedAccessManager.configure do |config|
|
70
|
+
config.credentials = "path/to/credentialfile.json"
|
71
|
+
end
|
72
|
+
|
73
|
+
client = Google::Cloud::PrivilegedAccessManager.privileged_access_manager
|
74
|
+
```
|
75
|
+
|
76
|
+
### Environment Variables
|
77
|
+
|
78
|
+
You can also use an environment variable to provide a JSON credentials file.
|
79
|
+
The environment variable can contain a path to the credentials file or, for
|
80
|
+
environments such as Docker containers where writing files is not encouraged,
|
81
|
+
you can include the credentials file itself.
|
82
|
+
|
83
|
+
The JSON file can contain credentials created for
|
84
|
+
[workload identity federation](https://cloud.google.com/iam/docs/workload-identity-federation),
|
85
|
+
[workforce identity federation](https://cloud.google.com/iam/docs/workforce-identity-federation), or a
|
86
|
+
[service account key](https://cloud.google.com/docs/authentication/provide-credentials-adc#local-key).
|
87
|
+
|
88
|
+
Note: Service account keys are a security risk if not managed correctly. You should
|
89
|
+
[choose a more secure alternative to service account keys](https://cloud.google.com/docs/authentication#auth-decision-tree)
|
90
|
+
whenever possible.
|
91
|
+
|
92
|
+
The environment variables that google-cloud-privileged_access_manager
|
93
|
+
checks for credentials are:
|
94
|
+
|
95
|
+
* `GOOGLE_CLOUD_CREDENTIALS` - Path to JSON file, or JSON contents
|
96
|
+
* `GOOGLE_APPLICATION_CREDENTIALS` - Path to JSON file
|
97
|
+
|
98
|
+
```ruby
|
99
|
+
require "google/cloud/privileged_access_manager"
|
100
|
+
|
101
|
+
ENV["GOOGLE_APPLICATION_CREDENTIALS"] = "path/to/credentialfile.json"
|
102
|
+
|
103
|
+
client = Google::Cloud::PrivilegedAccessManager.privileged_access_manager
|
104
|
+
```
|
105
|
+
|
106
|
+
### Local ADC file
|
107
|
+
|
108
|
+
You can set up a local ADC file with your user credentials for authentication during
|
109
|
+
development. If credentials are not provided in code or in environment variables,
|
110
|
+
then the local ADC credentials are discovered.
|
111
|
+
|
112
|
+
Follow the steps in [Quickstart](#quickstart) to set up a local ADC file.
|
113
|
+
|
114
|
+
### Google Cloud Platform environments
|
115
|
+
|
116
|
+
When running on Google Cloud Platform (GCP), including Google Compute Engine
|
117
|
+
(GCE), Google Kubernetes Engine (GKE), Google App Engine (GAE), Google Cloud
|
118
|
+
Functions (GCF) and Cloud Run, credentials are retrieved from the attached
|
119
|
+
service account automatically. Code should be written as if already authenticated.
|
120
|
+
|
121
|
+
For more information, see
|
122
|
+
[Set up ADC for Google Cloud services](https://cloud.google.com/docs/authentication/provide-credentials-adc#attached-sa).
|
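Review bot: "easist" should be "easiest" and "order or precedence" should be "order of precedence". On substance, the Configuration section shows only `config.credentials = "path/to/credentialfile.json"`, but the field declared in `lib/google/cloud/privileged_access_manager.rb` is `match: [::String, ::Hash, ::Google::Auth::Credentials]`, so callers can also pass the parsed key as a Hash or a ready `Google::Auth::Credentials` object; documenting those forms here gives container deployments a way to avoid writing key material to disk, which the Environment Variables section itself discourages. The example in that section, `ENV["GOOGLE_APPLICATION_CREDENTIALS"] = "path/to/credentialfile.json"`, mutates the process environment from inside the program and is better labelled as an illustration of the lookup order than as a recommended pattern.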
data/README.md
CHANGED
@@ -1,8 +1,151 @@
|
|
1
|
-
#
|
2
|
-
|
3
|
-
|
4
|
-
|
5
|
-
|
6
|
-
|
7
|
-
|
8
|
-
|
1
|
+
# Ruby Client for the Privileged Access Manager API
|
2
|
+
|
3
|
+
Privileged Access Manager (PAM) helps you on your journey towards least privilege and helps mitigate risks tied to privileged access misuse or abuse. PAM allows you to shift from always-on standing privileges towards on-demand access with just-in-time, time-bound, and approval-based access elevations. PAM allows IAM administrators to create entitlements that can grant just-in-time, temporary access to any resource scope. Requesters can explore eligible entitlements and request the access needed for their task. Approvers are notified when approvals await their decision. Streamlined workflows facilitated by using PAM can support various use cases, including emergency access for incident responders, time-boxed access for developers for critical deployment or maintenance, temporary access for operators for data ingestion and audits, JIT access to service accounts for automated tasks, and more.
|
4
|
+
|
5
|
+
## Overview
|
6
|
+
|
7
|
+
Privileged Access Manager (PAM) is a Google Cloud native, managed solution
|
8
|
+
to secure, manage and audit privileged access while ensuring operational
|
9
|
+
velocity and developer productivity.
|
10
|
+
|
11
|
+
PAM enables just-in-time, time-bound, approval-based access elevations,
|
12
|
+
and auditing of privileged access elevations and activity. PAM lets you
|
13
|
+
define the rules of who can request access, what they can request access
|
14
|
+
to, and if they should be granted access with or without approvals based
|
15
|
+
on the sensitivity of the access and emergency of the situation.
|
16
|
+
|
17
|
+
## Concepts
|
18
|
+
|
19
|
+
### Entitlement
|
20
|
+
|
21
|
+
An entitlement is an eligibility or license that allows specified users
|
22
|
+
(requesters) to request and obtain access to specified resources subject
|
23
|
+
to a set of conditions such as duration, etc. entitlements can be granted
|
24
|
+
to both human and non-human principals.
|
25
|
+
|
26
|
+
### Grant
|
27
|
+
|
28
|
+
A grant is an instance of active usage against the entitlement. A user can
|
29
|
+
place a request for a grant against an entitlement. The request may be
|
30
|
+
forwarded to an approver for their decision. Once approved, the grant is
|
31
|
+
activated, ultimately giving the user access (roles/permissions) on a
|
32
|
+
resource per the criteria specified in entitlement.
|
33
|
+
|
34
|
+
### How does PAM work
|
35
|
+
|
36
|
+
PAM creates and uses a service agent (Google-managed service account) to
|
37
|
+
perform the required IAM policy changes for granting access at a
|
38
|
+
specific
|
39
|
+
resource/access scope. The service agent requires getIAMPolicy and
|
40
|
+
setIAMPolicy permissions at the appropriate (or higher) access scope
|
41
|
+
-
|
42
|
+
Organization/Folder/Project to make policy changes on the resources listed
|
43
|
+
in PAM entitlements.
|
44
|
+
|
45
|
+
When enabling PAM for a resource scope, the user/ principal performing
|
46
|
+
that action should have the appropriate permissions at that resource
|
47
|
+
scope
|
48
|
+
(resourcemanager.\\{projects|folders|organizations}.setIamPolicy,
|
49
|
+
resourcemanager.\\{projects|folders|organizations}.getIamPolicy, and
|
50
|
+
resourcemanager.\\{projects|folders|organizations}.get) to list and grant
|
51
|
+
the service agent/account the required access to perform IAM policy
|
52
|
+
changes.
|
53
|
+
|
54
|
+
Actual client classes for the various versions of this API are defined in
|
55
|
+
_versioned_ client gems, with names of the form `google-cloud-privileged_access_manager-v*`.
|
56
|
+
The gem `google-cloud-privileged_access_manager` is the main client library that brings the
|
57
|
+
verisoned gems in as dependencies, and provides high-level methods for
|
58
|
+
constructing clients. More information on versioned clients can be found below
|
59
|
+
in the section titled *Which client should I use?*.
|
60
|
+
|
61
|
+
View the [Client Library Documentation](https://cloud.google.com/ruby/docs/reference/google-cloud-privileged_access_manager/latest)
|
62
|
+
for this library, google-cloud-privileged_access_manager, to see the convenience methods for
|
63
|
+
constructing client objects. Reference documentation for the client objects
|
64
|
+
themselves can be found in the client library documentation for the versioned
|
65
|
+
client gems:
|
66
|
+
[google-cloud-privileged_access_manager-v1](https://cloud.google.com/ruby/docs/reference/google-cloud-privileged_access_manager-v1/latest).
|
67
|
+
|
68
|
+
See also the [Product Documentation](https://cloud.google.com/iam/docs/pam-overview)
|
69
|
+
for more usage information.
|
70
|
+
|
71
|
+
## Quick Start
|
72
|
+
|
73
|
+
```
|
74
|
+
$ gem install google-cloud-privileged_access_manager
|
75
|
+
```
|
76
|
+
|
77
|
+
In order to use this library, you first need to go through the following steps:
|
78
|
+
|
79
|
+
1. [Select or create a Cloud Platform project.](https://console.cloud.google.com/project)
|
80
|
+
1. [Enable billing for your project.](https://cloud.google.com/billing/docs/how-to/modify-project#enable_billing_for_a_project)
|
81
|
+
1. [Enable the API.](https://console.cloud.google.com/apis/library/privilegedaccessmanager.googleapis.com)
|
82
|
+
1. {file:AUTHENTICATION.md Set up authentication.}
|
83
|
+
|
84
|
+
## Supported Ruby Versions
|
85
|
+
|
86
|
+
This library is supported on Ruby 2.7+.
|
87
|
+
|
88
|
+
Google provides official support for Ruby versions that are actively supported
|
89
|
+
by Ruby Core—that is, Ruby versions that are either in normal maintenance or
|
90
|
+
in security maintenance, and not end of life. Older versions of Ruby _may_
|
91
|
+
still work, but are unsupported and not recommended. See
|
92
|
+
https://www.ruby-lang.org/en/downloads/branches/ for details about the Ruby
|
93
|
+
support schedule.
|
94
|
+
|
95
|
+
## Which client should I use?
|
96
|
+
|
97
|
+
Most modern Ruby client libraries for Google APIs come in two flavors: the main
|
98
|
+
client library with a name such as `google-cloud-privileged_access_manager`,
|
99
|
+
and lower-level _versioned_ client libraries with names such as
|
100
|
+
`google-cloud-privileged_access_manager-v1`.
|
101
|
+
_In most cases, you should install the main client._
|
102
|
+
|
103
|
+
### What's the difference between the main client and a versioned client?
|
104
|
+
|
105
|
+
A _versioned client_ provides a basic set of data types and client classes for
|
106
|
+
a _single version_ of a specific service. (That is, for a service with multiple
|
107
|
+
versions, there might be a separate versioned client for each service version.)
|
108
|
+
Most versioned clients are written and maintained by a code generator.
|
109
|
+
|
110
|
+
The _main client_ is designed to provide you with the _recommended_ client
|
111
|
+
interfaces for the service. There will be only one main client for any given
|
112
|
+
service, even a service with multiple versions. The main client includes
|
113
|
+
factory methods for constructing the client objects we recommend for most
|
114
|
+
users. In some cases, those will be classes provided by an underlying versioned
|
115
|
+
client; in other cases, they will be handwritten higher-level client objects
|
116
|
+
with additional capabilities, convenience methods, or best practices built in.
|
117
|
+
Generally, the main client will default to a recommended service version,
|
118
|
+
although in some cases you can override this if you need to talk to a specific
|
119
|
+
service version.
|
120
|
+
|
121
|
+
### Why would I want to use the main client?
|
122
|
+
|
123
|
+
We recommend that most users install the main client gem for a service. You can
|
124
|
+
identify this gem as the one _without_ a version in its name, e.g.
|
125
|
+
`google-cloud-privileged_access_manager`.
|
126
|
+
The main client is recommended because it will embody the best practices for
|
127
|
+
accessing the service, and may also provide more convenient interfaces or
|
128
|
+
tighter integration into frameworks and third-party libraries. In addition, the
|
129
|
+
documentation and samples published by Google will generally demonstrate use of
|
130
|
+
the main client.
|
131
|
+
|
132
|
+
### Why would I want to use a versioned client?
|
133
|
+
|
134
|
+
You can use a versioned client if you are content with a possibly lower-level
|
135
|
+
class interface, you explicitly want to avoid features provided by the main
|
136
|
+
client, or you want to access a specific service version not be covered by the
|
137
|
+
main client. You can identify versioned client gems because the service version
|
138
|
+
is part of the name, e.g. `google-cloud-privileged_access_manager-v1`.
|
139
|
+
|
140
|
+
### What about the google-apis-<name> clients?
|
141
|
+
|
142
|
+
Client library gems with names that begin with `google-apis-` are based on an
|
143
|
+
older code generation technology. They talk to a REST/JSON backend (whereas
|
144
|
+
most modern clients talk to a [gRPC](https://grpc.io/) backend) and they may
|
145
|
+
not offer the same performance, features, and ease of use provided by more
|
146
|
+
modern clients.
|
147
|
+
|
148
|
+
The `google-apis-` clients have wide coverage across Google services, so you
|
149
|
+
might need to use one if there is no modern client available for the service.
|
150
|
+
However, if a modern client is available, we generally recommend it over the
|
151
|
+
older `google-apis-` clients.
|
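Review bot: "verisoned gems" should be "versioned gems", "etc. entitlements can be granted" needs a capital after the period, and "user/ principal" has a stray space. On substance, the "How does PAM work" section says the service agent needs getIamPolicy and setIamPolicy "at the appropriate (or higher) access scope - Organization/Folder/Project" without telling readers to grant them at the narrowest scope that covers the entitlements; setIamPolicy on an organization lets the agent bind roles that inherit into every folder and project beneath it, so a one-sentence least-privilege caveat belongs at that line.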
@@ -1,10 +1,12 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
# Copyright 2024 Google LLC
|
2
4
|
#
|
3
5
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
4
6
|
# you may not use this file except in compliance with the License.
|
5
7
|
# You may obtain a copy of the License at
|
6
8
|
#
|
7
|
-
#
|
9
|
+
# https://www.apache.org/licenses/LICENSE-2.0
|
8
10
|
#
|
9
11
|
# Unless required by applicable law or agreed to in writing, software
|
10
12
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
@@ -12,10 +14,13 @@
|
|
12
14
|
# See the License for the specific language governing permissions and
|
13
15
|
# limitations under the License.
|
14
16
|
|
17
|
+
# Auto-generated by gapic-generator-ruby. DO NOT EDIT!
|
18
|
+
|
19
|
+
|
15
20
|
module Google
|
16
21
|
module Cloud
|
17
22
|
module PrivilegedAccessManager
|
18
|
-
VERSION = "0.
|
23
|
+
VERSION = "0.1.1"
|
19
24
|
end
|
20
25
|
end
|
21
26
|
end
|
@@ -0,0 +1,139 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
# Copyright 2024 Google LLC
|
4
|
+
#
|
5
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
6
|
+
# you may not use this file except in compliance with the License.
|
7
|
+
# You may obtain a copy of the License at
|
8
|
+
#
|
9
|
+
# https://www.apache.org/licenses/LICENSE-2.0
|
10
|
+
#
|
11
|
+
# Unless required by applicable law or agreed to in writing, software
|
12
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
13
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
14
|
+
# See the License for the specific language governing permissions and
|
15
|
+
# limitations under the License.
|
16
|
+
|
17
|
+
# Auto-generated by gapic-generator-ruby. DO NOT EDIT!
|
18
|
+
|
19
|
+
# Require this file early so that the version constant gets defined before
|
20
|
+
# requiring "google/cloud". This is because google-cloud-core will load the
|
21
|
+
# entrypoint (gem name) file, which in turn re-requires this file (hence
|
22
|
+
# causing a require cycle) unless the version constant is already defined.
|
23
|
+
require "google/cloud/privileged_access_manager/version"
|
24
|
+
|
25
|
+
require "googleauth"
|
26
|
+
gem "google-cloud-core"
|
27
|
+
require "google/cloud" unless defined? ::Google::Cloud.new
|
28
|
+
require "google/cloud/config"
|
29
|
+
|
30
|
+
# Set the default configuration
|
31
|
+
::Google::Cloud.configure.add_config! :privileged_access_manager do |config|
|
32
|
+
config.add_field! :endpoint, nil, match: ::String
|
33
|
+
config.add_field! :credentials, nil, match: [::String, ::Hash, ::Google::Auth::Credentials]
|
34
|
+
config.add_field! :scope, nil, match: [::Array, ::String]
|
35
|
+
config.add_field! :lib_name, nil, match: ::String
|
36
|
+
config.add_field! :lib_version, nil, match: ::String
|
37
|
+
config.add_field! :interceptors, nil, match: ::Array
|
38
|
+
config.add_field! :timeout, nil, match: ::Numeric
|
39
|
+
config.add_field! :metadata, nil, match: ::Hash
|
40
|
+
config.add_field! :retry_policy, nil, match: [::Hash, ::Proc]
|
41
|
+
config.add_field! :quota_project, nil, match: ::String
|
42
|
+
config.add_field! :universe_domain, nil, match: ::String
|
43
|
+
end
|
44
|
+
|
45
|
+
module Google
|
46
|
+
module Cloud
|
47
|
+
module PrivilegedAccessManager
|
48
|
+
##
|
49
|
+
# Create a new client object for PrivilegedAccessManager.
|
50
|
+
#
|
51
|
+
# By default, this returns an instance of
|
52
|
+
# [Google::Cloud::PrivilegedAccessManager::V1::PrivilegedAccessManager::Client](https://cloud.google.com/ruby/docs/reference/google-cloud-privileged_access_manager-v1/latest/Google-Cloud-PrivilegedAccessManager-V1-PrivilegedAccessManager-Client)
|
53
|
+
# for a gRPC client for version V1 of the API.
|
54
|
+
# However, you can specify a different API version by passing it in the
|
55
|
+
# `version` parameter. If the PrivilegedAccessManager service is
|
56
|
+
# supported by that API version, and the corresponding gem is available, the
|
57
|
+
# appropriate versioned client will be returned.
|
58
|
+
# You can also specify a different transport by passing `:rest` or `:grpc` in
|
59
|
+
# the `transport` parameter.
|
60
|
+
#
|
61
|
+
# ## About PrivilegedAccessManager
|
62
|
+
#
|
63
|
+
# This API allows customers to manage temporary, request based privileged
|
64
|
+
# access to their resources.
|
65
|
+
#
|
66
|
+
# It defines the following resource model:
|
67
|
+
#
|
68
|
+
# * A collection of `Entitlement` resources. An entitlement allows configuring
|
69
|
+
# (among other things):
|
70
|
+
#
|
71
|
+
# * Some kind of privileged access that users can request.
|
72
|
+
# * A set of users called _requesters_ who can request this access.
|
73
|
+
# * A maximum duration for which the access can be requested.
|
74
|
+
# * An optional approval workflow which must be satisfied before access is
|
75
|
+
# granted.
|
76
|
+
#
|
77
|
+
# * A collection of `Grant` resources. A grant is a request by a requester to
|
78
|
+
# get the privileged access specified in an entitlement for some duration.
|
79
|
+
#
|
80
|
+
# After the approval workflow as specified in the entitlement is satisfied,
|
81
|
+
# the specified access is given to the requester. The access is automatically
|
82
|
+
# taken back after the requested duration is over.
|
83
|
+
#
|
84
|
+
# @param version [::String, ::Symbol] The API version to connect to. Optional.
|
85
|
+
# Defaults to `:v1`.
|
86
|
+
# @param transport [:grpc, :rest] The transport to use. Defaults to `:grpc`.
|
87
|
+
# @return [::Object] A client object for the specified version.
|
88
|
+
#
|
89
|
+
def self.privileged_access_manager version: :v1, transport: :grpc, &block
|
90
|
+
require "google/cloud/privileged_access_manager/#{version.to_s.downcase}"
|
91
|
+
|
92
|
+
package_name = Google::Cloud::PrivilegedAccessManager
|
93
|
+
.constants
|
94
|
+
.select { |sym| sym.to_s.downcase == version.to_s.downcase.tr("_", "") }
|
95
|
+
.first
|
96
|
+
service_module = Google::Cloud::PrivilegedAccessManager.const_get(package_name).const_get(:PrivilegedAccessManager)
|
97
|
+
service_module = service_module.const_get(:Rest) if transport == :rest
|
98
|
+
service_module.const_get(:Client).new(&block)
|
99
|
+
end
|
100
|
+
|
101
|
+
##
|
102
|
+
# Configure the google-cloud-privileged_access_manager library.
|
103
|
+
#
|
104
|
+
# The following configuration parameters are supported:
|
105
|
+
#
|
106
|
+
# * `credentials` (*type:* `String, Hash, Google::Auth::Credentials`) -
|
107
|
+
# The path to the keyfile as a String, the contents of the keyfile as a
|
108
|
+
# Hash, or a Google::Auth::Credentials object.
|
109
|
+
# * `lib_name` (*type:* `String`) -
|
110
|
+
# The library name as recorded in instrumentation and logging.
|
111
|
+
# * `lib_version` (*type:* `String`) -
|
112
|
+
# The library version as recorded in instrumentation and logging.
|
113
|
+
# * `interceptors` (*type:* `Array<GRPC::ClientInterceptor>`) -
|
114
|
+
# An array of interceptors that are run before calls are executed.
|
115
|
+
# * `timeout` (*type:* `Numeric`) -
|
116
|
+
# Default timeout in seconds.
|
117
|
+
# * `metadata` (*type:* `Hash{Symbol=>String}`) -
|
118
|
+
# Additional headers to be sent with the call.
|
119
|
+
# * `retry_policy` (*type:* `Hash`) -
|
120
|
+
# The retry policy. The value is a hash with the following keys:
|
121
|
+
# * `:initial_delay` (*type:* `Numeric`) - The initial delay in seconds.
|
122
|
+
# * `:max_delay` (*type:* `Numeric`) - The max delay in seconds.
|
123
|
+
# * `:multiplier` (*type:* `Numeric`) - The incremental backoff multiplier.
|
124
|
+
# * `:retry_codes` (*type:* `Array<String>`) -
|
125
|
+
# The error codes that should trigger a retry.
|
126
|
+
#
|
127
|
+
# @return [::Google::Cloud::Config] The default configuration used by this library
|
128
|
+
#
|
129
|
+
def self.configure
|
130
|
+
yield ::Google::Cloud.configure.privileged_access_manager if block_given?
|
131
|
+
|
132
|
+
::Google::Cloud.configure.privileged_access_manager
|
133
|
+
end
|
134
|
+
end
|
135
|
+
end
|
136
|
+
end
|
137
|
+
|
138
|
+
helper_path = ::File.join __dir__, "privileged_access_manager", "helpers.rb"
|
139
|
+
require "google/cloud/privileged_access_manager/helpers" if ::File.file? helper_path
|
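Review bot: in `self.privileged_access_manager`, `transport` is compared only against `:rest` (`service_module = service_module.const_get(:Rest) if transport == :rest`), so any other value, including the string `"rest"`, silently falls back to the gRPC client; raising `ArgumentError` for anything other than `:grpc` or `:rest` would surface the mistake. Likewise `version` is interpolated straight into `require`, and if the file loads but no constant matches, `package_name` is `nil` and `const_get(nil)` fails with a `TypeError` instead of a message naming the unsupported version. Separately, the `configure` docstring lists seven settings while the `add_config!` block above also defines `endpoint`, `scope`, `quota_project` and `universe_domain`; those should be documented as well, since `endpoint` and `universe_domain` decide where the credentials are sent.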
@@ -0,0 +1,19 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
# Copyright 2024 Google LLC
|
4
|
+
#
|
5
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
6
|
+
# you may not use this file except in compliance with the License.
|
7
|
+
# You may obtain a copy of the License at
|
8
|
+
#
|
9
|
+
# https://www.apache.org/licenses/LICENSE-2.0
|
10
|
+
#
|
11
|
+
# Unless required by applicable law or agreed to in writing, software
|
12
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
13
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
14
|
+
# See the License for the specific language governing permissions and
|
15
|
+
# limitations under the License.
|
16
|
+
|
17
|
+
# Auto-generated by gapic-generator-ruby. DO NOT EDIT!
|
18
|
+
|
19
|
+
require "google/cloud/privileged_access_manager" unless defined? Google::Cloud::PrivilegedAccessManager::VERSION
|
metadata
CHANGED
@@ -1,27 +1,84 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: google-cloud-privileged_access_manager
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.1.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Google LLC
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2024-
|
12
|
-
dependencies:
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
11
|
+
date: 2024-08-09 00:00:00.000000000 Z
|
12
|
+
dependencies:
|
13
|
+
- !ruby/object:Gem::Dependency
|
14
|
+
name: google-cloud-core
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
16
|
+
requirements:
|
17
|
+
- - "~>"
|
18
|
+
- !ruby/object:Gem::Version
|
19
|
+
version: '1.6'
|
20
|
+
type: :runtime
|
21
|
+
prerelease: false
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
23
|
+
requirements:
|
24
|
+
- - "~>"
|
25
|
+
- !ruby/object:Gem::Version
|
26
|
+
version: '1.6'
|
27
|
+
- !ruby/object:Gem::Dependency
|
28
|
+
name: google-cloud-privileged_access_manager-v1
|
29
|
+
requirement: !ruby/object:Gem::Requirement
|
30
|
+
requirements:
|
31
|
+
- - ">="
|
32
|
+
- !ruby/object:Gem::Version
|
33
|
+
version: '0.0'
|
34
|
+
- - "<"
|
35
|
+
- !ruby/object:Gem::Version
|
36
|
+
version: 2.a
|
37
|
+
type: :runtime
|
38
|
+
prerelease: false
|
39
|
+
version_requirements: !ruby/object:Gem::Requirement
|
40
|
+
requirements:
|
41
|
+
- - ">="
|
42
|
+
- !ruby/object:Gem::Version
|
43
|
+
version: '0.0'
|
44
|
+
- - "<"
|
45
|
+
- !ruby/object:Gem::Version
|
46
|
+
version: 2.a
|
47
|
+
description: "## Overview Privileged Access Manager (PAM) is a Google Cloud native,
|
48
|
+
managed solution to secure, manage and audit privileged access while ensuring operational
|
49
|
+
velocity and developer productivity. PAM enables just-in-time, time-bound, approval-based
|
50
|
+
access elevations, and auditing of privileged access elevations and activity. PAM
|
51
|
+
lets you define the rules of who can request access, what they can request access
|
52
|
+
to, and if they should be granted access with or without approvals based on the
|
53
|
+
sensitivity of the access and emergency of the situation. ## Concepts ### Entitlement
|
54
|
+
An entitlement is an eligibility or license that allows specified users (requesters)
|
55
|
+
to request and obtain access to specified resources subject to a set of conditions
|
56
|
+
such as duration, etc. entitlements can be granted to both human and non-human principals.
|
57
|
+
### Grant A grant is an instance of active usage against the entitlement. A user
|
58
|
+
can place a request for a grant against an entitlement. The request may be forwarded
|
59
|
+
to an approver for their decision. Once approved, the grant is activated, ultimately
|
60
|
+
giving the user access (roles/permissions) on a resource per the criteria specified
|
61
|
+
in entitlement. ### How does PAM work PAM creates and uses a service agent (Google-managed
|
62
|
+
service account) to perform the required IAM policy changes for granting access
|
63
|
+
at a specific resource/access scope. The service agent requires getIAMPolicy and
|
64
|
+
setIAMPolicy permissions at the appropriate (or higher) access scope - Organization/Folder/Project
|
65
|
+
to make policy changes on the resources listed in PAM entitlements. When enabling
|
66
|
+
PAM for a resource scope, the user/ principal performing that action should have
|
67
|
+
the appropriate permissions at that resource scope (resourcemanager.{projects|folders|organizations}.setIamPolicy,
|
68
|
+
resourcemanager.{projects|folders|organizations}.getIamPolicy, and resourcemanager.{projects|folders|organizations}.get)
|
69
|
+
to list and grant the service agent/account the required access to perform IAM policy
|
70
|
+
changes."
|
18
71
|
email: googleapis-packages@google.com
|
19
72
|
executables: []
|
20
73
|
extensions: []
|
21
74
|
extra_rdoc_files: []
|
22
75
|
files:
|
76
|
+
- ".yardopts"
|
77
|
+
- AUTHENTICATION.md
|
23
78
|
- LICENSE.md
|
24
79
|
- README.md
|
80
|
+
- lib/google-cloud-privileged_access_manager.rb
|
81
|
+
- lib/google/cloud/privileged_access_manager.rb
|
25
82
|
- lib/google/cloud/privileged_access_manager/version.rb
|
26
83
|
homepage: https://github.com/googleapis/google-cloud-ruby
|
27
84
|
licenses:
|
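Review bot: the runtime dependency on `google-cloud-privileged_access_manager-v1` is bounded only by `>= 0.0` and `< 2.a`, so any pre-1.0 release of the versioned gem satisfies it, while the factory in `lib/google/cloud/privileged_access_manager.rb` dereferences `Rest::Client` at runtime; the lower bound should be the first v1 release known to provide what the factory expects, as `google-cloud-core ~> 1.6` already is. Also, `cert_chain: []` here together with the empty `signing_key:` in the final hunk means the gem is unsigned, so `gem install` under the HighSecurity policy will refuse it and consumers must rely on lockfile pinning for integrity.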
@@ -35,7 +92,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
35
92
|
requirements:
|
36
93
|
- - ">="
|
37
94
|
- !ruby/object:Gem::Version
|
38
|
-
version: '
|
95
|
+
version: '2.7'
|
39
96
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
40
97
|
requirements:
|
41
98
|
- - ">="
|
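Review bot: `required_ruby_version` is raised to `>= '2.7'`, matching the README's "supported on Ruby 2.7+", but the same README states that official support covers only Ruby versions still in normal or security maintenance; with a release date of 2024-08-09 it is worth confirming that 2.7 still meets that criterion and, if not, either raising the floor or softening the README wording so the two statements do not contradict each other.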
@@ -45,5 +102,15 @@ requirements: []
|
|
45
102
|
rubygems_version: 3.5.6
|
46
103
|
signing_key:
|
47
104
|
specification_version: 4
|
48
|
-
summary:
|
105
|
+
summary: Privileged Access Manager (PAM) helps you on your journey towards least privilege
|
106
|
+
and helps mitigate risks tied to privileged access misuse or abuse. PAM allows you
|
107
|
+
to shift from always-on standing privileges towards on-demand access with just-in-time,
|
108
|
+
time-bound, and approval-based access elevations. PAM allows IAM administrators
|
109
|
+
to create entitlements that can grant just-in-time, temporary access to any resource
|
110
|
+
scope. Requesters can explore eligible entitlements and request the access needed
|
111
|
+
for their task. Approvers are notified when approvals await their decision. Streamlined
|
112
|
+
workflows facilitated by using PAM can support various use cases, including emergency
|
113
|
+
access for incident responders, time-boxed access for developers for critical deployment
|
114
|
+
or maintenance, temporary access for operators for data ingestion and audits, JIT
|
115
|
+
access to service accounts for automated tasks, and more.
|
49
116
|
test_files: []
|