iam

package
v1.0.0
Published: Mar 16, 2022 License: Apache-2.0 Imports: 13 Imported by: 1

Documentation

Overview

Copyright 2022 Google LLC. All Rights Reserved.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Package iam defines operations in the declarative SDK.

Package iam includes tools for setting and getting policies, bindings, and members of IAM policies in the DCL.

Index

Constants

const RoleMaxPage = -1
const ServiceAccountMaxPage = -1
const WorkloadIdentityPoolMaxPage = -1
const WorkloadIdentityPoolProviderMaxPage = -1

Variables

var YAML_role = []byte("info:\n  title: Iam/Role\n  description: The Iam Role resource\n  x-dcl-struct-name: Role\n  x-dcl-has-iam: false\npaths:\n  get:\n    description: The function used to get information about a Role\n    parameters:\n    - name: Role\n      required: true\n      description: A full instance of a Role\n  apply:\n    description: The function used to apply information about a Role\n    parameters:\n    - name: Role\n      required: true\n      description: A full instance of a Role\n  delete:\n    description: The function used to delete a Role\n    parameters:\n    - name: Role\n      required: true\n      description: A full instance of a Role\n  deleteAll:\n    description: The function used to delete all Role\n    parameters:\n    - name: parent\n      required: true\n      schema:\n        type: string\n  list:\n    description: The function used to list information about many Role\n    parameters:\n    - name: parent\n      required: true\n      schema:\n        type: string\ncomponents:\n  schemas:\n    Role:\n      title: Role\n      x-dcl-id: '{{parent}}/roles/{{name}}'\n      x-dcl-has-iam: false\n      type: object\n      properties:\n        deleted:\n          type: boolean\n          x-dcl-go-name: Deleted\n          description: The current deleted state of the role. This field is read only.\n            It will be ignored in calls to CreateRole and UpdateRole.\n          x-kubernetes-immutable: true\n        description:\n          type: string\n          x-dcl-go-name: Description\n          description: Optional. A human-readable description for the role.\n          x-kubernetes-immutable: true\n        etag:\n          type: string\n          x-dcl-go-name: Etag\n          description: Used to perform a consistent read-modify-write.\n          x-kubernetes-immutable: true\n        groupName:\n          type: string\n          x-dcl-go-name: GroupName\n          x-kubernetes-immutable: true\n        groupTitle:\n          type: string\n          x-dcl-go-name: GroupTitle\n          x-kubernetes-immutable: true\n        includedPermissions:\n          type: array\n          x-dcl-go-name: IncludedPermissions\n          description: The names of the permissions this role grants when bound in\n            an IAM policy.\n          x-kubernetes-immutable: true\n          x-dcl-send-empty: true\n          x-dcl-list-type: list\n          items:\n            type: string\n            x-dcl-go-type: string\n        includedRoles:\n          type: array\n          x-dcl-go-name: IncludedRoles\n          x-kubernetes-immutable: true\n          x-dcl-send-empty: true\n          x-dcl-list-type: list\n          items:\n            type: string\n            x-dcl-go-type: string\n        lifecyclePhase:\n          type: string\n          x-dcl-go-name: LifecyclePhase\n          x-kubernetes-immutable: true\n        localizedValues:\n          type: object\n          x-dcl-go-name: LocalizedValues\n          x-dcl-go-type: RoleLocalizedValues\n          x-kubernetes-immutable: true\n          properties:\n            localizedDescription:\n              type: string\n              x-dcl-go-name: LocalizedDescription\n              description: Will be English by default or if an error occurred during\n                translation.\n              x-kubernetes-immutable: true\n            localizedTitle:\n              type: string\n              x-dcl-go-name: LocalizedTitle\n              description: Will be English by default or if an error occurred during\n                translation.\n              x-kubernetes-immutable: true\n        name:\n          type: string\n          x-dcl-go-name: Name\n          description: The name of the role. When Role is used in CreateRole, the\n            role name must not be set. When Role is used in output and other input\n            such as UpdateRole, the role name is the complete path, e.g., roles/logging.viewer\n            for predefined roles and organizations/{ORGANIZATION_ID}/roles/logging.viewer\n            for custom roles.\n          x-kubernetes-immutable: true\n        parent:\n          type: string\n          x-dcl-go-name: Parent\n          description: 'The parent parameter''s value depends on the target resource\n            for the request, namely projects or organizations. Each resource type''s\n            parent value format is described below: projects.roles.create(): projects/{PROJECT_ID}.\n            This method creates project-level custom roles. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles\n            organizations.roles.create(): organizations/{ORGANIZATION_ID}. This method\n            creates organization-level custom roles. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles\n            Note: Wildcard (*) values are invalid; you must specify a complete project\n            ID or organization ID. Authorization requires the following IAM permission\n            on the specified resource parent: iam.roles.create'\n          x-kubernetes-immutable: true\n          x-dcl-forward-slash-allowed: true\n          x-dcl-references:\n          - resource: Cloudresourcemanager/Project\n            field: name\n            parent: true\n          - resource: Cloudresourcemanager/Organization\n            field: name\n            parent: true\n        stage:\n          type: string\n          x-dcl-go-name: Stage\n          x-dcl-go-type: RoleStageEnum\n          description: The current launch stage of the role. If the `ALPHA` launch\n            stage has been selected for a role, the `stage` field will not be included\n            in the returned definition for the role.\n          x-kubernetes-immutable: true\n          enum:\n          - ALPHA\n          - BETA\n          - GA\n          - DEPRECATED\n          - DISABLED\n          - EAP\n        title:\n          type: string\n          x-dcl-go-name: Title\n          description: Optional. A human-readable title for the role. Typically this\n            is limited to 100 UTF-8 bytes.\n          x-kubernetes-immutable: true\n")

blaze-out/k8-fastbuild/genfiles/cloud/graphite/mmv2/services/google/iam/role.yaml

var YAML_service_account = []byte("info:\n  title: Iam/ServiceAccount\n  description: The Iam ServiceAccount resource\n  x-dcl-struct-name: ServiceAccount\n  x-dcl-has-iam: true\npaths:\n  get:\n    description: The function used to get information about a ServiceAccount\n    parameters:\n    - name: ServiceAccount\n      required: true\n      description: A full instance of a ServiceAccount\n  apply:\n    description: The function used to apply information about a ServiceAccount\n    parameters:\n    - name: ServiceAccount\n      required: true\n      description: A full instance of a ServiceAccount\n  delete:\n    description: The function used to delete a ServiceAccount\n    parameters:\n    - name: ServiceAccount\n      required: true\n      description: A full instance of a ServiceAccount\n  deleteAll:\n    description: The function used to delete all ServiceAccount\n    parameters:\n    - name: project\n      required: true\n      schema:\n        type: string\n  list:\n    description: The function used to list information about many ServiceAccount\n    parameters:\n    - name: project\n      required: true\n      schema:\n        type: string\ncomponents:\n  schemas:\n    ServiceAccount:\n      title: ServiceAccount\n      x-dcl-id: projects/{{project}}/serviceAccounts/{{name}}@{{project}}.iam.gserviceaccount.com\n      x-dcl-parent-container: project\n      x-dcl-has-iam: true\n      type: object\n      properties:\n        actasResources:\n          type: object\n          x-dcl-go-name: ActasResources\n          x-dcl-go-type: ServiceAccountActasResources\n          description: Optional.\n          x-kubernetes-immutable: true\n          properties:\n            resources:\n              type: array\n              x-dcl-go-name: Resources\n              x-kubernetes-immutable: true\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: object\n                x-dcl-go-type: ServiceAccountActasResourcesResources\n                properties:\n                  fullResourceName:\n                    type: string\n                    x-dcl-go-name: FullResourceName\n                    x-kubernetes-immutable: true\n        description:\n          type: string\n          x-dcl-go-name: Description\n          description: Optional. A user-specified, human-readable description of the\n            service account. The maximum length is 256 UTF-8 bytes.\n        disabled:\n          type: boolean\n          x-dcl-go-name: Disabled\n          readOnly: true\n          description: Output only. Whether the service account is disabled.\n          x-kubernetes-immutable: true\n        displayName:\n          type: string\n          x-dcl-go-name: DisplayName\n          description: Optional. A user-specified, human-readable name for the service\n            account. The maximum length is 100 UTF-8 bytes.\n        email:\n          type: string\n          x-dcl-go-name: Email\n          readOnly: true\n          description: Output only. The email address of the service account.\n          x-kubernetes-immutable: true\n        name:\n          type: string\n          x-dcl-go-name: Name\n          description: 'The resource name of the service account. Use one of the following\n            formats: * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}` * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`\n            As an alternative, you can use the `-` wildcard character instead of the\n            project ID: * `projects/-/serviceAccounts/{EMAIL_ADDRESS}` * `projects/-/serviceAccounts/{UNIQUE_ID}`\n            When possible, avoid using the `-` wildcard character, because it can\n            cause response messages to contain misleading error codes. For example,\n            if you try to get the service account `projects/-/serviceAccounts/fake@example.com`,\n            which does not exist, the response contains an HTTP `403 Forbidden` error\n            instead of a `404 Not Found` error.'\n          x-kubernetes-immutable: true\n        oauth2ClientId:\n          type: string\n          x-dcl-go-name: OAuth2ClientId\n          readOnly: true\n          description: Output only. The OAuth 2.0 client ID for the service account.\n          x-kubernetes-immutable: true\n        project:\n          type: string\n          x-dcl-go-name: Project\n          description: The ID of the project that owns the service account.\n          x-kubernetes-immutable: true\n          x-dcl-references:\n          - resource: Cloudresourcemanager/Project\n            field: name\n            parent: true\n        uniqueId:\n          type: string\n          x-dcl-go-name: UniqueId\n          readOnly: true\n          description: Output only. The unique, stable numeric ID for the service\n            account. Each service account retains its unique ID even if you delete\n            the service account. For example, if you delete a service account, then\n            create a new service account with the same name, the new service account\n            has a different unique ID than the deleted service account.\n          x-kubernetes-immutable: true\n")

blaze-out/k8-fastbuild/genfiles/cloud/graphite/mmv2/services/google/iam/service_account.yaml

var YAML_workload_identity_pool = []byte("info:\n  title: Iam/WorkloadIdentityPool\n  description: The Iam WorkloadIdentityPool resource\n  x-dcl-struct-name: WorkloadIdentityPool\n  x-dcl-has-iam: false\npaths:\n  get:\n    description: The function used to get information about a WorkloadIdentityPool\n    parameters:\n    - name: WorkloadIdentityPool\n      required: true\n      description: A full instance of a WorkloadIdentityPool\n  apply:\n    description: The function used to apply information about a WorkloadIdentityPool\n    parameters:\n    - name: WorkloadIdentityPool\n      required: true\n      description: A full instance of a WorkloadIdentityPool\n  delete:\n    description: The function used to delete a WorkloadIdentityPool\n    parameters:\n    - name: WorkloadIdentityPool\n      required: true\n      description: A full instance of a WorkloadIdentityPool\n  deleteAll:\n    description: The function used to delete all WorkloadIdentityPool\n    parameters:\n    - name: project\n      required: true\n      schema:\n        type: string\n    - name: location\n      required: true\n      schema:\n        type: string\n  list:\n    description: The function used to list information about many WorkloadIdentityPool\n    parameters:\n    - name: project\n      required: true\n      schema:\n        type: string\n    - name: location\n      required: true\n      schema:\n        type: string\ncomponents:\n  schemas:\n    WorkloadIdentityPool:\n      title: WorkloadIdentityPool\n      x-dcl-id: projects/{{project}}/locations/{{location}}/workloadIdentityPools/{{name}}\n      x-dcl-parent-container: project\n      x-dcl-has-iam: false\n      type: object\n      required:\n      - name\n      - project\n      - location\n      properties:\n        description:\n          type: string\n          x-dcl-go-name: Description\n          description: A description of the pool. Cannot exceed 256 characters.\n        disabled:\n          type: boolean\n          x-dcl-go-name: Disabled\n          description: Whether the pool is disabled. You cannot use a disabled pool\n            to exchange tokens, or use existing tokens to access resources. If the\n            pool is re-enabled, existing tokens grant access again.\n        displayName:\n          type: string\n          x-dcl-go-name: DisplayName\n          description: A display name for the pool. Cannot exceed 32 characters.\n        location:\n          type: string\n          x-dcl-go-name: Location\n          description: The location for the resource\n          x-kubernetes-immutable: true\n        name:\n          type: string\n          x-dcl-go-name: Name\n          description: Output only. The resource name of the pool.\n          x-kubernetes-immutable: true\n        project:\n          type: string\n          x-dcl-go-name: Project\n          description: The project for the resource\n          x-kubernetes-immutable: true\n          x-dcl-references:\n          - resource: Cloudresourcemanager/Project\n            field: name\n            parent: true\n        state:\n          type: string\n          x-dcl-go-name: State\n          x-dcl-go-type: WorkloadIdentityPoolStateEnum\n          readOnly: true\n          description: 'Output only. The state of the pool. Possible values: STATE_UNSPECIFIED,\n            ACTIVE, DELETED'\n          x-kubernetes-immutable: true\n          enum:\n          - STATE_UNSPECIFIED\n          - ACTIVE\n          - DELETED\n")

blaze-out/k8-fastbuild/genfiles/cloud/graphite/mmv2/services/google/iam/workload_identity_pool.yaml

var YAML_workload_identity_pool_provider = []byte("info:\n  title: Iam/WorkloadIdentityPoolProvider\n  description: The Iam WorkloadIdentityPoolProvider resource\n  x-dcl-struct-name: WorkloadIdentityPoolProvider\n  x-dcl-has-iam: false\npaths:\n  get:\n    description: The function used to get information about a WorkloadIdentityPoolProvider\n    parameters:\n    - name: WorkloadIdentityPoolProvider\n      required: true\n      description: A full instance of a WorkloadIdentityPoolProvider\n  apply:\n    description: The function used to apply information about a WorkloadIdentityPoolProvider\n    parameters:\n    - name: WorkloadIdentityPoolProvider\n      required: true\n      description: A full instance of a WorkloadIdentityPoolProvider\n  delete:\n    description: The function used to delete a WorkloadIdentityPoolProvider\n    parameters:\n    - name: WorkloadIdentityPoolProvider\n      required: true\n      description: A full instance of a WorkloadIdentityPoolProvider\n  deleteAll:\n    description: The function used to delete all WorkloadIdentityPoolProvider\n    parameters:\n    - name: project\n      required: true\n      schema:\n        type: string\n    - name: location\n      required: true\n      schema:\n        type: string\n    - name: workloadidentitypool\n      required: true\n      schema:\n        type: string\n  list:\n    description: The function used to list information about many WorkloadIdentityPoolProvider\n    parameters:\n    - name: project\n      required: true\n      schema:\n        type: string\n    - name: location\n      required: true\n      schema:\n        type: string\n    - name: workloadidentitypool\n      required: true\n      schema:\n        type: string\ncomponents:\n  schemas:\n    WorkloadIdentityPoolProvider:\n      title: WorkloadIdentityPoolProvider\n      x-dcl-id: projects/{{project}}/locations/{{location}}/workloadIdentityPools/{{workload_identity_pool}}/providers/{{name}}\n      x-dcl-uses-state-hint: true\n      x-dcl-parent-container: project\n      x-dcl-has-iam: false\n      type: object\n      required:\n      - name\n      - project\n      - location\n      - workloadIdentityPool\n      properties:\n        attributeCondition:\n          type: string\n          x-dcl-go-name: AttributeCondition\n          description: '[A Common Expression Language](https://opensource.google/projects/cel)\n            expression, in plain text, to restrict what otherwise valid authentication\n            credentials issued by the provider should not be accepted. The expression\n            must output a boolean representing whether to allow the federation. The\n            following keywords may be referenced in the expressions: * `assertion`:\n            JSON representing the authentication credential issued by the provider.\n            * `google`: The Google attributes mapped from the assertion in the `attribute_mappings`.\n            * `attribute`: The custom attributes mapped from the assertion in the\n            `attribute_mappings`. The maximum length of the attribute condition expression\n            is 4096 characters. If unspecified, all valid authentication credential\n            are accepted. The following example shows how to only allow credentials\n            with a mapped `google.groups` value of `admins`: ``` \"''admins'' in google.groups\"\n            ```'\n        attributeMapping:\n          type: object\n          additionalProperties:\n            type: string\n          x-dcl-go-name: AttributeMapping\n          description: 'Maps attributes from authentication credentials issued by\n            an external identity provider to Google Cloud attributes, such as `subject`\n            and `segment`. Each key must be a string specifying the Google Cloud IAM\n            attribute to map to. The following keys are supported: * `google.subject`:\n            The principal IAM is authenticating. You can reference this value in IAM\n            bindings. This is also the subject that appears in Cloud Logging logs.\n            Cannot exceed 127 characters. * `google.groups`: Groups the external identity\n            belongs to. You can grant groups access to resources using an IAM `principalSet`\n            binding; access applies to all members of the group. You can also provide\n            custom attributes by specifying `attribute.{custom_attribute}`, where\n            `{custom_attribute}` is the name of the custom attribute to be mapped.\n            You can define a maximum of 50 custom attributes. The maximum length of\n            a mapped attribute key is 100 characters, and the key may only contain\n            the characters [a-z0-9_]. You can reference these attributes in IAM policies\n            to define fine-grained access for a workload to Google Cloud resources.\n            For example: * `google.subject`: `principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}`\n            * `google.groups`: `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}`\n            * `attribute.{custom_attribute}`: `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}`\n            Each value must be a [Common Expression Language] (https://opensource.google/projects/cel)\n            function that maps an identity provider credential to the normalized attribute\n            specified by the corresponding map key. You can use the `assertion` keyword\n            in the expression to access a JSON representation of the authentication\n            credential issued by the provider. The maximum length of an attribute\n            mapping expression is 2048 characters. When evaluated, the total size\n            of all mapped attributes must not exceed 8KB. For AWS providers, if no\n            attribute mapping is defined, the following default mapping applies: ```\n            { \"google.subject\":\"assertion.arn\", \"attribute.aws_role\": \"assertion.arn.contains(''assumed-role'')\"\n            \" ? assertion.arn.extract(''{account_arn}assumed-role/'')\" \" + ''assumed-role/''\"\n            \" + assertion.arn.extract(''assumed-role/{role_name}/'')\" \" : assertion.arn\",\n            } ``` If any custom attribute mappings are defined, they must include\n            a mapping to the `google.subject` attribute. For OIDC providers, you must\n            supply a custom mapping, which must include the `google.subject` attribute.\n            For example, the following maps the `sub` claim of the incoming credential\n            to the `subject` attribute on a Google token: ``` {\"google.subject\": \"assertion.sub\"}\n            ```'\n        aws:\n          type: object\n          x-dcl-go-name: Aws\n          x-dcl-go-type: WorkloadIdentityPoolProviderAws\n          description: An Amazon Web Services identity provider.\n          x-dcl-conflicts:\n          - oidc\n          required:\n          - accountId\n          properties:\n            accountId:\n              type: string\n              x-dcl-go-name: AccountId\n              description: Required. The AWS account ID.\n            stsUri:\n              type: array\n              x-dcl-go-name: StsUri\n              description: A list of AWS STS URIs that can be used when exchanging\n                credentials. If not provided, any valid AWS STS URI is allowed. URIs\n                must use the form `https://sts.amazonaws.com` or `https://sts.{region}.amazonaws.com`,\n                where {region} is a valid AWS region. You can specify a maximum of\n                25 URIs.\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: string\n                x-dcl-go-type: string\n              x-dcl-mutable-unreadable: true\n        description:\n          type: string\n          x-dcl-go-name: Description\n          description: A description for the provider. Cannot exceed 256 characters.\n        disabled:\n          type: boolean\n          x-dcl-go-name: Disabled\n          description: Whether the provider is disabled. You cannot use a disabled\n            provider to exchange tokens. However, existing tokens still grant access.\n        displayName:\n          type: string\n          x-dcl-go-name: DisplayName\n          description: A display name for the provider. Cannot exceed 32 characters.\n        location:\n          type: string\n          x-dcl-go-name: Location\n          description: The location for the resource\n          x-kubernetes-immutable: true\n        name:\n          type: string\n          x-dcl-go-name: Name\n          description: Output only. The resource name of the provider.\n          x-kubernetes-immutable: true\n        oidc:\n          type: object\n          x-dcl-go-name: Oidc\n          x-dcl-go-type: WorkloadIdentityPoolProviderOidc\n          description: An OpenId Connect 1.0 identity provider.\n          x-dcl-conflicts:\n          - aws\n          required:\n          - issuerUri\n          properties:\n            allowedAudiences:\n              type: array\n              x-dcl-go-name: AllowedAudiences\n              description: 'Acceptable values for the `aud` field (audience) in the\n                OIDC token. Token exchange requests are rejected if the token audience\n                does not match one of the configured values. Each audience may be\n                at most 256 characters. A maximum of 10 audiences may be configured.\n                If this list is empty, the OIDC token audience must be equal to the\n                full canonical resource name of the WorkloadIdentityPoolProvider,\n                with or without the HTTPS prefix. For example: ``` //iam.googleapis.com/projects//locations//workloadIdentityPools//providers/\n                https://iam.googleapis.com/projects//locations//workloadIdentityPools//providers/\n                ```'\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: string\n                x-dcl-go-type: string\n            issuerUri:\n              type: string\n              x-dcl-go-name: IssuerUri\n              description: Required. The OIDC issuer URL. Must be an HTTPS endpoint.\n        project:\n          type: string\n          x-dcl-go-name: Project\n          description: The project for the resource\n          x-kubernetes-immutable: true\n          x-dcl-references:\n          - resource: Cloudresourcemanager/Project\n            field: name\n            parent: true\n        state:\n          type: string\n          x-dcl-go-name: State\n          x-dcl-go-type: WorkloadIdentityPoolProviderStateEnum\n          readOnly: true\n          description: 'Output only. The state of the provider. Possible values: STATE_UNSPECIFIED,\n            ACTIVE, DELETED'\n          x-kubernetes-immutable: true\n          enum:\n          - STATE_UNSPECIFIED\n          - ACTIVE\n          - DELETED\n        workloadIdentityPool:\n          type: string\n          x-dcl-go-name: WorkloadIdentityPool\n          description: The workloadIdentityPool for the resource\n          x-kubernetes-immutable: true\n          x-dcl-references:\n          - resource: Iam/WorkloadIdentityPool\n            field: name\n            parent: true\n")

blaze-out/k8-fastbuild/genfiles/cloud/graphite/mmv2/services/google/iam/workload_identity_pool_provider.yaml

Functions

func EncodeIAMCreateRequest

func EncodeIAMCreateRequest(m map[string]interface{}, resourceName, idField string) map[string]interface{}

EncodeIAMCreateRequest encodes the create request for an iam resource.

func EncodeRoleCreateRequest

func EncodeRoleCreateRequest(m map[string]interface{}) map[string]interface{}

EncodeRoleCreateRequest properly encodes the create request for an iam role.

func EncodeServiceAccountCreateRequest

func EncodeServiceAccountCreateRequest(m map[string]interface{}) map[string]interface{}

EncodeServiceAccountCreateRequest properly encodes the create request for an iam service account.

Types

type Binding

type Binding struct {
	Role      *string            `json:"role"`
	Members   []string           `json:"members"`
	Condition *Condition         `json:"condition,omitempty"`
	Resource  ResourceWithPolicy `json:"resource"`
}

Binding maps a single role to all of its members.

func (*Binding) Encode

func (b *Binding) Encode() (map[string]interface{}, error)

Encode encodes the members and role of an IAM binding.

type Client

type Client struct {
	Config *dcl.Config
}

The Client is the base struct of all operations. This will receive the Get, Delete, List, and Apply operations on all resources.

func NewClient

func NewClient(c *dcl.Config) *Client

NewClient creates a client that retries all operations a few times each.

func (*Client) ApplyBinding

func (c *Client) ApplyBinding(ctx context.Context, binding *Binding, opts ...dcl.ApplyOption) (*Binding, error)

ApplyBinding is a convenience method to create a binding if it does not exist. It supports BlockAcquire and BlockCreation but ignores other lifecycle parameters as they are not relevant to IAM bindings.

func (*Client) ApplyMember

func (c *Client) ApplyMember(ctx context.Context, member *Member, opts ...dcl.ApplyOption) (*Member, error)

ApplyMember is a convenience method to create a member if it does not exist. It supports BlockAcquire and BlockCreation but ignores other lifecycle parameters as they are not relevant to IAM members.

func (*Client) ApplyRole

func (c *Client) ApplyRole(ctx context.Context, rawDesired *Role, opts ...dcl.ApplyOption) (*Role, error)

func (*Client) ApplyServiceAccount

func (c *Client) ApplyServiceAccount(ctx context.Context, rawDesired *ServiceAccount, opts ...dcl.ApplyOption) (*ServiceAccount, error)

func (*Client) ApplyWorkloadIdentityPool

func (c *Client) ApplyWorkloadIdentityPool(ctx context.Context, rawDesired *WorkloadIdentityPool, opts ...dcl.ApplyOption) (*WorkloadIdentityPool, error)

func (*Client) ApplyWorkloadIdentityPoolProvider

func (c *Client) ApplyWorkloadIdentityPoolProvider(ctx context.Context, rawDesired *WorkloadIdentityPoolProvider, opts ...dcl.ApplyOption) (*WorkloadIdentityPoolProvider, error)

func (*Client) DeleteAllRole

func (c *Client) DeleteAllRole(ctx context.Context, parent string, filter func(*Role) bool) error

DeleteAllRole deletes all resources for which the filter function returns true.

func (*Client) DeleteAllServiceAccount

func (c *Client) DeleteAllServiceAccount(ctx context.Context, project string, filter func(*ServiceAccount) bool) error

DeleteAllServiceAccount deletes all resources for which the filter function returns true.

func (*Client) DeleteAllWorkloadIdentityPool

func (c *Client) DeleteAllWorkloadIdentityPool(ctx context.Context, project, location string, filter func(*WorkloadIdentityPool) bool) error

DeleteAllWorkloadIdentityPool deletes all resources for which the filter function returns true.

func (*Client) DeleteAllWorkloadIdentityPoolProvider

func (c *Client) DeleteAllWorkloadIdentityPoolProvider(ctx context.Context, project, location, workloadIdentityPool string, filter func(*WorkloadIdentityPoolProvider) bool) error

DeleteAllWorkloadIdentityPoolProvider deletes all resources for which the filter function returns true.

func (*Client) DeleteBinding

func (c *Client) DeleteBinding(ctx context.Context, binding *Binding) error

DeleteBinding deletes a binding from its specified resource.

func (*Client) DeleteMember

func (c *Client) DeleteMember(ctx context.Context, member *Member) error

DeleteMember deletes a member from its specified binding.

func (*Client) DeleteRole

func (c *Client) DeleteRole(ctx context.Context, r *Role) error

func (*Client) DeleteServiceAccount

func (c *Client) DeleteServiceAccount(ctx context.Context, r *ServiceAccount) error

func (*Client) DeleteWorkloadIdentityPool

func (c *Client) DeleteWorkloadIdentityPool(ctx context.Context, r *WorkloadIdentityPool) error

func (*Client) DeleteWorkloadIdentityPoolProvider

func (c *Client) DeleteWorkloadIdentityPoolProvider(ctx context.Context, r *WorkloadIdentityPoolProvider) error

func (*Client) GetBinding

func (c *Client) GetBinding(ctx context.Context, r ResourceWithPolicy, role string) (*Binding, error)

GetBinding returns the binding for the given role, or nil if there is no such binding.

func (*Client) GetMember

func (c *Client) GetMember(ctx context.Context, r ResourceWithPolicy, role, member string) (*Member, error)

GetMember returns a Member struct if the role/member pair exists on the resource's policy, or nil if they do not.

func (*Client) GetPolicy

func (c *Client) GetPolicy(ctx context.Context, r ResourceWithPolicy) (*Policy, error)

GetPolicy returns the policy for the given resource.

func (*Client) GetRole

func (c *Client) GetRole(ctx context.Context, r *Role) (*Role, error)

func (*Client) GetServiceAccount

func (c *Client) GetServiceAccount(ctx context.Context, r *ServiceAccount) (*ServiceAccount, error)

func (*Client) GetWorkloadIdentityPool

func (c *Client) GetWorkloadIdentityPool(ctx context.Context, r *WorkloadIdentityPool) (*WorkloadIdentityPool, error)

func (*Client) GetWorkloadIdentityPoolProvider

func (c *Client) GetWorkloadIdentityPoolProvider(ctx context.Context, r *WorkloadIdentityPoolProvider) (*WorkloadIdentityPoolProvider, error)

func (*Client) ListRole

func (c *Client) ListRole(ctx context.Context, parent string) (*RoleList, error)

func (*Client) ListRoleWithMaxResults

func (c *Client) ListRoleWithMaxResults(ctx context.Context, parent string, pageSize int32) (*RoleList, error)

func (*Client) ListServiceAccount

func (c *Client) ListServiceAccount(ctx context.Context, project string) (*ServiceAccountList, error)

func (*Client) ListServiceAccountWithMaxResults

func (c *Client) ListServiceAccountWithMaxResults(ctx context.Context, project string, pageSize int32) (*ServiceAccountList, error)

func (*Client) ListWorkloadIdentityPool

func (c *Client) ListWorkloadIdentityPool(ctx context.Context, project, location string) (*WorkloadIdentityPoolList, error)

func (*Client) ListWorkloadIdentityPoolProvider

func (c *Client) ListWorkloadIdentityPoolProvider(ctx context.Context, project, location, workloadIdentityPool string) (*WorkloadIdentityPoolProviderList, error)

func (*Client) ListWorkloadIdentityPoolProviderWithMaxResults

func (c *Client) ListWorkloadIdentityPoolProviderWithMaxResults(ctx context.Context, project, location, workloadIdentityPool string, pageSize int32) (*WorkloadIdentityPoolProviderList, error)

func (*Client) ListWorkloadIdentityPoolWithMaxResults

func (c *Client) ListWorkloadIdentityPoolWithMaxResults(ctx context.Context, project, location string, pageSize int32) (*WorkloadIdentityPoolList, error)

func (*Client) SetBinding

func (c *Client) SetBinding(ctx context.Context, b *Binding) (*Policy, error)

SetBinding sets one binding, authoritatively on the role, for the given resource.

func (*Client) SetMember

func (c *Client) SetMember(ctx context.Context, m *Member) (*Policy, error)

SetMember adds a member to the binding for its role if not already present.

func (*Client) SetPolicy

func (c *Client) SetPolicy(ctx context.Context, p *Policy) (*Policy, error)

SetPolicy sets the policy for the given resource.
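As an added example (not code from this package, whose client talks to the IAM service and needs credentials), the following self-contained Go model reproduces the semantics documented above for GetBinding, GetMember, SetBinding (authoritative on the role) and SetMember (additive, idempotent) on local copies of the Binding and Policy types. The etag guard, the names FindBinding, HasMember and beginWrite, and the etag format are this example's own assumptions; the real service's etags are opaque.

```go
package main

import "errors"
// Local stand-ins for the page's Binding and Policy types (same JSON tags; Role as a plain string, Condition and Resource omitted).
type Binding struct {
	Role    string   `json:"role"`
	Members []string `json:"members"`
}

type Policy struct {
	Bindings []Binding `json:"bindings"`
	Etag     string    `json:"etag"`
}

var ErrEtagMismatch = errors.New("etag mismatch: the policy changed since it was read")
// FindBinding mirrors GetBinding: the binding for role, or nil if there is none.
func (p *Policy) FindBinding(role string) *Binding {
	for i := range p.Bindings {
		if p.Bindings[i].Role == role {
			return &p.Bindings[i]
		}
	}
	return nil
}

// HasMember mirrors GetMember: true only if the role/member pair is on the policy.
func (p *Policy) HasMember(role, member string) bool {
	if b := p.FindBinding(role); b != nil {
		for _, m := range b.Members {
			if m == member {
				return true
			}
		}
	}
	return false
}

// beginWrite is the read-modify-write guard: a stale etag is refused, otherwise a new constructed etag is issued.
func (p *Policy) beginWrite(expected string) error {
	if p.Etag != expected {
		return ErrEtagMismatch
	}
	p.Etag = expected + "+1"
	return nil
}

// SetBinding models the page's SetBinding, authoritative on the role: members absent from b.Members lose it.
func (p *Policy) SetBinding(etag string, b Binding) error {
	if err := p.beginWrite(etag); err != nil {
		return err
	}
	if cur := p.FindBinding(b.Role); cur != nil {
		cur.Members = append([]string(nil), b.Members...)
		return nil
	}
	p.Bindings = append(p.Bindings, b)
	return nil
}

// SetMember models the page's SetMember: additive and idempotent, it writes the role's current members plus one.
func (p *Policy) SetMember(etag, role, member string) error {
	if p.HasMember(role, member) {
		return nil // already present: nothing to write, no etag consumed
	}
	var members []string
	if cur := p.FindBinding(role); cur != nil {
		members = cur.Members
	}
	return p.SetBinding(etag, Binding{Role: role, Members: append(members, member)})
}

func main() {
	p := &Policy{Etag: "e1"} // constructed starting state: empty policy
	println(p.SetMember("e1", "roles/viewer", "user:alice@example.com") == nil, p.Etag)
}
```

The point for reviewers of IAM automation: a SetBinding call drops every principal not listed for that role, so read the current binding before writing, while SetMember only ever widens access by a single member.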

type Condition

type Condition struct {
	Title       *string `json:"title"`
	Description *string `json:"description"`
	Expression  *string `json:"expression"`
}

Condition represents an IAM condition. See https://cloud.google.com/iam/docs/conditions-overview#resources for details.

type Member

type Member struct {
	Role     *string            `json:"role"`
	Member   *string            `json:"member"`
	Resource ResourceWithPolicy `json:"resource"`
}

Member maps a single IAM member to one of its roles.

func (*Member) Encode

func (m *Member) Encode() (map[string]interface{}, error)

Encode encodes the role and member of a single IAM member.

func (*Member) String

func (m *Member) String() string

type Policy

type Policy struct {
	Bindings []Binding          `json:"bindings"`
	Etag     *string            `json:"etag"`
	Version  *int               `json:"version"`
	Resource ResourceWithPolicy `json:"resource"`
}

Policy is the core resource of an IAM policy.

func (*Policy) Encode

func (p *Policy) Encode() (map[string]interface{}, error)

Encode encodes the bindings, etag, and version of an IAM policy.

func (*Policy) String

func (p *Policy) String() string

type ResourceWithPolicy

type ResourceWithPolicy interface {
	SetPolicyURL(string) string
	SetPolicyVerb() string
	GetPolicy(string) (string, string, *bytes.Buffer, error)
	IAMPolicyVersion() int
}

ResourceWithPolicy is any DCL resource which has an IAM policy.

type Role

type Role struct {
	Name                *string              `json:"name"`
	Title               *string              `json:"title"`
	Description         *string              `json:"description"`
	LocalizedValues     *RoleLocalizedValues `json:"localizedValues"`
	LifecyclePhase      *string              `json:"lifecyclePhase"`
	GroupName           *string              `json:"groupName"`
	GroupTitle          *string              `json:"groupTitle"`
	IncludedPermissions []string             `json:"includedPermissions"`
	Stage               *RoleStageEnum       `json:"stage"`
	Etag                *string              `json:"etag"`
	Deleted             *bool                `json:"deleted"`
	IncludedRoles       []string             `json:"includedRoles"`
	Parent              *string              `json:"parent"`
}

func (*Role) Describe

func (r *Role) Describe() dcl.ServiceTypeVersion

Describe returns a simple description of this resource to ensure that automated tools can identify it.

func (*Role) ID

func (r *Role) ID() (string, error)

func (*Role) String

func (r *Role) String() string

type RoleList

type RoleList struct {
	Items []*Role
	// contains filtered or unexported fields
}

func (*RoleList) HasNext

func (l *RoleList) HasNext() bool

func (*RoleList) Next

func (l *RoleList) Next(ctx context.Context, c *Client) error

type RoleLocalizedValues

type RoleLocalizedValues struct {
	LocalizedTitle       *string `json:"localizedTitle"`
	LocalizedDescription *string `json:"localizedDescription"`
	// contains filtered or unexported fields
}
var EmptyRoleLocalizedValues *RoleLocalizedValues = &RoleLocalizedValues{empty: true}

This object is used to assert a desired state where this RoleLocalizedValues is empty. Go lacks global const objects, but this object should be treated as one. Modifying this object will have undesirable results.

func (*RoleLocalizedValues) Empty

func (r *RoleLocalizedValues) Empty() bool

func (*RoleLocalizedValues) HashCode

func (r *RoleLocalizedValues) HashCode() string

func (*RoleLocalizedValues) String

func (r *RoleLocalizedValues) String() string

func (*RoleLocalizedValues) UnmarshalJSON

func (r *RoleLocalizedValues) UnmarshalJSON(data []byte) error

type RoleStageEnum

type RoleStageEnum string

The enum RoleStageEnum.

func RoleStageEnumRef

func RoleStageEnumRef(s string) *RoleStageEnum

RoleStageEnumRef returns a *RoleStageEnum with the value of string s. If the empty string is provided, nil is returned.

func (RoleStageEnum) Validate

func (v RoleStageEnum) Validate() error

type ServiceAccount

type ServiceAccount struct {
	Name           *string                       `json:"name"`
	Project        *string                       `json:"project"`
	UniqueId       *string                       `json:"uniqueId"`
	Email          *string                       `json:"email"`
	DisplayName    *string                       `json:"displayName"`
	Description    *string                       `json:"description"`
	OAuth2ClientId *string                       `json:"oauth2ClientId"`
	ActasResources *ServiceAccountActasResources `json:"actasResources"`
	Disabled       *bool                         `json:"disabled"`
}

func (*ServiceAccount) Describe

func (r *ServiceAccount) Describe() dcl.ServiceTypeVersion

Describe returns a simple description of this resource to ensure that automated tools can identify it.

func (*ServiceAccount) GetPolicy

func (r *ServiceAccount) GetPolicy(basePath string) (string, string, *bytes.Buffer, error)

func (*ServiceAccount) IAMPolicyVersion

func (r *ServiceAccount) IAMPolicyVersion() int

func (*ServiceAccount) ID

func (r *ServiceAccount) ID() (string, error)

func (*ServiceAccount) SetPolicyURL

func (r *ServiceAccount) SetPolicyURL(userBasePath string) string

func (*ServiceAccount) SetPolicyVerb

func (r *ServiceAccount) SetPolicyVerb() string

func (*ServiceAccount) String

func (r *ServiceAccount) String() string

type ServiceAccountActasResources

type ServiceAccountActasResources struct {
	Resources []ServiceAccountActasResourcesResources `json:"resources"`
	// contains filtered or unexported fields
}
var EmptyServiceAccountActasResources *ServiceAccountActasResources = &ServiceAccountActasResources{empty: true}

This object is used to assert a desired state where this ServiceAccountActasResources is empty. Go lacks global const objects, but this object should be treated as one. Modifying this object will have undesirable results.

func (*ServiceAccountActasResources) Empty

func (*ServiceAccountActasResources) HashCode

func (r *ServiceAccountActasResources) HashCode() string

func (*ServiceAccountActasResources) String

func (*ServiceAccountActasResources) UnmarshalJSON

func (r *ServiceAccountActasResources) UnmarshalJSON(data []byte) error

type ServiceAccountActasResourcesResources

type ServiceAccountActasResourcesResources struct {
	FullResourceName *string `json:"fullResourceName"`
	// contains filtered or unexported fields
}
var EmptyServiceAccountActasResourcesResources *ServiceAccountActasResourcesResources = &ServiceAccountActasResourcesResources{empty: true}

This object is used to assert a desired state where this ServiceAccountActasResourcesResources is empty. Go lacks global const objects, but this object should be treated as one. Modifying this object will have undesirable results.

func (*ServiceAccountActasResourcesResources) Empty

func (*ServiceAccountActasResourcesResources) HashCode

func (*ServiceAccountActasResourcesResources) String

func (*ServiceAccountActasResourcesResources) UnmarshalJSON

func (r *ServiceAccountActasResourcesResources) UnmarshalJSON(data []byte) error

type ServiceAccountList

type ServiceAccountList struct {
	Items []*ServiceAccount
	// contains filtered or unexported fields
}

func (*ServiceAccountList) HasNext

func (l *ServiceAccountList) HasNext() bool

func (*ServiceAccountList) Next

func (l *ServiceAccountList) Next(ctx context.Context, c *Client) error

type WorkloadIdentityPool

type WorkloadIdentityPool struct {
	Name        *string                        `json:"name"`
	DisplayName *string                        `json:"displayName"`
	Description *string                        `json:"description"`
	State       *WorkloadIdentityPoolStateEnum `json:"state"`
	Disabled    *bool                          `json:"disabled"`
	Project     *string                        `json:"project"`
	Location    *string                        `json:"location"`
}

func (*WorkloadIdentityPool) Describe

Describe returns a simple description of this resource to ensure that automated tools can identify it.

func (*WorkloadIdentityPool) ID

func (r *WorkloadIdentityPool) ID() (string, error)

func (*WorkloadIdentityPool) String

func (r *WorkloadIdentityPool) String() string

type WorkloadIdentityPoolList

type WorkloadIdentityPoolList struct {
	Items []*WorkloadIdentityPool
	// contains filtered or unexported fields
}

func (*WorkloadIdentityPoolList) HasNext

func (l *WorkloadIdentityPoolList) HasNext() bool

func (*WorkloadIdentityPoolList) Next

type WorkloadIdentityPoolProvider

type WorkloadIdentityPoolProvider struct {
	Name                 *string                                `json:"name"`
	DisplayName          *string                                `json:"displayName"`
	Description          *string                                `json:"description"`
	State                *WorkloadIdentityPoolProviderStateEnum `json:"state"`
	Disabled             *bool                                  `json:"disabled"`
	AttributeMapping     map[string]string                      `json:"attributeMapping"`
	AttributeCondition   *string                                `json:"attributeCondition"`
	Aws                  *WorkloadIdentityPoolProviderAws       `json:"aws"`
	Oidc                 *WorkloadIdentityPoolProviderOidc      `json:"oidc"`
	Project              *string                                `json:"project"`
	Location             *string                                `json:"location"`
	WorkloadIdentityPool *string                                `json:"workloadIdentityPool"`
}

func (*WorkloadIdentityPoolProvider) Describe

Describe returns a simple description of this resource to ensure that automated tools can identify it.

func (*WorkloadIdentityPoolProvider) ID

func (*WorkloadIdentityPoolProvider) String

type WorkloadIdentityPoolProviderAws

type WorkloadIdentityPoolProviderAws struct {
	AccountId *string  `json:"accountId"`
	StsUri    []string `json:"stsUri"`
	// contains filtered or unexported fields
}
var EmptyWorkloadIdentityPoolProviderAws *WorkloadIdentityPoolProviderAws = &WorkloadIdentityPoolProviderAws{empty: true}

This object is used to assert a desired state where this WorkloadIdentityPoolProviderAws is empty. Go lacks global const objects, but this object should be treated as one. Modifying this object will have undesirable results.

func (*WorkloadIdentityPoolProviderAws) Empty

func (*WorkloadIdentityPoolProviderAws) HashCode

func (*WorkloadIdentityPoolProviderAws) String

func (*WorkloadIdentityPoolProviderAws) UnmarshalJSON

func (r *WorkloadIdentityPoolProviderAws) UnmarshalJSON(data []byte) error

type WorkloadIdentityPoolProviderList

type WorkloadIdentityPoolProviderList struct {
	Items []*WorkloadIdentityPoolProvider
	// contains filtered or unexported fields
}

func (*WorkloadIdentityPoolProviderList) HasNext

func (*WorkloadIdentityPoolProviderList) Next

type WorkloadIdentityPoolProviderOidc

type WorkloadIdentityPoolProviderOidc struct {
	IssuerUri        *string  `json:"issuerUri"`
	AllowedAudiences []string `json:"allowedAudiences"`
	// contains filtered or unexported fields
}
var EmptyWorkloadIdentityPoolProviderOidc *WorkloadIdentityPoolProviderOidc = &WorkloadIdentityPoolProviderOidc{empty: true}

This object is used to assert a desired state where this WorkloadIdentityPoolProviderOidc is empty. Go lacks global const objects, but this object should be treated as one. Modifying this object will have undesirable results.

func (*WorkloadIdentityPoolProviderOidc) Empty

func (*WorkloadIdentityPoolProviderOidc) HashCode

func (*WorkloadIdentityPoolProviderOidc) String

func (*WorkloadIdentityPoolProviderOidc) UnmarshalJSON

func (r *WorkloadIdentityPoolProviderOidc) UnmarshalJSON(data []byte) error

type WorkloadIdentityPoolProviderStateEnum

type WorkloadIdentityPoolProviderStateEnum string

The enum WorkloadIdentityPoolProviderStateEnum.

func WorkloadIdentityPoolProviderStateEnumRef

func WorkloadIdentityPoolProviderStateEnumRef(s string) *WorkloadIdentityPoolProviderStateEnum

WorkloadIdentityPoolProviderStateEnumRef returns a *WorkloadIdentityPoolProviderStateEnum with the value of string s. If the empty string is provided, nil is returned.

func (WorkloadIdentityPoolProviderStateEnum) Validate

type WorkloadIdentityPoolStateEnum

type WorkloadIdentityPoolStateEnum string

The enum WorkloadIdentityPoolStateEnum.

func WorkloadIdentityPoolStateEnumRef

func WorkloadIdentityPoolStateEnumRef(s string) *WorkloadIdentityPoolStateEnum

WorkloadIdentityPoolStateEnumRef returns a *WorkloadIdentityPoolStateEnum with the value of string s. If the empty string is provided, nil is returned.

func (WorkloadIdentityPoolStateEnum) Validate

func (v WorkloadIdentityPoolStateEnum) Validate() error
