// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";

package google.iam.v1;

import "google/type/expr.proto";

option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.Iam.V1";
option go_package = "cloud.google.com/go/iam/apiv1/iampb;iampb";
option java_multiple_files = true;
option java_outer_classname = "PolicyProto";
option java_package = "com.google.iam.v1";
option php_namespace = "Google\\Cloud\\Iam\\V1";

// An Identity and Access Management (IAM) policy, which specifies access
// controls for Google Cloud resources.
//
//
// A `Policy` is a collection of `bindings`. A `binding` binds one or more
// `members`, or principals, to a single `role`. Principals can be user
// accounts, service accounts, Google groups, and domains (such as G Suite). A
// `role` is a named list of permissions; each `role` can be an IAM predefined
// role or a user-created custom role.
//
// For some types of Google Cloud resources, a `binding` can also specify a
// `condition`, which is a logical expression that allows access to a resource
// only if the expression evaluates to `true`. A condition can add constraints
// based on attributes of the request, the resource, or both. To learn which
// resources support conditions in their IAM policies, see the
// [IAM
// documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
//
// **JSON example:**
//
// ```
//     {
//       "bindings": [
//         {
//           "role": "roles/resourcemanager.organizationAdmin",
//           "members": [
//             "user:mike@example.com",
//             "group:admins@example.com",
//             "domain:google.com",
//             "serviceAccount:my-project-id@appspot.gserviceaccount.com"
//           ]
//         },
//         {
//           "role": "roles/resourcemanager.organizationViewer",
//           "members": [
//             "user:eve@example.com"
//           ],
//           "condition": {
//             "title": "expirable access",
//             "description": "Does not grant access after Sep 2020",
//             "expression": "request.time <
//             timestamp('2020-10-01T00:00:00.000Z')",
//           }
//         }
//       ],
//       "etag": "BwWWja0YfJA=",
//       "version": 3
//     }
// ```
//
// **YAML example:**
//
// ```
//     bindings:
//     - members:
//       - user:mike@example.com
//       - group:admins@example.com
//       - domain:google.com
//       - serviceAccount:my-project-id@appspot.gserviceaccount.com
//       role: roles/resourcemanager.organizationAdmin
//     - members:
//       - user:eve@example.com
//       role: roles/resourcemanager.organizationViewer
//       condition:
//         title: expirable access
//         description: Does not grant access after Sep 2020
//         expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
//     etag: BwWWja0YfJA=
//     version: 3
// ```
//
// Note that the example policy carries a `condition`, which is why it is
// written with `version: 3`; a policy without conditions may leave `version`
// unset (see the `version` field below).
//
// For a description of IAM and its features, see the
// [IAM documentation](https://cloud.google.com/iam/docs/).
message Policy {
  // Specifies the format of the policy.
  //
  // Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
  // are rejected.
  //
  // Any operation that affects conditional role bindings must specify version
  // `3`. This requirement applies to the following operations:
  //
  // * Getting a policy that includes a conditional role binding
  // * Adding a conditional role binding to a policy
  // * Changing a conditional role binding in a policy
  // * Removing any role binding, with or without a condition, from a policy
  //   that includes conditions
  //
  // **Important:** If you use IAM Conditions, you must include the `etag` field
  // whenever you call `setIamPolicy`. If you omit this field, then IAM allows
  // you to overwrite a version `3` policy with a version `1` policy, and all of
  // the conditions in the version `3` policy are lost.
  //
  // If a policy does not include any conditions, operations on that policy may
  // specify any valid version or leave the field unset.
  //
  // To learn which resources support conditions in their IAM policies, see the
  // [IAM
  // documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
  int32 version = 1;

  // Associates a list of `members`, or principals, with a `role`. Optionally,
  // may specify a `condition` that determines how and when the `bindings` are
  // applied. Each of the `bindings` must contain at least one principal.
  //
  // The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
  // of these principals can be Google groups. Each occurrence of a principal
  // counts towards these limits. For example, if the `bindings` grant 50
  // different roles to `user:alice@example.com`, and not to any other
  // principal, then you can add another 1,450 principals to the `bindings` in
  // the `Policy`.
  //
  // NOTE(review): field numbers 2 and 5 are not declared in this message;
  // presumably they were retired upstream, so do not reuse them for new fields
  // without confirming against the canonical definition.
  repeated Binding bindings = 4;

  // Specifies cloud audit logging configuration for this policy.
  repeated AuditConfig audit_configs = 6;

  // `etag` is used for optimistic concurrency control as a way to help
  // prevent simultaneous updates of a policy from overwriting each other.
  // It is strongly suggested that systems make use of the `etag` in the
  // read-modify-write cycle to perform policy updates in order to avoid race
  // conditions: An `etag` is returned in the response to `getIamPolicy`, and
  // systems are expected to put that etag in the request to `setIamPolicy` to
  // ensure that their change will be applied to the same version of the policy.
  //
  // **Important:** If you use IAM Conditions, you must include the `etag` field
  // whenever you call `setIamPolicy`. If you omit this field, then IAM allows
  // you to overwrite a version `3` policy with a version `1` policy, and all of
  // the conditions in the version `3` policy are lost.
  //
  // In the JSON and YAML examples above the etag appears as the base64 text
  // `BwWWja0YfJA=`, which is how a `bytes` field is rendered in those
  // encodings. A client that drops the etag on write loses both the
  // concurrency protection and the version-`3` safeguard described above, so
  // a missing etag in a `setIamPolicy` call should be treated as a defect in
  // the caller rather than as a shortcut.
  bytes etag = 3;
}

// Associates `members`, or principals, with a `role`.
message Binding {
  // Role that is assigned to the list of `members`, or principals.
  // For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
  string role = 1;

  // Specifies the principals requesting access for a Google Cloud resource.
  // `members` can have the following values:
  //
  // * `allUsers`: A special identifier that represents anyone who is
  //    on the internet; with or without a Google account. A binding that
  //    grants a role to `allUsers` makes the resource reachable without any
  //    authentication, so treat it as public exposure when reviewing a
  //    policy.
  //
  // * `allAuthenticatedUsers`: A special identifier that represents anyone
  //    who is authenticated with a Google account or a service account.
  //    Because any Google account qualifies, this is not limited to accounts
  //    in your own organization.
  //
  // * `user:{emailid}`: An email address that represents a specific Google
  //    account. For example, `alice@example.com` .
  //
  //
  // * `serviceAccount:{emailid}`: An email address that represents a service
  //    account. For example, `my-other-app@appspot.gserviceaccount.com`.
  //
  // * `group:{emailid}`: An email address that represents a Google group.
  //    For example, `admins@example.com`.
  //
  // * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
  //    identifier) representing a user that has been recently deleted. For
  //    example, `alice@example.com?uid=123456789012345678901`. If the user is
  //    recovered, this value reverts to `user:{emailid}` and the recovered user
  //    retains the role in the binding.
  //
  // * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
  //    unique identifier) representing a service account that has been recently
  //    deleted. For example,
  //    `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
  //    If the service account is undeleted, this value reverts to
  //    `serviceAccount:{emailid}` and the undeleted service account retains the
  //    role in the binding.
  //
  // * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
  //    identifier) representing a Google group that has been recently
  //    deleted. For example, `admins@example.com?uid=123456789012345678901`. If
  //    the group is recovered, this value reverts to `group:{emailid}` and the
  //    recovered group retains the role in the binding.
  //
  //
  // * `domain:{domain}`: The G Suite domain (primary) that represents all the
  //    users of that domain. For example, `google.com` or `example.com`.
  //
  // Because the `deleted:` forms keep the role attached to a principal that
  // can later be recovered, a binding is only truly revoked when the entry is
  // removed from `members`, not when the principal is deleted.
  //
  repeated string members = 2;

  // The condition that is associated with this binding.
  //
  // If the condition evaluates to `true`, then this binding applies to the
  // current request.
  //
  // If the condition evaluates to `false`, then this binding does not apply to
  // the current request. However, a different role binding might grant the same
  // role to one or more of the principals in this binding.
  //
  // To learn which resources support conditions in their IAM policies, see the
  // [IAM
  // documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
  google.type.Expr condition = 3;
}

// Specifies the audit configuration for a service.
// The configuration determines which permission types are logged, and what
// identities, if any, are exempted from logging.
// An AuditConfig must have one or more AuditLogConfigs.
//
// If there are AuditConfigs for both `allServices` and a specific service,
// the union of the two AuditConfigs is used for that service: the log_types
// specified in each AuditConfig are enabled, and the exempted_members in each
// AuditLogConfig are exempted.
//
// Example Policy with multiple AuditConfigs:
//
//     {
//       "audit_configs": [
//         {
//           "service": "allServices",
//           "audit_log_configs": [
//             {
//               "log_type": "DATA_READ",
//               "exempted_members": [
//                 "user:jose@example.com"
//               ]
//             },
//             {
//               "log_type": "DATA_WRITE"
//             },
//             {
//               "log_type": "ADMIN_READ"
//             }
//           ]
//         },
//         {
//           "service": "sampleservice.googleapis.com",
//           "audit_log_configs": [
//             {
//               "log_type": "DATA_READ"
//             },
//             {
//               "log_type": "DATA_WRITE",
//               "exempted_members": [
//                 "user:aliya@example.com"
//               ]
//             }
//           ]
//         }
//       ]
//     }
//
// For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
// logging. It also exempts `jose@example.com` from DATA_READ logging, and
// `aliya@example.com` from DATA_WRITE logging.
message AuditConfig {
  // Specifies a service that will be enabled for audit logging.
  // For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
  // `allServices` is a special value that covers all services.
  string service = 1;

  // The configuration for logging of each type of permission.
  repeated AuditLogConfig audit_log_configs = 3;
}

// Provides the configuration for logging a type of permission.
// Example:
//
//     {
//       "audit_log_configs": [
//         {
//           "log_type": "DATA_READ",
//           "exempted_members": [
//             "user:jose@example.com"
//           ]
//         },
//         {
//           "log_type": "DATA_WRITE"
//         }
//       ]
//     }
//
// This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
// jose@example.com from DATA_READ logging.
message AuditLogConfig {
  // The list of valid permission types for which logging can be configured.
  // Admin writes are always logged, and are not configurable.
  enum LogType {
    // Default case. Should never be this.
    LOG_TYPE_UNSPECIFIED = 0;

    // Admin reads. Example: CloudIAM getIamPolicy
    ADMIN_READ = 1;

    // Data writes. Example: CloudSQL Users create
    DATA_WRITE = 2;

    // Data reads. Example: CloudSQL Users list
    DATA_READ = 3;
  }

  // The log type that this config enables.
  LogType log_type = 1;

  // Specifies the identities that do not cause logging for this type of
  // permission.
  // Follows the same format as
  // [Binding.members][google.iam.v1.Binding.members].
  //
  // Every entry here removes audit coverage for that principal's access of
  // this `log_type` on the service; per the union rule documented on
  // `AuditConfig`, an exemption under `allServices` also applies to
  // service-specific configs. Keep this list minimal and review it together
  // with the policy's `bindings`.
  repeated string exempted_members = 2;
}

// The difference delta between two policies.
message PolicyDelta {
  // The delta for Bindings between two policies.
  repeated BindingDelta binding_deltas = 1;

  // The delta for AuditConfigs between two policies.
  repeated AuditConfigDelta audit_config_deltas = 2;
}

// One delta entry for Binding. Each individual change (only one member in each
// entry) to a binding will be a separate entry.
message BindingDelta {
  // The type of action performed on a Binding in a policy.
  enum Action {
    // Unspecified.
    ACTION_UNSPECIFIED = 0;

    // Addition of a Binding.
    ADD = 1;

    // Removal of a Binding.
    REMOVE = 2;
  }

  // The action that was performed on a Binding.
  // Required
  Action action = 1;

  // Role that is assigned to `members`.
  // For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
  // Required
  string role = 2;

  // A single identity requesting access for a Google Cloud resource.
  // Follows the same format as Binding.members.
  // Required
  string member = 3;

  // The condition that is associated with this binding.
  google.type.Expr condition = 4;
}

// One delta entry for AuditConfig. Each individual change (only one
// exempted_member in each entry) to an AuditConfig will be a separate entry.
message AuditConfigDelta {
  // The type of action performed on an audit configuration in a policy.
  enum Action {
    // Unspecified.
    ACTION_UNSPECIFIED = 0;

    // Addition of an audit configuration.
    ADD = 1;

    // Removal of an audit configuration.
    REMOVE = 2;
  }

  // The action that was performed on an audit configuration in a policy.
  // Required
  Action action = 1;

  // Specifies a service that was configured for Cloud Audit Logging.
  // For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
  // `allServices` is a special value that covers all services.
  // Required
  string service = 2;

  // A single identity that is exempted from "data access" audit
  // logging for the `service` specified above.
  // Follows the same format as Binding.members.
  string exempted_member = 3;

  // Specifies the log_type that was enabled. ADMIN_ACTIVITY is always
  // enabled, and cannot be configured.
  // Required
  //
  // NOTE(review): this is declared as `string`, whereas
  // `AuditLogConfig.log_type` is the `LogType` enum; presumably it carries the
  // enum value's name (for example `DATA_READ`) — confirm against the
  // producer. `ADMIN_ACTIVITY` here presumably refers to the always-on admin
  // writes described on `AuditLogConfig.LogType`; it is not a member of that
  // enum.
  string log_type = 4;
}