feat: serviceAccountKeyName, serviceAccountDelegationInfo, and princi…

…palSubject attributes added to the existing access attribute (#375) * feat: serviceAccountKeyName, serviceAccountDelegationInfo, and principalSubject attributes added to the existing access attribute. These new attributes provide additional context about the principals that are associated with the finding PiperOrigin-RevId: 469787268 Source-Link: googleapis/googleapis@c7a52f4 Source-Link: googleapis/googleapis-gen@4e23576 Copy-Tag: eyJwIjoiLmdpdGh1Yi8uT3dsQm90LnlhbWwiLCJoIjoiNGUyMzU3NjVjM2YwOTY2MjE0M2JjMGEyYjA4ZjEyYmMwZmUwYzkzZiJ9 * 🦉 Updates from OwlBot post-processor See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
googleapis · Aug 24, 2022 · 14a49c3 · 14a49c3
1 parent 5a9c0e8
commit 14a49c3
Show file tree

Hide file tree

Showing 4 changed files with 88 additions and 3 deletions.
diff --git a/packages/google-cloud-securitycenter/google/cloud/securitycenter/__init__.py b/packages/google-cloud-securitycenter/google/cloud/securitycenter/__init__.py
@@ -20,7 +20,11 @@
 from google.cloud.securitycenter_v1.services.security_center.client import (
     SecurityCenterClient,
 )
-from google.cloud.securitycenter_v1.types.access import Access, Geolocation
+from google.cloud.securitycenter_v1.types.access import (
+    Access,
+    Geolocation,
+    ServiceAccountDelegationInfo,
+)
 from google.cloud.securitycenter_v1.types.asset import Asset
 from google.cloud.securitycenter_v1.types.bigquery_export import BigQueryExport
 from google.cloud.securitycenter_v1.types.compliance import Compliance
@@ -113,6 +117,7 @@
     "SecurityCenterAsyncClient",
     "Access",
     "Geolocation",
+    "ServiceAccountDelegationInfo",
     "Asset",
     "BigQueryExport",
     "Compliance",

diff --git a/packages/google-cloud-securitycenter/google/cloud/securitycenter_v1/__init__.py b/packages/google-cloud-securitycenter/google/cloud/securitycenter_v1/__init__.py
@@ -15,7 +15,7 @@
 #
 
 from .services.security_center import SecurityCenterAsyncClient, SecurityCenterClient
-from .types.access import Access, Geolocation
+from .types.access import Access, Geolocation, ServiceAccountDelegationInfo
 from .types.asset import Asset
 from .types.bigquery_export import BigQueryExport
 from .types.compliance import Compliance
@@ -158,6 +158,7 @@
     "RunAssetDiscoveryResponse",
     "SecurityCenterClient",
     "SecurityMarks",
+    "ServiceAccountDelegationInfo",
     "SetFindingStateRequest",
     "SetMuteRequest",
     "Source",

diff --git a/packages/google-cloud-securitycenter/google/cloud/securitycenter_v1/types/__init__.py b/packages/google-cloud-securitycenter/google/cloud/securitycenter_v1/types/__init__.py
@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-from .access import Access, Geolocation
+from .access import Access, Geolocation, ServiceAccountDelegationInfo
 from .asset import Asset
 from .bigquery_export import BigQueryExport
 from .compliance import Compliance
@@ -90,6 +90,7 @@
 __all__ = (
     "Access",
     "Geolocation",
+    "ServiceAccountDelegationInfo",
     "Asset",
     "BigQueryExport",
     "Compliance",

diff --git a/packages/google-cloud-securitycenter/google/cloud/securitycenter_v1/types/access.py b/packages/google-cloud-securitycenter/google/cloud/securitycenter_v1/types/access.py
@@ -19,6 +19,7 @@
     package="google.cloud.securitycenter.v1",
     manifest={
         "Access",
+        "ServiceAccountDelegationInfo",
         "Geolocation",
     },
 )
@@ -30,6 +31,15 @@ class Access(proto.Message):
     Attributes:
         principal_email (str):
             Associated email, such as "foo@google.com".
+
+            The email address of the authenticated user (or service
+            account on behalf of third party principal) making the
+            request. For third party identity callers, the
+            ``principal_subject`` field is populated instead of this
+            field. For privacy reasons, the principal email address is
+            sometimes redacted. For more information, see `Caller
+            identities in audit
+            logs <https://cloud.google.com/logging/docs/audit#user-id>`__.
         caller_ip (str):
             Caller's IP address, such as "1.1.1.1".
         caller_ip_geo (google.cloud.securitycenter_v1.types.Geolocation):
@@ -46,6 +56,32 @@ class Access(proto.Message):
         method_name (str):
             The method that the service account called,
             e.g. "SetIamPolicy".
+        principal_subject (str):
+            A string representing the principal_subject associated with
+            the identity. As compared to ``principal_email``, supports
+            principals that aren't associated with email addresses, such
+            as third party principals. For most identities, the format
+            will be
+            ``principal://iam.googleapis.com/{identity pool name}/subjects/{subject}``
+            except for some GKE identities (GKE_WORKLOAD, FREEFORM,
+            GKE_HUB_WORKLOAD) that are still in the legacy format
+            ``serviceAccount:{identity pool name}[{subject}]``
+        service_account_key_name (str):
+            The name of the service account key used to create or
+            exchange credentials for authenticating the service account
+            making the request. This is a scheme-less URI full resource
+            name. For example:
+
+            "//iam.googleapis.com/projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}".
+        service_account_delegation_info (Sequence[google.cloud.securitycenter_v1.types.ServiceAccountDelegationInfo]):
+            Identity delegation history of an
+            authenticated service account that makes the
+            request. It contains information on the real
+            authorities that try to access GCP resources by
+            delegating on a service account. When multiple
+            authorities are present, they are guaranteed to
+            be sorted based on the original ordering of the
+            identity delegation events.
     """
 
     principal_email = proto.Field(
@@ -73,6 +109,48 @@ class Access(proto.Message):
         proto.STRING,
         number=6,
     )
+    principal_subject = proto.Field(
+        proto.STRING,
+        number=7,
+    )
+    service_account_key_name = proto.Field(
+        proto.STRING,
+        number=8,
+    )
+    service_account_delegation_info = proto.RepeatedField(
+        proto.MESSAGE,
+        number=9,
+        message="ServiceAccountDelegationInfo",
+    )
+
+
+class ServiceAccountDelegationInfo(proto.Message):
+    r"""Identity delegation history of an authenticated service
+    account.
+
+    Attributes:
+        principal_email (str):
+            The email address of a Google account.
+        principal_subject (str):
+            A string representing the principal_subject associated with
+            the identity. As compared to ``principal_email``, supports
+            principals that aren't associated with email addresses, such
+            as third party principals. For most identities, the format
+            will be
+            ``principal://iam.googleapis.com/{identity pool name}/subjects/{subject}``
+            except for some GKE identities (GKE_WORKLOAD, FREEFORM,
+            GKE_HUB_WORKLOAD) that are still in the legacy format
+            ``serviceAccount:{identity pool name}[{subject}]``
+    """
+
+    principal_email = proto.Field(
+        proto.STRING,
+        number=1,
+    )
+    principal_subject = proto.Field(
+        proto.STRING,
+        number=2,
+    )
 
 
 class Geolocation(proto.Message):