google-identity-access_context_manager-v1 0.2.0 → 0.3.0
- checksums.yaml +4 -4
- data/AUTHENTICATION.md +1 -1
- data/lib/google/identity/access_context_manager/v1/access_context_manager/client.rb +437 -114
- data/lib/google/identity/access_context_manager/v1/access_context_manager.rb +8 -8
- data/lib/google/identity/access_context_manager/v1/version.rb +1 -1
- data/lib/google/identity/accesscontextmanager/v1/access_context_manager_pb.rb +2 -0
- data/lib/google/identity/accesscontextmanager/v1/access_context_manager_services_pb.rb +128 -112
- data/lib/google/identity/accesscontextmanager/v1/access_policy_pb.rb +1 -0
- data/lib/google/identity/accesscontextmanager/v1/service_perimeter_pb.rb +11 -10
- data/proto_docs/google/iam/v1/iam_policy.rb +87 -0
- data/proto_docs/google/iam/v1/options.rb +50 -0
- data/proto_docs/google/iam/v1/policy.rb +418 -0
- data/proto_docs/google/identity/accesscontextmanager/v1/access_context_manager.rb +1 -1
- data/proto_docs/google/identity/accesscontextmanager/v1/access_policy.rb +16 -0
- data/proto_docs/google/identity/accesscontextmanager/v1/service_perimeter.rb +72 -64
- data/proto_docs/google/protobuf/empty.rb +0 -2
- metadata +21 -4
@@ -0,0 +1,418 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
# Copyright 2022 Google LLC
|
4
|
+
#
|
5
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
6
|
+
# you may not use this file except in compliance with the License.
|
7
|
+
# You may obtain a copy of the License at
|
8
|
+
#
|
9
|
+
# https://www.apache.org/licenses/LICENSE-2.0
|
10
|
+
#
|
11
|
+
# Unless required by applicable law or agreed to in writing, software
|
12
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
13
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
14
|
+
# See the License for the specific language governing permissions and
|
15
|
+
# limitations under the License.
|
16
|
+
|
17
|
+
# Auto-generated by gapic-generator-ruby. DO NOT EDIT!
|
18
|
+
|
19
|
+
|
20
|
+
module Google
|
21
|
+
module Iam
|
22
|
+
module V1
|
23
|
+
# An Identity and Access Management (IAM) policy, which specifies access
|
24
|
+
# controls for Google Cloud resources.
|
25
|
+
#
|
26
|
+
#
|
27
|
+
# A `Policy` is a collection of `bindings`. A `binding` binds one or more
|
28
|
+
# `members`, or principals, to a single `role`. Principals can be user
|
29
|
+
# accounts, service accounts, Google groups, and domains (such as G Suite). A
|
30
|
+
# `role` is a named list of permissions; each `role` can be an IAM predefined
|
31
|
+
# role or a user-created custom role.
|
32
|
+
#
|
33
|
+
# For some types of Google Cloud resources, a `binding` can also specify a
|
34
|
+
# `condition`, which is a logical expression that allows access to a resource
|
35
|
+
# only if the expression evaluates to `true`. A condition can add constraints
|
36
|
+
# based on attributes of the request, the resource, or both. To learn which
|
37
|
+
# resources support conditions in their IAM policies, see the
|
38
|
+
# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
|
39
|
+
#
|
40
|
+
# **JSON example:**
|
41
|
+
#
|
42
|
+
# {
|
43
|
+
# "bindings": [
|
44
|
+
# {
|
45
|
+
# "role": "roles/resourcemanager.organizationAdmin",
|
46
|
+
# "members": [
|
47
|
+
# "user:mike@example.com",
|
48
|
+
# "group:admins@example.com",
|
49
|
+
# "domain:google.com",
|
50
|
+
# "serviceAccount:my-project-id@appspot.gserviceaccount.com"
|
51
|
+
# ]
|
52
|
+
# },
|
53
|
+
# {
|
54
|
+
# "role": "roles/resourcemanager.organizationViewer",
|
55
|
+
# "members": [
|
56
|
+
# "user:eve@example.com"
|
57
|
+
# ],
|
58
|
+
# "condition": {
|
59
|
+
# "title": "expirable access",
|
60
|
+
# "description": "Does not grant access after Sep 2020",
|
61
|
+
# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",
|
62
|
+
# }
|
63
|
+
# }
|
64
|
+
# ],
|
65
|
+
# "etag": "BwWWja0YfJA=",
|
66
|
+
# "version": 3
|
67
|
+
# }
|
68
|
+
#
|
69
|
+
# **YAML example:**
|
70
|
+
#
|
71
|
+
# bindings:
|
72
|
+
# - members:
|
73
|
+
# - user:mike@example.com
|
74
|
+
# - group:admins@example.com
|
75
|
+
# - domain:google.com
|
76
|
+
# - serviceAccount:my-project-id@appspot.gserviceaccount.com
|
77
|
+
# role: roles/resourcemanager.organizationAdmin
|
78
|
+
# - members:
|
79
|
+
# - user:eve@example.com
|
80
|
+
# role: roles/resourcemanager.organizationViewer
|
81
|
+
# condition:
|
82
|
+
# title: expirable access
|
83
|
+
# description: Does not grant access after Sep 2020
|
84
|
+
# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
|
85
|
+
# etag: BwWWja0YfJA=
|
86
|
+
# version: 3
|
87
|
+
#
|
88
|
+
# For a description of IAM and its features, see the
|
89
|
+
# [IAM documentation](https://cloud.google.com/iam/docs/).
|
90
|
+
# @!attribute [rw] version
|
91
|
+
# @return [::Integer]
|
92
|
+
# Specifies the format of the policy.
|
93
|
+
#
|
94
|
+
# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
|
95
|
+
# are rejected.
|
96
|
+
#
|
97
|
+
# Any operation that affects conditional role bindings must specify version
|
98
|
+
# `3`. This requirement applies to the following operations:
|
99
|
+
#
|
100
|
+
# * Getting a policy that includes a conditional role binding
|
101
|
+
# * Adding a conditional role binding to a policy
|
102
|
+
# * Changing a conditional role binding in a policy
|
103
|
+
# * Removing any role binding, with or without a condition, from a policy
|
104
|
+
# that includes conditions
|
105
|
+
#
|
106
|
+
# **Important:** If you use IAM Conditions, you must include the `etag` field
|
107
|
+
# whenever you call `setIamPolicy`. If you omit this field, then IAM allows
|
108
|
+
# you to overwrite a version `3` policy with a version `1` policy, and all of
|
109
|
+
# the conditions in the version `3` policy are lost.
|
110
|
+
#
|
111
|
+
# If a policy does not include any conditions, operations on that policy may
|
112
|
+
# specify any valid version or leave the field unset.
|
113
|
+
#
|
114
|
+
# To learn which resources support conditions in their IAM policies, see the
|
115
|
+
# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
|
116
|
+
# @!attribute [rw] bindings
|
117
|
+
# @return [::Array<::Google::Iam::V1::Binding>]
|
118
|
+
# Associates a list of `members`, or principals, with a `role`. Optionally,
|
119
|
+
# may specify a `condition` that determines how and when the `bindings` are
|
120
|
+
# applied. Each of the `bindings` must contain at least one principal.
|
121
|
+
#
|
122
|
+
# The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
|
123
|
+
# of these principals can be Google groups. Each occurrence of a principal
|
124
|
+
# counts towards these limits. For example, if the `bindings` grant 50
|
125
|
+
# different roles to `user:alice@example.com`, and not to any other
|
126
|
+
# principal, then you can add another 1,450 principals to the `bindings` in
|
127
|
+
# the `Policy`.
|
128
|
+
# @!attribute [rw] audit_configs
|
129
|
+
# @return [::Array<::Google::Iam::V1::AuditConfig>]
|
130
|
+
# Specifies cloud audit logging configuration for this policy.
|
131
|
+
# @!attribute [rw] etag
|
132
|
+
# @return [::String]
|
133
|
+
# `etag` is used for optimistic concurrency control as a way to help
|
134
|
+
# prevent simultaneous updates of a policy from overwriting each other.
|
135
|
+
# It is strongly suggested that systems make use of the `etag` in the
|
136
|
+
# read-modify-write cycle to perform policy updates in order to avoid race
|
137
|
+
# conditions: An `etag` is returned in the response to `getIamPolicy`, and
|
138
|
+
# systems are expected to put that etag in the request to `setIamPolicy` to
|
139
|
+
# ensure that their change will be applied to the same version of the policy.
|
140
|
+
#
|
141
|
+
# **Important:** If you use IAM Conditions, you must include the `etag` field
|
142
|
+
# whenever you call `setIamPolicy`. If you omit this field, then IAM allows
|
143
|
+
# you to overwrite a version `3` policy with a version `1` policy, and all of
|
144
|
+
# the conditions in the version `3` policy are lost.
|
145
|
+
class Policy
|
146
|
+
include ::Google::Protobuf::MessageExts
|
147
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
148
|
+
end
|
149
|
+
|
150
|
+
# Associates `members`, or principals, with a `role`.
|
151
|
+
# @!attribute [rw] role
|
152
|
+
# @return [::String]
|
153
|
+
# Role that is assigned to the list of `members`, or principals.
|
154
|
+
# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
|
155
|
+
# @!attribute [rw] members
|
156
|
+
# @return [::Array<::String>]
|
157
|
+
# Specifies the principals requesting access for a Cloud Platform resource.
|
158
|
+
# `members` can have the following values:
|
159
|
+
#
|
160
|
+
# * `allUsers`: A special identifier that represents anyone who is
|
161
|
+
# on the internet; with or without a Google account.
|
162
|
+
#
|
163
|
+
# * `allAuthenticatedUsers`: A special identifier that represents anyone
|
164
|
+
# who is authenticated with a Google account or a service account.
|
165
|
+
#
|
166
|
+
# * `user:{emailid}`: An email address that represents a specific Google
|
167
|
+
# account. For example, `alice@example.com` .
|
168
|
+
#
|
169
|
+
#
|
170
|
+
# * `serviceAccount:{emailid}`: An email address that represents a service
|
171
|
+
# account. For example, `my-other-app@appspot.gserviceaccount.com`.
|
172
|
+
#
|
173
|
+
# * `group:{emailid}`: An email address that represents a Google group.
|
174
|
+
# For example, `admins@example.com`.
|
175
|
+
#
|
176
|
+
# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
|
177
|
+
# identifier) representing a user that has been recently deleted. For
|
178
|
+
# example, `alice@example.com?uid=123456789012345678901`. If the user is
|
179
|
+
# recovered, this value reverts to `user:{emailid}` and the recovered user
|
180
|
+
# retains the role in the binding.
|
181
|
+
#
|
182
|
+
# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
|
183
|
+
# unique identifier) representing a service account that has been recently
|
184
|
+
# deleted. For example,
|
185
|
+
# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
|
186
|
+
# If the service account is undeleted, this value reverts to
|
187
|
+
# `serviceAccount:{emailid}` and the undeleted service account retains the
|
188
|
+
# role in the binding.
|
189
|
+
#
|
190
|
+
# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
|
191
|
+
# identifier) representing a Google group that has been recently
|
192
|
+
# deleted. For example, `admins@example.com?uid=123456789012345678901`. If
|
193
|
+
# the group is recovered, this value reverts to `group:{emailid}` and the
|
194
|
+
# recovered group retains the role in the binding.
|
195
|
+
#
|
196
|
+
#
|
197
|
+
# * `domain:{domain}`: The G Suite domain (primary) that represents all the
|
198
|
+
# users of that domain. For example, `google.com` or `example.com`.
|
199
|
+
# @!attribute [rw] condition
|
200
|
+
# @return [::Google::Type::Expr]
|
201
|
+
# The condition that is associated with this binding.
|
202
|
+
#
|
203
|
+
# If the condition evaluates to `true`, then this binding applies to the
|
204
|
+
# current request.
|
205
|
+
#
|
206
|
+
# If the condition evaluates to `false`, then this binding does not apply to
|
207
|
+
# the current request. However, a different role binding might grant the same
|
208
|
+
# role to one or more of the principals in this binding.
|
209
|
+
#
|
210
|
+
# To learn which resources support conditions in their IAM policies, see the
|
211
|
+
# [IAM
|
212
|
+
# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
|
213
|
+
class Binding
|
214
|
+
include ::Google::Protobuf::MessageExts
|
215
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
216
|
+
end
|
217
|
+
|
218
|
+
# Specifies the audit configuration for a service.
|
219
|
+
# The configuration determines which permission types are logged, and what
|
220
|
+
# identities, if any, are exempted from logging.
|
221
|
+
# An AuditConfig must have one or more AuditLogConfigs.
|
222
|
+
#
|
223
|
+
# If there are AuditConfigs for both `allServices` and a specific service,
|
224
|
+
# the union of the two AuditConfigs is used for that service: the log_types
|
225
|
+
# specified in each AuditConfig are enabled, and the exempted_members in each
|
226
|
+
# AuditLogConfig are exempted.
|
227
|
+
#
|
228
|
+
# Example Policy with multiple AuditConfigs:
|
229
|
+
#
|
230
|
+
# {
|
231
|
+
# "audit_configs": [
|
232
|
+
# {
|
233
|
+
# "service": "allServices",
|
234
|
+
# "audit_log_configs": [
|
235
|
+
# {
|
236
|
+
# "log_type": "DATA_READ",
|
237
|
+
# "exempted_members": [
|
238
|
+
# "user:jose@example.com"
|
239
|
+
# ]
|
240
|
+
# },
|
241
|
+
# {
|
242
|
+
# "log_type": "DATA_WRITE"
|
243
|
+
# },
|
244
|
+
# {
|
245
|
+
# "log_type": "ADMIN_READ"
|
246
|
+
# }
|
247
|
+
# ]
|
248
|
+
# },
|
249
|
+
# {
|
250
|
+
# "service": "sampleservice.googleapis.com",
|
251
|
+
# "audit_log_configs": [
|
252
|
+
# {
|
253
|
+
# "log_type": "DATA_READ"
|
254
|
+
# },
|
255
|
+
# {
|
256
|
+
# "log_type": "DATA_WRITE",
|
257
|
+
# "exempted_members": [
|
258
|
+
# "user:aliya@example.com"
|
259
|
+
# ]
|
260
|
+
# }
|
261
|
+
# ]
|
262
|
+
# }
|
263
|
+
# ]
|
264
|
+
# }
|
265
|
+
#
|
266
|
+
# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
|
267
|
+
# logging. It also exempts jose@example.com from DATA_READ logging, and
|
268
|
+
# aliya@example.com from DATA_WRITE logging.
|
269
|
+
# @!attribute [rw] service
|
270
|
+
# @return [::String]
|
271
|
+
# Specifies a service that will be enabled for audit logging.
|
272
|
+
# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
|
273
|
+
# `allServices` is a special value that covers all services.
|
274
|
+
# @!attribute [rw] audit_log_configs
|
275
|
+
# @return [::Array<::Google::Iam::V1::AuditLogConfig>]
|
276
|
+
# The configuration for logging of each type of permission.
|
277
|
+
class AuditConfig
|
278
|
+
include ::Google::Protobuf::MessageExts
|
279
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
280
|
+
end
|
281
|
+
|
282
|
+
# Provides the configuration for logging a type of permissions.
|
283
|
+
# Example:
|
284
|
+
#
|
285
|
+
# {
|
286
|
+
# "audit_log_configs": [
|
287
|
+
# {
|
288
|
+
# "log_type": "DATA_READ",
|
289
|
+
# "exempted_members": [
|
290
|
+
# "user:jose@example.com"
|
291
|
+
# ]
|
292
|
+
# },
|
293
|
+
# {
|
294
|
+
# "log_type": "DATA_WRITE"
|
295
|
+
# }
|
296
|
+
# ]
|
297
|
+
# }
|
298
|
+
#
|
299
|
+
# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
|
300
|
+
# jose@example.com from DATA_READ logging.
|
301
|
+
# @!attribute [rw] log_type
|
302
|
+
# @return [::Google::Iam::V1::AuditLogConfig::LogType]
|
303
|
+
# The log type that this config enables.
|
304
|
+
# @!attribute [rw] exempted_members
|
305
|
+
# @return [::Array<::String>]
|
306
|
+
# Specifies the identities that do not cause logging for this type of
|
307
|
+
# permission.
|
308
|
+
# Follows the same format of {::Google::Iam::V1::Binding#members Binding.members}.
|
309
|
+
class AuditLogConfig
|
310
|
+
include ::Google::Protobuf::MessageExts
|
311
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
312
|
+
|
313
|
+
# The list of valid permission types for which logging can be configured.
|
314
|
+
# Admin writes are always logged, and are not configurable.
|
315
|
+
module LogType
|
316
|
+
# Default case. Should never be this.
|
317
|
+
LOG_TYPE_UNSPECIFIED = 0
|
318
|
+
|
319
|
+
# Admin reads. Example: CloudIAM getIamPolicy
|
320
|
+
ADMIN_READ = 1
|
321
|
+
|
322
|
+
# Data writes. Example: CloudSQL Users create
|
323
|
+
DATA_WRITE = 2
|
324
|
+
|
325
|
+
# Data reads. Example: CloudSQL Users list
|
326
|
+
DATA_READ = 3
|
327
|
+
end
|
328
|
+
end
|
329
|
+
|
330
|
+
# The difference delta between two policies.
|
331
|
+
# @!attribute [rw] binding_deltas
|
332
|
+
# @return [::Array<::Google::Iam::V1::BindingDelta>]
|
333
|
+
# The delta for Bindings between two policies.
|
334
|
+
# @!attribute [rw] audit_config_deltas
|
335
|
+
# @return [::Array<::Google::Iam::V1::AuditConfigDelta>]
|
336
|
+
# The delta for AuditConfigs between two policies.
|
337
|
+
class PolicyDelta
|
338
|
+
include ::Google::Protobuf::MessageExts
|
339
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
340
|
+
end
|
341
|
+
|
342
|
+
# One delta entry for Binding. Each individual change (only one member in each
|
343
|
+
# entry) to a binding will be a separate entry.
|
344
|
+
# @!attribute [rw] action
|
345
|
+
# @return [::Google::Iam::V1::BindingDelta::Action]
|
346
|
+
# The action that was performed on a Binding.
|
347
|
+
# Required
|
348
|
+
# @!attribute [rw] role
|
349
|
+
# @return [::String]
|
350
|
+
# Role that is assigned to `members`.
|
351
|
+
# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
|
352
|
+
# Required
|
353
|
+
# @!attribute [rw] member
|
354
|
+
# @return [::String]
|
355
|
+
# A single identity requesting access for a Cloud Platform resource.
|
356
|
+
# Follows the same format of Binding.members.
|
357
|
+
# Required
|
358
|
+
# @!attribute [rw] condition
|
359
|
+
# @return [::Google::Type::Expr]
|
360
|
+
# The condition that is associated with this binding.
|
361
|
+
class BindingDelta
|
362
|
+
include ::Google::Protobuf::MessageExts
|
363
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
364
|
+
|
365
|
+
# The type of action performed on a Binding in a policy.
|
366
|
+
module Action
|
367
|
+
# Unspecified.
|
368
|
+
ACTION_UNSPECIFIED = 0
|
369
|
+
|
370
|
+
# Addition of a Binding.
|
371
|
+
ADD = 1
|
372
|
+
|
373
|
+
# Removal of a Binding.
|
374
|
+
REMOVE = 2
|
375
|
+
end
|
376
|
+
end
|
377
|
+
|
378
|
+
# One delta entry for AuditConfig. Each individual change (only one
|
379
|
+
# exempted_member in each entry) to a AuditConfig will be a separate entry.
|
380
|
+
# @!attribute [rw] action
|
381
|
+
# @return [::Google::Iam::V1::AuditConfigDelta::Action]
|
382
|
+
# The action that was performed on an audit configuration in a policy.
|
383
|
+
# Required
|
384
|
+
# @!attribute [rw] service
|
385
|
+
# @return [::String]
|
386
|
+
# Specifies a service that was configured for Cloud Audit Logging.
|
387
|
+
# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
|
388
|
+
# `allServices` is a special value that covers all services.
|
389
|
+
# Required
|
390
|
+
# @!attribute [rw] exempted_member
|
391
|
+
# @return [::String]
|
392
|
+
# A single identity that is exempted from "data access" audit
|
393
|
+
# logging for the `service` specified above.
|
394
|
+
# Follows the same format of Binding.members.
|
395
|
+
# @!attribute [rw] log_type
|
396
|
+
# @return [::String]
|
397
|
+
# Specifies the log_type that was be enabled. ADMIN_ACTIVITY is always
|
398
|
+
# enabled, and cannot be configured.
|
399
|
+
# Required
|
400
|
+
class AuditConfigDelta
|
401
|
+
include ::Google::Protobuf::MessageExts
|
402
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
403
|
+
|
404
|
+
# The type of action performed on an audit configuration in a policy.
|
405
|
+
module Action
|
406
|
+
# Unspecified.
|
407
|
+
ACTION_UNSPECIFIED = 0
|
408
|
+
|
409
|
+
# Addition of an audit configuration.
|
410
|
+
ADD = 1
|
411
|
+
|
412
|
+
# Removal of an audit configuration.
|
413
|
+
REMOVE = 2
|
414
|
+
end
|
415
|
+
end
|
416
|
+
end
|
417
|
+
end
|
418
|
+
end
|
@@ -395,7 +395,7 @@ module Google
|
|
395
395
|
# @!attribute [rw] etag
|
396
396
|
# @return [::String]
|
397
397
|
# Optional. The etag for the version of the [Access Policy]
|
398
|
-
# [google.identity.accesscontextmanager.
|
398
|
+
# [google.identity.accesscontextmanager.v1.AccessPolicy] that this
|
399
399
|
# commit operation is to be performed on. If, at the time of commit, the
|
400
400
|
# etag for the Access Policy stored in Access Context Manager is different
|
401
401
|
# from the specified etag, then the commit operation will not be performed
|
@@ -38,6 +38,22 @@ module Google
|
|
38
38
|
# @!attribute [rw] title
|
39
39
|
# @return [::String]
|
40
40
|
# Required. Human readable title. Does not affect behavior.
|
41
|
+
# @!attribute [rw] scopes
|
42
|
+
# @return [::Array<::String>]
|
43
|
+
# The scopes of a policy define which resources an ACM policy can restrict,
|
44
|
+
# and where ACM resources can be referenced.
|
45
|
+
# For example, a policy with scopes=["folders/123"] has the following
|
46
|
+
# behavior:
|
47
|
+
# - vpcsc perimeters can only restrict projects within folders/123
|
48
|
+
# - access levels can only be referenced by resources within folders/123.
|
49
|
+
# If empty, there are no limitations on which resources can be restricted by
|
50
|
+
# an ACM policy, and there are no limitations on where ACM resources can be
|
51
|
+
# referenced.
|
52
|
+
# Only one policy can include a given scope (attempting to create a second
|
53
|
+
# policy which includes "folders/123" will result in an error).
|
54
|
+
# Currently, scopes cannot be modified after a policy is created.
|
55
|
+
# Currently, policies can only have a single scope.
|
56
|
+
# Format: list of `folders/{folder_number}` or `projects/{project_number}`
|
41
57
|
# @!attribute [rw] create_time
|
42
58
|
# @return [::Google::Protobuf::Timestamp]
|
43
59
|
# Output only. Time the `AccessPolicy` was created in UTC.
|
@@ -254,44 +254,6 @@ module Google
|
|
254
254
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
255
255
|
end
|
256
256
|
|
257
|
-
# Defines the conditions under which an [EgressPolicy]
|
258
|
-
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
|
259
|
-
# matches a request. Conditions are based on information about the
|
260
|
-
# [ApiOperation]
|
261
|
-
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
|
262
|
-
# intended to be performed on the `resources` specified. Note that if the
|
263
|
-
# destination of the request is also protected by a [ServicePerimeter]
|
264
|
-
# [google.identity.accesscontextmanager.v1.ServicePerimeter], then that
|
265
|
-
# [ServicePerimeter]
|
266
|
-
# [google.identity.accesscontextmanager.v1.ServicePerimeter] must have
|
267
|
-
# an [IngressPolicy]
|
268
|
-
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
|
269
|
-
# which allows access in order for this request to succeed. The request must
|
270
|
-
# match `operations` AND `resources` fields in order to be allowed egress out
|
271
|
-
# of the perimeter.
|
272
|
-
# @!attribute [rw] resources
|
273
|
-
# @return [::Array<::String>]
|
274
|
-
# A list of resources, currently only projects in the form
|
275
|
-
# `projects/<projectnumber>`, that are allowed to be accessed by sources
|
276
|
-
# defined in the corresponding [EgressFrom]
|
277
|
-
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
|
278
|
-
# A request matches if it contains a resource in this list. If `*` is
|
279
|
-
# specified for `resources`, then this [EgressTo]
|
280
|
-
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
|
281
|
-
# rule will authorize access to all resources outside the perimeter.
|
282
|
-
# @!attribute [rw] operations
|
283
|
-
# @return [::Array<::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::ApiOperation>]
|
284
|
-
# A list of [ApiOperations]
|
285
|
-
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
|
286
|
-
# allowed to be performed by the sources specified in the corresponding
|
287
|
-
# [EgressFrom]
|
288
|
-
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
|
289
|
-
# A request matches if it uses an operation/service in this list.
|
290
|
-
class EgressTo
|
291
|
-
include ::Google::Protobuf::MessageExts
|
292
|
-
extend ::Google::Protobuf::MessageExts::ClassMethods
|
293
|
-
end
|
294
|
-
|
295
257
|
# Defines the conditions under which an [IngressPolicy]
|
296
258
|
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
|
297
259
|
# matches a request. Conditions are based on information about the source of
|
@@ -387,6 +349,78 @@ module Google
|
|
387
349
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
388
350
|
end
|
389
351
|
|
352
|
+
# Defines the conditions under which an [EgressPolicy]
|
353
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
|
354
|
+
# matches a request. Conditions based on information about the source of the
|
355
|
+
# request. Note that if the destination of the request is also protected by a
|
356
|
+
# [ServicePerimeter]
|
357
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeter], then that
|
358
|
+
# [ServicePerimeter]
|
359
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeter] must have
|
360
|
+
# an [IngressPolicy]
|
361
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
|
362
|
+
# which allows access in order for this request to succeed.
|
363
|
+
# @!attribute [rw] identities
|
364
|
+
# @return [::Array<::String>]
|
365
|
+
# A list of identities that are allowed access through this [EgressPolicy].
|
366
|
+
# Should be in the format of email address. The email address should
|
367
|
+
# represent individual user or service account only.
|
368
|
+
# @!attribute [rw] identity_type
|
369
|
+
# @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::IdentityType]
|
370
|
+
# Specifies the type of identities that are allowed access to outside the
|
371
|
+
# perimeter. If left unspecified, then members of `identities` field will
|
372
|
+
# be allowed access.
|
373
|
+
class EgressFrom
|
374
|
+
include ::Google::Protobuf::MessageExts
|
375
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
376
|
+
end
|
377
|
+
|
378
|
+
# Defines the conditions under which an [EgressPolicy]
|
379
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
|
380
|
+
# matches a request. Conditions are based on information about the
|
381
|
+
# [ApiOperation]
|
382
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
|
383
|
+
# intended to be performed on the `resources` specified. Note that if the
|
384
|
+
# destination of the request is also protected by a [ServicePerimeter]
|
385
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeter], then that
|
386
|
+
# [ServicePerimeter]
|
387
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeter] must have
|
388
|
+
# an [IngressPolicy]
|
389
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
|
390
|
+
# which allows access in order for this request to succeed. The request must
|
391
|
+
# match `operations` AND `resources` fields in order to be allowed egress out
|
392
|
+
# of the perimeter.
|
393
|
+
# @!attribute [rw] resources
|
394
|
+
# @return [::Array<::String>]
|
395
|
+
# A list of resources, currently only projects in the form
|
396
|
+
# `projects/<projectnumber>`, that are allowed to be accessed by sources
|
397
|
+
# defined in the corresponding [EgressFrom]
|
398
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
|
399
|
+
# A request matches if it contains a resource in this list. If `*` is
|
400
|
+
# specified for `resources`, then this [EgressTo]
|
401
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
|
402
|
+
# rule will authorize access to all resources outside the perimeter.
|
403
|
+
# @!attribute [rw] operations
|
404
|
+
# @return [::Array<::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::ApiOperation>]
|
405
|
+
# A list of [ApiOperations]
|
406
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
|
407
|
+
# allowed to be performed by the sources specified in the corresponding
|
408
|
+
# [EgressFrom]
|
409
|
+
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
|
410
|
+
# A request matches if it uses an operation/service in this list.
|
411
|
+
# @!attribute [rw] external_resources
|
412
|
+
# @return [::Array<::String>]
|
413
|
+
# A list of external resources that are allowed to be accessed. Only AWS
|
414
|
+
# and Azure resources are supported. For Amazon S3, the supported format is
|
415
|
+
# s3://BUCKET_NAME. For Azure Storage, the supported format is
|
416
|
+
# azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches
|
417
|
+
# if it contains an external resource in this list (Example:
|
418
|
+
# s3://bucket/path). Currently '*' is not allowed.
|
419
|
+
class EgressTo
|
420
|
+
include ::Google::Protobuf::MessageExts
|
421
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
422
|
+
end
|
423
|
+
|
390
424
|
# Policy for egress from perimeter.
|
391
425
|
#
|
392
426
|
# [EgressPolicies]
|
@@ -432,32 +466,6 @@ module Google
|
|
432
466
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
433
467
|
end
|
434
468
|
|
435
|
-
# Defines the conditions under which an [EgressPolicy]
|
436
|
-
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
|
437
|
-
# matches a request. Conditions based on information about the source of the
|
438
|
-
# request. Note that if the destination of the request is also protected by a
|
439
|
-
# [ServicePerimeter]
|
440
|
-
# [google.identity.accesscontextmanager.v1.ServicePerimeter], then that
|
441
|
-
# [ServicePerimeter]
|
442
|
-
# [google.identity.accesscontextmanager.v1.ServicePerimeter] must have
|
443
|
-
# an [IngressPolicy]
|
444
|
-
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
|
445
|
-
# which allows access in order for this request to succeed.
|
446
|
-
# @!attribute [rw] identities
|
447
|
-
# @return [::Array<::String>]
|
448
|
-
# A list of identities that are allowed access through this [EgressPolicy].
|
449
|
-
# Should be in the format of email address. The email address should
|
450
|
-
# represent individual user or service account only.
|
451
|
-
# @!attribute [rw] identity_type
|
452
|
-
# @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::IdentityType]
|
453
|
-
# Specifies the type of identities that are allowed access to outside the
|
454
|
-
# perimeter. If left unspecified, then members of `identities` field will
|
455
|
-
# be allowed access.
|
456
|
-
class EgressFrom
|
457
|
-
include ::Google::Protobuf::MessageExts
|
458
|
-
extend ::Google::Protobuf::MessageExts::ClassMethods
|
459
|
-
end
|
460
|
-
|
461
469
|
# Specifies the types of identities that are allowed access in either
|
462
470
|
# [IngressFrom]
|
463
471
|
# [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
|
@@ -26,8 +26,6 @@ module Google
|
|
26
26
|
# service Foo {
|
27
27
|
# rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
|
28
28
|
# }
|
29
|
-
#
|
30
|
-
# The JSON representation for `Empty` is empty JSON object `{}`.
|
31
29
|
class Empty
|
32
30
|
include ::Google::Protobuf::MessageExts
|
33
31
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
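--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: google-identity-access_context_manager-v1
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.3.0
 platform: ruby
 authors:
 - Google LLC
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-
+date: 2022-11-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: gapic-common
@@ -16,7 +16,7 @@ dependencies:
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
-version: '0.
+version: '0.12'
 - - "<"
 - !ruby/object:Gem::Version
 version: 2.a
@@ -26,7 +26,7 @@ dependencies:
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
-version: '0.
+version: '0.12'
 - - "<"
 - !ruby/object:Gem::Version
 version: 2.a
@@ -44,6 +44,20 @@ dependencies:
 - - "~>"
 - !ruby/object:Gem::Version
 version: '1.0'
+- !ruby/object:Gem::Dependency
+name: grpc-google-iam-v1
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.1'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.1'
 - !ruby/object:Gem::Dependency
 name: google-style
 requirement: !ruby/object:Gem::Requirement
@@ -188,6 +202,9 @@ files:
 - proto_docs/README.md
 - proto_docs/google/api/field_behavior.rb
 - proto_docs/google/api/resource.rb
+- proto_docs/google/iam/v1/iam_policy.rb
+- proto_docs/google/iam/v1/options.rb
+- proto_docs/google/iam/v1/policy.rb
 - proto_docs/google/identity/accesscontextmanager/type/device_resources.rb
 - proto_docs/google/identity/accesscontextmanager/v1/access_context_manager.rb
 - proto_docs/google/identity/accesscontextmanager/v1/access_level.rb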