# frozen_string_literal: true
# Generated by the protocol buffer compiler. DO NOT EDIT!
# source: google/iam/v1/policy.proto
require 'google/protobuf'
require 'google/type/expr_pb'
descriptor_data = "\n\x1agoogle/iam/v1/policy.proto\x12\rgoogle.iam.v1\x1a\x16google/type/expr.proto\"\x84\x01\n\x06Policy\x12\x0f\n\x07version\x18\x01 \x01(\x05\x12(\n\x08\x62indings\x18\x04 \x03(\x0b\x32\x16.google.iam.v1.Binding\x12\x31\n\raudit_configs\x18\x06 \x03(\x0b\x32\x1a.google.iam.v1.AuditConfig\x12\x0c\n\x04\x65tag\x18\x03 \x01(\x0c\"N\n\x07\x42inding\x12\x0c\n\x04role\x18\x01 \x01(\t\x12\x0f\n\x07members\x18\x02 \x03(\t\x12$\n\tcondition\x18\x03 \x01(\x0b\x32\x11.google.type.Expr\"X\n\x0b\x41uditConfig\x12\x0f\n\x07service\x18\x01 \x01(\t\x12\x38\n\x11\x61udit_log_configs\x18\x03 \x03(\x0b\x32\x1d.google.iam.v1.AuditLogConfig\"\xb7\x01\n\x0e\x41uditLogConfig\x12\x37\n\x08log_type\x18\x01 \x01(\x0e\x32%.google.iam.v1.AuditLogConfig.LogType\x12\x18\n\x10\x65xempted_members\x18\x02 \x03(\t\"R\n\x07LogType\x12\x18\n\x14LOG_TYPE_UNSPECIFIED\x10\x00\x12\x0e\n\nADMIN_READ\x10\x01\x12\x0e\n\nDATA_WRITE\x10\x02\x12\r\n\tDATA_READ\x10\x03\"\x80\x01\n\x0bPolicyDelta\x12\x33\n\x0e\x62inding_deltas\x18\x01 \x03(\x0b\x32\x1b.google.iam.v1.BindingDelta\x12<\n\x13\x61udit_config_deltas\x18\x02 \x03(\x0b\x32\x1f.google.iam.v1.AuditConfigDelta\"\xbd\x01\n\x0c\x42indingDelta\x12\x32\n\x06\x61\x63tion\x18\x01 \x01(\x0e\x32\".google.iam.v1.BindingDelta.Action\x12\x0c\n\x04role\x18\x02 \x01(\t\x12\x0e\n\x06member\x18\x03 \x01(\t\x12$\n\tcondition\x18\x04 \x01(\x0b\x32\x11.google.type.Expr\"5\n\x06\x41\x63tion\x12\x16\n\x12\x41\x43TION_UNSPECIFIED\x10\x00\x12\x07\n\x03\x41\x44\x44\x10\x01\x12\n\n\x06REMOVE\x10\x02\"\xbd\x01\n\x10\x41uditConfigDelta\x12\x36\n\x06\x61\x63tion\x18\x01 \x01(\x0e\x32&.google.iam.v1.AuditConfigDelta.Action\x12\x0f\n\x07service\x18\x02 \x01(\t\x12\x17\n\x0f\x65xempted_member\x18\x03 \x01(\t\x12\x10\n\x08log_type\x18\x04 \x01(\t\"5\n\x06\x41\x63tion\x12\x16\n\x12\x41\x43TION_UNSPECIFIED\x10\x00\x12\x07\n\x03\x41\x44\x44\x10\x01\x12\n\n\x06REMOVE\x10\x02\x42|\n\x11\x63om.google.iam.v1B\x0bPolicyProtoP\x01Z)cloud.google.com/go/iam/apiv1/iampb;iampb\xf8\x01\x01\xaa\x02\x13Google.Cloud.Iam.V1\xca\x02\x13Google\\Cloud\\Iam\\V1b\x06proto3"
pool = Google::Protobuf::DescriptorPool.generated_pool
begin
pool.add_serialized_file(descriptor_data)
rescue TypeError
# Compatibility code: will be removed in the next major version.
require 'google/protobuf/descriptor_pb'
parsed = Google::Protobuf::FileDescriptorProto.decode(descriptor_data)
parsed.clear_dependency
serialized = parsed.class.encode(parsed)
file = pool.add_serialized_file(serialized)
warn "Warning: Protobuf detected an import path issue while loading generated file #{__FILE__}"
imports = [
["google.type.Expr", "google/type/expr.proto"],
]
imports.each do |type_name, expected_filename|
import_file = pool.lookup(type_name).file_descriptor
if import_file.name != expected_filename
warn "- #{file.name} imports #{expected_filename}, but that import was loaded as #{import_file.name}"
end
end
warn "Each proto file must use a consistent fully-qualified name."
warn "This will become an error in the next major version."
end
module Google
module Iam
module V1
Policy = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.iam.v1.Policy").msgclass
Binding = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.iam.v1.Binding").msgclass
AuditConfig = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.iam.v1.AuditConfig").msgclass
AuditLogConfig = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.iam.v1.AuditLogConfig").msgclass
AuditLogConfig::LogType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.iam.v1.AuditLogConfig.LogType").enummodule
PolicyDelta = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.iam.v1.PolicyDelta").msgclass
BindingDelta = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.iam.v1.BindingDelta").msgclass
BindingDelta::Action = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.iam.v1.BindingDelta.Action").enummodule
AuditConfigDelta = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.iam.v1.AuditConfigDelta").msgclass
AuditConfigDelta::Action = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.iam.v1.AuditConfigDelta.Action").enummodule
end
end
end
#### Source proto file: google/iam/v1/policy.proto ####
#
# // Copyright 2023 Google LLC
# //
# // Licensed under the Apache License, Version 2.0 (the "License");
# // you may not use this file except in compliance with the License.
# // You may obtain a copy of the License at
# //
# // http://www.apache.org/licenses/LICENSE-2.0
# //
# // Unless required by applicable law or agreed to in writing, software
# // distributed under the License is distributed on an "AS IS" BASIS,
# // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# // See the License for the specific language governing permissions and
# // limitations under the License.
#
# syntax = "proto3";
#
# package google.iam.v1;
#
# import "google/type/expr.proto";
#
# option cc_enable_arenas = true;
# option csharp_namespace = "Google.Cloud.Iam.V1";
# option go_package = "cloud.google.com/go/iam/apiv1/iampb;iampb";
# option java_multiple_files = true;
# option java_outer_classname = "PolicyProto";
# option java_package = "com.google.iam.v1";
# option php_namespace = "Google\\Cloud\\Iam\\V1";
#
# // An Identity and Access Management (IAM) policy, which specifies access
# // controls for Google Cloud resources.
# //
# //
# // A `Policy` is a collection of `bindings`. A `binding` binds one or more
# // `members`, or principals, to a single `role`. Principals can be user
# // accounts, service accounts, Google groups, and domains (such as G Suite). A
# // `role` is a named list of permissions; each `role` can be an IAM predefined
# // role or a user-created custom role.
# //
# // For some types of Google Cloud resources, a `binding` can also specify a
# // `condition`, which is a logical expression that allows access to a resource
# // only if the expression evaluates to `true`. A condition can add constraints
# // based on attributes of the request, the resource, or both. To learn which
# // resources support conditions in their IAM policies, see the
# // [IAM
# // documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
# //
# // **JSON example:**
# //
# // ```
# // {
# // "bindings": [
# // {
# // "role": "roles/resourcemanager.organizationAdmin",
# // "members": [
# // "user:mike@example.com",
# // "group:admins@example.com",
# // "domain:google.com",
# // "serviceAccount:my-project-id@appspot.gserviceaccount.com"
# // ]
# // },
# // {
# // "role": "roles/resourcemanager.organizationViewer",
# // "members": [
# // "user:eve@example.com"
# // ],
# // "condition": {
# // "title": "expirable access",
# // "description": "Does not grant access after Sep 2020",
# // "expression": "request.time <
# // timestamp('2020-10-01T00:00:00.000Z')",
# // }
# // }
# // ],
# // "etag": "BwWWja0YfJA=",
# // "version": 3
# // }
# // ```
# //
# // **YAML example:**
# //
# // ```
# // bindings:
# // - members:
# // - user:mike@example.com
# // - group:admins@example.com
# // - domain:google.com
# // - serviceAccount:my-project-id@appspot.gserviceaccount.com
# // role: roles/resourcemanager.organizationAdmin
# // - members:
# // - user:eve@example.com
# // role: roles/resourcemanager.organizationViewer
# // condition:
# // title: expirable access
# // description: Does not grant access after Sep 2020
# // expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
# // etag: BwWWja0YfJA=
# // version: 3
# // ```
# //
# // For a description of IAM and its features, see the
# // [IAM documentation](https://cloud.google.com/iam/docs/).
# message Policy {
# // Specifies the format of the policy.
# //
# // Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
# // are rejected.
# //
# // Any operation that affects conditional role bindings must specify version
# // `3`. This requirement applies to the following operations:
# //
# // * Getting a policy that includes a conditional role binding
# // * Adding a conditional role binding to a policy
# // * Changing a conditional role binding in a policy
# // * Removing any role binding, with or without a condition, from a policy
# // that includes conditions
# //
# // **Important:** If you use IAM Conditions, you must include the `etag` field
# // whenever you call `setIamPolicy`. If you omit this field, then IAM allows
# // you to overwrite a version `3` policy with a version `1` policy, and all of
# // the conditions in the version `3` policy are lost.
# //
# // If a policy does not include any conditions, operations on that policy may
# // specify any valid version or leave the field unset.
# //
# // To learn which resources support conditions in their IAM policies, see the
# // [IAM
# // documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
# int32 version = 1;
#
# // Associates a list of `members`, or principals, with a `role`. Optionally,
# // may specify a `condition` that determines how and when the `bindings` are
# // applied. Each of the `bindings` must contain at least one principal.
# //
# // The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
# // of these principals can be Google groups. Each occurrence of a principal
# // counts towards these limits. For example, if the `bindings` grant 50
# // different roles to `user:alice@example.com`, and not to any other
# // principal, then you can add another 1,450 principals to the `bindings` in
# // the `Policy`.
# repeated Binding bindings = 4;
#
# // Specifies cloud audit logging configuration for this policy.
# repeated AuditConfig audit_configs = 6;
#
# // `etag` is used for optimistic concurrency control as a way to help
# // prevent simultaneous updates of a policy from overwriting each other.
# // It is strongly suggested that systems make use of the `etag` in the
# // read-modify-write cycle to perform policy updates in order to avoid race
# // conditions: An `etag` is returned in the response to `getIamPolicy`, and
# // systems are expected to put that etag in the request to `setIamPolicy` to
# // ensure that their change will be applied to the same version of the policy.
# //
# // **Important:** If you use IAM Conditions, you must include the `etag` field
# // whenever you call `setIamPolicy`. If you omit this field, then IAM allows
# // you to overwrite a version `3` policy with a version `1` policy, and all of
# // the conditions in the version `3` policy are lost.
# bytes etag = 3;
# }
#
# // Associates `members`, or principals, with a `role`.
# message Binding {
# // Role that is assigned to the list of `members`, or principals.
# // For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
# string role = 1;
#
# // Specifies the principals requesting access for a Google Cloud resource.
# // `members` can have the following values:
# //
# // * `allUsers`: A special identifier that represents anyone who is
# // on the internet; with or without a Google account.
# //
# // * `allAuthenticatedUsers`: A special identifier that represents anyone
# // who is authenticated with a Google account or a service account.
# //
# // * `user:{emailid}`: An email address that represents a specific Google
# // account. For example, `alice@example.com` .
# //
# //
# // * `serviceAccount:{emailid}`: An email address that represents a service
# // account. For example, `my-other-app@appspot.gserviceaccount.com`.
# //
# // * `group:{emailid}`: An email address that represents a Google group.
# // For example, `admins@example.com`.
# //
# // * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
# // identifier) representing a user that has been recently deleted. For
# // example, `alice@example.com?uid=123456789012345678901`. If the user is
# // recovered, this value reverts to `user:{emailid}` and the recovered user
# // retains the role in the binding.
# //
# // * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
# // unique identifier) representing a service account that has been recently
# // deleted. For example,
# // `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
# // If the service account is undeleted, this value reverts to
# // `serviceAccount:{emailid}` and the undeleted service account retains the
# // role in the binding.
# //
# // * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
# // identifier) representing a Google group that has been recently
# // deleted. For example, `admins@example.com?uid=123456789012345678901`. If
# // the group is recovered, this value reverts to `group:{emailid}` and the
# // recovered group retains the role in the binding.
# //
# //
# // * `domain:{domain}`: The G Suite domain (primary) that represents all the
# // users of that domain. For example, `google.com` or `example.com`.
# //
# //
# repeated string members = 2;
#
# // The condition that is associated with this binding.
# //
# // If the condition evaluates to `true`, then this binding applies to the
# // current request.
# //
# // If the condition evaluates to `false`, then this binding does not apply to
# // the current request. However, a different role binding might grant the same
# // role to one or more of the principals in this binding.
# //
# // To learn which resources support conditions in their IAM policies, see the
# // [IAM
# // documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
# google.type.Expr condition = 3;
# }
#
# // Specifies the audit configuration for a service.
# // The configuration determines which permission types are logged, and what
# // identities, if any, are exempted from logging.
# // An AuditConfig must have one or more AuditLogConfigs.
# //
# // If there are AuditConfigs for both `allServices` and a specific service,
# // the union of the two AuditConfigs is used for that service: the log_types
# // specified in each AuditConfig are enabled, and the exempted_members in each
# // AuditLogConfig are exempted.
# //
# // Example Policy with multiple AuditConfigs:
# //
# // {
# // "audit_configs": [
# // {
# // "service": "allServices",
# // "audit_log_configs": [
# // {
# // "log_type": "DATA_READ",
# // "exempted_members": [
# // "user:jose@example.com"
# // ]
# // },
# // {
# // "log_type": "DATA_WRITE"
# // },
# // {
# // "log_type": "ADMIN_READ"
# // }
# // ]
# // },
# // {
# // "service": "sampleservice.googleapis.com",
# // "audit_log_configs": [
# // {
# // "log_type": "DATA_READ"
# // },
# // {
# // "log_type": "DATA_WRITE",
# // "exempted_members": [
# // "user:aliya@example.com"
# // ]
# // }
# // ]
# // }
# // ]
# // }
# //
# // For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
# // logging. It also exempts `jose@example.com` from DATA_READ logging, and
# // `aliya@example.com` from DATA_WRITE logging.
# message AuditConfig {
# // Specifies a service that will be enabled for audit logging.
# // For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
# // `allServices` is a special value that covers all services.
# string service = 1;
#
# // The configuration for logging of each type of permission.
# repeated AuditLogConfig audit_log_configs = 3;
# }
#
# // Provides the configuration for logging a type of permissions.
# // Example:
# //
# // {
# // "audit_log_configs": [
# // {
# // "log_type": "DATA_READ",
# // "exempted_members": [
# // "user:jose@example.com"
# // ]
# // },
# // {
# // "log_type": "DATA_WRITE"
# // }
# // ]
# // }
# //
# // This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
# // jose@example.com from DATA_READ logging.
# message AuditLogConfig {
# // The list of valid permission types for which logging can be configured.
# // Admin writes are always logged, and are not configurable.
# enum LogType {
# // Default case. Should never be this.
# LOG_TYPE_UNSPECIFIED = 0;
#
# // Admin reads. Example: CloudIAM getIamPolicy
# ADMIN_READ = 1;
#
# // Data writes. Example: CloudSQL Users create
# DATA_WRITE = 2;
#
# // Data reads. Example: CloudSQL Users list
# DATA_READ = 3;
# }
#
# // The log type that this config enables.
# LogType log_type = 1;
#
# // Specifies the identities that do not cause logging for this type of
# // permission.
# // Follows the same format of
# // [Binding.members][google.iam.v1.Binding.members].
# repeated string exempted_members = 2;
# }
#
# // The difference delta between two policies.
# message PolicyDelta {
# // The delta for Bindings between two policies.
# repeated BindingDelta binding_deltas = 1;
#
# // The delta for AuditConfigs between two policies.
# repeated AuditConfigDelta audit_config_deltas = 2;
# }
#
# // One delta entry for Binding. Each individual change (only one member in each
# // entry) to a binding will be a separate entry.
# message BindingDelta {
# // The type of action performed on a Binding in a policy.
# enum Action {
# // Unspecified.
# ACTION_UNSPECIFIED = 0;
#
# // Addition of a Binding.
# ADD = 1;
#
# // Removal of a Binding.
# REMOVE = 2;
# }
#
# // The action that was performed on a Binding.
# // Required
# Action action = 1;
#
# // Role that is assigned to `members`.
# // For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
# // Required
# string role = 2;
#
# // A single identity requesting access for a Google Cloud resource.
# // Follows the same format of Binding.members.
# // Required
# string member = 3;
#
# // The condition that is associated with this binding.
# google.type.Expr condition = 4;
# }
#
# // One delta entry for AuditConfig. Each individual change (only one
# // exempted_member in each entry) to a AuditConfig will be a separate entry.
# message AuditConfigDelta {
# // The type of action performed on an audit configuration in a policy.
# enum Action {
# // Unspecified.
# ACTION_UNSPECIFIED = 0;
#
# // Addition of an audit configuration.
# ADD = 1;
#
# // Removal of an audit configuration.
# REMOVE = 2;
# }
#
# // The action that was performed on an audit configuration in a policy.
# // Required
# Action action = 1;
#
# // Specifies a service that was configured for Cloud Audit Logging.
# // For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
# // `allServices` is a special value that covers all services.
# // Required
# string service = 2;
#
# // A single identity that is exempted from "data access" audit
# // logging for the `service` specified above.
# // Follows the same format of Binding.members.
# string exempted_member = 3;
#
# // Specifies the log_type that was be enabled. ADMIN_ACTIVITY is always
# // enabled, and cannot be configured.
# // Required
# string log_type = 4;
# }