1// Copyright 2021 Google LLC.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5// Code generated file. DO NOT EDIT.
6
7// Package policytroubleshooter provides access to the Policy Troubleshooter API.
8//
9// For product documentation, see: https://cloud.google.com/iam/
10//
11// Creating a client
12//
13// Usage example:
14//
15//   import "google.golang.org/api/policytroubleshooter/v1beta"
16//   ...
17//   ctx := context.Background()
18//   policytroubleshooterService, err := policytroubleshooter.NewService(ctx)
19//
20// In this example, Google Application Default Credentials are used for authentication.
21//
22// For information on how to create and obtain Application Default Credentials, see https://developers.google.com/identity/protocols/application-default-credentials.
23//
24// Other authentication options
25//
26// To use an API key for authentication (note: some APIs do not support API keys), use option.WithAPIKey:
27//
28//   policytroubleshooterService, err := policytroubleshooter.NewService(ctx, option.WithAPIKey("AIza..."))
29//
30// To use an OAuth token (e.g., a user token obtained via a three-legged OAuth flow), use option.WithTokenSource:
31//
32//   config := &oauth2.Config{...}
33//   // ...
34//   token, err := config.Exchange(ctx, ...)
35//   policytroubleshooterService, err := policytroubleshooter.NewService(ctx, option.WithTokenSource(config.TokenSource(ctx, token)))
36//
37// See https://godoc.org/google.golang.org/api/option/ for details on options.
38package policytroubleshooter // import "google.golang.org/api/policytroubleshooter/v1beta"
39
40import (
41	"bytes"
42	"context"
43	"encoding/json"
44	"errors"
45	"fmt"
46	"io"
47	"net/http"
48	"net/url"
49	"strconv"
50	"strings"
51
52	googleapi "google.golang.org/api/googleapi"
53	gensupport "google.golang.org/api/internal/gensupport"
54	option "google.golang.org/api/option"
55	internaloption "google.golang.org/api/option/internaloption"
56	htransport "google.golang.org/api/transport/http"
57)
58
// Keep every imported package referenced so the file still compiles
// when the generated code below happens not to use one of them.
var (
	_ = bytes.NewBuffer
	_ = strconv.Itoa
	_ = fmt.Sprintf
	_ = json.NewDecoder
	_ = io.Copy
	_ = url.Parse
	_ = gensupport.MarshalJSON
	_ = googleapi.Version
	_ = errors.New
	_ = strings.Replace
	_ = context.Canceled
	_ = internaloption.WithDefaultEndpoint
)
73
// Identity and endpoints of the API this client talks to.
const (
	// apiId, apiName and apiVersion identify the API and its version.
	apiId      = "policytroubleshooter:v1beta"
	apiName    = "policytroubleshooter"
	apiVersion = "v1beta"

	// basePath is the default HTTPS endpoint; New stores it in
	// Service.BasePath.
	basePath = "https://policytroubleshooter.googleapis.com/"

	// mtlsBasePath is the endpoint NewService registers as the default
	// for mutual-TLS transports.
	mtlsBasePath = "https://policytroubleshooter.mtls.googleapis.com/"
)
79
// OAuth2 scopes used by this API.

// CloudPlatformScope allows the holder to see, edit, configure, and
// delete Google Cloud Platform data. It is the only scope declared in
// this package and is not specific to Policy Troubleshooter, so a token
// carrying it should be handled as broadly privileged.
const CloudPlatformScope = "https://www.googleapis.com/auth/cloud-platform"
85
// NewService creates a new Service whose HTTP client is built by
// htransport.NewClient from the supplied options.
//
// Three defaults are added around the caller's options: the
// cloud-platform OAuth2 scope is placed first, so that scopes the caller
// specifies are not overridden, and the default and mTLS endpoints are
// appended after them. If the transport reports a non-empty endpoint, it
// replaces the Service's BasePath.
//
// Any error from the transport or from New is returned unchanged with a
// nil Service.
func NewService(ctx context.Context, opts ...option.ClientOption) (*Service, error) {
	// Two defaults follow the caller's options and one precedes them.
	all := make([]option.ClientOption, 0, len(opts)+3)
	// Default scope goes in front: user-specified scopes must not be overridden.
	all = append(all, option.WithScopes(
		"https://www.googleapis.com/auth/cloud-platform",
	))
	all = append(all, opts...)
	all = append(all,
		internaloption.WithDefaultEndpoint(basePath),
		internaloption.WithDefaultMTLSEndpoint(mtlsBasePath),
	)

	httpClient, endpoint, err := htransport.NewClient(ctx, all...)
	if err != nil {
		return nil, err
	}

	svc, err := New(httpClient)
	if err != nil {
		return nil, err
	}

	// An empty endpoint leaves the BasePath chosen by New in place.
	if endpoint != "" {
		svc.BasePath = endpoint
	}
	return svc, nil
}
108
// New creates a new Service that sends its requests through the given
// http.Client. The Service starts with BasePath set to the package
// default and with its Iam field populated. A nil client is rejected
// with an error.
//
// Deprecated: please use NewService instead.
// To provide a custom HTTP client, use option.WithHTTPClient.
// If you are using google.golang.org/api/googleapis/transport.APIKey, use option.WithAPIKey with NewService instead.
func New(client *http.Client) (*Service, error) {
	if client == nil {
		return nil, errors.New("client is nil")
	}

	svc := new(Service)
	svc.client = client
	svc.BasePath = basePath
	// The sub-service keeps a pointer back to svc, so it is wired up
	// only after svc exists.
	svc.Iam = NewIamService(svc)
	return svc, nil
}
122
// Service is the root client object for the Policy Troubleshooter API.
// New fills in client, BasePath and Iam; NewService may then replace
// BasePath with the endpoint reported by the transport.
type Service struct {
	// client is the HTTP client supplied to New.
	client *http.Client
	// BasePath is exported and writable.
	// NOTE(review): presumably requests made through client, including
	// any credentials it attaches, are sent to this URL, so it should
	// not be populated from untrusted input. Confirm against the call
	// code.
	BasePath  string // API endpoint base URL
	UserAgent string // optional additional User-Agent fragment

	// Iam is the sub-service created by NewIamService.
	Iam *IamService
}
130
// userAgent returns the User-Agent value for this Service: the library's
// googleapi.UserAgent, followed by a space and s.UserAgent when the
// caller has set one.
func (s *Service) userAgent() string {
	ua := googleapi.UserAgent
	if s.UserAgent != "" {
		ua += " " + s.UserAgent
	}
	return ua
}
137
// NewIamService returns an IamService that keeps a pointer back to the
// given parent Service.
func NewIamService(s *Service) *IamService {
	return &IamService{s: s}
}
142
// IamService is the handle stored in Service.Iam. It keeps a pointer
// back to the Service that created it (see NewIamService).
type IamService struct {
	// s is the parent Service passed to NewIamService.
	s *Service
}
146
// GoogleCloudPolicytroubleshooterV1betaAccessTuple: Information about
// the member, resource, and permission to check.
//
// All three data fields are documented as required, yet each is tagged
// `omitempty`: an empty value is left out of the request body rather
// than rejected by this client (unless named in ForceSendFields).
// Callers should check that the fields are populated before sending.
type GoogleCloudPolicytroubleshooterV1betaAccessTuple struct {
	// FullResourceName: Required. The full resource name that identifies
	// the resource. For example,
	// `//compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/my-instance`.
	// For examples of full resource names for Google Cloud services, see
	// https://cloud.google.com/iam/help/troubleshooter/full-resource-names.
	FullResourceName string `json:"fullResourceName,omitempty"`

	// Permission: Required. The IAM permission to check for the specified
	// member and resource. For a complete list of IAM permissions, see
	// https://cloud.google.com/iam/help/permissions/reference. For a
	// complete list of predefined IAM roles and the permissions in each
	// role, see https://cloud.google.com/iam/help/roles/reference.
	Permission string `json:"permission,omitempty"`

	// Principal: Required. The member, or principal, whose access you want
	// to check, in the form of the email address that represents that
	// member. For example, `alice@example.com` or
	// `my-service-account@my-project.iam.gserviceaccount.com`. The member
	// must be a Google Account or a service account. Other types of members
	// are not supported.
	Principal string `json:"principal,omitempty"`

	// ForceSendFields is a list of field names (e.g. "FullResourceName") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "FullResourceName") to
	// include in API requests with the JSON null value. By default, fields
	// with empty values are omitted from API requests. However, any field
	// with an empty value appearing in NullFields will be sent to the
	// server as null. It is an error if a field in this list has a
	// non-empty value. This may be used to include null fields in Patch
	// requests.
	NullFields []string `json:"-"`
}
190
// MarshalJSON encodes the access tuple through gensupport.MarshalJSON,
// handing it the ForceSendFields and NullFields lists alongside the
// value.
func (s *GoogleCloudPolicytroubleshooterV1betaAccessTuple) MarshalJSON() ([]byte, error) {
	// NoMethod has the same fields but no methods (a defined type does
	// not inherit them), presumably so the encoder does not re-enter
	// this MarshalJSON.
	type NoMethod GoogleCloudPolicytroubleshooterV1betaAccessTuple
	return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields)
}
196
// GoogleCloudPolicytroubleshooterV1betaBindingExplanation: Details
// about how a binding in a policy affects a member's ability to use a
// permission.
type GoogleCloudPolicytroubleshooterV1betaBindingExplanation struct {
	// Access: Indicates whether _this binding_ provides the specified
	// permission to the specified member for the specified resource. This
	// field does _not_ indicate whether the member actually has the
	// permission for the resource. There might be another binding that
	// overrides this binding. To determine whether the member actually has
	// the permission, use the `access` field in the
	// TroubleshootIamPolicyResponse.
	//
	// Possible values:
	//   "ACCESS_STATE_UNSPECIFIED" - Reserved for future use.
	//   "GRANTED" - The member has the permission.
	//   "NOT_GRANTED" - The member does not have the permission.
	//   "UNKNOWN_CONDITIONAL" - The member has the permission only if a
	// condition expression evaluates to `true`.
	//   "UNKNOWN_INFO_DENIED" - The sender of the request does not have
	// access to all of the policies that Policy Troubleshooter needs to
	// evaluate.
	//
	// The two UNKNOWN_* values are neither a grant nor a denial:
	// "UNKNOWN_INFO_DENIED" in particular means the evaluation was
	// incomplete, so it should not be read as absence of access.
	Access string `json:"access,omitempty"`

	// Condition: A condition expression that prevents access unless the
	// expression evaluates to `true`. To learn about IAM Conditions, see
	// https://cloud.google.com/iam/help/conditions/overview.
	Condition *GoogleTypeExpr `json:"condition,omitempty"`

	// Memberships: Indicates whether each member in the binding includes
	// the member specified in the request, either directly or indirectly.
	// Each key identifies a member in the binding, and each value indicates
	// whether the member in the binding includes the member in the request.
	// For example, suppose that a binding includes the following members:
	//   * `user:alice@example.com`
	//   * `group:product-eng@example.com`
	// You want to troubleshoot access for `user:bob@example.com`. This
	// user is a member of the group `group:product-eng@example.com`. For
	// the first member in the binding, the key is
	// `user:alice@example.com`, and the `membership` field in the value is
	// set to `MEMBERSHIP_NOT_INCLUDED`. For the second member in the
	// binding, the key is `group:product-eng@example.com`, and the
	// `membership` field in the value is set to `MEMBERSHIP_INCLUDED`.
	Memberships map[string]GoogleCloudPolicytroubleshooterV1betaBindingExplanationAnnotatedMembership `json:"memberships,omitempty"`

	// Relevance: The relevance of this binding to the overall determination
	// for the entire policy.
	//
	// Possible values:
	//   "HEURISTIC_RELEVANCE_UNSPECIFIED" - Reserved for future use.
	//   "NORMAL" - The data point has a limited effect on the result.
	// Changing the data point is unlikely to affect the overall
	// determination.
	//   "HIGH" - The data point has a strong effect on the result. Changing
	// the data point is likely to affect the overall determination.
	Relevance string `json:"relevance,omitempty"`

	// Role: The role that this binding grants. For example,
	// `roles/compute.serviceAgent`. For a complete list of predefined IAM
	// roles, as well as the permissions in each role, see
	// https://cloud.google.com/iam/help/roles/reference.
	Role string `json:"role,omitempty"`

	// RolePermission: Indicates whether the role granted by this binding
	// contains the specified permission.
	//
	// Possible values:
	//   "ROLE_PERMISSION_UNSPECIFIED" - Reserved for future use.
	//   "ROLE_PERMISSION_INCLUDED" - The permission is included in the
	// role.
	//   "ROLE_PERMISSION_NOT_INCLUDED" - The permission is not included in
	// the role.
	//   "ROLE_PERMISSION_UNKNOWN_INFO_DENIED" - The sender of the request
	// is not allowed to access the binding.
	RolePermission string `json:"rolePermission,omitempty"`

	// RolePermissionRelevance: The relevance of the permission's existence,
	// or nonexistence, in the role to the overall determination for the
	// entire policy.
	//
	// Possible values:
	//   "HEURISTIC_RELEVANCE_UNSPECIFIED" - Reserved for future use.
	//   "NORMAL" - The data point has a limited effect on the result.
	// Changing the data point is unlikely to affect the overall
	// determination.
	//   "HIGH" - The data point has a strong effect on the result. Changing
	// the data point is likely to affect the overall determination.
	RolePermissionRelevance string `json:"rolePermissionRelevance,omitempty"`

	// ForceSendFields is a list of field names (e.g. "Access") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "Access") to include in API
	// requests with the JSON null value. By default, fields with empty
	// values are omitted from API requests. However, any field with an
	// empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}
300
// MarshalJSON encodes the binding explanation through
// gensupport.MarshalJSON, handing it the ForceSendFields and NullFields
// lists alongside the value.
func (s *GoogleCloudPolicytroubleshooterV1betaBindingExplanation) MarshalJSON() ([]byte, error) {
	// NoMethod has the same fields but no methods (a defined type does
	// not inherit them), presumably so the encoder does not re-enter
	// this MarshalJSON.
	type NoMethod GoogleCloudPolicytroubleshooterV1betaBindingExplanation
	return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields)
}
306
// GoogleCloudPolicytroubleshooterV1betaBindingExplanationAnnotatedMembership:
// Details about whether the binding includes the member.
type GoogleCloudPolicytroubleshooterV1betaBindingExplanationAnnotatedMembership struct {
	// Membership: Indicates whether the binding includes the member.
	//
	// Possible values:
	//   "MEMBERSHIP_UNSPECIFIED" - Reserved for future use.
	//   "MEMBERSHIP_INCLUDED" - The binding includes the member. The member
	// can be included directly or indirectly. For example: * A member is
	// included directly if that member is listed in the binding. * A member
	// is included indirectly if that member is in a Google group or G Suite
	// domain that is listed in the binding.
	//   "MEMBERSHIP_NOT_INCLUDED" - The binding does not include the
	// member.
	//   "MEMBERSHIP_UNKNOWN_INFO_DENIED" - The sender of the request is not
	// allowed to access the binding.
	//   "MEMBERSHIP_UNKNOWN_UNSUPPORTED" - The member is an unsupported
	// type. Only Google Accounts and service accounts are supported.
	//
	// The two MEMBERSHIP_UNKNOWN_* values leave membership undetermined;
	// they do not establish that the member is outside the binding.
	Membership string `json:"membership,omitempty"`

	// Relevance: The relevance of the member's status to the overall
	// determination for the binding.
	//
	// Possible values:
	//   "HEURISTIC_RELEVANCE_UNSPECIFIED" - Reserved for future use.
	//   "NORMAL" - The data point has a limited effect on the result.
	// Changing the data point is unlikely to affect the overall
	// determination.
	//   "HIGH" - The data point has a strong effect on the result. Changing
	// the data point is likely to affect the overall determination.
	Relevance string `json:"relevance,omitempty"`

	// ForceSendFields is a list of field names (e.g. "Membership") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "Membership") to include in
	// API requests with the JSON null value. By default, fields with empty
	// values are omitted from API requests. However, any field with an
	// empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}
355
// MarshalJSON encodes the annotated membership through
// gensupport.MarshalJSON, handing it the ForceSendFields and NullFields
// lists alongside the value.
func (s *GoogleCloudPolicytroubleshooterV1betaBindingExplanationAnnotatedMembership) MarshalJSON() ([]byte, error) {
	// NoMethod has the same fields but no methods (a defined type does
	// not inherit them), presumably so the encoder does not re-enter
	// this MarshalJSON.
	type NoMethod GoogleCloudPolicytroubleshooterV1betaBindingExplanationAnnotatedMembership
	return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields)
}
361
// GoogleCloudPolicytroubleshooterV1betaExplainedPolicy: Details about
// how a specific IAM Policy contributed to the access check.
//
// Several fields are omitted or empty when the sender of the request
// does not have access to the policy, so a missing value here reflects
// the caller's visibility, not necessarily the policy's content.
type GoogleCloudPolicytroubleshooterV1betaExplainedPolicy struct {
	// Access: Indicates whether _this policy_ provides the specified
	// permission to the specified member for the specified resource. This
	// field does _not_ indicate whether the member actually has the
	// permission for the resource. There might be another policy that
	// overrides this policy. To determine whether the member actually has
	// the permission, use the `access` field in the
	// TroubleshootIamPolicyResponse.
	//
	// Possible values:
	//   "ACCESS_STATE_UNSPECIFIED" - Reserved for future use.
	//   "GRANTED" - The member has the permission.
	//   "NOT_GRANTED" - The member does not have the permission.
	//   "UNKNOWN_CONDITIONAL" - The member has the permission only if a
	// condition expression evaluates to `true`.
	//   "UNKNOWN_INFO_DENIED" - The sender of the request does not have
	// access to all of the policies that Policy Troubleshooter needs to
	// evaluate.
	Access string `json:"access,omitempty"`

	// BindingExplanations: Details about how each binding in the policy
	// affects the member's ability, or inability, to use the permission for
	// the resource. If the sender of the request does not have access to
	// the policy, this field is omitted.
	BindingExplanations []*GoogleCloudPolicytroubleshooterV1betaBindingExplanation `json:"bindingExplanations,omitempty"`

	// FullResourceName: The full resource name that identifies the
	// resource. For example,
	// `//compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/my-instance`.
	// If the sender of the request does not have access to the policy,
	// this field is omitted. For examples of full resource names for
	// Google Cloud services, see
	// https://cloud.google.com/iam/help/troubleshooter/full-resource-names.
	FullResourceName string `json:"fullResourceName,omitempty"`

	// Policy: The IAM policy attached to the resource. If the sender of the
	// request does not have access to the policy, this field is empty.
	Policy *GoogleIamV1Policy `json:"policy,omitempty"`

	// Relevance: The relevance of this policy to the overall determination
	// in the TroubleshootIamPolicyResponse. If the sender of the request
	// does not have access to the policy, this field is omitted.
	//
	// Possible values:
	//   "HEURISTIC_RELEVANCE_UNSPECIFIED" - Reserved for future use.
	//   "NORMAL" - The data point has a limited effect on the result.
	// Changing the data point is unlikely to affect the overall
	// determination.
	//   "HIGH" - The data point has a strong effect on the result. Changing
	// the data point is likely to affect the overall determination.
	Relevance string `json:"relevance,omitempty"`

	// ForceSendFields is a list of field names (e.g. "Access") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "Access") to include in API
	// requests with the JSON null value. By default, fields with empty
	// values are omitted from API requests. However, any field with an
	// empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}
432
// MarshalJSON encodes the explained policy through
// gensupport.MarshalJSON, handing it the ForceSendFields and NullFields
// lists alongside the value.
func (s *GoogleCloudPolicytroubleshooterV1betaExplainedPolicy) MarshalJSON() ([]byte, error) {
	// NoMethod has the same fields but no methods (a defined type does
	// not inherit them), presumably so the encoder does not re-enter
	// this MarshalJSON.
	type NoMethod GoogleCloudPolicytroubleshooterV1betaExplainedPolicy
	return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields)
}
438
// GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyRequest:
// Request for TroubleshootIamPolicy.
type GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyRequest struct {
	// AccessTuple: The information to use for checking whether a member has
	// a permission for a resource.
	//
	// The field is a pointer tagged `omitempty`, so a nil AccessTuple is
	// left out of the request body instead of being rejected here.
	AccessTuple *GoogleCloudPolicytroubleshooterV1betaAccessTuple `json:"accessTuple,omitempty"`

	// ForceSendFields is a list of field names (e.g. "AccessTuple") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "AccessTuple") to include
	// in API requests with the JSON null value. By default, fields with
	// empty values are omitted from API requests. However, any field with
	// an empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}
462
// MarshalJSON encodes the troubleshoot request through
// gensupport.MarshalJSON, handing it the ForceSendFields and NullFields
// lists alongside the value.
func (s *GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyRequest) MarshalJSON() ([]byte, error) {
	// NoMethod has the same fields but no methods (a defined type does
	// not inherit them), presumably so the encoder does not re-enter
	// this MarshalJSON.
	type NoMethod GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyRequest
	return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields)
}
468
// GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyResponse:
// Response for TroubleshootIamPolicy.
type GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyResponse struct {
	// Access: Indicates whether the member has the specified permission for
	// the specified resource, based on evaluating all of the applicable
	// policies.
	//
	// Possible values:
	//   "ACCESS_STATE_UNSPECIFIED" - Reserved for future use.
	//   "GRANTED" - The member has the permission.
	//   "NOT_GRANTED" - The member does not have the permission.
	//   "UNKNOWN_CONDITIONAL" - The member has the permission only if a
	// condition expression evaluates to `true`.
	//   "UNKNOWN_INFO_DENIED" - The sender of the request does not have
	// access to all of the policies that Policy Troubleshooter needs to
	// evaluate.
	//
	// Only "GRANTED" and "NOT_GRANTED" are definite answers. Code that
	// consumes this field should compare against the exact value and
	// handle the UNKNOWN_* values, and the empty string left by an absent
	// field, as "undetermined" instead of folding them into either
	// outcome.
	Access string `json:"access,omitempty"`

	// ExplainedPolicies: List of IAM policies that were evaluated to check
	// the member's permissions, with annotations to indicate how each
	// policy contributed to the final result. The list of policies can
	// include the policy for the resource itself. It can also include
	// policies that are inherited from higher levels of the resource
	// hierarchy, including the organization, the folder, and the project.
	// To learn more about the resource hierarchy, see
	// https://cloud.google.com/iam/help/resource-hierarchy.
	ExplainedPolicies []*GoogleCloudPolicytroubleshooterV1betaExplainedPolicy `json:"explainedPolicies,omitempty"`

	// ServerResponse contains the HTTP response code and headers from the
	// server.
	googleapi.ServerResponse `json:"-"`

	// ForceSendFields is a list of field names (e.g. "Access") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "Access") to include in API
	// requests with the JSON null value. By default, fields with empty
	// values are omitted from API requests. However, any field with an
	// empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}
517
// MarshalJSON encodes the troubleshoot response through
// gensupport.MarshalJSON, handing it the ForceSendFields and NullFields
// lists alongside the value.
func (s *GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyResponse) MarshalJSON() ([]byte, error) {
	// NoMethod has the same fields but no methods (a defined type does
	// not inherit them), presumably so the encoder does not re-enter
	// this MarshalJSON.
	type NoMethod GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyResponse
	return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields)
}
523
// GoogleIamV1AuditConfig: Specifies the audit configuration for a
// service. The configuration determines which permission types are
// logged, and what identities, if any, are exempted from logging. An
// AuditConfig must have one or more AuditLogConfigs. If there are
// AuditConfigs for both `allServices` and a specific service, the union
// of the two AuditConfigs is used for that service: the log_types
// specified in each AuditConfig are enabled, and the exempted_members
// in each AuditLogConfig are exempted. Example Policy with multiple
// AuditConfigs: { "audit_configs": [ { "service": "allServices",
// "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members":
// [ "user:jose@example.com" ] }, { "log_type": "DATA_WRITE" }, {
// "log_type": "ADMIN_READ" } ] }, { "service":
// "sampleservice.googleapis.com", "audit_log_configs": [ { "log_type":
// "DATA_READ" }, { "log_type": "DATA_WRITE", "exempted_members": [
// "user:aliya@example.com" ] } ] } ] } For sampleservice, this policy
// enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts
// jose@example.com from DATA_READ logging, and aliya@example.com from
// DATA_WRITE logging.
//
// Because the two configurations are unioned, an exemption declared
// under `allServices` also applies to each specific service. When
// reviewing a returned policy, read both entries together to see which
// identities generate no audit log for a given log type.
type GoogleIamV1AuditConfig struct {
	// AuditLogConfigs: The configuration for logging of each type of
	// permission.
	AuditLogConfigs []*GoogleIamV1AuditLogConfig `json:"auditLogConfigs,omitempty"`

	// Service: Specifies a service that will be enabled for audit logging.
	// For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
	// `allServices` is a special value that covers all services.
	Service string `json:"service,omitempty"`

	// ForceSendFields is a list of field names (e.g. "AuditLogConfigs") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "AuditLogConfigs") to
	// include in API requests with the JSON null value. By default, fields
	// with empty values are omitted from API requests. However, any field
	// with an empty value appearing in NullFields will be sent to the
	// server as null. It is an error if a field in this list has a
	// non-empty value. This may be used to include null fields in Patch
	// requests.
	NullFields []string `json:"-"`
}
569
// MarshalJSON encodes the audit configuration through
// gensupport.MarshalJSON, handing it the ForceSendFields and NullFields
// lists alongside the value.
func (s *GoogleIamV1AuditConfig) MarshalJSON() ([]byte, error) {
	// NoMethod has the same fields but no methods (a defined type does
	// not inherit them), presumably so the encoder does not re-enter
	// this MarshalJSON.
	type NoMethod GoogleIamV1AuditConfig
	return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields)
}
575
// GoogleIamV1AuditLogConfig: Provides the configuration for logging a
// type of permissions. Example: { "audit_log_configs": [ { "log_type":
// "DATA_READ", "exempted_members": [ "user:jose@example.com" ] }, {
// "log_type": "DATA_WRITE" } ] } This enables 'DATA_READ' and
// 'DATA_WRITE' logging, while exempting jose@example.com from DATA_READ
// logging.
type GoogleIamV1AuditLogConfig struct {
	// ExemptedMembers: Specifies the identities that do not cause logging
	// for this type of permission. Follows the same format of
	// Binding.members.
	//
	// Each entry is an identity whose operations of this log type leave
	// no audit record, so a non-empty list is worth reviewing when it
	// appears in a returned policy.
	ExemptedMembers []string `json:"exemptedMembers,omitempty"`

	// LogType: The log type that this config enables.
	//
	// Possible values:
	//   "LOG_TYPE_UNSPECIFIED" - Default case. Should never be this.
	//   "ADMIN_READ" - Admin reads. Example: CloudIAM getIamPolicy
	//   "DATA_WRITE" - Data writes. Example: CloudSQL Users create
	//   "DATA_READ" - Data reads. Example: CloudSQL Users list
	LogType string `json:"logType,omitempty"`

	// ForceSendFields is a list of field names (e.g. "ExemptedMembers") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "ExemptedMembers") to
	// include in API requests with the JSON null value. By default, fields
	// with empty values are omitted from API requests. However, any field
	// with an empty value appearing in NullFields will be sent to the
	// server as null. It is an error if a field in this list has a
	// non-empty value. This may be used to include null fields in Patch
	// requests.
	NullFields []string `json:"-"`
}
614
// MarshalJSON encodes the audit log configuration through
// gensupport.MarshalJSON, handing it the ForceSendFields and NullFields
// lists alongside the value.
func (s *GoogleIamV1AuditLogConfig) MarshalJSON() ([]byte, error) {
	// NoMethod has the same fields but no methods (a defined type does
	// not inherit them), presumably so the encoder does not re-enter
	// this MarshalJSON.
	type NoMethod GoogleIamV1AuditLogConfig
	return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields)
}
620
// GoogleIamV1Binding: Associates `members` with a `role`.
type GoogleIamV1Binding struct {
	// Condition: The condition that is associated with this binding. If the
	// condition evaluates to `true`, then this binding applies to the
	// current request. If the condition evaluates to `false`, then this
	// binding does not apply to the current request. However, a different
	// role binding might grant the same role to one or more of the members
	// in this binding. To learn which resources support conditions in their
	// IAM policies, see the IAM documentation
	// (https://cloud.google.com/iam/help/conditions/resource-policies).
	Condition *GoogleTypeExpr `json:"condition,omitempty"`

	// Members: Specifies the identities requesting access for a Cloud
	// Platform resource. `members` can have the following values:
	//
	//   - `allUsers`: A special identifier that represents anyone who is
	//     on the internet; with or without a Google account.
	//   - `allAuthenticatedUsers`: A special identifier that represents
	//     anyone who is authenticated with a Google account or a service
	//     account.
	//   - `user:{emailid}`: An email address that represents a specific
	//     Google account. For example, `alice@example.com`.
	//   - `serviceAccount:{emailid}`: An email address that represents a
	//     service account. For example,
	//     `my-other-app@appspot.gserviceaccount.com`.
	//   - `group:{emailid}`: An email address that represents a Google
	//     group. For example, `admins@example.com`.
	//   - `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus
	//     unique identifier) representing a user that has been recently
	//     deleted. For example,
	//     `alice@example.com?uid=123456789012345678901`. If the user is
	//     recovered, this value reverts to `user:{emailid}` and the
	//     recovered user retains the role in the binding.
	//   - `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email
	//     address (plus unique identifier) representing a service account
	//     that has been recently deleted. For example,
	//     `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
	//     If the service account is undeleted, this value reverts to
	//     `serviceAccount:{emailid}` and the undeleted service account
	//     retains the role in the binding.
	//   - `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus
	//     unique identifier) representing a Google group that has been
	//     recently deleted. For example,
	//     `admins@example.com?uid=123456789012345678901`. If the group is
	//     recovered, this value reverts to `group:{emailid}` and the
	//     recovered group retains the role in the binding.
	//   - `domain:{domain}`: The G Suite domain (primary) that represents
	//     all the users of that domain. For example, `google.com` or
	//     `example.com`.
	//
	// NOTE(review): `allUsers` and `allAuthenticatedUsers` are the two
	// values that are not tied to a named identity, so a binding that
	// contains either one applies to principals the policy owner has not
	// enumerated. Code that audits or renders bindings may want to handle
	// them as a separate case. The `deleted:` forms keep the role if the
	// identity is recovered, so they still count in an access review.
	Members []string `json:"members,omitempty"`

	// Role: Role that is assigned to `members`. For example,
	// `roles/viewer`, `roles/editor`, or `roles/owner`.
	Role string `json:"role,omitempty"`

	// ForceSendFields is a list of field names (e.g. "Condition") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "Condition") to include in
	// API requests with the JSON null value. By default, fields with empty
	// values are omitted from API requests. However, any field with an
	// empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}
687
// MarshalJSON encodes s by handing a copy of it, together with its
// ForceSendFields and NullFields lists, to gensupport.MarshalJSON.
func (s *GoogleIamV1Binding) MarshalJSON() ([]byte, error) {
	// NoMethod has the same fields as GoogleIamV1Binding but none of its
	// methods, so encoding the copy cannot re-enter this method.
	type NoMethod GoogleIamV1Binding
	return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields)
}
693
// GoogleIamV1Policy: An Identity and Access Management (IAM) policy,
// which specifies access controls for Google Cloud resources. A
// `Policy` is a collection of `bindings`. A `binding` binds one or more
// `members` to a single `role`. Members can be user accounts, service
// accounts, Google groups, and domains (such as G Suite). A `role` is a
// named list of permissions; each `role` can be an IAM predefined role
// or a user-created custom role. For some types of Google Cloud
// resources, a `binding` can also specify a `condition`, which is a
// logical expression that allows access to a resource only if the
// expression evaluates to `true`. A condition can add constraints based
// on attributes of the request, the resource, or both. To learn which
// resources support conditions in their IAM policies, see the IAM
// documentation
// (https://cloud.google.com/iam/help/conditions/resource-policies).
//
// **JSON example:**
//
//   {
//     "bindings": [
//       {
//         "role": "roles/resourcemanager.organizationAdmin",
//         "members": [
//           "user:mike@example.com",
//           "group:admins@example.com",
//           "domain:google.com",
//           "serviceAccount:my-project-id@appspot.gserviceaccount.com"
//         ]
//       },
//       {
//         "role": "roles/resourcemanager.organizationViewer",
//         "members": [
//           "user:eve@example.com"
//         ],
//         "condition": {
//           "title": "expirable access",
//           "description": "Does not grant access after Sep 2020",
//           "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')"
//         }
//       }
//     ],
//     "etag": "BwWWja0YfJA=",
//     "version": 3
//   }
//
// **YAML example:**
//
//   bindings:
//   - members:
//     - user:mike@example.com
//     - group:admins@example.com
//     - domain:google.com
//     - serviceAccount:my-project-id@appspot.gserviceaccount.com
//     role: roles/resourcemanager.organizationAdmin
//   - members:
//     - user:eve@example.com
//     role: roles/resourcemanager.organizationViewer
//     condition:
//       title: expirable access
//       description: Does not grant access after Sep 2020
//       expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
//   etag: BwWWja0YfJA=
//   version: 3
//
// For a description of IAM and its features, see the IAM
// documentation (https://cloud.google.com/iam/docs/).
type GoogleIamV1Policy struct {
	// AuditConfigs: Specifies cloud audit logging configuration for this
	// policy.
	AuditConfigs []*GoogleIamV1AuditConfig `json:"auditConfigs,omitempty"`

	// Bindings: Associates a list of `members` to a `role`. Optionally, may
	// specify a `condition` that determines how and when the `bindings` are
	// applied. Each of the `bindings` must contain at least one member.
	Bindings []*GoogleIamV1Binding `json:"bindings,omitempty"`

	// Etag: `etag` is used for optimistic concurrency control as a way to
	// help prevent simultaneous updates of a policy from overwriting each
	// other. It is strongly suggested that systems make use of the `etag`
	// in the read-modify-write cycle to perform policy updates in order to
	// avoid race conditions: An `etag` is returned in the response to
	// `getIamPolicy`, and systems are expected to put that etag in the
	// request to `setIamPolicy` to ensure that their change will be applied
	// to the same version of the policy. **Important:** If you use IAM
	// Conditions, you must include the `etag` field whenever you call
	// `setIamPolicy`. If you omit this field, then IAM allows you to
	// overwrite a version `3` policy with a version `1` policy, and all of
	// the conditions in the version `3` policy are lost.
	//
	// NOTE(review): the tag carries `omitempty`, so a Policy whose Etag was
	// never populated is encoded without the field. If a value of this type
	// is ever passed on to an API that writes policies, that is the
	// omitted-etag case the warning above describes; carry the etag that
	// was returned with the policy through to the write.
	Etag string `json:"etag,omitempty"`

	// Version: Specifies the format of the policy. Valid values are `0`,
	// `1`, and `3`. Requests that specify an invalid value are rejected.
	// Any operation that affects conditional role bindings must specify
	// version `3`. This requirement applies to the following operations:
	//
	//   - Getting a policy that includes a conditional role binding
	//   - Adding a conditional role binding to a policy
	//   - Changing a conditional role binding in a policy
	//   - Removing any role binding, with or without a condition, from a
	//     policy that includes conditions
	//
	// **Important:** If you use IAM Conditions, you must include the `etag`
	// field whenever you call `setIamPolicy`. If you omit this field, then
	// IAM allows you to overwrite a version `3` policy with a version `1`
	// policy, and all of the conditions in the version `3` policy are lost.
	// If a policy does not include any conditions, operations on that
	// policy may specify any valid version or leave the field unset. To
	// learn which resources support conditions in their IAM policies, see
	// the IAM documentation
	// (https://cloud.google.com/iam/help/conditions/resource-policies).
	Version int64 `json:"version,omitempty"`

	// ForceSendFields is a list of field names (e.g. "AuditConfigs") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "AuditConfigs") to include
	// in API requests with the JSON null value. By default, fields with
	// empty values are omitted from API requests. However, any field with
	// an empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}
787
// MarshalJSON encodes s by handing a copy of it, together with its
// ForceSendFields and NullFields lists, to gensupport.MarshalJSON.
func (s *GoogleIamV1Policy) MarshalJSON() ([]byte, error) {
	// NoMethod has the same fields as GoogleIamV1Policy but none of its
	// methods, so encoding the copy cannot re-enter this method.
	type NoMethod GoogleIamV1Policy
	return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields)
}
793
// GoogleTypeExpr: Represents a textual expression in the Common
// Expression Language (CEL) syntax. CEL is a C-like expression
// language. The syntax and semantics of CEL are documented at
// https://github.com/google/cel-spec.
//
// Example (Comparison):
//
//   title: "Summary size limit"
//   description: "Determines if a summary is less than 100 chars"
//   expression: "document.summary.size() < 100"
//
// Example (Equality):
//
//   title: "Requestor is owner"
//   description: "Determines if requestor is the document owner"
//   expression: "document.owner == request.auth.claims.email"
//
// Example (Logic):
//
//   title: "Public documents"
//   description: "Determine whether the document should be publicly visible"
//   expression: "document.type != 'private' && document.type != 'internal'"
//
// Example (Data Manipulation):
//
//   title: "Notification string"
//   description: "Create a notification string with a timestamp."
//   expression: "'New message received at ' + string(document.create_time)"
//
// The exact variables and functions that may be referenced within an
// expression are determined by the service that evaluates it. See the
// service documentation for additional information.
//
// NOTE(review): this type only carries the expression as a string;
// nothing declared here parses or validates the CEL text, so whether an
// expression is well-formed is decided by the evaluating service.
type GoogleTypeExpr struct {
	// Description: Optional. Description of the expression. This is a
	// longer text which describes the expression, e.g. when hovered over it
	// in a UI.
	Description string `json:"description,omitempty"`

	// Expression: Textual representation of an expression in Common
	// Expression Language syntax.
	Expression string `json:"expression,omitempty"`

	// Location: Optional. String indicating the location of the expression
	// for error reporting, e.g. a file name and a position in the file.
	Location string `json:"location,omitempty"`

	// Title: Optional. Title for the expression, i.e. a short string
	// describing its purpose. This can be used e.g. in UIs which allow to
	// enter the expression.
	Title string `json:"title,omitempty"`

	// ForceSendFields is a list of field names (e.g. "Description") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "Description") to include
	// in API requests with the JSON null value. By default, fields with
	// empty values are omitted from API requests. However, any field with
	// an empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}
847
// MarshalJSON encodes s by handing a copy of it, together with its
// ForceSendFields and NullFields lists, to gensupport.MarshalJSON.
func (s *GoogleTypeExpr) MarshalJSON() ([]byte, error) {
	// NoMethod has the same fields as GoogleTypeExpr but none of its
	// methods, so encoding the copy cannot re-enter this method.
	type NoMethod GoogleTypeExpr
	return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields)
}
853
854// method id "policytroubleshooter.iam.troubleshoot":
855
// IamTroubleshootCall holds the state of one pending
// "policytroubleshooter.iam.troubleshoot" call: the Service it was
// created from, the request message used as the body, the URL query
// parameters, and the context and extra headers that Context and Header
// set. ctx_ and header_ stay nil until those methods are used.
type IamTroubleshootCall struct {
	s                                                                 *Service
	googlecloudpolicytroubleshooterv1betatroubleshootiampolicyrequest *GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyRequest
	urlParams_                                                        gensupport.URLParams
	ctx_                                                              context.Context
	header_                                                           http.Header
}
863
// Troubleshoot: Checks whether a member has a specific permission for a
// specific resource, and explains why the member does or does not have
// that permission.
//
// It only builds the call object, with the given request as its body
// and an empty URL parameter set; nothing is sent until Do is called on
// the result.
func (r *IamService) Troubleshoot(googlecloudpolicytroubleshooterv1betatroubleshootiampolicyrequest *GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyRequest) *IamTroubleshootCall {
	return &IamTroubleshootCall{
		s: r.s,
		googlecloudpolicytroubleshooterv1betatroubleshootiampolicyrequest: googlecloudpolicytroubleshooterv1betatroubleshootiampolicyrequest,
		urlParams_: make(gensupport.URLParams),
	}
}
872
// Fields restricts the response to the listed fields by setting the
// "fields" URL parameter, and returns the call for chaining. See
// https://developers.google.com/gdata/docs/2.0/basics#PartialResponse
// for more information on partial responses.
func (c *IamTroubleshootCall) Fields(s ...googleapi.Field) *IamTroubleshootCall {
	selector := googleapi.CombineFields(s)
	c.urlParams_.Set("fields", selector)
	return c
}
880
// Context stores ctx as the context for this call's Do method and
// returns the call for chaining. Any pending HTTP request will be
// aborted if the provided context is canceled.
//
// A call on which Context was never invoked keeps a nil context, and
// doRequest passes that nil on to gensupport.SendRequest; supply a
// context with a deadline when the request must not wait indefinitely.
func (c *IamTroubleshootCall) Context(ctx context.Context) *IamTroubleshootCall {
	c.ctx_ = ctx
	return c
}
888
// Header returns the call's extra-header map so the caller can add HTTP
// headers to the request. The map is created on first use, and the same
// map is returned on every later call.
func (c *IamTroubleshootCall) Header() http.Header {
	if c.header_ != nil {
		return c.header_
	}
	c.header_ = make(http.Header)
	return c.header_
}
897
// doRequest builds the POST request for "v1beta/iam:troubleshoot" and
// sends it through gensupport.SendRequest with the call's context and
// the service's HTTP client. alt becomes the "alt" URL parameter.
//
// It returns the raw response; status checking and decoding are left to
// the caller.
func (c *IamTroubleshootCall) doRequest(alt string) (*http.Response, error) {
	hdr := make(http.Header)
	hdr.Set("x-goog-api-client", "gl-go/"+gensupport.GoVersion()+" gdcl/20210502")
	// Caller-supplied headers are copied as they are, with no filtering,
	// and may replace the default set above. User-Agent and Content-Type
	// are set after the copy, so the caller cannot override those two.
	for name, vals := range c.header_ {
		hdr[name] = vals
	}
	hdr.Set("User-Agent", c.s.userAgent())

	payload, err := googleapi.WithoutDataWrapper.JSONReader(c.googlecloudpolicytroubleshooterv1betatroubleshootiampolicyrequest)
	if err != nil {
		return nil, err
	}
	hdr.Set("Content-Type", "application/json")

	c.urlParams_.Set("alt", alt)
	c.urlParams_.Set("prettyPrint", "false")
	endpoint := googleapi.ResolveRelative(c.s.BasePath, "v1beta/iam:troubleshoot") + "?" + c.urlParams_.Encode()

	req, err := http.NewRequest("POST", endpoint, payload)
	if err != nil {
		return nil, err
	}
	req.Header = hdr
	return gensupport.SendRequest(c.ctx_, c.s.client, req)
}
922
// Do executes the "policytroubleshooter.iam.troubleshoot" call.
// Exactly one of
// *GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyResponse
// or error will be non-nil. Any non-2xx status code is an error.
// Response headers are available in the returned value's
// ServerResponse.Header or, if a response was returned at all, in
// error.(*googleapi.Error).Header. Use googleapi.IsNotModified to check
// whether the returned error was because http.StatusNotModified was
// returned.
//
// The method descriptor kept at the end of the body lists
// https://www.googleapis.com/auth/cloud-platform as the scope for this
// method.
func (c *IamTroubleshootCall) Do(opts ...googleapi.CallOption) (*GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyResponse, error) {
	gensupport.SetOptions(c.urlParams_, opts...)
	res, err := c.doRequest("json")

	// The 304 case is examined before err, so a not-modified response is
	// reported as a googleapi.Error even if an error came back with it.
	if res != nil && res.StatusCode == http.StatusNotModified {
		if res.Body != nil {
			res.Body.Close()
		}
		notModified := &googleapi.Error{
			Code:   res.StatusCode,
			Header: res.Header,
		}
		return nil, notModified
	}
	if err != nil {
		return nil, err
	}
	defer googleapi.CloseBody(res)

	if err := googleapi.CheckResponse(res); err != nil {
		return nil, err
	}

	// Record status and headers first; the body is decoded into the same
	// value afterwards.
	ret := &GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyResponse{
		ServerResponse: googleapi.ServerResponse{
			Header:         res.Header,
			HTTPStatusCode: res.StatusCode,
		},
	}
	if err := gensupport.DecodeResponse(&ret, res); err != nil {
		return nil, err
	}
	return ret, nil
	// {
	//   "description": "Checks whether a member has a specific permission for a specific resource, and explains why the member does or does not have that permission.",
	//   "flatPath": "v1beta/iam:troubleshoot",
	//   "httpMethod": "POST",
	//   "id": "policytroubleshooter.iam.troubleshoot",
	//   "parameterOrder": [],
	//   "parameters": {},
	//   "path": "v1beta/iam:troubleshoot",
	//   "request": {
	//     "$ref": "GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyRequest"
	//   },
	//   "response": {
	//     "$ref": "GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyResponse"
	//   },
	//   "scopes": [
	//     "https://www.googleapis.com/auth/cloud-platform"
	//   ]
	// }
}
983