IamPolicyAnalysisResult(mapping=None, *, ignore_unknown_fields=False, **kwargs)
IAM Policy analysis result, consisting of one IAM policy binding and derived access control lists.
Attributes
Name | Description |
attached_resource_full_name |
str
The full name of the resource to which the iam_binding policy attaches. |
iam_binding |
google.iam.v1.policy_pb2.Binding
The Cloud IAM policy binding under analysis. |
access_control_lists |
Sequence[google.cloud.asset_v1p4beta1.types.IamPolicyAnalysisResult.AccessControlList]
The access control lists derived from the iam_binding that match or potentially match resource and access selectors specified in the request. |
identity_list |
google.cloud.asset_v1p4beta1.types.IamPolicyAnalysisResult.IdentityList
The identity list derived from members of the iam_binding that match or potentially match identity selector specified in the request. |
fully_explored |
bool
Represents whether all nodes in the transitive closure of the iam_binding node have been explored. |
Classes
Access
Access(mapping=None, *, ignore_unknown_fields=False, **kwargs)
A role or permission that appears in an access control list. .. attribute:: role
The role.
:type: str
AccessControlList
AccessControlList(mapping=None, *, ignore_unknown_fields=False, **kwargs)
An access control list, derived from the above IAM policy binding, which contains a set of resources and accesses. May include one item from each set to compose an access control entry.
NOTICE that there could be multiple access control lists for one IAM policy binding. The access control lists are created based on resource and access combinations.
For example, assume we have the following cases in one IAM policy binding:
- Permission P1 and P2 apply to resource R1 and R2;
- Permission P3 applies to resource R2 and R3;
This will result in the following access control lists:
- AccessControlList 1: [R1, R2], [P1, P2]
- AccessControlList 2: [R2, R3], [P3]
AnalysisState
AnalysisState(mapping=None, *, ignore_unknown_fields=False, **kwargs)
Represents analysis state of each node in the result graph or non-critical errors in the response.
Edge
Edge(mapping=None, *, ignore_unknown_fields=False, **kwargs)
A directional edge. .. attribute:: source_node
The source node of the edge.
:type: str
Identity
Identity(mapping=None, *, ignore_unknown_fields=False, **kwargs)
An identity that appears in an access control list. .. attribute:: name
The identity name in any form of members appear in IAM
policy
binding <https://cloud.google.com/iam/reference/rest/v1/Binding>
__,
such as:
- user:foo@google.com
- group:group1@google.com
- serviceAccount:s1@prj1.iam.gserviceaccount.com
- projectOwner:some_project_id
- domain:google.com
- allUsers
etc.
:type: str
IdentityList
IdentityList(mapping=None, *, ignore_unknown_fields=False, **kwargs)
Resource
Resource(mapping=None, *, ignore_unknown_fields=False, **kwargs)
A GCP resource that appears in an access control list. .. attribute:: full_resource_name
The full resource
name <https://aip.dev/122#full-resource-names>
__.
:type: str