You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
343 lines
16 KiB
343 lines
16 KiB
// Copyright 2020 Google LLC |
|
// |
|
// Licensed under the Apache License, Version 2.0 (the "License"); |
|
// you may not use this file except in compliance with the License. |
|
// You may obtain a copy of the License at |
|
// |
|
// http://www.apache.org/licenses/LICENSE-2.0 |
|
// |
|
// Unless required by applicable law or agreed to in writing, software |
|
// distributed under the License is distributed on an "AS IS" BASIS, |
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|
// See the License for the specific language governing permissions and |
|
// limitations under the License. |
|
|
|
syntax = "proto3"; |
|
|
|
package google.cloud.asset.v1p4beta1; |
|
|
|
import "google/api/annotations.proto"; |
|
import "google/api/field_behavior.proto"; |
|
import "google/cloud/asset/v1p4beta1/assets.proto"; |
|
import "google/iam/v1/policy.proto"; |
|
import "google/longrunning/operations.proto"; |
|
import "google/protobuf/duration.proto"; |
|
import "google/api/client.proto"; |
|
|
|
option csharp_namespace = "Google.Cloud.Asset.V1P4Beta1"; |
|
option go_package = "google.golang.org/genproto/googleapis/cloud/asset/v1p4beta1;asset"; |
|
option java_multiple_files = true; |
|
option java_outer_classname = "AssetServiceProto"; |
|
option java_package = "com.google.cloud.asset.v1p4beta1"; |
|
option php_namespace = "Google\\Cloud\\Asset\\V1p4beta1"; |
|
|
|
// Asset service definition. |
|
service AssetService { |
|
option (google.api.default_host) = "cloudasset.googleapis.com"; |
|
option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform"; |
|
|
|
// Analyzes IAM policies based on the specified request. Returns |
|
// a list of [IamPolicyAnalysisResult][google.cloud.asset.v1p4beta1.IamPolicyAnalysisResult] matching the request. |
|
rpc AnalyzeIamPolicy(AnalyzeIamPolicyRequest) returns (AnalyzeIamPolicyResponse) { |
|
option (google.api.http) = { |
|
get: "/v1p4beta1/{analysis_query.parent=*/*}:analyzeIamPolicy" |
|
}; |
|
} |
|
|
|
// Exports IAM policy analysis based on the specified request. This API |
|
// implements the [google.longrunning.Operation][google.longrunning.Operation] API allowing you to keep |
|
// track of the export. The metadata contains the request to help callers to |
|
// map responses to requests. |
|
rpc ExportIamPolicyAnalysis(ExportIamPolicyAnalysisRequest) returns (google.longrunning.Operation) { |
|
option (google.api.http) = { |
|
post: "/v1p4beta1/{analysis_query.parent=*/*}:exportIamPolicyAnalysis" |
|
body: "*" |
|
}; |
|
option (google.longrunning.operation_info) = { |
|
response_type: "google.cloud.asset.v1p4beta1.ExportIamPolicyAnalysisResponse" |
|
metadata_type: "google.cloud.asset.v1p4beta1.ExportIamPolicyAnalysisRequest" |
|
}; |
|
} |
|
} |
|
|
|
// IAM policy analysis query message. |
|
message IamPolicyAnalysisQuery { |
|
// Specifies the resource to analyze for access policies, which may be set |
|
// directly on the resource, or on ancestors such as organizations, folders or |
|
// projects. At least one of [ResourceSelector][google.cloud.asset.v1p4beta1.IamPolicyAnalysisQuery.ResourceSelector], [IdentitySelector][google.cloud.asset.v1p4beta1.IamPolicyAnalysisQuery.IdentitySelector] or |
|
// [AccessSelector][google.cloud.asset.v1p4beta1.IamPolicyAnalysisQuery.AccessSelector] must be specified in a request. |
|
message ResourceSelector { |
|
// Required. The [full resource |
|
// name](https://cloud.google.com/apis/design/resource_names#full_resource_name) |
|
// . |
|
string full_resource_name = 1 [(google.api.field_behavior) = REQUIRED]; |
|
} |
|
|
|
// Specifies an identity for which to determine resource access, based on |
|
// roles assigned either directly to them or to the groups they belong to, |
|
// directly or indirectly. |
|
message IdentitySelector { |
|
// Required. The identity appear in the form of members in |
|
// [IAM policy |
|
// binding](https://cloud.google.com/iam/reference/rest/v1/Binding). |
|
string identity = 1 [(google.api.field_behavior) = REQUIRED]; |
|
} |
|
|
|
// Specifies roles and/or permissions to analyze, to determine both the |
|
// identities possessing them and the resources they control. If multiple |
|
// values are specified, results will include identities and resources |
|
// matching any of them. |
|
message AccessSelector { |
|
// Optional. The roles to appear in result. |
|
repeated string roles = 1 [(google.api.field_behavior) = OPTIONAL]; |
|
|
|
// Optional. The permissions to appear in result. |
|
repeated string permissions = 2 [(google.api.field_behavior) = OPTIONAL]; |
|
} |
|
|
|
// Required. The relative name of the root asset. Only resources and IAM policies within |
|
// the parent will be analyzed. This can only be an organization number (such |
|
// as "organizations/123") or a folder number (such as "folders/123"). |
|
string parent = 1 [(google.api.field_behavior) = REQUIRED]; |
|
|
|
// Optional. Specifies a resource for analysis. Leaving it empty means ANY. |
|
ResourceSelector resource_selector = 2 [(google.api.field_behavior) = OPTIONAL]; |
|
|
|
// Optional. Specifies an identity for analysis. Leaving it empty means ANY. |
|
IdentitySelector identity_selector = 3 [(google.api.field_behavior) = OPTIONAL]; |
|
|
|
// Optional. Specifies roles or permissions for analysis. Leaving it empty |
|
// means ANY. |
|
AccessSelector access_selector = 4 [(google.api.field_behavior) = OPTIONAL]; |
|
} |
|
|
|
// A request message for [AssetService.AnalyzeIamPolicy][google.cloud.asset.v1p4beta1.AssetService.AnalyzeIamPolicy]. |
|
message AnalyzeIamPolicyRequest { |
|
// Contains request options. |
|
message Options { |
|
// Optional. If true, the identities section of the result will expand any |
|
// Google groups appearing in an IAM policy binding. |
|
// |
|
// If [identity_selector][] is specified, the identity in the result will |
|
// be determined by the selector, and this flag will have no effect. |
|
// |
|
// Default is false. |
|
bool expand_groups = 1 [(google.api.field_behavior) = OPTIONAL]; |
|
|
|
// Optional. If true, the access section of result will expand any roles |
|
// appearing in IAM policy bindings to include their permissions. |
|
// |
|
// If [access_selector][] is specified, the access section of the result |
|
// will be determined by the selector, and this flag will have no effect. |
|
// |
|
// Default is false. |
|
bool expand_roles = 2 [(google.api.field_behavior) = OPTIONAL]; |
|
|
|
// Optional. If true, the resource section of the result will expand any |
|
// resource attached to an IAM policy to include resources lower in the |
|
// resource hierarchy. |
|
// |
|
// For example, if the request analyzes for which resources user A has |
|
// permission P, and the results include an IAM policy with P on a GCP |
|
// folder, the results will also include resources in that folder with |
|
// permission P. |
|
// |
|
// If [resource_selector][] is specified, the resource section of the result |
|
// will be determined by the selector, and this flag will have no effect. |
|
// Default is false. |
|
bool expand_resources = 3 [(google.api.field_behavior) = OPTIONAL]; |
|
|
|
// Optional. If true, the result will output resource edges, starting |
|
// from the policy attached resource, to any expanded resources. |
|
// Default is false. |
|
bool output_resource_edges = 4 [(google.api.field_behavior) = OPTIONAL]; |
|
|
|
// Optional. If true, the result will output group identity edges, starting |
|
// from the binding's group members, to any expanded identities. |
|
// Default is false. |
|
bool output_group_edges = 5 [(google.api.field_behavior) = OPTIONAL]; |
|
|
|
// Optional. If true, the response will include access analysis from identities to |
|
// resources via service account impersonation. This is a very expensive |
|
// operation, because many derived queries will be executed. We highly |
|
// recommend you use ExportIamPolicyAnalysis rpc instead. |
|
// |
|
// For example, if the request analyzes for which resources user A has |
|
// permission P, and there's an IAM policy states user A has |
|
// iam.serviceAccounts.getAccessToken permission to a service account SA, |
|
// and there's another IAM policy states service account SA has permission P |
|
// to a GCP folder F, then user A potentially has access to the GCP folder |
|
// F. And those advanced analysis results will be included in |
|
// [AnalyzeIamPolicyResponse.service_account_impersonation_analysis][google.cloud.asset.v1p4beta1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis]. |
|
// |
|
// Another example, if the request analyzes for who has |
|
// permission P to a GCP folder F, and there's an IAM policy states user A |
|
// has iam.serviceAccounts.actAs permission to a service account SA, and |
|
// there's another IAM policy states service account SA has permission P to |
|
// the GCP folder F, then user A potentially has access to the GCP folder |
|
// F. And those advanced analysis results will be included in |
|
// [AnalyzeIamPolicyResponse.service_account_impersonation_analysis][google.cloud.asset.v1p4beta1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis]. |
|
// |
|
// Default is false. |
|
bool analyze_service_account_impersonation = 6 [(google.api.field_behavior) = OPTIONAL]; |
|
|
|
// Optional. Amount of time executable has to complete. See JSON representation of |
|
// [Duration](https://developers.google.com/protocol-buffers/docs/proto3#json). |
|
// |
|
// If this field is set with a value less than the RPC deadline, and the |
|
// execution of your query hasn't finished in the specified |
|
// execution timeout, you will get a response with partial result. |
|
// Otherwise, your query's execution will continue until the RPC deadline. |
|
// If it's not finished until then, you will get a DEADLINE_EXCEEDED error. |
|
// |
|
// Default is empty. |
|
google.protobuf.Duration execution_timeout = 7 [(google.api.field_behavior) = OPTIONAL]; |
|
} |
|
|
|
// Required. The request query. |
|
IamPolicyAnalysisQuery analysis_query = 1 [(google.api.field_behavior) = REQUIRED]; |
|
|
|
// Optional. The request options. |
|
Options options = 2 [(google.api.field_behavior) = OPTIONAL]; |
|
} |
|
|
|
// A response message for [AssetService.AnalyzeIamPolicy][google.cloud.asset.v1p4beta1.AssetService.AnalyzeIamPolicy]. |
|
message AnalyzeIamPolicyResponse { |
|
// An analysis message to group the query and results. |
|
message IamPolicyAnalysis { |
|
// The analysis query. |
|
IamPolicyAnalysisQuery analysis_query = 1; |
|
|
|
// A list of [IamPolicyAnalysisResult][google.cloud.asset.v1p4beta1.IamPolicyAnalysisResult] that matches the analysis query, or |
|
// empty if no result is found. |
|
repeated IamPolicyAnalysisResult analysis_results = 2; |
|
|
|
// Represents whether all entries in the [analysis_results][google.cloud.asset.v1p4beta1.AnalyzeIamPolicyResponse.IamPolicyAnalysis.analysis_results] have been |
|
// fully explored to answer the query. |
|
bool fully_explored = 3; |
|
} |
|
|
|
// The main analysis that matches the original request. |
|
IamPolicyAnalysis main_analysis = 1; |
|
|
|
// The service account impersonation analysis if |
|
// [AnalyzeIamPolicyRequest.analyze_service_account_impersonation][] is |
|
// enabled. |
|
repeated IamPolicyAnalysis service_account_impersonation_analysis = 2; |
|
|
|
// Represents whether all entries in the [main_analysis][google.cloud.asset.v1p4beta1.AnalyzeIamPolicyResponse.main_analysis] and |
|
// [service_account_impersonation_analysis][google.cloud.asset.v1p4beta1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis] have been fully explored to |
|
// answer the query in the request. |
|
bool fully_explored = 3; |
|
|
|
// A list of non-critical errors happened during the request handling to |
|
// explain why `fully_explored` is false, or empty if no error happened. |
|
repeated IamPolicyAnalysisResult.AnalysisState non_critical_errors = 4; |
|
} |
|
|
|
// Output configuration for export IAM policy analysis destination. |
|
message IamPolicyAnalysisOutputConfig { |
|
// A Cloud Storage location. |
|
message GcsDestination { |
|
// Required. The uri of the Cloud Storage object. It's the same uri that is used by |
|
// gsutil. For example: "gs://bucket_name/object_name". See [Viewing and |
|
// Editing Object |
|
// Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata) |
|
// for more information. |
|
string uri = 1 [(google.api.field_behavior) = REQUIRED]; |
|
} |
|
|
|
// IAM policy analysis export destination. |
|
oneof destination { |
|
// Destination on Cloud Storage. |
|
GcsDestination gcs_destination = 1; |
|
} |
|
} |
|
|
|
// A request message for [AssetService.ExportIamPolicyAnalysis][google.cloud.asset.v1p4beta1.AssetService.ExportIamPolicyAnalysis]. |
|
message ExportIamPolicyAnalysisRequest { |
|
// Contains request options. |
|
message Options { |
|
// Optional. If true, the identities section of the result will expand any |
|
// Google groups appearing in an IAM policy binding. |
|
// |
|
// If [identity_selector][] is specified, the identity in the result will |
|
// be determined by the selector, and this flag will have no effect. |
|
// |
|
// Default is false. |
|
bool expand_groups = 1 [(google.api.field_behavior) = OPTIONAL]; |
|
|
|
// Optional. If true, the access section of result will expand any roles |
|
// appearing in IAM policy bindings to include their permissions. |
|
// |
|
// If [access_selector][] is specified, the access section of the result |
|
// will be determined by the selector, and this flag will have no effect. |
|
// |
|
// Default is false. |
|
bool expand_roles = 2 [(google.api.field_behavior) = OPTIONAL]; |
|
|
|
// Optional. If true, the resource section of the result will expand any |
|
// resource attached to an IAM policy to include resources lower in the |
|
// resource hierarchy. |
|
// |
|
// For example, if the request analyzes for which resources user A has |
|
// permission P, and the results include an IAM policy with P on a GCP |
|
// folder, the results will also include resources in that folder with |
|
// permission P. |
|
// |
|
// If [resource_selector][] is specified, the resource section of the result |
|
// will be determined by the selector, and this flag will have no effect. |
|
// Default is false. |
|
bool expand_resources = 3 [(google.api.field_behavior) = OPTIONAL]; |
|
|
|
// Optional. If true, the result will output resource edges, starting |
|
// from the policy attached resource, to any expanded resources. |
|
// Default is false. |
|
bool output_resource_edges = 4 [(google.api.field_behavior) = OPTIONAL]; |
|
|
|
// Optional. If true, the result will output group identity edges, starting |
|
// from the binding's group members, to any expanded identities. |
|
// Default is false. |
|
bool output_group_edges = 5 [(google.api.field_behavior) = OPTIONAL]; |
|
|
|
// Optional. If true, the response will include access analysis from identities to |
|
// resources via service account impersonation. This is a very expensive |
|
// operation, because many derived queries will be executed. |
|
// |
|
// For example, if the request analyzes for which resources user A has |
|
// permission P, and there's an IAM policy states user A has |
|
// iam.serviceAccounts.getAccessToken permission to a service account SA, |
|
// and there's another IAM policy states service account SA has permission P |
|
// to a GCP folder F, then user A potentially has access to the GCP folder |
|
// F. And those advanced analysis results will be included in |
|
// [AnalyzeIamPolicyResponse.service_account_impersonation_analysis][google.cloud.asset.v1p4beta1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis]. |
|
// |
|
// Another example, if the request analyzes for who has |
|
// permission P to a GCP folder F, and there's an IAM policy states user A |
|
// has iam.serviceAccounts.actAs permission to a service account SA, and |
|
// there's another IAM policy states service account SA has permission P to |
|
// the GCP folder F, then user A potentially has access to the GCP folder |
|
// F. And those advanced analysis results will be included in |
|
// [AnalyzeIamPolicyResponse.service_account_impersonation_analysis][google.cloud.asset.v1p4beta1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis]. |
|
// |
|
// Default is false. |
|
bool analyze_service_account_impersonation = 6 [(google.api.field_behavior) = OPTIONAL]; |
|
} |
|
|
|
// Required. The request query. |
|
IamPolicyAnalysisQuery analysis_query = 1 [(google.api.field_behavior) = REQUIRED]; |
|
|
|
// Optional. The request options. |
|
Options options = 2 [(google.api.field_behavior) = OPTIONAL]; |
|
|
|
// Required. Output configuration indicating where the results will be output to. |
|
IamPolicyAnalysisOutputConfig output_config = 3 [(google.api.field_behavior) = REQUIRED]; |
|
} |
|
|
|
// The export IAM policy analysis response. This message is returned by the |
|
// [google.longrunning.Operations.GetOperation][] method in the returned |
|
// [google.longrunning.Operation.response][] field. |
|
message ExportIamPolicyAnalysisResponse { |
|
// Output configuration indicating where the results were output to. |
|
IamPolicyAnalysisOutputConfig output_config = 1; |
|
}
|
|
|