Resource: SecurityAction
A SecurityAction is a rule that can be enforced at an environment level. The result is one of:
- A denied API call
- An explicitly allowed API call
- A flagged API call (HTTP headers added before the target receives it)

At least one condition is required to create a SecurityAction.
JSON representation |
---|
{ "name": string, "description": string, "state": enum ( |
Fields | |
---|---|
name |
Immutable. This field is ignored during creation as per AIP-133. Please set the |
description |
Optional. An optional user provided description of the SecurityAction. |
state |
Required. Only an ENABLED SecurityAction is enforced. An ENABLED SecurityAction past its expiration time will not be enforced. |
createTime |
Output only. The create time for this SecurityAction. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
updateTime |
Output only. The update time for this SecurityAction. This reflects when this SecurityAction changed states. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
apiProxies[] |
Optional. If unset, this would apply to all proxies in the environment. If set, this action is enforced only if at least one proxy in the repeated list is deployed at the time of enforcement. If set, several restrictions are enforced on SecurityActions. There can be at most 100 enabled actions with proxies set in an env. Several other restrictions apply on conditions and are detailed later. |
conditionConfig |
Required. A valid SecurityAction must contain at least one condition. |
Union field action_type . The action that needs to be taken when a request matches this SecurityAction. action_type can be only one of the following: |
|
allow |
Allow a request through if it matches this SecurityAction. |
deny |
Deny a request if it matches this SecurityAction. |
flag |
Flag a request through if it matches this SecurityAction. |
Union field expiration . A SecurityAction will not be enforced beyond this time even if it is enabled. If unset the rule never expires. expiration can be only one of the following: |
|
expireTime |
The expiration for this SecurityAction. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
ttl |
Input only. The TTL for this SecurityAction. A duration in seconds with up to nine fractional digits, ending with ' |
State
An enum of valid states that a SecurityAction can exist in.
Enums | |
---|---|
STATE_UNSPECIFIED |
The default value. This only exists for forward compatibility. A create request with this value will be rejected. |
ENABLED |
An ENABLED SecurityAction is actively enforced if the expiration_time is in the future. |
DISABLED |
A disabled SecurityAction is never enforced. |
Allow
This type has no fields.
Message that should be set in case of an Allow Action. This does not have any fields.
Deny
Message that should be set in case of a Deny Action.
JSON representation |
---|
{ "responseCode": integer } |
Fields | |
---|---|
responseCode |
Optional. The HTTP response code if the Action = DENY. |
Flag
The message that should be set in the case of a Flag action.
JSON representation |
---|
{
"headers": [
{
object ( |
Fields | |
---|---|
headers[] |
Optional. A list of HTTP headers to be sent to the target in case of a FLAG SecurityAction. Limit 5 headers per SecurityAction. At least one is mandatory. |
HttpHeader
An HTTP header.
JSON representation |
---|
{ "name": string, "value": string } |
Fields | |
---|---|
name |
The header name to be sent to the target. |
value |
The header value to be sent to the target. |
ConditionConfig
The following is a list of conditions. A valid SecurityAction must contain at least one condition. Within a condition, the elements are ORed. Across conditions, the elements are ANDed. For example, if a SecurityAction has ipAddressRanges: ["ip1", "ip2"] and botReasons: ["Flooder", "Robot Abuser"], then this is interpreted as: enforce the action if the incoming request has ((ipAddressRanges = "ip1" OR ipAddressRanges = "ip2") AND (botReasons = "Flooder" OR botReasons = "Robot Abuser")). Conditions other than ipAddressRanges and botReasons cannot be ANDed.
JSON representation |
---|
{ "ipAddressRanges": [ string ], "botReasons": [ string ], "httpMethods": [ string ], "apiKeys": [ string ], "accessTokens": [ string ], "apiProducts": [ string ], "developerApps": [ string ], "developers": [ string ], "userAgents": [ string ], "regionCodes": [ string ], "asns": [ string ] } |
Fields | |
---|---|
ipAddressRanges[] |
Optional. A list of IP addresses. This could be either IPv4 or IPv6. Limited to 100 per action. |
botReasons[] |
Optional. A list of Bot Reasons. Current options: Flooder, Brute Guessor, Static Content Scraper, OAuth Abuser, Robot Abuser, TorListRule, Advanced Anomaly Detection, Advanced API Scraper, Search Engine Crawlers, Public Clouds, Public Cloud AWS, Public Cloud Azure, and Public Cloud Google. |
httpMethods[] |
Optional. Act only on particular HTTP methods. E.g. A read-only API can block POST/PUT/DELETE methods. Accepted values are: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE and PATCH. |
apiKeys[] |
Optional. A list of API keys. Limit 1000 per action. |
accessTokens[] |
Optional. A list of accessTokens. Limit 1000 per action. |
apiProducts[] |
Optional. A list of API Products. Limit 1000 per action. |
developerApps[] |
Optional. A list of developer apps. Limit 1000 per action. |
developers[] |
Optional. A list of developers. Limit 1000 per action. |
userAgents[] |
Optional. A list of user agents to deny. We look for exact matches. Limit 50 per action. |
regionCodes[] |
Optional. A list of countries/region codes to act on, e.g. US. This follows https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2. |
asns[] |
Optional. A list of ASN numbers to act on, e.g. 23. See https://en.wikipedia.org/wiki/Autonomous_system_(Internet). This uses int64 instead of uint32 because of https://linter.aip.dev/141/forbidden-types. |
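
The per-field limits in the table above and the combination rule in the ConditionConfig description can be checked locally before a SecurityAction is submitted. The linter below is an added example, not part of the Apigee documentation or API; the function name `lint_security_action`, the sample body, and the treatment of each ipAddressRanges entry as a single address or CIDR block are assumptions.

```python
import ipaddress

# Limits and accepted values copied from the field tables on this page.
LIMITS = {"ipAddressRanges": 100, "userAgents": 50, "apiKeys": 1000,
          "accessTokens": 1000, "apiProducts": 1000, "developerApps": 1000,
          "developers": 1000}
UNLIMITED = {"botReasons", "httpMethods", "regionCodes", "asns"}
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT",
                "OPTIONS", "TRACE", "PATCH"}
ANDABLE = {"ipAddressRanges", "botReasons"}

def lint_security_action(action):
    """Return a list of problems in a SecurityAction body given as a dict."""
    problems = []
    if action.get("state") not in ("ENABLED", "DISABLED"):
        problems.append("state must be ENABLED or DISABLED")
    if sum(k in action for k in ("allow", "deny", "flag")) != 1:
        problems.append("set exactly one of allow, deny, flag")
    if "expireTime" in action and "ttl" in action:
        problems.append("expireTime and ttl are mutually exclusive")
    if "flag" in action and not 1 <= len(action["flag"].get("headers", [])) <= 5:
        problems.append("flag needs 1 to 5 headers")
    cond = action.get("conditionConfig") or {}
    used = sorted(k for k, v in cond.items() if v)
    if not used:
        problems.append("at least one condition is required")
    for key in used:
        if key not in LIMITS and key not in UNLIMITED:
            problems.append(f"unknown condition: {key}")
        elif len(cond[key]) > LIMITS.get(key, len(cond[key])):
            problems.append(f"{key} exceeds limit of {LIMITS[key]}")
    # Only ipAddressRanges and botReasons may appear together (ANDed).
    if len(used) > 1 and not set(used) <= ANDABLE:
        problems.append("only ipAddressRanges and botReasons can be ANDed")
    for method in cond.get("httpMethods", []):
        if method not in HTTP_METHODS:
            problems.append(f"unsupported HTTP method: {method}")
    for entry in cond.get("ipAddressRanges", []):
        try:  # Assumption: entries are single addresses or CIDR blocks.
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append(f"not an IP address or range: {entry}")
    return problems

# Constructed sample: a deny rule that wrongly combines three conditions.
SAMPLE = {"state": "ENABLED", "deny": {"responseCode": 403},
          "conditionConfig": {"ipAddressRanges": ["203.0.113.0/24", "2001:db8::1"],
                              "botReasons": ["Flooder"],
                              "httpMethods": ["POST", "FETCH"]}}
print(lint_security_action(SAMPLE))
```

The environment-wide cap of 100 enabled actions with apiProxies set cannot be checked from a single body and is not covered here.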
Methods | |
---|---|
|
CreateSecurityAction creates a SecurityAction. |
|
Disable a SecurityAction. |
|
Enable a SecurityAction. |
|
Get a SecurityAction by name. |
|
Returns a list of SecurityActions. |