Resource: ReplayResult
The result of replaying a single access tuple against a simulated state.
JSON representation:
{ "name": string, "parent": string, "accessTuple": { object (
Field | Description
---|---
name | The resource name of the
parent | The
accessTuple | The access tuple that was replayed. This field includes information about the member, resource, and permission that were involved in the access attempt.
lastSeenDate | The latest date this access tuple was seen in the logs.
Union field result. The result of replaying the access tuple. result can be only one of the following:
Field | Description
---|---
diff | The difference between the member's access under the current (baseline) policies and the member's access under the proposed (simulated) policies. This field is only included for access tuples that were successfully replayed and had different results under the current policies and the proposed policies.
error | The error that caused the access tuple replay to fail. This field is only included for access tuples that were not replayed successfully.
AccessTuple
Information about the member, resource, and permission to check.
JSON representation:
{ "principal": string, "fullResourceName": string, "permission": string }
Field | Description
---|---
principal | Required. The member, or principal, whose access you want to check, in the form of the email address that represents that member. The member must be a Google Account or a service account. Other types of members are not supported.
fullResourceName | Required. The full resource name that identifies the resource. For examples of full resource names for Google Cloud services, see https://cloud.google.com/iam/help/troubleshooter/full-resource-names.
permission | Required. The IAM permission to check for the specified member and resource. For a complete list of IAM permissions, see https://cloud.google.com/iam/help/permissions/reference. For a complete list of predefined IAM roles and the permissions in each role, see https://cloud.google.com/iam/help/roles/reference.
ReplayDiff
The difference between the results of evaluating an access tuple under the current (baseline) policies and under the proposed (simulated) policies. This difference explains how a member's access could change if the proposed policies were applied.
JSON representation:
{ "accessDiff": { object (AccessStateDiff) } }
Field | Description
---|---
accessDiff | A summary and comparison of the member's access under the current (baseline) policies and the proposed (simulated) policies for a single access tuple. The evaluation of the member's access is reported in the AccessState field.
AccessStateDiff
A summary and comparison of the member's access under the current (baseline) policies and the proposed (simulated) policies for a single access tuple.
JSON representation:
{ "baseline": { object (ExplainedAccess) }, "simulated": { object (ExplainedAccess) }, "accessChange": enum (AccessChangeType) }
Field | Description
---|---
baseline | The results of evaluating the access tuple under the current (baseline) policies. If the AccessState couldn't be fully evaluated, this field explains why.
simulated | The results of evaluating the access tuple under the proposed (simulated) policies. If the AccessState couldn't be fully evaluated, this field explains why.
accessChange | How the member's access, specified in the AccessState field, changed between the current (baseline) policies and proposed (simulated) policies.
ExplainedAccess
Details about how a set of policies, listed in ExplainedPolicy, resulted in a certain AccessState when replaying an access tuple.
JSON representation:
{ "accessState": enum (
Field | Description
---|---
accessState | Whether the member in the access tuple has permission to access the resource in the access tuple under the given policies.
policies[] | If the If the
errors[] | If the If the
AccessState
Whether a member has a permission for a resource.
Enum | Description
---|---
ACCESS_STATE_UNSPECIFIED | The access state is not specified.
GRANTED | The member has the permission.
NOT_GRANTED | The member does not have the permission.
UNKNOWN_CONDITIONAL | The member has the permission only if a condition expression evaluates to true.
UNKNOWN_INFO_DENIED | The user who created the Replay does not have access to all of the policies that Policy Simulator needs to evaluate.
ExplainedPolicy
Details about how a specific IAM Policy contributed to the access check.
JSON representation:
{ "access": enum (
Field | Description
---|---
access | Indicates whether this policy provides the specified permission to the specified member for the specified resource. This field does not indicate whether the member actually has the permission for the resource. There might be another policy that overrides this policy. To determine whether the member actually has the permission, use the
fullResourceName | The full resource name that identifies the resource. If the user who created the For examples of full resource names for Google Cloud services, see https://cloud.google.com/iam/help/troubleshooter/full-resource-names.
policy | The IAM policy attached to the resource. If the user who created the
bindingExplanations[] | Details about how each binding in the policy affects the member's ability, or inability, to use the permission for the resource. If the user who created the
relevance | The relevance of this policy to the overall determination (the access state reported in ExplainedAccess for the replayed access tuple). If the user who created the
Policy
An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources.
A Policy is a collection of bindings. A binding binds one or more members to a single role. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role.
For some types of Google Cloud resources, a binding can also specify a condition, which is a logical expression that allows access to a resource only if the expression evaluates to true. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the IAM documentation.
JSON example:
{
  "bindings": [
    {
      "role": "roles/resourcemanager.organizationAdmin",
      "members": [
        "user:mike@example.com",
        "group:admins@example.com",
        "domain:google.com",
        "serviceAccount:my-project-id@appspot.gserviceaccount.com"
      ]
    },
    {
      "role": "roles/resourcemanager.organizationViewer",
      "members": [
        "user:eve@example.com"
      ],
      "condition": {
        "title": "expirable access",
        "description": "Does not grant access after Sep 2020",
        "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')"
      }
    }
  ],
  "etag": "BwWWja0YfJA=",
  "version": 3
}
YAML example:
bindings:
- members:
  - user:mike@example.com
  - group:admins@example.com
  - domain:google.com
  - serviceAccount:my-project-id@appspot.gserviceaccount.com
  role: roles/resourcemanager.organizationAdmin
- members:
  - user:eve@example.com
  role: roles/resourcemanager.organizationViewer
  condition:
    title: expirable access
    description: Does not grant access after Sep 2020
    expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
etag: BwWWja0YfJA=
version: 3
For a description of IAM and its features, see the IAM documentation.
JSON representation:
{ "version": integer, "bindings": [ { object (Binding) } ], "auditConfigs": [ { object (AuditConfig) } ], "etag": string }
Field | Description
---|---
version | Specifies the format of the policy. Any operation that affects conditional role bindings must specify version 3, as in the examples above. Important: If you use IAM Conditions, you must include the If a policy does not include any conditions, operations on that policy may specify any valid version or leave the field unset. To learn which resources support conditions in their IAM policies, see the IAM documentation.
bindings[] | Associates a list of
auditConfigs[] | Specifies cloud audit logging configuration for this policy.
etag | Important: If you use IAM Conditions, you must include the A base64-encoded string.
Binding
Associates members with a role.
JSON representation:
{ "role": string, "members": [ string ], "condition": { object (Expr) } }
Field | Description
---|---
role | Role that is assigned to members.
members[] | Specifies the identities requesting access for a Cloud Platform resource.
condition | The condition that is associated with this binding. If the condition evaluates to true, then this binding applies to the current request. If the condition evaluates to false, then this binding does not apply to the current request. To learn which resources support conditions in their IAM policies, see the IAM documentation.
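The Policy and Binding descriptions above imply a few invariants a reviewer would check before writing a policy back: version 3 whenever any binding carries a condition (as in the page's own example), an etag so a read-modify-write cannot silently overwrite a concurrent change, well-formed member prefixes, and public or domain-wide grants on privileged roles. The linter below is an added example and is not Google's code or a Policy Simulator feature. Two things it relies on are assumptions not stated on this page: IAM's public principals allUsers and allAuthenticatedUsers, and the heuristic that a role name ending in owner, admin or editor is privileged. GOOD_POLICY is the page's JSON example; BAD_POLICY is constructed.

```python
"""Lint an IAM Policy object before it is written (added example, not Google's code)."""
import re

# Member prefixes named in the Policy description above (user, service account, group, domain).
MEMBER_PREFIXES = ("user:", "serviceAccount:", "group:", "domain:")
# IAM's public principals (assumption: not described on this page).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Heuristic: roles whose name ends in owner/admin/editor are treated as privileged.
PRIVILEGED_ROLE_RE = re.compile(r"(owner|admin|editor)$", re.IGNORECASE)


def lint_policy(policy):
    """Return a list of (severity, message) findings; an empty list means the policy passed."""
    findings = []
    bindings = policy.get("bindings", [])
    version = policy.get("version")

    if any("condition" in b for b in bindings) and version != 3:
        findings.append(("error", f"conditional bindings require version 3, got {version!r}"))
    if not policy.get("etag"):
        findings.append(("warning", "no etag: a concurrent policy change could be overwritten"))

    for b in bindings:
        role = b.get("role", "")
        cond = b.get("condition")
        if cond is not None and not cond.get("expression"):
            findings.append(("error", f"{role}: condition present but expression is empty"))
        privileged = bool(PRIVILEGED_ROLE_RE.search(role))
        for m in b.get("members", []):
            if m in PUBLIC_MEMBERS:
                findings.append(("error" if privileged else "warning", f"{role}: public member {m}"))
            elif not m.startswith(MEMBER_PREFIXES):
                findings.append(("error", f"{role}: malformed member {m!r}"))
            elif m.startswith("domain:") and privileged:
                findings.append(("warning", f"{role}: domain-wide grant to {m}"))
    return findings


# The Policy JSON example from this page.
GOOD_POLICY = {
    "bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["user:mike@example.com", "group:admins@example.com", "domain:google.com",
                     "serviceAccount:my-project-id@appspot.gserviceaccount.com"]},
        {"role": "roles/resourcemanager.organizationViewer",
         "members": ["user:eve@example.com"],
         "condition": {"title": "expirable access",
                       "description": "Does not grant access after Sep 2020",
                       "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')"}},
    ],
    "etag": "BwWWja0YfJA=",
    "version": 3,
}

# Constructed: every check above should fire on this one.
BAD_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/owner", "members": ["allUsers", "bob@example.com"]},
        {"role": "roles/viewer", "members": ["user:eve@example.com"],
         "condition": {"title": "empty", "expression": ""}},
    ],
}

if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        for sev, msg in lint_policy(pol):
            print(f"{name}: {sev}: {msg}")
```

On the page's own example the only finding is the domain-wide grant of organizationAdmin to domain:google.com, which is exactly the kind of binding a replay should be run against before it is applied.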
Expr
Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec.
Example (Comparison):
title: "Summary size limit"
description: "Determines if a summary is less than 100 chars"
expression: "document.summary.size() < 100"
Example (Equality):
title: "Requestor is owner"
description: "Determines if requestor is the document owner"
expression: "document.owner == request.auth.claims.email"
Example (Logic):
title: "Public documents"
description: "Determine whether the document should be publicly visible"
expression: "document.type != 'private' && document.type != 'internal'"
Example (Data Manipulation):
title: "Notification string"
description: "Create a notification string with a timestamp."
expression: "'New message received at ' + string(document.create_time)"
The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
JSON representation:
{ "expression": string, "title": string, "description": string, "location": string }
Field | Description
---|---
expression | Textual representation of an expression in Common Expression Language syntax.
title | Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
description | Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
location | Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
AuditConfig
Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.
If there are AuditConfigs for both allServices and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exemptedMembers in each AuditLogConfig are exempted.
Example Policy with multiple AuditConfigs:
{
"auditConfigs": [
{
"service": "allServices",
"auditLogConfigs": [
{
"logType": "DATA_READ",
"exemptedMembers": [
"user:jose@example.com"
]
},
{
"logType": "DATA_WRITE"
},
{
"logType": "ADMIN_READ"
}
]
},
{
"service": "sampleservice.googleapis.com",
"auditLogConfigs": [
{
"logType": "DATA_READ"
},
{
"logType": "DATA_WRITE",
"exemptedMembers": [
"user:aliya@example.com"
]
}
]
}
]
}
For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts jose@example.com from DATA_READ logging, and aliya@example.com from DATA_WRITE logging.
JSON representation:
{ "service": string, "auditLogConfigs": [ { object (AuditLogConfig) } ] }
Field | Description
---|---
service | Specifies a service that will be enabled for audit logging, such as the sampleservice.googleapis.com entry in the example above. allServices is the special value that covers every service.
auditLogConfigs[] | The configuration for logging of each type of permission.
AuditLogConfig
Provides the configuration for logging a type of permissions. Example:
{
"auditLogConfigs": [
{
"logType": "DATA_READ",
"exemptedMembers": [
"user:jose@example.com"
]
},
{
"logType": "DATA_WRITE"
}
]
}
This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from DATA_READ logging.
JSON representation:
{ "logType": enum (LogType), "exemptedMembers": [ string ] }
Field | Description
---|---
logType | The log type that this config enables.
exemptedMembers[] | Specifies the identities that do not cause logging for this type of permission. Follows the same format as Binding.members.
LogType
The list of valid permission types for which logging can be configured. Admin writes are always logged, and are not configurable.
Enum | Description
---|---
LOG_TYPE_UNSPECIFIED | Default case. Should never be this.
ADMIN_READ | Admin reads. Example: CloudIAM getIamPolicy
DATA_WRITE | Data writes. Example: CloudSQL Users create
DATA_READ | Data reads. Example: CloudSQL Users list
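The merge rule in the AuditConfig description (the union of the allServices entry and the service-specific entry, for both log types and exemptions) is easy to get wrong by eye, and an exemption placed at the allServices level silently carries into every service. The function below is an added example, not Google's code, that computes the effective configuration for one service and answers whether a given member's call will be logged. POLICY is this page's multi-AuditConfig example. The ADMIN_WRITE key is a label used here for the always-logged, non-configurable admin writes; it is not an enum value shown on this page.

```python
"""Effective audit configuration per service (added example, not Google's code)."""

CONFIGURABLE_LOG_TYPES = ("ADMIN_READ", "DATA_WRITE", "DATA_READ")


def effective_audit_config(policy, service):
    """Return {logType: sorted exemptedMembers} for each log type enabled for `service`.

    A configurable log type missing from the result is not logged for that
    service. Admin writes are always logged and can never have exemptions, so
    they are reported under the label ADMIN_WRITE with an empty exemption list.
    """
    enabled = {"ADMIN_WRITE": set()}
    for cfg in policy.get("auditConfigs", []):
        # Only the allServices entry and the entry for this exact service apply.
        if cfg.get("service") not in ("allServices", service):
            continue
        for log_cfg in cfg.get("auditLogConfigs", []):
            log_type = log_cfg["logType"]
            if log_type not in CONFIGURABLE_LOG_TYPES:
                raise ValueError(f"unexpected logType {log_type!r}")
            # Union semantics: enable the type, and union its exemptions.
            enabled.setdefault(log_type, set()).update(log_cfg.get("exemptedMembers", []))
    return {lt: sorted(members) for lt, members in enabled.items()}


def is_audited(policy, service, log_type, member):
    """True if `member` performing a `log_type` operation on `service` produces an audit entry."""
    cfg = effective_audit_config(policy, service)
    return log_type in cfg and member not in cfg[log_type]


# The "Example Policy with multiple AuditConfigs" from this page.
POLICY = {
    "auditConfigs": [
        {"service": "allServices",
         "auditLogConfigs": [
             {"logType": "DATA_READ", "exemptedMembers": ["user:jose@example.com"]},
             {"logType": "DATA_WRITE"},
             {"logType": "ADMIN_READ"},
         ]},
        {"service": "sampleservice.googleapis.com",
         "auditLogConfigs": [
             {"logType": "DATA_READ"},
             {"logType": "DATA_WRITE", "exemptedMembers": ["user:aliya@example.com"]},
         ]},
    ]
}

if __name__ == "__main__":
    for svc in ("sampleservice.googleapis.com", "other.googleapis.com"):
        print(svc, effective_audit_config(POLICY, svc))
```

For sampleservice this reproduces the page's own reading of the example: DATA_READ, DATA_WRITE and ADMIN_READ are all enabled, jose@example.com is exempt from DATA_READ and aliya@example.com from DATA_WRITE. Run it per service rather than once per policy, because the allServices exemptions are what an attacker-controlled identity would most like to inherit unnoticed.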
BindingExplanation
Details about how a binding in a policy affects a member's ability to use a permission.
JSON representation:
{ "access": enum (
Field | Description
---|---
access | Required. Indicates whether this binding provides the specified permission to the specified member for the specified resource. This field does not indicate whether the member actually has the permission for the resource. There might be another binding that overrides this binding. To determine whether the member actually has the permission, use the
role | The role that this binding grants. For a complete list of predefined IAM roles, as well as the permissions in each role, see https://cloud.google.com/iam/help/roles/reference.
rolePermission | Indicates whether the role granted by this binding contains the specified permission.
rolePermissionRelevance | The relevance of the permission's existence, or nonexistence, in the role to the overall determination for the entire policy.
memberships[] | Indicates whether each member in the binding includes the member specified in the request, either directly or indirectly. Each key identifies a member in the binding, and each value indicates whether the member in the binding includes the member in the request.
memberships[].membership | Indicates whether the binding includes the member.
memberships[].relevance | The relevance of the member's status to the overall determination for the binding.
relevance | The relevance of this binding to the overall determination for the entire policy.
condition | A condition expression that prevents this binding from granting access unless the expression evaluates to true. To learn about IAM Conditions, see https://cloud.google.com/iam/docs/conditions-overview.
RolePermission
Whether a role includes a specific permission.
Enum | Description
---|---
ROLE_PERMISSION_UNSPECIFIED | The inclusion of the permission is not specified.
ROLE_PERMISSION_INCLUDED | The permission is included in the role.
ROLE_PERMISSION_NOT_INCLUDED | The permission is not included in the role.
ROLE_PERMISSION_UNKNOWN_INFO_DENIED | The user who created the Replay is not allowed to access the binding.
HeuristicRelevance
The extent to which a single part of a policy (e.g. a binding or a membership annotation in the binding) contributes to an overall determination.
Enum | Description
---|---
HEURISTIC_RELEVANCE_UNSPECIFIED | Reserved for future use.
NORMAL | The data point has a limited effect on the result. Changing the data point is unlikely to affect the overall determination.
HIGH | The data point has a strong effect on the result. Changing the data point is likely to affect the overall determination.
AccessChangeType
How the member's access, specified in the AccessState field, changed between the current (baseline) policies and proposed (simulated) policies.
Enum | Description
---|---
ACCESS_CHANGE_TYPE_UNSPECIFIED | The access change is unspecified.
NO_CHANGE | The member's access did not change. This includes the case where both baseline and simulated are UNKNOWN, but the unknown information is equivalent.
UNKNOWN_CHANGE | The member's access under both the current policies and the proposed policies is UNKNOWN, but the unknown information differs between them.
ACCESS_REVOKED | The member had access under the current policies (GRANTED), but will no longer have access after the proposed changes (NOT_GRANTED).
ACCESS_GAINED | The member did not have access under the current policies (NOT_GRANTED), but will have access after the proposed changes (GRANTED).
ACCESS_MAYBE_REVOKED | This result can occur for the following reasons:
ACCESS_MAYBE_GAINED | This result can occur for the following reasons:
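A replay of a proposed policy produces one ReplayResult per access tuple, and the security-relevant question is which tuples moved to ACCESS_GAINED or ACCESS_MAYBE_GAINED (an identity acquiring a permission it did not have), which were revoked (a workload that may break), and which could not be evaluated at all. The script below is an added example, not Google's code: it walks a list of ReplayResult objects in the JSON shape described on this page (ReplayResult, AccessStateDiff, ExplainedAccess, BindingExplanation and AccessChangeType), buckets them by access change, and pulls out the bindings Policy Simulator marked HIGH relevance so a reviewer sees which binding is responsible. SAMPLE_RESULTS is constructed for illustration; the resource, principal and role values in it are placeholders, and the error object's content is made up.

```python
"""Triage ReplayResult objects from a Policy Simulator replay (added example, not Google's code)."""

# Changes that widen a principal's access: always worth a human review.
ESCALATING = {"ACCESS_GAINED", "ACCESS_MAYBE_GAINED"}
# Changes that narrow access: may break a workload, also worth review.
NARROWING = {"ACCESS_REVOKED", "ACCESS_MAYBE_REVOKED"}


def high_relevance_bindings(explained_access):
    """Return (fullResourceName, role) for each HIGH-relevance binding in an ExplainedAccess."""
    hits = []
    for policy in explained_access.get("policies", []):
        for binding in policy.get("bindingExplanations", []):
            if binding.get("relevance") == "HIGH":
                hits.append((policy.get("fullResourceName"), binding.get("role")))
    return hits


def triage(results):
    """Bucket replay results into gained / revoked / unknown / errors / unchanged.

    A result carries at most one of `diff` and `error`. A result with neither was
    replayed successfully and had the same outcome under both policy sets, since
    `diff` is only present when the baseline and simulated results differ.
    """
    buckets = {k: [] for k in ("gained", "revoked", "unknown", "errors", "unchanged")}
    for r in results:
        tup = r["accessTuple"]
        summary = {
            "principal": tup["principal"],
            "resource": tup["fullResourceName"],
            "permission": tup["permission"],
        }
        if "error" in r:
            summary["error"] = r["error"]
            buckets["errors"].append(summary)
            continue
        diff = r.get("diff", {}).get("accessDiff", {})
        change = diff.get("accessChange", "NO_CHANGE")
        summary["baseline"] = diff.get("baseline", {}).get("accessState")
        summary["simulated"] = diff.get("simulated", {}).get("accessState")
        summary["bindings"] = high_relevance_bindings(diff.get("simulated", {}))
        if change in ESCALATING:
            buckets["gained"].append(summary)
        elif change in NARROWING:
            buckets["revoked"].append(summary)
        elif change == "UNKNOWN_CHANGE":
            buckets["unknown"].append(summary)
        else:
            buckets["unchanged"].append(summary)
    return buckets


PROJECT = "//cloudresourcemanager.googleapis.com/projects/my-project"  # placeholder resource

# Constructed sample: one gained, one revoked, one failed, one unchanged tuple.
SAMPLE_RESULTS = [
    {
        "accessTuple": {"principal": "alice@example.com", "fullResourceName": PROJECT,
                        "permission": "iam.serviceAccounts.actAs"},
        "diff": {"accessDiff": {
            "baseline": {"accessState": "NOT_GRANTED"},
            "simulated": {
                "accessState": "GRANTED",
                "policies": [{
                    "fullResourceName": PROJECT, "access": "GRANTED", "relevance": "HIGH",
                    "bindingExplanations": [
                        {"access": "GRANTED", "role": "roles/iam.serviceAccountUser",
                         "rolePermission": "ROLE_PERMISSION_INCLUDED", "relevance": "HIGH"},
                        {"access": "NOT_GRANTED", "role": "roles/viewer",
                         "rolePermission": "ROLE_PERMISSION_NOT_INCLUDED", "relevance": "NORMAL"},
                    ],
                }],
            },
            "accessChange": "ACCESS_GAINED",
        }},
    },
    {
        "accessTuple": {"principal": "bob@example.com", "fullResourceName": PROJECT,
                        "permission": "storage.buckets.delete"},
        "diff": {"accessDiff": {
            "baseline": {"accessState": "GRANTED"},
            "simulated": {"accessState": "NOT_GRANTED"},
            "accessChange": "ACCESS_REVOKED",
        }},
    },
    {
        "accessTuple": {"principal": "carol@example.com", "fullResourceName": PROJECT,
                        "permission": "compute.instances.list"},
        "error": {"message": "constructed: a policy needed for the replay could not be read"},
    },
    {
        "accessTuple": {"principal": "dave@example.com", "fullResourceName": PROJECT,
                        "permission": "compute.instances.get"},
    },
]

if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_RESULTS).items():
        for e in entries:
            print(f"{bucket:9} {e['principal']:20} {e['permission']:30} {e.get('bindings', '')}")
```

The errors bucket deserves the same attention as the gained bucket: a tuple that could not be replayed (typically because the caller lacks access to one of the policies involved, the UNKNOWN_INFO_DENIED case above) is an access decision the simulation has not actually checked.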
Methods
Method | Description
---|---
 | Lists the results of running a Replay.