1 // Copyright 2022 Google LLC. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 // Code generated file. DO NOT EDIT. 6 7 // Package cloudasset provides access to the Cloud Asset API. 8 // 9 // For product documentation, see: https://cloud.google.com/asset-inventory/docs/quickstart 10 // 11 // # Creating a client 12 // 13 // Usage example: 14 // 15 // import "google.golang.org/api/cloudasset/v1p4beta1" 16 // ... 17 // ctx := context.Background() 18 // cloudassetService, err := cloudasset.NewService(ctx) 19 // 20 // In this example, Google Application Default Credentials are used for authentication. 21 // 22 // For information on how to create and obtain Application Default Credentials, see https://developers.google.com/identity/protocols/application-default-credentials. 23 // 24 // # Other authentication options 25 // 26 // To use an API key for authentication (note: some APIs do not support API keys), use option.WithAPIKey: 27 // 28 // cloudassetService, err := cloudasset.NewService(ctx, option.WithAPIKey("AIza...")) 29 // 30 // To use an OAuth token (e.g., a user token obtained via a three-legged OAuth flow), use option.WithTokenSource: 31 // 32 // config := &oauth2.Config{...} 33 // // ... 34 // token, err := config.Exchange(ctx, ...) 35 // cloudassetService, err := cloudasset.NewService(ctx, option.WithTokenSource(config.TokenSource(ctx, token))) 36 // 37 // See https://godoc.org/google.golang.org/api/option/ for details on options. 38 package cloudasset // import "google.golang.org/api/cloudasset/v1p4beta1" 39 40 import ( 41 "bytes" 42 "context" 43 "encoding/json" 44 "errors" 45 "fmt" 46 "io" 47 "net/http" 48 "net/url" 49 "strconv" 50 "strings" 51 52 googleapi "google.golang.org/api/googleapi" 53 internal "google.golang.org/api/internal" 54 gensupport "google.golang.org/api/internal/gensupport" 55 option "google.golang.org/api/option" 56 internaloption "google.golang.org/api/option/internaloption" 57 htransport "google.golang.org/api/transport/http" 58 ) 59 60 // Always reference these packages, just in case the auto-generated code 61 // below doesn't. 62 var _ = bytes.NewBuffer 63 var _ = strconv.Itoa 64 var _ = fmt.Sprintf 65 var _ = json.NewDecoder 66 var _ = io.Copy 67 var _ = url.Parse 68 var _ = gensupport.MarshalJSON 69 var _ = googleapi.Version 70 var _ = errors.New 71 var _ = strings.Replace 72 var _ = context.Canceled 73 var _ = internaloption.WithDefaultEndpoint 74 75 const apiId = "cloudasset:v1p4beta1" 76 const apiName = "cloudasset" 77 const apiVersion = "v1p4beta1" 78 const basePath = "https://cloudasset.googleapis.com/" 79 const mtlsBasePath = "https://cloudasset.mtls.googleapis.com/" 80 81 // OAuth2 scopes used by this API. 82 const ( 83 // See, edit, configure, and delete your Google Cloud data and see the 84 // email address for your Google Account. 85 CloudPlatformScope = "https://www.googleapis.com/auth/cloud-platform" 86 ) 87 88 // NewService creates a new Service. 89 func NewService(ctx context.Context, opts ...option.ClientOption) (*Service, error) { 90 scopesOption := internaloption.WithDefaultScopes( 91 "https://www.googleapis.com/auth/cloud-platform", 92 ) 93 // NOTE: prepend, so we don't override user-specified scopes. 94 opts = append([]option.ClientOption{scopesOption}, opts...) 95 opts = append(opts, internaloption.WithDefaultEndpoint(basePath)) 96 opts = append(opts, internaloption.WithDefaultMTLSEndpoint(mtlsBasePath)) 97 client, endpoint, err := htransport.NewClient(ctx, opts...) 98 if err != nil { 99 return nil, err 100 } 101 s, err := New(client) 102 if err != nil { 103 return nil, err 104 } 105 if endpoint != "" { 106 s.BasePath = endpoint 107 } 108 return s, nil 109 } 110 111 // New creates a new Service. It uses the provided http.Client for requests. 112 // 113 // Deprecated: please use NewService instead. 114 // To provide a custom HTTP client, use option.WithHTTPClient. 115 // If you are using google.golang.org/api/googleapis/transport.APIKey, use option.WithAPIKey with NewService instead. 116 func New(client *http.Client) (*Service, error) { 117 if client == nil { 118 return nil, errors.New("client is nil") 119 } 120 s := &Service{client: client, BasePath: basePath} 121 s.V1p4beta1 = NewV1p4beta1Service(s) 122 return s, nil 123 } 124 125 type Service struct { 126 client *http.Client 127 BasePath string // API endpoint base URL 128 UserAgent string // optional additional User-Agent fragment 129 130 V1p4beta1 *V1p4beta1Service 131 } 132 133 func (s *Service) userAgent() string { 134 if s.UserAgent == "" { 135 return googleapi.UserAgent 136 } 137 return googleapi.UserAgent + " " + s.UserAgent 138 } 139 140 func NewV1p4beta1Service(s *Service) *V1p4beta1Service { 141 rs := &V1p4beta1Service{s: s} 142 return rs 143 } 144 145 type V1p4beta1Service struct { 146 s *Service 147 } 148 149 // AccessSelector: Specifies roles and/or permissions to analyze, to 150 // determine both the identities possessing them and the resources they 151 // control. If multiple values are specified, results will include 152 // identities and resources matching any of them. The total number of 153 // roles and permissions should be equal or less than 10. 154 type AccessSelector struct { 155 // Permissions: Optional. The permissions to appear in result. 156 Permissions []string `json:"permissions,omitempty"` 157 158 // Roles: Optional. The roles to appear in result. 159 Roles []string `json:"roles,omitempty"` 160 161 // ForceSendFields is a list of field names (e.g. "Permissions") to 162 // unconditionally include in API requests. By default, fields with 163 // empty or default values are omitted from API requests. However, any 164 // non-pointer, non-interface field appearing in ForceSendFields will be 165 // sent to the server regardless of whether the field is empty or not. 166 // This may be used to include empty fields in Patch requests. 167 ForceSendFields []string `json:"-"` 168 169 // NullFields is a list of field names (e.g. "Permissions") to include 170 // in API requests with the JSON null value. By default, fields with 171 // empty values are omitted from API requests. However, any field with 172 // an empty value appearing in NullFields will be sent to the server as 173 // null. It is an error if a field in this list has a non-empty value. 174 // This may be used to include null fields in Patch requests. 175 NullFields []string `json:"-"` 176 } 177 178 func (s *AccessSelector) MarshalJSON() ([]byte, error) { 179 type NoMethod AccessSelector 180 raw := NoMethod(*s) 181 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 182 } 183 184 // AnalyzeIamPolicyLongrunningMetadata: Represents the metadata of the 185 // longrunning operation for the AnalyzeIamPolicyLongrunning rpc. 186 type AnalyzeIamPolicyLongrunningMetadata struct { 187 // CreateTime: Output only. The time the operation was created. 188 CreateTime string `json:"createTime,omitempty"` 189 190 // ForceSendFields is a list of field names (e.g. "CreateTime") to 191 // unconditionally include in API requests. By default, fields with 192 // empty or default values are omitted from API requests. However, any 193 // non-pointer, non-interface field appearing in ForceSendFields will be 194 // sent to the server regardless of whether the field is empty or not. 195 // This may be used to include empty fields in Patch requests. 196 ForceSendFields []string `json:"-"` 197 198 // NullFields is a list of field names (e.g. "CreateTime") to include in 199 // API requests with the JSON null value. By default, fields with empty 200 // values are omitted from API requests. However, any field with an 201 // empty value appearing in NullFields will be sent to the server as 202 // null. It is an error if a field in this list has a non-empty value. 203 // This may be used to include null fields in Patch requests. 204 NullFields []string `json:"-"` 205 } 206 207 func (s *AnalyzeIamPolicyLongrunningMetadata) MarshalJSON() ([]byte, error) { 208 type NoMethod AnalyzeIamPolicyLongrunningMetadata 209 raw := NoMethod(*s) 210 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 211 } 212 213 // AnalyzeIamPolicyLongrunningResponse: A response message for 214 // AssetService.AnalyzeIamPolicyLongrunning. 215 type AnalyzeIamPolicyLongrunningResponse struct { 216 } 217 218 // AnalyzeIamPolicyResponse: A response message for 219 // AssetService.AnalyzeIamPolicy. 220 type AnalyzeIamPolicyResponse struct { 221 // FullyExplored: Represents whether all entries in the main_analysis 222 // and service_account_impersonation_analysis have been fully explored 223 // to answer the query in the request. 224 FullyExplored bool `json:"fullyExplored,omitempty"` 225 226 // MainAnalysis: The main analysis that matches the original request. 227 MainAnalysis *IamPolicyAnalysis `json:"mainAnalysis,omitempty"` 228 229 // NonCriticalErrors: A list of non-critical errors happened during the 230 // request handling to explain why `fully_explored` is false, or empty 231 // if no error happened. 232 NonCriticalErrors []*GoogleCloudAssetV1p4beta1AnalysisState `json:"nonCriticalErrors,omitempty"` 233 234 // ServiceAccountImpersonationAnalysis: The service account 235 // impersonation analysis if 236 // AnalyzeIamPolicyRequest.analyze_service_account_impersonation is 237 // enabled. 238 ServiceAccountImpersonationAnalysis []*IamPolicyAnalysis `json:"serviceAccountImpersonationAnalysis,omitempty"` 239 240 // ServerResponse contains the HTTP response code and headers from the 241 // server. 242 googleapi.ServerResponse `json:"-"` 243 244 // ForceSendFields is a list of field names (e.g. "FullyExplored") to 245 // unconditionally include in API requests. By default, fields with 246 // empty or default values are omitted from API requests. However, any 247 // non-pointer, non-interface field appearing in ForceSendFields will be 248 // sent to the server regardless of whether the field is empty or not. 249 // This may be used to include empty fields in Patch requests. 250 ForceSendFields []string `json:"-"` 251 252 // NullFields is a list of field names (e.g. "FullyExplored") to include 253 // in API requests with the JSON null value. By default, fields with 254 // empty values are omitted from API requests. However, any field with 255 // an empty value appearing in NullFields will be sent to the server as 256 // null. It is an error if a field in this list has a non-empty value. 257 // This may be used to include null fields in Patch requests. 258 NullFields []string `json:"-"` 259 } 260 261 func (s *AnalyzeIamPolicyResponse) MarshalJSON() ([]byte, error) { 262 type NoMethod AnalyzeIamPolicyResponse 263 raw := NoMethod(*s) 264 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 265 } 266 267 // AuditConfig: Specifies the audit configuration for a service. The 268 // configuration determines which permission types are logged, and what 269 // identities, if any, are exempted from logging. An AuditConfig must 270 // have one or more AuditLogConfigs. If there are AuditConfigs for both 271 // `allServices` and a specific service, the union of the two 272 // AuditConfigs is used for that service: the log_types specified in 273 // each AuditConfig are enabled, and the exempted_members in each 274 // AuditLogConfig are exempted. Example Policy with multiple 275 // AuditConfigs: { "audit_configs": [ { "service": "allServices", 276 // "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": 277 // [ "user:jose@example.com" ] }, { "log_type": "DATA_WRITE" }, { 278 // "log_type": "ADMIN_READ" } ] }, { "service": 279 // "sampleservice.googleapis.com", "audit_log_configs": [ { "log_type": 280 // "DATA_READ" }, { "log_type": "DATA_WRITE", "exempted_members": [ 281 // "user:aliya@example.com" ] } ] } ] } For sampleservice, this policy 282 // enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts 283 // `jose@example.com` from DATA_READ logging, and `aliya@example.com` 284 // from DATA_WRITE logging. 285 type AuditConfig struct { 286 // AuditLogConfigs: The configuration for logging of each type of 287 // permission. 288 AuditLogConfigs []*AuditLogConfig `json:"auditLogConfigs,omitempty"` 289 290 // Service: Specifies a service that will be enabled for audit logging. 291 // For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. 292 // `allServices` is a special value that covers all services. 293 Service string `json:"service,omitempty"` 294 295 // ForceSendFields is a list of field names (e.g. "AuditLogConfigs") to 296 // unconditionally include in API requests. By default, fields with 297 // empty or default values are omitted from API requests. However, any 298 // non-pointer, non-interface field appearing in ForceSendFields will be 299 // sent to the server regardless of whether the field is empty or not. 300 // This may be used to include empty fields in Patch requests. 301 ForceSendFields []string `json:"-"` 302 303 // NullFields is a list of field names (e.g. "AuditLogConfigs") to 304 // include in API requests with the JSON null value. By default, fields 305 // with empty values are omitted from API requests. However, any field 306 // with an empty value appearing in NullFields will be sent to the 307 // server as null. It is an error if a field in this list has a 308 // non-empty value. This may be used to include null fields in Patch 309 // requests. 310 NullFields []string `json:"-"` 311 } 312 313 func (s *AuditConfig) MarshalJSON() ([]byte, error) { 314 type NoMethod AuditConfig 315 raw := NoMethod(*s) 316 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 317 } 318 319 // AuditLogConfig: Provides the configuration for logging a type of 320 // permissions. Example: { "audit_log_configs": [ { "log_type": 321 // "DATA_READ", "exempted_members": [ "user:jose@example.com" ] }, { 322 // "log_type": "DATA_WRITE" } ] } This enables 'DATA_READ' and 323 // 'DATA_WRITE' logging, while exempting jose@example.com from DATA_READ 324 // logging. 325 type AuditLogConfig struct { 326 // ExemptedMembers: Specifies the identities that do not cause logging 327 // for this type of permission. Follows the same format of 328 // Binding.members. 329 ExemptedMembers []string `json:"exemptedMembers,omitempty"` 330 331 // LogType: The log type that this config enables. 332 // 333 // Possible values: 334 // "LOG_TYPE_UNSPECIFIED" - Default case. Should never be this. 335 // "ADMIN_READ" - Admin reads. Example: CloudIAM getIamPolicy 336 // "DATA_WRITE" - Data writes. Example: CloudSQL Users create 337 // "DATA_READ" - Data reads. Example: CloudSQL Users list 338 LogType string `json:"logType,omitempty"` 339 340 // ForceSendFields is a list of field names (e.g. "ExemptedMembers") to 341 // unconditionally include in API requests. By default, fields with 342 // empty or default values are omitted from API requests. However, any 343 // non-pointer, non-interface field appearing in ForceSendFields will be 344 // sent to the server regardless of whether the field is empty or not. 345 // This may be used to include empty fields in Patch requests. 346 ForceSendFields []string `json:"-"` 347 348 // NullFields is a list of field names (e.g. "ExemptedMembers") to 349 // include in API requests with the JSON null value. By default, fields 350 // with empty values are omitted from API requests. However, any field 351 // with an empty value appearing in NullFields will be sent to the 352 // server as null. It is an error if a field in this list has a 353 // non-empty value. This may be used to include null fields in Patch 354 // requests. 355 NullFields []string `json:"-"` 356 } 357 358 func (s *AuditLogConfig) MarshalJSON() ([]byte, error) { 359 type NoMethod AuditLogConfig 360 raw := NoMethod(*s) 361 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 362 } 363 364 // Binding: Associates `members`, or principals, with a `role`. 365 type Binding struct { 366 // Condition: The condition that is associated with this binding. If the 367 // condition evaluates to `true`, then this binding applies to the 368 // current request. If the condition evaluates to `false`, then this 369 // binding does not apply to the current request. However, a different 370 // role binding might grant the same role to one or more of the 371 // principals in this binding. To learn which resources support 372 // conditions in their IAM policies, see the IAM documentation 373 // (https://cloud.google.com/iam/help/conditions/resource-policies). 374 Condition *Expr `json:"condition,omitempty"` 375 376 // Members: Specifies the principals requesting access for a Google 377 // Cloud resource. `members` can have the following values: * 378 // `allUsers`: A special identifier that represents anyone who is on the 379 // internet; with or without a Google account. * 380 // `allAuthenticatedUsers`: A special identifier that represents anyone 381 // who is authenticated with a Google account or a service account. * 382 // `user:{emailid}`: An email address that represents a specific Google 383 // account. For example, `alice@example.com` . * 384 // `serviceAccount:{emailid}`: An email address that represents a 385 // service account. For example, 386 // `my-other-app@appspot.gserviceaccount.com`. * `group:{emailid}`: An 387 // email address that represents a Google group. For example, 388 // `admins@example.com`. * `deleted:user:{emailid}?uid={uniqueid}`: An 389 // email address (plus unique identifier) representing a user that has 390 // been recently deleted. For example, 391 // `alice@example.com?uid=123456789012345678901`. If the user is 392 // recovered, this value reverts to `user:{emailid}` and the recovered 393 // user retains the role in the binding. * 394 // `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address 395 // (plus unique identifier) representing a service account that has been 396 // recently deleted. For example, 397 // `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. 398 // If the service account is undeleted, this value reverts to 399 // `serviceAccount:{emailid}` and the undeleted service account retains 400 // the role in the binding. * `deleted:group:{emailid}?uid={uniqueid}`: 401 // An email address (plus unique identifier) representing a Google group 402 // that has been recently deleted. For example, 403 // `admins@example.com?uid=123456789012345678901`. If the group is 404 // recovered, this value reverts to `group:{emailid}` and the recovered 405 // group retains the role in the binding. * `domain:{domain}`: The G 406 // Suite domain (primary) that represents all the users of that domain. 407 // For example, `google.com` or `example.com`. 408 Members []string `json:"members,omitempty"` 409 410 // Role: Role that is assigned to the list of `members`, or principals. 411 // For example, `roles/viewer`, `roles/editor`, or `roles/owner`. 412 Role string `json:"role,omitempty"` 413 414 // ForceSendFields is a list of field names (e.g. "Condition") to 415 // unconditionally include in API requests. By default, fields with 416 // empty or default values are omitted from API requests. However, any 417 // non-pointer, non-interface field appearing in ForceSendFields will be 418 // sent to the server regardless of whether the field is empty or not. 419 // This may be used to include empty fields in Patch requests. 420 ForceSendFields []string `json:"-"` 421 422 // NullFields is a list of field names (e.g. "Condition") to include in 423 // API requests with the JSON null value. By default, fields with empty 424 // values are omitted from API requests. However, any field with an 425 // empty value appearing in NullFields will be sent to the server as 426 // null. It is an error if a field in this list has a non-empty value. 427 // This may be used to include null fields in Patch requests. 428 NullFields []string `json:"-"` 429 } 430 431 func (s *Binding) MarshalJSON() ([]byte, error) { 432 type NoMethod Binding 433 raw := NoMethod(*s) 434 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 435 } 436 437 // ExportIamPolicyAnalysisRequest: A request message for 438 // AssetService.ExportIamPolicyAnalysis. 439 type ExportIamPolicyAnalysisRequest struct { 440 // AnalysisQuery: Required. The request query. 441 AnalysisQuery *IamPolicyAnalysisQuery `json:"analysisQuery,omitempty"` 442 443 // Options: Optional. The request options. 444 Options *Options `json:"options,omitempty"` 445 446 // OutputConfig: Required. Output configuration indicating where the 447 // results will be output to. 448 OutputConfig *IamPolicyAnalysisOutputConfig `json:"outputConfig,omitempty"` 449 450 // ForceSendFields is a list of field names (e.g. "AnalysisQuery") to 451 // unconditionally include in API requests. By default, fields with 452 // empty or default values are omitted from API requests. However, any 453 // non-pointer, non-interface field appearing in ForceSendFields will be 454 // sent to the server regardless of whether the field is empty or not. 455 // This may be used to include empty fields in Patch requests. 456 ForceSendFields []string `json:"-"` 457 458 // NullFields is a list of field names (e.g. "AnalysisQuery") to include 459 // in API requests with the JSON null value. By default, fields with 460 // empty values are omitted from API requests. However, any field with 461 // an empty value appearing in NullFields will be sent to the server as 462 // null. It is an error if a field in this list has a non-empty value. 463 // This may be used to include null fields in Patch requests. 464 NullFields []string `json:"-"` 465 } 466 467 func (s *ExportIamPolicyAnalysisRequest) MarshalJSON() ([]byte, error) { 468 type NoMethod ExportIamPolicyAnalysisRequest 469 raw := NoMethod(*s) 470 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 471 } 472 473 // Expr: Represents a textual expression in the Common Expression 474 // Language (CEL) syntax. CEL is a C-like expression language. The 475 // syntax and semantics of CEL are documented at 476 // https://github.com/google/cel-spec. Example (Comparison): title: 477 // "Summary size limit" description: "Determines if a summary is less 478 // than 100 chars" expression: "document.summary.size() < 100" Example 479 // (Equality): title: "Requestor is owner" description: "Determines if 480 // requestor is the document owner" expression: "document.owner == 481 // request.auth.claims.email" Example (Logic): title: "Public documents" 482 // description: "Determine whether the document should be publicly 483 // visible" expression: "document.type != 'private' && document.type != 484 // 'internal'" Example (Data Manipulation): title: "Notification string" 485 // description: "Create a notification string with a timestamp." 486 // expression: "'New message received at ' + 487 // string(document.create_time)" The exact variables and functions that 488 // may be referenced within an expression are determined by the service 489 // that evaluates it. See the service documentation for additional 490 // information. 491 type Expr struct { 492 // Description: Optional. Description of the expression. This is a 493 // longer text which describes the expression, e.g. when hovered over it 494 // in a UI. 495 Description string `json:"description,omitempty"` 496 497 // Expression: Textual representation of an expression in Common 498 // Expression Language syntax. 499 Expression string `json:"expression,omitempty"` 500 501 // Location: Optional. String indicating the location of the expression 502 // for error reporting, e.g. a file name and a position in the file. 503 Location string `json:"location,omitempty"` 504 505 // Title: Optional. Title for the expression, i.e. a short string 506 // describing its purpose. This can be used e.g. in UIs which allow to 507 // enter the expression. 508 Title string `json:"title,omitempty"` 509 510 // ForceSendFields is a list of field names (e.g. "Description") to 511 // unconditionally include in API requests. By default, fields with 512 // empty or default values are omitted from API requests. However, any 513 // non-pointer, non-interface field appearing in ForceSendFields will be 514 // sent to the server regardless of whether the field is empty or not. 515 // This may be used to include empty fields in Patch requests. 516 ForceSendFields []string `json:"-"` 517 518 // NullFields is a list of field names (e.g. "Description") to include 519 // in API requests with the JSON null value. By default, fields with 520 // empty values are omitted from API requests. However, any field with 521 // an empty value appearing in NullFields will be sent to the server as 522 // null. It is an error if a field in this list has a non-empty value. 523 // This may be used to include null fields in Patch requests. 524 NullFields []string `json:"-"` 525 } 526 527 func (s *Expr) MarshalJSON() ([]byte, error) { 528 type NoMethod Expr 529 raw := NoMethod(*s) 530 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 531 } 532 533 // GcsDestination: A Cloud Storage location. 534 type GcsDestination struct { 535 // Uri: Required. The uri of the Cloud Storage object. It's the same uri 536 // that is used by gsutil. For example: "gs://bucket_name/object_name". 537 // See [Quickstart: Using the gsutil tool] 538 // (https://cloud.google.com/storage/docs/quickstart-gsutil) for 539 // examples. 540 Uri string `json:"uri,omitempty"` 541 542 // ForceSendFields is a list of field names (e.g. "Uri") to 543 // unconditionally include in API requests. By default, fields with 544 // empty or default values are omitted from API requests. However, any 545 // non-pointer, non-interface field appearing in ForceSendFields will be 546 // sent to the server regardless of whether the field is empty or not. 547 // This may be used to include empty fields in Patch requests. 548 ForceSendFields []string `json:"-"` 549 550 // NullFields is a list of field names (e.g. "Uri") to include in API 551 // requests with the JSON null value. By default, fields with empty 552 // values are omitted from API requests. However, any field with an 553 // empty value appearing in NullFields will be sent to the server as 554 // null. It is an error if a field in this list has a non-empty value. 555 // This may be used to include null fields in Patch requests. 556 NullFields []string `json:"-"` 557 } 558 559 func (s *GcsDestination) MarshalJSON() ([]byte, error) { 560 type NoMethod GcsDestination 561 raw := NoMethod(*s) 562 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 563 } 564 565 // GoogleCloudAssetV1p4beta1Access: An IAM role or permission under 566 // analysis. 567 type GoogleCloudAssetV1p4beta1Access struct { 568 // AnalysisState: The analysis state of this access. 569 AnalysisState *GoogleCloudAssetV1p4beta1AnalysisState `json:"analysisState,omitempty"` 570 571 // Permission: The permission. 572 Permission string `json:"permission,omitempty"` 573 574 // Role: The role. 575 Role string `json:"role,omitempty"` 576 577 // ForceSendFields is a list of field names (e.g. "AnalysisState") to 578 // unconditionally include in API requests. By default, fields with 579 // empty or default values are omitted from API requests. However, any 580 // non-pointer, non-interface field appearing in ForceSendFields will be 581 // sent to the server regardless of whether the field is empty or not. 582 // This may be used to include empty fields in Patch requests. 583 ForceSendFields []string `json:"-"` 584 585 // NullFields is a list of field names (e.g. "AnalysisState") to include 586 // in API requests with the JSON null value. By default, fields with 587 // empty values are omitted from API requests. However, any field with 588 // an empty value appearing in NullFields will be sent to the server as 589 // null. It is an error if a field in this list has a non-empty value. 590 // This may be used to include null fields in Patch requests. 591 NullFields []string `json:"-"` 592 } 593 594 func (s *GoogleCloudAssetV1p4beta1Access) MarshalJSON() ([]byte, error) { 595 type NoMethod GoogleCloudAssetV1p4beta1Access 596 raw := NoMethod(*s) 597 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 598 } 599 600 // GoogleCloudAssetV1p4beta1AccessControlList: An access control list, 601 // derived from the above IAM policy binding, which contains a set of 602 // resources and accesses. May include one item from each set to compose 603 // an access control entry. NOTICE that there could be multiple access 604 // control lists for one IAM policy binding. The access control lists 605 // are created based on resource and access combinations. For example, 606 // assume we have the following cases in one IAM policy binding: - 607 // Permission P1 and P2 apply to resource R1 and R2; - Permission P3 608 // applies to resource R2 and R3; This will result in the following 609 // access control lists: - AccessControlList 1: [R1, R2], [P1, P2] - 610 // AccessControlList 2: [R2, R3], [P3] 611 type GoogleCloudAssetV1p4beta1AccessControlList struct { 612 // Accesses: The accesses that match one of the following conditions: - 613 // The access_selector, if it is specified in request; - Otherwise, 614 // access specifiers reachable from the policy binding's role. 615 Accesses []*GoogleCloudAssetV1p4beta1Access `json:"accesses,omitempty"` 616 617 // ResourceEdges: Resource edges of the graph starting from the policy 618 // attached resource to any descendant resources. The Edge.source_node 619 // contains the full resource name of a parent resource and 620 // Edge.target_node contains the full resource name of a child resource. 621 // This field is present only if the output_resource_edges option is 622 // enabled in request. 623 ResourceEdges []*GoogleCloudAssetV1p4beta1Edge `json:"resourceEdges,omitempty"` 624 625 // Resources: The resources that match one of the following conditions: 626 // - The resource_selector, if it is specified in request; - Otherwise, 627 // resources reachable from the policy attached resource. 628 Resources []*GoogleCloudAssetV1p4beta1Resource `json:"resources,omitempty"` 629 630 // ForceSendFields is a list of field names (e.g. "Accesses") to 631 // unconditionally include in API requests. By default, fields with 632 // empty or default values are omitted from API requests. However, any 633 // non-pointer, non-interface field appearing in ForceSendFields will be 634 // sent to the server regardless of whether the field is empty or not. 635 // This may be used to include empty fields in Patch requests. 636 ForceSendFields []string `json:"-"` 637 638 // NullFields is a list of field names (e.g. "Accesses") to include in 639 // API requests with the JSON null value. By default, fields with empty 640 // values are omitted from API requests. However, any field with an 641 // empty value appearing in NullFields will be sent to the server as 642 // null. It is an error if a field in this list has a non-empty value. 643 // This may be used to include null fields in Patch requests. 644 NullFields []string `json:"-"` 645 } 646 647 func (s *GoogleCloudAssetV1p4beta1AccessControlList) MarshalJSON() ([]byte, error) { 648 type NoMethod GoogleCloudAssetV1p4beta1AccessControlList 649 raw := NoMethod(*s) 650 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 651 } 652 653 // GoogleCloudAssetV1p4beta1AnalysisState: Represents the detailed state 654 // of an entity under analysis, such as a resource, an identity or an 655 // access. 656 type GoogleCloudAssetV1p4beta1AnalysisState struct { 657 // Cause: The human-readable description of the cause of failure. 658 Cause string `json:"cause,omitempty"` 659 660 // Code: The Google standard error code that best describes the state. 661 // For example: - OK means the analysis on this entity has been 662 // successfully finished; - PERMISSION_DENIED means an access denied 663 // error is encountered; - DEADLINE_EXCEEDED means the analysis on this 664 // entity hasn't been started in time; 665 // 666 // Possible values: 667 // "OK" - Not an error; returned on success HTTP Mapping: 200 OK 668 // "CANCELLED" - The operation was cancelled, typically by the caller. 669 // HTTP Mapping: 499 Client Closed Request 670 // "UNKNOWN" - Unknown error. For example, this error may be returned 671 // when a `Status` value received from another address space belongs to 672 // an error space that is not known in this address space. Also errors 673 // raised by APIs that do not return enough error information may be 674 // converted to this error. HTTP Mapping: 500 Internal Server Error 675 // "INVALID_ARGUMENT" - The client specified an invalid argument. Note 676 // that this differs from `FAILED_PRECONDITION`. `INVALID_ARGUMENT` 677 // indicates arguments that are problematic regardless of the state of 678 // the system (e.g., a malformed file name). HTTP Mapping: 400 Bad 679 // Request 680 // "DEADLINE_EXCEEDED" - The deadline expired before the operation 681 // could complete. For operations that change the state of the system, 682 // this error may be returned even if the operation has completed 683 // successfully. For example, a successful response from a server could 684 // have been delayed long enough for the deadline to expire. HTTP 685 // Mapping: 504 Gateway Timeout 686 // "NOT_FOUND" - Some requested entity (e.g., file or directory) was 687 // not found. Note to server developers: if a request is denied for an 688 // entire class of users, such as gradual feature rollout or 689 // undocumented allowlist, `NOT_FOUND` may be used. If a request is 690 // denied for some users within a class of users, such as user-based 691 // access control, `PERMISSION_DENIED` must be used. HTTP Mapping: 404 692 // Not Found 693 // "ALREADY_EXISTS" - The entity that a client attempted to create 694 // (e.g., file or directory) already exists. HTTP Mapping: 409 Conflict 695 // "PERMISSION_DENIED" - The caller does not have permission to 696 // execute the specified operation. `PERMISSION_DENIED` must not be used 697 // for rejections caused by exhausting some resource (use 698 // `RESOURCE_EXHAUSTED` instead for those errors). `PERMISSION_DENIED` 699 // must not be used if the caller can not be identified (use 700 // `UNAUTHENTICATED` instead for those errors). This error code does not 701 // imply the request is valid or the requested entity exists or 702 // satisfies other pre-conditions. HTTP Mapping: 403 Forbidden 703 // "UNAUTHENTICATED" - The request does not have valid authentication 704 // credentials for the operation. HTTP Mapping: 401 Unauthorized 705 // "RESOURCE_EXHAUSTED" - Some resource has been exhausted, perhaps a 706 // per-user quota, or perhaps the entire file system is out of space. 707 // HTTP Mapping: 429 Too Many Requests 708 // "FAILED_PRECONDITION" - The operation was rejected because the 709 // system is not in a state required for the operation's execution. For 710 // example, the directory to be deleted is non-empty, an rmdir operation 711 // is applied to a non-directory, etc. Service implementors can use the 712 // following guidelines to decide between `FAILED_PRECONDITION`, 713 // `ABORTED`, and `UNAVAILABLE`: (a) Use `UNAVAILABLE` if the client can 714 // retry just the failing call. (b) Use `ABORTED` if the client should 715 // retry at a higher level. For example, when a client-specified 716 // test-and-set fails, indicating the client should restart a 717 // read-modify-write sequence. (c) Use `FAILED_PRECONDITION` if the 718 // client should not retry until the system state has been explicitly 719 // fixed. For example, if an "rmdir" fails because the directory is 720 // non-empty, `FAILED_PRECONDITION` should be returned since the client 721 // should not retry unless the files are deleted from the directory. 722 // HTTP Mapping: 400 Bad Request 723 // "ABORTED" - The operation was aborted, typically due to a 724 // concurrency issue such as a sequencer check failure or transaction 725 // abort. See the guidelines above for deciding between 726 // `FAILED_PRECONDITION`, `ABORTED`, and `UNAVAILABLE`. HTTP Mapping: 727 // 409 Conflict 728 // "OUT_OF_RANGE" - The operation was attempted past the valid range. 729 // E.g., seeking or reading past end-of-file. Unlike `INVALID_ARGUMENT`, 730 // this error indicates a problem that may be fixed if the system state 731 // changes. For example, a 32-bit file system will generate 732 // `INVALID_ARGUMENT` if asked to read at an offset that is not in the 733 // range [0,2^32-1], but it will generate `OUT_OF_RANGE` if asked to 734 // read from an offset past the current file size. There is a fair bit 735 // of overlap between `FAILED_PRECONDITION` and `OUT_OF_RANGE`. We 736 // recommend using `OUT_OF_RANGE` (the more specific error) when it 737 // applies so that callers who are iterating through a space can easily 738 // look for an `OUT_OF_RANGE` error to detect when they are done. HTTP 739 // Mapping: 400 Bad Request 740 // "UNIMPLEMENTED" - The operation is not implemented or is not 741 // supported/enabled in this service. HTTP Mapping: 501 Not Implemented 742 // "INTERNAL" - Internal errors. This means that some invariants 743 // expected by the underlying system have been broken. This error code 744 // is reserved for serious errors. HTTP Mapping: 500 Internal Server 745 // Error 746 // "UNAVAILABLE" - The service is currently unavailable. This is most 747 // likely a transient condition, which can be corrected by retrying with 748 // a backoff. Note that it is not always safe to retry non-idempotent 749 // operations. See the guidelines above for deciding between 750 // `FAILED_PRECONDITION`, `ABORTED`, and `UNAVAILABLE`. HTTP Mapping: 751 // 503 Service Unavailable 752 // "DATA_LOSS" - Unrecoverable data loss or corruption. HTTP Mapping: 753 // 500 Internal Server Error 754 Code string `json:"code,omitempty"` 755 756 // ForceSendFields is a list of field names (e.g. "Cause") to 757 // unconditionally include in API requests. By default, fields with 758 // empty or default values are omitted from API requests. However, any 759 // non-pointer, non-interface field appearing in ForceSendFields will be 760 // sent to the server regardless of whether the field is empty or not. 761 // This may be used to include empty fields in Patch requests. 762 ForceSendFields []string `json:"-"` 763 764 // NullFields is a list of field names (e.g. "Cause") to include in API 765 // requests with the JSON null value. By default, fields with empty 766 // values are omitted from API requests. However, any field with an 767 // empty value appearing in NullFields will be sent to the server as 768 // null. It is an error if a field in this list has a non-empty value. 769 // This may be used to include null fields in Patch requests. 770 NullFields []string `json:"-"` 771 } 772 773 func (s *GoogleCloudAssetV1p4beta1AnalysisState) MarshalJSON() ([]byte, error) { 774 type NoMethod GoogleCloudAssetV1p4beta1AnalysisState 775 raw := NoMethod(*s) 776 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 777 } 778 779 // GoogleCloudAssetV1p4beta1Edge: A directional edge. 780 type GoogleCloudAssetV1p4beta1Edge struct { 781 // SourceNode: The source node of the edge. 782 SourceNode string `json:"sourceNode,omitempty"` 783 784 // TargetNode: The target node of the edge. 785 TargetNode string `json:"targetNode,omitempty"` 786 787 // ForceSendFields is a list of field names (e.g. "SourceNode") to 788 // unconditionally include in API requests. By default, fields with 789 // empty or default values are omitted from API requests. However, any 790 // non-pointer, non-interface field appearing in ForceSendFields will be 791 // sent to the server regardless of whether the field is empty or not. 792 // This may be used to include empty fields in Patch requests. 793 ForceSendFields []string `json:"-"` 794 795 // NullFields is a list of field names (e.g. "SourceNode") to include in 796 // API requests with the JSON null value. By default, fields with empty 797 // values are omitted from API requests. However, any field with an 798 // empty value appearing in NullFields will be sent to the server as 799 // null. It is an error if a field in this list has a non-empty value. 800 // This may be used to include null fields in Patch requests. 801 NullFields []string `json:"-"` 802 } 803 804 func (s *GoogleCloudAssetV1p4beta1Edge) MarshalJSON() ([]byte, error) { 805 type NoMethod GoogleCloudAssetV1p4beta1Edge 806 raw := NoMethod(*s) 807 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 808 } 809 810 // GoogleCloudAssetV1p4beta1Identity: An identity under analysis. 811 type GoogleCloudAssetV1p4beta1Identity struct { 812 // AnalysisState: The analysis state of this identity. 813 AnalysisState *GoogleCloudAssetV1p4beta1AnalysisState `json:"analysisState,omitempty"` 814 815 // Name: The identity name in any form of members appear in IAM policy 816 // binding (https://cloud.google.com/iam/reference/rest/v1/Binding), 817 // such as: - user:foo@google.com - group:group1@google.com - 818 // serviceAccount:s1@prj1.iam.gserviceaccount.com - 819 // projectOwner:some_project_id - domain:google.com - allUsers - etc. 820 Name string `json:"name,omitempty"` 821 822 // ForceSendFields is a list of field names (e.g. "AnalysisState") to 823 // unconditionally include in API requests. By default, fields with 824 // empty or default values are omitted from API requests. However, any 825 // non-pointer, non-interface field appearing in ForceSendFields will be 826 // sent to the server regardless of whether the field is empty or not. 827 // This may be used to include empty fields in Patch requests. 828 ForceSendFields []string `json:"-"` 829 830 // NullFields is a list of field names (e.g. "AnalysisState") to include 831 // in API requests with the JSON null value. By default, fields with 832 // empty values are omitted from API requests. However, any field with 833 // an empty value appearing in NullFields will be sent to the server as 834 // null. It is an error if a field in this list has a non-empty value. 835 // This may be used to include null fields in Patch requests. 836 NullFields []string `json:"-"` 837 } 838 839 func (s *GoogleCloudAssetV1p4beta1Identity) MarshalJSON() ([]byte, error) { 840 type NoMethod GoogleCloudAssetV1p4beta1Identity 841 raw := NoMethod(*s) 842 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 843 } 844 845 type GoogleCloudAssetV1p4beta1IdentityList struct { 846 // GroupEdges: Group identity edges of the graph starting from the 847 // binding's group members to any node of the identities. The 848 // Edge.source_node contains a group, such as "group:parent@google.com". 849 // The Edge.target_node contains a member of the group, such as 850 // "group:child@google.com" or "user:foo@google.com". This field is 851 // present only if the output_group_edges option is enabled in request. 852 GroupEdges []*GoogleCloudAssetV1p4beta1Edge `json:"groupEdges,omitempty"` 853 854 // Identities: Only the identities that match one of the following 855 // conditions will be presented: - The identity_selector, if it is 856 // specified in request; - Otherwise, identities reachable from the 857 // policy binding's members. 858 Identities []*GoogleCloudAssetV1p4beta1Identity `json:"identities,omitempty"` 859 860 // ForceSendFields is a list of field names (e.g. "GroupEdges") to 861 // unconditionally include in API requests. By default, fields with 862 // empty or default values are omitted from API requests. However, any 863 // non-pointer, non-interface field appearing in ForceSendFields will be 864 // sent to the server regardless of whether the field is empty or not. 865 // This may be used to include empty fields in Patch requests. 866 ForceSendFields []string `json:"-"` 867 868 // NullFields is a list of field names (e.g. "GroupEdges") to include in 869 // API requests with the JSON null value. By default, fields with empty 870 // values are omitted from API requests. However, any field with an 871 // empty value appearing in NullFields will be sent to the server as 872 // null. It is an error if a field in this list has a non-empty value. 873 // This may be used to include null fields in Patch requests. 874 NullFields []string `json:"-"` 875 } 876 877 func (s *GoogleCloudAssetV1p4beta1IdentityList) MarshalJSON() ([]byte, error) { 878 type NoMethod GoogleCloudAssetV1p4beta1IdentityList 879 raw := NoMethod(*s) 880 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 881 } 882 883 // GoogleCloudAssetV1p4beta1Resource: A Google Cloud resource under 884 // analysis. 885 type GoogleCloudAssetV1p4beta1Resource struct { 886 // AnalysisState: The analysis state of this resource. 887 AnalysisState *GoogleCloudAssetV1p4beta1AnalysisState `json:"analysisState,omitempty"` 888 889 // FullResourceName: The full resource name 890 // (https://cloud.google.com/asset-inventory/docs/resource-name-format) 891 FullResourceName string `json:"fullResourceName,omitempty"` 892 893 // ForceSendFields is a list of field names (e.g. "AnalysisState") to 894 // unconditionally include in API requests. By default, fields with 895 // empty or default values are omitted from API requests. However, any 896 // non-pointer, non-interface field appearing in ForceSendFields will be 897 // sent to the server regardless of whether the field is empty or not. 898 // This may be used to include empty fields in Patch requests. 899 ForceSendFields []string `json:"-"` 900 901 // NullFields is a list of field names (e.g. "AnalysisState") to include 902 // in API requests with the JSON null value. By default, fields with 903 // empty values are omitted from API requests. However, any field with 904 // an empty value appearing in NullFields will be sent to the server as 905 // null. It is an error if a field in this list has a non-empty value. 906 // This may be used to include null fields in Patch requests. 907 NullFields []string `json:"-"` 908 } 909 910 func (s *GoogleCloudAssetV1p4beta1Resource) MarshalJSON() ([]byte, error) { 911 type NoMethod GoogleCloudAssetV1p4beta1Resource 912 raw := NoMethod(*s) 913 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 914 } 915 916 // GoogleCloudAssetV1p7beta1Asset: An asset in Google Cloud. An asset 917 // can be any resource in the Google Cloud resource hierarchy 918 // (https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy), 919 // a resource outside the Google Cloud resource hierarchy (such as 920 // Google Kubernetes Engine clusters and objects), or a policy (e.g. 921 // Cloud IAM policy). See Supported asset types 922 // (https://cloud.google.com/asset-inventory/docs/supported-asset-types) 923 // for more information. 924 type GoogleCloudAssetV1p7beta1Asset struct { 925 // AccessLevel: Please also refer to the access level user guide 926 // (https://cloud.google.com/access-context-manager/docs/overview#access-levels). 927 AccessLevel *GoogleIdentityAccesscontextmanagerV1AccessLevel `json:"accessLevel,omitempty"` 928 929 // AccessPolicy: Please also refer to the access policy user guide 930 // (https://cloud.google.com/access-context-manager/docs/overview#access-policies). 931 AccessPolicy *GoogleIdentityAccesscontextmanagerV1AccessPolicy `json:"accessPolicy,omitempty"` 932 933 // Ancestors: The ancestry path of an asset in Google Cloud resource 934 // hierarchy 935 // (https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy), 936 // represented as a list of relative resource names. An ancestry path 937 // starts with the closest ancestor in the hierarchy and ends at root. 938 // If the asset is a project, folder, or organization, the ancestry path 939 // starts from the asset itself. Example: `["projects/123456789", 940 // "folders/5432", "organizations/1234"]` 941 Ancestors []string `json:"ancestors,omitempty"` 942 943 // AssetType: The type of the asset. Example: 944 // `compute.googleapis.com/Disk` See Supported asset types 945 // (https://cloud.google.com/asset-inventory/docs/supported-asset-types) 946 // for more information. 947 AssetType string `json:"assetType,omitempty"` 948 949 // IamPolicy: A representation of the Cloud IAM policy set on a Google 950 // Cloud resource. There can be a maximum of one Cloud IAM policy set on 951 // any given resource. In addition, Cloud IAM policies inherit their 952 // granted access scope from any policies set on parent resources in the 953 // resource hierarchy. Therefore, the effectively policy is the union of 954 // both the policy set on this resource and each policy set on all of 955 // the resource's ancestry resource levels in the hierarchy. See this 956 // topic (https://cloud.google.com/iam/help/allow-policies/inheritance) 957 // for more information. 958 IamPolicy *Policy `json:"iamPolicy,omitempty"` 959 960 // Name: The full name of the asset. Example: 961 // `//compute.googleapis.com/projects/my_project_123/zones/zone1/instance 962 // s/instance1` See Resource names 963 // (https://cloud.google.com/apis/design/resource_names#full_resource_name) 964 // for more information. 965 Name string `json:"name,omitempty"` 966 967 // OrgPolicy: A representation of an organization policy 968 // (https://cloud.google.com/resource-manager/docs/organization-policy/overview#organization_policy). 969 // There can be more than one organization policy with different 970 // constraints set on a given resource. 971 OrgPolicy []*GoogleCloudOrgpolicyV1Policy `json:"orgPolicy,omitempty"` 972 973 // RelatedAssets: The related assets of the asset of one relationship 974 // type. One asset only represents one type of relationship. 975 RelatedAssets *GoogleCloudAssetV1p7beta1RelatedAssets `json:"relatedAssets,omitempty"` 976 977 // Resource: A representation of the resource. 978 Resource *GoogleCloudAssetV1p7beta1Resource `json:"resource,omitempty"` 979 980 // ServicePerimeter: Please also refer to the service perimeter user 981 // guide (https://cloud.google.com/vpc-service-controls/docs/overview). 982 ServicePerimeter *GoogleIdentityAccesscontextmanagerV1ServicePerimeter `json:"servicePerimeter,omitempty"` 983 984 // UpdateTime: The last update timestamp of an asset. update_time is 985 // updated when create/update/delete operation is performed. 986 UpdateTime string `json:"updateTime,omitempty"` 987 988 // ForceSendFields is a list of field names (e.g. "AccessLevel") to 989 // unconditionally include in API requests. By default, fields with 990 // empty or default values are omitted from API requests. However, any 991 // non-pointer, non-interface field appearing in ForceSendFields will be 992 // sent to the server regardless of whether the field is empty or not. 993 // This may be used to include empty fields in Patch requests. 994 ForceSendFields []string `json:"-"` 995 996 // NullFields is a list of field names (e.g. "AccessLevel") to include 997 // in API requests with the JSON null value. By default, fields with 998 // empty values are omitted from API requests. However, any field with 999 // an empty value appearing in NullFields will be sent to the server as 1000 // null. It is an error if a field in this list has a non-empty value. 1001 // This may be used to include null fields in Patch requests. 1002 NullFields []string `json:"-"` 1003 } 1004 1005 func (s *GoogleCloudAssetV1p7beta1Asset) MarshalJSON() ([]byte, error) { 1006 type NoMethod GoogleCloudAssetV1p7beta1Asset 1007 raw := NoMethod(*s) 1008 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 1009 } 1010 1011 // GoogleCloudAssetV1p7beta1RelatedAsset: An asset identify in Google 1012 // Cloud which contains its name, type and ancestors. An asset can be 1013 // any resource in the Google Cloud resource hierarchy 1014 // (https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy), 1015 // a resource outside the Google Cloud resource hierarchy (such as 1016 // Google Kubernetes Engine clusters and objects), or a policy (e.g. 1017 // Cloud IAM policy). See Supported asset types 1018 // (https://cloud.google.com/asset-inventory/docs/supported-asset-types) 1019 // for more information. 1020 type GoogleCloudAssetV1p7beta1RelatedAsset struct { 1021 // Ancestors: The ancestors of an asset in Google Cloud resource 1022 // hierarchy 1023 // (https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy), 1024 // represented as a list of relative resource names. An ancestry path 1025 // starts with the closest ancestor in the hierarchy and ends at root. 1026 // Example: `["projects/123456789", "folders/5432", 1027 // "organizations/1234"]` 1028 Ancestors []string `json:"ancestors,omitempty"` 1029 1030 // Asset: The full name of the asset. Example: 1031 // `//compute.googleapis.com/projects/my_project_123/zones/zone1/instance 1032 // s/instance1` See Resource names 1033 // (https://cloud.google.com/apis/design/resource_names#full_resource_name) 1034 // for more information. 1035 Asset string `json:"asset,omitempty"` 1036 1037 // AssetType: The type of the asset. Example: 1038 // `compute.googleapis.com/Disk` See Supported asset types 1039 // (https://cloud.google.com/asset-inventory/docs/supported-asset-types) 1040 // for more information. 1041 AssetType string `json:"assetType,omitempty"` 1042 1043 // ForceSendFields is a list of field names (e.g. "Ancestors") to 1044 // unconditionally include in API requests. By default, fields with 1045 // empty or default values are omitted from API requests. However, any 1046 // non-pointer, non-interface field appearing in ForceSendFields will be 1047 // sent to the server regardless of whether the field is empty or not. 1048 // This may be used to include empty fields in Patch requests. 1049 ForceSendFields []string `json:"-"` 1050 1051 // NullFields is a list of field names (e.g. "Ancestors") to include in 1052 // API requests with the JSON null value. By default, fields with empty 1053 // values are omitted from API requests. However, any field with an 1054 // empty value appearing in NullFields will be sent to the server as 1055 // null. It is an error if a field in this list has a non-empty value. 1056 // This may be used to include null fields in Patch requests. 1057 NullFields []string `json:"-"` 1058 } 1059 1060 func (s *GoogleCloudAssetV1p7beta1RelatedAsset) MarshalJSON() ([]byte, error) { 1061 type NoMethod GoogleCloudAssetV1p7beta1RelatedAsset 1062 raw := NoMethod(*s) 1063 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 1064 } 1065 1066 // GoogleCloudAssetV1p7beta1RelatedAssets: The detailed related assets 1067 // with the `relationship_type`. 1068 type GoogleCloudAssetV1p7beta1RelatedAssets struct { 1069 // Assets: The peer resources of the relationship. 1070 Assets []*GoogleCloudAssetV1p7beta1RelatedAsset `json:"assets,omitempty"` 1071 1072 // RelationshipAttributes: The detailed relation attributes. 1073 RelationshipAttributes *GoogleCloudAssetV1p7beta1RelationshipAttributes `json:"relationshipAttributes,omitempty"` 1074 1075 // ForceSendFields is a list of field names (e.g. "Assets") to 1076 // unconditionally include in API requests. By default, fields with 1077 // empty or default values are omitted from API requests. However, any 1078 // non-pointer, non-interface field appearing in ForceSendFields will be 1079 // sent to the server regardless of whether the field is empty or not. 1080 // This may be used to include empty fields in Patch requests. 1081 ForceSendFields []string `json:"-"` 1082 1083 // NullFields is a list of field names (e.g. "Assets") to include in API 1084 // requests with the JSON null value. By default, fields with empty 1085 // values are omitted from API requests. However, any field with an 1086 // empty value appearing in NullFields will be sent to the server as 1087 // null. It is an error if a field in this list has a non-empty value. 1088 // This may be used to include null fields in Patch requests. 1089 NullFields []string `json:"-"` 1090 } 1091 1092 func (s *GoogleCloudAssetV1p7beta1RelatedAssets) MarshalJSON() ([]byte, error) { 1093 type NoMethod GoogleCloudAssetV1p7beta1RelatedAssets 1094 raw := NoMethod(*s) 1095 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 1096 } 1097 1098 // GoogleCloudAssetV1p7beta1RelationshipAttributes: The relationship 1099 // attributes which include `type`, `source_resource_type`, 1100 // `target_resource_type` and `action`. 1101 type GoogleCloudAssetV1p7beta1RelationshipAttributes struct { 1102 // Action: The detail of the relationship, e.g. `contains`, `attaches` 1103 Action string `json:"action,omitempty"` 1104 1105 // SourceResourceType: The source asset type. Example: 1106 // `compute.googleapis.com/Instance` 1107 SourceResourceType string `json:"sourceResourceType,omitempty"` 1108 1109 // TargetResourceType: The target asset type. Example: 1110 // `compute.googleapis.com/Disk` 1111 TargetResourceType string `json:"targetResourceType,omitempty"` 1112 1113 // Type: The unique identifier of the relationship type. Example: 1114 // `INSTANCE_TO_INSTANCEGROUP` 1115 Type string `json:"type,omitempty"` 1116 1117 // ForceSendFields is a list of field names (e.g. "Action") to 1118 // unconditionally include in API requests. By default, fields with 1119 // empty or default values are omitted from API requests. However, any 1120 // non-pointer, non-interface field appearing in ForceSendFields will be 1121 // sent to the server regardless of whether the field is empty or not. 1122 // This may be used to include empty fields in Patch requests. 1123 ForceSendFields []string `json:"-"` 1124 1125 // NullFields is a list of field names (e.g. "Action") to include in API 1126 // requests with the JSON null value. By default, fields with empty 1127 // values are omitted from API requests. However, any field with an 1128 // empty value appearing in NullFields will be sent to the server as 1129 // null. It is an error if a field in this list has a non-empty value. 1130 // This may be used to include null fields in Patch requests. 1131 NullFields []string `json:"-"` 1132 } 1133 1134 func (s *GoogleCloudAssetV1p7beta1RelationshipAttributes) MarshalJSON() ([]byte, error) { 1135 type NoMethod GoogleCloudAssetV1p7beta1RelationshipAttributes 1136 raw := NoMethod(*s) 1137 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 1138 } 1139 1140 // GoogleCloudAssetV1p7beta1Resource: A representation of a Google Cloud 1141 // resource. 1142 type GoogleCloudAssetV1p7beta1Resource struct { 1143 // Data: The content of the resource, in which some sensitive fields are 1144 // removed and may not be present. 1145 Data googleapi.RawMessage `json:"data,omitempty"` 1146 1147 // DiscoveryDocumentUri: The URL of the discovery document containing 1148 // the resource's JSON schema. Example: 1149 // `https://www.googleapis.com/discovery/v1/apis/compute/v1/rest` This 1150 // value is unspecified for resources that do not have an API based on a 1151 // discovery document, such as Cloud Bigtable. 1152 DiscoveryDocumentUri string `json:"discoveryDocumentUri,omitempty"` 1153 1154 // DiscoveryName: The JSON schema name listed in the discovery document. 1155 // Example: `Project` This value is unspecified for resources that do 1156 // not have an API based on a discovery document, such as Cloud 1157 // Bigtable. 1158 DiscoveryName string `json:"discoveryName,omitempty"` 1159 1160 // Location: The location of the resource in Google Cloud, such as its 1161 // zone and region. For more information, see 1162 // https://cloud.google.com/about/locations/. 1163 Location string `json:"location,omitempty"` 1164 1165 // Parent: The full name of the immediate parent of this resource. See 1166 // Resource Names 1167 // (https://cloud.google.com/apis/design/resource_names#full_resource_name) 1168 // for more information. For Google Cloud assets, this value is the 1169 // parent resource defined in the Cloud IAM policy hierarchy 1170 // (https://cloud.google.com/iam/docs/overview#policy_hierarchy). 1171 // Example: 1172 // `//cloudresourcemanager.googleapis.com/projects/my_project_123` For 1173 // third-party assets, this field may be set differently. 1174 Parent string `json:"parent,omitempty"` 1175 1176 // ResourceUrl: The REST URL for accessing the resource. An HTTP `GET` 1177 // request using this URL returns the resource itself. Example: 1178 // `https://cloudresourcemanager.googleapis.com/v1/projects/my-project-12 1179 // 3` This value is unspecified for resources without a REST API. 1180 ResourceUrl string `json:"resourceUrl,omitempty"` 1181 1182 // Version: The API version. Example: `v1` 1183 Version string `json:"version,omitempty"` 1184 1185 // ForceSendFields is a list of field names (e.g. "Data") to 1186 // unconditionally include in API requests. By default, fields with 1187 // empty or default values are omitted from API requests. However, any 1188 // non-pointer, non-interface field appearing in ForceSendFields will be 1189 // sent to the server regardless of whether the field is empty or not. 1190 // This may be used to include empty fields in Patch requests. 1191 ForceSendFields []string `json:"-"` 1192 1193 // NullFields is a list of field names (e.g. "Data") to include in API 1194 // requests with the JSON null value. By default, fields with empty 1195 // values are omitted from API requests. However, any field with an 1196 // empty value appearing in NullFields will be sent to the server as 1197 // null. It is an error if a field in this list has a non-empty value. 1198 // This may be used to include null fields in Patch requests. 1199 NullFields []string `json:"-"` 1200 } 1201 1202 func (s *GoogleCloudAssetV1p7beta1Resource) MarshalJSON() ([]byte, error) { 1203 type NoMethod GoogleCloudAssetV1p7beta1Resource 1204 raw := NoMethod(*s) 1205 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 1206 } 1207 1208 // GoogleCloudOrgpolicyV1BooleanPolicy: Used in `policy_type` to specify 1209 // how `boolean_policy` will behave at this resource. 1210 type GoogleCloudOrgpolicyV1BooleanPolicy struct { 1211 // Enforced: If `true`, then the `Policy` is enforced. If `false`, then 1212 // any configuration is acceptable. Suppose you have a `Constraint` 1213 // `constraints/compute.disableSerialPortAccess` with 1214 // `constraint_default` set to `ALLOW`. A `Policy` for that `Constraint` 1215 // exhibits the following behavior: - If the `Policy` at this resource 1216 // has enforced set to `false`, serial port connection attempts will be 1217 // allowed. - If the `Policy` at this resource has enforced set to 1218 // `true`, serial port connection attempts will be refused. - If the 1219 // `Policy` at this resource is `RestoreDefault`, serial port connection 1220 // attempts will be allowed. - If no `Policy` is set at this resource or 1221 // anywhere higher in the resource hierarchy, serial port connection 1222 // attempts will be allowed. - If no `Policy` is set at this resource, 1223 // but one exists higher in the resource hierarchy, the behavior is as 1224 // if the`Policy` were set at this resource. The following examples 1225 // demonstrate the different possible layerings: Example 1 (nearest 1226 // `Constraint` wins): `organizations/foo` has a `Policy` with: 1227 // {enforced: false} `projects/bar` has no `Policy` set. The constraint 1228 // at `projects/bar` and `organizations/foo` will not be enforced. 1229 // Example 2 (enforcement gets replaced): `organizations/foo` has a 1230 // `Policy` with: {enforced: false} `projects/bar` has a `Policy` with: 1231 // {enforced: true} The constraint at `organizations/foo` is not 1232 // enforced. The constraint at `projects/bar` is enforced. Example 3 1233 // (RestoreDefault): `organizations/foo` has a `Policy` with: {enforced: 1234 // true} `projects/bar` has a `Policy` with: {RestoreDefault: {}} The 1235 // constraint at `organizations/foo` is enforced. The constraint at 1236 // `projects/bar` is not enforced, because `constraint_default` for the 1237 // `Constraint` is `ALLOW`. 1238 Enforced bool `json:"enforced,omitempty"` 1239 1240 // ForceSendFields is a list of field names (e.g. "Enforced") to 1241 // unconditionally include in API requests. By default, fields with 1242 // empty or default values are omitted from API requests. However, any 1243 // non-pointer, non-interface field appearing in ForceSendFields will be 1244 // sent to the server regardless of whether the field is empty or not. 1245 // This may be used to include empty fields in Patch requests. 1246 ForceSendFields []string `json:"-"` 1247 1248 // NullFields is a list of field names (e.g. "Enforced") to include in 1249 // API requests with the JSON null value. By default, fields with empty 1250 // values are omitted from API requests. However, any field with an 1251 // empty value appearing in NullFields will be sent to the server as 1252 // null. It is an error if a field in this list has a non-empty value. 1253 // This may be used to include null fields in Patch requests. 1254 NullFields []string `json:"-"` 1255 } 1256 1257 func (s *GoogleCloudOrgpolicyV1BooleanPolicy) MarshalJSON() ([]byte, error) { 1258 type NoMethod GoogleCloudOrgpolicyV1BooleanPolicy 1259 raw := NoMethod(*s) 1260 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 1261 } 1262 1263 // GoogleCloudOrgpolicyV1ListPolicy: Used in `policy_type` to specify 1264 // how `list_policy` behaves at this resource. `ListPolicy` can define 1265 // specific values and subtrees of Cloud Resource Manager resource 1266 // hierarchy (`Organizations`, `Folders`, `Projects`) that are allowed 1267 // or denied by setting the `allowed_values` and `denied_values` fields. 1268 // This is achieved by using the `under:` and optional `is:` prefixes. 1269 // The `under:` prefix is used to denote resource subtree values. The 1270 // `is:` prefix is used to denote specific values, and is required only 1271 // if the value contains a ":". Values prefixed with "is:" are treated 1272 // the same as values with no prefix. Ancestry subtrees must be in one 1273 // of the following formats: - "projects/", e.g. 1274 // "projects/tokyo-rain-123" - "folders/", e.g. "folders/1234" - 1275 // "organizations/", e.g. "organizations/1234" The `supports_under` 1276 // field of the associated `Constraint` defines whether ancestry 1277 // prefixes can be used. You can set `allowed_values` and 1278 // `denied_values` in the same `Policy` if `all_values` is 1279 // `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny 1280 // all values. If `all_values` is set to either `ALLOW` or `DENY`, 1281 // `allowed_values` and `denied_values` must be unset. 1282 type GoogleCloudOrgpolicyV1ListPolicy struct { 1283 // AllValues: The policy all_values state. 1284 // 1285 // Possible values: 1286 // "ALL_VALUES_UNSPECIFIED" - Indicates that allowed_values or 1287 // denied_values must be set. 1288 // "ALLOW" - A policy with this set allows all values. 1289 // "DENY" - A policy with this set denies all values. 1290 AllValues string `json:"allValues,omitempty"` 1291 1292 // AllowedValues: List of values allowed at this resource. Can only be 1293 // set if `all_values` is set to `ALL_VALUES_UNSPECIFIED`. 1294 AllowedValues []string `json:"allowedValues,omitempty"` 1295 1296 // DeniedValues: List of values denied at this resource. Can only be set 1297 // if `all_values` is set to `ALL_VALUES_UNSPECIFIED`. 1298 DeniedValues []string `json:"deniedValues,omitempty"` 1299 1300 // InheritFromParent: Determines the inheritance behavior for this 1301 // `Policy`. By default, a `ListPolicy` set at a resource supersedes any 1302 // `Policy` set anywhere up the resource hierarchy. However, if 1303 // `inherit_from_parent` is set to `true`, then the values from the 1304 // effective `Policy` of the parent resource are inherited, meaning the 1305 // values set in this `Policy` are added to the values inherited up the 1306 // hierarchy. Setting `Policy` hierarchies that inherit both allowed 1307 // values and denied values isn't recommended in most circumstances to 1308 // keep the configuration simple and understandable. However, it is 1309 // possible to set a `Policy` with `allowed_values` set that inherits a 1310 // `Policy` with `denied_values` set. In this case, the values that are 1311 // allowed must be in `allowed_values` and not present in 1312 // `denied_values`. For example, suppose you have a `Constraint` 1313 // `constraints/serviceuser.services`, which has a `constraint_type` of 1314 // `list_constraint`, and with `constraint_default` set to `ALLOW`. 1315 // Suppose that at the Organization level, a `Policy` is applied that 1316 // restricts the allowed API activations to {`E1`, `E2`}. Then, if a 1317 // `Policy` is applied to a project below the Organization that has 1318 // `inherit_from_parent` set to `false` and field all_values set to 1319 // DENY, then an attempt to activate any API will be denied. The 1320 // following examples demonstrate different possible layerings for 1321 // `projects/bar` parented by `organizations/foo`: Example 1 (no 1322 // inherited values): `organizations/foo` has a `Policy` with values: 1323 // {allowed_values: "E1" allowed_values:"E2"} `projects/bar` has 1324 // `inherit_from_parent` `false` and values: {allowed_values: "E3" 1325 // allowed_values: "E4"} The accepted values at `organizations/foo` are 1326 // `E1`, `E2`. The accepted values at `projects/bar` are `E3`, and `E4`. 1327 // Example 2 (inherited values): `organizations/foo` has a `Policy` with 1328 // values: {allowed_values: "E1" allowed_values:"E2"} `projects/bar` has 1329 // a `Policy` with values: {value: "E3" value: "E4" inherit_from_parent: 1330 // true} The accepted values at `organizations/foo` are `E1`, `E2`. The 1331 // accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`. 1332 // Example 3 (inheriting both allowed and denied values): 1333 // `organizations/foo` has a `Policy` with values: {allowed_values: "E1" 1334 // allowed_values: "E2"} `projects/bar` has a `Policy` with: 1335 // {denied_values: "E1"} The accepted values at `organizations/foo` are 1336 // `E1`, `E2`. The value accepted at `projects/bar` is `E2`. Example 4 1337 // (RestoreDefault): `organizations/foo` has a `Policy` with values: 1338 // {allowed_values: "E1" allowed_values:"E2"} `projects/bar` has a 1339 // `Policy` with values: {RestoreDefault: {}} The accepted values at 1340 // `organizations/foo` are `E1`, `E2`. The accepted values at 1341 // `projects/bar` are either all or none depending on the value of 1342 // `constraint_default` (if `ALLOW`, all; if `DENY`, none). Example 5 1343 // (no policy inherits parent policy): `organizations/foo` has no 1344 // `Policy` set. `projects/bar` has no `Policy` set. The accepted values 1345 // at both levels are either all or none depending on the value of 1346 // `constraint_default` (if `ALLOW`, all; if `DENY`, none). Example 6 1347 // (ListConstraint allowing all): `organizations/foo` has a `Policy` 1348 // with values: {allowed_values: "E1" allowed_values: "E2"} 1349 // `projects/bar` has a `Policy` with: {all: ALLOW} The accepted values 1350 // at `organizations/foo` are `E1`, E2`. Any value is accepted at 1351 // `projects/bar`. Example 7 (ListConstraint allowing none): 1352 // `organizations/foo` has a `Policy` with values: {allowed_values: "E1" 1353 // allowed_values: "E2"} `projects/bar` has a `Policy` with: {all: DENY} 1354 // The accepted values at `organizations/foo` are `E1`, E2`. No value is 1355 // accepted at `projects/bar`. Example 10 (allowed and denied subtrees 1356 // of Resource Manager hierarchy): Given the following resource 1357 // hierarchy O1->{F1, F2}; F1->{P1}; F2->{P2, P3}, `organizations/foo` 1358 // has a `Policy` with values: {allowed_values: 1359 // "under:organizations/O1"} `projects/bar` has a `Policy` with: 1360 // {allowed_values: "under:projects/P3"} {denied_values: 1361 // "under:folders/F2"} The accepted values at `organizations/foo` are 1362 // `organizations/O1`, `folders/F1`, `folders/F2`, `projects/P1`, 1363 // `projects/P2`, `projects/P3`. The accepted values at `projects/bar` 1364 // are `organizations/O1`, `folders/F1`, `projects/P1`. 1365 InheritFromParent bool `json:"inheritFromParent,omitempty"` 1366 1367 // SuggestedValue: Optional. The Google Cloud Console will try to 1368 // default to a configuration that matches the value specified in this 1369 // `Policy`. If `suggested_value` is not set, it will inherit the value 1370 // specified higher in the hierarchy, unless `inherit_from_parent` is 1371 // `false`. 1372 SuggestedValue string `json:"suggestedValue,omitempty"` 1373 1374 // ForceSendFields is a list of field names (e.g. "AllValues") to 1375 // unconditionally include in API requests. By default, fields with 1376 // empty or default values are omitted from API requests. However, any 1377 // non-pointer, non-interface field appearing in ForceSendFields will be 1378 // sent to the server regardless of whether the field is empty or not. 1379 // This may be used to include empty fields in Patch requests. 1380 ForceSendFields []string `json:"-"` 1381 1382 // NullFields is a list of field names (e.g. "AllValues") to include in 1383 // API requests with the JSON null value. By default, fields with empty 1384 // values are omitted from API requests. However, any field with an 1385 // empty value appearing in NullFields will be sent to the server as 1386 // null. It is an error if a field in this list has a non-empty value. 1387 // This may be used to include null fields in Patch requests. 1388 NullFields []string `json:"-"` 1389 } 1390 1391 func (s *GoogleCloudOrgpolicyV1ListPolicy) MarshalJSON() ([]byte, error) { 1392 type NoMethod GoogleCloudOrgpolicyV1ListPolicy 1393 raw := NoMethod(*s) 1394 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 1395 } 1396 1397 // GoogleCloudOrgpolicyV1Policy: Defines a Cloud Organization `Policy` 1398 // which is used to specify `Constraints` for configurations of Cloud 1399 // Platform resources. 1400 type GoogleCloudOrgpolicyV1Policy struct { 1401 // BooleanPolicy: For boolean `Constraints`, whether to enforce the 1402 // `Constraint` or not. 1403 BooleanPolicy *GoogleCloudOrgpolicyV1BooleanPolicy `json:"booleanPolicy,omitempty"` 1404 1405 // Constraint: The name of the `Constraint` the `Policy` is configuring, 1406 // for example, `constraints/serviceuser.services`. A list of available 1407 // constraints 1408 // (/resource-manager/docs/organization-policy/org-policy-constraints) 1409 // is available. Immutable after creation. 1410 Constraint string `json:"constraint,omitempty"` 1411 1412 // Etag: An opaque tag indicating the current version of the `Policy`, 1413 // used for concurrency control. When the `Policy` is returned from 1414 // either a `GetPolicy` or a `ListOrgPolicy` request, this `etag` 1415 // indicates the version of the current `Policy` to use when executing a 1416 // read-modify-write loop. When the `Policy` is returned from a 1417 // `GetEffectivePolicy` request, the `etag` will be unset. When the 1418 // `Policy` is used in a `SetOrgPolicy` method, use the `etag` value 1419 // that was returned from a `GetOrgPolicy` request as part of a 1420 // read-modify-write loop for concurrency control. Not setting the 1421 // `etag`in a `SetOrgPolicy` request will result in an unconditional 1422 // write of the `Policy`. 1423 Etag string `json:"etag,omitempty"` 1424 1425 // ListPolicy: List of values either allowed or disallowed. 1426 ListPolicy *GoogleCloudOrgpolicyV1ListPolicy `json:"listPolicy,omitempty"` 1427 1428 // RestoreDefault: Restores the default behavior of the constraint; 1429 // independent of `Constraint` type. 1430 RestoreDefault *GoogleCloudOrgpolicyV1RestoreDefault `json:"restoreDefault,omitempty"` 1431 1432 // UpdateTime: The time stamp the `Policy` was previously updated. This 1433 // is set by the server, not specified by the caller, and represents the 1434 // last time a call to `SetOrgPolicy` was made for that `Policy`. Any 1435 // value set by the client will be ignored. 1436 UpdateTime string `json:"updateTime,omitempty"` 1437 1438 // Version: Version of the `Policy`. Default version is 0; 1439 Version int64 `json:"version,omitempty"` 1440 1441 // ForceSendFields is a list of field names (e.g. "BooleanPolicy") to 1442 // unconditionally include in API requests. By default, fields with 1443 // empty or default values are omitted from API requests. However, any 1444 // non-pointer, non-interface field appearing in ForceSendFields will be 1445 // sent to the server regardless of whether the field is empty or not. 1446 // This may be used to include empty fields in Patch requests. 1447 ForceSendFields []string `json:"-"` 1448 1449 // NullFields is a list of field names (e.g. "BooleanPolicy") to include 1450 // in API requests with the JSON null value. By default, fields with 1451 // empty values are omitted from API requests. However, any field with 1452 // an empty value appearing in NullFields will be sent to the server as 1453 // null. It is an error if a field in this list has a non-empty value. 1454 // This may be used to include null fields in Patch requests. 1455 NullFields []string `json:"-"` 1456 } 1457 1458 func (s *GoogleCloudOrgpolicyV1Policy) MarshalJSON() ([]byte, error) { 1459 type NoMethod GoogleCloudOrgpolicyV1Policy 1460 raw := NoMethod(*s) 1461 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 1462 } 1463 1464 // GoogleCloudOrgpolicyV1RestoreDefault: Ignores policies set above this 1465 // resource and restores the `constraint_default` enforcement behavior 1466 // of the specific `Constraint` at this resource. Suppose that 1467 // `constraint_default` is set to `ALLOW` for the `Constraint` 1468 // `constraints/serviceuser.services`. Suppose that organization foo.com 1469 // sets a `Policy` at their Organization resource node that restricts 1470 // the allowed service activations to deny all service activations. They 1471 // could then set a `Policy` with the `policy_type` `restore_default` on 1472 // several experimental projects, restoring the `constraint_default` 1473 // enforcement of the `Constraint` for only those projects, allowing 1474 // those projects to have all services activated. 1475 type GoogleCloudOrgpolicyV1RestoreDefault struct { 1476 } 1477 1478 // GoogleIdentityAccesscontextmanagerV1AccessLevel: An `AccessLevel` is 1479 // a label that can be applied to requests to Google Cloud services, 1480 // along with a list of requirements necessary for the label to be 1481 // applied. 1482 type GoogleIdentityAccesscontextmanagerV1AccessLevel struct { 1483 // Basic: A `BasicLevel` composed of `Conditions`. 1484 Basic *GoogleIdentityAccesscontextmanagerV1BasicLevel `json:"basic,omitempty"` 1485 1486 // Custom: A `CustomLevel` written in the Common Expression Language. 1487 Custom *GoogleIdentityAccesscontextmanagerV1CustomLevel `json:"custom,omitempty"` 1488 1489 // Description: Description of the `AccessLevel` and its use. Does not 1490 // affect behavior. 1491 Description string `json:"description,omitempty"` 1492 1493 // Name: Required. Resource name for the Access Level. The `short_name` 1494 // component must begin with a letter and only include alphanumeric and 1495 // '_'. Format: 1496 // `accessPolicies/{access_policy}/accessLevels/{access_level}`. The 1497 // maximum length of the `access_level` component is 50 characters. 1498 Name string `json:"name,omitempty"` 1499 1500 // Title: Human readable title. Must be unique within the Policy. 1501 Title string `json:"title,omitempty"` 1502 1503 // ForceSendFields is a list of field names (e.g. "Basic") to 1504 // unconditionally include in API requests. By default, fields with 1505 // empty or default values are omitted from API requests. However, any 1506 // non-pointer, non-interface field appearing in ForceSendFields will be 1507 // sent to the server regardless of whether the field is empty or not. 1508 // This may be used to include empty fields in Patch requests. 1509 ForceSendFields []string `json:"-"` 1510 1511 // NullFields is a list of field names (e.g. "Basic") to include in API 1512 // requests with the JSON null value. By default, fields with empty 1513 // values are omitted from API requests. However, any field with an 1514 // empty value appearing in NullFields will be sent to the server as 1515 // null. It is an error if a field in this list has a non-empty value. 1516 // This may be used to include null fields in Patch requests. 1517 NullFields []string `json:"-"` 1518 } 1519 1520 func (s *GoogleIdentityAccesscontextmanagerV1AccessLevel) MarshalJSON() ([]byte, error) { 1521 type NoMethod GoogleIdentityAccesscontextmanagerV1AccessLevel 1522 raw := NoMethod(*s) 1523 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 1524 } 1525 1526 // GoogleIdentityAccesscontextmanagerV1AccessPolicy: `AccessPolicy` is a 1527 // container for `AccessLevels` (which define the necessary attributes 1528 // to use Google Cloud services) and `ServicePerimeters` (which define 1529 // regions of services able to freely pass data within a perimeter). An 1530 // access policy is globally visible within an organization, and the 1531 // restrictions it specifies apply to all projects within an 1532 // organization. 1533 type GoogleIdentityAccesscontextmanagerV1AccessPolicy struct { 1534 // Etag: Output only. An opaque identifier for the current version of 1535 // the `AccessPolicy`. This will always be a strongly validated etag, 1536 // meaning that two Access Polices will be identical if and only if 1537 // their etags are identical. Clients should not expect this to be in 1538 // any specific format. 1539 Etag string `json:"etag,omitempty"` 1540 1541 // Name: Output only. Resource name of the `AccessPolicy`. Format: 1542 // `accessPolicies/{access_policy}` 1543 Name string `json:"name,omitempty"` 1544 1545 // Parent: Required. The parent of this `AccessPolicy` in the Cloud 1546 // Resource Hierarchy. Currently immutable once created. Format: 1547 // `organizations/{organization_id}` 1548 Parent string `json:"parent,omitempty"` 1549 1550 // Scopes: The scopes of a policy define which resources an ACM policy 1551 // can restrict, and where ACM resources can be referenced. For example, 1552 // a policy with scopes=["folders/123"] has the following behavior: - 1553 // vpcsc perimeters can only restrict projects within folders/123 - 1554 // access levels can only be referenced by resources within folders/123. 1555 // If empty, there are no limitations on which resources can be 1556 // restricted by an ACM policy, and there are no limitations on where 1557 // ACM resources can be referenced. Only one policy can include a given 1558 // scope (attempting to create a second policy which includes 1559 // "folders/123" will result in an error). Currently, scopes cannot be 1560 // modified after a policy is created. Currently, policies can only have 1561 // a single scope. Format: list of `folders/{folder_number}` or 1562 // `projects/{project_number}` 1563 Scopes []string `json:"scopes,omitempty"` 1564 1565 // Title: Required. Human readable title. Does not affect behavior. 1566 Title string `json:"title,omitempty"` 1567 1568 // ForceSendFields is a list of field names (e.g. "Etag") to 1569 // unconditionally include in API requests. By default, fields with 1570 // empty or default values are omitted from API requests. However, any 1571 // non-pointer, non-interface field appearing in ForceSendFields will be 1572 // sent to the server regardless of whether the field is empty or not. 1573 // This may be used to include empty fields in Patch requests. 1574 ForceSendFields []string `json:"-"` 1575 1576 // NullFields is a list of field names (e.g. "Etag") to include in API 1577 // requests with the JSON null value. By default, fields with empty 1578 // values are omitted from API requests. However, any field with an 1579 // empty value appearing in NullFields will be sent to the server as 1580 // null. It is an error if a field in this list has a non-empty value. 1581 // This may be used to include null fields in Patch requests. 1582 NullFields []string `json:"-"` 1583 } 1584 1585 func (s *GoogleIdentityAccesscontextmanagerV1AccessPolicy) MarshalJSON() ([]byte, error) { 1586 type NoMethod GoogleIdentityAccesscontextmanagerV1AccessPolicy 1587 raw := NoMethod(*s) 1588 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 1589 } 1590 1591 // GoogleIdentityAccesscontextmanagerV1ApiOperation: Identification for 1592 // an API Operation. 1593 type GoogleIdentityAccesscontextmanagerV1ApiOperation struct { 1594 // MethodSelectors: API methods or permissions to allow. Method or 1595 // permission must belong to the service specified by `service_name` 1596 // field. A single MethodSelector entry with `*` specified for the 1597 // `method` field will allow all methods AND permissions for the service 1598 // specified in `service_name`. 1599 MethodSelectors []*GoogleIdentityAccesscontextmanagerV1MethodSelector `json:"methodSelectors,omitempty"` 1600 1601 // ServiceName: The name of the API whose methods or permissions the 1602 // IngressPolicy or EgressPolicy want to allow. A single ApiOperation 1603 // with `service_name` field set to `*` will allow all methods AND 1604 // permissions for all services. 1605 ServiceName string `json:"serviceName,omitempty"` 1606 1607 // ForceSendFields is a list of field names (e.g. "MethodSelectors") to 1608 // unconditionally include in API requests. By default, fields with 1609 // empty or default values are omitted from API requests. However, any 1610 // non-pointer, non-interface field appearing in ForceSendFields will be 1611 // sent to the server regardless of whether the field is empty or not. 1612 // This may be used to include empty fields in Patch requests. 1613 ForceSendFields []string `json:"-"` 1614 1615 // NullFields is a list of field names (e.g. "MethodSelectors") to 1616 // include in API requests with the JSON null value. By default, fields 1617 // with empty values are omitted from API requests. However, any field 1618 // with an empty value appearing in NullFields will be sent to the 1619 // server as null. It is an error if a field in this list has a 1620 // non-empty value. This may be used to include null fields in Patch 1621 // requests. 1622 NullFields []string `json:"-"` 1623 } 1624 1625 func (s *GoogleIdentityAccesscontextmanagerV1ApiOperation) MarshalJSON() ([]byte, error) { 1626 type NoMethod GoogleIdentityAccesscontextmanagerV1ApiOperation 1627 raw := NoMethod(*s) 1628 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 1629 } 1630 1631 // GoogleIdentityAccesscontextmanagerV1BasicLevel: `BasicLevel` is an 1632 // `AccessLevel` using a set of recommended features. 1633 type GoogleIdentityAccesscontextmanagerV1BasicLevel struct { 1634 // CombiningFunction: How the `conditions` list should be combined to 1635 // determine if a request is granted this `AccessLevel`. If AND is used, 1636 // each `Condition` in `conditions` must be satisfied for the 1637 // `AccessLevel` to be applied. If OR is used, at least one `Condition` 1638 // in `conditions` must be satisfied for the `AccessLevel` to be 1639 // applied. Default behavior is AND. 1640 // 1641 // Possible values: 1642 // "AND" - All `Conditions` must be true for the `BasicLevel` to be 1643 // true. 1644 // "OR" - If at least one `Condition` is true, then the `BasicLevel` 1645 // is true. 1646 CombiningFunction string `json:"combiningFunction,omitempty"` 1647 1648 // Conditions: Required. A list of requirements for the `AccessLevel` to 1649 // be granted. 1650 Conditions []*GoogleIdentityAccesscontextmanagerV1Condition `json:"conditions,omitempty"` 1651 1652 // ForceSendFields is a list of field names (e.g. "CombiningFunction") 1653 // to unconditionally include in API requests. By default, fields with 1654 // empty or default values are omitted from API requests. However, any 1655 // non-pointer, non-interface field appearing in ForceSendFields will be 1656 // sent to the server regardless of whether the field is empty or not. 1657 // This may be used to include empty fields in Patch requests. 1658 ForceSendFields []string `json:"-"` 1659 1660 // NullFields is a list of field names (e.g. "CombiningFunction") to 1661 // include in API requests with the JSON null value. By default, fields 1662 // with empty values are omitted from API requests. However, any field 1663 // with an empty value appearing in NullFields will be sent to the 1664 // server as null. It is an error if a field in this list has a 1665 // non-empty value. This may be used to include null fields in Patch 1666 // requests. 1667 NullFields []string `json:"-"` 1668 } 1669 1670 func (s *GoogleIdentityAccesscontextmanagerV1BasicLevel) MarshalJSON() ([]byte, error) { 1671 type NoMethod GoogleIdentityAccesscontextmanagerV1BasicLevel 1672 raw := NoMethod(*s) 1673 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 1674 } 1675 1676 // GoogleIdentityAccesscontextmanagerV1Condition: A condition necessary 1677 // for an `AccessLevel` to be granted. The Condition is an AND over its 1678 // fields. So a Condition is true if: 1) the request IP is from one of 1679 // the listed subnetworks AND 2) the originating device complies with 1680 // the listed device policy AND 3) all listed access levels are granted 1681 // AND 4) the request was sent at a time allowed by the 1682 // DateTimeRestriction. 1683 type GoogleIdentityAccesscontextmanagerV1Condition struct { 1684 // DevicePolicy: Device specific restrictions, all restrictions must 1685 // hold for the Condition to be true. If not specified, all devices are 1686 // allowed. 1687 DevicePolicy *GoogleIdentityAccesscontextmanagerV1DevicePolicy `json:"devicePolicy,omitempty"` 1688 1689 // IpSubnetworks: CIDR block IP subnetwork specification. May be IPv4 or 1690 // IPv6. Note that for a CIDR IP address block, the specified IP address 1691 // portion must be properly truncated (i.e. all the host bits must be 1692 // zero) or the input is considered malformed. For example, 1693 // "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly, for 1694 // IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32" is not. 1695 // The originating IP of a request must be in one of the listed subnets 1696 // in order for this Condition to be true. If empty, all IP addresses 1697 // are allowed. 1698 IpSubnetworks []string `json:"ipSubnetworks,omitempty"` 1699 1700 // Members: The request must be made by one of the provided user or 1701 // service accounts. Groups are not supported. Syntax: `user:{emailid}` 1702 // `serviceAccount:{emailid}` If not specified, a request may come from 1703 // any user. 1704 Members []string `json:"members,omitempty"` 1705 1706 // Negate: Whether to negate the Condition. If true, the Condition 1707 // becomes a NAND over its non-empty fields, each field must be false 1708 // for the Condition overall to be satisfied. Defaults to false. 1709 Negate bool `json:"negate,omitempty"` 1710 1711 // Regions: The request must originate from one of the provided 1712 // countries/regions. Must be valid ISO 3166-1 alpha-2 codes. 1713 Regions []string `json:"regions,omitempty"` 1714 1715 // RequiredAccessLevels: A list of other access levels defined in the 1716 // same `Policy`, referenced by resource name. Referencing an 1717 // `AccessLevel` which does not exist is an error. All access levels 1718 // listed must be granted for the Condition to be true. Example: 1719 // "accessPolicies/MY_POLICY/accessLevels/LEVEL_NAME" 1720 RequiredAccessLevels []string `json:"requiredAccessLevels,omitempty"` 1721 1722 // ForceSendFields is a list of field names (e.g. "DevicePolicy") to 1723 // unconditionally include in API requests. By default, fields with 1724 // empty or default values are omitted from API requests. However, any 1725 // non-pointer, non-interface field appearing in ForceSendFields will be 1726 // sent to the server regardless of whether the field is empty or not. 1727 // This may be used to include empty fields in Patch requests. 1728 ForceSendFields []string `json:"-"` 1729 1730 // NullFields is a list of field names (e.g. "DevicePolicy") to include 1731 // in API requests with the JSON null value. By default, fields with 1732 // empty values are omitted from API requests. However, any field with 1733 // an empty value appearing in NullFields will be sent to the server as 1734 // null. It is an error if a field in this list has a non-empty value. 1735 // This may be used to include null fields in Patch requests. 1736 NullFields []string `json:"-"` 1737 } 1738 1739 func (s *GoogleIdentityAccesscontextmanagerV1Condition) MarshalJSON() ([]byte, error) { 1740 type NoMethod GoogleIdentityAccesscontextmanagerV1Condition 1741 raw := NoMethod(*s) 1742 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 1743 } 1744 1745 // GoogleIdentityAccesscontextmanagerV1CustomLevel: `CustomLevel` is an 1746 // `AccessLevel` using the Cloud Common Expression Language to represent 1747 // the necessary conditions for the level to apply to a request. See CEL 1748 // spec at: https://github.com/google/cel-spec 1749 type GoogleIdentityAccesscontextmanagerV1CustomLevel struct { 1750 // Expr: Required. A Cloud CEL expression evaluating to a boolean. 1751 Expr *Expr `json:"expr,omitempty"` 1752 1753 // ForceSendFields is a list of field names (e.g. "Expr") to 1754 // unconditionally include in API requests. By default, fields with 1755 // empty or default values are omitted from API requests. However, any 1756 // non-pointer, non-interface field appearing in ForceSendFields will be 1757 // sent to the server regardless of whether the field is empty or not. 1758 // This may be used to include empty fields in Patch requests. 1759 ForceSendFields []string `json:"-"` 1760 1761 // NullFields is a list of field names (e.g. "Expr") to include in API 1762 // requests with the JSON null value. By default, fields with empty 1763 // values are omitted from API requests. However, any field with an 1764 // empty value appearing in NullFields will be sent to the server as 1765 // null. It is an error if a field in this list has a non-empty value. 1766 // This may be used to include null fields in Patch requests. 1767 NullFields []string `json:"-"` 1768 } 1769 1770 func (s *GoogleIdentityAccesscontextmanagerV1CustomLevel) MarshalJSON() ([]byte, error) { 1771 type NoMethod GoogleIdentityAccesscontextmanagerV1CustomLevel 1772 raw := NoMethod(*s) 1773 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 1774 } 1775 1776 // GoogleIdentityAccesscontextmanagerV1DevicePolicy: `DevicePolicy` 1777 // specifies device specific restrictions necessary to acquire a given 1778 // access level. A `DevicePolicy` specifies requirements for requests 1779 // from devices to be granted access levels, it does not do any 1780 // enforcement on the device. `DevicePolicy` acts as an AND over all 1781 // specified fields, and each repeated field is an OR over its elements. 1782 // Any unset fields are ignored. For example, if the proto is { os_type 1783 // : DESKTOP_WINDOWS, os_type : DESKTOP_LINUX, encryption_status: 1784 // ENCRYPTED}, then the DevicePolicy will be true for requests 1785 // originating from encrypted Linux desktops and encrypted Windows 1786 // desktops. 1787 type GoogleIdentityAccesscontextmanagerV1DevicePolicy struct { 1788 // AllowedDeviceManagementLevels: Allowed device management levels, an 1789 // empty list allows all management levels. 1790 // 1791 // Possible values: 1792 // "MANAGEMENT_UNSPECIFIED" - The device's management level is not 1793 // specified or not known. 1794 // "NONE" - The device is not managed. 1795 // "BASIC" - Basic management is enabled, which is generally limited 1796 // to monitoring and wiping the corporate account. 1797 // "COMPLETE" - Complete device management. This includes more 1798 // thorough monitoring and the ability to directly manage the device 1799 // (such as remote wiping). This can be enabled through the Android 1800 // Enterprise Platform. 1801 AllowedDeviceManagementLevels []string `json:"allowedDeviceManagementLevels,omitempty"` 1802 1803 // AllowedEncryptionStatuses: Allowed encryptions statuses, an empty 1804 // list allows all statuses. 1805 // 1806 // Possible values: 1807 // "ENCRYPTION_UNSPECIFIED" - The encryption status of the device is 1808 // not specified or not known. 1809 // "ENCRYPTION_UNSUPPORTED" - The device does not support encryption. 1810 // "UNENCRYPTED" - The device supports encryption, but is currently 1811 // unencrypted. 1812 // "ENCRYPTED" - The device is encrypted. 1813 AllowedEncryptionStatuses []string `json:"allowedEncryptionStatuses,omitempty"` 1814 1815 // OsConstraints: Allowed OS versions, an empty list allows all types 1816 // and all versions. 1817 OsConstraints []*GoogleIdentityAccesscontextmanagerV1OsConstraint `json:"osConstraints,omitempty"` 1818 1819 // RequireAdminApproval: Whether the device needs to be approved by the 1820 // customer admin. 1821 RequireAdminApproval bool `json:"requireAdminApproval,omitempty"` 1822 1823 // RequireCorpOwned: Whether the device needs to be corp owned. 1824 RequireCorpOwned bool `json:"requireCorpOwned,omitempty"` 1825 1826 // RequireScreenlock: Whether or not screenlock is required for the 1827 // DevicePolicy to be true. Defaults to `false`. 1828 RequireScreenlock bool `json:"requireScreenlock,omitempty"` 1829 1830 // ForceSendFields is a list of field names (e.g. 1831 // "AllowedDeviceManagementLevels") to unconditionally include in API 1832 // requests. By default, fields with empty or default values are omitted 1833 // from API requests. However, any non-pointer, non-interface field 1834 // appearing in ForceSendFields will be sent to the server regardless of 1835 // whether the field is empty or not. This may be used to include empty 1836 // fields in Patch requests. 1837 ForceSendFields []string `json:"-"` 1838 1839 // NullFields is a list of field names (e.g. 1840 // "AllowedDeviceManagementLevels") to include in API requests with the 1841 // JSON null value. By default, fields with empty values are omitted 1842 // from API requests. However, any field with an empty value appearing 1843 // in NullFields will be sent to the server as null. It is an error if a 1844 // field in this list has a non-empty value. This may be used to include 1845 // null fields in Patch requests. 1846 NullFields []string `json:"-"` 1847 } 1848 1849 func (s *GoogleIdentityAccesscontextmanagerV1DevicePolicy) MarshalJSON() ([]byte, error) { 1850 type NoMethod GoogleIdentityAccesscontextmanagerV1DevicePolicy 1851 raw := NoMethod(*s) 1852 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 1853 } 1854 1855 // GoogleIdentityAccesscontextmanagerV1EgressFrom: Defines the 1856 // conditions under which an EgressPolicy matches a request. Conditions 1857 // based on information about the source of the request. Note that if 1858 // the destination of the request is also protected by a 1859 // ServicePerimeter, then that ServicePerimeter must have an 1860 // IngressPolicy which allows access in order for this request to 1861 // succeed. 1862 type GoogleIdentityAccesscontextmanagerV1EgressFrom struct { 1863 // Identities: A list of identities that are allowed access through this 1864 // [EgressPolicy]. Should be in the format of email address. The email 1865 // address should represent individual user or service account only. 1866 Identities []string `json:"identities,omitempty"` 1867 1868 // IdentityType: Specifies the type of identities that are allowed 1869 // access to outside the perimeter. If left unspecified, then members of 1870 // `identities` field will be allowed access. 1871 // 1872 // Possible values: 1873 // "IDENTITY_TYPE_UNSPECIFIED" - No blanket identity group specified. 1874 // "ANY_IDENTITY" - Authorize access from all identities outside the 1875 // perimeter. 1876 // "ANY_USER_ACCOUNT" - Authorize access from all human users outside 1877 // the perimeter. 1878 // "ANY_SERVICE_ACCOUNT" - Authorize access from all service accounts 1879 // outside the perimeter. 1880 IdentityType string `json:"identityType,omitempty"` 1881 1882 // ForceSendFields is a list of field names (e.g. "Identities") to 1883 // unconditionally include in API requests. By default, fields with 1884 // empty or default values are omitted from API requests. However, any 1885 // non-pointer, non-interface field appearing in ForceSendFields will be 1886 // sent to the server regardless of whether the field is empty or not. 1887 // This may be used to include empty fields in Patch requests. 1888 ForceSendFields []string `json:"-"` 1889 1890 // NullFields is a list of field names (e.g. "Identities") to include in 1891 // API requests with the JSON null value. By default, fields with empty 1892 // values are omitted from API requests. However, any field with an 1893 // empty value appearing in NullFields will be sent to the server as 1894 // null. It is an error if a field in this list has a non-empty value. 1895 // This may be used to include null fields in Patch requests. 1896 NullFields []string `json:"-"` 1897 } 1898 1899 func (s *GoogleIdentityAccesscontextmanagerV1EgressFrom) MarshalJSON() ([]byte, error) { 1900 type NoMethod GoogleIdentityAccesscontextmanagerV1EgressFrom 1901 raw := NoMethod(*s) 1902 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 1903 } 1904 1905 // GoogleIdentityAccesscontextmanagerV1EgressPolicy: Policy for egress 1906 // from perimeter. EgressPolicies match requests based on `egress_from` 1907 // and `egress_to` stanzas. For an EgressPolicy to match, both 1908 // `egress_from` and `egress_to` stanzas must be matched. If an 1909 // EgressPolicy matches a request, the request is allowed to span the 1910 // ServicePerimeter boundary. For example, an EgressPolicy can be used 1911 // to allow VMs on networks within the ServicePerimeter to access a 1912 // defined set of projects outside the perimeter in certain contexts 1913 // (e.g. to read data from a Cloud Storage bucket or query against a 1914 // BigQuery dataset). EgressPolicies are concerned with the *resources* 1915 // that a request relates as well as the API services and API actions 1916 // being used. They do not related to the direction of data movement. 1917 // More detailed documentation for this concept can be found in the 1918 // descriptions of EgressFrom and EgressTo. 1919 type GoogleIdentityAccesscontextmanagerV1EgressPolicy struct { 1920 // EgressFrom: Defines conditions on the source of a request causing 1921 // this EgressPolicy to apply. 1922 EgressFrom *GoogleIdentityAccesscontextmanagerV1EgressFrom `json:"egressFrom,omitempty"` 1923 1924 // EgressTo: Defines the conditions on the ApiOperation and destination 1925 // resources that cause this EgressPolicy to apply. 1926 EgressTo *GoogleIdentityAccesscontextmanagerV1EgressTo `json:"egressTo,omitempty"` 1927 1928 // ForceSendFields is a list of field names (e.g. "EgressFrom") to 1929 // unconditionally include in API requests. By default, fields with 1930 // empty or default values are omitted from API requests. However, any 1931 // non-pointer, non-interface field appearing in ForceSendFields will be 1932 // sent to the server regardless of whether the field is empty or not. 1933 // This may be used to include empty fields in Patch requests. 1934 ForceSendFields []string `json:"-"` 1935 1936 // NullFields is a list of field names (e.g. "EgressFrom") to include in 1937 // API requests with the JSON null value. By default, fields with empty 1938 // values are omitted from API requests. However, any field with an 1939 // empty value appearing in NullFields will be sent to the server as 1940 // null. It is an error if a field in this list has a non-empty value. 1941 // This may be used to include null fields in Patch requests. 1942 NullFields []string `json:"-"` 1943 } 1944 1945 func (s *GoogleIdentityAccesscontextmanagerV1EgressPolicy) MarshalJSON() ([]byte, error) { 1946 type NoMethod GoogleIdentityAccesscontextmanagerV1EgressPolicy 1947 raw := NoMethod(*s) 1948 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 1949 } 1950 1951 // GoogleIdentityAccesscontextmanagerV1EgressTo: Defines the conditions 1952 // under which an EgressPolicy matches a request. Conditions are based 1953 // on information about the ApiOperation intended to be performed on the 1954 // `resources` specified. Note that if the destination of the request is 1955 // also protected by a ServicePerimeter, then that ServicePerimeter must 1956 // have an IngressPolicy which allows access in order for this request 1957 // to succeed. The request must match `operations` AND `resources` 1958 // fields in order to be allowed egress out of the perimeter. 1959 type GoogleIdentityAccesscontextmanagerV1EgressTo struct { 1960 // ExternalResources: A list of external resources that are allowed to 1961 // be accessed. A request matches if it contains an external resource in 1962 // this list (Example: s3://bucket/path). Currently '*' is not allowed. 1963 ExternalResources []string `json:"externalResources,omitempty"` 1964 1965 // Operations: A list of ApiOperations allowed to be performed by the 1966 // sources specified in the corresponding EgressFrom. A request matches 1967 // if it uses an operation/service in this list. 1968 Operations []*GoogleIdentityAccesscontextmanagerV1ApiOperation `json:"operations,omitempty"` 1969 1970 // Resources: A list of resources, currently only projects in the form 1971 // `projects/`, that are allowed to be accessed by sources defined in 1972 // the corresponding EgressFrom. A request matches if it contains a 1973 // resource in this list. If `*` is specified for `resources`, then this 1974 // EgressTo rule will authorize access to all resources outside the 1975 // perimeter. 1976 Resources []string `json:"resources,omitempty"` 1977 1978 // ForceSendFields is a list of field names (e.g. "ExternalResources") 1979 // to unconditionally include in API requests. By default, fields with 1980 // empty or default values are omitted from API requests. However, any 1981 // non-pointer, non-interface field appearing in ForceSendFields will be 1982 // sent to the server regardless of whether the field is empty or not. 1983 // This may be used to include empty fields in Patch requests. 1984 ForceSendFields []string `json:"-"` 1985 1986 // NullFields is a list of field names (e.g. "ExternalResources") to 1987 // include in API requests with the JSON null value. By default, fields 1988 // with empty values are omitted from API requests. However, any field 1989 // with an empty value appearing in NullFields will be sent to the 1990 // server as null. It is an error if a field in this list has a 1991 // non-empty value. This may be used to include null fields in Patch 1992 // requests. 1993 NullFields []string `json:"-"` 1994 } 1995 1996 func (s *GoogleIdentityAccesscontextmanagerV1EgressTo) MarshalJSON() ([]byte, error) { 1997 type NoMethod GoogleIdentityAccesscontextmanagerV1EgressTo 1998 raw := NoMethod(*s) 1999 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 2000 } 2001 2002 // GoogleIdentityAccesscontextmanagerV1IngressFrom: Defines the 2003 // conditions under which an IngressPolicy matches a request. Conditions 2004 // are based on information about the source of the request. The request 2005 // must satisfy what is defined in `sources` AND identity related fields 2006 // in order to match. 2007 type GoogleIdentityAccesscontextmanagerV1IngressFrom struct { 2008 // Identities: A list of identities that are allowed access through this 2009 // ingress policy. Should be in the format of email address. The email 2010 // address should represent individual user or service account only. 2011 Identities []string `json:"identities,omitempty"` 2012 2013 // IdentityType: Specifies the type of identities that are allowed 2014 // access from outside the perimeter. If left unspecified, then members 2015 // of `identities` field will be allowed access. 2016 // 2017 // Possible values: 2018 // "IDENTITY_TYPE_UNSPECIFIED" - No blanket identity group specified. 2019 // "ANY_IDENTITY" - Authorize access from all identities outside the 2020 // perimeter. 2021 // "ANY_USER_ACCOUNT" - Authorize access from all human users outside 2022 // the perimeter. 2023 // "ANY_SERVICE_ACCOUNT" - Authorize access from all service accounts 2024 // outside the perimeter. 2025 IdentityType string `json:"identityType,omitempty"` 2026 2027 // Sources: Sources that this IngressPolicy authorizes access from. 2028 Sources []*GoogleIdentityAccesscontextmanagerV1IngressSource `json:"sources,omitempty"` 2029 2030 // ForceSendFields is a list of field names (e.g. "Identities") to 2031 // unconditionally include in API requests. By default, fields with 2032 // empty or default values are omitted from API requests. However, any 2033 // non-pointer, non-interface field appearing in ForceSendFields will be 2034 // sent to the server regardless of whether the field is empty or not. 2035 // This may be used to include empty fields in Patch requests. 2036 ForceSendFields []string `json:"-"` 2037 2038 // NullFields is a list of field names (e.g. "Identities") to include in 2039 // API requests with the JSON null value. By default, fields with empty 2040 // values are omitted from API requests. However, any field with an 2041 // empty value appearing in NullFields will be sent to the server as 2042 // null. It is an error if a field in this list has a non-empty value. 2043 // This may be used to include null fields in Patch requests. 2044 NullFields []string `json:"-"` 2045 } 2046 2047 func (s *GoogleIdentityAccesscontextmanagerV1IngressFrom) MarshalJSON() ([]byte, error) { 2048 type NoMethod GoogleIdentityAccesscontextmanagerV1IngressFrom 2049 raw := NoMethod(*s) 2050 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 2051 } 2052 2053 // GoogleIdentityAccesscontextmanagerV1IngressPolicy: Policy for ingress 2054 // into ServicePerimeter. IngressPolicies match requests based on 2055 // `ingress_from` and `ingress_to` stanzas. For an ingress policy to 2056 // match, both the `ingress_from` and `ingress_to` stanzas must be 2057 // matched. If an IngressPolicy matches a request, the request is 2058 // allowed through the perimeter boundary from outside the perimeter. 2059 // For example, access from the internet can be allowed either based on 2060 // an AccessLevel or, for traffic hosted on Google Cloud, the project of 2061 // the source network. For access from private networks, using the 2062 // project of the hosting network is required. Individual ingress 2063 // policies can be limited by restricting which services and/or actions 2064 // they match using the `ingress_to` field. 2065 type GoogleIdentityAccesscontextmanagerV1IngressPolicy struct { 2066 // IngressFrom: Defines the conditions on the source of a request 2067 // causing this IngressPolicy to apply. 2068 IngressFrom *GoogleIdentityAccesscontextmanagerV1IngressFrom `json:"ingressFrom,omitempty"` 2069 2070 // IngressTo: Defines the conditions on the ApiOperation and request 2071 // destination that cause this IngressPolicy to apply. 2072 IngressTo *GoogleIdentityAccesscontextmanagerV1IngressTo `json:"ingressTo,omitempty"` 2073 2074 // ForceSendFields is a list of field names (e.g. "IngressFrom") to 2075 // unconditionally include in API requests. By default, fields with 2076 // empty or default values are omitted from API requests. However, any 2077 // non-pointer, non-interface field appearing in ForceSendFields will be 2078 // sent to the server regardless of whether the field is empty or not. 2079 // This may be used to include empty fields in Patch requests. 2080 ForceSendFields []string `json:"-"` 2081 2082 // NullFields is a list of field names (e.g. "IngressFrom") to include 2083 // in API requests with the JSON null value. By default, fields with 2084 // empty values are omitted from API requests. However, any field with 2085 // an empty value appearing in NullFields will be sent to the server as 2086 // null. It is an error if a field in this list has a non-empty value. 2087 // This may be used to include null fields in Patch requests. 2088 NullFields []string `json:"-"` 2089 } 2090 2091 func (s *GoogleIdentityAccesscontextmanagerV1IngressPolicy) MarshalJSON() ([]byte, error) { 2092 type NoMethod GoogleIdentityAccesscontextmanagerV1IngressPolicy 2093 raw := NoMethod(*s) 2094 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 2095 } 2096 2097 // GoogleIdentityAccesscontextmanagerV1IngressSource: The source that 2098 // IngressPolicy authorizes access from. 2099 type GoogleIdentityAccesscontextmanagerV1IngressSource struct { 2100 // AccessLevel: An AccessLevel resource name that allow resources within 2101 // the ServicePerimeters to be accessed from the internet. AccessLevels 2102 // listed must be in the same policy as this ServicePerimeter. 2103 // Referencing a nonexistent AccessLevel will cause an error. If no 2104 // AccessLevel names are listed, resources within the perimeter can only 2105 // be accessed via Google Cloud calls with request origins within the 2106 // perimeter. Example: `accessPolicies/MY_POLICY/accessLevels/MY_LEVEL`. 2107 // If a single `*` is specified for `access_level`, then all 2108 // IngressSources will be allowed. 2109 AccessLevel string `json:"accessLevel,omitempty"` 2110 2111 // Resource: A Google Cloud resource that is allowed to ingress the 2112 // perimeter. Requests from these resources will be allowed to access 2113 // perimeter data. Currently only projects are allowed. Format: 2114 // `projects/{project_number}` The project may be in any Google Cloud 2115 // organization, not just the organization that the perimeter is defined 2116 // in. `*` is not allowed, the case of allowing all Google Cloud 2117 // resources only is not supported. 2118 Resource string `json:"resource,omitempty"` 2119 2120 // ForceSendFields is a list of field names (e.g. "AccessLevel") to 2121 // unconditionally include in API requests. By default, fields with 2122 // empty or default values are omitted from API requests. However, any 2123 // non-pointer, non-interface field appearing in ForceSendFields will be 2124 // sent to the server regardless of whether the field is empty or not. 2125 // This may be used to include empty fields in Patch requests. 2126 ForceSendFields []string `json:"-"` 2127 2128 // NullFields is a list of field names (e.g. "AccessLevel") to include 2129 // in API requests with the JSON null value. By default, fields with 2130 // empty values are omitted from API requests. However, any field with 2131 // an empty value appearing in NullFields will be sent to the server as 2132 // null. It is an error if a field in this list has a non-empty value. 2133 // This may be used to include null fields in Patch requests. 2134 NullFields []string `json:"-"` 2135 } 2136 2137 func (s *GoogleIdentityAccesscontextmanagerV1IngressSource) MarshalJSON() ([]byte, error) { 2138 type NoMethod GoogleIdentityAccesscontextmanagerV1IngressSource 2139 raw := NoMethod(*s) 2140 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 2141 } 2142 2143 // GoogleIdentityAccesscontextmanagerV1IngressTo: Defines the conditions 2144 // under which an IngressPolicy matches a request. Conditions are based 2145 // on information about the ApiOperation intended to be performed on the 2146 // target resource of the request. The request must satisfy what is 2147 // defined in `operations` AND `resources` in order to match. 2148 type GoogleIdentityAccesscontextmanagerV1IngressTo struct { 2149 // Operations: A list of ApiOperations allowed to be performed by the 2150 // sources specified in corresponding IngressFrom in this 2151 // ServicePerimeter. 2152 Operations []*GoogleIdentityAccesscontextmanagerV1ApiOperation `json:"operations,omitempty"` 2153 2154 // Resources: A list of resources, currently only projects in the form 2155 // `projects/`, protected by this ServicePerimeter that are allowed to 2156 // be accessed by sources defined in the corresponding IngressFrom. If a 2157 // single `*` is specified, then access to all resources inside the 2158 // perimeter are allowed. 2159 Resources []string `json:"resources,omitempty"` 2160 2161 // ForceSendFields is a list of field names (e.g. "Operations") to 2162 // unconditionally include in API requests. By default, fields with 2163 // empty or default values are omitted from API requests. However, any 2164 // non-pointer, non-interface field appearing in ForceSendFields will be 2165 // sent to the server regardless of whether the field is empty or not. 2166 // This may be used to include empty fields in Patch requests. 2167 ForceSendFields []string `json:"-"` 2168 2169 // NullFields is a list of field names (e.g. "Operations") to include in 2170 // API requests with the JSON null value. By default, fields with empty 2171 // values are omitted from API requests. However, any field with an 2172 // empty value appearing in NullFields will be sent to the server as 2173 // null. It is an error if a field in this list has a non-empty value. 2174 // This may be used to include null fields in Patch requests. 2175 NullFields []string `json:"-"` 2176 } 2177 2178 func (s *GoogleIdentityAccesscontextmanagerV1IngressTo) MarshalJSON() ([]byte, error) { 2179 type NoMethod GoogleIdentityAccesscontextmanagerV1IngressTo 2180 raw := NoMethod(*s) 2181 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 2182 } 2183 2184 // GoogleIdentityAccesscontextmanagerV1MethodSelector: An allowed method 2185 // or permission of a service specified in ApiOperation. 2186 type GoogleIdentityAccesscontextmanagerV1MethodSelector struct { 2187 // Method: Value for `method` should be a valid method name for the 2188 // corresponding `service_name` in ApiOperation. If `*` used as value 2189 // for `method`, then ALL methods and permissions are allowed. 2190 Method string `json:"method,omitempty"` 2191 2192 // Permission: Value for `permission` should be a valid Cloud IAM 2193 // permission for the corresponding `service_name` in ApiOperation. 2194 Permission string `json:"permission,omitempty"` 2195 2196 // ForceSendFields is a list of field names (e.g. "Method") to 2197 // unconditionally include in API requests. By default, fields with 2198 // empty or default values are omitted from API requests. However, any 2199 // non-pointer, non-interface field appearing in ForceSendFields will be 2200 // sent to the server regardless of whether the field is empty or not. 2201 // This may be used to include empty fields in Patch requests. 2202 ForceSendFields []string `json:"-"` 2203 2204 // NullFields is a list of field names (e.g. "Method") to include in API 2205 // requests with the JSON null value. By default, fields with empty 2206 // values are omitted from API requests. However, any field with an 2207 // empty value appearing in NullFields will be sent to the server as 2208 // null. It is an error if a field in this list has a non-empty value. 2209 // This may be used to include null fields in Patch requests. 2210 NullFields []string `json:"-"` 2211 } 2212 2213 func (s *GoogleIdentityAccesscontextmanagerV1MethodSelector) MarshalJSON() ([]byte, error) { 2214 type NoMethod GoogleIdentityAccesscontextmanagerV1MethodSelector 2215 raw := NoMethod(*s) 2216 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 2217 } 2218 2219 // GoogleIdentityAccesscontextmanagerV1OsConstraint: A restriction on 2220 // the OS type and version of devices making requests. 2221 type GoogleIdentityAccesscontextmanagerV1OsConstraint struct { 2222 // MinimumVersion: The minimum allowed OS version. If not set, any 2223 // version of this OS satisfies the constraint. Format: 2224 // "major.minor.patch". Examples: "10.5.301", "9.2.1". 2225 MinimumVersion string `json:"minimumVersion,omitempty"` 2226 2227 // OsType: Required. The allowed OS type. 2228 // 2229 // Possible values: 2230 // "OS_UNSPECIFIED" - The operating system of the device is not 2231 // specified or not known. 2232 // "DESKTOP_MAC" - A desktop Mac operating system. 2233 // "DESKTOP_WINDOWS" - A desktop Windows operating system. 2234 // "DESKTOP_LINUX" - A desktop Linux operating system. 2235 // "DESKTOP_CHROME_OS" - A desktop ChromeOS operating system. 2236 // "ANDROID" - An Android operating system. 2237 // "IOS" - An iOS operating system. 2238 OsType string `json:"osType,omitempty"` 2239 2240 // RequireVerifiedChromeOs: Only allows requests from devices with a 2241 // verified Chrome OS. Verifications includes requirements that the 2242 // device is enterprise-managed, conformant to domain policies, and the 2243 // caller has permission to call the API targeted by the request. 2244 RequireVerifiedChromeOs bool `json:"requireVerifiedChromeOs,omitempty"` 2245 2246 // ForceSendFields is a list of field names (e.g. "MinimumVersion") to 2247 // unconditionally include in API requests. By default, fields with 2248 // empty or default values are omitted from API requests. However, any 2249 // non-pointer, non-interface field appearing in ForceSendFields will be 2250 // sent to the server regardless of whether the field is empty or not. 2251 // This may be used to include empty fields in Patch requests. 2252 ForceSendFields []string `json:"-"` 2253 2254 // NullFields is a list of field names (e.g. "MinimumVersion") to 2255 // include in API requests with the JSON null value. By default, fields 2256 // with empty values are omitted from API requests. However, any field 2257 // with an empty value appearing in NullFields will be sent to the 2258 // server as null. It is an error if a field in this list has a 2259 // non-empty value. This may be used to include null fields in Patch 2260 // requests. 2261 NullFields []string `json:"-"` 2262 } 2263 2264 func (s *GoogleIdentityAccesscontextmanagerV1OsConstraint) MarshalJSON() ([]byte, error) { 2265 type NoMethod GoogleIdentityAccesscontextmanagerV1OsConstraint 2266 raw := NoMethod(*s) 2267 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 2268 } 2269 2270 // GoogleIdentityAccesscontextmanagerV1ServicePerimeter: 2271 // `ServicePerimeter` describes a set of Google Cloud resources which 2272 // can freely import and export data amongst themselves, but not export 2273 // outside of the `ServicePerimeter`. If a request with a source within 2274 // this `ServicePerimeter` has a target outside of the 2275 // `ServicePerimeter`, the request will be blocked. Otherwise the 2276 // request is allowed. There are two types of Service Perimeter - 2277 // Regular and Bridge. Regular Service Perimeters cannot overlap, a 2278 // single Google Cloud project can only belong to a single regular 2279 // Service Perimeter. Service Perimeter Bridges can contain only Google 2280 // Cloud projects as members, a single Google Cloud project may belong 2281 // to multiple Service Perimeter Bridges. 2282 type GoogleIdentityAccesscontextmanagerV1ServicePerimeter struct { 2283 // Description: Description of the `ServicePerimeter` and its use. Does 2284 // not affect behavior. 2285 Description string `json:"description,omitempty"` 2286 2287 // Name: Required. Resource name for the ServicePerimeter. The 2288 // `short_name` component must begin with a letter and only include 2289 // alphanumeric and '_'. Format: 2290 // `accessPolicies/{access_policy}/servicePerimeters/{service_perimeter}` 2291 Name string `json:"name,omitempty"` 2292 2293 // PerimeterType: Perimeter type indicator. A single project is allowed 2294 // to be a member of single regular perimeter, but multiple service 2295 // perimeter bridges. A project cannot be a included in a perimeter 2296 // bridge without being included in regular perimeter. For perimeter 2297 // bridges, the restricted service list as well as access level lists 2298 // must be empty. 2299 // 2300 // Possible values: 2301 // "PERIMETER_TYPE_REGULAR" - Regular Perimeter. 2302 // "PERIMETER_TYPE_BRIDGE" - Perimeter Bridge. 2303 PerimeterType string `json:"perimeterType,omitempty"` 2304 2305 // Spec: Proposed (or dry run) ServicePerimeter configuration. This 2306 // configuration allows to specify and test ServicePerimeter 2307 // configuration without enforcing actual access restrictions. Only 2308 // allowed to be set when the "use_explicit_dry_run_spec" flag is set. 2309 Spec *GoogleIdentityAccesscontextmanagerV1ServicePerimeterConfig `json:"spec,omitempty"` 2310 2311 // Status: Current ServicePerimeter configuration. Specifies sets of 2312 // resources, restricted services and access levels that determine 2313 // perimeter content and boundaries. 2314 Status *GoogleIdentityAccesscontextmanagerV1ServicePerimeterConfig `json:"status,omitempty"` 2315 2316 // Title: Human readable title. Must be unique within the Policy. 2317 Title string `json:"title,omitempty"` 2318 2319 // UseExplicitDryRunSpec: Use explicit dry run spec flag. Ordinarily, a 2320 // dry-run spec implicitly exists for all Service Perimeters, and that 2321 // spec is identical to the status for those Service Perimeters. When 2322 // this flag is set, it inhibits the generation of the implicit spec, 2323 // thereby allowing the user to explicitly provide a configuration 2324 // ("spec") to use in a dry-run version of the Service Perimeter. This 2325 // allows the user to test changes to the enforced config ("status") 2326 // without actually enforcing them. This testing is done through 2327 // analyzing the differences between currently enforced and suggested 2328 // restrictions. use_explicit_dry_run_spec must bet set to True if any 2329 // of the fields in the spec are set to non-default values. 2330 UseExplicitDryRunSpec bool `json:"useExplicitDryRunSpec,omitempty"` 2331 2332 // ForceSendFields is a list of field names (e.g. "Description") to 2333 // unconditionally include in API requests. By default, fields with 2334 // empty or default values are omitted from API requests. However, any 2335 // non-pointer, non-interface field appearing in ForceSendFields will be 2336 // sent to the server regardless of whether the field is empty or not. 2337 // This may be used to include empty fields in Patch requests. 2338 ForceSendFields []string `json:"-"` 2339 2340 // NullFields is a list of field names (e.g. "Description") to include 2341 // in API requests with the JSON null value. By default, fields with 2342 // empty values are omitted from API requests. However, any field with 2343 // an empty value appearing in NullFields will be sent to the server as 2344 // null. It is an error if a field in this list has a non-empty value. 2345 // This may be used to include null fields in Patch requests. 2346 NullFields []string `json:"-"` 2347 } 2348 2349 func (s *GoogleIdentityAccesscontextmanagerV1ServicePerimeter) MarshalJSON() ([]byte, error) { 2350 type NoMethod GoogleIdentityAccesscontextmanagerV1ServicePerimeter 2351 raw := NoMethod(*s) 2352 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 2353 } 2354 2355 // GoogleIdentityAccesscontextmanagerV1ServicePerimeterConfig: 2356 // `ServicePerimeterConfig` specifies a set of Google Cloud resources 2357 // that describe specific Service Perimeter configuration. 2358 type GoogleIdentityAccesscontextmanagerV1ServicePerimeterConfig struct { 2359 // AccessLevels: A list of `AccessLevel` resource names that allow 2360 // resources within the `ServicePerimeter` to be accessed from the 2361 // internet. `AccessLevels` listed must be in the same policy as this 2362 // `ServicePerimeter`. Referencing a nonexistent `AccessLevel` is a 2363 // syntax error. If no `AccessLevel` names are listed, resources within 2364 // the perimeter can only be accessed via Google Cloud calls with 2365 // request origins within the perimeter. Example: 2366 // "accessPolicies/MY_POLICY/accessLevels/MY_LEVEL". For Service 2367 // Perimeter Bridge, must be empty. 2368 AccessLevels []string `json:"accessLevels,omitempty"` 2369 2370 // EgressPolicies: List of EgressPolicies to apply to the perimeter. A 2371 // perimeter may have multiple EgressPolicies, each of which is 2372 // evaluated separately. Access is granted if any EgressPolicy grants 2373 // it. Must be empty for a perimeter bridge. 2374 EgressPolicies []*GoogleIdentityAccesscontextmanagerV1EgressPolicy `json:"egressPolicies,omitempty"` 2375 2376 // IngressPolicies: List of IngressPolicies to apply to the perimeter. A 2377 // perimeter may have multiple IngressPolicies, each of which is 2378 // evaluated separately. Access is granted if any Ingress Policy grants 2379 // it. Must be empty for a perimeter bridge. 2380 IngressPolicies []*GoogleIdentityAccesscontextmanagerV1IngressPolicy `json:"ingressPolicies,omitempty"` 2381 2382 // Resources: A list of Google Cloud resources that are inside of the 2383 // service perimeter. Currently only projects are allowed. Format: 2384 // `projects/{project_number}` 2385 Resources []string `json:"resources,omitempty"` 2386 2387 // RestrictedServices: Google Cloud services that are subject to the 2388 // Service Perimeter restrictions. For example, if 2389 // `storage.googleapis.com` is specified, access to the storage buckets 2390 // inside the perimeter must meet the perimeter's access restrictions. 2391 RestrictedServices []string `json:"restrictedServices,omitempty"` 2392 2393 // VpcAccessibleServices: Configuration for APIs allowed within 2394 // Perimeter. 2395 VpcAccessibleServices *GoogleIdentityAccesscontextmanagerV1VpcAccessibleServices `json:"vpcAccessibleServices,omitempty"` 2396 2397 // ForceSendFields is a list of field names (e.g. "AccessLevels") to 2398 // unconditionally include in API requests. By default, fields with 2399 // empty or default values are omitted from API requests. However, any 2400 // non-pointer, non-interface field appearing in ForceSendFields will be 2401 // sent to the server regardless of whether the field is empty or not. 2402 // This may be used to include empty fields in Patch requests. 2403 ForceSendFields []string `json:"-"` 2404 2405 // NullFields is a list of field names (e.g. "AccessLevels") to include 2406 // in API requests with the JSON null value. By default, fields with 2407 // empty values are omitted from API requests. However, any field with 2408 // an empty value appearing in NullFields will be sent to the server as 2409 // null. It is an error if a field in this list has a non-empty value. 2410 // This may be used to include null fields in Patch requests. 2411 NullFields []string `json:"-"` 2412 } 2413 2414 func (s *GoogleIdentityAccesscontextmanagerV1ServicePerimeterConfig) MarshalJSON() ([]byte, error) { 2415 type NoMethod GoogleIdentityAccesscontextmanagerV1ServicePerimeterConfig 2416 raw := NoMethod(*s) 2417 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 2418 } 2419 2420 // GoogleIdentityAccesscontextmanagerV1VpcAccessibleServices: Specifies 2421 // how APIs are allowed to communicate within the Service Perimeter. 2422 type GoogleIdentityAccesscontextmanagerV1VpcAccessibleServices struct { 2423 // AllowedServices: The list of APIs usable within the Service 2424 // Perimeter. Must be empty unless 'enable_restriction' is True. You can 2425 // specify a list of individual services, as well as include the 2426 // 'RESTRICTED-SERVICES' value, which automatically includes all of the 2427 // services protected by the perimeter. 2428 AllowedServices []string `json:"allowedServices,omitempty"` 2429 2430 // EnableRestriction: Whether to restrict API calls within the Service 2431 // Perimeter to the list of APIs specified in 'allowed_services'. 2432 EnableRestriction bool `json:"enableRestriction,omitempty"` 2433 2434 // ForceSendFields is a list of field names (e.g. "AllowedServices") to 2435 // unconditionally include in API requests. By default, fields with 2436 // empty or default values are omitted from API requests. However, any 2437 // non-pointer, non-interface field appearing in ForceSendFields will be 2438 // sent to the server regardless of whether the field is empty or not. 2439 // This may be used to include empty fields in Patch requests. 2440 ForceSendFields []string `json:"-"` 2441 2442 // NullFields is a list of field names (e.g. "AllowedServices") to 2443 // include in API requests with the JSON null value. By default, fields 2444 // with empty values are omitted from API requests. However, any field 2445 // with an empty value appearing in NullFields will be sent to the 2446 // server as null. It is an error if a field in this list has a 2447 // non-empty value. This may be used to include null fields in Patch 2448 // requests. 2449 NullFields []string `json:"-"` 2450 } 2451 2452 func (s *GoogleIdentityAccesscontextmanagerV1VpcAccessibleServices) MarshalJSON() ([]byte, error) { 2453 type NoMethod GoogleIdentityAccesscontextmanagerV1VpcAccessibleServices 2454 raw := NoMethod(*s) 2455 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 2456 } 2457 2458 // IamPolicyAnalysis: An analysis message to group the query and 2459 // results. 2460 type IamPolicyAnalysis struct { 2461 // AnalysisQuery: The analysis query. 2462 AnalysisQuery *IamPolicyAnalysisQuery `json:"analysisQuery,omitempty"` 2463 2464 // AnalysisResults: A list of IamPolicyAnalysisResult that matches the 2465 // analysis query, or empty if no result is found. 2466 AnalysisResults []*IamPolicyAnalysisResult `json:"analysisResults,omitempty"` 2467 2468 // FullyExplored: Represents whether all entries in the analysis_results 2469 // have been fully explored to answer the query. 2470 FullyExplored bool `json:"fullyExplored,omitempty"` 2471 2472 // ForceSendFields is a list of field names (e.g. "AnalysisQuery") to 2473 // unconditionally include in API requests. By default, fields with 2474 // empty or default values are omitted from API requests. However, any 2475 // non-pointer, non-interface field appearing in ForceSendFields will be 2476 // sent to the server regardless of whether the field is empty or not. 2477 // This may be used to include empty fields in Patch requests. 2478 ForceSendFields []string `json:"-"` 2479 2480 // NullFields is a list of field names (e.g. "AnalysisQuery") to include 2481 // in API requests with the JSON null value. By default, fields with 2482 // empty values are omitted from API requests. However, any field with 2483 // an empty value appearing in NullFields will be sent to the server as 2484 // null. It is an error if a field in this list has a non-empty value. 2485 // This may be used to include null fields in Patch requests. 2486 NullFields []string `json:"-"` 2487 } 2488 2489 func (s *IamPolicyAnalysis) MarshalJSON() ([]byte, error) { 2490 type NoMethod IamPolicyAnalysis 2491 raw := NoMethod(*s) 2492 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 2493 } 2494 2495 // IamPolicyAnalysisOutputConfig: Output configuration for export IAM 2496 // policy analysis destination. 2497 type IamPolicyAnalysisOutputConfig struct { 2498 // GcsDestination: Destination on Cloud Storage. 2499 GcsDestination *GcsDestination `json:"gcsDestination,omitempty"` 2500 2501 // ForceSendFields is a list of field names (e.g. "GcsDestination") to 2502 // unconditionally include in API requests. By default, fields with 2503 // empty or default values are omitted from API requests. However, any 2504 // non-pointer, non-interface field appearing in ForceSendFields will be 2505 // sent to the server regardless of whether the field is empty or not. 2506 // This may be used to include empty fields in Patch requests. 2507 ForceSendFields []string `json:"-"` 2508 2509 // NullFields is a list of field names (e.g. "GcsDestination") to 2510 // include in API requests with the JSON null value. By default, fields 2511 // with empty values are omitted from API requests. However, any field 2512 // with an empty value appearing in NullFields will be sent to the 2513 // server as null. It is an error if a field in this list has a 2514 // non-empty value. This may be used to include null fields in Patch 2515 // requests. 2516 NullFields []string `json:"-"` 2517 } 2518 2519 func (s *IamPolicyAnalysisOutputConfig) MarshalJSON() ([]byte, error) { 2520 type NoMethod IamPolicyAnalysisOutputConfig 2521 raw := NoMethod(*s) 2522 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 2523 } 2524 2525 // IamPolicyAnalysisQuery: IAM policy analysis query message. 2526 type IamPolicyAnalysisQuery struct { 2527 // AccessSelector: Optional. Specifies roles or permissions for 2528 // analysis. This is optional. 2529 AccessSelector *AccessSelector `json:"accessSelector,omitempty"` 2530 2531 // IdentitySelector: Optional. Specifies an identity for analysis. 2532 IdentitySelector *IdentitySelector `json:"identitySelector,omitempty"` 2533 2534 // Parent: Required. The relative name of the root asset. Only resources 2535 // and IAM policies within the parent will be analyzed. This can only be 2536 // an organization number (such as "organizations/123"), a folder number 2537 // (such as "folders/123"), a project ID (such as 2538 // "projects/my-project-id"), or a project number (such as 2539 // "projects/12345"). To know how to get organization id, visit here 2540 // (https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id). 2541 // To know how to get folder or project id, visit here 2542 // (https://cloud.google.com/resource-manager/docs/creating-managing-folders#viewing_or_listing_folders_and_projects). 2543 Parent string `json:"parent,omitempty"` 2544 2545 // ResourceSelector: Optional. Specifies a resource for analysis. 2546 ResourceSelector *ResourceSelector `json:"resourceSelector,omitempty"` 2547 2548 // ForceSendFields is a list of field names (e.g. "AccessSelector") to 2549 // unconditionally include in API requests. By default, fields with 2550 // empty or default values are omitted from API requests. However, any 2551 // non-pointer, non-interface field appearing in ForceSendFields will be 2552 // sent to the server regardless of whether the field is empty or not. 2553 // This may be used to include empty fields in Patch requests. 2554 ForceSendFields []string `json:"-"` 2555 2556 // NullFields is a list of field names (e.g. "AccessSelector") to 2557 // include in API requests with the JSON null value. By default, fields 2558 // with empty values are omitted from API requests. However, any field 2559 // with an empty value appearing in NullFields will be sent to the 2560 // server as null. It is an error if a field in this list has a 2561 // non-empty value. This may be used to include null fields in Patch 2562 // requests. 2563 NullFields []string `json:"-"` 2564 } 2565 2566 func (s *IamPolicyAnalysisQuery) MarshalJSON() ([]byte, error) { 2567 type NoMethod IamPolicyAnalysisQuery 2568 raw := NoMethod(*s) 2569 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 2570 } 2571 2572 // IamPolicyAnalysisResult: IAM Policy analysis result, consisting of 2573 // one IAM policy binding and derived access control lists. 2574 type IamPolicyAnalysisResult struct { 2575 // AccessControlLists: The access control lists derived from the 2576 // iam_binding that match or potentially match resource and access 2577 // selectors specified in the request. 2578 AccessControlLists []*GoogleCloudAssetV1p4beta1AccessControlList `json:"accessControlLists,omitempty"` 2579 2580 // AttachedResourceFullName: The full resource name 2581 // (https://cloud.google.com/asset-inventory/docs/resource-name-format) 2582 // of the resource to which the iam_binding policy attaches. 2583 AttachedResourceFullName string `json:"attachedResourceFullName,omitempty"` 2584 2585 // FullyExplored: Represents whether all analyses on the iam_binding 2586 // have successfully finished. 2587 FullyExplored bool `json:"fullyExplored,omitempty"` 2588 2589 // IamBinding: The Cloud IAM policy binding under analysis. 2590 IamBinding *Binding `json:"iamBinding,omitempty"` 2591 2592 // IdentityList: The identity list derived from members of the 2593 // iam_binding that match or potentially match identity selector 2594 // specified in the request. 2595 IdentityList *GoogleCloudAssetV1p4beta1IdentityList `json:"identityList,omitempty"` 2596 2597 // ForceSendFields is a list of field names (e.g. "AccessControlLists") 2598 // to unconditionally include in API requests. By default, fields with 2599 // empty or default values are omitted from API requests. However, any 2600 // non-pointer, non-interface field appearing in ForceSendFields will be 2601 // sent to the server regardless of whether the field is empty or not. 2602 // This may be used to include empty fields in Patch requests. 2603 ForceSendFields []string `json:"-"` 2604 2605 // NullFields is a list of field names (e.g. "AccessControlLists") to 2606 // include in API requests with the JSON null value. By default, fields 2607 // with empty values are omitted from API requests. However, any field 2608 // with an empty value appearing in NullFields will be sent to the 2609 // server as null. It is an error if a field in this list has a 2610 // non-empty value. This may be used to include null fields in Patch 2611 // requests. 2612 NullFields []string `json:"-"` 2613 } 2614 2615 func (s *IamPolicyAnalysisResult) MarshalJSON() ([]byte, error) { 2616 type NoMethod IamPolicyAnalysisResult 2617 raw := NoMethod(*s) 2618 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 2619 } 2620 2621 // IdentitySelector: Specifies an identity for which to determine 2622 // resource access, based on roles assigned either directly to them or 2623 // to the groups they belong to, directly or indirectly. 2624 type IdentitySelector struct { 2625 // Identity: Required. The identity appear in the form of members in IAM 2626 // policy binding 2627 // (https://cloud.google.com/iam/reference/rest/v1/Binding). The 2628 // examples of supported forms are: "user:mike@example.com", 2629 // "group:admins@example.com", "domain:google.com", 2630 // "serviceAccount:my-project-id@appspot.gserviceaccount.com". Notice 2631 // that wildcard characters (such as * and ?) are not supported. You 2632 // must give a specific identity. 2633 Identity string `json:"identity,omitempty"` 2634 2635 // ForceSendFields is a list of field names (e.g. "Identity") to 2636 // unconditionally include in API requests. By default, fields with 2637 // empty or default values are omitted from API requests. However, any 2638 // non-pointer, non-interface field appearing in ForceSendFields will be 2639 // sent to the server regardless of whether the field is empty or not. 2640 // This may be used to include empty fields in Patch requests. 2641 ForceSendFields []string `json:"-"` 2642 2643 // NullFields is a list of field names (e.g. "Identity") to include in 2644 // API requests with the JSON null value. By default, fields with empty 2645 // values are omitted from API requests. However, any field with an 2646 // empty value appearing in NullFields will be sent to the server as 2647 // null. It is an error if a field in this list has a non-empty value. 2648 // This may be used to include null fields in Patch requests. 2649 NullFields []string `json:"-"` 2650 } 2651 2652 func (s *IdentitySelector) MarshalJSON() ([]byte, error) { 2653 type NoMethod IdentitySelector 2654 raw := NoMethod(*s) 2655 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 2656 } 2657 2658 // Operation: This resource represents a long-running operation that is 2659 // the result of a network API call. 2660 type Operation struct { 2661 // Done: If the value is `false`, it means the operation is still in 2662 // progress. If `true`, the operation is completed, and either `error` 2663 // or `response` is available. 2664 Done bool `json:"done,omitempty"` 2665 2666 // Error: The error result of the operation in case of failure or 2667 // cancellation. 2668 Error *Status `json:"error,omitempty"` 2669 2670 // Metadata: Service-specific metadata associated with the operation. It 2671 // typically contains progress information and common metadata such as 2672 // create time. Some services might not provide such metadata. Any 2673 // method that returns a long-running operation should document the 2674 // metadata type, if any. 2675 Metadata googleapi.RawMessage `json:"metadata,omitempty"` 2676 2677 // Name: The server-assigned name, which is only unique within the same 2678 // service that originally returns it. If you use the default HTTP 2679 // mapping, the `name` should be a resource name ending with 2680 // `operations/{unique_id}`. 2681 Name string `json:"name,omitempty"` 2682 2683 // Response: The normal response of the operation in case of success. If 2684 // the original method returns no data on success, such as `Delete`, the 2685 // response is `google.protobuf.Empty`. If the original method is 2686 // standard `Get`/`Create`/`Update`, the response should be the 2687 // resource. For other methods, the response should have the type 2688 // `XxxResponse`, where `Xxx` is the original method name. For example, 2689 // if the original method name is `TakeSnapshot()`, the inferred 2690 // response type is `TakeSnapshotResponse`. 2691 Response googleapi.RawMessage `json:"response,omitempty"` 2692 2693 // ServerResponse contains the HTTP response code and headers from the 2694 // server. 2695 googleapi.ServerResponse `json:"-"` 2696 2697 // ForceSendFields is a list of field names (e.g. "Done") to 2698 // unconditionally include in API requests. By default, fields with 2699 // empty or default values are omitted from API requests. However, any 2700 // non-pointer, non-interface field appearing in ForceSendFields will be 2701 // sent to the server regardless of whether the field is empty or not. 2702 // This may be used to include empty fields in Patch requests. 2703 ForceSendFields []string `json:"-"` 2704 2705 // NullFields is a list of field names (e.g. "Done") to include in API 2706 // requests with the JSON null value. By default, fields with empty 2707 // values are omitted from API requests. However, any field with an 2708 // empty value appearing in NullFields will be sent to the server as 2709 // null. It is an error if a field in this list has a non-empty value. 2710 // This may be used to include null fields in Patch requests. 2711 NullFields []string `json:"-"` 2712 } 2713 2714 func (s *Operation) MarshalJSON() ([]byte, error) { 2715 type NoMethod Operation 2716 raw := NoMethod(*s) 2717 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 2718 } 2719 2720 // Options: Contains request options. 2721 type Options struct { 2722 // AnalyzeServiceAccountImpersonation: Optional. If true, the response 2723 // will include access analysis from identities to resources via service 2724 // account impersonation. This is a very expensive operation, because 2725 // many derived queries will be executed. For example, if the request 2726 // analyzes for which resources user A has permission P, and there's an 2727 // IAM policy states user A has iam.serviceAccounts.getAccessToken 2728 // permission to a service account SA, and there's another IAM policy 2729 // states service account SA has permission P to a GCP folder F, then 2730 // user A potentially has access to the GCP folder F. And those advanced 2731 // analysis results will be included in 2732 // AnalyzeIamPolicyResponse.service_account_impersonation_analysis. 2733 // Another example, if the request analyzes for who has permission P to 2734 // a GCP folder F, and there's an IAM policy states user A has 2735 // iam.serviceAccounts.actAs permission to a service account SA, and 2736 // there's another IAM policy states service account SA has permission P 2737 // to the GCP folder F, then user A potentially has access to the GCP 2738 // folder F. And those advanced analysis results will be included in 2739 // AnalyzeIamPolicyResponse.service_account_impersonation_analysis. 2740 // Default is false. 2741 AnalyzeServiceAccountImpersonation bool `json:"analyzeServiceAccountImpersonation,omitempty"` 2742 2743 // ExpandGroups: Optional. If true, the identities section of the result 2744 // will expand any Google groups appearing in an IAM policy binding. If 2745 // identity_selector is specified, the identity in the result will be 2746 // determined by the selector, and this flag will have no effect. 2747 // Default is false. 2748 ExpandGroups bool `json:"expandGroups,omitempty"` 2749 2750 // ExpandResources: Optional. If true, the resource section of the 2751 // result will expand any resource attached to an IAM policy to include 2752 // resources lower in the resource hierarchy. For example, if the 2753 // request analyzes for which resources user A has permission P, and the 2754 // results include an IAM policy with P on a GCP folder, the results 2755 // will also include resources in that folder with permission P. If 2756 // resource_selector is specified, the resource section of the result 2757 // will be determined by the selector, and this flag will have no 2758 // effect. Default is false. 2759 ExpandResources bool `json:"expandResources,omitempty"` 2760 2761 // ExpandRoles: Optional. If true, the access section of result will 2762 // expand any roles appearing in IAM policy bindings to include their 2763 // permissions. If access_selector is specified, the access section of 2764 // the result will be determined by the selector, and this flag will 2765 // have no effect. Default is false. 2766 ExpandRoles bool `json:"expandRoles,omitempty"` 2767 2768 // OutputGroupEdges: Optional. If true, the result will output group 2769 // identity edges, starting from the binding's group members, to any 2770 // expanded identities. Default is false. 2771 OutputGroupEdges bool `json:"outputGroupEdges,omitempty"` 2772 2773 // OutputResourceEdges: Optional. If true, the result will output 2774 // resource edges, starting from the policy attached resource, to any 2775 // expanded resources. Default is false. 2776 OutputResourceEdges bool `json:"outputResourceEdges,omitempty"` 2777 2778 // ForceSendFields is a list of field names (e.g. 2779 // "AnalyzeServiceAccountImpersonation") to unconditionally include in 2780 // API requests. By default, fields with empty or default values are 2781 // omitted from API requests. However, any non-pointer, non-interface 2782 // field appearing in ForceSendFields will be sent to the server 2783 // regardless of whether the field is empty or not. This may be used to 2784 // include empty fields in Patch requests. 2785 ForceSendFields []string `json:"-"` 2786 2787 // NullFields is a list of field names (e.g. 2788 // "AnalyzeServiceAccountImpersonation") to include in API requests with 2789 // the JSON null value. By default, fields with empty values are omitted 2790 // from API requests. However, any field with an empty value appearing 2791 // in NullFields will be sent to the server as null. It is an error if a 2792 // field in this list has a non-empty value. This may be used to include 2793 // null fields in Patch requests. 2794 NullFields []string `json:"-"` 2795 } 2796 2797 func (s *Options) MarshalJSON() ([]byte, error) { 2798 type NoMethod Options 2799 raw := NoMethod(*s) 2800 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 2801 } 2802 2803 // Policy: An Identity and Access Management (IAM) policy, which 2804 // specifies access controls for Google Cloud resources. A `Policy` is a 2805 // collection of `bindings`. A `binding` binds one or more `members`, or 2806 // principals, to a single `role`. Principals can be user accounts, 2807 // service accounts, Google groups, and domains (such as G Suite). A 2808 // `role` is a named list of permissions; each `role` can be an IAM 2809 // predefined role or a user-created custom role. For some types of 2810 // Google Cloud resources, a `binding` can also specify a `condition`, 2811 // which is a logical expression that allows access to a resource only 2812 // if the expression evaluates to `true`. A condition can add 2813 // constraints based on attributes of the request, the resource, or 2814 // both. To learn which resources support conditions in their IAM 2815 // policies, see the IAM documentation 2816 // (https://cloud.google.com/iam/help/conditions/resource-policies). 2817 // **JSON example:** { "bindings": [ { "role": 2818 // "roles/resourcemanager.organizationAdmin", "members": [ 2819 // "user:mike@example.com", "group:admins@example.com", 2820 // "domain:google.com", 2821 // "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { 2822 // "role": "roles/resourcemanager.organizationViewer", "members": [ 2823 // "user:eve@example.com" ], "condition": { "title": "expirable access", 2824 // "description": "Does not grant access after Sep 2020", "expression": 2825 // "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], 2826 // "etag": "BwWWja0YfJA=", "version": 3 } **YAML example:** bindings: - 2827 // members: - user:mike@example.com - group:admins@example.com - 2828 // domain:google.com - 2829 // serviceAccount:my-project-id@appspot.gserviceaccount.com role: 2830 // roles/resourcemanager.organizationAdmin - members: - 2831 // user:eve@example.com role: roles/resourcemanager.organizationViewer 2832 // condition: title: expirable access description: Does not grant access 2833 // after Sep 2020 expression: request.time < 2834 // timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3 2835 // For a description of IAM and its features, see the IAM documentation 2836 // (https://cloud.google.com/iam/docs/). 2837 type Policy struct { 2838 // AuditConfigs: Specifies cloud audit logging configuration for this 2839 // policy. 2840 AuditConfigs []*AuditConfig `json:"auditConfigs,omitempty"` 2841 2842 // Bindings: Associates a list of `members`, or principals, with a 2843 // `role`. Optionally, may specify a `condition` that determines how and 2844 // when the `bindings` are applied. Each of the `bindings` must contain 2845 // at least one principal. The `bindings` in a `Policy` can refer to up 2846 // to 1,500 principals; up to 250 of these principals can be Google 2847 // groups. Each occurrence of a principal counts towards these limits. 2848 // For example, if the `bindings` grant 50 different roles to 2849 // `user:alice@example.com`, and not to any other principal, then you 2850 // can add another 1,450 principals to the `bindings` in the `Policy`. 2851 Bindings []*Binding `json:"bindings,omitempty"` 2852 2853 // Etag: `etag` is used for optimistic concurrency control as a way to 2854 // help prevent simultaneous updates of a policy from overwriting each 2855 // other. It is strongly suggested that systems make use of the `etag` 2856 // in the read-modify-write cycle to perform policy updates in order to 2857 // avoid race conditions: An `etag` is returned in the response to 2858 // `getIamPolicy`, and systems are expected to put that etag in the 2859 // request to `setIamPolicy` to ensure that their change will be applied 2860 // to the same version of the policy. **Important:** If you use IAM 2861 // Conditions, you must include the `etag` field whenever you call 2862 // `setIamPolicy`. If you omit this field, then IAM allows you to 2863 // overwrite a version `3` policy with a version `1` policy, and all of 2864 // the conditions in the version `3` policy are lost. 2865 Etag string `json:"etag,omitempty"` 2866 2867 // Version: Specifies the format of the policy. Valid values are `0`, 2868 // `1`, and `3`. Requests that specify an invalid value are rejected. 2869 // Any operation that affects conditional role bindings must specify 2870 // version `3`. This requirement applies to the following operations: * 2871 // Getting a policy that includes a conditional role binding * Adding a 2872 // conditional role binding to a policy * Changing a conditional role 2873 // binding in a policy * Removing any role binding, with or without a 2874 // condition, from a policy that includes conditions **Important:** If 2875 // you use IAM Conditions, you must include the `etag` field whenever 2876 // you call `setIamPolicy`. If you omit this field, then IAM allows you 2877 // to overwrite a version `3` policy with a version `1` policy, and all 2878 // of the conditions in the version `3` policy are lost. If a policy 2879 // does not include any conditions, operations on that policy may 2880 // specify any valid version or leave the field unset. To learn which 2881 // resources support conditions in their IAM policies, see the IAM 2882 // documentation 2883 // (https://cloud.google.com/iam/help/conditions/resource-policies). 2884 Version int64 `json:"version,omitempty"` 2885 2886 // ForceSendFields is a list of field names (e.g. "AuditConfigs") to 2887 // unconditionally include in API requests. By default, fields with 2888 // empty or default values are omitted from API requests. However, any 2889 // non-pointer, non-interface field appearing in ForceSendFields will be 2890 // sent to the server regardless of whether the field is empty or not. 2891 // This may be used to include empty fields in Patch requests. 2892 ForceSendFields []string `json:"-"` 2893 2894 // NullFields is a list of field names (e.g. "AuditConfigs") to include 2895 // in API requests with the JSON null value. By default, fields with 2896 // empty values are omitted from API requests. However, any field with 2897 // an empty value appearing in NullFields will be sent to the server as 2898 // null. It is an error if a field in this list has a non-empty value. 2899 // This may be used to include null fields in Patch requests. 2900 NullFields []string `json:"-"` 2901 } 2902 2903 func (s *Policy) MarshalJSON() ([]byte, error) { 2904 type NoMethod Policy 2905 raw := NoMethod(*s) 2906 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 2907 } 2908 2909 // ResourceSelector: Specifies the resource to analyze for access 2910 // policies, which may be set directly on the resource, or on ancestors 2911 // such as organizations, folders or projects. 2912 type ResourceSelector struct { 2913 // FullResourceName: Required. The full resource name 2914 // (https://cloud.google.com/asset-inventory/docs/resource-name-format) 2915 // of a resource of supported resource types 2916 // (https://cloud.google.com/asset-inventory/docs/supported-asset-types#analyzable_asset_types). 2917 FullResourceName string `json:"fullResourceName,omitempty"` 2918 2919 // ForceSendFields is a list of field names (e.g. "FullResourceName") to 2920 // unconditionally include in API requests. By default, fields with 2921 // empty or default values are omitted from API requests. However, any 2922 // non-pointer, non-interface field appearing in ForceSendFields will be 2923 // sent to the server regardless of whether the field is empty or not. 2924 // This may be used to include empty fields in Patch requests. 2925 ForceSendFields []string `json:"-"` 2926 2927 // NullFields is a list of field names (e.g. "FullResourceName") to 2928 // include in API requests with the JSON null value. By default, fields 2929 // with empty values are omitted from API requests. However, any field 2930 // with an empty value appearing in NullFields will be sent to the 2931 // server as null. It is an error if a field in this list has a 2932 // non-empty value. This may be used to include null fields in Patch 2933 // requests. 2934 NullFields []string `json:"-"` 2935 } 2936 2937 func (s *ResourceSelector) MarshalJSON() ([]byte, error) { 2938 type NoMethod ResourceSelector 2939 raw := NoMethod(*s) 2940 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 2941 } 2942 2943 // Status: The `Status` type defines a logical error model that is 2944 // suitable for different programming environments, including REST APIs 2945 // and RPC APIs. It is used by gRPC (https://github.com/grpc). Each 2946 // `Status` message contains three pieces of data: error code, error 2947 // message, and error details. You can find out more about this error 2948 // model and how to work with it in the API Design Guide 2949 // (https://cloud.google.com/apis/design/errors). 2950 type Status struct { 2951 // Code: The status code, which should be an enum value of 2952 // google.rpc.Code. 2953 Code int64 `json:"code,omitempty"` 2954 2955 // Details: A list of messages that carry the error details. There is a 2956 // common set of message types for APIs to use. 2957 Details []googleapi.RawMessage `json:"details,omitempty"` 2958 2959 // Message: A developer-facing error message, which should be in 2960 // English. Any user-facing error message should be localized and sent 2961 // in the google.rpc.Status.details field, or localized by the client. 2962 Message string `json:"message,omitempty"` 2963 2964 // ForceSendFields is a list of field names (e.g. "Code") to 2965 // unconditionally include in API requests. By default, fields with 2966 // empty or default values are omitted from API requests. However, any 2967 // non-pointer, non-interface field appearing in ForceSendFields will be 2968 // sent to the server regardless of whether the field is empty or not. 2969 // This may be used to include empty fields in Patch requests. 2970 ForceSendFields []string `json:"-"` 2971 2972 // NullFields is a list of field names (e.g. "Code") to include in API 2973 // requests with the JSON null value. By default, fields with empty 2974 // values are omitted from API requests. However, any field with an 2975 // empty value appearing in NullFields will be sent to the server as 2976 // null. It is an error if a field in this list has a non-empty value. 2977 // This may be used to include null fields in Patch requests. 2978 NullFields []string `json:"-"` 2979 } 2980 2981 func (s *Status) MarshalJSON() ([]byte, error) { 2982 type NoMethod Status 2983 raw := NoMethod(*s) 2984 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 2985 } 2986 2987 // method id "cloudasset.analyzeIamPolicy": 2988 2989 type V1p4beta1AnalyzeIamPolicyCall struct { 2990 s *Service 2991 parent string 2992 urlParams_ gensupport.URLParams 2993 ifNoneMatch_ string 2994 ctx_ context.Context 2995 header_ http.Header 2996 } 2997 2998 // AnalyzeIamPolicy: Analyzes IAM policies to answer which identities 2999 // have what accesses on which resources. 3000 // 3001 // - parent: The relative name of the root asset. Only resources and IAM 3002 // policies within the parent will be analyzed. This can only be an 3003 // organization number (such as "organizations/123"), a folder number 3004 // (such as "folders/123"), a project ID (such as 3005 // "projects/my-project-id"), or a project number (such as 3006 // "projects/12345"). To know how to get organization id, visit here 3007 // (https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id). 3008 // To know how to get folder or project id, visit here 3009 // (https://cloud.google.com/resource-manager/docs/creating-managing-folders#viewing_or_listing_folders_and_projects). 3010 func (r *V1p4beta1Service) AnalyzeIamPolicy(parent string) *V1p4beta1AnalyzeIamPolicyCall { 3011 c := &V1p4beta1AnalyzeIamPolicyCall{s: r.s, urlParams_: make(gensupport.URLParams)} 3012 c.parent = parent 3013 return c 3014 } 3015 3016 // AnalysisQueryAccessSelectorPermissions sets the optional parameter 3017 // "analysisQuery.accessSelector.permissions": The permissions to appear 3018 // in result. 3019 func (c *V1p4beta1AnalyzeIamPolicyCall) AnalysisQueryAccessSelectorPermissions(analysisQueryAccessSelectorPermissions ...string) *V1p4beta1AnalyzeIamPolicyCall { 3020 c.urlParams_.SetMulti("analysisQuery.accessSelector.permissions", append([]string{}, analysisQueryAccessSelectorPermissions...)) 3021 return c 3022 } 3023 3024 // AnalysisQueryAccessSelectorRoles sets the optional parameter 3025 // "analysisQuery.accessSelector.roles": The roles to appear in result. 3026 func (c *V1p4beta1AnalyzeIamPolicyCall) AnalysisQueryAccessSelectorRoles(analysisQueryAccessSelectorRoles ...string) *V1p4beta1AnalyzeIamPolicyCall { 3027 c.urlParams_.SetMulti("analysisQuery.accessSelector.roles", append([]string{}, analysisQueryAccessSelectorRoles...)) 3028 return c 3029 } 3030 3031 // AnalysisQueryIdentitySelectorIdentity sets the optional parameter 3032 // "analysisQuery.identitySelector.identity": Required. The identity 3033 // appear in the form of members in IAM policy binding 3034 // (https://cloud.google.com/iam/reference/rest/v1/Binding). The 3035 // examples of supported forms are: "user:mike@example.com", 3036 // "group:admins@example.com", "domain:google.com", 3037 // "serviceAccount:my-project-id@appspot.gserviceaccount.com". Notice 3038 // that wildcard characters (such as * and ?) are not supported. You 3039 // must give a specific identity. 3040 func (c *V1p4beta1AnalyzeIamPolicyCall) AnalysisQueryIdentitySelectorIdentity(analysisQueryIdentitySelectorIdentity string) *V1p4beta1AnalyzeIamPolicyCall { 3041 c.urlParams_.Set("analysisQuery.identitySelector.identity", analysisQueryIdentitySelectorIdentity) 3042 return c 3043 } 3044 3045 // AnalysisQueryResourceSelectorFullResourceName sets the optional 3046 // parameter "analysisQuery.resourceSelector.fullResourceName": 3047 // Required. The full resource name 3048 // (https://cloud.google.com/asset-inventory/docs/resource-name-format) 3049 // of a resource of supported resource types 3050 // (https://cloud.google.com/asset-inventory/docs/supported-asset-types#analyzable_asset_types). 3051 func (c *V1p4beta1AnalyzeIamPolicyCall) AnalysisQueryResourceSelectorFullResourceName(analysisQueryResourceSelectorFullResourceName string) *V1p4beta1AnalyzeIamPolicyCall { 3052 c.urlParams_.Set("analysisQuery.resourceSelector.fullResourceName", analysisQueryResourceSelectorFullResourceName) 3053 return c 3054 } 3055 3056 // OptionsAnalyzeServiceAccountImpersonation sets the optional parameter 3057 // "options.analyzeServiceAccountImpersonation": If true, the response 3058 // will include access analysis from identities to resources via service 3059 // account impersonation. This is a very expensive operation, because 3060 // many derived queries will be executed. We highly recommend you use 3061 // AssetService.ExportIamPolicyAnalysis rpc instead. For example, if the 3062 // request analyzes for which resources user A has permission P, and 3063 // there's an IAM policy states user A has 3064 // iam.serviceAccounts.getAccessToken permission to a service account 3065 // SA, and there's another IAM policy states service account SA has 3066 // permission P to a GCP folder F, then user A potentially has access to 3067 // the GCP folder F. And those advanced analysis results will be 3068 // included in 3069 // AnalyzeIamPolicyResponse.service_account_impersonation_analysis. 3070 // Another example, if the request analyzes for who has permission P to 3071 // a GCP folder F, and there's an IAM policy states user A has 3072 // iam.serviceAccounts.actAs permission to a service account SA, and 3073 // there's another IAM policy states service account SA has permission P 3074 // to the GCP folder F, then user A potentially has access to the GCP 3075 // folder F. And those advanced analysis results will be included in 3076 // AnalyzeIamPolicyResponse.service_account_impersonation_analysis. 3077 // Default is false. 3078 func (c *V1p4beta1AnalyzeIamPolicyCall) OptionsAnalyzeServiceAccountImpersonation(optionsAnalyzeServiceAccountImpersonation bool) *V1p4beta1AnalyzeIamPolicyCall { 3079 c.urlParams_.Set("options.analyzeServiceAccountImpersonation", fmt.Sprint(optionsAnalyzeServiceAccountImpersonation)) 3080 return c 3081 } 3082 3083 // OptionsExecutionTimeout sets the optional parameter 3084 // "options.executionTimeout": Amount of time executable has to 3085 // complete. See JSON representation of Duration 3086 // (https://developers.google.com/protocol-buffers/docs/proto3#json). If 3087 // this field is set with a value less than the RPC deadline, and the 3088 // execution of your query hasn't finished in the specified execution 3089 // timeout, you will get a response with partial result. Otherwise, your 3090 // query's execution will continue until the RPC deadline. If it's not 3091 // finished until then, you will get a DEADLINE_EXCEEDED error. Default 3092 // is empty. 3093 func (c *V1p4beta1AnalyzeIamPolicyCall) OptionsExecutionTimeout(optionsExecutionTimeout string) *V1p4beta1AnalyzeIamPolicyCall { 3094 c.urlParams_.Set("options.executionTimeout", optionsExecutionTimeout) 3095 return c 3096 } 3097 3098 // OptionsExpandGroups sets the optional parameter 3099 // "options.expandGroups": If true, the identities section of the result 3100 // will expand any Google groups appearing in an IAM policy binding. If 3101 // identity_selector is specified, the identity in the result will be 3102 // determined by the selector, and this flag will have no effect. 3103 // Default is false. 3104 func (c *V1p4beta1AnalyzeIamPolicyCall) OptionsExpandGroups(optionsExpandGroups bool) *V1p4beta1AnalyzeIamPolicyCall { 3105 c.urlParams_.Set("options.expandGroups", fmt.Sprint(optionsExpandGroups)) 3106 return c 3107 } 3108 3109 // OptionsExpandResources sets the optional parameter 3110 // "options.expandResources": If true, the resource section of the 3111 // result will expand any resource attached to an IAM policy to include 3112 // resources lower in the resource hierarchy. For example, if the 3113 // request analyzes for which resources user A has permission P, and the 3114 // results include an IAM policy with P on a GCP folder, the results 3115 // will also include resources in that folder with permission P. If 3116 // resource_selector is specified, the resource section of the result 3117 // will be determined by the selector, and this flag will have no 3118 // effect. Default is false. 3119 func (c *V1p4beta1AnalyzeIamPolicyCall) OptionsExpandResources(optionsExpandResources bool) *V1p4beta1AnalyzeIamPolicyCall { 3120 c.urlParams_.Set("options.expandResources", fmt.Sprint(optionsExpandResources)) 3121 return c 3122 } 3123 3124 // OptionsExpandRoles sets the optional parameter "options.expandRoles": 3125 // If true, the access section of result will expand any roles appearing 3126 // in IAM policy bindings to include their permissions. If 3127 // access_selector is specified, the access section of the result will 3128 // be determined by the selector, and this flag will have no effect. 3129 // Default is false. 3130 func (c *V1p4beta1AnalyzeIamPolicyCall) OptionsExpandRoles(optionsExpandRoles bool) *V1p4beta1AnalyzeIamPolicyCall { 3131 c.urlParams_.Set("options.expandRoles", fmt.Sprint(optionsExpandRoles)) 3132 return c 3133 } 3134 3135 // OptionsOutputGroupEdges sets the optional parameter 3136 // "options.outputGroupEdges": If true, the result will output group 3137 // identity edges, starting from the binding's group members, to any 3138 // expanded identities. Default is false. 3139 func (c *V1p4beta1AnalyzeIamPolicyCall) OptionsOutputGroupEdges(optionsOutputGroupEdges bool) *V1p4beta1AnalyzeIamPolicyCall { 3140 c.urlParams_.Set("options.outputGroupEdges", fmt.Sprint(optionsOutputGroupEdges)) 3141 return c 3142 } 3143 3144 // OptionsOutputResourceEdges sets the optional parameter 3145 // "options.outputResourceEdges": If true, the result will output 3146 // resource edges, starting from the policy attached resource, to any 3147 // expanded resources. Default is false. 3148 func (c *V1p4beta1AnalyzeIamPolicyCall) OptionsOutputResourceEdges(optionsOutputResourceEdges bool) *V1p4beta1AnalyzeIamPolicyCall { 3149 c.urlParams_.Set("options.outputResourceEdges", fmt.Sprint(optionsOutputResourceEdges)) 3150 return c 3151 } 3152 3153 // Fields allows partial responses to be retrieved. See 3154 // https://developers.google.com/gdata/docs/2.0/basics#PartialResponse 3155 // for more information. 3156 func (c *V1p4beta1AnalyzeIamPolicyCall) Fields(s ...googleapi.Field) *V1p4beta1AnalyzeIamPolicyCall { 3157 c.urlParams_.Set("fields", googleapi.CombineFields(s)) 3158 return c 3159 } 3160 3161 // IfNoneMatch sets the optional parameter which makes the operation 3162 // fail if the object's ETag matches the given value. This is useful for 3163 // getting updates only after the object has changed since the last 3164 // request. Use googleapi.IsNotModified to check whether the response 3165 // error from Do is the result of In-None-Match. 3166 func (c *V1p4beta1AnalyzeIamPolicyCall) IfNoneMatch(entityTag string) *V1p4beta1AnalyzeIamPolicyCall { 3167 c.ifNoneMatch_ = entityTag 3168 return c 3169 } 3170 3171 // Context sets the context to be used in this call's Do method. Any 3172 // pending HTTP request will be aborted if the provided context is 3173 // canceled. 3174 func (c *V1p4beta1AnalyzeIamPolicyCall) Context(ctx context.Context) *V1p4beta1AnalyzeIamPolicyCall { 3175 c.ctx_ = ctx 3176 return c 3177 } 3178 3179 // Header returns an http.Header that can be modified by the caller to 3180 // add HTTP headers to the request. 3181 func (c *V1p4beta1AnalyzeIamPolicyCall) Header() http.Header { 3182 if c.header_ == nil { 3183 c.header_ = make(http.Header) 3184 } 3185 return c.header_ 3186 } 3187 3188 func (c *V1p4beta1AnalyzeIamPolicyCall) doRequest(alt string) (*http.Response, error) { 3189 reqHeaders := make(http.Header) 3190 reqHeaders.Set("x-goog-api-client", "gl-go/"+gensupport.GoVersion()+" gdcl/"+internal.Version) 3191 for k, v := range c.header_ { 3192 reqHeaders[k] = v 3193 } 3194 reqHeaders.Set("User-Agent", c.s.userAgent()) 3195 if c.ifNoneMatch_ != "" { 3196 reqHeaders.Set("If-None-Match", c.ifNoneMatch_) 3197 } 3198 var body io.Reader = nil 3199 c.urlParams_.Set("alt", alt) 3200 c.urlParams_.Set("prettyPrint", "false") 3201 urls := googleapi.ResolveRelative(c.s.BasePath, "v1p4beta1/{+parent}:analyzeIamPolicy") 3202 urls += "?" + c.urlParams_.Encode() 3203 req, err := http.NewRequest("GET", urls, body) 3204 if err != nil { 3205 return nil, err 3206 } 3207 req.Header = reqHeaders 3208 googleapi.Expand(req.URL, map[string]string{ 3209 "parent": c.parent, 3210 }) 3211 return gensupport.SendRequest(c.ctx_, c.s.client, req) 3212 } 3213 3214 // Do executes the "cloudasset.analyzeIamPolicy" call. 3215 // Exactly one of *AnalyzeIamPolicyResponse or error will be non-nil. 3216 // Any non-2xx status code is an error. Response headers are in either 3217 // *AnalyzeIamPolicyResponse.ServerResponse.Header or (if a response was 3218 // returned at all) in error.(*googleapi.Error).Header. Use 3219 // googleapi.IsNotModified to check whether the returned error was 3220 // because http.StatusNotModified was returned. 3221 func (c *V1p4beta1AnalyzeIamPolicyCall) Do(opts ...googleapi.CallOption) (*AnalyzeIamPolicyResponse, error) { 3222 gensupport.SetOptions(c.urlParams_, opts...) 3223 res, err := c.doRequest("json") 3224 if res != nil && res.StatusCode == http.StatusNotModified { 3225 if res.Body != nil { 3226 res.Body.Close() 3227 } 3228 return nil, &googleapi.Error{ 3229 Code: res.StatusCode, 3230 Header: res.Header, 3231 } 3232 } 3233 if err != nil { 3234 return nil, err 3235 } 3236 defer googleapi.CloseBody(res) 3237 if err := googleapi.CheckResponse(res); err != nil { 3238 return nil, err 3239 } 3240 ret := &AnalyzeIamPolicyResponse{ 3241 ServerResponse: googleapi.ServerResponse{ 3242 Header: res.Header, 3243 HTTPStatusCode: res.StatusCode, 3244 }, 3245 } 3246 target := &ret 3247 if err := gensupport.DecodeResponse(target, res); err != nil { 3248 return nil, err 3249 } 3250 return ret, nil 3251 // { 3252 // "description": "Analyzes IAM policies to answer which identities have what accesses on which resources.", 3253 // "flatPath": "v1p4beta1/{v1p4beta1Id}/{v1p4beta1Id1}:analyzeIamPolicy", 3254 // "httpMethod": "GET", 3255 // "id": "cloudasset.analyzeIamPolicy", 3256 // "parameterOrder": [ 3257 // "parent" 3258 // ], 3259 // "parameters": { 3260 // "analysisQuery.accessSelector.permissions": { 3261 // "description": "Optional. The permissions to appear in result.", 3262 // "location": "query", 3263 // "repeated": true, 3264 // "type": "string" 3265 // }, 3266 // "analysisQuery.accessSelector.roles": { 3267 // "description": "Optional. The roles to appear in result.", 3268 // "location": "query", 3269 // "repeated": true, 3270 // "type": "string" 3271 // }, 3272 // "analysisQuery.identitySelector.identity": { 3273 // "description": "Required. The identity appear in the form of members in [IAM policy binding](https://cloud.google.com/iam/reference/rest/v1/Binding). The examples of supported forms are: \"user:mike@example.com\", \"group:admins@example.com\", \"domain:google.com\", \"serviceAccount:my-project-id@appspot.gserviceaccount.com\". Notice that wildcard characters (such as * and ?) are not supported. You must give a specific identity.", 3274 // "location": "query", 3275 // "type": "string" 3276 // }, 3277 // "analysisQuery.resourceSelector.fullResourceName": { 3278 // "description": "Required. The [full resource name](https://cloud.google.com/asset-inventory/docs/resource-name-format) of a resource of [supported resource types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#analyzable_asset_types).", 3279 // "location": "query", 3280 // "type": "string" 3281 // }, 3282 // "options.analyzeServiceAccountImpersonation": { 3283 // "description": "Optional. If true, the response will include access analysis from identities to resources via service account impersonation. This is a very expensive operation, because many derived queries will be executed. We highly recommend you use AssetService.ExportIamPolicyAnalysis rpc instead. For example, if the request analyzes for which resources user A has permission P, and there's an IAM policy states user A has iam.serviceAccounts.getAccessToken permission to a service account SA, and there's another IAM policy states service account SA has permission P to a GCP folder F, then user A potentially has access to the GCP folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Another example, if the request analyzes for who has permission P to a GCP folder F, and there's an IAM policy states user A has iam.serviceAccounts.actAs permission to a service account SA, and there's another IAM policy states service account SA has permission P to the GCP folder F, then user A potentially has access to the GCP folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Default is false.", 3284 // "location": "query", 3285 // "type": "boolean" 3286 // }, 3287 // "options.executionTimeout": { 3288 // "description": "Optional. Amount of time executable has to complete. See JSON representation of [Duration](https://developers.google.com/protocol-buffers/docs/proto3#json). If this field is set with a value less than the RPC deadline, and the execution of your query hasn't finished in the specified execution timeout, you will get a response with partial result. Otherwise, your query's execution will continue until the RPC deadline. If it's not finished until then, you will get a DEADLINE_EXCEEDED error. Default is empty.", 3289 // "format": "google-duration", 3290 // "location": "query", 3291 // "type": "string" 3292 // }, 3293 // "options.expandGroups": { 3294 // "description": "Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If identity_selector is specified, the identity in the result will be determined by the selector, and this flag will have no effect. Default is false.", 3295 // "location": "query", 3296 // "type": "boolean" 3297 // }, 3298 // "options.expandResources": { 3299 // "description": "Optional. If true, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a GCP folder, the results will also include resources in that folder with permission P. If resource_selector is specified, the resource section of the result will be determined by the selector, and this flag will have no effect. Default is false.", 3300 // "location": "query", 3301 // "type": "boolean" 3302 // }, 3303 // "options.expandRoles": { 3304 // "description": "Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If access_selector is specified, the access section of the result will be determined by the selector, and this flag will have no effect. Default is false.", 3305 // "location": "query", 3306 // "type": "boolean" 3307 // }, 3308 // "options.outputGroupEdges": { 3309 // "description": "Optional. If true, the result will output group identity edges, starting from the binding's group members, to any expanded identities. Default is false.", 3310 // "location": "query", 3311 // "type": "boolean" 3312 // }, 3313 // "options.outputResourceEdges": { 3314 // "description": "Optional. If true, the result will output resource edges, starting from the policy attached resource, to any expanded resources. Default is false.", 3315 // "location": "query", 3316 // "type": "boolean" 3317 // }, 3318 // "parent": { 3319 // "description": "Required. The relative name of the root asset. Only resources and IAM policies within the parent will be analyzed. This can only be an organization number (such as \"organizations/123\"), a folder number (such as \"folders/123\"), a project ID (such as \"projects/my-project-id\"), or a project number (such as \"projects/12345\"). To know how to get organization id, visit [here ](https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id). To know how to get folder or project id, visit [here ](https://cloud.google.com/resource-manager/docs/creating-managing-folders#viewing_or_listing_folders_and_projects).", 3320 // "location": "path", 3321 // "pattern": "^[^/]+/[^/]+$", 3322 // "required": true, 3323 // "type": "string" 3324 // } 3325 // }, 3326 // "path": "v1p4beta1/{+parent}:analyzeIamPolicy", 3327 // "response": { 3328 // "$ref": "AnalyzeIamPolicyResponse" 3329 // }, 3330 // "scopes": [ 3331 // "https://www.googleapis.com/auth/cloud-platform" 3332 // ] 3333 // } 3334 3335 } 3336 3337 // method id "cloudasset.exportIamPolicyAnalysis": 3338 3339 type V1p4beta1ExportIamPolicyAnalysisCall struct { 3340 s *Service 3341 parent string 3342 exportiampolicyanalysisrequest *ExportIamPolicyAnalysisRequest 3343 urlParams_ gensupport.URLParams 3344 ctx_ context.Context 3345 header_ http.Header 3346 } 3347 3348 // ExportIamPolicyAnalysis: Exports the answers of which identities have 3349 // what accesses on which resources to a Google Cloud Storage 3350 // destination. The output format is the JSON format that represents a 3351 // AnalyzeIamPolicyResponse in the JSON format. This method implements 3352 // the google.longrunning.Operation, which allows you to keep track of 3353 // the export. We recommend intervals of at least 2 seconds with 3354 // exponential retry to poll the export operation result. The metadata 3355 // contains the request to help callers to map responses to requests. 3356 // 3357 // - parent: The relative name of the root asset. Only resources and IAM 3358 // policies within the parent will be analyzed. This can only be an 3359 // organization number (such as "organizations/123"), a folder number 3360 // (such as "folders/123"), a project ID (such as 3361 // "projects/my-project-id"), or a project number (such as 3362 // "projects/12345"). To know how to get organization id, visit here 3363 // (https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id). 3364 // To know how to get folder or project id, visit here 3365 // (https://cloud.google.com/resource-manager/docs/creating-managing-folders#viewing_or_listing_folders_and_projects). 3366 func (r *V1p4beta1Service) ExportIamPolicyAnalysis(parent string, exportiampolicyanalysisrequest *ExportIamPolicyAnalysisRequest) *V1p4beta1ExportIamPolicyAnalysisCall { 3367 c := &V1p4beta1ExportIamPolicyAnalysisCall{s: r.s, urlParams_: make(gensupport.URLParams)} 3368 c.parent = parent 3369 c.exportiampolicyanalysisrequest = exportiampolicyanalysisrequest 3370 return c 3371 } 3372 3373 // Fields allows partial responses to be retrieved. See 3374 // https://developers.google.com/gdata/docs/2.0/basics#PartialResponse 3375 // for more information. 3376 func (c *V1p4beta1ExportIamPolicyAnalysisCall) Fields(s ...googleapi.Field) *V1p4beta1ExportIamPolicyAnalysisCall { 3377 c.urlParams_.Set("fields", googleapi.CombineFields(s)) 3378 return c 3379 } 3380 3381 // Context sets the context to be used in this call's Do method. Any 3382 // pending HTTP request will be aborted if the provided context is 3383 // canceled. 3384 func (c *V1p4beta1ExportIamPolicyAnalysisCall) Context(ctx context.Context) *V1p4beta1ExportIamPolicyAnalysisCall { 3385 c.ctx_ = ctx 3386 return c 3387 } 3388 3389 // Header returns an http.Header that can be modified by the caller to 3390 // add HTTP headers to the request. 3391 func (c *V1p4beta1ExportIamPolicyAnalysisCall) Header() http.Header { 3392 if c.header_ == nil { 3393 c.header_ = make(http.Header) 3394 } 3395 return c.header_ 3396 } 3397 3398 func (c *V1p4beta1ExportIamPolicyAnalysisCall) doRequest(alt string) (*http.Response, error) { 3399 reqHeaders := make(http.Header) 3400 reqHeaders.Set("x-goog-api-client", "gl-go/"+gensupport.GoVersion()+" gdcl/"+internal.Version) 3401 for k, v := range c.header_ { 3402 reqHeaders[k] = v 3403 } 3404 reqHeaders.Set("User-Agent", c.s.userAgent()) 3405 var body io.Reader = nil 3406 body, err := googleapi.WithoutDataWrapper.JSONReader(c.exportiampolicyanalysisrequest) 3407 if err != nil { 3408 return nil, err 3409 } 3410 reqHeaders.Set("Content-Type", "application/json") 3411 c.urlParams_.Set("alt", alt) 3412 c.urlParams_.Set("prettyPrint", "false") 3413 urls := googleapi.ResolveRelative(c.s.BasePath, "v1p4beta1/{+parent}:exportIamPolicyAnalysis") 3414 urls += "?" + c.urlParams_.Encode() 3415 req, err := http.NewRequest("POST", urls, body) 3416 if err != nil { 3417 return nil, err 3418 } 3419 req.Header = reqHeaders 3420 googleapi.Expand(req.URL, map[string]string{ 3421 "parent": c.parent, 3422 }) 3423 return gensupport.SendRequest(c.ctx_, c.s.client, req) 3424 } 3425 3426 // Do executes the "cloudasset.exportIamPolicyAnalysis" call. 3427 // Exactly one of *Operation or error will be non-nil. Any non-2xx 3428 // status code is an error. Response headers are in either 3429 // *Operation.ServerResponse.Header or (if a response was returned at 3430 // all) in error.(*googleapi.Error).Header. Use googleapi.IsNotModified 3431 // to check whether the returned error was because 3432 // http.StatusNotModified was returned. 3433 func (c *V1p4beta1ExportIamPolicyAnalysisCall) Do(opts ...googleapi.CallOption) (*Operation, error) { 3434 gensupport.SetOptions(c.urlParams_, opts...) 3435 res, err := c.doRequest("json") 3436 if res != nil && res.StatusCode == http.StatusNotModified { 3437 if res.Body != nil { 3438 res.Body.Close() 3439 } 3440 return nil, &googleapi.Error{ 3441 Code: res.StatusCode, 3442 Header: res.Header, 3443 } 3444 } 3445 if err != nil { 3446 return nil, err 3447 } 3448 defer googleapi.CloseBody(res) 3449 if err := googleapi.CheckResponse(res); err != nil { 3450 return nil, err 3451 } 3452 ret := &Operation{ 3453 ServerResponse: googleapi.ServerResponse{ 3454 Header: res.Header, 3455 HTTPStatusCode: res.StatusCode, 3456 }, 3457 } 3458 target := &ret 3459 if err := gensupport.DecodeResponse(target, res); err != nil { 3460 return nil, err 3461 } 3462 return ret, nil 3463 // { 3464 // "description": "Exports the answers of which identities have what accesses on which resources to a Google Cloud Storage destination. The output format is the JSON format that represents a AnalyzeIamPolicyResponse in the JSON format. This method implements the google.longrunning.Operation, which allows you to keep track of the export. We recommend intervals of at least 2 seconds with exponential retry to poll the export operation result. The metadata contains the request to help callers to map responses to requests.", 3465 // "flatPath": "v1p4beta1/{v1p4beta1Id}/{v1p4beta1Id1}:exportIamPolicyAnalysis", 3466 // "httpMethod": "POST", 3467 // "id": "cloudasset.exportIamPolicyAnalysis", 3468 // "parameterOrder": [ 3469 // "parent" 3470 // ], 3471 // "parameters": { 3472 // "parent": { 3473 // "description": "Required. The relative name of the root asset. Only resources and IAM policies within the parent will be analyzed. This can only be an organization number (such as \"organizations/123\"), a folder number (such as \"folders/123\"), a project ID (such as \"projects/my-project-id\"), or a project number (such as \"projects/12345\"). To know how to get organization id, visit [here ](https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id). To know how to get folder or project id, visit [here ](https://cloud.google.com/resource-manager/docs/creating-managing-folders#viewing_or_listing_folders_and_projects).", 3474 // "location": "path", 3475 // "pattern": "^[^/]+/[^/]+$", 3476 // "required": true, 3477 // "type": "string" 3478 // } 3479 // }, 3480 // "path": "v1p4beta1/{+parent}:exportIamPolicyAnalysis", 3481 // "request": { 3482 // "$ref": "ExportIamPolicyAnalysisRequest" 3483 // }, 3484 // "response": { 3485 // "$ref": "Operation" 3486 // }, 3487 // "scopes": [ 3488 // "https://www.googleapis.com/auth/cloud-platform" 3489 // ] 3490 // } 3491 3492 } 3493