Method: permissions.queryTestablePermissions

Lists every permission that you can test on a resource. A permission is testable if you can check whether a principal has that permission on the resource.

HTTP request

POST https://iam.googleapis.com/v1/permissions:queryTestablePermissions

The URL uses gRPC Transcoding syntax.

Request body

The request body contains data with the following structure:

JSON representation
{
  "fullResourceName": string,
  "pageSize": integer,
  "pageToken": string
}
Fields
fullResourceName

string

Required. The full resource name to query from the list of testable permissions.

The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id my-project will be named //cloudresourcemanager.googleapis.com/projects/my-project.

pageSize

integer

Optional limit on the number of permissions to include in the response.

The default is 100, and the maximum is 1,000.

pageToken

string

Optional pagination token returned in an earlier QueryTestablePermissionsRequest.

Response body

The response containing permissions which can be tested on a resource.

If successful, the response body contains data with the following structure:

JSON representation
{
  "permissions": [
    {
      object (Permission)
    }
  ],
  "nextPageToken": string
}
Fields
permissions[]

object (Permission)

The Permissions testable on the requested resource.

nextPageToken

string

To retrieve the next page of results, set QueryTestableRolesRequest.page_token to this value.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

Permission

A permission which can be included by a role.

JSON representation
{
  "name": string,
  "title": string,
  "description": string,
  "onlyInPredefinedRoles": boolean,
  "stage": enum (PermissionLaunchStage),
  "customRolesSupportLevel": enum (CustomRolesSupportLevel),
  "apiDisabled": boolean,
  "primaryPermission": string
}
Fields
name

string

The name of this Permission.

title

string

The title of this Permission.

description

string

A brief description of what this Permission is used for.

onlyInPredefinedRoles
(deprecated)

boolean

stage

enum (PermissionLaunchStage)

The current launch stage of the permission.

customRolesSupportLevel

enum (CustomRolesSupportLevel)

The current custom role support level.

apiDisabled

boolean

The service API associated with the permission is not enabled.

primaryPermission

string

The preferred name for this permission. If present, then this permission is an alias of, and equivalent to, the listed primaryPermission.

PermissionLaunchStage

A stage representing a permission's lifecycle phase.

Enums
ALPHA The permission is currently in an alpha phase.
BETA The permission is currently in a beta phase.
GA The permission is generally available.
DEPRECATED The permission is being deprecated.

CustomRolesSupportLevel

The state of the permission with regards to custom roles.

Enums
SUPPORTED Default state. Permission is fully supported for custom role use.
TESTING Permission is being tested to check custom role compatibility.
NOT_SUPPORTED Permission is not supported for custom role use.

.NET client library を使用します。

// BEFORE RUNNING:
// ---------------
// 1. If not already done, enable the Identity and Access Management (IAM) API
//    and check the quota for your project at
//    https://console.developers.google.com/apis/api/iam
// 2. This sample uses Application Default Credentials for authentication.
//    If not already done, install the gcloud CLI from
//    https://cloud.google.com/sdk and run
//    `gcloud beta auth application-default login`.
//    For more information, see
//    https://developers.google.com/identity/protocols/application-default-credentials
// 3. Install the C# client library by adding a dependency on the relevant NuGet
//    package. Libraries published by Google are owned by google-apis-packages:
//    https://www.nuget.org/profiles/google-apis-packages

using Google.Apis.Auth.OAuth2;
using Google.Apis.Services;
using Google.Apis.Iam.v1;
using Newtonsoft.Json;
using System;
using System.Threading.Tasks;

using Data = Google.Apis.Iam.v1.Data;

namespace IamSample
{
   
public class IamExample
   
{
       
public static void Main(string[] args)
       
{
           
IamService iamService = new IamService(new BaseClientService.Initializer
           
{
               
HttpClientInitializer = GetCredential(),
               
ApplicationName = "Google-iamSample/0.1",
           
});

           
// TODO: Assign values to desired properties of `requestBody`:
           
Data.QueryTestablePermissionsRequest requestBody = new Data.QueryTestablePermissionsRequest();

           
PermissionsResource.QueryTestablePermissionsRequest request = iamService.Permissions.QueryTestablePermissions(requestBody);

           
Data.QueryTestablePermissionsResponse response;
           
do
           
{
               
// To execute asynchronously in an async method, replace `request.Execute()` as shown:
                response
= request.Execute();
               
// response = await request.ExecuteAsync();

               
if (response.Permissions == null)
               
{
                   
continue;
               
}
               
foreach (Data.Permission permission in response.Permissions)
               
{
                   
// TODO: Change code below to process each `permission` resource:
                   
Console.WriteLine(JsonConvert.SerializeObject(permission));
               
}
                requestBody
.PageToken = response.NextPageToken;
           
} while (response.NextPageToken != null);
       
}

       
public static GoogleCredential GetCredential()
       
{
           
GoogleCredential credential = Task.Run(() => GoogleCredential.GetApplicationDefaultAsync()).Result;
           
if (credential.IsCreateScopedRequired)
           
{
                credential
= credential.CreateScoped("https://www.googleapis.com/auth/cloud-platform");
           
}
           
return credential;
       
}
   
}
}

Go client library を使用します。

package main

// BEFORE RUNNING:
// ---------------
// 1. If not already done, enable the Identity and Access Management (IAM) API
//    and check the quota for your project at
//    https://console.developers.google.com/apis/api/iam
// 2. This sample uses Application Default Credentials for authentication.
//    If not already done, install the gcloud CLI from
//    https://cloud.google.com/sdk/ and run
//    `gcloud beta auth application-default login`.
//    For more information, see
//    https://developers.google.com/identity/protocols/application-default-credentials
// 3. Install and update the Go dependencies by running `go get -u` in the
//    project directory.

import (
       
"fmt"
       
"log"

       
"golang.org/x/net/context"
       
"golang.org/x/oauth2/google"
       
"google.golang.org/api/iam/v1"
)

func main
() {
        ctx
:= context.Background()

        iamService
, err := iam.NewService(ctx)
       
if err != nil {
                log
.Fatal(err)
       
}

        rb
:= &iam.QueryTestablePermissionsRequest{
               
// TODO: Add desired fields of the request body.
       
}

        req
:= iamService.Permissions.QueryTestablePermissions(rb)
       
if err := req.Pages(ctx, func(page *iam.QueryTestablePermissionsResponse) error {
               
for _, permission := range page.Permissions {
                       
// TODO: Change code below to process each `permission` resource:
                        fmt
.Printf("%#v\n", permission)
               
}
               
return nil
       
}); err != nil {
                log
.Fatal(err)
       
}
}

Java client library を使用します。

/*
 * BEFORE RUNNING:
 * ---------------
 * 1. If not already done, enable the Identity and Access Management (IAM) API
 *    and check the quota for your project at
 *    https://console.developers.google.com/apis/api/iam
 * 2. This sample uses Application Default Credentials for authentication.
 *    If not already done, install the gcloud CLI from
 *    https://cloud.google.com/sdk and run
 *    `gcloud beta auth application-default login`.
 *    For more information, see
 *    https://developers.google.com/identity/protocols/application-default-credentials
 * 3. Install the Java client library on Maven or Gradle. Check installation
 *    instructions at https://github.com/google/google-api-java-client.
 *    On other build systems, you can add the jar files to your project from
 *    https://developers.google.com/resources/api-libraries/download/iam/v1/java
 */

import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.iam.v1.Iam;
import com.google.api.services.iam.v1.model.Permission;
import com.google.api.services.iam.v1.model.QueryTestablePermissionsRequest;
import com.google.api.services.iam.v1.model.QueryTestablePermissionsResponse;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Arrays;

public class IamExample {
 
public static void main(String args[]) throws IOException, GeneralSecurityException {
   
// TODO: Assign values to desired fields of `requestBody`:
   
QueryTestablePermissionsRequest requestBody = new QueryTestablePermissionsRequest();

   
Iam iamService = createIamService();
   
Iam.Permissions.QueryTestablePermissions request =
        iamService
.permissions().queryTestablePermissions(requestBody);

   
QueryTestablePermissionsResponse response;
   
do {
      response
= request.execute();
     
if (response.getPermissions() == null) {
       
continue;
     
}
     
for (Permission permission : response.getPermissions()) {
       
// TODO: Change code below to process each `permission` resource:
       
System.out.println(permission);
     
}
      requestBody
.setPageToken(response.getNextPageToken());
   
} while (response.getNextPageToken() != null);
 
}

 
public static Iam createIamService() throws IOException, GeneralSecurityException {
   
HttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport();
   
JsonFactory jsonFactory = JacksonFactory.getDefaultInstance();

   
GoogleCredential credential = GoogleCredential.getApplicationDefault();
   
if (credential.createScopedRequired()) {
      credential
=
          credential
.createScoped(Arrays.asList("https://www.googleapis.com/auth/cloud-platform"));
   
}

   
return new Iam.Builder(httpTransport, jsonFactory, credential)
       
.setApplicationName("Google-iamSample/0.1")
       
.build();
 
}
}

Node.js client library を使用します。

// BEFORE RUNNING:
// ---------------
// 1. If not already done, enable the Identity and Access Management (IAM) API
//    and check the quota for your project at
//    https://console.developers.google.com/apis/api/iam
// 2. This sample uses Application Default Credentials for authentication.
//    If not already done, install the gcloud CLI from
//    https://cloud.google.com/sdk and run
//    `gcloud beta auth application-default login`.
//    For more information, see
//    https://developers.google.com/identity/protocols/application-default-credentials
// 3. Install the Node.js client library by running
//    `npm install googleapis --save`

const {google} = require('googleapis');
const iam = google.iam('v1');

async
function main () {
 
const authClient = await authorize();
 
const request = {
    resource
: {
     
// TODO: Add desired properties to the request body.
   
},

    auth
: authClient,
 
};

  let response
;
 
do {
   
if (response && response.nextPageToken) {
      request
.resource.pageToken = response.nextPageToken;
   
}
    response
= (await iam.permissions.queryTestablePermissions(request)).data;
   
const permissionsPage = response.permissions;
   
if (permissionsPage) {
     
for (let i = 0; i < permissionsPage.length; i++) {
       
// TODO: Change code below to process each resource in `permissionsPage`:
        console
.log(JSON.stringify(permissionsPage[i], null, 2));
     
}
   
}
 
} while (response.nextPageToken);
}
main
();

async
function authorize() {
 
const auth = new google.auth.GoogleAuth({
    scopes
: ['https://www.googleapis.com/auth/cloud-platform']
 
});
 
return await auth.getClient();
}

PHP client library を使用します。

<?php
/*
 * BEFORE RUNNING:
 * ---------------
 * 1. If not already done, enable the Identity and Access Management (IAM) API
 *    and check the quota for your project at
 *    https://console.developers.google.com/apis/api/iam
 * 2. This sample uses Application Default Credentials for authentication.
 *    If not already done, install the gcloud CLI from
 *    https://cloud.google.com/sdk and run
 *    `gcloud beta auth application-default login`.
 *    For more information, see
 *    https://developers.google.com/identity/protocols/application-default-credentials
 * 3. Install the PHP client library with Composer. Check installation
 *    instructions at https://github.com/google/google-api-php-client.
 */


// Autoload Composer.
require_once __DIR__
. '/vendor/autoload.php';

$client
= new Google_Client();
$client
->setApplicationName('Google-iamSample/0.1');
$client
->useApplicationDefaultCredentials();
$client
->addScope('https://www.googleapis.com/auth/cloud-platform');

$service
= new Google_Service_Iam($client);

// TODO: Assign values to desired properties of `requestBody`:
$requestBody
= new Google_Service_Iam_QueryTestablePermissionsRequest();

do {
  $response
= $service->permissions->queryTestablePermissions($requestBody);

 
foreach ($response['permissions'] as $permission) {
   
// TODO: Change code below to process each `permission` resource:
    echo
'<pre>', var_export($permission, true), '</pre>', "\n";
 
}

  $requestBody
->setPageToken($response->getNextPageToken());
} while ($requestBody->getPageToken());
?>

Python client library を使用します。

"""
BEFORE RUNNING:
---------------
1. If not already done, enable the Identity and Access Management (IAM) API
   and check the quota for your project at
   https://console.developers.google.com/apis/api/iam
2. This sample uses Application Default Credentials for authentication.
   If not already done, install the gcloud CLI from
   https://cloud.google.com/sdk and run
   `gcloud beta auth application-default login`.
   For more information, see
   https://developers.google.com/identity/protocols/application-default-credentials
3. Install the Python client library for Google APIs by running
   `pip install --upgrade google-api-python-client`
4. Install the OAuth 2.0 client for Google APIs by running
   `pip install --upgrade oauth2client`
"""

from pprint import pprint

from googleapiclient import discovery
from oauth2client.client import GoogleCredentials

credentials
= GoogleCredentials.get_application_default()

service
= discovery.build('iam', 'v1', credentials=credentials)

query_testable_permissions_request_body
= {
   
# TODO: Add desired entries to the request body.
}

while True:
    request
= service.permissions().queryTestablePermissions(body=query_testable_permissions_request_body)
    response
= request.execute()

   
for permission in response.get('permissions', []):
       
# TODO: Change code below to process each `permission` resource:
        pprint
(permission)

   
if 'nextPageToken' not in response:
       
break
    query_testable_permissions_request_body
['pageToken'] = response['nextPageToken']

Ruby client library を使用します。

# BEFORE RUNNING:
# ---------------
# 1. If not already done, enable the Identity and Access Management (IAM) API
#    and check the quota for your project at
#    https://console.developers.google.com/apis/api/iam
# 2. This sample uses Application Default Credentials for authentication.
#    If not already done, install the gcloud CLI from
#    https://cloud.google.com/sdk and run
#    `gcloud beta auth application-default login`.
#    For more information, see
#    https://developers.google.com/identity/protocols/application-default-credentials
# 3. Install the Ruby client library and Application Default Credentials
#    library by running `gem install google-api-client` and
#    `gem install googleauth`

require 'googleauth'
require 'google/apis/iam_v1'

service
= Google::Apis::IamV1::IamService.new

service
.authorization = \
   
Google::Auth.get_application_default(['https://www.googleapis.com/auth/cloud-platform'])

# TODO: Assign values to desired members of `request_body`:
request_body
= Google::Apis::IamV1::QueryTestablePermissionsRequest.new

permissions
= service.fetch_all(items: :permissions) do |token|
  request_body
.page_token = token
  service
.query_testable_permissions(request_body)
end

permissions
.each do |permission|
 
# TODO: Change code below to process each `permission` resource:
  puts permission
.to_json
end