diff --git a/google/iam/v1/iam_policy.proto b/google/iam/v1/iam_policy.proto
deleted file mode 100644
index 0841d99..0000000
--- a/google/iam/v1/iam_policy.proto
+++ /dev/null
@@ -1,157 +0,0 @@
-// Copyright 2024 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-syntax = "proto3";
-
-package google.iam.v1;
-
-import "google/api/annotations.proto";
-import "google/api/client.proto";
-import "google/api/field_behavior.proto";
-import "google/api/resource.proto";
-import "google/iam/v1/options.proto";
-import "google/iam/v1/policy.proto";
-import "google/protobuf/field_mask.proto";
-
-option csharp_namespace = "Google.Cloud.Iam.V1";
-option go_package = "cloud.google.com/go/iam/apiv1/iampb;iampb";
-option java_multiple_files = true;
-option java_outer_classname = "IamPolicyProto";
-option java_package = "com.google.iam.v1";
-option php_namespace = "Google\\Cloud\\Iam\\V1";
-
-// API Overview
-//
-// Manages Identity and Access Management (IAM) policies.
-//
-// Any implementation of an API that offers access control features
-// implements the google.iam.v1.IAMPolicy interface.
-//
-// ## Data model
-//
-// Access control is applied when a principal (user or service account), takes
-// some action on a resource exposed by a service. Resources, identified by
-// URI-like names, are the unit of access control specification. Service
-// implementations can choose the granularity of access control and the
-// supported permissions for their resources.
-// For example one database service may allow access control to be
-// specified only at the Table level, whereas another might allow access control
-// to also be specified at the Column level.
-//
-// ## Policy Structure
-//
-// See google.iam.v1.Policy
-//
-// This is intentionally not a CRUD style API because access control policies
-// are created and deleted implicitly with the resources to which they are
-// attached.
-service IAMPolicy {
- option (google.api.default_host) = "iam-meta-api.googleapis.com";
-
- // Sets the access control policy on the specified resource. Replaces any
- // existing policy.
- //
- // Can return `NOT_FOUND`, `INVALID_ARGUMENT`, and `PERMISSION_DENIED` errors.
- rpc SetIamPolicy(SetIamPolicyRequest) returns (Policy) {
- option (google.api.http) = {
- post: "/v1/{resource=**}:setIamPolicy"
- body: "*"
- };
- }
-
- // Gets the access control policy for a resource.
- // Returns an empty policy if the resource exists and does not have a policy
- // set.
- rpc GetIamPolicy(GetIamPolicyRequest) returns (Policy) {
- option (google.api.http) = {
- post: "/v1/{resource=**}:getIamPolicy"
- body: "*"
- };
- }
-
- // Returns permissions that a caller has on the specified resource.
- // If the resource does not exist, this will return an empty set of
- // permissions, not a `NOT_FOUND` error.
- //
- // Note: This operation is designed to be used for building permission-aware
- // UIs and command-line tools, not for authorization checking. This operation
- // may "fail open" without warning.
- rpc TestIamPermissions(TestIamPermissionsRequest)
- returns (TestIamPermissionsResponse) {
- option (google.api.http) = {
- post: "/v1/{resource=**}:testIamPermissions"
- body: "*"
- };
- }
-}
-
-// Request message for `SetIamPolicy` method.
-message SetIamPolicyRequest {
- // REQUIRED: The resource for which the policy is being specified.
- // See the operation documentation for the appropriate value for this field.
- string resource = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference).type = "*"
- ];
-
- // REQUIRED: The complete policy to be applied to the `resource`. The size of
- // the policy is limited to a few 10s of KB. An empty policy is a
- // valid policy but certain Cloud Platform services (such as Projects)
- // might reject them.
- Policy policy = 2 [(google.api.field_behavior) = REQUIRED];
-
- // OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
- // the fields in the mask will be modified. If no mask is provided, the
- // following default mask is used:
- //
- // `paths: "bindings, etag"`
- google.protobuf.FieldMask update_mask = 3;
-}
-
-// Request message for `GetIamPolicy` method.
-message GetIamPolicyRequest {
- // REQUIRED: The resource for which the policy is being requested.
- // See the operation documentation for the appropriate value for this field.
- string resource = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference).type = "*"
- ];
-
- // OPTIONAL: A `GetPolicyOptions` object for specifying options to
- // `GetIamPolicy`.
- GetPolicyOptions options = 2;
-}
-
-// Request message for `TestIamPermissions` method.
-message TestIamPermissionsRequest {
- // REQUIRED: The resource for which the policy detail is being requested.
- // See the operation documentation for the appropriate value for this field.
- string resource = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference).type = "*"
- ];
-
- // The set of permissions to check for the `resource`. Permissions with
- // wildcards (such as '*' or 'storage.*') are not allowed. For more
- // information see
- // [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).
- repeated string permissions = 2 [(google.api.field_behavior) = REQUIRED];
-}
-
-// Response message for `TestIamPermissions` method.
-message TestIamPermissionsResponse {
- // A subset of `TestPermissionsRequest.permissions` that the caller is
- // allowed.
- repeated string permissions = 1;
-}
diff --git a/google/iam/v1/logging/audit_data.proto b/google/iam/v1/logging/audit_data.proto
deleted file mode 100644
index ccafe04..0000000
--- a/google/iam/v1/logging/audit_data.proto
+++ /dev/null
@@ -1,33 +0,0 @@
-// Copyright 2024 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-syntax = "proto3";
-
-package google.iam.v1.logging;
-
-import "google/iam/v1/policy.proto";
-
-option csharp_namespace = "Google.Cloud.Iam.V1.Logging";
-option go_package = "cloud.google.com/go/iam/apiv1/logging/loggingpb;loggingpb";
-option java_multiple_files = true;
-option java_outer_classname = "AuditDataProto";
-option java_package = "com.google.iam.v1.logging";
-
-// Audit log information specific to Cloud IAM. This message is serialized
-// as an `Any` type in the `ServiceData` message of an
-// `AuditLog` message.
-message AuditData {
- // Policy delta between the original policy and the newly set policy.
- google.iam.v1.PolicyDelta policy_delta = 2;
-}
diff --git a/google/iam/v1/options.proto b/google/iam/v1/options.proto
deleted file mode 100644
index 5334962..0000000
--- a/google/iam/v1/options.proto
+++ /dev/null
@@ -1,48 +0,0 @@
-// Copyright 2024 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-syntax = "proto3";
-
-package google.iam.v1;
-
-option cc_enable_arenas = true;
-option csharp_namespace = "Google.Cloud.Iam.V1";
-option go_package = "cloud.google.com/go/iam/apiv1/iampb;iampb";
-option java_multiple_files = true;
-option java_outer_classname = "OptionsProto";
-option java_package = "com.google.iam.v1";
-option php_namespace = "Google\\Cloud\\Iam\\V1";
-
-// Encapsulates settings provided to GetIamPolicy.
-message GetPolicyOptions {
- // Optional. The maximum policy version that will be used to format the
- // policy.
- //
- // Valid values are 0, 1, and 3. Requests specifying an invalid value will be
- // rejected.
- //
- // Requests for policies with any conditional role bindings must specify
- // version 3. Policies with no conditional role bindings may specify any valid
- // value or leave the field unset.
- //
- // The policy in the response might use the policy version that you specified,
- // or it might use a lower policy version. For example, if you specify version
- // 3, but the policy has no conditional role bindings, the response uses
- // version 1.
- //
- // To learn which resources support conditions in their IAM policies, see the
- // [IAM
- // documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
- int32 requested_policy_version = 1;
-}
diff --git a/google/iam/v1/policy.proto b/google/iam/v1/policy.proto
deleted file mode 100644
index 9bff39a..0000000
--- a/google/iam/v1/policy.proto
+++ /dev/null
@@ -1,410 +0,0 @@
-// Copyright 2024 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-syntax = "proto3";
-
-package google.iam.v1;
-
-import "google/type/expr.proto";
-
-option cc_enable_arenas = true;
-option csharp_namespace = "Google.Cloud.Iam.V1";
-option go_package = "cloud.google.com/go/iam/apiv1/iampb;iampb";
-option java_multiple_files = true;
-option java_outer_classname = "PolicyProto";
-option java_package = "com.google.iam.v1";
-option php_namespace = "Google\\Cloud\\Iam\\V1";
-
-// An Identity and Access Management (IAM) policy, which specifies access
-// controls for Google Cloud resources.
-//
-//
-// A `Policy` is a collection of `bindings`. A `binding` binds one or more
-// `members`, or principals, to a single `role`. Principals can be user
-// accounts, service accounts, Google groups, and domains (such as G Suite). A
-// `role` is a named list of permissions; each `role` can be an IAM predefined
-// role or a user-created custom role.
-//
-// For some types of Google Cloud resources, a `binding` can also specify a
-// `condition`, which is a logical expression that allows access to a resource
-// only if the expression evaluates to `true`. A condition can add constraints
-// based on attributes of the request, the resource, or both. To learn which
-// resources support conditions in their IAM policies, see the
-// [IAM
-// documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
-//
-// **JSON example:**
-//
-// ```
-// {
-// "bindings": [
-// {
-// "role": "roles/resourcemanager.organizationAdmin",
-// "members": [
-// "user:mike@example.com",
-// "group:admins@example.com",
-// "domain:google.com",
-// "serviceAccount:my-project-id@appspot.gserviceaccount.com"
-// ]
-// },
-// {
-// "role": "roles/resourcemanager.organizationViewer",
-// "members": [
-// "user:eve@example.com"
-// ],
-// "condition": {
-// "title": "expirable access",
-// "description": "Does not grant access after Sep 2020",
-// "expression": "request.time <
-// timestamp('2020-10-01T00:00:00.000Z')",
-// }
-// }
-// ],
-// "etag": "BwWWja0YfJA=",
-// "version": 3
-// }
-// ```
-//
-// **YAML example:**
-//
-// ```
-// bindings:
-// - members:
-// - user:mike@example.com
-// - group:admins@example.com
-// - domain:google.com
-// - serviceAccount:my-project-id@appspot.gserviceaccount.com
-// role: roles/resourcemanager.organizationAdmin
-// - members:
-// - user:eve@example.com
-// role: roles/resourcemanager.organizationViewer
-// condition:
-// title: expirable access
-// description: Does not grant access after Sep 2020
-// expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
-// etag: BwWWja0YfJA=
-// version: 3
-// ```
-//
-// For a description of IAM and its features, see the
-// [IAM documentation](https://cloud.google.com/iam/docs/).
-message Policy {
- // Specifies the format of the policy.
- //
- // Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
- // are rejected.
- //
- // Any operation that affects conditional role bindings must specify version
- // `3`. This requirement applies to the following operations:
- //
- // * Getting a policy that includes a conditional role binding
- // * Adding a conditional role binding to a policy
- // * Changing a conditional role binding in a policy
- // * Removing any role binding, with or without a condition, from a policy
- // that includes conditions
- //
- // **Important:** If you use IAM Conditions, you must include the `etag` field
- // whenever you call `setIamPolicy`. If you omit this field, then IAM allows
- // you to overwrite a version `3` policy with a version `1` policy, and all of
- // the conditions in the version `3` policy are lost.
- //
- // If a policy does not include any conditions, operations on that policy may
- // specify any valid version or leave the field unset.
- //
- // To learn which resources support conditions in their IAM policies, see the
- // [IAM
- // documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
- int32 version = 1;
-
- // Associates a list of `members`, or principals, with a `role`. Optionally,
- // may specify a `condition` that determines how and when the `bindings` are
- // applied. Each of the `bindings` must contain at least one principal.
- //
- // The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
- // of these principals can be Google groups. Each occurrence of a principal
- // counts towards these limits. For example, if the `bindings` grant 50
- // different roles to `user:alice@example.com`, and not to any other
- // principal, then you can add another 1,450 principals to the `bindings` in
- // the `Policy`.
- repeated Binding bindings = 4;
-
- // Specifies cloud audit logging configuration for this policy.
- repeated AuditConfig audit_configs = 6;
-
- // `etag` is used for optimistic concurrency control as a way to help
- // prevent simultaneous updates of a policy from overwriting each other.
- // It is strongly suggested that systems make use of the `etag` in the
- // read-modify-write cycle to perform policy updates in order to avoid race
- // conditions: An `etag` is returned in the response to `getIamPolicy`, and
- // systems are expected to put that etag in the request to `setIamPolicy` to
- // ensure that their change will be applied to the same version of the policy.
- //
- // **Important:** If you use IAM Conditions, you must include the `etag` field
- // whenever you call `setIamPolicy`. If you omit this field, then IAM allows
- // you to overwrite a version `3` policy with a version `1` policy, and all of
- // the conditions in the version `3` policy are lost.
- bytes etag = 3;
-}
-
-// Associates `members`, or principals, with a `role`.
-message Binding {
- // Role that is assigned to the list of `members`, or principals.
- // For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
- string role = 1;
-
- // Specifies the principals requesting access for a Google Cloud resource.
- // `members` can have the following values:
- //
- // * `allUsers`: A special identifier that represents anyone who is
- // on the internet; with or without a Google account.
- //
- // * `allAuthenticatedUsers`: A special identifier that represents anyone
- // who is authenticated with a Google account or a service account.
- //
- // * `user:{emailid}`: An email address that represents a specific Google
- // account. For example, `alice@example.com` .
- //
- //
- // * `serviceAccount:{emailid}`: An email address that represents a service
- // account. For example, `my-other-app@appspot.gserviceaccount.com`.
- //
- // * `group:{emailid}`: An email address that represents a Google group.
- // For example, `admins@example.com`.
- //
- // * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
- // identifier) representing a user that has been recently deleted. For
- // example, `alice@example.com?uid=123456789012345678901`. If the user is
- // recovered, this value reverts to `user:{emailid}` and the recovered user
- // retains the role in the binding.
- //
- // * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
- // unique identifier) representing a service account that has been recently
- // deleted. For example,
- // `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
- // If the service account is undeleted, this value reverts to
- // `serviceAccount:{emailid}` and the undeleted service account retains the
- // role in the binding.
- //
- // * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
- // identifier) representing a Google group that has been recently
- // deleted. For example, `admins@example.com?uid=123456789012345678901`. If
- // the group is recovered, this value reverts to `group:{emailid}` and the
- // recovered group retains the role in the binding.
- //
- //
- // * `domain:{domain}`: The G Suite domain (primary) that represents all the
- // users of that domain. For example, `google.com` or `example.com`.
- //
- //
- repeated string members = 2;
-
- // The condition that is associated with this binding.
- //
- // If the condition evaluates to `true`, then this binding applies to the
- // current request.
- //
- // If the condition evaluates to `false`, then this binding does not apply to
- // the current request. However, a different role binding might grant the same
- // role to one or more of the principals in this binding.
- //
- // To learn which resources support conditions in their IAM policies, see the
- // [IAM
- // documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
- google.type.Expr condition = 3;
-}
-
-// Specifies the audit configuration for a service.
-// The configuration determines which permission types are logged, and what
-// identities, if any, are exempted from logging.
-// An AuditConfig must have one or more AuditLogConfigs.
-//
-// If there are AuditConfigs for both `allServices` and a specific service,
-// the union of the two AuditConfigs is used for that service: the log_types
-// specified in each AuditConfig are enabled, and the exempted_members in each
-// AuditLogConfig are exempted.
-//
-// Example Policy with multiple AuditConfigs:
-//
-// {
-// "audit_configs": [
-// {
-// "service": "allServices",
-// "audit_log_configs": [
-// {
-// "log_type": "DATA_READ",
-// "exempted_members": [
-// "user:jose@example.com"
-// ]
-// },
-// {
-// "log_type": "DATA_WRITE"
-// },
-// {
-// "log_type": "ADMIN_READ"
-// }
-// ]
-// },
-// {
-// "service": "sampleservice.googleapis.com",
-// "audit_log_configs": [
-// {
-// "log_type": "DATA_READ"
-// },
-// {
-// "log_type": "DATA_WRITE",
-// "exempted_members": [
-// "user:aliya@example.com"
-// ]
-// }
-// ]
-// }
-// ]
-// }
-//
-// For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
-// logging. It also exempts `jose@example.com` from DATA_READ logging, and
-// `aliya@example.com` from DATA_WRITE logging.
-message AuditConfig {
- // Specifies a service that will be enabled for audit logging.
- // For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
- // `allServices` is a special value that covers all services.
- string service = 1;
-
- // The configuration for logging of each type of permission.
- repeated AuditLogConfig audit_log_configs = 3;
-}
-
-// Provides the configuration for logging a type of permissions.
-// Example:
-//
-// {
-// "audit_log_configs": [
-// {
-// "log_type": "DATA_READ",
-// "exempted_members": [
-// "user:jose@example.com"
-// ]
-// },
-// {
-// "log_type": "DATA_WRITE"
-// }
-// ]
-// }
-//
-// This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
-// jose@example.com from DATA_READ logging.
-message AuditLogConfig {
- // The list of valid permission types for which logging can be configured.
- // Admin writes are always logged, and are not configurable.
- enum LogType {
- // Default case. Should never be this.
- LOG_TYPE_UNSPECIFIED = 0;
-
- // Admin reads. Example: CloudIAM getIamPolicy
- ADMIN_READ = 1;
-
- // Data writes. Example: CloudSQL Users create
- DATA_WRITE = 2;
-
- // Data reads. Example: CloudSQL Users list
- DATA_READ = 3;
- }
-
- // The log type that this config enables.
- LogType log_type = 1;
-
- // Specifies the identities that do not cause logging for this type of
- // permission.
- // Follows the same format of
- // [Binding.members][google.iam.v1.Binding.members].
- repeated string exempted_members = 2;
-}
-
-// The difference delta between two policies.
-message PolicyDelta {
- // The delta for Bindings between two policies.
- repeated BindingDelta binding_deltas = 1;
-
- // The delta for AuditConfigs between two policies.
- repeated AuditConfigDelta audit_config_deltas = 2;
-}
-
-// One delta entry for Binding. Each individual change (only one member in each
-// entry) to a binding will be a separate entry.
-message BindingDelta {
- // The type of action performed on a Binding in a policy.
- enum Action {
- // Unspecified.
- ACTION_UNSPECIFIED = 0;
-
- // Addition of a Binding.
- ADD = 1;
-
- // Removal of a Binding.
- REMOVE = 2;
- }
-
- // The action that was performed on a Binding.
- // Required
- Action action = 1;
-
- // Role that is assigned to `members`.
- // For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
- // Required
- string role = 2;
-
- // A single identity requesting access for a Google Cloud resource.
- // Follows the same format of Binding.members.
- // Required
- string member = 3;
-
- // The condition that is associated with this binding.
- google.type.Expr condition = 4;
-}
-
-// One delta entry for AuditConfig. Each individual change (only one
-// exempted_member in each entry) to a AuditConfig will be a separate entry.
-message AuditConfigDelta {
- // The type of action performed on an audit configuration in a policy.
- enum Action {
- // Unspecified.
- ACTION_UNSPECIFIED = 0;
-
- // Addition of an audit configuration.
- ADD = 1;
-
- // Removal of an audit configuration.
- REMOVE = 2;
- }
-
- // The action that was performed on an audit configuration in a policy.
- // Required
- Action action = 1;
-
- // Specifies a service that was configured for Cloud Audit Logging.
- // For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
- // `allServices` is a special value that covers all services.
- // Required
- string service = 2;
-
- // A single identity that is exempted from "data access" audit
- // logging for the `service` specified above.
- // Follows the same format of Binding.members.
- string exempted_member = 3;
-
- // Specifies the log_type that was be enabled. ADMIN_ACTIVITY is always
- // enabled, and cannot be configured.
- // Required
- string log_type = 4;
-}
diff --git a/google/iam/v1/resource_policy_member.proto b/google/iam/v1/resource_policy_member.proto
deleted file mode 100644
index 8f9aae6..0000000
--- a/google/iam/v1/resource_policy_member.proto
+++ /dev/null
@@ -1,50 +0,0 @@
-// Copyright 2024 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-syntax = "proto3";
-
-package google.iam.v1;
-
-import "google/api/field_behavior.proto";
-
-option csharp_namespace = "Google.Cloud.Iam.V1";
-option go_package = "cloud.google.com/go/iam/apiv1/iampb;iampb";
-option php_namespace = "Google\\Cloud\\Iam\\V1";
-option java_multiple_files = true;
-option java_outer_classname = "ResourcePolicyMemberProto";
-option java_package = "com.google.iam.v1";
-
-// Output-only policy member strings of a Google Cloud resource's built-in
-// identity.
-message ResourcePolicyMember {
- // IAM policy binding member referring to a Google Cloud resource by
- // user-assigned name (https://google.aip.dev/122). If a resource is deleted
- // and recreated with the same name, the binding will be applicable to the new
- // resource.
- //
- // Example:
- // `principal://parametermanager.googleapis.com/projects/12345/name/locations/us-central1-a/parameters/my-parameter`
- string iam_policy_name_principal = 1
- [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // IAM policy binding member referring to a Google Cloud resource by
- // system-assigned unique identifier (https://google.aip.dev/148#uid). If a
- // resource is deleted and recreated with the same name, the binding will not
- // be applicable to the new resource
- //
- // Example:
- // `principal://parametermanager.googleapis.com/projects/12345/uid/locations/us-central1-a/parameters/a918fed5`
- string iam_policy_uid_principal = 2
- [(google.api.field_behavior) = OUTPUT_ONLY];
-}