Classes
AuditConfig
Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.
If there are AuditConfigs for both allServices
and a specific service,
the union of the two AuditConfigs is used for that service: the log_types
specified in each AuditConfig are enabled, and the exempted_members in each
AuditLogConfig are exempted.
Example Policy with multiple AuditConfigs:
{
"audit_configs": [
{
"service": "allServices",
"audit_log_configs": [
{
"log_type": "DATA_READ",
"exempted_members": [
"user:jose@example.com"
]
},
{
"log_type": "DATA_WRITE"
},
{
"log_type": "ADMIN_READ"
}
]
},
{
"service": "sampleservice.googleapis.com",
"audit_log_configs": [
{
"log_type": "DATA_READ"
},
{
"log_type": "DATA_WRITE",
"exempted_members": [
"user:aliya@example.com"
]
}
]
}
]
}
For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts jose@example.com from DATA_READ logging, and aliya@example.com from DATA_WRITE logging.
Protobuf type google.iam.v1.AuditConfig
AuditConfig.Builder
Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.
If there are AuditConfigs for both allServices
and a specific service,
the union of the two AuditConfigs is used for that service: the log_types
specified in each AuditConfig are enabled, and the exempted_members in each
AuditLogConfig are exempted.
Example Policy with multiple AuditConfigs:
{
"audit_configs": [
{
"service": "allServices",
"audit_log_configs": [
{
"log_type": "DATA_READ",
"exempted_members": [
"user:jose@example.com"
]
},
{
"log_type": "DATA_WRITE"
},
{
"log_type": "ADMIN_READ"
}
]
},
{
"service": "sampleservice.googleapis.com",
"audit_log_configs": [
{
"log_type": "DATA_READ"
},
{
"log_type": "DATA_WRITE",
"exempted_members": [
"user:aliya@example.com"
]
}
]
}
]
}
For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts jose@example.com from DATA_READ logging, and aliya@example.com from DATA_WRITE logging.
Protobuf type google.iam.v1.AuditConfig
AuditConfigDelta
One delta entry for AuditConfig. Each individual change (only one exempted_member in each entry) to a AuditConfig will be a separate entry.
Protobuf type google.iam.v1.AuditConfigDelta
AuditConfigDelta.Builder
One delta entry for AuditConfig. Each individual change (only one exempted_member in each entry) to a AuditConfig will be a separate entry.
Protobuf type google.iam.v1.AuditConfigDelta
AuditLogConfig
Provides the configuration for logging a type of permissions. Example:
{
"audit_log_configs": [
{
"log_type": "DATA_READ",
"exempted_members": [
"user:jose@example.com"
]
},
{
"log_type": "DATA_WRITE"
}
]
}
This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from DATA_READ logging.
Protobuf type google.iam.v1.AuditLogConfig
AuditLogConfig.Builder
Provides the configuration for logging a type of permissions. Example:
{
"audit_log_configs": [
{
"log_type": "DATA_READ",
"exempted_members": [
"user:jose@example.com"
]
},
{
"log_type": "DATA_WRITE"
}
]
}
This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from DATA_READ logging.
Protobuf type google.iam.v1.AuditLogConfig
Binding
Associates members
, or principals, with a role
.
Protobuf type google.iam.v1.Binding
Binding.Builder
Associates members
, or principals, with a role
.
Protobuf type google.iam.v1.Binding
BindingDelta
One delta entry for Binding. Each individual change (only one member in each entry) to a binding will be a separate entry.
Protobuf type google.iam.v1.BindingDelta
BindingDelta.Builder
One delta entry for Binding. Each individual change (only one member in each entry) to a binding will be a separate entry.
Protobuf type google.iam.v1.BindingDelta
GetIamPolicyRequest
Request message for GetIamPolicy
method.
Protobuf type google.iam.v1.GetIamPolicyRequest
GetIamPolicyRequest.Builder
Request message for GetIamPolicy
method.
Protobuf type google.iam.v1.GetIamPolicyRequest
GetPolicyOptions
Encapsulates settings provided to GetIamPolicy.
Protobuf type google.iam.v1.GetPolicyOptions
GetPolicyOptions.Builder
Encapsulates settings provided to GetIamPolicy.
Protobuf type google.iam.v1.GetPolicyOptions
IAMPolicyGrpc
API Overview Manages Identity and Access Management (IAM) policies. Any implementation of an API that offers access control features implements the google.iam.v1.IAMPolicy interface.
Data model
Access control is applied when a principal (user or service account), takes some action on a resource exposed by a service. Resources, identified by URI-like names, are the unit of access control specification. Service implementations can choose the granularity of access control and the supported permissions for their resources. For example one database service may allow access control to be specified only at the Table level, whereas another might allow access control to also be specified at the Column level.
Policy Structure
See google.iam.v1.Policy This is intentionally not a CRUD style API because access control policies are created and deleted implicitly with the resources to which they are attached.
IAMPolicyGrpc.IAMPolicyBlockingStub
A stub to allow clients to do synchronous rpc calls to service IAMPolicy.
API Overview Manages Identity and Access Management (IAM) policies. Any implementation of an API that offers access control features implements the google.iam.v1.IAMPolicy interface.
Data model
Access control is applied when a principal (user or service account), takes some action on a resource exposed by a service. Resources, identified by URI-like names, are the unit of access control specification. Service implementations can choose the granularity of access control and the supported permissions for their resources. For example one database service may allow access control to be specified only at the Table level, whereas another might allow access control to also be specified at the Column level.
Policy Structure
See google.iam.v1.Policy This is intentionally not a CRUD style API because access control policies are created and deleted implicitly with the resources to which they are attached.
IAMPolicyGrpc.IAMPolicyFutureStub
A stub to allow clients to do ListenableFuture-style rpc calls to service IAMPolicy.
API Overview Manages Identity and Access Management (IAM) policies. Any implementation of an API that offers access control features implements the google.iam.v1.IAMPolicy interface.
Data model
Access control is applied when a principal (user or service account), takes some action on a resource exposed by a service. Resources, identified by URI-like names, are the unit of access control specification. Service implementations can choose the granularity of access control and the supported permissions for their resources. For example one database service may allow access control to be specified only at the Table level, whereas another might allow access control to also be specified at the Column level.
Policy Structure
See google.iam.v1.Policy This is intentionally not a CRUD style API because access control policies are created and deleted implicitly with the resources to which they are attached.
IAMPolicyGrpc.IAMPolicyImplBase
Base class for the server implementation of the service IAMPolicy.
API Overview Manages Identity and Access Management (IAM) policies. Any implementation of an API that offers access control features implements the google.iam.v1.IAMPolicy interface.
Data model
Access control is applied when a principal (user or service account), takes some action on a resource exposed by a service. Resources, identified by URI-like names, are the unit of access control specification. Service implementations can choose the granularity of access control and the supported permissions for their resources. For example one database service may allow access control to be specified only at the Table level, whereas another might allow access control to also be specified at the Column level.
Policy Structure
See google.iam.v1.Policy This is intentionally not a CRUD style API because access control policies are created and deleted implicitly with the resources to which they are attached.
IAMPolicyGrpc.IAMPolicyStub
A stub to allow clients to do asynchronous rpc calls to service IAMPolicy.
API Overview Manages Identity and Access Management (IAM) policies. Any implementation of an API that offers access control features implements the google.iam.v1.IAMPolicy interface.
Data model
Access control is applied when a principal (user or service account), takes some action on a resource exposed by a service. Resources, identified by URI-like names, are the unit of access control specification. Service implementations can choose the granularity of access control and the supported permissions for their resources. For example one database service may allow access control to be specified only at the Table level, whereas another might allow access control to also be specified at the Column level.
Policy Structure
See google.iam.v1.Policy This is intentionally not a CRUD style API because access control policies are created and deleted implicitly with the resources to which they are attached.
IamPolicyProto
OptionsProto
Policy
An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources.
A Policy
is a collection of bindings
. A binding
binds one or more
members
, or principals, to a single role
. Principals can be user
accounts, service accounts, Google groups, and domains (such as G Suite). A
role
is a named list of permissions; each role
can be an IAM predefined
role or a user-created custom role.
For some types of Google Cloud resources, a binding
can also specify a
condition
, which is a logical expression that allows access to a resource
only if the expression evaluates to true
. A condition can add constraints
based on attributes of the request, the resource, or both. To learn which
resources support conditions in their IAM policies, see the
IAM
documentation.
JSON example:
{
"bindings": [
{
"role": "roles/resourcemanager.organizationAdmin",
"members": [
"user:mike@example.com",
"group:admins@example.com",
"domain:google.com",
"serviceAccount:my-project-id@appspot.gserviceaccount.com"
]
},
{
"role": "roles/resourcemanager.organizationViewer",
"members": [
"user:eve@example.com"
],
"condition": {
"title": "expirable access",
"description": "Does not grant access after Sep 2020",
"expression": "request.time <
timestamp('2020-10-01T00:00:00.000Z')",
}
}
],
"etag": "BwWWja0YfJA=",
"version": 3
}
YAML example:
bindings:
- members:
- user:mike@example.com
- group:admins@example.com
- domain:google.com
- serviceAccount:my-project-id@appspot.gserviceaccount.com
role: roles/resourcemanager.organizationAdmin
- members:
- user:eve@example.com
role: roles/resourcemanager.organizationViewer
condition:
title: expirable access
description: Does not grant access after Sep 2020
expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
etag: BwWWja0YfJA=
version: 3
For a description of IAM and its features, see the IAM documentation.
Protobuf type google.iam.v1.Policy
Policy.Builder
An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources.
A Policy
is a collection of bindings
. A binding
binds one or more
members
, or principals, to a single role
. Principals can be user
accounts, service accounts, Google groups, and domains (such as G Suite). A
role
is a named list of permissions; each role
can be an IAM predefined
role or a user-created custom role.
For some types of Google Cloud resources, a binding
can also specify a
condition
, which is a logical expression that allows access to a resource
only if the expression evaluates to true
. A condition can add constraints
based on attributes of the request, the resource, or both. To learn which
resources support conditions in their IAM policies, see the
IAM
documentation.
JSON example:
{
"bindings": [
{
"role": "roles/resourcemanager.organizationAdmin",
"members": [
"user:mike@example.com",
"group:admins@example.com",
"domain:google.com",
"serviceAccount:my-project-id@appspot.gserviceaccount.com"
]
},
{
"role": "roles/resourcemanager.organizationViewer",
"members": [
"user:eve@example.com"
],
"condition": {
"title": "expirable access",
"description": "Does not grant access after Sep 2020",
"expression": "request.time <
timestamp('2020-10-01T00:00:00.000Z')",
}
}
],
"etag": "BwWWja0YfJA=",
"version": 3
}
YAML example:
bindings:
- members:
- user:mike@example.com
- group:admins@example.com
- domain:google.com
- serviceAccount:my-project-id@appspot.gserviceaccount.com
role: roles/resourcemanager.organizationAdmin
- members:
- user:eve@example.com
role: roles/resourcemanager.organizationViewer
condition:
title: expirable access
description: Does not grant access after Sep 2020
expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
etag: BwWWja0YfJA=
version: 3
For a description of IAM and its features, see the IAM documentation.
Protobuf type google.iam.v1.Policy
PolicyDelta
The difference delta between two policies.
Protobuf type google.iam.v1.PolicyDelta
PolicyDelta.Builder
The difference delta between two policies.
Protobuf type google.iam.v1.PolicyDelta
PolicyProto
SetIamPolicyRequest
Request message for SetIamPolicy
method.
Protobuf type google.iam.v1.SetIamPolicyRequest
SetIamPolicyRequest.Builder
Request message for SetIamPolicy
method.
Protobuf type google.iam.v1.SetIamPolicyRequest
TestIamPermissionsRequest
Request message for TestIamPermissions
method.
Protobuf type google.iam.v1.TestIamPermissionsRequest
TestIamPermissionsRequest.Builder
Request message for TestIamPermissions
method.
Protobuf type google.iam.v1.TestIamPermissionsRequest
TestIamPermissionsResponse
Response message for TestIamPermissions
method.
Protobuf type google.iam.v1.TestIamPermissionsResponse
TestIamPermissionsResponse.Builder
Response message for TestIamPermissions
method.
Protobuf type google.iam.v1.TestIamPermissionsResponse
Interfaces
AuditConfigDeltaOrBuilder
AuditConfigOrBuilder
AuditLogConfigOrBuilder
BindingDeltaOrBuilder
BindingOrBuilder
GetIamPolicyRequestOrBuilder
GetPolicyOptionsOrBuilder
IAMPolicyGrpc.AsyncService
API Overview Manages Identity and Access Management (IAM) policies. Any implementation of an API that offers access control features implements the google.iam.v1.IAMPolicy interface.
Data model
Access control is applied when a principal (user or service account), takes some action on a resource exposed by a service. Resources, identified by URI-like names, are the unit of access control specification. Service implementations can choose the granularity of access control and the supported permissions for their resources. For example one database service may allow access control to be specified only at the Table level, whereas another might allow access control to also be specified at the Column level.
Policy Structure
See google.iam.v1.Policy This is intentionally not a CRUD style API because access control policies are created and deleted implicitly with the resources to which they are attached.
PolicyDeltaOrBuilder
PolicyOrBuilder
SetIamPolicyRequestOrBuilder
TestIamPermissionsRequestOrBuilder
TestIamPermissionsResponseOrBuilder
Enums
AuditConfigDelta.Action
The type of action performed on an audit configuration in a policy.
Protobuf enum google.iam.v1.AuditConfigDelta.Action
AuditLogConfig.LogType
The list of valid permission types for which logging can be configured. Admin writes are always logged, and are not configurable.
Protobuf enum google.iam.v1.AuditLogConfig.LogType
BindingDelta.Action
The type of action performed on a Binding in a policy.
Protobuf enum google.iam.v1.BindingDelta.Action