clearOrgPolicy(resource=*, body=None, x__xgafv=None)
Clears a `Policy` from a resource.
create(body=None, x__xgafv=None)
Request that a new Project be created. The result is an Operation which
delete(projectId=None, x__xgafv=None)
Marks the Project identified by the specified
get(projectId=None, x__xgafv=None)
Retrieves the Project identified by the specified
getAncestry(projectId=None, body=None, x__xgafv=None)
Gets a list of ancestors in the resource hierarchy for the Project
getEffectiveOrgPolicy(resource=*, body=None, x__xgafv=None)
Gets the effective `Policy` on a resource. This is the result of merging
getIamPolicy(resource=None, body=None, x__xgafv=None)
Returns the IAM access control policy for the specified Project.
getOrgPolicy(resource=*, body=None, x__xgafv=None)
Gets a `Policy` on a resource.
list(pageSize=None, pageToken=None, x__xgafv=None, filter=None)
Lists Projects that the caller has the `resourcemanager.projects.get`
listAvailableOrgPolicyConstraints(resource=*, body=None, x__xgafv=None)
Lists `Constraints` that could be applied on the specified resource.
listAvailableOrgPolicyConstraints_next(previous_request=*, previous_response=*)
Retrieves the next page of results.
listOrgPolicies(resource=*, body=None, x__xgafv=None)
Lists all the `Policies` set for a particular resource.
listOrgPolicies_next(previous_request=*, previous_response=*)
Retrieves the next page of results.
list_next(previous_request=*, previous_response=*)
Retrieves the next page of results.
setIamPolicy(resource=None, body=None, x__xgafv=None)
Sets the IAM access control policy for the specified Project. Overwrites
setOrgPolicy(resource=*, body=None, x__xgafv=None)
Updates the specified `Policy` on the resource. Creates a new `Policy` for
testIamPermissions(resource=None, body=None, x__xgafv=None)
Returns permissions that a caller has on the specified Project.
undelete(projectId=None, body=None, x__xgafv=None)
Restores the Project identified by the specified
update(projectId=None, body=None, x__xgafv=None)
Updates the attributes of the Project identified by the specified
clearOrgPolicy(resource=*, body=None, x__xgafv=None)
Clears a `Policy` from a resource.
Args:
resource: string, Name of the resource for the `Policy` to clear. (required)
body: object, The request body.
The object takes the form of:
{ # The request sent to the ClearOrgPolicy method.
"etag": "A String", # The current version, for concurrency control. Not sending an `etag`
# will cause the `Policy` to be cleared blindly.
"constraint": "A String", # Name of the `Constraint` of the `Policy` to clear.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # A generic empty message that you can re-use to avoid defining duplicated
# empty messages in your APIs. A typical example is to use it as the request
# or the response type of an API method. For instance:
#
# service Foo {
# rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
# }
#
# The JSON representation for `Empty` is empty JSON object `{}`.
}
create(body=None, x__xgafv=None)
Request that a new Project be created. The result is an Operation which
can be used to track the creation process. This process usually takes a few
seconds, but can sometimes take much longer. The tracking Operation is
automatically deleted after a few hours, so there is no need to call
DeleteOperation.
Authorization requires the Google IAM permission
`resourcemanager.projects.create` on the specified parent for the new
project. The parent is identified by a specified ResourceId,
which must include both an ID and a type, such as organization.
This method does not associate the new project with a billing account.
You can set or update the billing account associated with a project using
the [`projects.updateBillingInfo`]
(/billing/reference/rest/v1/projects/updateBillingInfo) method.
Args:
body: object, The request body.
The object takes the form of:
{ # A Project is a high-level Google Cloud Platform entity. It is a
# container for ACLs, APIs, App Engine Apps, VMs, and other
# Google Cloud Platform resources.
"name": "A String", # The optional user-assigned display name of the Project.
# When present it must be between 4 to 30 characters.
# Allowed characters are: lowercase and uppercase letters, numbers,
# hyphen, single-quote, double-quote, space, and exclamation point.
#
# Example: <code>My Project</code>
# Read-write.
"parent": { # A container to reference an id for any resource type. A `resource` in Google # An optional reference to a parent Resource.
#
# Supported parent types include "organization" and "folder". Once set, the
# parent cannot be cleared. The `parent` can be set on creation or using the
# `UpdateProject` method; the end user must have the
# `resourcemanager.projects.create` permission on the parent.
#
# Read-write.
# Cloud Platform is a generic term for something you (a developer) may want to
# interact with through one of our API's. Some examples are an App Engine app,
# a Compute Engine instance, a Cloud SQL database, and so on.
"type": "A String", # Required field representing the resource type this id is for.
# At present, the valid types are: "organization", "folder", and "project".
"id": "A String", # Required field for the type-specific id. This should correspond to the id
# used in the type-specific API's.
},
"projectId": "A String", # The unique, user-assigned ID of the Project.
# It must be 6 to 30 lowercase letters, digits, or hyphens.
# It must start with a letter.
# Trailing hyphens are prohibited.
#
# Example: <code>tokyo-rain-123</code>
# Read-only after creation.
"labels": { # The labels associated with this Project.
#
# Label keys must be between 1 and 63 characters long and must conform
# to the following regular expression: \[a-z\](\[-a-z0-9\]*\[a-z0-9\])?.
#
# Label values must be between 0 and 63 characters long and must conform
# to the regular expression (\[a-z\](\[-a-z0-9\]*\[a-z0-9\])?)?. A label
# value can be empty.
#
# No more than 256 labels can be associated with a given resource.
#
# Clients should store labels in a representation such as JSON that does not
# depend on specific characters being disallowed.
#
# Example: <code>"environment" : "dev"</code>
# Read-write.
"a_key": "A String",
},
"projectNumber": "A String", # The number uniquely identifying the project.
#
# Example: <code>415104041262</code>
# Read-only.
"lifecycleState": "A String", # The Project lifecycle state.
#
# Read-only.
"createTime": "A String", # Creation time.
#
# Read-only.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # This resource represents a long-running operation that is the result of a
# network API call.
"metadata": { # Service-specific metadata associated with the operation. It typically
# contains progress information and common metadata such as create time.
# Some services might not provide such metadata. Any method that returns a
# long-running operation should document the metadata type, if any.
"a_key": "", # Properties of the object. Contains field @type with type URL.
},
"error": { # The `Status` type defines a logical error model that is suitable for # The error result of the operation in case of failure or cancellation.
# different programming environments, including REST APIs and RPC APIs. It is
# used by [gRPC](https://github.com/grpc). Each `Status` message contains
# three pieces of data: error code, error message, and error details.
#
# You can find out more about this error model and how to work with it in the
# [API Design Guide](https://cloud.google.com/apis/design/errors).
"message": "A String", # A developer-facing error message, which should be in English. Any
# user-facing error message should be localized and sent in the
# google.rpc.Status.details field, or localized by the client.
"code": 42, # The status code, which should be an enum value of google.rpc.Code.
"details": [ # A list of messages that carry the error details. There is a common set of
# message types for APIs to use.
{
"a_key": "", # Properties of the object. Contains field @type with type URL.
},
],
},
"done": True or False, # If the value is `false`, it means the operation is still in progress.
# If `true`, the operation is completed, and either `error` or `response` is
# available.
"response": { # The normal response of the operation in case of success. If the original
# method returns no data on success, such as `Delete`, the response is
# `google.protobuf.Empty`. If the original method is standard
# `Get`/`Create`/`Update`, the response should be the resource. For other
# methods, the response should have the type `XxxResponse`, where `Xxx`
# is the original method name. For example, if the original method name
# is `TakeSnapshot()`, the inferred response type is
# `TakeSnapshotResponse`.
"a_key": "", # Properties of the object. Contains field @type with type URL.
},
"name": "A String", # The server-assigned name, which is only unique within the same service that
# originally returns it. If you use the default HTTP mapping, the
# `name` should be a resource name ending with `operations/{unique_id}`.
}
delete(projectId=None, x__xgafv=None)
Marks the Project identified by the specified
`project_id` (for example, `my-project-123`) for deletion.
This method will only affect the Project if it has a lifecycle state of
ACTIVE.
This method changes the Project's lifecycle state from
ACTIVE
to DELETE_REQUESTED.
The deletion starts at an unspecified time,
at which point the Project is no longer accessible.
Until the deletion completes, you can check the lifecycle state
checked by retrieving the Project with GetProject,
and the Project remains visible to ListProjects.
However, you cannot update the project.
After the deletion completes, the Project is not retrievable by
the GetProject and
ListProjects methods.
The caller must have modify permissions for this Project.
Args:
projectId: string, The Project ID (for example, `foo-bar-123`).
Required. (required)
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # A generic empty message that you can re-use to avoid defining duplicated
# empty messages in your APIs. A typical example is to use it as the request
# or the response type of an API method. For instance:
#
# service Foo {
# rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
# }
#
# The JSON representation for `Empty` is empty JSON object `{}`.
}
get(projectId=None, x__xgafv=None)
Retrieves the Project identified by the specified
`project_id` (for example, `my-project-123`).
The caller must have read permissions for this Project.
Args:
projectId: string, The Project ID (for example, `my-project-123`).
Required. (required)
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # A Project is a high-level Google Cloud Platform entity. It is a
# container for ACLs, APIs, App Engine Apps, VMs, and other
# Google Cloud Platform resources.
"name": "A String", # The optional user-assigned display name of the Project.
# When present it must be between 4 to 30 characters.
# Allowed characters are: lowercase and uppercase letters, numbers,
# hyphen, single-quote, double-quote, space, and exclamation point.
#
# Example: <code>My Project</code>
# Read-write.
"parent": { # A container to reference an id for any resource type. A `resource` in Google # An optional reference to a parent Resource.
#
# Supported parent types include "organization" and "folder". Once set, the
# parent cannot be cleared. The `parent` can be set on creation or using the
# `UpdateProject` method; the end user must have the
# `resourcemanager.projects.create` permission on the parent.
#
# Read-write.
# Cloud Platform is a generic term for something you (a developer) may want to
# interact with through one of our API's. Some examples are an App Engine app,
# a Compute Engine instance, a Cloud SQL database, and so on.
"type": "A String", # Required field representing the resource type this id is for.
# At present, the valid types are: "organization", "folder", and "project".
"id": "A String", # Required field for the type-specific id. This should correspond to the id
# used in the type-specific API's.
},
"projectId": "A String", # The unique, user-assigned ID of the Project.
# It must be 6 to 30 lowercase letters, digits, or hyphens.
# It must start with a letter.
# Trailing hyphens are prohibited.
#
# Example: <code>tokyo-rain-123</code>
# Read-only after creation.
"labels": { # The labels associated with this Project.
#
# Label keys must be between 1 and 63 characters long and must conform
# to the following regular expression: \[a-z\](\[-a-z0-9\]*\[a-z0-9\])?.
#
# Label values must be between 0 and 63 characters long and must conform
# to the regular expression (\[a-z\](\[-a-z0-9\]*\[a-z0-9\])?)?. A label
# value can be empty.
#
# No more than 256 labels can be associated with a given resource.
#
# Clients should store labels in a representation such as JSON that does not
# depend on specific characters being disallowed.
#
# Example: <code>"environment" : "dev"</code>
# Read-write.
"a_key": "A String",
},
"projectNumber": "A String", # The number uniquely identifying the project.
#
# Example: <code>415104041262</code>
# Read-only.
"lifecycleState": "A String", # The Project lifecycle state.
#
# Read-only.
"createTime": "A String", # Creation time.
#
# Read-only.
}
getAncestry(projectId=None, body=None, x__xgafv=None)
Gets a list of ancestors in the resource hierarchy for the Project
identified by the specified `project_id` (for example, `my-project-123`).
The caller must have read permissions for this Project.
Args:
projectId: string, The Project ID (for example, `my-project-123`).
Required. (required)
body: object, The request body.
The object takes the form of:
{ # The request sent to the
# GetAncestry
# method.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response from the GetAncestry method.
"ancestor": [ # Ancestors are ordered from bottom to top of the resource hierarchy. The
# first ancestor is the project itself, followed by the project's parent,
# etc..
{ # Identifying information for a single ancestor of a project.
"resourceId": { # A container to reference an id for any resource type. A `resource` in Google # Resource id of the ancestor.
# Cloud Platform is a generic term for something you (a developer) may want to
# interact with through one of our API's. Some examples are an App Engine app,
# a Compute Engine instance, a Cloud SQL database, and so on.
"type": "A String", # Required field representing the resource type this id is for.
# At present, the valid types are: "organization", "folder", and "project".
"id": "A String", # Required field for the type-specific id. This should correspond to the id
# used in the type-specific API's.
},
},
],
}
getEffectiveOrgPolicy(resource=*, body=None, x__xgafv=None)
Gets the effective `Policy` on a resource. This is the result of merging
`Policies` in the resource hierarchy. The returned `Policy` will not have
an `etag`set because it is a computed `Policy` across multiple resources.
Subtrees of Resource Manager resource hierarchy with 'under:' prefix will
not be expanded.
Args:
resource: string, The name of the resource to start computing the effective `Policy`. (required)
body: object, The request body.
The object takes the form of:
{ # The request sent to the GetEffectiveOrgPolicy method.
"constraint": "A String", # The name of the `Constraint` to compute the effective `Policy`.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
# for configurations of Cloud Platform resources.
"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
# server, not specified by the caller, and represents the last time a call to
# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
# be ignored.
"version": 42, # Version of the `Policy`. Default version is 0;
"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
# `constraints/serviceuser.services`.
#
# Immutable after creation.
"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
# `Constraint` type.
# `constraint_default` enforcement behavior of the specific `Constraint` at
# this resource.
#
# Suppose that `constraint_default` is set to `ALLOW` for the
# `Constraint` `constraints/serviceuser.services`. Suppose that organization
# foo.com sets a `Policy` at their Organization resource node that restricts
# the allowed service activations to deny all service activations. They
# could then set a `Policy` with the `policy_type` `restore_default` on
# several experimental projects, restoring the `constraint_default`
# enforcement of the `Constraint` for only those projects, allowing those
# projects to have all services activated.
},
"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
# resource.
#
# `ListPolicy` can define specific values and subtrees of Cloud Resource
# Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
# are allowed or denied by setting the `allowed_values` and `denied_values`
# fields. This is achieved by using the `under:` and optional `is:` prefixes.
# The `under:` prefix is used to denote resource subtree values.
# The `is:` prefix is used to denote specific values, and is required only
# if the value contains a ":". Values prefixed with "is:" are treated the
# same as values with no prefix.
# Ancestry subtrees must be in one of the following formats:
# - "projects/<project-id>", e.g. "projects/tokyo-rain-123"
# - "folders/<folder-id>", e.g. "folders/1234"
# - "organizations/<organization-id>", e.g. "organizations/1234"
# The `supports_under` field of the associated `Constraint` defines whether
# ancestry prefixes can be used. You can set `allowed_values` and
# `denied_values` in the same `Policy` if `all_values` is
# `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
# values. If `all_values` is set to either `ALLOW` or `DENY`,
# `allowed_values` and `denied_values` must be unset.
"allValues": "A String", # The policy all_values state.
"deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
# is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
#
# By default, a `ListPolicy` set at a resource supercedes any `Policy` set
# anywhere up the resource hierarchy. However, if `inherit_from_parent` is
# set to `true`, then the values from the effective `Policy` of the parent
# resource are inherited, meaning the values set in this `Policy` are
# added to the values inherited up the hierarchy.
#
# Setting `Policy` hierarchies that inherit both allowed values and denied
# values isn't recommended in most circumstances to keep the configuration
# simple and understandable. However, it is possible to set a `Policy` with
# `allowed_values` set that inherits a `Policy` with `denied_values` set.
# In this case, the values that are allowed must be in `allowed_values` and
# not present in `denied_values`.
#
# For example, suppose you have a `Constraint`
# `constraints/serviceuser.services`, which has a `constraint_type` of
# `list_constraint`, and with `constraint_default` set to `ALLOW`.
# Suppose that at the Organization level, a `Policy` is applied that
# restricts the allowed API activations to {`E1`, `E2`}. Then, if a
# `Policy` is applied to a project below the Organization that has
# `inherit_from_parent` set to `false` and field all_values set to DENY,
# then an attempt to activate any API will be denied.
#
# The following examples demonstrate different possible layerings for
# `projects/bar` parented by `organizations/foo`:
#
# Example 1 (no inherited values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values:"E2"}
# `projects/bar` has `inherit_from_parent` `false` and values:
# {allowed_values: "E3" allowed_values: "E4"}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are `E3`, and `E4`.
#
# Example 2 (inherited values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values:"E2"}
# `projects/bar` has a `Policy` with values:
# {value: "E3" value: "E4" inherit_from_parent: true}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
#
# Example 3 (inheriting both allowed and denied values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values: "E2"}
# `projects/bar` has a `Policy` with:
# {denied_values: "E1"}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The value accepted at `projects/bar` is `E2`.
#
# Example 4 (RestoreDefault):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values:"E2"}
# `projects/bar` has a `Policy` with values:
# {RestoreDefault: {}}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are either all or none depending on
# the value of `constraint_default` (if `ALLOW`, all; if
# `DENY`, none).
#
# Example 5 (no policy inherits parent policy):
# `organizations/foo` has no `Policy` set.
# `projects/bar` has no `Policy` set.
# The accepted values at both levels are either all or none depending on
# the value of `constraint_default` (if `ALLOW`, all; if
# `DENY`, none).
#
# Example 6 (ListConstraint allowing all):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values: "E2"}
# `projects/bar` has a `Policy` with:
# {all: ALLOW}
# The accepted values at `organizations/foo` are `E1`, E2`.
# Any value is accepted at `projects/bar`.
#
# Example 7 (ListConstraint allowing none):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values: "E2"}
# `projects/bar` has a `Policy` with:
# {all: DENY}
# The accepted values at `organizations/foo` are `E1`, E2`.
# No value is accepted at `projects/bar`.
#
# Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
# Given the following resource hierarchy
# O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "under:organizations/O1"}
# `projects/bar` has a `Policy` with:
# {allowed_values: "under:projects/P3"}
# {denied_values: "under:folders/F2"}
# The accepted values at `organizations/foo` are `organizations/O1`,
# `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
# `projects/P3`.
# The accepted values at `projects/bar` are `organizations/O1`,
# `folders/F1`, `projects/P1`.
"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
# that matches the value specified in this `Policy`. If `suggested_value`
# is not set, it will inherit the value specified higher in the hierarchy,
# unless `inherit_from_parent` is `false`.
"allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
# is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
},
"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
# resource.
"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
# configuration is acceptable.
#
# Suppose you have a `Constraint`
# `constraints/compute.disableSerialPortAccess` with `constraint_default`
# set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
# behavior:
# - If the `Policy` at this resource has enforced set to `false`, serial
# port connection attempts will be allowed.
# - If the `Policy` at this resource has enforced set to `true`, serial
# port connection attempts will be refused.
# - If the `Policy` at this resource is `RestoreDefault`, serial port
# connection attempts will be allowed.
# - If no `Policy` is set at this resource or anywhere higher in the
# resource hierarchy, serial port connection attempts will be allowed.
# - If no `Policy` is set at this resource, but one exists higher in the
# resource hierarchy, the behavior is as if the`Policy` were set at
# this resource.
#
# The following examples demonstrate the different possible layerings:
#
# Example 1 (nearest `Constraint` wins):
# `organizations/foo` has a `Policy` with:
# {enforced: false}
# `projects/bar` has no `Policy` set.
# The constraint at `projects/bar` and `organizations/foo` will not be
# enforced.
#
# Example 2 (enforcement gets replaced):
# `organizations/foo` has a `Policy` with:
# {enforced: false}
# `projects/bar` has a `Policy` with:
# {enforced: true}
# The constraint at `organizations/foo` is not enforced.
# The constraint at `projects/bar` is enforced.
#
# Example 3 (RestoreDefault):
# `organizations/foo` has a `Policy` with:
# {enforced: true}
# `projects/bar` has a `Policy` with:
# {RestoreDefault: {}}
# The constraint at `organizations/foo` is enforced.
# The constraint at `projects/bar` is not enforced, because
# `constraint_default` for the `Constraint` is `ALLOW`.
},
"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
# concurrency control.
#
# When the `Policy` is returned from either a `GetPolicy` or a
# `ListOrgPolicy` request, this `etag` indicates the version of the current
# `Policy` to use when executing a read-modify-write loop.
#
# When the `Policy` is returned from a `GetEffectivePolicy` request, the
# `etag` will be unset.
#
# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
# that was returned from a `GetOrgPolicy` request as part of a
# read-modify-write loop for concurrency control. Not setting the `etag`in a
# `SetOrgPolicy` request will result in an unconditional write of the
# `Policy`.
}
getIamPolicy(resource=None, body=None, x__xgafv=None)
Returns the IAM access control policy for the specified Project.
Permission is denied if the policy or the resource does not exist.
Authorization requires the Google IAM permission
`resourcemanager.projects.getIamPolicy` on the project.
For additional information about resource structure and identification,
see [Resource Names](/apis/design/resource_names).
Args:
resource: string, REQUIRED: The resource for which the policy is being requested.
See the operation documentation for the appropriate value for this field. (required)
body: object, The request body.
The object takes the form of:
{ # Request message for `GetIamPolicy` method.
"options": { # Encapsulates settings provided to GetIamPolicy. # OPTIONAL: A `GetPolicyOptions` object for specifying options to
# `GetIamPolicy`. This field is only used by Cloud IAM.
"requestedPolicyVersion": 42, # Optional. The policy format version to be returned.
#
# Valid values are 0, 1, and 3. Requests specifying an invalid value will be
# rejected.
#
# Requests for policies with any conditional bindings must specify version 3.
# Policies without any conditional bindings may specify any valid value or
# leave the field unset.
},
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # An Identity and Access Management (IAM) policy, which specifies access
# controls for Google Cloud resources.
#
#
# A `Policy` is a collection of `bindings`. A `binding` binds one or more
# `members` to a single `role`. Members can be user accounts, service accounts,
# Google groups, and domains (such as G Suite). A `role` is a named list of
# permissions; each `role` can be an IAM predefined role or a user-created
# custom role.
#
# Optionally, a `binding` can specify a `condition`, which is a logical
# expression that allows access to a resource only if the expression evaluates
# to `true`. A condition can add constraints based on attributes of the
# request, the resource, or both.
#
# **JSON example:**
#
# {
# "bindings": [
# {
# "role": "roles/resourcemanager.organizationAdmin",
# "members": [
# "user:mike@example.com",
# "group:admins@example.com",
# "domain:google.com",
# "serviceAccount:my-project-id@appspot.gserviceaccount.com"
# ]
# },
# {
# "role": "roles/resourcemanager.organizationViewer",
# "members": ["user:eve@example.com"],
# "condition": {
# "title": "expirable access",
# "description": "Does not grant access after Sep 2020",
# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",
# }
# }
# ],
# "etag": "BwWWja0YfJA=",
# "version": 3
# }
#
# **YAML example:**
#
# bindings:
# - members:
# - user:mike@example.com
# - group:admins@example.com
# - domain:google.com
# - serviceAccount:my-project-id@appspot.gserviceaccount.com
# role: roles/resourcemanager.organizationAdmin
# - members:
# - user:eve@example.com
# role: roles/resourcemanager.organizationViewer
# condition:
# title: expirable access
# description: Does not grant access after Sep 2020
# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
# - etag: BwWWja0YfJA=
# - version: 3
#
# For a description of IAM and its features, see the
# [IAM documentation](https://cloud.google.com/iam/docs/).
"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
{ # Specifies the audit configuration for a service.
# The configuration determines which permission types are logged, and what
# identities, if any, are exempted from logging.
# An AuditConfig must have one or more AuditLogConfigs.
#
# If there are AuditConfigs for both `allServices` and a specific service,
# the union of the two AuditConfigs is used for that service: the log_types
# specified in each AuditConfig are enabled, and the exempted_members in each
# AuditLogConfig are exempted.
#
# Example Policy with multiple AuditConfigs:
#
# {
# "audit_configs": [
# {
# "service": "allServices"
# "audit_log_configs": [
# {
# "log_type": "DATA_READ",
# "exempted_members": [
# "user:jose@example.com"
# ]
# },
# {
# "log_type": "DATA_WRITE",
# },
# {
# "log_type": "ADMIN_READ",
# }
# ]
# },
# {
# "service": "sampleservice.googleapis.com"
# "audit_log_configs": [
# {
# "log_type": "DATA_READ",
# },
# {
# "log_type": "DATA_WRITE",
# "exempted_members": [
# "user:aliya@example.com"
# ]
# }
# ]
# }
# ]
# }
#
# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
# logging. It also exempts jose@example.com from DATA_READ logging, and
# aliya@example.com from DATA_WRITE logging.
"auditLogConfigs": [ # The configuration for logging of each type of permission.
{ # Provides the configuration for logging a type of permissions.
# Example:
#
# {
# "audit_log_configs": [
# {
# "log_type": "DATA_READ",
# "exempted_members": [
# "user:jose@example.com"
# ]
# },
# {
# "log_type": "DATA_WRITE",
# }
# ]
# }
#
# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
# jose@example.com from DATA_READ logging.
"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
# permission.
# Follows the same format of Binding.members.
"A String",
],
"logType": "A String", # The log type that this config enables.
},
],
"service": "A String", # Specifies a service that will be enabled for audit logging.
# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
# `allServices` is a special value that covers all services.
},
],
"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
# prevent simultaneous updates of a policy from overwriting each other.
# It is strongly suggested that systems make use of the `etag` in the
# read-modify-write cycle to perform policy updates in order to avoid race
# conditions: An `etag` is returned in the response to `getIamPolicy`, and
# systems are expected to put that etag in the request to `setIamPolicy` to
# ensure that their change will be applied to the same version of the policy.
#
# **Important:** If you use IAM Conditions, you must include the `etag` field
# whenever you call `setIamPolicy`. If you omit this field, then IAM allows
# you to overwrite a version `3` policy with a version `1` policy, and all of
# the conditions in the version `3` policy are lost.
"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a
# `condition` that determines how and when the `bindings` are applied. Each
# of the `bindings` must contain at least one member.
{ # Associates `members` with a `role`.
"role": "A String", # Role that is assigned to `members`.
# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
"members": [ # Specifies the identities requesting access for a Cloud Platform resource.
# `members` can have the following values:
#
# * `allUsers`: A special identifier that represents anyone who is
# on the internet; with or without a Google account.
#
# * `allAuthenticatedUsers`: A special identifier that represents anyone
# who is authenticated with a Google account or a service account.
#
# * `user:{emailid}`: An email address that represents a specific Google
# account. For example, `alice@example.com` .
#
#
# * `serviceAccount:{emailid}`: An email address that represents a service
# account. For example, `my-other-app@appspot.gserviceaccount.com`.
#
# * `group:{emailid}`: An email address that represents a Google group.
# For example, `admins@example.com`.
#
# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
# identifier) representing a user that has been recently deleted. For
# example, `alice@example.com?uid=123456789012345678901`. If the user is
# recovered, this value reverts to `user:{emailid}` and the recovered user
# retains the role in the binding.
#
# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
# unique identifier) representing a service account that has been recently
# deleted. For example,
# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
# If the service account is undeleted, this value reverts to
# `serviceAccount:{emailid}` and the undeleted service account retains the
# role in the binding.
#
# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
# identifier) representing a Google group that has been recently
# deleted. For example, `admins@example.com?uid=123456789012345678901`. If
# the group is recovered, this value reverts to `group:{emailid}` and the
# recovered group retains the role in the binding.
#
#
# * `domain:{domain}`: The G Suite domain (primary) that represents all the
# users of that domain. For example, `google.com` or `example.com`.
#
"A String",
],
"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.
# NOTE: An unsatisfied condition will not allow user access via current
# binding. Different bindings, including their conditions, are examined
# independently.
# syntax. CEL is a C-like expression language. The syntax and semantics of CEL
# are documented at https://github.com/google/cel-spec.
#
# Example (Comparison):
#
# title: "Summary size limit"
# description: "Determines if a summary is less than 100 chars"
# expression: "document.summary.size() < 100"
#
# Example (Equality):
#
# title: "Requestor is owner"
# description: "Determines if requestor is the document owner"
# expression: "document.owner == request.auth.claims.email"
#
# Example (Logic):
#
# title: "Public documents"
# description: "Determine whether the document should be publicly visible"
# expression: "document.type != 'private' && document.type != 'internal'"
#
# Example (Data Manipulation):
#
# title: "Notification string"
# description: "Create a notification string with a timestamp."
# expression: "'New message received at ' + string(document.create_time)"
#
# The exact variables and functions that may be referenced within an expression
# are determined by the service that evaluates it. See the service
# documentation for additional information.
"description": "A String", # Optional. Description of the expression. This is a longer text which
# describes the expression, e.g. when hovered over it in a UI.
"expression": "A String", # Textual representation of an expression in Common Expression Language
# syntax.
"location": "A String", # Optional. String indicating the location of the expression for error
# reporting, e.g. a file name and a position in the file.
"title": "A String", # Optional. Title for the expression, i.e. a short string describing
# its purpose. This can be used e.g. in UIs which allow to enter the
# expression.
},
},
],
"version": 42, # Specifies the format of the policy.
#
# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
# are rejected.
#
# Any operation that affects conditional role bindings must specify version
# `3`. This requirement applies to the following operations:
#
# * Getting a policy that includes a conditional role binding
# * Adding a conditional role binding to a policy
# * Changing a conditional role binding in a policy
# * Removing any role binding, with or without a condition, from a policy
# that includes conditions
#
# **Important:** If you use IAM Conditions, you must include the `etag` field
# whenever you call `setIamPolicy`. If you omit this field, then IAM allows
# you to overwrite a version `3` policy with a version `1` policy, and all of
# the conditions in the version `3` policy are lost.
#
# If a policy does not include any conditions, operations on that policy may
# specify any valid version or leave the field unset.
}
getOrgPolicy(resource=*, body=None, x__xgafv=None)
Gets a `Policy` on a resource.
If no `Policy` is set on the resource, a `Policy` is returned with default
values including `POLICY_TYPE_NOT_SET` for the `policy_type oneof`. The
`etag` value can be used with `SetOrgPolicy()` to create or update a
`Policy` during read-modify-write.
Args:
resource: string, Name of the resource the `Policy` is set on. (required)
body: object, The request body.
The object takes the form of:
{ # The request sent to the GetOrgPolicy method.
"constraint": "A String", # Name of the `Constraint` to get the `Policy`.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
# for configurations of Cloud Platform resources.
"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
# server, not specified by the caller, and represents the last time a call to
# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
# be ignored.
"version": 42, # Version of the `Policy`. Default version is 0;
"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
# `constraints/serviceuser.services`.
#
# Immutable after creation.
"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
# `Constraint` type.
# `constraint_default` enforcement behavior of the specific `Constraint` at
# this resource.
#
# Suppose that `constraint_default` is set to `ALLOW` for the
# `Constraint` `constraints/serviceuser.services`. Suppose that organization
# foo.com sets a `Policy` at their Organization resource node that restricts
# the allowed service activations to deny all service activations. They
# could then set a `Policy` with the `policy_type` `restore_default` on
# several experimental projects, restoring the `constraint_default`
# enforcement of the `Constraint` for only those projects, allowing those
# projects to have all services activated.
},
"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
# resource.
#
# `ListPolicy` can define specific values and subtrees of Cloud Resource
# Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
# are allowed or denied by setting the `allowed_values` and `denied_values`
# fields. This is achieved by using the `under:` and optional `is:` prefixes.
# The `under:` prefix is used to denote resource subtree values.
# The `is:` prefix is used to denote specific values, and is required only
# if the value contains a ":". Values prefixed with "is:" are treated the
# same as values with no prefix.
# Ancestry subtrees must be in one of the following formats:
# - "projects/<project-id>", e.g. "projects/tokyo-rain-123"
# - "folders/<folder-id>", e.g. "folders/1234"
# - "organizations/<organization-id>", e.g. "organizations/1234"
# The `supports_under` field of the associated `Constraint` defines whether
# ancestry prefixes can be used. You can set `allowed_values` and
# `denied_values` in the same `Policy` if `all_values` is
# `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
# values. If `all_values` is set to either `ALLOW` or `DENY`,
# `allowed_values` and `denied_values` must be unset.
"allValues": "A String", # The policy all_values state.
"deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
# is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
#
# By default, a `ListPolicy` set at a resource supercedes any `Policy` set
# anywhere up the resource hierarchy. However, if `inherit_from_parent` is
# set to `true`, then the values from the effective `Policy` of the parent
# resource are inherited, meaning the values set in this `Policy` are
# added to the values inherited up the hierarchy.
#
# Setting `Policy` hierarchies that inherit both allowed values and denied
# values isn't recommended in most circumstances to keep the configuration
# simple and understandable. However, it is possible to set a `Policy` with
# `allowed_values` set that inherits a `Policy` with `denied_values` set.
# In this case, the values that are allowed must be in `allowed_values` and
# not present in `denied_values`.
#
# For example, suppose you have a `Constraint`
# `constraints/serviceuser.services`, which has a `constraint_type` of
# `list_constraint`, and with `constraint_default` set to `ALLOW`.
# Suppose that at the Organization level, a `Policy` is applied that
# restricts the allowed API activations to {`E1`, `E2`}. Then, if a
# `Policy` is applied to a project below the Organization that has
# `inherit_from_parent` set to `false` and field all_values set to DENY,
# then an attempt to activate any API will be denied.
#
# The following examples demonstrate different possible layerings for
# `projects/bar` parented by `organizations/foo`:
#
# Example 1 (no inherited values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values:"E2"}
# `projects/bar` has `inherit_from_parent` `false` and values:
# {allowed_values: "E3" allowed_values: "E4"}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are `E3`, and `E4`.
#
# Example 2 (inherited values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values:"E2"}
# `projects/bar` has a `Policy` with values:
# {value: "E3" value: "E4" inherit_from_parent: true}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
#
# Example 3 (inheriting both allowed and denied values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values: "E2"}
# `projects/bar` has a `Policy` with:
# {denied_values: "E1"}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The value accepted at `projects/bar` is `E2`.
#
# Example 4 (RestoreDefault):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values:"E2"}
# `projects/bar` has a `Policy` with values:
# {RestoreDefault: {}}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are either all or none depending on
# the value of `constraint_default` (if `ALLOW`, all; if
# `DENY`, none).
#
# Example 5 (no policy inherits parent policy):
# `organizations/foo` has no `Policy` set.
# `projects/bar` has no `Policy` set.
# The accepted values at both levels are either all or none depending on
# the value of `constraint_default` (if `ALLOW`, all; if
# `DENY`, none).
#
# Example 6 (ListConstraint allowing all):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values: "E2"}
# `projects/bar` has a `Policy` with:
# {all: ALLOW}
# The accepted values at `organizations/foo` are `E1`, E2`.
# Any value is accepted at `projects/bar`.
#
# Example 7 (ListConstraint allowing none):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values: "E2"}
# `projects/bar` has a `Policy` with:
# {all: DENY}
# The accepted values at `organizations/foo` are `E1`, E2`.
# No value is accepted at `projects/bar`.
#
# Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
# Given the following resource hierarchy
# O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "under:organizations/O1"}
# `projects/bar` has a `Policy` with:
# {allowed_values: "under:projects/P3"}
# {denied_values: "under:folders/F2"}
# The accepted values at `organizations/foo` are `organizations/O1`,
# `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
# `projects/P3`.
# The accepted values at `projects/bar` are `organizations/O1`,
# `folders/F1`, `projects/P1`.
"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
# that matches the value specified in this `Policy`. If `suggested_value`
# is not set, it will inherit the value specified higher in the hierarchy,
# unless `inherit_from_parent` is `false`.
"allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
# is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
},
"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
# resource.
"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
# configuration is acceptable.
#
# Suppose you have a `Constraint`
# `constraints/compute.disableSerialPortAccess` with `constraint_default`
# set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
# behavior:
# - If the `Policy` at this resource has enforced set to `false`, serial
# port connection attempts will be allowed.
# - If the `Policy` at this resource has enforced set to `true`, serial
# port connection attempts will be refused.
# - If the `Policy` at this resource is `RestoreDefault`, serial port
# connection attempts will be allowed.
# - If no `Policy` is set at this resource or anywhere higher in the
# resource hierarchy, serial port connection attempts will be allowed.
# - If no `Policy` is set at this resource, but one exists higher in the
# resource hierarchy, the behavior is as if the`Policy` were set at
# this resource.
#
# The following examples demonstrate the different possible layerings:
#
# Example 1 (nearest `Constraint` wins):
# `organizations/foo` has a `Policy` with:
# {enforced: false}
# `projects/bar` has no `Policy` set.
# The constraint at `projects/bar` and `organizations/foo` will not be
# enforced.
#
# Example 2 (enforcement gets replaced):
# `organizations/foo` has a `Policy` with:
# {enforced: false}
# `projects/bar` has a `Policy` with:
# {enforced: true}
# The constraint at `organizations/foo` is not enforced.
# The constraint at `projects/bar` is enforced.
#
# Example 3 (RestoreDefault):
# `organizations/foo` has a `Policy` with:
# {enforced: true}
# `projects/bar` has a `Policy` with:
# {RestoreDefault: {}}
# The constraint at `organizations/foo` is enforced.
# The constraint at `projects/bar` is not enforced, because
# `constraint_default` for the `Constraint` is `ALLOW`.
},
"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
# concurrency control.
#
# When the `Policy` is returned from either a `GetPolicy` or a
# `ListOrgPolicy` request, this `etag` indicates the version of the current
# `Policy` to use when executing a read-modify-write loop.
#
# When the `Policy` is returned from a `GetEffectivePolicy` request, the
# `etag` will be unset.
#
# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
# that was returned from a `GetOrgPolicy` request as part of a
# read-modify-write loop for concurrency control. Not setting the `etag`in a
# `SetOrgPolicy` request will result in an unconditional write of the
# `Policy`.
}
list(pageSize=None, pageToken=None, x__xgafv=None, filter=None)
Lists Projects that the caller has the `resourcemanager.projects.get`
permission on and satisfy the specified filter.
This method returns Projects in an unspecified order.
This method is eventually consistent with project mutations; this means
that a newly created project may not appear in the results or recent
updates to an existing project may not be reflected in the results. To
retrieve the latest state of a project, use the
GetProject method.
NOTE: If the request filter contains a `parent.type` and `parent.id` and
the caller has the `resourcemanager.projects.list` permission on the
parent, the results will be drawn from an alternate index which provides
more consistent results. In future versions of this API, this List method
will be split into List and Search to properly capture the behavorial
difference.
Args:
pageSize: integer, The maximum number of Projects to return in the response.
The server can return fewer Projects than requested.
If unspecified, server picks an appropriate default.
Optional.
pageToken: string, A pagination token returned from a previous call to ListProjects
that indicates from where listing should continue.
Optional.
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
filter: string, An expression for filtering the results of the request. Filter rules are
case insensitive. The fields eligible for filtering are:
+ `name`
+ `id`
+ `labels.<key>` (where *key* is the name of a label)
+ `parent.type`
+ `parent.id`
Some examples of using labels as filters:
| Filter | Description |
|------------------|-----------------------------------------------------|
| name:how* | The project's name starts with "how". |
| name:Howl | The project's name is `Howl` or `howl`. |
| name:HOWL | Equivalent to above. |
| NAME:howl | Equivalent to above. |
| labels.color:* | The project has the label `color`. |
| labels.color:red | The project's label `color` has the value `red`. |
| labels.color:red labels.size:big |The project's label `color` has
the value `red` and its label `size` has the value `big`. |
If no filter is specified, the call will return projects for which the user
has the `resourcemanager.projects.get` permission.
NOTE: To perform a by-parent query (eg., what projects are directly in a
Folder), the caller must have the `resourcemanager.projects.list`
permission on the parent and the filter must contain both a `parent.type`
and a `parent.id` restriction
(example: "parent.type:folder parent.id:123"). In this case an alternate
search index is used which provides more consistent results.
Optional.
Returns:
An object of the form:
{ # A page of the response received from the
# ListProjects
# method.
#
# A paginated response where more pages are available has
# `next_page_token` set. This token can be used in a subsequent request to
# retrieve the next request page.
"nextPageToken": "A String", # Pagination token.
#
# If the result set is too large to fit in a single response, this token
# is returned. It encodes the position of the current result cursor.
# Feeding this value into a new list request with the `page_token` parameter
# gives the next page of the results.
#
# When `next_page_token` is not filled in, there is no next page and
# the list returned is the last page in the result set.
#
# Pagination tokens have a limited lifetime.
"projects": [ # The list of Projects that matched the list filter. This list can
# be paginated.
{ # A Project is a high-level Google Cloud Platform entity. It is a
# container for ACLs, APIs, App Engine Apps, VMs, and other
# Google Cloud Platform resources.
"name": "A String", # The optional user-assigned display name of the Project.
# When present it must be between 4 to 30 characters.
# Allowed characters are: lowercase and uppercase letters, numbers,
# hyphen, single-quote, double-quote, space, and exclamation point.
#
# Example: <code>My Project</code>
# Read-write.
"parent": { # A container to reference an id for any resource type. A `resource` in Google # An optional reference to a parent Resource.
#
# Supported parent types include "organization" and "folder". Once set, the
# parent cannot be cleared. The `parent` can be set on creation or using the
# `UpdateProject` method; the end user must have the
# `resourcemanager.projects.create` permission on the parent.
#
# Read-write.
# Cloud Platform is a generic term for something you (a developer) may want to
# interact with through one of our API's. Some examples are an App Engine app,
# a Compute Engine instance, a Cloud SQL database, and so on.
"type": "A String", # Required field representing the resource type this id is for.
# At present, the valid types are: "organization", "folder", and "project".
"id": "A String", # Required field for the type-specific id. This should correspond to the id
# used in the type-specific API's.
},
"projectId": "A String", # The unique, user-assigned ID of the Project.
# It must be 6 to 30 lowercase letters, digits, or hyphens.
# It must start with a letter.
# Trailing hyphens are prohibited.
#
# Example: <code>tokyo-rain-123</code>
# Read-only after creation.
"labels": { # The labels associated with this Project.
#
# Label keys must be between 1 and 63 characters long and must conform
# to the following regular expression: \[a-z\](\[-a-z0-9\]*\[a-z0-9\])?.
#
# Label values must be between 0 and 63 characters long and must conform
# to the regular expression (\[a-z\](\[-a-z0-9\]*\[a-z0-9\])?)?. A label
# value can be empty.
#
# No more than 256 labels can be associated with a given resource.
#
# Clients should store labels in a representation such as JSON that does not
# depend on specific characters being disallowed.
#
# Example: <code>"environment" : "dev"</code>
# Read-write.
"a_key": "A String",
},
"projectNumber": "A String", # The number uniquely identifying the project.
#
# Example: <code>415104041262</code>
# Read-only.
"lifecycleState": "A String", # The Project lifecycle state.
#
# Read-only.
"createTime": "A String", # Creation time.
#
# Read-only.
},
],
}
listAvailableOrgPolicyConstraints(resource=*, body=None, x__xgafv=None)
Lists `Constraints` that could be applied on the specified resource.
Args:
resource: string, Name of the resource to list `Constraints` for. (required)
body: object, The request body.
The object takes the form of:
{ # The request sent to the [ListAvailableOrgPolicyConstraints]
# google.cloud.OrgPolicy.v1.ListAvailableOrgPolicyConstraints] method.
"pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported
# and will be ignored. The server may at any point start using this field.
"pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will
# be ignored. The server may at any point start using this field to limit
# page size.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # The response returned from the ListAvailableOrgPolicyConstraints method.
# Returns all `Constraints` that could be set at this level of the hierarchy
# (contrast with the response from `ListPolicies`, which returns all policies
# which are set).
"nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used.
"constraints": [ # The collection of constraints that are settable on the request resource.
{ # A `Constraint` describes a way in which a resource's configuration can be
# restricted. For example, it controls which cloud services can be activated
# across an organization, or whether a Compute Engine instance can have
# serial port connections established. `Constraints` can be configured by the
# organization's policy adminstrator to fit the needs of the organzation by
# setting Policies for `Constraints` at different locations in the
# organization's resource hierarchy. Policies are inherited down the resource
# hierarchy from higher levels, but can also be overridden. For details about
# the inheritance rules please read about
# Policies.
#
# `Constraints` have a default behavior determined by the `constraint_default`
# field, which is the enforcement behavior that is used in the absence of a
# `Policy` being defined or inherited for the resource in question.
"constraintDefault": "A String", # The evaluation behavior of this constraint in the absense of 'Policy'.
"displayName": "A String", # The human readable name.
#
# Mutable.
"description": "A String", # Detailed description of what this `Constraint` controls as well as how and
# where it is enforced.
#
# Mutable.
"booleanConstraint": { # A `Constraint` that is either enforced or not. # Defines this constraint as being a BooleanConstraint.
#
# For example a constraint `constraints/compute.disableSerialPortAccess`.
# If it is enforced on a VM instance, serial port connections will not be
# opened to that instance.
},
"version": 42, # Version of the `Constraint`. Default version is 0;
"listConstraint": { # A `Constraint` that allows or disallows a list of string values, which are # Defines this constraint as being a ListConstraint.
# configured by an Organization's policy administrator with a `Policy`.
"supportsUnder": True or False, # Indicates whether subtrees of Cloud Resource Manager resource hierarchy
# can be used in `Policy.allowed_values` and `Policy.denied_values`. For
# example, `"under:folders/123"` would match any resource under the
# 'folders/123' folder.
"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
# that matches the value specified in this `Constraint`.
},
"name": "A String", # Immutable value, required to globally be unique. For example,
# `constraints/serviceuser.services`
},
],
}
listAvailableOrgPolicyConstraints_next(previous_request=*, previous_response=*)
Retrieves the next page of results.
Args:
previous_request: The request for the previous page. (required)
previous_response: The response from the request for the previous page. (required)
Returns:
A request object that you can call 'execute()' on to request the next
page. Returns None if there are no more items in the collection.
listOrgPolicies(resource=*, body=None, x__xgafv=None)
Lists all the `Policies` set for a particular resource.
Args:
resource: string, Name of the resource to list Policies for. (required)
body: object, The request body.
The object takes the form of:
{ # The request sent to the ListOrgPolicies method.
"pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported
# and will be ignored. The server may at any point start using this field.
"pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will
# be ignored. The server may at any point start using this field to limit
# page size.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # The response returned from the ListOrgPolicies method. It will be empty
# if no `Policies` are set on the resource.
"nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used, but
# the server may at any point start supplying a valid token.
"policies": [ # The `Policies` that are set on the resource. It will be empty if no
# `Policies` are set.
{ # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
# for configurations of Cloud Platform resources.
"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
# server, not specified by the caller, and represents the last time a call to
# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
# be ignored.
"version": 42, # Version of the `Policy`. Default version is 0;
"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
# `constraints/serviceuser.services`.
#
# Immutable after creation.
"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
# `Constraint` type.
# `constraint_default` enforcement behavior of the specific `Constraint` at
# this resource.
#
# Suppose that `constraint_default` is set to `ALLOW` for the
# `Constraint` `constraints/serviceuser.services`. Suppose that organization
# foo.com sets a `Policy` at their Organization resource node that restricts
# the allowed service activations to deny all service activations. They
# could then set a `Policy` with the `policy_type` `restore_default` on
# several experimental projects, restoring the `constraint_default`
# enforcement of the `Constraint` for only those projects, allowing those
# projects to have all services activated.
},
"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
# resource.
#
# `ListPolicy` can define specific values and subtrees of Cloud Resource
# Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
# are allowed or denied by setting the `allowed_values` and `denied_values`
# fields. This is achieved by using the `under:` and optional `is:` prefixes.
# The `under:` prefix is used to denote resource subtree values.
# The `is:` prefix is used to denote specific values, and is required only
# if the value contains a ":". Values prefixed with "is:" are treated the
# same as values with no prefix.
# Ancestry subtrees must be in one of the following formats:
# - "projects/<project-id>", e.g. "projects/tokyo-rain-123"
# - "folders/<folder-id>", e.g. "folders/1234"
# - "organizations/<organization-id>", e.g. "organizations/1234"
# The `supports_under` field of the associated `Constraint` defines whether
# ancestry prefixes can be used. You can set `allowed_values` and
# `denied_values` in the same `Policy` if `all_values` is
# `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
# values. If `all_values` is set to either `ALLOW` or `DENY`,
# `allowed_values` and `denied_values` must be unset.
"allValues": "A String", # The policy all_values state.
"deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
# is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
#
# By default, a `ListPolicy` set at a resource supercedes any `Policy` set
# anywhere up the resource hierarchy. However, if `inherit_from_parent` is
# set to `true`, then the values from the effective `Policy` of the parent
# resource are inherited, meaning the values set in this `Policy` are
# added to the values inherited up the hierarchy.
#
# Setting `Policy` hierarchies that inherit both allowed values and denied
# values isn't recommended in most circumstances to keep the configuration
# simple and understandable. However, it is possible to set a `Policy` with
# `allowed_values` set that inherits a `Policy` with `denied_values` set.
# In this case, the values that are allowed must be in `allowed_values` and
# not present in `denied_values`.
#
# For example, suppose you have a `Constraint`
# `constraints/serviceuser.services`, which has a `constraint_type` of
# `list_constraint`, and with `constraint_default` set to `ALLOW`.
# Suppose that at the Organization level, a `Policy` is applied that
# restricts the allowed API activations to {`E1`, `E2`}. Then, if a
# `Policy` is applied to a project below the Organization that has
# `inherit_from_parent` set to `false` and field all_values set to DENY,
# then an attempt to activate any API will be denied.
#
# The following examples demonstrate different possible layerings for
# `projects/bar` parented by `organizations/foo`:
#
# Example 1 (no inherited values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values:"E2"}
# `projects/bar` has `inherit_from_parent` `false` and values:
# {allowed_values: "E3" allowed_values: "E4"}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are `E3`, and `E4`.
#
# Example 2 (inherited values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values:"E2"}
# `projects/bar` has a `Policy` with values:
# {value: "E3" value: "E4" inherit_from_parent: true}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
#
# Example 3 (inheriting both allowed and denied values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values: "E2"}
# `projects/bar` has a `Policy` with:
# {denied_values: "E1"}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The value accepted at `projects/bar` is `E2`.
#
# Example 4 (RestoreDefault):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values:"E2"}
# `projects/bar` has a `Policy` with values:
# {RestoreDefault: {}}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are either all or none depending on
# the value of `constraint_default` (if `ALLOW`, all; if
# `DENY`, none).
#
# Example 5 (no policy inherits parent policy):
# `organizations/foo` has no `Policy` set.
# `projects/bar` has no `Policy` set.
# The accepted values at both levels are either all or none depending on
# the value of `constraint_default` (if `ALLOW`, all; if
# `DENY`, none).
#
# Example 6 (ListConstraint allowing all):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values: "E2"}
# `projects/bar` has a `Policy` with:
# {all: ALLOW}
# The accepted values at `organizations/foo` are `E1`, E2`.
# Any value is accepted at `projects/bar`.
#
# Example 7 (ListConstraint allowing none):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values: "E2"}
# `projects/bar` has a `Policy` with:
# {all: DENY}
# The accepted values at `organizations/foo` are `E1`, E2`.
# No value is accepted at `projects/bar`.
#
# Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
# Given the following resource hierarchy
# O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "under:organizations/O1"}
# `projects/bar` has a `Policy` with:
# {allowed_values: "under:projects/P3"}
# {denied_values: "under:folders/F2"}
# The accepted values at `organizations/foo` are `organizations/O1`,
# `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
# `projects/P3`.
# The accepted values at `projects/bar` are `organizations/O1`,
# `folders/F1`, `projects/P1`.
"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
# that matches the value specified in this `Policy`. If `suggested_value`
# is not set, it will inherit the value specified higher in the hierarchy,
# unless `inherit_from_parent` is `false`.
"allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
# is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
},
"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
# resource.
"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
# configuration is acceptable.
#
# Suppose you have a `Constraint`
# `constraints/compute.disableSerialPortAccess` with `constraint_default`
# set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
# behavior:
# - If the `Policy` at this resource has enforced set to `false`, serial
# port connection attempts will be allowed.
# - If the `Policy` at this resource has enforced set to `true`, serial
# port connection attempts will be refused.
# - If the `Policy` at this resource is `RestoreDefault`, serial port
# connection attempts will be allowed.
# - If no `Policy` is set at this resource or anywhere higher in the
# resource hierarchy, serial port connection attempts will be allowed.
# - If no `Policy` is set at this resource, but one exists higher in the
# resource hierarchy, the behavior is as if the`Policy` were set at
# this resource.
#
# The following examples demonstrate the different possible layerings:
#
# Example 1 (nearest `Constraint` wins):
# `organizations/foo` has a `Policy` with:
# {enforced: false}
# `projects/bar` has no `Policy` set.
# The constraint at `projects/bar` and `organizations/foo` will not be
# enforced.
#
# Example 2 (enforcement gets replaced):
# `organizations/foo` has a `Policy` with:
# {enforced: false}
# `projects/bar` has a `Policy` with:
# {enforced: true}
# The constraint at `organizations/foo` is not enforced.
# The constraint at `projects/bar` is enforced.
#
# Example 3 (RestoreDefault):
# `organizations/foo` has a `Policy` with:
# {enforced: true}
# `projects/bar` has a `Policy` with:
# {RestoreDefault: {}}
# The constraint at `organizations/foo` is enforced.
# The constraint at `projects/bar` is not enforced, because
# `constraint_default` for the `Constraint` is `ALLOW`.
},
"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
# concurrency control.
#
# When the `Policy` is returned from either a `GetPolicy` or a
# `ListOrgPolicy` request, this `etag` indicates the version of the current
# `Policy` to use when executing a read-modify-write loop.
#
# When the `Policy` is returned from a `GetEffectivePolicy` request, the
# `etag` will be unset.
#
# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
# that was returned from a `GetOrgPolicy` request as part of a
# read-modify-write loop for concurrency control. Not setting the `etag`in a
# `SetOrgPolicy` request will result in an unconditional write of the
# `Policy`.
},
],
}
listOrgPolicies_next(previous_request=*, previous_response=*)
Retrieves the next page of results.
Args:
previous_request: The request for the previous page. (required)
previous_response: The response from the request for the previous page. (required)
Returns:
A request object that you can call 'execute()' on to request the next
page. Returns None if there are no more items in the collection.
list_next(previous_request=*, previous_response=*)
Retrieves the next page of results.
Args:
previous_request: The request for the previous page. (required)
previous_response: The response from the request for the previous page. (required)
Returns:
A request object that you can call 'execute()' on to request the next
page. Returns None if there are no more items in the collection.
setIamPolicy(resource=None, body=None, x__xgafv=None)
Sets the IAM access control policy for the specified Project. Overwrites
any existing policy.
The following constraints apply when using `setIamPolicy()`:
+ Project does not support `allUsers` and `allAuthenticatedUsers` as
`members` in a `Binding` of a `Policy`.
+ The owner role can be granted to a `user`, `serviceAccount`, or a group
that is part of an organization. For example,
group@myownpersonaldomain.com could be added as an owner to a project in
the myownpersonaldomain.com organization, but not the examplepetstore.com
organization.
+ Service accounts can be made owners of a project directly
without any restrictions. However, to be added as an owner, a user must be
invited via Cloud Platform console and must accept the invitation.
+ A user cannot be granted the owner role using `setIamPolicy()`. The user
must be granted the owner role using the Cloud Platform Console and must
explicitly accept the invitation.
+ You can only grant ownership of a project to a member by using the
GCP Console. Inviting a member will deliver an invitation email that
they must accept. An invitation email is not generated if you are
granting a role other than owner, or if both the member you are inviting
and the project are part of your organization.
+ Membership changes that leave the project without any owners that have
accepted the Terms of Service (ToS) will be rejected.
+ If the project is not part of an organization, there must be at least
one owner who has accepted the Terms of Service (ToS) agreement in the
policy. Calling `setIamPolicy()` to remove the last ToS-accepted owner
from the policy will fail. This restriction also applies to legacy
projects that no longer have owners who have accepted the ToS. Edits to
IAM policies will be rejected until the lack of a ToS-accepting owner is
rectified.
+ This method will replace the existing policy, and cannot be used to
append additional IAM settings.
Note: Removing service accounts from policies or changing their roles
can render services completely inoperable. It is important to understand
how the service account is being used before removing or updating its
roles.
Authorization requires the Google IAM permission
`resourcemanager.projects.setIamPolicy` on the project
Args:
resource: string, REQUIRED: The resource for which the policy is being specified.
See the operation documentation for the appropriate value for this field. (required)
body: object, The request body.
The object takes the form of:
{ # Request message for `SetIamPolicy` method.
"policy": { # An Identity and Access Management (IAM) policy, which specifies access # REQUIRED: The complete policy to be applied to the `resource`. The size of
# the policy is limited to a few 10s of KB. An empty policy is a
# valid policy but certain Cloud Platform services (such as Projects)
# might reject them.
# controls for Google Cloud resources.
#
#
# A `Policy` is a collection of `bindings`. A `binding` binds one or more
# `members` to a single `role`. Members can be user accounts, service accounts,
# Google groups, and domains (such as G Suite). A `role` is a named list of
# permissions; each `role` can be an IAM predefined role or a user-created
# custom role.
#
# Optionally, a `binding` can specify a `condition`, which is a logical
# expression that allows access to a resource only if the expression evaluates
# to `true`. A condition can add constraints based on attributes of the
# request, the resource, or both.
#
# **JSON example:**
#
# {
# "bindings": [
# {
# "role": "roles/resourcemanager.organizationAdmin",
# "members": [
# "user:mike@example.com",
# "group:admins@example.com",
# "domain:google.com",
# "serviceAccount:my-project-id@appspot.gserviceaccount.com"
# ]
# },
# {
# "role": "roles/resourcemanager.organizationViewer",
# "members": ["user:eve@example.com"],
# "condition": {
# "title": "expirable access",
# "description": "Does not grant access after Sep 2020",
# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",
# }
# }
# ],
# "etag": "BwWWja0YfJA=",
# "version": 3
# }
#
# **YAML example:**
#
# bindings:
# - members:
# - user:mike@example.com
# - group:admins@example.com
# - domain:google.com
# - serviceAccount:my-project-id@appspot.gserviceaccount.com
# role: roles/resourcemanager.organizationAdmin
# - members:
# - user:eve@example.com
# role: roles/resourcemanager.organizationViewer
# condition:
# title: expirable access
# description: Does not grant access after Sep 2020
# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
# - etag: BwWWja0YfJA=
# - version: 3
#
# For a description of IAM and its features, see the
# [IAM documentation](https://cloud.google.com/iam/docs/).
"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
{ # Specifies the audit configuration for a service.
# The configuration determines which permission types are logged, and what
# identities, if any, are exempted from logging.
# An AuditConfig must have one or more AuditLogConfigs.
#
# If there are AuditConfigs for both `allServices` and a specific service,
# the union of the two AuditConfigs is used for that service: the log_types
# specified in each AuditConfig are enabled, and the exempted_members in each
# AuditLogConfig are exempted.
#
# Example Policy with multiple AuditConfigs:
#
# {
# "audit_configs": [
# {
# "service": "allServices"
# "audit_log_configs": [
# {
# "log_type": "DATA_READ",
# "exempted_members": [
# "user:jose@example.com"
# ]
# },
# {
# "log_type": "DATA_WRITE",
# },
# {
# "log_type": "ADMIN_READ",
# }
# ]
# },
# {
# "service": "sampleservice.googleapis.com"
# "audit_log_configs": [
# {
# "log_type": "DATA_READ",
# },
# {
# "log_type": "DATA_WRITE",
# "exempted_members": [
# "user:aliya@example.com"
# ]
# }
# ]
# }
# ]
# }
#
# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
# logging. It also exempts jose@example.com from DATA_READ logging, and
# aliya@example.com from DATA_WRITE logging.
"auditLogConfigs": [ # The configuration for logging of each type of permission.
{ # Provides the configuration for logging a type of permissions.
# Example:
#
# {
# "audit_log_configs": [
# {
# "log_type": "DATA_READ",
# "exempted_members": [
# "user:jose@example.com"
# ]
# },
# {
# "log_type": "DATA_WRITE",
# }
# ]
# }
#
# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
# jose@example.com from DATA_READ logging.
"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
# permission.
# Follows the same format of Binding.members.
"A String",
],
"logType": "A String", # The log type that this config enables.
},
],
"service": "A String", # Specifies a service that will be enabled for audit logging.
# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
# `allServices` is a special value that covers all services.
},
],
"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
# prevent simultaneous updates of a policy from overwriting each other.
# It is strongly suggested that systems make use of the `etag` in the
# read-modify-write cycle to perform policy updates in order to avoid race
# conditions: An `etag` is returned in the response to `getIamPolicy`, and
# systems are expected to put that etag in the request to `setIamPolicy` to
# ensure that their change will be applied to the same version of the policy.
#
# **Important:** If you use IAM Conditions, you must include the `etag` field
# whenever you call `setIamPolicy`. If you omit this field, then IAM allows
# you to overwrite a version `3` policy with a version `1` policy, and all of
# the conditions in the version `3` policy are lost.
"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a
# `condition` that determines how and when the `bindings` are applied. Each
# of the `bindings` must contain at least one member.
{ # Associates `members` with a `role`.
"role": "A String", # Role that is assigned to `members`.
# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
"members": [ # Specifies the identities requesting access for a Cloud Platform resource.
# `members` can have the following values:
#
# * `allUsers`: A special identifier that represents anyone who is
# on the internet; with or without a Google account.
#
# * `allAuthenticatedUsers`: A special identifier that represents anyone
# who is authenticated with a Google account or a service account.
#
# * `user:{emailid}`: An email address that represents a specific Google
# account. For example, `alice@example.com` .
#
#
# * `serviceAccount:{emailid}`: An email address that represents a service
# account. For example, `my-other-app@appspot.gserviceaccount.com`.
#
# * `group:{emailid}`: An email address that represents a Google group.
# For example, `admins@example.com`.
#
# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
# identifier) representing a user that has been recently deleted. For
# example, `alice@example.com?uid=123456789012345678901`. If the user is
# recovered, this value reverts to `user:{emailid}` and the recovered user
# retains the role in the binding.
#
# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
# unique identifier) representing a service account that has been recently
# deleted. For example,
# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
# If the service account is undeleted, this value reverts to
# `serviceAccount:{emailid}` and the undeleted service account retains the
# role in the binding.
#
# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
# identifier) representing a Google group that has been recently
# deleted. For example, `admins@example.com?uid=123456789012345678901`. If
# the group is recovered, this value reverts to `group:{emailid}` and the
# recovered group retains the role in the binding.
#
#
# * `domain:{domain}`: The G Suite domain (primary) that represents all the
# users of that domain. For example, `google.com` or `example.com`.
#
"A String",
],
"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.
# NOTE: An unsatisfied condition will not allow user access via current
# binding. Different bindings, including their conditions, are examined
# independently.
# syntax. CEL is a C-like expression language. The syntax and semantics of CEL
# are documented at https://github.com/google/cel-spec.
#
# Example (Comparison):
#
# title: "Summary size limit"
# description: "Determines if a summary is less than 100 chars"
# expression: "document.summary.size() < 100"
#
# Example (Equality):
#
# title: "Requestor is owner"
# description: "Determines if requestor is the document owner"
# expression: "document.owner == request.auth.claims.email"
#
# Example (Logic):
#
# title: "Public documents"
# description: "Determine whether the document should be publicly visible"
# expression: "document.type != 'private' && document.type != 'internal'"
#
# Example (Data Manipulation):
#
# title: "Notification string"
# description: "Create a notification string with a timestamp."
# expression: "'New message received at ' + string(document.create_time)"
#
# The exact variables and functions that may be referenced within an expression
# are determined by the service that evaluates it. See the service
# documentation for additional information.
"description": "A String", # Optional. Description of the expression. This is a longer text which
# describes the expression, e.g. when hovered over it in a UI.
"expression": "A String", # Textual representation of an expression in Common Expression Language
# syntax.
"location": "A String", # Optional. String indicating the location of the expression for error
# reporting, e.g. a file name and a position in the file.
"title": "A String", # Optional. Title for the expression, i.e. a short string describing
# its purpose. This can be used e.g. in UIs which allow to enter the
# expression.
},
},
],
"version": 42, # Specifies the format of the policy.
#
# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
# are rejected.
#
# Any operation that affects conditional role bindings must specify version
# `3`. This requirement applies to the following operations:
#
# * Getting a policy that includes a conditional role binding
# * Adding a conditional role binding to a policy
# * Changing a conditional role binding in a policy
# * Removing any role binding, with or without a condition, from a policy
# that includes conditions
#
# **Important:** If you use IAM Conditions, you must include the `etag` field
# whenever you call `setIamPolicy`. If you omit this field, then IAM allows
# you to overwrite a version `3` policy with a version `1` policy, and all of
# the conditions in the version `3` policy are lost.
#
# If a policy does not include any conditions, operations on that policy may
# specify any valid version or leave the field unset.
},
"updateMask": "A String", # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
# the fields in the mask will be modified. If no mask is provided, the
# following default mask is used:
# paths: "bindings, etag"
# This field is only used by Cloud IAM.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # An Identity and Access Management (IAM) policy, which specifies access
# controls for Google Cloud resources.
#
#
# A `Policy` is a collection of `bindings`. A `binding` binds one or more
# `members` to a single `role`. Members can be user accounts, service accounts,
# Google groups, and domains (such as G Suite). A `role` is a named list of
# permissions; each `role` can be an IAM predefined role or a user-created
# custom role.
#
# Optionally, a `binding` can specify a `condition`, which is a logical
# expression that allows access to a resource only if the expression evaluates
# to `true`. A condition can add constraints based on attributes of the
# request, the resource, or both.
#
# **JSON example:**
#
# {
# "bindings": [
# {
# "role": "roles/resourcemanager.organizationAdmin",
# "members": [
# "user:mike@example.com",
# "group:admins@example.com",
# "domain:google.com",
# "serviceAccount:my-project-id@appspot.gserviceaccount.com"
# ]
# },
# {
# "role": "roles/resourcemanager.organizationViewer",
# "members": ["user:eve@example.com"],
# "condition": {
# "title": "expirable access",
# "description": "Does not grant access after Sep 2020",
# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",
# }
# }
# ],
# "etag": "BwWWja0YfJA=",
# "version": 3
# }
#
# **YAML example:**
#
# bindings:
# - members:
# - user:mike@example.com
# - group:admins@example.com
# - domain:google.com
# - serviceAccount:my-project-id@appspot.gserviceaccount.com
# role: roles/resourcemanager.organizationAdmin
# - members:
# - user:eve@example.com
# role: roles/resourcemanager.organizationViewer
# condition:
# title: expirable access
# description: Does not grant access after Sep 2020
# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
# - etag: BwWWja0YfJA=
# - version: 3
#
# For a description of IAM and its features, see the
# [IAM documentation](https://cloud.google.com/iam/docs/).
"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
{ # Specifies the audit configuration for a service.
# The configuration determines which permission types are logged, and what
# identities, if any, are exempted from logging.
# An AuditConfig must have one or more AuditLogConfigs.
#
# If there are AuditConfigs for both `allServices` and a specific service,
# the union of the two AuditConfigs is used for that service: the log_types
# specified in each AuditConfig are enabled, and the exempted_members in each
# AuditLogConfig are exempted.
#
# Example Policy with multiple AuditConfigs:
#
# {
# "audit_configs": [
# {
# "service": "allServices"
# "audit_log_configs": [
# {
# "log_type": "DATA_READ",
# "exempted_members": [
# "user:jose@example.com"
# ]
# },
# {
# "log_type": "DATA_WRITE",
# },
# {
# "log_type": "ADMIN_READ",
# }
# ]
# },
# {
# "service": "sampleservice.googleapis.com"
# "audit_log_configs": [
# {
# "log_type": "DATA_READ",
# },
# {
# "log_type": "DATA_WRITE",
# "exempted_members": [
# "user:aliya@example.com"
# ]
# }
# ]
# }
# ]
# }
#
# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
# logging. It also exempts jose@example.com from DATA_READ logging, and
# aliya@example.com from DATA_WRITE logging.
"auditLogConfigs": [ # The configuration for logging of each type of permission.
{ # Provides the configuration for logging a type of permissions.
# Example:
#
# {
# "audit_log_configs": [
# {
# "log_type": "DATA_READ",
# "exempted_members": [
# "user:jose@example.com"
# ]
# },
# {
# "log_type": "DATA_WRITE",
# }
# ]
# }
#
# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
# jose@example.com from DATA_READ logging.
"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
# permission.
# Follows the same format of Binding.members.
"A String",
],
"logType": "A String", # The log type that this config enables.
},
],
"service": "A String", # Specifies a service that will be enabled for audit logging.
# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
# `allServices` is a special value that covers all services.
},
],
"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
# prevent simultaneous updates of a policy from overwriting each other.
# It is strongly suggested that systems make use of the `etag` in the
# read-modify-write cycle to perform policy updates in order to avoid race
# conditions: An `etag` is returned in the response to `getIamPolicy`, and
# systems are expected to put that etag in the request to `setIamPolicy` to
# ensure that their change will be applied to the same version of the policy.
#
# **Important:** If you use IAM Conditions, you must include the `etag` field
# whenever you call `setIamPolicy`. If you omit this field, then IAM allows
# you to overwrite a version `3` policy with a version `1` policy, and all of
# the conditions in the version `3` policy are lost.
"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a
# `condition` that determines how and when the `bindings` are applied. Each
# of the `bindings` must contain at least one member.
{ # Associates `members` with a `role`.
"role": "A String", # Role that is assigned to `members`.
# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
"members": [ # Specifies the identities requesting access for a Cloud Platform resource.
# `members` can have the following values:
#
# * `allUsers`: A special identifier that represents anyone who is
# on the internet; with or without a Google account.
#
# * `allAuthenticatedUsers`: A special identifier that represents anyone
# who is authenticated with a Google account or a service account.
#
# * `user:{emailid}`: An email address that represents a specific Google
# account. For example, `alice@example.com` .
#
#
# * `serviceAccount:{emailid}`: An email address that represents a service
# account. For example, `my-other-app@appspot.gserviceaccount.com`.
#
# * `group:{emailid}`: An email address that represents a Google group.
# For example, `admins@example.com`.
#
# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
# identifier) representing a user that has been recently deleted. For
# example, `alice@example.com?uid=123456789012345678901`. If the user is
# recovered, this value reverts to `user:{emailid}` and the recovered user
# retains the role in the binding.
#
# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
# unique identifier) representing a service account that has been recently
# deleted. For example,
# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
# If the service account is undeleted, this value reverts to
# `serviceAccount:{emailid}` and the undeleted service account retains the
# role in the binding.
#
# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
# identifier) representing a Google group that has been recently
# deleted. For example, `admins@example.com?uid=123456789012345678901`. If
# the group is recovered, this value reverts to `group:{emailid}` and the
# recovered group retains the role in the binding.
#
#
# * `domain:{domain}`: The G Suite domain (primary) that represents all the
# users of that domain. For example, `google.com` or `example.com`.
#
"A String",
],
"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.
# NOTE: An unsatisfied condition will not allow user access via current
# binding. Different bindings, including their conditions, are examined
# independently.
# syntax. CEL is a C-like expression language. The syntax and semantics of CEL
# are documented at https://github.com/google/cel-spec.
#
# Example (Comparison):
#
# title: "Summary size limit"
# description: "Determines if a summary is less than 100 chars"
# expression: "document.summary.size() < 100"
#
# Example (Equality):
#
# title: "Requestor is owner"
# description: "Determines if requestor is the document owner"
# expression: "document.owner == request.auth.claims.email"
#
# Example (Logic):
#
# title: "Public documents"
# description: "Determine whether the document should be publicly visible"
# expression: "document.type != 'private' && document.type != 'internal'"
#
# Example (Data Manipulation):
#
# title: "Notification string"
# description: "Create a notification string with a timestamp."
# expression: "'New message received at ' + string(document.create_time)"
#
# The exact variables and functions that may be referenced within an expression
# are determined by the service that evaluates it. See the service
# documentation for additional information.
"description": "A String", # Optional. Description of the expression. This is a longer text which
# describes the expression, e.g. when hovered over it in a UI.
"expression": "A String", # Textual representation of an expression in Common Expression Language
# syntax.
"location": "A String", # Optional. String indicating the location of the expression for error
# reporting, e.g. a file name and a position in the file.
"title": "A String", # Optional. Title for the expression, i.e. a short string describing
# its purpose. This can be used e.g. in UIs which allow to enter the
# expression.
},
},
],
"version": 42, # Specifies the format of the policy.
#
# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
# are rejected.
#
# Any operation that affects conditional role bindings must specify version
# `3`. This requirement applies to the following operations:
#
# * Getting a policy that includes a conditional role binding
# * Adding a conditional role binding to a policy
# * Changing a conditional role binding in a policy
# * Removing any role binding, with or without a condition, from a policy
# that includes conditions
#
# **Important:** If you use IAM Conditions, you must include the `etag` field
# whenever you call `setIamPolicy`. If you omit this field, then IAM allows
# you to overwrite a version `3` policy with a version `1` policy, and all of
# the conditions in the version `3` policy are lost.
#
# If a policy does not include any conditions, operations on that policy may
# specify any valid version or leave the field unset.
}
setOrgPolicy(resource=*, body=None, x__xgafv=None)
Updates the specified `Policy` on the resource. Creates a new `Policy` for
that `Constraint` on the resource if one does not exist.
Not supplying an `etag` on the request `Policy` results in an unconditional
write of the `Policy`.
Args:
resource: string, Resource name of the resource to attach the `Policy`. (required)
body: object, The request body.
The object takes the form of:
{ # The request sent to the SetOrgPolicyRequest method.
"policy": { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` # `Policy` to set on the resource.
# for configurations of Cloud Platform resources.
"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
# server, not specified by the caller, and represents the last time a call to
# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
# be ignored.
"version": 42, # Version of the `Policy`. Default version is 0;
"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
# `constraints/serviceuser.services`.
#
# Immutable after creation.
"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
# `Constraint` type.
# `constraint_default` enforcement behavior of the specific `Constraint` at
# this resource.
#
# Suppose that `constraint_default` is set to `ALLOW` for the
# `Constraint` `constraints/serviceuser.services`. Suppose that organization
# foo.com sets a `Policy` at their Organization resource node that restricts
# the allowed service activations to deny all service activations. They
# could then set a `Policy` with the `policy_type` `restore_default` on
# several experimental projects, restoring the `constraint_default`
# enforcement of the `Constraint` for only those projects, allowing those
# projects to have all services activated.
},
"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
# resource.
#
# `ListPolicy` can define specific values and subtrees of Cloud Resource
# Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
# are allowed or denied by setting the `allowed_values` and `denied_values`
# fields. This is achieved by using the `under:` and optional `is:` prefixes.
# The `under:` prefix is used to denote resource subtree values.
# The `is:` prefix is used to denote specific values, and is required only
# if the value contains a ":". Values prefixed with "is:" are treated the
# same as values with no prefix.
# Ancestry subtrees must be in one of the following formats:
# - "projects/<project-id>", e.g. "projects/tokyo-rain-123"
# - "folders/<folder-id>", e.g. "folders/1234"
# - "organizations/<organization-id>", e.g. "organizations/1234"
# The `supports_under` field of the associated `Constraint` defines whether
# ancestry prefixes can be used. You can set `allowed_values` and
# `denied_values` in the same `Policy` if `all_values` is
# `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
# values. If `all_values` is set to either `ALLOW` or `DENY`,
# `allowed_values` and `denied_values` must be unset.
"allValues": "A String", # The policy all_values state.
"deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
# is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
#
# By default, a `ListPolicy` set at a resource supercedes any `Policy` set
# anywhere up the resource hierarchy. However, if `inherit_from_parent` is
# set to `true`, then the values from the effective `Policy` of the parent
# resource are inherited, meaning the values set in this `Policy` are
# added to the values inherited up the hierarchy.
#
# Setting `Policy` hierarchies that inherit both allowed values and denied
# values isn't recommended in most circumstances to keep the configuration
# simple and understandable. However, it is possible to set a `Policy` with
# `allowed_values` set that inherits a `Policy` with `denied_values` set.
# In this case, the values that are allowed must be in `allowed_values` and
# not present in `denied_values`.
#
# For example, suppose you have a `Constraint`
# `constraints/serviceuser.services`, which has a `constraint_type` of
# `list_constraint`, and with `constraint_default` set to `ALLOW`.
# Suppose that at the Organization level, a `Policy` is applied that
# restricts the allowed API activations to {`E1`, `E2`}. Then, if a
# `Policy` is applied to a project below the Organization that has
# `inherit_from_parent` set to `false` and field all_values set to DENY,
# then an attempt to activate any API will be denied.
#
# The following examples demonstrate different possible layerings for
# `projects/bar` parented by `organizations/foo`:
#
# Example 1 (no inherited values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values:"E2"}
# `projects/bar` has `inherit_from_parent` `false` and values:
# {allowed_values: "E3" allowed_values: "E4"}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are `E3`, and `E4`.
#
# Example 2 (inherited values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values:"E2"}
# `projects/bar` has a `Policy` with values:
# {value: "E3" value: "E4" inherit_from_parent: true}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
#
# Example 3 (inheriting both allowed and denied values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values: "E2"}
# `projects/bar` has a `Policy` with:
# {denied_values: "E1"}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The value accepted at `projects/bar` is `E2`.
#
# Example 4 (RestoreDefault):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values:"E2"}
# `projects/bar` has a `Policy` with values:
# {RestoreDefault: {}}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are either all or none depending on
# the value of `constraint_default` (if `ALLOW`, all; if
# `DENY`, none).
#
# Example 5 (no policy inherits parent policy):
# `organizations/foo` has no `Policy` set.
# `projects/bar` has no `Policy` set.
# The accepted values at both levels are either all or none depending on
# the value of `constraint_default` (if `ALLOW`, all; if
# `DENY`, none).
#
# Example 6 (ListConstraint allowing all):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values: "E2"}
# `projects/bar` has a `Policy` with:
# {all: ALLOW}
# The accepted values at `organizations/foo` are `E1`, E2`.
# Any value is accepted at `projects/bar`.
#
# Example 7 (ListConstraint allowing none):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values: "E2"}
# `projects/bar` has a `Policy` with:
# {all: DENY}
# The accepted values at `organizations/foo` are `E1`, E2`.
# No value is accepted at `projects/bar`.
#
# Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
# Given the following resource hierarchy
# O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "under:organizations/O1"}
# `projects/bar` has a `Policy` with:
# {allowed_values: "under:projects/P3"}
# {denied_values: "under:folders/F2"}
# The accepted values at `organizations/foo` are `organizations/O1`,
# `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
# `projects/P3`.
# The accepted values at `projects/bar` are `organizations/O1`,
# `folders/F1`, `projects/P1`.
"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
# that matches the value specified in this `Policy`. If `suggested_value`
# is not set, it will inherit the value specified higher in the hierarchy,
# unless `inherit_from_parent` is `false`.
"allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
# is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
},
"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
# resource.
"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
# configuration is acceptable.
#
# Suppose you have a `Constraint`
# `constraints/compute.disableSerialPortAccess` with `constraint_default`
# set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
# behavior:
# - If the `Policy` at this resource has enforced set to `false`, serial
# port connection attempts will be allowed.
# - If the `Policy` at this resource has enforced set to `true`, serial
# port connection attempts will be refused.
# - If the `Policy` at this resource is `RestoreDefault`, serial port
# connection attempts will be allowed.
# - If no `Policy` is set at this resource or anywhere higher in the
# resource hierarchy, serial port connection attempts will be allowed.
# - If no `Policy` is set at this resource, but one exists higher in the
# resource hierarchy, the behavior is as if the`Policy` were set at
# this resource.
#
# The following examples demonstrate the different possible layerings:
#
# Example 1 (nearest `Constraint` wins):
# `organizations/foo` has a `Policy` with:
# {enforced: false}
# `projects/bar` has no `Policy` set.
# The constraint at `projects/bar` and `organizations/foo` will not be
# enforced.
#
# Example 2 (enforcement gets replaced):
# `organizations/foo` has a `Policy` with:
# {enforced: false}
# `projects/bar` has a `Policy` with:
# {enforced: true}
# The constraint at `organizations/foo` is not enforced.
# The constraint at `projects/bar` is enforced.
#
# Example 3 (RestoreDefault):
# `organizations/foo` has a `Policy` with:
# {enforced: true}
# `projects/bar` has a `Policy` with:
# {RestoreDefault: {}}
# The constraint at `organizations/foo` is enforced.
# The constraint at `projects/bar` is not enforced, because
# `constraint_default` for the `Constraint` is `ALLOW`.
},
"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
# concurrency control.
#
# When the `Policy` is returned from either a `GetPolicy` or a
# `ListOrgPolicy` request, this `etag` indicates the version of the current
# `Policy` to use when executing a read-modify-write loop.
#
# When the `Policy` is returned from a `GetEffectivePolicy` request, the
# `etag` will be unset.
#
# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
# that was returned from a `GetOrgPolicy` request as part of a
# read-modify-write loop for concurrency control. Not setting the `etag`in a
# `SetOrgPolicy` request will result in an unconditional write of the
# `Policy`.
},
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
# for configurations of Cloud Platform resources.
"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
# server, not specified by the caller, and represents the last time a call to
# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
# be ignored.
"version": 42, # Version of the `Policy`. Default version is 0;
"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
# `constraints/serviceuser.services`.
#
# Immutable after creation.
"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
# `Constraint` type.
# `constraint_default` enforcement behavior of the specific `Constraint` at
# this resource.
#
# Suppose that `constraint_default` is set to `ALLOW` for the
# `Constraint` `constraints/serviceuser.services`. Suppose that organization
# foo.com sets a `Policy` at their Organization resource node that restricts
# the allowed service activations to deny all service activations. They
# could then set a `Policy` with the `policy_type` `restore_default` on
# several experimental projects, restoring the `constraint_default`
# enforcement of the `Constraint` for only those projects, allowing those
# projects to have all services activated.
},
"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
# resource.
#
# `ListPolicy` can define specific values and subtrees of Cloud Resource
# Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
# are allowed or denied by setting the `allowed_values` and `denied_values`
# fields. This is achieved by using the `under:` and optional `is:` prefixes.
# The `under:` prefix is used to denote resource subtree values.
# The `is:` prefix is used to denote specific values, and is required only
# if the value contains a ":". Values prefixed with "is:" are treated the
# same as values with no prefix.
# Ancestry subtrees must be in one of the following formats:
# - "projects/<project-id>", e.g. "projects/tokyo-rain-123"
# - "folders/<folder-id>", e.g. "folders/1234"
# - "organizations/<organization-id>", e.g. "organizations/1234"
# The `supports_under` field of the associated `Constraint` defines whether
# ancestry prefixes can be used. You can set `allowed_values` and
# `denied_values` in the same `Policy` if `all_values` is
# `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
# values. If `all_values` is set to either `ALLOW` or `DENY`,
# `allowed_values` and `denied_values` must be unset.
"allValues": "A String", # The policy all_values state.
"deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
# is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
#
# By default, a `ListPolicy` set at a resource supercedes any `Policy` set
# anywhere up the resource hierarchy. However, if `inherit_from_parent` is
# set to `true`, then the values from the effective `Policy` of the parent
# resource are inherited, meaning the values set in this `Policy` are
# added to the values inherited up the hierarchy.
#
# Setting `Policy` hierarchies that inherit both allowed values and denied
# values isn't recommended in most circumstances to keep the configuration
# simple and understandable. However, it is possible to set a `Policy` with
# `allowed_values` set that inherits a `Policy` with `denied_values` set.
# In this case, the values that are allowed must be in `allowed_values` and
# not present in `denied_values`.
#
# For example, suppose you have a `Constraint`
# `constraints/serviceuser.services`, which has a `constraint_type` of
# `list_constraint`, and with `constraint_default` set to `ALLOW`.
# Suppose that at the Organization level, a `Policy` is applied that
# restricts the allowed API activations to {`E1`, `E2`}. Then, if a
# `Policy` is applied to a project below the Organization that has
# `inherit_from_parent` set to `false` and field all_values set to DENY,
# then an attempt to activate any API will be denied.
#
# The following examples demonstrate different possible layerings for
# `projects/bar` parented by `organizations/foo`:
#
# Example 1 (no inherited values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values:"E2"}
# `projects/bar` has `inherit_from_parent` `false` and values:
# {allowed_values: "E3" allowed_values: "E4"}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are `E3`, and `E4`.
#
# Example 2 (inherited values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values:"E2"}
# `projects/bar` has a `Policy` with values:
# {value: "E3" value: "E4" inherit_from_parent: true}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
#
# Example 3 (inheriting both allowed and denied values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values: "E2"}
# `projects/bar` has a `Policy` with:
# {denied_values: "E1"}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The value accepted at `projects/bar` is `E2`.
#
# Example 4 (RestoreDefault):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values:"E2"}
# `projects/bar` has a `Policy` with values:
# {RestoreDefault: {}}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are either all or none depending on
# the value of `constraint_default` (if `ALLOW`, all; if
# `DENY`, none).
#
# Example 5 (no policy inherits parent policy):
# `organizations/foo` has no `Policy` set.
# `projects/bar` has no `Policy` set.
# The accepted values at both levels are either all or none depending on
# the value of `constraint_default` (if `ALLOW`, all; if
# `DENY`, none).
#
# Example 6 (ListConstraint allowing all):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values: "E2"}
# `projects/bar` has a `Policy` with:
# {all: ALLOW}
# The accepted values at `organizations/foo` are `E1`, E2`.
# Any value is accepted at `projects/bar`.
#
# Example 7 (ListConstraint allowing none):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values: "E2"}
# `projects/bar` has a `Policy` with:
# {all: DENY}
# The accepted values at `organizations/foo` are `E1`, E2`.
# No value is accepted at `projects/bar`.
#
# Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
# Given the following resource hierarchy
# O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "under:organizations/O1"}
# `projects/bar` has a `Policy` with:
# {allowed_values: "under:projects/P3"}
# {denied_values: "under:folders/F2"}
# The accepted values at `organizations/foo` are `organizations/O1`,
# `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
# `projects/P3`.
# The accepted values at `projects/bar` are `organizations/O1`,
# `folders/F1`, `projects/P1`.
"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
# that matches the value specified in this `Policy`. If `suggested_value`
# is not set, it will inherit the value specified higher in the hierarchy,
# unless `inherit_from_parent` is `false`.
"allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
# is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
},
"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
# resource.
"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
# configuration is acceptable.
#
# Suppose you have a `Constraint`
# `constraints/compute.disableSerialPortAccess` with `constraint_default`
# set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
# behavior:
# - If the `Policy` at this resource has enforced set to `false`, serial
# port connection attempts will be allowed.
# - If the `Policy` at this resource has enforced set to `true`, serial
# port connection attempts will be refused.
# - If the `Policy` at this resource is `RestoreDefault`, serial port
# connection attempts will be allowed.
# - If no `Policy` is set at this resource or anywhere higher in the
# resource hierarchy, serial port connection attempts will be allowed.
# - If no `Policy` is set at this resource, but one exists higher in the
# resource hierarchy, the behavior is as if the`Policy` were set at
# this resource.
#
# The following examples demonstrate the different possible layerings:
#
# Example 1 (nearest `Constraint` wins):
# `organizations/foo` has a `Policy` with:
# {enforced: false}
# `projects/bar` has no `Policy` set.
# The constraint at `projects/bar` and `organizations/foo` will not be
# enforced.
#
# Example 2 (enforcement gets replaced):
# `organizations/foo` has a `Policy` with:
# {enforced: false}
# `projects/bar` has a `Policy` with:
# {enforced: true}
# The constraint at `organizations/foo` is not enforced.
# The constraint at `projects/bar` is enforced.
#
# Example 3 (RestoreDefault):
# `organizations/foo` has a `Policy` with:
# {enforced: true}
# `projects/bar` has a `Policy` with:
# {RestoreDefault: {}}
# The constraint at `organizations/foo` is enforced.
# The constraint at `projects/bar` is not enforced, because
# `constraint_default` for the `Constraint` is `ALLOW`.
},
"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
# concurrency control.
#
# When the `Policy` is returned from either a `GetPolicy` or a
# `ListOrgPolicy` request, this `etag` indicates the version of the current
# `Policy` to use when executing a read-modify-write loop.
#
# When the `Policy` is returned from a `GetEffectivePolicy` request, the
# `etag` will be unset.
#
# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
# that was returned from a `GetOrgPolicy` request as part of a
# read-modify-write loop for concurrency control. Not setting the `etag`in a
# `SetOrgPolicy` request will result in an unconditional write of the
# `Policy`.
}
testIamPermissions(resource=None, body=None, x__xgafv=None)
Returns permissions that a caller has on the specified Project.
There are no permissions required for making this API call.
Args:
resource: string, REQUIRED: The resource for which the policy detail is being requested.
See the operation documentation for the appropriate value for this field. (required)
body: object, The request body.
The object takes the form of:
{ # Request message for `TestIamPermissions` method.
"permissions": [ # The set of permissions to check for the `resource`. Permissions with
# wildcards (such as '*' or 'storage.*') are not allowed. For more
# information see
# [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).
"A String",
],
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response message for `TestIamPermissions` method.
"permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is
# allowed.
"A String",
],
}
undelete(projectId=None, body=None, x__xgafv=None)
Restores the Project identified by the specified
`project_id` (for example, `my-project-123`).
You can only use this method for a Project that has a lifecycle state of
DELETE_REQUESTED.
After deletion starts, the Project cannot be restored.
The caller must have modify permissions for this Project.
Args:
projectId: string, The project ID (for example, `foo-bar-123`).
Required. (required)
body: object, The request body.
The object takes the form of:
{ # The request sent to the UndeleteProject
# method.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # A generic empty message that you can re-use to avoid defining duplicated
# empty messages in your APIs. A typical example is to use it as the request
# or the response type of an API method. For instance:
#
# service Foo {
# rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
# }
#
# The JSON representation for `Empty` is empty JSON object `{}`.
}
update(projectId=None, body=None, x__xgafv=None)
Updates the attributes of the Project identified by the specified
`project_id` (for example, `my-project-123`).
The caller must have modify permissions for this Project.
Args:
projectId: string, The project ID (for example, `my-project-123`).
Required. (required)
body: object, The request body.
The object takes the form of:
{ # A Project is a high-level Google Cloud Platform entity. It is a
# container for ACLs, APIs, App Engine Apps, VMs, and other
# Google Cloud Platform resources.
"name": "A String", # The optional user-assigned display name of the Project.
# When present it must be between 4 to 30 characters.
# Allowed characters are: lowercase and uppercase letters, numbers,
# hyphen, single-quote, double-quote, space, and exclamation point.
#
# Example: <code>My Project</code>
# Read-write.
"parent": { # A container to reference an id for any resource type. A `resource` in Google # An optional reference to a parent Resource.
#
# Supported parent types include "organization" and "folder". Once set, the
# parent cannot be cleared. The `parent` can be set on creation or using the
# `UpdateProject` method; the end user must have the
# `resourcemanager.projects.create` permission on the parent.
#
# Read-write.
# Cloud Platform is a generic term for something you (a developer) may want to
# interact with through one of our API's. Some examples are an App Engine app,
# a Compute Engine instance, a Cloud SQL database, and so on.
"type": "A String", # Required field representing the resource type this id is for.
# At present, the valid types are: "organization", "folder", and "project".
"id": "A String", # Required field for the type-specific id. This should correspond to the id
# used in the type-specific API's.
},
"projectId": "A String", # The unique, user-assigned ID of the Project.
# It must be 6 to 30 lowercase letters, digits, or hyphens.
# It must start with a letter.
# Trailing hyphens are prohibited.
#
# Example: <code>tokyo-rain-123</code>
# Read-only after creation.
"labels": { # The labels associated with this Project.
#
# Label keys must be between 1 and 63 characters long and must conform
# to the following regular expression: \[a-z\](\[-a-z0-9\]*\[a-z0-9\])?.
#
# Label values must be between 0 and 63 characters long and must conform
# to the regular expression (\[a-z\](\[-a-z0-9\]*\[a-z0-9\])?)?. A label
# value can be empty.
#
# No more than 256 labels can be associated with a given resource.
#
# Clients should store labels in a representation such as JSON that does not
# depend on specific characters being disallowed.
#
# Example: <code>"environment" : "dev"</code>
# Read-write.
"a_key": "A String",
},
"projectNumber": "A String", # The number uniquely identifying the project.
#
# Example: <code>415104041262</code>
# Read-only.
"lifecycleState": "A String", # The Project lifecycle state.
#
# Read-only.
"createTime": "A String", # Creation time.
#
# Read-only.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # A Project is a high-level Google Cloud Platform entity. It is a
# container for ACLs, APIs, App Engine Apps, VMs, and other
# Google Cloud Platform resources.
"name": "A String", # The optional user-assigned display name of the Project.
# When present it must be between 4 to 30 characters.
# Allowed characters are: lowercase and uppercase letters, numbers,
# hyphen, single-quote, double-quote, space, and exclamation point.
#
# Example: <code>My Project</code>
# Read-write.
"parent": { # A container to reference an id for any resource type. A `resource` in Google # An optional reference to a parent Resource.
#
# Supported parent types include "organization" and "folder". Once set, the
# parent cannot be cleared. The `parent` can be set on creation or using the
# `UpdateProject` method; the end user must have the
# `resourcemanager.projects.create` permission on the parent.
#
# Read-write.
# Cloud Platform is a generic term for something you (a developer) may want to
# interact with through one of our API's. Some examples are an App Engine app,
# a Compute Engine instance, a Cloud SQL database, and so on.
"type": "A String", # Required field representing the resource type this id is for.
# At present, the valid types are: "organization", "folder", and "project".
"id": "A String", # Required field for the type-specific id. This should correspond to the id
# used in the type-specific API's.
},
"projectId": "A String", # The unique, user-assigned ID of the Project.
# It must be 6 to 30 lowercase letters, digits, or hyphens.
# It must start with a letter.
# Trailing hyphens are prohibited.
#
# Example: <code>tokyo-rain-123</code>
# Read-only after creation.
"labels": { # The labels associated with this Project.
#
# Label keys must be between 1 and 63 characters long and must conform
# to the following regular expression: \[a-z\](\[-a-z0-9\]*\[a-z0-9\])?.
#
# Label values must be between 0 and 63 characters long and must conform
# to the regular expression (\[a-z\](\[-a-z0-9\]*\[a-z0-9\])?)?. A label
# value can be empty.
#
# No more than 256 labels can be associated with a given resource.
#
# Clients should store labels in a representation such as JSON that does not
# depend on specific characters being disallowed.
#
# Example: <code>"environment" : "dev"</code>
# Read-write.
"a_key": "A String",
},
"projectNumber": "A String", # The number uniquely identifying the project.
#
# Example: <code>415104041262</code>
# Read-only.
"lifecycleState": "A String", # The Project lifecycle state.
#
# Read-only.
"createTime": "A String", # Creation time.
#
# Read-only.
}