
// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
  14. syntax = "proto3";
  15. package google.cloud.asset.v1p4beta1;
  16. import "google/api/annotations.proto";
  17. import "google/api/field_behavior.proto";
  18. import "google/cloud/asset/v1p4beta1/assets.proto";
  19. import "google/iam/v1/policy.proto";
  20. import "google/longrunning/operations.proto";
  21. import "google/protobuf/duration.proto";
  22. import "google/api/client.proto";
  23. option csharp_namespace = "Google.Cloud.Asset.V1P4Beta1";
  24. option go_package = "google.golang.org/genproto/googleapis/cloud/asset/v1p4beta1;asset";
  25. option java_multiple_files = true;
  26. option java_outer_classname = "AssetServiceProto";
  27. option java_package = "com.google.cloud.asset.v1p4beta1";
  28. option php_namespace = "Google\\Cloud\\Asset\\V1p4beta1";
  29. // Asset service definition.
  30. service AssetService {
  31. option (google.api.default_host) = "cloudasset.googleapis.com";
  32. option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
  33. // Analyzes IAM policies based on the specified request. Returns
  34. // a list of [IamPolicyAnalysisResult][google.cloud.asset.v1p4beta1.IamPolicyAnalysisResult] matching the request.
  35. rpc AnalyzeIamPolicy(AnalyzeIamPolicyRequest) returns (AnalyzeIamPolicyResponse) {
  36. option (google.api.http) = {
  37. get: "/v1p4beta1/{analysis_query.parent=*/*}:analyzeIamPolicy"
  38. };
  39. }
  40. // Exports IAM policy analysis based on the specified request. This API
  41. // implements the [google.longrunning.Operation][google.longrunning.Operation] API allowing you to keep
  42. // track of the export. The metadata contains the request to help callers to
  43. // map responses to requests.
  44. rpc ExportIamPolicyAnalysis(ExportIamPolicyAnalysisRequest) returns (google.longrunning.Operation) {
  45. option (google.api.http) = {
  46. post: "/v1p4beta1/{analysis_query.parent=*/*}:exportIamPolicyAnalysis"
  47. body: "*"
  48. };
  49. option (google.longrunning.operation_info) = {
  50. response_type: "google.cloud.asset.v1p4beta1.ExportIamPolicyAnalysisResponse"
  51. metadata_type: "google.cloud.asset.v1p4beta1.ExportIamPolicyAnalysisRequest"
  52. };
  53. }
  54. }
  55. // IAM policy analysis query message.
  56. message IamPolicyAnalysisQuery {
  57. // Specifies the resource to analyze for access policies, which may be set
  58. // directly on the resource, or on ancestors such as organizations, folders or
  59. // projects. At least one of [ResourceSelector][google.cloud.asset.v1p4beta1.IamPolicyAnalysisQuery.ResourceSelector], [IdentitySelector][google.cloud.asset.v1p4beta1.IamPolicyAnalysisQuery.IdentitySelector] or
  60. // [AccessSelector][google.cloud.asset.v1p4beta1.IamPolicyAnalysisQuery.AccessSelector] must be specified in a request.
  61. message ResourceSelector {
  62. // Required. The [full resource
  63. // name](https://cloud.google.com/apis/design/resource_names#full_resource_name)
  64. // .
  65. string full_resource_name = 1 [(google.api.field_behavior) = REQUIRED];
  66. }
  67. // Specifies an identity for which to determine resource access, based on
  68. // roles assigned either directly to them or to the groups they belong to,
  69. // directly or indirectly.
  70. message IdentitySelector {
  71. // Required. The identity appear in the form of members in
  72. // [IAM policy
  73. // binding](https://cloud.google.com/iam/reference/rest/v1/Binding).
  74. string identity = 1 [(google.api.field_behavior) = REQUIRED];
  75. }
  76. // Specifies roles and/or permissions to analyze, to determine both the
  77. // identities possessing them and the resources they control. If multiple
  78. // values are specified, results will include identities and resources
  79. // matching any of them.
  80. message AccessSelector {
  81. // Optional. The roles to appear in result.
  82. repeated string roles = 1 [(google.api.field_behavior) = OPTIONAL];
  83. // Optional. The permissions to appear in result.
  84. repeated string permissions = 2 [(google.api.field_behavior) = OPTIONAL];
  85. }
  86. // Required. The relative name of the root asset. Only resources and IAM policies within
  87. // the parent will be analyzed. This can only be an organization number (such
  88. // as "organizations/123") or a folder number (such as "folders/123").
  89. string parent = 1 [(google.api.field_behavior) = REQUIRED];
  90. // Optional. Specifies a resource for analysis. Leaving it empty means ANY.
  91. ResourceSelector resource_selector = 2 [(google.api.field_behavior) = OPTIONAL];
  92. // Optional. Specifies an identity for analysis. Leaving it empty means ANY.
  93. IdentitySelector identity_selector = 3 [(google.api.field_behavior) = OPTIONAL];
  94. // Optional. Specifies roles or permissions for analysis. Leaving it empty
  95. // means ANY.
  96. AccessSelector access_selector = 4 [(google.api.field_behavior) = OPTIONAL];
  97. }
  98. // A request message for [AssetService.AnalyzeIamPolicy][google.cloud.asset.v1p4beta1.AssetService.AnalyzeIamPolicy].
  99. message AnalyzeIamPolicyRequest {
  100. // Contains request options.
  101. message Options {
  102. // Optional. If true, the identities section of the result will expand any
  103. // Google groups appearing in an IAM policy binding.
  104. //
  105. // If [identity_selector][] is specified, the identity in the result will
  106. // be determined by the selector, and this flag will have no effect.
  107. //
  108. // Default is false.
  109. bool expand_groups = 1 [(google.api.field_behavior) = OPTIONAL];
  110. // Optional. If true, the access section of result will expand any roles
  111. // appearing in IAM policy bindings to include their permissions.
  112. //
  113. // If [access_selector][] is specified, the access section of the result
  114. // will be determined by the selector, and this flag will have no effect.
  115. //
  116. // Default is false.
  117. bool expand_roles = 2 [(google.api.field_behavior) = OPTIONAL];
  118. // Optional. If true, the resource section of the result will expand any
  119. // resource attached to an IAM policy to include resources lower in the
  120. // resource hierarchy.
  121. //
  122. // For example, if the request analyzes for which resources user A has
  123. // permission P, and the results include an IAM policy with P on a GCP
  124. // folder, the results will also include resources in that folder with
  125. // permission P.
  126. //
  127. // If [resource_selector][] is specified, the resource section of the result
  128. // will be determined by the selector, and this flag will have no effect.
  129. // Default is false.
  130. bool expand_resources = 3 [(google.api.field_behavior) = OPTIONAL];
  131. // Optional. If true, the result will output resource edges, starting
  132. // from the policy attached resource, to any expanded resources.
  133. // Default is false.
  134. bool output_resource_edges = 4 [(google.api.field_behavior) = OPTIONAL];
  135. // Optional. If true, the result will output group identity edges, starting
  136. // from the binding's group members, to any expanded identities.
  137. // Default is false.
  138. bool output_group_edges = 5 [(google.api.field_behavior) = OPTIONAL];
  139. // Optional. If true, the response will include access analysis from identities to
  140. // resources via service account impersonation. This is a very expensive
  141. // operation, because many derived queries will be executed. We highly
  142. // recommend you use ExportIamPolicyAnalysis rpc instead.
  143. //
  144. // For example, if the request analyzes for which resources user A has
  145. // permission P, and there's an IAM policy states user A has
  146. // iam.serviceAccounts.getAccessToken permission to a service account SA,
  147. // and there's another IAM policy states service account SA has permission P
  148. // to a GCP folder F, then user A potentially has access to the GCP folder
  149. // F. And those advanced analysis results will be included in
  150. // [AnalyzeIamPolicyResponse.service_account_impersonation_analysis][google.cloud.asset.v1p4beta1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis].
  151. //
  152. // Another example, if the request analyzes for who has
  153. // permission P to a GCP folder F, and there's an IAM policy states user A
  154. // has iam.serviceAccounts.actAs permission to a service account SA, and
  155. // there's another IAM policy states service account SA has permission P to
  156. // the GCP folder F, then user A potentially has access to the GCP folder
  157. // F. And those advanced analysis results will be included in
  158. // [AnalyzeIamPolicyResponse.service_account_impersonation_analysis][google.cloud.asset.v1p4beta1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis].
  159. //
  160. // Default is false.
  161. bool analyze_service_account_impersonation = 6 [(google.api.field_behavior) = OPTIONAL];
  162. // Optional. Amount of time executable has to complete. See JSON representation of
  163. // [Duration](https://developers.google.com/protocol-buffers/docs/proto3#json).
  164. //
  165. // If this field is set with a value less than the RPC deadline, and the
  166. // execution of your query hasn't finished in the specified
  167. // execution timeout, you will get a response with partial result.
  168. // Otherwise, your query's execution will continue until the RPC deadline.
  169. // If it's not finished until then, you will get a DEADLINE_EXCEEDED error.
  170. //
  171. // Default is empty.
  172. google.protobuf.Duration execution_timeout = 7 [(google.api.field_behavior) = OPTIONAL];
  173. }
  174. // Required. The request query.
  175. IamPolicyAnalysisQuery analysis_query = 1 [(google.api.field_behavior) = REQUIRED];
  176. // Optional. The request options.
  177. Options options = 2 [(google.api.field_behavior) = OPTIONAL];
  178. }
  179. // A response message for [AssetService.AnalyzeIamPolicy][google.cloud.asset.v1p4beta1.AssetService.AnalyzeIamPolicy].
  180. message AnalyzeIamPolicyResponse {
  181. // An analysis message to group the query and results.
  182. message IamPolicyAnalysis {
  183. // The analysis query.
  184. IamPolicyAnalysisQuery analysis_query = 1;
  185. // A list of [IamPolicyAnalysisResult][google.cloud.asset.v1p4beta1.IamPolicyAnalysisResult] that matches the analysis query, or
  186. // empty if no result is found.
  187. repeated IamPolicyAnalysisResult analysis_results = 2;
  188. // Represents whether all entries in the [analysis_results][google.cloud.asset.v1p4beta1.AnalyzeIamPolicyResponse.IamPolicyAnalysis.analysis_results] have been
  189. // fully explored to answer the query.
  190. bool fully_explored = 3;
  191. }
  192. // The main analysis that matches the original request.
  193. IamPolicyAnalysis main_analysis = 1;
  194. // The service account impersonation analysis if
  195. // [AnalyzeIamPolicyRequest.analyze_service_account_impersonation][] is
  196. // enabled.
  197. repeated IamPolicyAnalysis service_account_impersonation_analysis = 2;
  198. // Represents whether all entries in the [main_analysis][google.cloud.asset.v1p4beta1.AnalyzeIamPolicyResponse.main_analysis] and
  199. // [service_account_impersonation_analysis][google.cloud.asset.v1p4beta1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis] have been fully explored to
  200. // answer the query in the request.
  201. bool fully_explored = 3;
  202. // A list of non-critical errors happened during the request handling to
  203. // explain why `fully_explored` is false, or empty if no error happened.
  204. repeated IamPolicyAnalysisResult.AnalysisState non_critical_errors = 4;
  205. }
  206. // Output configuration for export IAM policy analysis destination.
  207. message IamPolicyAnalysisOutputConfig {
  208. // A Cloud Storage location.
  209. message GcsDestination {
  210. // Required. The uri of the Cloud Storage object. It's the same uri that is used by
  211. // gsutil. For example: "gs://bucket_name/object_name". See [Viewing and
  212. // Editing Object
  213. // Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata)
  214. // for more information.
  215. string uri = 1 [(google.api.field_behavior) = REQUIRED];
  216. }
  217. // IAM policy analysis export destination.
  218. oneof destination {
  219. // Destination on Cloud Storage.
  220. GcsDestination gcs_destination = 1;
  221. }
  222. }
  223. // A request message for [AssetService.ExportIamPolicyAnalysis][google.cloud.asset.v1p4beta1.AssetService.ExportIamPolicyAnalysis].
  224. message ExportIamPolicyAnalysisRequest {
  225. // Contains request options.
  226. message Options {
  227. // Optional. If true, the identities section of the result will expand any
  228. // Google groups appearing in an IAM policy binding.
  229. //
  230. // If [identity_selector][] is specified, the identity in the result will
  231. // be determined by the selector, and this flag will have no effect.
  232. //
  233. // Default is false.
  234. bool expand_groups = 1 [(google.api.field_behavior) = OPTIONAL];
  235. // Optional. If true, the access section of result will expand any roles
  236. // appearing in IAM policy bindings to include their permissions.
  237. //
  238. // If [access_selector][] is specified, the access section of the result
  239. // will be determined by the selector, and this flag will have no effect.
  240. //
  241. // Default is false.
  242. bool expand_roles = 2 [(google.api.field_behavior) = OPTIONAL];
  243. // Optional. If true, the resource section of the result will expand any
  244. // resource attached to an IAM policy to include resources lower in the
  245. // resource hierarchy.
  246. //
  247. // For example, if the request analyzes for which resources user A has
  248. // permission P, and the results include an IAM policy with P on a GCP
  249. // folder, the results will also include resources in that folder with
  250. // permission P.
  251. //
  252. // If [resource_selector][] is specified, the resource section of the result
  253. // will be determined by the selector, and this flag will have no effect.
  254. // Default is false.
  255. bool expand_resources = 3 [(google.api.field_behavior) = OPTIONAL];
  256. // Optional. If true, the result will output resource edges, starting
  257. // from the policy attached resource, to any expanded resources.
  258. // Default is false.
  259. bool output_resource_edges = 4 [(google.api.field_behavior) = OPTIONAL];
  260. // Optional. If true, the result will output group identity edges, starting
  261. // from the binding's group members, to any expanded identities.
  262. // Default is false.
  263. bool output_group_edges = 5 [(google.api.field_behavior) = OPTIONAL];
  264. // Optional. If true, the response will include access analysis from identities to
  265. // resources via service account impersonation. This is a very expensive
  266. // operation, because many derived queries will be executed.
  267. //
  268. // For example, if the request analyzes for which resources user A has
  269. // permission P, and there's an IAM policy states user A has
  270. // iam.serviceAccounts.getAccessToken permission to a service account SA,
  271. // and there's another IAM policy states service account SA has permission P
  272. // to a GCP folder F, then user A potentially has access to the GCP folder
  273. // F. And those advanced analysis results will be included in
  274. // [AnalyzeIamPolicyResponse.service_account_impersonation_analysis][google.cloud.asset.v1p4beta1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis].
  275. //
  276. // Another example, if the request analyzes for who has
  277. // permission P to a GCP folder F, and there's an IAM policy states user A
  278. // has iam.serviceAccounts.actAs permission to a service account SA, and
  279. // there's another IAM policy states service account SA has permission P to
  280. // the GCP folder F, then user A potentially has access to the GCP folder
  281. // F. And those advanced analysis results will be included in
  282. // [AnalyzeIamPolicyResponse.service_account_impersonation_analysis][google.cloud.asset.v1p4beta1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis].
  283. //
  284. // Default is false.
  285. bool analyze_service_account_impersonation = 6 [(google.api.field_behavior) = OPTIONAL];
  286. }
  287. // Required. The request query.
  288. IamPolicyAnalysisQuery analysis_query = 1 [(google.api.field_behavior) = REQUIRED];
  289. // Optional. The request options.
  290. Options options = 2 [(google.api.field_behavior) = OPTIONAL];
  291. // Required. Output configuration indicating where the results will be output to.
  292. IamPolicyAnalysisOutputConfig output_config = 3 [(google.api.field_behavior) = REQUIRED];
  293. }
  294. // The export IAM policy analysis response. This message is returned by the
  295. // [google.longrunning.Operations.GetOperation][] method in the returned
  296. // [google.longrunning.Operation.response][] field.
  297. message ExportIamPolicyAnalysisResponse {
  298. // Output configuration indicating where the results were output to.
  299. IamPolicyAnalysisOutputConfig output_config = 1;
  300. }