var File_google_iam_v2_deny_proto protoreflect.FileDescriptor
var File_google_iam_v2_policy_proto protoreflect.FileDescriptor
func RegisterPoliciesServer(s *grpc.Server, srv PoliciesServer)
Request message for `CreatePolicy`.
type CreatePolicyRequest struct {
// Required. The resource that the policy is attached to, along with the kind of policy
// to create. Format: `policies/{attachment_point}/denypolicies`
//
// The attachment point is identified by its URL-encoded full resource name,
// which means that the forward-slash character, `/`, must be written as
// `%2F`. For example,
// `policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies`.
//
// For organizations and folders, use the numeric ID in the full resource
// name. For projects, you can use the alphanumeric or the numeric ID.
Parent string `protobuf:"bytes,1,opt,name=parent,proto3" json:"parent,omitempty"`
// Required. The policy to create.
Policy *Policy `protobuf:"bytes,2,opt,name=policy,proto3" json:"policy,omitempty"`
// The ID to use for this policy, which will become the final component of
// the policy's resource name. The ID must contain 3 to 63 characters. It can
// contain lowercase letters and numbers, as well as dashes (`-`) and periods
// (`.`). The first character must be a lowercase letter.
PolicyId string `protobuf:"bytes,3,opt,name=policy_id,json=policyId,proto3" json:"policy_id,omitempty"`
// contains filtered or unexported fields
}
func (*CreatePolicyRequest) Descriptor() ([]byte, []int)
Deprecated: Use CreatePolicyRequest.ProtoReflect.Descriptor instead.
func (x *CreatePolicyRequest) GetParent() string
func (x *CreatePolicyRequest) GetPolicy() *Policy
func (x *CreatePolicyRequest) GetPolicyId() string
func (*CreatePolicyRequest) ProtoMessage()
func (x *CreatePolicyRequest) ProtoReflect() protoreflect.Message
func (x *CreatePolicyRequest) Reset()
func (x *CreatePolicyRequest) String() string
Request message for `DeletePolicy`.
type DeletePolicyRequest struct {
// Required. The resource name of the policy to delete. Format:
// `policies/{attachment_point}/denypolicies/{policy_id}`
//
// Use the URL-encoded full resource name, which means that the forward-slash
// character, `/`, must be written as `%2F`. For example,
// `policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies/my-policy`.
//
// For organizations and folders, use the numeric ID in the full resource
// name. For projects, you can use the alphanumeric or the numeric ID.
Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
// Optional. The expected `etag` of the policy to delete. If the value does not match
// the value that is stored in IAM, the request fails with a `409` error code
// and `ABORTED` status.
//
// If you omit this field, the policy is deleted regardless of its current
// `etag`.
Etag string `protobuf:"bytes,2,opt,name=etag,proto3" json:"etag,omitempty"`
// contains filtered or unexported fields
}
func (*DeletePolicyRequest) Descriptor() ([]byte, []int)
Deprecated: Use DeletePolicyRequest.ProtoReflect.Descriptor instead.
func (x *DeletePolicyRequest) GetEtag() string
func (x *DeletePolicyRequest) GetName() string
func (*DeletePolicyRequest) ProtoMessage()
func (x *DeletePolicyRequest) ProtoReflect() protoreflect.Message
func (x *DeletePolicyRequest) Reset()
func (x *DeletePolicyRequest) String() string
A deny rule in an IAM deny policy.
type DenyRule struct {
// The identities that are prevented from using one or more permissions on
// Google Cloud resources. This field can contain the following values:
//
// - `principalSet://goog/public:all`: A special identifier that represents
// any principal that is on the internet, even if they do not have a Google
// Account or are not logged in.
//
// - `principal://goog/subject/{email_id}`: A specific Google Account.
// Includes Gmail, Cloud Identity, and Google Workspace user accounts. For
// example, `principal://goog/subject/alice@example.com`.
//
// - `deleted:principal://goog/subject/{email_id}?uid={uid}`: A specific
// Google Account that was deleted recently. For example,
// `deleted:principal://goog/subject/alice@example.com?uid=1234567890`. If
// the Google Account is recovered, this identifier reverts to the standard
// identifier for a Google Account.
//
// - `principalSet://goog/group/{group_id}`: A Google group. For example,
// `principalSet://goog/group/admins@example.com`.
//
// - `deleted:principalSet://goog/group/{group_id}?uid={uid}`: A Google group
// that was deleted recently. For example,
// `deleted:principalSet://goog/group/admins@example.com?uid=1234567890`. If
// the Google group is restored, this identifier reverts to the standard
// identifier for a Google group.
//
// - `principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}`:
// A Google Cloud service account. For example,
// `principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com`.
//
// - `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}`:
// A Google Cloud service account that was deleted recently. For example,
// `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890`.
// If the service account is undeleted, this identifier reverts to the
// standard identifier for a service account.
//
// - `principalSet://goog/cloudIdentityCustomerId/{customer_id}`: All of the
// principals associated with the specified Google Workspace or Cloud
// Identity customer ID. For example,
// `principalSet://goog/cloudIdentityCustomerId/C01Abc35`.
DeniedPrincipals []string `protobuf:"bytes,1,rep,name=denied_principals,json=deniedPrincipals,proto3" json:"denied_principals,omitempty"`
// The identities that are excluded from the deny rule, even if they are
// listed in the `denied_principals`. For example, you could add a Google
// group to the `denied_principals`, then exclude specific users who belong to
// that group.
//
// This field can contain the same values as the `denied_principals` field,
// excluding `principalSet://goog/public:all`, which represents all users on
// the internet.
ExceptionPrincipals []string `protobuf:"bytes,2,rep,name=exception_principals,json=exceptionPrincipals,proto3" json:"exception_principals,omitempty"`
// The permissions that are explicitly denied by this rule. Each permission
// uses the format `{service_fqdn}/{resource}.{verb}`, where `{service_fqdn}`
// is the fully qualified domain name for the service. For example,
// `iam.googleapis.com/roles.list`.
DeniedPermissions []string `protobuf:"bytes,3,rep,name=denied_permissions,json=deniedPermissions,proto3" json:"denied_permissions,omitempty"`
// Specifies the permissions that this rule excludes from the set of denied
// permissions given by `denied_permissions`. If a permission appears in
// `denied_permissions` _and_ in `exception_permissions` then it will _not_ be
// denied.
//
// The excluded permissions can be specified using the same syntax as
// `denied_permissions`.
ExceptionPermissions []string `protobuf:"bytes,4,rep,name=exception_permissions,json=exceptionPermissions,proto3" json:"exception_permissions,omitempty"`
// The condition that determines whether this deny rule applies to a request.
// If the condition expression evaluates to `true`, then the deny rule is
// applied; otherwise, the deny rule is not applied.
//
// Each deny rule is evaluated independently. If this deny rule does not apply
// to a request, other deny rules might still apply.
//
// The condition can use CEL functions that evaluate
// [resource
// tags](https://cloud.google.com/iam/help/conditions/resource-tags). Other
// functions and operators are not supported.
DenialCondition *expr.Expr `protobuf:"bytes,5,opt,name=denial_condition,json=denialCondition,proto3" json:"denial_condition,omitempty"`
// contains filtered or unexported fields
}
func (*DenyRule) Descriptor() ([]byte, []int)
Deprecated: Use DenyRule.ProtoReflect.Descriptor instead.
func (x *DenyRule) GetDenialCondition() *expr.Expr
func (x *DenyRule) GetDeniedPermissions() []string
func (x *DenyRule) GetDeniedPrincipals() []string
func (x *DenyRule) GetExceptionPermissions() []string
func (x *DenyRule) GetExceptionPrincipals() []string
func (*DenyRule) ProtoMessage()
func (x *DenyRule) ProtoReflect() protoreflect.Message
func (x *DenyRule) Reset()
func (x *DenyRule) String() string
Request message for `GetPolicy`.
type GetPolicyRequest struct {
// Required. The resource name of the policy to retrieve. Format:
// `policies/{attachment_point}/denypolicies/{policy_id}`
//
// Use the URL-encoded full resource name, which means that the forward-slash
// character, `/`, must be written as `%2F`. For example,
// `policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies/my-policy`.
//
// For organizations and folders, use the numeric ID in the full resource
// name. For projects, you can use the alphanumeric or the numeric ID.
Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
// contains filtered or unexported fields
}
func (*GetPolicyRequest) Descriptor() ([]byte, []int)
Deprecated: Use GetPolicyRequest.ProtoReflect.Descriptor instead.
func (x *GetPolicyRequest) GetName() string
func (*GetPolicyRequest) ProtoMessage()
func (x *GetPolicyRequest) ProtoReflect() protoreflect.Message
func (x *GetPolicyRequest) Reset()
func (x *GetPolicyRequest) String() string
Request message for `ListPolicies`.
type ListPoliciesRequest struct {
// Required. The resource that the policy is attached to, along with the kind of policy
// to list. Format:
// `policies/{attachment_point}/denypolicies`
//
// The attachment point is identified by its URL-encoded full resource name,
// which means that the forward-slash character, `/`, must be written as
// `%2F`. For example,
// `policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies`.
//
// For organizations and folders, use the numeric ID in the full resource
// name. For projects, you can use the alphanumeric or the numeric ID.
Parent string `protobuf:"bytes,1,opt,name=parent,proto3" json:"parent,omitempty"`
// The maximum number of policies to return. IAM ignores this value and uses
// the value 1000.
PageSize int32 `protobuf:"varint,2,opt,name=page_size,json=pageSize,proto3" json:"page_size,omitempty"`
// A page token received in a [ListPoliciesResponse][google.iam.v2.ListPoliciesResponse]. Provide this token to
// retrieve the next page.
PageToken string `protobuf:"bytes,3,opt,name=page_token,json=pageToken,proto3" json:"page_token,omitempty"`
// contains filtered or unexported fields
}
func (*ListPoliciesRequest) Descriptor() ([]byte, []int)
Deprecated: Use ListPoliciesRequest.ProtoReflect.Descriptor instead.
func (x *ListPoliciesRequest) GetPageSize() int32
func (x *ListPoliciesRequest) GetPageToken() string
func (x *ListPoliciesRequest) GetParent() string
func (*ListPoliciesRequest) ProtoMessage()
func (x *ListPoliciesRequest) ProtoReflect() protoreflect.Message
func (x *ListPoliciesRequest) Reset()
func (x *ListPoliciesRequest) String() string
Response message for `ListPolicies`.
type ListPoliciesResponse struct {
// Metadata for the policies that are attached to the resource.
Policies []*Policy `protobuf:"bytes,1,rep,name=policies,proto3" json:"policies,omitempty"`
// A page token that you can use in a [ListPoliciesRequest][google.iam.v2.ListPoliciesRequest] to retrieve the
// next page. If this field is omitted, there are no additional pages.
NextPageToken string `protobuf:"bytes,2,opt,name=next_page_token,json=nextPageToken,proto3" json:"next_page_token,omitempty"`
// contains filtered or unexported fields
}
func (*ListPoliciesResponse) Descriptor() ([]byte, []int)
Deprecated: Use ListPoliciesResponse.ProtoReflect.Descriptor instead.
func (x *ListPoliciesResponse) GetNextPageToken() string
func (x *ListPoliciesResponse) GetPolicies() []*Policy
func (*ListPoliciesResponse) ProtoMessage()
func (x *ListPoliciesResponse) ProtoReflect() protoreflect.Message
func (x *ListPoliciesResponse) Reset()
func (x *ListPoliciesResponse) String() string
PoliciesClient is the client API for Policies service.
For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
type PoliciesClient interface {
// Retrieves the policies of the specified kind that are attached to a
// resource.
//
// The response lists only policy metadata. In particular, policy rules are
// omitted.
ListPolicies(ctx context.Context, in *ListPoliciesRequest, opts ...grpc.CallOption) (*ListPoliciesResponse, error)
// Gets a policy.
GetPolicy(ctx context.Context, in *GetPolicyRequest, opts ...grpc.CallOption) (*Policy, error)
// Creates a policy.
CreatePolicy(ctx context.Context, in *CreatePolicyRequest, opts ...grpc.CallOption) (*longrunningpb.Operation, error)
// Updates the specified policy.
//
// You can update only the rules and the display name for the policy.
//
// To update a policy, you should use a read-modify-write loop:
//
// 1. Use [GetPolicy][google.iam.v2.Policies.GetPolicy] to read the current version of the policy.
// 2. Modify the policy as needed.
// 3. Use `UpdatePolicy` to write the updated policy.
//
// This pattern helps prevent conflicts between concurrent updates.
UpdatePolicy(ctx context.Context, in *UpdatePolicyRequest, opts ...grpc.CallOption) (*longrunningpb.Operation, error)
// Deletes a policy. This action is permanent.
DeletePolicy(ctx context.Context, in *DeletePolicyRequest, opts ...grpc.CallOption) (*longrunningpb.Operation, error)
}
func NewPoliciesClient(cc grpc.ClientConnInterface) PoliciesClient
PoliciesServer is the server API for Policies service.
type PoliciesServer interface {
// Retrieves the policies of the specified kind that are attached to a
// resource.
//
// The response lists only policy metadata. In particular, policy rules are
// omitted.
ListPolicies(context.Context, *ListPoliciesRequest) (*ListPoliciesResponse, error)
// Gets a policy.
GetPolicy(context.Context, *GetPolicyRequest) (*Policy, error)
// Creates a policy.
CreatePolicy(context.Context, *CreatePolicyRequest) (*longrunningpb.Operation, error)
// Updates the specified policy.
//
// You can update only the rules and the display name for the policy.
//
// To update a policy, you should use a read-modify-write loop:
//
// 1. Use [GetPolicy][google.iam.v2.Policies.GetPolicy] to read the current version of the policy.
// 2. Modify the policy as needed.
// 3. Use `UpdatePolicy` to write the updated policy.
//
// This pattern helps prevent conflicts between concurrent updates.
UpdatePolicy(context.Context, *UpdatePolicyRequest) (*longrunningpb.Operation, error)
// Deletes a policy. This action is permanent.
DeletePolicy(context.Context, *DeletePolicyRequest) (*longrunningpb.Operation, error)
}
Data for an IAM policy.
type Policy struct {
// Immutable. The resource name of the `Policy`, which must be unique. Format:
// `policies/{attachment_point}/denypolicies/{policy_id}`
//
// The attachment point is identified by its URL-encoded full resource name,
// which means that the forward-slash character, `/`, must be written as
// `%2F`. For example,
// `policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies/my-deny-policy`.
//
// For organizations and folders, use the numeric ID in the full resource
// name. For projects, requests can use the alphanumeric or the numeric ID.
// Responses always contain the numeric ID.
Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
// Immutable. The globally unique ID of the `Policy`. Assigned automatically when the
// `Policy` is created.
Uid string `protobuf:"bytes,2,opt,name=uid,proto3" json:"uid,omitempty"`
// Output only. The kind of the `Policy`. Always contains the value `DenyPolicy`.
Kind string `protobuf:"bytes,3,opt,name=kind,proto3" json:"kind,omitempty"`
// A user-specified description of the `Policy`. This value can be up to 63
// characters.
DisplayName string `protobuf:"bytes,4,opt,name=display_name,json=displayName,proto3" json:"display_name,omitempty"`
// A key-value map to store arbitrary metadata for the `Policy`. Keys
// can be up to 63 characters. Values can be up to 255 characters.
Annotations map[string]string `protobuf:"bytes,5,rep,name=annotations,proto3" json:"annotations,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
// An opaque tag that identifies the current version of the `Policy`. IAM uses
// this value to help manage concurrent updates, so they do not cause one
// update to be overwritten by another.
//
// If this field is present in a [CreatePolicy][] request, the value is
// ignored.
Etag string `protobuf:"bytes,6,opt,name=etag,proto3" json:"etag,omitempty"`
// Output only. The time when the `Policy` was created.
CreateTime *timestamppb.Timestamp `protobuf:"bytes,7,opt,name=create_time,json=createTime,proto3" json:"create_time,omitempty"`
// Output only. The time when the `Policy` was last updated.
UpdateTime *timestamppb.Timestamp `protobuf:"bytes,8,opt,name=update_time,json=updateTime,proto3" json:"update_time,omitempty"`
// Output only. The time when the `Policy` was deleted. Empty if the policy is not deleted.
DeleteTime *timestamppb.Timestamp `protobuf:"bytes,9,opt,name=delete_time,json=deleteTime,proto3" json:"delete_time,omitempty"`
// A list of rules that specify the behavior of the `Policy`. All of the rules
// should be of the `kind` specified in the `Policy`.
Rules []*PolicyRule `protobuf:"bytes,10,rep,name=rules,proto3" json:"rules,omitempty"`
// Immutable. Specifies that this policy is managed by an authority and can only be
// modified by that authority. Usage is restricted.
ManagingAuthority string `protobuf:"bytes,11,opt,name=managing_authority,json=managingAuthority,proto3" json:"managing_authority,omitempty"`
// contains filtered or unexported fields
}
func (*Policy) Descriptor() ([]byte, []int)
Deprecated: Use Policy.ProtoReflect.Descriptor instead.
func (x *Policy) GetAnnotations() map[string]string
func (x *Policy) GetCreateTime() *timestamppb.Timestamp
func (x *Policy) GetDeleteTime() *timestamppb.Timestamp
func (x *Policy) GetDisplayName() string
func (x *Policy) GetEtag() string
func (x *Policy) GetKind() string
func (x *Policy) GetManagingAuthority() string
func (x *Policy) GetName() string
func (x *Policy) GetRules() []*PolicyRule
func (x *Policy) GetUid() string
func (x *Policy) GetUpdateTime() *timestamppb.Timestamp
func (*Policy) ProtoMessage()
func (x *Policy) ProtoReflect() protoreflect.Message
func (x *Policy) Reset()
func (x *Policy) String() string
Metadata for long-running `Policy` operations.
type PolicyOperationMetadata struct {
// Timestamp when the `google.longrunning.Operation` was created.
CreateTime *timestamppb.Timestamp `protobuf:"bytes,1,opt,name=create_time,json=createTime,proto3" json:"create_time,omitempty"`
// contains filtered or unexported fields
}
func (*PolicyOperationMetadata) Descriptor() ([]byte, []int)
Deprecated: Use PolicyOperationMetadata.ProtoReflect.Descriptor instead.
func (x *PolicyOperationMetadata) GetCreateTime() *timestamppb.Timestamp
func (*PolicyOperationMetadata) ProtoMessage()
func (x *PolicyOperationMetadata) ProtoReflect() protoreflect.Message
func (x *PolicyOperationMetadata) Reset()
func (x *PolicyOperationMetadata) String() string
A single rule in a `Policy`.
type PolicyRule struct {
// Types that are assignable to Kind:
//
// *PolicyRule_DenyRule
Kind isPolicyRule_Kind `protobuf_oneof:"kind"`
// A user-specified description of the rule. This value can be up to 256
// characters.
Description string `protobuf:"bytes,1,opt,name=description,proto3" json:"description,omitempty"`
// contains filtered or unexported fields
}
func (*PolicyRule) Descriptor() ([]byte, []int)
Deprecated: Use PolicyRule.ProtoReflect.Descriptor instead.
func (x *PolicyRule) GetDenyRule() *DenyRule
func (x *PolicyRule) GetDescription() string
func (m *PolicyRule) GetKind() isPolicyRule_Kind
func (*PolicyRule) ProtoMessage()
func (x *PolicyRule) ProtoReflect() protoreflect.Message
func (x *PolicyRule) Reset()
func (x *PolicyRule) String() string
type PolicyRule_DenyRule struct {
// A rule for a deny policy.
DenyRule *DenyRule `protobuf:"bytes,2,opt,name=deny_rule,json=denyRule,proto3,oneof"`
}
UnimplementedPoliciesServer can be embedded to have forward compatible implementations.
type UnimplementedPoliciesServer struct {
}
func (*UnimplementedPoliciesServer) CreatePolicy(context.Context, *CreatePolicyRequest) (*longrunningpb.Operation, error)
func (*UnimplementedPoliciesServer) DeletePolicy(context.Context, *DeletePolicyRequest) (*longrunningpb.Operation, error)
func (*UnimplementedPoliciesServer) GetPolicy(context.Context, *GetPolicyRequest) (*Policy, error)
func (*UnimplementedPoliciesServer) ListPolicies(context.Context, *ListPoliciesRequest) (*ListPoliciesResponse, error)
func (*UnimplementedPoliciesServer) UpdatePolicy(context.Context, *UpdatePolicyRequest) (*longrunningpb.Operation, error)
Request message for `UpdatePolicy`.
type UpdatePolicyRequest struct {
// Required. The policy to update.
//
// To prevent conflicting updates, the `etag` value must match the value that
// is stored in IAM. If the `etag` values do not match, the request fails with
// a `409` error code and `ABORTED` status.
Policy *Policy `protobuf:"bytes,1,opt,name=policy,proto3" json:"policy,omitempty"`
// contains filtered or unexported fields
}
func (*UpdatePolicyRequest) Descriptor() ([]byte, []int)
Deprecated: Use UpdatePolicyRequest.ProtoReflect.Descriptor instead.
func (x *UpdatePolicyRequest) GetPolicy() *Policy
func (*UpdatePolicyRequest) ProtoMessage()
func (x *UpdatePolicyRequest) ProtoReflect() protoreflect.Message
func (x *UpdatePolicyRequest) Reset()
func (x *UpdatePolicyRequest) String() string