Package com.google.cloud.policytroubleshooter.iam.v3 (1.26.0)

A client to Policy Troubleshooter API

The interfaces provided are listed below, along with usage samples.

PolicyTroubleshooterClient

Service Description: IAM Policy Troubleshooter service.

This service helps you troubleshoot access issues for Google Cloud resources.

Sample for PolicyTroubleshooterClient:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (PolicyTroubleshooterClient policyTroubleshooterClient =
     PolicyTroubleshooterClient.create()) {
   TroubleshootIamPolicyRequest request =
       TroubleshootIamPolicyRequest.newBuilder()
           .setAccessTuple(AccessTuple.newBuilder().build())
           .build();
   TroubleshootIamPolicyResponse response =
       policyTroubleshooterClient.troubleshootIamPolicy(request);
 }
 

Classes

AccessTuple

Information about the principal, resource, and permission to check.

Protobuf type google.cloud.policytroubleshooter.iam.v3.AccessTuple

AccessTuple.Builder

Information about the principal, resource, and permission to check.

Protobuf type google.cloud.policytroubleshooter.iam.v3.AccessTuple

AllowBindingExplanation

Details about how a role binding in an allow policy affects a principal's ability to use a permission.

Protobuf type google.cloud.policytroubleshooter.iam.v3.AllowBindingExplanation

AllowBindingExplanation.AnnotatedAllowMembership

Details about whether the role binding includes the principal.

Protobuf type google.cloud.policytroubleshooter.iam.v3.AllowBindingExplanation.AnnotatedAllowMembership

AllowBindingExplanation.AnnotatedAllowMembership.Builder

Details about whether the role binding includes the principal.

Protobuf type google.cloud.policytroubleshooter.iam.v3.AllowBindingExplanation.AnnotatedAllowMembership

AllowBindingExplanation.Builder

Details about how a role binding in an allow policy affects a principal's ability to use a permission.

Protobuf type google.cloud.policytroubleshooter.iam.v3.AllowBindingExplanation

AllowPolicyExplanation

Details about how the relevant IAM allow policies affect the final access state.

Protobuf type google.cloud.policytroubleshooter.iam.v3.AllowPolicyExplanation

AllowPolicyExplanation.Builder

Details about how the relevant IAM allow policies affect the final access state.

Protobuf type google.cloud.policytroubleshooter.iam.v3.AllowPolicyExplanation

ConditionContext

Additional context for troubleshooting conditional role bindings and deny rules.

Protobuf type google.cloud.policytroubleshooter.iam.v3.ConditionContext

ConditionContext.Builder

Additional context for troubleshooting conditional role bindings and deny rules.

Protobuf type google.cloud.policytroubleshooter.iam.v3.ConditionContext

ConditionContext.EffectiveTag

A tag that applies to a resource during policy evaluation. Tags can be either directly bound to a resource or inherited from its ancestor. EffectiveTag contains the name and namespaced_name of the tag value and tag key, plus an inherited field that indicates the inheritance status of the effective tag.

Protobuf type google.cloud.policytroubleshooter.iam.v3.ConditionContext.EffectiveTag

ConditionContext.EffectiveTag.Builder

A tag that applies to a resource during policy evaluation. Tags can be either directly bound to a resource or inherited from its ancestor. EffectiveTag contains the name and namespaced_name of the tag value and tag key, plus an inherited field that indicates the inheritance status of the effective tag.

Protobuf type google.cloud.policytroubleshooter.iam.v3.ConditionContext.EffectiveTag

ConditionContext.Peer

This message defines attributes for a node that handles a network request. The node can be either a service or an application that sends, forwards, or receives the request. Service peers should fill in principal and labels as appropriate.

Protobuf type google.cloud.policytroubleshooter.iam.v3.ConditionContext.Peer

ConditionContext.Peer.Builder

This message defines attributes for a node that handles a network request. The node can be either a service or an application that sends, forwards, or receives the request. Service peers should fill in principal and labels as appropriate.

Protobuf type google.cloud.policytroubleshooter.iam.v3.ConditionContext.Peer

ConditionContext.Request

This message defines attributes for an HTTP request. If the actual request is not an HTTP request, the runtime system should try to map the actual request to an equivalent HTTP request.

Protobuf type google.cloud.policytroubleshooter.iam.v3.ConditionContext.Request

ConditionContext.Request.Builder

This message defines attributes for an HTTP request. If the actual request is not an HTTP request, the runtime system should try to map the actual request to an equivalent HTTP request.

Protobuf type google.cloud.policytroubleshooter.iam.v3.ConditionContext.Request

ConditionContext.Resource

Core attributes for a resource. A resource is an addressable (named) entity provided by the destination service. For example, a Compute Engine instance.

Protobuf type google.cloud.policytroubleshooter.iam.v3.ConditionContext.Resource

ConditionContext.Resource.Builder

Core attributes for a resource. A resource is an addressable (named) entity provided by the destination service. For example, a Compute Engine instance.

Protobuf type google.cloud.policytroubleshooter.iam.v3.ConditionContext.Resource

ConditionExplanation

Explanation for how a condition affects a principal's access.

Protobuf type google.cloud.policytroubleshooter.iam.v3.ConditionExplanation

ConditionExplanation.Builder

Explanation for how a condition affects a principal's access.

Protobuf type google.cloud.policytroubleshooter.iam.v3.ConditionExplanation

ConditionExplanation.EvaluationState

Evaluated state of a condition expression.

Protobuf type google.cloud.policytroubleshooter.iam.v3.ConditionExplanation.EvaluationState

ConditionExplanation.EvaluationState.Builder

Evaluated state of a condition expression.

Protobuf type google.cloud.policytroubleshooter.iam.v3.ConditionExplanation.EvaluationState

DenyPolicyExplanation

Details about how the relevant IAM deny policies affect the final access state.

Protobuf type google.cloud.policytroubleshooter.iam.v3.DenyPolicyExplanation

DenyPolicyExplanation.Builder

Details about how the relevant IAM deny policies affect the final access state.

Protobuf type google.cloud.policytroubleshooter.iam.v3.DenyPolicyExplanation

DenyRuleExplanation

Details about how a deny rule in a deny policy affects a principal's ability to use a permission.

Protobuf type google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation

DenyRuleExplanation.AnnotatedDenyPrincipalMatching

Details about whether the principal in the request is listed as a denied principal in the deny rule, either directly or through membership in a principal set.

Protobuf type google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching

DenyRuleExplanation.AnnotatedDenyPrincipalMatching.Builder

Details about whether the principal in the request is listed as a denied principal in the deny rule, either directly or through membership in a principal set.

Protobuf type google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching

DenyRuleExplanation.AnnotatedPermissionMatching

Details about whether the permission in the request is denied by the deny rule.

Protobuf type google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching

DenyRuleExplanation.AnnotatedPermissionMatching.Builder

Details about whether the permission in the request is denied by the deny rule.

Protobuf type google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching

DenyRuleExplanation.Builder

Details about how a deny rule in a deny policy affects a principal's ability to use a permission.

Protobuf type google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation

ExplainedAllowPolicy

Details about how a specific IAM allow policy contributed to the final access state.

Protobuf type google.cloud.policytroubleshooter.iam.v3.ExplainedAllowPolicy

ExplainedAllowPolicy.Builder

Details about how a specific IAM allow policy contributed to the final access state.

Protobuf type google.cloud.policytroubleshooter.iam.v3.ExplainedAllowPolicy

ExplainedDenyPolicy

Details about how a specific IAM deny policy contributed to the access check.

Protobuf type google.cloud.policytroubleshooter.iam.v3.ExplainedDenyPolicy

ExplainedDenyPolicy.Builder

Details about how a specific IAM deny policy contributed to the access check.

Protobuf type google.cloud.policytroubleshooter.iam.v3.ExplainedDenyPolicy

ExplainedDenyResource

Details about how a specific resource contributed to the deny policy evaluation.

Protobuf type google.cloud.policytroubleshooter.iam.v3.ExplainedDenyResource

ExplainedDenyResource.Builder

Details about how a specific resource contributed to the deny policy evaluation.

Protobuf type google.cloud.policytroubleshooter.iam.v3.ExplainedDenyResource

PolicyTroubleshooterClient

Service Description: IAM Policy Troubleshooter service.

This service helps you troubleshoot access issues for Google Cloud resources.

This class provides the ability to make remote calls to the backing service through method calls that map to API methods. Sample code to get started:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (PolicyTroubleshooterClient policyTroubleshooterClient =
     PolicyTroubleshooterClient.create()) {
   TroubleshootIamPolicyRequest request =
       TroubleshootIamPolicyRequest.newBuilder()
           .setAccessTuple(AccessTuple.newBuilder().build())
           .build();
   TroubleshootIamPolicyResponse response =
       policyTroubleshooterClient.troubleshootIamPolicy(request);
 }
 

Note: close() needs to be called on the PolicyTroubleshooterClient object to clean up resources such as threads. In the example above, try-with-resources is used, which automatically calls close().

The surface of this class includes several types of Java methods for each of the API's methods:

  1. A "flattened" method. With this type of method, the fields of the request type have been converted into function parameters. It may be the case that not all fields are available as parameters, and not every API method will have a flattened method entry point.
  2. A "request object" method. This type of method only takes one parameter, a request object, which must be constructed before the call. Not every API method will have a request object method.
  3. A "callable" method. This type of method takes no parameters and returns an immutable API callable object, which can be used to initiate calls to the service.

See the individual methods for example code.

Many parameters require resource names to be formatted in a particular way. To assist with these names, this class includes a format method for each type of name, and additionally a parse method to extract the individual identifiers contained within names that are returned.

This class can be customized by passing in a custom instance of PolicyTroubleshooterSettings to create(). For example:

To customize credentials:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 PolicyTroubleshooterSettings policyTroubleshooterSettings =
     PolicyTroubleshooterSettings.newBuilder()
         .setCredentialsProvider(FixedCredentialsProvider.create(myCredentials))
         .build();
 PolicyTroubleshooterClient policyTroubleshooterClient =
     PolicyTroubleshooterClient.create(policyTroubleshooterSettings);
 

To customize the endpoint:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 PolicyTroubleshooterSettings policyTroubleshooterSettings =
     PolicyTroubleshooterSettings.newBuilder().setEndpoint(myEndpoint).build();
 PolicyTroubleshooterClient policyTroubleshooterClient =
     PolicyTroubleshooterClient.create(policyTroubleshooterSettings);
 

To use REST (HTTP1.1/JSON) transport (instead of gRPC) for sending and receiving requests over the wire:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 PolicyTroubleshooterSettings policyTroubleshooterSettings =
     PolicyTroubleshooterSettings.newHttpJsonBuilder().build();
 PolicyTroubleshooterClient policyTroubleshooterClient =
     PolicyTroubleshooterClient.create(policyTroubleshooterSettings);
 

Please refer to the GitHub repository's samples for more quickstart code snippets.

PolicyTroubleshooterGrpc

IAM Policy Troubleshooter service. This service helps you troubleshoot access issues for Google Cloud resources.

PolicyTroubleshooterGrpc.PolicyTroubleshooterBlockingStub

A stub to allow clients to do synchronous rpc calls to service PolicyTroubleshooter.

IAM Policy Troubleshooter service. This service helps you troubleshoot access issues for Google Cloud resources.

PolicyTroubleshooterGrpc.PolicyTroubleshooterFutureStub

A stub to allow clients to do ListenableFuture-style rpc calls to service PolicyTroubleshooter.

IAM Policy Troubleshooter service. This service helps you troubleshoot access issues for Google Cloud resources.

PolicyTroubleshooterGrpc.PolicyTroubleshooterImplBase

Base class for the server implementation of the service PolicyTroubleshooter.

IAM Policy Troubleshooter service. This service helps you troubleshoot access issues for Google Cloud resources.

PolicyTroubleshooterGrpc.PolicyTroubleshooterStub

A stub to allow clients to do asynchronous rpc calls to service PolicyTroubleshooter.

IAM Policy Troubleshooter service. This service helps you troubleshoot access issues for Google Cloud resources.

PolicyTroubleshooterSettings

Settings class to configure an instance of PolicyTroubleshooterClient.

The default instance has everything set to sensible defaults:

  • The default service address (policytroubleshooter.googleapis.com) and default port (443) are used.
  • Credentials are acquired automatically through Application Default Credentials.
  • Retries are configured for idempotent methods but not for non-idempotent methods.

The builder of this class is recursive, so contained classes are themselves builders. When build() is called, the tree of builders is called to create the complete settings object.

For example, to set the total timeout of troubleshootIamPolicy to 30 seconds:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 PolicyTroubleshooterSettings.Builder policyTroubleshooterSettingsBuilder =
     PolicyTroubleshooterSettings.newBuilder();
 policyTroubleshooterSettingsBuilder
     .troubleshootIamPolicySettings()
     .setRetrySettings(
         policyTroubleshooterSettingsBuilder
             .troubleshootIamPolicySettings()
             .getRetrySettings()
             .toBuilder()
             .setTotalTimeout(Duration.ofSeconds(30))
             .build());
 PolicyTroubleshooterSettings policyTroubleshooterSettings =
     policyTroubleshooterSettingsBuilder.build();
 

PolicyTroubleshooterSettings.Builder

Builder for PolicyTroubleshooterSettings.

TroubleshootIamPolicyRequest

Request for TroubleshootIamPolicy.

Protobuf type google.cloud.policytroubleshooter.iam.v3.TroubleshootIamPolicyRequest

TroubleshootIamPolicyRequest.Builder

Request for TroubleshootIamPolicy.

Protobuf type google.cloud.policytroubleshooter.iam.v3.TroubleshootIamPolicyRequest

TroubleshootIamPolicyResponse

Response for TroubleshootIamPolicy.

Protobuf type google.cloud.policytroubleshooter.iam.v3.TroubleshootIamPolicyResponse

TroubleshootIamPolicyResponse.Builder

Response for TroubleshootIamPolicy.

Protobuf type google.cloud.policytroubleshooter.iam.v3.TroubleshootIamPolicyResponse

TroubleshooterProto

Interfaces

AccessTupleOrBuilder

AllowBindingExplanation.AnnotatedAllowMembershipOrBuilder

AllowBindingExplanationOrBuilder

AllowPolicyExplanationOrBuilder

ConditionContext.EffectiveTagOrBuilder

ConditionContext.PeerOrBuilder

ConditionContext.RequestOrBuilder

ConditionContext.ResourceOrBuilder

ConditionContextOrBuilder

ConditionExplanation.EvaluationStateOrBuilder

ConditionExplanationOrBuilder

DenyPolicyExplanationOrBuilder

DenyRuleExplanation.AnnotatedDenyPrincipalMatchingOrBuilder

DenyRuleExplanation.AnnotatedPermissionMatchingOrBuilder

DenyRuleExplanationOrBuilder

ExplainedAllowPolicyOrBuilder

ExplainedDenyPolicyOrBuilder

ExplainedDenyResourceOrBuilder

PolicyTroubleshooterGrpc.AsyncService

IAM Policy Troubleshooter service. This service helps you troubleshoot access issues for Google Cloud resources.

TroubleshootIamPolicyRequestOrBuilder

TroubleshootIamPolicyResponseOrBuilder

Enums

AllowAccessState

Whether IAM allow policies give the principal the permission.

Protobuf enum google.cloud.policytroubleshooter.iam.v3.AllowAccessState

DenyAccessState

Whether IAM deny policies deny the principal the permission.

Protobuf enum google.cloud.policytroubleshooter.iam.v3.DenyAccessState

HeuristicRelevance

The extent to which a single data point contributes to an overall determination.

Protobuf enum google.cloud.policytroubleshooter.iam.v3.HeuristicRelevance

MembershipMatchingState

Whether the principal in the request matches the principal in the policy.

Protobuf enum google.cloud.policytroubleshooter.iam.v3.MembershipMatchingState

PermissionPatternMatchingState

Whether the permission in the request matches the permission in the policy.

Protobuf enum google.cloud.policytroubleshooter.iam.v3.PermissionPatternMatchingState

RolePermissionInclusionState

Whether a role includes a specific permission.

Protobuf enum google.cloud.policytroubleshooter.iam.v3.RolePermissionInclusionState

TroubleshootIamPolicyResponse.OverallAccessState

Whether the principal has the permission on the resource.

Protobuf enum google.cloud.policytroubleshooter.iam.v3.TroubleshootIamPolicyResponse.OverallAccessState