3.0.0 • Published 5 years ago

@datafire/google_cloudasset v3.0.0

Weekly downloads
1
License
MIT
Repository
github
Last release
5 years ago

@datafire/google_cloudasset

Client library for Cloud Asset API

Installation and Usage

npm install --save @datafire/google_cloudasset
let google_cloudasset = require('@datafire/google_cloudasset').create({
  access_token: "",
  refresh_token: "",
  client_id: "",
  client_secret: "",
  redirect_uri: ""
});

.then(data => {
  console.log(data);
});

Description

The cloud asset API manages the history and inventory of cloud resources.

Actions

oauthCallback

Exchange the code passed to your redirect URI for an access_token

google_cloudasset.oauthCallback({
  "code": ""
}, context)

Input

  • input object
    • code required string

Output

  • output object
    • access_token string
    • refresh_token string
    • token_type string
    • scope string
    • expiration string

oauthRefresh

Exchange a refresh_token for an access_token

google_cloudasset.oauthRefresh(null, context)

Input

This action has no parameters

Output

  • output object
    • access_token string
    • refresh_token string
    • token_type string
    • scope string
    • expiration string

cloudasset.assets.list

Lists assets with time and resource types and returns paged results in response.

google_cloudasset.cloudasset.assets.list({
  "parent": ""
}, context)

Input

  • input object
    • parent required string: Required. Name of the organization or project the assets belong to. Format: "organizations/organization-number" (such as "organizations/123"), "projects/project-number" (such as "projects/my-project-id"), or "projects/project-id" (such as "projects/12345").
    • assetTypes array: A list of asset types to take a snapshot for. For example: "compute.googleapis.com/Disk". Regular expression is also supported. For example: "compute.googleapis.com." snapshots resources whose asset type starts with "compute.googleapis.com". ".Instance" snapshots resources whose asset type ends with "Instance". ".Instance.*" snapshots resources whose asset type contains "Instance". See RE2 for all supported regular expression syntax. If the regular expression does not match any supported asset type, an INVALID_ARGUMENT error will be returned. If specified, only matching assets will be returned, otherwise, it will snapshot all asset types. See Introduction to Cloud Asset Inventory for all supported asset types.
    • contentType string (values: CONTENT_TYPE_UNSPECIFIED, RESOURCE, IAM_POLICY, ORG_POLICY, ACCESS_POLICY): Asset content type. If not specified, no content but the asset name will be returned.
    • pageSize integer: The maximum number of assets to be returned in a single response. Default is 100, minimum is 1, and maximum is 1000.
    • pageToken string: The next_page_token returned from the previous ListAssetsResponse, or unspecified for the first ListAssetsRequest. It is a continuation of a prior ListAssets call, and the API should return the next page of assets.
    • readTime string: Timestamp to take an asset snapshot. This can only be set to a timestamp between the current time and the current time minus 35 days (inclusive). If not specified, the current time will be used. Due to delays in resource data collection and indexing, there is a volatile window during which running the same query may get different results.
    • $.xgafv string (values: 1, 2): V1 error format.
    • access_token string: OAuth access token.
    • alt string (values: json, media, proto): Data format for response.
    • callback string: JSONP
    • fields string: Selector specifying which fields to include in a partial response.
    • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
    • oauth_token string: OAuth 2.0 token for the current user.
    • prettyPrint boolean: Returns response with indentations and line breaks.
    • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
    • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
    • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

Definitions

Asset

AuditConfig

  • AuditConfig object: Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs. If there are AuditConfigs for both allServices and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted. Example Policy with multiple AuditConfigs: { "audit_configs": [ { "service": "allServices", "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": "user:jose@example.com" }, { "log_type": "DATA_WRITE" }, { "log_type": "ADMIN_READ" } ] }, { "service": "sampleservice.googleapis.com", "audit_log_configs": [ { "log_type": "DATA_READ" }, { "log_type": "DATA_WRITE", "exempted_members": "user:aliya@example.com" } ] } ] } For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts jose@example.com from DATA_READ logging, and aliya@example.com from DATA_WRITE logging.
    • auditLogConfigs array: The configuration for logging of each type of permission.
    • service string: Specifies a service that will be enabled for audit logging. For example, storage.googleapis.com, cloudsql.googleapis.com. allServices is a special value that covers all services.

AuditLogConfig

  • AuditLogConfig object: Provides the configuration for logging a type of permissions. Example: { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": "user:jose@example.com" }, { "log_type": "DATA_WRITE" } ] } This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from DATA_READ logging.
    • exemptedMembers array: Specifies the identities that do not cause logging for this type of permission. Follows the same format of Binding.members.
      • items string
    • logType string (values: LOG_TYPE_UNSPECIFIED, ADMIN_READ, DATA_WRITE, DATA_READ): The log type that this config enables.

Binding

  • Binding object: Associates members with a role.
    • condition Expr
    • members array: Specifies the identities requesting access for a Cloud Platform resource. members can have the following values: allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account. allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account. user:{emailid}: An email address that represents a specific Google account. For example, alice@example.com . serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. group:{emailid}: An email address that represents a Google group. For example, admins@example.com. deleted:user:{emailid}?uid={uniqueid}: An email address (plus unique identifier) representing a user that has been recently deleted. For example, alice@example.com?uid=123456789012345678901. If the user is recovered, this value reverts to user:{emailid} and the recovered user retains the role in the binding. deleted:serviceAccount:{emailid}?uid={uniqueid}: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901. If the service account is undeleted, this value reverts to serviceAccount:{emailid} and the undeleted service account retains the role in the binding. deleted:group:{emailid}?uid={uniqueid}: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, admins@example.com?uid=123456789012345678901. If the group is recovered, this value reverts to group:{emailid} and the recovered group retains the role in the binding. * domain:{domain}: The G Suite domain (primary) that represents all the users of that domain. For example, google.com or example.com.
      • items string
    • role string: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner.

Expr

  • Expr object: Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
    • description string: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    • expression string: Textual representation of an expression in Common Expression Language syntax.
    • location string: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    • title string: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

GoogleCloudOrgpolicyV1BooleanPolicy

  • GoogleCloudOrgpolicyV1BooleanPolicy object: Used in policy_type to specify how boolean_policy will behave at this resource.
    • enforced boolean: If true, then the Policy is enforced. If false, then any configuration is acceptable. Suppose you have a Constraint constraints/compute.disableSerialPortAccess with constraint_default set to ALLOW. A Policy for that Constraint exhibits the following behavior: - If the Policy at this resource has enforced set to false, serial port connection attempts will be allowed. - If the Policy at this resource has enforced set to true, serial port connection attempts will be refused. - If the Policy at this resource is RestoreDefault, serial port connection attempts will be allowed. - If no Policy is set at this resource or anywhere higher in the resource hierarchy, serial port connection attempts will be allowed. - If no Policy is set at this resource, but one exists higher in the resource hierarchy, the behavior is as if thePolicy were set at this resource. The following examples demonstrate the different possible layerings: Example 1 (nearest Constraint wins): organizations/foo has a Policy with: {enforced: false} projects/bar has no Policy set. The constraint at projects/bar and organizations/foo will not be enforced. Example 2 (enforcement gets replaced): organizations/foo has a Policy with: {enforced: false} projects/bar has a Policy with: {enforced: true} The constraint at organizations/foo is not enforced. The constraint at projects/bar is enforced. Example 3 (RestoreDefault): organizations/foo has a Policy with: {enforced: true} projects/bar has a Policy with: {RestoreDefault: {}} The constraint at organizations/foo is enforced. The constraint at projects/bar is not enforced, because constraint_default for the Constraint is ALLOW.

GoogleCloudOrgpolicyV1ListPolicy

  • GoogleCloudOrgpolicyV1ListPolicy object: Used in policy_type to specify how list_policy behaves at this resource. ListPolicy can define specific values and subtrees of Cloud Resource Manager resource hierarchy (Organizations, Folders, Projects) that are allowed or denied by setting the allowed_values and denied_values fields. This is achieved by using the under: and optional is: prefixes. The under: prefix is used to denote resource subtree values. The is: prefix is used to denote specific values, and is required only if the value contains a ":". Values prefixed with "is:" are treated the same as values with no prefix. Ancestry subtrees must be in one of the following formats: - "projects/", e.g. "projects/tokyo-rain-123" - "folders/", e.g. "folders/1234" - "organizations/", e.g. "organizations/1234" The supports_under field of the associated Constraint defines whether ancestry prefixes can be used. You can set allowed_values and denied_values in the same Policy if all_values is ALL_VALUES_UNSPECIFIED. ALLOW or DENY are used to allow or deny all values. If all_values is set to either ALLOW or DENY, allowed_values and denied_values must be unset.
    • allValues string (values: ALL_VALUES_UNSPECIFIED, ALLOW, DENY): The policy all_values state.
    • allowedValues array: List of values allowed at this resource. Can only be set if all_values is set to ALL_VALUES_UNSPECIFIED.
      • items string
    • deniedValues array: List of values denied at this resource. Can only be set if all_values is set to ALL_VALUES_UNSPECIFIED.
      • items string
    • inheritFromParent boolean: Determines the inheritance behavior for this Policy. By default, a ListPolicy set at a resource supersedes any Policy set anywhere up the resource hierarchy. However, if inherit_from_parent is set to true, then the values from the effective Policy of the parent resource are inherited, meaning the values set in this Policy are added to the values inherited up the hierarchy. Setting Policy hierarchies that inherit both allowed values and denied values isn't recommended in most circumstances to keep the configuration simple and understandable. However, it is possible to set a Policy with allowed_values set that inherits a Policy with denied_values set. In this case, the values that are allowed must be in allowed_values and not present in denied_values. For example, suppose you have a Constraint constraints/serviceuser.services, which has a constraint_type of list_constraint, and with constraint_default set to ALLOW. Suppose that at the Organization level, a Policy is applied that restricts the allowed API activations to {E1, E2}. Then, if a Policy is applied to a project below the Organization that has inherit_from_parent set to false and field all_values set to DENY, then an attempt to activate any API will be denied. The following examples demonstrate different possible layerings for projects/bar parented by organizations/foo: Example 1 (no inherited values): organizations/foo has a Policy with values: {allowed_values: "E1" allowed_values:"E2"} projects/bar has inherit_from_parent false and values: {allowed_values: "E3" allowed_values: "E4"} The accepted values at organizations/foo are E1, E2. The accepted values at projects/bar are E3, and E4. Example 2 (inherited values): organizations/foo has a Policy with values: {allowed_values: "E1" allowed_values:"E2"} projects/bar has a Policy with values: {value: "E3" value: "E4" inherit_from_parent: true} The accepted values at organizations/foo are E1, E2. The accepted values at projects/bar are E1, E2, E3, and E4. Example 3 (inheriting both allowed and denied values): organizations/foo has a Policy with values: {allowed_values: "E1" allowed_values: "E2"} projects/bar has a Policy with: {denied_values: "E1"} The accepted values at organizations/foo are E1, E2. The value accepted at projects/bar is E2. Example 4 (RestoreDefault): organizations/foo has a Policy with values: {allowed_values: "E1" allowed_values:"E2"} projects/bar has a Policy with values: {RestoreDefault: {}} The accepted values at organizations/foo are E1, E2. The accepted values at projects/bar are either all or none depending on the value of constraint_default (if ALLOW, all; if DENY, none). Example 5 (no policy inherits parent policy): organizations/foo has no Policy set. projects/bar has no Policy set. The accepted values at both levels are either all or none depending on the value of constraint_default (if ALLOW, all; if DENY, none). Example 6 (ListConstraint allowing all): organizations/foo has a Policy with values: {allowed_values: "E1" allowed_values: "E2"} projects/bar has a Policy with: {all: ALLOW} The accepted values at organizations/foo are E1, E2. Any value is accepted atprojects/bar. Example 7 (ListConstraint allowing none):organizations/foohas aPolicywith values: {allowed_values: "E1" allowed_values: "E2"}projects/barhas aPolicywith: {all: DENY} The accepted values atorganizations/fooareE1, E2. No value is accepted at projects/bar. Example 10 (allowed and denied subtrees of Resource Manager hierarchy): Given the following resource hierarchy O1->{F1, F2}; F1->{P1}; F2->{P2, P3}, organizations/foo has a Policy with values: {allowed_values: "under:organizations/O1"} projects/bar has a Policy with: {allowed_values: "under:projects/P3"} {denied_values: "under:folders/F2"} The accepted values at organizations/foo are organizations/O1, folders/F1, folders/F2, projects/P1, projects/P2, projects/P3. The accepted values at projects/bar are organizations/O1, folders/F1, projects/P1.
    • suggestedValue string: Optional. The Google Cloud Console will try to default to a configuration that matches the value specified in this Policy. If suggested_value is not set, it will inherit the value specified higher in the hierarchy, unless inherit_from_parent is false.

GoogleCloudOrgpolicyV1Policy

  • GoogleCloudOrgpolicyV1Policy object: Defines a Cloud Organization Policy which is used to specify Constraints for configurations of Cloud Platform resources.
    • booleanPolicy GoogleCloudOrgpolicyV1BooleanPolicy
    • constraint string: The name of the Constraint the Policy is configuring, for example, constraints/serviceuser.services. A list of available constraints is available. Immutable after creation.
    • etag string: An opaque tag indicating the current version of the Policy, used for concurrency control. When the Policy is returned from either a GetPolicy or a ListOrgPolicy request, this etag indicates the version of the current Policy to use when executing a read-modify-write loop. When the Policy is returned from a GetEffectivePolicy request, the etag will be unset. When the Policy is used in a SetOrgPolicy method, use the etag value that was returned from a GetOrgPolicy request as part of a read-modify-write loop for concurrency control. Not setting the etagin a SetOrgPolicy request will result in an unconditional write of the Policy.
    • listPolicy GoogleCloudOrgpolicyV1ListPolicy
    • restoreDefault GoogleCloudOrgpolicyV1RestoreDefault
    • updateTime string: The time stamp the Policy was previously updated. This is set by the server, not specified by the caller, and represents the last time a call to SetOrgPolicy was made for that Policy. Any value set by the client will be ignored.
    • version integer: Version of the Policy. Default version is 0;

GoogleCloudOrgpolicyV1RestoreDefault

  • GoogleCloudOrgpolicyV1RestoreDefault object: Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific Constraint at this resource. Suppose that constraint_default is set to ALLOW for the Constraint constraints/serviceuser.services. Suppose that organization foo.com sets a Policy at their Organization resource node that restricts the allowed service activations to deny all service activations. They could then set a Policy with the policy_type restore_default on several experimental projects, restoring the constraint_default enforcement of the Constraint for only those projects, allowing those projects to have all services activated.

GoogleIdentityAccesscontextmanagerV1AccessLevel

  • GoogleIdentityAccesscontextmanagerV1AccessLevel object: An AccessLevel is a label that can be applied to requests to Google Cloud services, along with a list of requirements necessary for the label to be applied.
    • basic GoogleIdentityAccesscontextmanagerV1BasicLevel
    • custom GoogleIdentityAccesscontextmanagerV1CustomLevel
    • description string: Description of the AccessLevel and its use. Does not affect behavior.
    • name string: Required. Resource name for the Access Level. The short_name component must begin with a letter and only include alphanumeric and '_'. Format: accessPolicies/{policy_id}/accessLevels/{short_name}. The maximum length of the short_name component is 50 characters.
    • title string: Human readable title. Must be unique within the Policy.

GoogleIdentityAccesscontextmanagerV1AccessPolicy

  • GoogleIdentityAccesscontextmanagerV1AccessPolicy object: AccessPolicy is a container for AccessLevels (which define the necessary attributes to use Google Cloud services) and ServicePerimeters (which define regions of services able to freely pass data within a perimeter). An access policy is globally visible within an organization, and the restrictions it specifies apply to all projects within an organization.
    • etag string: Output only. An opaque identifier for the current version of the AccessPolicy. This will always be a strongly validated etag, meaning that two Access Polices will be identical if and only if their etags are identical. Clients should not expect this to be in any specific format.
    • name string: Output only. Resource name of the AccessPolicy. Format: accessPolicies/{policy_id}
    • parent string: Required. The parent of this AccessPolicy in the Cloud Resource Hierarchy. Currently immutable once created. Format: organizations/{organization_id}
    • title string: Required. Human readable title. Does not affect behavior.

GoogleIdentityAccesscontextmanagerV1BasicLevel

  • GoogleIdentityAccesscontextmanagerV1BasicLevel object: BasicLevel is an AccessLevel using a set of recommended features.
    • combiningFunction string (values: AND, OR): How the conditions list should be combined to determine if a request is granted this AccessLevel. If AND is used, each Condition in conditions must be satisfied for the AccessLevel to be applied. If OR is used, at least one Condition in conditions must be satisfied for the AccessLevel to be applied. Default behavior is AND.
    • conditions array: Required. A list of requirements for the AccessLevel to be granted.

GoogleIdentityAccesscontextmanagerV1Condition

  • GoogleIdentityAccesscontextmanagerV1Condition object: A condition necessary for an AccessLevel to be granted. The Condition is an AND over its fields. So a Condition is true if: 1) the request IP is from one of the listed subnetworks AND 2) the originating device complies with the listed device policy AND 3) all listed access levels are granted AND 4) the request was sent at a time allowed by the DateTimeRestriction.
    • devicePolicy GoogleIdentityAccesscontextmanagerV1DevicePolicy
    • ipSubnetworks array: CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for a CIDR IP address block, the specified IP address portion must be properly truncated (i.e. all the host bits must be zero) or the input is considered malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32" is not. The originating IP of a request must be in one of the listed subnets in order for this Condition to be true. If empty, all IP addresses are allowed.
      • items string
    • members array: The request must be made by one of the provided user or service accounts. Groups are not supported. Syntax: user:{emailid} serviceAccount:{emailid} If not specified, a request may come from any user.
      • items string
    • negate boolean: Whether to negate the Condition. If true, the Condition becomes a NAND over its non-empty fields, each field must be false for the Condition overall to be satisfied. Defaults to false.
    • regions array: The request must originate from one of the provided countries/regions. Must be valid ISO 3166-1 alpha-2 codes.
      • items string
    • requiredAccessLevels array: A list of other access levels defined in the same Policy, referenced by resource name. Referencing an AccessLevel which does not exist is an error. All access levels listed must be granted for the Condition to be true. Example: "accessPolicies/MY_POLICY/accessLevels/LEVEL_NAME"
      • items string

GoogleIdentityAccesscontextmanagerV1CustomLevel

  • GoogleIdentityAccesscontextmanagerV1CustomLevel object: CustomLevel is an AccessLevel using the Cloud Common Expression Language to represent the necessary conditions for the level to apply to a request. See CEL spec at: https://github.com/google/cel-spec

GoogleIdentityAccesscontextmanagerV1DevicePolicy

  • GoogleIdentityAccesscontextmanagerV1DevicePolicy object: DevicePolicy specifies device specific restrictions necessary to acquire a given access level. A DevicePolicy specifies requirements for requests from devices to be granted access levels, it does not do any enforcement on the device. DevicePolicy acts as an AND over all specified fields, and each repeated field is an OR over its elements. Any unset fields are ignored. For example, if the proto is { os_type : DESKTOP_WINDOWS, os_type : DESKTOP_LINUX, encryption_status: ENCRYPTED}, then the DevicePolicy will be true for requests originating from encrypted Linux desktops and encrypted Windows desktops.
    • allowedDeviceManagementLevels array: Allowed device management levels, an empty list allows all management levels.
      • items string (values: MANAGEMENT_UNSPECIFIED, NONE, BASIC, COMPLETE)
    • allowedEncryptionStatuses array: Allowed encryptions statuses, an empty list allows all statuses.
      • items string (values: ENCRYPTION_UNSPECIFIED, ENCRYPTION_UNSUPPORTED, UNENCRYPTED, ENCRYPTED)
    • osConstraints array: Allowed OS versions, an empty list allows all types and all versions.
    • requireAdminApproval boolean: Whether the device needs to be approved by the customer admin.
    • requireCorpOwned boolean: Whether the device needs to be corp owned.
    • requireScreenlock boolean: Whether or not screenlock is required for the DevicePolicy to be true. Defaults to false.

GoogleIdentityAccesscontextmanagerV1OsConstraint

  • GoogleIdentityAccesscontextmanagerV1OsConstraint object: A restriction on the OS type and version of devices making requests.
    • minimumVersion string: The minimum allowed OS version. If not set, any version of this OS satisfies the constraint. Format: "major.minor.patch". Examples: "10.5.301", "9.2.1".
    • osType string (values: OS_UNSPECIFIED, DESKTOP_MAC, DESKTOP_WINDOWS, DESKTOP_LINUX, DESKTOP_CHROME_OS, ANDROID, IOS): Required. The allowed OS type.
    • requireVerifiedChromeOs boolean: Only allows requests from devices with a verified Chrome OS. Verifications includes requirements that the device is enterprise-managed, conformant to domain policies, and the caller has permission to call the API targeted by the request.

GoogleIdentityAccesscontextmanagerV1ServicePerimeter

  • GoogleIdentityAccesscontextmanagerV1ServicePerimeter object: ServicePerimeter describes a set of Google Cloud resources which can freely import and export data amongst themselves, but not export outside of the ServicePerimeter. If a request with a source within this ServicePerimeter has a target outside of the ServicePerimeter, the request will be blocked. Otherwise the request is allowed. There are two types of Service Perimeter - Regular and Bridge. Regular Service Perimeters cannot overlap, a single Google Cloud project can only belong to a single regular Service Perimeter. Service Perimeter Bridges can contain only Google Cloud projects as members, a single Google Cloud project may belong to multiple Service Perimeter Bridges.
    • description string: Description of the ServicePerimeter and its use. Does not affect behavior.
    • name string: Required. Resource name for the ServicePerimeter. The short_name component must begin with a letter and only include alphanumeric and '_'. Format: accessPolicies/{policy_id}/servicePerimeters/{short_name}
    • perimeterType string (values: PERIMETER_TYPE_REGULAR, PERIMETER_TYPE_BRIDGE): Perimeter type indicator. A single project is allowed to be a member of single regular perimeter, but multiple service perimeter bridges. A project cannot be a included in a perimeter bridge without being included in regular perimeter. For perimeter bridges, the restricted service list as well as access level lists must be empty.
    • spec GoogleIdentityAccesscontextmanagerV1ServicePerimeterConfig
    • status GoogleIdentityAccesscontextmanagerV1ServicePerimeterConfig
    • title string: Human readable title. Must be unique within the Policy.
    • useExplicitDryRunSpec boolean: Use explicit dry run spec flag. Ordinarily, a dry-run spec implicitly exists for all Service Perimeters, and that spec is identical to the status for those Service Perimeters. When this flag is set, it inhibits the generation of the implicit spec, thereby allowing the user to explicitly provide a configuration ("spec") to use in a dry-run version of the Service Perimeter. This allows the user to test changes to the enforced config ("status") without actually enforcing them. This testing is done through analyzing the differences between currently enforced and suggested restrictions. use_explicit_dry_run_spec must bet set to True if any of the fields in the spec are set to non-default values.

GoogleIdentityAccesscontextmanagerV1ServicePerimeterConfig

  • GoogleIdentityAccesscontextmanagerV1ServicePerimeterConfig object: ServicePerimeterConfig specifies a set of Google Cloud resources that describe specific Service Perimeter configuration.
    • accessLevels array: A list of AccessLevel resource names that allow resources within the ServicePerimeter to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel is a syntax error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: "accessPolicies/MY_POLICY/accessLevels/MY_LEVEL". For Service Perimeter Bridge, must be empty.
      • items string
    • resources array: A list of Google Cloud resources that are inside of the service perimeter. Currently only projects are allowed. Format: projects/{project_number}
      • items string
    • restrictedServices array: Google Cloud services that are subject to the Service Perimeter restrictions. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions.
      • items string
    • vpcAccessibleServices GoogleIdentityAccesscontextmanagerV1VpcAccessibleServices

GoogleIdentityAccesscontextmanagerV1VpcAccessibleServices

  • GoogleIdentityAccesscontextmanagerV1VpcAccessibleServices object: Specifies how APIs are allowed to communicate within the Service Perimeter.
    • allowedServices array: The list of APIs usable within the Service Perimeter. Must be empty unless 'enable_restriction' is True. You can specify a list of individual services, as well as include the 'RESTRICTED-SERVICES' value, which automatically includes all of the services protected by the perimeter.
      • items string
    • enableRestriction boolean: Whether to restrict API calls within the Service Perimeter to the list of APIs specified in 'allowed_services'.

ListAssetsResponse

  • ListAssetsResponse object: ListAssets response.
    • assets array: Assets.
    • nextPageToken string: Token to retrieve the next page of results. Set to empty if there are no remaining results.
    • readTime string: Time the snapshot was taken.

Policy

  • Policy object: An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A Policy is a collection of bindings. A binding binds one or more members to a single role. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a binding can also specify a condition, which is a logical expression that allows access to a resource only if the expression evaluates to true. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the IAM documentation. JSON example: { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" }, { "role": "roles/resourcemanager.organizationViewer", "members": "user:eve@example.com" , "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 } YAML example: bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') - etag: BwWWja0YfJA= - version: 3 For a description of IAM and its features, see the IAM documentation.
    • auditConfigs array: Specifies cloud audit logging configuration for this policy.
    • bindings array: Associates a list of members to a role. Optionally, may specify a condition that determines how and when the bindings are applied. Each of the bindings must contain at least one member.
    • etag string: etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the etag in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An etag is returned in the response to getIamPolicy, and systems are expected to put that etag in the request to setIamPolicy to ensure that their change will be applied to the same version of the policy. Important: If you use IAM Conditions, you must include the etag field whenever you call setIamPolicy. If you omit this field, then IAM allows you to overwrite a version 3 policy with a version 1 policy, and all of the conditions in the version 3 policy are lost.
    • version integer: Specifies the format of the policy. Valid values are 0, 1, and 3. Requests that specify an invalid value are rejected. Any operation that affects conditional role bindings must specify version 3. This requirement applies to the following operations: Getting a policy that includes a conditional role binding Adding a conditional role binding to a policy Changing a conditional role binding in a policy Removing any role binding, with or without a condition, from a policy that includes conditions Important: If you use IAM Conditions, you must include the etag field whenever you call setIamPolicy. If you omit this field, then IAM allows you to overwrite a version 3 policy with a version 1 policy, and all of the conditions in the version 3 policy are lost. If a policy does not include any conditions, operations on that policy may specify any valid version or leave the field unset. To learn which resources support conditions in their IAM policies, see the IAM documentation.

Resource

  • Resource object: A representation of a Google Cloud resource.
    • data object: The content of the resource, in which some sensitive fields are removed and may not be present.
    • discoveryDocumentUri string: The URL of the discovery document containing the resource's JSON schema. Example: https://www.googleapis.com/discovery/v1/apis/compute/v1/rest This value is unspecified for resources that do not have an API based on a discovery document, such as Cloud Bigtable.
    • discoveryName string: The JSON schema name listed in the discovery document. Example: Project This value is unspecified for resources that do not have an API based on a discovery document, such as Cloud Bigtable.
    • parent string: The full name of the immediate parent of this resource. See Resource Names for more information. For Google Cloud assets, this value is the parent resource defined in the Cloud IAM policy hierarchy. Example: //cloudresourcemanager.googleapis.com/projects/my_project_123 For third-party assets, this field may be set differently.
    • resourceUrl string: The REST URL for accessing the resource. An HTTP GET request using this URL returns the resource itself. Example: https://cloudresourcemanager.googleapis.com/v1/projects/my-project-123 This value is unspecified for resources without a REST API.
    • version string: The API version. Example: "v1".
datafire
@infinitebrahmanuniverse/nolb-_datafire_g@everything-registry/sub-chunk-222@zalastax/nolb-_datafire_g
3.0.0

5 years ago