You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
85 lines
3.2 KiB
85 lines
3.2 KiB
type: google.api.Service |
|
config_version: 2 |
|
name: iam-meta-api.googleapis.com |
|
title: IAM Meta API |
|
|
|
apis: |
|
- name: google.iam.v1.IAMPolicy |
|
|
|
types: |
|
- name: google.iam.v1.PolicyDelta |
|
|
|
documentation: |
|
summary: Manages access control for Google Cloud Platform resources. |
|
overview: |- |
|
# Google Identity and Access Management (IAM) API |
|
|
|
Documentation of the access control API that will be implemented by all |
|
1st party services provided by the Google Cloud Platform (like Cloud |
|
Storage, Compute Engine, App Engine). |
|
|
|
Any implementation of an API that offers access control features |
|
will implement the google.iam.v1.IAMPolicy interface. |
|
|
|
## Data model |
|
|
|
Access control is applied when a principal (user or service account), |
|
takes some action on a resource exposed by a service. Resources, |
|
identified by |
|
URI-like names, are the unit of access control specification. It is up to |
|
the service implementations to choose what granularity of access control |
|
to support and what set of actions (permissions) to support for the |
|
resources |
|
they provide. For example one database service may allow access control to |
|
be specified only at the Table level, whereas another might allow access |
|
control to also be specified at the Column level. |
|
|
|
This is intentionally not a CRUD style API because access control policies |
|
are created and deleted implicitly with the resources to which they are |
|
attached. |
|
|
|
## Policy |
|
|
|
A `Policy` consists of a list of bindings. A `Binding` binds a set of |
|
members to a role, where the members can include user accounts, user |
|
groups, user |
|
domains, and service accounts. A role is a named set of permissions, |
|
defined by the IAM system. The definition of a role is outside the |
|
policy. |
|
|
|
A permission check involves determining the roles that include the |
|
specified permission, and then determining if the principal specified by |
|
the check is a member of a binding to at least one of these roles. The |
|
membership check is recursive when a group is bound to a role. |
|
rules: |
|
- selector: google.iam.v1.IAMPolicy.GetIamPolicy |
|
description: |- |
|
Gets the access control policy for a resource. Returns an empty policy |
|
if the resource exists and does not have a policy set. |
|
|
|
- selector: google.iam.v1.IAMPolicy.SetIamPolicy |
|
description: |- |
|
Sets the access control policy on the specified resource. Replaces |
|
any existing policy. |
|
|
|
- selector: google.iam.v1.IAMPolicy.TestIamPermissions |
|
description: |- |
|
Returns permissions that a caller has on the specified resource. If the |
|
resource does not exist, this will return an empty set of |
|
permissions, not a NOT_FOUND error. |
|
|
|
Note: This operation is designed to be used for building |
|
permission-aware UIs and command-line tools, not for authorization |
|
checking. This operation may "fail open" without warning. |
|
|
|
http: |
|
rules: |
|
- selector: google.iam.v1.IAMPolicy.GetIamPolicy |
|
post: '/v1/{resource=**}:getIamPolicy' |
|
body: '*' |
|
- selector: google.iam.v1.IAMPolicy.SetIamPolicy |
|
post: '/v1/{resource=**}:setIamPolicy' |
|
body: '*' |
|
- selector: google.iam.v1.IAMPolicy.TestIamPermissions |
|
post: '/v1/{resource=**}:testIamPermissions' |
|
body: '*'
|
|
|