xref: /aosp_15_r20/external/googleapis/google/iam/v2/policy.proto (revision d5c09012810ac0c9f33fe448fb6da8260d444cc9) 
1// Copyright 2022 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15syntax = "proto3";
16
17package google.iam.v2;
18
19import "google/api/annotations.proto";
20import "google/api/client.proto";
21import "google/api/field_behavior.proto";
22import "google/iam/v2/deny.proto";
23import "google/longrunning/operations.proto";
24import "google/protobuf/timestamp.proto";
25
26option csharp_namespace = "Google.Cloud.Iam.V2";
27option go_package = "cloud.google.com/go/iam/apiv2/iampb;iampb";
28option java_multiple_files = true;
29option java_outer_classname = "PolicyProto";
30option java_package = "com.google.iam.v2";
31option php_namespace = "Google\\Cloud\\Iam\\V2";
32
33// An interface for managing Identity and Access Management (IAM) policies.
34service Policies {
35  option (google.api.default_host) = "iam.googleapis.com";
36  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
37
38  // Retrieves the policies of the specified kind that are attached to a
39  // resource.
40  //
41  // The response lists only policy metadata. In particular, policy rules are
42  // omitted.
43  rpc ListPolicies(ListPoliciesRequest) returns (ListPoliciesResponse) {
44    option (google.api.http) = {
45      get: "/v2/{parent=policies/*/*}"
46    };
47    option (google.api.method_signature) = "parent";
48  }
49
50  // Gets a policy.
51  rpc GetPolicy(GetPolicyRequest) returns (Policy) {
52    option (google.api.http) = {
53      get: "/v2/{name=policies/*/*/*}"
54    };
55    option (google.api.method_signature) = "name";
56  }
57
58  // Creates a policy.
59  rpc CreatePolicy(CreatePolicyRequest) returns (google.longrunning.Operation) {
60    option (google.api.http) = {
61      post: "/v2/{parent=policies/*/*}"
62      body: "policy"
63    };
64    option (google.api.method_signature) = "parent,policy,policy_id";
65    option (google.longrunning.operation_info) = {
66      response_type: "Policy"
67      metadata_type: "PolicyOperationMetadata"
68    };
69  }
70
71  // Updates the specified policy.
72  //
73  // You can update only the rules and the display name for the policy.
74  //
75  // To update a policy, you should use a read-modify-write loop:
76  //
77  // 1. Use [GetPolicy][google.iam.v2.Policies.GetPolicy] to read the current version of the policy.
78  // 2. Modify the policy as needed.
79  // 3. Use `UpdatePolicy` to write the updated policy.
80  //
81  // This pattern helps prevent conflicts between concurrent updates.
82  rpc UpdatePolicy(UpdatePolicyRequest) returns (google.longrunning.Operation) {
83    option (google.api.http) = {
84      put: "/v2/{policy.name=policies/*/*/*}"
85      body: "policy"
86    };
87    option (google.longrunning.operation_info) = {
88      response_type: "Policy"
89      metadata_type: "PolicyOperationMetadata"
90    };
91  }
92
93  // Deletes a policy. This action is permanent.
94  rpc DeletePolicy(DeletePolicyRequest) returns (google.longrunning.Operation) {
95    option (google.api.http) = {
96      delete: "/v2/{name=policies/*/*/*}"
97    };
98    option (google.api.method_signature) = "name";
99    option (google.longrunning.operation_info) = {
100      response_type: "Policy"
101      metadata_type: "PolicyOperationMetadata"
102    };
103  }
104}
105
106// Data for an IAM policy.
107message Policy {
108  // Immutable. The resource name of the `Policy`, which must be unique. Format:
109  // `policies/{attachment_point}/denypolicies/{policy_id}`
110  //
111  //
112  // The attachment point is identified by its URL-encoded full resource name,
113  // which means that the forward-slash character, `/`, must be written as
114  // `%2F`. For example,
115  // `policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies/my-deny-policy`.
116  //
117  // For organizations and folders, use the numeric ID in the full resource
118  // name. For projects, requests can use the alphanumeric or the numeric ID.
119  // Responses always contain the numeric ID.
120  string name = 1 [(google.api.field_behavior) = IMMUTABLE];
121
122  // Immutable. The globally unique ID of the `Policy`. Assigned automatically when the
123  // `Policy` is created.
124  string uid = 2 [(google.api.field_behavior) = IMMUTABLE];
125
126  // Output only. The kind of the `Policy`. Always contains the value `DenyPolicy`.
127  string kind = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
128
129  // A user-specified description of the `Policy`. This value can be up to 63
130  // characters.
131  string display_name = 4;
132
133  // A key-value map to store arbitrary metadata for the `Policy`. Keys
134  // can be up to 63 characters. Values can be up to 255 characters.
135  map<string, string> annotations = 5;
136
137  // An opaque tag that identifies the current version of the `Policy`. IAM uses
138  // this value to help manage concurrent updates, so they do not cause one
139  // update to be overwritten by another.
140  //
141  // If this field is present in a [CreatePolicy][] request, the value is
142  // ignored.
143  string etag = 6;
144
145  // Output only. The time when the `Policy` was created.
146  google.protobuf.Timestamp create_time = 7 [(google.api.field_behavior) = OUTPUT_ONLY];
147
148  // Output only. The time when the `Policy` was last updated.
149  google.protobuf.Timestamp update_time = 8 [(google.api.field_behavior) = OUTPUT_ONLY];
150
151  // Output only. The time when the `Policy` was deleted. Empty if the policy is not deleted.
152  google.protobuf.Timestamp delete_time = 9 [(google.api.field_behavior) = OUTPUT_ONLY];
153
154  // A list of rules that specify the behavior of the `Policy`. All of the rules
155  // should be of the `kind` specified in the `Policy`.
156  repeated PolicyRule rules = 10;
157
158  // Immutable. Specifies that this policy is managed by an authority and can only be
159  // modified by that authority. Usage is restricted.
160  string managing_authority = 11 [(google.api.field_behavior) = IMMUTABLE];
161}
162
163// A single rule in a `Policy`.
164message PolicyRule {
165  oneof kind {
166    // A rule for a deny policy.
167    DenyRule deny_rule = 2;
168  }
169
170  // A user-specified description of the rule. This value can be up to 256
171  // characters.
172  string description = 1;
173}
174
175// Request message for `ListPolicies`.
176message ListPoliciesRequest {
177  // Required. The resource that the policy is attached to, along with the kind of policy
178  // to list. Format:
179  // `policies/{attachment_point}/denypolicies`
180  //
181  //
182  // The attachment point is identified by its URL-encoded full resource name,
183  // which means that the forward-slash character, `/`, must be written as
184  // `%2F`. For example,
185  // `policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies`.
186  //
187  // For organizations and folders, use the numeric ID in the full resource
188  // name. For projects, you can use the alphanumeric or the numeric ID.
189  string parent = 1 [(google.api.field_behavior) = REQUIRED];
190
191  // The maximum number of policies to return. IAM ignores this value and uses
192  // the value 1000.
193  int32 page_size = 2;
194
195  // A page token received in a [ListPoliciesResponse][google.iam.v2.ListPoliciesResponse]. Provide this token to
196  // retrieve the next page.
197  string page_token = 3;
198}
199
200// Response message for `ListPolicies`.
201message ListPoliciesResponse {
202  // Metadata for the policies that are attached to the resource.
203  repeated Policy policies = 1;
204
205  // A page token that you can use in a [ListPoliciesRequest][google.iam.v2.ListPoliciesRequest] to retrieve the
206  // next page. If this field is omitted, there are no additional pages.
207  string next_page_token = 2;
208}
209
210// Request message for `GetPolicy`.
211message GetPolicyRequest {
212  // Required. The resource name of the policy to retrieve. Format:
213  // `policies/{attachment_point}/denypolicies/{policy_id}`
214  //
215  //
216  // Use the URL-encoded full resource name, which means that the forward-slash
217  // character, `/`, must be written as `%2F`. For example,
218  // `policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies/my-policy`.
219  //
220  // For organizations and folders, use the numeric ID in the full resource
221  // name. For projects, you can use the alphanumeric or the numeric ID.
222  string name = 1 [(google.api.field_behavior) = REQUIRED];
223}
224
225// Request message for `CreatePolicy`.
226message CreatePolicyRequest {
227  // Required. The resource that the policy is attached to, along with the kind of policy
228  // to create. Format: `policies/{attachment_point}/denypolicies`
229  //
230  //
231  // The attachment point is identified by its URL-encoded full resource name,
232  // which means that the forward-slash character, `/`, must be written as
233  // `%2F`. For example,
234  // `policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies`.
235  //
236  // For organizations and folders, use the numeric ID in the full resource
237  // name. For projects, you can use the alphanumeric or the numeric ID.
238  string parent = 1 [(google.api.field_behavior) = REQUIRED];
239
240  // Required. The policy to create.
241  Policy policy = 2 [(google.api.field_behavior) = REQUIRED];
242
243  // The ID to use for this policy, which will become the final component of
244  // the policy's resource name. The ID must contain 3 to 63 characters. It can
245  // contain lowercase letters and numbers, as well as dashes (`-`) and periods
246  // (`.`). The first character must be a lowercase letter.
247  string policy_id = 3;
248}
249
250// Request message for `UpdatePolicy`.
251message UpdatePolicyRequest {
252  // Required. The policy to update.
253  //
254  // To prevent conflicting updates, the `etag` value must match the value that
255  // is stored in IAM. If the `etag` values do not match, the request fails with
256  // a `409` error code and `ABORTED` status.
257  Policy policy = 1 [(google.api.field_behavior) = REQUIRED];
258}
259
260// Request message for `DeletePolicy`.
261message DeletePolicyRequest {
262  // Required. The resource name of the policy to delete. Format:
263  // `policies/{attachment_point}/denypolicies/{policy_id}`
264  //
265  //
266  // Use the URL-encoded full resource name, which means that the forward-slash
267  // character, `/`, must be written as `%2F`. For example,
268  // `policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies/my-policy`.
269  //
270  // For organizations and folders, use the numeric ID in the full resource
271  // name. For projects, you can use the alphanumeric or the numeric ID.
272  string name = 1 [(google.api.field_behavior) = REQUIRED];
273
274  // Optional. The expected `etag` of the policy to delete. If the value does not match
275  // the value that is stored in IAM, the request fails with a `409` error code
276  // and `ABORTED` status.
277  //
278  // If you omit this field, the policy is deleted regardless of its current
279  // `etag`.
280  string etag = 2 [(google.api.field_behavior) = OPTIONAL];
281}
282
283// Metadata for long-running `Policy` operations.
284message PolicyOperationMetadata {
285  // Timestamp when the `google.longrunning.Operation` was created.
286  google.protobuf.Timestamp create_time = 1;
287}
288