// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.policytroubleshooter.v1;

import "google/api/annotations.proto";
import "google/api/client.proto";
// Public import: files that import this one also see the definitions from
// explanations.proto. AccessTuple, AccessState and ExplainedPolicy are not
// declared in this file; presumably they come from this import.
import public "google/cloud/policytroubleshooter/v1/explanations.proto";
import "google/rpc/status.proto";

option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.PolicyTroubleshooter.V1";
option go_package = "cloud.google.com/go/policytroubleshooter/apiv1/policytroubleshooterpb;policytroubleshooterpb";
option java_multiple_files = true;
option java_outer_classname = "IAMCheckerProto";
option java_package = "com.google.cloud.policytroubleshooter.v1";
option php_namespace = "Google\\Cloud\\PolicyTroubleshooter\\V1";
option ruby_package = "Google::Cloud::PolicyTroubleshooter::V1";

// IAM Policy Troubleshooter service.
//
// Use this service to troubleshoot access issues for Google Cloud resources.
service IamChecker {
  option (google.api.default_host) = "policytroubleshooter.googleapis.com";
  // NOTE(review): cloud-platform is the only OAuth scope listed here. It is a
  // broad scope, so per-call authorization presumably rests on the caller's
  // IAM permissions rather than on the scope - confirm in the service docs.
  option (google.api.oauth_scopes) =
      "https://www.googleapis.com/auth/cloud-platform";

  // Determines whether a principal holds a specific permission on a specific
  // resource, and explains why the principal does or does not hold it.
  //
  // Over HTTP this is a POST to /v1/iam:troubleshoot; `body: "*"` maps the
  // whole request message to the HTTP request body.
  rpc TroubleshootIamPolicy(TroubleshootIamPolicyRequest)
      returns (TroubleshootIamPolicyResponse) {
    option (google.api.http) = {
      post: "/v1/iam:troubleshoot"
      body: "*"
    };
  }
}

// Request message for
// [TroubleshootIamPolicy][google.cloud.policytroubleshooter.v1.IamChecker.TroubleshootIamPolicy].
message TroubleshootIamPolicyRequest {
  // The inputs for the check: which principal, which permission and which
  // resource to evaluate.
  //
  // NOTE(review): this file attaches no field-behavior annotation here, so
  // the schema alone does not mark the field as required.
  AccessTuple access_tuple = 1;
}

// Response message for
// [TroubleshootIamPolicy][google.cloud.policytroubleshooter.v1.IamChecker.TroubleshootIamPolicy].
message TroubleshootIamPolicyResponse {
  // Whether the principal has the specified permission on the specified
  // resource, after evaluating all of the applicable IAM policies.
  //
  // NOTE(review): AccessState is declared outside this file. Consumers
  // should treat only an explicit granted value as confirmation of access;
  // the proto3 zero value and any unknown or conditional states are not a
  // grant. Confirm the exact values in explanations.proto.
  AccessState access = 1;

  // The IAM policies that were evaluated while checking the principal's
  // permissions, each annotated to show how it contributed to the final
  // result.
  //
  // The list can include the policy set on the resource itself. It can also
  // include policies inherited from higher levels of the resource hierarchy,
  // including the organization, the folder, and the project.
  //
  // To learn more about the resource hierarchy, see
  // https://cloud.google.com/iam/help/resource-hierarchy.
  //
  // These entries describe IAM policy content, so handle responses as
  // sensitive data when logging or storing them.
  repeated ExplainedPolicy explained_policies = 2;

  // The general errors contained in the troubleshooting response.
  //
  // NOTE(review): this file does not say whether `access` is still
  // meaningful when this list is non-empty. Callers should inspect `errors`
  // before acting on `access` - confirm against the service documentation.
  repeated google.rpc.Status errors = 3;
}