| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485 |
- type: google.api.Service
- config_version: 2
- name: iam-meta-api.googleapis.com
- title: IAM Meta API
- apis:
- - name: google.iam.v1.IAMPolicy
- types:
- - name: google.iam.v1.PolicyDelta
- documentation:
- summary: Manages access control for Google Cloud Platform resources.
- overview: |-
- # Google Identity and Access Management (IAM) API
- Documentation of the access control API that will be implemented by all
- 1st party services provided by the Google Cloud Platform (like Cloud
- Storage, Compute Engine, App Engine).
- Any implementation of an API that offers access control features
- will implement the google.iam.v1.IAMPolicy interface.
- ## Data model
- Access control is applied when a principal (user or service account),
- takes some action on a resource exposed by a service. Resources,
- identified by
- URI-like names, are the unit of access control specification. It is up to
- the service implementations to choose what granularity of access control
- to support and what set of actions (permissions) to support for the
- resources
- they provide. For example one database service may allow access control to
- be specified only at the Table level, whereas another might allow access
- control to also be specified at the Column level.
- This is intentionally not a CRUD style API because access control policies
- are created and deleted implicitly with the resources to which they are
- attached.
- ## Policy
- A `Policy` consists of a list of bindings. A `Binding` binds a set of
- members to a role, where the members can include user accounts, user
- groups, user
- domains, and service accounts. A role is a named set of permissions,
- defined by the IAM system. The definition of a role is outside the
- policy.
- A permission check involves determining the roles that include the
- specified permission, and then determining if the principal specified by
- the check is a member of a binding to at least one of these roles. The
- membership check is recursive when a group is bound to a role.
- rules:
- - selector: google.iam.v1.IAMPolicy.GetIamPolicy
- description: |-
- Gets the access control policy for a resource. Returns an empty policy
- if the resource exists and does not have a policy set.
- - selector: google.iam.v1.IAMPolicy.SetIamPolicy
- description: |-
- Sets the access control policy on the specified resource. Replaces
- any existing policy.
- - selector: google.iam.v1.IAMPolicy.TestIamPermissions
- description: |-
- Returns permissions that a caller has on the specified resource. If the
- resource does not exist, this will return an empty set of
- permissions, not a NOT_FOUND error.
- Note: This operation is designed to be used for building
- permission-aware UIs and command-line tools, not for authorization
- checking. This operation may "fail open" without warning.
- http:
- rules:
- - selector: google.iam.v1.IAMPolicy.GetIamPolicy
- post: '/v1/{resource=**}:getIamPolicy'
- body: '*'
- - selector: google.iam.v1.IAMPolicy.SetIamPolicy
- post: '/v1/{resource=**}:setIamPolicy'
- body: '*'
- - selector: google.iam.v1.IAMPolicy.TestIamPermissions
- post: '/v1/{resource=**}:testIamPermissions'
- body: '*'
|
