Variables
File_google_iam_v2_deny_proto
var File_google_iam_v2_deny_proto protoreflect.FileDescriptorFile_google_iam_v2_policy_proto
var File_google_iam_v2_policy_proto protoreflect.FileDescriptorFunctions
func RegisterPoliciesServer
func RegisterPoliciesServer(s *grpc.Server, srv PoliciesServer)CreatePolicyRequest
type CreatePolicyRequest struct {
// Required. The resource that the policy is attached to, along with the kind of policy
// to create. Format: `policies/{attachment_point}/denypolicies`
//
// The attachment point is identified by its URL-encoded full resource name,
// which means that the forward-slash character, `/`, must be written as
// `%2F`. For example,
// `policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies`.
//
// For organizations and folders, use the numeric ID in the full resource
// name. For projects, you can use the alphanumeric or the numeric ID.
Parent string `protobuf:"bytes,1,opt,name=parent,proto3" json:"parent,omitempty"`
// Required. The policy to create.
Policy *Policy `protobuf:"bytes,2,opt,name=policy,proto3" json:"policy,omitempty"`
// The ID to use for this policy, which will become the final component of
// the policy's resource name. The ID must contain 3 to 63 characters. It can
// contain lowercase letters and numbers, as well as dashes (`-`) and periods
// (`.`). The first character must be a lowercase letter.
PolicyId string `protobuf:"bytes,3,opt,name=policy_id,json=policyId,proto3" json:"policy_id,omitempty"`
// contains filtered or unexported fields
}Request message for CreatePolicy.
func (*CreatePolicyRequest) Descriptor
func (*CreatePolicyRequest) Descriptor() ([]byte, []int)Deprecated: Use CreatePolicyRequest.ProtoReflect.Descriptor instead.
func (*CreatePolicyRequest) GetParent
func (x *CreatePolicyRequest) GetParent() stringfunc (*CreatePolicyRequest) GetPolicy
func (x *CreatePolicyRequest) GetPolicy() *Policyfunc (*CreatePolicyRequest) GetPolicyId
func (x *CreatePolicyRequest) GetPolicyId() stringfunc (*CreatePolicyRequest) ProtoMessage
func (*CreatePolicyRequest) ProtoMessage()func (*CreatePolicyRequest) ProtoReflect
func (x *CreatePolicyRequest) ProtoReflect() protoreflect.Messagefunc (*CreatePolicyRequest) Reset
func (x *CreatePolicyRequest) Reset()func (*CreatePolicyRequest) String
func (x *CreatePolicyRequest) String() stringDeletePolicyRequest
type DeletePolicyRequest struct {
// Required. The resource name of the policy to delete. Format:
// `policies/{attachment_point}/denypolicies/{policy_id}`
//
// Use the URL-encoded full resource name, which means that the forward-slash
// character, `/`, must be written as `%2F`. For example,
// `policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies/my-policy`.
//
// For organizations and folders, use the numeric ID in the full resource
// name. For projects, you can use the alphanumeric or the numeric ID.
Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
// Optional. The expected `etag` of the policy to delete. If the value does not match
// the value that is stored in IAM, the request fails with a `409` error code
// and `ABORTED` status.
//
// If you omit this field, the policy is deleted regardless of its current
// `etag`.
Etag string `protobuf:"bytes,2,opt,name=etag,proto3" json:"etag,omitempty"`
// contains filtered or unexported fields
}Request message for DeletePolicy.
func (*DeletePolicyRequest) Descriptor
func (*DeletePolicyRequest) Descriptor() ([]byte, []int)Deprecated: Use DeletePolicyRequest.ProtoReflect.Descriptor instead.
func (*DeletePolicyRequest) GetEtag
func (x *DeletePolicyRequest) GetEtag() stringfunc (*DeletePolicyRequest) GetName
func (x *DeletePolicyRequest) GetName() stringfunc (*DeletePolicyRequest) ProtoMessage
func (*DeletePolicyRequest) ProtoMessage()func (*DeletePolicyRequest) ProtoReflect
func (x *DeletePolicyRequest) ProtoReflect() protoreflect.Messagefunc (*DeletePolicyRequest) Reset
func (x *DeletePolicyRequest) Reset()func (*DeletePolicyRequest) String
func (x *DeletePolicyRequest) String() stringDenyRule
type DenyRule struct {
// The identities that are prevented from using one or more permissions on
// Google Cloud resources. This field can contain the following values:
//
// - `principalSet://goog/public:all`: A special identifier that represents
// any principal that is on the internet, even if they do not have a Google
// Account or are not logged in.
//
// - `principal://goog/subject/{email_id}`: A specific Google Account.
// Includes Gmail, Cloud Identity, and Google Workspace user accounts. For
// example, `principal://goog/subject/alice@example.com`.
//
// - `deleted:principal://goog/subject/{email_id}?uid={uid}`: A specific
// Google Account that was deleted recently. For example,
// `deleted:principal://goog/subject/alice@example.com?uid=1234567890`. If
// the Google Account is recovered, this identifier reverts to the standard
// identifier for a Google Account.
//
// - `principalSet://goog/group/{group_id}`: A Google group. For example,
// `principalSet://goog/group/admins@example.com`.
//
// - `deleted:principalSet://goog/group/{group_id}?uid={uid}`: A Google group
// that was deleted recently. For example,
// `deleted:principalSet://goog/group/admins@example.com?uid=1234567890`. If
// the Google group is restored, this identifier reverts to the standard
// identifier for a Google group.
//
// - `principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}`:
// A Google Cloud service account. For example,
// `principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com`.
//
// - `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}`:
// A Google Cloud service account that was deleted recently. For example,
// `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890`.
// If the service account is undeleted, this identifier reverts to the
// standard identifier for a service account.
//
// - `principalSet://goog/cloudIdentityCustomerId/{customer_id}`: All of the
// principals associated with the specified Google Workspace or Cloud
// Identity customer ID. For example,
// `principalSet://goog/cloudIdentityCustomerId/C01Abc35`.
DeniedPrincipals []string `protobuf:"bytes,1,rep,name=denied_principals,json=deniedPrincipals,proto3" json:"denied_principals,omitempty"`
// The identities that are excluded from the deny rule, even if they are
// listed in the `denied_principals`. For example, you could add a Google
// group to the `denied_principals`, then exclude specific users who belong to
// that group.
//
// This field can contain the same values as the `denied_principals` field,
// excluding `principalSet://goog/public:all`, which represents all users on
// the internet.
ExceptionPrincipals []string `protobuf:"bytes,2,rep,name=exception_principals,json=exceptionPrincipals,proto3" json:"exception_principals,omitempty"`
// The permissions that are explicitly denied by this rule. Each permission
// uses the format `{service_fqdn}/{resource}.{verb}`, where `{service_fqdn}`
// is the fully qualified domain name for the service. For example,
// `iam.googleapis.com/roles.list`.
DeniedPermissions []string `protobuf:"bytes,3,rep,name=denied_permissions,json=deniedPermissions,proto3" json:"denied_permissions,omitempty"`
// Specifies the permissions that this rule excludes from the set of denied
// permissions given by `denied_permissions`. If a permission appears in
// `denied_permissions` _and_ in `exception_permissions` then it will _not_ be
// denied.
//
// The excluded permissions can be specified using the same syntax as
// `denied_permissions`.
ExceptionPermissions []string `protobuf:"bytes,4,rep,name=exception_permissions,json=exceptionPermissions,proto3" json:"exception_permissions,omitempty"`
// The condition that determines whether this deny rule applies to a request.
// If the condition expression evaluates to `true`, then the deny rule is
// applied; otherwise, the deny rule is not applied.
//
// Each deny rule is evaluated independently. If this deny rule does not apply
// to a request, other deny rules might still apply.
//
// The condition can use CEL functions that evaluate
// [resource
// tags](https://cloud.google.com/iam/help/conditions/resource-tags). Other
// functions and operators are not supported.
DenialCondition *expr.Expr `protobuf:"bytes,5,opt,name=denial_condition,json=denialCondition,proto3" json:"denial_condition,omitempty"`
// contains filtered or unexported fields
}A deny rule in an IAM deny policy.
func (*DenyRule) Descriptor
Deprecated: Use DenyRule.ProtoReflect.Descriptor instead.
func (*DenyRule) GetDenialCondition
func (*DenyRule) GetDeniedPermissions
func (*DenyRule) GetDeniedPrincipals
func (*DenyRule) GetExceptionPermissions
func (*DenyRule) GetExceptionPrincipals
func (*DenyRule) ProtoMessage
func (*DenyRule) ProtoMessage()func (*DenyRule) ProtoReflect
func (x *DenyRule) ProtoReflect() protoreflect.Messagefunc (*DenyRule) Reset
func (x *DenyRule) Reset()func (*DenyRule) String
GetPolicyRequest
type GetPolicyRequest struct {
// Required. The resource name of the policy to retrieve. Format:
// `policies/{attachment_point}/denypolicies/{policy_id}`
//
// Use the URL-encoded full resource name, which means that the forward-slash
// character, `/`, must be written as `%2F`. For example,
// `policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies/my-policy`.
//
// For organizations and folders, use the numeric ID in the full resource
// name. For projects, you can use the alphanumeric or the numeric ID.
Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
// contains filtered or unexported fields
}Request message for GetPolicy.
func (*GetPolicyRequest) Descriptor
func (*GetPolicyRequest) Descriptor() ([]byte, []int)Deprecated: Use GetPolicyRequest.ProtoReflect.Descriptor instead.
func (*GetPolicyRequest) GetName
func (x *GetPolicyRequest) GetName() stringfunc (*GetPolicyRequest) ProtoMessage
func (*GetPolicyRequest) ProtoMessage()func (*GetPolicyRequest) ProtoReflect
func (x *GetPolicyRequest) ProtoReflect() protoreflect.Messagefunc (*GetPolicyRequest) Reset
func (x *GetPolicyRequest) Reset()func (*GetPolicyRequest) String
func (x *GetPolicyRequest) String() stringListPoliciesRequest
type ListPoliciesRequest struct {
// Required. The resource that the policy is attached to, along with the kind of policy
// to list. Format:
// `policies/{attachment_point}/denypolicies`
//
// The attachment point is identified by its URL-encoded full resource name,
// which means that the forward-slash character, `/`, must be written as
// `%2F`. For example,
// `policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies`.
//
// For organizations and folders, use the numeric ID in the full resource
// name. For projects, you can use the alphanumeric or the numeric ID.
Parent string `protobuf:"bytes,1,opt,name=parent,proto3" json:"parent,omitempty"`
// The maximum number of policies to return. IAM ignores this value and uses
// the value 1000.
PageSize int32 `protobuf:"varint,2,opt,name=page_size,json=pageSize,proto3" json:"page_size,omitempty"`
// A page token received in a [ListPoliciesResponse][google.iam.v2.ListPoliciesResponse]. Provide this token to
// retrieve the next page.
PageToken string `protobuf:"bytes,3,opt,name=page_token,json=pageToken,proto3" json:"page_token,omitempty"`
// contains filtered or unexported fields
}Request message for ListPolicies.
func (*ListPoliciesRequest) Descriptor
func (*ListPoliciesRequest) Descriptor() ([]byte, []int)Deprecated: Use ListPoliciesRequest.ProtoReflect.Descriptor instead.
func (*ListPoliciesRequest) GetPageSize
func (x *ListPoliciesRequest) GetPageSize() int32func (*ListPoliciesRequest) GetPageToken
func (x *ListPoliciesRequest) GetPageToken() stringfunc (*ListPoliciesRequest) GetParent
func (x *ListPoliciesRequest) GetParent() stringfunc (*ListPoliciesRequest) ProtoMessage
func (*ListPoliciesRequest) ProtoMessage()func (*ListPoliciesRequest) ProtoReflect
func (x *ListPoliciesRequest) ProtoReflect() protoreflect.Messagefunc (*ListPoliciesRequest) Reset
func (x *ListPoliciesRequest) Reset()func (*ListPoliciesRequest) String
func (x *ListPoliciesRequest) String() stringListPoliciesResponse
type ListPoliciesResponse struct {
// Metadata for the policies that are attached to the resource.
Policies []*Policy `protobuf:"bytes,1,rep,name=policies,proto3" json:"policies,omitempty"`
// A page token that you can use in a [ListPoliciesRequest][google.iam.v2.ListPoliciesRequest] to retrieve the
// next page. If this field is omitted, there are no additional pages.
NextPageToken string `protobuf:"bytes,2,opt,name=next_page_token,json=nextPageToken,proto3" json:"next_page_token,omitempty"`
// contains filtered or unexported fields
}Response message for ListPolicies.
func (*ListPoliciesResponse) Descriptor
func (*ListPoliciesResponse) Descriptor() ([]byte, []int)Deprecated: Use ListPoliciesResponse.ProtoReflect.Descriptor instead.
func (*ListPoliciesResponse) GetNextPageToken
func (x *ListPoliciesResponse) GetNextPageToken() stringfunc (*ListPoliciesResponse) GetPolicies
func (x *ListPoliciesResponse) GetPolicies() []*Policyfunc (*ListPoliciesResponse) ProtoMessage
func (*ListPoliciesResponse) ProtoMessage()func (*ListPoliciesResponse) ProtoReflect
func (x *ListPoliciesResponse) ProtoReflect() protoreflect.Messagefunc (*ListPoliciesResponse) Reset
func (x *ListPoliciesResponse) Reset()func (*ListPoliciesResponse) String
func (x *ListPoliciesResponse) String() stringPoliciesClient
type PoliciesClient interface {
// Retrieves the policies of the specified kind that are attached to a
// resource.
//
// The response lists only policy metadata. In particular, policy rules are
// omitted.
ListPolicies(ctx context.Context, in *ListPoliciesRequest, opts ...grpc.CallOption) (*ListPoliciesResponse, error)
// Gets a policy.
GetPolicy(ctx context.Context, in *GetPolicyRequest, opts ...grpc.CallOption) (*Policy, error)
// Creates a policy.
CreatePolicy(ctx context.Context, in *CreatePolicyRequest, opts ...grpc.CallOption) (*longrunning.Operation, error)
// Updates the specified policy.
//
// You can update only the rules and the display name for the policy.
//
// To update a policy, you should use a read-modify-write loop:
//
// 1. Use [GetPolicy][google.iam.v2.Policies.GetPolicy] to read the current version of the policy.
// 2. Modify the policy as needed.
// 3. Use `UpdatePolicy` to write the updated policy.
//
// This pattern helps prevent conflicts between concurrent updates.
UpdatePolicy(ctx context.Context, in *UpdatePolicyRequest, opts ...grpc.CallOption) (*longrunning.Operation, error)
// Deletes a policy. This action is permanent.
DeletePolicy(ctx context.Context, in *DeletePolicyRequest, opts ...grpc.CallOption) (*longrunning.Operation, error)
}PoliciesClient is the client API for Policies service.
For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
func NewPoliciesClient
func NewPoliciesClient(cc grpc.ClientConnInterface) PoliciesClientPoliciesServer
type PoliciesServer interface {
// Retrieves the policies of the specified kind that are attached to a
// resource.
//
// The response lists only policy metadata. In particular, policy rules are
// omitted.
ListPolicies(context.Context, *ListPoliciesRequest) (*ListPoliciesResponse, error)
// Gets a policy.
GetPolicy(context.Context, *GetPolicyRequest) (*Policy, error)
// Creates a policy.
CreatePolicy(context.Context, *CreatePolicyRequest) (*longrunning.Operation, error)
// Updates the specified policy.
//
// You can update only the rules and the display name for the policy.
//
// To update a policy, you should use a read-modify-write loop:
//
// 1. Use [GetPolicy][google.iam.v2.Policies.GetPolicy] to read the current version of the policy.
// 2. Modify the policy as needed.
// 3. Use `UpdatePolicy` to write the updated policy.
//
// This pattern helps prevent conflicts between concurrent updates.
UpdatePolicy(context.Context, *UpdatePolicyRequest) (*longrunning.Operation, error)
// Deletes a policy. This action is permanent.
DeletePolicy(context.Context, *DeletePolicyRequest) (*longrunning.Operation, error)
}PoliciesServer is the server API for Policies service.
Policy
type Policy struct {
Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
Uid string `protobuf:"bytes,2,opt,name=uid,proto3" json:"uid,omitempty"`
Kind string `protobuf:"bytes,3,opt,name=kind,proto3" json:"kind,omitempty"`
DisplayName string `protobuf:"bytes,4,opt,name=display_name,json=displayName,proto3" json:"display_name,omitempty"`
Annotations map[string]string "" /* 163 byte string literal not displayed */
Etag string `protobuf:"bytes,6,opt,name=etag,proto3" json:"etag,omitempty"`
CreateTime *timestamppb.Timestamp `protobuf:"bytes,7,opt,name=create_time,json=createTime,proto3" json:"create_time,omitempty"`
UpdateTime *timestamppb.Timestamp `protobuf:"bytes,8,opt,name=update_time,json=updateTime,proto3" json:"update_time,omitempty"`
DeleteTime *timestamppb.Timestamp `protobuf:"bytes,9,opt,name=delete_time,json=deleteTime,proto3" json:"delete_time,omitempty"`
Rules []*PolicyRule `protobuf:"bytes,10,rep,name=rules,proto3" json:"rules,omitempty"`
ManagingAuthority string `protobuf:"bytes,11,opt,name=managing_authority,json=managingAuthority,proto3" json:"managing_authority,omitempty"`
}Data for an IAM policy.
func (*Policy) Descriptor
Deprecated: Use Policy.ProtoReflect.Descriptor instead.
func (*Policy) GetAnnotations
func (*Policy) GetCreateTime
func (x *Policy) GetCreateTime() *timestamppb.Timestampfunc (*Policy) GetDeleteTime
func (x *Policy) GetDeleteTime() *timestamppb.Timestampfunc (*Policy) GetDisplayName
func (*Policy) GetEtag
func (*Policy) GetKind
func (*Policy) GetManagingAuthority
func (*Policy) GetName
func (*Policy) GetRules
func (x *Policy) GetRules() []*PolicyRulefunc (*Policy) GetUid
func (*Policy) GetUpdateTime
func (x *Policy) GetUpdateTime() *timestamppb.Timestampfunc (*Policy) ProtoMessage
func (*Policy) ProtoMessage()func (*Policy) ProtoReflect
func (x *Policy) ProtoReflect() protoreflect.Messagefunc (*Policy) Reset
func (x *Policy) Reset()func (*Policy) String
PolicyOperationMetadata
type PolicyOperationMetadata struct {
// Timestamp when the `google.longrunning.Operation` was created.
CreateTime *timestamppb.Timestamp `protobuf:"bytes,1,opt,name=create_time,json=createTime,proto3" json:"create_time,omitempty"`
// contains filtered or unexported fields
}Metadata for long-running Policy operations.
func (*PolicyOperationMetadata) Descriptor
func (*PolicyOperationMetadata) Descriptor() ([]byte, []int)Deprecated: Use PolicyOperationMetadata.ProtoReflect.Descriptor instead.
func (*PolicyOperationMetadata) GetCreateTime
func (x *PolicyOperationMetadata) GetCreateTime() *timestamppb.Timestampfunc (*PolicyOperationMetadata) ProtoMessage
func (*PolicyOperationMetadata) ProtoMessage()func (*PolicyOperationMetadata) ProtoReflect
func (x *PolicyOperationMetadata) ProtoReflect() protoreflect.Messagefunc (*PolicyOperationMetadata) Reset
func (x *PolicyOperationMetadata) Reset()func (*PolicyOperationMetadata) String
func (x *PolicyOperationMetadata) String() stringPolicyRule
type PolicyRule struct {
// Types that are assignable to Kind:
//
// *PolicyRule_DenyRule
Kind isPolicyRule_Kind `protobuf_oneof:"kind"`
// A user-specified description of the rule. This value can be up to 256
// characters.
Description string `protobuf:"bytes,1,opt,name=description,proto3" json:"description,omitempty"`
// contains filtered or unexported fields
}A single rule in a Policy.
func (*PolicyRule) Descriptor
func (*PolicyRule) Descriptor() ([]byte, []int)Deprecated: Use PolicyRule.ProtoReflect.Descriptor instead.
func (*PolicyRule) GetDenyRule
func (x *PolicyRule) GetDenyRule() *DenyRulefunc (*PolicyRule) GetDescription
func (x *PolicyRule) GetDescription() stringfunc (*PolicyRule) GetKind
func (m *PolicyRule) GetKind() isPolicyRule_Kindfunc (*PolicyRule) ProtoMessage
func (*PolicyRule) ProtoMessage()func (*PolicyRule) ProtoReflect
func (x *PolicyRule) ProtoReflect() protoreflect.Messagefunc (*PolicyRule) Reset
func (x *PolicyRule) Reset()func (*PolicyRule) String
func (x *PolicyRule) String() stringPolicyRule_DenyRule
type PolicyRule_DenyRule struct {
// A rule for a deny policy.
DenyRule *DenyRule `protobuf:"bytes,2,opt,name=deny_rule,json=denyRule,proto3,oneof"`
}UnimplementedPoliciesServer
type UnimplementedPoliciesServer struct {
}UnimplementedPoliciesServer can be embedded to have forward compatible implementations.
func (*UnimplementedPoliciesServer) CreatePolicy
func (*UnimplementedPoliciesServer) CreatePolicy(context.Context, *CreatePolicyRequest) (*longrunning.Operation, error)func (*UnimplementedPoliciesServer) DeletePolicy
func (*UnimplementedPoliciesServer) DeletePolicy(context.Context, *DeletePolicyRequest) (*longrunning.Operation, error)func (*UnimplementedPoliciesServer) GetPolicy
func (*UnimplementedPoliciesServer) GetPolicy(context.Context, *GetPolicyRequest) (*Policy, error)func (*UnimplementedPoliciesServer) ListPolicies
func (*UnimplementedPoliciesServer) ListPolicies(context.Context, *ListPoliciesRequest) (*ListPoliciesResponse, error)func (*UnimplementedPoliciesServer) UpdatePolicy
func (*UnimplementedPoliciesServer) UpdatePolicy(context.Context, *UpdatePolicyRequest) (*longrunning.Operation, error)UpdatePolicyRequest
type UpdatePolicyRequest struct {
// Required. The policy to update.
//
// To prevent conflicting updates, the `etag` value must match the value that
// is stored in IAM. If the `etag` values do not match, the request fails with
// a `409` error code and `ABORTED` status.
Policy *Policy `protobuf:"bytes,1,opt,name=policy,proto3" json:"policy,omitempty"`
// contains filtered or unexported fields
}Request message for UpdatePolicy.
func (*UpdatePolicyRequest) Descriptor
func (*UpdatePolicyRequest) Descriptor() ([]byte, []int)Deprecated: Use UpdatePolicyRequest.ProtoReflect.Descriptor instead.
func (*UpdatePolicyRequest) GetPolicy
func (x *UpdatePolicyRequest) GetPolicy() *Policyfunc (*UpdatePolicyRequest) ProtoMessage
func (*UpdatePolicyRequest) ProtoMessage()func (*UpdatePolicyRequest) ProtoReflect
func (x *UpdatePolicyRequest) ProtoReflect() protoreflect.Messagefunc (*UpdatePolicyRequest) Reset
func (x *UpdatePolicyRequest) Reset()func (*UpdatePolicyRequest) String
func (x *UpdatePolicyRequest) String() string