From 79c3d66de5c00a76ea0baaa6e4d6b660fa3bfb6a Mon Sep 17 00:00:00 2001 
From: Yoshi Automation Date: Tue, 2 May 2023 01:37:53 +0000 Subject: [PATCH] feat(cloudasset): update the API #### cloudasset:v1 The following keys were added: - resources.v1.methods.analyzeIamPolicy.parameters.analysisQuery.options.includeDenyPolicyAnalysis.description - resources.v1.methods.analyzeIamPolicy.parameters.analysisQuery.options.includeDenyPolicyAnalysis.location - resources.v1.methods.analyzeIamPolicy.parameters.analysisQuery.options.includeDenyPolicyAnalysis.type - schemas.DeniedAccess.description - schemas.DeniedAccess.id - schemas.DeniedAccess.properties.deniedAccessTuple.$ref - schemas.DeniedAccess.properties.deniedAccessTuple.description - schemas.DeniedAccess.properties.denyDetails.description - schemas.DeniedAccess.properties.denyDetails.items.$ref - schemas.DeniedAccess.properties.denyDetails.type - schemas.DeniedAccess.type - schemas.GoogleCloudAssetV1DeniedAccessAccess.description - schemas.GoogleCloudAssetV1DeniedAccessAccess.id - schemas.GoogleCloudAssetV1DeniedAccessAccess.properties.permission.description - schemas.GoogleCloudAssetV1DeniedAccessAccess.properties.permission.type - schemas.GoogleCloudAssetV1DeniedAccessAccess.properties.role.description - schemas.GoogleCloudAssetV1DeniedAccessAccess.properties.role.type - schemas.GoogleCloudAssetV1DeniedAccessAccess.type - schemas.GoogleCloudAssetV1DeniedAccessAccessTuple.description - schemas.GoogleCloudAssetV1DeniedAccessAccessTuple.id - schemas.GoogleCloudAssetV1DeniedAccessAccessTuple.properties.access.$ref - schemas.GoogleCloudAssetV1DeniedAccessAccessTuple.properties.access.description - schemas.GoogleCloudAssetV1DeniedAccessAccessTuple.properties.identity.$ref - schemas.GoogleCloudAssetV1DeniedAccessAccessTuple.properties.identity.description - schemas.GoogleCloudAssetV1DeniedAccessAccessTuple.properties.resource.$ref - schemas.GoogleCloudAssetV1DeniedAccessAccessTuple.properties.resource.description - schemas.GoogleCloudAssetV1DeniedAccessAccessTuple.type - 
schemas.GoogleCloudAssetV1DeniedAccessDenyDetail.description - schemas.GoogleCloudAssetV1DeniedAccessDenyDetail.id - schemas.GoogleCloudAssetV1DeniedAccessDenyDetail.properties.accesses.description - schemas.GoogleCloudAssetV1DeniedAccessDenyDetail.properties.accesses.items.$ref - schemas.GoogleCloudAssetV1DeniedAccessDenyDetail.properties.accesses.type - schemas.GoogleCloudAssetV1DeniedAccessDenyDetail.properties.denyRule.$ref - schemas.GoogleCloudAssetV1DeniedAccessDenyDetail.properties.denyRule.description - schemas.GoogleCloudAssetV1DeniedAccessDenyDetail.properties.fullyDenied.description - schemas.GoogleCloudAssetV1DeniedAccessDenyDetail.properties.fullyDenied.type - schemas.GoogleCloudAssetV1DeniedAccessDenyDetail.properties.identities.description - schemas.GoogleCloudAssetV1DeniedAccessDenyDetail.properties.identities.items.$ref - schemas.GoogleCloudAssetV1DeniedAccessDenyDetail.properties.identities.type - schemas.GoogleCloudAssetV1DeniedAccessDenyDetail.properties.resources.description - schemas.GoogleCloudAssetV1DeniedAccessDenyDetail.properties.resources.items.$ref - schemas.GoogleCloudAssetV1DeniedAccessDenyDetail.properties.resources.type - schemas.GoogleCloudAssetV1DeniedAccessDenyDetail.type - schemas.GoogleCloudAssetV1DeniedAccessIdentity.description - schemas.GoogleCloudAssetV1DeniedAccessIdentity.id - schemas.GoogleCloudAssetV1DeniedAccessIdentity.properties.name.description - schemas.GoogleCloudAssetV1DeniedAccessIdentity.properties.name.type - schemas.GoogleCloudAssetV1DeniedAccessIdentity.type - schemas.GoogleCloudAssetV1DeniedAccessResource.description - schemas.GoogleCloudAssetV1DeniedAccessResource.id - schemas.GoogleCloudAssetV1DeniedAccessResource.properties.fullResourceName.description - schemas.GoogleCloudAssetV1DeniedAccessResource.properties.fullResourceName.type - schemas.GoogleCloudAssetV1DeniedAccessResource.type - schemas.GoogleIamV2DenyRule.description - schemas.GoogleIamV2DenyRule.id - 
schemas.GoogleIamV2DenyRule.properties.denialCondition.$ref - schemas.GoogleIamV2DenyRule.properties.denialCondition.description - schemas.GoogleIamV2DenyRule.properties.deniedPermissions.description - schemas.GoogleIamV2DenyRule.properties.deniedPermissions.items.type - schemas.GoogleIamV2DenyRule.properties.deniedPermissions.type - schemas.GoogleIamV2DenyRule.properties.deniedPrincipals.description - schemas.GoogleIamV2DenyRule.properties.deniedPrincipals.items.type - schemas.GoogleIamV2DenyRule.properties.deniedPrincipals.type - schemas.GoogleIamV2DenyRule.properties.exceptionPermissions.description - schemas.GoogleIamV2DenyRule.properties.exceptionPermissions.items.type - schemas.GoogleIamV2DenyRule.properties.exceptionPermissions.type - schemas.GoogleIamV2DenyRule.properties.exceptionPrincipals.description - schemas.GoogleIamV2DenyRule.properties.exceptionPrincipals.items.type - schemas.GoogleIamV2DenyRule.properties.exceptionPrincipals.type - schemas.GoogleIamV2DenyRule.type - schemas.IamPolicyAnalysis.properties.deniedAccesses.description - schemas.IamPolicyAnalysis.properties.deniedAccesses.items.$ref - schemas.IamPolicyAnalysis.properties.deniedAccesses.type - schemas.Options.properties.includeDenyPolicyAnalysis.description - schemas.Options.properties.includeDenyPolicyAnalysis.type The following keys were changed: - schemas.GoogleCloudAssetV1AnalyzeOrgPolicyGovernedAssetsResponseGovernedIamPolicy.properties.attachedResource.description - schemas.GoogleCloudAssetV1Identity.properties.name.description
---
 discovery/cloudasset-v1.json | 171 ++++++++++++++++++++++++++++++++++-
 src/apis/cloudasset/v1.ts | 129 +++++++++++++++++++++++++-
 2 files changed, 295 insertions(+), 5 deletions(-)
diff --git a/discovery/cloudasset-v1.json b/discovery/cloudasset-v1.json
index 659c1bc4de..510bbc10fe 100644
--- a/discovery/cloudasset-v1.json
+++ b/discovery/cloudasset-v1.json
@@ -601,6 +601,11 @@ "location": "query", "type": "boolean" }, + "analysisQuery.options.includeDenyPolicyAnalysis": { + "description": "Optional. If true, the response includes deny policy analysis results, and you can see which access tuples are denied. Default is false.", + "location": "query", + "type": "boolean" + }, "analysisQuery.options.outputGroupEdges": { "description": "Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false.", "location": "query", @@ -1095,7 +1100,7 @@ } } }, - "revision": "20230318", + "revision": "20230421", "rootUrl": "https://cloudasset.googleapis.com/", "schemas": { "AccessSelector": { @@ -1585,6 +1590,24 @@ }, "type": "object" }, + "DeniedAccess": { + "description": "A denied access contains details about an access tuple that is blocked by IAM deny policies.", + "id": "DeniedAccess", + "properties": { + "deniedAccessTuple": { + "$ref": "GoogleCloudAssetV1DeniedAccessAccessTuple", + "description": "A denied access tuple that is either fully or partially denied by IAM deny rules. This access tuple should match at least one access tuple derived from IamPolicyAnalysisResult." + }, + "denyDetails": { + "description": "The details about how denied_access_tuple is denied.", + "items": { + "$ref": "GoogleCloudAssetV1DeniedAccessDenyDetail" + }, + "type": "array" + } + }, + "type": "object" + }, "EffectiveIamPolicy": { "description": "The effective IAM policies on one resource.", "id": "EffectiveIamPolicy", 
@@ -1868,7 +1891,7 @@ "id": "GoogleCloudAssetV1AnalyzeOrgPolicyGovernedAssetsResponseGovernedIamPolicy", "properties": { "attachedResource": { - "description": "The full resource name of the resource associated with this IAM policy. Example: `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`. See [Cloud Asset Inventory Resource Name Format](https://cloud.google.com/asset-inventory/docs/resource-name-format) for more information.", + "description": "The full resource name of the resource on which this IAM policy is set. Example: `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`. See [Cloud Asset Inventory Resource Name Format](https://cloud.google.com/asset-inventory/docs/resource-name-format) for more information.", "type": "string" }, "folders": { 
@@ -2064,6 +2087,98 @@ }, "type": "object" }, + "GoogleCloudAssetV1DeniedAccessAccess": { + "description": "An IAM role or permission under analysis.", + "id": "GoogleCloudAssetV1DeniedAccessAccess", + "properties": { + "permission": { + "description": "The IAM permission in [v1 format](https://cloud.google.com/iam/docs/permissions-reference)", + "type": "string" + }, + "role": { + "description": "The IAM role.", + "type": "string" + } + }, + "type": "object" + }, + "GoogleCloudAssetV1DeniedAccessAccessTuple": { + "description": "An access tuple contains a tuple of a resource, an identity and an access.", + "id": "GoogleCloudAssetV1DeniedAccessAccessTuple", + "properties": { + "access": { + "$ref": "GoogleCloudAssetV1DeniedAccessAccess", + "description": "One access from IamPolicyAnalysisResult.AccessControlList.accesses." + }, + "identity": { + "$ref": "GoogleCloudAssetV1DeniedAccessIdentity", + "description": "One identity from IamPolicyAnalysisResult.IdentityList.identities." + }, + "resource": { + "$ref": "GoogleCloudAssetV1DeniedAccessResource", + "description": "One resource from IamPolicyAnalysisResult.AccessControlList.resources." + } + }, + "type": "object" + }, + "GoogleCloudAssetV1DeniedAccessDenyDetail": { + "description": "A deny detail that explains which IAM deny rule denies the denied_access_tuple.", + "id": "GoogleCloudAssetV1DeniedAccessDenyDetail", + "properties": { + "accesses": { + "description": "The denied accesses. If this deny_rule fully denies the denied_access_tuple, this field will be same as AccessTuple.access. Otherwise, this field can contain AccessTuple.access and its descendant accesses, such as a subset of IAM permissions contained in an IAM role.", + "items": { + "$ref": "GoogleCloudAssetV1DeniedAccessAccess" + }, + "type": "array" + }, + "denyRule": { + "$ref": "GoogleIamV2DenyRule", + "description": "A deny rule in an IAM deny policy." 
+ }, + "fullyDenied": { + "description": "Whether the deny_rule fully denies all access granted by the denied_access_tuple. `True` means the deny rule fully blocks the access tuple. `False` means the deny rule partially blocks the access tuple.\"", + "type": "boolean" + }, + "identities": { + "description": "If this deny_rule fully denies the denied_access_tuple, this field will be same as AccessTuple.identity. Otherwise, this field can contain AccessTuple.identity and its descendant identities, such as a subset of users in a group.", + "items": { + "$ref": "GoogleCloudAssetV1DeniedAccessIdentity" + }, + "type": "array" + }, + "resources": { + "description": "The resources that the identities are denied access to. If this deny_rule fully denies the denied_access_tuple, this field will be same as AccessTuple.resource. Otherwise, this field can contain AccessTuple.resource and its descendant resources.", + "items": { + "$ref": "GoogleCloudAssetV1DeniedAccessResource" + }, + "type": "array" + } + }, + "type": "object" + }, + "GoogleCloudAssetV1DeniedAccessIdentity": { + "description": "An identity under analysis.", + "id": "GoogleCloudAssetV1DeniedAccessIdentity", + "properties": { + "name": { + "description": "The identity of members, formatted as appear in an [IAM policy binding](https://cloud.google.com/iam/reference/rest/v1/Binding). 
For example, they might be formatted like the following: - user:foo@google.com - group:group1@google.com - serviceAccount:s1@prj1.iam.gserviceaccount.com - projectOwner:some_project_id - domain:google.com - allUsers", + "type": "string" + } + }, + "type": "object" + }, + "GoogleCloudAssetV1DeniedAccessResource": { + "description": "A Google Cloud resource under analysis.", + "id": "GoogleCloudAssetV1DeniedAccessResource", + "properties": { + "fullResourceName": { + "description": "The [full resource name](https://cloud.google.com/asset-inventory/docs/resource-name-format)", + "type": "string" + } + }, + "type": "object" + }, "GoogleCloudAssetV1Edge": { "description": "A directional edge.", "id": "GoogleCloudAssetV1Edge", @@ -2125,7 +2240,7 @@ "description": "The analysis state of this identity." }, "name": { - "description": "The identity name in any form of members appear in [IAM policy binding](https://cloud.google.com/iam/reference/rest/v1/Binding), such as: - user:foo@google.com - group:group1@google.com - serviceAccount:s1@prj1.iam.gserviceaccount.com - projectOwner:some_project_id - domain:google.com - allUsers - etc.", + "description": "The identity of members, formatted as appear in an [IAM policy binding](https://cloud.google.com/iam/reference/rest/v1/Binding). For example, they might be formatted like the following: - user:foo@google.com - group:group1@google.com - serviceAccount:s1@prj1.iam.gserviceaccount.com - projectOwner:some_project_id - domain:google.com - allUsers", "type": "string" } }, 
@@ -2507,6 +2622,45 @@ "properties": {}, "type": "object" }, + "GoogleIamV2DenyRule": { + "description": "A deny rule in an IAM deny policy.", + "id": "GoogleIamV2DenyRule", + "properties": { + "denialCondition": { + "$ref": "Expr", + "description": "The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to `true`, then the deny rule is applied; otherwise, the deny rule is not applied. Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply. The condition can use CEL functions that evaluate [resource tags](https://cloud.google.com/iam/help/conditions/resource-tags). Other functions and operators are not supported." + }, + "deniedPermissions": { + "description": "The permissions that are explicitly denied by this rule. Each permission uses the format `{service_fqdn}/{resource}.{verb}`, where `{service_fqdn}` is the fully qualified domain name for the service. For example, `iam.googleapis.com/roles.list`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "deniedPrincipals": { + "description": "The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values: * `principalSet://goog/public:all`: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in. * `principal://goog/subject/{email_id}`: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, `principal://goog/subject/alice@example.com`. * `deleted:principal://goog/subject/{email_id}?uid={uid}`: A specific Google Account that was deleted recently. For example, `deleted:principal://goog/subject/alice@example.com?uid=1234567890`. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account. 
* `principalSet://goog/group/{group_id}`: A Google group. For example, `principalSet://goog/group/admins@example.com`. * `deleted:principalSet://goog/group/{group_id}?uid={uid}`: A Google group that was deleted recently. For example, `deleted:principalSet://goog/group/admins@example.com?uid=1234567890`. If the Google group is restored, this identifier reverts to the standard identifier for a Google group. * `principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}`: A Google Cloud service account. For example, `principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com`. * `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}`: A Google Cloud service account that was deleted recently. For example, `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890`. If the service account is undeleted, this identifier reverts to the standard identifier for a service account. * `principalSet://goog/cloudIdentityCustomerId/{customer_id}`: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, `principalSet://goog/cloudIdentityCustomerId/C01Abc35`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "exceptionPermissions": { + "description": "Specifies the permissions that this rule excludes from the set of denied permissions given by `denied_permissions`. If a permission appears in `denied_permissions` _and_ in `exception_permissions` then it will _not_ be denied. The excluded permissions can be specified using the same syntax as `denied_permissions`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "exceptionPrincipals": { + "description": "The identities that are excluded from the deny rule, even if they are listed in the `denied_principals`. 
For example, you could add a Google group to the `denied_principals`, then exclude specific users who belong to that group. This field can contain the same values as the `denied_principals` field, excluding `principalSet://goog/public:all`, which represents all users on the internet.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, "GoogleIdentityAccesscontextmanagerV1AccessLevel": { "description": "An `AccessLevel` is a label that can be applied to requests to Google Cloud services, along with a list of requirements necessary for the label to be applied.", "id": "GoogleIdentityAccesscontextmanagerV1AccessLevel", @@ -3061,6 +3215,13 @@ }, "type": "array" }, + "deniedAccesses": { + "description": "A list of DeniedAccess, which contains all access tuples in the analysis_results that are denied by IAM deny policies. If no access tuples are denied, the list is empty. This is only populated when IamPolicyAnalysisQuery.Options.include_deny_policy_analysis is true.", + "items": { + "$ref": "DeniedAccess" + }, + "type": "array" + }, "fullyExplored": { "description": "Represents whether all entries in the analysis_results have been fully explored to answer the query.", "type": "boolean" 
@@ -3497,6 +3658,10 @@ "description": "Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to set. Default is false.", "type": "boolean" }, + "includeDenyPolicyAnalysis": { + "description": "Optional. If true, the response includes deny policy analysis results, and you can see which access tuples are denied. Default is false.", + "type": "boolean" + }, "outputGroupEdges": { "description": "Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false.", "type": "boolean" diff --git a/src/apis/cloudasset/v1.ts b/src/apis/cloudasset/v1.ts index 95a5f3b9f4..5da2d0d35e 100644 --- a/src/apis/cloudasset/v1.ts +++ b/src/apis/cloudasset/v1.ts @@ -498,6 +498,19 @@ export namespace cloudasset_v1 { */ year?: number | null; } + /** + * A denied access contains details about an access tuple that is blocked by IAM deny policies. + */ + export interface Schema$DeniedAccess { + /** + * A denied access tuple that is either fully or partially denied by IAM deny rules. This access tuple should match at least one access tuple derived from IamPolicyAnalysisResult. + */ + deniedAccessTuple?: Schema$GoogleCloudAssetV1DeniedAccessAccessTuple; + /** + * The details about how denied_access_tuple is denied. + */ + denyDetails?: Schema$GoogleCloudAssetV1DeniedAccessDenyDetail[]; + } /** * The effective IAM policies on one resource. */ 
@@ -689,7 +702,7 @@ export namespace cloudasset_v1 { */ export interface Schema$GoogleCloudAssetV1AnalyzeOrgPolicyGovernedAssetsResponseGovernedIamPolicy { /** - * The full resource name of the resource associated with this IAM policy. Example: `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`. See [Cloud Asset Inventory Resource Name Format](https://cloud.google.com/asset-inventory/docs/resource-name-format) for more information. + * The full resource name of the resource on which this IAM policy is set. Example: `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`. See [Cloud Asset Inventory Resource Name Format](https://cloud.google.com/asset-inventory/docs/resource-name-format) for more information. */ attachedResource?: string | null; /** 
@@ -821,6 +834,79 @@ export namespace cloudasset_v1 { */ resourceTypes?: string[] | null; } + /** + * An IAM role or permission under analysis. + */ + export interface Schema$GoogleCloudAssetV1DeniedAccessAccess { + /** + * The IAM permission in [v1 format](https://cloud.google.com/iam/docs/permissions-reference) + */ + permission?: string | null; + /** + * The IAM role. + */ + role?: string | null; + } + /** + * An access tuple contains a tuple of a resource, an identity and an access. + */ + export interface Schema$GoogleCloudAssetV1DeniedAccessAccessTuple { + /** + * One access from IamPolicyAnalysisResult.AccessControlList.accesses. + */ + access?: Schema$GoogleCloudAssetV1DeniedAccessAccess; + /** + * One identity from IamPolicyAnalysisResult.IdentityList.identities. + */ + identity?: Schema$GoogleCloudAssetV1DeniedAccessIdentity; + /** + * One resource from IamPolicyAnalysisResult.AccessControlList.resources. + */ + resource?: Schema$GoogleCloudAssetV1DeniedAccessResource; + } + /** + * A deny detail that explains which IAM deny rule denies the denied_access_tuple. + */ + export interface Schema$GoogleCloudAssetV1DeniedAccessDenyDetail { + /** + * The denied accesses. If this deny_rule fully denies the denied_access_tuple, this field will be same as AccessTuple.access. Otherwise, this field can contain AccessTuple.access and its descendant accesses, such as a subset of IAM permissions contained in an IAM role. + */ + accesses?: Schema$GoogleCloudAssetV1DeniedAccessAccess[]; + /** + * A deny rule in an IAM deny policy. + */ + denyRule?: Schema$GoogleIamV2DenyRule; + /** + * Whether the deny_rule fully denies all access granted by the denied_access_tuple. `True` means the deny rule fully blocks the access tuple. `False` means the deny rule partially blocks the access tuple." + */ + fullyDenied?: boolean | null; + /** + * If this deny_rule fully denies the denied_access_tuple, this field will be same as AccessTuple.identity. 
Otherwise, this field can contain AccessTuple.identity and its descendant identities, such as a subset of users in a group. + */ + identities?: Schema$GoogleCloudAssetV1DeniedAccessIdentity[]; + /** + * The resources that the identities are denied access to. If this deny_rule fully denies the denied_access_tuple, this field will be same as AccessTuple.resource. Otherwise, this field can contain AccessTuple.resource and its descendant resources. + */ + resources?: Schema$GoogleCloudAssetV1DeniedAccessResource[]; + } + /** + * An identity under analysis. + */ + export interface Schema$GoogleCloudAssetV1DeniedAccessIdentity { + /** + * The identity of members, formatted as appear in an [IAM policy binding](https://cloud.google.com/iam/reference/rest/v1/Binding). For example, they might be formatted like the following: - user:foo@google.com - group:group1@google.com - serviceAccount:s1@prj1.iam.gserviceaccount.com - projectOwner:some_project_id - domain:google.com - allUsers + */ + name?: string | null; + } + /** + * A Google Cloud resource under analysis. + */ + export interface Schema$GoogleCloudAssetV1DeniedAccessResource { + /** + * The [full resource name](https://cloud.google.com/asset-inventory/docs/resource-name-format) + */ + fullResourceName?: string | null; + } /** * A directional edge. */ 
@@ -873,7 +959,7 @@ export namespace cloudasset_v1 { */ analysisState?: Schema$IamPolicyAnalysisState; /** - * The identity name in any form of members appear in [IAM policy binding](https://cloud.google.com/iam/reference/rest/v1/Binding), such as: - user:foo@google.com - group:group1@google.com - serviceAccount:s1@prj1.iam.gserviceaccount.com - projectOwner:some_project_id - domain:google.com - allUsers - etc. + * The identity of members, formatted as appear in an [IAM policy binding](https://cloud.google.com/iam/reference/rest/v1/Binding). For example, they might be formatted like the following: - user:foo@google.com - group:group1@google.com - serviceAccount:s1@prj1.iam.gserviceaccount.com - projectOwner:some_project_id - domain:google.com - allUsers */ name?: string | null; } 
@@ -1175,6 +1261,31 @@ export namespace cloudasset_v1 { * Ignores policies set above this resource and restores the `constraint_default` enforcement behavior of the specific `Constraint` at this resource. Suppose that `constraint_default` is set to `ALLOW` for the `Constraint` `constraints/serviceuser.services`. Suppose that organization foo.com sets a `Policy` at their Organization resource node that restricts the allowed service activations to deny all service activations. They could then set a `Policy` with the `policy_type` `restore_default` on several experimental projects, restoring the `constraint_default` enforcement of the `Constraint` for only those projects, allowing those projects to have all services activated. */ export interface Schema$GoogleCloudOrgpolicyV1RestoreDefault {} + /** + * A deny rule in an IAM deny policy. + */ + export interface Schema$GoogleIamV2DenyRule { + /** + * The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to `true`, then the deny rule is applied; otherwise, the deny rule is not applied. Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply. The condition can use CEL functions that evaluate [resource tags](https://cloud.google.com/iam/help/conditions/resource-tags). Other functions and operators are not supported. + */ + denialCondition?: Schema$Expr; + /** + * The permissions that are explicitly denied by this rule. Each permission uses the format `{service_fqdn\}/{resource\}.{verb\}`, where `{service_fqdn\}` is the fully qualified domain name for the service. For example, `iam.googleapis.com/roles.list`. + */ + deniedPermissions?: string[] | null; + /** + * The identities that are prevented from using one or more permissions on Google Cloud resources. 
This field can contain the following values: * `principalSet://goog/public:all`: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in. * `principal://goog/subject/{email_id\}`: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, `principal://goog/subject/alice@example.com`. * `deleted:principal://goog/subject/{email_id\}?uid={uid\}`: A specific Google Account that was deleted recently. For example, `deleted:principal://goog/subject/alice@example.com?uid=1234567890`. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account. * `principalSet://goog/group/{group_id\}`: A Google group. For example, `principalSet://goog/group/admins@example.com`. * `deleted:principalSet://goog/group/{group_id\}?uid={uid\}`: A Google group that was deleted recently. For example, `deleted:principalSet://goog/group/admins@example.com?uid=1234567890`. If the Google group is restored, this identifier reverts to the standard identifier for a Google group. * `principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id\}`: A Google Cloud service account. For example, `principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com`. * `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id\}?uid={uid\}`: A Google Cloud service account that was deleted recently. For example, `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890`. If the service account is undeleted, this identifier reverts to the standard identifier for a service account. * `principalSet://goog/cloudIdentityCustomerId/{customer_id\}`: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. 
For example, `principalSet://goog/cloudIdentityCustomerId/C01Abc35`. + */ + deniedPrincipals?: string[] | null; + /** + * Specifies the permissions that this rule excludes from the set of denied permissions given by `denied_permissions`. If a permission appears in `denied_permissions` _and_ in `exception_permissions` then it will _not_ be denied. The excluded permissions can be specified using the same syntax as `denied_permissions`. + */ + exceptionPermissions?: string[] | null; + /** + * The identities that are excluded from the deny rule, even if they are listed in the `denied_principals`. For example, you could add a Google group to the `denied_principals`, then exclude specific users who belong to that group. This field can contain the same values as the `denied_principals` field, excluding `principalSet://goog/public:all`, which represents all users on the internet. + */ + exceptionPrincipals?: string[] | null; + } /** * An `AccessLevel` is a label that can be applied to requests to Google Cloud services, along with a list of requirements necessary for the label to be applied. */ @@ -1534,6 +1645,10 @@ export namespace cloudasset_v1 { * A list of IamPolicyAnalysisResult that matches the analysis query, or empty if no result is found. */ analysisResults?: Schema$IamPolicyAnalysisResult[]; + /** + * A list of DeniedAccess, which contains all access tuples in the analysis_results that are denied by IAM deny policies. If no access tuples are denied, the list is empty. This is only populated when IamPolicyAnalysisQuery.Options.include_deny_policy_analysis is true. + */ + deniedAccesses?: Schema$DeniedAccess[]; /** * Represents whether all entries in the analysis_results have been fully explored to answer the query. */ 
@@ -1839,6 +1954,10 @@ export namespace cloudasset_v1 { * Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to set. Default is false. */ expandRoles?: boolean | null; + /** + * Optional. If true, the response includes deny policy analysis results, and you can see which access tuples are denied. Default is false. + */ + includeDenyPolicyAnalysis?: boolean | null; /** * Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false. */ @@ -4669,6 +4788,8 @@ export namespace cloudasset_v1 { * 'analysisQuery.options.expandResources': 'placeholder-value', * // Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to set. Default is false. * 'analysisQuery.options.expandRoles': 'placeholder-value', + * // Optional. If true, the response includes deny policy analysis results, and you can see which access tuples are denied. Default is false. + * 'analysisQuery.options.includeDenyPolicyAnalysis': 'placeholder-value', * // Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false. * 'analysisQuery.options.outputGroupEdges': 'placeholder-value', * // Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false. 
@@ -6289,6 +6410,10 @@ export namespace cloudasset_v1 { * Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to set. Default is false. */ 'analysisQuery.options.expandRoles'?: boolean; + /** + * Optional. If true, the response includes deny policy analysis results, and you can see which access tuples are denied. Default is false. + */ + 'analysisQuery.options.includeDenyPolicyAnalysis'?: boolean; /** * Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false. */