123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343 |
- // Copyright 2020 Google LLC
- //
- // Licensed under the Apache License, Version 2.0 (the "License");
- // you may not use this file except in compliance with the License.
- // You may obtain a copy of the License at
- //
- // http://www.apache.org/licenses/LICENSE-2.0
- //
- // Unless required by applicable law or agreed to in writing, software
- // distributed under the License is distributed on an "AS IS" BASIS,
- // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- // See the License for the specific language governing permissions and
- // limitations under the License.
- syntax = "proto3";
- package google.cloud.asset.v1p4beta1;
- import "google/api/annotations.proto";
- import "google/api/field_behavior.proto";
- import "google/cloud/asset/v1p4beta1/assets.proto";
- import "google/iam/v1/policy.proto";
- import "google/longrunning/operations.proto";
- import "google/protobuf/duration.proto";
- import "google/api/client.proto";
- option csharp_namespace = "Google.Cloud.Asset.V1P4Beta1";
- option go_package = "google.golang.org/genproto/googleapis/cloud/asset/v1p4beta1;asset";
- option java_multiple_files = true;
- option java_outer_classname = "AssetServiceProto";
- option java_package = "com.google.cloud.asset.v1p4beta1";
- option php_namespace = "Google\\Cloud\\Asset\\V1p4beta1";
- // Asset service definition.
- service AssetService {
- option (google.api.default_host) = "cloudasset.googleapis.com";
- option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
- // Analyzes IAM policies based on the specified request. Returns
- // a list of [IamPolicyAnalysisResult][google.cloud.asset.v1p4beta1.IamPolicyAnalysisResult] matching the request.
- rpc AnalyzeIamPolicy(AnalyzeIamPolicyRequest) returns (AnalyzeIamPolicyResponse) {
- option (google.api.http) = {
- get: "/v1p4beta1/{analysis_query.parent=*/*}:analyzeIamPolicy"
- };
- }
- // Exports IAM policy analysis based on the specified request. This API
- // implements the [google.longrunning.Operation][google.longrunning.Operation] API allowing you to keep
- // track of the export. The metadata contains the request to help callers to
- // map responses to requests.
- rpc ExportIamPolicyAnalysis(ExportIamPolicyAnalysisRequest) returns (google.longrunning.Operation) {
- option (google.api.http) = {
- post: "/v1p4beta1/{analysis_query.parent=*/*}:exportIamPolicyAnalysis"
- body: "*"
- };
- option (google.longrunning.operation_info) = {
- response_type: "google.cloud.asset.v1p4beta1.ExportIamPolicyAnalysisResponse"
- metadata_type: "google.cloud.asset.v1p4beta1.ExportIamPolicyAnalysisRequest"
- };
- }
- }
- // IAM policy analysis query message.
- message IamPolicyAnalysisQuery {
- // Specifies the resource to analyze for access policies, which may be set
- // directly on the resource, or on ancestors such as organizations, folders or
- // projects. At least one of [ResourceSelector][google.cloud.asset.v1p4beta1.IamPolicyAnalysisQuery.ResourceSelector], [IdentitySelector][google.cloud.asset.v1p4beta1.IamPolicyAnalysisQuery.IdentitySelector] or
- // [AccessSelector][google.cloud.asset.v1p4beta1.IamPolicyAnalysisQuery.AccessSelector] must be specified in a request.
- message ResourceSelector {
- // Required. The [full resource
- // name](https://cloud.google.com/apis/design/resource_names#full_resource_name)
- // .
- string full_resource_name = 1 [(google.api.field_behavior) = REQUIRED];
- }
- // Specifies an identity for which to determine resource access, based on
- // roles assigned either directly to them or to the groups they belong to,
- // directly or indirectly.
- message IdentitySelector {
- // Required. The identity appear in the form of members in
- // [IAM policy
- // binding](https://cloud.google.com/iam/reference/rest/v1/Binding).
- string identity = 1 [(google.api.field_behavior) = REQUIRED];
- }
- // Specifies roles and/or permissions to analyze, to determine both the
- // identities possessing them and the resources they control. If multiple
- // values are specified, results will include identities and resources
- // matching any of them.
- message AccessSelector {
- // Optional. The roles to appear in result.
- repeated string roles = 1 [(google.api.field_behavior) = OPTIONAL];
- // Optional. The permissions to appear in result.
- repeated string permissions = 2 [(google.api.field_behavior) = OPTIONAL];
- }
- // Required. The relative name of the root asset. Only resources and IAM policies within
- // the parent will be analyzed. This can only be an organization number (such
- // as "organizations/123") or a folder number (such as "folders/123").
- string parent = 1 [(google.api.field_behavior) = REQUIRED];
- // Optional. Specifies a resource for analysis. Leaving it empty means ANY.
- ResourceSelector resource_selector = 2 [(google.api.field_behavior) = OPTIONAL];
- // Optional. Specifies an identity for analysis. Leaving it empty means ANY.
- IdentitySelector identity_selector = 3 [(google.api.field_behavior) = OPTIONAL];
- // Optional. Specifies roles or permissions for analysis. Leaving it empty
- // means ANY.
- AccessSelector access_selector = 4 [(google.api.field_behavior) = OPTIONAL];
- }
- // A request message for [AssetService.AnalyzeIamPolicy][google.cloud.asset.v1p4beta1.AssetService.AnalyzeIamPolicy].
- message AnalyzeIamPolicyRequest {
- // Contains request options.
- message Options {
- // Optional. If true, the identities section of the result will expand any
- // Google groups appearing in an IAM policy binding.
- //
- // If [identity_selector][] is specified, the identity in the result will
- // be determined by the selector, and this flag will have no effect.
- //
- // Default is false.
- bool expand_groups = 1 [(google.api.field_behavior) = OPTIONAL];
- // Optional. If true, the access section of result will expand any roles
- // appearing in IAM policy bindings to include their permissions.
- //
- // If [access_selector][] is specified, the access section of the result
- // will be determined by the selector, and this flag will have no effect.
- //
- // Default is false.
- bool expand_roles = 2 [(google.api.field_behavior) = OPTIONAL];
- // Optional. If true, the resource section of the result will expand any
- // resource attached to an IAM policy to include resources lower in the
- // resource hierarchy.
- //
- // For example, if the request analyzes for which resources user A has
- // permission P, and the results include an IAM policy with P on a GCP
- // folder, the results will also include resources in that folder with
- // permission P.
- //
- // If [resource_selector][] is specified, the resource section of the result
- // will be determined by the selector, and this flag will have no effect.
- // Default is false.
- bool expand_resources = 3 [(google.api.field_behavior) = OPTIONAL];
- // Optional. If true, the result will output resource edges, starting
- // from the policy attached resource, to any expanded resources.
- // Default is false.
- bool output_resource_edges = 4 [(google.api.field_behavior) = OPTIONAL];
- // Optional. If true, the result will output group identity edges, starting
- // from the binding's group members, to any expanded identities.
- // Default is false.
- bool output_group_edges = 5 [(google.api.field_behavior) = OPTIONAL];
- // Optional. If true, the response will include access analysis from identities to
- // resources via service account impersonation. This is a very expensive
- // operation, because many derived queries will be executed. We highly
- // recommend you use ExportIamPolicyAnalysis rpc instead.
- //
- // For example, if the request analyzes for which resources user A has
- // permission P, and there's an IAM policy states user A has
- // iam.serviceAccounts.getAccessToken permission to a service account SA,
- // and there's another IAM policy states service account SA has permission P
- // to a GCP folder F, then user A potentially has access to the GCP folder
- // F. And those advanced analysis results will be included in
- // [AnalyzeIamPolicyResponse.service_account_impersonation_analysis][google.cloud.asset.v1p4beta1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis].
- //
- // Another example, if the request analyzes for who has
- // permission P to a GCP folder F, and there's an IAM policy states user A
- // has iam.serviceAccounts.actAs permission to a service account SA, and
- // there's another IAM policy states service account SA has permission P to
- // the GCP folder F, then user A potentially has access to the GCP folder
- // F. And those advanced analysis results will be included in
- // [AnalyzeIamPolicyResponse.service_account_impersonation_analysis][google.cloud.asset.v1p4beta1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis].
- //
- // Default is false.
- bool analyze_service_account_impersonation = 6 [(google.api.field_behavior) = OPTIONAL];
- // Optional. Amount of time executable has to complete. See JSON representation of
- // [Duration](https://developers.google.com/protocol-buffers/docs/proto3#json).
- //
- // If this field is set with a value less than the RPC deadline, and the
- // execution of your query hasn't finished in the specified
- // execution timeout, you will get a response with partial result.
- // Otherwise, your query's execution will continue until the RPC deadline.
- // If it's not finished until then, you will get a DEADLINE_EXCEEDED error.
- //
- // Default is empty.
- google.protobuf.Duration execution_timeout = 7 [(google.api.field_behavior) = OPTIONAL];
- }
- // Required. The request query.
- IamPolicyAnalysisQuery analysis_query = 1 [(google.api.field_behavior) = REQUIRED];
- // Optional. The request options.
- Options options = 2 [(google.api.field_behavior) = OPTIONAL];
- }
- // A response message for [AssetService.AnalyzeIamPolicy][google.cloud.asset.v1p4beta1.AssetService.AnalyzeIamPolicy].
- message AnalyzeIamPolicyResponse {
- // An analysis message to group the query and results.
- message IamPolicyAnalysis {
- // The analysis query.
- IamPolicyAnalysisQuery analysis_query = 1;
- // A list of [IamPolicyAnalysisResult][google.cloud.asset.v1p4beta1.IamPolicyAnalysisResult] that matches the analysis query, or
- // empty if no result is found.
- repeated IamPolicyAnalysisResult analysis_results = 2;
- // Represents whether all entries in the [analysis_results][google.cloud.asset.v1p4beta1.AnalyzeIamPolicyResponse.IamPolicyAnalysis.analysis_results] have been
- // fully explored to answer the query.
- bool fully_explored = 3;
- }
- // The main analysis that matches the original request.
- IamPolicyAnalysis main_analysis = 1;
- // The service account impersonation analysis if
- // [AnalyzeIamPolicyRequest.analyze_service_account_impersonation][] is
- // enabled.
- repeated IamPolicyAnalysis service_account_impersonation_analysis = 2;
- // Represents whether all entries in the [main_analysis][google.cloud.asset.v1p4beta1.AnalyzeIamPolicyResponse.main_analysis] and
- // [service_account_impersonation_analysis][google.cloud.asset.v1p4beta1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis] have been fully explored to
- // answer the query in the request.
- bool fully_explored = 3;
- // A list of non-critical errors happened during the request handling to
- // explain why `fully_explored` is false, or empty if no error happened.
- repeated IamPolicyAnalysisResult.AnalysisState non_critical_errors = 4;
- }
- // Output configuration for export IAM policy analysis destination.
- message IamPolicyAnalysisOutputConfig {
- // A Cloud Storage location.
- message GcsDestination {
- // Required. The uri of the Cloud Storage object. It's the same uri that is used by
- // gsutil. For example: "gs://bucket_name/object_name". See [Viewing and
- // Editing Object
- // Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata)
- // for more information.
- string uri = 1 [(google.api.field_behavior) = REQUIRED];
- }
- // IAM policy analysis export destination.
- oneof destination {
- // Destination on Cloud Storage.
- GcsDestination gcs_destination = 1;
- }
- }
- // A request message for [AssetService.ExportIamPolicyAnalysis][google.cloud.asset.v1p4beta1.AssetService.ExportIamPolicyAnalysis].
- message ExportIamPolicyAnalysisRequest {
- // Contains request options.
- message Options {
- // Optional. If true, the identities section of the result will expand any
- // Google groups appearing in an IAM policy binding.
- //
- // If [identity_selector][] is specified, the identity in the result will
- // be determined by the selector, and this flag will have no effect.
- //
- // Default is false.
- bool expand_groups = 1 [(google.api.field_behavior) = OPTIONAL];
- // Optional. If true, the access section of result will expand any roles
- // appearing in IAM policy bindings to include their permissions.
- //
- // If [access_selector][] is specified, the access section of the result
- // will be determined by the selector, and this flag will have no effect.
- //
- // Default is false.
- bool expand_roles = 2 [(google.api.field_behavior) = OPTIONAL];
- // Optional. If true, the resource section of the result will expand any
- // resource attached to an IAM policy to include resources lower in the
- // resource hierarchy.
- //
- // For example, if the request analyzes for which resources user A has
- // permission P, and the results include an IAM policy with P on a GCP
- // folder, the results will also include resources in that folder with
- // permission P.
- //
- // If [resource_selector][] is specified, the resource section of the result
- // will be determined by the selector, and this flag will have no effect.
- // Default is false.
- bool expand_resources = 3 [(google.api.field_behavior) = OPTIONAL];
- // Optional. If true, the result will output resource edges, starting
- // from the policy attached resource, to any expanded resources.
- // Default is false.
- bool output_resource_edges = 4 [(google.api.field_behavior) = OPTIONAL];
- // Optional. If true, the result will output group identity edges, starting
- // from the binding's group members, to any expanded identities.
- // Default is false.
- bool output_group_edges = 5 [(google.api.field_behavior) = OPTIONAL];
- // Optional. If true, the response will include access analysis from identities to
- // resources via service account impersonation. This is a very expensive
- // operation, because many derived queries will be executed.
- //
- // For example, if the request analyzes for which resources user A has
- // permission P, and there's an IAM policy states user A has
- // iam.serviceAccounts.getAccessToken permission to a service account SA,
- // and there's another IAM policy states service account SA has permission P
- // to a GCP folder F, then user A potentially has access to the GCP folder
- // F. And those advanced analysis results will be included in
- // [AnalyzeIamPolicyResponse.service_account_impersonation_analysis][google.cloud.asset.v1p4beta1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis].
- //
- // Another example, if the request analyzes for who has
- // permission P to a GCP folder F, and there's an IAM policy states user A
- // has iam.serviceAccounts.actAs permission to a service account SA, and
- // there's another IAM policy states service account SA has permission P to
- // the GCP folder F, then user A potentially has access to the GCP folder
- // F. And those advanced analysis results will be included in
- // [AnalyzeIamPolicyResponse.service_account_impersonation_analysis][google.cloud.asset.v1p4beta1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis].
- //
- // Default is false.
- bool analyze_service_account_impersonation = 6 [(google.api.field_behavior) = OPTIONAL];
- }
- // Required. The request query.
- IamPolicyAnalysisQuery analysis_query = 1 [(google.api.field_behavior) = REQUIRED];
- // Optional. The request options.
- Options options = 2 [(google.api.field_behavior) = OPTIONAL];
- // Required. Output configuration indicating where the results will be output to.
- IamPolicyAnalysisOutputConfig output_config = 3 [(google.api.field_behavior) = REQUIRED];
- }
- // The export IAM policy analysis response. This message is returned by the
- // [google.longrunning.Operations.GetOperation][] method in the returned
- // [google.longrunning.Operation.response][] field.
- message ExportIamPolicyAnalysisResponse {
- // Output configuration indicating where the results were output to.
- IamPolicyAnalysisOutputConfig output_config = 1;
- }