1// Copyright 2022 Google LLC 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15syntax = "proto3"; 16 17package google.iam.v1; 18 19import "google/api/annotations.proto"; 20import "google/api/client.proto"; 21import "google/api/field_behavior.proto"; 22import "google/api/resource.proto"; 23import "google/iam/v1/options.proto"; 24import "google/iam/v1/policy.proto"; 25import "google/protobuf/field_mask.proto"; 26 27option cc_enable_arenas = true; 28option csharp_namespace = "Google.Cloud.Iam.V1"; 29option go_package = "cloud.google.com/go/iam/apiv1/iampb;iampb"; 30option java_multiple_files = true; 31option java_outer_classname = "IamPolicyProto"; 32option java_package = "com.google.iam.v1"; 33option php_namespace = "Google\\Cloud\\Iam\\V1"; 34 35// API Overview 36// 37// 38// Manages Identity and Access Management (IAM) policies. 39// 40// Any implementation of an API that offers access control features 41// implements the google.iam.v1.IAMPolicy interface. 42// 43// ## Data model 44// 45// Access control is applied when a principal (user or service account), takes 46// some action on a resource exposed by a service. Resources, identified by 47// URI-like names, are the unit of access control specification. Service 48// implementations can choose the granularity of access control and the 49// supported permissions for their resources. 50// For example one database service may allow access control to be 51// specified only at the Table level, whereas another might allow access control 52// to also be specified at the Column level. 53// 54// ## Policy Structure 55// 56// See google.iam.v1.Policy 57// 58// This is intentionally not a CRUD style API because access control policies 59// are created and deleted implicitly with the resources to which they are 60// attached. 61service IAMPolicy { 62 option (google.api.default_host) = "iam-meta-api.googleapis.com"; 63 64 // Sets the access control policy on the specified resource. Replaces any 65 // existing policy. 66 // 67 // Can return `NOT_FOUND`, `INVALID_ARGUMENT`, and `PERMISSION_DENIED` errors. 68 rpc SetIamPolicy(SetIamPolicyRequest) returns (Policy) { 69 option (google.api.http) = { 70 post: "/v1/{resource=**}:setIamPolicy" 71 body: "*" 72 }; 73 } 74 75 // Gets the access control policy for a resource. 76 // Returns an empty policy if the resource exists and does not have a policy 77 // set. 78 rpc GetIamPolicy(GetIamPolicyRequest) returns (Policy) { 79 option (google.api.http) = { 80 post: "/v1/{resource=**}:getIamPolicy" 81 body: "*" 82 }; 83 } 84 85 // Returns permissions that a caller has on the specified resource. 86 // If the resource does not exist, this will return an empty set of 87 // permissions, not a `NOT_FOUND` error. 88 // 89 // Note: This operation is designed to be used for building permission-aware 90 // UIs and command-line tools, not for authorization checking. This operation 91 // may "fail open" without warning. 92 rpc TestIamPermissions(TestIamPermissionsRequest) returns (TestIamPermissionsResponse) { 93 option (google.api.http) = { 94 post: "/v1/{resource=**}:testIamPermissions" 95 body: "*" 96 }; 97 } 98} 99 100// Request message for `SetIamPolicy` method. 101message SetIamPolicyRequest { 102 // REQUIRED: The resource for which the policy is being specified. 103 // See the operation documentation for the appropriate value for this field. 104 string resource = 1 [ 105 (google.api.field_behavior) = REQUIRED, 106 (google.api.resource_reference).type = "*"]; 107 108 // REQUIRED: The complete policy to be applied to the `resource`. The size of 109 // the policy is limited to a few 10s of KB. An empty policy is a 110 // valid policy but certain Cloud Platform services (such as Projects) 111 // might reject them. 112 Policy policy = 2 [(google.api.field_behavior) = REQUIRED]; 113 114 // OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only 115 // the fields in the mask will be modified. If no mask is provided, the 116 // following default mask is used: 117 // 118 // `paths: "bindings, etag"` 119 google.protobuf.FieldMask update_mask = 3; 120} 121 122// Request message for `GetIamPolicy` method. 123message GetIamPolicyRequest { 124 // REQUIRED: The resource for which the policy is being requested. 125 // See the operation documentation for the appropriate value for this field. 126 string resource = 1 [ 127 (google.api.field_behavior) = REQUIRED, 128 (google.api.resource_reference).type = "*"]; 129 130 // OPTIONAL: A `GetPolicyOptions` object for specifying options to 131 // `GetIamPolicy`. 132 GetPolicyOptions options = 2; 133} 134 135// Request message for `TestIamPermissions` method. 136message TestIamPermissionsRequest { 137 // REQUIRED: The resource for which the policy detail is being requested. 138 // See the operation documentation for the appropriate value for this field. 139 string resource = 1[ 140 (google.api.field_behavior) = REQUIRED, 141 (google.api.resource_reference).type = "*"]; 142 143 // The set of permissions to check for the `resource`. Permissions with 144 // wildcards (such as '*' or 'storage.*') are not allowed. For more 145 // information see 146 // [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions). 147 repeated string permissions = 2 [(google.api.field_behavior) = REQUIRED]; 148} 149 150// Response message for `TestIamPermissions` method. 151message TestIamPermissionsResponse { 152 // A subset of `TestPermissionsRequest.permissions` that the caller is 153 // allowed. 154 repeated string permissions = 1; 155} 156