From 58100db770c5d48cd658b9b43faaaf741425be6c Mon Sep 17 00:00:00 2001 
From: Yoshi Automation Date: Mon, 18 Oct 2021 01:32:48 +0000 Subject: [PATCH] fix(policysimulator): update the API #### policysimulator:v1beta1 The following keys were changed: - schemas.GoogleCloudPolicysimulatorV1Replay.properties.state.enumDescriptions - schemas.GoogleCloudPolicysimulatorV1beta1AccessTuple.description - schemas.GoogleCloudPolicysimulatorV1beta1AccessTuple.properties.permission.description - schemas.GoogleCloudPolicysimulatorV1beta1AccessTuple.properties.principal.description - schemas.GoogleCloudPolicysimulatorV1beta1BindingExplanation.description - schemas.GoogleCloudPolicysimulatorV1beta1BindingExplanation.properties.access.description - schemas.GoogleCloudPolicysimulatorV1beta1BindingExplanation.properties.access.enumDescriptions - schemas.GoogleCloudPolicysimulatorV1beta1BindingExplanation.properties.memberships.description - schemas.GoogleCloudPolicysimulatorV1beta1BindingExplanation.properties.relevance.enumDescriptions - schemas.GoogleCloudPolicysimulatorV1beta1BindingExplanation.properties.rolePermission.enumDescriptions - schemas.GoogleCloudPolicysimulatorV1beta1BindingExplanation.properties.rolePermissionRelevance.enumDescriptions - schemas.GoogleCloudPolicysimulatorV1beta1BindingExplanationAnnotatedMembership.description - schemas.GoogleCloudPolicysimulatorV1beta1BindingExplanationAnnotatedMembership.properties.membership.description - schemas.GoogleCloudPolicysimulatorV1beta1BindingExplanationAnnotatedMembership.properties.membership.enumDescriptions - schemas.GoogleCloudPolicysimulatorV1beta1BindingExplanationAnnotatedMembership.properties.relevance.description - schemas.GoogleCloudPolicysimulatorV1beta1BindingExplanationAnnotatedMembership.properties.relevance.enumDescriptions - schemas.GoogleCloudPolicysimulatorV1beta1ExplainedAccess.properties.accessState.enumDescriptions - schemas.GoogleCloudPolicysimulatorV1beta1ExplainedPolicy.properties.access.description - 
schemas.GoogleCloudPolicysimulatorV1beta1ExplainedPolicy.properties.access.enumDescriptions - schemas.GoogleCloudPolicysimulatorV1beta1ExplainedPolicy.properties.bindingExplanations.description - schemas.GoogleCloudPolicysimulatorV1beta1ExplainedPolicy.properties.relevance.enumDescriptions - schemas.GoogleIamV1Binding.description - schemas.GoogleIamV1Binding.properties.condition.description - schemas.GoogleIamV1Binding.properties.members.description - schemas.GoogleIamV1Binding.properties.role.description - schemas.GoogleIamV1Policy.description - schemas.GoogleIamV1Policy.properties.bindings.description #### policysimulator:v1 The following keys were changed: - schemas.GoogleCloudPolicysimulatorV1AccessStateDiff.description - schemas.GoogleCloudPolicysimulatorV1AccessStateDiff.properties.accessChange.description - schemas.GoogleCloudPolicysimulatorV1AccessStateDiff.properties.accessChange.enumDescriptions - schemas.GoogleCloudPolicysimulatorV1AccessTuple.description - schemas.GoogleCloudPolicysimulatorV1AccessTuple.properties.permission.description - schemas.GoogleCloudPolicysimulatorV1AccessTuple.properties.principal.description - schemas.GoogleCloudPolicysimulatorV1BindingExplanation.description - schemas.GoogleCloudPolicysimulatorV1BindingExplanation.properties.access.description - schemas.GoogleCloudPolicysimulatorV1BindingExplanation.properties.access.enumDescriptions - schemas.GoogleCloudPolicysimulatorV1BindingExplanation.properties.memberships.description - schemas.GoogleCloudPolicysimulatorV1BindingExplanation.properties.relevance.enumDescriptions - schemas.GoogleCloudPolicysimulatorV1BindingExplanation.properties.rolePermission.enumDescriptions - schemas.GoogleCloudPolicysimulatorV1BindingExplanation.properties.rolePermissionRelevance.enumDescriptions - schemas.GoogleCloudPolicysimulatorV1BindingExplanationAnnotatedMembership.description - schemas.GoogleCloudPolicysimulatorV1BindingExplanationAnnotatedMembership.properties.membership.description - 
schemas.GoogleCloudPolicysimulatorV1BindingExplanationAnnotatedMembership.properties.membership.enumDescriptions - schemas.GoogleCloudPolicysimulatorV1BindingExplanationAnnotatedMembership.properties.relevance.description - schemas.GoogleCloudPolicysimulatorV1BindingExplanationAnnotatedMembership.properties.relevance.enumDescriptions - schemas.GoogleCloudPolicysimulatorV1ExplainedAccess.properties.accessState.description - schemas.GoogleCloudPolicysimulatorV1ExplainedAccess.properties.accessState.enumDescriptions - schemas.GoogleCloudPolicysimulatorV1ExplainedPolicy.properties.access.description - schemas.GoogleCloudPolicysimulatorV1ExplainedPolicy.properties.access.enumDescriptions - schemas.GoogleCloudPolicysimulatorV1ExplainedPolicy.properties.bindingExplanations.description - schemas.GoogleCloudPolicysimulatorV1ExplainedPolicy.properties.relevance.enumDescriptions - schemas.GoogleCloudPolicysimulatorV1Replay.properties.state.enumDescriptions - schemas.GoogleCloudPolicysimulatorV1ReplayDiff.description - schemas.GoogleCloudPolicysimulatorV1ReplayDiff.properties.accessDiff.description - schemas.GoogleCloudPolicysimulatorV1ReplayResult.properties.accessTuple.description - schemas.GoogleCloudPolicysimulatorV1ReplayResult.properties.diff.description - schemas.GoogleIamV1Binding.description - schemas.GoogleIamV1Binding.properties.condition.description - schemas.GoogleIamV1Binding.properties.members.description - schemas.GoogleIamV1Binding.properties.role.description - schemas.GoogleIamV1Policy.description - schemas.GoogleIamV1Policy.properties.bindings.description --- discovery/policysimulator-v1.json | 108 ++++++++++++------------- discovery/policysimulator-v1beta1.json | 80 +++++++++--------- src/apis/policysimulator/v1.ts | 48 +++++------ src/apis/policysimulator/v1beta1.ts | 34 ++++---- 4 files changed, 135 insertions(+), 135 deletions(-) diff --git a/discovery/policysimulator-v1.json b/discovery/policysimulator-v1.json index a1b3f2d3c5..6742835f2a 100644 
--- a/discovery/policysimulator-v1.json +++ b/discovery/policysimulator-v1.json @@ -493,15 +493,15 @@ } } }, - "revision": "20210813", + "revision": "20211008", "rootUrl": "https://policysimulator.googleapis.com/", "schemas": { "GoogleCloudPolicysimulatorV1AccessStateDiff": { - "description": "A summary and comparison of the member's access under the current (baseline) policies and the proposed (simulated) policies for a single access tuple.", + "description": "A summary and comparison of the principal's access under the current (baseline) policies and the proposed (simulated) policies for a single access tuple.", "id": "GoogleCloudPolicysimulatorV1AccessStateDiff", "properties": { "accessChange": { - "description": "How the member's access, specified in the AccessState field, changed between the current (baseline) policies and proposed (simulated) policies.", + "description": "How the principal's access, specified in the AccessState field, changed between the current (baseline) policies and proposed (simulated) policies.", "enum": [ "ACCESS_CHANGE_TYPE_UNSPECIFIED", "NO_CHANGE", 
@@ -512,13 +512,13 @@ "ACCESS_MAYBE_GAINED" ], "enumDescriptions": [ - "The access change is unspecified.", - "The member's access did not change. This includes the case where both baseline and simulated are UNKNOWN, but the unknown information is equivalent.", - "The member's access under both the current policies and the proposed policies is `UNKNOWN`, but the unknown information differs between them.", - "The member had access under the current policies (`GRANTED`), but will no longer have access after the proposed changes (`NOT_GRANTED`).", - "The member did not have access under the current policies (`NOT_GRANTED`), but will have access after the proposed changes (`GRANTED`).", - "This result can occur for the following reasons: * The member had access under the current policies (`GRANTED`), but their access after the proposed changes is `UNKNOWN`. * The member's access under the current policies is `UNKNOWN`, but they will not have access after the proposed changes (`NOT_GRANTED`).", - "This result can occur for the following reasons: * The member did not have access under the current policies (`NOT_GRANTED`), but their access after the proposed changes is `UNKNOWN`. * The member's access under the current policies is `UNKNOWN`, but they will have access after the proposed changes (`GRANTED`)." + "Default value. This value is unused.", + "The principal's access did not change. 
This includes the case where both baseline and simulated are UNKNOWN, but the unknown information is equivalent.", + "The principal's access under both the current policies and the proposed policies is `UNKNOWN`, but the unknown information differs between them.", + "The principal had access under the current policies (`GRANTED`), but will no longer have access after the proposed changes (`NOT_GRANTED`).", + "The principal did not have access under the current policies (`NOT_GRANTED`), but will have access after the proposed changes (`GRANTED`).", + "This result can occur for the following reasons: * The principal had access under the current policies (`GRANTED`), but their access after the proposed changes is `UNKNOWN`. * The principal's access under the current policies is `UNKNOWN`, but they will not have access after the proposed changes (`NOT_GRANTED`).", + "This result can occur for the following reasons: * The principal did not have access under the current policies (`NOT_GRANTED`), but their access after the proposed changes is `UNKNOWN`. * The principal's access under the current policies is `UNKNOWN`, but they will have access after the proposed changes (`GRANTED`)." ], "type": "string" }, @@ -534,7 +534,7 @@ "type": "object" }, "GoogleCloudPolicysimulatorV1AccessTuple": { - "description": "Information about the member, resource, and permission to check.", + "description": "Information about the principal, resource, and permission to check.", "id": "GoogleCloudPolicysimulatorV1AccessTuple", "properties": { "fullResourceName": { 
@@ -542,22 +542,22 @@ "type": "string" }, "permission": { - "description": "Required. The IAM permission to check for the specified member and resource. For a complete list of IAM permissions, see https://cloud.google.com/iam/help/permissions/reference. For a complete list of predefined IAM roles and the permissions in each role, see https://cloud.google.com/iam/help/roles/reference.", + "description": "Required. The IAM permission to check for the specified principal and resource. For a complete list of IAM permissions, see https://cloud.google.com/iam/help/permissions/reference. For a complete list of predefined IAM roles and the permissions in each role, see https://cloud.google.com/iam/help/roles/reference.", "type": "string" }, "principal": { - "description": "Required. The member, or principal, whose access you want to check, in the form of the email address that represents that member. For example, `alice@example.com` or `my-service-account@my-project.iam.gserviceaccount.com`. The member must be a Google Account or a service account. Other types of members are not supported.", + "description": "Required. The principal whose access you want to check, in the form of the email address that represents that principal. For example, `alice@example.com` or `my-service-account@my-project.iam.gserviceaccount.com`. The principal must be a Google Account or a service account. Other types of principals are not supported.", "type": "string" } }, "type": "object" }, "GoogleCloudPolicysimulatorV1BindingExplanation": { - "description": "Details about how a binding in a policy affects a member's ability to use a permission.", + "description": "Details about how a binding in a policy affects a principal's ability to use a permission.", "id": "GoogleCloudPolicysimulatorV1BindingExplanation", "properties": { "access": { - "description": "Required. Indicates whether _this binding_ provides the specified permission to the specified member for the specified resource. 
This field does _not_ indicate whether the member actually has the permission for the resource. There might be another binding that overrides this binding. To determine whether the member actually has the permission, use the `access` field in the TroubleshootIamPolicyResponse.", + "description": "Required. Indicates whether _this binding_ provides the specified permission to the specified principal for the specified resource. This field does _not_ indicate whether the principal actually has the permission for the resource. There might be another binding that overrides this binding. To determine whether the principal actually has the permission, use the `access` field in the TroubleshootIamPolicyResponse.", "enum": [ "ACCESS_STATE_UNSPECIFIED", "GRANTED", @@ -566,10 +566,10 @@ "UNKNOWN_INFO_DENIED" ], "enumDescriptions": [ - "The access state is not specified.", - "The member has the permission.", - "The member does not have the permission.", - "The member has the permission only if a condition expression evaluates to `true`.", + "Default value. This value is unused.", + "The principal has the permission.", + "The principal does not have the permission.", + "The principal has the permission only if a condition expression evaluates to `true`.", "The user who created the Replay does not have access to all of the policies that Policy Simulator needs to evaluate." ], "type": "string" 
@@ -582,7 +582,7 @@ "additionalProperties": { "$ref": "GoogleCloudPolicysimulatorV1BindingExplanationAnnotatedMembership" }, - "description": "Indicates whether each member in the binding includes the member specified in the request, either directly or indirectly. Each key identifies a member in the binding, and each value indicates whether the member in the binding includes the member in the request. For example, suppose that a binding includes the following members: * `user:alice@example.com` * `group:product-eng@example.com` The member in the replayed access tuple is `user:bob@example.com`. This user is a member of the group `group:product-eng@example.com`. For the first member in the binding, the key is `user:alice@example.com`, and the `membership` field in the value is set to `MEMBERSHIP_NOT_INCLUDED`. For the second member in the binding, the key is `group:product-eng@example.com`, and the `membership` field in the value is set to `MEMBERSHIP_INCLUDED`.", + "description": "Indicates whether each principal in the binding includes the principal specified in the request, either directly or indirectly. Each key identifies a principal in the binding, and each value indicates whether the principal in the binding includes the principal in the request. For example, suppose that a binding includes the following principals: * `user:alice@example.com` * `group:product-eng@example.com` The principal in the replayed access tuple is `user:bob@example.com`. This user is a principal of the group `group:product-eng@example.com`. For the first principal in the binding, the key is `user:alice@example.com`, and the `membership` field in the value is set to `MEMBERSHIP_NOT_INCLUDED`. For the second principal in the binding, the key is `group:product-eng@example.com`, and the `membership` field in the value is set to `MEMBERSHIP_INCLUDED`.", "type": "object" }, "relevance": { 
@@ -593,7 +593,7 @@ "HIGH" ], "enumDescriptions": [ - "Reserved for future use.", + "Default value. This value is unused.", "The data point has a limited effect on the result. Changing the data point is unlikely to affect the overall determination.", "The data point has a strong effect on the result. Changing the data point is likely to affect the overall determination." ], @@ -612,7 +612,7 @@ "ROLE_PERMISSION_UNKNOWN_INFO_DENIED" ], "enumDescriptions": [ - "The inclusion of the permission is not specified.", + "Default value. This value is unused.", "The permission is included in the role.", "The permission is not included in the role.", "The user who created the Replay is not allowed to access the binding." @@ -627,7 +627,7 @@ "HIGH" ], "enumDescriptions": [ - "Reserved for future use.", + "Default value. This value is unused.", "The data point has a limited effect on the result. Changing the data point is unlikely to affect the overall determination.", "The data point has a strong effect on the result. Changing the data point is likely to affect the overall determination." ], @@ -637,11 +637,11 @@ "type": "object" }, "GoogleCloudPolicysimulatorV1BindingExplanationAnnotatedMembership": { - "description": "Details about whether the binding includes the member.", + "description": "Details about whether the binding includes the principal.", "id": "GoogleCloudPolicysimulatorV1BindingExplanationAnnotatedMembership", "properties": { "membership": { - "description": "Indicates whether the binding includes the member.", + "description": "Indicates whether the binding includes the principal.", "enum": [ "MEMBERSHIP_UNSPECIFIED", "MEMBERSHIP_INCLUDED", 
@@ -650,23 +650,23 @@ "MEMBERSHIP_UNKNOWN_UNSUPPORTED" ], "enumDescriptions": [ - "The membership is not specified.", - "The binding includes the member. The member can be included directly or indirectly. For example: * A member is included directly if that member is listed in the binding. * A member is included indirectly if that member is in a Google group or Google Workspace domain that is listed in the binding.", - "The binding does not include the member.", + "Default value. This value is unused.", + "The binding includes the principal. The principal can be included directly or indirectly. For example: * A principal is included directly if that principal is listed in the binding. * A principal is included indirectly if that principal is in a Google group or Google Workspace domain that is listed in the binding.", + "The binding does not include the principal.", "The user who created the Replay is not allowed to access the binding.", - "The member is an unsupported type. Only Google Accounts and service accounts are supported." + "The principal is an unsupported type. Only Google Accounts and service accounts are supported." ], "type": "string" }, "relevance": { - "description": "The relevance of the member's status to the overall determination for the binding.", + "description": "The relevance of the principal's status to the overall determination for the binding.", "enum": [ "HEURISTIC_RELEVANCE_UNSPECIFIED", "NORMAL", "HIGH" ], "enumDescriptions": [ - "Reserved for future use.", + "Default value. This value is unused.", "The data point has a limited effect on the result. Changing the data point is unlikely to affect the overall determination.", "The data point has a strong effect on the result. Changing the data point is likely to affect the overall determination." ], 
@@ -680,7 +680,7 @@ "id": "GoogleCloudPolicysimulatorV1ExplainedAccess", "properties": { "accessState": { - "description": "Whether the member in the access tuple has permission to access the resource in the access tuple under the given policies.", + "description": "Whether the principal in the access tuple has permission to access the resource in the access tuple under the given policies.", "enum": [ "ACCESS_STATE_UNSPECIFIED", "GRANTED", @@ -689,10 +689,10 @@ "UNKNOWN_INFO_DENIED" ], "enumDescriptions": [ - "The access state is not specified.", - "The member has the permission.", - "The member does not have the permission.", - "The member has the permission only if a condition expression evaluates to `true`.", + "Default value. This value is unused.", + "The principal has the permission.", + "The principal does not have the permission.", + "The principal has the permission only if a condition expression evaluates to `true`.", "The user who created the Replay does not have access to all of the policies that Policy Simulator needs to evaluate." ], "type": "string" 
@@ -719,7 +719,7 @@ "id": "GoogleCloudPolicysimulatorV1ExplainedPolicy", "properties": { "access": { - "description": "Indicates whether _this policy_ provides the specified permission to the specified member for the specified resource. This field does _not_ indicate whether the member actually has the permission for the resource. There might be another policy that overrides this policy. To determine whether the member actually has the permission, use the `access` field in the TroubleshootIamPolicyResponse.", + "description": "Indicates whether _this policy_ provides the specified permission to the specified principal for the specified resource. This field does _not_ indicate whether the principal actually has the permission for the resource. There might be another policy that overrides this policy. To determine whether the principal actually has the permission, use the `access` field in the TroubleshootIamPolicyResponse.", "enum": [ "ACCESS_STATE_UNSPECIFIED", "GRANTED", 
@@ -728,16 +728,16 @@ "UNKNOWN_INFO_DENIED" ], "enumDescriptions": [ - "The access state is not specified.", - "The member has the permission.", - "The member does not have the permission.", - "The member has the permission only if a condition expression evaluates to `true`.", + "Default value. This value is unused.", + "The principal has the permission.", + "The principal does not have the permission.", + "The principal has the permission only if a condition expression evaluates to `true`.", "The user who created the Replay does not have access to all of the policies that Policy Simulator needs to evaluate." ], "type": "string" }, "bindingExplanations": { - "description": "Details about how each binding in the policy affects the member's ability, or inability, to use the permission for the resource. If the user who created the Replay does not have access to the policy, this field is omitted.", + "description": "Details about how each binding in the policy affects the principal's ability, or inability, to use the permission for the resource. If the user who created the Replay does not have access to the policy, this field is omitted.", "items": { "$ref": "GoogleCloudPolicysimulatorV1BindingExplanation" }, @@ -759,7 +759,7 @@ "HIGH" ], "enumDescriptions": [ - "Reserved for future use.", + "Default value. This value is unused.", "The data point has a limited effect on the result. Changing the data point is unlikely to affect the overall determination.", "The data point has a strong effect on the result. Changing the data point is likely to affect the overall determination." ], @@ -814,7 +814,7 @@ "FAILED" ], "enumDescriptions": [ - "The state is unspecified.", + "Default value. This value is unused.", "The `Replay` has not started yet.", "The `Replay` is currently running.", "The `Replay` has successfully completed.", 
@@ -853,12 +853,12 @@ "type": "object" }, "GoogleCloudPolicysimulatorV1ReplayDiff": { - "description": "The difference between the results of evaluating an access tuple under the current (baseline) policies and under the proposed (simulated) policies. This difference explains how a member's access could change if the proposed policies were applied.", + "description": "The difference between the results of evaluating an access tuple under the current (baseline) policies and under the proposed (simulated) policies. This difference explains how a principal's access could change if the proposed policies were applied.", "id": "GoogleCloudPolicysimulatorV1ReplayDiff", "properties": { "accessDiff": { "$ref": "GoogleCloudPolicysimulatorV1AccessStateDiff", - "description": "A summary and comparison of the member's access under the current (baseline) policies and the proposed (simulated) policies for a single access tuple. The evaluation of the member's access is reported in the AccessState field." + "description": "A summary and comparison of the principal's access under the current (baseline) policies and the proposed (simulated) policies for a single access tuple. The evaluation of the principal's access is reported in the AccessState field." } }, "type": "object" 
@@ -881,11 +881,11 @@ "properties": { "accessTuple": { "$ref": "GoogleCloudPolicysimulatorV1AccessTuple", - "description": "The access tuple that was replayed. This field includes information about the member, resource, and permission that were involved in the access attempt." + "description": "The access tuple that was replayed. This field includes information about the principal, resource, and permission that were involved in the access attempt." }, "diff": { "$ref": "GoogleCloudPolicysimulatorV1ReplayDiff", - "description": "The difference between the member's access under the current (baseline) policies and the member's access under the proposed (simulated) policies. This field is only included for access tuples that were successfully replayed and had different results under the current policies and the proposed policies." + "description": "The difference between the principal's access under the current (baseline) policies and the principal's access under the proposed (simulated) policies. This field is only included for access tuples that were successfully replayed and had different results under the current policies and the proposed policies." }, "error": { "$ref": "GoogleRpcStatus", 
@@ -1103,29 +1103,29 @@ "type": "object" }, "GoogleIamV1Binding": { - "description": "Associates `members` with a `role`.", + "description": "Associates `members`, or principals, with a `role`.", "id": "GoogleIamV1Binding", "properties": { "condition": { "$ref": "GoogleTypeExpr", - "description": "The condition that is associated with this binding. If the condition evaluates to `true`, then this binding applies to the current request. If the condition evaluates to `false`, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the members in this binding. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies)." + "description": "The condition that is associated with this binding. If the condition evaluates to `true`, then this binding applies to the current request. If the condition evaluates to `false`, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the principals in this binding. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies)." }, "members": { - "description": "Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values: * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account. * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account. * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@example.com` . * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`. 
* `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`. * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid}` and the recovered user retains the role in the binding. * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid}` and the undeleted service account retains the role in the binding. * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid}` and the recovered group retains the role in the binding. * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`. ", + "description": "Specifies the principals requesting access for a Cloud Platform resource. `members` can have the following values: * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account. * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account. * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@example.com` . * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`. * `group:{emailid}`: An email address that represents a Google group. 
For example, `admins@example.com`. * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid}` and the recovered user retains the role in the binding. * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid}` and the undeleted service account retains the role in the binding. * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid}` and the recovered group retains the role in the binding. * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`. ", "items": { "type": "string" }, "type": "array" }, "role": { - "description": "Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.", + "description": "Role that is assigned to the list of `members`, or principals. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.", "type": "string" } }, "type": "object" }, "GoogleIamV1Policy": { - "description": "An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A `Policy` is a collection of `bindings`. A `binding` binds one or more `members` to a single `role`. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). 
A `role` is a named list of permissions; each `role` can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a `binding` can also specify a `condition`, which is a logical expression that allows access to a resource only if the expression evaluates to `true`. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). **JSON example:** { \"bindings\": [ { \"role\": \"roles/resourcemanager.organizationAdmin\", \"members\": [ \"user:mike@example.com\", \"group:admins@example.com\", \"domain:google.com\", \"serviceAccount:my-project-id@appspot.gserviceaccount.com\" ] }, { \"role\": \"roles/resourcemanager.organizationViewer\", \"members\": [ \"user:eve@example.com\" ], \"condition\": { \"title\": \"expirable access\", \"description\": \"Does not grant access after Sep 2020\", \"expression\": \"request.time < timestamp('2020-10-01T00:00:00.000Z')\", } } ], \"etag\": \"BwWWja0YfJA=\", \"version\": 3 } **YAML example:** bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3 For a description of IAM and its features, see the [IAM documentation](https://cloud.google.com/iam/docs/).", + "description": "An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A `Policy` is a collection of `bindings`. A `binding` binds one or more `members`, or principals, to a single `role`. 
Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). A `role` is a named list of permissions; each `role` can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a `binding` can also specify a `condition`, which is a logical expression that allows access to a resource only if the expression evaluates to `true`. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). **JSON example:** { \"bindings\": [ { \"role\": \"roles/resourcemanager.organizationAdmin\", \"members\": [ \"user:mike@example.com\", \"group:admins@example.com\", \"domain:google.com\", \"serviceAccount:my-project-id@appspot.gserviceaccount.com\" ] }, { \"role\": \"roles/resourcemanager.organizationViewer\", \"members\": [ \"user:eve@example.com\" ], \"condition\": { \"title\": \"expirable access\", \"description\": \"Does not grant access after Sep 2020\", \"expression\": \"request.time < timestamp('2020-10-01T00:00:00.000Z')\", } } ], \"etag\": \"BwWWja0YfJA=\", \"version\": 3 } **YAML example:** bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3 For a description of IAM and its features, see the [IAM documentation](https://cloud.google.com/iam/docs/).", "id": "GoogleIamV1Policy", "properties": { "auditConfigs": { 
@@ -1136,7 +1136,7 @@ "type": "array" }, "bindings": { - "description": "Associates a list of `members` to a `role`. Optionally, may specify a `condition` that determines how and when the `bindings` are applied. Each of the `bindings` must contain at least one member.", + "description": "Associates a list of `members`, or principals, with a `role`. Optionally, may specify a `condition` that determines how and when the `bindings` are applied. Each of the `bindings` must contain at least one principal. The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250 of these principals can be Google groups. Each occurrence of a principal counts towards these limits. For example, if the `bindings` grant 50 different roles to `user:alice@example.com`, and not to any other principal, then you can add another 1,450 principals to the `bindings` in the `Policy`.", "items": { "$ref": "GoogleIamV1Binding" }, diff --git a/discovery/policysimulator-v1beta1.json b/discovery/policysimulator-v1beta1.json index 90350680b8..8c35e30b17 100644 --- a/discovery/policysimulator-v1beta1.json +++ b/discovery/policysimulator-v1beta1.json @@ -493,7 +493,7 @@ } } }, - "revision": "20210813", + "revision": "20211008", "rootUrl": "https://policysimulator.googleapis.com/", "schemas": { "GoogleCloudPolicysimulatorV1Replay": { @@ -524,7 +524,7 @@ "FAILED" ], "enumDescriptions": [ - "The state is unspecified.", + "Default value. This value is unused.", "The `Replay` has not started yet.", "The `Replay` is currently running.", "The `Replay` has successfully completed.", @@ -647,7 +647,7 @@ "type": "object" }, "GoogleCloudPolicysimulatorV1beta1AccessTuple": { - "description": "Information about the member, resource, and permission to check.", + "description": "Information about the principal, resource, and permission to check.", "id": "GoogleCloudPolicysimulatorV1beta1AccessTuple", "properties": { "fullResourceName": { 
@@ -655,22 +655,22 @@ "type": "string" }, "permission": { - "description": "Required. The IAM permission to check for the specified member and resource. For a complete list of IAM permissions, see https://cloud.google.com/iam/help/permissions/reference. For a complete list of predefined IAM roles and the permissions in each role, see https://cloud.google.com/iam/help/roles/reference.", + "description": "Required. The IAM permission to check for the specified principal and resource. For a complete list of IAM permissions, see https://cloud.google.com/iam/help/permissions/reference. For a complete list of predefined IAM roles and the permissions in each role, see https://cloud.google.com/iam/help/roles/reference.", "type": "string" }, "principal": { - "description": "Required. The member, or principal, whose access you want to check, in the form of the email address that represents that member. For example, `alice@example.com` or `my-service-account@my-project.iam.gserviceaccount.com`. The member must be a Google Account or a service account. Other types of members are not supported.", + "description": "Required. The principal whose access you want to check, in the form of the email address that represents that principal. For example, `alice@example.com` or `my-service-account@my-project.iam.gserviceaccount.com`. The principal must be a Google Account or a service account. Other types of principals are not supported.", "type": "string" } }, "type": "object" }, "GoogleCloudPolicysimulatorV1beta1BindingExplanation": { - "description": "Details about how a binding in a policy affects a member's ability to use a permission.", + "description": "Details about how a binding in a policy affects a principal's ability to use a permission.", "id": "GoogleCloudPolicysimulatorV1beta1BindingExplanation", "properties": { "access": { - "description": "Required. Indicates whether _this binding_ provides the specified permission to the specified member for the specified resource. 
This field does _not_ indicate whether the member actually has the permission for the resource. There might be another binding that overrides this binding. To determine whether the member actually has the permission, use the `access` field in the TroubleshootIamPolicyResponse.", + "description": "Required. Indicates whether _this binding_ provides the specified permission to the specified principal for the specified resource. This field does _not_ indicate whether the principal actually has the permission for the resource. There might be another binding that overrides this binding. To determine whether the principal actually has the permission, use the `access` field in the TroubleshootIamPolicyResponse.", "enum": [ "ACCESS_STATE_UNSPECIFIED", "GRANTED", @@ -679,10 +679,10 @@ "UNKNOWN_INFO_DENIED" ], "enumDescriptions": [ - "The access state is not specified.", - "The member has the permission.", - "The member does not have the permission.", - "The member has the permission only if a condition expression evaluates to `true`.", + "Default value. This value is unused.", + "The principal has the permission.", + "The principal does not have the permission.", + "The principal has the permission only if a condition expression evaluates to `true`.", "The user who created the Replay does not have access to all of the policies that Policy Simulator needs to evaluate." ], "type": "string" 
@@ -695,7 +695,7 @@ "additionalProperties": { "$ref": "GoogleCloudPolicysimulatorV1beta1BindingExplanationAnnotatedMembership" }, - "description": "Indicates whether each member in the binding includes the member specified in the request, either directly or indirectly. Each key identifies a member in the binding, and each value indicates whether the member in the binding includes the member in the request. For example, suppose that a binding includes the following members: * `user:alice@example.com` * `group:product-eng@example.com` The member in the replayed access tuple is `user:bob@example.com`. This user is a member of the group `group:product-eng@example.com`. For the first member in the binding, the key is `user:alice@example.com`, and the `membership` field in the value is set to `MEMBERSHIP_NOT_INCLUDED`. For the second member in the binding, the key is `group:product-eng@example.com`, and the `membership` field in the value is set to `MEMBERSHIP_INCLUDED`.", + "description": "Indicates whether each principal in the binding includes the principal specified in the request, either directly or indirectly. Each key identifies a principal in the binding, and each value indicates whether the principal in the binding includes the principal in the request. For example, suppose that a binding includes the following principals: * `user:alice@example.com` * `group:product-eng@example.com` The principal in the replayed access tuple is `user:bob@example.com`. This user is a principal of the group `group:product-eng@example.com`. For the first principal in the binding, the key is `user:alice@example.com`, and the `membership` field in the value is set to `MEMBERSHIP_NOT_INCLUDED`. For the second principal in the binding, the key is `group:product-eng@example.com`, and the `membership` field in the value is set to `MEMBERSHIP_INCLUDED`.", "type": "object" }, "relevance": { 
@@ -706,7 +706,7 @@ "HIGH" ], "enumDescriptions": [ - "Reserved for future use.", + "Default value. This value is unused.", "The data point has a limited effect on the result. Changing the data point is unlikely to affect the overall determination.", "The data point has a strong effect on the result. Changing the data point is likely to affect the overall determination." ], @@ -725,7 +725,7 @@ "ROLE_PERMISSION_UNKNOWN_INFO_DENIED" ], "enumDescriptions": [ - "The inclusion of the permission is not specified.", + "Default value. This value is unused.", "The permission is included in the role.", "The permission is not included in the role.", "The user who created the Replay is not allowed to access the binding." @@ -740,7 +740,7 @@ "HIGH" ], "enumDescriptions": [ - "Reserved for future use.", + "Default value. This value is unused.", "The data point has a limited effect on the result. Changing the data point is unlikely to affect the overall determination.", "The data point has a strong effect on the result. Changing the data point is likely to affect the overall determination." ], @@ -750,11 +750,11 @@ "type": "object" }, "GoogleCloudPolicysimulatorV1beta1BindingExplanationAnnotatedMembership": { - "description": "Details about whether the binding includes the member.", + "description": "Details about whether the binding includes the principal.", "id": "GoogleCloudPolicysimulatorV1beta1BindingExplanationAnnotatedMembership", "properties": { "membership": { - "description": "Indicates whether the binding includes the member.", + "description": "Indicates whether the binding includes the principal.", "enum": [ "MEMBERSHIP_UNSPECIFIED", "MEMBERSHIP_INCLUDED", 
@@ -763,23 +763,23 @@ "MEMBERSHIP_UNKNOWN_UNSUPPORTED" ], "enumDescriptions": [ - "The membership is not specified.", - "The binding includes the member. The member can be included directly or indirectly. For example: * A member is included directly if that member is listed in the binding. * A member is included indirectly if that member is in a Google group or Google Workspace domain that is listed in the binding.", - "The binding does not include the member.", + "Default value. This value is unused.", + "The binding includes the principal. The principal can be included directly or indirectly. For example: * A principal is included directly if that principal is listed in the binding. * A principal is included indirectly if that principal is in a Google group or Google Workspace domain that is listed in the binding.", + "The binding does not include the principal.", "The user who created the Replay is not allowed to access the binding.", - "The member is an unsupported type. Only Google Accounts and service accounts are supported." + "The principal is an unsupported type. Only Google Accounts and service accounts are supported." ], "type": "string" }, "relevance": { - "description": "The relevance of the member's status to the overall determination for the binding.", + "description": "The relevance of the principal's status to the overall determination for the binding.", "enum": [ "HEURISTIC_RELEVANCE_UNSPECIFIED", "NORMAL", "HIGH" ], "enumDescriptions": [ - "Reserved for future use.", + "Default value. This value is unused.", "The data point has a limited effect on the result. Changing the data point is unlikely to affect the overall determination.", "The data point has a strong effect on the result. Changing the data point is likely to affect the overall determination." ], 
@@ -802,10 +802,10 @@ "UNKNOWN_INFO_DENIED" ], "enumDescriptions": [ - "The access state is not specified.", - "The member has the permission.", - "The member does not have the permission.", - "The member has the permission only if a condition expression evaluates to `true`.", + "Default value. This value is unused.", + "The principal has the permission.", + "The principal does not have the permission.", + "The principal has the permission only if a condition expression evaluates to `true`.", "The user who created the Replay does not have access to all of the policies that Policy Simulator needs to evaluate." ], "type": "string" @@ -832,7 +832,7 @@ "id": "GoogleCloudPolicysimulatorV1beta1ExplainedPolicy", "properties": { "access": { - "description": "Indicates whether _this policy_ provides the specified permission to the specified member for the specified resource. This field does _not_ indicate whether the member actually has the permission for the resource. There might be another policy that overrides this policy. To determine whether the member actually has the permission, use the `access` field in the TroubleshootIamPolicyResponse.", + "description": "Indicates whether _this policy_ provides the specified permission to the specified principal for the specified resource. This field does _not_ indicate whether the principal actually has the permission for the resource. There might be another policy that overrides this policy. To determine whether the principal actually has the permission, use the `access` field in the TroubleshootIamPolicyResponse.", "enum": [ "ACCESS_STATE_UNSPECIFIED", "GRANTED", 
@@ -841,16 +841,16 @@ "UNKNOWN_INFO_DENIED" ], "enumDescriptions": [ - "The access state is not specified.", - "The member has the permission.", - "The member does not have the permission.", - "The member has the permission only if a condition expression evaluates to `true`.", + "Default value. This value is unused.", + "The principal has the permission.", + "The principal does not have the permission.", + "The principal has the permission only if a condition expression evaluates to `true`.", "The user who created the Replay does not have access to all of the policies that Policy Simulator needs to evaluate." ], "type": "string" }, "bindingExplanations": { - "description": "Details about how each binding in the policy affects the member's ability, or inability, to use the permission for the resource. If the user who created the Replay does not have access to the policy, this field is omitted.", + "description": "Details about how each binding in the policy affects the principal's ability, or inability, to use the permission for the resource. If the user who created the Replay does not have access to the policy, this field is omitted.", "items": { "$ref": "GoogleCloudPolicysimulatorV1beta1BindingExplanation" }, @@ -872,7 +872,7 @@ "HIGH" ], "enumDescriptions": [ - "Reserved for future use.", + "Default value. This value is unused.", "The data point has a limited effect on the result. Changing the data point is unlikely to affect the overall determination.", "The data point has a strong effect on the result. Changing the data point is likely to affect the overall determination." ], 
@@ -1103,29 +1103,29 @@ "type": "object" }, "GoogleIamV1Binding": { - "description": "Associates `members` with a `role`.", + "description": "Associates `members`, or principals, with a `role`.", "id": "GoogleIamV1Binding", "properties": { "condition": { "$ref": "GoogleTypeExpr", - "description": "The condition that is associated with this binding. If the condition evaluates to `true`, then this binding applies to the current request. If the condition evaluates to `false`, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the members in this binding. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies)." + "description": "The condition that is associated with this binding. If the condition evaluates to `true`, then this binding applies to the current request. If the condition evaluates to `false`, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the principals in this binding. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies)." }, "members": { - "description": "Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values: * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account. * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account. * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@example.com` . * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`. 
* `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`. * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid}` and the recovered user retains the role in the binding. * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid}` and the undeleted service account retains the role in the binding. * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid}` and the recovered group retains the role in the binding. * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`. ", + "description": "Specifies the principals requesting access for a Cloud Platform resource. `members` can have the following values: * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account. * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account. * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@example.com` . * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`. * `group:{emailid}`: An email address that represents a Google group. 
For example, `admins@example.com`. * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid}` and the recovered user retains the role in the binding. * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid}` and the undeleted service account retains the role in the binding. * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid}` and the recovered group retains the role in the binding. * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`. ", "items": { "type": "string" }, "type": "array" }, "role": { - "description": "Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.", + "description": "Role that is assigned to the list of `members`, or principals. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.", "type": "string" } }, "type": "object" }, "GoogleIamV1Policy": { - "description": "An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A `Policy` is a collection of `bindings`. A `binding` binds one or more `members` to a single `role`. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). 
A `role` is a named list of permissions; each `role` can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a `binding` can also specify a `condition`, which is a logical expression that allows access to a resource only if the expression evaluates to `true`. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). **JSON example:** { \"bindings\": [ { \"role\": \"roles/resourcemanager.organizationAdmin\", \"members\": [ \"user:mike@example.com\", \"group:admins@example.com\", \"domain:google.com\", \"serviceAccount:my-project-id@appspot.gserviceaccount.com\" ] }, { \"role\": \"roles/resourcemanager.organizationViewer\", \"members\": [ \"user:eve@example.com\" ], \"condition\": { \"title\": \"expirable access\", \"description\": \"Does not grant access after Sep 2020\", \"expression\": \"request.time < timestamp('2020-10-01T00:00:00.000Z')\", } } ], \"etag\": \"BwWWja0YfJA=\", \"version\": 3 } **YAML example:** bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3 For a description of IAM and its features, see the [IAM documentation](https://cloud.google.com/iam/docs/).", + "description": "An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A `Policy` is a collection of `bindings`. A `binding` binds one or more `members`, or principals, to a single `role`. 
Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). A `role` is a named list of permissions; each `role` can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a `binding` can also specify a `condition`, which is a logical expression that allows access to a resource only if the expression evaluates to `true`. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). **JSON example:** { \"bindings\": [ { \"role\": \"roles/resourcemanager.organizationAdmin\", \"members\": [ \"user:mike@example.com\", \"group:admins@example.com\", \"domain:google.com\", \"serviceAccount:my-project-id@appspot.gserviceaccount.com\" ] }, { \"role\": \"roles/resourcemanager.organizationViewer\", \"members\": [ \"user:eve@example.com\" ], \"condition\": { \"title\": \"expirable access\", \"description\": \"Does not grant access after Sep 2020\", \"expression\": \"request.time < timestamp('2020-10-01T00:00:00.000Z')\", } } ], \"etag\": \"BwWWja0YfJA=\", \"version\": 3 } **YAML example:** bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3 For a description of IAM and its features, see the [IAM documentation](https://cloud.google.com/iam/docs/).", "id": "GoogleIamV1Policy", "properties": { "auditConfigs": { 
@@ -1136,7 +1136,7 @@ "type": "array" }, "bindings": { - "description": "Associates a list of `members` to a `role`. Optionally, may specify a `condition` that determines how and when the `bindings` are applied. Each of the `bindings` must contain at least one member.", + "description": "Associates a list of `members`, or principals, with a `role`. Optionally, may specify a `condition` that determines how and when the `bindings` are applied. Each of the `bindings` must contain at least one principal. The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250 of these principals can be Google groups. Each occurrence of a principal counts towards these limits. For example, if the `bindings` grant 50 different roles to `user:alice@example.com`, and not to any other principal, then you can add another 1,450 principals to the `bindings` in the `Policy`.", "items": { "$ref": "GoogleIamV1Binding" }, diff --git a/src/apis/policysimulator/v1.ts b/src/apis/policysimulator/v1.ts index bf55eb6d54..21090f9179 100644 --- a/src/apis/policysimulator/v1.ts +++ b/src/apis/policysimulator/v1.ts @@ -132,11 +132,11 @@ export namespace policysimulator_v1 { } /** - * A summary and comparison of the member's access under the current (baseline) policies and the proposed (simulated) policies for a single access tuple. + * A summary and comparison of the principal's access under the current (baseline) policies and the proposed (simulated) policies for a single access tuple. */ export interface Schema$GoogleCloudPolicysimulatorV1AccessStateDiff { /** - * How the member's access, specified in the AccessState field, changed between the current (baseline) policies and proposed (simulated) policies. + * How the principal's access, specified in the AccessState field, changed between the current (baseline) policies and proposed (simulated) policies. */ accessChange?: string | null; /** 
@@ -149,7 +149,7 @@ export namespace policysimulator_v1 { simulated?: Schema$GoogleCloudPolicysimulatorV1ExplainedAccess; } /** - * Information about the member, resource, and permission to check. + * Information about the principal, resource, and permission to check. */ export interface Schema$GoogleCloudPolicysimulatorV1AccessTuple { /** @@ -157,11 +157,11 @@ export namespace policysimulator_v1 { */ fullResourceName?: string | null; /** - * Required. The IAM permission to check for the specified member and resource. For a complete list of IAM permissions, see https://cloud.google.com/iam/help/permissions/reference. For a complete list of predefined IAM roles and the permissions in each role, see https://cloud.google.com/iam/help/roles/reference. + * Required. The IAM permission to check for the specified principal and resource. For a complete list of IAM permissions, see https://cloud.google.com/iam/help/permissions/reference. For a complete list of predefined IAM roles and the permissions in each role, see https://cloud.google.com/iam/help/roles/reference. */ permission?: string | null; /** - * Required. The member, or principal, whose access you want to check, in the form of the email address that represents that member. For example, `alice@example.com` or `my-service-account@my-project.iam.gserviceaccount.com`. The member must be a Google Account or a service account. Other types of members are not supported. + * Required. The principal whose access you want to check, in the form of the email address that represents that principal. For example, `alice@example.com` or `my-service-account@my-project.iam.gserviceaccount.com`. The principal must be a Google Account or a service account. Other types of principals are not supported. */ principal?: string | null; } 
@@ -238,11 +238,11 @@ export namespace policysimulator_v1 { unchangedCount?: number | null; } /** - * Details about how a binding in a policy affects a member's ability to use a permission. + * Details about how a binding in a policy affects a principal's ability to use a permission. */ export interface Schema$GoogleCloudPolicysimulatorV1BindingExplanation { /** - * Required. Indicates whether _this binding_ provides the specified permission to the specified member for the specified resource. This field does _not_ indicate whether the member actually has the permission for the resource. There might be another binding that overrides this binding. To determine whether the member actually has the permission, use the `access` field in the TroubleshootIamPolicyResponse. + * Required. Indicates whether _this binding_ provides the specified permission to the specified principal for the specified resource. This field does _not_ indicate whether the principal actually has the permission for the resource. There might be another binding that overrides this binding. To determine whether the principal actually has the permission, use the `access` field in the TroubleshootIamPolicyResponse. */ access?: string | null; /** 
@@ -250,7 +250,7 @@ export namespace policysimulator_v1 { */ condition?: Schema$GoogleTypeExpr; /** - * Indicates whether each member in the binding includes the member specified in the request, either directly or indirectly. Each key identifies a member in the binding, and each value indicates whether the member in the binding includes the member in the request. For example, suppose that a binding includes the following members: * `user:alice@example.com` * `group:product-eng@example.com` The member in the replayed access tuple is `user:bob@example.com`. This user is a member of the group `group:product-eng@example.com`. For the first member in the binding, the key is `user:alice@example.com`, and the `membership` field in the value is set to `MEMBERSHIP_NOT_INCLUDED`. For the second member in the binding, the key is `group:product-eng@example.com`, and the `membership` field in the value is set to `MEMBERSHIP_INCLUDED`. + * Indicates whether each principal in the binding includes the principal specified in the request, either directly or indirectly. Each key identifies a principal in the binding, and each value indicates whether the principal in the binding includes the principal in the request. For example, suppose that a binding includes the following principals: * `user:alice@example.com` * `group:product-eng@example.com` The principal in the replayed access tuple is `user:bob@example.com`. This user is a principal of the group `group:product-eng@example.com`. For the first principal in the binding, the key is `user:alice@example.com`, and the `membership` field in the value is set to `MEMBERSHIP_NOT_INCLUDED`. For the second principal in the binding, the key is `group:product-eng@example.com`, and the `membership` field in the value is set to `MEMBERSHIP_INCLUDED`. */ memberships?: { [ 
@@ -275,15 +275,15 @@ export namespace policysimulator_v1 { rolePermissionRelevance?: string | null; } /** - * Details about whether the binding includes the member. + * Details about whether the binding includes the principal. */ export interface Schema$GoogleCloudPolicysimulatorV1BindingExplanationAnnotatedMembership { /** - * Indicates whether the binding includes the member. + * Indicates whether the binding includes the principal. */ membership?: string | null; /** - * The relevance of the member's status to the overall determination for the binding. + * The relevance of the principal's status to the overall determination for the binding. */ relevance?: string | null; } @@ -292,7 +292,7 @@ export namespace policysimulator_v1 { */ export interface Schema$GoogleCloudPolicysimulatorV1ExplainedAccess { /** - * Whether the member in the access tuple has permission to access the resource in the access tuple under the given policies. + * Whether the principal in the access tuple has permission to access the resource in the access tuple under the given policies. */ accessState?: string | null; /** 
@@ -309,11 +309,11 @@ export namespace policysimulator_v1 { */ export interface Schema$GoogleCloudPolicysimulatorV1ExplainedPolicy { /** - * Indicates whether _this policy_ provides the specified permission to the specified member for the specified resource. This field does _not_ indicate whether the member actually has the permission for the resource. There might be another policy that overrides this policy. To determine whether the member actually has the permission, use the `access` field in the TroubleshootIamPolicyResponse. + * Indicates whether _this policy_ provides the specified permission to the specified principal for the specified resource. This field does _not_ indicate whether the principal actually has the permission for the resource. There might be another policy that overrides this policy. To determine whether the principal actually has the permission, use the `access` field in the TroubleshootIamPolicyResponse. */ access?: string | null; /** - * Details about how each binding in the policy affects the member's ability, or inability, to use the permission for the resource. If the user who created the Replay does not have access to the policy, this field is omitted. + * Details about how each binding in the policy affects the principal's ability, or inability, to use the permission for the resource. If the user who created the Replay does not have access to the policy, this field is omitted. */ bindingExplanations?: Schema$GoogleCloudPolicysimulatorV1BindingExplanation[]; /** 
@@ -377,11 +377,11 @@ export namespace policysimulator_v1 {
 policyOverlay?: {[key: string]: Schema$GoogleIamV1Policy} | null;
 }
 /**
- * The difference between the results of evaluating an access tuple under the current (baseline) policies and under the proposed (simulated) policies. This difference explains how a member's access could change if the proposed policies were applied.
+ * The difference between the results of evaluating an access tuple under the current (baseline) policies and under the proposed (simulated) policies. This difference explains how a principal's access could change if the proposed policies were applied.
 */
 export interface Schema$GoogleCloudPolicysimulatorV1ReplayDiff {
 /**
- * A summary and comparison of the member's access under the current (baseline) policies and the proposed (simulated) policies for a single access tuple. The evaluation of the member's access is reported in the AccessState field.
+ * A summary and comparison of the principal's access under the current (baseline) policies and the proposed (simulated) policies for a single access tuple. The evaluation of the principal's access is reported in the AccessState field.
 */
 accessDiff?: Schema$GoogleCloudPolicysimulatorV1AccessStateDiff;
 }
@@ -399,11 +399,11 @@ export namespace policysimulator_v1 {
 */
 export interface Schema$GoogleCloudPolicysimulatorV1ReplayResult {
 /**
- * The access tuple that was replayed. This field includes information about the member, resource, and permission that were involved in the access attempt.
+ * The access tuple that was replayed. This field includes information about the principal, resource, and permission that were involved in the access attempt.
 */
 accessTuple?: Schema$GoogleCloudPolicysimulatorV1AccessTuple;
 /**
- * The difference between the member's access under the current (baseline) policies and the member's access under the proposed (simulated) policies. This field is only included for access tuples that were successfully replayed and had different results under the current policies and the proposed policies.
+ * The difference between the principal's access under the current (baseline) policies and the principal's access under the proposed (simulated) policies. This field is only included for access tuples that were successfully replayed and had different results under the current policies and the proposed policies.
 */
 diff?: Schema$GoogleCloudPolicysimulatorV1ReplayDiff;
 /**
@@ -479,24 +479,24 @@ export namespace policysimulator_v1 { logType?: string | null; } /** - * Associates `members` with a `role`. + * Associates `members`, or principals, with a `role`. */ export interface Schema$GoogleIamV1Binding { /** - * The condition that is associated with this binding. If the condition evaluates to `true`, then this binding applies to the current request. If the condition evaluates to `false`, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the members in this binding. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). + * The condition that is associated with this binding. If the condition evaluates to `true`, then this binding applies to the current request. If the condition evaluates to `false`, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the principals in this binding. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). */ condition?: Schema$GoogleTypeExpr; /** - * Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values: * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account. * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account. * `user:{emailid\}`: An email address that represents a specific Google account. For example, `alice@example.com` . * `serviceAccount:{emailid\}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`. * `group:{emailid\}`: An email address that represents a Google group. 
For example, `admins@example.com`. * `deleted:user:{emailid\}?uid={uniqueid\}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid\}` and the recovered user retains the role in the binding. * `deleted:serviceAccount:{emailid\}?uid={uniqueid\}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid\}` and the undeleted service account retains the role in the binding. * `deleted:group:{emailid\}?uid={uniqueid\}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid\}` and the recovered group retains the role in the binding. * `domain:{domain\}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`. + * Specifies the principals requesting access for a Cloud Platform resource. `members` can have the following values: * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account. * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account. * `user:{emailid\}`: An email address that represents a specific Google account. For example, `alice@example.com` . * `serviceAccount:{emailid\}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`. * `group:{emailid\}`: An email address that represents a Google group. For example, `admins@example.com`. 
* `deleted:user:{emailid\}?uid={uniqueid\}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid\}` and the recovered user retains the role in the binding. * `deleted:serviceAccount:{emailid\}?uid={uniqueid\}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid\}` and the undeleted service account retains the role in the binding. * `deleted:group:{emailid\}?uid={uniqueid\}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid\}` and the recovered group retains the role in the binding. * `domain:{domain\}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`. */ members?: string[] | null; /** - * Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`. + * Role that is assigned to the list of `members`, or principals. For example, `roles/viewer`, `roles/editor`, or `roles/owner`. */ role?: string | null; } /** - * An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A `Policy` is a collection of `bindings`. A `binding` binds one or more `members` to a single `role`. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A `role` is a named list of permissions; each `role` can be an IAM predefined role or a user-created custom role. 
For some types of Google Cloud resources, a `binding` can also specify a `condition`, which is a logical expression that allows access to a resource only if the expression evaluates to `true`. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). **JSON example:** { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] \}, { "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", \} \} ], "etag": "BwWWja0YfJA=", "version": 3 \} **YAML example:** bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3 For a description of IAM and its features, see the [IAM documentation](https://cloud.google.com/iam/docs/). + * An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A `Policy` is a collection of `bindings`. A `binding` binds one or more `members`, or principals, to a single `role`. Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). 
A `role` is a named list of permissions; each `role` can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a `binding` can also specify a `condition`, which is a logical expression that allows access to a resource only if the expression evaluates to `true`. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). **JSON example:** { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] \}, { "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", \} \} ], "etag": "BwWWja0YfJA=", "version": 3 \} **YAML example:** bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3 For a description of IAM and its features, see the [IAM documentation](https://cloud.google.com/iam/docs/). */ export interface Schema$GoogleIamV1Policy { /** 
@@ -504,7 +504,7 @@ export namespace policysimulator_v1 {
 */
 auditConfigs?: Schema$GoogleIamV1AuditConfig[];
 /**
- * Associates a list of `members` to a `role`. Optionally, may specify a `condition` that determines how and when the `bindings` are applied. Each of the `bindings` must contain at least one member.
+ * Associates a list of `members`, or principals, with a `role`. Optionally, may specify a `condition` that determines how and when the `bindings` are applied. Each of the `bindings` must contain at least one principal. The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250 of these principals can be Google groups. Each occurrence of a principal counts towards these limits. For example, if the `bindings` grant 50 different roles to `user:alice@example.com`, and not to any other principal, then you can add another 1,450 principals to the `bindings` in the `Policy`.
 */
 bindings?: Schema$GoogleIamV1Binding[];
 /**
diff --git a/src/apis/policysimulator/v1beta1.ts b/src/apis/policysimulator/v1beta1.ts
index f0ffa75dbe..98db8820e6 100644
--- a/src/apis/policysimulator/v1beta1.ts
+++ b/src/apis/policysimulator/v1beta1.ts
@@ -149,7 +149,7 @@ export namespace policysimulator_v1beta1 {
 simulated?: Schema$GoogleCloudPolicysimulatorV1beta1ExplainedAccess;
 }
 /**
- * Information about the member, resource, and permission to check.
+ * Information about the principal, resource, and permission to check.
 */
 export interface Schema$GoogleCloudPolicysimulatorV1beta1AccessTuple {
 /**
@@ -157,20 +157,20 @@ export namespace policysimulator_v1beta1 { */ fullResourceName?: string | null; /** - * Required. The IAM permission to check for the specified member and resource. For a complete list of IAM permissions, see https://cloud.google.com/iam/help/permissions/reference. For a complete list of predefined IAM roles and the permissions in each role, see https://cloud.google.com/iam/help/roles/reference. + * Required. The IAM permission to check for the specified principal and resource. For a complete list of IAM permissions, see https://cloud.google.com/iam/help/permissions/reference. For a complete list of predefined IAM roles and the permissions in each role, see https://cloud.google.com/iam/help/roles/reference. */ permission?: string | null; /** - * Required. The member, or principal, whose access you want to check, in the form of the email address that represents that member. For example, `alice@example.com` or `my-service-account@my-project.iam.gserviceaccount.com`. The member must be a Google Account or a service account. Other types of members are not supported. + * Required. The principal whose access you want to check, in the form of the email address that represents that principal. For example, `alice@example.com` or `my-service-account@my-project.iam.gserviceaccount.com`. The principal must be a Google Account or a service account. Other types of principals are not supported. */ principal?: string | null; } /** - * Details about how a binding in a policy affects a member's ability to use a permission. + * Details about how a binding in a policy affects a principal's ability to use a permission. */ export interface Schema$GoogleCloudPolicysimulatorV1beta1BindingExplanation { /** - * Required. Indicates whether _this binding_ provides the specified permission to the specified member for the specified resource. This field does _not_ indicate whether the member actually has the permission for the resource. 
There might be another binding that overrides this binding. To determine whether the member actually has the permission, use the `access` field in the TroubleshootIamPolicyResponse. + * Required. Indicates whether _this binding_ provides the specified permission to the specified principal for the specified resource. This field does _not_ indicate whether the principal actually has the permission for the resource. There might be another binding that overrides this binding. To determine whether the principal actually has the permission, use the `access` field in the TroubleshootIamPolicyResponse. */ access?: string | null; /** 
@@ -178,7 +178,7 @@ export namespace policysimulator_v1beta1 {
 */
 condition?: Schema$GoogleTypeExpr;
 /**
- * Indicates whether each member in the binding includes the member specified in the request, either directly or indirectly. Each key identifies a member in the binding, and each value indicates whether the member in the binding includes the member in the request. For example, suppose that a binding includes the following members: * `user:alice@example.com` * `group:product-eng@example.com` The member in the replayed access tuple is `user:bob@example.com`. This user is a member of the group `group:product-eng@example.com`. For the first member in the binding, the key is `user:alice@example.com`, and the `membership` field in the value is set to `MEMBERSHIP_NOT_INCLUDED`. For the second member in the binding, the key is `group:product-eng@example.com`, and the `membership` field in the value is set to `MEMBERSHIP_INCLUDED`.
+ * Indicates whether each principal in the binding includes the principal specified in the request, either directly or indirectly. Each key identifies a principal in the binding, and each value indicates whether the principal in the binding includes the principal in the request. For example, suppose that a binding includes the following principals: * `user:alice@example.com` * `group:product-eng@example.com` The principal in the replayed access tuple is `user:bob@example.com`. This user is a principal of the group `group:product-eng@example.com`. For the first principal in the binding, the key is `user:alice@example.com`, and the `membership` field in the value is set to `MEMBERSHIP_NOT_INCLUDED`. For the second principal in the binding, the key is `group:product-eng@example.com`, and the `membership` field in the value is set to `MEMBERSHIP_INCLUDED`.
 */
 memberships?: {
 [
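Review bot: In the new `memberships` description the member-to-principal rename also rewrote the group-membership sentence, which now says the user "is a principal of the group `group:product-eng@example.com`". That sentence describes group membership, which is why the second key reports `MEMBERSHIP_INCLUDED`, so it should keep the earlier wording: `This user is a member of the group`. Anyone relying on this example to audit access gained through a group could misread what the map reports. The interface continues outside the hunk, and the text presumably comes from the API description these typings are built from, so the correction likely belongs there.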
@@ -203,15 +203,15 @@ export namespace policysimulator_v1beta1 {
 rolePermissionRelevance?: string | null;
 }
 /**
- * Details about whether the binding includes the member.
+ * Details about whether the binding includes the principal.
 */
 export interface Schema$GoogleCloudPolicysimulatorV1beta1BindingExplanationAnnotatedMembership {
 /**
- * Indicates whether the binding includes the member.
+ * Indicates whether the binding includes the principal.
 */
 membership?: string | null;
 /**
- * The relevance of the member's status to the overall determination for the binding.
+ * The relevance of the principal's status to the overall determination for the binding.
 */
 relevance?: string | null;
 }
@@ -237,11 +237,11 @@ export namespace policysimulator_v1beta1 {
 */
 export interface Schema$GoogleCloudPolicysimulatorV1beta1ExplainedPolicy {
 /**
- * Indicates whether _this policy_ provides the specified permission to the specified member for the specified resource. This field does _not_ indicate whether the member actually has the permission for the resource. There might be another policy that overrides this policy. To determine whether the member actually has the permission, use the `access` field in the TroubleshootIamPolicyResponse.
+ * Indicates whether _this policy_ provides the specified permission to the specified principal for the specified resource. This field does _not_ indicate whether the principal actually has the permission for the resource. There might be another policy that overrides this policy. To determine whether the principal actually has the permission, use the `access` field in the TroubleshootIamPolicyResponse.
 */
 access?: string | null;
 /**
- * Details about how each binding in the policy affects the member's ability, or inability, to use the permission for the resource. If the user who created the Replay does not have access to the policy, this field is omitted.
+ * Details about how each binding in the policy affects the principal's ability, or inability, to use the permission for the resource. If the user who created the Replay does not have access to the policy, this field is omitted.
 */
 bindingExplanations?: Schema$GoogleCloudPolicysimulatorV1beta1BindingExplanation[];
 /**
@@ -479,24 +479,24 @@ export namespace policysimulator_v1beta1 { logType?: string | null; } /** - * Associates `members` with a `role`. + * Associates `members`, or principals, with a `role`. */ export interface Schema$GoogleIamV1Binding { /** - * The condition that is associated with this binding. If the condition evaluates to `true`, then this binding applies to the current request. If the condition evaluates to `false`, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the members in this binding. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). + * The condition that is associated with this binding. If the condition evaluates to `true`, then this binding applies to the current request. If the condition evaluates to `false`, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the principals in this binding. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). */ condition?: Schema$GoogleTypeExpr; /** - * Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values: * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account. * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account. * `user:{emailid\}`: An email address that represents a specific Google account. For example, `alice@example.com` . * `serviceAccount:{emailid\}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`. 
* `group:{emailid\}`: An email address that represents a Google group. For example, `admins@example.com`. * `deleted:user:{emailid\}?uid={uniqueid\}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid\}` and the recovered user retains the role in the binding. * `deleted:serviceAccount:{emailid\}?uid={uniqueid\}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid\}` and the undeleted service account retains the role in the binding. * `deleted:group:{emailid\}?uid={uniqueid\}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid\}` and the recovered group retains the role in the binding. * `domain:{domain\}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`. + * Specifies the principals requesting access for a Cloud Platform resource. `members` can have the following values: * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account. * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account. * `user:{emailid\}`: An email address that represents a specific Google account. For example, `alice@example.com` . * `serviceAccount:{emailid\}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`. * `group:{emailid\}`: An email address that represents a Google group. 
For example, `admins@example.com`. * `deleted:user:{emailid\}?uid={uniqueid\}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid\}` and the recovered user retains the role in the binding. * `deleted:serviceAccount:{emailid\}?uid={uniqueid\}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid\}` and the undeleted service account retains the role in the binding. * `deleted:group:{emailid\}?uid={uniqueid\}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid\}` and the recovered group retains the role in the binding. * `domain:{domain\}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`. */ members?: string[] | null; /** - * Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`. + * Role that is assigned to the list of `members`, or principals. For example, `roles/viewer`, `roles/editor`, or `roles/owner`. */ role?: string | null; } /** - * An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A `Policy` is a collection of `bindings`. A `binding` binds one or more `members` to a single `role`. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A `role` is a named list of permissions; each `role` can be an IAM predefined role or a user-created custom role. 
For some types of Google Cloud resources, a `binding` can also specify a `condition`, which is a logical expression that allows access to a resource only if the expression evaluates to `true`. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). **JSON example:** { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] \}, { "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", \} \} ], "etag": "BwWWja0YfJA=", "version": 3 \} **YAML example:** bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3 For a description of IAM and its features, see the [IAM documentation](https://cloud.google.com/iam/docs/). + * An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A `Policy` is a collection of `bindings`. A `binding` binds one or more `members`, or principals, to a single `role`. Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). 
A `role` is a named list of permissions; each `role` can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a `binding` can also specify a `condition`, which is a logical expression that allows access to a resource only if the expression evaluates to `true`. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). **JSON example:** { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] \}, { "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", \} \} ], "etag": "BwWWja0YfJA=", "version": 3 \} **YAML example:** bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3 For a description of IAM and its features, see the [IAM documentation](https://cloud.google.com/iam/docs/). */ export interface Schema$GoogleIamV1Policy { /** 
@@ -504,7 +504,7 @@ export namespace policysimulator_v1beta1 {
 */
 auditConfigs?: Schema$GoogleIamV1AuditConfig[];
 /**
- * Associates a list of `members` to a `role`. Optionally, may specify a `condition` that determines how and when the `bindings` are applied. Each of the `bindings` must contain at least one member.
+ * Associates a list of `members`, or principals, with a `role`. Optionally, may specify a `condition` that determines how and when the `bindings` are applied. Each of the `bindings` must contain at least one principal. The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250 of these principals can be Google groups. Each occurrence of a principal counts towards these limits. For example, if the `bindings` grant 50 different roles to `user:alice@example.com`, and not to any other principal, then you can add another 1,450 principals to the `bindings` in the `Policy`.
 */
 bindings?: Schema$GoogleIamV1Binding[];
 /**