diff --git a/api_names_out.yaml b/api_names_out.yaml index 6432bb059..479535bee 100644 --- a/api_names_out.yaml +++ b/api_names_out.yaml @@ -20236,6 +20236,19 @@ "/classroom:v1/fields": fields "/classroom:v1/key": key "/classroom:v1/quotaUser": quota_user +"/cloudasset:v1/AccessSelector": access_selector +"/cloudasset:v1/AccessSelector/permissions": permissions +"/cloudasset:v1/AccessSelector/permissions/permission": permission +"/cloudasset:v1/AccessSelector/roles": roles +"/cloudasset:v1/AccessSelector/roles/role": role +"/cloudasset:v1/AnalyzeIamPolicyLongrunningRequest": analyze_iam_policy_longrunning_request +"/cloudasset:v1/AnalyzeIamPolicyLongrunningRequest/analysisQuery": analysis_query +"/cloudasset:v1/AnalyzeIamPolicyLongrunningRequest/outputConfig": output_config +"/cloudasset:v1/AnalyzeIamPolicyResponse": analyze_iam_policy_response +"/cloudasset:v1/AnalyzeIamPolicyResponse/fullyExplored": fully_explored +"/cloudasset:v1/AnalyzeIamPolicyResponse/mainAnalysis": main_analysis +"/cloudasset:v1/AnalyzeIamPolicyResponse/serviceAccountImpersonationAnalysis": service_account_impersonation_analysis +"/cloudasset:v1/AnalyzeIamPolicyResponse/serviceAccountImpersonationAnalysis/service_account_impersonation_analysis": service_account_impersonation_analysis "/cloudasset:v1/Asset": asset "/cloudasset:v1/Asset/accessLevel": access_level "/cloudasset:v1/Asset/accessPolicy": access_policy 
@@ -20303,6 +20316,38 @@ "/cloudasset:v1/GcsDestination": gcs_destination "/cloudasset:v1/GcsDestination/uri": uri "/cloudasset:v1/GcsDestination/uriPrefix": uri_prefix +"/cloudasset:v1/GoogleCloudAssetV1Access": google_cloud_asset_v1_access +"/cloudasset:v1/GoogleCloudAssetV1Access/analysisState": analysis_state +"/cloudasset:v1/GoogleCloudAssetV1Access/permission": permission +"/cloudasset:v1/GoogleCloudAssetV1Access/role": role +"/cloudasset:v1/GoogleCloudAssetV1AccessControlList": google_cloud_asset_v1_access_control_list +"/cloudasset:v1/GoogleCloudAssetV1AccessControlList/accesses": accesses +"/cloudasset:v1/GoogleCloudAssetV1AccessControlList/accesses/access": access +"/cloudasset:v1/GoogleCloudAssetV1AccessControlList/resourceEdges": resource_edges +"/cloudasset:v1/GoogleCloudAssetV1AccessControlList/resourceEdges/resource_edge": resource_edge +"/cloudasset:v1/GoogleCloudAssetV1AccessControlList/resources": resources +"/cloudasset:v1/GoogleCloudAssetV1AccessControlList/resources/resource": resource +"/cloudasset:v1/GoogleCloudAssetV1BigQueryDestination": google_cloud_asset_v1_big_query_destination +"/cloudasset:v1/GoogleCloudAssetV1BigQueryDestination/dataset": dataset +"/cloudasset:v1/GoogleCloudAssetV1BigQueryDestination/partitionKey": partition_key +"/cloudasset:v1/GoogleCloudAssetV1BigQueryDestination/tablePrefix": table_prefix +"/cloudasset:v1/GoogleCloudAssetV1BigQueryDestination/writeDisposition": write_disposition +"/cloudasset:v1/GoogleCloudAssetV1Edge": google_cloud_asset_v1_edge +"/cloudasset:v1/GoogleCloudAssetV1Edge/sourceNode": source_node +"/cloudasset:v1/GoogleCloudAssetV1Edge/targetNode": target_node +"/cloudasset:v1/GoogleCloudAssetV1GcsDestination": google_cloud_asset_v1_gcs_destination +"/cloudasset:v1/GoogleCloudAssetV1GcsDestination/uri": uri +"/cloudasset:v1/GoogleCloudAssetV1Identity": google_cloud_asset_v1_identity +"/cloudasset:v1/GoogleCloudAssetV1Identity/analysisState": analysis_state 
+"/cloudasset:v1/GoogleCloudAssetV1Identity/name": name +"/cloudasset:v1/GoogleCloudAssetV1IdentityList": google_cloud_asset_v1_identity_list +"/cloudasset:v1/GoogleCloudAssetV1IdentityList/groupEdges": group_edges +"/cloudasset:v1/GoogleCloudAssetV1IdentityList/groupEdges/group_edge": group_edge +"/cloudasset:v1/GoogleCloudAssetV1IdentityList/identities": identities +"/cloudasset:v1/GoogleCloudAssetV1IdentityList/identities/identity": identity +"/cloudasset:v1/GoogleCloudAssetV1Resource": google_cloud_asset_v1_resource +"/cloudasset:v1/GoogleCloudAssetV1Resource/analysisState": analysis_state +"/cloudasset:v1/GoogleCloudAssetV1Resource/fullResourceName": full_resource_name "/cloudasset:v1/GoogleCloudOrgpolicyV1BooleanPolicy": google_cloud_orgpolicy_v1_boolean_policy "/cloudasset:v1/GoogleCloudOrgpolicyV1BooleanPolicy/enforced": enforced "/cloudasset:v1/GoogleCloudOrgpolicyV1ListPolicy": google_cloud_orgpolicy_v1_list_policy 
@@ -20384,11 +20429,39 @@ "/cloudasset:v1/GoogleIdentityAccesscontextmanagerV1VpcAccessibleServices/allowedServices": allowed_services "/cloudasset:v1/GoogleIdentityAccesscontextmanagerV1VpcAccessibleServices/allowedServices/allowed_service": allowed_service "/cloudasset:v1/GoogleIdentityAccesscontextmanagerV1VpcAccessibleServices/enableRestriction": enable_restriction +"/cloudasset:v1/IamPolicyAnalysis": iam_policy_analysis +"/cloudasset:v1/IamPolicyAnalysis/analysisQuery": analysis_query +"/cloudasset:v1/IamPolicyAnalysis/analysisResults": analysis_results +"/cloudasset:v1/IamPolicyAnalysis/analysisResults/analysis_result": analysis_result +"/cloudasset:v1/IamPolicyAnalysis/fullyExplored": fully_explored +"/cloudasset:v1/IamPolicyAnalysis/nonCriticalErrors": non_critical_errors +"/cloudasset:v1/IamPolicyAnalysis/nonCriticalErrors/non_critical_error": non_critical_error +"/cloudasset:v1/IamPolicyAnalysisOutputConfig": iam_policy_analysis_output_config +"/cloudasset:v1/IamPolicyAnalysisOutputConfig/bigqueryDestination": bigquery_destination +"/cloudasset:v1/IamPolicyAnalysisOutputConfig/gcsDestination": gcs_destination +"/cloudasset:v1/IamPolicyAnalysisQuery": iam_policy_analysis_query +"/cloudasset:v1/IamPolicyAnalysisQuery/accessSelector": access_selector +"/cloudasset:v1/IamPolicyAnalysisQuery/identitySelector": identity_selector +"/cloudasset:v1/IamPolicyAnalysisQuery/options": options +"/cloudasset:v1/IamPolicyAnalysisQuery/resourceSelector": resource_selector +"/cloudasset:v1/IamPolicyAnalysisQuery/scope": scope +"/cloudasset:v1/IamPolicyAnalysisResult": iam_policy_analysis_result +"/cloudasset:v1/IamPolicyAnalysisResult/accessControlLists": access_control_lists +"/cloudasset:v1/IamPolicyAnalysisResult/accessControlLists/access_control_list": access_control_list +"/cloudasset:v1/IamPolicyAnalysisResult/attachedResourceFullName": attached_resource_full_name +"/cloudasset:v1/IamPolicyAnalysisResult/fullyExplored": fully_explored 
+"/cloudasset:v1/IamPolicyAnalysisResult/iamBinding": iam_binding +"/cloudasset:v1/IamPolicyAnalysisResult/identityList": identity_list +"/cloudasset:v1/IamPolicyAnalysisState": iam_policy_analysis_state +"/cloudasset:v1/IamPolicyAnalysisState/cause": cause +"/cloudasset:v1/IamPolicyAnalysisState/code": code "/cloudasset:v1/IamPolicySearchResult": iam_policy_search_result "/cloudasset:v1/IamPolicySearchResult/explanation": explanation "/cloudasset:v1/IamPolicySearchResult/policy": policy "/cloudasset:v1/IamPolicySearchResult/project": project "/cloudasset:v1/IamPolicySearchResult/resource": resource +"/cloudasset:v1/IdentitySelector": identity_selector +"/cloudasset:v1/IdentitySelector/identity": identity "/cloudasset:v1/ListFeedsResponse": list_feeds_response "/cloudasset:v1/ListFeedsResponse/feeds": feeds "/cloudasset:v1/ListFeedsResponse/feeds/feed": feed @@ -20400,6 +20473,13 @@ "/cloudasset:v1/Operation/name": name "/cloudasset:v1/Operation/response": response "/cloudasset:v1/Operation/response/response": response +"/cloudasset:v1/Options": options +"/cloudasset:v1/Options/analyzeServiceAccountImpersonation": analyze_service_account_impersonation +"/cloudasset:v1/Options/expandGroups": expand_groups +"/cloudasset:v1/Options/expandResources": expand_resources +"/cloudasset:v1/Options/expandRoles": expand_roles +"/cloudasset:v1/Options/outputGroupEdges": output_group_edges +"/cloudasset:v1/Options/outputResourceEdges": output_resource_edges "/cloudasset:v1/OutputConfig": output_config "/cloudasset:v1/OutputConfig/bigqueryDestination": bigquery_destination "/cloudasset:v1/OutputConfig/gcsDestination": gcs_destination 
@@ -20439,6 +20519,8 @@ "/cloudasset:v1/ResourceSearchResult/networkTags": network_tags "/cloudasset:v1/ResourceSearchResult/networkTags/network_tag": network_tag "/cloudasset:v1/ResourceSearchResult/project": project +"/cloudasset:v1/ResourceSelector": resource_selector +"/cloudasset:v1/ResourceSelector/fullResourceName": full_resource_name "/cloudasset:v1/SearchAllIamPoliciesResponse": search_all_iam_policies_response "/cloudasset:v1/SearchAllIamPoliciesResponse/nextPageToken": next_page_token "/cloudasset:v1/SearchAllIamPoliciesResponse/results": results 
@@ -20465,6 +20547,20 @@ "/cloudasset:v1/UpdateFeedRequest": update_feed_request "/cloudasset:v1/UpdateFeedRequest/feed": feed "/cloudasset:v1/UpdateFeedRequest/updateMask": update_mask +"/cloudasset:v1/cloudasset.analyzeIamPolicy/analysisQuery.accessSelector.permissions": analysis_query_access_selector_permissions +"/cloudasset:v1/cloudasset.analyzeIamPolicy/analysisQuery.accessSelector.roles": analysis_query_access_selector_roles +"/cloudasset:v1/cloudasset.analyzeIamPolicy/analysisQuery.identitySelector.identity": analysis_query_identity_selector_identity +"/cloudasset:v1/cloudasset.analyzeIamPolicy/analysisQuery.options.analyzeServiceAccountImpersonation": analysis_query_options_analyze_service_account_impersonation +"/cloudasset:v1/cloudasset.analyzeIamPolicy/analysisQuery.options.expandGroups": analysis_query_options_expand_groups +"/cloudasset:v1/cloudasset.analyzeIamPolicy/analysisQuery.options.expandResources": analysis_query_options_expand_resources +"/cloudasset:v1/cloudasset.analyzeIamPolicy/analysisQuery.options.expandRoles": analysis_query_options_expand_roles +"/cloudasset:v1/cloudasset.analyzeIamPolicy/analysisQuery.options.outputGroupEdges": analysis_query_options_output_group_edges +"/cloudasset:v1/cloudasset.analyzeIamPolicy/analysisQuery.options.outputResourceEdges": analysis_query_options_output_resource_edges +"/cloudasset:v1/cloudasset.analyzeIamPolicy/analysisQuery.resourceSelector.fullResourceName": analysis_query_resource_selector_full_resource_name +"/cloudasset:v1/cloudasset.analyzeIamPolicy/executionTimeout": execution_timeout +"/cloudasset:v1/cloudasset.analyzeIamPolicy/scope": scope +"/cloudasset:v1/cloudasset.analyzeIamPolicyLongrunning": analyze_iam_policy_longrunning +"/cloudasset:v1/cloudasset.analyzeIamPolicyLongrunning/scope": scope "/cloudasset:v1/cloudasset.batchGetAssetsHistory/assetNames": asset_names "/cloudasset:v1/cloudasset.batchGetAssetsHistory/contentType": content_type 
"/cloudasset:v1/cloudasset.batchGetAssetsHistory/parent": parent diff --git a/generated/google/apis/cloudasset_v1.rb b/generated/google/apis/cloudasset_v1.rb index c53e3396a..4a4eb7cf3 100644 --- a/generated/google/apis/cloudasset_v1.rb +++ b/generated/google/apis/cloudasset_v1.rb @@ -25,7 +25,7 @@ module Google # @see https://cloud.google.com/asset-inventory/docs/quickstart module CloudassetV1 VERSION = 'V1' - REVISION = '20200911' + REVISION = '20201023' # View and manage your data across Google Cloud Platform services AUTH_CLOUD_PLATFORM = 'https://www.googleapis.com/auth/cloud-platform' diff --git a/generated/google/apis/cloudasset_v1/classes.rb b/generated/google/apis/cloudasset_v1/classes.rb index 1959e7f12..e6413717d 100644 --- a/generated/google/apis/cloudasset_v1/classes.rb +++ b/generated/google/apis/cloudasset_v1/classes.rb 
@@ -22,6 +22,94 @@ module Google module Apis module CloudassetV1 + # Specifies roles and/or permissions to analyze, to determine both the + # identities possessing them and the resources they control. If multiple values + # are specified, results will include roles or permissions matching any of them. + # The total number of roles and permissions should be equal or less than 10. + class AccessSelector + include Google::Apis::Core::Hashable + + # Optional. The permissions to appear in result. + # Corresponds to the JSON property `permissions` + # @return [Array] + attr_accessor :permissions + + # Optional. The roles to appear in result. + # Corresponds to the JSON property `roles` + # @return [Array] + attr_accessor :roles + + def initialize(**args) + update!(**args) + end + + # Update properties of this object + def update!(**args) + @permissions = args[:permissions] if args.key?(:permissions) + @roles = args[:roles] if args.key?(:roles) + end + end + + # A request message for AssetService.AnalyzeIamPolicyLongrunning. + class AnalyzeIamPolicyLongrunningRequest + include Google::Apis::Core::Hashable + + # IAM policy analysis query message. + # Corresponds to the JSON property `analysisQuery` + # @return [Google::Apis::CloudassetV1::IamPolicyAnalysisQuery] + attr_accessor :analysis_query + + # Output configuration for export IAM policy analysis destination. + # Corresponds to the JSON property `outputConfig` + # @return [Google::Apis::CloudassetV1::IamPolicyAnalysisOutputConfig] + attr_accessor :output_config + + def initialize(**args) + update!(**args) + end + + # Update properties of this object + def update!(**args) + @analysis_query = args[:analysis_query] if args.key?(:analysis_query) + @output_config = args[:output_config] if args.key?(:output_config) + end + end + + # A response message for AssetService.AnalyzeIamPolicy. 
+ class AnalyzeIamPolicyResponse + include Google::Apis::Core::Hashable + + # Represents whether all entries in the main_analysis and + # service_account_impersonation_analysis have been fully explored to answer the + # query in the request. + # Corresponds to the JSON property `fullyExplored` + # @return [Boolean] + attr_accessor :fully_explored + alias_method :fully_explored?, :fully_explored + + # An analysis message to group the query and results. + # Corresponds to the JSON property `mainAnalysis` + # @return [Google::Apis::CloudassetV1::IamPolicyAnalysis] + attr_accessor :main_analysis + + # The service account impersonation analysis if AnalyzeIamPolicyRequest. + # analyze_service_account_impersonation is enabled. + # Corresponds to the JSON property `serviceAccountImpersonationAnalysis` + # @return [Array] + attr_accessor :service_account_impersonation_analysis + + def initialize(**args) + update!(**args) + end + + # Update properties of this object + def update!(**args) + @fully_explored = args[:fully_explored] if args.key?(:fully_explored) + @main_analysis = args[:main_analysis] if args.key?(:main_analysis) + @service_account_impersonation_analysis = args[:service_account_impersonation_analysis] if args.key?(:service_account_impersonation_analysis) + end + end + # An asset in Google Cloud. An asset can be any resource in the Google Cloud [ # resource hierarchy](https://cloud.google.com/resource-manager/docs/cloud- # platform-resource-hierarchy), a resource outside the Google Cloud resource 
@@ -697,6 +785,273 @@ module Google end end + # An IAM role or permission under analysis. + class GoogleCloudAssetV1Access + include Google::Apis::Core::Hashable + + # Represents the detailed state of an entity under analysis, such as a resource, + # an identity or an access. + # Corresponds to the JSON property `analysisState` + # @return [Google::Apis::CloudassetV1::IamPolicyAnalysisState] + attr_accessor :analysis_state + + # The permission. + # Corresponds to the JSON property `permission` + # @return [String] + attr_accessor :permission + + # The role. + # Corresponds to the JSON property `role` + # @return [String] + attr_accessor :role + + def initialize(**args) + update!(**args) + end + + # Update properties of this object + def update!(**args) + @analysis_state = args[:analysis_state] if args.key?(:analysis_state) + @permission = args[:permission] if args.key?(:permission) + @role = args[:role] if args.key?(:role) + end + end + + # An access control list, derived from the above IAM policy binding, which + # contains a set of resources and accesses. May include one item from each set + # to compose an access control entry. NOTICE that there could be multiple access + # control lists for one IAM policy binding. The access control lists are created + # based on resource and access combinations. For example, assume we have the + # following cases in one IAM policy binding: - Permission P1 and P2 apply to + # resource R1 and R2; - Permission P3 applies to resource R2 and R3; This will + # result in the following access control lists: - AccessControlList 1: [R1, R2], + # [P1, P2] - AccessControlList 2: [R2, R3], [P3] + class GoogleCloudAssetV1AccessControlList + include Google::Apis::Core::Hashable + + # The accesses that match one of the following conditions: - The access_selector, + # if it is specified in request; - Otherwise, access specifiers reachable from + # the policy binding's role. 
+ # Corresponds to the JSON property `accesses` + # @return [Array] + attr_accessor :accesses + + # Resource edges of the graph starting from the policy attached resource to any + # descendant resources. The Edge.source_node contains the full resource name of + # a parent resource and Edge.target_node contains the full resource name of a + # child resource. This field is present only if the output_resource_edges option + # is enabled in request. + # Corresponds to the JSON property `resourceEdges` + # @return [Array] + attr_accessor :resource_edges + + # The resources that match one of the following conditions: - The + # resource_selector, if it is specified in request; - Otherwise, resources + # reachable from the policy attached resource. + # Corresponds to the JSON property `resources` + # @return [Array] + attr_accessor :resources + + def initialize(**args) + update!(**args) + end + + # Update properties of this object + def update!(**args) + @accesses = args[:accesses] if args.key?(:accesses) + @resource_edges = args[:resource_edges] if args.key?(:resource_edges) + @resources = args[:resources] if args.key?(:resources) + end + end + + # A BigQuery destination. + class GoogleCloudAssetV1BigQueryDestination + include Google::Apis::Core::Hashable + + # Required. The BigQuery dataset in format "projects/projectId/datasets/ + # datasetId", to which the analysis results should be exported. If this dataset + # does not exist, the export call will return an INVALID_ARGUMENT error. + # Corresponds to the JSON property `dataset` + # @return [String] + attr_accessor :dataset + + # The partition key for BigQuery partitioned table. + # Corresponds to the JSON property `partitionKey` + # @return [String] + attr_accessor :partition_key + + # Required. The prefix of the BigQuery tables to which the analysis results will + # be written. Tables will be created based on this table_prefix if not exist: * + # _analysis table will contain export operation's metadata. 
* _analysis_result + # will contain all the IamPolicyAnalysisResult. When [partition_key] is + # specified, both tables will be partitioned based on the [partition_key]. + # Corresponds to the JSON property `tablePrefix` + # @return [String] + attr_accessor :table_prefix + + # Optional. Specifies the action that occurs if the destination table or + # partition already exists. The following values are supported: * WRITE_TRUNCATE: + # If the table or partition already exists, BigQuery overwrites the entire + # table or all the partitions data. * WRITE_APPEND: If the table or partition + # already exists, BigQuery appends the data to the table or the latest partition. + # * WRITE_EMPTY: If the table already exists and contains data, an error is + # returned. The default value is WRITE_APPEND. Each action is atomic and only + # occurs if BigQuery is able to complete the job successfully. Details are at + # https://cloud.google.com/bigquery/docs/loading-data-local# + # appending_to_or_overwriting_a_table_using_a_local_file. + # Corresponds to the JSON property `writeDisposition` + # @return [String] + attr_accessor :write_disposition + + def initialize(**args) + update!(**args) + end + + # Update properties of this object + def update!(**args) + @dataset = args[:dataset] if args.key?(:dataset) + @partition_key = args[:partition_key] if args.key?(:partition_key) + @table_prefix = args[:table_prefix] if args.key?(:table_prefix) + @write_disposition = args[:write_disposition] if args.key?(:write_disposition) + end + end + + # A directional edge. + class GoogleCloudAssetV1Edge + include Google::Apis::Core::Hashable + + # The source node of the edge. For example, it could be a full resource name for + # a resource node or an email of an identity. + # Corresponds to the JSON property `sourceNode` + # @return [String] + attr_accessor :source_node + + # The target node of the edge. For example, it could be a full resource name for + # a resource node or an email of an identity. 
+ # Corresponds to the JSON property `targetNode` + # @return [String] + attr_accessor :target_node + + def initialize(**args) + update!(**args) + end + + # Update properties of this object + def update!(**args) + @source_node = args[:source_node] if args.key?(:source_node) + @target_node = args[:target_node] if args.key?(:target_node) + end + end + + # A Cloud Storage location. + class GoogleCloudAssetV1GcsDestination + include Google::Apis::Core::Hashable + + # Required. The uri of the Cloud Storage object. It's the same uri that is used + # by gsutil. For example: "gs://bucket_name/object_name". See [Quickstart: Using + # the gsutil tool] (https://cloud.google.com/storage/docs/quickstart-gsutil) for + # examples. + # Corresponds to the JSON property `uri` + # @return [String] + attr_accessor :uri + + def initialize(**args) + update!(**args) + end + + # Update properties of this object + def update!(**args) + @uri = args[:uri] if args.key?(:uri) + end + end + + # An identity under analysis. + class GoogleCloudAssetV1Identity + include Google::Apis::Core::Hashable + + # Represents the detailed state of an entity under analysis, such as a resource, + # an identity or an access. + # Corresponds to the JSON property `analysisState` + # @return [Google::Apis::CloudassetV1::IamPolicyAnalysisState] + attr_accessor :analysis_state + + # The identity name in any form of members appear in [IAM policy binding](https:/ + # /cloud.google.com/iam/reference/rest/v1/Binding), such as: - user:foo@google. + # com - group:group1@google.com - serviceAccount:s1@prj1.iam.gserviceaccount.com + # - projectOwner:some_project_id - domain:google.com - allUsers - etc. 
+ # Corresponds to the JSON property `name` + # @return [String] + attr_accessor :name + + def initialize(**args) + update!(**args) + end + + # Update properties of this object + def update!(**args) + @analysis_state = args[:analysis_state] if args.key?(:analysis_state) + @name = args[:name] if args.key?(:name) + end + end + + # The identities and group edges. + class GoogleCloudAssetV1IdentityList + include Google::Apis::Core::Hashable + + # Group identity edges of the graph starting from the binding's group members to + # any node of the identities. The Edge.source_node contains a group, such as ` + # group:parent@google.com`. The Edge.target_node contains a member of the group, + # such as `group:child@google.com` or `user:foo@google.com`. This field is + # present only if the output_group_edges option is enabled in request. + # Corresponds to the JSON property `groupEdges` + # @return [Array] + attr_accessor :group_edges + + # Only the identities that match one of the following conditions will be + # presented: - The identity_selector, if it is specified in request; - Otherwise, + # identities reachable from the policy binding's members. + # Corresponds to the JSON property `identities` + # @return [Array] + attr_accessor :identities + + def initialize(**args) + update!(**args) + end + + # Update properties of this object + def update!(**args) + @group_edges = args[:group_edges] if args.key?(:group_edges) + @identities = args[:identities] if args.key?(:identities) + end + end + + # A Google Cloud resource under analysis. + class GoogleCloudAssetV1Resource + include Google::Apis::Core::Hashable + + # Represents the detailed state of an entity under analysis, such as a resource, + # an identity or an access. 
+ # Corresponds to the JSON property `analysisState` + # @return [Google::Apis::CloudassetV1::IamPolicyAnalysisState] + attr_accessor :analysis_state + + # The [full resource name](https://cloud.google.com/asset-inventory/docs/ + # resource-name-format) + # Corresponds to the JSON property `fullResourceName` + # @return [String] + attr_accessor :full_resource_name + + def initialize(**args) + update!(**args) + end + + # Update properties of this object + def update!(**args) + @analysis_state = args[:analysis_state] if args.key?(:analysis_state) + @full_resource_name = args[:full_resource_name] if args.key?(:full_resource_name) + end + end + # Used in `policy_type` to specify how `boolean_policy` will behave at this # resource. class GoogleCloudOrgpolicyV1BooleanPolicy 
@@ -1464,6 +1819,206 @@ module Google end end + # An analysis message to group the query and results. + class IamPolicyAnalysis + include Google::Apis::Core::Hashable + + # IAM policy analysis query message. + # Corresponds to the JSON property `analysisQuery` + # @return [Google::Apis::CloudassetV1::IamPolicyAnalysisQuery] + attr_accessor :analysis_query + + # A list of IamPolicyAnalysisResult that matches the analysis query, or empty if + # no result is found. + # Corresponds to the JSON property `analysisResults` + # @return [Array] + attr_accessor :analysis_results + + # Represents whether all entries in the analysis_results have been fully + # explored to answer the query. + # Corresponds to the JSON property `fullyExplored` + # @return [Boolean] + attr_accessor :fully_explored + alias_method :fully_explored?, :fully_explored + + # A list of non-critical errors happened during the query handling. + # Corresponds to the JSON property `nonCriticalErrors` + # @return [Array] + attr_accessor :non_critical_errors + + def initialize(**args) + update!(**args) + end + + # Update properties of this object + def update!(**args) + @analysis_query = args[:analysis_query] if args.key?(:analysis_query) + @analysis_results = args[:analysis_results] if args.key?(:analysis_results) + @fully_explored = args[:fully_explored] if args.key?(:fully_explored) + @non_critical_errors = args[:non_critical_errors] if args.key?(:non_critical_errors) + end + end + + # Output configuration for export IAM policy analysis destination. + class IamPolicyAnalysisOutputConfig + include Google::Apis::Core::Hashable + + # A BigQuery destination. + # Corresponds to the JSON property `bigqueryDestination` + # @return [Google::Apis::CloudassetV1::GoogleCloudAssetV1BigQueryDestination] + attr_accessor :bigquery_destination + + # A Cloud Storage location. 
+ # Corresponds to the JSON property `gcsDestination` + # @return [Google::Apis::CloudassetV1::GoogleCloudAssetV1GcsDestination] + attr_accessor :gcs_destination + + def initialize(**args) + update!(**args) + end + + # Update properties of this object + def update!(**args) + @bigquery_destination = args[:bigquery_destination] if args.key?(:bigquery_destination) + @gcs_destination = args[:gcs_destination] if args.key?(:gcs_destination) + end + end + + # IAM policy analysis query message. + class IamPolicyAnalysisQuery + include Google::Apis::Core::Hashable + + # Specifies roles and/or permissions to analyze, to determine both the + # identities possessing them and the resources they control. If multiple values + # are specified, results will include roles or permissions matching any of them. + # The total number of roles and permissions should be equal or less than 10. + # Corresponds to the JSON property `accessSelector` + # @return [Google::Apis::CloudassetV1::AccessSelector] + attr_accessor :access_selector + + # Specifies an identity for which to determine resource access, based on roles + # assigned either directly to them or to the groups they belong to, directly or + # indirectly. + # Corresponds to the JSON property `identitySelector` + # @return [Google::Apis::CloudassetV1::IdentitySelector] + attr_accessor :identity_selector + + # Contains query options. + # Corresponds to the JSON property `options` + # @return [Google::Apis::CloudassetV1::Options] + attr_accessor :options + + # Specifies the resource to analyze for access policies, which may be set + # directly on the resource, or on ancestors such as organizations, folders or + # projects. + # Corresponds to the JSON property `resourceSelector` + # @return [Google::Apis::CloudassetV1::ResourceSelector] + attr_accessor :resource_selector + + # Required. The relative name of the root asset. Only resources and IAM policies + # within the scope will be analyzed. 
This can only be an organization number ( + # such as "organizations/123"), a folder number (such as "folders/123"), a + # project ID (such as "projects/my-project-id"), or a project number (such as " + # projects/12345"). To know how to get organization id, visit [here ](https:// + # cloud.google.com/resource-manager/docs/creating-managing-organization# + # retrieving_your_organization_id). To know how to get folder or project id, + # visit [here ](https://cloud.google.com/resource-manager/docs/creating-managing- + # folders#viewing_or_listing_folders_and_projects). + # Corresponds to the JSON property `scope` + # @return [String] + attr_accessor :scope + + def initialize(**args) + update!(**args) + end + + # Update properties of this object + def update!(**args) + @access_selector = args[:access_selector] if args.key?(:access_selector) + @identity_selector = args[:identity_selector] if args.key?(:identity_selector) + @options = args[:options] if args.key?(:options) + @resource_selector = args[:resource_selector] if args.key?(:resource_selector) + @scope = args[:scope] if args.key?(:scope) + end + end + + # IAM Policy analysis result, consisting of one IAM policy binding and derived + # access control lists. + class IamPolicyAnalysisResult + include Google::Apis::Core::Hashable + + # The access control lists derived from the iam_binding that match or + # potentially match resource and access selectors specified in the request. + # Corresponds to the JSON property `accessControlLists` + # @return [Array] + attr_accessor :access_control_lists + + # The [full resource name](https://cloud.google.com/asset-inventory/docs/ + # resource-name-format) of the resource to which the iam_binding policy attaches. + # Corresponds to the JSON property `attachedResourceFullName` + # @return [String] + attr_accessor :attached_resource_full_name + + # Represents whether all analyses on the iam_binding have successfully finished. 
+ # Corresponds to the JSON property `fullyExplored` + # @return [Boolean] + attr_accessor :fully_explored + alias_method :fully_explored?, :fully_explored + + # Associates `members` with a `role`. + # Corresponds to the JSON property `iamBinding` + # @return [Google::Apis::CloudassetV1::Binding] + attr_accessor :iam_binding + + # The identities and group edges. + # Corresponds to the JSON property `identityList` + # @return [Google::Apis::CloudassetV1::GoogleCloudAssetV1IdentityList] + attr_accessor :identity_list + + def initialize(**args) + update!(**args) + end + + # Update properties of this object + def update!(**args) + @access_control_lists = args[:access_control_lists] if args.key?(:access_control_lists) + @attached_resource_full_name = args[:attached_resource_full_name] if args.key?(:attached_resource_full_name) + @fully_explored = args[:fully_explored] if args.key?(:fully_explored) + @iam_binding = args[:iam_binding] if args.key?(:iam_binding) + @identity_list = args[:identity_list] if args.key?(:identity_list) + end + end + + # Represents the detailed state of an entity under analysis, such as a resource, + # an identity or an access. + class IamPolicyAnalysisState + include Google::Apis::Core::Hashable + + # The human-readable description of the cause of failure. + # Corresponds to the JSON property `cause` + # @return [String] + attr_accessor :cause + + # The Google standard error code that best describes the state. 
For example: - + # OK means the analysis on this entity has been successfully finished; - + # PERMISSION_DENIED means an access denied error is encountered; - + # DEADLINE_EXCEEDED means the analysis on this entity hasn't been started in + # time; + # Corresponds to the JSON property `code` + # @return [String] + attr_accessor :code + + def initialize(**args) + update!(**args) + end + + # Update properties of this object + def update!(**args) + @cause = args[:cause] if args.key?(:cause) + @code = args[:code] if args.key?(:code) + end + end + # A result of IAM Policy search, containing information of an IAM policy. class IamPolicySearchResult include Google::Apis::Core::Hashable @@ -1537,6 +2092,32 @@ module Google end end + # Specifies an identity for which to determine resource access, based on roles + # assigned either directly to them or to the groups they belong to, directly or + # indirectly. + class IdentitySelector + include Google::Apis::Core::Hashable + + # Required. The identity appear in the form of members in [IAM policy binding]( + # https://cloud.google.com/iam/reference/rest/v1/Binding). The examples of + # supported forms are: "user:mike@example.com", "group:admins@example.com", " + # domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com". + # Notice that wildcard characters (such as * and ?) are not supported. You must + # give a specific identity. + # Corresponds to the JSON property `identity` + # @return [String] + attr_accessor :identity + + def initialize(**args) + update!(**args) + end + + # Update properties of this object + def update!(**args) + @identity = args[:identity] if args.key?(:identity) + end + end + # class ListFeedsResponse include Google::Apis::Core::Hashable 
@@ -1618,6 +2199,98 @@ module Google
 end
 end
+ # Contains query options.
+ class Options
+ include Google::Apis::Core::Hashable
+
+ # Optional. If true, the response will include access analysis from identities
+ # to resources via service account impersonation. This is a very expensive
+ # operation, because many derived queries will be executed. We highly recommend
+ # you use AssetService.AnalyzeIamPolicyLongrunning rpc instead. For example, if
+ # the request analyzes for which resources user A has permission P, and there's
+ # an IAM policy states user A has iam.serviceAccounts.getAccessToken permission
+ # to a service account SA, and there's another IAM policy states service account
+ # SA has permission P to a GCP folder F, then user A potentially has access to
+ # the GCP folder F. And those advanced analysis results will be included in
+ # AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Another
+ # example, if the request analyzes for who has permission P to a GCP folder F,
+ # and there's an IAM policy states user A has iam.serviceAccounts.actAs
+ # permission to a service account SA, and there's another IAM policy states
+ # service account SA has permission P to the GCP folder F, then user A
+ # potentially has access to the GCP folder F. And those advanced analysis
+ # results will be included in AnalyzeIamPolicyResponse.
+ # service_account_impersonation_analysis. Default is false.
+ # Corresponds to the JSON property `analyzeServiceAccountImpersonation`
+ # @return [Boolean]
+ attr_accessor :analyze_service_account_impersonation
+ alias_method :analyze_service_account_impersonation?, :analyze_service_account_impersonation
+
+ # Optional. If true, the identities section of the result will expand any Google
+ # groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.
+ # identity_selector is specified, the identity in the result will be determined
+ # by the selector, and this flag is not allowed to set. Default is false.
+ # Corresponds to the JSON property `expandGroups`
+ # @return [Boolean]
+ attr_accessor :expand_groups
+ alias_method :expand_groups?, :expand_groups
+
+ # Optional. If true and IamPolicyAnalysisQuery.resource_selector is not
+ # specified, the resource section of the result will expand any resource
+ # attached to an IAM policy to include resources lower in the resource hierarchy.
+ # For example, if the request analyzes for which resources user A has
+ # permission P, and the results include an IAM policy with P on a GCP folder,
+ # the results will also include resources in that folder with permission P. If
+ # true and IamPolicyAnalysisQuery.resource_selector is specified, the resource
+ # section of the result will expand the specified resource to include resources
+ # lower in the resource hierarchy. Only project or lower resources are supported.
+ # Folder and organization resource cannot be used together with this option.
+ # For example, if the request analyzes for which users have permission P on a
+ # GCP project with this option enabled, the results will include all users who
+ # have permission P on that project or any lower resource. Default is false.
+ # Corresponds to the JSON property `expandResources`
+ # @return [Boolean]
+ attr_accessor :expand_resources
+ alias_method :expand_resources?, :expand_resources
+
+ # Optional. If true, the access section of result will expand any roles
+ # appearing in IAM policy bindings to include their permissions. If
+ # IamPolicyAnalysisQuery.access_selector is specified, the access section of the
+ # result will be determined by the selector, and this flag is not allowed to set.
+ # Default is false.
+ # Corresponds to the JSON property `expandRoles`
+ # @return [Boolean]
+ attr_accessor :expand_roles
+ alias_method :expand_roles?, :expand_roles
+
+ # Optional. If true, the result will output group identity edges, starting from
+ # the binding's group members, to any expanded identities. Default is false.
+ # Corresponds to the JSON property `outputGroupEdges`
+ # @return [Boolean]
+ attr_accessor :output_group_edges
+ alias_method :output_group_edges?, :output_group_edges
+
+ # Optional. If true, the result will output resource edges, starting from the
+ # policy attached resource, to any expanded resources. Default is false.
+ # Corresponds to the JSON property `outputResourceEdges`
+ # @return [Boolean]
+ attr_accessor :output_resource_edges
+ alias_method :output_resource_edges?, :output_resource_edges
+
+ def initialize(**args)
+ update!(**args)
+ end
+
+ # Update properties of this object
+ def update!(**args)
+ @analyze_service_account_impersonation = args[:analyze_service_account_impersonation] if args.key?(:analyze_service_account_impersonation)
+ @expand_groups = args[:expand_groups] if args.key?(:expand_groups)
+ @expand_resources = args[:expand_resources] if args.key?(:expand_resources)
+ @expand_roles = args[:expand_roles] if args.key?(:expand_roles)
+ @output_group_edges = args[:output_group_edges] if args.key?(:output_group_edges)
+ @output_resource_edges = args[:output_resource_edges] if args.key?(:output_resource_edges)
+ end
+ end
+
 # Output configuration for export assets destination.
 class OutputConfig
 include Google::Apis::Core::Hashable
@@ -1968,6 +2641,30 @@ module Google
 end
 end
+ # Specifies the resource to analyze for access policies, which may be set
+ # directly on the resource, or on ancestors such as organizations, folders or
+ # projects.
+ class ResourceSelector
+ include Google::Apis::Core::Hashable
+
+ # Required. The [full resource name] (https://cloud.google.com/asset-inventory/
+ # docs/resource-name-format) of a resource of [supported resource types](https://
+ # cloud.google.com/asset-inventory/docs/supported-asset-types#
+ # analyzable_asset_types).
+ # Corresponds to the JSON property `fullResourceName`
+ # @return [String]
+ attr_accessor :full_resource_name
+
+ def initialize(**args)
+ update!(**args)
+ end
+
+ # Update properties of this object
+ def update!(**args)
+ @full_resource_name = args[:full_resource_name] if args.key?(:full_resource_name)
+ end
+ end
+
 # Search all IAM policies response.
 class SearchAllIamPoliciesResponse
 include Google::Apis::Core::Hashable
diff --git a/generated/google/apis/cloudasset_v1/representations.rb b/generated/google/apis/cloudasset_v1/representations.rb
index f5521a3ff..59d5329ff 100644
--- a/generated/google/apis/cloudasset_v1/representations.rb
+++ b/generated/google/apis/cloudasset_v1/representations.rb
@@ -22,6 +22,24 @@ module Google
 module Apis
 module CloudassetV1
+ class AccessSelector
+ class Representation < Google::Apis::Core::JsonRepresentation; end
+
+ include Google::Apis::Core::JsonObjectSupport
+ end
+
+ class AnalyzeIamPolicyLongrunningRequest
+ class Representation < Google::Apis::Core::JsonRepresentation; end
+
+ include Google::Apis::Core::JsonObjectSupport
+ end
+
+ class AnalyzeIamPolicyResponse
+ class Representation < Google::Apis::Core::JsonRepresentation; end
+
+ include Google::Apis::Core::JsonObjectSupport
+ end
+
 class Asset
 class Representation < Google::Apis::Core::JsonRepresentation; end
@@ -106,6 +124,54 @@ module Google
 include Google::Apis::Core::JsonObjectSupport
 end
+ class GoogleCloudAssetV1Access
+ class Representation < Google::Apis::Core::JsonRepresentation; end
+
+ include Google::Apis::Core::JsonObjectSupport
+ end
+
+ class GoogleCloudAssetV1AccessControlList
+ class Representation < Google::Apis::Core::JsonRepresentation; end
+
+ include Google::Apis::Core::JsonObjectSupport
+ end
+
+ class GoogleCloudAssetV1BigQueryDestination
+ class Representation < Google::Apis::Core::JsonRepresentation; end
+
+ include Google::Apis::Core::JsonObjectSupport
+ end
+
+ class GoogleCloudAssetV1Edge
+ class Representation < Google::Apis::Core::JsonRepresentation; end
+
+ include Google::Apis::Core::JsonObjectSupport
+ end
+
+ class GoogleCloudAssetV1GcsDestination
+ class Representation < Google::Apis::Core::JsonRepresentation; end
+
+ include Google::Apis::Core::JsonObjectSupport
+ end
+
+ class GoogleCloudAssetV1Identity
+ class Representation < Google::Apis::Core::JsonRepresentation; end
+
+ include Google::Apis::Core::JsonObjectSupport
+ end
+
+ class GoogleCloudAssetV1IdentityList
+ class Representation < Google::Apis::Core::JsonRepresentation; end
+
+ include Google::Apis::Core::JsonObjectSupport
+ end
+
+ class GoogleCloudAssetV1Resource
+ class Representation < Google::Apis::Core::JsonRepresentation; end
+
+ include Google::Apis::Core::JsonObjectSupport
+ end
+
 class GoogleCloudOrgpolicyV1BooleanPolicy
 class Representation < Google::Apis::Core::JsonRepresentation; end
@@ -190,12 +256,48 @@ module Google
 include Google::Apis::Core::JsonObjectSupport
 end
+ class IamPolicyAnalysis
+ class Representation < Google::Apis::Core::JsonRepresentation; end
+
+ include Google::Apis::Core::JsonObjectSupport
+ end
+
+ class IamPolicyAnalysisOutputConfig
+ class Representation < Google::Apis::Core::JsonRepresentation; end
+
+ include Google::Apis::Core::JsonObjectSupport
+ end
+
+ class IamPolicyAnalysisQuery
+ class Representation < Google::Apis::Core::JsonRepresentation; end
+
+ include Google::Apis::Core::JsonObjectSupport
+ end
+
+ class IamPolicyAnalysisResult
+ class Representation < Google::Apis::Core::JsonRepresentation; end
+
+ include Google::Apis::Core::JsonObjectSupport
+ end
+
+ class IamPolicyAnalysisState
+ class Representation < Google::Apis::Core::JsonRepresentation; end
+
+ include Google::Apis::Core::JsonObjectSupport
+ end
+
 class IamPolicySearchResult
 class Representation < Google::Apis::Core::JsonRepresentation; end
 include Google::Apis::Core::JsonObjectSupport
 end
+ class IdentitySelector
+ class Representation < Google::Apis::Core::JsonRepresentation; end
+
+ include Google::Apis::Core::JsonObjectSupport
+ end
+
 class ListFeedsResponse
 class Representation < Google::Apis::Core::JsonRepresentation; end
@@ -208,6 +310,12 @@ module Google
 include Google::Apis::Core::JsonObjectSupport
 end
+ class Options
+ class Representation < Google::Apis::Core::JsonRepresentation; end
+
+ include Google::Apis::Core::JsonObjectSupport
+ end
+
 class OutputConfig
 class Representation < Google::Apis::Core::JsonRepresentation; end
@@ -250,6 +358,12 @@ module Google
 include Google::Apis::Core::JsonObjectSupport
 end
+ class ResourceSelector
+ class Representation < Google::Apis::Core::JsonRepresentation; end
+
+ include Google::Apis::Core::JsonObjectSupport
+ end
+
 class SearchAllIamPoliciesResponse
 class Representation < Google::Apis::Core::JsonRepresentation; end
@@ -286,6 +400,35 @@ module Google
 include Google::Apis::Core::JsonObjectSupport
 end
+ class AccessSelector
+ # @private
+ class Representation < Google::Apis::Core::JsonRepresentation
+ collection :permissions, as: 'permissions'
+ collection :roles, as: 'roles'
+ end
+ end
+
+ class AnalyzeIamPolicyLongrunningRequest
+ # @private
+ class Representation < Google::Apis::Core::JsonRepresentation
+ property :analysis_query, as: 'analysisQuery', class: Google::Apis::CloudassetV1::IamPolicyAnalysisQuery, decorator: Google::Apis::CloudassetV1::IamPolicyAnalysisQuery::Representation
+
+ property :output_config, as: 'outputConfig', class: Google::Apis::CloudassetV1::IamPolicyAnalysisOutputConfig, decorator: Google::Apis::CloudassetV1::IamPolicyAnalysisOutputConfig::Representation
+
+ end
+ end
+
+ class AnalyzeIamPolicyResponse
+ # @private
+ class Representation < Google::Apis::Core::JsonRepresentation
+ property :fully_explored, as: 'fullyExplored'
+ property :main_analysis, as: 'mainAnalysis', class: Google::Apis::CloudassetV1::IamPolicyAnalysis, decorator: Google::Apis::CloudassetV1::IamPolicyAnalysis::Representation
+
+ collection :service_account_impersonation_analysis, as: 'serviceAccountImpersonationAnalysis', class: Google::Apis::CloudassetV1::IamPolicyAnalysis, decorator: Google::Apis::CloudassetV1::IamPolicyAnalysis::Representation
+
+ end
+ end
+
 class Asset
 # @private
 class Representation < Google::Apis::Core::JsonRepresentation
@@ -429,6 +572,81 @@ module Google
 end
 end
+ class GoogleCloudAssetV1Access
+ # @private
+ class Representation < Google::Apis::Core::JsonRepresentation
+ property :analysis_state, as: 'analysisState', class: Google::Apis::CloudassetV1::IamPolicyAnalysisState, decorator: Google::Apis::CloudassetV1::IamPolicyAnalysisState::Representation
+
+ property :permission, as: 'permission'
+ property :role, as: 'role'
+ end
+ end
+
+ class GoogleCloudAssetV1AccessControlList
+ # @private
+ class Representation < Google::Apis::Core::JsonRepresentation
+ collection :accesses, as: 'accesses', class: Google::Apis::CloudassetV1::GoogleCloudAssetV1Access, decorator: Google::Apis::CloudassetV1::GoogleCloudAssetV1Access::Representation
+
+ collection :resource_edges, as: 'resourceEdges', class: Google::Apis::CloudassetV1::GoogleCloudAssetV1Edge, decorator: Google::Apis::CloudassetV1::GoogleCloudAssetV1Edge::Representation
+
+ collection :resources, as: 'resources', class: Google::Apis::CloudassetV1::GoogleCloudAssetV1Resource, decorator: Google::Apis::CloudassetV1::GoogleCloudAssetV1Resource::Representation
+
+ end
+ end
+
+ class GoogleCloudAssetV1BigQueryDestination
+ # @private
+ class Representation < Google::Apis::Core::JsonRepresentation
+ property :dataset, as: 'dataset'
+ property :partition_key, as: 'partitionKey'
+ property :table_prefix, as: 'tablePrefix'
+ property :write_disposition, as: 'writeDisposition'
+ end
+ end
+
+ class GoogleCloudAssetV1Edge
+ # @private
+ class Representation < Google::Apis::Core::JsonRepresentation
+ property :source_node, as: 'sourceNode'
+ property :target_node, as: 'targetNode'
+ end
+ end
+
+ class GoogleCloudAssetV1GcsDestination
+ # @private
+ class Representation < Google::Apis::Core::JsonRepresentation
+ property :uri, as: 'uri'
+ end
+ end
+
+ class GoogleCloudAssetV1Identity
+ # @private
+ class Representation < Google::Apis::Core::JsonRepresentation
+ property :analysis_state, as: 'analysisState', class: Google::Apis::CloudassetV1::IamPolicyAnalysisState, decorator: Google::Apis::CloudassetV1::IamPolicyAnalysisState::Representation
+
+ property :name, as: 'name'
+ end
+ end
+
+ class GoogleCloudAssetV1IdentityList
+ # @private
+ class Representation < Google::Apis::Core::JsonRepresentation
+ collection :group_edges, as: 'groupEdges', class: Google::Apis::CloudassetV1::GoogleCloudAssetV1Edge, decorator: Google::Apis::CloudassetV1::GoogleCloudAssetV1Edge::Representation
+
+ collection :identities, as: 'identities', class: Google::Apis::CloudassetV1::GoogleCloudAssetV1Identity, decorator: Google::Apis::CloudassetV1::GoogleCloudAssetV1Identity::Representation
+
+ end
+ end
+
+ class GoogleCloudAssetV1Resource
+ # @private
+ class Representation < Google::Apis::Core::JsonRepresentation
+ property :analysis_state, as: 'analysisState', class: Google::Apis::CloudassetV1::IamPolicyAnalysisState, decorator: Google::Apis::CloudassetV1::IamPolicyAnalysisState::Representation
+
+ property :full_resource_name, as: 'fullResourceName'
+ end
+ end
+
 class GoogleCloudOrgpolicyV1BooleanPolicy
 # @private
 class Representation < Google::Apis::Core::JsonRepresentation
@@ -578,6 +796,66 @@ module Google
 end
 end
+ class IamPolicyAnalysis
+ # @private
+ class Representation < Google::Apis::Core::JsonRepresentation
+ property :analysis_query, as: 'analysisQuery', class: Google::Apis::CloudassetV1::IamPolicyAnalysisQuery, decorator: Google::Apis::CloudassetV1::IamPolicyAnalysisQuery::Representation
+
+ collection :analysis_results, as: 'analysisResults', class: Google::Apis::CloudassetV1::IamPolicyAnalysisResult, decorator: Google::Apis::CloudassetV1::IamPolicyAnalysisResult::Representation
+
+ property :fully_explored, as: 'fullyExplored'
+ collection :non_critical_errors, as: 'nonCriticalErrors', class: Google::Apis::CloudassetV1::IamPolicyAnalysisState, decorator: Google::Apis::CloudassetV1::IamPolicyAnalysisState::Representation
+
+ end
+ end
+
+ class IamPolicyAnalysisOutputConfig
+ # @private
+ class Representation < Google::Apis::Core::JsonRepresentation
+ property :bigquery_destination, as: 'bigqueryDestination', class: Google::Apis::CloudassetV1::GoogleCloudAssetV1BigQueryDestination, decorator: Google::Apis::CloudassetV1::GoogleCloudAssetV1BigQueryDestination::Representation
+
+ property :gcs_destination, as: 'gcsDestination', class: Google::Apis::CloudassetV1::GoogleCloudAssetV1GcsDestination, decorator: Google::Apis::CloudassetV1::GoogleCloudAssetV1GcsDestination::Representation
+
+ end
+ end
+
+ class IamPolicyAnalysisQuery
+ # @private
+ class Representation < Google::Apis::Core::JsonRepresentation
+ property :access_selector, as: 'accessSelector', class: Google::Apis::CloudassetV1::AccessSelector, decorator: Google::Apis::CloudassetV1::AccessSelector::Representation
+
+ property :identity_selector, as: 'identitySelector', class: Google::Apis::CloudassetV1::IdentitySelector, decorator: Google::Apis::CloudassetV1::IdentitySelector::Representation
+
+ property :options, as: 'options', class: Google::Apis::CloudassetV1::Options, decorator: Google::Apis::CloudassetV1::Options::Representation
+
+ property :resource_selector, as: 'resourceSelector', class: Google::Apis::CloudassetV1::ResourceSelector, decorator: Google::Apis::CloudassetV1::ResourceSelector::Representation
+
+ property :scope, as: 'scope'
+ end
+ end
+
+ class IamPolicyAnalysisResult
+ # @private
+ class Representation < Google::Apis::Core::JsonRepresentation
+ collection :access_control_lists, as: 'accessControlLists', class: Google::Apis::CloudassetV1::GoogleCloudAssetV1AccessControlList, decorator: Google::Apis::CloudassetV1::GoogleCloudAssetV1AccessControlList::Representation
+
+ property :attached_resource_full_name, as: 'attachedResourceFullName'
+ property :fully_explored, as: 'fullyExplored'
+ property :iam_binding, as: 'iamBinding', class: Google::Apis::CloudassetV1::Binding, decorator: Google::Apis::CloudassetV1::Binding::Representation
+
+ property :identity_list, as: 'identityList', class: Google::Apis::CloudassetV1::GoogleCloudAssetV1IdentityList, decorator: Google::Apis::CloudassetV1::GoogleCloudAssetV1IdentityList::Representation
+
+ end
+ end
+
+ class IamPolicyAnalysisState
+ # @private
+ class Representation < Google::Apis::Core::JsonRepresentation
+ property :cause, as: 'cause'
+ property :code, as: 'code'
+ end
+ end
+
 class IamPolicySearchResult
 # @private
 class Representation < Google::Apis::Core::JsonRepresentation
@@ -590,6 +868,13 @@ module Google
 end
 end
+ class IdentitySelector
+ # @private
+ class Representation < Google::Apis::Core::JsonRepresentation
+ property :identity, as: 'identity'
+ end
+ end
+
 class ListFeedsResponse
 # @private
 class Representation < Google::Apis::Core::JsonRepresentation
@@ -610,6 +895,18 @@ module Google
 end
 end
+ class Options
+ # @private
+ class Representation < Google::Apis::Core::JsonRepresentation
+ property :analyze_service_account_impersonation, as: 'analyzeServiceAccountImpersonation'
+ property :expand_groups, as: 'expandGroups'
+ property :expand_resources, as: 'expandResources'
+ property :expand_roles, as: 'expandRoles'
+ property :output_group_edges, as: 'outputGroupEdges'
+ property :output_resource_edges, as: 'outputResourceEdges'
+ end
+ end
+
 class OutputConfig
 # @private
 class Representation < Google::Apis::Core::JsonRepresentation
@@ -681,6 +978,13 @@ module Google
 end
 end
+ class ResourceSelector
+ # @private
+ class Representation < Google::Apis::Core::JsonRepresentation
+ property :full_resource_name, as: 'fullResourceName'
+ end
+ end
+
 class SearchAllIamPoliciesResponse
 # @private
 class Representation < Google::Apis::Core::JsonRepresentation
diff --git a/generated/google/apis/cloudasset_v1/service.rb b/generated/google/apis/cloudasset_v1/service.rb
index d3225bf5e..55068477f 100644
--- a/generated/google/apis/cloudasset_v1/service.rb
+++ b/generated/google/apis/cloudasset_v1/service.rb
@@ -248,6 +248,177 @@ module Google
 execute_or_queue_command(command, &block)
 end
+ # Analyzes IAM policies to answer which identities have what accesses on which
+ # resources.
+ # @param [String] scope
+ # Required. The relative name of the root asset. Only resources and IAM policies
+ # within the scope will be analyzed. This can only be an organization number (
+ # such as "organizations/123"), a folder number (such as "folders/123"), a
+ # project ID (such as "projects/my-project-id"), or a project number (such as "
+ # projects/12345"). To know how to get organization id, visit [here ](https://
+ # cloud.google.com/resource-manager/docs/creating-managing-organization#
+ # retrieving_your_organization_id). To know how to get folder or project id,
+ # visit [here ](https://cloud.google.com/resource-manager/docs/creating-managing-
+ # folders#viewing_or_listing_folders_and_projects).
+ # @param [Array, String] analysis_query_access_selector_permissions
+ # Optional. The permissions to appear in result.
+ # @param [Array, String] analysis_query_access_selector_roles
+ # Optional. The roles to appear in result.
+ # @param [String] analysis_query_identity_selector_identity
+ # Required. The identity appear in the form of members in [IAM policy binding](
+ # https://cloud.google.com/iam/reference/rest/v1/Binding). The examples of
+ # supported forms are: "user:mike@example.com", "group:admins@example.com", "
+ # domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com".
+ # Notice that wildcard characters (such as * and ?) are not supported. You must
+ # give a specific identity.
+ # @param [Boolean] analysis_query_options_analyze_service_account_impersonation
+ # Optional. If true, the response will include access analysis from identities
+ # to resources via service account impersonation. This is a very expensive
+ # operation, because many derived queries will be executed. We highly recommend
+ # you use AssetService.AnalyzeIamPolicyLongrunning rpc instead. For example, if
+ # the request analyzes for which resources user A has permission P, and there's
+ # an IAM policy states user A has iam.serviceAccounts.getAccessToken permission
+ # to a service account SA, and there's another IAM policy states service account
+ # SA has permission P to a GCP folder F, then user A potentially has access to
+ # the GCP folder F. And those advanced analysis results will be included in
+ # AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Another
+ # example, if the request analyzes for who has permission P to a GCP folder F,
+ # and there's an IAM policy states user A has iam.serviceAccounts.actAs
+ # permission to a service account SA, and there's another IAM policy states
+ # service account SA has permission P to the GCP folder F, then user A
+ # potentially has access to the GCP folder F. And those advanced analysis
+ # results will be included in AnalyzeIamPolicyResponse.
+ # service_account_impersonation_analysis. Default is false.
+ # @param [Boolean] analysis_query_options_expand_groups
+ # Optional. If true, the identities section of the result will expand any Google
+ # groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.
+ # identity_selector is specified, the identity in the result will be determined
+ # by the selector, and this flag is not allowed to set. Default is false.
+ # @param [Boolean] analysis_query_options_expand_resources
+ # Optional. If true and IamPolicyAnalysisQuery.resource_selector is not
+ # specified, the resource section of the result will expand any resource
+ # attached to an IAM policy to include resources lower in the resource hierarchy.
+ # For example, if the request analyzes for which resources user A has
+ # permission P, and the results include an IAM policy with P on a GCP folder,
+ # the results will also include resources in that folder with permission P. If
+ # true and IamPolicyAnalysisQuery.resource_selector is specified, the resource
+ # section of the result will expand the specified resource to include resources
+ # lower in the resource hierarchy. Only project or lower resources are supported.
+ # Folder and organization resource cannot be used together with this option.
+ # For example, if the request analyzes for which users have permission P on a
+ # GCP project with this option enabled, the results will include all users who
+ # have permission P on that project or any lower resource. Default is false.
+ # @param [Boolean] analysis_query_options_expand_roles
+ # Optional. If true, the access section of result will expand any roles
+ # appearing in IAM policy bindings to include their permissions. If
+ # IamPolicyAnalysisQuery.access_selector is specified, the access section of the
+ # result will be determined by the selector, and this flag is not allowed to set.
+ # Default is false.
+ # @param [Boolean] analysis_query_options_output_group_edges
+ # Optional. If true, the result will output group identity edges, starting from
+ # the binding's group members, to any expanded identities. Default is false.
+ # @param [Boolean] analysis_query_options_output_resource_edges
+ # Optional. If true, the result will output resource edges, starting from the
+ # policy attached resource, to any expanded resources. Default is false.
+ # @param [String] analysis_query_resource_selector_full_resource_name
+ # Required. The [full resource name] (https://cloud.google.com/asset-inventory/
+ # docs/resource-name-format) of a resource of [supported resource types](https://
+ # cloud.google.com/asset-inventory/docs/supported-asset-types#
+ # analyzable_asset_types).
+ # @param [String] execution_timeout
+ # Optional. Amount of time executable has to complete. See JSON representation
+ # of [Duration](https://developers.google.com/protocol-buffers/docs/proto3#json).
+ # If this field is set with a value less than the RPC deadline, and the
+ # execution of your query hasn't finished in the specified execution timeout,
+ # you will get a response with partial result. Otherwise, your query's execution
+ # will continue until the RPC deadline. If it's not finished until then, you
+ # will get a DEADLINE_EXCEEDED error. Default is empty.
+ # @param [String] fields
+ # Selector specifying which fields to include in a partial response.
+ # @param [String] quota_user
+ # Available to use for quota purposes for server-side applications. Can be any
+ # arbitrary string assigned to a user, but should not exceed 40 characters.
+ # @param [Google::Apis::RequestOptions] options
+ # Request-specific options
+ #
+ # @yield [result, err] Result & error if block supplied
+ # @yieldparam result [Google::Apis::CloudassetV1::AnalyzeIamPolicyResponse] parsed result object
+ # @yieldparam err [StandardError] error object if request failed
+ #
+ # @return [Google::Apis::CloudassetV1::AnalyzeIamPolicyResponse]
+ #
+ # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+ # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+ # @raise [Google::Apis::AuthorizationError] Authorization is required
+ def analyze_iam_policy(scope, analysis_query_access_selector_permissions: nil, analysis_query_access_selector_roles: nil, analysis_query_identity_selector_identity: nil, analysis_query_options_analyze_service_account_impersonation: nil, analysis_query_options_expand_groups: nil, analysis_query_options_expand_resources: nil, analysis_query_options_expand_roles: nil, analysis_query_options_output_group_edges: nil, analysis_query_options_output_resource_edges: nil, analysis_query_resource_selector_full_resource_name: nil, execution_timeout: nil, fields: nil, quota_user: nil, options: nil, &block)
+ command = make_simple_command(:get, 'v1/{+scope}:analyzeIamPolicy', options)
+ command.response_representation = Google::Apis::CloudassetV1::AnalyzeIamPolicyResponse::Representation
+ command.response_class = Google::Apis::CloudassetV1::AnalyzeIamPolicyResponse
+ command.params['scope'] = scope unless scope.nil?
+ command.query['analysisQuery.accessSelector.permissions'] = analysis_query_access_selector_permissions unless analysis_query_access_selector_permissions.nil?
+ command.query['analysisQuery.accessSelector.roles'] = analysis_query_access_selector_roles unless analysis_query_access_selector_roles.nil?
+ command.query['analysisQuery.identitySelector.identity'] = analysis_query_identity_selector_identity unless analysis_query_identity_selector_identity.nil?
+ command.query['analysisQuery.options.analyzeServiceAccountImpersonation'] = analysis_query_options_analyze_service_account_impersonation unless analysis_query_options_analyze_service_account_impersonation.nil?
+ command.query['analysisQuery.options.expandGroups'] = analysis_query_options_expand_groups unless analysis_query_options_expand_groups.nil?
+ command.query['analysisQuery.options.expandResources'] = analysis_query_options_expand_resources unless analysis_query_options_expand_resources.nil?
+ command.query['analysisQuery.options.expandRoles'] = analysis_query_options_expand_roles unless analysis_query_options_expand_roles.nil?
+ command.query['analysisQuery.options.outputGroupEdges'] = analysis_query_options_output_group_edges unless analysis_query_options_output_group_edges.nil?
+ command.query['analysisQuery.options.outputResourceEdges'] = analysis_query_options_output_resource_edges unless analysis_query_options_output_resource_edges.nil?
+ command.query['analysisQuery.resourceSelector.fullResourceName'] = analysis_query_resource_selector_full_resource_name unless analysis_query_resource_selector_full_resource_name.nil?
+ command.query['executionTimeout'] = execution_timeout unless execution_timeout.nil?
+ command.query['fields'] = fields unless fields.nil?
+ command.query['quotaUser'] = quota_user unless quota_user.nil?
+ execute_or_queue_command(command, &block)
+ end
+
+ # Analyzes IAM policies asynchronously to answer which identities have what
+ # accesses on which resources, and writes the analysis results to a Google Cloud
+ # Storage or a BigQuery destination. For Cloud Storage destination, the output
+ # format is the JSON format that represents a AnalyzeIamPolicyResponse. This
+ # method implements the google.longrunning.Operation, which allows you to track
+ # the operation status. We recommend intervals of at least 2 seconds with
+ # exponential backoff retry to poll the operation result. The metadata contains
+ # the request to help callers to map responses to requests.
+ # @param [String] scope
+ # Required. The relative name of the root asset. Only resources and IAM policies
+ # within the scope will be analyzed. This can only be an organization number (
+ # such as "organizations/123"), a folder number (such as "folders/123"), a
+ # project ID (such as "projects/my-project-id"), or a project number (such as "
+ # projects/12345"). To know how to get organization id, visit [here ](https://
+ # cloud.google.com/resource-manager/docs/creating-managing-organization#
+ # retrieving_your_organization_id). To know how to get folder or project id,
+ # visit [here ](https://cloud.google.com/resource-manager/docs/creating-managing-
+ # folders#viewing_or_listing_folders_and_projects).
+ # @param [Google::Apis::CloudassetV1::AnalyzeIamPolicyLongrunningRequest] analyze_iam_policy_longrunning_request_object
+ # @param [String] fields
+ # Selector specifying which fields to include in a partial response.
+ # @param [String] quota_user
+ # Available to use for quota purposes for server-side applications. Can be any
+ # arbitrary string assigned to a user, but should not exceed 40 characters.
+ # @param [Google::Apis::RequestOptions] options
+ # Request-specific options
+ #
+ # @yield [result, err] Result & error if block supplied
+ # @yieldparam result [Google::Apis::CloudassetV1::Operation] parsed result object
+ # @yieldparam err [StandardError] error object if request failed
+ #
+ # @return [Google::Apis::CloudassetV1::Operation]
+ #
+ # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+ # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+ # @raise [Google::Apis::AuthorizationError] Authorization is required
+ def analyze_iam_policy_longrunning(scope, analyze_iam_policy_longrunning_request_object = nil, fields: nil, quota_user: nil, options: nil, &block)
+ command = make_simple_command(:post, 'v1/{+scope}:analyzeIamPolicyLongrunning', options)
+ command.request_representation = Google::Apis::CloudassetV1::AnalyzeIamPolicyLongrunningRequest::Representation
+ command.request_object = analyze_iam_policy_longrunning_request_object
+ command.response_representation = Google::Apis::CloudassetV1::Operation::Representation
+ command.response_class = Google::Apis::CloudassetV1::Operation
+ command.params['scope'] = scope unless scope.nil?
+ command.query['fields'] = fields unless fields.nil?
+ command.query['quotaUser'] = quota_user unless quota_user.nil?
+ execute_or_queue_command(command, &block)
+ end
+
 # Batch gets the update history of assets that overlap a time window. For
 # IAM_POLICY content, this API outputs history when the asset and its attached
 # IAM POLICY both exist. This can create gaps in the output history. Otherwise,
diff --git a/generated/google/apis/cloudasset_v1/synth.metadata b/generated/google/apis/cloudasset_v1/synth.metadata
index 429012f74..76b2da20f 100644
--- a/generated/google/apis/cloudasset_v1/synth.metadata
+++ b/generated/google/apis/cloudasset_v1/synth.metadata
@@ -4,7 +4,7 @@
 "git": {
 "name": ".",
 "remote": "https://github.com/googleapis/google-api-ruby-client.git",
- "sha": "c98c719bbab68d0890524d53f8b629d7858af9c2"
+ "sha": "8d2ef13ecc4fd0426870bf3ab35770b4782063cf"
 }
 }
 ]