generated/google/apis/cloudresourcemanager_v2/classes.rb in google-api-client-0.32.0 vs generated/google/apis/cloudresourcemanager_v2/classes.rb in google-api-client-0.32.1
- old
+ new
@@ -503,54 +503,68 @@
end
end
# Defines an Identity and Access Management (IAM) policy. It is used to
# specify access control policies for Cloud Platform resources.
- # A `Policy` consists of a list of `bindings`. A `binding` binds a list of
- # `members` to a `role`, where the members can be user accounts, Google groups,
- # Google domains, and service accounts. A `role` is a named list of permissions
- # defined by IAM.
+ # A `Policy` is a collection of `bindings`. A `binding` binds one or more
+ # `members` to a single `role`. Members can be user accounts, service accounts,
+ # Google groups, and domains (such as G Suite). A `role` is a named list of
+ # permissions (defined by IAM or configured by users). A `binding` can
+ # optionally specify a `condition`, which is a logic expression that further
+ # constrains the role binding based on attributes about the request and/or
+ # target resource.
# **JSON Example**
# `
# "bindings": [
# `
- # "role": "roles/owner",
+ # "role": "roles/resourcemanager.organizationAdmin",
# "members": [
# "user:mike@example.com",
# "group:admins@example.com",
# "domain:google.com",
- # "serviceAccount:my-other-app@appspot.gserviceaccount.com"
+ # "serviceAccount:my-project-id@appspot.gserviceaccount.com"
# ]
# `,
# `
- # "role": "roles/viewer",
- # "members": ["user:sean@example.com"]
+ # "role": "roles/resourcemanager.organizationViewer",
+ # "members": ["user:eve@example.com"],
+ # "condition": `
+ # "title": "expirable access",
+ # "description": "Does not grant access after Sep 2020",
+ # "expression": "request.time <
+ # timestamp('2020-10-01T00:00:00.000Z')",
# `
+ # `
# ]
# `
# **YAML Example**
# bindings:
# - members:
# - user:mike@example.com
# - group:admins@example.com
# - domain:google.com
- # - serviceAccount:my-other-app@appspot.gserviceaccount.com
- # role: roles/owner
+ # - serviceAccount:my-project-id@appspot.gserviceaccount.com
+ # role: roles/resourcemanager.organizationAdmin
# - members:
- # - user:sean@example.com
- # role: roles/viewer
+ # - user:eve@example.com
+ # role: roles/resourcemanager.organizationViewer
+ # condition:
+ # title: expirable access
+ # description: Does not grant access after Sep 2020
+ # expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
# For a description of IAM and its features, see the
# [IAM developer's guide](https://cloud.google.com/iam/docs).
class Policy
include Google::Apis::Core::Hashable
# Specifies cloud audit logging configuration for this policy.
# Corresponds to the JSON property `auditConfigs`
# @return [Array<Google::Apis::CloudresourcemanagerV2::AuditConfig>]
attr_accessor :audit_configs
- # Associates a list of `members` to a `role`.
+ # Associates a list of `members` to a `role`. Optionally may specify a
+ # `condition` that determines when binding is in effect.
# `bindings` with no members will result in an error.
# Corresponds to the JSON property `bindings`
# @return [Array<Google::Apis::CloudresourcemanagerV2::Binding>]
attr_accessor :bindings
@@ -560,22 +574,28 @@
# read-modify-write cycle to perform policy updates in order to avoid race
# conditions: An `etag` is returned in the response to `getIamPolicy`, and
# systems are expected to put that etag in the request to `setIamPolicy` to
# ensure that their change will be applied to the same version of the policy.
# If no `etag` is provided in the call to `setIamPolicy`, then the existing
- # policy is overwritten.
+ # policy is overwritten. Due to blind-set semantics of an etag-less policy,
+ # 'setIamPolicy' will not fail even if either of incoming or stored policy
+ # does not meet the version requirements.
# Corresponds to the JSON property `etag`
# NOTE: Values are automatically base64 encoded/decoded in the client library.
# @return [String]
attr_accessor :etag
# Specifies the format of the policy.
# Valid values are 0, 1, and 3. Requests specifying an invalid value will be
# rejected.
- # Policies with any conditional bindings must specify version 3. Policies
- # without any conditional bindings may specify any valid value or leave the
- # field unset.
+ # Operations affecting conditional bindings must specify version 3. This can
+ # be either setting a conditional policy, modifying a conditional binding,
+ # or removing a conditional binding from the stored conditional policy.
+ # Operations on non-conditional policies may specify any valid value or
+ # leave the field unset.
+ # If no etag is provided in the call to `setIamPolicy`, any version
+ # compliance checks on the incoming and/or stored policy is skipped.
# Corresponds to the JSON property `version`
# @return [Fixnum]
attr_accessor :version
def initialize(**args)
@@ -712,42 +732,55 @@
class SetIamPolicyRequest
include Google::Apis::Core::Hashable
# Defines an Identity and Access Management (IAM) policy. It is used to
# specify access control policies for Cloud Platform resources.
- # A `Policy` consists of a list of `bindings`. A `binding` binds a list of
- # `members` to a `role`, where the members can be user accounts, Google groups,
- # Google domains, and service accounts. A `role` is a named list of permissions
- # defined by IAM.
+ # A `Policy` is a collection of `bindings`. A `binding` binds one or more
+ # `members` to a single `role`. Members can be user accounts, service accounts,
+ # Google groups, and domains (such as G Suite). A `role` is a named list of
+ # permissions (defined by IAM or configured by users). A `binding` can
+ # optionally specify a `condition`, which is a logic expression that further
+ # constrains the role binding based on attributes about the request and/or
+ # target resource.
# **JSON Example**
# `
# "bindings": [
# `
- # "role": "roles/owner",
+ # "role": "roles/resourcemanager.organizationAdmin",
# "members": [
# "user:mike@example.com",
# "group:admins@example.com",
# "domain:google.com",
- # "serviceAccount:my-other-app@appspot.gserviceaccount.com"
+ # "serviceAccount:my-project-id@appspot.gserviceaccount.com"
# ]
# `,
# `
- # "role": "roles/viewer",
- # "members": ["user:sean@example.com"]
+ # "role": "roles/resourcemanager.organizationViewer",
+ # "members": ["user:eve@example.com"],
+ # "condition": `
+ # "title": "expirable access",
+ # "description": "Does not grant access after Sep 2020",
+ # "expression": "request.time <
+ # timestamp('2020-10-01T00:00:00.000Z')",
# `
+ # `
# ]
# `
# **YAML Example**
# bindings:
# - members:
# - user:mike@example.com
# - group:admins@example.com
# - domain:google.com
- # - serviceAccount:my-other-app@appspot.gserviceaccount.com
- # role: roles/owner
+ # - serviceAccount:my-project-id@appspot.gserviceaccount.com
+ # role: roles/resourcemanager.organizationAdmin
# - members:
- # - user:sean@example.com
- # role: roles/viewer
+ # - user:eve@example.com
+ # role: roles/resourcemanager.organizationViewer
+ # condition:
+ # title: expirable access
+ # description: Does not grant access after Sep 2020
+ # expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
# For a description of IAM and its features, see the
# [IAM developer's guide](https://cloud.google.com/iam/docs).
# Corresponds to the JSON property `policy`
# @return [Google::Apis::CloudresourcemanagerV2::Policy]
attr_accessor :policy