xref: /aosp_15_r20/external/googleapis/google/iam/v2beta/policy.proto (revision d5c09012810ac0c9f33fe448fb6da8260d444cc9) 
1// Copyright 2022 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15syntax = "proto3";
16
17package google.iam.v2beta;
18
19import "google/api/annotations.proto";
20import "google/api/client.proto";
21import "google/api/field_behavior.proto";
22import "google/iam/v2beta/deny.proto";
23import "google/longrunning/operations.proto";
24import "google/protobuf/timestamp.proto";
25
26option csharp_namespace = "Google.Cloud.Iam.V2Beta";
27option go_package = "cloud.google.com/go/iam/apiv2beta/iampb;iampb";
28option java_multiple_files = true;
29option java_outer_classname = "PolicyProto";
30option java_package = "com.google.iam.v2beta";
31option php_namespace = "Google\\Cloud\\Iam\\V2beta";
32
33// An interface for managing Identity and Access Management (IAM) policies.
34service Policies {
35  option (google.api.default_host) = "iam.googleapis.com";
36  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
37
38  // Retrieves the policies of the specified kind that are attached to a
39  // resource.
40  //
41  // The response lists only policy metadata. In particular, policy rules are
42  // omitted.
43  rpc ListPolicies(ListPoliciesRequest) returns (ListPoliciesResponse) {
44    option (google.api.http) = {
45      get: "/v2beta/{parent=policies/*/*}"
46    };
47    option (google.api.method_signature) = "parent";
48  }
49
50  // Gets a policy.
51  rpc GetPolicy(GetPolicyRequest) returns (Policy) {
52    option (google.api.http) = {
53      get: "/v2beta/{name=policies/*/*/*}"
54    };
55    option (google.api.method_signature) = "name";
56  }
57
58  // Creates a policy.
59  rpc CreatePolicy(CreatePolicyRequest) returns (google.longrunning.Operation) {
60    option (google.api.http) = {
61      post: "/v2beta/{parent=policies/*/*}"
62      body: "policy"
63    };
64    option (google.api.method_signature) = "parent,policy,policy_id";
65    option (google.longrunning.operation_info) = {
66      response_type: "Policy"
67      metadata_type: "PolicyOperationMetadata"
68    };
69  }
70
71  // Updates the specified policy.
72  //
73  // You can update only the rules and the display name for the policy.
74  //
75  // To update a policy, you should use a read-modify-write loop:
76  //
77  // 1. Use [GetPolicy][google.iam.v2beta.Policies.GetPolicy] to read the current version of the policy.
78  // 2. Modify the policy as needed.
79  // 3. Use `UpdatePolicy` to write the updated policy.
80  //
81  // This pattern helps prevent conflicts between concurrent updates.
82  rpc UpdatePolicy(UpdatePolicyRequest) returns (google.longrunning.Operation) {
83    option (google.api.http) = {
84      put: "/v2beta/{policy.name=policies/*/*/*}"
85      body: "policy"
86    };
87    option (google.longrunning.operation_info) = {
88      response_type: "Policy"
89      metadata_type: "PolicyOperationMetadata"
90    };
91  }
92
93  // Deletes a policy. This action is permanent.
94  rpc DeletePolicy(DeletePolicyRequest) returns (google.longrunning.Operation) {
95    option (google.api.http) = {
96      delete: "/v2beta/{name=policies/*/*/*}"
97    };
98    option (google.api.method_signature) = "name";
99    option (google.longrunning.operation_info) = {
100      response_type: "Policy"
101      metadata_type: "PolicyOperationMetadata"
102    };
103  }
104}
105
106// Data for an IAM policy.
107message Policy {
108  // Immutable. The resource name of the `Policy`, which must be unique. Format:
109  // `policies/{attachment_point}/denypolicies/{policy_id}`
110  //
111  //
112  // The attachment point is identified by its URL-encoded full resource name,
113  // which means that the forward-slash character, `/`, must be written as
114  // `%2F`. For example,
115  // `policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies/my-deny-policy`.
116  //
117  // For organizations and folders, use the numeric ID in the full resource
118  // name. For projects, requests can use the alphanumeric or the numeric ID.
119  // Responses always contain the numeric ID.
120  string name = 1 [(google.api.field_behavior) = IMMUTABLE];
121
122  // Immutable. The globally unique ID of the `Policy`. Assigned automatically when the
123  // `Policy` is created.
124  string uid = 2 [(google.api.field_behavior) = IMMUTABLE];
125
126  // Output only. The kind of the `Policy`. Always contains the value `DenyPolicy`.
127  string kind = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
128
129  // A user-specified description of the `Policy`. This value can be up to 63
130  // characters.
131  string display_name = 4;
132
133  // A key-value map to store arbitrary metadata for the `Policy`. Keys
134  // can be up to 63 characters. Values can be up to 255 characters.
135  map<string, string> annotations = 5;
136
137  // An opaque tag that identifies the current version of the `Policy`. IAM uses
138  // this value to help manage concurrent updates, so they do not cause one
139  // update to be overwritten by another.
140  //
141  // If this field is present in a [CreatePolicy][] request, the value is
142  // ignored.
143  string etag = 6;
144
145  // Output only. The time when the `Policy` was created.
146  google.protobuf.Timestamp create_time = 7 [(google.api.field_behavior) = OUTPUT_ONLY];
147
148  // Output only. The time when the `Policy` was last updated.
149  google.protobuf.Timestamp update_time = 8 [(google.api.field_behavior) = OUTPUT_ONLY];
150
151  // Output only. The time when the `Policy` was deleted. Empty if the policy is not deleted.
152  google.protobuf.Timestamp delete_time = 9 [(google.api.field_behavior) = OUTPUT_ONLY];
153
154  // A list of rules that specify the behavior of the `Policy`. All of the rules
155  // should be of the `kind` specified in the `Policy`.
156  repeated PolicyRule rules = 10;
157}
158
159// A single rule in a `Policy`.
160message PolicyRule {
161  oneof kind {
162    // A rule for a deny policy.
163    DenyRule deny_rule = 2;
164  }
165
166  // A user-specified description of the rule. This value can be up to 256
167  // characters.
168  string description = 1;
169}
170
171// Request message for `ListPolicies`.
172message ListPoliciesRequest {
173  // Required. The resource that the policy is attached to, along with the kind of policy
174  // to list. Format:
175  // `policies/{attachment_point}/denypolicies`
176  //
177  //
178  // The attachment point is identified by its URL-encoded full resource name,
179  // which means that the forward-slash character, `/`, must be written as
180  // `%2F`. For example,
181  // `policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies`.
182  //
183  // For organizations and folders, use the numeric ID in the full resource
184  // name. For projects, you can use the alphanumeric or the numeric ID.
185  string parent = 1 [(google.api.field_behavior) = REQUIRED];
186
187  // The maximum number of policies to return. IAM ignores this value and uses
188  // the value 1000.
189  int32 page_size = 2;
190
191  // A page token received in a [ListPoliciesResponse][google.iam.v2beta.ListPoliciesResponse]. Provide this token to
192  // retrieve the next page.
193  string page_token = 3;
194}
195
196// Response message for `ListPolicies`.
197message ListPoliciesResponse {
198  // Metadata for the policies that are attached to the resource.
199  repeated Policy policies = 1;
200
201  // A page token that you can use in a [ListPoliciesRequest][google.iam.v2beta.ListPoliciesRequest] to retrieve the
202  // next page. If this field is omitted, there are no additional pages.
203  string next_page_token = 2;
204}
205
206// Request message for `GetPolicy`.
207message GetPolicyRequest {
208  // Required. The resource name of the policy to retrieve. Format:
209  // `policies/{attachment_point}/denypolicies/{policy_id}`
210  //
211  //
212  // Use the URL-encoded full resource name, which means that the forward-slash
213  // character, `/`, must be written as `%2F`. For example,
214  // `policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies/my-policy`.
215  //
216  // For organizations and folders, use the numeric ID in the full resource
217  // name. For projects, you can use the alphanumeric or the numeric ID.
218  string name = 1 [(google.api.field_behavior) = REQUIRED];
219}
220
221// Request message for `CreatePolicy`.
222message CreatePolicyRequest {
223  // Required. The resource that the policy is attached to, along with the kind of policy
224  // to create. Format: `policies/{attachment_point}/denypolicies`
225  //
226  //
227  // The attachment point is identified by its URL-encoded full resource name,
228  // which means that the forward-slash character, `/`, must be written as
229  // `%2F`. For example,
230  // `policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies`.
231  //
232  // For organizations and folders, use the numeric ID in the full resource
233  // name. For projects, you can use the alphanumeric or the numeric ID.
234  string parent = 1 [(google.api.field_behavior) = REQUIRED];
235
236  // Required. The policy to create.
237  Policy policy = 2 [(google.api.field_behavior) = REQUIRED];
238
239  // The ID to use for this policy, which will become the final component of
240  // the policy's resource name. The ID must contain 3 to 63 characters. It can
241  // contain lowercase letters and numbers, as well as dashes (`-`) and periods
242  // (`.`). The first character must be a lowercase letter.
243  string policy_id = 3;
244}
245
246// Request message for `UpdatePolicy`.
247message UpdatePolicyRequest {
248  // Required. The policy to update.
249  //
250  // To prevent conflicting updates, the `etag` value must match the value that
251  // is stored in IAM. If the `etag` values do not match, the request fails with
252  // a `409` error code and `ABORTED` status.
253  Policy policy = 1 [(google.api.field_behavior) = REQUIRED];
254}
255
256// Request message for `DeletePolicy`.
257message DeletePolicyRequest {
258  // Required. The resource name of the policy to delete. Format:
259  // `policies/{attachment_point}/denypolicies/{policy_id}`
260  //
261  //
262  // Use the URL-encoded full resource name, which means that the forward-slash
263  // character, `/`, must be written as `%2F`. For example,
264  // `policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies/my-policy`.
265  //
266  // For organizations and folders, use the numeric ID in the full resource
267  // name. For projects, you can use the alphanumeric or the numeric ID.
268  string name = 1 [(google.api.field_behavior) = REQUIRED];
269
270  // Optional. The expected `etag` of the policy to delete. If the value does not match
271  // the value that is stored in IAM, the request fails with a `409` error code
272  // and `ABORTED` status.
273  //
274  // If you omit this field, the policy is deleted regardless of its current
275  // `etag`.
276  string etag = 2 [(google.api.field_behavior) = OPTIONAL];
277}
278
279// Metadata for long-running `Policy` operations.
280message PolicyOperationMetadata {
281  // Timestamp when the `google.longrunning.Operation` was created.
282  google.protobuf.Timestamp create_time = 1;
283}
284