Index
AccessContextManager
(interface)AccessContextManagerOperationMetadata
(message)AccessLevel
(message)AccessPolicy
(message)Application
(message)AuthorizedOrgsDesc
(message)AuthorizedOrgsDesc.AssetType
(enum)AuthorizedOrgsDesc.AuthorizationDirection
(enum)AuthorizedOrgsDesc.AuthorizationType
(enum)BasicLevel
(message)BasicLevel.ConditionCombiningFunction
(enum)CommitServicePerimetersRequest
(message)CommitServicePerimetersResponse
(message)Condition
(message)CreateAccessLevelRequest
(message)CreateAuthorizedOrgsDescRequest
(message)CreateGcpUserAccessBindingRequest
(message)CreateServicePerimeterRequest
(message)CustomLevel
(message)DeleteAccessLevelRequest
(message)DeleteAccessPolicyRequest
(message)DeleteAuthorizedOrgsDescRequest
(message)DeleteGcpUserAccessBindingRequest
(message)DeleteServicePerimeterRequest
(message)DevicePolicy
(message)GcpUserAccessBinding
(message)GcpUserAccessBindingOperationMetadata
(message)GetAccessLevelRequest
(message)GetAccessPolicyRequest
(message)GetAuthorizedOrgsDescRequest
(message)GetGcpUserAccessBindingRequest
(message)GetServicePerimeterRequest
(message)GetSupportedServiceRequest
(message)LevelFormat
(enum)ListAccessLevelsRequest
(message)ListAccessLevelsResponse
(message)ListAccessPoliciesRequest
(message)ListAccessPoliciesResponse
(message)ListAuthorizedOrgsDescsRequest
(message)ListAuthorizedOrgsDescsResponse
(message)ListGcpUserAccessBindingsRequest
(message)ListGcpUserAccessBindingsResponse
(message)ListServicePerimetersRequest
(message)ListServicePerimetersResponse
(message)ListSupportedServicesRequest
(message)ListSupportedServicesResponse
(message)OsConstraint
(message)ReauthSettings
(message)ReauthSettings.ReauthMethod
(enum)ReplaceAccessLevelsRequest
(message)ReplaceAccessLevelsResponse
(message)ReplaceServicePerimetersRequest
(message)ReplaceServicePerimetersResponse
(message)ServicePerimeter
(message)ServicePerimeter.PerimeterType
(enum)ServicePerimeterConfig
(message)ServicePerimeterConfig.ApiOperation
(message)ServicePerimeterConfig.EgressFrom
(message)ServicePerimeterConfig.EgressPolicy
(message)ServicePerimeterConfig.EgressSource
(message)ServicePerimeterConfig.EgressTo
(message)ServicePerimeterConfig.IdentityType
(enum)ServicePerimeterConfig.IngressFrom
(message)ServicePerimeterConfig.IngressPolicy
(message)ServicePerimeterConfig.IngressSource
(message)ServicePerimeterConfig.IngressTo
(message)ServicePerimeterConfig.MethodSelector
(message)ServicePerimeterConfig.SourceRestriction
(enum)ServicePerimeterConfig.VpcAccessibleServices
(message)ServiceSupportStage
(enum)SupportedService
(message)UpdateAccessLevelRequest
(message)UpdateAccessPolicyRequest
(message)UpdateAuthorizedOrgsDescRequest
(message)UpdateGcpUserAccessBindingRequest
(message)UpdateServicePerimeterRequest
(message)VpcNetworkSource
(message)VpcSubNetwork
(message)
AccessContextManager
API for setting access levels
and service perimeters
for Google Cloud projects. Each organization has one access policy
that contains the access levels
and service perimeters
. This access policy
is applicable to all resources in the organization.
CommitServicePerimeters |
---|
Commits the dry-run specification for all the
|
CreateAccessLevel |
---|
Creates an
|
CreateAccessPolicy |
---|
Creates an access policy. This method fails if the organization already has an access policy. The long-running operation has a successful status after the access policy propagates to long-lasting storage. Syntactic and basic semantic errors are returned in
|
CreateAuthorizedOrgsDesc |
---|
Creates an
|
CreateGcpUserAccessBinding |
---|
Creates a
|
CreateServicePerimeter |
---|
Creates a
|
DeleteAccessLevel |
---|
Deletes an
|
DeleteAccessPolicy |
---|
Deletes an
|
DeleteAuthorizedOrgsDesc |
---|
Deletes an
|
DeleteGcpUserAccessBinding |
---|
Deletes a
|
DeleteServicePerimeter |
---|
Deletes a
|
GetAccessLevel |
---|
Gets an
|
GetAccessPolicy |
---|
Returns an
|
GetAuthorizedOrgsDesc |
---|
Gets an
|
GetGcpUserAccessBinding |
---|
Gets the
|
GetIamPolicy |
---|
Gets the IAM policy for the specified Access Context Manager
|
GetServicePerimeter |
---|
Gets a
|
GetSupportedService |
---|
Get a
|
ListAccessLevels |
---|
Lists all
|
ListAccessPolicies |
---|
Lists all
|
ListAuthorizedOrgsDescs |
---|
Lists all
|
ListGcpUserAccessBindings |
---|
Lists all
|
ListServicePerimeters |
---|
Lists all
|
ListSupportedServices |
---|
Lists all
|
ReplaceAccessLevels |
---|
Replaces all existing
|
ReplaceServicePerimeters |
---|
Replace all existing
|
SetIamPolicy |
---|
Sets the IAM policy for the specified Access Context Manager
|
TestIamPermissions |
---|
Returns the IAM permissions that the caller has on the specified Access Context Manager resource. The resource can be an
|
UpdateAccessLevel |
---|
Updates an
|
UpdateAccessPolicy |
---|
Updates an
|
UpdateAuthorizedOrgsDesc |
---|
Updates an
|
UpdateGcpUserAccessBinding |
---|
Updates a
|
UpdateServicePerimeter |
---|
Updates a
|
AccessContextManagerOperationMetadata
This type has no fields.
Metadata of Access Context Manager's Long Running Operations.
AccessLevel
An AccessLevel
is a label that can be applied to requests to Google Cloud services, along with a list of requirements necessary for the label to be applied.
Fields | |
---|---|
name |
Identifier. Resource name for the The After you create an |
title |
Human readable title. Must be unique within the Policy. |
description |
Description of the |
Union field level . Required. Describes the necessary conditions for the level to apply. level can be only one of the following: |
|
basic |
A |
custom |
A |
AccessPolicy
AccessPolicy
is a container for AccessLevels
(which define the necessary attributes to use Google Cloud services) and ServicePerimeters
(which define regions of services able to freely pass data within a perimeter). An access policy is globally visible within an organization, and the restrictions it specifies apply to all projects within an organization.
Fields | |
---|---|
name |
Identifier. Resource name of the |
parent |
Immutable. The parent of this |
title |
Required. Human readable title. Does not affect behavior. |
scopes[] |
The scopes of the
If no scopes are provided, then any resource within the organization can be restricted. Scopes cannot be modified after a policy is created. Policies can only have a single scope. Format: list of |
etag |
Output only. An opaque identifier for the current version of the |
Application
An application that accesses Google Cloud APIs.
Fields | |
---|---|
Union field identifier . An identifier of the application. identifier can be only one of the following: |
|
client_id |
The OAuth client ID of the application. |
name |
The name of the application. Example: "Cloud Console" |
AuthorizedOrgsDesc
AuthorizedOrgsDesc
contains data for an organization's authorization policy.
Fields | |
---|---|
name |
Identifier. Resource name for the The After you create an |
authorization_type |
A granular control type for authorization levels. Valid value is |
asset_type |
The asset type of this authorized orgs desc. Valid values are |
authorization_direction |
The direction of the authorization relationship between this organization and the organizations listed in the
For the authorization relationship to take effect, all of the organizations must authorize and specify the appropriate relationship direction. For example, if organization A authorized organization B and C to evaluate its traffic, by specifying |
orgs[] |
The list of organization ids in this AuthorizedOrgsDesc. Format: |
AssetType
The type of entities that need to use the authorization relationship during evaluation, such as a device. Valid values are ASSET_TYPE_DEVICE
, and ASSET_TYPE_CREDENTIAL_STRENGTH
.
Enums | |
---|---|
ASSET_TYPE_UNSPECIFIED |
No asset type specified. |
ASSET_TYPE_DEVICE |
Device asset type. |
ASSET_TYPE_CREDENTIAL_STRENGTH |
Credential strength asset type. |
AuthorizationDirection
Authorization direction of specified organizations in AuthorizedOrgsDesc [com.google.identity.accesscontextmanager.v1alpha.AuthorizedOrgsDesc].
Enums | |
---|---|
AUTHORIZATION_DIRECTION_UNSPECIFIED |
No direction specified. |
AUTHORIZATION_DIRECTION_TO |
Specified orgs will evaluate traffic. |
AUTHORIZATION_DIRECTION_FROM |
Specified orgs' traffic will be evaluated. |
AuthorizationType
A granular control type for authorization levels. Valid value is AUTHORIZATION_TYPE_TRUST
.
Enums | |
---|---|
AUTHORIZATION_TYPE_UNSPECIFIED |
No authorization type specified. |
AUTHORIZATION_TYPE_TRUST |
This authorization relationship is "trust". |
BasicLevel
BasicLevel
is an AccessLevel
using a set of recommended features.
Fields | |
---|---|
conditions[] |
Required. A list of requirements for the |
combining_function |
How the |
ConditionCombiningFunction
Options for how the conditions
list should be combined to determine if this AccessLevel
is applied. Default is AND.
Enums | |
---|---|
AND |
All Conditions must be true for the BasicLevel to be true. |
OR |
If at least one Condition is true, then the BasicLevel is true. |
CommitServicePerimetersRequest
A request to commit dry-run specs in all Service Perimeters
belonging to an Access Policy
.
Fields | |
---|---|
parent |
Required. Resource name for the parent Format: |
etag |
Optional. The etag for the version of the |
CommitServicePerimetersResponse
A response to CommitServicePerimetersRequest. This will be put inside of Operation.response field.
Fields | |
---|---|
service_perimeters[] |
List of all the |
Condition
A condition necessary for an AccessLevel
to be granted. The Condition is an AND over its fields. So a Condition is true if: 1) the request IP is from one of the listed subnetworks AND 2) the originating device complies with the listed device policy AND 3) all listed access levels are granted AND 4) the request was sent at a time allowed by the DateTimeRestriction AND 5) the request was sent from one of the specified vpc_network_sources.
Fields | |
---|---|
ip_subnetworks[] |
CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for a CIDR IP address block, the specified IP address portion must be properly truncated (i.e. all the host bits must be zero) or the input is considered malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32" is not. The originating IP of a request must be in one of the listed subnets in order for this Condition to be true. If this field is empty, all IP addresses are allowed. |
device_policy |
Device specific restrictions, all restrictions must hold for the Condition to be true. If not specified, all devices are allowed. |
required_access_levels[] |
A list of other access levels defined in the same |
negate |
Whether to negate the Condition. If true, the Condition becomes a NAND over its non-empty fields. Any non-empty field criteria evaluating to false will result in the Condition to be satisfied. Defaults to false. |
members[] |
The request must be made by one of the provided user or service accounts. Groups are not supported. Syntax: |
regions[] |
The request must originate from one of the provided countries/regions. Must be valid ISO 3166-1 alpha-2 codes. |
vpc_network_sources[] |
The request must originate from one of the provided VPC networks in Google Cloud. Cannot specify this field together with |
CreateAccessLevelRequest
A request to create an AccessLevel
.
Fields | |
---|---|
parent |
Required. Resource name for the access policy which owns this Format: |
access_level |
Required. The |
CreateAuthorizedOrgsDescRequest
A request to create a AuthorizedOrgsDesc
.
Fields | |
---|---|
parent |
Required. Resource name for the access policy which owns this Format: |
authorized_orgs_desc |
Required. The |
CreateGcpUserAccessBindingRequest
Request of CreateGcpUserAccessBinding
.
Fields | |
---|---|
parent |
Required. Example: "organizations/256" |
gcp_user_access_binding |
Required. |
CreateServicePerimeterRequest
A request to create a ServicePerimeter
.
Fields | |
---|---|
parent |
Required. Resource name for the access policy which owns this Format: |
service_perimeter |
Required. The |
CustomLevel
CustomLevel
is an AccessLevel
using the Cloud Common Expression Language to represent the necessary conditions for the level to apply to a request. See CEL spec at: https://github.com/google/cel-spec
Fields | |
---|---|
expr |
Required. A Cloud CEL expression evaluating to a boolean. |
DeleteAccessLevelRequest
A request to delete an AccessLevel
.
Fields | |
---|---|
name |
Required. Resource name for the Format: |
DeleteAccessPolicyRequest
A request to delete an AccessPolicy
.
Fields | |
---|---|
name |
Required. Resource name for the access policy to delete. Format |
DeleteAuthorizedOrgsDescRequest
A request to delete a AuthorizedOrgsDesc
.
Fields | |
---|---|
name |
Required. Resource name for the Format: |
DeleteGcpUserAccessBindingRequest
Request of DeleteGcpUserAccessBinding
.
Fields | |
---|---|
name |
Required. Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N" |
DeleteServicePerimeterRequest
A request to delete a ServicePerimeter
.
Fields | |
---|---|
name |
Required. Resource name for the Format: |
DevicePolicy
DevicePolicy
specifies device specific restrictions necessary to acquire a given access level. A DevicePolicy
specifies requirements for requests from devices to be granted access levels, it does not do any enforcement on the device. DevicePolicy
acts as an AND over all specified fields, and each repeated field is an OR over its elements. Any unset fields are ignored. For example, if the proto is { os_type : DESKTOP_WINDOWS, os_type : DESKTOP_LINUX, encryption_status: ENCRYPTED}, then the DevicePolicy will be true for requests originating from encrypted Linux desktops and encrypted Windows desktops.
Fields | |
---|---|
require_screenlock |
Whether or not screenlock is required for the DevicePolicy to be true. Defaults to |
allowed_encryption_statuses[] |
Allowed encryptions statuses, an empty list allows all statuses. |
os_constraints[] |
Allowed OS versions, an empty list allows all types and all versions. |
allowed_device_management_levels[] |
Allowed device management levels, an empty list allows all management levels. |
require_admin_approval |
Whether the device needs to be approved by the customer admin. |
require_corp_owned |
Whether the device needs to be corp owned. |
GcpUserAccessBinding
Restricts access to Cloud Console and Google Cloud APIs for a set of users using Context-Aware Access.
Fields | |
---|---|
name |
Immutable. Identifier. Assigned by the server during creation. The last segment has an arbitrary length and has only URI unreserved characters (as defined by RFC 3986 Section 2.3). Should not be specified by the client during creation. Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N" |
group_key |
Optional. Immutable. Google Group id whose members are subject to this binding's restrictions. See "id" in the G Suite Directory API's Groups resource. If a group's email address/alias is changed, this resource will continue to point at the changed group. This field does not accept group email addresses or aliases. Example: "01d520gv4vjcrht" |
access_levels[] |
Optional. Access level that a user must have to be granted access. Only one access level is supported, not multiple. This repeated field must have exactly one element. Example: "accessPolicies/9522/accessLevels/device_trusted" |
dry_run_access_levels[] |
Optional. Dry run access level that will be evaluated but will not be enforced. The access denial based on dry run policy will be logged. Only one access level is supported, not multiple. This list must have exactly one element. Example: "accessPolicies/9522/accessLevels/device_trusted" |
reauth_settings |
Optional. GCSL policy for the group key. |
restricted_client_applications[] |
Optional. A list of applications that are subject to this binding's restrictions. If the list is empty, the binding restrictions will universally apply to all applications. |
GcpUserAccessBindingOperationMetadata
This type has no fields.
Metadata of GCP Access Binding Long Running Operations.
GetAccessLevelRequest
A request to get a particular AccessLevel
.
Fields | |
---|---|
name |
Required. Resource name for the Format: |
access_level_format |
Whether to return |
GetAccessPolicyRequest
A request to get a particular AccessPolicy
.
Fields | |
---|---|
name |
Required. Resource name for the access policy to get. Format |
GetAuthorizedOrgsDescRequest
A request to get a particular AuthorizedOrgsDesc
.
Fields | |
---|---|
name |
Required. Resource name for the Format: |
GetGcpUserAccessBindingRequest
Request of GetGcpUserAccessBinding
.
Fields | |
---|---|
name |
Required. Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N" |
GetServicePerimeterRequest
A request to get a particular ServicePerimeter
.
Fields | |
---|---|
name |
Required. Resource name for the Format: |
GetSupportedServiceRequest
Determines whether the service is supported by VPC Service Controls. The SupportStatus
field of the returned response indicates whether the service is fully supported by VPC Service Controls.
Fields | |
---|---|
name |
The name of the service to get information about. The names must be in the same format as used in defining a service perimeter, for example, |
LevelFormat
The format used in an AccessLevel
.
Enums | |
---|---|
LEVEL_FORMAT_UNSPECIFIED |
The format was not specified. |
AS_DEFINED |
Uses the format the resource was defined in. BasicLevels are returned as BasicLevels, CustomLevels are returned as CustomLevels. |
CEL |
Use Cloud Common Expression Language when returning the resource. Both BasicLevels and CustomLevels are returned as CustomLevels. |
ListAccessLevelsRequest
A request to list all AccessLevels
in an AccessPolicy
.
Fields | |
---|---|
parent |
Required. Resource name for the access policy to list Format: |
page_size |
Number of |
page_token |
Next page token for the next batch of |
access_level_format |
Whether to return |
ListAccessLevelsResponse
A response to ListAccessLevelsRequest
.
Fields | |
---|---|
access_levels[] |
List of the |
next_page_token |
The pagination token to retrieve the next page of results. If the value is empty, no further results remain. |
ListAccessPoliciesRequest
A request to list all AccessPolicies
for a container.
Fields | |
---|---|
parent |
Required. Resource name for the container to list AccessPolicy instances from. Format: |
page_size |
Number of AccessPolicy instances to include in the list. Default 100. |
page_token |
Next page token for the next batch of AccessPolicy instances. Defaults to the first page of results. |
ListAccessPoliciesResponse
A response to ListAccessPoliciesRequest
.
Fields | |
---|---|
access_policies[] |
List of the AccessPolicy instances. |
next_page_token |
The pagination token to retrieve the next page of results. If the value is empty, no further results remain. |
ListAuthorizedOrgsDescsRequest
A request to list of all of the AuthorizedOrgsDesc
in an AccessPolicy
.
Fields | |
---|---|
parent |
Required. Resource name for the access policy to list Format: |
page_size |
Number of |
page_token |
Next page token for the next batch of |
ListAuthorizedOrgsDescsResponse
A response to ListAuthorizedOrgsDescsRequest
.
Fields | |
---|---|
authorized_orgs_descs[] |
List of the |
next_page_token |
The pagination token to retrieve the next page of results. If the value is empty, no further results remain. |
ListGcpUserAccessBindingsRequest
Request of ListGcpUserAccessBindings
.
Fields | |
---|---|
parent |
Required. Example: "organizations/256" |
page_size |
Optional. Maximum number of items to return. The server may return fewer items. If left blank, the server may return any number of items. |
page_token |
Optional. If left blank, returns the first page. To enumerate all items, use the |
filter |
Optional. The literal filter pipelines to be returned. See https://google.aip.dev/160 for more details. Accepts values: * principal:group_key * principal:service_account OR principal:service_account_project_number. If this field is empty or not one of the above, the default value is "principal:group_key". |
ListGcpUserAccessBindingsResponse
Response of ListGcpUserAccessBindings
.
Fields | |
---|---|
gcp_user_access_bindings[] |
|
next_page_token |
Token to get the next page of items. If blank, there are no more items. |
ListServicePerimetersRequest
A request to list all ServicePerimeters
in an AccessPolicy
.
Fields | |
---|---|
parent |
Required. Resource name for the access policy to list Format: |
page_size |
Number of |
page_token |
Next page token for the next batch of |
ListServicePerimetersResponse
A response to ListServicePerimetersRequest
.
Fields | |
---|---|
service_perimeters[] |
List of the |
next_page_token |
The pagination token to retrieve the next page of results. If the value is empty, no further results remain. |
ListSupportedServicesRequest
Lists the services that VPC Service Controls supports. The services that are in this list either fully support VPC Service Controls or the integration of this service with VPC Service Controls is in Preview stage. Services that aren't in this list don't support VPC Service Controls and aren't guaranteed to function properly in a VPC Service Controls environment.
Fields | |
---|---|
page_size |
This flag specifies the maximum number of services to return per page. Default is 100. |
page_token |
Token to start on a later page. Default is the first page. |
ListSupportedServicesResponse
A response to ListSupportedServicesRequest
.
Fields | |
---|---|
supported_services[] |
List of |
next_page_token |
The pagination token to retrieve the next page of results. If the value is empty, no further results remain. |
OsConstraint
A restriction on the OS type and version of devices making requests.
Fields | |
---|---|
os_type |
Required. The allowed OS type. |
minimum_version |
The minimum allowed OS version. If not set, any version of this OS satisfies the constraint. Format: |
require_verified_chrome_os |
Only allows requests from devices with a verified Chrome OS. Verifications includes requirements that the device is enterprise-managed, conformant to domain policies, and the caller has permission to call the API targeted by the request. |
ReauthSettings
Stores settings related to Google Cloud Session Length including session duration, the type of challenge (i.e. method) they should face when their session expires, and other related settings.
Fields | |
---|---|
reauth_method |
Optional. Reauth method when users GCP session is up. |
session_length |
Optional. The session length. Setting this field to zero is equal to disabling. Reauth. Also can set infinite session by flipping the enabled bit to false below. If use_oidc_max_age is true, for OIDC apps, the session length will be the minimum of this field and OIDC max_age param. |
max_inactivity |
Optional. How long a user is allowed to take between actions before a new access token must be issued. Presently only set for Cloud Apps. |
use_oidc_max_age |
Optional. Only useful for OIDC apps. When false, the OIDC max_age param, if passed in the authentication request will be ignored. When true, the re-auth period will be the minimum of the session_length field and the max_age OIDC param. |
session_length_enabled |
Optional. Big red button to turn off GCSL. When false, all fields set above will be disregarded and the session length is basically infinite. |
ReauthMethod
The reauth challenges proposed to users when the GCP session length is up.
Enums | |
---|---|
REAUTH_METHOD_UNSPECIFIED |
If method undefined in API, we will use LOGIN by default. |
LOGIN |
The user will prompted to perform regular login. Users who are enrolled for two-step verification and haven't chosen to "Remember this computer" will be prompted for their second factor. |
SECURITY_KEY |
The user will be prompted to autheticate using their security key. If no security key has been configured, then we will fallback to LOGIN. |
PASSWORD |
The user will be prompted for their password. |
ReplaceAccessLevelsRequest
A request to replace all existing Access Levels in an Access Policy with the Access Levels provided. This is done atomically.
Fields | |
---|---|
parent |
Required. Resource name for the access policy which owns these Format: |
access_levels[] |
Required. The desired |
etag |
Optional. The etag for the version of the |
ReplaceAccessLevelsResponse
A response to ReplaceAccessLevelsRequest. This will be put inside of Operation.response field.
Fields | |
---|---|
access_levels[] |
List of the |
ReplaceServicePerimetersRequest
A request to replace all existing Service Perimeters in an Access Policy with the Service Perimeters provided. This is done atomically.
Fields | |
---|---|
parent |
Required. Resource name for the access policy which owns these Format: |
service_perimeters[] |
Required. The desired |
etag |
Optional. The etag for the version of the |
ReplaceServicePerimetersResponse
A response to ReplaceServicePerimetersRequest. This will be put inside of Operation.response field.
Fields | |
---|---|
service_perimeters[] |
List of the |
ServicePerimeter
ServicePerimeter
describes a set of Google Cloud resources which can freely import and export data amongst themselves, but not export outside of the ServicePerimeter
. If a request with a source within this ServicePerimeter
has a target outside of the ServicePerimeter
, the request is blocked. Otherwise the request is allowed. There are two types of service perimeter: regular and bridge. Regular perimeters cannot overlap, a single Google Cloud project or VPC network can only belong to a single regular perimeter. Perimeter bridges can contain only Google Cloud projects as members, a single Google Cloud project might belong to multiple Service perimeter bridges.
Fields | |
---|---|
name |
Identifier. Resource name for the The After you create a |
title |
Human readable title. Must be unique within the Policy. |
description |
Description of the |
perimeter_type |
Perimeter type indicator. A single project or VPC network is allowed to be a member of single regular perimeter, but a project can be in multiple service perimeter bridges. A project cannot be a included in a perimeter bridge without being included in regular perimeter. For perimeter bridges, the restricted service list as well as access level lists must be empty. |
status |
Current ServicePerimeter configuration. Specifies sets of resources, restricted services and access levels that determine perimeter content and boundaries. |
spec |
Proposed (or dry run) ServicePerimeter configuration. This configuration allows to specify and test ServicePerimeter configuration without enforcing actual access restrictions. Only allowed to be set when the "use_explicit_dry_run_spec" flag is set. |
use_explicit_dry_run_spec |
Use explicit dry run spec flag. Ordinarily, a dry-run spec implicitly exists for all Service Perimeters, and that spec is identical to the status for those Service Perimeters. When this flag is set, it inhibits the generation of the implicit spec, thereby allowing the user to explicitly provide a configuration ("spec") to use in a dry-run version of the Service Perimeter. This allows the user to test changes to the enforced config ("status") without actually enforcing them. This testing is done through analyzing the differences between currently enforced and suggested restrictions. use_explicit_dry_run_spec must bet set to True if any of the fields in the spec are set to non-default values. |
PerimeterType
Specifies the type of the Perimeter. There are two types: regular and bridge. Regular Service Perimeter contains resources, access levels, and restricted services. Every resource can be in at most ONE regular Service Perimeter.
In addition to being in a regular service perimeter, a resource can also be in zero or more perimeter bridges. A perimeter bridge only contains resources. Cross project operations are permitted if all effected resources share some perimeter (whether bridge or regular). Perimeter Bridge does not contain access levels or services: those are governed entirely by the regular perimeter that resource is in.
Perimeter Bridges are typically useful when building more complex toplogies with many independent perimeters that need to share some data with a common perimeter, but should not be able to share data among themselves.
Enums | |
---|---|
PERIMETER_TYPE_REGULAR |
Regular Perimeter. When no value is specified, the perimeter uses this type. |
PERIMETER_TYPE_BRIDGE |
Perimeter Bridge. |
ServicePerimeterConfig
ServicePerimeterConfig
specifies a set of Google Cloud resources that describe specific Service Perimeter configuration.
Fields | |
---|---|
resources[] |
A list Google Cloud resources that are inside of the service perimeter. Only projects and VPCs are allowed. Project format: |
access_levels[] |
A list of |
restricted_services[] |
Google Cloud services that are subject to the Service Perimeter restrictions. For example, if |
vpc_accessible_services |
Configuration for APIs allowed within Perimeter. |
ingress_policies[] |
List of |
egress_policies[] |
List of |
ApiOperation
Identification for an API Operation.
Fields | |
---|---|
service_name |
The name of the API whose methods or permissions the |
method_selectors[] |
API methods or permissions to allow. Method or permission must belong to the service specified by |
EgressFrom
Defines the conditions under which an EgressPolicy
matches a request. Conditions based on information about the source of the request. Note that if the destination of the request also is protected by a ServicePerimeter
, then that ServicePerimeter
must have an IngressPolicy
which allows access in order for this request to succeed.
Fields | |
---|---|
identities[] |
A list of identities that are allowed access through |
identity_type |
Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of |
sources[] |
Sources that this |
source_restriction |
Whether to enforce traffic restrictions based on |
EgressPolicy
Policy for egress from perimeter.
EgressPolicies
match requests based on egress_from
and egress_to
stanzas. For an EgressPolicy
to match, both egress_from
and egress_to
stanzas must be matched. If an EgressPolicy
matches a request, the request is allowed to span the ServicePerimeter
boundary. For example, an EgressPolicy
can be used to allow VMs on networks within the ServicePerimeter
to access a defined set of projects outside the perimeter in certain contexts (e.g. to read data from a Cloud Storage bucket or query against a BigQuery dataset).
EgressPolicies
are concerned with the resources that a request relates as well as the API services and API actions being used. They do not related to the direction of data movement. More detailed documentation for this concept can be found in the descriptions of EgressFrom
and EgressTo
.
Fields | |
---|---|
egress_from |
Defines conditions on the source of a request causing this |
egress_to |
Defines the conditions on the |
EgressSource
The source that EgressPolicy
authorizes access from inside the ServicePerimeter
to somewhere outside the ServicePerimeter
boundaries.
Fields | |
---|---|
Union field source . Allowed egress source. source can be only one of the following: |
|
access_level |
An |
EgressTo
Defines the conditions under which an EgressPolicy
matches a request. Conditions are based on information about the ApiOperation
intended to be performed on the resources
specified. Note that if the destination of the request is also protected by a ServicePerimeter
, then that ServicePerimeter
must have an IngressPolicy
which allows access in order for this request to succeed. The request must match operations
AND resources
fields in order to be allowed egress out of the perimeter.
Fields | |
---|---|
resources[] |
A list of resources, currently only projects in the form |
operations[] |
A list of |
external_resources[] |
A list of external resources that are allowed to be accessed. Only AWS and Azure resources are supported. For Amazon S3, the supported formats are s3://BUCKET_NAME, s3a://BUCKET_NAME, and s3n://BUCKET_NAME. For Azure Storage, the supported format is azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed. |
roles[] |
IAM roles that represent the set of operations allowed to be performed by the sources specified in the corresponding |
IdentityType
Specifies the types of identities that are allowed access in either IngressFrom
or EgressFrom
rules.
Enums | |
---|---|
IDENTITY_TYPE_UNSPECIFIED |
No blanket identity group specified. |
ANY_IDENTITY |
Authorize access from all identities outside the perimeter. |
ANY_USER_ACCOUNT |
Authorize access from all human users outside the perimeter. |
ANY_SERVICE_ACCOUNT |
Authorize access from all service accounts outside the perimeter. |
IngressFrom
Defines the conditions under which an IngressPolicy
matches a request. Conditions are based on information about the source of the request. The request must satisfy what is defined in sources
AND identity related fields in order to match.
Fields | |
---|---|
sources[] |
Sources that this |
identities[] |
A list of identities that are allowed access through |
identity_type |
Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of |
IngressPolicy
Policy for ingress into ServicePerimeter
.
IngressPolicies
match requests based on ingress_from
and ingress_to
stanzas. For an ingress policy to match, both the ingress_from
and ingress_to
stanzas must be matched. If an IngressPolicy
matches a request, the request is allowed through the perimeter boundary from outside the perimeter.
For example, access from the internet can be allowed either based on an AccessLevel
or, for traffic hosted on Google Cloud, the project of the source network. For access from private networks, using the project of the hosting network is required.
Individual ingress policies can be limited by restricting which services and/or actions they match using the ingress_to
field.
Fields | |
---|---|
ingress_from |
Defines the conditions on the source of a request causing this |
ingress_to |
Defines the conditions on the |
IngressSource
The source that IngressPolicy
authorizes access from.
Fields | |
---|---|
Union field source . Allowed ingress source. It can be one of AccessLevel or Google Cloud resource. source can be only one of the following: |
|
access_level |
An |
resource |
A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources are allowed to access perimeter data. Only projects and VPCs are allowed. Project format: |
IngressTo
Defines the conditions under which an IngressPolicy
matches a request. Conditions are based on information about the ApiOperation
intended to be performed on the target resource of the request. The request must satisfy what is defined in operations
AND resources
in order to match.
Fields | |
---|---|
operations[] |
A list of |
resources[] |
A list of resources, currently only projects in the form |
roles[] |
IAM roles that represent the set of operations that the sources specified in the corresponding |
MethodSelector
An allowed method or permission of a service specified in ApiOperation
.
Fields | |
---|---|
Union field kind . The API method name or Cloud IAM permission name to allow. kind can be only one of the following: |
|
method |
A valid method name for the corresponding |
permission |
A valid Cloud IAM permission for the corresponding |
SourceRestriction
Whether to enable the enforcement of traffic based on the sources
field. Only applies to EgressFrom
.
Enums | |
---|---|
SOURCE_RESTRICTION_UNSPECIFIED |
Enforcement preference unspecified, will not enforce traffic restrictions based on sources in EgressFrom . |
SOURCE_RESTRICTION_ENABLED |
Enforcement preference enabled, traffic restrictions will be enforced based on sources in EgressFrom . |
SOURCE_RESTRICTION_DISABLED |
Enforcement preference disabled, will not enforce traffic restrictions based on sources in EgressFrom . |
VpcAccessibleServices
Specifies how APIs are allowed to communicate within the Service Perimeter.
Fields | |
---|---|
enable_restriction |
Whether to restrict API calls within the Service Perimeter to the list of APIs specified in 'allowed_services'. |
allowed_services[] |
The list of APIs usable within the Service Perimeter. Must be empty unless 'enable_restriction' is True. You can specify a list of individual services, as well as include the 'RESTRICTED-SERVICES' value, which automatically includes all of the services protected by the perimeter. |
ServiceSupportStage
The support stage of the service.
Enums | |
---|---|
SERVICE_SUPPORT_STAGE_UNSPECIFIED |
Do not use this default value. |
GA |
GA features are open to all developers and are considered stable and fully qualified for production use. |
PREVIEW |
PREVIEW indicates a pre-release stage where the product is functionally complete but undergoing real-world testing. |
DEPRECATED |
Deprecated features are scheduled to be shut down and removed. |
SupportedService
SupportedService
specifies the VPC Service Controls and its properties.
Fields | |
---|---|
name |
The service name/address of the supported service, such as 'service.googleapis.com' |
support_stage |
The support stage of the service. |
available_on_restricted_vip |
True if the service is available on the restricted VIP. Services on the restricted VIP typically either support VPC Service Controls or are core infrastructure services required for the functioning of Google Cloud. |
title |
The name of the supported product, such as 'Cloud Product API'. |
supported_methods[] |
The list of the supported methods. This field exists only in response to |
known_limitations |
True if the service is supported with some limitations. Check documentation for details. |
service_support_stage |
The support stage of the service. |
UpdateAccessLevelRequest
A request to update an AccessLevel
.
Fields | |
---|---|
access_level |
Required. The updated |
update_mask |
Required. Mask to control which fields get updated. Must be non-empty. |
UpdateAccessPolicyRequest
A request to update an AccessPolicy
.
Fields | |
---|---|
policy |
Required. The updated AccessPolicy. |
update_mask |
Required. Mask to control which fields get updated. Must be non-empty. |
UpdateAuthorizedOrgsDescRequest
A request to update a AuthorizedOrgsDesc
.
Fields | |
---|---|
authorized_orgs_desc |
Required. The updated |
update_mask |
Required. Mask to control which fields get updated. Must be non-empty. |
UpdateGcpUserAccessBindingRequest
Request of UpdateGcpUserAccessBinding
.
Fields | |
---|---|
gcp_user_access_binding |
Required. |
update_mask |
Required. Only the fields specified in this mask are updated. Because name and group_key cannot be changed, update_mask is required and may only contain the following fields: Example: update_mask { paths: "access_levels" } |
UpdateServicePerimeterRequest
A request to update a ServicePerimeter
.
Fields | |
---|---|
service_perimeter |
Required. The updated |
update_mask |
Required. Mask to control which fields get updated. Must be non-empty. |
VpcNetworkSource
The originating network source in Google Cloud.
Fields | |
---|---|
Union field kind . The type of the originating network source of the request. kind can be only one of the following: |
|
vpc_subnetwork |
Sub-segment ranges of a VPC network. |
VpcSubNetwork
Sub-segment ranges inside of a VPC Network.
Fields | |
---|---|
network |
Required. Network name. If the network is not part of the organization, the |
vpc_ip_subnetworks[] |
CIDR block IP subnetwork specification. The IP address must be an IPv4 address and can be a public or private IP address. Note that for a CIDR IP address block, the specified IP address portion must be properly truncated (i.e. all the host bits must be zero) or the input is considered malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. If empty, all IP addresses are allowed. |