Method: iamPolicies.lintPolicy

Lints a Cloud IAM policy object or its sub fields. Currently supports google.iam.v1.Policy, google.iam.v1.Binding and google.iam.v1.Binding.condition.

Each lint operation consists of multiple lint validation units. Validation units have the following properties:

The set of applicable validation units is determined by the Cloud IAM server and is not configurable.

Regardless of any lint issues or their severities, successful calls to lintPolicy return an HTTP 200 OK status code.

HTTP request

POST https://iam.googleapis.com/v1/iamPolicies:lintPolicy

The URL uses gRPC Transcoding syntax.

Request body

The request body contains data with the following structure:

JSON representation
{
  "fullResourceName": string,
  "context": {
    object
  },

  // Union field lint_object can be only one of the following:
  "policy": {
    object(Policy)
  },
  "binding": {
    object(Binding)
  },
  "condition": {
    object(Expr)
  }
  // End of list of possible types for union field lint_object.
}
Fields
fullResourceName

string

The full resource name of the policy this lint request is about.

The name follows the Google Cloud Platform (GCP) resource format. For example, a GCP project with ID my-project will be named //cloudresourcemanager.googleapis.com/projects/my-project.

The resource name is not used to read the policy instance from the Cloud IAM database. The candidate policy for lint has to be provided in the same request object.

context

object (Struct format)

context contains additional permission-controlled data that any lint unit may depend on, in form of {key: value} pairs. Currently, this field is non-operational and it will not be used during the lint operation.

Union field lint_object. Required. The Cloud IAM object to be linted. lint_object can be only one of the following:
policy

object(Policy)

Policy object to be linted. The functionality of linting a policy is not yet implemented and if this field is set, it returns NOT_IMPLEMENTED error.

binding

object(Binding)

Binding object to be linted. The functionality of linting a binding is not yet implemented and if this field is set, it returns NOT_IMPLEMENTED error.

condition

object(Expr)

google.iam.v1.Binding.condition object to be linted.

Response body

If successful, the response body contains data with the following structure:

The response of a lint operation. An empty response indicates the operation was able to fully execute and no lint issue was found.

JSON representation
{
  "lintResults": [
    {
      object(LintResult)
    }
  ]
}
Fields
lintResults[]

object(LintResult)

List of lint results sorted by a composite <severity, bindingOrdinal> key, descending order of severity and ascending order of bindingOrdinal. There is no certain order among the same keys.

For cross-binding results (only if the input object to lint is instance of google.iam.v1.Policy), there will be a google.iam.admin.v1.LintResult for each of the involved bindings, and the associated debugMessage may enumerate the other involved binding ordinal number(s).

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

LintResult

Structured response of a single validation unit.

JSON representation
{
  "level": enum(Level),
  "validationUnitName": string,
  "severity": enum(Severity),
  "bindingOrdinal": number,
  "fieldName": string,
  "locationOffset": number,
  "debugMessage": string
}
Fields
level

enum(Level)

The validation unit level.

validationUnitName

string

The validation unit name, for instance “lintValidationUnits/ConditionComplexityCheck”.

severity

enum(Severity)

The validation unit severity.

bindingOrdinal

number

0-based index ordinality of the binding in the input object associated with this result. This field is populated only if the input object to lint is of type google.iam.v1.Policy, which can comprise more than one binding. It is set to -1 if the result is not associated with any particular binding and only targets the policy as a whole, such as results about policy size violations.

fieldName

string

The name of the field for which this lint result is about.

For nested messages, fieldName consists of names of the embedded fields separated by period character. The top-level qualifier is the input object to lint in the request. For instance, if the lint request is on a google.iam.v1.Policy and this lint result is about a condition expression of one of the input policy bindings, the field would be populated as policy.bindings.condition.expression.

This field does not identify the ordinality of the repetitive fields (for instance bindings in a policy).

locationOffset

number

0-based character position of problematic construct within the object identified by fieldName. Currently, this is populated only for condition expression.

debugMessage

string

Human readable debug message associated with the issue.

Level

Possible Level values of a validation unit corresponding to its domain of discourse.

Enums
LEVEL_UNSPECIFIED Level is unspecified.
POLICY A validation unit which operates on a policy. It is executed only if the input object to lint is of type google.iam.v1.Policy.
BINDING A validation unit which operates on an individual binding. It is executed in both cases where the input object to lint is of type google.iam.v1.Policy or google.iam.v1.Binding.
CONDITION A validation unit which operates on an individual condition within a binding. It is executed in all three cases where the input object to lint is of type google.iam.v1.Policy, google.iam.v1.Binding or google.iam.v1.Binding.condition.

Severity

Possible Severity values of an issued result.

Enums
SEVERITY_UNSPECIFIED Severity is unspecified.
ERROR A validation unit returns an error only for critical issues. If an attempt is made to set the problematic policy without rectifying the critical issue, it causes the setPolicy operation to fail.
WARNING

Any issue which is severe enough but does not cause an error. For example, suspicious constructs in the input object will not necessarily fail setPolicy, but there is a high likelihood that they won't behave as expected during policy evaluation in checkPolicy. This includes the following common scenarios:

  • Unsatisfiable condition: Expired timestamp in date/time condition.
  • Ineffective condition: Condition on a <member, role> pair which is granted unconditionally in another binding of the same policy.
NOTICE Reserved for the issues that are not severe as ERROR/WARNING, but need special handling. For instance, messages about skipped validation units are issued as NOTICE.
INFO Any informative statement which is not severe enough to raise ERROR/WARNING/NOTICE, like auto-correction recommendations on the input content. Note that current version of the linter does not utilize INFO.
DEPRECATED Deprecated severity level.

Try it!

このページは役立ちましたか?評価をお願いいたします。

フィードバックを送信...

Cloud Identity and Access Management