Index
AuditConfig
(message)AuditLogConfig
(message)AuditLogConfig.LogType
(enum)Binding
(message)GetIamPolicyRequest
(message)GetPolicyOptions
(message)Policy
(message)SetIamPolicyRequest
(message)TestIamPermissionsRequest
(message)TestIamPermissionsResponse
(message)
AuditConfig
Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.
If there are AuditConfigs for both allServices
and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted.
Example Policy with multiple AuditConfigs:
{
"audit_configs": [
{
"service": "allServices",
"audit_log_configs": [
{
"log_type": "DATA_READ",
"exempted_members": [
"user:jose@example.com"
]
},
{
"log_type": "DATA_WRITE"
},
{
"log_type": "ADMIN_READ"
}
]
},
{
"service": "sampleservice.googleapis.com",
"audit_log_configs": [
{
"log_type": "DATA_READ"
},
{
"log_type": "DATA_WRITE",
"exempted_members": [
"user:aliya@example.com"
]
}
]
}
]
}
For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts jose@example.com
from DATA_READ logging, and aliya@example.com
from DATA_WRITE logging.
Fields | |
---|---|
service |
Specifies a service that will be enabled for audit logging. For example, |
audit_log_configs[] |
The configuration for logging of each type of permission. |
AuditLogConfig
Provides the configuration for logging a type of permissions. Example:
{
"audit_log_configs": [
{
"log_type": "DATA_READ",
"exempted_members": [
"user:jose@example.com"
]
},
{
"log_type": "DATA_WRITE"
}
]
}
This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from DATA_READ logging.
Fields | |
---|---|
log_type |
The log type that this config enables. |
exempted_members[] |
Specifies the identities that do not cause logging for this type of permission. Follows the same format of |
LogType
The list of valid permission types for which logging can be configured. Admin writes are always logged, and are not configurable.
Enums | |
---|---|
LOG_TYPE_UNSPECIFIED |
Default case. Should never be this. |
ADMIN_READ |
Admin reads. Example: CloudIAM getIamPolicy |
DATA_WRITE |
Data writes. Example: CloudSQL Users create |
DATA_READ |
Data reads. Example: CloudSQL Users list |
Binding
Associates members
, or principals, with a role
.
Fields | |
---|---|
role |
Role that is assigned to the list of |
members[] |
Specifies the principals requesting access for a Google Cloud resource.
|
condition |
The condition that is associated with this binding. If the condition evaluates to If the condition evaluates to To learn which resources support conditions in their IAM policies, see the IAM documentation. |
GetIamPolicyRequest
Request message for GetIamPolicy
method.
Fields | |
---|---|
resource |
REQUIRED: The resource for which the policy is being requested. See |