// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.identity.accesscontextmanager.v1;

import "google/api/resource.proto";
import "google/protobuf/timestamp.proto";

option csharp_namespace = "Google.Identity.AccessContextManager.V1";
option go_package = "cloud.google.com/go/accesscontextmanager/apiv1/accesscontextmanagerpb;accesscontextmanagerpb";
option java_multiple_files = true;
option java_outer_classname = "ServicePerimeterProto";
option java_package = "com.google.identity.accesscontextmanager.v1";
option objc_class_prefix = "GACM";
option php_namespace = "Google\\Identity\\AccessContextManager\\V1";
option ruby_package = "Google::Identity::AccessContextManager::V1";

// `ServicePerimeter` describes a set of Google Cloud resources which can freely
// import and export data amongst themselves, but not export outside of the
// `ServicePerimeter`. If a request with a source within this `ServicePerimeter`
// has a target outside of the `ServicePerimeter`, the request will be blocked.
// Otherwise the request is allowed. There are two types of Service Perimeter -
// Regular and Bridge. Regular Service Perimeters cannot overlap, a single
// Google Cloud project can only belong to a single regular Service Perimeter.
// Service Perimeter Bridges can contain only Google Cloud projects as members,
// a single Google Cloud project may belong to multiple Service Perimeter
// Bridges.
//
// Field numbers in this message and in `ServicePerimeterConfig` are a
// published wire contract: never renumber, reuse or retype them.
message ServicePerimeter {
  option (google.api.resource) = {
    type: "accesscontextmanager.googleapis.com/ServicePerimeter"
    pattern: "accessPolicies/{access_policy}/servicePerimeters/{service_perimeter}"
  };

  // Specifies the type of the Perimeter. There are two types: regular and
  // bridge. Regular Service Perimeter contains resources, access levels, and
  // restricted services. Every resource can be in at most ONE
  // regular Service Perimeter.
  //
  // In addition to being in a regular service perimeter, a resource can also
  // be in zero or more perimeter bridges. A perimeter bridge only contains
  // resources. Cross project operations are permitted if all affected
  // resources share some perimeter (whether bridge or regular). Perimeter
  // Bridge does not contain access levels or services: those are governed
  // entirely by the regular perimeter that resource is in.
  //
  // Perimeter Bridges are typically useful when building more complex
  // topologies with many independent perimeters that need to share some data
  // with a common perimeter, but should not be able to share data among
  // themselves.
  enum PerimeterType {
    // Regular Perimeter. This is the zero value, so it is also what a
    // `ServicePerimeter` with an unset `perimeter_type` is treated as.
    PERIMETER_TYPE_REGULAR = 0;

    // Perimeter Bridge.
    PERIMETER_TYPE_BRIDGE = 1;
  }

  // Required. Resource name for the ServicePerimeter. The `short_name`
  // component must begin with a letter and only include alphanumeric and '_'.
  // Format:
  // `accessPolicies/{access_policy}/servicePerimeters/{service_perimeter}`
  string name = 1;

  // Human readable title. Must be unique within the Policy.
  string title = 2;

  // Description of the `ServicePerimeter` and its use. Does not affect
  // behavior.
  string description = 3;

  // Output only. Time the `ServicePerimeter` was created in UTC.
  google.protobuf.Timestamp create_time = 4;

  // Output only. Time the `ServicePerimeter` was updated in UTC.
  google.protobuf.Timestamp update_time = 5;

  // Perimeter type indicator. A single project is
  // allowed to be a member of single regular perimeter, but multiple service
  // perimeter bridges. A project cannot be included in a perimeter bridge
  // without being included in regular perimeter. For perimeter bridges,
  // the restricted service list as well as access level lists must be
  // empty.
  PerimeterType perimeter_type = 6;

  // Current ServicePerimeter configuration. Specifies sets of resources,
  // restricted services and access levels that determine perimeter
  // content and boundaries. This is the configuration that is actually
  // enforced; `spec` is not.
  ServicePerimeterConfig status = 7;

  // Proposed (or dry run) ServicePerimeter configuration. This configuration
  // allows specifying and testing a ServicePerimeter configuration without
  // enforcing actual access restrictions. Only allowed to be set when the
  // "use_explicit_dry_run_spec" flag is set.
  ServicePerimeterConfig spec = 8;

  // Use explicit dry run spec flag. Ordinarily, a dry-run spec implicitly
  // exists for all Service Perimeters, and that spec is identical to the
  // status for those Service Perimeters. When this flag is set, it inhibits the
  // generation of the implicit spec, thereby allowing the user to explicitly
  // provide a configuration ("spec") to use in a dry-run version of the Service
  // Perimeter. This allows the user to test changes to the enforced config
  // ("status") without actually enforcing them. This testing is done through
  // analyzing the differences between currently enforced and suggested
  // restrictions. use_explicit_dry_run_spec must be set to True if any of the
  // fields in the spec are set to non-default values.
  bool use_explicit_dry_run_spec = 9;
}

// `ServicePerimeterConfig` specifies a set of Google Cloud resources that
// describe specific Service Perimeter configuration.
//
// NOTE(review): field numbers 3 and 5-7 are not used by this message's
// top-level fields. If they were ever assigned in an earlier revision they
// should be listed in a `reserved` statement — confirm against the schema
// history before adding one.
message ServicePerimeterConfig {
  // Specifies how APIs are allowed to communicate within the Service
  // Perimeter.
  message VpcAccessibleServices {
    // Whether to restrict API calls within the Service Perimeter to the list of
    // APIs specified in 'allowed_services'. When false (the proto3 default),
    // `allowed_services` must be empty and no VPC-level API restriction is
    // applied.
    bool enable_restriction = 1;

    // The list of APIs usable within the Service Perimeter. Must be empty
    // unless 'enable_restriction' is True. You can specify a list of individual
    // services, as well as include the 'RESTRICTED-SERVICES' value, which
    // automatically includes all of the services protected by the perimeter.
    repeated string allowed_services = 2;
  }

  // Specifies the types of identities that are allowed access in either
  // [IngressFrom]
  // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
  // or [EgressFrom]
  // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom]
  // rules. Every value other than `IDENTITY_TYPE_UNSPECIFIED` is a blanket
  // grant to a whole class of principals, so it deserves the same review
  // scrutiny as a `*` wildcard elsewhere in this file.
  enum IdentityType {
    // No blanket identity group specified. Zero value; an unset
    // `identity_type` field is indistinguishable from this.
    IDENTITY_TYPE_UNSPECIFIED = 0;

    // Authorize access from all identities outside the perimeter.
    ANY_IDENTITY = 1;

    // Authorize access from all human users outside the perimeter.
    ANY_USER_ACCOUNT = 2;

    // Authorize access from all service accounts outside the perimeter.
    ANY_SERVICE_ACCOUNT = 3;
  }

  // An allowed method or permission of a service specified in [ApiOperation]
  // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation].
  message MethodSelector {
    // The API method name or Cloud IAM permission name to allow. Exactly one
    // of the members may be set; setting one clears the other.
    oneof kind {
      // Value for `method` should be a valid method name for the corresponding
      // `service_name` in [ApiOperation]
      // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation].
      // If `*` used as value for `method`, then ALL methods and permissions are
      // allowed.
      string method = 1;

      // Value for `permission` should be a valid Cloud IAM permission for the
      // corresponding `service_name` in [ApiOperation]
      // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation].
      string permission = 2;
    }
  }

  // Identification for an API Operation.
  message ApiOperation {
    // The name of the API whose methods or permissions the [IngressPolicy]
    // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
    // or [EgressPolicy]
    // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
    // want to allow. A single [ApiOperation]
    // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
    // with `service_name` field set to `*` will allow all methods AND
    // permissions for all services.
    string service_name = 1;

    // API methods or permissions to allow. Method or permission must belong to
    // the service specified by `service_name` field. A single [MethodSelector]
    // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.MethodSelector]
    // entry with `*` specified for the `method` field will allow all methods
    // AND permissions for the service specified in `service_name`.
    repeated MethodSelector method_selectors = 2;
  }

  // The source that [IngressPolicy]
  // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
  // authorizes access from.
  message IngressSource {
    // Allowed ingress source. It can be one of [AccessLevel]
    // [google.identity.accesscontextmanager.v1.AccessLevel] or Google
    // Cloud resource.
    oneof source {
      // An [AccessLevel]
      // [google.identity.accesscontextmanager.v1.AccessLevel] resource
      // name that allows resources within the [ServicePerimeters]
      // [google.identity.accesscontextmanager.v1.ServicePerimeter] to be
      // accessed from the internet. [AccessLevels]
      // [google.identity.accesscontextmanager.v1.AccessLevel] listed must
      // be in the same policy as this [ServicePerimeter]
      // [google.identity.accesscontextmanager.v1.ServicePerimeter].
      // Referencing a nonexistent [AccessLevel]
      // [google.identity.accesscontextmanager.v1.AccessLevel] will cause
      // an error. If no [AccessLevel]
      // [google.identity.accesscontextmanager.v1.AccessLevel] names are
      // listed, resources within the perimeter can only be accessed via Google
      // Cloud calls with request origins within the perimeter. Example:
      // `accessPolicies/MY_POLICY/accessLevels/MY_LEVEL`. If a single `*` is
      // specified for `access_level`, then all [IngressSources]
      // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource]
      // will be allowed. A `*` here removes the source restriction entirely,
      // leaving only the identity and `ingress_to` conditions to limit the
      // policy.
      string access_level = 1;

      // A Google Cloud resource that is allowed to ingress the perimeter.
      // Requests from these resources will be allowed to access perimeter data.
      // Currently only projects are allowed.
      // Format: `projects/{project_number}`
      // The project may be in any Google Cloud organization, not just the
      // organization that the perimeter is defined in. `*` is not allowed, the
      // case of allowing all Google Cloud resources only is not supported.
      string resource = 2;
    }
  }

  // Defines the conditions under which an [IngressPolicy]
  // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
  // matches a request. Conditions are based on information about the source of
  // the request. The request must satisfy what is defined in `sources` AND
  // identity related fields in order to match.
  message IngressFrom {
    // Sources that this [IngressPolicy]
    // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
    // authorizes access from.
    repeated IngressSource sources = 1;

    // A list of identities that are allowed access through this ingress
    // policy. Should be in the format of email address. The email address
    // should represent individual user or service account only.
    repeated string identities = 2;

    // Specifies the type of identities that are allowed access from outside the
    // perimeter. If left unspecified, then members of `identities` field will
    // be allowed access.
    IdentityType identity_type = 3;
  }

  // Defines the conditions under which an [IngressPolicy]
  // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
  // matches a request. Conditions are based on information about the
  // [ApiOperation]
  // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
  // intended to be performed on the target resource of the request. The request
  // must satisfy what is defined in `operations` AND `resources` in order to
  // match.
  message IngressTo {
    // A list of [ApiOperations]
    // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
    // allowed to be performed by the sources specified in corresponding
    // [IngressFrom]
    // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
    // in this [ServicePerimeter]
    // [google.identity.accesscontextmanager.v1.ServicePerimeter].
    repeated ApiOperation operations = 1;

    // A list of resources, currently only projects in the form
    // `projects/<projectnumber>`, protected by this [ServicePerimeter]
    // [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
    // allowed to be accessed by sources defined in the corresponding
    // [IngressFrom]
    // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
    // If a single `*` is specified, then access to all resources inside the
    // perimeter are allowed.
    repeated string resources = 2;
  }

  // Policy for ingress into [ServicePerimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter].
  //
  // [IngressPolicies]
  // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
  // match requests based on `ingress_from` and `ingress_to` stanzas. For an
  // ingress policy to match, both the `ingress_from` and `ingress_to` stanzas
  // must be matched. If an [IngressPolicy]
  // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
  // matches a request, the request is allowed through the perimeter boundary
  // from outside the perimeter.
  //
  // For example, access from the internet can be allowed either
  // based on an [AccessLevel]
  // [google.identity.accesscontextmanager.v1.AccessLevel] or, for traffic
  // hosted on Google Cloud, the project of the source network. For access from
  // private networks, using the project of the hosting network is required.
  //
  // Individual ingress policies can be limited by restricting which
  // services and/or actions they match using the `ingress_to` field.
  message IngressPolicy {
    // Defines the conditions on the source of a request causing this
    // [IngressPolicy]
    // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
    // to apply.
    IngressFrom ingress_from = 1;

    // Defines the conditions on the [ApiOperation]
    // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
    // and request destination that cause this [IngressPolicy]
    // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
    // to apply.
    IngressTo ingress_to = 2;
  }

  // Defines the conditions under which an [EgressPolicy]
  // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
  // matches a request. Conditions are based on information about the source of
  // the request. Note that if the destination of the request is also protected
  // by a [ServicePerimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter], then that
  // [ServicePerimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] must have
  // an [IngressPolicy]
  // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
  // which allows access in order for this request to succeed.
  message EgressFrom {
    // A list of identities that are allowed access through this [EgressPolicy].
    // Should be in the format of email address. The email address should
    // represent individual user or service account only.
    repeated string identities = 1;

    // Specifies the type of identities that are allowed access to outside the
    // perimeter. If left unspecified, then members of `identities` field will
    // be allowed access.
    IdentityType identity_type = 2;
  }

  // Defines the conditions under which an [EgressPolicy]
  // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
  // matches a request. Conditions are based on information about the
  // [ApiOperation]
  // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
  // intended to be performed on the `resources` specified. Note that if the
  // destination of the request is also protected by a [ServicePerimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter], then that
  // [ServicePerimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] must have
  // an [IngressPolicy]
  // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
  // which allows access in order for this request to succeed. The request must
  // match `operations` AND `resources` fields in order to be allowed egress out
  // of the perimeter.
  message EgressTo {
    // A list of resources, currently only projects in the form
    // `projects/<projectnumber>`, that are allowed to be accessed by sources
    // defined in the corresponding [EgressFrom]
    // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
    // A request matches if it contains a resource in this list. If `*` is
    // specified for `resources`, then this [EgressTo]
    // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
    // rule will authorize access to all resources outside the perimeter. A `*`
    // here therefore permits data to leave the perimeter to any destination
    // the matched `operations` can reach, limited only by `egress_from`.
    repeated string resources = 1;

    // A list of [ApiOperations]
    // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
    // allowed to be performed by the sources specified in the corresponding
    // [EgressFrom]
    // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
    // A request matches if it uses an operation/service in this list.
    repeated ApiOperation operations = 2;

    // A list of external resources that are allowed to be accessed. Only AWS
    // and Azure resources are supported. For Amazon S3, the supported format is
    // s3://BUCKET_NAME. For Azure Storage, the supported format is
    // azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches
    // if it contains an external resource in this list (Example:
    // s3://bucket/path). Currently '*' is not allowed.
    repeated string external_resources = 3;
  }

  // Policy for egress from perimeter.
  //
  // [EgressPolicies]
  // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
  // match requests based on `egress_from` and `egress_to` stanzas. For an
  // [EgressPolicy]
  // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
  // to match, both `egress_from` and `egress_to` stanzas must be matched. If an
  // [EgressPolicy]
  // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
  // matches a request, the request is allowed to span the [ServicePerimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] boundary.
  // For example, an [EgressPolicy]
  // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
  // can be used to allow VMs on networks within the [ServicePerimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] to access a
  // defined set of projects outside the perimeter in certain contexts (e.g. to
  // read data from a Cloud Storage bucket or query against a BigQuery dataset).
  //
  // [EgressPolicies]
  // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
  // are concerned with the *resources* that a request relates to, as well as
  // the API services and API actions being used. They do not relate to the
  // direction of data movement. More detailed documentation for this concept
  // can be found in the descriptions of [EgressFrom]
  // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom]
  // and [EgressTo]
  // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo].
  message EgressPolicy {
    // Defines conditions on the source of a request causing this [EgressPolicy]
    // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
    // to apply.
    EgressFrom egress_from = 1;

    // Defines the conditions on the [ApiOperation]
    // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
    // and destination resources that cause this [EgressPolicy]
    // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
    // to apply.
    EgressTo egress_to = 2;
  }

  // A list of Google Cloud resources that are inside of the service perimeter.
  // Currently only projects are allowed. Format: `projects/{project_number}`
  repeated string resources = 1;

  // A list of `AccessLevel` resource names that allow resources within the
  // `ServicePerimeter` to be accessed from the internet. `AccessLevels` listed
  // must be in the same policy as this `ServicePerimeter`. Referencing a
  // nonexistent `AccessLevel` is a syntax error. If no `AccessLevel` names are
  // listed, resources within the perimeter can only be accessed via Google
  // Cloud calls with request origins within the perimeter. Example:
  // `"accessPolicies/MY_POLICY/accessLevels/MY_LEVEL"`.
  // For Service Perimeter Bridge, must be empty.
  repeated string access_levels = 2;

  // Google Cloud services that are subject to the Service Perimeter
  // restrictions. For example, if `storage.googleapis.com` is specified, access
  // to the storage buckets inside the perimeter must meet the perimeter's
  // access restrictions. Services not listed here are not restricted by the
  // perimeter.
  repeated string restricted_services = 4;

  // Configuration for APIs allowed within Perimeter.
  VpcAccessibleServices vpc_accessible_services = 10;

  // List of [IngressPolicies]
  // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
  // to apply to the perimeter. A perimeter may have multiple [IngressPolicies]
  // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy],
  // each of which is evaluated separately. Access is granted if any [Ingress
  // Policy]
  // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
  // grants it. Must be empty for a perimeter bridge.
  repeated IngressPolicy ingress_policies = 8;

  // List of [EgressPolicies]
  // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
  // to apply to the perimeter. A perimeter may have multiple [EgressPolicies]
  // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy],
  // each of which is evaluated separately. Access is granted if any
  // [EgressPolicy]
  // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
  // grants it. Must be empty for a perimeter bridge.
  repeated EgressPolicy egress_policies = 9;
}