policytroubleshooter

package
v0.12.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 28, 2019 License: BSD-3-Clause Imports: 14 Imported by: 0

Documentation

Overview

Package policytroubleshooter provides access to the Policy Troubleshooter API.

For product documentation, see: https://cloud.google.com/iam/

Creating a client

Usage example:

import "google.golang.org/api/policytroubleshooter/v1beta"
...
ctx := context.Background()
policytroubleshooterService, err := policytroubleshooter.NewService(ctx)

In this example, Google Application Default Credentials are used for authentication.

For information on how to create and obtain Application Default Credentials, see https://developers.google.com/identity/protocols/application-default-credentials.

Other authentication options

To use an API key for authentication (note: some APIs do not support API keys), use option.WithAPIKey:

policytroubleshooterService, err := policytroubleshooter.NewService(ctx, option.WithAPIKey("AIza..."))

To use an OAuth token (e.g., a user token obtained via a three-legged OAuth flow), use option.WithTokenSource:

config := &oauth2.Config{...}
// ...
token, err := config.Exchange(ctx, ...)
policytroubleshooterService, err := policytroubleshooter.NewService(ctx, option.WithTokenSource(config.TokenSource(ctx, token)))

See https://godoc.org/google.golang.org/api/option/ for details on options.

Index

Constants

View Source
const (
	// View and manage your data across Google Cloud Platform services
	CloudPlatformScope = "https://www.googleapis.com/auth/cloud-platform"
)

OAuth2 scopes used by this API.

Variables

This section is empty.

Functions

This section is empty.

Types

type GoogleCloudPolicytroubleshooterV1betaAccessTuple

type GoogleCloudPolicytroubleshooterV1betaAccessTuple struct {
	// FullResourceName: Required. A full resource name according
	// to
	// https://cloud.google.com/apis/design/resource_names. This is the
	// full
	// resource name of the resource that access is checked against.
	FullResourceName string `json:"fullResourceName,omitempty"`

	// Permission: Required. The Cloud IAM permission under which defines
	// the kind of access
	// being explained. Example: "resourcemanager.projects.get" would
	// explain
	// if and why the principal has the resourcemanager.projects.get
	// permission
	// on the resource specified in full_resource_name declared in this
	// structure.
	// See https://cloud.google.com/iam/docs/testing-permissions
	Permission string `json:"permission,omitempty"`

	// Principal: Required. The principal on behalf of who the access is
	// explained for.
	// The format is one of the principal's email addresses associated
	// with
	// its gaia account. It must be an account that can appear as an
	// actor.
	// For example groups are not supported. Currently, service accounts,
	// users
	// are supported.
	Principal string `json:"principal,omitempty"`

	// ForceSendFields is a list of field names (e.g. "FullResourceName") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "FullResourceName") to
	// include in API requests with the JSON null value. By default, fields
	// with empty values are omitted from API requests. However, any field
	// with an empty value appearing in NullFields will be sent to the
	// server as null. It is an error if a field in this list has a
	// non-empty value. This may be used to include null fields in Patch
	// requests.
	NullFields []string `json:"-"`
}

GoogleCloudPolicytroubleshooterV1betaAccessTuple: AccessTuple defines information required for checking an access attempt. In other words, this is the tuple given to `CheckAccess`.

func (*GoogleCloudPolicytroubleshooterV1betaAccessTuple) MarshalJSON

type GoogleCloudPolicytroubleshooterV1betaBindingExplanation

type GoogleCloudPolicytroubleshooterV1betaBindingExplanation struct {
	// Access: REQUIRED: Access decision for this binding.
	//
	// Possible values:
	//   "ACCESS_STATE_UNSPECIFIED" - Reserved
	//   "GRANTED" - The access is granted due to one or multiple bindings
	// found.
	//   "NOT_GRANTED" - The access is not granted by the policy.
	//   "UNKNOWN_CONDITIONAL" - At least one binding was found but it is
	// conditional. undecided,
	// undetermined ,uncertain, open, tentative, contingent
	//   "UNKNOWN_INFO_DENIED" - Indicating that lack of access to the
	// underlying information
	// causes the result to be undetermined.
	// This can be due to
	//
	// 1) The caller has no access to the policy. In this case
	// ExplainedPolicy
	//    will have not policy set.
	//
	// 2) The caller has no access to some of the items referenced in the
	// policy.
	//    In this case the policy in ExplainedPolicy will be set but the
	//    explanations field will contain at least one inconclusive element.
	Access string `json:"access,omitempty"`

	// Condition: The condition which needs to be satisfied in order for
	// this
	// binding to grant the role to the principal.
	// See https://cloud.google.com/iam/docs/conditions-base
	Condition *GoogleTypeExpr `json:"condition,omitempty"`

	// Memberships: For each member in the binding, provides
	// information
	// whether or not the principal from the request is included
	// in the member by which the CheckResult is keyed.
	// May indicate that the caller has no access to this
	// information.
	// example key: 'group:cloud-iam-assist-eng@google.com'
	// example value '{NOT_GRANTED, HIGH}
	Memberships map[string]GoogleCloudPolicytroubleshooterV1betaBindingExplanationAnnotatedMembership `json:"memberships,omitempty"`

	// Relevance: Bubbles up role_permission level relavance to
	// BindingExplanation object.
	// If role permission is NORMAL, then binding relevance is NORMAL.
	// If role permission is HIGH, then binding relevance is HIGH.
	//
	// Possible values:
	//   "HEURISTIC_RELEVANCE_UNSPECIFIED" - Default value, presence of this
	// should be error.
	//   "NORMAL" - Fields annotated with this value contribute equally to
	// evaluation
	// result. In other words the fields are NOT specially important. This
	// is a
	// superset of fields annotated as HIGH.
	//   "HIGH" - Fields annotated with this are more important than the
	// fields
	// annotated by NORMAL. They are used for annotating fields which on
	// potential
	// modification can alter the overall access result.
	Relevance string `json:"relevance,omitempty"`

	// Role: The role that this binding grants in the policy.
	// for example "roles/compute.serviceAgent"
	Role string `json:"role,omitempty"`

	// RolePermission: Whether the role of this binding contains the checked
	// permission
	//
	// Possible values:
	//   "ROLE_PERMISSION_UNSPECIFIED" - Reserved
	//   "ROLE_PERMISSION_INCLUDED" - Permission is included in the role.
	//   "ROLE_PERMISSION_NOT_INCLUDED" - Permission is included in the
	// role.
	//   "ROLE_PERMISSION_UNKNOWN_INFO_DENIED" - Calling principal has no
	// access to the role permission relation.
	RolePermission string `json:"rolePermission,omitempty"`

	// RolePermissionRelevance: The relevance of this permission with
	// respect to the BindingExplanation.
	//
	// Possible values:
	//   "HEURISTIC_RELEVANCE_UNSPECIFIED" - Default value, presence of this
	// should be error.
	//   "NORMAL" - Fields annotated with this value contribute equally to
	// evaluation
	// result. In other words the fields are NOT specially important. This
	// is a
	// superset of fields annotated as HIGH.
	//   "HIGH" - Fields annotated with this are more important than the
	// fields
	// annotated by NORMAL. They are used for annotating fields which on
	// potential
	// modification can alter the overall access result.
	RolePermissionRelevance string `json:"rolePermissionRelevance,omitempty"`

	// ForceSendFields is a list of field names (e.g. "Access") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "Access") to include in API
	// requests with the JSON null value. By default, fields with empty
	// values are omitted from API requests. However, any field with an
	// empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}

GoogleCloudPolicytroubleshooterV1betaBindingExplanation: Binding Explanation.

func (*GoogleCloudPolicytroubleshooterV1betaBindingExplanation) MarshalJSON

type GoogleCloudPolicytroubleshooterV1betaBindingExplanationAnnotatedMembership

type GoogleCloudPolicytroubleshooterV1betaBindingExplanationAnnotatedMembership struct {
	// Membership: Membership status.
	//
	// Possible values:
	//   "MEMBERSHIP_UNSPECIFIED" - Reserved.
	//   "MEMBERSHIP_INCLUDED" - Member is included in group/domain/allUsers
	// or is a direct match.
	//   "MEMBERSHIP_NOT_INCLUDED" - Member is not included in
	// group/domain/allUsers nor is a direct match.
	//   "MEMBERSHIP_UNKNOWN_INFO_DENIED" - Calling principal has no access
	// to the membership relation.
	//   "MEMBERSHIP_UNKNOWN_UNSUPPORTED" - This member type is currently
	// not supported.
	Membership string `json:"membership,omitempty"`

	// Relevance: Relevance of this membership with respect to
	// BindingExplanation.
	//
	// Possible values:
	//   "HEURISTIC_RELEVANCE_UNSPECIFIED" - Default value, presence of this
	// should be error.
	//   "NORMAL" - Fields annotated with this value contribute equally to
	// evaluation
	// result. In other words the fields are NOT specially important. This
	// is a
	// superset of fields annotated as HIGH.
	//   "HIGH" - Fields annotated with this are more important than the
	// fields
	// annotated by NORMAL. They are used for annotating fields which on
	// potential
	// modification can alter the overall access result.
	Relevance string `json:"relevance,omitempty"`

	// ForceSendFields is a list of field names (e.g. "Membership") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "Membership") to include in
	// API requests with the JSON null value. By default, fields with empty
	// values are omitted from API requests. However, any field with an
	// empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}

GoogleCloudPolicytroubleshooterV1betaBindingExplanationAnnotatedMember ship: Encapsulated membership and the relevance of that membership with respect to BindingExplanation.

func (*GoogleCloudPolicytroubleshooterV1betaBindingExplanationAnnotatedMembership) MarshalJSON

type GoogleCloudPolicytroubleshooterV1betaExplainedPolicy

type GoogleCloudPolicytroubleshooterV1betaExplainedPolicy struct {
	// Access: Access decision for this section of the resource's effective
	// policy.
	//
	// Possible values:
	//   "ACCESS_STATE_UNSPECIFIED" - Reserved
	//   "GRANTED" - The access is granted due to one or multiple bindings
	// found.
	//   "NOT_GRANTED" - The access is not granted by the policy.
	//   "UNKNOWN_CONDITIONAL" - At least one binding was found but it is
	// conditional. undecided,
	// undetermined ,uncertain, open, tentative, contingent
	//   "UNKNOWN_INFO_DENIED" - Indicating that lack of access to the
	// underlying information
	// causes the result to be undetermined.
	// This can be due to
	//
	// 1) The caller has no access to the policy. In this case
	// ExplainedPolicy
	//    will have not policy set.
	//
	// 2) The caller has no access to some of the items referenced in the
	// policy.
	//    In this case the policy in ExplainedPolicy will be set but the
	//    explanations field will contain at least one inconclusive element.
	Access string `json:"access,omitempty"`

	// BindingExplanations: Detailed binding evaluation explanations provide
	// information
	// about how each binding contributes to the principal's
	// access or the lack thereof.
	BindingExplanations []*GoogleCloudPolicytroubleshooterV1betaBindingExplanation `json:"bindingExplanations,omitempty"`

	// FullResourceName: Resource that this section of the effective policy
	// attaches to.
	FullResourceName string `json:"fullResourceName,omitempty"`

	// Policy: The IAM policy attached to the resource.
	Policy *GoogleIamV1Policy `json:"policy,omitempty"`

	// Relevance: Relevance of this Policy.
	//
	// Possible values:
	//   "HEURISTIC_RELEVANCE_UNSPECIFIED" - Default value, presence of this
	// should be error.
	//   "NORMAL" - Fields annotated with this value contribute equally to
	// evaluation
	// result. In other words the fields are NOT specially important. This
	// is a
	// superset of fields annotated as HIGH.
	//   "HIGH" - Fields annotated with this are more important than the
	// fields
	// annotated by NORMAL. They are used for annotating fields which on
	// potential
	// modification can alter the overall access result.
	Relevance string `json:"relevance,omitempty"`

	// ForceSendFields is a list of field names (e.g. "Access") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "Access") to include in API
	// requests with the JSON null value. By default, fields with empty
	// values are omitted from API requests. However, any field with an
	// empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}

GoogleCloudPolicytroubleshooterV1betaExplainedPolicy: An explained IAM policy combines the raw policy in the context of the resource which it is attached to along with detailed evaluation on the evaluation parameters provided through the request.

func (*GoogleCloudPolicytroubleshooterV1betaExplainedPolicy) MarshalJSON

type GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyRequest

type GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyRequest struct {
	// AccessTuple: Collection of attributes for example user, permission,
	// resource that define
	// troubleshooter's input.
	AccessTuple *GoogleCloudPolicytroubleshooterV1betaAccessTuple `json:"accessTuple,omitempty"`

	// ForceSendFields is a list of field names (e.g. "AccessTuple") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "AccessTuple") to include
	// in API requests with the JSON null value. By default, fields with
	// empty values are omitted from API requests. However, any field with
	// an empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}

GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyRequest: TroubleshootIamPolicyRequest is used in TroubleshootIamPolicy

func (*GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyRequest) MarshalJSON

type GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyResponse

type GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyResponse struct {
	// Access: Reflects whether the probed access was granted, denied
	// or ultimately could not be decided from the caller's point of view.
	//
	// Possible values:
	//   "ACCESS_STATE_UNSPECIFIED" - Reserved
	//   "GRANTED" - The access is granted due to one or multiple bindings
	// found.
	//   "NOT_GRANTED" - The access is not granted by the policy.
	//   "UNKNOWN_CONDITIONAL" - At least one binding was found but it is
	// conditional. undecided,
	// undetermined ,uncertain, open, tentative, contingent
	//   "UNKNOWN_INFO_DENIED" - Indicating that lack of access to the
	// underlying information
	// causes the result to be undetermined.
	// This can be due to
	//
	// 1) The caller has no access to the policy. In this case
	// ExplainedPolicy
	//    will have not policy set.
	//
	// 2) The caller has no access to some of the items referenced in the
	// policy.
	//    In this case the policy in ExplainedPolicy will be set but the
	//    explanations field will contain at least one inconclusive element.
	Access string `json:"access,omitempty"`

	// ExplainedPolicies: List of explained policies.
	// Each explanation corresponds to one policy along the ancestry path.
	ExplainedPolicies []*GoogleCloudPolicytroubleshooterV1betaExplainedPolicy `json:"explainedPolicies,omitempty"`

	// ServerResponse contains the HTTP response code and headers from the
	// server.
	googleapi.ServerResponse `json:"-"`

	// ForceSendFields is a list of field names (e.g. "Access") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "Access") to include in API
	// requests with the JSON null value. By default, fields with empty
	// values are omitted from API requests. However, any field with an
	// empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}

GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyResponse: TroubleshootIamPolicyResponse is used in TroubleshootIamPolicy.

func (*GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyResponse) MarshalJSON

type GoogleIamV1AuditConfig

type GoogleIamV1AuditConfig struct {
	// AuditLogConfigs: The configuration for logging of each type of
	// permission.
	AuditLogConfigs []*GoogleIamV1AuditLogConfig `json:"auditLogConfigs,omitempty"`

	// Service: Specifies a service that will be enabled for audit
	// logging.
	// For example, `storage.googleapis.com`,
	// `cloudsql.googleapis.com`.
	// `allServices` is a special value that covers all services.
	Service string `json:"service,omitempty"`

	// ForceSendFields is a list of field names (e.g. "AuditLogConfigs") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "AuditLogConfigs") to
	// include in API requests with the JSON null value. By default, fields
	// with empty values are omitted from API requests. However, any field
	// with an empty value appearing in NullFields will be sent to the
	// server as null. It is an error if a field in this list has a
	// non-empty value. This may be used to include null fields in Patch
	// requests.
	NullFields []string `json:"-"`
}

GoogleIamV1AuditConfig: Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.

If there are AuditConfigs for both `allServices` and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted.

Example Policy with multiple AuditConfigs:

{
  "audit_configs": [
    {
      "service": "allServices"
      "audit_log_configs": [
        {
          "log_type": "DATA_READ",
          "exempted_members": [
            "user:jose@example.com"
          ]
        },
        {
          "log_type": "DATA_WRITE",
        },
        {
          "log_type": "ADMIN_READ",
        }
      ]
    },
    {
      "service": "sampleservice.googleapis.com"
      "audit_log_configs": [
        {
          "log_type": "DATA_READ",
        },
        {
          "log_type": "DATA_WRITE",
          "exempted_members": [
            "user:aliya@example.com"
          ]
        }
      ]
    }
  ]
}

For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts jose@example.com from DATA_READ logging, and aliya@example.com from DATA_WRITE logging.

func (*GoogleIamV1AuditConfig) MarshalJSON

func (s *GoogleIamV1AuditConfig) MarshalJSON() ([]byte, error)

type GoogleIamV1AuditLogConfig

type GoogleIamV1AuditLogConfig struct {
	// ExemptedMembers: Specifies the identities that do not cause logging
	// for this type of
	// permission.
	// Follows the same format of Binding.members.
	ExemptedMembers []string `json:"exemptedMembers,omitempty"`

	// LogType: The log type that this config enables.
	//
	// Possible values:
	//   "LOG_TYPE_UNSPECIFIED" - Default case. Should never be this.
	//   "ADMIN_READ" - Admin reads. Example: CloudIAM getIamPolicy
	//   "DATA_WRITE" - Data writes. Example: CloudSQL Users create
	//   "DATA_READ" - Data reads. Example: CloudSQL Users list
	LogType string `json:"logType,omitempty"`

	// ForceSendFields is a list of field names (e.g. "ExemptedMembers") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "ExemptedMembers") to
	// include in API requests with the JSON null value. By default, fields
	// with empty values are omitted from API requests. However, any field
	// with an empty value appearing in NullFields will be sent to the
	// server as null. It is an error if a field in this list has a
	// non-empty value. This may be used to include null fields in Patch
	// requests.
	NullFields []string `json:"-"`
}

GoogleIamV1AuditLogConfig: Provides the configuration for logging a type of permissions. Example:

{
  "audit_log_configs": [
    {
      "log_type": "DATA_READ",
      "exempted_members": [
        "user:jose@example.com"
      ]
    },
    {
      "log_type": "DATA_WRITE",
    }
  ]
}

This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from DATA_READ logging.

func (*GoogleIamV1AuditLogConfig) MarshalJSON

func (s *GoogleIamV1AuditLogConfig) MarshalJSON() ([]byte, error)

type GoogleIamV1Binding

type GoogleIamV1Binding struct {
	// Condition: The condition that is associated with this binding.
	// NOTE: An unsatisfied condition will not allow user access via
	// current
	// binding. Different bindings, including their conditions, are
	// examined
	// independently.
	Condition *GoogleTypeExpr `json:"condition,omitempty"`

	// Members: Specifies the identities requesting access for a Cloud
	// Platform resource.
	// `members` can have the following values:
	//
	// * `allUsers`: A special identifier that represents anyone who is
	//    on the internet; with or without a Google account.
	//
	// * `allAuthenticatedUsers`: A special identifier that represents
	// anyone
	//    who is authenticated with a Google account or a service
	// account.
	//
	// * `user:{emailid}`: An email address that represents a specific
	// Google
	//    account. For example, `alice@example.com` .
	//
	//
	// * `serviceAccount:{emailid}`: An email address that represents a
	// service
	//    account. For example,
	// `my-other-app@appspot.gserviceaccount.com`.
	//
	// * `group:{emailid}`: An email address that represents a Google
	// group.
	//    For example, `admins@example.com`.
	//
	//
	// * `domain:{domain}`: The G Suite domain (primary) that represents all
	// the
	//    users of that domain. For example, `google.com` or
	// `example.com`.
	//
	//
	Members []string `json:"members,omitempty"`

	// Role: Role that is assigned to `members`.
	// For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
	Role string `json:"role,omitempty"`

	// ForceSendFields is a list of field names (e.g. "Condition") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "Condition") to include in
	// API requests with the JSON null value. By default, fields with empty
	// values are omitted from API requests. However, any field with an
	// empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}

GoogleIamV1Binding: Associates `members` with a `role`.

func (*GoogleIamV1Binding) MarshalJSON

func (s *GoogleIamV1Binding) MarshalJSON() ([]byte, error)

type GoogleIamV1Policy

type GoogleIamV1Policy struct {
	// AuditConfigs: Specifies cloud audit logging configuration for this
	// policy.
	AuditConfigs []*GoogleIamV1AuditConfig `json:"auditConfigs,omitempty"`

	// Bindings: Associates a list of `members` to a `role`. Optionally may
	// specify a
	// `condition` that determines when binding is in effect.
	// `bindings` with no members will result in an error.
	Bindings []*GoogleIamV1Binding `json:"bindings,omitempty"`

	// Etag: `etag` is used for optimistic concurrency control as a way to
	// help
	// prevent simultaneous updates of a policy from overwriting each
	// other.
	// It is strongly suggested that systems make use of the `etag` in
	// the
	// read-modify-write cycle to perform policy updates in order to avoid
	// race
	// conditions: An `etag` is returned in the response to `getIamPolicy`,
	// and
	// systems are expected to put that etag in the request to
	// `setIamPolicy` to
	// ensure that their change will be applied to the same version of the
	// policy.
	//
	// If no `etag` is provided in the call to `setIamPolicy`, then the
	// existing
	// policy is overwritten. Due to blind-set semantics of an etag-less
	// policy,
	// 'setIamPolicy' will not fail even if either of incoming or stored
	// policy
	// does not meet the version requirements.
	Etag string `json:"etag,omitempty"`

	// Version: Specifies the format of the policy.
	//
	// Valid values are 0, 1, and 3. Requests specifying an invalid value
	// will be
	// rejected.
	//
	// Operations affecting conditional bindings must specify version 3.
	// This can
	// be either setting a conditional policy, modifying a conditional
	// binding,
	// or removing a conditional binding from the stored conditional
	// policy.
	// Operations on non-conditional policies may specify any valid value
	// or
	// leave the field unset.
	//
	// If no etag is provided in the call to `setIamPolicy`, any
	// version
	// compliance checks on the incoming and/or stored policy is skipped.
	Version int64 `json:"version,omitempty"`

	// ForceSendFields is a list of field names (e.g. "AuditConfigs") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "AuditConfigs") to include
	// in API requests with the JSON null value. By default, fields with
	// empty values are omitted from API requests. However, any field with
	// an empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}

GoogleIamV1Policy: Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources.

A `Policy` is a collection of `bindings`. A `binding` binds one or more `members` to a single `role`. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A `role` is a named list of permissions (defined by IAM or configured by users). A `binding` can optionally specify a `condition`, which is a logic expression that further constrains the role binding based on attributes about the request and/or target resource.

**JSON Example**

{
  "bindings": [
    {
      "role": "roles/resourcemanager.organizationAdmin",
      "members": [
        "user:mike@example.com",
        "group:admins@example.com",
        "domain:google.com",

"serviceAccount:my-project-id@appspot.gserviceaccount.com"

      ]
    },
    {
      "role": "roles/resourcemanager.organizationViewer",
      "members": ["user:eve@example.com"],
      "condition": {
        "title": "expirable access",
        "description": "Does not grant access after Sep 2020",
        "expression": "request.time <
        timestamp('2020-10-01T00:00:00.000Z')",
      }
    }
  ]
}

**YAML Example**

bindings:
- members:
  - user:mike@example.com
  - group:admins@example.com
  - domain:google.com
  - serviceAccount:my-project-id@appspot.gserviceaccount.com
  role: roles/resourcemanager.organizationAdmin
- members:
  - user:eve@example.com
  role: roles/resourcemanager.organizationViewer
  condition:
    title: expirable access
    description: Does not grant access after Sep 2020
    expression: request.time <

timestamp('2020-10-01T00:00:00.000Z')

For a description of IAM and its features, see the [IAM developer's guide](https://cloud.google.com/iam/docs).

func (*GoogleIamV1Policy) MarshalJSON

func (s *GoogleIamV1Policy) MarshalJSON() ([]byte, error)

type GoogleTypeExpr

type GoogleTypeExpr struct {
	// Description: An optional description of the expression. This is a
	// longer text which
	// describes the expression, e.g. when hovered over it in a UI.
	Description string `json:"description,omitempty"`

	// Expression: Textual representation of an expression in
	// Common Expression Language syntax.
	//
	// The application context of the containing message determines
	// which
	// well-known feature set of CEL is supported.
	Expression string `json:"expression,omitempty"`

	// Location: An optional string indicating the location of the
	// expression for error
	// reporting, e.g. a file name and a position in the file.
	Location string `json:"location,omitempty"`

	// Title: An optional title for the expression, i.e. a short string
	// describing
	// its purpose. This can be used e.g. in UIs which allow to enter
	// the
	// expression.
	Title string `json:"title,omitempty"`

	// ForceSendFields is a list of field names (e.g. "Description") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "Description") to include
	// in API requests with the JSON null value. By default, fields with
	// empty values are omitted from API requests. However, any field with
	// an empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}

GoogleTypeExpr: Represents an expression text. Example:

title: "User account presence"
description: "Determines whether the request has a user account"
expression: "size(request.user) > 0"

func (*GoogleTypeExpr) MarshalJSON

func (s *GoogleTypeExpr) MarshalJSON() ([]byte, error)

type IamService

type IamService struct {
	// contains filtered or unexported fields
}

func NewIamService

func NewIamService(s *Service) *IamService

func (*IamService) Troubleshoot

func (r *IamService) Troubleshoot(googlecloudpolicytroubleshooterv1betatroubleshootiampolicyrequest *GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyRequest) *IamTroubleshootCall

Troubleshoot: Perform a check on whether a member is granted a permission on a resource and how that grant/deny is determined accordinga to the resource's effective IAM policy interpretation.

type IamTroubleshootCall

type IamTroubleshootCall struct {
	// contains filtered or unexported fields
}

func (*IamTroubleshootCall) Context

Context sets the context to be used in this call's Do method. Any pending HTTP request will be aborted if the provided context is canceled.

func (*IamTroubleshootCall) Do

Do executes the "policytroubleshooter.iam.troubleshoot" call. Exactly one of *GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyResponse or error will be non-nil. Any non-2xx status code is an error. Response headers are in either *GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyResponse.Se rverResponse.Header or (if a response was returned at all) in error.(*googleapi.Error).Header. Use googleapi.IsNotModified to check whether the returned error was because http.StatusNotModified was returned.

func (*IamTroubleshootCall) Fields

Fields allows partial responses to be retrieved. See https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more information.

func (*IamTroubleshootCall) Header

func (c *IamTroubleshootCall) Header() http.Header

Header returns an http.Header that can be modified by the caller to add HTTP headers to the request.

type Service

type Service struct {
	BasePath  string // API endpoint base URL
	UserAgent string // optional additional User-Agent fragment

	Iam *IamService
	// contains filtered or unexported fields
}

func New deprecated

func New(client *http.Client) (*Service, error)

New creates a new Service. It uses the provided http.Client for requests.

Deprecated: please use NewService instead. To provide a custom HTTP client, use option.WithHTTPClient. If you are using google.golang.org/api/googleapis/transport.APIKey, use option.WithAPIKey with NewService instead.

func NewService

func NewService(ctx context.Context, opts ...option.ClientOption) (*Service, error)

NewService creates a new Service.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL