1 // Copyright 2024 Google LLC. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 // Code generated file. DO NOT EDIT. 6 7 // Package policytroubleshooter provides access to the Policy Troubleshooter API. 8 // 9 // For product documentation, see: https://cloud.google.com/iam/ 10 // 11 // # Library status 12 // 13 // These client libraries are officially supported by Google. However, this 14 // library is considered complete and is in maintenance mode. This means 15 // that we will address critical bugs and security issues but will not add 16 // any new features. 17 // 18 // When possible, we recommend using our newer 19 // [Cloud Client Libraries for Go](https://pkg.go.dev/cloud.google.com/go) 20 // that are still actively being worked and iterated on. 21 // 22 // # Creating a client 23 // 24 // Usage example: 25 // 26 // import "google.golang.org/api/policytroubleshooter/v1" 27 // ... 28 // ctx := context.Background() 29 // policytroubleshooterService, err := policytroubleshooter.NewService(ctx) 30 // 31 // In this example, Google Application Default Credentials are used for 32 // authentication. For information on how to create and obtain Application 33 // Default Credentials, see https://developers.google.com/identity/protocols/application-default-credentials. 34 // 35 // # Other authentication options 36 // 37 // To use an API key for authentication (note: some APIs do not support API 38 // keys), use [google.golang.org/api/option.WithAPIKey]: 39 // 40 // policytroubleshooterService, err := policytroubleshooter.NewService(ctx, option.WithAPIKey("AIza...")) 41 // 42 // To use an OAuth token (e.g., a user token obtained via a three-legged OAuth 43 // flow, use [google.golang.org/api/option.WithTokenSource]: 44 // 45 // config := &oauth2.Config{...} 46 // // ... 47 // token, err := config.Exchange(ctx, ...) 48 // policytroubleshooterService, err := policytroubleshooter.NewService(ctx, option.WithTokenSource(config.TokenSource(ctx, token))) 49 // 50 // See [google.golang.org/api/option.ClientOption] for details on options. 51 package policytroubleshooter // import "google.golang.org/api/policytroubleshooter/v1" 52 53 import ( 54 "bytes" 55 "context" 56 "encoding/json" 57 "errors" 58 "fmt" 59 "io" 60 "net/http" 61 "net/url" 62 "strconv" 63 "strings" 64 65 googleapi "google.golang.org/api/googleapi" 66 internal "google.golang.org/api/internal" 67 gensupport "google.golang.org/api/internal/gensupport" 68 option "google.golang.org/api/option" 69 internaloption "google.golang.org/api/option/internaloption" 70 htransport "google.golang.org/api/transport/http" 71 ) 72 73 // Always reference these packages, just in case the auto-generated code 74 // below doesn't. 75 var _ = bytes.NewBuffer 76 var _ = strconv.Itoa 77 var _ = fmt.Sprintf 78 var _ = json.NewDecoder 79 var _ = io.Copy 80 var _ = url.Parse 81 var _ = gensupport.MarshalJSON 82 var _ = googleapi.Version 83 var _ = errors.New 84 var _ = strings.Replace 85 var _ = context.Canceled 86 var _ = internaloption.WithDefaultEndpoint 87 var _ = internal.Version 88 89 const apiId = "policytroubleshooter:v1" 90 const apiName = "policytroubleshooter" 91 const apiVersion = "v1" 92 const basePath = "https://policytroubleshooter.googleapis.com/" 93 const basePathTemplate = "https://policytroubleshooter.UNIVERSE_DOMAIN/" 94 const mtlsBasePath = "https://policytroubleshooter.mtls.googleapis.com/" 95 96 // OAuth2 scopes used by this API. 97 const ( 98 // See, edit, configure, and delete your Google Cloud data and see the email 99 // address for your Google Account. 100 CloudPlatformScope = "https://www.googleapis.com/auth/cloud-platform" 101 ) 102 103 // NewService creates a new Service. 104 func NewService(ctx context.Context, opts ...option.ClientOption) (*Service, error) { 105 scopesOption := internaloption.WithDefaultScopes( 106 "https://www.googleapis.com/auth/cloud-platform", 107 ) 108 // NOTE: prepend, so we don't override user-specified scopes. 109 opts = append([]option.ClientOption{scopesOption}, opts...) 110 opts = append(opts, internaloption.WithDefaultEndpoint(basePath)) 111 opts = append(opts, internaloption.WithDefaultEndpointTemplate(basePathTemplate)) 112 opts = append(opts, internaloption.WithDefaultMTLSEndpoint(mtlsBasePath)) 113 opts = append(opts, internaloption.EnableNewAuthLibrary()) 114 client, endpoint, err := htransport.NewClient(ctx, opts...) 115 if err != nil { 116 return nil, err 117 } 118 s, err := New(client) 119 if err != nil { 120 return nil, err 121 } 122 if endpoint != "" { 123 s.BasePath = endpoint 124 } 125 return s, nil 126 } 127 128 // New creates a new Service. It uses the provided http.Client for requests. 129 // 130 // Deprecated: please use NewService instead. 131 // To provide a custom HTTP client, use option.WithHTTPClient. 132 // If you are using google.golang.org/api/googleapis/transport.APIKey, use option.WithAPIKey with NewService instead. 133 func New(client *http.Client) (*Service, error) { 134 if client == nil { 135 return nil, errors.New("client is nil") 136 } 137 s := &Service{client: client, BasePath: basePath} 138 s.Iam = NewIamService(s) 139 return s, nil 140 } 141 142 type Service struct { 143 client *http.Client 144 BasePath string // API endpoint base URL 145 UserAgent string // optional additional User-Agent fragment 146 147 Iam *IamService 148 } 149 150 func (s *Service) userAgent() string { 151 if s.UserAgent == "" { 152 return googleapi.UserAgent 153 } 154 return googleapi.UserAgent + " " + s.UserAgent 155 } 156 157 func NewIamService(s *Service) *IamService { 158 rs := &IamService{s: s} 159 return rs 160 } 161 162 type IamService struct { 163 s *Service 164 } 165 166 // GoogleCloudPolicytroubleshooterV1AccessTuple: Information about the 167 // principal, resource, and permission to check. 168 type GoogleCloudPolicytroubleshooterV1AccessTuple struct { 169 // FullResourceName: Required. The full resource name that identifies the 170 // resource. For example, 171 // `//compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/m 172 // y-instance`. For examples of full resource names for Google Cloud services, 173 // see https://cloud.google.com/iam/help/troubleshooter/full-resource-names. 174 FullResourceName string `json:"fullResourceName,omitempty"` 175 // Permission: Required. The IAM permission to check for the specified 176 // principal and resource. For a complete list of IAM permissions, see 177 // https://cloud.google.com/iam/help/permissions/reference. For a complete list 178 // of predefined IAM roles and the permissions in each role, see 179 // https://cloud.google.com/iam/help/roles/reference. 180 Permission string `json:"permission,omitempty"` 181 // Principal: Required. The principal whose access you want to check, in the 182 // form of the email address that represents that principal. For example, 183 // `alice@example.com` or 184 // `my-service-account@my-project.iam.gserviceaccount.com`. The principal must 185 // be a Google Account or a service account. Other types of principals are not 186 // supported. 187 Principal string `json:"principal,omitempty"` 188 // ForceSendFields is a list of field names (e.g. "FullResourceName") to 189 // unconditionally include in API requests. By default, fields with empty or 190 // default values are omitted from API requests. See 191 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 192 // details. 193 ForceSendFields []string `json:"-"` 194 // NullFields is a list of field names (e.g. "FullResourceName") to include in 195 // API requests with the JSON null value. By default, fields with empty values 196 // are omitted from API requests. See 197 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 198 NullFields []string `json:"-"` 199 } 200 201 func (s *GoogleCloudPolicytroubleshooterV1AccessTuple) MarshalJSON() ([]byte, error) { 202 type NoMethod GoogleCloudPolicytroubleshooterV1AccessTuple 203 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 204 } 205 206 // GoogleCloudPolicytroubleshooterV1BindingExplanation: Details about how a 207 // binding in a policy affects a principal's ability to use a permission. 208 type GoogleCloudPolicytroubleshooterV1BindingExplanation struct { 209 // Access: Required. Indicates whether _this binding_ provides the specified 210 // permission to the specified principal for the specified resource. This field 211 // does _not_ indicate whether the principal actually has the permission for 212 // the resource. There might be another binding that overrides this binding. To 213 // determine whether the principal actually has the permission, use the 214 // `access` field in the TroubleshootIamPolicyResponse. 215 // 216 // Possible values: 217 // "ACCESS_STATE_UNSPECIFIED" - Default value. This value is unused. 218 // "GRANTED" - The principal has the permission. 219 // "NOT_GRANTED" - The principal does not have the permission. 220 // "UNKNOWN_CONDITIONAL" - The principal has the permission only if a 221 // condition expression evaluates to `true`. 222 // "UNKNOWN_INFO_DENIED" - The sender of the request does not have access to 223 // all of the policies that Policy Troubleshooter needs to evaluate. 224 Access string `json:"access,omitempty"` 225 // Condition: A condition expression that prevents this binding from granting 226 // access unless the expression evaluates to `true`. To learn about IAM 227 // Conditions, see https://cloud.google.com/iam/help/conditions/overview. 228 Condition *GoogleTypeExpr `json:"condition,omitempty"` 229 // Memberships: Indicates whether each principal in the binding includes the 230 // principal specified in the request, either directly or indirectly. Each key 231 // identifies a principal in the binding, and each value indicates whether the 232 // principal in the binding includes the principal in the request. For example, 233 // suppose that a binding includes the following principals: * 234 // `user:alice@example.com` * `group:product-eng@example.com` You want to 235 // troubleshoot access for `user:bob@example.com`. This user is a principal of 236 // the group `group:product-eng@example.com`. For the first principal in the 237 // binding, the key is `user:alice@example.com`, and the `membership` field in 238 // the value is set to `MEMBERSHIP_NOT_INCLUDED`. For the second principal in 239 // the binding, the key is `group:product-eng@example.com`, and the 240 // `membership` field in the value is set to `MEMBERSHIP_INCLUDED`. 241 Memberships map[string]GoogleCloudPolicytroubleshooterV1BindingExplanationAnnotatedMembership `json:"memberships,omitempty"` 242 // Relevance: The relevance of this binding to the overall determination for 243 // the entire policy. 244 // 245 // Possible values: 246 // "HEURISTIC_RELEVANCE_UNSPECIFIED" - Default value. This value is unused. 247 // "NORMAL" - The data point has a limited effect on the result. Changing the 248 // data point is unlikely to affect the overall determination. 249 // "HIGH" - The data point has a strong effect on the result. Changing the 250 // data point is likely to affect the overall determination. 251 Relevance string `json:"relevance,omitempty"` 252 // Role: The role that this binding grants. For example, 253 // `roles/compute.serviceAgent`. For a complete list of predefined IAM roles, 254 // as well as the permissions in each role, see 255 // https://cloud.google.com/iam/help/roles/reference. 256 Role string `json:"role,omitempty"` 257 // RolePermission: Indicates whether the role granted by this binding contains 258 // the specified permission. 259 // 260 // Possible values: 261 // "ROLE_PERMISSION_UNSPECIFIED" - Default value. This value is unused. 262 // "ROLE_PERMISSION_INCLUDED" - The permission is included in the role. 263 // "ROLE_PERMISSION_NOT_INCLUDED" - The permission is not included in the 264 // role. 265 // "ROLE_PERMISSION_UNKNOWN_INFO_DENIED" - The sender of the request is not 266 // allowed to access the binding. 267 RolePermission string `json:"rolePermission,omitempty"` 268 // RolePermissionRelevance: The relevance of the permission's existence, or 269 // nonexistence, in the role to the overall determination for the entire 270 // policy. 271 // 272 // Possible values: 273 // "HEURISTIC_RELEVANCE_UNSPECIFIED" - Default value. This value is unused. 274 // "NORMAL" - The data point has a limited effect on the result. Changing the 275 // data point is unlikely to affect the overall determination. 276 // "HIGH" - The data point has a strong effect on the result. Changing the 277 // data point is likely to affect the overall determination. 278 RolePermissionRelevance string `json:"rolePermissionRelevance,omitempty"` 279 // ForceSendFields is a list of field names (e.g. "Access") to unconditionally 280 // include in API requests. By default, fields with empty or default values are 281 // omitted from API requests. See 282 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 283 // details. 284 ForceSendFields []string `json:"-"` 285 // NullFields is a list of field names (e.g. "Access") to include in API 286 // requests with the JSON null value. By default, fields with empty values are 287 // omitted from API requests. See 288 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 289 NullFields []string `json:"-"` 290 } 291 292 func (s *GoogleCloudPolicytroubleshooterV1BindingExplanation) MarshalJSON() ([]byte, error) { 293 type NoMethod GoogleCloudPolicytroubleshooterV1BindingExplanation 294 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 295 } 296 297 // GoogleCloudPolicytroubleshooterV1BindingExplanationAnnotatedMembership: 298 // Details about whether the binding includes the principal. 299 type GoogleCloudPolicytroubleshooterV1BindingExplanationAnnotatedMembership struct { 300 // Membership: Indicates whether the binding includes the principal. 301 // 302 // Possible values: 303 // "MEMBERSHIP_UNSPECIFIED" - Default value. This value is unused. 304 // "MEMBERSHIP_INCLUDED" - The binding includes the principal. The principal 305 // can be included directly or indirectly. For example: * A principal is 306 // included directly if that principal is listed in the binding. * A principal 307 // is included indirectly if that principal is in a Google group or Google 308 // Workspace domain that is listed in the binding. 309 // "MEMBERSHIP_NOT_INCLUDED" - The binding does not include the principal. 310 // "MEMBERSHIP_UNKNOWN_INFO_DENIED" - The sender of the request is not 311 // allowed to access the binding. 312 // "MEMBERSHIP_UNKNOWN_UNSUPPORTED" - The principal is an unsupported type. 313 // Only Google Accounts and service accounts are supported. 314 Membership string `json:"membership,omitempty"` 315 // Relevance: The relevance of the principal's status to the overall 316 // determination for the binding. 317 // 318 // Possible values: 319 // "HEURISTIC_RELEVANCE_UNSPECIFIED" - Default value. This value is unused. 320 // "NORMAL" - The data point has a limited effect on the result. Changing the 321 // data point is unlikely to affect the overall determination. 322 // "HIGH" - The data point has a strong effect on the result. Changing the 323 // data point is likely to affect the overall determination. 324 Relevance string `json:"relevance,omitempty"` 325 // ForceSendFields is a list of field names (e.g. "Membership") to 326 // unconditionally include in API requests. By default, fields with empty or 327 // default values are omitted from API requests. See 328 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 329 // details. 330 ForceSendFields []string `json:"-"` 331 // NullFields is a list of field names (e.g. "Membership") to include in API 332 // requests with the JSON null value. By default, fields with empty values are 333 // omitted from API requests. See 334 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 335 NullFields []string `json:"-"` 336 } 337 338 func (s *GoogleCloudPolicytroubleshooterV1BindingExplanationAnnotatedMembership) MarshalJSON() ([]byte, error) { 339 type NoMethod GoogleCloudPolicytroubleshooterV1BindingExplanationAnnotatedMembership 340 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 341 } 342 343 // GoogleCloudPolicytroubleshooterV1ExplainedPolicy: Details about how a 344 // specific IAM Policy contributed to the access check. 345 type GoogleCloudPolicytroubleshooterV1ExplainedPolicy struct { 346 // Access: Indicates whether _this policy_ provides the specified permission to 347 // the specified principal for the specified resource. This field does _not_ 348 // indicate whether the principal actually has the permission for the resource. 349 // There might be another policy that overrides this policy. To determine 350 // whether the principal actually has the permission, use the `access` field in 351 // the TroubleshootIamPolicyResponse. 352 // 353 // Possible values: 354 // "ACCESS_STATE_UNSPECIFIED" - Default value. This value is unused. 355 // "GRANTED" - The principal has the permission. 356 // "NOT_GRANTED" - The principal does not have the permission. 357 // "UNKNOWN_CONDITIONAL" - The principal has the permission only if a 358 // condition expression evaluates to `true`. 359 // "UNKNOWN_INFO_DENIED" - The sender of the request does not have access to 360 // all of the policies that Policy Troubleshooter needs to evaluate. 361 Access string `json:"access,omitempty"` 362 // BindingExplanations: Details about how each binding in the policy affects 363 // the principal's ability, or inability, to use the permission for the 364 // resource. If the sender of the request does not have access to the policy, 365 // this field is omitted. 366 BindingExplanations []*GoogleCloudPolicytroubleshooterV1BindingExplanation `json:"bindingExplanations,omitempty"` 367 // FullResourceName: The full resource name that identifies the resource. For 368 // example, 369 // `//compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/m 370 // y-instance`. If the sender of the request does not have access to the 371 // policy, this field is omitted. For examples of full resource names for 372 // Google Cloud services, see 373 // https://cloud.google.com/iam/help/troubleshooter/full-resource-names. 374 FullResourceName string `json:"fullResourceName,omitempty"` 375 // Policy: The IAM policy attached to the resource. If the sender of the 376 // request does not have access to the policy, this field is empty. 377 Policy *GoogleIamV1Policy `json:"policy,omitempty"` 378 // Relevance: The relevance of this policy to the overall determination in the 379 // TroubleshootIamPolicyResponse. If the sender of the request does not have 380 // access to the policy, this field is omitted. 381 // 382 // Possible values: 383 // "HEURISTIC_RELEVANCE_UNSPECIFIED" - Default value. This value is unused. 384 // "NORMAL" - The data point has a limited effect on the result. Changing the 385 // data point is unlikely to affect the overall determination. 386 // "HIGH" - The data point has a strong effect on the result. Changing the 387 // data point is likely to affect the overall determination. 388 Relevance string `json:"relevance,omitempty"` 389 // ForceSendFields is a list of field names (e.g. "Access") to unconditionally 390 // include in API requests. By default, fields with empty or default values are 391 // omitted from API requests. See 392 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 393 // details. 394 ForceSendFields []string `json:"-"` 395 // NullFields is a list of field names (e.g. "Access") to include in API 396 // requests with the JSON null value. By default, fields with empty values are 397 // omitted from API requests. See 398 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 399 NullFields []string `json:"-"` 400 } 401 402 func (s *GoogleCloudPolicytroubleshooterV1ExplainedPolicy) MarshalJSON() ([]byte, error) { 403 type NoMethod GoogleCloudPolicytroubleshooterV1ExplainedPolicy 404 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 405 } 406 407 // GoogleCloudPolicytroubleshooterV1TroubleshootIamPolicyRequest: Request for 408 // TroubleshootIamPolicy. 409 type GoogleCloudPolicytroubleshooterV1TroubleshootIamPolicyRequest struct { 410 // AccessTuple: The information to use for checking whether a principal has a 411 // permission for a resource. 412 AccessTuple *GoogleCloudPolicytroubleshooterV1AccessTuple `json:"accessTuple,omitempty"` 413 // ForceSendFields is a list of field names (e.g. "AccessTuple") to 414 // unconditionally include in API requests. By default, fields with empty or 415 // default values are omitted from API requests. See 416 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 417 // details. 418 ForceSendFields []string `json:"-"` 419 // NullFields is a list of field names (e.g. "AccessTuple") to include in API 420 // requests with the JSON null value. By default, fields with empty values are 421 // omitted from API requests. See 422 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 423 NullFields []string `json:"-"` 424 } 425 426 func (s *GoogleCloudPolicytroubleshooterV1TroubleshootIamPolicyRequest) MarshalJSON() ([]byte, error) { 427 type NoMethod GoogleCloudPolicytroubleshooterV1TroubleshootIamPolicyRequest 428 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 429 } 430 431 // GoogleCloudPolicytroubleshooterV1TroubleshootIamPolicyResponse: Response for 432 // TroubleshootIamPolicy. 433 type GoogleCloudPolicytroubleshooterV1TroubleshootIamPolicyResponse struct { 434 // Access: Indicates whether the principal has the specified permission for the 435 // specified resource, based on evaluating all of the applicable IAM policies. 436 // 437 // Possible values: 438 // "ACCESS_STATE_UNSPECIFIED" - Default value. This value is unused. 439 // "GRANTED" - The principal has the permission. 440 // "NOT_GRANTED" - The principal does not have the permission. 441 // "UNKNOWN_CONDITIONAL" - The principal has the permission only if a 442 // condition expression evaluates to `true`. 443 // "UNKNOWN_INFO_DENIED" - The sender of the request does not have access to 444 // all of the policies that Policy Troubleshooter needs to evaluate. 445 Access string `json:"access,omitempty"` 446 // Errors: The general errors contained in the troubleshooting response. 447 Errors []*GoogleRpcStatus `json:"errors,omitempty"` 448 // ExplainedPolicies: List of IAM policies that were evaluated to check the 449 // principal's permissions, with annotations to indicate how each policy 450 // contributed to the final result. The list of policies can include the policy 451 // for the resource itself. It can also include policies that are inherited 452 // from higher levels of the resource hierarchy, including the organization, 453 // the folder, and the project. To learn more about the resource hierarchy, see 454 // https://cloud.google.com/iam/help/resource-hierarchy. 455 ExplainedPolicies []*GoogleCloudPolicytroubleshooterV1ExplainedPolicy `json:"explainedPolicies,omitempty"` 456 457 // ServerResponse contains the HTTP response code and headers from the server. 458 googleapi.ServerResponse `json:"-"` 459 // ForceSendFields is a list of field names (e.g. "Access") to unconditionally 460 // include in API requests. By default, fields with empty or default values are 461 // omitted from API requests. See 462 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 463 // details. 464 ForceSendFields []string `json:"-"` 465 // NullFields is a list of field names (e.g. "Access") to include in API 466 // requests with the JSON null value. By default, fields with empty values are 467 // omitted from API requests. See 468 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 469 NullFields []string `json:"-"` 470 } 471 472 func (s *GoogleCloudPolicytroubleshooterV1TroubleshootIamPolicyResponse) MarshalJSON() ([]byte, error) { 473 type NoMethod GoogleCloudPolicytroubleshooterV1TroubleshootIamPolicyResponse 474 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 475 } 476 477 // GoogleIamV1AuditConfig: Specifies the audit configuration for a service. The 478 // configuration determines which permission types are logged, and what 479 // identities, if any, are exempted from logging. An AuditConfig must have one 480 // or more AuditLogConfigs. If there are AuditConfigs for both `allServices` 481 // and a specific service, the union of the two AuditConfigs is used for that 482 // service: the log_types specified in each AuditConfig are enabled, and the 483 // exempted_members in each AuditLogConfig are exempted. Example Policy with 484 // multiple AuditConfigs: { "audit_configs": [ { "service": "allServices", 485 // "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ 486 // "user:jose@example.com" ] }, { "log_type": "DATA_WRITE" }, { "log_type": 487 // "ADMIN_READ" } ] }, { "service": "sampleservice.googleapis.com", 488 // "audit_log_configs": [ { "log_type": "DATA_READ" }, { "log_type": 489 // "DATA_WRITE", "exempted_members": [ "user:aliya@example.com" ] } ] } ] } For 490 // sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ 491 // logging. It also exempts `jose@example.com` from DATA_READ logging, and 492 // `aliya@example.com` from DATA_WRITE logging. 493 type GoogleIamV1AuditConfig struct { 494 // AuditLogConfigs: The configuration for logging of each type of permission. 495 AuditLogConfigs []*GoogleIamV1AuditLogConfig `json:"auditLogConfigs,omitempty"` 496 // Service: Specifies a service that will be enabled for audit logging. For 497 // example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` 498 // is a special value that covers all services. 499 Service string `json:"service,omitempty"` 500 // ForceSendFields is a list of field names (e.g. "AuditLogConfigs") to 501 // unconditionally include in API requests. By default, fields with empty or 502 // default values are omitted from API requests. See 503 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 504 // details. 505 ForceSendFields []string `json:"-"` 506 // NullFields is a list of field names (e.g. "AuditLogConfigs") to include in 507 // API requests with the JSON null value. By default, fields with empty values 508 // are omitted from API requests. See 509 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 510 NullFields []string `json:"-"` 511 } 512 513 func (s *GoogleIamV1AuditConfig) MarshalJSON() ([]byte, error) { 514 type NoMethod GoogleIamV1AuditConfig 515 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 516 } 517 518 // GoogleIamV1AuditLogConfig: Provides the configuration for logging a type of 519 // permissions. Example: { "audit_log_configs": [ { "log_type": "DATA_READ", 520 // "exempted_members": [ "user:jose@example.com" ] }, { "log_type": 521 // "DATA_WRITE" } ] } This enables 'DATA_READ' and 'DATA_WRITE' logging, while 522 // exempting jose@example.com from DATA_READ logging. 523 type GoogleIamV1AuditLogConfig struct { 524 // ExemptedMembers: Specifies the identities that do not cause logging for this 525 // type of permission. Follows the same format of Binding.members. 526 ExemptedMembers []string `json:"exemptedMembers,omitempty"` 527 // LogType: The log type that this config enables. 528 // 529 // Possible values: 530 // "LOG_TYPE_UNSPECIFIED" - Default case. Should never be this. 531 // "ADMIN_READ" - Admin reads. Example: CloudIAM getIamPolicy 532 // "DATA_WRITE" - Data writes. Example: CloudSQL Users create 533 // "DATA_READ" - Data reads. Example: CloudSQL Users list 534 LogType string `json:"logType,omitempty"` 535 // ForceSendFields is a list of field names (e.g. "ExemptedMembers") to 536 // unconditionally include in API requests. By default, fields with empty or 537 // default values are omitted from API requests. See 538 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 539 // details. 540 ForceSendFields []string `json:"-"` 541 // NullFields is a list of field names (e.g. "ExemptedMembers") to include in 542 // API requests with the JSON null value. By default, fields with empty values 543 // are omitted from API requests. See 544 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 545 NullFields []string `json:"-"` 546 } 547 548 func (s *GoogleIamV1AuditLogConfig) MarshalJSON() ([]byte, error) { 549 type NoMethod GoogleIamV1AuditLogConfig 550 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 551 } 552 553 // GoogleIamV1Binding: Associates `members`, or principals, with a `role`. 554 type GoogleIamV1Binding struct { 555 // Condition: The condition that is associated with this binding. If the 556 // condition evaluates to `true`, then this binding applies to the current 557 // request. If the condition evaluates to `false`, then this binding does not 558 // apply to the current request. However, a different role binding might grant 559 // the same role to one or more of the principals in this binding. To learn 560 // which resources support conditions in their IAM policies, see the IAM 561 // documentation 562 // (https://cloud.google.com/iam/help/conditions/resource-policies). 563 Condition *GoogleTypeExpr `json:"condition,omitempty"` 564 // Members: Specifies the principals requesting access for a Google Cloud 565 // resource. `members` can have the following values: * `allUsers`: A special 566 // identifier that represents anyone who is on the internet; with or without a 567 // Google account. * `allAuthenticatedUsers`: A special identifier that 568 // represents anyone who is authenticated with a Google account or a service 569 // account. Does not include identities that come from external identity 570 // providers (IdPs) through identity federation. * `user:{emailid}`: An email 571 // address that represents a specific Google account. For example, 572 // `alice@example.com` . * `serviceAccount:{emailid}`: An email address that 573 // represents a Google service account. For example, 574 // `my-other-app@appspot.gserviceaccount.com`. * 575 // `serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}]`: An 576 // identifier for a Kubernetes service account 577 // (https://cloud.google.com/kubernetes-engine/docs/how-to/kubernetes-service-accounts). 578 // For example, `my-project.svc.id.goog[my-namespace/my-kubernetes-sa]`. * 579 // `group:{emailid}`: An email address that represents a Google group. For 580 // example, `admins@example.com`. * `domain:{domain}`: The G Suite domain 581 // (primary) that represents all the users of that domain. For example, 582 // `google.com` or `example.com`. * 583 // `principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/sub 584 // ject/{subject_attribute_value}`: A single identity in a workforce identity 585 // pool. * 586 // `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/ 587 // group/{group_id}`: All workforce identities in a group. * 588 // `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/ 589 // attribute.{attribute_name}/{attribute_value}`: All workforce identities with 590 // a specific attribute value. * 591 // `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/ 592 // *`: All identities in a workforce identity pool. * 593 // `principal://iam.googleapis.com/projects/{project_number}/locations/global/wo 594 // rkloadIdentityPools/{pool_id}/subject/{subject_attribute_value}`: A single 595 // identity in a workload identity pool. * 596 // `principalSet://iam.googleapis.com/projects/{project_number}/locations/global 597 // /workloadIdentityPools/{pool_id}/group/{group_id}`: A workload identity pool 598 // group. * 599 // `principalSet://iam.googleapis.com/projects/{project_number}/locations/global 600 // /workloadIdentityPools/{pool_id}/attribute.{attribute_name}/{attribute_value} 601 // `: All identities in a workload identity pool with a certain attribute. * 602 // `principalSet://iam.googleapis.com/projects/{project_number}/locations/global 603 // /workloadIdentityPools/{pool_id}/*`: All identities in a workload identity 604 // pool. * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus 605 // unique identifier) representing a user that has been recently deleted. For 606 // example, `alice@example.com?uid=123456789012345678901`. If the user is 607 // recovered, this value reverts to `user:{emailid}` and the recovered user 608 // retains the role in the binding. * 609 // `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus 610 // unique identifier) representing a service account that has been recently 611 // deleted. For example, 612 // `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the 613 // service account is undeleted, this value reverts to 614 // `serviceAccount:{emailid}` and the undeleted service account retains the 615 // role in the binding. * `deleted:group:{emailid}?uid={uniqueid}`: An email 616 // address (plus unique identifier) representing a Google group that has been 617 // recently deleted. For example, 618 // `admins@example.com?uid=123456789012345678901`. If the group is recovered, 619 // this value reverts to `group:{emailid}` and the recovered group retains the 620 // role in the binding. * 621 // `deleted:principal://iam.googleapis.com/locations/global/workforcePools/{pool 622 // _id}/subject/{subject_attribute_value}`: Deleted single identity in a 623 // workforce identity pool. For example, 624 // `deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-po 625 // ol-id/subject/my-subject-attribute-value`. 626 Members []string `json:"members,omitempty"` 627 // Role: Role that is assigned to the list of `members`, or principals. For 628 // example, `roles/viewer`, `roles/editor`, or `roles/owner`. For an overview 629 // of the IAM roles and permissions, see the IAM documentation 630 // (https://cloud.google.com/iam/docs/roles-overview). For a list of the 631 // available pre-defined roles, see here 632 // (https://cloud.google.com/iam/docs/understanding-roles). 633 Role string `json:"role,omitempty"` 634 // ForceSendFields is a list of field names (e.g. "Condition") to 635 // unconditionally include in API requests. By default, fields with empty or 636 // default values are omitted from API requests. See 637 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 638 // details. 639 ForceSendFields []string `json:"-"` 640 // NullFields is a list of field names (e.g. "Condition") to include in API 641 // requests with the JSON null value. By default, fields with empty values are 642 // omitted from API requests. See 643 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 644 NullFields []string `json:"-"` 645 } 646 647 func (s *GoogleIamV1Binding) MarshalJSON() ([]byte, error) { 648 type NoMethod GoogleIamV1Binding 649 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 650 } 651 652 // GoogleIamV1Policy: An Identity and Access Management (IAM) policy, which 653 // specifies access controls for Google Cloud resources. A `Policy` is a 654 // collection of `bindings`. A `binding` binds one or more `members`, or 655 // principals, to a single `role`. Principals can be user accounts, service 656 // accounts, Google groups, and domains (such as G Suite). A `role` is a named 657 // list of permissions; each `role` can be an IAM predefined role or a 658 // user-created custom role. For some types of Google Cloud resources, a 659 // `binding` can also specify a `condition`, which is a logical expression that 660 // allows access to a resource only if the expression evaluates to `true`. A 661 // condition can add constraints based on attributes of the request, the 662 // resource, or both. To learn which resources support conditions in their IAM 663 // policies, see the IAM documentation 664 // (https://cloud.google.com/iam/help/conditions/resource-policies). **JSON 665 // example:** ``` { "bindings": [ { "role": 666 // "roles/resourcemanager.organizationAdmin", "members": [ 667 // "user:mike@example.com", "group:admins@example.com", "domain:google.com", 668 // "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": 669 // "roles/resourcemanager.organizationViewer", "members": [ 670 // "user:eve@example.com" ], "condition": { "title": "expirable access", 671 // "description": "Does not grant access after Sep 2020", "expression": 672 // "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": 673 // "BwWWja0YfJA=", "version": 3 } ``` **YAML example:** ``` bindings: - 674 // members: - user:mike@example.com - group:admins@example.com - 675 // domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com 676 // role: roles/resourcemanager.organizationAdmin - members: - 677 // user:eve@example.com role: roles/resourcemanager.organizationViewer 678 // condition: title: expirable access description: Does not grant access after 679 // Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') 680 // etag: BwWWja0YfJA= version: 3 ``` For a description of IAM and its features, 681 // see the IAM documentation (https://cloud.google.com/iam/docs/). 682 type GoogleIamV1Policy struct { 683 // AuditConfigs: Specifies cloud audit logging configuration for this policy. 684 AuditConfigs []*GoogleIamV1AuditConfig `json:"auditConfigs,omitempty"` 685 // Bindings: Associates a list of `members`, or principals, with a `role`. 686 // Optionally, may specify a `condition` that determines how and when the 687 // `bindings` are applied. Each of the `bindings` must contain at least one 688 // principal. The `bindings` in a `Policy` can refer to up to 1,500 principals; 689 // up to 250 of these principals can be Google groups. Each occurrence of a 690 // principal counts towards these limits. For example, if the `bindings` grant 691 // 50 different roles to `user:alice@example.com`, and not to any other 692 // principal, then you can add another 1,450 principals to the `bindings` in 693 // the `Policy`. 694 Bindings []*GoogleIamV1Binding `json:"bindings,omitempty"` 695 // Etag: `etag` is used for optimistic concurrency control as a way to help 696 // prevent simultaneous updates of a policy from overwriting each other. It is 697 // strongly suggested that systems make use of the `etag` in the 698 // read-modify-write cycle to perform policy updates in order to avoid race 699 // conditions: An `etag` is returned in the response to `getIamPolicy`, and 700 // systems are expected to put that etag in the request to `setIamPolicy` to 701 // ensure that their change will be applied to the same version of the policy. 702 // **Important:** If you use IAM Conditions, you must include the `etag` field 703 // whenever you call `setIamPolicy`. If you omit this field, then IAM allows 704 // you to overwrite a version `3` policy with a version `1` policy, and all of 705 // the conditions in the version `3` policy are lost. 706 Etag string `json:"etag,omitempty"` 707 // Version: Specifies the format of the policy. Valid values are `0`, `1`, and 708 // `3`. Requests that specify an invalid value are rejected. Any operation that 709 // affects conditional role bindings must specify version `3`. This requirement 710 // applies to the following operations: * Getting a policy that includes a 711 // conditional role binding * Adding a conditional role binding to a policy * 712 // Changing a conditional role binding in a policy * Removing any role binding, 713 // with or without a condition, from a policy that includes conditions 714 // **Important:** If you use IAM Conditions, you must include the `etag` field 715 // whenever you call `setIamPolicy`. If you omit this field, then IAM allows 716 // you to overwrite a version `3` policy with a version `1` policy, and all of 717 // the conditions in the version `3` policy are lost. If a policy does not 718 // include any conditions, operations on that policy may specify any valid 719 // version or leave the field unset. To learn which resources support 720 // conditions in their IAM policies, see the IAM documentation 721 // (https://cloud.google.com/iam/help/conditions/resource-policies). 722 Version int64 `json:"version,omitempty"` 723 // ForceSendFields is a list of field names (e.g. "AuditConfigs") to 724 // unconditionally include in API requests. By default, fields with empty or 725 // default values are omitted from API requests. See 726 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 727 // details. 728 ForceSendFields []string `json:"-"` 729 // NullFields is a list of field names (e.g. "AuditConfigs") to include in API 730 // requests with the JSON null value. By default, fields with empty values are 731 // omitted from API requests. See 732 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 733 NullFields []string `json:"-"` 734 } 735 736 func (s *GoogleIamV1Policy) MarshalJSON() ([]byte, error) { 737 type NoMethod GoogleIamV1Policy 738 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 739 } 740 741 // GoogleRpcStatus: The `Status` type defines a logical error model that is 742 // suitable for different programming environments, including REST APIs and RPC 743 // APIs. It is used by gRPC (https://github.com/grpc). Each `Status` message 744 // contains three pieces of data: error code, error message, and error details. 745 // You can find out more about this error model and how to work with it in the 746 // API Design Guide (https://cloud.google.com/apis/design/errors). 747 type GoogleRpcStatus struct { 748 // Code: The status code, which should be an enum value of google.rpc.Code. 749 Code int64 `json:"code,omitempty"` 750 // Details: A list of messages that carry the error details. There is a common 751 // set of message types for APIs to use. 752 Details []googleapi.RawMessage `json:"details,omitempty"` 753 // Message: A developer-facing error message, which should be in English. Any 754 // user-facing error message should be localized and sent in the 755 // google.rpc.Status.details field, or localized by the client. 756 Message string `json:"message,omitempty"` 757 // ForceSendFields is a list of field names (e.g. "Code") to unconditionally 758 // include in API requests. By default, fields with empty or default values are 759 // omitted from API requests. See 760 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 761 // details. 762 ForceSendFields []string `json:"-"` 763 // NullFields is a list of field names (e.g. "Code") to include in API requests 764 // with the JSON null value. By default, fields with empty values are omitted 765 // from API requests. See 766 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 767 NullFields []string `json:"-"` 768 } 769 770 func (s *GoogleRpcStatus) MarshalJSON() ([]byte, error) { 771 type NoMethod GoogleRpcStatus 772 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 773 } 774 775 // GoogleTypeExpr: Represents a textual expression in the Common Expression 776 // Language (CEL) syntax. CEL is a C-like expression language. The syntax and 777 // semantics of CEL are documented at https://github.com/google/cel-spec. 778 // Example (Comparison): title: "Summary size limit" description: "Determines 779 // if a summary is less than 100 chars" expression: "document.summary.size() < 780 // 100" Example (Equality): title: "Requestor is owner" description: 781 // "Determines if requestor is the document owner" expression: "document.owner 782 // == request.auth.claims.email" Example (Logic): title: "Public documents" 783 // description: "Determine whether the document should be publicly visible" 784 // expression: "document.type != 'private' && document.type != 'internal'" 785 // Example (Data Manipulation): title: "Notification string" description: 786 // "Create a notification string with a timestamp." expression: "'New message 787 // received at ' + string(document.create_time)" The exact variables and 788 // functions that may be referenced within an expression are determined by the 789 // service that evaluates it. See the service documentation for additional 790 // information. 791 type GoogleTypeExpr struct { 792 // Description: Optional. Description of the expression. This is a longer text 793 // which describes the expression, e.g. when hovered over it in a UI. 794 Description string `json:"description,omitempty"` 795 // Expression: Textual representation of an expression in Common Expression 796 // Language syntax. 797 Expression string `json:"expression,omitempty"` 798 // Location: Optional. String indicating the location of the expression for 799 // error reporting, e.g. a file name and a position in the file. 800 Location string `json:"location,omitempty"` 801 // Title: Optional. Title for the expression, i.e. a short string describing 802 // its purpose. This can be used e.g. in UIs which allow to enter the 803 // expression. 804 Title string `json:"title,omitempty"` 805 // ForceSendFields is a list of field names (e.g. "Description") to 806 // unconditionally include in API requests. By default, fields with empty or 807 // default values are omitted from API requests. See 808 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 809 // details. 810 ForceSendFields []string `json:"-"` 811 // NullFields is a list of field names (e.g. "Description") to include in API 812 // requests with the JSON null value. By default, fields with empty values are 813 // omitted from API requests. See 814 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 815 NullFields []string `json:"-"` 816 } 817 818 func (s *GoogleTypeExpr) MarshalJSON() ([]byte, error) { 819 type NoMethod GoogleTypeExpr 820 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 821 } 822 823 type IamTroubleshootCall struct { 824 s *Service 825 googlecloudpolicytroubleshooterv1troubleshootiampolicyrequest *GoogleCloudPolicytroubleshooterV1TroubleshootIamPolicyRequest 826 urlParams_ gensupport.URLParams 827 ctx_ context.Context 828 header_ http.Header 829 } 830 831 // Troubleshoot: Checks whether a principal has a specific permission for a 832 // specific resource, and explains why the principal does or does not have that 833 // permission. 834 func (r *IamService) Troubleshoot(googlecloudpolicytroubleshooterv1troubleshootiampolicyrequest *GoogleCloudPolicytroubleshooterV1TroubleshootIamPolicyRequest) *IamTroubleshootCall { 835 c := &IamTroubleshootCall{s: r.s, urlParams_: make(gensupport.URLParams)} 836 c.googlecloudpolicytroubleshooterv1troubleshootiampolicyrequest = googlecloudpolicytroubleshooterv1troubleshootiampolicyrequest 837 return c 838 } 839 840 // Fields allows partial responses to be retrieved. See 841 // https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more 842 // details. 843 func (c *IamTroubleshootCall) Fields(s ...googleapi.Field) *IamTroubleshootCall { 844 c.urlParams_.Set("fields", googleapi.CombineFields(s)) 845 return c 846 } 847 848 // Context sets the context to be used in this call's Do method. 849 func (c *IamTroubleshootCall) Context(ctx context.Context) *IamTroubleshootCall { 850 c.ctx_ = ctx 851 return c 852 } 853 854 // Header returns a http.Header that can be modified by the caller to add 855 // headers to the request. 856 func (c *IamTroubleshootCall) Header() http.Header { 857 if c.header_ == nil { 858 c.header_ = make(http.Header) 859 } 860 return c.header_ 861 } 862 863 func (c *IamTroubleshootCall) doRequest(alt string) (*http.Response, error) { 864 reqHeaders := gensupport.SetHeaders(c.s.userAgent(), "application/json", c.header_) 865 var body io.Reader = nil 866 body, err := googleapi.WithoutDataWrapper.JSONReader(c.googlecloudpolicytroubleshooterv1troubleshootiampolicyrequest) 867 if err != nil { 868 return nil, err 869 } 870 c.urlParams_.Set("alt", alt) 871 c.urlParams_.Set("prettyPrint", "false") 872 urls := googleapi.ResolveRelative(c.s.BasePath, "v1/iam:troubleshoot") 873 urls += "?" + c.urlParams_.Encode() 874 req, err := http.NewRequest("POST", urls, body) 875 if err != nil { 876 return nil, err 877 } 878 req.Header = reqHeaders 879 return gensupport.SendRequest(c.ctx_, c.s.client, req) 880 } 881 882 // Do executes the "policytroubleshooter.iam.troubleshoot" call. 883 // Any non-2xx status code is an error. Response headers are in either 884 // *GoogleCloudPolicytroubleshooterV1TroubleshootIamPolicyResponse.ServerRespons 885 // e.Header or (if a response was returned at all) in 886 // error.(*googleapi.Error).Header. Use googleapi.IsNotModified to check 887 // whether the returned error was because http.StatusNotModified was returned. 888 func (c *IamTroubleshootCall) Do(opts ...googleapi.CallOption) (*GoogleCloudPolicytroubleshooterV1TroubleshootIamPolicyResponse, error) { 889 gensupport.SetOptions(c.urlParams_, opts...) 890 res, err := c.doRequest("json") 891 if res != nil && res.StatusCode == http.StatusNotModified { 892 if res.Body != nil { 893 res.Body.Close() 894 } 895 return nil, gensupport.WrapError(&googleapi.Error{ 896 Code: res.StatusCode, 897 Header: res.Header, 898 }) 899 } 900 if err != nil { 901 return nil, err 902 } 903 defer googleapi.CloseBody(res) 904 if err := googleapi.CheckResponse(res); err != nil { 905 return nil, gensupport.WrapError(err) 906 } 907 ret := &GoogleCloudPolicytroubleshooterV1TroubleshootIamPolicyResponse{ 908 ServerResponse: googleapi.ServerResponse{ 909 Header: res.Header, 910 HTTPStatusCode: res.StatusCode, 911 }, 912 } 913 target := &ret 914 if err := gensupport.DecodeResponse(target, res); err != nil { 915 return nil, err 916 } 917 return ret, nil 918 } 919