xref: /aosp_15_r20/external/googleapis/google/iam/v2beta/deny.proto (revision d5c09012810ac0c9f33fe448fb6da8260d444cc9) 
1// Copyright 2022 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15syntax = "proto3";
16
17package google.iam.v2beta;
18
19import "google/type/expr.proto";
20
21option csharp_namespace = "Google.Cloud.Iam.V2Beta";
22option go_package = "cloud.google.com/go/iam/apiv2beta/iampb;iampb";
23option java_multiple_files = true;
24option java_outer_classname = "DenyRuleProto";
25option java_package = "com.google.iam.v2beta";
26option php_namespace = "Google\\Cloud\\Iam\\V2beta";
27
28// A deny rule in an IAM deny policy.
29message DenyRule {
30  // The identities that are prevented from using one or more permissions on
31  // Google Cloud resources. This field can contain the following values:
32  //
33  // * `principalSet://goog/public:all`: A special identifier that represents
34  //   any principal that is on the internet, even if they do not have a Google
35  //   Account or are not logged in.
36  //
37  // * `principal://goog/subject/{email_id}`: A specific Google Account.
38  //   Includes Gmail, Cloud Identity, and Google Workspace user accounts. For
39  //   example, `principal://goog/subject/alice@example.com`.
40  //
41  // * `deleted:principal://goog/subject/{email_id}?uid={uid}`: A specific
42  //   Google Account that was deleted recently. For example,
43  //   `deleted:principal://goog/subject/alice@example.com?uid=1234567890`. If
44  //   the Google Account is recovered, this identifier reverts to the standard
45  //   identifier for a Google Account.
46  //
47  // * `principalSet://goog/group/{group_id}`: A Google group. For example,
48  //   `principalSet://goog/group/admins@example.com`.
49  //
50  // * `deleted:principalSet://goog/group/{group_id}?uid={uid}`: A Google group
51  //   that was deleted recently. For example,
52  //   `deleted:principalSet://goog/group/admins@example.com?uid=1234567890`. If
53  //   the Google group is restored, this identifier reverts to the standard
54  //   identifier for a Google group.
55  //
56  // * `principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}`:
57  //   A Google Cloud service account. For example,
58  //   `principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com`.
59  //
60  // * `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}`:
61  //   A Google Cloud service account that was deleted recently. For example,
62  //   `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890`.
63  //   If the service account is undeleted, this identifier reverts to the
64  //   standard identifier for a service account.
65  //
66  // * `principalSet://goog/cloudIdentityCustomerId/{customer_id}`: All of the
67  //   principals associated with the specified Google Workspace or Cloud
68  //   Identity customer ID. For example,
69  //   `principalSet://goog/cloudIdentityCustomerId/C01Abc35`.
70  repeated string denied_principals = 1;
71
72  // The identities that are excluded from the deny rule, even if they are
73  // listed in the `denied_principals`. For example, you could add a Google
74  // group to the `denied_principals`, then exclude specific users who belong to
75  // that group.
76  //
77  // This field can contain the same values as the `denied_principals` field,
78  // excluding `principalSet://goog/public:all`, which represents all users on
79  // the internet.
80  repeated string exception_principals = 2;
81
82  // The permissions that are explicitly denied by this rule. Each permission
83  // uses the format `{service_fqdn}/{resource}.{verb}`, where `{service_fqdn}`
84  // is the fully qualified domain name for the service. For example,
85  // `iam.googleapis.com/roles.list`.
86  repeated string denied_permissions = 3;
87
88  // Specifies the permissions that this rule excludes from the set of denied
89  // permissions given by `denied_permissions`. If a permission appears in
90  // `denied_permissions` _and_ in `exception_permissions` then it will _not_ be
91  // denied.
92  //
93  // The excluded permissions can be specified using the same syntax as
94  // `denied_permissions`.
95  repeated string exception_permissions = 4;
96
97  // The condition that determines whether this deny rule applies to a request.
98  // If the condition expression evaluates to `true`, then the deny rule is
99  // applied; otherwise, the deny rule is not applied.
100  //
101  // Each deny rule is evaluated independently. If this deny rule does not apply
102  // to a request, other deny rules might still apply.
103  //
104  // The condition can use CEL functions that evaluate
105  // [resource
106  // tags](https://cloud.google.com/iam/help/conditions/resource-tags). Other
107  // functions and operators are not supported.
108  google.type.Expr denial_condition = 5;
109}
110