Google Git
Sign in
code / google-api-go-client / 9d4f0b92ed941024b2e4f36961b2220d52f24caf / . / cloudasset / v1p4beta1 / cloudasset-api.json
blob: 5852aa5f72f6b760a8264e57e48bac886cdeca76 [file] [log] [blame]
{
"auth": {
"oauth2": {
"scopes": {
"https://www.googleapis.com/auth/cloud-platform": {
"description": "View and manage your data across Google Cloud Platform services"
}
}
}
},
"basePath": "",
"baseUrl": "https://cloudasset.googleapis.com/",
"batchPath": "batch",
"canonicalName": "Cloud Asset",
"description": "The cloud asset API manages the history and inventory of cloud resources.",
"discoveryVersion": "v1",
"documentationLink": "https://cloud.google.com/asset-inventory/docs/quickstart",
"fullyEncodeReservedExpansion": true,
"icons": {
"x16": "http://www.google.com/images/icons/product/search-16.gif",
"x32": "http://www.google.com/images/icons/product/search-32.gif"
},
"id": "cloudasset:v1p4beta1",
"kind": "discovery#restDescription",
"mtlsRootUrl": "https://cloudasset.mtls.googleapis.com/",
"name": "cloudasset",
"ownerDomain": "google.com",
"ownerName": "Google",
"parameters": {
"$.xgafv": {
"description": "V1 error format.",
"enum": [
"1",
"2"
],
"enumDescriptions": [
"v1 error format",
"v2 error format"
],
"location": "query",
"type": "string"
},
"access_token": {
"description": "OAuth access token.",
"location": "query",
"type": "string"
},
"alt": {
"default": "json",
"description": "Data format for response.",
"enum": [
"json",
"media",
"proto"
],
"enumDescriptions": [
"Responses with Content-Type of application/json",
"Media download with context-dependent Content-Type",
"Responses with Content-Type of application/x-protobuf"
],
"location": "query",
"type": "string"
},
"callback": {
"description": "JSONP",
"location": "query",
"type": "string"
},
"fields": {
"description": "Selector specifying which fields to include in a partial response.",
"location": "query",
"type": "string"
},
"key": {
"description": "API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.",
"location": "query",
"type": "string"
},
"oauth_token": {
"description": "OAuth 2.0 token for the current user.",
"location": "query",
"type": "string"
},
"prettyPrint": {
"default": "true",
"description": "Returns response with indentations and line breaks.",
"location": "query",
"type": "boolean"
},
"quotaUser": {
"description": "Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.",
"location": "query",
"type": "string"
},
"uploadType": {
"description": "Legacy upload protocol for media (e.g. \"media\", \"multipart\").",
"location": "query",
"type": "string"
},
"upload_protocol": {
"description": "Upload protocol for media (e.g. \"raw\", \"multipart\").",
"location": "query",
"type": "string"
}
},
"protocol": "rest",
"resources": {
"v1p4beta1": {
"methods": {
"analyzeIamPolicy": {
"description": "Analyzes IAM policies based on the specified request. Returns\na list of IamPolicyAnalysisResult matching the request.",
"flatPath": "v1p4beta1/{v1p4beta1Id}/{v1p4beta1Id1}:analyzeIamPolicy",
"httpMethod": "GET",
"id": "cloudasset.analyzeIamPolicy",
"parameterOrder": [
"parent"
],
"parameters": {
"analysisQuery.accessSelector.permissions": {
"description": "Optional. The permissions to appear in result.",
"location": "query",
"repeated": true,
"type": "string"
},
"analysisQuery.accessSelector.roles": {
"description": "Optional. The roles to appear in result.",
"location": "query",
"repeated": true,
"type": "string"
},
"analysisQuery.identitySelector.identity": {
"description": "Required. The identity appear in the form of members in\n[IAM policy\nbinding](https://cloud.google.com/iam/reference/rest/v1/Binding).",
"location": "query",
"type": "string"
},
"analysisQuery.resourceSelector.fullResourceName": {
"description": "Required. The [full resource\nname](https://cloud.google.com/apis/design/resource_names#full_resource_name)\n.",
"location": "query",
"type": "string"
},
"options.analyzeServiceAccountImpersonation": {
"description": "Optional. If true, the response will include access analysis from identities to\nresources via service account impersonation. This is a very expensive\noperation, because many derived queries will be executed. We highly\nrecommend you use ExportIamPolicyAnalysis rpc instead.\n\nFor example, if the request analyzes for which resources user A has\npermission P, and there's an IAM policy states user A has\niam.serviceAccounts.getAccessToken permission to a service account SA,\nand there's another IAM policy states service account SA has permission P\nto a GCP folder F, then user A potentially has access to the GCP folder\nF. And those advanced analysis results will be included in\nAnalyzeIamPolicyResponse.service_account_impersonation_analysis.\n\nAnother example, if the request analyzes for who has\npermission P to a GCP folder F, and there's an IAM policy states user A\nhas iam.serviceAccounts.actAs permission to a service account SA, and\nthere's another IAM policy states service account SA has permission P to\nthe GCP folder F, then user A potentially has access to the GCP folder\nF. And those advanced analysis results will be included in\nAnalyzeIamPolicyResponse.service_account_impersonation_analysis.\n\nDefault is false.",
"location": "query",
"type": "boolean"
},
"options.executionTimeout": {
"description": "Optional. Amount of time executable has to complete. See JSON representation of\n[Duration](https://developers.google.com/protocol-buffers/docs/proto3#json).\n\nIf this field is set with a value less than the RPC deadline, and the\nexecution of your query hasn't finished in the specified\nexecution timeout, you will get a response with partial result.\nOtherwise, your query's execution will continue until the RPC deadline.\nIf it's not finished until then, you will get a DEADLINE_EXCEEDED error.\n\nDefault is empty.",
"format": "google-duration",
"location": "query",
"type": "string"
},
"options.expandGroups": {
"description": "Optional. If true, the identities section of the result will expand any\nGoogle groups appearing in an IAM policy binding.\n\nIf identity_selector is specified, the identity in the result will\nbe determined by the selector, and this flag will have no effect.\n\nDefault is false.",
"location": "query",
"type": "boolean"
},
"options.expandResources": {
"description": "Optional. If true, the resource section of the result will expand any\nresource attached to an IAM policy to include resources lower in the\nresource hierarchy.\n\nFor example, if the request analyzes for which resources user A has\npermission P, and the results include an IAM policy with P on a GCP\nfolder, the results will also include resources in that folder with\npermission P.\n\nIf resource_selector is specified, the resource section of the result\nwill be determined by the selector, and this flag will have no effect.\nDefault is false.",
"location": "query",
"type": "boolean"
},
"options.expandRoles": {
"description": "Optional. If true, the access section of result will expand any roles\nappearing in IAM policy bindings to include their permissions.\n\nIf access_selector is specified, the access section of the result\nwill be determined by the selector, and this flag will have no effect.\n\nDefault is false.",
"location": "query",
"type": "boolean"
},
"options.outputGroupEdges": {
"description": "Optional. If true, the result will output group identity edges, starting\nfrom the binding's group members, to any expanded identities.\nDefault is false.",
"location": "query",
"type": "boolean"
},
"options.outputResourceEdges": {
"description": "Optional. If true, the result will output resource edges, starting\nfrom the policy attached resource, to any expanded resources.\nDefault is false.",
"location": "query",
"type": "boolean"
},
"parent": {
"description": "Required. The relative name of the root asset. Only resources and IAM policies within\nthe parent will be analyzed. This can only be an organization number (such\nas \"organizations/123\") or a folder number (such as \"folders/123\").",
"location": "path",
"pattern": "^[^/]+/[^/]+$",
"required": true,
"type": "string"
}
},
"path": "v1p4beta1/{+parent}:analyzeIamPolicy",
"response": {
"$ref": "AnalyzeIamPolicyResponse"
},
"scopes": [
"https://www.googleapis.com/auth/cloud-platform"
]
},
"exportIamPolicyAnalysis": {
"description": "Exports IAM policy analysis based on the specified request. This API\nimplements the google.longrunning.Operation API allowing you to keep\ntrack of the export. The metadata contains the request to help callers to\nmap responses to requests.",
"flatPath": "v1p4beta1/{v1p4beta1Id}/{v1p4beta1Id1}:exportIamPolicyAnalysis",
"httpMethod": "POST",
"id": "cloudasset.exportIamPolicyAnalysis",
"parameterOrder": [
"parent"
],
"parameters": {
"parent": {
"description": "Required. The relative name of the root asset. Only resources and IAM policies within\nthe parent will be analyzed. This can only be an organization number (such\nas \"organizations/123\") or a folder number (such as \"folders/123\").",
"location": "path",
"pattern": "^[^/]+/[^/]+$",
"required": true,
"type": "string"
}
},
"path": "v1p4beta1/{+parent}:exportIamPolicyAnalysis",
"request": {
"$ref": "ExportIamPolicyAnalysisRequest"
},
"response": {
"$ref": "Operation"
},
"scopes": [
"https://www.googleapis.com/auth/cloud-platform"
]
}
}
}
},
"revision": "20200410",
"rootUrl": "https://cloudasset.googleapis.com/",
"schemas": {
"AccessSelector": {
"description": "Specifies roles and/or permissions to analyze, to determine both the\nidentities possessing them and the resources they control. If multiple\nvalues are specified, results will include identities and resources\nmatching any of them.",
"id": "AccessSelector",
"properties": {
"permissions": {
"description": "Optional. The permissions to appear in result.",
"items": {
"type": "string"
},
"type": "array"
},
"roles": {
"description": "Optional. The roles to appear in result.",
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object"
},
"AnalyzeIamPolicyResponse": {
"description": "A response message for AssetService.AnalyzeIamPolicy.",
"id": "AnalyzeIamPolicyResponse",
"properties": {
"fullyExplored": {
"description": "Represents whether all entries in the main_analysis and\nservice_account_impersonation_analysis have been fully explored to\nanswer the query in the request.",
"type": "boolean"
},
"mainAnalysis": {
"$ref": "IamPolicyAnalysis",
"description": "The main analysis that matches the original request."
},
"nonCriticalErrors": {
"description": "A list of non-critical errors happened during the request handling to\nexplain why `fully_explored` is false, or empty if no error happened.",
"items": {
"$ref": "GoogleCloudAssetV1p4beta1AnalysisState"
},
"type": "array"
},
"serviceAccountImpersonationAnalysis": {
"description": "The service account impersonation analysis if\nAnalyzeIamPolicyRequest.analyze_service_account_impersonation is\nenabled.",
"items": {
"$ref": "IamPolicyAnalysis"
},
"type": "array"
}
},
"type": "object"
},
"Binding": {
"description": "Associates `members` with a `role`.",
"id": "Binding",
"properties": {
"condition": {
"$ref": "Expr",
"description": "The condition that is associated with this binding.\nNOTE: An unsatisfied condition will not allow user access via current\nbinding. Different bindings, including their conditions, are examined\nindependently."
},
"members": {
"description": "Specifies the identities requesting access for a Cloud Platform resource.\n`members` can have the following values:\n\n* `allUsers`: A special identifier that represents anyone who is\n on the internet; with or without a Google account.\n\n* `allAuthenticatedUsers`: A special identifier that represents anyone\n who is authenticated with a Google account or a service account.\n\n* `user:{emailid}`: An email address that represents a specific Google\n account. For example, `alice@example.com` .\n\n\n* `serviceAccount:{emailid}`: An email address that represents a service\n account. For example, `my-other-app@appspot.gserviceaccount.com`.\n\n* `group:{emailid}`: An email address that represents a Google group.\n For example, `admins@example.com`.\n\n* `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique\n identifier) representing a user that has been recently deleted. For\n example, `alice@example.com?uid=123456789012345678901`. If the user is\n recovered, this value reverts to `user:{emailid}` and the recovered user\n retains the role in the binding.\n\n* `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus\n unique identifier) representing a service account that has been recently\n deleted. For example,\n `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.\n If the service account is undeleted, this value reverts to\n `serviceAccount:{emailid}` and the undeleted service account retains the\n role in the binding.\n\n* `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique\n identifier) representing a Google group that has been recently\n deleted. For example, `admins@example.com?uid=123456789012345678901`. If\n the group is recovered, this value reverts to `group:{emailid}` and the\n recovered group retains the role in the binding.\n\n\n* `domain:{domain}`: The G Suite domain (primary) that represents all the\n users of that domain. For example, `google.com` or `example.com`.\n\n",
"items": {
"type": "string"
},
"type": "array"
},
"role": {
"description": "Role that is assigned to `members`.\nFor example, `roles/viewer`, `roles/editor`, or `roles/owner`.",
"type": "string"
}
},
"type": "object"
},
"ExportIamPolicyAnalysisRequest": {
"description": "A request message for AssetService.ExportIamPolicyAnalysis.",
"id": "ExportIamPolicyAnalysisRequest",
"properties": {
"analysisQuery": {
"$ref": "IamPolicyAnalysisQuery",
"description": "Required. The request query."
},
"options": {
"$ref": "Options",
"description": "Optional. The request options."
},
"outputConfig": {
"$ref": "IamPolicyAnalysisOutputConfig",
"description": "Required. Output configuration indicating where the results will be output to."
}
},
"type": "object"
},
"Expr": {
"description": "Represents a textual expression in the Common Expression Language (CEL)\nsyntax. CEL is a C-like expression language. The syntax and semantics of CEL\nare documented at https://github.com/google/cel-spec.\n\nExample (Comparison):\n\n title: \"Summary size limit\"\n description: \"Determines if a summary is less than 100 chars\"\n expression: \"document.summary.size() \u003c 100\"\n\nExample (Equality):\n\n title: \"Requestor is owner\"\n description: \"Determines if requestor is the document owner\"\n expression: \"document.owner == request.auth.claims.email\"\n\nExample (Logic):\n\n title: \"Public documents\"\n description: \"Determine whether the document should be publicly visible\"\n expression: \"document.type != 'private' \u0026\u0026 document.type != 'internal'\"\n\nExample (Data Manipulation):\n\n title: \"Notification string\"\n description: \"Create a notification string with a timestamp.\"\n expression: \"'New message received at ' + string(document.create_time)\"\n\nThe exact variables and functions that may be referenced within an expression\nare determined by the service that evaluates it. See the service\ndocumentation for additional information.",
"id": "Expr",
"properties": {
"description": {
"description": "Optional. Description of the expression. This is a longer text which\ndescribes the expression, e.g. when hovered over it in a UI.",
"type": "string"
},
"expression": {
"description": "Textual representation of an expression in Common Expression Language\nsyntax.",
"type": "string"
},
"location": {
"description": "Optional. String indicating the location of the expression for error\nreporting, e.g. a file name and a position in the file.",
"type": "string"
},
"title": {
"description": "Optional. Title for the expression, i.e. a short string describing\nits purpose. This can be used e.g. in UIs which allow to enter the\nexpression.",
"type": "string"
}
},
"type": "object"
},
"GcsDestination": {
"description": "A Cloud Storage location.",
"id": "GcsDestination",
"properties": {
"uri": {
"description": "Required. The uri of the Cloud Storage object. It's the same uri that is used by\ngsutil. For example: \"gs://bucket_name/object_name\". See [Viewing and\nEditing Object\nMetadata](https://cloud.google.com/storage/docs/viewing-editing-metadata)\nfor more information.",
"type": "string"
}
},
"type": "object"
},
"GoogleCloudAssetV1p4beta1Access": {
"description": "A role or permission that appears in an access control list.",
"id": "GoogleCloudAssetV1p4beta1Access",
"properties": {
"analysisState": {
"$ref": "GoogleCloudAssetV1p4beta1AnalysisState",
"description": "The analysis state of this access node."
},
"permission": {
"description": "The permission.",
"type": "string"
},
"role": {
"description": "The role.",
"type": "string"
}
},
"type": "object"
},
"GoogleCloudAssetV1p4beta1AccessControlList": {
"description": "An access control list, derived from the above IAM policy binding, which\ncontains a set of resources and accesses. May include one\nitem from each set to compose an access control entry.\n\nNOTICE that there could be multiple access control lists for one IAM policy\nbinding. The access control lists are created based on resource and access\ncombinations.\n\nFor example, assume we have the following cases in one IAM policy binding:\n- Permission P1 and P2 apply to resource R1 and R2;\n- Permission P3 applies to resource R2 and R3;\n\nThis will result in the following access control lists:\n- AccessControlList 1: [R1, R2], [P1, P2]\n- AccessControlList 2: [R2, R3], [P3]",
"id": "GoogleCloudAssetV1p4beta1AccessControlList",
"properties": {
"accesses": {
"description": "The accesses that match one of the following conditions:\n- The access_selector, if it is specified in request;\n- Otherwise, access specifiers reachable from the policy binding's role.",
"items": {
"$ref": "GoogleCloudAssetV1p4beta1Access"
},
"type": "array"
},
"resourceEdges": {
"description": "Resource edges of the graph starting from the policy attached\nresource to any descendant resources. The Edge.source_node contains\nthe full resource name of a parent resource and Edge.target_node\ncontains the full resource name of a child resource. This field is\npresent only if the output_resource_edges option is enabled in request.",
"items": {
"$ref": "GoogleCloudAssetV1p4beta1Edge"
},
"type": "array"
},
"resources": {
"description": "The resources that match one of the following conditions:\n- The resource_selector, if it is specified in request;\n- Otherwise, resources reachable from the policy attached resource.",
"items": {
"$ref": "GoogleCloudAssetV1p4beta1Resource"
},
"type": "array"
}
},
"type": "object"
},
"GoogleCloudAssetV1p4beta1AnalysisState": {
"description": "Represents analysis state of each node in the result graph or non-critical\nerrors in the response.",
"id": "GoogleCloudAssetV1p4beta1AnalysisState",
"properties": {
"cause": {
"description": "The human-readable description of the cause of failure.",
"type": "string"
},
"code": {
"description": "The Google standard error code that best describes the state.\nFor example:\n- OK means the node has been successfully explored;\n- PERMISSION_DENIED means an access denied error is encountered;\n- DEADLINE_EXCEEDED means the node hasn't been explored in time;",
"enum": [
"OK",
"CANCELLED",
"UNKNOWN",
"INVALID_ARGUMENT",
"DEADLINE_EXCEEDED",
"NOT_FOUND",
"ALREADY_EXISTS",
"PERMISSION_DENIED",
"UNAUTHENTICATED",
"RESOURCE_EXHAUSTED",
"FAILED_PRECONDITION",
"ABORTED",
"OUT_OF_RANGE",
"UNIMPLEMENTED",
"INTERNAL",
"UNAVAILABLE",
"DATA_LOSS"
],
"enumDescriptions": [
"Not an error; returned on success\n\nHTTP Mapping: 200 OK",
"The operation was cancelled, typically by the caller.\n\nHTTP Mapping: 499 Client Closed Request",
"Unknown error. For example, this error may be returned when\na `Status` value received from another address space belongs to\nan error space that is not known in this address space. Also\nerrors raised by APIs that do not return enough error information\nmay be converted to this error.\n\nHTTP Mapping: 500 Internal Server Error",
"The client specified an invalid argument. Note that this differs\nfrom `FAILED_PRECONDITION`. `INVALID_ARGUMENT` indicates arguments\nthat are problematic regardless of the state of the system\n(e.g., a malformed file name).\n\nHTTP Mapping: 400 Bad Request",
"The deadline expired before the operation could complete. For operations\nthat change the state of the system, this error may be returned\neven if the operation has completed successfully. For example, a\nsuccessful response from a server could have been delayed long\nenough for the deadline to expire.\n\nHTTP Mapping: 504 Gateway Timeout",
"Some requested entity (e.g., file or directory) was not found.\n\nNote to server developers: if a request is denied for an entire class\nof users, such as gradual feature rollout or undocumented whitelist,\n`NOT_FOUND` may be used. If a request is denied for some users within\na class of users, such as user-based access control, `PERMISSION_DENIED`\nmust be used.\n\nHTTP Mapping: 404 Not Found",
"The entity that a client attempted to create (e.g., file or directory)\nalready exists.\n\nHTTP Mapping: 409 Conflict",
"The caller does not have permission to execute the specified\noperation. `PERMISSION_DENIED` must not be used for rejections\ncaused by exhausting some resource (use `RESOURCE_EXHAUSTED`\ninstead for those errors). `PERMISSION_DENIED` must not be\nused if the caller can not be identified (use `UNAUTHENTICATED`\ninstead for those errors). This error code does not imply the\nrequest is valid or the requested entity exists or satisfies\nother pre-conditions.\n\nHTTP Mapping: 403 Forbidden",
"The request does not have valid authentication credentials for the\noperation.\n\nHTTP Mapping: 401 Unauthorized",
"Some resource has been exhausted, perhaps a per-user quota, or\nperhaps the entire file system is out of space.\n\nHTTP Mapping: 429 Too Many Requests",
"The operation was rejected because the system is not in a state\nrequired for the operation's execution. For example, the directory\nto be deleted is non-empty, an rmdir operation is applied to\na non-directory, etc.\n\nService implementors can use the following guidelines to decide\nbetween `FAILED_PRECONDITION`, `ABORTED`, and `UNAVAILABLE`:\n (a) Use `UNAVAILABLE` if the client can retry just the failing call.\n (b) Use `ABORTED` if the client should retry at a higher level\n (e.g., when a client-specified test-and-set fails, indicating the\n client should restart a read-modify-write sequence).\n (c) Use `FAILED_PRECONDITION` if the client should not retry until\n the system state has been explicitly fixed. E.g., if an \"rmdir\"\n fails because the directory is non-empty, `FAILED_PRECONDITION`\n should be returned since the client should not retry unless\n the files are deleted from the directory.\n\nHTTP Mapping: 400 Bad Request",
"The operation was aborted, typically due to a concurrency issue such as\na sequencer check failure or transaction abort.\n\nSee the guidelines above for deciding between `FAILED_PRECONDITION`,\n`ABORTED`, and `UNAVAILABLE`.\n\nHTTP Mapping: 409 Conflict",
"The operation was attempted past the valid range. E.g., seeking or\nreading past end-of-file.\n\nUnlike `INVALID_ARGUMENT`, this error indicates a problem that may\nbe fixed if the system state changes. For example, a 32-bit file\nsystem will generate `INVALID_ARGUMENT` if asked to read at an\noffset that is not in the range [0,2^32-1], but it will generate\n`OUT_OF_RANGE` if asked to read from an offset past the current\nfile size.\n\nThere is a fair bit of overlap between `FAILED_PRECONDITION` and\n`OUT_OF_RANGE`. We recommend using `OUT_OF_RANGE` (the more specific\nerror) when it applies so that callers who are iterating through\na space can easily look for an `OUT_OF_RANGE` error to detect when\nthey are done.\n\nHTTP Mapping: 400 Bad Request",
"The operation is not implemented or is not supported/enabled in this\nservice.\n\nHTTP Mapping: 501 Not Implemented",
"Internal errors. This means that some invariants expected by the\nunderlying system have been broken. This error code is reserved\nfor serious errors.\n\nHTTP Mapping: 500 Internal Server Error",
"The service is currently unavailable. This is most likely a\ntransient condition, which can be corrected by retrying with\na backoff. Note that it is not always safe to retry\nnon-idempotent operations.\n\nSee the guidelines above for deciding between `FAILED_PRECONDITION`,\n`ABORTED`, and `UNAVAILABLE`.\n\nHTTP Mapping: 503 Service Unavailable",
"Unrecoverable data loss or corruption.\n\nHTTP Mapping: 500 Internal Server Error"
],
"type": "string"
}
},
"type": "object"
},
"GoogleCloudAssetV1p4beta1Edge": {
"description": "A directional edge.",
"id": "GoogleCloudAssetV1p4beta1Edge",
"properties": {
"sourceNode": {
"description": "The source node of the edge.",
"type": "string"
},
"targetNode": {
"description": "The target node of the edge.",
"type": "string"
}
},
"type": "object"
},
"GoogleCloudAssetV1p4beta1Identity": {
"description": "An identity that appears in an access control list.",
"id": "GoogleCloudAssetV1p4beta1Identity",
"properties": {
"analysisState": {
"$ref": "GoogleCloudAssetV1p4beta1AnalysisState",
"description": "The analysis state of this identity node."
},
"name": {
"description": "The identity name in any form of members appear in\n[IAM policy\nbinding](https://cloud.google.com/iam/reference/rest/v1/Binding), such\nas:\n- user:foo@google.com\n- group:group1@google.com\n- serviceAccount:s1@prj1.iam.gserviceaccount.com\n- projectOwner:some_project_id\n- domain:google.com\n- allUsers\n- etc.",
"type": "string"
}
},
"type": "object"
},
"GoogleCloudAssetV1p4beta1IdentityList": {
"id": "GoogleCloudAssetV1p4beta1IdentityList",
"properties": {
"groupEdges": {
"description": "Group identity edges of the graph starting from the binding's\ngroup members to any node of the identities. The Edge.source_node\ncontains a group, such as \"group:parent@google.com\". The\nEdge.target_node contains a member of the group,\nsuch as \"group:child@google.com\" or \"user:foo@google.com\".\nThis field is present only if the output_group_edges option is enabled in\nrequest.",
"items": {
"$ref": "GoogleCloudAssetV1p4beta1Edge"
},
"type": "array"
},
"identities": {
"description": "Only the identities that match one of the following conditions will be\npresented:\n- The identity_selector, if it is specified in request;\n- Otherwise, identities reachable from the policy binding's members.",
"items": {
"$ref": "GoogleCloudAssetV1p4beta1Identity"
},
"type": "array"
}
},
"type": "object"
},
"GoogleCloudAssetV1p4beta1Resource": {
"description": "A GCP resource that appears in an access control list.",
"id": "GoogleCloudAssetV1p4beta1Resource",
"properties": {
"analysisState": {
"$ref": "GoogleCloudAssetV1p4beta1AnalysisState",
"description": "The analysis state of this resource node."
},
"fullResourceName": {
"description": "The [full resource name](https://aip.dev/122#full-resource-names).",
"type": "string"
}
},
"type": "object"
},
"IamPolicyAnalysis": {
"description": "An analysis message to group the query and results.",
"id": "IamPolicyAnalysis",
"properties": {
"analysisQuery": {
"$ref": "IamPolicyAnalysisQuery",
"description": "The analysis query."
},
"analysisResults": {
"description": "A list of IamPolicyAnalysisResult that matches the analysis query, or\nempty if no result is found.",
"items": {
"$ref": "IamPolicyAnalysisResult"
},
"type": "array"
},
"fullyExplored": {
"description": "Represents whether all entries in the analysis_results have been\nfully explored to answer the query.",
"type": "boolean"
}
},
"type": "object"
},
"IamPolicyAnalysisOutputConfig": {
"description": "Output configuration for export IAM policy analysis destination.",
"id": "IamPolicyAnalysisOutputConfig",
"properties": {
"gcsDestination": {
"$ref": "GcsDestination",
"description": "Destination on Cloud Storage."
}
},
"type": "object"
},
"IamPolicyAnalysisQuery": {
"description": "IAM policy analysis query message.",
"id": "IamPolicyAnalysisQuery",
"properties": {
"accessSelector": {
"$ref": "AccessSelector",
"description": "Optional. Specifies roles or permissions for analysis. Leaving it empty\nmeans ANY."
},
"identitySelector": {
"$ref": "IdentitySelector",
"description": "Optional. Specifies an identity for analysis. Leaving it empty means ANY."
},
"parent": {
"description": "Required. The relative name of the root asset. Only resources and IAM policies within\nthe parent will be analyzed. This can only be an organization number (such\nas \"organizations/123\") or a folder number (such as \"folders/123\").",
"type": "string"
},
"resourceSelector": {
"$ref": "ResourceSelector",
"description": "Optional. Specifies a resource for analysis. Leaving it empty means ANY."
}
},
"type": "object"
},
"IamPolicyAnalysisResult": {
"description": "IAM Policy analysis result, consisting of one IAM policy binding and derived\naccess control lists.",
"id": "IamPolicyAnalysisResult",
"properties": {
"accessControlLists": {
"description": "The access control lists derived from the iam_binding that match or\npotentially match resource and access selectors specified in the request.",
"items": {
"$ref": "GoogleCloudAssetV1p4beta1AccessControlList"
},
"type": "array"
},
"attachedResourceFullName": {
"description": "The full name of the resource to which the iam_binding policy attaches.",
"type": "string"
},
"fullyExplored": {
"description": "Represents whether all nodes in the transitive closure of the\niam_binding node have been explored.",
"type": "boolean"
},
"iamBinding": {
"$ref": "Binding",
"description": "The Cloud IAM policy binding under analysis."
},
"identityList": {
"$ref": "GoogleCloudAssetV1p4beta1IdentityList",
"description": "The identity list derived from members of the iam_binding that match or\npotentially match identity selector specified in the request."
}
},
"type": "object"
},
"IdentitySelector": {
"description": "Specifies an identity for which to determine resource access, based on\nroles assigned either directly to them or to the groups they belong to,\ndirectly or indirectly.",
"id": "IdentitySelector",
"properties": {
"identity": {
"description": "Required. The identity appear in the form of members in\n[IAM policy\nbinding](https://cloud.google.com/iam/reference/rest/v1/Binding).",
"type": "string"
}
},
"type": "object"
},
"Operation": {
"description": "This resource represents a long-running operation that is the result of a\nnetwork API call.",
"id": "Operation",
"properties": {
"done": {
"description": "If the value is `false`, it means the operation is still in progress.\nIf `true`, the operation is completed, and either `error` or `response` is\navailable.",
"type": "boolean"
},
"error": {
"$ref": "Status",
"description": "The error result of the operation in case of failure or cancellation."
},
"metadata": {
"additionalProperties": {
"description": "Properties of the object. Contains field @type with type URL.",
"type": "any"
},
"description": "Service-specific metadata associated with the operation. It typically\ncontains progress information and common metadata such as create time.\nSome services might not provide such metadata. Any method that returns a\nlong-running operation should document the metadata type, if any.",
"type": "object"
},
"name": {
"description": "The server-assigned name, which is only unique within the same service that\noriginally returns it. If you use the default HTTP mapping, the\n`name` should be a resource name ending with `operations/{unique_id}`.",
"type": "string"
},
"response": {
"additionalProperties": {
"description": "Properties of the object. Contains field @type with type URL.",
"type": "any"
},
"description": "The normal response of the operation in case of success. If the original\nmethod returns no data on success, such as `Delete`, the response is\n`google.protobuf.Empty`. If the original method is standard\n`Get`/`Create`/`Update`, the response should be the resource. For other\nmethods, the response should have the type `XxxResponse`, where `Xxx`\nis the original method name. For example, if the original method name\nis `TakeSnapshot()`, the inferred response type is\n`TakeSnapshotResponse`.",
"type": "object"
}
},
"type": "object"
},
"Options": {
"description": "Contains request options.",
"id": "Options",
"properties": {
"analyzeServiceAccountImpersonation": {
"description": "Optional. If true, the response will include access analysis from identities to\nresources via service account impersonation. This is a very expensive\noperation, because many derived queries will be executed.\n\nFor example, if the request analyzes for which resources user A has\npermission P, and there's an IAM policy states user A has\niam.serviceAccounts.getAccessToken permission to a service account SA,\nand there's another IAM policy states service account SA has permission P\nto a GCP folder F, then user A potentially has access to the GCP folder\nF. And those advanced analysis results will be included in\nAnalyzeIamPolicyResponse.service_account_impersonation_analysis.\n\nAnother example, if the request analyzes for who has\npermission P to a GCP folder F, and there's an IAM policy states user A\nhas iam.serviceAccounts.actAs permission to a service account SA, and\nthere's another IAM policy states service account SA has permission P to\nthe GCP folder F, then user A potentially has access to the GCP folder\nF. And those advanced analysis results will be included in\nAnalyzeIamPolicyResponse.service_account_impersonation_analysis.\n\nDefault is false.",
"type": "boolean"
},
"expandGroups": {
"description": "Optional. If true, the identities section of the result will expand any\nGoogle groups appearing in an IAM policy binding.\n\nIf identity_selector is specified, the identity in the result will\nbe determined by the selector, and this flag will have no effect.\n\nDefault is false.",
"type": "boolean"
},
"expandResources": {
"description": "Optional. If true, the resource section of the result will expand any\nresource attached to an IAM policy to include resources lower in the\nresource hierarchy.\n\nFor example, if the request analyzes for which resources user A has\npermission P, and the results include an IAM policy with P on a GCP\nfolder, the results will also include resources in that folder with\npermission P.\n\nIf resource_selector is specified, the resource section of the result\nwill be determined by the selector, and this flag will have no effect.\nDefault is false.",
"type": "boolean"
},
"expandRoles": {
"description": "Optional. If true, the access section of result will expand any roles\nappearing in IAM policy bindings to include their permissions.\n\nIf access_selector is specified, the access section of the result\nwill be determined by the selector, and this flag will have no effect.\n\nDefault is false.",
"type": "boolean"
},
"outputGroupEdges": {
"description": "Optional. If true, the result will output group identity edges, starting\nfrom the binding's group members, to any expanded identities.\nDefault is false.",
"type": "boolean"
},
"outputResourceEdges": {
"description": "Optional. If true, the result will output resource edges, starting\nfrom the policy attached resource, to any expanded resources.\nDefault is false.",
"type": "boolean"
}
},
"type": "object"
},
"ResourceSelector": {
"description": "Specifies the resource to analyze for access policies, which may be set\ndirectly on the resource, or on ancestors such as organizations, folders or\nprojects. At least one of ResourceSelector, IdentitySelector or\nAccessSelector must be specified in a request.",
"id": "ResourceSelector",
"properties": {
"fullResourceName": {
"description": "Required. The [full resource\nname](https://cloud.google.com/apis/design/resource_names#full_resource_name)\n.",
"type": "string"
}
},
"type": "object"
},
"Status": {
"description": "The `Status` type defines a logical error model that is suitable for\ndifferent programming environments, including REST APIs and RPC APIs. It is\nused by [gRPC](https://github.com/grpc). Each `Status` message contains\nthree pieces of data: error code, error message, and error details.\n\nYou can find out more about this error model and how to work with it in the\n[API Design Guide](https://cloud.google.com/apis/design/errors).",
"id": "Status",
"properties": {
"code": {
"description": "The status code, which should be an enum value of google.rpc.Code.",
"format": "int32",
"type": "integer"
},
"details": {
"description": "A list of messages that carry the error details. There is a common set of\nmessage types for APIs to use.",
"items": {
"additionalProperties": {
"description": "Properties of the object. Contains field @type with type URL.",
"type": "any"
},
"type": "object"
},
"type": "array"
},
"message": {
"description": "A developer-facing error message, which should be in English. Any\nuser-facing error message should be localized and sent in the\ngoogle.rpc.Status.details field, or localized by the client.",
"type": "string"
}
},
"type": "object"
}
},
"servicePath": "",
"title": "Cloud Asset API",
"version": "v1p4beta1",
"version_module": true
}