1// Copyright 2023 Google LLC 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15syntax = "proto3"; 16 17package google.iam.v1; 18 19import "google/type/expr.proto"; 20 21option cc_enable_arenas = true; 22option csharp_namespace = "Google.Cloud.Iam.V1"; 23option go_package = "cloud.google.com/go/iam/apiv1/iampb;iampb"; 24option java_multiple_files = true; 25option java_outer_classname = "PolicyProto"; 26option java_package = "com.google.iam.v1"; 27option php_namespace = "Google\\Cloud\\Iam\\V1"; 28 29// An Identity and Access Management (IAM) policy, which specifies access 30// controls for Google Cloud resources. 31// 32// 33// A `Policy` is a collection of `bindings`. A `binding` binds one or more 34// `members`, or principals, to a single `role`. Principals can be user 35// accounts, service accounts, Google groups, and domains (such as G Suite). A 36// `role` is a named list of permissions; each `role` can be an IAM predefined 37// role or a user-created custom role. 38// 39// For some types of Google Cloud resources, a `binding` can also specify a 40// `condition`, which is a logical expression that allows access to a resource 41// only if the expression evaluates to `true`. A condition can add constraints 42// based on attributes of the request, the resource, or both. To learn which 43// resources support conditions in their IAM policies, see the 44// [IAM 45// documentation](https://cloud.google.com/iam/help/conditions/resource-policies). 46// 47// **JSON example:** 48// 49// ``` 50// { 51// "bindings": [ 52// { 53// "role": "roles/resourcemanager.organizationAdmin", 54// "members": [ 55// "user:[email protected]", 56// "group:[email protected]", 57// "domain:google.com", 58// "serviceAccount:[email protected]" 59// ] 60// }, 61// { 62// "role": "roles/resourcemanager.organizationViewer", 63// "members": [ 64// "user:[email protected]" 65// ], 66// "condition": { 67// "title": "expirable access", 68// "description": "Does not grant access after Sep 2020", 69// "expression": "request.time < 70// timestamp('2020-10-01T00:00:00.000Z')", 71// } 72// } 73// ], 74// "etag": "BwWWja0YfJA=", 75// "version": 3 76// } 77// ``` 78// 79// **YAML example:** 80// 81// ``` 82// bindings: 83// - members: 84// - user:[email protected] 85// - group:[email protected] 86// - domain:google.com 87// - serviceAccount:[email protected] 88// role: roles/resourcemanager.organizationAdmin 89// - members: 90// - user:[email protected] 91// role: roles/resourcemanager.organizationViewer 92// condition: 93// title: expirable access 94// description: Does not grant access after Sep 2020 95// expression: request.time < timestamp('2020-10-01T00:00:00.000Z') 96// etag: BwWWja0YfJA= 97// version: 3 98// ``` 99// 100// For a description of IAM and its features, see the 101// [IAM documentation](https://cloud.google.com/iam/docs/). 102message Policy { 103 // Specifies the format of the policy. 104 // 105 // Valid values are `0`, `1`, and `3`. Requests that specify an invalid value 106 // are rejected. 107 // 108 // Any operation that affects conditional role bindings must specify version 109 // `3`. This requirement applies to the following operations: 110 // 111 // * Getting a policy that includes a conditional role binding 112 // * Adding a conditional role binding to a policy 113 // * Changing a conditional role binding in a policy 114 // * Removing any role binding, with or without a condition, from a policy 115 // that includes conditions 116 // 117 // **Important:** If you use IAM Conditions, you must include the `etag` field 118 // whenever you call `setIamPolicy`. If you omit this field, then IAM allows 119 // you to overwrite a version `3` policy with a version `1` policy, and all of 120 // the conditions in the version `3` policy are lost. 121 // 122 // If a policy does not include any conditions, operations on that policy may 123 // specify any valid version or leave the field unset. 124 // 125 // To learn which resources support conditions in their IAM policies, see the 126 // [IAM 127 // documentation](https://cloud.google.com/iam/help/conditions/resource-policies). 128 int32 version = 1; 129 130 // Associates a list of `members`, or principals, with a `role`. Optionally, 131 // may specify a `condition` that determines how and when the `bindings` are 132 // applied. Each of the `bindings` must contain at least one principal. 133 // 134 // The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250 135 // of these principals can be Google groups. Each occurrence of a principal 136 // counts towards these limits. For example, if the `bindings` grant 50 137 // different roles to `user:[email protected]`, and not to any other 138 // principal, then you can add another 1,450 principals to the `bindings` in 139 // the `Policy`. 140 repeated Binding bindings = 4; 141 142 // Specifies cloud audit logging configuration for this policy. 143 repeated AuditConfig audit_configs = 6; 144 145 // `etag` is used for optimistic concurrency control as a way to help 146 // prevent simultaneous updates of a policy from overwriting each other. 147 // It is strongly suggested that systems make use of the `etag` in the 148 // read-modify-write cycle to perform policy updates in order to avoid race 149 // conditions: An `etag` is returned in the response to `getIamPolicy`, and 150 // systems are expected to put that etag in the request to `setIamPolicy` to 151 // ensure that their change will be applied to the same version of the policy. 152 // 153 // **Important:** If you use IAM Conditions, you must include the `etag` field 154 // whenever you call `setIamPolicy`. If you omit this field, then IAM allows 155 // you to overwrite a version `3` policy with a version `1` policy, and all of 156 // the conditions in the version `3` policy are lost. 157 bytes etag = 3; 158} 159 160// Associates `members`, or principals, with a `role`. 161message Binding { 162 // Role that is assigned to the list of `members`, or principals. 163 // For example, `roles/viewer`, `roles/editor`, or `roles/owner`. 164 string role = 1; 165 166 // Specifies the principals requesting access for a Google Cloud resource. 167 // `members` can have the following values: 168 // 169 // * `allUsers`: A special identifier that represents anyone who is 170 // on the internet; with or without a Google account. 171 // 172 // * `allAuthenticatedUsers`: A special identifier that represents anyone 173 // who is authenticated with a Google account or a service account. 174 // 175 // * `user:{emailid}`: An email address that represents a specific Google 176 // account. For example, `[email protected]` . 177 // 178 // 179 // * `serviceAccount:{emailid}`: An email address that represents a service 180 // account. For example, `[email protected]`. 181 // 182 // * `group:{emailid}`: An email address that represents a Google group. 183 // For example, `[email protected]`. 184 // 185 // * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique 186 // identifier) representing a user that has been recently deleted. For 187 // example, `[email protected]?uid=123456789012345678901`. If the user is 188 // recovered, this value reverts to `user:{emailid}` and the recovered user 189 // retains the role in the binding. 190 // 191 // * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus 192 // unique identifier) representing a service account that has been recently 193 // deleted. For example, 194 // `[email protected]?uid=123456789012345678901`. 195 // If the service account is undeleted, this value reverts to 196 // `serviceAccount:{emailid}` and the undeleted service account retains the 197 // role in the binding. 198 // 199 // * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique 200 // identifier) representing a Google group that has been recently 201 // deleted. For example, `[email protected]?uid=123456789012345678901`. If 202 // the group is recovered, this value reverts to `group:{emailid}` and the 203 // recovered group retains the role in the binding. 204 // 205 // 206 // * `domain:{domain}`: The G Suite domain (primary) that represents all the 207 // users of that domain. For example, `google.com` or `example.com`. 208 // 209 // 210 repeated string members = 2; 211 212 // The condition that is associated with this binding. 213 // 214 // If the condition evaluates to `true`, then this binding applies to the 215 // current request. 216 // 217 // If the condition evaluates to `false`, then this binding does not apply to 218 // the current request. However, a different role binding might grant the same 219 // role to one or more of the principals in this binding. 220 // 221 // To learn which resources support conditions in their IAM policies, see the 222 // [IAM 223 // documentation](https://cloud.google.com/iam/help/conditions/resource-policies). 224 google.type.Expr condition = 3; 225} 226 227// Specifies the audit configuration for a service. 228// The configuration determines which permission types are logged, and what 229// identities, if any, are exempted from logging. 230// An AuditConfig must have one or more AuditLogConfigs. 231// 232// If there are AuditConfigs for both `allServices` and a specific service, 233// the union of the two AuditConfigs is used for that service: the log_types 234// specified in each AuditConfig are enabled, and the exempted_members in each 235// AuditLogConfig are exempted. 236// 237// Example Policy with multiple AuditConfigs: 238// 239// { 240// "audit_configs": [ 241// { 242// "service": "allServices", 243// "audit_log_configs": [ 244// { 245// "log_type": "DATA_READ", 246// "exempted_members": [ 247// "user:[email protected]" 248// ] 249// }, 250// { 251// "log_type": "DATA_WRITE" 252// }, 253// { 254// "log_type": "ADMIN_READ" 255// } 256// ] 257// }, 258// { 259// "service": "sampleservice.googleapis.com", 260// "audit_log_configs": [ 261// { 262// "log_type": "DATA_READ" 263// }, 264// { 265// "log_type": "DATA_WRITE", 266// "exempted_members": [ 267// "user:[email protected]" 268// ] 269// } 270// ] 271// } 272// ] 273// } 274// 275// For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ 276// logging. It also exempts `[email protected]` from DATA_READ logging, and 277// `[email protected]` from DATA_WRITE logging. 278message AuditConfig { 279 // Specifies a service that will be enabled for audit logging. 280 // For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. 281 // `allServices` is a special value that covers all services. 282 string service = 1; 283 284 // The configuration for logging of each type of permission. 285 repeated AuditLogConfig audit_log_configs = 3; 286} 287 288// Provides the configuration for logging a type of permissions. 289// Example: 290// 291// { 292// "audit_log_configs": [ 293// { 294// "log_type": "DATA_READ", 295// "exempted_members": [ 296// "user:[email protected]" 297// ] 298// }, 299// { 300// "log_type": "DATA_WRITE" 301// } 302// ] 303// } 304// 305// This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting 306// [email protected] from DATA_READ logging. 307message AuditLogConfig { 308 // The list of valid permission types for which logging can be configured. 309 // Admin writes are always logged, and are not configurable. 310 enum LogType { 311 // Default case. Should never be this. 312 LOG_TYPE_UNSPECIFIED = 0; 313 314 // Admin reads. Example: CloudIAM getIamPolicy 315 ADMIN_READ = 1; 316 317 // Data writes. Example: CloudSQL Users create 318 DATA_WRITE = 2; 319 320 // Data reads. Example: CloudSQL Users list 321 DATA_READ = 3; 322 } 323 324 // The log type that this config enables. 325 LogType log_type = 1; 326 327 // Specifies the identities that do not cause logging for this type of 328 // permission. 329 // Follows the same format of 330 // [Binding.members][google.iam.v1.Binding.members]. 331 repeated string exempted_members = 2; 332} 333 334// The difference delta between two policies. 335message PolicyDelta { 336 // The delta for Bindings between two policies. 337 repeated BindingDelta binding_deltas = 1; 338 339 // The delta for AuditConfigs between two policies. 340 repeated AuditConfigDelta audit_config_deltas = 2; 341} 342 343// One delta entry for Binding. Each individual change (only one member in each 344// entry) to a binding will be a separate entry. 345message BindingDelta { 346 // The type of action performed on a Binding in a policy. 347 enum Action { 348 // Unspecified. 349 ACTION_UNSPECIFIED = 0; 350 351 // Addition of a Binding. 352 ADD = 1; 353 354 // Removal of a Binding. 355 REMOVE = 2; 356 } 357 358 // The action that was performed on a Binding. 359 // Required 360 Action action = 1; 361 362 // Role that is assigned to `members`. 363 // For example, `roles/viewer`, `roles/editor`, or `roles/owner`. 364 // Required 365 string role = 2; 366 367 // A single identity requesting access for a Google Cloud resource. 368 // Follows the same format of Binding.members. 369 // Required 370 string member = 3; 371 372 // The condition that is associated with this binding. 373 google.type.Expr condition = 4; 374} 375 376// One delta entry for AuditConfig. Each individual change (only one 377// exempted_member in each entry) to a AuditConfig will be a separate entry. 378message AuditConfigDelta { 379 // The type of action performed on an audit configuration in a policy. 380 enum Action { 381 // Unspecified. 382 ACTION_UNSPECIFIED = 0; 383 384 // Addition of an audit configuration. 385 ADD = 1; 386 387 // Removal of an audit configuration. 388 REMOVE = 2; 389 } 390 391 // The action that was performed on an audit configuration in a policy. 392 // Required 393 Action action = 1; 394 395 // Specifies a service that was configured for Cloud Audit Logging. 396 // For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. 397 // `allServices` is a special value that covers all services. 398 // Required 399 string service = 2; 400 401 // A single identity that is exempted from "data access" audit 402 // logging for the `service` specified above. 403 // Follows the same format of Binding.members. 404 string exempted_member = 3; 405 406 // Specifies the log_type that was be enabled. ADMIN_ACTIVITY is always 407 // enabled, and cannot be configured. 408 // Required 409 string log_type = 4; 410} 411