diff --git a/java-accesscontextmanager/README.md b/java-accesscontextmanager/README.md index 94e55329d991..5b4aec6ccd3b 100644 --- a/java-accesscontextmanager/README.md +++ b/java-accesscontextmanager/README.md @@ -19,20 +19,20 @@ If you are using Maven, add this to your pom.xml file: com.google.cloud google-identity-accesscontextmanager - 1.6.0 + 1.7.0 ``` If you are using Gradle without BOM, add this to your dependencies: ```Groovy -implementation 'com.google.cloud:google-identity-accesscontextmanager:1.6.0' +implementation 'com.google.cloud:google-identity-accesscontextmanager:1.7.0' ``` If you are using SBT, add this to your dependencies: ```Scala -libraryDependencies += "com.google.cloud" % "google-identity-accesscontextmanager" % "1.6.0" +libraryDependencies += "com.google.cloud" % "google-identity-accesscontextmanager" % "1.7.0" ``` ## Authentication 
@@ -159,16 +159,16 @@ Java is a registered trademark of Oracle and/or its affiliates. [product-docs]: n/a [javadocs]: https://cloud.google.com/java/docs/reference/google-identity-accesscontextmanager/latest/overview -[kokoro-badge-image-1]: http://storage.googleapis.com/cloud-devrel-public/java/badges/java-accesscontextmanager/java7.svg -[kokoro-badge-link-1]: http://storage.googleapis.com/cloud-devrel-public/java/badges/java-accesscontextmanager/java7.html -[kokoro-badge-image-2]: http://storage.googleapis.com/cloud-devrel-public/java/badges/java-accesscontextmanager/java8.svg -[kokoro-badge-link-2]: http://storage.googleapis.com/cloud-devrel-public/java/badges/java-accesscontextmanager/java8.html -[kokoro-badge-image-3]: http://storage.googleapis.com/cloud-devrel-public/java/badges/java-accesscontextmanager/java8-osx.svg -[kokoro-badge-link-3]: http://storage.googleapis.com/cloud-devrel-public/java/badges/java-accesscontextmanager/java8-osx.html -[kokoro-badge-image-4]: http://storage.googleapis.com/cloud-devrel-public/java/badges/java-accesscontextmanager/java8-win.svg -[kokoro-badge-link-4]: http://storage.googleapis.com/cloud-devrel-public/java/badges/java-accesscontextmanager/java8-win.html -[kokoro-badge-image-5]: http://storage.googleapis.com/cloud-devrel-public/java/badges/java-accesscontextmanager/java11.svg -[kokoro-badge-link-5]: http://storage.googleapis.com/cloud-devrel-public/java/badges/java-accesscontextmanager/java11.html +[kokoro-badge-image-1]: http://storage.googleapis.com/cloud-devrel-public/java/badges/google-cloud-java/java7.svg +[kokoro-badge-link-1]: http://storage.googleapis.com/cloud-devrel-public/java/badges/google-cloud-java/java7.html +[kokoro-badge-image-2]: http://storage.googleapis.com/cloud-devrel-public/java/badges/google-cloud-java/java8.svg +[kokoro-badge-link-2]: http://storage.googleapis.com/cloud-devrel-public/java/badges/google-cloud-java/java8.html +[kokoro-badge-image-3]: 
http://storage.googleapis.com/cloud-devrel-public/java/badges/google-cloud-java/java8-osx.svg +[kokoro-badge-link-3]: http://storage.googleapis.com/cloud-devrel-public/java/badges/google-cloud-java/java8-osx.html +[kokoro-badge-image-4]: http://storage.googleapis.com/cloud-devrel-public/java/badges/google-cloud-java/java8-win.svg +[kokoro-badge-link-4]: http://storage.googleapis.com/cloud-devrel-public/java/badges/google-cloud-java/java8-win.html +[kokoro-badge-image-5]: http://storage.googleapis.com/cloud-devrel-public/java/badges/google-cloud-java/java11.svg +[kokoro-badge-link-5]: http://storage.googleapis.com/cloud-devrel-public/java/badges/google-cloud-java/java11.html [stability-image]: https://img.shields.io/badge/stability-stable-green [maven-version-image]: https://img.shields.io/maven-central/v/com.google.cloud/google-identity-accesscontextmanager.svg [maven-version-link]: https://search.maven.org/search?q=g:com.google.cloud%20AND%20a:google-identity-accesscontextmanager&core=gav 
@@ -180,9 +180,9 @@ Java is a registered trademark of Oracle and/or its affiliates. [create-project]: https://cloud.google.com/resource-manager/docs/creating-managing-projects [cloud-sdk]: https://cloud.google.com/sdk/ [troubleshooting]: https://github.com/googleapis/google-cloud-common/blob/main/troubleshooting/readme.md#troubleshooting -[contributing]: https://github.com/googleapis/java-accesscontextmanager/blob/main/CONTRIBUTING.md -[code-of-conduct]: https://github.com/googleapis/java-accesscontextmanager/blob/main/CODE_OF_CONDUCT.md#contributor-code-of-conduct -[license]: https://github.com/googleapis/java-accesscontextmanager/blob/main/LICENSE +[contributing]: https://github.com/googleapis/google-cloud-java/blob/main/CONTRIBUTING.md +[code-of-conduct]: https://github.com/googleapis/google-cloud-java/blob/main/CODE_OF_CONDUCT.md#contributor-code-of-conduct +[license]: https://github.com/googleapis/google-cloud-java/blob/main/LICENSE [enable-billing]: https://cloud.google.com/apis/docs/getting-started#enabling_billing [libraries-bom]: https://github.com/GoogleCloudPlatform/cloud-opensource-java/wiki/The-Google-Cloud-Platform-Libraries-BOM diff --git a/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/AccessContextManagerClient.java b/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/AccessContextManagerClient.java index 1178e3f45c43..2191a1cc9ad4 100644 --- a/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/AccessContextManagerClient.java +++ b/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/AccessContextManagerClient.java 
@@ -29,6 +29,11 @@ import com.google.api.gax.rpc.PageContext; import com.google.api.gax.rpc.UnaryCallable; import com.google.common.util.concurrent.MoreExecutors; +import com.google.iam.v1.GetIamPolicyRequest; +import com.google.iam.v1.Policy; +import com.google.iam.v1.SetIamPolicyRequest; +import com.google.iam.v1.TestIamPermissionsRequest; +import com.google.iam.v1.TestIamPermissionsResponse; import com.google.identity.accesscontextmanager.v1.stub.AccessContextManagerStub; import com.google.identity.accesscontextmanager.v1.stub.AccessContextManagerStubSettings; import com.google.longrunning.Operation; @@ -41,12 +46,12 @@ // AUTO-GENERATED DOCUMENTATION AND CLASS. /** - * Service Description: API for setting [Access Levels] - * [google.identity.accesscontextmanager.v1.AccessLevel] and [Service Perimeters] - * [google.identity.accesscontextmanager.v1.ServicePerimeter] for Google Cloud Projects. Each - * organization has one [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy] - * containing the [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel] and [Service - * Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter]. This [AccessPolicy] + * Service Description: API for setting [access levels] + * [google.identity.accesscontextmanager.v1.AccessLevel] and [service perimeters] + * [google.identity.accesscontextmanager.v1.ServicePerimeter] for Google Cloud projects. Each + * organization has one [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy] that + * contains the [access levels] [google.identity.accesscontextmanager.v1.AccessLevel] and [service + * perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter]. This [access policy] * [google.identity.accesscontextmanager.v1.AccessPolicy] is applicable to all resources in the * organization. AccessPolicies * 
@@ -217,8 +222,8 @@ public final OperationsClient getHttpJsonOperationsClient() { // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * List all [AccessPolicies] [google.identity.accesscontextmanager.v1.AccessPolicy] under a - * container. + * Lists all [access policies] [google.identity.accesscontextmanager.v1.AccessPolicy] in an + * organization. * *

Sample code: * @@ -253,8 +258,8 @@ public final ListAccessPoliciesPagedResponse listAccessPolicies( // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * List all [AccessPolicies] [google.identity.accesscontextmanager.v1.AccessPolicy] under a - * container. + * Lists all [access policies] [google.identity.accesscontextmanager.v1.AccessPolicy] in an + * organization. * *

Sample code: * @@ -288,8 +293,8 @@ public final ListAccessPoliciesPagedResponse listAccessPolicies( // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * List all [AccessPolicies] [google.identity.accesscontextmanager.v1.AccessPolicy] under a - * container. + * Lists all [access policies] [google.identity.accesscontextmanager.v1.AccessPolicy] in an + * organization. * *

Sample code: * @@ -330,7 +335,8 @@ public final ListAccessPoliciesPagedResponse listAccessPolicies( // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Get an [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy] by name. + * Returns an [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy] based on the + * name. * *

Sample code: * @@ -359,7 +365,8 @@ public final AccessPolicy getAccessPolicy(AccessPolicyName name) { // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Get an [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy] by name. + * Returns an [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy] based on the + * name. * *

Sample code: * @@ -387,7 +394,8 @@ public final AccessPolicy getAccessPolicy(String name) { // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Get an [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy] by name. + * Returns an [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy] based on the + * name. * *

Sample code: * @@ -416,7 +424,8 @@ public final AccessPolicy getAccessPolicy(GetAccessPolicyRequest request) { // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Get an [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy] by name. + * Returns an [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy] based on the + * name. * *

Sample code: * @@ -445,9 +454,9 @@ public final UnaryCallable getAccessPolicy // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Create an `AccessPolicy`. Fails if this organization already has a `AccessPolicy`. The - * longrunning Operation will have a successful status once the `AccessPolicy` has propagated to - * long-lasting storage. Syntactic and basic semantic errors will be returned in `metadata` as a + * Creates an access policy. This method fails if the organization already has an access policy. + * The long-running operation has a successful status after the access policy propagates to + * long-lasting storage. Syntactic and basic semantic errors are returned in `metadata` as a * BadRequest proto. * *

Sample code: @@ -465,6 +474,7 @@ public final UnaryCallable getAccessPolicy * .setName(AccessPolicyName.of("[ACCESS_POLICY]").toString()) * .setParent("parent-995424086") * .setTitle("title110371416") + * .addAllScopes(new ArrayList()) * .setCreateTime(Timestamp.newBuilder().build()) * .setUpdateTime(Timestamp.newBuilder().build()) * .setEtag("etag3123477") @@ -483,9 +493,9 @@ public final UnaryCallable getAccessPolicy // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Create an `AccessPolicy`. Fails if this organization already has a `AccessPolicy`. The - * longrunning Operation will have a successful status once the `AccessPolicy` has propagated to - * long-lasting storage. Syntactic and basic semantic errors will be returned in `metadata` as a + * Creates an access policy. This method fails if the organization already has an access policy. + * The long-running operation has a successful status after the access policy propagates to + * long-lasting storage. Syntactic and basic semantic errors are returned in `metadata` as a * BadRequest proto. * *

Sample code: @@ -503,6 +513,7 @@ public final UnaryCallable getAccessPolicy * .setName(AccessPolicyName.of("[ACCESS_POLICY]").toString()) * .setParent("parent-995424086") * .setTitle("title110371416") + * .addAllScopes(new ArrayList()) * .setCreateTime(Timestamp.newBuilder().build()) * .setUpdateTime(Timestamp.newBuilder().build()) * .setEtag("etag3123477") @@ -521,9 +532,9 @@ public final UnaryCallable getAccessPolicy // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Create an `AccessPolicy`. Fails if this organization already has a `AccessPolicy`. The - * longrunning Operation will have a successful status once the `AccessPolicy` has propagated to - * long-lasting storage. Syntactic and basic semantic errors will be returned in `metadata` as a + * Creates an access policy. This method fails if the organization already has an access policy. + * The long-running operation has a successful status after the access policy propagates to + * long-lasting storage. Syntactic and basic semantic errors are returned in `metadata` as a * BadRequest proto. * *

Sample code: @@ -541,6 +552,7 @@ public final UnaryCallable getAccessPolicy * .setName(AccessPolicyName.of("[ACCESS_POLICY]").toString()) * .setParent("parent-995424086") * .setTitle("title110371416") + * .addAllScopes(new ArrayList()) * .setCreateTime(Timestamp.newBuilder().build()) * .setUpdateTime(Timestamp.newBuilder().build()) * .setEtag("etag3123477") @@ -558,11 +570,10 @@ public final UnaryCallable createAccessPolicyCallable() // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Update an [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy]. The - * longrunning Operation from this RPC will have a successful status once the changes to the - * [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy] have propagated to - * long-lasting storage. Syntactic and basic semantic errors will be returned in `metadata` as a - * BadRequest proto. + * Updates an [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy]. The + * long-running operation from this RPC has a successful status after the changes to the [access + * policy] [google.identity.accesscontextmanager.v1.AccessPolicy] propagate to long-lasting + * storage. * *

Sample code: * @@ -594,11 +605,10 @@ public final UnaryCallable createAccessPolicyCallable() // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Update an [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy]. The - * longrunning Operation from this RPC will have a successful status once the changes to the - * [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy] have propagated to - * long-lasting storage. Syntactic and basic semantic errors will be returned in `metadata` as a - * BadRequest proto. + * Updates an [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy]. The + * long-running operation from this RPC has a successful status after the changes to the [access + * policy] [google.identity.accesscontextmanager.v1.AccessPolicy] propagate to long-lasting + * storage. * *

Sample code: * @@ -629,11 +639,10 @@ public final UnaryCallable createAccessPolicyCallable() // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Update an [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy]. The - * longrunning Operation from this RPC will have a successful status once the changes to the - * [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy] have propagated to - * long-lasting storage. Syntactic and basic semantic errors will be returned in `metadata` as a - * BadRequest proto. + * Updates an [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy]. The + * long-running operation from this RPC has a successful status after the changes to the [access + * policy] [google.identity.accesscontextmanager.v1.AccessPolicy] propagate to long-lasting + * storage. * *

Sample code: * @@ -665,11 +674,10 @@ public final UnaryCallable createAccessPolicyCallable() // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Update an [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy]. The - * longrunning Operation from this RPC will have a successful status once the changes to the - * [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy] have propagated to - * long-lasting storage. Syntactic and basic semantic errors will be returned in `metadata` as a - * BadRequest proto. + * Updates an [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy]. The + * long-running operation from this RPC has a successful status after the changes to the [access + * policy] [google.identity.accesscontextmanager.v1.AccessPolicy] propagate to long-lasting + * storage. * *

Sample code: * @@ -699,10 +707,9 @@ public final UnaryCallable updateAccessPol // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Delete an [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy] by resource - * name. The longrunning Operation will have a successful status once the [AccessPolicy] - * [google.identity.accesscontextmanager.v1.AccessPolicy] has been removed from long-lasting - * storage. + * Deletes an [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy] based on the + * resource name. The long-running operation has a successful status after the [access policy] + * [google.identity.accesscontextmanager.v1.AccessPolicy] is removed from long-lasting storage. * *

Sample code: * @@ -734,10 +741,9 @@ public final UnaryCallable updateAccessPol // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Delete an [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy] by resource - * name. The longrunning Operation will have a successful status once the [AccessPolicy] - * [google.identity.accesscontextmanager.v1.AccessPolicy] has been removed from long-lasting - * storage. + * Deletes an [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy] based on the + * resource name. The long-running operation has a successful status after the [access policy] + * [google.identity.accesscontextmanager.v1.AccessPolicy] is removed from long-lasting storage. * *

Sample code: * @@ -767,10 +773,9 @@ public final UnaryCallable updateAccessPol // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Delete an [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy] by resource - * name. The longrunning Operation will have a successful status once the [AccessPolicy] - * [google.identity.accesscontextmanager.v1.AccessPolicy] has been removed from long-lasting - * storage. + * Deletes an [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy] based on the + * resource name. The long-running operation has a successful status after the [access policy] + * [google.identity.accesscontextmanager.v1.AccessPolicy] is removed from long-lasting storage. * *

Sample code: * @@ -800,10 +805,9 @@ public final UnaryCallable updateAccessPol // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Delete an [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy] by resource - * name. The longrunning Operation will have a successful status once the [AccessPolicy] - * [google.identity.accesscontextmanager.v1.AccessPolicy] has been removed from long-lasting - * storage. + * Deletes an [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy] based on the + * resource name. The long-running operation has a successful status after the [access policy] + * [google.identity.accesscontextmanager.v1.AccessPolicy] is removed from long-lasting storage. * *

Sample code: * @@ -834,10 +838,9 @@ public final UnaryCallable updateAccessPol // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Delete an [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy] by resource - * name. The longrunning Operation will have a successful status once the [AccessPolicy] - * [google.identity.accesscontextmanager.v1.AccessPolicy] has been removed from long-lasting - * storage. + * Deletes an [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy] based on the + * resource name. The long-running operation has a successful status after the [access policy] + * [google.identity.accesscontextmanager.v1.AccessPolicy] is removed from long-lasting storage. * *

Sample code: * @@ -866,7 +869,7 @@ public final UnaryCallable deleteAccessPol // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * List all [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel] for an access + * Lists all [access levels] [google.identity.accesscontextmanager.v1.AccessLevel] for an access * policy. * *

Sample code: @@ -901,7 +904,7 @@ public final ListAccessLevelsPagedResponse listAccessLevels(AccessPolicyName par // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * List all [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel] for an access + * Lists all [access levels] [google.identity.accesscontextmanager.v1.AccessLevel] for an access * policy. * *

Sample code: @@ -934,7 +937,7 @@ public final ListAccessLevelsPagedResponse listAccessLevels(String parent) { // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * List all [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel] for an access + * Lists all [access levels] [google.identity.accesscontextmanager.v1.AccessLevel] for an access * policy. * *

Sample code: @@ -970,7 +973,7 @@ public final ListAccessLevelsPagedResponse listAccessLevels(ListAccessLevelsRequ // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * List all [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel] for an access + * Lists all [access levels] [google.identity.accesscontextmanager.v1.AccessLevel] for an access * policy. * *

Sample code: @@ -1006,7 +1009,7 @@ public final ListAccessLevelsPagedResponse listAccessLevels(ListAccessLevelsRequ // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * List all [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel] for an access + * Lists all [access levels] [google.identity.accesscontextmanager.v1.AccessLevel] for an access * policy. * *

Sample code: @@ -1049,7 +1052,8 @@ public final ListAccessLevelsPagedResponse listAccessLevels(ListAccessLevelsRequ // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Get an [Access Level] [google.identity.accesscontextmanager.v1.AccessLevel] by resource name. + * Gets an [access level] [google.identity.accesscontextmanager.v1.AccessLevel] based on the + * resource name. * *

Sample code: * @@ -1079,7 +1083,8 @@ public final AccessLevel getAccessLevel(AccessLevelName name) { // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Get an [Access Level] [google.identity.accesscontextmanager.v1.AccessLevel] by resource name. + * Gets an [access level] [google.identity.accesscontextmanager.v1.AccessLevel] based on the + * resource name. * *

Sample code: * @@ -1108,7 +1113,8 @@ public final AccessLevel getAccessLevel(String name) { // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Get an [Access Level] [google.identity.accesscontextmanager.v1.AccessLevel] by resource name. + * Gets an [access level] [google.identity.accesscontextmanager.v1.AccessLevel] based on the + * resource name. * *

Sample code: * @@ -1138,7 +1144,8 @@ public final AccessLevel getAccessLevel(GetAccessLevelRequest request) { // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Get an [Access Level] [google.identity.accesscontextmanager.v1.AccessLevel] by resource name. + * Gets an [access level] [google.identity.accesscontextmanager.v1.AccessLevel] based on the + * resource name. * *

Sample code: * @@ -1168,11 +1175,11 @@ public final UnaryCallable getAccessLevelCal // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Create an [Access Level] [google.identity.accesscontextmanager.v1.AccessLevel]. The longrunning - * operation from this RPC will have a successful status once the [Access Level] - * [google.identity.accesscontextmanager.v1.AccessLevel] has propagated to long-lasting storage. - * [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel] containing errors will - * result in an error response for the first error encountered. + * Creates an [access level] [google.identity.accesscontextmanager.v1.AccessLevel]. The + * long-running operation from this RPC has a successful status after the [access level] + * [google.identity.accesscontextmanager.v1.AccessLevel] propagates to long-lasting storage. If + * [access levels] [google.identity.accesscontextmanager.v1.AccessLevel] contain errors, an error + * response is returned for the first error encountered. * *

Sample code: * @@ -1212,11 +1219,11 @@ public final UnaryCallable getAccessLevelCal // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Create an [Access Level] [google.identity.accesscontextmanager.v1.AccessLevel]. The longrunning - * operation from this RPC will have a successful status once the [Access Level] - * [google.identity.accesscontextmanager.v1.AccessLevel] has propagated to long-lasting storage. - * [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel] containing errors will - * result in an error response for the first error encountered. + * Creates an [access level] [google.identity.accesscontextmanager.v1.AccessLevel]. The + * long-running operation from this RPC has a successful status after the [access level] + * [google.identity.accesscontextmanager.v1.AccessLevel] propagates to long-lasting storage. If + * [access levels] [google.identity.accesscontextmanager.v1.AccessLevel] contain errors, an error + * response is returned for the first error encountered. * *

Sample code: * @@ -1253,11 +1260,11 @@ public final UnaryCallable getAccessLevelCal // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Create an [Access Level] [google.identity.accesscontextmanager.v1.AccessLevel]. The longrunning - * operation from this RPC will have a successful status once the [Access Level] - * [google.identity.accesscontextmanager.v1.AccessLevel] has propagated to long-lasting storage. - * [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel] containing errors will - * result in an error response for the first error encountered. + * Creates an [access level] [google.identity.accesscontextmanager.v1.AccessLevel]. The + * long-running operation from this RPC has a successful status after the [access level] + * [google.identity.accesscontextmanager.v1.AccessLevel] propagates to long-lasting storage. If + * [access levels] [google.identity.accesscontextmanager.v1.AccessLevel] contain errors, an error + * response is returned for the first error encountered. * *

Sample code: * @@ -1288,11 +1295,11 @@ public final UnaryCallable getAccessLevelCal // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Create an [Access Level] [google.identity.accesscontextmanager.v1.AccessLevel]. The longrunning - * operation from this RPC will have a successful status once the [Access Level] - * [google.identity.accesscontextmanager.v1.AccessLevel] has propagated to long-lasting storage. - * [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel] containing errors will - * result in an error response for the first error encountered. + * Creates an [access level] [google.identity.accesscontextmanager.v1.AccessLevel]. The + * long-running operation from this RPC has a successful status after the [access level] + * [google.identity.accesscontextmanager.v1.AccessLevel] propagates to long-lasting storage. If + * [access levels] [google.identity.accesscontextmanager.v1.AccessLevel] contain errors, an error + * response is returned for the first error encountered. * *

Sample code: * @@ -1324,11 +1331,11 @@ public final UnaryCallable getAccessLevelCal // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Create an [Access Level] [google.identity.accesscontextmanager.v1.AccessLevel]. The longrunning - * operation from this RPC will have a successful status once the [Access Level] - * [google.identity.accesscontextmanager.v1.AccessLevel] has propagated to long-lasting storage. - * [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel] containing errors will - * result in an error response for the first error encountered. + * Creates an [access level] [google.identity.accesscontextmanager.v1.AccessLevel]. The + * long-running operation from this RPC has a successful status after the [access level] + * [google.identity.accesscontextmanager.v1.AccessLevel] propagates to long-lasting storage. If + * [access levels] [google.identity.accesscontextmanager.v1.AccessLevel] contain errors, an error + * response is returned for the first error encountered. * *

Sample code: * @@ -1358,11 +1365,11 @@ public final UnaryCallable createAccessLeve // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Update an [Access Level] [google.identity.accesscontextmanager.v1.AccessLevel]. The longrunning - * operation from this RPC will have a successful status once the changes to the [Access Level] - * [google.identity.accesscontextmanager.v1.AccessLevel] have propagated to long-lasting storage. - * [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel] containing errors will - * result in an error response for the first error encountered. + * Updates an [access level] [google.identity.accesscontextmanager.v1.AccessLevel]. The + * long-running operation from this RPC has a successful status after the changes to the [access + * level] [google.identity.accesscontextmanager.v1.AccessLevel] propagate to long-lasting storage. + * If [access levels] [google.identity.accesscontextmanager.v1.AccessLevel] contain errors, an + * error response is returned for the first error encountered. * *

Sample code: * @@ -1400,11 +1407,11 @@ public final UnaryCallable createAccessLeve // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Update an [Access Level] [google.identity.accesscontextmanager.v1.AccessLevel]. The longrunning - * operation from this RPC will have a successful status once the changes to the [Access Level] - * [google.identity.accesscontextmanager.v1.AccessLevel] have propagated to long-lasting storage. - * [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel] containing errors will - * result in an error response for the first error encountered. + * Updates an [access level] [google.identity.accesscontextmanager.v1.AccessLevel]. The + * long-running operation from this RPC has a successful status after the changes to the [access + * level] [google.identity.accesscontextmanager.v1.AccessLevel] propagate to long-lasting storage. + * If [access levels] [google.identity.accesscontextmanager.v1.AccessLevel] contain errors, an + * error response is returned for the first error encountered. * *

Sample code: * @@ -1435,11 +1442,11 @@ public final UnaryCallable createAccessLeve // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Update an [Access Level] [google.identity.accesscontextmanager.v1.AccessLevel]. The longrunning - * operation from this RPC will have a successful status once the changes to the [Access Level] - * [google.identity.accesscontextmanager.v1.AccessLevel] have propagated to long-lasting storage. - * [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel] containing errors will - * result in an error response for the first error encountered. + * Updates an [access level] [google.identity.accesscontextmanager.v1.AccessLevel]. The + * long-running operation from this RPC has a successful status after the changes to the [access + * level] [google.identity.accesscontextmanager.v1.AccessLevel] propagate to long-lasting storage. + * If [access levels] [google.identity.accesscontextmanager.v1.AccessLevel] contain errors, an + * error response is returned for the first error encountered. * *

Sample code: * @@ -1471,11 +1478,11 @@ public final UnaryCallable createAccessLeve // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Update an [Access Level] [google.identity.accesscontextmanager.v1.AccessLevel]. The longrunning - * operation from this RPC will have a successful status once the changes to the [Access Level] - * [google.identity.accesscontextmanager.v1.AccessLevel] have propagated to long-lasting storage. - * [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel] containing errors will - * result in an error response for the first error encountered. + * Updates an [access level] [google.identity.accesscontextmanager.v1.AccessLevel]. The + * long-running operation from this RPC has a successful status after the changes to the [access + * level] [google.identity.accesscontextmanager.v1.AccessLevel] propagate to long-lasting storage. + * If [access levels] [google.identity.accesscontextmanager.v1.AccessLevel] contain errors, an + * error response is returned for the first error encountered. * *

Sample code: * @@ -1505,10 +1512,10 @@ public final UnaryCallable updateAccessLeve // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Delete an [Access Level] [google.identity.accesscontextmanager.v1.AccessLevel] by resource - * name. The longrunning operation from this RPC will have a successful status once the [Access - * Level] [google.identity.accesscontextmanager.v1.AccessLevel] has been removed from long-lasting - * storage. + * Deletes an [access level] [google.identity.accesscontextmanager.v1.AccessLevel] based on the + * resource name. The long-running operation from this RPC has a successful status after the + * [access level] [google.identity.accesscontextmanager.v1.AccessLevel] has been removed from + * long-lasting storage. * *

Sample code: * @@ -1541,10 +1548,10 @@ public final OperationFuture delet // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Delete an [Access Level] [google.identity.accesscontextmanager.v1.AccessLevel] by resource - * name. The longrunning operation from this RPC will have a successful status once the [Access - * Level] [google.identity.accesscontextmanager.v1.AccessLevel] has been removed from long-lasting - * storage. + * Deletes an [access level] [google.identity.accesscontextmanager.v1.AccessLevel] based on the + * resource name. The long-running operation from this RPC has a successful status after the + * [access level] [google.identity.accesscontextmanager.v1.AccessLevel] has been removed from + * long-lasting storage. * *

Sample code: * @@ -1574,10 +1581,10 @@ public final OperationFuture delet // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Delete an [Access Level] [google.identity.accesscontextmanager.v1.AccessLevel] by resource - * name. The longrunning operation from this RPC will have a successful status once the [Access - * Level] [google.identity.accesscontextmanager.v1.AccessLevel] has been removed from long-lasting - * storage. + * Deletes an [access level] [google.identity.accesscontextmanager.v1.AccessLevel] based on the + * resource name. The long-running operation from this RPC has a successful status after the + * [access level] [google.identity.accesscontextmanager.v1.AccessLevel] has been removed from + * long-lasting storage. * *

Sample code: * @@ -1607,10 +1614,10 @@ public final OperationFuture delet // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Delete an [Access Level] [google.identity.accesscontextmanager.v1.AccessLevel] by resource - * name. The longrunning operation from this RPC will have a successful status once the [Access - * Level] [google.identity.accesscontextmanager.v1.AccessLevel] has been removed from long-lasting - * storage. + * Deletes an [access level] [google.identity.accesscontextmanager.v1.AccessLevel] based on the + * resource name. The long-running operation from this RPC has a successful status after the + * [access level] [google.identity.accesscontextmanager.v1.AccessLevel] has been removed from + * long-lasting storage. * *

Sample code: * @@ -1641,10 +1648,10 @@ public final OperationFuture delet // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Delete an [Access Level] [google.identity.accesscontextmanager.v1.AccessLevel] by resource - * name. The longrunning operation from this RPC will have a successful status once the [Access - * Level] [google.identity.accesscontextmanager.v1.AccessLevel] has been removed from long-lasting - * storage. + * Deletes an [access level] [google.identity.accesscontextmanager.v1.AccessLevel] based on the + * resource name. The long-running operation from this RPC has a successful status after the + * [access level] [google.identity.accesscontextmanager.v1.AccessLevel] has been removed from + * long-lasting storage. * *

Sample code: * 
@@ -1673,17 +1680,16 @@ public final UnaryCallable deleteAccessLeve // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Replace all existing [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel] in - * an [Access Policy] [google.identity.accesscontextmanager.v1.AccessPolicy] with the [Access - * Levels] [google.identity.accesscontextmanager.v1.AccessLevel] provided. This is done - * atomically. The longrunning operation from this RPC will have a successful status once all - * replacements have propagated to long-lasting storage. Replacements containing errors will - * result in an error response for the first error encountered. Replacement will be cancelled on - * error, existing [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel] will not - * be affected. Operation.response field will contain ReplaceAccessLevelsResponse. Removing - * [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel] contained in existing - * [Service Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] will result in - * error. + * Replaces all existing [access levels] [google.identity.accesscontextmanager.v1.AccessLevel] in + * an [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy] with the [access + * levels] [google.identity.accesscontextmanager.v1.AccessLevel] provided. This is done + * atomically. The long-running operation from this RPC has a successful status after all + * replacements propagate to long-lasting storage. If the replacement contains errors, an error + * response is returned for the first error encountered. Upon error, the replacement is cancelled, + * and existing [access levels] [google.identity.accesscontextmanager.v1.AccessLevel] are not + * affected. The Operation.response field contains ReplaceAccessLevelsResponse. 
Removing [access + * levels] [google.identity.accesscontextmanager.v1.AccessLevel] contained in existing [service + * perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] result in an error. * *

Sample code: * 
@@ -1716,17 +1722,16 @@ public final UnaryCallable deleteAccessLeve // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Replace all existing [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel] in - * an [Access Policy] [google.identity.accesscontextmanager.v1.AccessPolicy] with the [Access - * Levels] [google.identity.accesscontextmanager.v1.AccessLevel] provided. This is done - * atomically. The longrunning operation from this RPC will have a successful status once all - * replacements have propagated to long-lasting storage. Replacements containing errors will - * result in an error response for the first error encountered. Replacement will be cancelled on - * error, existing [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel] will not - * be affected. Operation.response field will contain ReplaceAccessLevelsResponse. Removing - * [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel] contained in existing - * [Service Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] will result in - * error. + * Replaces all existing [access levels] [google.identity.accesscontextmanager.v1.AccessLevel] in + * an [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy] with the [access + * levels] [google.identity.accesscontextmanager.v1.AccessLevel] provided. This is done + * atomically. The long-running operation from this RPC has a successful status after all + * replacements propagate to long-lasting storage. If the replacement contains errors, an error + * response is returned for the first error encountered. Upon error, the replacement is cancelled, + * and existing [access levels] [google.identity.accesscontextmanager.v1.AccessLevel] are not + * affected. The Operation.response field contains ReplaceAccessLevelsResponse. 
Removing [access + * levels] [google.identity.accesscontextmanager.v1.AccessLevel] contained in existing [service + * perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] result in an error. * *

Sample code: * 
@@ -1761,17 +1766,16 @@ public final UnaryCallable deleteAccessLeve // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Replace all existing [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel] in - * an [Access Policy] [google.identity.accesscontextmanager.v1.AccessPolicy] with the [Access - * Levels] [google.identity.accesscontextmanager.v1.AccessLevel] provided. This is done - * atomically. The longrunning operation from this RPC will have a successful status once all - * replacements have propagated to long-lasting storage. Replacements containing errors will - * result in an error response for the first error encountered. Replacement will be cancelled on - * error, existing [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel] will not - * be affected. Operation.response field will contain ReplaceAccessLevelsResponse. Removing - * [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel] contained in existing - * [Service Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] will result in - * error. + * Replaces all existing [access levels] [google.identity.accesscontextmanager.v1.AccessLevel] in + * an [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy] with the [access + * levels] [google.identity.accesscontextmanager.v1.AccessLevel] provided. This is done + * atomically. The long-running operation from this RPC has a successful status after all + * replacements propagate to long-lasting storage. If the replacement contains errors, an error + * response is returned for the first error encountered. Upon error, the replacement is cancelled, + * and existing [access levels] [google.identity.accesscontextmanager.v1.AccessLevel] are not + * affected. The Operation.response field contains ReplaceAccessLevelsResponse. 
Removing [access + * levels] [google.identity.accesscontextmanager.v1.AccessLevel] contained in existing [service + * perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] result in an error. * *

Sample code: * @@ -1802,8 +1806,8 @@ public final UnaryCallable replaceAccessL // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * List all [Service Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] for an - * access policy. + * Lists all [service perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] for + * an access policy. * *

Sample code: * @@ -1838,8 +1842,8 @@ public final ListServicePerimetersPagedResponse listServicePerimeters(AccessPoli // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * List all [Service Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] for an - * access policy. + * Lists all [service perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] for + * an access policy. * *

Sample code: * @@ -1872,8 +1876,8 @@ public final ListServicePerimetersPagedResponse listServicePerimeters(String par // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * List all [Service Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] for an - * access policy. + * Lists all [service perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] for + * an access policy. * *

Sample code: * @@ -1908,8 +1912,8 @@ public final ListServicePerimetersPagedResponse listServicePerimeters( // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * List all [Service Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] for an - * access policy. + * Lists all [service perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] for + * an access policy. * *

Sample code: * @@ -1943,8 +1947,8 @@ public final ListServicePerimetersPagedResponse listServicePerimeters( // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * List all [Service Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] for an - * access policy. + * Lists all [service perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] for + * an access policy. * *

Sample code: * @@ -1985,8 +1989,8 @@ public final ListServicePerimetersPagedResponse listServicePerimeters( // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Get a [Service Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] by - * resource name. + * Gets a [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] based on + * the resource name. * *

Sample code: * @@ -2018,8 +2022,8 @@ public final ServicePerimeter getServicePerimeter(ServicePerimeterName name) { // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Get a [Service Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] by - * resource name. + * Gets a [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] based on + * the resource name. * *

Sample code: * @@ -2049,8 +2053,8 @@ public final ServicePerimeter getServicePerimeter(String name) { // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Get a [Service Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] by - * resource name. + * Gets a [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] based on + * the resource name. * *

Sample code: * @@ -2079,8 +2083,8 @@ public final ServicePerimeter getServicePerimeter(GetServicePerimeterRequest req // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Get a [Service Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] by - * resource name. + * Gets a [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] based on + * the resource name. * *

Sample code: * @@ -2110,11 +2114,11 @@ public final ServicePerimeter getServicePerimeter(GetServicePerimeterRequest req // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Create a [Service Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter]. The - * longrunning operation from this RPC will have a successful status once the [Service Perimeter] - * [google.identity.accesscontextmanager.v1.ServicePerimeter] has propagated to long-lasting - * storage. [Service Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] - * containing errors will result in an error response for the first error encountered. + * Creates a [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter]. The + * long-running operation from this RPC has a successful status after the [service perimeter] + * [google.identity.accesscontextmanager.v1.ServicePerimeter] propagates to long-lasting storage. + * If a [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] contains + * errors, an error response is returned for the first error encountered. * *

Sample code: * @@ -2154,11 +2158,11 @@ public final ServicePerimeter getServicePerimeter(GetServicePerimeterRequest req // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Create a [Service Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter]. The - * longrunning operation from this RPC will have a successful status once the [Service Perimeter] - * [google.identity.accesscontextmanager.v1.ServicePerimeter] has propagated to long-lasting - * storage. [Service Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] - * containing errors will result in an error response for the first error encountered. + * Creates a [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter]. The + * long-running operation from this RPC has a successful status after the [service perimeter] + * [google.identity.accesscontextmanager.v1.ServicePerimeter] propagates to long-lasting storage. + * If a [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] contains + * errors, an error response is returned for the first error encountered. * *

Sample code: * @@ -2198,11 +2202,11 @@ public final ServicePerimeter getServicePerimeter(GetServicePerimeterRequest req // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Create a [Service Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter]. The - * longrunning operation from this RPC will have a successful status once the [Service Perimeter] - * [google.identity.accesscontextmanager.v1.ServicePerimeter] has propagated to long-lasting - * storage. [Service Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] - * containing errors will result in an error response for the first error encountered. + * Creates a [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter]. The + * long-running operation from this RPC has a successful status after the [service perimeter] + * [google.identity.accesscontextmanager.v1.ServicePerimeter] propagates to long-lasting storage. + * If a [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] contains + * errors, an error response is returned for the first error encountered. * *

Sample code: * @@ -2234,11 +2238,11 @@ public final ServicePerimeter getServicePerimeter(GetServicePerimeterRequest req // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Create a [Service Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter]. The - * longrunning operation from this RPC will have a successful status once the [Service Perimeter] - * [google.identity.accesscontextmanager.v1.ServicePerimeter] has propagated to long-lasting - * storage. [Service Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] - * containing errors will result in an error response for the first error encountered. + * Creates a [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter]. The + * long-running operation from this RPC has a successful status after the [service perimeter] + * [google.identity.accesscontextmanager.v1.ServicePerimeter] propagates to long-lasting storage. + * If a [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] contains + * errors, an error response is returned for the first error encountered. * *

Sample code: * @@ -2270,11 +2274,11 @@ public final ServicePerimeter getServicePerimeter(GetServicePerimeterRequest req // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Create a [Service Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter]. The - * longrunning operation from this RPC will have a successful status once the [Service Perimeter] - * [google.identity.accesscontextmanager.v1.ServicePerimeter] has propagated to long-lasting - * storage. [Service Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] - * containing errors will result in an error response for the first error encountered. + * Creates a [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter]. The + * long-running operation from this RPC has a successful status after the [service perimeter] + * [google.identity.accesscontextmanager.v1.ServicePerimeter] propagates to long-lasting storage. + * If a [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] contains + * errors, an error response is returned for the first error encountered. * *

Sample code: * @@ -2305,12 +2309,11 @@ public final ServicePerimeter getServicePerimeter(GetServicePerimeterRequest req // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Update a [Service Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter]. The - * longrunning operation from this RPC will have a successful status once the changes to the - * [Service Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] have propagated - * to long-lasting storage. [Service Perimeter] - * [google.identity.accesscontextmanager.v1.ServicePerimeter] containing errors will result in an - * error response for the first error encountered. + * Updates a [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter]. The + * long-running operation from this RPC has a successful status after the [service perimeter] + * [google.identity.accesscontextmanager.v1.ServicePerimeter] propagates to long-lasting storage. + * If a [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] contains + * errors, an error response is returned for the first error encountered. * *

Sample code: * @@ -2348,12 +2351,11 @@ public final ServicePerimeter getServicePerimeter(GetServicePerimeterRequest req // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Update a [Service Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter]. The - * longrunning operation from this RPC will have a successful status once the changes to the - * [Service Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] have propagated - * to long-lasting storage. [Service Perimeter] - * [google.identity.accesscontextmanager.v1.ServicePerimeter] containing errors will result in an - * error response for the first error encountered. + * Updates a [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter]. The + * long-running operation from this RPC has a successful status after the [service perimeter] + * [google.identity.accesscontextmanager.v1.ServicePerimeter] propagates to long-lasting storage. + * If a [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] contains + * errors, an error response is returned for the first error encountered. * *

Sample code: * @@ -2385,12 +2387,11 @@ public final ServicePerimeter getServicePerimeter(GetServicePerimeterRequest req // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Update a [Service Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter]. The - * longrunning operation from this RPC will have a successful status once the changes to the - * [Service Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] have propagated - * to long-lasting storage. [Service Perimeter] - * [google.identity.accesscontextmanager.v1.ServicePerimeter] containing errors will result in an - * error response for the first error encountered. + * Updates a [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter]. The + * long-running operation from this RPC has a successful status after the [service perimeter] + * [google.identity.accesscontextmanager.v1.ServicePerimeter] propagates to long-lasting storage. + * If a [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] contains + * errors, an error response is returned for the first error encountered. * *

Sample code: * @@ -2422,12 +2423,11 @@ public final ServicePerimeter getServicePerimeter(GetServicePerimeterRequest req // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Update a [Service Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter]. The - * longrunning operation from this RPC will have a successful status once the changes to the - * [Service Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] have propagated - * to long-lasting storage. [Service Perimeter] - * [google.identity.accesscontextmanager.v1.ServicePerimeter] containing errors will result in an - * error response for the first error encountered. + * Updates a [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter]. The + * long-running operation from this RPC has a successful status after the [service perimeter] + * [google.identity.accesscontextmanager.v1.ServicePerimeter] propagates to long-lasting storage. + * If a [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] contains + * errors, an error response is returned for the first error encountered. * *

Sample code: * @@ -2458,9 +2458,9 @@ public final ServicePerimeter getServicePerimeter(GetServicePerimeterRequest req // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Delete a [Service Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] by - * resource name. The longrunning operation from this RPC will have a successful status once the - * [Service Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] has been removed + * Deletes a [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] based + * on the resource name. The long-running operation from this RPC has a successful status after + * the [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] is removed * from long-lasting storage. * *

Sample code: @@ -2494,9 +2494,9 @@ public final ServicePerimeter getServicePerimeter(GetServicePerimeterRequest req // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Delete a [Service Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] by - * resource name. The longrunning operation from this RPC will have a successful status once the - * [Service Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] has been removed + * Deletes a [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] based + * on the resource name. The long-running operation from this RPC has a successful status after + * the [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] is removed * from long-lasting storage. * *

Sample code: @@ -2528,9 +2528,9 @@ public final ServicePerimeter getServicePerimeter(GetServicePerimeterRequest req // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Delete a [Service Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] by - * resource name. The longrunning operation from this RPC will have a successful status once the - * [Service Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] has been removed + * Deletes a [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] based + * on the resource name. The long-running operation from this RPC has a successful status after + * the [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] is removed * from long-lasting storage. * *

Sample code: @@ -2561,9 +2561,9 @@ public final ServicePerimeter getServicePerimeter(GetServicePerimeterRequest req // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Delete a [Service Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] by - * resource name. The longrunning operation from this RPC will have a successful status once the - * [Service Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] has been removed + * Deletes a [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] based + * on the resource name. The long-running operation from this RPC has a successful status after + * the [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] is removed * from long-lasting storage. * *

Sample code: @@ -2595,9 +2595,9 @@ public final ServicePerimeter getServicePerimeter(GetServicePerimeterRequest req // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Delete a [Service Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] by - * resource name. The longrunning operation from this RPC will have a successful status once the - * [Service Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] has been removed + * Deletes a [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] based + * on the resource name. The long-running operation from this RPC has a successful status after + * the [service perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] is removed * from long-lasting storage. * *

Sample code: @@ -2628,15 +2628,15 @@ public final ServicePerimeter getServicePerimeter(GetServicePerimeterRequest req // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Replace all existing [Service Perimeters] - * [google.identity.accesscontextmanager.v1.ServicePerimeter] in an [Access Policy] - * [google.identity.accesscontextmanager.v1.AccessPolicy] with the [Service Perimeters] + * Replace all existing [service perimeters] + * [google.identity.accesscontextmanager.v1.ServicePerimeter] in an [access policy] + * [google.identity.accesscontextmanager.v1.AccessPolicy] with the [service perimeters] * [google.identity.accesscontextmanager.v1.ServicePerimeter] provided. This is done atomically. - * The longrunning operation from this RPC will have a successful status once all replacements - * have propagated to long-lasting storage. Replacements containing errors will result in an error - * response for the first error encountered. Replacement will be cancelled on error, existing - * [Service Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] will not be - * affected. Operation.response field will contain ReplaceServicePerimetersResponse. + * The long-running operation from this RPC has a successful status after all replacements + * propagate to long-lasting storage. Replacements containing errors result in an error response + * for the first error encountered. Upon an error, replacement are cancelled and existing [service + * perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] are not affected. The + * Operation.response field contains ReplaceServicePerimetersResponse. * *

Sample code: * @@ -2670,15 +2670,15 @@ public final ServicePerimeter getServicePerimeter(GetServicePerimeterRequest req // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Replace all existing [Service Perimeters] - * [google.identity.accesscontextmanager.v1.ServicePerimeter] in an [Access Policy] - * [google.identity.accesscontextmanager.v1.AccessPolicy] with the [Service Perimeters] + * Replace all existing [service perimeters] + * [google.identity.accesscontextmanager.v1.ServicePerimeter] in an [access policy] + * [google.identity.accesscontextmanager.v1.AccessPolicy] with the [service perimeters] * [google.identity.accesscontextmanager.v1.ServicePerimeter] provided. This is done atomically. - * The longrunning operation from this RPC will have a successful status once all replacements - * have propagated to long-lasting storage. Replacements containing errors will result in an error - * response for the first error encountered. Replacement will be cancelled on error, existing - * [Service Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] will not be - * affected. Operation.response field will contain ReplaceServicePerimetersResponse. + * The long-running operation from this RPC has a successful status after all replacements + * propagate to long-lasting storage. Replacements containing errors result in an error response + * for the first error encountered. Upon an error, replacement are cancelled and existing [service + * perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] are not affected. The + * Operation.response field contains ReplaceServicePerimetersResponse. * *

Sample code: * @@ -2716,15 +2716,15 @@ public final ServicePerimeter getServicePerimeter(GetServicePerimeterRequest req // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Replace all existing [Service Perimeters] - * [google.identity.accesscontextmanager.v1.ServicePerimeter] in an [Access Policy] - * [google.identity.accesscontextmanager.v1.AccessPolicy] with the [Service Perimeters] + * Replace all existing [service perimeters] + * [google.identity.accesscontextmanager.v1.ServicePerimeter] in an [access policy] + * [google.identity.accesscontextmanager.v1.AccessPolicy] with the [service perimeters] * [google.identity.accesscontextmanager.v1.ServicePerimeter] provided. This is done atomically. - * The longrunning operation from this RPC will have a successful status once all replacements - * have propagated to long-lasting storage. Replacements containing errors will result in an error - * response for the first error encountered. Replacement will be cancelled on error, existing - * [Service Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] will not be - * affected. Operation.response field will contain ReplaceServicePerimetersResponse. + * The long-running operation from this RPC has a successful status after all replacements + * propagate to long-lasting storage. Replacements containing errors result in an error response + * for the first error encountered. Upon an error, replacement are cancelled and existing [service + * perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] are not affected. The + * Operation.response field contains ReplaceServicePerimetersResponse. * *

Sample code: * 
@@ -2756,18 +2756,18 @@ public final ServicePerimeter getServicePerimeter(GetServicePerimeterRequest req // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Commit the dry-run spec for all the [Service Perimeters] - * [google.identity.accesscontextmanager.v1.ServicePerimeter] in an [Access - * Policy][google.identity.accesscontextmanager.v1.AccessPolicy]. A commit operation on a Service - * Perimeter involves copying its `spec` field to that Service Perimeter's `status` field. Only - * [Service Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] with + * Commits the dry-run specification for all the [service perimeters] + * [google.identity.accesscontextmanager.v1.ServicePerimeter] in an [access + * policy][google.identity.accesscontextmanager.v1.AccessPolicy]. A commit operation on a service + * perimeter involves copying its `spec` field to the `status` field of the service perimeter. + * Only [service perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] with * `use_explicit_dry_run_spec` field set to true are affected by a commit operation. The - * longrunning operation from this RPC will have a successful status once the dry-run specs for - * all the [Service Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] have - * been committed. If a commit fails, it will cause the longrunning operation to return an error - * response and the entire commit operation will be cancelled. When successful, Operation.response - * field will contain CommitServicePerimetersResponse. The `dry_run` and the `spec` fields will be - * cleared after a successful commit operation. + * long-running operation from this RPC has a successful status after the dry-run specifications + * for all the [service perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] + * have been committed. If a commit fails, it causes the long-running operation to return an error + * response and the entire commit operation is cancelled. 
When successful, the Operation.response + * field contains CommitServicePerimetersResponse. The `dry_run` and the `spec` fields are cleared + * after a successful commit operation. * *

Sample code: * 
@@ -2800,18 +2800,18 @@ public final ServicePerimeter getServicePerimeter(GetServicePerimeterRequest req // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Commit the dry-run spec for all the [Service Perimeters] - * [google.identity.accesscontextmanager.v1.ServicePerimeter] in an [Access - * Policy][google.identity.accesscontextmanager.v1.AccessPolicy]. A commit operation on a Service - * Perimeter involves copying its `spec` field to that Service Perimeter's `status` field. Only - * [Service Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] with + * Commits the dry-run specification for all the [service perimeters] + * [google.identity.accesscontextmanager.v1.ServicePerimeter] in an [access + * policy][google.identity.accesscontextmanager.v1.AccessPolicy]. A commit operation on a service + * perimeter involves copying its `spec` field to the `status` field of the service perimeter. + * Only [service perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] with * `use_explicit_dry_run_spec` field set to true are affected by a commit operation. The - * longrunning operation from this RPC will have a successful status once the dry-run specs for - * all the [Service Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] have - * been committed. If a commit fails, it will cause the longrunning operation to return an error - * response and the entire commit operation will be cancelled. When successful, Operation.response - * field will contain CommitServicePerimetersResponse. The `dry_run` and the `spec` fields will be - * cleared after a successful commit operation. + * long-running operation from this RPC has a successful status after the dry-run specifications + * for all the [service perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] + * have been committed. If a commit fails, it causes the long-running operation to return an error + * response and the entire commit operation is cancelled. 
When successful, the Operation.response + * field contains CommitServicePerimetersResponse. The `dry_run` and the `spec` fields are cleared + * after a successful commit operation. * *

Sample code: * 
@@ -2848,18 +2848,18 @@ public final ServicePerimeter getServicePerimeter(GetServicePerimeterRequest req // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Commit the dry-run spec for all the [Service Perimeters] - * [google.identity.accesscontextmanager.v1.ServicePerimeter] in an [Access - * Policy][google.identity.accesscontextmanager.v1.AccessPolicy]. A commit operation on a Service - * Perimeter involves copying its `spec` field to that Service Perimeter's `status` field. Only - * [Service Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] with + * Commits the dry-run specification for all the [service perimeters] + * [google.identity.accesscontextmanager.v1.ServicePerimeter] in an [access + * policy][google.identity.accesscontextmanager.v1.AccessPolicy]. A commit operation on a service + * perimeter involves copying its `spec` field to the `status` field of the service perimeter. + * Only [service perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] with * `use_explicit_dry_run_spec` field set to true are affected by a commit operation. The - * longrunning operation from this RPC will have a successful status once the dry-run specs for - * all the [Service Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] have - * been committed. If a commit fails, it will cause the longrunning operation to return an error - * response and the entire commit operation will be cancelled. When successful, Operation.response - * field will contain CommitServicePerimetersResponse. The `dry_run` and the `spec` fields will be - * cleared after a successful commit operation. + * long-running operation from this RPC has a successful status after the dry-run specifications + * for all the [service perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] + * have been committed. If a commit fails, it causes the long-running operation to return an error + * response and the entire commit operation is cancelled. 
When successful, the Operation.response + * field contains CommitServicePerimetersResponse. The `dry_run` and the `spec` fields are cleared + * after a successful commit operation. * *

Sample code: * @@ -3201,8 +3201,8 @@ public final GcpUserAccessBinding getGcpUserAccessBinding( /** * Creates a [GcpUserAccessBinding] * [google.identity.accesscontextmanager.v1.GcpUserAccessBinding]. If the client specifies a - * [name] [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.name], the server will - * ignore it. Fails if a resource already exists with the same [group_key] + * [name] [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.name], the server ignores + * it. Fails if a resource already exists with the same [group_key] * [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.group_key]. Completion of this * long-running operation does not necessarily signify that the new binding is deployed onto all * affected users, which may take more time. @@ -3246,8 +3246,8 @@ public final GcpUserAccessBinding getGcpUserAccessBinding( /** * Creates a [GcpUserAccessBinding] * [google.identity.accesscontextmanager.v1.GcpUserAccessBinding]. If the client specifies a - * [name] [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.name], the server will - * ignore it. Fails if a resource already exists with the same [group_key] + * [name] [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.name], the server ignores + * it. Fails if a resource already exists with the same [group_key] * [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.group_key]. Completion of this * long-running operation does not necessarily signify that the new binding is deployed onto all * affected users, which may take more time. 
@@ -3290,8 +3290,8 @@ public final GcpUserAccessBinding getGcpUserAccessBinding( /** * Creates a [GcpUserAccessBinding] * [google.identity.accesscontextmanager.v1.GcpUserAccessBinding]. If the client specifies a - * [name] [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.name], the server will - * ignore it. Fails if a resource already exists with the same [group_key] + * [name] [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.name], the server ignores + * it. Fails if a resource already exists with the same [group_key] * [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.group_key]. Completion of this * long-running operation does not necessarily signify that the new binding is deployed onto all * affected users, which may take more time. @@ -3328,8 +3328,8 @@ public final GcpUserAccessBinding getGcpUserAccessBinding( /** * Creates a [GcpUserAccessBinding] * [google.identity.accesscontextmanager.v1.GcpUserAccessBinding]. If the client specifies a - * [name] [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.name], the server will - * ignore it. Fails if a resource already exists with the same [group_key] + * [name] [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.name], the server ignores + * it. Fails if a resource already exists with the same [group_key] * [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.group_key]. Completion of this * long-running operation does not necessarily signify that the new binding is deployed onto all * affected users, which may take more time. 
@@ -3370,8 +3370,8 @@ public final GcpUserAccessBinding getGcpUserAccessBinding( /** * Creates a [GcpUserAccessBinding] * [google.identity.accesscontextmanager.v1.GcpUserAccessBinding]. If the client specifies a - * [name] [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.name], the server will - * ignore it. Fails if a resource already exists with the same [group_key] + * [name] [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.name], the server ignores + * it. Fails if a resource already exists with the same [group_key] * [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.group_key]. Completion of this * long-running operation does not necessarily signify that the new binding is deployed onto all * affected users, which may take more time. @@ -3731,6 +3731,209 @@ public final GcpUserAccessBinding getGcpUserAccessBinding( return stub.deleteGcpUserAccessBindingCallable(); } + // AUTO-GENERATED DOCUMENTATION AND METHOD. + /** + * Sets the IAM policy for the specified Access Context Manager [access + * policy][google.identity.accesscontextmanager.v1.AccessPolicy]. This method replaces the + * existing IAM policy on the access policy. The IAM policy controls the set of users who can + * perform specific operations on the Access Context Manager [access + * policy][google.identity.accesscontextmanager.v1.AccessPolicy]. + * + *

Sample code: + * + *

{@code
+   * // This snippet has been automatically generated and should be regarded as a code template only.
+   * // It will require modifications to work:
+   * // - It may require correct/in-range values for request initialization.
+   * // - It may require specifying regional endpoints when creating the service client as shown in
+   * // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
+   * try (AccessContextManagerClient accessContextManagerClient =
+   *     AccessContextManagerClient.create()) {
+   *   SetIamPolicyRequest request =
+   *       SetIamPolicyRequest.newBuilder()
+   *           .setResource(AccessPolicyName.of("[ACCESS_POLICY]").toString())
+   *           .setPolicy(Policy.newBuilder().build())
+   *           .setUpdateMask(FieldMask.newBuilder().build())
+   *           .build();
+   *   Policy response = accessContextManagerClient.setIamPolicy(request);
+   * }
+   * }
+ * + * @param request The request object containing all of the parameters for the API call. + * @throws com.google.api.gax.rpc.ApiException if the remote call fails + */ + public final Policy setIamPolicy(SetIamPolicyRequest request) { + return setIamPolicyCallable().call(request); + } + + // AUTO-GENERATED DOCUMENTATION AND METHOD. + /** + * Sets the IAM policy for the specified Access Context Manager [access + * policy][google.identity.accesscontextmanager.v1.AccessPolicy]. This method replaces the + * existing IAM policy on the access policy. The IAM policy controls the set of users who can + * perform specific operations on the Access Context Manager [access + * policy][google.identity.accesscontextmanager.v1.AccessPolicy]. + * + *

Sample code: + * + *

{@code
+   * // This snippet has been automatically generated and should be regarded as a code template only.
+   * // It will require modifications to work:
+   * // - It may require correct/in-range values for request initialization.
+   * // - It may require specifying regional endpoints when creating the service client as shown in
+   * // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
+   * try (AccessContextManagerClient accessContextManagerClient =
+   *     AccessContextManagerClient.create()) {
+   *   SetIamPolicyRequest request =
+   *       SetIamPolicyRequest.newBuilder()
+   *           .setResource(AccessPolicyName.of("[ACCESS_POLICY]").toString())
+   *           .setPolicy(Policy.newBuilder().build())
+   *           .setUpdateMask(FieldMask.newBuilder().build())
+   *           .build();
+   *   ApiFuture future =
+   *       accessContextManagerClient.setIamPolicyCallable().futureCall(request);
+   *   // Do something.
+   *   Policy response = future.get();
+   * }
+   * }
+ */ + public final UnaryCallable setIamPolicyCallable() { + return stub.setIamPolicyCallable(); + } + + // AUTO-GENERATED DOCUMENTATION AND METHOD. + /** + * Gets the IAM policy for the specified Access Context Manager [access + * policy][google.identity.accesscontextmanager.v1.AccessPolicy]. + * + *

Sample code: + * + *

{@code
+   * // This snippet has been automatically generated and should be regarded as a code template only.
+   * // It will require modifications to work:
+   * // - It may require correct/in-range values for request initialization.
+   * // - It may require specifying regional endpoints when creating the service client as shown in
+   * // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
+   * try (AccessContextManagerClient accessContextManagerClient =
+   *     AccessContextManagerClient.create()) {
+   *   GetIamPolicyRequest request =
+   *       GetIamPolicyRequest.newBuilder()
+   *           .setResource(AccessPolicyName.of("[ACCESS_POLICY]").toString())
+   *           .setOptions(GetPolicyOptions.newBuilder().build())
+   *           .build();
+   *   Policy response = accessContextManagerClient.getIamPolicy(request);
+   * }
+   * }
+ * + * @param request The request object containing all of the parameters for the API call. + * @throws com.google.api.gax.rpc.ApiException if the remote call fails + */ + public final Policy getIamPolicy(GetIamPolicyRequest request) { + return getIamPolicyCallable().call(request); + } + + // AUTO-GENERATED DOCUMENTATION AND METHOD. + /** + * Gets the IAM policy for the specified Access Context Manager [access + * policy][google.identity.accesscontextmanager.v1.AccessPolicy]. + * + *

Sample code: + * + *

{@code
+   * // This snippet has been automatically generated and should be regarded as a code template only.
+   * // It will require modifications to work:
+   * // - It may require correct/in-range values for request initialization.
+   * // - It may require specifying regional endpoints when creating the service client as shown in
+   * // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
+   * try (AccessContextManagerClient accessContextManagerClient =
+   *     AccessContextManagerClient.create()) {
+   *   GetIamPolicyRequest request =
+   *       GetIamPolicyRequest.newBuilder()
+   *           .setResource(AccessPolicyName.of("[ACCESS_POLICY]").toString())
+   *           .setOptions(GetPolicyOptions.newBuilder().build())
+   *           .build();
+   *   ApiFuture future =
+   *       accessContextManagerClient.getIamPolicyCallable().futureCall(request);
+   *   // Do something.
+   *   Policy response = future.get();
+   * }
+   * }
+ */ + public final UnaryCallable getIamPolicyCallable() { + return stub.getIamPolicyCallable(); + } + + // AUTO-GENERATED DOCUMENTATION AND METHOD. + /** + * Returns the IAM permissions that the caller has on the specified Access Context Manager + * resource. The resource can be an + * [AccessPolicy][google.identity.accesscontextmanager.v1.AccessPolicy], + * [AccessLevel][google.identity.accesscontextmanager.v1.AccessLevel], or + * [ServicePerimeter][google.identity.accesscontextmanager.v1.ServicePerimeter ]. This method does + * not support other resources. + * + *

Sample code: + * + *

{@code
+   * // This snippet has been automatically generated and should be regarded as a code template only.
+   * // It will require modifications to work:
+   * // - It may require correct/in-range values for request initialization.
+   * // - It may require specifying regional endpoints when creating the service client as shown in
+   * // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
+   * try (AccessContextManagerClient accessContextManagerClient =
+   *     AccessContextManagerClient.create()) {
+   *   TestIamPermissionsRequest request =
+   *       TestIamPermissionsRequest.newBuilder()
+   *           .setResource(AccessLevelName.of("[ACCESS_POLICY]", "[ACCESS_LEVEL]").toString())
+   *           .addAllPermissions(new ArrayList())
+   *           .build();
+   *   TestIamPermissionsResponse response = accessContextManagerClient.testIamPermissions(request);
+   * }
+   * }
+ * + * @param request The request object containing all of the parameters for the API call. + * @throws com.google.api.gax.rpc.ApiException if the remote call fails + */ + public final TestIamPermissionsResponse testIamPermissions(TestIamPermissionsRequest request) { + return testIamPermissionsCallable().call(request); + } + + // AUTO-GENERATED DOCUMENTATION AND METHOD. + /** + * Returns the IAM permissions that the caller has on the specified Access Context Manager + * resource. The resource can be an + * [AccessPolicy][google.identity.accesscontextmanager.v1.AccessPolicy], + * [AccessLevel][google.identity.accesscontextmanager.v1.AccessLevel], or + * [ServicePerimeter][google.identity.accesscontextmanager.v1.ServicePerimeter ]. This method does + * not support other resources. + * + *

Sample code: + * + *

{@code
+   * // This snippet has been automatically generated and should be regarded as a code template only.
+   * // It will require modifications to work:
+   * // - It may require correct/in-range values for request initialization.
+   * // - It may require specifying regional endpoints when creating the service client as shown in
+   * // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
+   * try (AccessContextManagerClient accessContextManagerClient =
+   *     AccessContextManagerClient.create()) {
+   *   TestIamPermissionsRequest request =
+   *       TestIamPermissionsRequest.newBuilder()
+   *           .setResource(AccessLevelName.of("[ACCESS_POLICY]", "[ACCESS_LEVEL]").toString())
+   *           .addAllPermissions(new ArrayList())
+   *           .build();
+   *   ApiFuture future =
+   *       accessContextManagerClient.testIamPermissionsCallable().futureCall(request);
+   *   // Do something.
+   *   TestIamPermissionsResponse response = future.get();
+   * }
+   * }
+ */ + public final UnaryCallable + testIamPermissionsCallable() { + return stub.testIamPermissionsCallable(); + } + @Override public final void close() { stub.close(); diff --git a/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/AccessContextManagerSettings.java b/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/AccessContextManagerSettings.java index 6887fe888e0f..7aa5e18b4b66 100644 --- a/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/AccessContextManagerSettings.java +++ b/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/AccessContextManagerSettings.java @@ -34,6 +34,11 @@ import com.google.api.gax.rpc.PagedCallSettings; import com.google.api.gax.rpc.TransportChannelProvider; import com.google.api.gax.rpc.UnaryCallSettings; +import com.google.iam.v1.GetIamPolicyRequest; +import com.google.iam.v1.Policy; +import com.google.iam.v1.SetIamPolicyRequest; +import com.google.iam.v1.TestIamPermissionsRequest; +import com.google.iam.v1.TestIamPermissionsResponse; import com.google.identity.accesscontextmanager.v1.stub.AccessContextManagerStubSettings; import com.google.longrunning.Operation; import com.google.protobuf.Empty; 
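Review bot: The Javadoc sample added for `setIamPolicy(SetIamPolicyRequest)` fills the request with `Policy.newBuilder().build()` and an empty `FieldMask`, although the description directly above it says the call replaces the existing IAM policy on the access policy. A caller who keeps the template values would presumably submit an empty policy over the current bindings. The comment should say that the policy is meant to be read first and written back modified, for example `* <p>Read the current policy with getIamPolicy, change it, and send it back with its etag so that a concurrent update is not overwritten.` The same sample body is repeated for `setIamPolicyCallable()` in this hunk. The block is marked auto-generated, so the wording probably has to change in the generator input rather than in this file.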
@@ -354,6 +359,22 @@ public UnaryCallSettings replaceAccessLev .deleteGcpUserAccessBindingOperationSettings(); } + /** Returns the object with the settings used for calls to setIamPolicy. */ + public UnaryCallSettings setIamPolicySettings() { + return ((AccessContextManagerStubSettings) getStubSettings()).setIamPolicySettings(); + } + + /** Returns the object with the settings used for calls to getIamPolicy. */ + public UnaryCallSettings getIamPolicySettings() { + return ((AccessContextManagerStubSettings) getStubSettings()).getIamPolicySettings(); + } + + /** Returns the object with the settings used for calls to testIamPermissions. */ + public UnaryCallSettings + testIamPermissionsSettings() { + return ((AccessContextManagerStubSettings) getStubSettings()).testIamPermissionsSettings(); + } + public static final AccessContextManagerSettings create(AccessContextManagerStubSettings stub) throws IOException { return new AccessContextManagerSettings.Builder(stub.toBuilder()).build(); @@ -729,6 +750,22 @@ public UnaryCallSettings.Builder getAccessLe return getStubSettingsBuilder().deleteGcpUserAccessBindingOperationSettings(); } + /** Returns the builder for the settings used for calls to setIamPolicy. */ + public UnaryCallSettings.Builder setIamPolicySettings() { + return getStubSettingsBuilder().setIamPolicySettings(); + } + + /** Returns the builder for the settings used for calls to getIamPolicy. */ + public UnaryCallSettings.Builder getIamPolicySettings() { + return getStubSettingsBuilder().getIamPolicySettings(); + } + + /** Returns the builder for the settings used for calls to testIamPermissions. */ + public UnaryCallSettings.Builder + testIamPermissionsSettings() { + return getStubSettingsBuilder().testIamPermissionsSettings(); + } + @Override public AccessContextManagerSettings build() throws IOException { return new AccessContextManagerSettings(this); 
diff --git a/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/gapic_metadata.json b/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/gapic_metadata.json index df4097f5fe61..75666c10ba64 100644 --- a/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/gapic_metadata.json +++ b/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/gapic_metadata.json @@ -46,6 +46,9 @@ "GetGcpUserAccessBinding": { "methods": ["getGcpUserAccessBinding", "getGcpUserAccessBinding", "getGcpUserAccessBinding", "getGcpUserAccessBindingCallable"] }, + "GetIamPolicy": { + "methods": ["getIamPolicy", "getIamPolicyCallable"] + }, "GetServicePerimeter": { "methods": ["getServicePerimeter", "getServicePerimeter", "getServicePerimeter", "getServicePerimeterCallable"] }, @@ -67,6 +70,12 @@ "ReplaceServicePerimeters": { "methods": ["replaceServicePerimetersAsync", "replaceServicePerimetersOperationCallable", "replaceServicePerimetersCallable"] }, + "SetIamPolicy": { + "methods": ["setIamPolicy", "setIamPolicyCallable"] + }, + "TestIamPermissions": { + "methods": ["testIamPermissions", "testIamPermissionsCallable"] + }, "UpdateAccessLevel": { "methods": ["updateAccessLevelAsync", "updateAccessLevelAsync", "updateAccessLevelOperationCallable", "updateAccessLevelCallable"] }, diff --git a/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/package-info.java b/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/package-info.java index 8977537f2155..a7b9b2919edb 100644 
--- a/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/package-info.java +++ b/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/package-info.java @@ -15,16 +15,18 @@ */ /** - * The interfaces provided are listed below, along with usage samples. + * A client to Access Context Manager API + * + *

The interfaces provided are listed below, along with usage samples. * *

======================= AccessContextManagerClient ======================= * - *

Service Description: API for setting [Access Levels] - * [google.identity.accesscontextmanager.v1.AccessLevel] and [Service Perimeters] - * [google.identity.accesscontextmanager.v1.ServicePerimeter] for Google Cloud Projects. Each - * organization has one [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy] - * containing the [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel] and [Service - * Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter]. This [AccessPolicy] + *

Service Description: API for setting [access levels] + * [google.identity.accesscontextmanager.v1.AccessLevel] and [service perimeters] + * [google.identity.accesscontextmanager.v1.ServicePerimeter] for Google Cloud projects. Each + * organization has one [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy] that + * contains the [access levels] [google.identity.accesscontextmanager.v1.AccessLevel] and [service + * perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter]. This [access policy] * [google.identity.accesscontextmanager.v1.AccessPolicy] is applicable to all resources in the * organization. AccessPolicies * diff --git a/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/stub/AccessContextManagerStub.java b/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/stub/AccessContextManagerStub.java index 5ab449ae7541..454837097c49 100644 --- a/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/stub/AccessContextManagerStub.java +++ b/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/stub/AccessContextManagerStub.java @@ -24,6 +24,11 @@ import com.google.api.gax.core.BackgroundResource; import com.google.api.gax.rpc.OperationCallable; import com.google.api.gax.rpc.UnaryCallable; +import com.google.iam.v1.GetIamPolicyRequest; +import com.google.iam.v1.Policy; +import com.google.iam.v1.SetIamPolicyRequest; +import com.google.iam.v1.TestIamPermissionsRequest; +import com.google.iam.v1.TestIamPermissionsResponse; import com.google.identity.accesscontextmanager.v1.AccessContextManagerOperationMetadata; import com.google.identity.accesscontextmanager.v1.AccessLevel; import com.google.identity.accesscontextmanager.v1.AccessPolicy; 
@@ -320,6 +325,19 @@ public UnaryCallable deleteServicePeri "Not implemented: deleteGcpUserAccessBindingCallable()"); } + public UnaryCallable setIamPolicyCallable() { + throw new UnsupportedOperationException("Not implemented: setIamPolicyCallable()"); + } + + public UnaryCallable getIamPolicyCallable() { + throw new UnsupportedOperationException("Not implemented: getIamPolicyCallable()"); + } + + public UnaryCallable + testIamPermissionsCallable() { + throw new UnsupportedOperationException("Not implemented: testIamPermissionsCallable()"); + } + @Override public abstract void close(); } diff --git a/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/stub/AccessContextManagerStubSettings.java b/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/stub/AccessContextManagerStubSettings.java index 826adde0b486..df5c65278a1d 100644 --- a/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/stub/AccessContextManagerStubSettings.java +++ b/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/stub/AccessContextManagerStubSettings.java @@ -54,6 +54,11 @@ import com.google.common.collect.ImmutableMap; import com.google.common.collect.ImmutableSet; import com.google.common.collect.Lists; +import com.google.iam.v1.GetIamPolicyRequest; +import com.google.iam.v1.Policy; +import com.google.iam.v1.SetIamPolicyRequest; +import com.google.iam.v1.TestIamPermissionsRequest; +import com.google.iam.v1.TestIamPermissionsResponse; import com.google.identity.accesscontextmanager.v1.AccessContextManagerOperationMetadata; import com.google.identity.accesscontextmanager.v1.AccessLevel; import com.google.identity.accesscontextmanager.v1.AccessPolicy; 
@@ -243,6 +248,10 @@ public class AccessContextManagerStubSettings private final OperationCallSettings< DeleteGcpUserAccessBindingRequest, Empty, GcpUserAccessBindingOperationMetadata> deleteGcpUserAccessBindingOperationSettings; + private final UnaryCallSettings setIamPolicySettings; + private final UnaryCallSettings getIamPolicySettings; + private final UnaryCallSettings + testIamPermissionsSettings; private static final PagedListDescriptor< ListAccessPoliciesRequest, ListAccessPoliciesResponse, AccessPolicy> @@ -755,6 +764,22 @@ public UnaryCallSettings replaceAccessLev return deleteGcpUserAccessBindingOperationSettings; } + /** Returns the object with the settings used for calls to setIamPolicy. */ + public UnaryCallSettings setIamPolicySettings() { + return setIamPolicySettings; + } + + /** Returns the object with the settings used for calls to getIamPolicy. */ + public UnaryCallSettings getIamPolicySettings() { + return getIamPolicySettings; + } + + /** Returns the object with the settings used for calls to testIamPermissions. */ + public UnaryCallSettings + testIamPermissionsSettings() { + return testIamPermissionsSettings; + } + public AccessContextManagerStub createStub() throws IOException { if (getTransportChannelProvider() .getTransportName() @@ -917,6 +942,9 @@ protected AccessContextManagerStubSettings(Builder settingsBuilder) throws IOExc settingsBuilder.deleteGcpUserAccessBindingSettings().build(); deleteGcpUserAccessBindingOperationSettings = settingsBuilder.deleteGcpUserAccessBindingOperationSettings().build(); + setIamPolicySettings = settingsBuilder.setIamPolicySettings().build(); + getIamPolicySettings = settingsBuilder.getIamPolicySettings().build(); + testIamPermissionsSettings = settingsBuilder.testIamPermissionsSettings().build(); } /** Builder for AccessContextManagerStubSettings. */ 
@@ -1031,6 +1059,10 @@ public static class Builder private final OperationCallSettings.Builder< DeleteGcpUserAccessBindingRequest, Empty, GcpUserAccessBindingOperationMetadata> deleteGcpUserAccessBindingOperationSettings; + private final UnaryCallSettings.Builder setIamPolicySettings; + private final UnaryCallSettings.Builder getIamPolicySettings; + private final UnaryCallSettings.Builder + testIamPermissionsSettings; private static final ImmutableMap> RETRYABLE_CODE_DEFINITIONS; @@ -1105,6 +1137,9 @@ protected Builder(ClientContext clientContext) { updateGcpUserAccessBindingOperationSettings = OperationCallSettings.newBuilder(); deleteGcpUserAccessBindingSettings = UnaryCallSettings.newUnaryCallSettingsBuilder(); deleteGcpUserAccessBindingOperationSettings = OperationCallSettings.newBuilder(); + setIamPolicySettings = UnaryCallSettings.newUnaryCallSettingsBuilder(); + getIamPolicySettings = UnaryCallSettings.newUnaryCallSettingsBuilder(); + testIamPermissionsSettings = UnaryCallSettings.newUnaryCallSettingsBuilder(); unaryMethodSettingsBuilders = ImmutableList.>of( @@ -1130,7 +1165,10 @@ protected Builder(ClientContext clientContext) { getGcpUserAccessBindingSettings, createGcpUserAccessBindingSettings, updateGcpUserAccessBindingSettings, - deleteGcpUserAccessBindingSettings); + deleteGcpUserAccessBindingSettings, + setIamPolicySettings, + getIamPolicySettings, + testIamPermissionsSettings); initDefaults(this); } @@ -1187,6 +1225,9 @@ protected Builder(AccessContextManagerStubSettings settings) { deleteGcpUserAccessBindingSettings = settings.deleteGcpUserAccessBindingSettings.toBuilder(); deleteGcpUserAccessBindingOperationSettings = settings.deleteGcpUserAccessBindingOperationSettings.toBuilder(); + setIamPolicySettings = settings.setIamPolicySettings.toBuilder(); + getIamPolicySettings = settings.getIamPolicySettings.toBuilder(); + testIamPermissionsSettings = settings.testIamPermissionsSettings.toBuilder(); unaryMethodSettingsBuilders = ImmutableList.>of( 
@@ -1212,7 +1253,10 @@ protected Builder(AccessContextManagerStubSettings settings) { getGcpUserAccessBindingSettings, createGcpUserAccessBindingSettings, updateGcpUserAccessBindingSettings, - deleteGcpUserAccessBindingSettings); + deleteGcpUserAccessBindingSettings, + setIamPolicySettings, + getIamPolicySettings, + testIamPermissionsSettings); } private static Builder createDefault() { @@ -1357,6 +1401,21 @@ private static Builder initDefaults(Builder builder) { .setRetryableCodes(RETRYABLE_CODE_DEFINITIONS.get("no_retry_0_codes")) .setRetrySettings(RETRY_PARAM_DEFINITIONS.get("no_retry_0_params")); + builder + .setIamPolicySettings() + .setRetryableCodes(RETRYABLE_CODE_DEFINITIONS.get("no_retry_0_codes")) + .setRetrySettings(RETRY_PARAM_DEFINITIONS.get("no_retry_0_params")); + + builder + .getIamPolicySettings() + .setRetryableCodes(RETRYABLE_CODE_DEFINITIONS.get("no_retry_0_codes")) + .setRetrySettings(RETRY_PARAM_DEFINITIONS.get("no_retry_0_params")); + + builder + .testIamPermissionsSettings() + .setRetryableCodes(RETRYABLE_CODE_DEFINITIONS.get("no_retry_0_codes")) + .setRetrySettings(RETRY_PARAM_DEFINITIONS.get("no_retry_0_params")); + builder .createAccessPolicyOperationSettings() .setInitialCallSettings( 
@@ -2044,6 +2103,22 @@ public UnaryCallSettings.Builder getAccessLe return deleteGcpUserAccessBindingOperationSettings; } + /** Returns the builder for the settings used for calls to setIamPolicy. */ + public UnaryCallSettings.Builder setIamPolicySettings() { + return setIamPolicySettings; + } + + /** Returns the builder for the settings used for calls to getIamPolicy. */ + public UnaryCallSettings.Builder getIamPolicySettings() { + return getIamPolicySettings; + } + + /** Returns the builder for the settings used for calls to testIamPermissions. */ + public UnaryCallSettings.Builder + testIamPermissionsSettings() { + return testIamPermissionsSettings; + } + @Override public AccessContextManagerStubSettings build() throws IOException { return new AccessContextManagerStubSettings(this); diff --git a/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/stub/GrpcAccessContextManagerStub.java b/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/stub/GrpcAccessContextManagerStub.java index 755160a1172f..b1a5a2491406 100644 --- a/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/stub/GrpcAccessContextManagerStub.java +++ b/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/stub/GrpcAccessContextManagerStub.java 
@@ -29,6 +29,11 @@ import com.google.api.gax.rpc.OperationCallable; import com.google.api.gax.rpc.UnaryCallable; import com.google.common.collect.ImmutableMap; +import com.google.iam.v1.GetIamPolicyRequest; +import com.google.iam.v1.Policy; +import com.google.iam.v1.SetIamPolicyRequest; +import com.google.iam.v1.TestIamPermissionsRequest; +import com.google.iam.v1.TestIamPermissionsResponse; import com.google.identity.accesscontextmanager.v1.AccessContextManagerOperationMetadata; import com.google.identity.accesscontextmanager.v1.AccessLevel; import com.google.identity.accesscontextmanager.v1.AccessPolicy; 
@@ -340,6 +345,36 @@ public class GrpcAccessContextManagerStub extends AccessContextManagerStub { .setResponseMarshaller(ProtoUtils.marshaller(Operation.getDefaultInstance())) .build(); + private static final MethodDescriptor setIamPolicyMethodDescriptor = + MethodDescriptor.newBuilder() + .setType(MethodDescriptor.MethodType.UNARY) + .setFullMethodName( + "google.identity.accesscontextmanager.v1.AccessContextManager/SetIamPolicy") + .setRequestMarshaller(ProtoUtils.marshaller(SetIamPolicyRequest.getDefaultInstance())) + .setResponseMarshaller(ProtoUtils.marshaller(Policy.getDefaultInstance())) + .build(); + + private static final MethodDescriptor getIamPolicyMethodDescriptor = + MethodDescriptor.newBuilder() + .setType(MethodDescriptor.MethodType.UNARY) + .setFullMethodName( + "google.identity.accesscontextmanager.v1.AccessContextManager/GetIamPolicy") + .setRequestMarshaller(ProtoUtils.marshaller(GetIamPolicyRequest.getDefaultInstance())) + .setResponseMarshaller(ProtoUtils.marshaller(Policy.getDefaultInstance())) + .build(); + + private static final MethodDescriptor + testIamPermissionsMethodDescriptor = + MethodDescriptor.newBuilder() + .setType(MethodDescriptor.MethodType.UNARY) + .setFullMethodName( + "google.identity.accesscontextmanager.v1.AccessContextManager/TestIamPermissions") + .setRequestMarshaller( + ProtoUtils.marshaller(TestIamPermissionsRequest.getDefaultInstance())) + .setResponseMarshaller( + ProtoUtils.marshaller(TestIamPermissionsResponse.getDefaultInstance())) + .build(); + private final UnaryCallable listAccessPoliciesCallable; private final UnaryCallable 
@@ -440,6 +475,10 @@ public class GrpcAccessContextManagerStub extends AccessContextManagerStub { private final OperationCallable< DeleteGcpUserAccessBindingRequest, Empty, GcpUserAccessBindingOperationMetadata> deleteGcpUserAccessBindingOperationCallable; + private final UnaryCallable setIamPolicyCallable; + private final UnaryCallable getIamPolicyCallable; + private final UnaryCallable + testIamPermissionsCallable; private final BackgroundResource backgroundResources; private final GrpcOperationsStub operationsStub; @@ -724,6 +763,37 @@ protected GrpcAccessContextManagerStub( return params.build(); }) .build(); + GrpcCallSettings setIamPolicyTransportSettings = + GrpcCallSettings.newBuilder() + .setMethodDescriptor(setIamPolicyMethodDescriptor) + .setParamsExtractor( + request -> { + ImmutableMap.Builder params = ImmutableMap.builder(); + params.put("resource", String.valueOf(request.getResource())); + return params.build(); + }) + .build(); + GrpcCallSettings getIamPolicyTransportSettings = + GrpcCallSettings.newBuilder() + .setMethodDescriptor(getIamPolicyMethodDescriptor) + .setParamsExtractor( + request -> { + ImmutableMap.Builder params = ImmutableMap.builder(); + params.put("resource", String.valueOf(request.getResource())); + return params.build(); + }) + .build(); + GrpcCallSettings + testIamPermissionsTransportSettings = + GrpcCallSettings.newBuilder() + .setMethodDescriptor(testIamPermissionsMethodDescriptor) + .setParamsExtractor( + request -> { + ImmutableMap.Builder params = ImmutableMap.builder(); + params.put("resource", String.valueOf(request.getResource())); + return params.build(); + }) + .build(); this.listAccessPoliciesCallable = callableFactory.createUnaryCallable( 
@@ -942,6 +1012,17 @@ protected GrpcAccessContextManagerStub( settings.deleteGcpUserAccessBindingOperationSettings(), clientContext, operationsStub); + this.setIamPolicyCallable = + callableFactory.createUnaryCallable( + setIamPolicyTransportSettings, settings.setIamPolicySettings(), clientContext); + this.getIamPolicyCallable = + callableFactory.createUnaryCallable( + getIamPolicyTransportSettings, settings.getIamPolicySettings(), clientContext); + this.testIamPermissionsCallable = + callableFactory.createUnaryCallable( + testIamPermissionsTransportSettings, + settings.testIamPermissionsSettings(), + clientContext); this.backgroundResources = new BackgroundResourceAggregation(clientContext.getBackgroundResources()); @@ -1212,6 +1293,22 @@ public UnaryCallable deleteServicePeri return deleteGcpUserAccessBindingOperationCallable; } + @Override + public UnaryCallable setIamPolicyCallable() { + return setIamPolicyCallable; + } + + @Override + public UnaryCallable getIamPolicyCallable() { + return getIamPolicyCallable; + } + + @Override + public UnaryCallable + testIamPermissionsCallable() { + return testIamPermissionsCallable; + } + @Override public final void close() { try { diff --git a/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/stub/HttpJsonAccessContextManagerStub.java b/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/stub/HttpJsonAccessContextManagerStub.java index 14b6ac3e9773..ea9424488ff8 100644 --- a/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/stub/HttpJsonAccessContextManagerStub.java +++ b/java-accesscontextmanager/google-identity-accesscontextmanager/src/main/java/com/google/identity/accesscontextmanager/v1/stub/HttpJsonAccessContextManagerStub.java 
@@ -36,6 +36,11 @@ import com.google.api.gax.rpc.ClientContext; import com.google.api.gax.rpc.OperationCallable; import com.google.api.gax.rpc.UnaryCallable; +import com.google.iam.v1.GetIamPolicyRequest; +import com.google.iam.v1.Policy; +import com.google.iam.v1.SetIamPolicyRequest; +import com.google.iam.v1.TestIamPermissionsRequest; +import com.google.iam.v1.TestIamPermissionsResponse; import com.google.identity.accesscontextmanager.v1.AccessContextManagerOperationMetadata; import com.google.identity.accesscontextmanager.v1.AccessLevel; import com.google.identity.accesscontextmanager.v1.AccessPolicy; 
@@ -998,6 +1003,120 @@ public class HttpJsonAccessContextManagerStub extends AccessContextManagerStub { HttpJsonOperationSnapshot.create(response)) .build(); + private static final ApiMethodDescriptor + setIamPolicyMethodDescriptor = + ApiMethodDescriptor.newBuilder() + .setFullMethodName( + "google.identity.accesscontextmanager.v1.AccessContextManager/SetIamPolicy") + .setHttpMethod("POST") + .setType(ApiMethodDescriptor.MethodType.UNARY) + .setRequestFormatter( + ProtoMessageRequestFormatter.newBuilder() + .setPath( + "/v1/{resource=accessPolicies/*}:setIamPolicy", + request -> { + Map fields = new HashMap<>(); + ProtoRestSerializer serializer = + ProtoRestSerializer.create(); + serializer.putPathParam(fields, "resource", request.getResource()); + return fields; + }) + .setQueryParamsExtractor( + request -> { + Map> fields = new HashMap<>(); + ProtoRestSerializer serializer = + ProtoRestSerializer.create(); + return fields; + }) + .setRequestBodyExtractor( + request -> + ProtoRestSerializer.create() + .toBody("*", request.toBuilder().clearResource().build(), false)) + .build()) + .setResponseParser( + ProtoMessageResponseParser.newBuilder() + .setDefaultInstance(Policy.getDefaultInstance()) + .setDefaultTypeRegistry(typeRegistry) + .build()) + .build(); + + private static final ApiMethodDescriptor + getIamPolicyMethodDescriptor = + ApiMethodDescriptor.newBuilder() + .setFullMethodName( + "google.identity.accesscontextmanager.v1.AccessContextManager/GetIamPolicy") + .setHttpMethod("POST") + .setType(ApiMethodDescriptor.MethodType.UNARY) + .setRequestFormatter( + ProtoMessageRequestFormatter.newBuilder() + .setPath( + "/v1/{resource=accessPolicies/*}:getIamPolicy", + request -> { + Map fields = new HashMap<>(); + ProtoRestSerializer serializer = + ProtoRestSerializer.create(); + serializer.putPathParam(fields, "resource", request.getResource()); + return fields; + }) + .setQueryParamsExtractor( + request -> { + Map> fields = new HashMap<>(); + ProtoRestSerializer 
serializer = + ProtoRestSerializer.create(); + return fields; + }) + .setRequestBodyExtractor( + request -> + ProtoRestSerializer.create() + .toBody("*", request.toBuilder().clearResource().build(), false)) + .build()) + .setResponseParser( + ProtoMessageResponseParser.newBuilder() + .setDefaultInstance(Policy.getDefaultInstance()) + .setDefaultTypeRegistry(typeRegistry) + .build()) + .build(); + + private static final ApiMethodDescriptor + testIamPermissionsMethodDescriptor = + ApiMethodDescriptor.newBuilder() + .setFullMethodName( + "google.identity.accesscontextmanager.v1.AccessContextManager/TestIamPermissions") + .setHttpMethod("POST") + .setType(ApiMethodDescriptor.MethodType.UNARY) + .setRequestFormatter( + ProtoMessageRequestFormatter.newBuilder() + .setPath( + "/v1/{resource=accessPolicies/*}:testIamPermissions", + request -> { + Map fields = new HashMap<>(); + ProtoRestSerializer serializer = + ProtoRestSerializer.create(); + serializer.putPathParam(fields, "resource", request.getResource()); + return fields; + }) + .setAdditionalPaths( + "/v1/{resource=accessPolicies/*/accessLevels/*}:testIamPermissions", + "/v1/{resource=accessPolicies/*/servicePerimeters/*}:testIamPermissions") + .setQueryParamsExtractor( + request -> { + Map> fields = new HashMap<>(); + ProtoRestSerializer serializer = + ProtoRestSerializer.create(); + return fields; + }) + .setRequestBodyExtractor( + request -> + ProtoRestSerializer.create() + .toBody("*", request.toBuilder().clearResource().build(), false)) + .build()) + .setResponseParser( + ProtoMessageResponseParser.newBuilder() + .setDefaultInstance(TestIamPermissionsResponse.getDefaultInstance()) + .setDefaultTypeRegistry(typeRegistry) + .build()) + .build(); + private final UnaryCallable listAccessPoliciesCallable; private final UnaryCallable 
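Review bot: The REST bindings for `setIamPolicy` and `getIamPolicy` accept only `/v1/{resource=accessPolicies/*}`, while `testIamPermissions` also lists `accessLevels/*` and `servicePerimeters/*` under `setAdditionalPaths`, and nothing in the descriptors documents the difference. A caller who passes an access-level or perimeter name to the two policy calls over HTTP/JSON may be rejected or mis-routed at path matching, so a short comment above `setIamPolicyMethodDescriptor` and `getIamPolicyMethodDescriptor` would help: `// REST binding: accessPolicies/* only; sub-resources are valid for testIamPermissions alone.` Separately, the `serializer` local in each `setQueryParamsExtractor` lambda is created and never used, so it could be dropped. If this file is generated, both changes belong in the generator template rather than here.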
@@ -1098,6 +1217,10 @@ public class HttpJsonAccessContextManagerStub extends AccessContextManagerStub { private final OperationCallable< DeleteGcpUserAccessBindingRequest, Empty, GcpUserAccessBindingOperationMetadata> deleteGcpUserAccessBindingOperationCallable; + private final UnaryCallable setIamPolicyCallable; + private final UnaryCallable getIamPolicyCallable; + private final UnaryCallable + testIamPermissionsCallable; private final BackgroundResource backgroundResources; private final HttpJsonOperationsStub httpJsonOperationsStub; @@ -1278,6 +1401,22 @@ protected HttpJsonAccessContextManagerStub( .setMethodDescriptor(deleteGcpUserAccessBindingMethodDescriptor) .setTypeRegistry(typeRegistry) .build(); + HttpJsonCallSettings setIamPolicyTransportSettings = + HttpJsonCallSettings.newBuilder() + .setMethodDescriptor(setIamPolicyMethodDescriptor) + .setTypeRegistry(typeRegistry) + .build(); + HttpJsonCallSettings getIamPolicyTransportSettings = + HttpJsonCallSettings.newBuilder() + .setMethodDescriptor(getIamPolicyMethodDescriptor) + .setTypeRegistry(typeRegistry) + .build(); + HttpJsonCallSettings + testIamPermissionsTransportSettings = + HttpJsonCallSettings.newBuilder() + .setMethodDescriptor(testIamPermissionsMethodDescriptor) + .setTypeRegistry(typeRegistry) + .build(); this.listAccessPoliciesCallable = callableFactory.createUnaryCallable( 
@@ -1496,6 +1635,17 @@ protected HttpJsonAccessContextManagerStub( settings.deleteGcpUserAccessBindingOperationSettings(), clientContext, httpJsonOperationsStub); + this.setIamPolicyCallable = + callableFactory.createUnaryCallable( + setIamPolicyTransportSettings, settings.setIamPolicySettings(), clientContext); + this.getIamPolicyCallable = + callableFactory.createUnaryCallable( + getIamPolicyTransportSettings, settings.getIamPolicySettings(), clientContext); + this.testIamPermissionsCallable = + callableFactory.createUnaryCallable( + testIamPermissionsTransportSettings, + settings.testIamPermissionsSettings(), + clientContext); this.backgroundResources = new BackgroundResourceAggregation(clientContext.getBackgroundResources()); @@ -1527,6 +1677,9 @@ public static List getMethodDescriptors() { methodDescriptors.add(createGcpUserAccessBindingMethodDescriptor); methodDescriptors.add(updateGcpUserAccessBindingMethodDescriptor); methodDescriptors.add(deleteGcpUserAccessBindingMethodDescriptor); + methodDescriptors.add(setIamPolicyMethodDescriptor); + methodDescriptors.add(getIamPolicyMethodDescriptor); + methodDescriptors.add(testIamPermissionsMethodDescriptor); return methodDescriptors; } @@ -1795,6 +1948,22 @@ public UnaryCallable deleteServicePeri return deleteGcpUserAccessBindingOperationCallable; } + @Override + public UnaryCallable setIamPolicyCallable() { + return setIamPolicyCallable; + } + + @Override + public UnaryCallable getIamPolicyCallable() { + return getIamPolicyCallable; + } + + @Override + public UnaryCallable + testIamPermissionsCallable() { + return testIamPermissionsCallable; + } + @Override public final void close() { try { 
diff --git a/java-accesscontextmanager/google-identity-accesscontextmanager/src/test/java/com/google/identity/accesscontextmanager/v1/AccessContextManagerClientHttpJsonTest.java b/java-accesscontextmanager/google-identity-accesscontextmanager/src/test/java/com/google/identity/accesscontextmanager/v1/AccessContextManagerClientHttpJsonTest.java index b126b10e01e1..aa4ece58b995 100644 --- a/java-accesscontextmanager/google-identity-accesscontextmanager/src/test/java/com/google/identity/accesscontextmanager/v1/AccessContextManagerClientHttpJsonTest.java +++ b/java-accesscontextmanager/google-identity-accesscontextmanager/src/test/java/com/google/identity/accesscontextmanager/v1/AccessContextManagerClientHttpJsonTest.java @@ -31,9 +31,18 @@ import com.google.api.gax.rpc.StatusCode; import com.google.api.gax.rpc.testing.FakeStatusCode; import com.google.common.collect.Lists; +import com.google.iam.v1.AuditConfig; +import com.google.iam.v1.Binding; +import com.google.iam.v1.GetIamPolicyRequest; +import com.google.iam.v1.GetPolicyOptions; +import com.google.iam.v1.Policy; +import com.google.iam.v1.SetIamPolicyRequest; +import com.google.iam.v1.TestIamPermissionsRequest; +import com.google.iam.v1.TestIamPermissionsResponse; import com.google.identity.accesscontextmanager.v1.stub.HttpJsonAccessContextManagerStub; import com.google.longrunning.Operation; import com.google.protobuf.Any; +import com.google.protobuf.ByteString; import com.google.protobuf.Empty; import com.google.protobuf.FieldMask; import com.google.protobuf.Timestamp; @@ -152,6 +161,7 @@ public void getAccessPolicyTest() throws Exception { .setName(AccessPolicyName.of("[ACCESS_POLICY]").toString()) .setParent("parent-995424086") .setTitle("title110371416") + .addAllScopes(new ArrayList()) .setCreateTime(Timestamp.newBuilder().build()) .setUpdateTime(Timestamp.newBuilder().build()) .setEtag("etag3123477") 
@@ -201,6 +211,7 @@ public void getAccessPolicyTest2() throws Exception { .setName(AccessPolicyName.of("[ACCESS_POLICY]").toString()) .setParent("parent-995424086") .setTitle("title110371416") + .addAllScopes(new ArrayList()) .setCreateTime(Timestamp.newBuilder().build()) .setUpdateTime(Timestamp.newBuilder().build()) .setEtag("etag3123477") @@ -250,6 +261,7 @@ public void createAccessPolicyTest() throws Exception { .setName(AccessPolicyName.of("[ACCESS_POLICY]").toString()) .setParent("parent-995424086") .setTitle("title110371416") + .addAllScopes(new ArrayList()) .setCreateTime(Timestamp.newBuilder().build()) .setUpdateTime(Timestamp.newBuilder().build()) .setEtag("etag3123477") @@ -267,6 +279,7 @@ public void createAccessPolicyTest() throws Exception { .setName(AccessPolicyName.of("[ACCESS_POLICY]").toString()) .setParent("parent-995424086") .setTitle("title110371416") + .addAllScopes(new ArrayList()) .setCreateTime(Timestamp.newBuilder().build()) .setUpdateTime(Timestamp.newBuilder().build()) .setEtag("etag3123477") @@ -303,6 +316,7 @@ public void createAccessPolicyExceptionTest() throws Exception { .setName(AccessPolicyName.of("[ACCESS_POLICY]").toString()) .setParent("parent-995424086") .setTitle("title110371416") + .addAllScopes(new ArrayList()) .setCreateTime(Timestamp.newBuilder().build()) .setUpdateTime(Timestamp.newBuilder().build()) .setEtag("etag3123477") @@ -320,6 +334,7 @@ public void updateAccessPolicyTest() throws Exception { .setName(AccessPolicyName.of("[ACCESS_POLICY]").toString()) .setParent("parent-995424086") .setTitle("title110371416") + .addAllScopes(new ArrayList()) .setCreateTime(Timestamp.newBuilder().build()) .setUpdateTime(Timestamp.newBuilder().build()) .setEtag("etag3123477") 
@@ -337,6 +352,7 @@ public void updateAccessPolicyTest() throws Exception { .setName(AccessPolicyName.of("[ACCESS_POLICY]").toString()) .setParent("parent-995424086") .setTitle("title110371416") + .addAllScopes(new ArrayList()) .setCreateTime(Timestamp.newBuilder().build()) .setUpdateTime(Timestamp.newBuilder().build()) .setEtag("etag3123477") @@ -374,6 +390,7 @@ public void updateAccessPolicyExceptionTest() throws Exception { .setName(AccessPolicyName.of("[ACCESS_POLICY]").toString()) .setParent("parent-995424086") .setTitle("title110371416") + .addAllScopes(new ArrayList()) .setCreateTime(Timestamp.newBuilder().build()) .setUpdateTime(Timestamp.newBuilder().build()) .setEtag("etag3123477") 
@@ -2081,4 +2098,166 @@ public void deleteGcpUserAccessBindingExceptionTest2() throws Exception { } catch (ExecutionException e) { } } + + @Test + public void setIamPolicyTest() throws Exception { + Policy expectedResponse = + Policy.newBuilder() + .setVersion(351608024) + .addAllBindings(new ArrayList()) + .addAllAuditConfigs(new ArrayList()) + .setEtag(ByteString.EMPTY) + .build(); + mockService.addResponse(expectedResponse); + + SetIamPolicyRequest request = + SetIamPolicyRequest.newBuilder() + .setResource(AccessPolicyName.of("[ACCESS_POLICY]").toString()) + .setPolicy(Policy.newBuilder().build()) + .setUpdateMask(FieldMask.newBuilder().build()) + .build(); + + Policy actualResponse = client.setIamPolicy(request); + Assert.assertEquals(expectedResponse, actualResponse); + + List actualRequests = mockService.getRequestPaths(); + Assert.assertEquals(1, actualRequests.size()); + + String apiClientHeaderKey = + mockService + .getRequestHeaders() + .get(ApiClientHeaderProvider.getDefaultApiClientHeaderKey()) + .iterator() + .next(); + Assert.assertTrue( + GaxHttpJsonProperties.getDefaultApiClientHeaderPattern() + .matcher(apiClientHeaderKey) + .matches()); + } + + @Test + public void setIamPolicyExceptionTest() throws Exception { + ApiException exception = + ApiExceptionFactory.createException( + new Exception(), FakeStatusCode.of(StatusCode.Code.INVALID_ARGUMENT), false); + mockService.addException(exception); + + try { + SetIamPolicyRequest request = + SetIamPolicyRequest.newBuilder() + .setResource(AccessPolicyName.of("[ACCESS_POLICY]").toString()) + .setPolicy(Policy.newBuilder().build()) + .setUpdateMask(FieldMask.newBuilder().build()) + .build(); + client.setIamPolicy(request); + Assert.fail("No exception raised"); + } catch (InvalidArgumentException e) { + // Expected exception. 
+ } + } + + @Test + public void getIamPolicyTest() throws Exception { + Policy expectedResponse = + Policy.newBuilder() + .setVersion(351608024) + .addAllBindings(new ArrayList()) + .addAllAuditConfigs(new ArrayList()) + .setEtag(ByteString.EMPTY) + .build(); + mockService.addResponse(expectedResponse); + + GetIamPolicyRequest request = + GetIamPolicyRequest.newBuilder() + .setResource(AccessPolicyName.of("[ACCESS_POLICY]").toString()) + .setOptions(GetPolicyOptions.newBuilder().build()) + .build(); + + Policy actualResponse = client.getIamPolicy(request); + Assert.assertEquals(expectedResponse, actualResponse); + + List actualRequests = mockService.getRequestPaths(); + Assert.assertEquals(1, actualRequests.size()); + + String apiClientHeaderKey = + mockService + .getRequestHeaders() + .get(ApiClientHeaderProvider.getDefaultApiClientHeaderKey()) + .iterator() + .next(); + Assert.assertTrue( + GaxHttpJsonProperties.getDefaultApiClientHeaderPattern() + .matcher(apiClientHeaderKey) + .matches()); + } + + @Test + public void getIamPolicyExceptionTest() throws Exception { + ApiException exception = + ApiExceptionFactory.createException( + new Exception(), FakeStatusCode.of(StatusCode.Code.INVALID_ARGUMENT), false); + mockService.addException(exception); + + try { + GetIamPolicyRequest request = + GetIamPolicyRequest.newBuilder() + .setResource(AccessPolicyName.of("[ACCESS_POLICY]").toString()) + .setOptions(GetPolicyOptions.newBuilder().build()) + .build(); + client.getIamPolicy(request); + Assert.fail("No exception raised"); + } catch (InvalidArgumentException e) { + // Expected exception. 
+ } + } + + @Test + public void testIamPermissionsTest() throws Exception { + TestIamPermissionsResponse expectedResponse = + TestIamPermissionsResponse.newBuilder().addAllPermissions(new ArrayList()).build(); + mockService.addResponse(expectedResponse); + + TestIamPermissionsRequest request = + TestIamPermissionsRequest.newBuilder() + .setResource(AccessLevelName.of("[ACCESS_POLICY]", "[ACCESS_LEVEL]").toString()) + .addAllPermissions(new ArrayList()) + .build(); + + TestIamPermissionsResponse actualResponse = client.testIamPermissions(request); + Assert.assertEquals(expectedResponse, actualResponse); + + List actualRequests = mockService.getRequestPaths(); + Assert.assertEquals(1, actualRequests.size()); + + String apiClientHeaderKey = + mockService + .getRequestHeaders() + .get(ApiClientHeaderProvider.getDefaultApiClientHeaderKey()) + .iterator() + .next(); + Assert.assertTrue( + GaxHttpJsonProperties.getDefaultApiClientHeaderPattern() + .matcher(apiClientHeaderKey) + .matches()); + } + + @Test + public void testIamPermissionsExceptionTest() throws Exception { + ApiException exception = + ApiExceptionFactory.createException( + new Exception(), FakeStatusCode.of(StatusCode.Code.INVALID_ARGUMENT), false); + mockService.addException(exception); + + try { + TestIamPermissionsRequest request = + TestIamPermissionsRequest.newBuilder() + .setResource(AccessLevelName.of("[ACCESS_POLICY]", "[ACCESS_LEVEL]").toString()) + .addAllPermissions(new ArrayList()) + .build(); + client.testIamPermissions(request); + Assert.fail("No exception raised"); + } catch (InvalidArgumentException e) { + // Expected exception. + } + } } 
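Review bot: The added HTTP/JSON tests (`setIamPolicyTest`, `getIamPolicyTest`, `testIamPermissionsTest`) assert only that one request was sent and that the client header matches; they never check where the request went or what it carried. For calls that read and replace an IAM policy, this leaves the `resource`-to-path binding and the `clearResource()` body untested, whereas the gRPC `setIamPolicyTest` in this commit compares `getResource()`, `getPolicy()` and `getUpdateMask()` against the sent request. At minimum I would assert on the recorded path, for example `Assert.assertTrue(actualRequests.get(0).contains(":setIamPolicy"));`, with the matching suffix in the other two tests. This assumes `getRequestPaths()` returns the paths as strings, and the exact form the mock records should be confirmed first.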
diff --git a/java-accesscontextmanager/google-identity-accesscontextmanager/src/test/java/com/google/identity/accesscontextmanager/v1/AccessContextManagerClientTest.java b/java-accesscontextmanager/google-identity-accesscontextmanager/src/test/java/com/google/identity/accesscontextmanager/v1/AccessContextManagerClientTest.java index 51dbd21459aa..e909247d1a58 100644 --- a/java-accesscontextmanager/google-identity-accesscontextmanager/src/test/java/com/google/identity/accesscontextmanager/v1/AccessContextManagerClientTest.java +++ b/java-accesscontextmanager/google-identity-accesscontextmanager/src/test/java/com/google/identity/accesscontextmanager/v1/AccessContextManagerClientTest.java @@ -30,9 +30,18 @@ import com.google.api.gax.rpc.InvalidArgumentException; import com.google.api.gax.rpc.StatusCode; import com.google.common.collect.Lists; +import com.google.iam.v1.AuditConfig; +import com.google.iam.v1.Binding; +import com.google.iam.v1.GetIamPolicyRequest; +import com.google.iam.v1.GetPolicyOptions; +import com.google.iam.v1.Policy; +import com.google.iam.v1.SetIamPolicyRequest; +import com.google.iam.v1.TestIamPermissionsRequest; +import com.google.iam.v1.TestIamPermissionsResponse; import com.google.longrunning.Operation; import com.google.protobuf.AbstractMessage; import com.google.protobuf.Any; +import com.google.protobuf.ByteString; import com.google.protobuf.Empty; import com.google.protobuf.FieldMask; import com.google.protobuf.Timestamp; @@ -152,6 +161,7 @@ public void getAccessPolicyTest() throws Exception { .setName(AccessPolicyName.of("[ACCESS_POLICY]").toString()) .setParent("parent-995424086") .setTitle("title110371416") + .addAllScopes(new ArrayList()) .setCreateTime(Timestamp.newBuilder().build()) .setUpdateTime(Timestamp.newBuilder().build()) .setEtag("etag3123477") 
@@ -195,6 +205,7 @@ public void getAccessPolicyTest2() throws Exception { .setName(AccessPolicyName.of("[ACCESS_POLICY]").toString()) .setParent("parent-995424086") .setTitle("title110371416") + .addAllScopes(new ArrayList()) .setCreateTime(Timestamp.newBuilder().build()) .setUpdateTime(Timestamp.newBuilder().build()) .setEtag("etag3123477") @@ -238,6 +249,7 @@ public void createAccessPolicyTest() throws Exception { .setName(AccessPolicyName.of("[ACCESS_POLICY]").toString()) .setParent("parent-995424086") .setTitle("title110371416") + .addAllScopes(new ArrayList()) .setCreateTime(Timestamp.newBuilder().build()) .setUpdateTime(Timestamp.newBuilder().build()) .setEtag("etag3123477") @@ -255,6 +267,7 @@ public void createAccessPolicyTest() throws Exception { .setName(AccessPolicyName.of("[ACCESS_POLICY]").toString()) .setParent("parent-995424086") .setTitle("title110371416") + .addAllScopes(new ArrayList()) .setCreateTime(Timestamp.newBuilder().build()) .setUpdateTime(Timestamp.newBuilder().build()) .setEtag("etag3123477") @@ -270,6 +283,7 @@ public void createAccessPolicyTest() throws Exception { Assert.assertEquals(request.getName(), actualRequest.getName()); Assert.assertEquals(request.getParent(), actualRequest.getParent()); Assert.assertEquals(request.getTitle(), actualRequest.getTitle()); + Assert.assertEquals(request.getScopesList(), actualRequest.getScopesList()); Assert.assertEquals(request.getCreateTime(), actualRequest.getCreateTime()); Assert.assertEquals(request.getUpdateTime(), actualRequest.getUpdateTime()); Assert.assertEquals(request.getEtag(), actualRequest.getEtag()); @@ -290,6 +304,7 @@ public void createAccessPolicyExceptionTest() throws Exception { .setName(AccessPolicyName.of("[ACCESS_POLICY]").toString()) .setParent("parent-995424086") .setTitle("title110371416") + .addAllScopes(new ArrayList()) .setCreateTime(Timestamp.newBuilder().build()) .setUpdateTime(Timestamp.newBuilder().build()) .setEtag("etag3123477") 
@@ -310,6 +325,7 @@ public void updateAccessPolicyTest() throws Exception { .setName(AccessPolicyName.of("[ACCESS_POLICY]").toString()) .setParent("parent-995424086") .setTitle("title110371416") + .addAllScopes(new ArrayList()) .setCreateTime(Timestamp.newBuilder().build()) .setUpdateTime(Timestamp.newBuilder().build()) .setEtag("etag3123477") 
@@ -1904,4 +1920,152 @@ public void deleteGcpUserAccessBindingExceptionTest2() throws Exception { Assert.assertEquals(StatusCode.Code.INVALID_ARGUMENT, apiException.getStatusCode().getCode()); } } + + @Test + public void setIamPolicyTest() throws Exception { + Policy expectedResponse = + Policy.newBuilder() + .setVersion(351608024) + .addAllBindings(new ArrayList()) + .addAllAuditConfigs(new ArrayList()) + .setEtag(ByteString.EMPTY) + .build(); + mockAccessContextManager.addResponse(expectedResponse); + + SetIamPolicyRequest request = + SetIamPolicyRequest.newBuilder() + .setResource(AccessPolicyName.of("[ACCESS_POLICY]").toString()) + .setPolicy(Policy.newBuilder().build()) + .setUpdateMask(FieldMask.newBuilder().build()) + .build(); + + Policy actualResponse = client.setIamPolicy(request); + Assert.assertEquals(expectedResponse, actualResponse); + + List actualRequests = mockAccessContextManager.getRequests(); + Assert.assertEquals(1, actualRequests.size()); + SetIamPolicyRequest actualRequest = ((SetIamPolicyRequest) actualRequests.get(0)); + + Assert.assertEquals(request.getResource(), actualRequest.getResource()); + Assert.assertEquals(request.getPolicy(), actualRequest.getPolicy()); + Assert.assertEquals(request.getUpdateMask(), actualRequest.getUpdateMask()); + Assert.assertTrue( + channelProvider.isHeaderSent( + ApiClientHeaderProvider.getDefaultApiClientHeaderKey(), + GaxGrpcProperties.getDefaultApiClientHeaderPattern())); + } + + @Test + public void setIamPolicyExceptionTest() throws Exception { + StatusRuntimeException exception = new StatusRuntimeException(io.grpc.Status.INVALID_ARGUMENT); + mockAccessContextManager.addException(exception); + + try { + SetIamPolicyRequest request = + SetIamPolicyRequest.newBuilder() + .setResource(AccessPolicyName.of("[ACCESS_POLICY]").toString()) + .setPolicy(Policy.newBuilder().build()) + .setUpdateMask(FieldMask.newBuilder().build()) + .build(); + client.setIamPolicy(request); + Assert.fail("No exception raised"); + 
} catch (InvalidArgumentException e) { + // Expected exception. + } + } + + @Test + public void getIamPolicyTest() throws Exception { + Policy expectedResponse = + Policy.newBuilder() + .setVersion(351608024) + .addAllBindings(new ArrayList()) + .addAllAuditConfigs(new ArrayList()) + .setEtag(ByteString.EMPTY) + .build(); + mockAccessContextManager.addResponse(expectedResponse); + + GetIamPolicyRequest request = + GetIamPolicyRequest.newBuilder() + .setResource(AccessPolicyName.of("[ACCESS_POLICY]").toString()) + .setOptions(GetPolicyOptions.newBuilder().build()) + .build(); + + Policy actualResponse = client.getIamPolicy(request); + Assert.assertEquals(expectedResponse, actualResponse); + + List actualRequests = mockAccessContextManager.getRequests(); + Assert.assertEquals(1, actualRequests.size()); + GetIamPolicyRequest actualRequest = ((GetIamPolicyRequest) actualRequests.get(0)); + + Assert.assertEquals(request.getResource(), actualRequest.getResource()); + Assert.assertEquals(request.getOptions(), actualRequest.getOptions()); + Assert.assertTrue( + channelProvider.isHeaderSent( + ApiClientHeaderProvider.getDefaultApiClientHeaderKey(), + GaxGrpcProperties.getDefaultApiClientHeaderPattern())); + } + + @Test + public void getIamPolicyExceptionTest() throws Exception { + StatusRuntimeException exception = new StatusRuntimeException(io.grpc.Status.INVALID_ARGUMENT); + mockAccessContextManager.addException(exception); + + try { + GetIamPolicyRequest request = + GetIamPolicyRequest.newBuilder() + .setResource(AccessPolicyName.of("[ACCESS_POLICY]").toString()) + .setOptions(GetPolicyOptions.newBuilder().build()) + .build(); + client.getIamPolicy(request); + Assert.fail("No exception raised"); + } catch (InvalidArgumentException e) { + // Expected exception. 
+ } + } + + @Test + public void testIamPermissionsTest() throws Exception { + TestIamPermissionsResponse expectedResponse = + TestIamPermissionsResponse.newBuilder().addAllPermissions(new ArrayList()).build(); + mockAccessContextManager.addResponse(expectedResponse); + + TestIamPermissionsRequest request = + TestIamPermissionsRequest.newBuilder() + .setResource(AccessLevelName.of("[ACCESS_POLICY]", "[ACCESS_LEVEL]").toString()) + .addAllPermissions(new ArrayList()) + .build(); + + TestIamPermissionsResponse actualResponse = client.testIamPermissions(request); + Assert.assertEquals(expectedResponse, actualResponse); + + List actualRequests = mockAccessContextManager.getRequests(); + Assert.assertEquals(1, actualRequests.size()); + TestIamPermissionsRequest actualRequest = ((TestIamPermissionsRequest) actualRequests.get(0)); + + Assert.assertEquals(request.getResource(), actualRequest.getResource()); + Assert.assertEquals(request.getPermissionsList(), actualRequest.getPermissionsList()); + Assert.assertTrue( + channelProvider.isHeaderSent( + ApiClientHeaderProvider.getDefaultApiClientHeaderKey(), + GaxGrpcProperties.getDefaultApiClientHeaderPattern())); + } + + @Test + public void testIamPermissionsExceptionTest() throws Exception { + StatusRuntimeException exception = new StatusRuntimeException(io.grpc.Status.INVALID_ARGUMENT); + mockAccessContextManager.addException(exception); + + try { + TestIamPermissionsRequest request = + TestIamPermissionsRequest.newBuilder() + .setResource(AccessLevelName.of("[ACCESS_POLICY]", "[ACCESS_LEVEL]").toString()) + .addAllPermissions(new ArrayList()) + .build(); + client.testIamPermissions(request); + Assert.fail("No exception raised"); + } catch (InvalidArgumentException e) { + // Expected exception. + } + } } 
diff --git a/java-accesscontextmanager/google-identity-accesscontextmanager/src/test/java/com/google/identity/accesscontextmanager/v1/MockAccessContextManagerImpl.java b/java-accesscontextmanager/google-identity-accesscontextmanager/src/test/java/com/google/identity/accesscontextmanager/v1/MockAccessContextManagerImpl.java index 8880a78585b8..c3b91717bc2e 100644 --- a/java-accesscontextmanager/google-identity-accesscontextmanager/src/test/java/com/google/identity/accesscontextmanager/v1/MockAccessContextManagerImpl.java +++ b/java-accesscontextmanager/google-identity-accesscontextmanager/src/test/java/com/google/identity/accesscontextmanager/v1/MockAccessContextManagerImpl.java @@ -17,6 +17,11 @@ package com.google.identity.accesscontextmanager.v1; import com.google.api.core.BetaApi; +import com.google.iam.v1.GetIamPolicyRequest; +import com.google.iam.v1.Policy; +import com.google.iam.v1.SetIamPolicyRequest; +import com.google.iam.v1.TestIamPermissionsRequest; +import com.google.iam.v1.TestIamPermissionsResponse; import com.google.identity.accesscontextmanager.v1.AccessContextManagerGrpc.AccessContextManagerImplBase; import com.google.longrunning.Operation; import com.google.protobuf.AbstractMessage; 
@@ -544,4 +549,66 @@ public void deleteGcpUserAccessBinding( Exception.class.getName()))); } } + + @Override + public void setIamPolicy(SetIamPolicyRequest request, StreamObserver responseObserver) { + Object response = responses.poll(); + if (response instanceof Policy) { + requests.add(request); + responseObserver.onNext(((Policy) response)); + responseObserver.onCompleted(); + } else if (response instanceof Exception) { + responseObserver.onError(((Exception) response)); + } else { + responseObserver.onError( + new IllegalArgumentException( + String.format( + "Unrecognized response type %s for method SetIamPolicy, expected %s or %s", + response == null ? "null" : response.getClass().getName(), + Policy.class.getName(), + Exception.class.getName()))); + } + } + + @Override + public void getIamPolicy(GetIamPolicyRequest request, StreamObserver responseObserver) { + Object response = responses.poll(); + if (response instanceof Policy) { + requests.add(request); + responseObserver.onNext(((Policy) response)); + responseObserver.onCompleted(); + } else if (response instanceof Exception) { + responseObserver.onError(((Exception) response)); + } else { + responseObserver.onError( + new IllegalArgumentException( + String.format( + "Unrecognized response type %s for method GetIamPolicy, expected %s or %s", + response == null ? 
"null" : response.getClass().getName(), + Policy.class.getName(), + Exception.class.getName()))); + } + } + + @Override + public void testIamPermissions( + TestIamPermissionsRequest request, + StreamObserver responseObserver) { + Object response = responses.poll(); + if (response instanceof TestIamPermissionsResponse) { + requests.add(request); + responseObserver.onNext(((TestIamPermissionsResponse) response)); + responseObserver.onCompleted(); + } else if (response instanceof Exception) { + responseObserver.onError(((Exception) response)); + } else { + responseObserver.onError( + new IllegalArgumentException( + String.format( + "Unrecognized response type %s for method TestIamPermissions, expected %s or %s", + response == null ? "null" : response.getClass().getName(), + TestIamPermissionsResponse.class.getName(), + Exception.class.getName()))); + } + } } diff --git a/java-accesscontextmanager/grpc-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/AccessContextManagerGrpc.java b/java-accesscontextmanager/grpc-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/AccessContextManagerGrpc.java index 01373da282b2..5662cead770a 100644 --- a/java-accesscontextmanager/grpc-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/AccessContextManagerGrpc.java +++ b/java-accesscontextmanager/grpc-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/AccessContextManagerGrpc.java @@ -21,15 +21,15 @@ * * *

- * API for setting [Access Levels]
- * [google.identity.accesscontextmanager.v1.AccessLevel] and [Service
- * Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter]
- * for Google Cloud Projects. Each organization has one [AccessPolicy]
- * [google.identity.accesscontextmanager.v1.AccessPolicy] containing the
- * [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel]
- * and [Service Perimeters]
+ * API for setting [access levels]
+ * [google.identity.accesscontextmanager.v1.AccessLevel] and [service
+ * perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter]
+ * for Google Cloud projects. Each organization has one [access policy]
+ * [google.identity.accesscontextmanager.v1.AccessPolicy] that contains the
+ * [access levels] [google.identity.accesscontextmanager.v1.AccessLevel]
+ * and [service perimeters]
  * [google.identity.accesscontextmanager.v1.ServicePerimeter]. This
- * [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy] is
+ * [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy] is
  * applicable to all resources in the organization.
  * AccessPolicies
  * 
@@ -1209,6 +1209,129 @@ private AccessContextManagerGrpc() {} return getDeleteGcpUserAccessBindingMethod; } + private static volatile io.grpc.MethodDescriptor< + com.google.iam.v1.SetIamPolicyRequest, com.google.iam.v1.Policy> + getSetIamPolicyMethod; + + @io.grpc.stub.annotations.RpcMethod( + fullMethodName = SERVICE_NAME + '/' + "SetIamPolicy", + requestType = com.google.iam.v1.SetIamPolicyRequest.class, + responseType = com.google.iam.v1.Policy.class, + methodType = io.grpc.MethodDescriptor.MethodType.UNARY) + public static io.grpc.MethodDescriptor< + com.google.iam.v1.SetIamPolicyRequest, com.google.iam.v1.Policy> + getSetIamPolicyMethod() { + io.grpc.MethodDescriptor + getSetIamPolicyMethod; + if ((getSetIamPolicyMethod = AccessContextManagerGrpc.getSetIamPolicyMethod) == null) { + synchronized (AccessContextManagerGrpc.class) { + if ((getSetIamPolicyMethod = AccessContextManagerGrpc.getSetIamPolicyMethod) == null) { + AccessContextManagerGrpc.getSetIamPolicyMethod = + getSetIamPolicyMethod = + io.grpc.MethodDescriptor + .newBuilder() + .setType(io.grpc.MethodDescriptor.MethodType.UNARY) + .setFullMethodName(generateFullMethodName(SERVICE_NAME, "SetIamPolicy")) + .setSampledToLocalTracing(true) + .setRequestMarshaller( + io.grpc.protobuf.ProtoUtils.marshaller( + com.google.iam.v1.SetIamPolicyRequest.getDefaultInstance())) + .setResponseMarshaller( + io.grpc.protobuf.ProtoUtils.marshaller( + com.google.iam.v1.Policy.getDefaultInstance())) + .setSchemaDescriptor( + new AccessContextManagerMethodDescriptorSupplier("SetIamPolicy")) + .build(); + } + } + } + return getSetIamPolicyMethod; + } + + private static volatile io.grpc.MethodDescriptor< + com.google.iam.v1.GetIamPolicyRequest, com.google.iam.v1.Policy> + getGetIamPolicyMethod; + + @io.grpc.stub.annotations.RpcMethod( + fullMethodName = SERVICE_NAME + '/' + "GetIamPolicy", + requestType = com.google.iam.v1.GetIamPolicyRequest.class, + responseType = com.google.iam.v1.Policy.class, + methodType = 
io.grpc.MethodDescriptor.MethodType.UNARY) + public static io.grpc.MethodDescriptor< + com.google.iam.v1.GetIamPolicyRequest, com.google.iam.v1.Policy> + getGetIamPolicyMethod() { + io.grpc.MethodDescriptor + getGetIamPolicyMethod; + if ((getGetIamPolicyMethod = AccessContextManagerGrpc.getGetIamPolicyMethod) == null) { + synchronized (AccessContextManagerGrpc.class) { + if ((getGetIamPolicyMethod = AccessContextManagerGrpc.getGetIamPolicyMethod) == null) { + AccessContextManagerGrpc.getGetIamPolicyMethod = + getGetIamPolicyMethod = + io.grpc.MethodDescriptor + .newBuilder() + .setType(io.grpc.MethodDescriptor.MethodType.UNARY) + .setFullMethodName(generateFullMethodName(SERVICE_NAME, "GetIamPolicy")) + .setSampledToLocalTracing(true) + .setRequestMarshaller( + io.grpc.protobuf.ProtoUtils.marshaller( + com.google.iam.v1.GetIamPolicyRequest.getDefaultInstance())) + .setResponseMarshaller( + io.grpc.protobuf.ProtoUtils.marshaller( + com.google.iam.v1.Policy.getDefaultInstance())) + .setSchemaDescriptor( + new AccessContextManagerMethodDescriptorSupplier("GetIamPolicy")) + .build(); + } + } + } + return getGetIamPolicyMethod; + } + + private static volatile io.grpc.MethodDescriptor< + com.google.iam.v1.TestIamPermissionsRequest, com.google.iam.v1.TestIamPermissionsResponse> + getTestIamPermissionsMethod; + + @io.grpc.stub.annotations.RpcMethod( + fullMethodName = SERVICE_NAME + '/' + "TestIamPermissions", + requestType = com.google.iam.v1.TestIamPermissionsRequest.class, + responseType = com.google.iam.v1.TestIamPermissionsResponse.class, + methodType = io.grpc.MethodDescriptor.MethodType.UNARY) + public static io.grpc.MethodDescriptor< + com.google.iam.v1.TestIamPermissionsRequest, com.google.iam.v1.TestIamPermissionsResponse> + getTestIamPermissionsMethod() { + io.grpc.MethodDescriptor< + com.google.iam.v1.TestIamPermissionsRequest, + com.google.iam.v1.TestIamPermissionsResponse> + getTestIamPermissionsMethod; + if ((getTestIamPermissionsMethod = 
AccessContextManagerGrpc.getTestIamPermissionsMethod) + == null) { + synchronized (AccessContextManagerGrpc.class) { + if ((getTestIamPermissionsMethod = AccessContextManagerGrpc.getTestIamPermissionsMethod) + == null) { + AccessContextManagerGrpc.getTestIamPermissionsMethod = + getTestIamPermissionsMethod = + io.grpc.MethodDescriptor + . + newBuilder() + .setType(io.grpc.MethodDescriptor.MethodType.UNARY) + .setFullMethodName(generateFullMethodName(SERVICE_NAME, "TestIamPermissions")) + .setSampledToLocalTracing(true) + .setRequestMarshaller( + io.grpc.protobuf.ProtoUtils.marshaller( + com.google.iam.v1.TestIamPermissionsRequest.getDefaultInstance())) + .setResponseMarshaller( + io.grpc.protobuf.ProtoUtils.marshaller( + com.google.iam.v1.TestIamPermissionsResponse.getDefaultInstance())) + .setSchemaDescriptor( + new AccessContextManagerMethodDescriptorSupplier("TestIamPermissions")) + .build(); + } + } + } + return getTestIamPermissionsMethod; + } + /** Creates a new async stub that supports all call types for the service */ public static AccessContextManagerStub newStub(io.grpc.Channel channel) { io.grpc.stub.AbstractStub.StubFactory factory = @@ -1254,15 +1377,15 @@ public AccessContextManagerFutureStub newStub( * * *
-   * API for setting [Access Levels]
-   * [google.identity.accesscontextmanager.v1.AccessLevel] and [Service
-   * Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter]
-   * for Google Cloud Projects. Each organization has one [AccessPolicy]
-   * [google.identity.accesscontextmanager.v1.AccessPolicy] containing the
-   * [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel]
-   * and [Service Perimeters]
+   * API for setting [access levels]
+   * [google.identity.accesscontextmanager.v1.AccessLevel] and [service
+   * perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter]
+   * for Google Cloud projects. Each organization has one [access policy]
+   * [google.identity.accesscontextmanager.v1.AccessPolicy] that contains the
+   * [access levels] [google.identity.accesscontextmanager.v1.AccessLevel]
+   * and [service perimeters]
    * [google.identity.accesscontextmanager.v1.ServicePerimeter]. This
-   * [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy] is
+   * [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy] is
    * applicable to all resources in the organization.
    * AccessPolicies
    * 
@@ -1273,9 +1396,9 @@ public abstract static class AccessContextManagerImplBase implements io.grpc.Bin * * *
-     * List all [AccessPolicies]
-     * [google.identity.accesscontextmanager.v1.AccessPolicy] under a
-     * container.
+     * Lists all [access policies]
+     * [google.identity.accesscontextmanager.v1.AccessPolicy] in an
+     * organization.
      * 
*/ public void listAccessPolicies( @@ -1291,8 +1414,8 @@ public void listAccessPolicies( * * *
-     * Get an [AccessPolicy]
-     * [google.identity.accesscontextmanager.v1.AccessPolicy] by name.
+     * Returns an [access policy]
+     * [google.identity.accesscontextmanager.v1.AccessPolicy] based on the name.
      * 
*/ public void getAccessPolicy( @@ -1307,10 +1430,10 @@ public void getAccessPolicy( * * *
-     * Create an `AccessPolicy`. Fails if this organization already has a
-     * `AccessPolicy`. The longrunning Operation will have a successful status
-     * once the `AccessPolicy` has propagated to long-lasting storage.
-     * Syntactic and basic semantic errors will be returned in `metadata` as a
+     * Creates an access policy. This method fails if the organization already has
+     * an access policy. The long-running operation has a successful status
+     * after the access policy propagates to long-lasting storage.
+     * Syntactic and basic semantic errors are returned in `metadata` as a
      * BadRequest proto.
      * 
*/ @@ -1325,13 +1448,12 @@ public void createAccessPolicy( * * *
-     * Update an [AccessPolicy]
+     * Updates an [access policy]
      * [google.identity.accesscontextmanager.v1.AccessPolicy]. The
-     * longrunning Operation from this RPC will have a successful status once the
-     * changes to the [AccessPolicy]
-     * [google.identity.accesscontextmanager.v1.AccessPolicy] have propagated
-     * to long-lasting storage. Syntactic and basic semantic errors will be
-     * returned in `metadata` as a BadRequest proto.
+     * long-running operation from this RPC has a successful status after the
+     * changes to the [access policy]
+     * [google.identity.accesscontextmanager.v1.AccessPolicy] propagate
+     * to long-lasting storage.
      * 
*/ public void updateAccessPolicy( @@ -1345,11 +1467,11 @@ public void updateAccessPolicy( * * *
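Review bot: The new `updateAccessPolicy` comment no longer says where validation errors are reported: the sentence about syntactic and basic semantic errors being returned in `metadata` as a BadRequest proto is removed, while the `createAccessPolicy` comment in the previous hunk keeps it. If the server behaviour has not changed, keep the sentence in the new present-tense wording, `Syntactic and basic semantic errors are returned in metadata as a BadRequest proto.`; if it has changed, the commit description should say so. The text is presumably copied from the service's .proto comments, so the correction would be made there. The method itself lies outside the hunk.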
-     * Delete an [AccessPolicy]
-     * [google.identity.accesscontextmanager.v1.AccessPolicy] by resource
-     * name. The longrunning Operation will have a successful status once the
-     * [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy]
-     * has been removed from long-lasting storage.
+     * Deletes an [access policy]
+     * [google.identity.accesscontextmanager.v1.AccessPolicy] based on the
+     * resource name. The long-running operation has a successful status after the
+     * [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy]
+     * is removed from long-lasting storage.
      * 
*/ public void deleteAccessPolicy( @@ -1363,7 +1485,7 @@ public void deleteAccessPolicy( * * *
-     * List all [Access Levels]
+     * Lists all [access levels]
      * [google.identity.accesscontextmanager.v1.AccessLevel] for an access
      * policy.
      * 
@@ -1381,8 +1503,8 @@ public void listAccessLevels( * * *
-     * Get an [Access Level]
-     * [google.identity.accesscontextmanager.v1.AccessLevel] by resource
+     * Gets an [access level]
+     * [google.identity.accesscontextmanager.v1.AccessLevel] based on the resource
      * name.
      * 
*/ @@ -1398,13 +1520,13 @@ public void getAccessLevel( * * *
-     * Create an [Access Level]
-     * [google.identity.accesscontextmanager.v1.AccessLevel]. The longrunning
-     * operation from this RPC will have a successful status once the [Access
-     * Level] [google.identity.accesscontextmanager.v1.AccessLevel] has
-     * propagated to long-lasting storage. [Access Levels]
-     * [google.identity.accesscontextmanager.v1.AccessLevel] containing
-     * errors will result in an error response for the first error encountered.
+     * Creates an [access level]
+     * [google.identity.accesscontextmanager.v1.AccessLevel]. The long-running
+     * operation from this RPC has a successful status after the [access
+     * level] [google.identity.accesscontextmanager.v1.AccessLevel]
+     * propagates to long-lasting storage. If [access levels]
+     * [google.identity.accesscontextmanager.v1.AccessLevel] contain
+     * errors, an error response is returned for the first error encountered.
      * 
*/ public void createAccessLevel( @@ -1418,14 +1540,14 @@ public void createAccessLevel( * * *
-     * Update an [Access Level]
-     * [google.identity.accesscontextmanager.v1.AccessLevel]. The longrunning
-     * operation from this RPC will have a successful status once the changes to
-     * the [Access Level]
-     * [google.identity.accesscontextmanager.v1.AccessLevel] have propagated
-     * to long-lasting storage. [Access Levels]
-     * [google.identity.accesscontextmanager.v1.AccessLevel] containing
-     * errors will result in an error response for the first error encountered.
+     * Updates an [access level]
+     * [google.identity.accesscontextmanager.v1.AccessLevel]. The long-running
+     * operation from this RPC has a successful status after the changes to
+     * the [access level]
+     * [google.identity.accesscontextmanager.v1.AccessLevel] propagate
+     * to long-lasting storage. If [access levels]
+     * [google.identity.accesscontextmanager.v1.AccessLevel] contain
+     * errors, an error response is returned for the first error encountered.
      * 
*/ public void updateAccessLevel( @@ -1439,10 +1561,10 @@ public void updateAccessLevel( * * *
-     * Delete an [Access Level]
-     * [google.identity.accesscontextmanager.v1.AccessLevel] by resource
-     * name. The longrunning operation from this RPC will have a successful status
-     * once the [Access Level]
+     * Deletes an [access level]
+     * [google.identity.accesscontextmanager.v1.AccessLevel] based on the resource
+     * name. The long-running operation from this RPC has a successful status
+     * after the [access level]
      * [google.identity.accesscontextmanager.v1.AccessLevel] has been removed
      * from long-lasting storage.
      * 
@@ -1458,22 +1580,22 @@ public void deleteAccessLevel( * * *
-     * Replace all existing [Access Levels]
-     * [google.identity.accesscontextmanager.v1.AccessLevel] in an [Access
-     * Policy] [google.identity.accesscontextmanager.v1.AccessPolicy] with
-     * the [Access Levels]
+     * Replaces all existing [access levels]
+     * [google.identity.accesscontextmanager.v1.AccessLevel] in an [access
+     * policy] [google.identity.accesscontextmanager.v1.AccessPolicy] with
+     * the [access levels]
      * [google.identity.accesscontextmanager.v1.AccessLevel] provided. This
-     * is done atomically. The longrunning operation from this RPC will have a
-     * successful status once all replacements have propagated to long-lasting
-     * storage. Replacements containing errors will result in an error response
-     * for the first error encountered.  Replacement will be cancelled on error,
-     * existing [Access Levels]
-     * [google.identity.accesscontextmanager.v1.AccessLevel] will not be
-     * affected. Operation.response field will contain
-     * ReplaceAccessLevelsResponse. Removing [Access Levels]
+     * is done atomically. The long-running operation from this RPC has a
+     * successful status after all replacements propagate to long-lasting
+     * storage. If the replacement contains errors, an error response is returned
+     * for the first error encountered.  Upon error, the replacement is cancelled,
+     * and existing [access levels]
+     * [google.identity.accesscontextmanager.v1.AccessLevel] are not
+     * affected. The Operation.response field contains
+     * ReplaceAccessLevelsResponse. Removing [access levels]
      * [google.identity.accesscontextmanager.v1.AccessLevel] contained in existing
-     * [Service Perimeters]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] will result in
+     * [service perimeters]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] result in an
      * error.
      * 
*/ @@ -1488,7 +1610,7 @@ public void replaceAccessLevels( * * *
-     * List all [Service Perimeters]
+     * Lists all [service perimeters]
      * [google.identity.accesscontextmanager.v1.ServicePerimeter] for an
      * access policy.
      * 
@@ -1506,9 +1628,9 @@ public void listServicePerimeters( * * *
-     * Get a [Service Perimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] by resource
-     * name.
+     * Gets a [service perimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] based on the
+     * resource name.
      * 
*/ public void getServicePerimeter( @@ -1523,14 +1645,14 @@ public void getServicePerimeter( * * *
-     * Create a [Service Perimeter]
+     * Creates a [service perimeter]
      * [google.identity.accesscontextmanager.v1.ServicePerimeter]. The
-     * longrunning operation from this RPC will have a successful status once the
-     * [Service Perimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] has
-     * propagated to long-lasting storage. [Service Perimeters]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] containing
-     * errors will result in an error response for the first error encountered.
+     * long-running operation from this RPC has a successful status after the
+     * [service perimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter]
+     * propagates to long-lasting storage. If a [service perimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] contains
+     * errors, an error response is returned for the first error encountered.
      * 
*/ public void createServicePerimeter( @@ -1544,14 +1666,14 @@ public void createServicePerimeter( * * *
-     * Update a [Service Perimeter]
+     * Updates a [service perimeter]
      * [google.identity.accesscontextmanager.v1.ServicePerimeter]. The
-     * longrunning operation from this RPC will have a successful status once the
-     * changes to the [Service Perimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] have
-     * propagated to long-lasting storage. [Service Perimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] containing
-     * errors will result in an error response for the first error encountered.
+     * long-running operation from this RPC has a successful status after the
+     * [service perimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter]
+     * propagates to long-lasting storage. If a [service perimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] contains
+     * errors, an error response is returned for the first error encountered.
      * 
*/ public void updateServicePerimeter( @@ -1565,12 +1687,12 @@ public void updateServicePerimeter( * * *
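Review bot: The rewritten `updateServicePerimeter` comment now reads the same as the `createServicePerimeter` one: it says the operation succeeds after the service perimeter propagates, where the removed text and the new `updateAccessLevel` comment both speak of the changes to the resource propagating. Restore that wording, `status after the changes to the [service perimeter]` and `propagate to long-lasting storage.`, so the update contract stays distinguishable from create. The comment is presumably derived from the .proto file, so the edit would go there; the method body is outside the hunk.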
-     * Delete a [Service Perimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] by resource
-     * name. The longrunning operation from this RPC will have a successful status
-     * once the [Service Perimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] has been
-     * removed from long-lasting storage.
+     * Deletes a [service perimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] based on the
+     * resource name. The long-running operation from this RPC has a successful
+     * status after the [service perimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] is removed from
+     * long-lasting storage.
      * 
*/ public void deleteServicePerimeter( @@ -1584,18 +1706,18 @@ public void deleteServicePerimeter( * * *
-     * Replace all existing [Service Perimeters]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] in an
-     * [Access Policy] [google.identity.accesscontextmanager.v1.AccessPolicy]
-     * with the [Service Perimeters]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] provided.
-     * This is done atomically. The longrunning operation from this
-     * RPC will have a successful status once all replacements have propagated to
-     * long-lasting storage. Replacements containing errors will result in an
-     * error response for the first error encountered. Replacement will be
-     * cancelled on error, existing [Service Perimeters]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] will not be
-     * affected. Operation.response field will contain
+     * Replace all existing [service perimeters]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] in an [access
+     * policy] [google.identity.accesscontextmanager.v1.AccessPolicy] with the
+     * [service perimeters]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] provided. This
+     * is done atomically. The long-running operation from this RPC has a
+     * successful status after all replacements propagate to long-lasting storage.
+     * Replacements containing errors result in an error response for the first
+     * error encountered. Upon an error, replacement are cancelled and existing
+     * [service perimeters]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] are not
+     * affected. The Operation.response field contains
      * ReplaceServicePerimetersResponse.
      * 
*/ @@ -1610,21 +1732,21 @@ public void replaceServicePerimeters( * * *
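Review bot: The rewritten `replaceServicePerimeters` comment opens with `Replace all existing` while the other comments in this diff were moved to the third person, and `Upon an error, replacement are cancelled` does not agree in number. Match the `replaceAccessLevels` wording used earlier in the same file: `Replaces all existing [service perimeters]` and `Upon error, the replacement is cancelled, and existing`. The method this Javadoc documents is outside the hunk.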
-     * Commit the dry-run spec for all the [Service Perimeters]
+     * Commits the dry-run specification for all the [service perimeters]
      * [google.identity.accesscontextmanager.v1.ServicePerimeter] in an
-     * [Access Policy][google.identity.accesscontextmanager.v1.AccessPolicy].
-     * A commit operation on a Service Perimeter involves copying its `spec` field
-     * to that Service Perimeter's `status` field. Only [Service Perimeters]
+     * [access policy][google.identity.accesscontextmanager.v1.AccessPolicy].
+     * A commit operation on a service perimeter involves copying its `spec` field
+     * to the `status` field of the service perimeter. Only [service perimeters]
      * [google.identity.accesscontextmanager.v1.ServicePerimeter] with
      * `use_explicit_dry_run_spec` field set to true are affected by a commit
-     * operation. The longrunning operation from this RPC will have a successful
-     * status once the dry-run specs for all the [Service Perimeters]
+     * operation. The long-running operation from this RPC has a successful
+     * status after the dry-run specifications for all the [service perimeters]
      * [google.identity.accesscontextmanager.v1.ServicePerimeter] have been
-     * committed. If a commit fails, it will cause the longrunning operation to
-     * return an error response and the entire commit operation will be cancelled.
-     * When successful, Operation.response field will contain
-     * CommitServicePerimetersResponse. The `dry_run` and the `spec` fields will
-     * be cleared after a successful commit operation.
+     * committed. If a commit fails, it causes the long-running operation to
+     * return an error response and the entire commit operation is cancelled.
+     * When successful, the Operation.response field contains
+     * CommitServicePerimetersResponse. The `dry_run` and the `spec` fields are
+     * cleared after a successful commit operation.
      * 
*/ public void commitServicePerimeters( @@ -1678,7 +1800,7 @@ public void getGcpUserAccessBinding( * [google.identity.accesscontextmanager.v1.GcpUserAccessBinding]. If the * client specifies a [name] * [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.name], - * the server will ignore it. Fails if a resource already exists with the same + * the server ignores it. Fails if a resource already exists with the same * [group_key] * [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.group_key]. * Completion of this long-running operation does not necessarily signify that @@ -1729,6 +1851,60 @@ public void deleteGcpUserAccessBinding( getDeleteGcpUserAccessBindingMethod(), responseObserver); } + /** + * + * + *
+     * Sets the IAM policy for the specified Access Context Manager
+     * [access policy][google.identity.accesscontextmanager.v1.AccessPolicy].
+     * This method replaces the existing IAM policy on the access policy. The IAM
+     * policy controls the set of users who can perform specific operations on the
+     * Access Context Manager [access
+     * policy][google.identity.accesscontextmanager.v1.AccessPolicy].
+     * 
+ */ + public void setIamPolicy( + com.google.iam.v1.SetIamPolicyRequest request, + io.grpc.stub.StreamObserver responseObserver) { + io.grpc.stub.ServerCalls.asyncUnimplementedUnaryCall( + getSetIamPolicyMethod(), responseObserver); + } + + /** + * + * + *
+     * Gets the IAM policy for the specified Access Context Manager
+     * [access policy][google.identity.accesscontextmanager.v1.AccessPolicy].
+     * 
+ */ + public void getIamPolicy( + com.google.iam.v1.GetIamPolicyRequest request, + io.grpc.stub.StreamObserver responseObserver) { + io.grpc.stub.ServerCalls.asyncUnimplementedUnaryCall( + getGetIamPolicyMethod(), responseObserver); + } + + /** + * + * + *
+     * Returns the IAM permissions that the caller has on the specified Access
+     * Context Manager resource. The resource can be an
+     * [AccessPolicy][google.identity.accesscontextmanager.v1.AccessPolicy],
+     * [AccessLevel][google.identity.accesscontextmanager.v1.AccessLevel], or
+     * [ServicePerimeter][google.identity.accesscontextmanager.v1.ServicePerimeter
+     * ]. This method does not support other resources.
+     * 
+ */ + public void testIamPermissions( + com.google.iam.v1.TestIamPermissionsRequest request, + io.grpc.stub.StreamObserver + responseObserver) { + io.grpc.stub.ServerCalls.asyncUnimplementedUnaryCall( + getTestIamPermissionsMethod(), responseObserver); + } + @java.lang.Override public final io.grpc.ServerServiceDefinition bindService() { return io.grpc.ServerServiceDefinition.builder(getServiceDescriptor()) @@ -1882,6 +2058,25 @@ public final io.grpc.ServerServiceDefinition bindService() { com.google.identity.accesscontextmanager.v1.DeleteGcpUserAccessBindingRequest, com.google.longrunning.Operation>( this, METHODID_DELETE_GCP_USER_ACCESS_BINDING))) + .addMethod( + getSetIamPolicyMethod(), + io.grpc.stub.ServerCalls.asyncUnaryCall( + new MethodHandlers< + com.google.iam.v1.SetIamPolicyRequest, com.google.iam.v1.Policy>( + this, METHODID_SET_IAM_POLICY))) + .addMethod( + getGetIamPolicyMethod(), + io.grpc.stub.ServerCalls.asyncUnaryCall( + new MethodHandlers< + com.google.iam.v1.GetIamPolicyRequest, com.google.iam.v1.Policy>( + this, METHODID_GET_IAM_POLICY))) + .addMethod( + getTestIamPermissionsMethod(), + io.grpc.stub.ServerCalls.asyncUnaryCall( + new MethodHandlers< + com.google.iam.v1.TestIamPermissionsRequest, + com.google.iam.v1.TestIamPermissionsResponse>( + this, METHODID_TEST_IAM_PERMISSIONS))) .build(); } } @@ -1890,15 +2085,15 @@ public final io.grpc.ServerServiceDefinition bindService() { * * *
-   * API for setting [Access Levels]
-   * [google.identity.accesscontextmanager.v1.AccessLevel] and [Service
-   * Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter]
-   * for Google Cloud Projects. Each organization has one [AccessPolicy]
-   * [google.identity.accesscontextmanager.v1.AccessPolicy] containing the
-   * [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel]
-   * and [Service Perimeters]
+   * API for setting [access levels]
+   * [google.identity.accesscontextmanager.v1.AccessLevel] and [service
+   * perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter]
+   * for Google Cloud projects. Each organization has one [access policy]
+   * [google.identity.accesscontextmanager.v1.AccessPolicy] that contains the
+   * [access levels] [google.identity.accesscontextmanager.v1.AccessLevel]
+   * and [service perimeters]
    * [google.identity.accesscontextmanager.v1.ServicePerimeter]. This
-   * [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy] is
+   * [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy] is
    * applicable to all resources in the organization.
    * AccessPolicies
    * 
@@ -1919,9 +2114,9 @@ protected AccessContextManagerStub build( * * *
-     * List all [AccessPolicies]
-     * [google.identity.accesscontextmanager.v1.AccessPolicy] under a
-     * container.
+     * Lists all [access policies]
+     * [google.identity.accesscontextmanager.v1.AccessPolicy] in an
+     * organization.
      * 
*/ public void listAccessPolicies( @@ -1939,8 +2134,8 @@ public void listAccessPolicies( * * *
-     * Get an [AccessPolicy]
-     * [google.identity.accesscontextmanager.v1.AccessPolicy] by name.
+     * Returns an [access policy]
+     * [google.identity.accesscontextmanager.v1.AccessPolicy] based on the name.
      * 
*/ public void getAccessPolicy( @@ -1957,10 +2152,10 @@ public void getAccessPolicy( * * *
-     * Create an `AccessPolicy`. Fails if this organization already has a
-     * `AccessPolicy`. The longrunning Operation will have a successful status
-     * once the `AccessPolicy` has propagated to long-lasting storage.
-     * Syntactic and basic semantic errors will be returned in `metadata` as a
+     * Creates an access policy. This method fails if the organization already has
+     * an access policy. The long-running operation has a successful status
+     * after the access policy propagates to long-lasting storage.
+     * Syntactic and basic semantic errors are returned in `metadata` as a
      * BadRequest proto.
      * 
*/ @@ -1977,13 +2172,12 @@ public void createAccessPolicy( * * *
-     * Update an [AccessPolicy]
+     * Updates an [access policy]
      * [google.identity.accesscontextmanager.v1.AccessPolicy]. The
-     * longrunning Operation from this RPC will have a successful status once the
-     * changes to the [AccessPolicy]
-     * [google.identity.accesscontextmanager.v1.AccessPolicy] have propagated
-     * to long-lasting storage. Syntactic and basic semantic errors will be
-     * returned in `metadata` as a BadRequest proto.
+     * long-running operation from this RPC has a successful status after the
+     * changes to the [access policy]
+     * [google.identity.accesscontextmanager.v1.AccessPolicy] propagate
+     * to long-lasting storage.
      * 
*/ public void updateAccessPolicy( @@ -1999,11 +2193,11 @@ public void updateAccessPolicy( * * *
-     * Delete an [AccessPolicy]
-     * [google.identity.accesscontextmanager.v1.AccessPolicy] by resource
-     * name. The longrunning Operation will have a successful status once the
-     * [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy]
-     * has been removed from long-lasting storage.
+     * Deletes an [access policy]
+     * [google.identity.accesscontextmanager.v1.AccessPolicy] based on the
+     * resource name. The long-running operation has a successful status after the
+     * [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy]
+     * is removed from long-lasting storage.
      * 
*/ public void deleteAccessPolicy( @@ -2019,7 +2213,7 @@ public void deleteAccessPolicy( * * *
-     * List all [Access Levels]
+     * Lists all [access levels]
      * [google.identity.accesscontextmanager.v1.AccessLevel] for an access
      * policy.
      * 
@@ -2039,8 +2233,8 @@ public void listAccessLevels( * * *
-     * Get an [Access Level]
-     * [google.identity.accesscontextmanager.v1.AccessLevel] by resource
+     * Gets an [access level]
+     * [google.identity.accesscontextmanager.v1.AccessLevel] based on the resource
      * name.
      * 
*/ @@ -2058,13 +2252,13 @@ public void getAccessLevel( * * *
-     * Create an [Access Level]
-     * [google.identity.accesscontextmanager.v1.AccessLevel]. The longrunning
-     * operation from this RPC will have a successful status once the [Access
-     * Level] [google.identity.accesscontextmanager.v1.AccessLevel] has
-     * propagated to long-lasting storage. [Access Levels]
-     * [google.identity.accesscontextmanager.v1.AccessLevel] containing
-     * errors will result in an error response for the first error encountered.
+     * Creates an [access level]
+     * [google.identity.accesscontextmanager.v1.AccessLevel]. The long-running
+     * operation from this RPC has a successful status after the [access
+     * level] [google.identity.accesscontextmanager.v1.AccessLevel]
+     * propagates to long-lasting storage. If [access levels]
+     * [google.identity.accesscontextmanager.v1.AccessLevel] contain
+     * errors, an error response is returned for the first error encountered.
      * 
*/ public void createAccessLevel( @@ -2080,14 +2274,14 @@ public void createAccessLevel( * * *
-     * Update an [Access Level]
-     * [google.identity.accesscontextmanager.v1.AccessLevel]. The longrunning
-     * operation from this RPC will have a successful status once the changes to
-     * the [Access Level]
-     * [google.identity.accesscontextmanager.v1.AccessLevel] have propagated
-     * to long-lasting storage. [Access Levels]
-     * [google.identity.accesscontextmanager.v1.AccessLevel] containing
-     * errors will result in an error response for the first error encountered.
+     * Updates an [access level]
+     * [google.identity.accesscontextmanager.v1.AccessLevel]. The long-running
+     * operation from this RPC has a successful status after the changes to
+     * the [access level]
+     * [google.identity.accesscontextmanager.v1.AccessLevel] propagate
+     * to long-lasting storage. If [access levels]
+     * [google.identity.accesscontextmanager.v1.AccessLevel] contain
+     * errors, an error response is returned for the first error encountered.
      * 
*/ public void updateAccessLevel( @@ -2103,10 +2297,10 @@ public void updateAccessLevel( * * *
-     * Delete an [Access Level]
-     * [google.identity.accesscontextmanager.v1.AccessLevel] by resource
-     * name. The longrunning operation from this RPC will have a successful status
-     * once the [Access Level]
+     * Deletes an [access level]
+     * [google.identity.accesscontextmanager.v1.AccessLevel] based on the resource
+     * name. The long-running operation from this RPC has a successful status
+     * after the [access level]
      * [google.identity.accesscontextmanager.v1.AccessLevel] has been removed
      * from long-lasting storage.
      * 
@@ -2124,22 +2318,22 @@ public void deleteAccessLevel( * * *
-     * Replace all existing [Access Levels]
-     * [google.identity.accesscontextmanager.v1.AccessLevel] in an [Access
-     * Policy] [google.identity.accesscontextmanager.v1.AccessPolicy] with
-     * the [Access Levels]
+     * Replaces all existing [access levels]
+     * [google.identity.accesscontextmanager.v1.AccessLevel] in an [access
+     * policy] [google.identity.accesscontextmanager.v1.AccessPolicy] with
+     * the [access levels]
      * [google.identity.accesscontextmanager.v1.AccessLevel] provided. This
-     * is done atomically. The longrunning operation from this RPC will have a
-     * successful status once all replacements have propagated to long-lasting
-     * storage. Replacements containing errors will result in an error response
-     * for the first error encountered.  Replacement will be cancelled on error,
-     * existing [Access Levels]
-     * [google.identity.accesscontextmanager.v1.AccessLevel] will not be
-     * affected. Operation.response field will contain
-     * ReplaceAccessLevelsResponse. Removing [Access Levels]
+     * is done atomically. The long-running operation from this RPC has a
+     * successful status after all replacements propagate to long-lasting
+     * storage. If the replacement contains errors, an error response is returned
+     * for the first error encountered.  Upon error, the replacement is cancelled,
+     * and existing [access levels]
+     * [google.identity.accesscontextmanager.v1.AccessLevel] are not
+     * affected. The Operation.response field contains
+     * ReplaceAccessLevelsResponse. Removing [access levels]
      * [google.identity.accesscontextmanager.v1.AccessLevel] contained in existing
-     * [Service Perimeters]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] will result in
+     * [service perimeters]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] result in an
      * error.
      * 
*/ @@ -2156,7 +2350,7 @@ public void replaceAccessLevels( * * *
-     * List all [Service Perimeters]
+     * Lists all [service perimeters]
      * [google.identity.accesscontextmanager.v1.ServicePerimeter] for an
      * access policy.
      * 
@@ -2176,9 +2370,9 @@ public void listServicePerimeters( * * *
-     * Get a [Service Perimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] by resource
-     * name.
+     * Gets a [service perimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] based on the
+     * resource name.
      * 
*/ public void getServicePerimeter( @@ -2195,14 +2389,14 @@ public void getServicePerimeter( * * *
-     * Create a [Service Perimeter]
+     * Creates a [service perimeter]
      * [google.identity.accesscontextmanager.v1.ServicePerimeter]. The
-     * longrunning operation from this RPC will have a successful status once the
-     * [Service Perimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] has
-     * propagated to long-lasting storage. [Service Perimeters]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] containing
-     * errors will result in an error response for the first error encountered.
+     * long-running operation from this RPC has a successful status after the
+     * [service perimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter]
+     * propagates to long-lasting storage. If a [service perimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] contains
+     * errors, an error response is returned for the first error encountered.
      * 
*/ public void createServicePerimeter( @@ -2218,14 +2412,14 @@ public void createServicePerimeter( * * *
-     * Update a [Service Perimeter]
+     * Updates a [service perimeter]
      * [google.identity.accesscontextmanager.v1.ServicePerimeter]. The
-     * longrunning operation from this RPC will have a successful status once the
-     * changes to the [Service Perimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] have
-     * propagated to long-lasting storage. [Service Perimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] containing
-     * errors will result in an error response for the first error encountered.
+     * long-running operation from this RPC has a successful status after the
+     * [service perimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter]
+     * propagates to long-lasting storage. If a [service perimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] contains
+     * errors, an error response is returned for the first error encountered.
      * 
*/ public void updateServicePerimeter( @@ -2241,12 +2435,12 @@ public void updateServicePerimeter( * * *
-     * Delete a [Service Perimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] by resource
-     * name. The longrunning operation from this RPC will have a successful status
-     * once the [Service Perimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] has been
-     * removed from long-lasting storage.
+     * Deletes a [service perimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] based on the
+     * resource name. The long-running operation from this RPC has a successful
+     * status after the [service perimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] is removed from
+     * long-lasting storage.
      * 
*/ public void deleteServicePerimeter( @@ -2262,18 +2456,18 @@ public void deleteServicePerimeter( * * *
-     * Replace all existing [Service Perimeters]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] in an
-     * [Access Policy] [google.identity.accesscontextmanager.v1.AccessPolicy]
-     * with the [Service Perimeters]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] provided.
-     * This is done atomically. The longrunning operation from this
-     * RPC will have a successful status once all replacements have propagated to
-     * long-lasting storage. Replacements containing errors will result in an
-     * error response for the first error encountered. Replacement will be
-     * cancelled on error, existing [Service Perimeters]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] will not be
-     * affected. Operation.response field will contain
+     * Replace all existing [service perimeters]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] in an [access
+     * policy] [google.identity.accesscontextmanager.v1.AccessPolicy] with the
+     * [service perimeters]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] provided. This
+     * is done atomically. The long-running operation from this RPC has a
+     * successful status after all replacements propagate to long-lasting storage.
+     * Replacements containing errors result in an error response for the first
+     * error encountered. Upon an error, replacement are cancelled and existing
+     * [service perimeters]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] are not
+     * affected. The Operation.response field contains
      * ReplaceServicePerimetersResponse.
      * 
*/ @@ -2290,21 +2484,21 @@ public void replaceServicePerimeters( * * *
-     * Commit the dry-run spec for all the [Service Perimeters]
+     * Commits the dry-run specification for all the [service perimeters]
      * [google.identity.accesscontextmanager.v1.ServicePerimeter] in an
-     * [Access Policy][google.identity.accesscontextmanager.v1.AccessPolicy].
-     * A commit operation on a Service Perimeter involves copying its `spec` field
-     * to that Service Perimeter's `status` field. Only [Service Perimeters]
+     * [access policy][google.identity.accesscontextmanager.v1.AccessPolicy].
+     * A commit operation on a service perimeter involves copying its `spec` field
+     * to the `status` field of the service perimeter. Only [service perimeters]
      * [google.identity.accesscontextmanager.v1.ServicePerimeter] with
      * `use_explicit_dry_run_spec` field set to true are affected by a commit
-     * operation. The longrunning operation from this RPC will have a successful
-     * status once the dry-run specs for all the [Service Perimeters]
+     * operation. The long-running operation from this RPC has a successful
+     * status after the dry-run specifications for all the [service perimeters]
      * [google.identity.accesscontextmanager.v1.ServicePerimeter] have been
-     * committed. If a commit fails, it will cause the longrunning operation to
-     * return an error response and the entire commit operation will be cancelled.
-     * When successful, Operation.response field will contain
-     * CommitServicePerimetersResponse. The `dry_run` and the `spec` fields will
-     * be cleared after a successful commit operation.
+     * committed. If a commit fails, it causes the long-running operation to
+     * return an error response and the entire commit operation is cancelled.
+     * When successful, the Operation.response field contains
+     * CommitServicePerimetersResponse. The `dry_run` and the `spec` fields are
+     * cleared after a successful commit operation.
      * 
*/ public void commitServicePerimeters( @@ -2364,7 +2558,7 @@ public void getGcpUserAccessBinding( * [google.identity.accesscontextmanager.v1.GcpUserAccessBinding]. If the * client specifies a [name] * [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.name], - * the server will ignore it. Fails if a resource already exists with the same + * the server ignores it. Fails if a resource already exists with the same * [group_key] * [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.group_key]. * Completion of this long-running operation does not necessarily signify that @@ -2420,21 +2614,81 @@ public void deleteGcpUserAccessBinding( request, responseObserver); } + + /** + * + * + *
+     * Sets the IAM policy for the specified Access Context Manager
+     * [access policy][google.identity.accesscontextmanager.v1.AccessPolicy].
+     * This method replaces the existing IAM policy on the access policy. The IAM
+     * policy controls the set of users who can perform specific operations on the
+     * Access Context Manager [access
+     * policy][google.identity.accesscontextmanager.v1.AccessPolicy].
+     * 
+ */ + public void setIamPolicy( + com.google.iam.v1.SetIamPolicyRequest request, + io.grpc.stub.StreamObserver responseObserver) { + io.grpc.stub.ClientCalls.asyncUnaryCall( + getChannel().newCall(getSetIamPolicyMethod(), getCallOptions()), + request, + responseObserver); + } + + /** + * + * + *
+     * Gets the IAM policy for the specified Access Context Manager
+     * [access policy][google.identity.accesscontextmanager.v1.AccessPolicy].
+     * 
+ */ + public void getIamPolicy( + com.google.iam.v1.GetIamPolicyRequest request, + io.grpc.stub.StreamObserver responseObserver) { + io.grpc.stub.ClientCalls.asyncUnaryCall( + getChannel().newCall(getGetIamPolicyMethod(), getCallOptions()), + request, + responseObserver); + } + + /** + * + * + *
+     * Returns the IAM permissions that the caller has on the specified Access
+     * Context Manager resource. The resource can be an
+     * [AccessPolicy][google.identity.accesscontextmanager.v1.AccessPolicy],
+     * [AccessLevel][google.identity.accesscontextmanager.v1.AccessLevel], or
+     * [ServicePerimeter][google.identity.accesscontextmanager.v1.ServicePerimeter
+     * ]. This method does not support other resources.
+     * 
+ */ + public void testIamPermissions( + com.google.iam.v1.TestIamPermissionsRequest request, + io.grpc.stub.StreamObserver + responseObserver) { + io.grpc.stub.ClientCalls.asyncUnaryCall( + getChannel().newCall(getTestIamPermissionsMethod(), getCallOptions()), + request, + responseObserver); + } } /** * * *
-   * API for setting [Access Levels]
-   * [google.identity.accesscontextmanager.v1.AccessLevel] and [Service
-   * Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter]
-   * for Google Cloud Projects. Each organization has one [AccessPolicy]
-   * [google.identity.accesscontextmanager.v1.AccessPolicy] containing the
-   * [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel]
-   * and [Service Perimeters]
+   * API for setting [access levels]
+   * [google.identity.accesscontextmanager.v1.AccessLevel] and [service
+   * perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter]
+   * for Google Cloud projects. Each organization has one [access policy]
+   * [google.identity.accesscontextmanager.v1.AccessPolicy] that contains the
+   * [access levels] [google.identity.accesscontextmanager.v1.AccessLevel]
+   * and [service perimeters]
    * [google.identity.accesscontextmanager.v1.ServicePerimeter]. This
-   * [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy] is
+   * [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy] is
    * applicable to all resources in the organization.
    * AccessPolicies
    * 
@@ -2456,9 +2710,9 @@ protected AccessContextManagerBlockingStub build( * * *
-     * List all [AccessPolicies]
-     * [google.identity.accesscontextmanager.v1.AccessPolicy] under a
-     * container.
+     * Lists all [access policies]
+     * [google.identity.accesscontextmanager.v1.AccessPolicy] in an
+     * organization.
      * 
*/ public com.google.identity.accesscontextmanager.v1.ListAccessPoliciesResponse @@ -2472,8 +2726,8 @@ protected AccessContextManagerBlockingStub build( * * *
-     * Get an [AccessPolicy]
-     * [google.identity.accesscontextmanager.v1.AccessPolicy] by name.
+     * Returns an [access policy]
+     * [google.identity.accesscontextmanager.v1.AccessPolicy] based on the name.
      * 
*/ public com.google.identity.accesscontextmanager.v1.AccessPolicy getAccessPolicy( @@ -2486,10 +2740,10 @@ public com.google.identity.accesscontextmanager.v1.AccessPolicy getAccessPolicy( * * *
-     * Create an `AccessPolicy`. Fails if this organization already has a
-     * `AccessPolicy`. The longrunning Operation will have a successful status
-     * once the `AccessPolicy` has propagated to long-lasting storage.
-     * Syntactic and basic semantic errors will be returned in `metadata` as a
+     * Creates an access policy. This method fails if the organization already has
+     * an access policy. The long-running operation has a successful status
+     * after the access policy propagates to long-lasting storage.
+     * Syntactic and basic semantic errors are returned in `metadata` as a
      * BadRequest proto.
      * 
*/ @@ -2503,13 +2757,12 @@ public com.google.longrunning.Operation createAccessPolicy( * * *
-     * Update an [AccessPolicy]
+     * Updates an [access policy]
      * [google.identity.accesscontextmanager.v1.AccessPolicy]. The
-     * longrunning Operation from this RPC will have a successful status once the
-     * changes to the [AccessPolicy]
-     * [google.identity.accesscontextmanager.v1.AccessPolicy] have propagated
-     * to long-lasting storage. Syntactic and basic semantic errors will be
-     * returned in `metadata` as a BadRequest proto.
+     * long-running operation from this RPC has a successful status after the
+     * changes to the [access policy]
+     * [google.identity.accesscontextmanager.v1.AccessPolicy] propagate
+     * to long-lasting storage.
      * 
*/ public com.google.longrunning.Operation updateAccessPolicy( @@ -2522,11 +2775,11 @@ public com.google.longrunning.Operation updateAccessPolicy( * * *
-     * Delete an [AccessPolicy]
-     * [google.identity.accesscontextmanager.v1.AccessPolicy] by resource
-     * name. The longrunning Operation will have a successful status once the
-     * [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy]
-     * has been removed from long-lasting storage.
+     * Deletes an [access policy]
+     * [google.identity.accesscontextmanager.v1.AccessPolicy] based on the
+     * resource name. The long-running operation has a successful status after the
+     * [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy]
+     * is removed from long-lasting storage.
      * 
*/ public com.google.longrunning.Operation deleteAccessPolicy( @@ -2539,7 +2792,7 @@ public com.google.longrunning.Operation deleteAccessPolicy( * * *
-     * List all [Access Levels]
+     * Lists all [access levels]
      * [google.identity.accesscontextmanager.v1.AccessLevel] for an access
      * policy.
      * 
@@ -2554,8 +2807,8 @@ public com.google.identity.accesscontextmanager.v1.ListAccessLevelsResponse list * * *
-     * Get an [Access Level]
-     * [google.identity.accesscontextmanager.v1.AccessLevel] by resource
+     * Gets an [access level]
+     * [google.identity.accesscontextmanager.v1.AccessLevel] based on the resource
      * name.
      * 
*/ @@ -2569,13 +2822,13 @@ public com.google.identity.accesscontextmanager.v1.AccessLevel getAccessLevel( * * *
-     * Create an [Access Level]
-     * [google.identity.accesscontextmanager.v1.AccessLevel]. The longrunning
-     * operation from this RPC will have a successful status once the [Access
-     * Level] [google.identity.accesscontextmanager.v1.AccessLevel] has
-     * propagated to long-lasting storage. [Access Levels]
-     * [google.identity.accesscontextmanager.v1.AccessLevel] containing
-     * errors will result in an error response for the first error encountered.
+     * Creates an [access level]
+     * [google.identity.accesscontextmanager.v1.AccessLevel]. The long-running
+     * operation from this RPC has a successful status after the [access
+     * level] [google.identity.accesscontextmanager.v1.AccessLevel]
+     * propagates to long-lasting storage. If [access levels]
+     * [google.identity.accesscontextmanager.v1.AccessLevel] contain
+     * errors, an error response is returned for the first error encountered.
      * 
*/ public com.google.longrunning.Operation createAccessLevel( @@ -2588,14 +2841,14 @@ public com.google.longrunning.Operation createAccessLevel( * * *
-     * Update an [Access Level]
-     * [google.identity.accesscontextmanager.v1.AccessLevel]. The longrunning
-     * operation from this RPC will have a successful status once the changes to
-     * the [Access Level]
-     * [google.identity.accesscontextmanager.v1.AccessLevel] have propagated
-     * to long-lasting storage. [Access Levels]
-     * [google.identity.accesscontextmanager.v1.AccessLevel] containing
-     * errors will result in an error response for the first error encountered.
+     * Updates an [access level]
+     * [google.identity.accesscontextmanager.v1.AccessLevel]. The long-running
+     * operation from this RPC has a successful status after the changes to
+     * the [access level]
+     * [google.identity.accesscontextmanager.v1.AccessLevel] propagate
+     * to long-lasting storage. If [access levels]
+     * [google.identity.accesscontextmanager.v1.AccessLevel] contain
+     * errors, an error response is returned for the first error encountered.
      * 
*/ public com.google.longrunning.Operation updateAccessLevel( @@ -2608,10 +2861,10 @@ public com.google.longrunning.Operation updateAccessLevel( * * *
-     * Delete an [Access Level]
-     * [google.identity.accesscontextmanager.v1.AccessLevel] by resource
-     * name. The longrunning operation from this RPC will have a successful status
-     * once the [Access Level]
+     * Deletes an [access level]
+     * [google.identity.accesscontextmanager.v1.AccessLevel] based on the resource
+     * name. The long-running operation from this RPC has a successful status
+     * after the [access level]
      * [google.identity.accesscontextmanager.v1.AccessLevel] has been removed
      * from long-lasting storage.
      * 
@@ -2626,22 +2879,22 @@ public com.google.longrunning.Operation deleteAccessLevel( * * *
-     * Replace all existing [Access Levels]
-     * [google.identity.accesscontextmanager.v1.AccessLevel] in an [Access
-     * Policy] [google.identity.accesscontextmanager.v1.AccessPolicy] with
-     * the [Access Levels]
+     * Replaces all existing [access levels]
+     * [google.identity.accesscontextmanager.v1.AccessLevel] in an [access
+     * policy] [google.identity.accesscontextmanager.v1.AccessPolicy] with
+     * the [access levels]
      * [google.identity.accesscontextmanager.v1.AccessLevel] provided. This
-     * is done atomically. The longrunning operation from this RPC will have a
-     * successful status once all replacements have propagated to long-lasting
-     * storage. Replacements containing errors will result in an error response
-     * for the first error encountered.  Replacement will be cancelled on error,
-     * existing [Access Levels]
-     * [google.identity.accesscontextmanager.v1.AccessLevel] will not be
-     * affected. Operation.response field will contain
-     * ReplaceAccessLevelsResponse. Removing [Access Levels]
+     * is done atomically. The long-running operation from this RPC has a
+     * successful status after all replacements propagate to long-lasting
+     * storage. If the replacement contains errors, an error response is returned
+     * for the first error encountered.  Upon error, the replacement is cancelled,
+     * and existing [access levels]
+     * [google.identity.accesscontextmanager.v1.AccessLevel] are not
+     * affected. The Operation.response field contains
+     * ReplaceAccessLevelsResponse. Removing [access levels]
      * [google.identity.accesscontextmanager.v1.AccessLevel] contained in existing
-     * [Service Perimeters]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] will result in
+     * [service perimeters]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] result in an
      * error.
      * 
*/ @@ -2655,7 +2908,7 @@ public com.google.longrunning.Operation replaceAccessLevels( * * *
-     * List all [Service Perimeters]
+     * Lists all [service perimeters]
      * [google.identity.accesscontextmanager.v1.ServicePerimeter] for an
      * access policy.
      * 
@@ -2671,9 +2924,9 @@ public com.google.longrunning.Operation replaceAccessLevels( * * *
-     * Get a [Service Perimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] by resource
-     * name.
+     * Gets a [service perimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] based on the
+     * resource name.
      * 
*/ public com.google.identity.accesscontextmanager.v1.ServicePerimeter getServicePerimeter( @@ -2686,14 +2939,14 @@ public com.google.identity.accesscontextmanager.v1.ServicePerimeter getServicePe * * *
-     * Create a [Service Perimeter]
+     * Creates a [service perimeter]
      * [google.identity.accesscontextmanager.v1.ServicePerimeter]. The
-     * longrunning operation from this RPC will have a successful status once the
-     * [Service Perimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] has
-     * propagated to long-lasting storage. [Service Perimeters]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] containing
-     * errors will result in an error response for the first error encountered.
+     * long-running operation from this RPC has a successful status after the
+     * [service perimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter]
+     * propagates to long-lasting storage. If a [service perimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] contains
+     * errors, an error response is returned for the first error encountered.
      * 
*/ public com.google.longrunning.Operation createServicePerimeter( @@ -2706,14 +2959,14 @@ public com.google.longrunning.Operation createServicePerimeter( * * *
-     * Update a [Service Perimeter]
+     * Updates a [service perimeter]
      * [google.identity.accesscontextmanager.v1.ServicePerimeter]. The
-     * longrunning operation from this RPC will have a successful status once the
-     * changes to the [Service Perimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] have
-     * propagated to long-lasting storage. [Service Perimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] containing
-     * errors will result in an error response for the first error encountered.
+     * long-running operation from this RPC has a successful status after the
+     * [service perimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter]
+     * propagates to long-lasting storage. If a [service perimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] contains
+     * errors, an error response is returned for the first error encountered.
      * 
*/ public com.google.longrunning.Operation updateServicePerimeter( @@ -2726,12 +2979,12 @@ public com.google.longrunning.Operation updateServicePerimeter( * * *
-     * Delete a [Service Perimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] by resource
-     * name. The longrunning operation from this RPC will have a successful status
-     * once the [Service Perimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] has been
-     * removed from long-lasting storage.
+     * Deletes a [service perimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] based on the
+     * resource name. The long-running operation from this RPC has a successful
+     * status after the [service perimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] is removed from
+     * long-lasting storage.
      * 
*/ public com.google.longrunning.Operation deleteServicePerimeter( @@ -2744,18 +2997,18 @@ public com.google.longrunning.Operation deleteServicePerimeter( * * *
-     * Replace all existing [Service Perimeters]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] in an
-     * [Access Policy] [google.identity.accesscontextmanager.v1.AccessPolicy]
-     * with the [Service Perimeters]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] provided.
-     * This is done atomically. The longrunning operation from this
-     * RPC will have a successful status once all replacements have propagated to
-     * long-lasting storage. Replacements containing errors will result in an
-     * error response for the first error encountered. Replacement will be
-     * cancelled on error, existing [Service Perimeters]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] will not be
-     * affected. Operation.response field will contain
+     * Replace all existing [service perimeters]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] in an [access
+     * policy] [google.identity.accesscontextmanager.v1.AccessPolicy] with the
+     * [service perimeters]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] provided. This
+     * is done atomically. The long-running operation from this RPC has a
+     * successful status after all replacements propagate to long-lasting storage.
+     * Replacements containing errors result in an error response for the first
+     * error encountered. Upon an error, replacement are cancelled and existing
+     * [service perimeters]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] are not
+     * affected. The Operation.response field contains
      * ReplaceServicePerimetersResponse.
      * 
*/ @@ -2769,21 +3022,21 @@ public com.google.longrunning.Operation replaceServicePerimeters( * * *
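Review bot: The reworded comment for `replaceServicePerimeters` still opens with `Replace all existing [service perimeters]`, while the other method comments in this diff moved to the third person. The new sentence `Upon an error, replacement are cancelled and existing` also has a number mismatch. I would write `Replaces all existing [service perimeters]` and `Upon an error, the replacement is cancelled and existing`, which matches the wording already used for `replaceAccessLevels`. The same two lines recur in the future stub's copy of this comment later in the diff.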
-     * Commit the dry-run spec for all the [Service Perimeters]
+     * Commits the dry-run specification for all the [service perimeters]
      * [google.identity.accesscontextmanager.v1.ServicePerimeter] in an
-     * [Access Policy][google.identity.accesscontextmanager.v1.AccessPolicy].
-     * A commit operation on a Service Perimeter involves copying its `spec` field
-     * to that Service Perimeter's `status` field. Only [Service Perimeters]
+     * [access policy][google.identity.accesscontextmanager.v1.AccessPolicy].
+     * A commit operation on a service perimeter involves copying its `spec` field
+     * to the `status` field of the service perimeter. Only [service perimeters]
      * [google.identity.accesscontextmanager.v1.ServicePerimeter] with
      * `use_explicit_dry_run_spec` field set to true are affected by a commit
-     * operation. The longrunning operation from this RPC will have a successful
-     * status once the dry-run specs for all the [Service Perimeters]
+     * operation. The long-running operation from this RPC has a successful
+     * status after the dry-run specifications for all the [service perimeters]
      * [google.identity.accesscontextmanager.v1.ServicePerimeter] have been
-     * committed. If a commit fails, it will cause the longrunning operation to
-     * return an error response and the entire commit operation will be cancelled.
-     * When successful, Operation.response field will contain
-     * CommitServicePerimetersResponse. The `dry_run` and the `spec` fields will
-     * be cleared after a successful commit operation.
+     * committed. If a commit fails, it causes the long-running operation to
+     * return an error response and the entire commit operation is cancelled.
+     * When successful, the Operation.response field contains
+     * CommitServicePerimetersResponse. The `dry_run` and the `spec` fields are
+     * cleared after a successful commit operation.
      * 
*/ public com.google.longrunning.Operation commitServicePerimeters( @@ -2831,7 +3084,7 @@ public com.google.identity.accesscontextmanager.v1.GcpUserAccessBinding getGcpUs * [google.identity.accesscontextmanager.v1.GcpUserAccessBinding]. If the * client specifies a [name] * [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.name], - * the server will ignore it. Fails if a resource already exists with the same + * the server ignores it. Fails if a resource already exists with the same * [group_key] * [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.group_key]. * Completion of this long-running operation does not necessarily signify that @@ -2878,21 +3131,69 @@ public com.google.longrunning.Operation deleteGcpUserAccessBinding( return io.grpc.stub.ClientCalls.blockingUnaryCall( getChannel(), getDeleteGcpUserAccessBindingMethod(), getCallOptions(), request); } + + /** + * + * + *
+     * Sets the IAM policy for the specified Access Context Manager
+     * [access policy][google.identity.accesscontextmanager.v1.AccessPolicy].
+     * This method replaces the existing IAM policy on the access policy. The IAM
+     * policy controls the set of users who can perform specific operations on the
+     * Access Context Manager [access
+     * policy][google.identity.accesscontextmanager.v1.AccessPolicy].
+     * 
+ */ + public com.google.iam.v1.Policy setIamPolicy(com.google.iam.v1.SetIamPolicyRequest request) { + return io.grpc.stub.ClientCalls.blockingUnaryCall( + getChannel(), getSetIamPolicyMethod(), getCallOptions(), request); + } + + /** + * + * + *
+     * Gets the IAM policy for the specified Access Context Manager
+     * [access policy][google.identity.accesscontextmanager.v1.AccessPolicy].
+     * 
+ */ + public com.google.iam.v1.Policy getIamPolicy(com.google.iam.v1.GetIamPolicyRequest request) { + return io.grpc.stub.ClientCalls.blockingUnaryCall( + getChannel(), getGetIamPolicyMethod(), getCallOptions(), request); + } + + /** + * + * + *
+     * Returns the IAM permissions that the caller has on the specified Access
+     * Context Manager resource. The resource can be an
+     * [AccessPolicy][google.identity.accesscontextmanager.v1.AccessPolicy],
+     * [AccessLevel][google.identity.accesscontextmanager.v1.AccessLevel], or
+     * [ServicePerimeter][google.identity.accesscontextmanager.v1.ServicePerimeter
+     * ]. This method does not support other resources.
+     * 
+ */ + public com.google.iam.v1.TestIamPermissionsResponse testIamPermissions( + com.google.iam.v1.TestIamPermissionsRequest request) { + return io.grpc.stub.ClientCalls.blockingUnaryCall( + getChannel(), getTestIamPermissionsMethod(), getCallOptions(), request); + } } /** * * *
-   * API for setting [Access Levels]
-   * [google.identity.accesscontextmanager.v1.AccessLevel] and [Service
-   * Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter]
-   * for Google Cloud Projects. Each organization has one [AccessPolicy]
-   * [google.identity.accesscontextmanager.v1.AccessPolicy] containing the
-   * [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel]
-   * and [Service Perimeters]
+   * API for setting [access levels]
+   * [google.identity.accesscontextmanager.v1.AccessLevel] and [service
+   * perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter]
+   * for Google Cloud projects. Each organization has one [access policy]
+   * [google.identity.accesscontextmanager.v1.AccessPolicy] that contains the
+   * [access levels] [google.identity.accesscontextmanager.v1.AccessLevel]
+   * and [service perimeters]
    * [google.identity.accesscontextmanager.v1.ServicePerimeter]. This
-   * [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy] is
+   * [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy] is
    * applicable to all resources in the organization.
    * AccessPolicies
    * 
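Review bot: The Javadoc added for the blocking stub's `setIamPolicy` says the call replaces the existing IAM policy on the access policy, but it gives callers no guidance on avoiding an overwrite of a concurrent change or the loss of existing bindings. Because this policy decides who may administer the access policy, I would add a sentence such as `Read the current policy with getIamPolicy, modify it, and send it back with its etag so that a conflicting update can be rejected instead of silently overwritten.` The same comment is repeated on the future stub's `setIamPolicy` later in this diff. This class looks like generated gRPC code, so the wording probably has to change in the service definition it is generated from rather than in this file.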
@@ -2914,9 +3215,9 @@ protected AccessContextManagerFutureStub build( * * *
-     * List all [AccessPolicies]
-     * [google.identity.accesscontextmanager.v1.AccessPolicy] under a
-     * container.
+     * Lists all [access policies]
+     * [google.identity.accesscontextmanager.v1.AccessPolicy] in an
+     * organization.
      * 
*/ public com.google.common.util.concurrent.ListenableFuture< @@ -2931,8 +3232,8 @@ protected AccessContextManagerFutureStub build( * * *
-     * Get an [AccessPolicy]
-     * [google.identity.accesscontextmanager.v1.AccessPolicy] by name.
+     * Returns an [access policy]
+     * [google.identity.accesscontextmanager.v1.AccessPolicy] based on the name.
      * 
*/ public com.google.common.util.concurrent.ListenableFuture< @@ -2947,10 +3248,10 @@ protected AccessContextManagerFutureStub build( * * *
-     * Create an `AccessPolicy`. Fails if this organization already has a
-     * `AccessPolicy`. The longrunning Operation will have a successful status
-     * once the `AccessPolicy` has propagated to long-lasting storage.
-     * Syntactic and basic semantic errors will be returned in `metadata` as a
+     * Creates an access policy. This method fails if the organization already has
+     * an access policy. The long-running operation has a successful status
+     * after the access policy propagates to long-lasting storage.
+     * Syntactic and basic semantic errors are returned in `metadata` as a
      * BadRequest proto.
      * 
*/ @@ -2964,13 +3265,12 @@ protected AccessContextManagerFutureStub build( * * *
-     * Update an [AccessPolicy]
+     * Updates an [access policy]
      * [google.identity.accesscontextmanager.v1.AccessPolicy]. The
-     * longrunning Operation from this RPC will have a successful status once the
-     * changes to the [AccessPolicy]
-     * [google.identity.accesscontextmanager.v1.AccessPolicy] have propagated
-     * to long-lasting storage. Syntactic and basic semantic errors will be
-     * returned in `metadata` as a BadRequest proto.
+     * long-running operation from this RPC has a successful status after the
+     * changes to the [access policy]
+     * [google.identity.accesscontextmanager.v1.AccessPolicy] propagate
+     * to long-lasting storage.
      * 
*/ public com.google.common.util.concurrent.ListenableFuture @@ -2984,11 +3284,11 @@ protected AccessContextManagerFutureStub build( * * *
-     * Delete an [AccessPolicy]
-     * [google.identity.accesscontextmanager.v1.AccessPolicy] by resource
-     * name. The longrunning Operation will have a successful status once the
-     * [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy]
-     * has been removed from long-lasting storage.
+     * Deletes an [access policy]
+     * [google.identity.accesscontextmanager.v1.AccessPolicy] based on the
+     * resource name. The long-running operation has a successful status after the
+     * [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy]
+     * is removed from long-lasting storage.
      * 
*/ public com.google.common.util.concurrent.ListenableFuture @@ -3002,7 +3302,7 @@ protected AccessContextManagerFutureStub build( * * *
-     * List all [Access Levels]
+     * Lists all [access levels]
      * [google.identity.accesscontextmanager.v1.AccessLevel] for an access
      * policy.
      * 
@@ -3019,8 +3319,8 @@ protected AccessContextManagerFutureStub build( * * *
-     * Get an [Access Level]
-     * [google.identity.accesscontextmanager.v1.AccessLevel] by resource
+     * Gets an [access level]
+     * [google.identity.accesscontextmanager.v1.AccessLevel] based on the resource
      * name.
      * 
*/ @@ -3035,13 +3335,13 @@ protected AccessContextManagerFutureStub build( * * *
-     * Create an [Access Level]
-     * [google.identity.accesscontextmanager.v1.AccessLevel]. The longrunning
-     * operation from this RPC will have a successful status once the [Access
-     * Level] [google.identity.accesscontextmanager.v1.AccessLevel] has
-     * propagated to long-lasting storage. [Access Levels]
-     * [google.identity.accesscontextmanager.v1.AccessLevel] containing
-     * errors will result in an error response for the first error encountered.
+     * Creates an [access level]
+     * [google.identity.accesscontextmanager.v1.AccessLevel]. The long-running
+     * operation from this RPC has a successful status after the [access
+     * level] [google.identity.accesscontextmanager.v1.AccessLevel]
+     * propagates to long-lasting storage. If [access levels]
+     * [google.identity.accesscontextmanager.v1.AccessLevel] contain
+     * errors, an error response is returned for the first error encountered.
      * 
*/ public com.google.common.util.concurrent.ListenableFuture @@ -3055,14 +3355,14 @@ protected AccessContextManagerFutureStub build( * * *
-     * Update an [Access Level]
-     * [google.identity.accesscontextmanager.v1.AccessLevel]. The longrunning
-     * operation from this RPC will have a successful status once the changes to
-     * the [Access Level]
-     * [google.identity.accesscontextmanager.v1.AccessLevel] have propagated
-     * to long-lasting storage. [Access Levels]
-     * [google.identity.accesscontextmanager.v1.AccessLevel] containing
-     * errors will result in an error response for the first error encountered.
+     * Updates an [access level]
+     * [google.identity.accesscontextmanager.v1.AccessLevel]. The long-running
+     * operation from this RPC has a successful status after the changes to
+     * the [access level]
+     * [google.identity.accesscontextmanager.v1.AccessLevel] propagate
+     * to long-lasting storage. If [access levels]
+     * [google.identity.accesscontextmanager.v1.AccessLevel] contain
+     * errors, an error response is returned for the first error encountered.
      * 
*/ public com.google.common.util.concurrent.ListenableFuture @@ -3076,10 +3376,10 @@ protected AccessContextManagerFutureStub build( * * *
-     * Delete an [Access Level]
-     * [google.identity.accesscontextmanager.v1.AccessLevel] by resource
-     * name. The longrunning operation from this RPC will have a successful status
-     * once the [Access Level]
+     * Deletes an [access level]
+     * [google.identity.accesscontextmanager.v1.AccessLevel] based on the resource
+     * name. The long-running operation from this RPC has a successful status
+     * after the [access level]
      * [google.identity.accesscontextmanager.v1.AccessLevel] has been removed
      * from long-lasting storage.
      * 
@@ -3095,22 +3395,22 @@ protected AccessContextManagerFutureStub build( * * *
-     * Replace all existing [Access Levels]
-     * [google.identity.accesscontextmanager.v1.AccessLevel] in an [Access
-     * Policy] [google.identity.accesscontextmanager.v1.AccessPolicy] with
-     * the [Access Levels]
+     * Replaces all existing [access levels]
+     * [google.identity.accesscontextmanager.v1.AccessLevel] in an [access
+     * policy] [google.identity.accesscontextmanager.v1.AccessPolicy] with
+     * the [access levels]
      * [google.identity.accesscontextmanager.v1.AccessLevel] provided. This
-     * is done atomically. The longrunning operation from this RPC will have a
-     * successful status once all replacements have propagated to long-lasting
-     * storage. Replacements containing errors will result in an error response
-     * for the first error encountered.  Replacement will be cancelled on error,
-     * existing [Access Levels]
-     * [google.identity.accesscontextmanager.v1.AccessLevel] will not be
-     * affected. Operation.response field will contain
-     * ReplaceAccessLevelsResponse. Removing [Access Levels]
+     * is done atomically. The long-running operation from this RPC has a
+     * successful status after all replacements propagate to long-lasting
+     * storage. If the replacement contains errors, an error response is returned
+     * for the first error encountered.  Upon error, the replacement is cancelled,
+     * and existing [access levels]
+     * [google.identity.accesscontextmanager.v1.AccessLevel] are not
+     * affected. The Operation.response field contains
+     * ReplaceAccessLevelsResponse. Removing [access levels]
      * [google.identity.accesscontextmanager.v1.AccessLevel] contained in existing
-     * [Service Perimeters]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] will result in
+     * [service perimeters]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] result in an
      * error.
      * 
*/ @@ -3125,7 +3425,7 @@ protected AccessContextManagerFutureStub build( * * *
-     * List all [Service Perimeters]
+     * Lists all [service perimeters]
      * [google.identity.accesscontextmanager.v1.ServicePerimeter] for an
      * access policy.
      * 
@@ -3142,9 +3442,9 @@ protected AccessContextManagerFutureStub build( * * *
-     * Get a [Service Perimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] by resource
-     * name.
+     * Gets a [service perimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] based on the
+     * resource name.
      * 
*/ public com.google.common.util.concurrent.ListenableFuture< @@ -3159,14 +3459,14 @@ protected AccessContextManagerFutureStub build( * * *
-     * Create a [Service Perimeter]
+     * Creates a [service perimeter]
      * [google.identity.accesscontextmanager.v1.ServicePerimeter]. The
-     * longrunning operation from this RPC will have a successful status once the
-     * [Service Perimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] has
-     * propagated to long-lasting storage. [Service Perimeters]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] containing
-     * errors will result in an error response for the first error encountered.
+     * long-running operation from this RPC has a successful status after the
+     * [service perimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter]
+     * propagates to long-lasting storage. If a [service perimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] contains
+     * errors, an error response is returned for the first error encountered.
      * 
*/ public com.google.common.util.concurrent.ListenableFuture @@ -3180,14 +3480,14 @@ protected AccessContextManagerFutureStub build( * * *
-     * Update a [Service Perimeter]
+     * Updates a [service perimeter]
      * [google.identity.accesscontextmanager.v1.ServicePerimeter]. The
-     * longrunning operation from this RPC will have a successful status once the
-     * changes to the [Service Perimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] have
-     * propagated to long-lasting storage. [Service Perimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] containing
-     * errors will result in an error response for the first error encountered.
+     * long-running operation from this RPC has a successful status after the
+     * [service perimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter]
+     * propagates to long-lasting storage. If a [service perimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] contains
+     * errors, an error response is returned for the first error encountered.
      * 
*/ public com.google.common.util.concurrent.ListenableFuture @@ -3201,12 +3501,12 @@ protected AccessContextManagerFutureStub build( * * *
-     * Delete a [Service Perimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] by resource
-     * name. The longrunning operation from this RPC will have a successful status
-     * once the [Service Perimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] has been
-     * removed from long-lasting storage.
+     * Deletes a [service perimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] based on the
+     * resource name. The long-running operation from this RPC has a successful
+     * status after the [service perimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] is removed from
+     * long-lasting storage.
      * 
*/ public com.google.common.util.concurrent.ListenableFuture @@ -3220,18 +3520,18 @@ protected AccessContextManagerFutureStub build( * * *
-     * Replace all existing [Service Perimeters]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] in an
-     * [Access Policy] [google.identity.accesscontextmanager.v1.AccessPolicy]
-     * with the [Service Perimeters]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] provided.
-     * This is done atomically. The longrunning operation from this
-     * RPC will have a successful status once all replacements have propagated to
-     * long-lasting storage. Replacements containing errors will result in an
-     * error response for the first error encountered. Replacement will be
-     * cancelled on error, existing [Service Perimeters]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] will not be
-     * affected. Operation.response field will contain
+     * Replace all existing [service perimeters]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] in an [access
+     * policy] [google.identity.accesscontextmanager.v1.AccessPolicy] with the
+     * [service perimeters]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] provided. This
+     * is done atomically. The long-running operation from this RPC has a
+     * successful status after all replacements propagate to long-lasting storage.
+     * Replacements containing errors result in an error response for the first
+     * error encountered. Upon an error, replacement are cancelled and existing
+     * [service perimeters]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] are not
+     * affected. The Operation.response field contains
      * ReplaceServicePerimetersResponse.
      * 
*/ @@ -3246,21 +3546,21 @@ protected AccessContextManagerFutureStub build( * * *
-     * Commit the dry-run spec for all the [Service Perimeters]
+     * Commits the dry-run specification for all the [service perimeters]
      * [google.identity.accesscontextmanager.v1.ServicePerimeter] in an
-     * [Access Policy][google.identity.accesscontextmanager.v1.AccessPolicy].
-     * A commit operation on a Service Perimeter involves copying its `spec` field
-     * to that Service Perimeter's `status` field. Only [Service Perimeters]
+     * [access policy][google.identity.accesscontextmanager.v1.AccessPolicy].
+     * A commit operation on a service perimeter involves copying its `spec` field
+     * to the `status` field of the service perimeter. Only [service perimeters]
      * [google.identity.accesscontextmanager.v1.ServicePerimeter] with
      * `use_explicit_dry_run_spec` field set to true are affected by a commit
-     * operation. The longrunning operation from this RPC will have a successful
-     * status once the dry-run specs for all the [Service Perimeters]
+     * operation. The long-running operation from this RPC has a successful
+     * status after the dry-run specifications for all the [service perimeters]
      * [google.identity.accesscontextmanager.v1.ServicePerimeter] have been
-     * committed. If a commit fails, it will cause the longrunning operation to
-     * return an error response and the entire commit operation will be cancelled.
-     * When successful, Operation.response field will contain
-     * CommitServicePerimetersResponse. The `dry_run` and the `spec` fields will
-     * be cleared after a successful commit operation.
+     * committed. If a commit fails, it causes the long-running operation to
+     * return an error response and the entire commit operation is cancelled.
+     * When successful, the Operation.response field contains
+     * CommitServicePerimetersResponse. The `dry_run` and the `spec` fields are
+     * cleared after a successful commit operation.
      * 
*/ public com.google.common.util.concurrent.ListenableFuture @@ -3312,7 +3612,7 @@ protected AccessContextManagerFutureStub build( * [google.identity.accesscontextmanager.v1.GcpUserAccessBinding]. If the * client specifies a [name] * [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.name], - * the server will ignore it. Fails if a resource already exists with the same + * the server ignores it. Fails if a resource already exists with the same * [group_key] * [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.group_key]. * Completion of this long-running operation does not necessarily signify that @@ -3362,6 +3662,57 @@ protected AccessContextManagerFutureStub build( return io.grpc.stub.ClientCalls.futureUnaryCall( getChannel().newCall(getDeleteGcpUserAccessBindingMethod(), getCallOptions()), request); } + + /** + * + * + *
+     * Sets the IAM policy for the specified Access Context Manager
+     * [access policy][google.identity.accesscontextmanager.v1.AccessPolicy].
+     * This method replaces the existing IAM policy on the access policy. The IAM
+     * policy controls the set of users who can perform specific operations on the
+     * Access Context Manager [access
+     * policy][google.identity.accesscontextmanager.v1.AccessPolicy].
+     * 
+ */ + public com.google.common.util.concurrent.ListenableFuture + setIamPolicy(com.google.iam.v1.SetIamPolicyRequest request) { + return io.grpc.stub.ClientCalls.futureUnaryCall( + getChannel().newCall(getSetIamPolicyMethod(), getCallOptions()), request); + } + + /** + * + * + *
+     * Gets the IAM policy for the specified Access Context Manager
+     * [access policy][google.identity.accesscontextmanager.v1.AccessPolicy].
+     * 
+ */ + public com.google.common.util.concurrent.ListenableFuture + getIamPolicy(com.google.iam.v1.GetIamPolicyRequest request) { + return io.grpc.stub.ClientCalls.futureUnaryCall( + getChannel().newCall(getGetIamPolicyMethod(), getCallOptions()), request); + } + + /** + * + * + *
+     * Returns the IAM permissions that the caller has on the specified Access
+     * Context Manager resource. The resource can be an
+     * [AccessPolicy][google.identity.accesscontextmanager.v1.AccessPolicy],
+     * [AccessLevel][google.identity.accesscontextmanager.v1.AccessLevel], or
+     * [ServicePerimeter][google.identity.accesscontextmanager.v1.ServicePerimeter
+     * ]. This method does not support other resources.
+     * 
+ */ + public com.google.common.util.concurrent.ListenableFuture< + com.google.iam.v1.TestIamPermissionsResponse> + testIamPermissions(com.google.iam.v1.TestIamPermissionsRequest request) { + return io.grpc.stub.ClientCalls.futureUnaryCall( + getChannel().newCall(getTestIamPermissionsMethod(), getCallOptions()), request); + } } private static final int METHODID_LIST_ACCESS_POLICIES = 0; @@ -3387,6 +3738,9 @@ protected AccessContextManagerFutureStub build( private static final int METHODID_CREATE_GCP_USER_ACCESS_BINDING = 20; private static final int METHODID_UPDATE_GCP_USER_ACCESS_BINDING = 21; private static final int METHODID_DELETE_GCP_USER_ACCESS_BINDING = 22; + private static final int METHODID_SET_IAM_POLICY = 23; + private static final int METHODID_GET_IAM_POLICY = 24; + private static final int METHODID_TEST_IAM_PERMISSIONS = 25; private static final class MethodHandlers implements io.grpc.stub.ServerCalls.UnaryMethod, @@ -3540,6 +3894,22 @@ public void invoke(Req request, io.grpc.stub.StreamObserver responseObserv request, (io.grpc.stub.StreamObserver) responseObserver); break; + case METHODID_SET_IAM_POLICY: + serviceImpl.setIamPolicy( + (com.google.iam.v1.SetIamPolicyRequest) request, + (io.grpc.stub.StreamObserver) responseObserver); + break; + case METHODID_GET_IAM_POLICY: + serviceImpl.getIamPolicy( + (com.google.iam.v1.GetIamPolicyRequest) request, + (io.grpc.stub.StreamObserver) responseObserver); + break; + case METHODID_TEST_IAM_PERMISSIONS: + serviceImpl.testIamPermissions( + (com.google.iam.v1.TestIamPermissionsRequest) request, + (io.grpc.stub.StreamObserver) + responseObserver); + break; default: throw new AssertionError(); } 
@@ -3627,6 +3997,9 @@ public static io.grpc.ServiceDescriptor getServiceDescriptor() { .addMethod(getCreateGcpUserAccessBindingMethod()) .addMethod(getUpdateGcpUserAccessBindingMethod()) .addMethod(getDeleteGcpUserAccessBindingMethod()) + .addMethod(getSetIamPolicyMethod()) + .addMethod(getGetIamPolicyMethod()) + .addMethod(getTestIamPermissionsMethod()) .build(); } } diff --git a/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/pom.xml b/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/pom.xml index e16168673034..b4089c3aee59 100644 --- a/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/pom.xml +++ b/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/pom.xml @@ -29,10 +29,15 @@ com.google.guava guava + + com.google.api.grpc + proto-google-iam-v1 + + com.google.api.grpc proto-google-identity-accesscontextmanager-type 1.7.0 - \ No newline at end of file + diff --git a/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/AccessContextManagerProto.java b/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/AccessContextManagerProto.java index c81fa4990be6..8b7461f7fffb 100644 --- a/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/AccessContextManagerProto.java +++ b/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/AccessContextManagerProto.java 
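Review bot: The `proto-google-iam-v1` dependency added in the pom.xml hunk (`@@ -29,10 +29,15 @@`) is declared without a version, while the `proto-google-identity-accesscontextmanager-type` entry right below it carries `1.7.0`. Presumably the version is supplied by a parent POM or an imported BOM that this hunk does not show; that should be confirmed before merging. It matters here because the regenerated `AccessContextManagerProto` in this same commit now calls `com.google.iam.v1.IamPolicyProto.getDescriptor()` and `com.google.iam.v1.PolicyProto.getDescriptor()` while building its file descriptor, so an unmanaged or drifting IAM proto version could surface as a build or class-initialisation failure instead of a clear dependency error. I would add a one-line comment on the new entry, `<!-- version managed by the parent POM's dependencyManagement -->`, or pin the version explicitly if nothing manages it.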
@@ -165,284 +165,301 @@ public static com.google.protobuf.Descriptors.FileDescriptor getDescriptor() { + "dentity.accesscontextmanager.v1\032\034google/" + "api/annotations.proto\032\027google/api/client" + ".proto\032\037google/api/field_behavior.proto\032" - + "\031google/api/resource.proto\032:google/ident" - + "ity/accesscontextmanager/v1/access_level" - + ".proto\032;google/identity/accesscontextman" - + "ager/v1/access_policy.proto\032Egoogle/iden" - + "tity/accesscontextmanager/v1/gcp_user_ac" - + "cess_binding.proto\032?google/identity/acce" - + "sscontextmanager/v1/service_perimeter.pr" - + "oto\032#google/longrunning/operations.proto" - + "\032 google/protobuf/field_mask.proto\"\214\001\n\031L" - + "istAccessPoliciesRequest\022H\n\006parent\030\001 \001(\t" - + "B8\340A\002\372A2\n0cloudresourcemanager.googleapi" - + "s.com/Organization\022\021\n\tpage_size\030\002 \001(\005\022\022\n" - + "\npage_token\030\003 \001(\t\"\205\001\n\032ListAccessPolicies" - + "Response\022N\n\017access_policies\030\001 \003(\01325.goog" - + "le.identity.accesscontextmanager.v1.Acce" - + "ssPolicy\022\027\n\017next_page_token\030\002 \001(\t\"`\n\026Get" - + "AccessPolicyRequest\022F\n\004name\030\001 \001(\tB8\340A\002\372A" - + "2\n0accesscontextmanager.googleapis.com/A" - + "ccessPolicy\"\235\001\n\031UpdateAccessPolicyReques" - + "t\022J\n\006policy\030\001 \001(\01325.google.identity.acce" - + "sscontextmanager.v1.AccessPolicyB\003\340A\002\0224\n" - + "\013update_mask\030\002 \001(\0132\032.google.protobuf.Fie" - + "ldMaskB\003\340A\002\"c\n\031DeleteAccessPolicyRequest" - + "\022F\n\004name\030\001 \001(\tB8\340A\002\372A2\n0accesscontextman" - + "ager.googleapis.com/AccessPolicy\"\334\001\n\027Lis" - + "tAccessLevelsRequest\022G\n\006parent\030\001 \001(\tB7\340A" - + "\002\372A1\022/accesscontextmanager.googleapis.co" - + "m/AccessLevel\022\021\n\tpage_size\030\002 \001(\005\022\022\n\npage" - + "_token\030\003 \001(\t\022Q\n\023access_level_format\030\004 \001(" - 
+ "\01624.google.identity.accesscontextmanager" - + ".v1.LevelFormat\"\200\001\n\030ListAccessLevelsResp" - + "onse\022K\n\raccess_levels\030\001 \003(\01324.google.ide" - + "ntity.accesscontextmanager.v1.AccessLeve" - + "l\022\027\n\017next_page_token\030\002 \001(\t\"\261\001\n\025GetAccess" - + "LevelRequest\022E\n\004name\030\001 \001(\tB7\340A\002\372A1\n/acce" - + "sscontextmanager.googleapis.com/AccessLe" - + "vel\022Q\n\023access_level_format\030\002 \001(\01624.googl" - + "e.identity.accesscontextmanager.v1.Level" - + "Format\"\264\001\n\030CreateAccessLevelRequest\022G\n\006p" - + "arent\030\001 \001(\tB7\340A\002\372A1\022/accesscontextmanage" - + "r.googleapis.com/AccessLevel\022O\n\014access_l" - + "evel\030\002 \001(\01324.google.identity.accessconte" - + "xtmanager.v1.AccessLevelB\003\340A\002\"\241\001\n\030Update" - + "AccessLevelRequest\022O\n\014access_level\030\001 \001(\013" - + "24.google.identity.accesscontextmanager." - + "v1.AccessLevelB\003\340A\002\0224\n\013update_mask\030\002 \001(\013" - + "2\032.google.protobuf.FieldMaskB\003\340A\002\"a\n\030Del" - + "eteAccessLevelRequest\022E\n\004name\030\001 \001(\tB7\340A\002" - + "\372A1\n/accesscontextmanager.googleapis.com" - + "/AccessLevel\"\305\001\n\032ReplaceAccessLevelsRequ" - + "est\022G\n\006parent\030\001 \001(\tB7\340A\002\372A1\022/accessconte" - + "xtmanager.googleapis.com/AccessLevel\022P\n\r" - + "access_levels\030\002 \003(\01324.google.identity.ac" - + "cesscontextmanager.v1.AccessLevelB\003\340A\002\022\014" - + "\n\004etag\030\004 \001(\t\"j\n\033ReplaceAccessLevelsRespo" - + "nse\022K\n\raccess_levels\030\001 \003(\01324.google.iden" - + "tity.accesscontextmanager.v1.AccessLevel" - + "\"\223\001\n\034ListServicePerimetersRequest\022L\n\006par" - + "ent\030\001 \001(\tB<\340A\002\372A6\0224accesscontextmanager." 
- + "googleapis.com/ServicePerimeter\022\021\n\tpage_" - + "size\030\002 \001(\005\022\022\n\npage_token\030\003 \001(\t\"\217\001\n\035ListS" - + "ervicePerimetersResponse\022U\n\022service_peri" - + "meters\030\001 \003(\01329.google.identity.accesscon" - + "textmanager.v1.ServicePerimeter\022\027\n\017next_" - + "page_token\030\002 \001(\t\"h\n\032GetServicePerimeterR" - + "equest\022J\n\004name\030\001 \001(\tB<\340A\002\372A6\n4accesscont" - + "extmanager.googleapis.com/ServicePerimet" - + "er\"\310\001\n\035CreateServicePerimeterRequest\022L\n\006" - + "parent\030\001 \001(\tB<\340A\002\372A6\0224accesscontextmanag" - + "er.googleapis.com/ServicePerimeter\022Y\n\021se" - + "rvice_perimeter\030\002 \001(\01329.google.identity." - + "accesscontextmanager.v1.ServicePerimeter" - + "B\003\340A\002\"\260\001\n\035UpdateServicePerimeterRequest\022" - + "Y\n\021service_perimeter\030\001 \001(\01329.google.iden" - + "tity.accesscontextmanager.v1.ServicePeri" - + "meterB\003\340A\002\0224\n\013update_mask\030\002 \001(\0132\032.google" - + ".protobuf.FieldMaskB\003\340A\002\"k\n\035DeleteServic" - + "ePerimeterRequest\022J\n\004name\030\001 \001(\tB<\340A\002\372A6\n" - + "4accesscontextmanager.googleapis.com/Ser" - + "vicePerimeter\"\331\001\n\037ReplaceServicePerimete" - + "rsRequest\022L\n\006parent\030\001 \001(\tB<\340A\002\372A6\0224acces" - + "scontextmanager.googleapis.com/ServicePe" - + "rimeter\022Z\n\022service_perimeters\030\002 \003(\01329.go" - + "ogle.identity.accesscontextmanager.v1.Se" - + "rvicePerimeterB\003\340A\002\022\014\n\004etag\030\003 \001(\t\"y\n Rep" - + "laceServicePerimetersResponse\022U\n\022service" - + "_perimeters\030\001 \003(\01329.google.identity.acce" - + "sscontextmanager.v1.ServicePerimeter\"|\n\036" - + "CommitServicePerimetersRequest\022L\n\006parent" - + "\030\001 \001(\tB<\340A\002\372A6\0224accesscontextmanager.goo" - + "gleapis.com/ServicePerimeter\022\014\n\004etag\030\002 \001" - + 
"(\t\"x\n\037CommitServicePerimetersResponse\022U\n" - + "\022service_perimeters\030\001 \003(\01329.google.ident" - + "ity.accesscontextmanager.v1.ServicePerim" - + "eter\"\235\001\n ListGcpUserAccessBindingsReques" - + "t\022H\n\006parent\030\001 \001(\tB8\340A\002\372A2\n0cloudresource" - + "manager.googleapis.com/Organization\022\026\n\tp" - + "age_size\030\002 \001(\005B\003\340A\001\022\027\n\npage_token\030\003 \001(\tB" - + "\003\340A\001\"\235\001\n!ListGcpUserAccessBindingsRespon" - + "se\022_\n\030gcp_user_access_bindings\030\001 \003(\0132=.g" - + "oogle.identity.accesscontextmanager.v1.G" - + "cpUserAccessBinding\022\027\n\017next_page_token\030\002" - + " \001(\t\"p\n\036GetGcpUserAccessBindingRequest\022N" - + "\n\004name\030\001 \001(\tB@\340A\002\372A:\n8accesscontextmanag" - + "er.googleapis.com/GcpUserAccessBinding\"\322" - + "\001\n!CreateGcpUserAccessBindingRequest\022H\n\006" - + "parent\030\001 \001(\tB8\340A\002\372A2\n0cloudresourcemanag" - + "er.googleapis.com/Organization\022c\n\027gcp_us" - + "er_access_binding\030\002 \001(\0132=.google.identit" - + "y.accesscontextmanager.v1.GcpUserAccessB" - + "indingB\003\340A\002\"\276\001\n!UpdateGcpUserAccessBindi" - + "ngRequest\022c\n\027gcp_user_access_binding\030\001 \001" - + "(\0132=.google.identity.accesscontextmanage" - + "r.v1.GcpUserAccessBindingB\003\340A\002\0224\n\013update" + + "\031google/api/resource.proto\032\036google/iam/v" + + "1/iam_policy.proto\032\032google/iam/v1/policy" + + ".proto\032:google/identity/accesscontextman" + + "ager/v1/access_level.proto\032;google/ident" + + "ity/accesscontextmanager/v1/access_polic" + + "y.proto\032Egoogle/identity/accesscontextma" + + "nager/v1/gcp_user_access_binding.proto\032?" 
+ + "google/identity/accesscontextmanager/v1/" + + "service_perimeter.proto\032#google/longrunn" + + "ing/operations.proto\032 google/protobuf/fi" + + "eld_mask.proto\"\214\001\n\031ListAccessPoliciesReq" + + "uest\022H\n\006parent\030\001 \001(\tB8\340A\002\372A2\n0cloudresou" + + "rcemanager.googleapis.com/Organization\022\021" + + "\n\tpage_size\030\002 \001(\005\022\022\n\npage_token\030\003 \001(\t\"\205\001" + + "\n\032ListAccessPoliciesResponse\022N\n\017access_p" + + "olicies\030\001 \003(\01325.google.identity.accessco" + + "ntextmanager.v1.AccessPolicy\022\027\n\017next_pag" + + "e_token\030\002 \001(\t\"`\n\026GetAccessPolicyRequest\022" + + "F\n\004name\030\001 \001(\tB8\340A\002\372A2\n0accesscontextmana" + + "ger.googleapis.com/AccessPolicy\"\235\001\n\031Upda" + + "teAccessPolicyRequest\022J\n\006policy\030\001 \001(\01325." + + "google.identity.accesscontextmanager.v1." + + "AccessPolicyB\003\340A\002\0224\n\013update_mask\030\002 \001(\0132\032" + + ".google.protobuf.FieldMaskB\003\340A\002\"c\n\031Delet" + + "eAccessPolicyRequest\022F\n\004name\030\001 \001(\tB8\340A\002\372" + + "A2\n0accesscontextmanager.googleapis.com/" + + "AccessPolicy\"\334\001\n\027ListAccessLevelsRequest" + + "\022G\n\006parent\030\001 \001(\tB7\340A\002\372A1\022/accesscontextm" + + "anager.googleapis.com/AccessLevel\022\021\n\tpag" + + "e_size\030\002 \001(\005\022\022\n\npage_token\030\003 \001(\t\022Q\n\023acce" + + "ss_level_format\030\004 \001(\01624.google.identity." 
+ + "accesscontextmanager.v1.LevelFormat\"\200\001\n\030" + + "ListAccessLevelsResponse\022K\n\raccess_level" + + "s\030\001 \003(\01324.google.identity.accesscontextm" + + "anager.v1.AccessLevel\022\027\n\017next_page_token" + + "\030\002 \001(\t\"\261\001\n\025GetAccessLevelRequest\022E\n\004name" + + "\030\001 \001(\tB7\340A\002\372A1\n/accesscontextmanager.goo" + + "gleapis.com/AccessLevel\022Q\n\023access_level_" + + "format\030\002 \001(\01624.google.identity.accesscon" + + "textmanager.v1.LevelFormat\"\264\001\n\030CreateAcc" + + "essLevelRequest\022G\n\006parent\030\001 \001(\tB7\340A\002\372A1\022" + + "/accesscontextmanager.googleapis.com/Acc" + + "essLevel\022O\n\014access_level\030\002 \001(\01324.google." + + "identity.accesscontextmanager.v1.AccessL" + + "evelB\003\340A\002\"\241\001\n\030UpdateAccessLevelRequest\022O" + + "\n\014access_level\030\001 \001(\01324.google.identity.a" + + "ccesscontextmanager.v1.AccessLevelB\003\340A\002\022" + + "4\n\013update_mask\030\002 \001(\0132\032.google.protobuf.F" + + "ieldMaskB\003\340A\002\"a\n\030DeleteAccessLevelReques" + + "t\022E\n\004name\030\001 \001(\tB7\340A\002\372A1\n/accesscontextma" + + "nager.googleapis.com/AccessLevel\"\305\001\n\032Rep" + + "laceAccessLevelsRequest\022G\n\006parent\030\001 \001(\tB" + + "7\340A\002\372A1\022/accesscontextmanager.googleapis" + + ".com/AccessLevel\022P\n\raccess_levels\030\002 \003(\0132" + + "4.google.identity.accesscontextmanager.v" + + "1.AccessLevelB\003\340A\002\022\014\n\004etag\030\004 \001(\t\"j\n\033Repl" + + "aceAccessLevelsResponse\022K\n\raccess_levels" + + "\030\001 \003(\01324.google.identity.accesscontextma" + + "nager.v1.AccessLevel\"\223\001\n\034ListServicePeri" + + "metersRequest\022L\n\006parent\030\001 \001(\tB<\340A\002\372A6\0224a" + + "ccesscontextmanager.googleapis.com/Servi" + + "cePerimeter\022\021\n\tpage_size\030\002 \001(\005\022\022\n\npage_t" + + "oken\030\003 \001(\t\"\217\001\n\035ListServicePerimetersResp" + + 
"onse\022U\n\022service_perimeters\030\001 \003(\01329.googl" + + "e.identity.accesscontextmanager.v1.Servi" + + "cePerimeter\022\027\n\017next_page_token\030\002 \001(\t\"h\n\032" + + "GetServicePerimeterRequest\022J\n\004name\030\001 \001(\t" + + "B<\340A\002\372A6\n4accesscontextmanager.googleapi" + + "s.com/ServicePerimeter\"\310\001\n\035CreateService" + + "PerimeterRequest\022L\n\006parent\030\001 \001(\tB<\340A\002\372A6" + + "\0224accesscontextmanager.googleapis.com/Se" + + "rvicePerimeter\022Y\n\021service_perimeter\030\002 \001(" + + "\01329.google.identity.accesscontextmanager" + + ".v1.ServicePerimeterB\003\340A\002\"\260\001\n\035UpdateServ" + + "icePerimeterRequest\022Y\n\021service_perimeter" + + "\030\001 \001(\01329.google.identity.accesscontextma" + + "nager.v1.ServicePerimeterB\003\340A\002\0224\n\013update" + "_mask\030\002 \001(\0132\032.google.protobuf.FieldMaskB" - + "\003\340A\002\"s\n!DeleteGcpUserAccessBindingReques" - + "t\022N\n\004name\030\001 \001(\tB@\340A\002\372A:\n8accesscontextma" - + "nager.googleapis.com/GcpUserAccessBindin" - + "g\"\'\n%GcpUserAccessBindingOperationMetada" - + "ta\"\'\n%AccessContextManagerOperationMetad" - + "ata*D\n\013LevelFormat\022\034\n\030LEVEL_FORMAT_UNSPE" - + "CIFIED\020\000\022\016\n\nAS_DEFINED\020\001\022\007\n\003CEL\020\0022\245.\n\024Ac" - + "cessContextManager\022\271\001\n\022ListAccessPolicie" - + "s\022B.google.identity.accesscontextmanager" - + ".v1.ListAccessPoliciesRequest\032C.google.i" - + "dentity.accesscontextmanager.v1.ListAcce" - + "ssPoliciesResponse\"\032\202\323\344\223\002\024\022\022/v1/accessPo" - + "licies\022\265\001\n\017GetAccessPolicy\022?.google.iden" - + "tity.accesscontextmanager.v1.GetAccessPo" - + "licyRequest\0325.google.identity.accesscont" - + "extmanager.v1.AccessPolicy\"*\202\323\344\223\002\035\022\033/v1/" - + "{name=accessPolicies/*}\332A\004name\022\301\001\n\022Creat" - + "eAccessPolicy\0225.google.identity.accessco" - + 
"ntextmanager.v1.AccessPolicy\032\035.google.lo" - + "ngrunning.Operation\"U\202\323\344\223\002\027\"\022/v1/accessP" - + "olicies:\001*\312A5\n\014AccessPolicy\022%AccessConte" - + "xtManagerOperationMetadata\022\370\001\n\022UpdateAcc" - + "essPolicy\022B.google.identity.accesscontex" - + "tmanager.v1.UpdateAccessPolicyRequest\032\035." - + "google.longrunning.Operation\"\177\202\323\344\223\002,2\"/v" - + "1/{policy.name=accessPolicies/*}:\006policy" - + "\332A\022policy,update_mask\312A5\n\014AccessPolicy\022%" - + "AccessContextManagerOperationMetadata\022\344\001" - + "\n\022DeleteAccessPolicy\022B.google.identity.a" - + "ccesscontextmanager.v1.DeleteAccessPolic" - + "yRequest\032\035.google.longrunning.Operation\"" - + "k\202\323\344\223\002\035*\033/v1/{name=accessPolicies/*}\332A\004n" - + "ame\312A>\n\025google.protobuf.Empty\022%AccessCon" - + "textManagerOperationMetadata\022\324\001\n\020ListAcc" - + "essLevels\022@.google.identity.accesscontex" - + "tmanager.v1.ListAccessLevelsRequest\032A.go" - + "ogle.identity.accesscontextmanager.v1.Li" - + "stAccessLevelsResponse\";\202\323\344\223\002,\022*/v1/{par" - + "ent=accessPolicies/*}/accessLevels\332A\006par" - + "ent\022\301\001\n\016GetAccessLevel\022>.google.identity" - + ".accesscontextmanager.v1.GetAccessLevelR" - + "equest\0324.google.identity.accesscontextma" - + "nager.v1.AccessLevel\"9\202\323\344\223\002,\022*/v1/{name=" - + "accessPolicies/*/accessLevels/*}\332A\004name\022" - + "\205\002\n\021CreateAccessLevel\022A.google.identity." 
- + "accesscontextmanager.v1.CreateAccessLeve" - + "lRequest\032\035.google.longrunning.Operation\"" - + "\215\001\202\323\344\223\002:\"*/v1/{parent=accessPolicies/*}/" - + "accessLevels:\014access_level\332A\023parent,acce" - + "ss_level\312A4\n\013AccessLevel\022%AccessContextM" - + "anagerOperationMetadata\022\227\002\n\021UpdateAccess" - + "Level\022A.google.identity.accesscontextman" - + "ager.v1.UpdateAccessLevelRequest\032\035.googl" - + "e.longrunning.Operation\"\237\001\202\323\344\223\002G27/v1/{a" - + "ccess_level.name=accessPolicies/*/access" - + "Levels/*}:\014access_level\332A\030access_level,u" - + "pdate_mask\312A4\n\013AccessLevel\022%AccessContex" - + "tManagerOperationMetadata\022\361\001\n\021DeleteAcce" - + "ssLevel\022A.google.identity.accesscontextm" - + "anager.v1.DeleteAccessLevelRequest\032\035.goo" - + "gle.longrunning.Operation\"z\202\323\344\223\002,**/v1/{" - + "name=accessPolicies/*/accessLevels/*}\332A\004" - + "name\312A>\n\025google.protobuf.Empty\022%AccessCo" - + "ntextManagerOperationMetadata\022\203\002\n\023Replac" - + "eAccessLevels\022C.google.identity.accessco" - + "ntextmanager.v1.ReplaceAccessLevelsReque" - + "st\032\035.google.longrunning.Operation\"\207\001\202\323\344\223" - + "\002:\"5/v1/{parent=accessPolicies/*}/access" - + "Levels:replaceAll:\001*\312AD\n\033ReplaceAccessLe" - + "velsResponse\022%AccessContextManagerOperat" - + "ionMetadata\022\350\001\n\025ListServicePerimeters\022E." 
+ + "\003\340A\002\"k\n\035DeleteServicePerimeterRequest\022J\n" + + "\004name\030\001 \001(\tB<\340A\002\372A6\n4accesscontextmanage" + + "r.googleapis.com/ServicePerimeter\"\331\001\n\037Re" + + "placeServicePerimetersRequest\022L\n\006parent\030" + + "\001 \001(\tB<\340A\002\372A6\0224accesscontextmanager.goog" + + "leapis.com/ServicePerimeter\022Z\n\022service_p" + + "erimeters\030\002 \003(\01329.google.identity.access" + + "contextmanager.v1.ServicePerimeterB\003\340A\002\022" + + "\014\n\004etag\030\003 \001(\t\"y\n ReplaceServicePerimeter" + + "sResponse\022U\n\022service_perimeters\030\001 \003(\01329." + "google.identity.accesscontextmanager.v1." - + "ListServicePerimetersRequest\032F.google.id" - + "entity.accesscontextmanager.v1.ListServi" - + "cePerimetersResponse\"@\202\323\344\223\0021\022//v1/{paren" - + "t=accessPolicies/*}/servicePerimeters\332A\006" - + "parent\022\325\001\n\023GetServicePerimeter\022C.google." - + "identity.accesscontextmanager.v1.GetServ" - + "icePerimeterRequest\0329.google.identity.ac" - + "cesscontextmanager.v1.ServicePerimeter\">" - + "\202\323\344\223\0021\022//v1/{name=accessPolicies/*/servi" - + "cePerimeters/*}\332A\004name\022\243\002\n\026CreateService" - + "Perimeter\022F.google.identity.accesscontex" - + "tmanager.v1.CreateServicePerimeterReques" - + "t\032\035.google.longrunning.Operation\"\241\001\202\323\344\223\002" - + "D\"//v1/{parent=accessPolicies/*}/service" - + "Perimeters:\021service_perimeter\332A\030parent,s" - + "ervice_perimeter\312A9\n\020ServicePerimeter\022%A" - + "ccessContextManagerOperationMetadata\022\272\002\n" - + "\026UpdateServicePerimeter\022F.google.identit" - + "y.accesscontextmanager.v1.UpdateServiceP" - + "erimeterRequest\032\035.google.longrunning.Ope" - + "ration\"\270\001\202\323\344\223\002V2A/v1/{service_perimeter." 
- + "name=accessPolicies/*/servicePerimeters/" - + "*}:\021service_perimeter\332A\035service_perimete" - + "r,update_mask\312A9\n\020ServicePerimeter\022%Acce" - + "ssContextManagerOperationMetadata\022\200\002\n\026De" - + "leteServicePerimeter\022F.google.identity.a" - + "ccesscontextmanager.v1.DeleteServicePeri" - + "meterRequest\032\035.google.longrunning.Operat" - + "ion\"\177\202\323\344\223\0021*//v1/{name=accessPolicies/*/" - + "servicePerimeters/*}\332A\004name\312A>\n\025google.p" - + "rotobuf.Empty\022%AccessContextManagerOpera" - + "tionMetadata\022\227\002\n\030ReplaceServicePerimeter" - + "s\022H.google.identity.accesscontextmanager" - + ".v1.ReplaceServicePerimetersRequest\032\035.go" - + "ogle.longrunning.Operation\"\221\001\202\323\344\223\002?\":/v1" - + "/{parent=accessPolicies/*}/servicePerime" - + "ters:replaceAll:\001*\312AI\n ReplaceServicePer" - + "imetersResponse\022%AccessContextManagerOpe" - + "rationMetadata\022\220\002\n\027CommitServicePerimete" - + "rs\022G.google.identity.accesscontextmanage" - + "r.v1.CommitServicePerimetersRequest\032\035.go" - + "ogle.longrunning.Operation\"\214\001\202\323\344\223\002;\"6/v1" - + "/{parent=accessPolicies/*}/servicePerime" - + "ters:commit:\001*\312AH\n\037CommitServicePerimete" - + "rsResponse\022%AccessContextManagerOperatio" - + "nMetadata\022\367\001\n\031ListGcpUserAccessBindings\022" - + "I.google.identity.accesscontextmanager.v" - + "1.ListGcpUserAccessBindingsRequest\032J.goo" - + "gle.identity.accesscontextmanager.v1.Lis" - + "tGcpUserAccessBindingsResponse\"C\202\323\344\223\0024\0222" - + "/v1/{parent=organizations/*}/gcpUserAcce" - + "ssBindings\332A\006parent\022\344\001\n\027GetGcpUserAccess" - + "Binding\022G.google.identity.accesscontextm" - + "anager.v1.GetGcpUserAccessBindingRequest" - + "\032=.google.identity.accesscontextmanager." 
- + "v1.GcpUserAccessBinding\"A\202\323\344\223\0024\0222/v1/{na" - + "me=organizations/*/gcpUserAccessBindings" - + "/*}\332A\004name\022\276\002\n\032CreateGcpUserAccessBindin" - + "g\022J.google.identity.accesscontextmanager" - + ".v1.CreateGcpUserAccessBindingRequest\032\035." - + "google.longrunning.Operation\"\264\001\202\323\344\223\002M\"2/" - + "v1/{parent=organizations/*}/gcpUserAcces" - + "sBindings:\027gcp_user_access_binding\332A\036par" - + "ent,gcp_user_access_binding\312A=\n\024GcpUserA" - + "ccessBinding\022%GcpUserAccessBindingOperat" - + "ionMetadata\022\333\002\n\032UpdateGcpUserAccessBindi" - + "ng\022J.google.identity.accesscontextmanage" - + "r.v1.UpdateGcpUserAccessBindingRequest\032\035" - + ".google.longrunning.Operation\"\321\001\202\323\344\223\002e2J" - + "/v1/{gcp_user_access_binding.name=organi" - + "zations/*/gcpUserAccessBindings/*}:\027gcp_" - + "user_access_binding\332A#gcp_user_access_bi" - + "nding,update_mask\312A=\n\024GcpUserAccessBindi" - + "ng\022%GcpUserAccessBindingOperationMetadat" - + "a\022\214\002\n\032DeleteGcpUserAccessBinding\022J.googl" - + "e.identity.accesscontextmanager.v1.Delet" - + "eGcpUserAccessBindingRequest\032\035.google.lo" - + "ngrunning.Operation\"\202\001\202\323\344\223\0024*2/v1/{name=" - + "organizations/*/gcpUserAccessBindings/*}" - + "\332A\004name\312A>\n\025google.protobuf.Empty\022%GcpUs" - + "erAccessBindingOperationMetadata\032W\312A#acc" - + "esscontextmanager.googleapis.com\322A.https" - + "://www.googleapis.com/auth/cloud-platfor" - + "mB\257\002\n+com.google.identity.accesscontextm" - + "anager.v1B\031AccessContextManagerProtoP\001Z[" - + "google.golang.org/genproto/googleapis/id" - + "entity/accesscontextmanager/v1;accesscon" - + "textmanager\242\002\004GACM\252\002\'Google.Identity.Acc" - + "essContextManager.V1\312\002\'Google\\Identity\\A" - + "ccessContextManager\\V1\352\002*Google::Identit" - + "y::AccessContextManager::V1b\006proto3" + + 
"ServicePerimeter\"|\n\036CommitServicePerimet" + + "ersRequest\022L\n\006parent\030\001 \001(\tB<\340A\002\372A6\0224acce" + + "sscontextmanager.googleapis.com/ServiceP" + + "erimeter\022\014\n\004etag\030\002 \001(\t\"x\n\037CommitServiceP" + + "erimetersResponse\022U\n\022service_perimeters\030" + + "\001 \003(\01329.google.identity.accesscontextman" + + "ager.v1.ServicePerimeter\"\235\001\n ListGcpUser" + + "AccessBindingsRequest\022H\n\006parent\030\001 \001(\tB8\340" + + "A\002\372A2\n0cloudresourcemanager.googleapis.c" + + "om/Organization\022\026\n\tpage_size\030\002 \001(\005B\003\340A\001\022" + + "\027\n\npage_token\030\003 \001(\tB\003\340A\001\"\235\001\n!ListGcpUser" + + "AccessBindingsResponse\022_\n\030gcp_user_acces" + + "s_bindings\030\001 \003(\0132=.google.identity.acces" + + "scontextmanager.v1.GcpUserAccessBinding\022" + + "\027\n\017next_page_token\030\002 \001(\t\"p\n\036GetGcpUserAc" + + "cessBindingRequest\022N\n\004name\030\001 \001(\tB@\340A\002\372A:" + + "\n8accesscontextmanager.googleapis.com/Gc" + + "pUserAccessBinding\"\322\001\n!CreateGcpUserAcce" + + "ssBindingRequest\022H\n\006parent\030\001 \001(\tB8\340A\002\372A2" + + "\n0cloudresourcemanager.googleapis.com/Or" + + "ganization\022c\n\027gcp_user_access_binding\030\002 " + + "\001(\0132=.google.identity.accesscontextmanag" + + "er.v1.GcpUserAccessBindingB\003\340A\002\"\276\001\n!Upda" + + "teGcpUserAccessBindingRequest\022c\n\027gcp_use" + + "r_access_binding\030\001 \001(\0132=.google.identity" + + ".accesscontextmanager.v1.GcpUserAccessBi" + + "ndingB\003\340A\002\0224\n\013update_mask\030\002 \001(\0132\032.google" + + ".protobuf.FieldMaskB\003\340A\002\"s\n!DeleteGcpUse" + + "rAccessBindingRequest\022N\n\004name\030\001 \001(\tB@\340A\002" + + "\372A:\n8accesscontextmanager.googleapis.com" + + "/GcpUserAccessBinding\"\'\n%GcpUserAccessBi" + + "ndingOperationMetadata\"\'\n%AccessContextM" + + "anagerOperationMetadata*D\n\013LevelFormat\022\034" + + 
"\n\030LEVEL_FORMAT_UNSPECIFIED\020\000\022\016\n\nAS_DEFIN" + + "ED\020\001\022\007\n\003CEL\020\0022\3612\n\024AccessContextManager\022\271" + + "\001\n\022ListAccessPolicies\022B.google.identity." + + "accesscontextmanager.v1.ListAccessPolici" + + "esRequest\032C.google.identity.accesscontex" + + "tmanager.v1.ListAccessPoliciesResponse\"\032" + + "\202\323\344\223\002\024\022\022/v1/accessPolicies\022\265\001\n\017GetAccess" + + "Policy\022?.google.identity.accesscontextma" + + "nager.v1.GetAccessPolicyRequest\0325.google" + + ".identity.accesscontextmanager.v1.Access" + + "Policy\"*\202\323\344\223\002\035\022\033/v1/{name=accessPolicies" + + "/*}\332A\004name\022\301\001\n\022CreateAccessPolicy\0225.goog" + + "le.identity.accesscontextmanager.v1.Acce" + + "ssPolicy\032\035.google.longrunning.Operation\"" + + "U\202\323\344\223\002\027\"\022/v1/accessPolicies:\001*\312A5\n\014Acces" + + "sPolicy\022%AccessContextManagerOperationMe" + + "tadata\022\370\001\n\022UpdateAccessPolicy\022B.google.i" + + "dentity.accesscontextmanager.v1.UpdateAc" + + "cessPolicyRequest\032\035.google.longrunning.O" + + "peration\"\177\202\323\344\223\002,2\"/v1/{policy.name=acces" + + "sPolicies/*}:\006policy\332A\022policy,update_mas" + + "k\312A5\n\014AccessPolicy\022%AccessContextManager" + + "OperationMetadata\022\344\001\n\022DeleteAccessPolicy" + + "\022B.google.identity.accesscontextmanager." 
+ + "v1.DeleteAccessPolicyRequest\032\035.google.lo" + + "ngrunning.Operation\"k\202\323\344\223\002\035*\033/v1/{name=a" + + "ccessPolicies/*}\332A\004name\312A>\n\025google.proto" + + "buf.Empty\022%AccessContextManagerOperation" + + "Metadata\022\324\001\n\020ListAccessLevels\022@.google.i" + + "dentity.accesscontextmanager.v1.ListAcce" + + "ssLevelsRequest\032A.google.identity.access" + + "contextmanager.v1.ListAccessLevelsRespon" + + "se\";\202\323\344\223\002,\022*/v1/{parent=accessPolicies/*" + + "}/accessLevels\332A\006parent\022\301\001\n\016GetAccessLev" + + "el\022>.google.identity.accesscontextmanage" + + "r.v1.GetAccessLevelRequest\0324.google.iden" + + "tity.accesscontextmanager.v1.AccessLevel" + + "\"9\202\323\344\223\002,\022*/v1/{name=accessPolicies/*/acc" + + "essLevels/*}\332A\004name\022\205\002\n\021CreateAccessLeve" + + "l\022A.google.identity.accesscontextmanager" + + ".v1.CreateAccessLevelRequest\032\035.google.lo" + + "ngrunning.Operation\"\215\001\202\323\344\223\002:\"*/v1/{paren" + + "t=accessPolicies/*}/accessLevels:\014access" + + "_level\332A\023parent,access_level\312A4\n\013AccessL" + + "evel\022%AccessContextManagerOperationMetad" + + "ata\022\227\002\n\021UpdateAccessLevel\022A.google.ident" + + "ity.accesscontextmanager.v1.UpdateAccess" + + "LevelRequest\032\035.google.longrunning.Operat" + + "ion\"\237\001\202\323\344\223\002G27/v1/{access_level.name=acc" + + "essPolicies/*/accessLevels/*}:\014access_le" + + "vel\332A\030access_level,update_mask\312A4\n\013Acces" + + "sLevel\022%AccessContextManagerOperationMet" + + "adata\022\361\001\n\021DeleteAccessLevel\022A.google.ide" + + "ntity.accesscontextmanager.v1.DeleteAcce" + + "ssLevelRequest\032\035.google.longrunning.Oper" + + "ation\"z\202\323\344\223\002,**/v1/{name=accessPolicies/" + + "*/accessLevels/*}\332A\004name\312A>\n\025google.prot" + + "obuf.Empty\022%AccessContextManagerOperatio" + + "nMetadata\022\203\002\n\023ReplaceAccessLevels\022C.goog" + + 
"le.identity.accesscontextmanager.v1.Repl" + + "aceAccessLevelsRequest\032\035.google.longrunn" + + "ing.Operation\"\207\001\202\323\344\223\002:\"5/v1/{parent=acce" + + "ssPolicies/*}/accessLevels:replaceAll:\001*" + + "\312AD\n\033ReplaceAccessLevelsResponse\022%Access" + + "ContextManagerOperationMetadata\022\350\001\n\025List" + + "ServicePerimeters\022E.google.identity.acce" + + "sscontextmanager.v1.ListServicePerimeter" + + "sRequest\032F.google.identity.accesscontext" + + "manager.v1.ListServicePerimetersResponse" + + "\"@\202\323\344\223\0021\022//v1/{parent=accessPolicies/*}/" + + "servicePerimeters\332A\006parent\022\325\001\n\023GetServic" + + "ePerimeter\022C.google.identity.accessconte" + + "xtmanager.v1.GetServicePerimeterRequest\032" + + "9.google.identity.accesscontextmanager.v" + + "1.ServicePerimeter\">\202\323\344\223\0021\022//v1/{name=ac" + + "cessPolicies/*/servicePerimeters/*}\332A\004na" + + "me\022\243\002\n\026CreateServicePerimeter\022F.google.i" + + "dentity.accesscontextmanager.v1.CreateSe" + + "rvicePerimeterRequest\032\035.google.longrunni" + + "ng.Operation\"\241\001\202\323\344\223\002D\"//v1/{parent=acces" + + "sPolicies/*}/servicePerimeters:\021service_" + + "perimeter\332A\030parent,service_perimeter\312A9\n" + + "\020ServicePerimeter\022%AccessContextManagerO" + + "perationMetadata\022\272\002\n\026UpdateServicePerime" + + "ter\022F.google.identity.accesscontextmanag" + + "er.v1.UpdateServicePerimeterRequest\032\035.go" + + "ogle.longrunning.Operation\"\270\001\202\323\344\223\002V2A/v1" + + "/{service_perimeter.name=accessPolicies/" + + "*/servicePerimeters/*}:\021service_perimete" + + "r\332A\035service_perimeter,update_mask\312A9\n\020Se" + + "rvicePerimeter\022%AccessContextManagerOper" + + "ationMetadata\022\200\002\n\026DeleteServicePerimeter" + + "\022F.google.identity.accesscontextmanager." 
+ + "v1.DeleteServicePerimeterRequest\032\035.googl" + + "e.longrunning.Operation\"\177\202\323\344\223\0021*//v1/{na" + + "me=accessPolicies/*/servicePerimeters/*}" + + "\332A\004name\312A>\n\025google.protobuf.Empty\022%Acces" + + "sContextManagerOperationMetadata\022\227\002\n\030Rep" + + "laceServicePerimeters\022H.google.identity." + + "accesscontextmanager.v1.ReplaceServicePe" + + "rimetersRequest\032\035.google.longrunning.Ope" + + "ration\"\221\001\202\323\344\223\002?\":/v1/{parent=accessPolic" + + "ies/*}/servicePerimeters:replaceAll:\001*\312A" + + "I\n ReplaceServicePerimetersResponse\022%Acc" + + "essContextManagerOperationMetadata\022\220\002\n\027C" + + "ommitServicePerimeters\022G.google.identity" + + ".accesscontextmanager.v1.CommitServicePe" + + "rimetersRequest\032\035.google.longrunning.Ope" + + "ration\"\214\001\202\323\344\223\002;\"6/v1/{parent=accessPolic" + + "ies/*}/servicePerimeters:commit:\001*\312AH\n\037C" + + "ommitServicePerimetersResponse\022%AccessCo" + + "ntextManagerOperationMetadata\022\367\001\n\031ListGc" + + "pUserAccessBindings\022I.google.identity.ac" + + "cesscontextmanager.v1.ListGcpUserAccessB" + + "indingsRequest\032J.google.identity.accessc" + + "ontextmanager.v1.ListGcpUserAccessBindin" + + "gsResponse\"C\202\323\344\223\0024\0222/v1/{parent=organiza" + + "tions/*}/gcpUserAccessBindings\332A\006parent\022" + + "\344\001\n\027GetGcpUserAccessBinding\022G.google.ide" + + "ntity.accesscontextmanager.v1.GetGcpUser" + + "AccessBindingRequest\032=.google.identity.a" + + "ccesscontextmanager.v1.GcpUserAccessBind" + + "ing\"A\202\323\344\223\0024\0222/v1/{name=organizations/*/g" + + "cpUserAccessBindings/*}\332A\004name\022\276\002\n\032Creat" + + "eGcpUserAccessBinding\022J.google.identity." 
+ + "accesscontextmanager.v1.CreateGcpUserAcc" + + "essBindingRequest\032\035.google.longrunning.O" + + "peration\"\264\001\202\323\344\223\002M\"2/v1/{parent=organizat" + + "ions/*}/gcpUserAccessBindings:\027gcp_user_" + + "access_binding\332A\036parent,gcp_user_access_" + + "binding\312A=\n\024GcpUserAccessBinding\022%GcpUse" + + "rAccessBindingOperationMetadata\022\333\002\n\032Upda" + + "teGcpUserAccessBinding\022J.google.identity" + + ".accesscontextmanager.v1.UpdateGcpUserAc" + + "cessBindingRequest\032\035.google.longrunning." + + "Operation\"\321\001\202\323\344\223\002e2J/v1/{gcp_user_access" + + "_binding.name=organizations/*/gcpUserAcc" + + "essBindings/*}:\027gcp_user_access_binding\332" + + "A#gcp_user_access_binding,update_mask\312A=" + + "\n\024GcpUserAccessBinding\022%GcpUserAccessBin" + + "dingOperationMetadata\022\214\002\n\032DeleteGcpUserA" + + "ccessBinding\022J.google.identity.accesscon" + + "textmanager.v1.DeleteGcpUserAccessBindin" + + "gRequest\032\035.google.longrunning.Operation\"" + + "\202\001\202\323\344\223\0024*2/v1/{name=organizations/*/gcpU" + + "serAccessBindings/*}\332A\004name\312A>\n\025google.p" + + "rotobuf.Empty\022%GcpUserAccessBindingOpera" + + "tionMetadata\022\202\001\n\014SetIamPolicy\022\".google.i" + + "am.v1.SetIamPolicyRequest\032\025.google.iam.v" + + "1.Policy\"7\202\323\344\223\0021\",/v1/{resource=accessPo" + + "licies/*}:setIamPolicy:\001*\022\202\001\n\014GetIamPoli" + + "cy\022\".google.iam.v1.GetIamPolicyRequest\032\025" + + ".google.iam.v1.Policy\"7\202\323\344\223\0021\",/v1/{reso" + + "urce=accessPolicies/*}:getIamPolicy:\001*\022\277" + + "\002\n\022TestIamPermissions\022(.google.iam.v1.Te" + + "stIamPermissionsRequest\032).google.iam.v1." 
+ + "TestIamPermissionsResponse\"\323\001\202\323\344\223\002\314\001\"2/v" + + "1/{resource=accessPolicies/*}:testIamPer" + + "missions:\001*ZF\"A/v1/{resource=accessPolic" + + "ies/*/accessLevels/*}:testIamPermissions" + + ":\001*ZK\"F/v1/{resource=accessPolicies/*/se" + + "rvicePerimeters/*}:testIamPermissions:\001*" + + "\032W\312A#accesscontextmanager.googleapis.com" + + "\322A.https://www.googleapis.com/auth/cloud" + + "-platformB\257\002\n+com.google.identity.access" + + "contextmanager.v1B\031AccessContextManagerP" + + "rotoP\001Z[google.golang.org/genproto/googl" + + "eapis/identity/accesscontextmanager/v1;a" + + "ccesscontextmanager\242\002\004GACM\252\002\'Google.Iden" + + "tity.AccessContextManager.V1\312\002\'Google\\Id" + + "entity\\AccessContextManager\\V1\352\002*Google:" + + ":Identity::AccessContextManager::V1b\006pro" + + "to3" }; descriptor = com.google.protobuf.Descriptors.FileDescriptor.internalBuildGeneratedFileFrom( @@ -452,6 +469,8 @@ public static com.google.protobuf.Descriptors.FileDescriptor getDescriptor() { com.google.api.ClientProto.getDescriptor(), com.google.api.FieldBehaviorProto.getDescriptor(), com.google.api.ResourceProto.getDescriptor(), + com.google.iam.v1.IamPolicyProto.getDescriptor(), + com.google.iam.v1.PolicyProto.getDescriptor(), com.google.identity.accesscontextmanager.v1.AccessLevelProto.getDescriptor(), com.google.identity.accesscontextmanager.v1.PolicyProto.getDescriptor(), com.google.identity.accesscontextmanager.v1.GcpUserAccessBindingProto.getDescriptor(), 
@@ -718,6 +737,8 @@ public static com.google.protobuf.Descriptors.FileDescriptor getDescriptor() { com.google.api.ClientProto.getDescriptor(); com.google.api.FieldBehaviorProto.getDescriptor(); com.google.api.ResourceProto.getDescriptor(); + com.google.iam.v1.IamPolicyProto.getDescriptor(); + com.google.iam.v1.PolicyProto.getDescriptor(); com.google.identity.accesscontextmanager.v1.AccessLevelProto.getDescriptor(); com.google.identity.accesscontextmanager.v1.PolicyProto.getDescriptor(); com.google.identity.accesscontextmanager.v1.GcpUserAccessBindingProto.getDescriptor(); diff --git a/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/AccessPolicy.java b/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/AccessPolicy.java index 11e978eab253..86df17efbc56 100644 --- a/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/AccessPolicy.java +++ b/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/AccessPolicy.java @@ -45,6 +45,7 @@ private AccessPolicy() { name_ = ""; parent_ = ""; title_ = ""; + scopes_ = com.google.protobuf.LazyStringArrayList.EMPTY; etag_ = ""; } @@ -227,6 +228,119 @@ public com.google.protobuf.ByteString getTitleBytes() { } } + public static final int SCOPES_FIELD_NUMBER = 7; + private com.google.protobuf.LazyStringList scopes_; + /** + * + * + *
+   * The scopes of a policy define which resources an ACM policy can restrict,
+   * and where ACM resources can be referenced.
+   * For example, a policy with scopes=["folders/123"] has the following
+   * behavior:
+   * - vpcsc perimeters can only restrict projects within folders/123
+   * - access levels can only be referenced by resources within folders/123.
+   * If empty, there are no limitations on which resources can be restricted by
+   * an ACM policy, and there are no limitations on where ACM resources can be
+   * referenced.
+   * Only one policy can include a given scope (attempting to create a second
+   * policy which includes "folders/123" will result in an error).
+   * Currently, scopes cannot be modified after a policy is created.
+   * Currently, policies can only have a single scope.
+   * Format: list of `folders/{folder_number}` or `projects/{project_number}`
+   * 
+ * + * repeated string scopes = 7; + * + * @return A list containing the scopes. + */ + public com.google.protobuf.ProtocolStringList getScopesList() { + return scopes_; + } + /** + * + * + *
+   * The scopes of a policy define which resources an ACM policy can restrict,
+   * and where ACM resources can be referenced.
+   * For example, a policy with scopes=["folders/123"] has the following
+   * behavior:
+   * - vpcsc perimeters can only restrict projects within folders/123
+   * - access levels can only be referenced by resources within folders/123.
+   * If empty, there are no limitations on which resources can be restricted by
+   * an ACM policy, and there are no limitations on where ACM resources can be
+   * referenced.
+   * Only one policy can include a given scope (attempting to create a second
+   * policy which includes "folders/123" will result in an error).
+   * Currently, scopes cannot be modified after a policy is created.
+   * Currently, policies can only have a single scope.
+   * Format: list of `folders/{folder_number}` or `projects/{project_number}`
+   * 
+ * + * repeated string scopes = 7; + * + * @return The count of scopes. + */ + public int getScopesCount() { + return scopes_.size(); + } + /** + * + * + *
+   * The scopes of a policy define which resources an ACM policy can restrict,
+   * and where ACM resources can be referenced.
+   * For example, a policy with scopes=["folders/123"] has the following
+   * behavior:
+   * - vpcsc perimeters can only restrict projects within folders/123
+   * - access levels can only be referenced by resources within folders/123.
+   * If empty, there are no limitations on which resources can be restricted by
+   * an ACM policy, and there are no limitations on where ACM resources can be
+   * referenced.
+   * Only one policy can include a given scope (attempting to create a second
+   * policy which includes "folders/123" will result in an error).
+   * Currently, scopes cannot be modified after a policy is created.
+   * Currently, policies can only have a single scope.
+   * Format: list of `folders/{folder_number}` or `projects/{project_number}`
+   * 
+ * + * repeated string scopes = 7; + * + * @param index The index of the element to return. + * @return The scopes at the given index. + */ + public java.lang.String getScopes(int index) { + return scopes_.get(index); + } + /** + * + * + *
+   * The scopes of a policy define which resources an ACM policy can restrict,
+   * and where ACM resources can be referenced.
+   * For example, a policy with scopes=["folders/123"] has the following
+   * behavior:
+   * - vpcsc perimeters can only restrict projects within folders/123
+   * - access levels can only be referenced by resources within folders/123.
+   * If empty, there are no limitations on which resources can be restricted by
+   * an ACM policy, and there are no limitations on where ACM resources can be
+   * referenced.
+   * Only one policy can include a given scope (attempting to create a second
+   * policy which includes "folders/123" will result in an error).
+   * Currently, scopes cannot be modified after a policy is created.
+   * Currently, policies can only have a single scope.
+   * Format: list of `folders/{folder_number}` or `projects/{project_number}`
+   * 
+ * + * repeated string scopes = 7; + * + * @param index The index of the value to return. + * @return The bytes of the scopes at the given index. + */ + public com.google.protobuf.ByteString getScopesBytes(int index) { + return scopes_.getByteString(index); + } + public static final int CREATE_TIME_FIELD_NUMBER = 4; private com.google.protobuf.Timestamp createTime_; /** @@ -406,6 +520,9 @@ public void writeTo(com.google.protobuf.CodedOutputStream output) throws java.io if (!com.google.protobuf.GeneratedMessageV3.isStringEmpty(etag_)) { com.google.protobuf.GeneratedMessageV3.writeString(output, 6, etag_); } + for (int i = 0; i < scopes_.size(); i++) { + com.google.protobuf.GeneratedMessageV3.writeString(output, 7, scopes_.getRaw(i)); + } getUnknownFields().writeTo(output); } @@ -433,6 +550,14 @@ public int getSerializedSize() { if (!com.google.protobuf.GeneratedMessageV3.isStringEmpty(etag_)) { size += com.google.protobuf.GeneratedMessageV3.computeStringSize(6, etag_); } + { + int dataSize = 0; + for (int i = 0; i < scopes_.size(); i++) { + dataSize += computeStringSizeNoTag(scopes_.getRaw(i)); + } + size += dataSize; + size += 1 * getScopesList().size(); + } size += getUnknownFields().getSerializedSize(); memoizedSize = size; return size; @@ -452,6 +577,7 @@ public boolean equals(final java.lang.Object obj) { if (!getName().equals(other.getName())) return false; if (!getParent().equals(other.getParent())) return false; if (!getTitle().equals(other.getTitle())) return false; + if (!getScopesList().equals(other.getScopesList())) return false; if (hasCreateTime() != other.hasCreateTime()) return false; if (hasCreateTime()) { if (!getCreateTime().equals(other.getCreateTime())) return false; 
@@ -478,6 +604,10 @@ public int hashCode() { hash = (53 * hash) + getParent().hashCode(); hash = (37 * hash) + TITLE_FIELD_NUMBER; hash = (53 * hash) + getTitle().hashCode(); + if (getScopesCount() > 0) { + hash = (37 * hash) + SCOPES_FIELD_NUMBER; + hash = (53 * hash) + getScopesList().hashCode(); + } if (hasCreateTime()) { hash = (37 * hash) + CREATE_TIME_FIELD_NUMBER; hash = (53 * hash) + getCreateTime().hashCode(); @@ -637,6 +767,8 @@ public Builder clear() { title_ = ""; + scopes_ = com.google.protobuf.LazyStringArrayList.EMPTY; + bitField0_ = (bitField0_ & ~0x00000001); if (createTimeBuilder_ == null) { createTime_ = null; } else { @@ -678,9 +810,15 @@ public com.google.identity.accesscontextmanager.v1.AccessPolicy build() { public com.google.identity.accesscontextmanager.v1.AccessPolicy buildPartial() { com.google.identity.accesscontextmanager.v1.AccessPolicy result = new com.google.identity.accesscontextmanager.v1.AccessPolicy(this); + int from_bitField0_ = bitField0_; result.name_ = name_; result.parent_ = parent_; result.title_ = title_; + if (((bitField0_ & 0x00000001) != 0)) { + scopes_ = scopes_.getUnmodifiableView(); + bitField0_ = (bitField0_ & ~0x00000001); + } + result.scopes_ = scopes_; if (createTimeBuilder_ == null) { result.createTime_ = createTime_; } else { @@ -754,6 +892,16 @@ public Builder mergeFrom(com.google.identity.accesscontextmanager.v1.AccessPolic title_ = other.title_; onChanged(); } + if (!other.scopes_.isEmpty()) { + if (scopes_.isEmpty()) { + scopes_ = other.scopes_; + bitField0_ = (bitField0_ & ~0x00000001); + } else { + ensureScopesIsMutable(); + scopes_.addAll(other.scopes_); + } + onChanged(); + } if (other.hasCreateTime()) { mergeCreateTime(other.getCreateTime()); } 
@@ -826,6 +974,13 @@ public Builder mergeFrom( break; } // case 50 + case 58: + { + java.lang.String s = input.readStringRequireUtf8(); + ensureScopesIsMutable(); + scopes_.add(s); + break; + } // case 58 default: { if (!super.parseUnknownField(input, extensionRegistry, tag)) { @@ -843,6 +998,8 @@ public Builder mergeFrom( return this; } + private int bitField0_; + private java.lang.Object name_ = ""; /** * @@ -1176,6 +1333,291 @@ public Builder setTitleBytes(com.google.protobuf.ByteString value) { return this; } + private com.google.protobuf.LazyStringList scopes_ = + com.google.protobuf.LazyStringArrayList.EMPTY; + + private void ensureScopesIsMutable() { + if (!((bitField0_ & 0x00000001) != 0)) { + scopes_ = new com.google.protobuf.LazyStringArrayList(scopes_); + bitField0_ |= 0x00000001; + } + } + /** + * + * + *
+     * The scopes of a policy define which resources an ACM policy can restrict,
+     * and where ACM resources can be referenced.
+     * For example, a policy with scopes=["folders/123"] has the following
+     * behavior:
+     * - vpcsc perimeters can only restrict projects within folders/123
+     * - access levels can only be referenced by resources within folders/123.
+     * If empty, there are no limitations on which resources can be restricted by
+     * an ACM policy, and there are no limitations on where ACM resources can be
+     * referenced.
+     * Only one policy can include a given scope (attempting to create a second
+     * policy which includes "folders/123" will result in an error).
+     * Currently, scopes cannot be modified after a policy is created.
+     * Currently, policies can only have a single scope.
+     * Format: list of `folders/{folder_number}` or `projects/{project_number}`
+     * 
+ * + * repeated string scopes = 7; + * + * @return A list containing the scopes. + */ + public com.google.protobuf.ProtocolStringList getScopesList() { + return scopes_.getUnmodifiableView(); + } + /** + * + * + *
+     * The scopes of a policy define which resources an ACM policy can restrict,
+     * and where ACM resources can be referenced.
+     * For example, a policy with scopes=["folders/123"] has the following
+     * behavior:
+     * - vpcsc perimeters can only restrict projects within folders/123
+     * - access levels can only be referenced by resources within folders/123.
+     * If empty, there are no limitations on which resources can be restricted by
+     * an ACM policy, and there are no limitations on where ACM resources can be
+     * referenced.
+     * Only one policy can include a given scope (attempting to create a second
+     * policy which includes "folders/123" will result in an error).
+     * Currently, scopes cannot be modified after a policy is created.
+     * Currently, policies can only have a single scope.
+     * Format: list of `folders/{folder_number}` or `projects/{project_number}`
+     * 
+ * + * repeated string scopes = 7; + * + * @return The count of scopes. + */ + public int getScopesCount() { + return scopes_.size(); + } + /** + * + * + *
+     * The scopes of a policy define which resources an ACM policy can restrict,
+     * and where ACM resources can be referenced.
+     * For example, a policy with scopes=["folders/123"] has the following
+     * behavior:
+     * - vpcsc perimeters can only restrict projects within folders/123
+     * - access levels can only be referenced by resources within folders/123.
+     * If empty, there are no limitations on which resources can be restricted by
+     * an ACM policy, and there are no limitations on where ACM resources can be
+     * referenced.
+     * Only one policy can include a given scope (attempting to create a second
+     * policy which includes "folders/123" will result in an error).
+     * Currently, scopes cannot be modified after a policy is created.
+     * Currently, policies can only have a single scope.
+     * Format: list of `folders/{folder_number}` or `projects/{project_number}`
+     * 
+ * + * repeated string scopes = 7; + * + * @param index The index of the element to return. + * @return The scopes at the given index. + */ + public java.lang.String getScopes(int index) { + return scopes_.get(index); + } + /** + * + * + *
+     * The scopes of a policy define which resources an ACM policy can restrict,
+     * and where ACM resources can be referenced.
+     * For example, a policy with scopes=["folders/123"] has the following
+     * behavior:
+     * - vpcsc perimeters can only restrict projects within folders/123
+     * - access levels can only be referenced by resources within folders/123.
+     * If empty, there are no limitations on which resources can be restricted by
+     * an ACM policy, and there are no limitations on where ACM resources can be
+     * referenced.
+     * Only one policy can include a given scope (attempting to create a second
+     * policy which includes "folders/123" will result in an error).
+     * Currently, scopes cannot be modified after a policy is created.
+     * Currently, policies can only have a single scope.
+     * Format: list of `folders/{folder_number}` or `projects/{project_number}`
+     * 
+ * + * repeated string scopes = 7; + * + * @param index The index of the value to return. + * @return The bytes of the scopes at the given index. + */ + public com.google.protobuf.ByteString getScopesBytes(int index) { + return scopes_.getByteString(index); + } + /** + * + * + *
+     * The scopes of a policy define which resources an ACM policy can restrict,
+     * and where ACM resources can be referenced.
+     * For example, a policy with scopes=["folders/123"] has the following
+     * behavior:
+     * - vpcsc perimeters can only restrict projects within folders/123
+     * - access levels can only be referenced by resources within folders/123.
+     * If empty, there are no limitations on which resources can be restricted by
+     * an ACM policy, and there are no limitations on where ACM resources can be
+     * referenced.
+     * Only one policy can include a given scope (attempting to create a second
+     * policy which includes "folders/123" will result in an error).
+     * Currently, scopes cannot be modified after a policy is created.
+     * Currently, policies can only have a single scope.
+     * Format: list of `folders/{folder_number}` or `projects/{project_number}`
+     * 
+ * + * repeated string scopes = 7; + * + * @param index The index to set the value at. + * @param value The scopes to set. + * @return This builder for chaining. + */ + public Builder setScopes(int index, java.lang.String value) { + if (value == null) { + throw new NullPointerException(); + } + ensureScopesIsMutable(); + scopes_.set(index, value); + onChanged(); + return this; + } + /** + * + * + *
+     * The scopes of a policy define which resources an ACM policy can restrict,
+     * and where ACM resources can be referenced.
+     * For example, a policy with scopes=["folders/123"] has the following
+     * behavior:
+     * - vpcsc perimeters can only restrict projects within folders/123
+     * - access levels can only be referenced by resources within folders/123.
+     * If empty, there are no limitations on which resources can be restricted by
+     * an ACM policy, and there are no limitations on where ACM resources can be
+     * referenced.
+     * Only one policy can include a given scope (attempting to create a second
+     * policy which includes "folders/123" will result in an error).
+     * Currently, scopes cannot be modified after a policy is created.
+     * Currently, policies can only have a single scope.
+     * Format: list of `folders/{folder_number}` or `projects/{project_number}`
+     * 
+ * + * repeated string scopes = 7; + * + * @param value The scopes to add. + * @return This builder for chaining. + */ + public Builder addScopes(java.lang.String value) { + if (value == null) { + throw new NullPointerException(); + } + ensureScopesIsMutable(); + scopes_.add(value); + onChanged(); + return this; + } + /** + * + * + *
+     * The scopes of a policy define which resources an ACM policy can restrict,
+     * and where ACM resources can be referenced.
+     * For example, a policy with scopes=["folders/123"] has the following
+     * behavior:
+     * - vpcsc perimeters can only restrict projects within folders/123
+     * - access levels can only be referenced by resources within folders/123.
+     * If empty, there are no limitations on which resources can be restricted by
+     * an ACM policy, and there are no limitations on where ACM resources can be
+     * referenced.
+     * Only one policy can include a given scope (attempting to create a second
+     * policy which includes "folders/123" will result in an error).
+     * Currently, scopes cannot be modified after a policy is created.
+     * Currently, policies can only have a single scope.
+     * Format: list of `folders/{folder_number}` or `projects/{project_number}`
+     * 
+ * + * repeated string scopes = 7; + * + * @param values The scopes to add. + * @return This builder for chaining. + */ + public Builder addAllScopes(java.lang.Iterable values) { + ensureScopesIsMutable(); + com.google.protobuf.AbstractMessageLite.Builder.addAll(values, scopes_); + onChanged(); + return this; + } + /** + * + * + *
+     * The scopes of a policy define which resources an ACM policy can restrict,
+     * and where ACM resources can be referenced.
+     * For example, a policy with scopes=["folders/123"] has the following
+     * behavior:
+     * - vpcsc perimeters can only restrict projects within folders/123
+     * - access levels can only be referenced by resources within folders/123.
+     * If empty, there are no limitations on which resources can be restricted by
+     * an ACM policy, and there are no limitations on where ACM resources can be
+     * referenced.
+     * Only one policy can include a given scope (attempting to create a second
+     * policy which includes "folders/123" will result in an error).
+     * Currently, scopes cannot be modified after a policy is created.
+     * Currently, policies can only have a single scope.
+     * Format: list of `folders/{folder_number}` or `projects/{project_number}`
+     * 
+ * + * repeated string scopes = 7; + * + * @return This builder for chaining. + */ + public Builder clearScopes() { + scopes_ = com.google.protobuf.LazyStringArrayList.EMPTY; + bitField0_ = (bitField0_ & ~0x00000001); + onChanged(); + return this; + } + /** + * + * + *
+     * The scopes of a policy define which resources an ACM policy can restrict,
+     * and where ACM resources can be referenced.
+     * For example, a policy with scopes=["folders/123"] has the following
+     * behavior:
+     * - vpcsc perimeters can only restrict projects within folders/123
+     * - access levels can only be referenced by resources within folders/123.
+     * If empty, there are no limitations on which resources can be restricted by
+     * an ACM policy, and there are no limitations on where ACM resources can be
+     * referenced.
+     * Only one policy can include a given scope (attempting to create a second
+     * policy which includes "folders/123" will result in an error).
+     * Currently, scopes cannot be modified after a policy is created.
+     * Currently, policies can only have a single scope.
+     * Format: list of `folders/{folder_number}` or `projects/{project_number}`
+     * 
+ * + * repeated string scopes = 7; + * + * @param value The bytes of the scopes to add. + * @return This builder for chaining. + */ + public Builder addScopesBytes(com.google.protobuf.ByteString value) { + if (value == null) { + throw new NullPointerException(); + } + checkByteStringIsUtf8(value); + ensureScopesIsMutable(); + scopes_.add(value); + onChanged(); + return this; + } + private com.google.protobuf.Timestamp createTime_; private com.google.protobuf.SingleFieldBuilderV3< com.google.protobuf.Timestamp, diff --git a/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/AccessPolicyOrBuilder.java b/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/AccessPolicyOrBuilder.java index ba712950e671..d14d40515ba0 100644 --- a/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/AccessPolicyOrBuilder.java +++ b/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/AccessPolicyOrBuilder.java @@ -104,6 +104,109 @@ public interface AccessPolicyOrBuilder */ com.google.protobuf.ByteString getTitleBytes(); + /** + * + * + *
+   * The scopes of a policy define which resources an ACM policy can restrict,
+   * and where ACM resources can be referenced.
+   * For example, a policy with scopes=["folders/123"] has the following
+   * behavior:
+   * - vpcsc perimeters can only restrict projects within folders/123
+   * - access levels can only be referenced by resources within folders/123.
+   * If empty, there are no limitations on which resources can be restricted by
+   * an ACM policy, and there are no limitations on where ACM resources can be
+   * referenced.
+   * Only one policy can include a given scope (attempting to create a second
+   * policy which includes "folders/123" will result in an error).
+   * Currently, scopes cannot be modified after a policy is created.
+   * Currently, policies can only have a single scope.
+   * Format: list of `folders/{folder_number}` or `projects/{project_number}`
+   * 
+ * + * repeated string scopes = 7; + * + * @return A list containing the scopes. + */ + java.util.List getScopesList(); + /** + * + * + *
+   * The scopes of a policy define which resources an ACM policy can restrict,
+   * and where ACM resources can be referenced.
+   * For example, a policy with scopes=["folders/123"] has the following
+   * behavior:
+   * - vpcsc perimeters can only restrict projects within folders/123
+   * - access levels can only be referenced by resources within folders/123.
+   * If empty, there are no limitations on which resources can be restricted by
+   * an ACM policy, and there are no limitations on where ACM resources can be
+   * referenced.
+   * Only one policy can include a given scope (attempting to create a second
+   * policy which includes "folders/123" will result in an error).
+   * Currently, scopes cannot be modified after a policy is created.
+   * Currently, policies can only have a single scope.
+   * Format: list of `folders/{folder_number}` or `projects/{project_number}`
+   * 
+ * + * repeated string scopes = 7; + * + * @return The count of scopes. + */ + int getScopesCount(); + /** + * + * + *
+   * The scopes of a policy define which resources an ACM policy can restrict,
+   * and where ACM resources can be referenced.
+   * For example, a policy with scopes=["folders/123"] has the following
+   * behavior:
+   * - vpcsc perimeters can only restrict projects within folders/123
+   * - access levels can only be referenced by resources within folders/123.
+   * If empty, there are no limitations on which resources can be restricted by
+   * an ACM policy, and there are no limitations on where ACM resources can be
+   * referenced.
+   * Only one policy can include a given scope (attempting to create a second
+   * policy which includes "folders/123" will result in an error).
+   * Currently, scopes cannot be modified after a policy is created.
+   * Currently, policies can only have a single scope.
+   * Format: list of `folders/{folder_number}` or `projects/{project_number}`
+   * 
+ * + * repeated string scopes = 7; + * + * @param index The index of the element to return. + * @return The scopes at the given index. + */ + java.lang.String getScopes(int index); + /** + * + * + *
+   * The scopes of a policy define which resources an ACM policy can restrict,
+   * and where ACM resources can be referenced.
+   * For example, a policy with scopes=["folders/123"] has the following
+   * behavior:
+   * - vpcsc perimeters can only restrict projects within folders/123
+   * - access levels can only be referenced by resources within folders/123.
+   * If empty, there are no limitations on which resources can be restricted by
+   * an ACM policy, and there are no limitations on where ACM resources can be
+   * referenced.
+   * Only one policy can include a given scope (attempting to create a second
+   * policy which includes "folders/123" will result in an error).
+   * Currently, scopes cannot be modified after a policy is created.
+   * Currently, policies can only have a single scope.
+   * Format: list of `folders/{folder_number}` or `projects/{project_number}`
+   * 
+ * + * repeated string scopes = 7; + * + * @param index The index of the value to return. + * @return The bytes of the scopes at the given index. + */ + com.google.protobuf.ByteString getScopesBytes(int index); + /** * * diff --git a/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/CommitServicePerimetersRequest.java b/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/CommitServicePerimetersRequest.java index 4f78bbd09a26..4c882086f456 100644 --- a/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/CommitServicePerimetersRequest.java +++ b/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/CommitServicePerimetersRequest.java @@ -142,7 +142,7 @@ public com.google.protobuf.ByteString getParentBytes() { * *
    * Optional. The etag for the version of the [Access Policy]
-   * [google.identity.accesscontextmanager.v1alpha.AccessPolicy] that this
+   * [google.identity.accesscontextmanager.v1.AccessPolicy] that this
    * commit operation is to be performed on. If, at the time of commit, the
    * etag for the Access Policy stored in Access Context Manager is different
    * from the specified etag, then the commit operation will not be performed
@@ -171,7 +171,7 @@ public java.lang.String getEtag() {
    *
    * 
    * Optional. The etag for the version of the [Access Policy]
-   * [google.identity.accesscontextmanager.v1alpha.AccessPolicy] that this
+   * [google.identity.accesscontextmanager.v1.AccessPolicy] that this
    * commit operation is to be performed on. If, at the time of commit, the
    * etag for the Access Policy stored in Access Context Manager is different
    * from the specified etag, then the commit operation will not be performed
@@ -715,7 +715,7 @@ public Builder setParentBytes(com.google.protobuf.ByteString value) {
      *
      * 
      * Optional. The etag for the version of the [Access Policy]
-     * [google.identity.accesscontextmanager.v1alpha.AccessPolicy] that this
+     * [google.identity.accesscontextmanager.v1.AccessPolicy] that this
      * commit operation is to be performed on. If, at the time of commit, the
      * etag for the Access Policy stored in Access Context Manager is different
      * from the specified etag, then the commit operation will not be performed
@@ -743,7 +743,7 @@ public java.lang.String getEtag() {
      *
      * 
      * Optional. The etag for the version of the [Access Policy]
-     * [google.identity.accesscontextmanager.v1alpha.AccessPolicy] that this
+     * [google.identity.accesscontextmanager.v1.AccessPolicy] that this
      * commit operation is to be performed on. If, at the time of commit, the
      * etag for the Access Policy stored in Access Context Manager is different
      * from the specified etag, then the commit operation will not be performed
@@ -771,7 +771,7 @@ public com.google.protobuf.ByteString getEtagBytes() {
      *
      * 
      * Optional. The etag for the version of the [Access Policy]
-     * [google.identity.accesscontextmanager.v1alpha.AccessPolicy] that this
+     * [google.identity.accesscontextmanager.v1.AccessPolicy] that this
      * commit operation is to be performed on. If, at the time of commit, the
      * etag for the Access Policy stored in Access Context Manager is different
      * from the specified etag, then the commit operation will not be performed
@@ -798,7 +798,7 @@ public Builder setEtag(java.lang.String value) {
      *
      * 
      * Optional. The etag for the version of the [Access Policy]
-     * [google.identity.accesscontextmanager.v1alpha.AccessPolicy] that this
+     * [google.identity.accesscontextmanager.v1.AccessPolicy] that this
      * commit operation is to be performed on. If, at the time of commit, the
      * etag for the Access Policy stored in Access Context Manager is different
      * from the specified etag, then the commit operation will not be performed
@@ -821,7 +821,7 @@ public Builder clearEtag() {
      *
      * 
      * Optional. The etag for the version of the [Access Policy]
-     * [google.identity.accesscontextmanager.v1alpha.AccessPolicy] that this
+     * [google.identity.accesscontextmanager.v1.AccessPolicy] that this
      * commit operation is to be performed on. If, at the time of commit, the
      * etag for the Access Policy stored in Access Context Manager is different
      * from the specified etag, then the commit operation will not be performed
diff --git a/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/CommitServicePerimetersRequestOrBuilder.java b/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/CommitServicePerimetersRequestOrBuilder.java
index dfe98d035696..ded2c1921f6f 100644
--- a/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/CommitServicePerimetersRequestOrBuilder.java
+++ b/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/CommitServicePerimetersRequestOrBuilder.java
@@ -67,7 +67,7 @@ public interface CommitServicePerimetersRequestOrBuilder
    *
    * 
    * Optional. The etag for the version of the [Access Policy]
-   * [google.identity.accesscontextmanager.v1alpha.AccessPolicy] that this
+   * [google.identity.accesscontextmanager.v1.AccessPolicy] that this
    * commit operation is to be performed on. If, at the time of commit, the
    * etag for the Access Policy stored in Access Context Manager is different
    * from the specified etag, then the commit operation will not be performed
@@ -85,7 +85,7 @@ public interface CommitServicePerimetersRequestOrBuilder
    *
    * 
    * Optional. The etag for the version of the [Access Policy]
-   * [google.identity.accesscontextmanager.v1alpha.AccessPolicy] that this
+   * [google.identity.accesscontextmanager.v1.AccessPolicy] that this
    * commit operation is to be performed on. If, at the time of commit, the
    * etag for the Access Policy stored in Access Context Manager is different
    * from the specified etag, then the commit operation will not be performed
diff --git a/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/PolicyProto.java b/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/PolicyProto.java
index 531c1b7dcf74..66dc867a4eb0 100644
--- a/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/PolicyProto.java
+++ b/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/PolicyProto.java
@@ -44,21 +44,21 @@ public static com.google.protobuf.Descriptors.FileDescriptor getDescriptor() {
           + "1/access_policy.proto\022\'google.identity.a"
           + "ccesscontextmanager.v1\032\031google/api/resou"
           + "rce.proto\032\037google/protobuf/timestamp.pro"
-          + "to\"\202\002\n\014AccessPolicy\022\014\n\004name\030\001 \001(\t\022\016\n\006par"
-          + "ent\030\002 \001(\t\022\r\n\005title\030\003 \001(\t\022/\n\013create_time\030"
-          + "\004 \001(\0132\032.google.protobuf.Timestamp\022/\n\013upd"
-          + "ate_time\030\005 \001(\0132\032.google.protobuf.Timesta"
-          + "mp\022\014\n\004etag\030\006 \001(\t:U\352AR\n0accesscontextmana"
-          + "ger.googleapis.com/AccessPolicy\022\036accessP"
-          + "olicies/{access_policy}B\241\002\n+com.google.i"
-          + "dentity.accesscontextmanager.v1B\013PolicyP"
-          + "rotoP\001Z[google.golang.org/genproto/googl"
-          + "eapis/identity/accesscontextmanager/v1;a"
-          + "ccesscontextmanager\242\002\004GACM\252\002\'Google.Iden"
-          + "tity.AccessContextManager.V1\312\002\'Google\\Id"
-          + "entity\\AccessContextManager\\V1\352\002*Google:"
-          + ":Identity::AccessContextManager::V1b\006pro"
-          + "to3"
+          + "to\"\222\002\n\014AccessPolicy\022\014\n\004name\030\001 \001(\t\022\016\n\006par"
+          + "ent\030\002 \001(\t\022\r\n\005title\030\003 \001(\t\022\016\n\006scopes\030\007 \003(\t"
+          + "\022/\n\013create_time\030\004 \001(\0132\032.google.protobuf."
+          + "Timestamp\022/\n\013update_time\030\005 \001(\0132\032.google."
+          + "protobuf.Timestamp\022\014\n\004etag\030\006 \001(\t:U\352AR\n0a"
+          + "ccesscontextmanager.googleapis.com/Acces"
+          + "sPolicy\022\036accessPolicies/{access_policy}B"
+          + "\241\002\n+com.google.identity.accesscontextman"
+          + "ager.v1B\013PolicyProtoP\001Z[google.golang.or"
+          + "g/genproto/googleapis/identity/accesscon"
+          + "textmanager/v1;accesscontextmanager\242\002\004GA"
+          + "CM\252\002\'Google.Identity.AccessContextManage"
+          + "r.V1\312\002\'Google\\Identity\\AccessContextMana"
+          + "ger\\V1\352\002*Google::Identity::AccessContext"
+          + "Manager::V1b\006proto3"
     };
     descriptor =
         com.google.protobuf.Descriptors.FileDescriptor.internalBuildGeneratedFileFrom(
@@ -73,7 +73,7 @@ public static com.google.protobuf.Descriptors.FileDescriptor getDescriptor() {
         new com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
             internal_static_google_identity_accesscontextmanager_v1_AccessPolicy_descriptor,
             new java.lang.String[] {
-              "Name", "Parent", "Title", "CreateTime", "UpdateTime", "Etag",
+              "Name", "Parent", "Title", "Scopes", "CreateTime", "UpdateTime", "Etag",
             });
     com.google.protobuf.ExtensionRegistry registry =
         com.google.protobuf.ExtensionRegistry.newInstance();
diff --git a/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/ServicePerimeterConfig.java b/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/ServicePerimeterConfig.java
index 9d09306abba8..74ae22f85e7b 100644
--- a/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/ServicePerimeterConfig.java
+++ b/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/ServicePerimeterConfig.java
@@ -5268,225 +5268,216 @@ public com.google.protobuf.Parser getParserForType() {
     }
   }
 
-  public interface EgressToOrBuilder
+  public interface IngressFromOrBuilder
       extends
-      // @@protoc_insertion_point(interface_extends:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo)
+      // @@protoc_insertion_point(interface_extends:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom)
       com.google.protobuf.MessageOrBuilder {
 
     /**
      *
      *
      * 
-     * A list of resources, currently only projects in the form
-     * `projects/<projectnumber>`, that are allowed to be accessed by sources
-     * defined in the corresponding [EgressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-     * A request matches if it contains a resource in this list.  If `*` is
-     * specified for `resources`, then this [EgressTo]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
-     * rule will authorize access to all resources outside the perimeter.
+     * Sources that this [IngressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+     * authorizes access from.
      * 
* - * repeated string resources = 1; - * - * @return A list containing the resources. + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * */ - java.util.List getResourcesList(); + java.util.List + getSourcesList(); /** * * *
-     * A list of resources, currently only projects in the form
-     * `projects/<projectnumber>`, that are allowed to be accessed by sources
-     * defined in the corresponding [EgressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-     * A request matches if it contains a resource in this list.  If `*` is
-     * specified for `resources`, then this [EgressTo]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
-     * rule will authorize access to all resources outside the perimeter.
+     * Sources that this [IngressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+     * authorizes access from.
      * 
* - * repeated string resources = 1; + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * + */ + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource getSources( + int index); + /** * - * @return The count of resources. + * + *
+     * Sources that this [IngressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+     * authorizes access from.
+     * 
+ * + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * */ - int getResourcesCount(); + int getSourcesCount(); /** * * *
-     * A list of resources, currently only projects in the form
-     * `projects/<projectnumber>`, that are allowed to be accessed by sources
-     * defined in the corresponding [EgressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-     * A request matches if it contains a resource in this list.  If `*` is
-     * specified for `resources`, then this [EgressTo]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
-     * rule will authorize access to all resources outside the perimeter.
+     * Sources that this [IngressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+     * authorizes access from.
      * 
* - * repeated string resources = 1; + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * + */ + java.util.List< + ? extends + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig + .IngressSourceOrBuilder> + getSourcesOrBuilderList(); + /** * - * @param index The index of the element to return. - * @return The resources at the given index. + * + *
+     * Sources that this [IngressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+     * authorizes access from.
+     * 
+ * + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * */ - java.lang.String getResources(int index); + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSourceOrBuilder + getSourcesOrBuilder(int index); + /** * * *
-     * A list of resources, currently only projects in the form
-     * `projects/<projectnumber>`, that are allowed to be accessed by sources
-     * defined in the corresponding [EgressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-     * A request matches if it contains a resource in this list.  If `*` is
-     * specified for `resources`, then this [EgressTo]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
-     * rule will authorize access to all resources outside the perimeter.
+     * A list of identities that are allowed access through this ingress
+     * policy. Should be in the format of email address. The email address
+     * should represent individual user or service account only.
      * 
* - * repeated string resources = 1; + * repeated string identities = 2; * - * @param index The index of the value to return. - * @return The bytes of the resources at the given index. + * @return A list containing the identities. */ - com.google.protobuf.ByteString getResourcesBytes(int index); - + java.util.List getIdentitiesList(); /** * * *
-     * A list of [ApiOperations]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * allowed to be performed by the sources specified in the corresponding
-     * [EgressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-     * A request matches if it uses an operation/service in this list.
+     * A list of identities that are allowed access through this ingress
+     * policy. Should be in the format of email address. The email address
+     * should represent individual user or service account only.
      * 
* - * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; - * + * repeated string identities = 2; + * + * @return The count of identities. */ - java.util.List - getOperationsList(); + int getIdentitiesCount(); /** * * *
-     * A list of [ApiOperations]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * allowed to be performed by the sources specified in the corresponding
-     * [EgressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-     * A request matches if it uses an operation/service in this list.
+     * A list of identities that are allowed access through this ingress
+     * policy. Should be in the format of email address. The email address
+     * should represent individual user or service account only.
      * 
* - * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; - * + * repeated string identities = 2; + * + * @param index The index of the element to return. + * @return The identities at the given index. */ - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation getOperations( - int index); + java.lang.String getIdentities(int index); /** * * *
-     * A list of [ApiOperations]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * allowed to be performed by the sources specified in the corresponding
-     * [EgressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-     * A request matches if it uses an operation/service in this list.
+     * A list of identities that are allowed access through this ingress
+     * policy. Should be in the format of email address. The email address
+     * should represent individual user or service account only.
      * 
* - * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; - * + * repeated string identities = 2; + * + * @param index The index of the value to return. + * @return The bytes of the identities at the given index. */ - int getOperationsCount(); + com.google.protobuf.ByteString getIdentitiesBytes(int index); + /** * * *
-     * A list of [ApiOperations]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * allowed to be performed by the sources specified in the corresponding
-     * [EgressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-     * A request matches if it uses an operation/service in this list.
+     * Specifies the type of identities that are allowed access from outside the
+     * perimeter. If left unspecified, then members of `identities` field will
+     * be allowed access.
      * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 3; * + * + * @return The enum numeric value on the wire for identityType. */ - java.util.List< - ? extends - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .ApiOperationOrBuilder> - getOperationsOrBuilderList(); + int getIdentityTypeValue(); /** * * *
-     * A list of [ApiOperations]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * allowed to be performed by the sources specified in the corresponding
-     * [EgressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-     * A request matches if it uses an operation/service in this list.
+     * Specifies the type of identities that are allowed access from outside the
+     * perimeter. If left unspecified, then members of `identities` field will
+     * be allowed access.
      * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 3; * + * + * @return The identityType. */ - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperationOrBuilder - getOperationsOrBuilder(int index); + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType + getIdentityType(); } /** * * *
-   * Defines the conditions under which an [EgressPolicy]
-   * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-   * matches a request. Conditions are based on information about the
-   * [ApiOperation]
-   * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-   * intended to be performed on the `resources` specified. Note that if the
-   * destination of the request is also protected by a [ServicePerimeter]
-   * [google.identity.accesscontextmanager.v1.ServicePerimeter], then that
-   * [ServicePerimeter]
-   * [google.identity.accesscontextmanager.v1.ServicePerimeter] must have
-   * an [IngressPolicy]
+   * Defines the conditions under which an [IngressPolicy]
    * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-   * which allows access in order for this request to succeed. The request must
-   * match `operations` AND `resources` fields in order to be allowed egress out
-   * of the perimeter.
+   * matches a request. Conditions are based on information about the source of
+   * the request. The request must satisfy what is defined in `sources` AND
+   * identity related fields in order to match.
    * 
* - * Protobuf type {@code google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo} + * Protobuf type {@code + * google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom} */ - public static final class EgressTo extends com.google.protobuf.GeneratedMessageV3 + public static final class IngressFrom extends com.google.protobuf.GeneratedMessageV3 implements - // @@protoc_insertion_point(message_implements:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo) - EgressToOrBuilder { + // @@protoc_insertion_point(message_implements:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom) + IngressFromOrBuilder { private static final long serialVersionUID = 0L; - // Use EgressTo.newBuilder() to construct. - private EgressTo(com.google.protobuf.GeneratedMessageV3.Builder builder) { + // Use IngressFrom.newBuilder() to construct. + private IngressFrom(com.google.protobuf.GeneratedMessageV3.Builder builder) { super(builder); } - private EgressTo() { - resources_ = com.google.protobuf.LazyStringArrayList.EMPTY; - operations_ = java.util.Collections.emptyList(); + private IngressFrom() { + sources_ = java.util.Collections.emptyList(); + identities_ = com.google.protobuf.LazyStringArrayList.EMPTY; + identityType_ = 0; } @java.lang.Override @SuppressWarnings({"unused"}) protected java.lang.Object newInstance(UnusedPrivateParameter unused) { - return new EgressTo(); + return new IngressFrom(); } @java.lang.Override 
@@ -5496,220 +5487,234 @@ public final com.google.protobuf.UnknownFieldSet getUnknownFields() { public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() { return com.google.identity.accesscontextmanager.v1.ServicePerimeterProto - .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressTo_descriptor; + .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressFrom_descriptor; } @java.lang.Override protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable() { return com.google.identity.accesscontextmanager.v1.ServicePerimeterProto - .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressTo_fieldAccessorTable + .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressFrom_fieldAccessorTable .ensureFieldAccessorsInitialized( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo.class, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo.Builder + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom.class, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom.Builder .class); } - public static final int RESOURCES_FIELD_NUMBER = 1; - private com.google.protobuf.LazyStringList resources_; - /** + public static final int SOURCES_FIELD_NUMBER = 1; + private java.util.List< + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource> + sources_; + /** * * *
-     * A list of resources, currently only projects in the form
-     * `projects/<projectnumber>`, that are allowed to be accessed by sources
-     * defined in the corresponding [EgressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-     * A request matches if it contains a resource in this list.  If `*` is
-     * specified for `resources`, then this [EgressTo]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
-     * rule will authorize access to all resources outside the perimeter.
+     * Sources that this [IngressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+     * authorizes access from.
      * 
* - * repeated string resources = 1; - * - * @return A list containing the resources. + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * */ - public com.google.protobuf.ProtocolStringList getResourcesList() { - return resources_; + @java.lang.Override + public java.util.List< + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource> + getSourcesList() { + return sources_; } /** * * *
-     * A list of resources, currently only projects in the form
-     * `projects/<projectnumber>`, that are allowed to be accessed by sources
-     * defined in the corresponding [EgressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-     * A request matches if it contains a resource in this list.  If `*` is
-     * specified for `resources`, then this [EgressTo]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
-     * rule will authorize access to all resources outside the perimeter.
+     * Sources that this [IngressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+     * authorizes access from.
      * 
* - * repeated string resources = 1; - * - * @return The count of resources. + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * */ - public int getResourcesCount() { - return resources_.size(); + @java.lang.Override + public java.util.List< + ? extends + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig + .IngressSourceOrBuilder> + getSourcesOrBuilderList() { + return sources_; } /** * * *
-     * A list of resources, currently only projects in the form
-     * `projects/<projectnumber>`, that are allowed to be accessed by sources
-     * defined in the corresponding [EgressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-     * A request matches if it contains a resource in this list.  If `*` is
-     * specified for `resources`, then this [EgressTo]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
-     * rule will authorize access to all resources outside the perimeter.
+     * Sources that this [IngressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+     * authorizes access from.
      * 
* - * repeated string resources = 1; - * - * @param index The index of the element to return. - * @return The resources at the given index. + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * */ - public java.lang.String getResources(int index) { - return resources_.get(index); + @java.lang.Override + public int getSourcesCount() { + return sources_.size(); } /** * * *
-     * A list of resources, currently only projects in the form
-     * `projects/<projectnumber>`, that are allowed to be accessed by sources
-     * defined in the corresponding [EgressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-     * A request matches if it contains a resource in this list.  If `*` is
-     * specified for `resources`, then this [EgressTo]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
-     * rule will authorize access to all resources outside the perimeter.
+     * Sources that this [IngressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+     * authorizes access from.
      * 
* - * repeated string resources = 1; - * - * @param index The index of the value to return. - * @return The bytes of the resources at the given index. + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * */ - public com.google.protobuf.ByteString getResourcesBytes(int index) { - return resources_.getByteString(index); + @java.lang.Override + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource + getSources(int index) { + return sources_.get(index); } - - public static final int OPERATIONS_FIELD_NUMBER = 2; - private java.util.List< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation> - operations_; /** * * *
-     * A list of [ApiOperations]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * allowed to be performed by the sources specified in the corresponding
-     * [EgressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-     * A request matches if it uses an operation/service in this list.
+     * Sources that this [IngressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+     * authorizes access from.
      * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; * */ @java.lang.Override - public java.util.List< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation> - getOperationsList() { - return operations_; + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSourceOrBuilder + getSourcesOrBuilder(int index) { + return sources_.get(index); + } + + public static final int IDENTITIES_FIELD_NUMBER = 2; + private com.google.protobuf.LazyStringList identities_; + /** + * + * + *
+     * A list of identities that are allowed access through this ingress
+     * policy. Should be in the format of email address. The email address
+     * should represent individual user or service account only.
+     * 
+ * + * repeated string identities = 2; + * + * @return A list containing the identities. + */ + public com.google.protobuf.ProtocolStringList getIdentitiesList() { + return identities_; } /** * * *
-     * A list of [ApiOperations]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * allowed to be performed by the sources specified in the corresponding
-     * [EgressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-     * A request matches if it uses an operation/service in this list.
+     * A list of identities that are allowed access through this ingress
+     * policy. Should be in the format of email address. The email address
+     * should represent individual user or service account only.
      * 
* - * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; - * + * repeated string identities = 2; + * + * @return The count of identities. */ - @java.lang.Override - public java.util.List< - ? extends - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .ApiOperationOrBuilder> - getOperationsOrBuilderList() { - return operations_; + public int getIdentitiesCount() { + return identities_.size(); } /** * * *
-     * A list of [ApiOperations]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * allowed to be performed by the sources specified in the corresponding
-     * [EgressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-     * A request matches if it uses an operation/service in this list.
+     * A list of identities that are allowed access through this ingress
+     * policy. Should be in the format of email address. The email address
+     * should represent individual user or service account only.
      * 
* - * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; - * + * repeated string identities = 2; + * + * @param index The index of the element to return. + * @return The identities at the given index. */ - @java.lang.Override - public int getOperationsCount() { - return operations_.size(); + public java.lang.String getIdentities(int index) { + return identities_.get(index); } /** * * *
-     * A list of [ApiOperations]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * allowed to be performed by the sources specified in the corresponding
-     * [EgressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-     * A request matches if it uses an operation/service in this list.
+     * A list of identities that are allowed access through this ingress
+     * policy. Should be in the format of email address. The email address
+     * should represent individual user or service account only.
+     * 
+ * + * repeated string identities = 2; + * + * @param index The index of the value to return. + * @return The bytes of the identities at the given index. + */ + public com.google.protobuf.ByteString getIdentitiesBytes(int index) { + return identities_.getByteString(index); + } + + public static final int IDENTITY_TYPE_FIELD_NUMBER = 3; + private int identityType_; + /** + * + * + *
+     * Specifies the type of identities that are allowed access from outside the
+     * perimeter. If left unspecified, then members of `identities` field will
+     * be allowed access.
      * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 3; * + * + * @return The enum numeric value on the wire for identityType. */ @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation - getOperations(int index) { - return operations_.get(index); + public int getIdentityTypeValue() { + return identityType_; } /** * * *
-     * A list of [ApiOperations]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * allowed to be performed by the sources specified in the corresponding
-     * [EgressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-     * A request matches if it uses an operation/service in this list.
+     * Specifies the type of identities that are allowed access from outside the
+     * perimeter. If left unspecified, then members of `identities` field will
+     * be allowed access.
      * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 3; * + * + * @return The identityType. */ @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperationOrBuilder - getOperationsOrBuilder(int index) { - return operations_.get(index); + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType + getIdentityType() { + @SuppressWarnings("deprecation") + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType result = + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType.valueOf( + identityType_); + return result == null + ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType + .UNRECOGNIZED + : result; } private byte memoizedIsInitialized = -1; @@ -5726,11 +5731,17 @@ public final boolean isInitialized() { @java.lang.Override public void writeTo(com.google.protobuf.CodedOutputStream output) throws java.io.IOException { - for (int i = 0; i < resources_.size(); i++) { - com.google.protobuf.GeneratedMessageV3.writeString(output, 1, resources_.getRaw(i)); - } - for (int i = 0; i < operations_.size(); i++) { - output.writeMessage(2, operations_.get(i)); + for (int i = 0; i < sources_.size(); i++) { + output.writeMessage(1, sources_.get(i)); + } + for (int i = 0; i < identities_.size(); i++) { + com.google.protobuf.GeneratedMessageV3.writeString(output, 2, identities_.getRaw(i)); + } + if (identityType_ + != com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType + .IDENTITY_TYPE_UNSPECIFIED + .getNumber()) { + output.writeEnum(3, identityType_); } getUnknownFields().writeTo(output); } 
@@ -5741,16 +5752,22 @@ public int getSerializedSize() { if (size != -1) return size; size = 0; + for (int i = 0; i < sources_.size(); i++) { + size += com.google.protobuf.CodedOutputStream.computeMessageSize(1, sources_.get(i)); + } { int dataSize = 0; - for (int i = 0; i < resources_.size(); i++) { - dataSize += computeStringSizeNoTag(resources_.getRaw(i)); + for (int i = 0; i < identities_.size(); i++) { + dataSize += computeStringSizeNoTag(identities_.getRaw(i)); } size += dataSize; - size += 1 * getResourcesList().size(); + size += 1 * getIdentitiesList().size(); } - for (int i = 0; i < operations_.size(); i++) { - size += com.google.protobuf.CodedOutputStream.computeMessageSize(2, operations_.get(i)); + if (identityType_ + != com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType + .IDENTITY_TYPE_UNSPECIFIED + .getNumber()) { + size += com.google.protobuf.CodedOutputStream.computeEnumSize(3, identityType_); } size += getUnknownFields().getSerializedSize(); memoizedSize = size; 
@@ -5763,14 +5780,16 @@ public boolean equals(final java.lang.Object obj) { return true; } if (!(obj - instanceof com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo)) { + instanceof + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom)) { return super.equals(obj); } - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo other = - (com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo) obj; + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom other = + (com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom) obj; - if (!getResourcesList().equals(other.getResourcesList())) return false; - if (!getOperationsList().equals(other.getOperationsList())) return false; + if (!getSourcesList().equals(other.getSourcesList())) return false; + if (!getIdentitiesList().equals(other.getIdentitiesList())) return false; + if (identityType_ != other.identityType_) return false; if (!getUnknownFields().equals(other.getUnknownFields())) return false; return true; } 
@@ -5782,39 +5801,41 @@ public int hashCode() { } int hash = 41; hash = (19 * hash) + getDescriptor().hashCode(); - if (getResourcesCount() > 0) { - hash = (37 * hash) + RESOURCES_FIELD_NUMBER; - hash = (53 * hash) + getResourcesList().hashCode(); + if (getSourcesCount() > 0) { + hash = (37 * hash) + SOURCES_FIELD_NUMBER; + hash = (53 * hash) + getSourcesList().hashCode(); } - if (getOperationsCount() > 0) { - hash = (37 * hash) + OPERATIONS_FIELD_NUMBER; - hash = (53 * hash) + getOperationsList().hashCode(); + if (getIdentitiesCount() > 0) { + hash = (37 * hash) + IDENTITIES_FIELD_NUMBER; + hash = (53 * hash) + getIdentitiesList().hashCode(); } + hash = (37 * hash) + IDENTITY_TYPE_FIELD_NUMBER; + hash = (53 * hash) + identityType_; hash = (29 * hash) + getUnknownFields().hashCode(); memoizedHashCode = hash; return hash; } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom parseFrom(java.nio.ByteBuffer data) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom parseFrom( java.nio.ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data, extensionRegistry); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom parseFrom(com.google.protobuf.ByteString data) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo + public static 
com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom parseFrom( com.google.protobuf.ByteString data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) @@ -5822,23 +5843,23 @@ public int hashCode() { return PARSER.parseFrom(data, extensionRegistry); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom parseFrom(byte[] data) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom parseFrom(byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data, extensionRegistry); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom parseFrom(java.io.InputStream input) throws java.io.IOException { return com.google.protobuf.GeneratedMessageV3.parseWithIOException(PARSER, input); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom parseFrom( java.io.InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws java.io.IOException { 
@@ -5846,12 +5867,12 @@ public int hashCode() { PARSER, input, extensionRegistry); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom parseDelimitedFrom(java.io.InputStream input) throws java.io.IOException { return com.google.protobuf.GeneratedMessageV3.parseDelimitedWithIOException(PARSER, input); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom parseDelimitedFrom( java.io.InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws java.io.IOException { @@ -5859,12 +5880,12 @@ public int hashCode() { PARSER, input, extensionRegistry); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom parseFrom(com.google.protobuf.CodedInputStream input) throws java.io.IOException { return com.google.protobuf.GeneratedMessageV3.parseWithIOException(PARSER, input); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom parseFrom( com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) @@ -5883,7 +5904,7 @@ public static Builder newBuilder() { } public static Builder newBuilder( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo prototype) { + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom prototype) { return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype); } @@ -5902,48 +5923,40 @@ protected Builder newBuilderForType( * * *
-     * Defines the conditions under which an [EgressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-     * matches a request. Conditions are based on information about the
-     * [ApiOperation]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * intended to be performed on the `resources` specified. Note that if the
-     * destination of the request is also protected by a [ServicePerimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter], then that
-     * [ServicePerimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] must have
-     * an [IngressPolicy]
+     * Defines the conditions under which an [IngressPolicy]
      * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-     * which allows access in order for this request to succeed. The request must
-     * match `operations` AND `resources` fields in order to be allowed egress out
-     * of the perimeter.
+     * matches a request. Conditions are based on information about the source of
+     * the request. The request must satisfy what is defined in `sources` AND
+     * identity related fields in order to match.
      * 
* - * Protobuf type {@code google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo} + * Protobuf type {@code + * google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom} */ public static final class Builder extends com.google.protobuf.GeneratedMessageV3.Builder implements - // @@protoc_insertion_point(builder_implements:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo) - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressToOrBuilder { + // @@protoc_insertion_point(builder_implements:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom) + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFromOrBuilder { public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() { return com.google.identity.accesscontextmanager.v1.ServicePerimeterProto - .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressTo_descriptor; + .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressFrom_descriptor; } @java.lang.Override protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable() { return com.google.identity.accesscontextmanager.v1.ServicePerimeterProto - .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressTo_fieldAccessorTable + .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressFrom_fieldAccessorTable .ensureFieldAccessorsInitialized( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo.class, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo.Builder - .class); + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + .class, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + .Builder.class); } // Construct using - // 
com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo.newBuilder() + // com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom.newBuilder() private Builder() {} private Builder(com.google.protobuf.GeneratedMessageV3.BuilderParent parent) { 
@@ -5953,34 +5966,37 @@ private Builder(com.google.protobuf.GeneratedMessageV3.BuilderParent parent) { @java.lang.Override public Builder clear() { super.clear(); - resources_ = com.google.protobuf.LazyStringArrayList.EMPTY; - bitField0_ = (bitField0_ & ~0x00000001); - if (operationsBuilder_ == null) { - operations_ = java.util.Collections.emptyList(); + if (sourcesBuilder_ == null) { + sources_ = java.util.Collections.emptyList(); } else { - operations_ = null; - operationsBuilder_.clear(); + sources_ = null; + sourcesBuilder_.clear(); } + bitField0_ = (bitField0_ & ~0x00000001); + identities_ = com.google.protobuf.LazyStringArrayList.EMPTY; bitField0_ = (bitField0_ & ~0x00000002); + identityType_ = 0; + return this; } @java.lang.Override public com.google.protobuf.Descriptors.Descriptor getDescriptorForType() { return com.google.identity.accesscontextmanager.v1.ServicePerimeterProto - .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressTo_descriptor; + .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressFrom_descriptor; } @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom getDefaultInstanceForType() { - return com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo + return com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom .getDefaultInstance(); } @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo build() { - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo result = + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + build() { + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom result = buildPartial(); if (!result.isInitialized()) { throw 
newUninitializedMessageException(result); @@ -5989,25 +6005,27 @@ public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.Egress } @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom buildPartial() { - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo result = - new com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo(this); + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom result = + new com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom( + this); int from_bitField0_ = bitField0_; - if (((bitField0_ & 0x00000001) != 0)) { - resources_ = resources_.getUnmodifiableView(); - bitField0_ = (bitField0_ & ~0x00000001); - } - result.resources_ = resources_; - if (operationsBuilder_ == null) { - if (((bitField0_ & 0x00000002) != 0)) { - operations_ = java.util.Collections.unmodifiableList(operations_); - bitField0_ = (bitField0_ & ~0x00000002); + if (sourcesBuilder_ == null) { + if (((bitField0_ & 0x00000001) != 0)) { + sources_ = java.util.Collections.unmodifiableList(sources_); + bitField0_ = (bitField0_ & ~0x00000001); } - result.operations_ = operations_; + result.sources_ = sources_; } else { - result.operations_ = operationsBuilder_.build(); + result.sources_ = sourcesBuilder_.build(); } + if (((bitField0_ & 0x00000002) != 0)) { + identities_ = identities_.getUnmodifiableView(); + bitField0_ = (bitField0_ & ~0x00000002); + } + result.identities_ = identities_; + result.identityType_ = identityType_; onBuilt(); return result; } 
@@ -6051,9 +6069,10 @@ public Builder addRepeatedField( public Builder mergeFrom(com.google.protobuf.Message other) { if (other instanceof - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo) { + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom) { return mergeFrom( - (com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo) other); + (com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom) + other); } else { super.mergeFrom(other); return this; 
@@ -6061,47 +6080,50 @@ public Builder mergeFrom(com.google.protobuf.Message other) { } public Builder mergeFrom( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo other) { + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom other) { if (other - == com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo + == com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom .getDefaultInstance()) return this; - if (!other.resources_.isEmpty()) { - if (resources_.isEmpty()) { - resources_ = other.resources_; - bitField0_ = (bitField0_ & ~0x00000001); - } else { - ensureResourcesIsMutable(); - resources_.addAll(other.resources_); - } - onChanged(); - } - if (operationsBuilder_ == null) { - if (!other.operations_.isEmpty()) { - if (operations_.isEmpty()) { - operations_ = other.operations_; - bitField0_ = (bitField0_ & ~0x00000002); + if (sourcesBuilder_ == null) { + if (!other.sources_.isEmpty()) { + if (sources_.isEmpty()) { + sources_ = other.sources_; + bitField0_ = (bitField0_ & ~0x00000001); } else { - ensureOperationsIsMutable(); - operations_.addAll(other.operations_); + ensureSourcesIsMutable(); + sources_.addAll(other.sources_); } onChanged(); } } else { - if (!other.operations_.isEmpty()) { - if (operationsBuilder_.isEmpty()) { - operationsBuilder_.dispose(); - operationsBuilder_ = null; - operations_ = other.operations_; - bitField0_ = (bitField0_ & ~0x00000002); - operationsBuilder_ = + if (!other.sources_.isEmpty()) { + if (sourcesBuilder_.isEmpty()) { + sourcesBuilder_.dispose(); + sourcesBuilder_ = null; + sources_ = other.sources_; + bitField0_ = (bitField0_ & ~0x00000001); + sourcesBuilder_ = com.google.protobuf.GeneratedMessageV3.alwaysUseFieldBuilders - ? getOperationsFieldBuilder() + ? 
getSourcesFieldBuilder() : null; } else { - operationsBuilder_.addAllMessages(other.operations_); + sourcesBuilder_.addAllMessages(other.sources_); } } } + if (!other.identities_.isEmpty()) { + if (identities_.isEmpty()) { + identities_ = other.identities_; + bitField0_ = (bitField0_ & ~0x00000002); + } else { + ensureIdentitiesIsMutable(); + identities_.addAll(other.identities_); + } + onChanged(); + } + if (other.identityType_ != 0) { + setIdentityTypeValue(other.getIdentityTypeValue()); + } this.mergeUnknownFields(other.getUnknownFields()); onChanged(); return this; @@ -6130,27 +6152,33 @@ public Builder mergeFrom( break; case 10: { - java.lang.String s = input.readStringRequireUtf8(); - ensureResourcesIsMutable(); - resources_.add(s); - break; - } // case 10 - case 18: - { - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource m = input.readMessage( com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .ApiOperation.parser(), + .IngressSource.parser(), extensionRegistry); - if (operationsBuilder_ == null) { - ensureOperationsIsMutable(); - operations_.add(m); + if (sourcesBuilder_ == null) { + ensureSourcesIsMutable(); + sources_.add(m); } else { - operationsBuilder_.addMessage(m); + sourcesBuilder_.addMessage(m); } break; + } // case 10 + case 18: + { + java.lang.String s = input.readStringRequireUtf8(); + ensureIdentitiesIsMutable(); + identities_.add(s); + break; } // case 18 + case 24: + { + identityType_ = input.readEnum(); + + break; + } // case 24 default: { if (!super.parseUnknownField(input, extensionRegistry, tag)) { 
@@ -6170,753 +6198,774 @@ public Builder mergeFrom( private int bitField0_; - private com.google.protobuf.LazyStringList resources_ = - com.google.protobuf.LazyStringArrayList.EMPTY; + private java.util.List< + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource> + sources_ = java.util.Collections.emptyList(); - private void ensureResourcesIsMutable() { + private void ensureSourcesIsMutable() { if (!((bitField0_ & 0x00000001) != 0)) { - resources_ = new com.google.protobuf.LazyStringArrayList(resources_); + sources_ = + new java.util.ArrayList< + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource>( + sources_); bitField0_ |= 0x00000001; } } + + private com.google.protobuf.RepeatedFieldBuilderV3< + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource + .Builder, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig + .IngressSourceOrBuilder> + sourcesBuilder_; + /** * * *
-       * A list of resources, currently only projects in the form
-       * `projects/<projectnumber>`, that are allowed to be accessed by sources
-       * defined in the corresponding [EgressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-       * A request matches if it contains a resource in this list.  If `*` is
-       * specified for `resources`, then this [EgressTo]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
-       * rule will authorize access to all resources outside the perimeter.
+       * Sources that this [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * authorizes access from.
        * 
* - * repeated string resources = 1; - * - * @return A list containing the resources. + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * */ - public com.google.protobuf.ProtocolStringList getResourcesList() { - return resources_.getUnmodifiableView(); + public java.util.List< + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource> + getSourcesList() { + if (sourcesBuilder_ == null) { + return java.util.Collections.unmodifiableList(sources_); + } else { + return sourcesBuilder_.getMessageList(); + } } /** * * *
-       * A list of resources, currently only projects in the form
-       * `projects/<projectnumber>`, that are allowed to be accessed by sources
-       * defined in the corresponding [EgressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-       * A request matches if it contains a resource in this list.  If `*` is
-       * specified for `resources`, then this [EgressTo]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
-       * rule will authorize access to all resources outside the perimeter.
+       * Sources that this [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * authorizes access from.
        * 
* - * repeated string resources = 1; - * - * @return The count of resources. + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * */ - public int getResourcesCount() { - return resources_.size(); + public int getSourcesCount() { + if (sourcesBuilder_ == null) { + return sources_.size(); + } else { + return sourcesBuilder_.getCount(); + } } /** * * *
-       * A list of resources, currently only projects in the form
-       * `projects/<projectnumber>`, that are allowed to be accessed by sources
-       * defined in the corresponding [EgressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-       * A request matches if it contains a resource in this list.  If `*` is
-       * specified for `resources`, then this [EgressTo]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
-       * rule will authorize access to all resources outside the perimeter.
+       * Sources that this [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * authorizes access from.
        * 
* - * repeated string resources = 1; - * - * @param index The index of the element to return. - * @return The resources at the given index. + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * */ - public java.lang.String getResources(int index) { - return resources_.get(index); + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource + getSources(int index) { + if (sourcesBuilder_ == null) { + return sources_.get(index); + } else { + return sourcesBuilder_.getMessage(index); + } } /** * * *
-       * A list of resources, currently only projects in the form
-       * `projects/<projectnumber>`, that are allowed to be accessed by sources
-       * defined in the corresponding [EgressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-       * A request matches if it contains a resource in this list.  If `*` is
-       * specified for `resources`, then this [EgressTo]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
-       * rule will authorize access to all resources outside the perimeter.
+       * Sources that this [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * authorizes access from.
        * 
* - * repeated string resources = 1; - * - * @param index The index of the value to return. - * @return The bytes of the resources at the given index. + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * */ - public com.google.protobuf.ByteString getResourcesBytes(int index) { - return resources_.getByteString(index); + public Builder setSources( + int index, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource value) { + if (sourcesBuilder_ == null) { + if (value == null) { + throw new NullPointerException(); + } + ensureSourcesIsMutable(); + sources_.set(index, value); + onChanged(); + } else { + sourcesBuilder_.setMessage(index, value); + } + return this; } /** * * *
-       * A list of resources, currently only projects in the form
-       * `projects/<projectnumber>`, that are allowed to be accessed by sources
-       * defined in the corresponding [EgressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-       * A request matches if it contains a resource in this list.  If `*` is
-       * specified for `resources`, then this [EgressTo]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
-       * rule will authorize access to all resources outside the perimeter.
+       * Sources that this [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * authorizes access from.
        * 
* - * repeated string resources = 1; - * - * @param index The index to set the value at. - * @param value The resources to set. - * @return This builder for chaining. + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * */ - public Builder setResources(int index, java.lang.String value) { - if (value == null) { - throw new NullPointerException(); + public Builder setSources( + int index, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource.Builder + builderForValue) { + if (sourcesBuilder_ == null) { + ensureSourcesIsMutable(); + sources_.set(index, builderForValue.build()); + onChanged(); + } else { + sourcesBuilder_.setMessage(index, builderForValue.build()); } - ensureResourcesIsMutable(); - resources_.set(index, value); - onChanged(); return this; } /** * * *
-       * A list of resources, currently only projects in the form
-       * `projects/<projectnumber>`, that are allowed to be accessed by sources
-       * defined in the corresponding [EgressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-       * A request matches if it contains a resource in this list.  If `*` is
-       * specified for `resources`, then this [EgressTo]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
-       * rule will authorize access to all resources outside the perimeter.
+       * Sources that this [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * authorizes access from.
        * 
* - * repeated string resources = 1; - * - * @param value The resources to add. - * @return This builder for chaining. + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * */ - public Builder addResources(java.lang.String value) { - if (value == null) { - throw new NullPointerException(); + public Builder addSources( + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource value) { + if (sourcesBuilder_ == null) { + if (value == null) { + throw new NullPointerException(); + } + ensureSourcesIsMutable(); + sources_.add(value); + onChanged(); + } else { + sourcesBuilder_.addMessage(value); } - ensureResourcesIsMutable(); - resources_.add(value); - onChanged(); return this; } /** * * *
-       * A list of resources, currently only projects in the form
-       * `projects/<projectnumber>`, that are allowed to be accessed by sources
-       * defined in the corresponding [EgressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-       * A request matches if it contains a resource in this list.  If `*` is
-       * specified for `resources`, then this [EgressTo]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
-       * rule will authorize access to all resources outside the perimeter.
+       * Sources that this [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * authorizes access from.
        * 
* - * repeated string resources = 1; - * - * @param values The resources to add. - * @return This builder for chaining. + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * */ - public Builder addAllResources(java.lang.Iterable values) { - ensureResourcesIsMutable(); - com.google.protobuf.AbstractMessageLite.Builder.addAll(values, resources_); - onChanged(); + public Builder addSources( + int index, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource value) { + if (sourcesBuilder_ == null) { + if (value == null) { + throw new NullPointerException(); + } + ensureSourcesIsMutable(); + sources_.add(index, value); + onChanged(); + } else { + sourcesBuilder_.addMessage(index, value); + } return this; } /** * * *
-       * A list of resources, currently only projects in the form
-       * `projects/<projectnumber>`, that are allowed to be accessed by sources
-       * defined in the corresponding [EgressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-       * A request matches if it contains a resource in this list.  If `*` is
-       * specified for `resources`, then this [EgressTo]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
-       * rule will authorize access to all resources outside the perimeter.
+       * Sources that this [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * authorizes access from.
        * 
* - * repeated string resources = 1; - * - * @return This builder for chaining. + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * */ - public Builder clearResources() { - resources_ = com.google.protobuf.LazyStringArrayList.EMPTY; - bitField0_ = (bitField0_ & ~0x00000001); - onChanged(); + public Builder addSources( + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource.Builder + builderForValue) { + if (sourcesBuilder_ == null) { + ensureSourcesIsMutable(); + sources_.add(builderForValue.build()); + onChanged(); + } else { + sourcesBuilder_.addMessage(builderForValue.build()); + } return this; } /** * * *
-       * A list of resources, currently only projects in the form
-       * `projects/<projectnumber>`, that are allowed to be accessed by sources
-       * defined in the corresponding [EgressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-       * A request matches if it contains a resource in this list.  If `*` is
-       * specified for `resources`, then this [EgressTo]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
-       * rule will authorize access to all resources outside the perimeter.
+       * Sources that this [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * authorizes access from.
        * 
* - * repeated string resources = 1; - * - * @param value The bytes of the resources to add. - * @return This builder for chaining. + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * */ - public Builder addResourcesBytes(com.google.protobuf.ByteString value) { - if (value == null) { - throw new NullPointerException(); + public Builder addSources( + int index, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource.Builder + builderForValue) { + if (sourcesBuilder_ == null) { + ensureSourcesIsMutable(); + sources_.add(index, builderForValue.build()); + onChanged(); + } else { + sourcesBuilder_.addMessage(index, builderForValue.build()); } - checkByteStringIsUtf8(value); - ensureResourcesIsMutable(); - resources_.add(value); - onChanged(); return this; } - - private java.util.List< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation> - operations_ = java.util.Collections.emptyList(); - - private void ensureOperationsIsMutable() { - if (!((bitField0_ & 0x00000002) != 0)) { - operations_ = - new java.util.ArrayList< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation>( - operations_); - bitField0_ |= 0x00000002; - } - } - - private com.google.protobuf.RepeatedFieldBuilderV3< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation - .Builder, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .ApiOperationOrBuilder> - operationsBuilder_; - /** * * *
-       * A list of [ApiOperations]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in the corresponding
-       * [EgressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-       * A request matches if it uses an operation/service in this list.
+       * Sources that this [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * authorizes access from.
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; * */ - public java.util.List< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation> - getOperationsList() { - if (operationsBuilder_ == null) { - return java.util.Collections.unmodifiableList(operations_); + public Builder addAllSources( + java.lang.Iterable< + ? extends + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig + .IngressSource> + values) { + if (sourcesBuilder_ == null) { + ensureSourcesIsMutable(); + com.google.protobuf.AbstractMessageLite.Builder.addAll(values, sources_); + onChanged(); } else { - return operationsBuilder_.getMessageList(); + sourcesBuilder_.addAllMessages(values); } + return this; } /** * * *
-       * A list of [ApiOperations]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in the corresponding
-       * [EgressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-       * A request matches if it uses an operation/service in this list.
+       * Sources that this [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * authorizes access from.
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; * */ - public int getOperationsCount() { - if (operationsBuilder_ == null) { - return operations_.size(); + public Builder clearSources() { + if (sourcesBuilder_ == null) { + sources_ = java.util.Collections.emptyList(); + bitField0_ = (bitField0_ & ~0x00000001); + onChanged(); } else { - return operationsBuilder_.getCount(); + sourcesBuilder_.clear(); } + return this; } /** * * *
-       * A list of [ApiOperations]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in the corresponding
-       * [EgressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-       * A request matches if it uses an operation/service in this list.
+       * Sources that this [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * authorizes access from.
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; * */ - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation - getOperations(int index) { - if (operationsBuilder_ == null) { - return operations_.get(index); + public Builder removeSources(int index) { + if (sourcesBuilder_ == null) { + ensureSourcesIsMutable(); + sources_.remove(index); + onChanged(); } else { - return operationsBuilder_.getMessage(index); + sourcesBuilder_.remove(index); } + return this; } /** * * *
-       * A list of [ApiOperations]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in the corresponding
-       * [EgressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-       * A request matches if it uses an operation/service in this list.
+       * Sources that this [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * authorizes access from.
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; * */ - public Builder setOperations( - int index, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation value) { - if (operationsBuilder_ == null) { - if (value == null) { - throw new NullPointerException(); - } - ensureOperationsIsMutable(); - operations_.set(index, value); - onChanged(); - } else { - operationsBuilder_.setMessage(index, value); - } - return this; + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource + .Builder + getSourcesBuilder(int index) { + return getSourcesFieldBuilder().getBuilder(index); } /** * * *
-       * A list of [ApiOperations]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in the corresponding
-       * [EgressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-       * A request matches if it uses an operation/service in this list.
+       * Sources that this [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * authorizes access from.
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; * */ - public Builder setOperations( - int index, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation.Builder - builderForValue) { - if (operationsBuilder_ == null) { - ensureOperationsIsMutable(); - operations_.set(index, builderForValue.build()); - onChanged(); + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig + .IngressSourceOrBuilder + getSourcesOrBuilder(int index) { + if (sourcesBuilder_ == null) { + return sources_.get(index); } else { - operationsBuilder_.setMessage(index, builderForValue.build()); + return sourcesBuilder_.getMessageOrBuilder(index); } - return this; } /** * * *
-       * A list of [ApiOperations]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in the corresponding
-       * [EgressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-       * A request matches if it uses an operation/service in this list.
+       * Sources that this [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * authorizes access from.
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; * */ - public Builder addOperations( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation value) { - if (operationsBuilder_ == null) { - if (value == null) { - throw new NullPointerException(); - } - ensureOperationsIsMutable(); - operations_.add(value); - onChanged(); + public java.util.List< + ? extends + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig + .IngressSourceOrBuilder> + getSourcesOrBuilderList() { + if (sourcesBuilder_ != null) { + return sourcesBuilder_.getMessageOrBuilderList(); } else { - operationsBuilder_.addMessage(value); + return java.util.Collections.unmodifiableList(sources_); } - return this; } /** * * *
-       * A list of [ApiOperations]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in the corresponding
-       * [EgressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-       * A request matches if it uses an operation/service in this list.
+       * Sources that this [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * authorizes access from.
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; * */ - public Builder addOperations( - int index, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation value) { - if (operationsBuilder_ == null) { - if (value == null) { - throw new NullPointerException(); - } - ensureOperationsIsMutable(); - operations_.add(index, value); - onChanged(); - } else { - operationsBuilder_.addMessage(index, value); - } - return this; + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource + .Builder + addSourcesBuilder() { + return getSourcesFieldBuilder() + .addBuilder( + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource + .getDefaultInstance()); } /** * * *
-       * A list of [ApiOperations]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in the corresponding
-       * [EgressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-       * A request matches if it uses an operation/service in this list.
+       * Sources that this [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * authorizes access from.
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; * */ - public Builder addOperations( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation.Builder - builderForValue) { - if (operationsBuilder_ == null) { - ensureOperationsIsMutable(); - operations_.add(builderForValue.build()); - onChanged(); - } else { - operationsBuilder_.addMessage(builderForValue.build()); - } - return this; + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource + .Builder + addSourcesBuilder(int index) { + return getSourcesFieldBuilder() + .addBuilder( + index, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource + .getDefaultInstance()); } /** * * *
-       * A list of [ApiOperations]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in the corresponding
-       * [EgressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-       * A request matches if it uses an operation/service in this list.
+       * Sources that this [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * authorizes access from.
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; * */ - public Builder addOperations( - int index, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation.Builder - builderForValue) { - if (operationsBuilder_ == null) { - ensureOperationsIsMutable(); - operations_.add(index, builderForValue.build()); - onChanged(); - } else { - operationsBuilder_.addMessage(index, builderForValue.build()); + public java.util.List< + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource + .Builder> + getSourcesBuilderList() { + return getSourcesFieldBuilder().getBuilderList(); + } + + private com.google.protobuf.RepeatedFieldBuilderV3< + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource + .Builder, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig + .IngressSourceOrBuilder> + getSourcesFieldBuilder() { + if (sourcesBuilder_ == null) { + sourcesBuilder_ = + new com.google.protobuf.RepeatedFieldBuilderV3< + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource + .Builder, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig + .IngressSourceOrBuilder>( + sources_, ((bitField0_ & 0x00000001) != 0), getParentForChildren(), isClean()); + sources_ = null; + } + return sourcesBuilder_; + } + + private com.google.protobuf.LazyStringList identities_ = + com.google.protobuf.LazyStringArrayList.EMPTY; + + private void ensureIdentitiesIsMutable() { + if (!((bitField0_ & 0x00000002) != 0)) { + identities_ = new com.google.protobuf.LazyStringArrayList(identities_); + bitField0_ |= 0x00000002; } - return this; } /** * * *
-       * A list of [ApiOperations]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in the corresponding
-       * [EgressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-       * A request matches if it uses an operation/service in this list.
+       * A list of identities that are allowed access through this ingress
+       * policy. Should be in the format of email address. The email address
+       * should represent individual user or service account only.
        * 
* - * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; - * + * repeated string identities = 2; + * + * @return A list containing the identities. */ - public Builder addAllOperations( - java.lang.Iterable< - ? extends - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .ApiOperation> - values) { - if (operationsBuilder_ == null) { - ensureOperationsIsMutable(); - com.google.protobuf.AbstractMessageLite.Builder.addAll(values, operations_); - onChanged(); - } else { - operationsBuilder_.addAllMessages(values); - } - return this; + public com.google.protobuf.ProtocolStringList getIdentitiesList() { + return identities_.getUnmodifiableView(); } /** * * *
-       * A list of [ApiOperations]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in the corresponding
-       * [EgressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-       * A request matches if it uses an operation/service in this list.
+       * A list of identities that are allowed access through this ingress
+       * policy. Should be in the format of email address. The email address
+       * should represent individual user or service account only.
        * 
* - * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; - * + * repeated string identities = 2; + * + * @return The count of identities. */ - public Builder clearOperations() { - if (operationsBuilder_ == null) { - operations_ = java.util.Collections.emptyList(); - bitField0_ = (bitField0_ & ~0x00000002); - onChanged(); - } else { - operationsBuilder_.clear(); - } - return this; + public int getIdentitiesCount() { + return identities_.size(); } /** * * *
-       * A list of [ApiOperations]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in the corresponding
-       * [EgressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-       * A request matches if it uses an operation/service in this list.
+       * A list of identities that are allowed access through this ingress
+       * policy. Should be in the format of email address. The email address
+       * should represent individual user or service account only.
        * 
* - * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; - * + * repeated string identities = 2; + * + * @param index The index of the element to return. + * @return The identities at the given index. */ - public Builder removeOperations(int index) { - if (operationsBuilder_ == null) { - ensureOperationsIsMutable(); - operations_.remove(index); - onChanged(); - } else { - operationsBuilder_.remove(index); - } - return this; + public java.lang.String getIdentities(int index) { + return identities_.get(index); } /** * * *
-       * A list of [ApiOperations]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in the corresponding
-       * [EgressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-       * A request matches if it uses an operation/service in this list.
+       * A list of identities that are allowed access through this ingress
+       * policy. Should be in the format of email address. The email address
+       * should represent individual user or service account only.
        * 
* - * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; - * + * repeated string identities = 2; + * + * @param index The index of the value to return. + * @return The bytes of the identities at the given index. */ - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation.Builder - getOperationsBuilder(int index) { - return getOperationsFieldBuilder().getBuilder(index); + public com.google.protobuf.ByteString getIdentitiesBytes(int index) { + return identities_.getByteString(index); } /** * * *
-       * A list of [ApiOperations]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in the corresponding
-       * [EgressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-       * A request matches if it uses an operation/service in this list.
+       * A list of identities that are allowed access through this ingress
+       * policy. Should be in the format of email address. The email address
+       * should represent individual user or service account only.
        * 
* - * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; - * + * repeated string identities = 2; + * + * @param index The index to set the value at. + * @param value The identities to set. + * @return This builder for chaining. */ - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .ApiOperationOrBuilder - getOperationsOrBuilder(int index) { - if (operationsBuilder_ == null) { - return operations_.get(index); - } else { - return operationsBuilder_.getMessageOrBuilder(index); + public Builder setIdentities(int index, java.lang.String value) { + if (value == null) { + throw new NullPointerException(); } + ensureIdentitiesIsMutable(); + identities_.set(index, value); + onChanged(); + return this; } /** * * *
-       * A list of [ApiOperations]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in the corresponding
-       * [EgressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-       * A request matches if it uses an operation/service in this list.
+       * A list of identities that are allowed access through this ingress
+       * policy. Should be in the format of email address. The email address
+       * should represent individual user or service account only.
        * 
* - * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; - * + * repeated string identities = 2; + * + * @param value The identities to add. + * @return This builder for chaining. */ - public java.util.List< - ? extends - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .ApiOperationOrBuilder> - getOperationsOrBuilderList() { - if (operationsBuilder_ != null) { - return operationsBuilder_.getMessageOrBuilderList(); - } else { - return java.util.Collections.unmodifiableList(operations_); + public Builder addIdentities(java.lang.String value) { + if (value == null) { + throw new NullPointerException(); } + ensureIdentitiesIsMutable(); + identities_.add(value); + onChanged(); + return this; } /** * * *
-       * A list of [ApiOperations]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in the corresponding
-       * [EgressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-       * A request matches if it uses an operation/service in this list.
+       * A list of identities that are allowed access through this ingress
+       * policy. Should be in the format of email address. The email address
+       * should represent individual user or service account only.
+       * 
+ * + * repeated string identities = 2; + * + * @param values The identities to add. + * @return This builder for chaining. + */ + public Builder addAllIdentities(java.lang.Iterable values) { + ensureIdentitiesIsMutable(); + com.google.protobuf.AbstractMessageLite.Builder.addAll(values, identities_); + onChanged(); + return this; + } + /** + * + * + *
+       * A list of identities that are allowed access through this ingress
+       * policy. Should be in the format of email address. The email address
+       * should represent individual user or service account only.
+       * 
+ * + * repeated string identities = 2; + * + * @return This builder for chaining. + */ + public Builder clearIdentities() { + identities_ = com.google.protobuf.LazyStringArrayList.EMPTY; + bitField0_ = (bitField0_ & ~0x00000002); + onChanged(); + return this; + } + /** + * + * + *
+       * A list of identities that are allowed access through this ingress
+       * policy. Should be in the format of email address. The email address
+       * should represent individual user or service account only.
+       * 
+ * + * repeated string identities = 2; + * + * @param value The bytes of the identities to add. + * @return This builder for chaining. + */ + public Builder addIdentitiesBytes(com.google.protobuf.ByteString value) { + if (value == null) { + throw new NullPointerException(); + } + checkByteStringIsUtf8(value); + ensureIdentitiesIsMutable(); + identities_.add(value); + onChanged(); + return this; + } + + private int identityType_ = 0; + /** + * + * + *
+       * Specifies the type of identities that are allowed access from outside the
+       * perimeter. If left unspecified, then members of `identities` field will
+       * be allowed access.
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 3; * + * + * @return The enum numeric value on the wire for identityType. */ - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation.Builder - addOperationsBuilder() { - return getOperationsFieldBuilder() - .addBuilder( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation - .getDefaultInstance()); + @java.lang.Override + public int getIdentityTypeValue() { + return identityType_; } /** * * *
-       * A list of [ApiOperations]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in the corresponding
-       * [EgressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-       * A request matches if it uses an operation/service in this list.
+       * Specifies the type of identities that are allowed access from outside the
+       * perimeter. If left unspecified, then members of `identities` field will
+       * be allowed access.
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 3; * + * + * @param value The enum numeric value on the wire for identityType to set. + * @return This builder for chaining. */ - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation.Builder - addOperationsBuilder(int index) { - return getOperationsFieldBuilder() - .addBuilder( - index, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation - .getDefaultInstance()); + public Builder setIdentityTypeValue(int value) { + + identityType_ = value; + onChanged(); + return this; } /** * * *
-       * A list of [ApiOperations]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in the corresponding
-       * [EgressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
-       * A request matches if it uses an operation/service in this list.
+       * Specifies the type of identities that are allowed access from outside the
+       * perimeter. If left unspecified, then members of `identities` field will
+       * be allowed access.
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 3; * + * + * @return The identityType. */ - public java.util.List< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation - .Builder> - getOperationsBuilderList() { - return getOperationsFieldBuilder().getBuilderList(); + @java.lang.Override + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType + getIdentityType() { + @SuppressWarnings("deprecation") + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType result = + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType.valueOf( + identityType_); + return result == null + ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType + .UNRECOGNIZED + : result; } - - private com.google.protobuf.RepeatedFieldBuilderV3< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation - .Builder, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .ApiOperationOrBuilder> - getOperationsFieldBuilder() { - if (operationsBuilder_ == null) { - operationsBuilder_ = - new com.google.protobuf.RepeatedFieldBuilderV3< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation - .Builder, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .ApiOperationOrBuilder>( - operations_, ((bitField0_ & 0x00000002) != 0), getParentForChildren(), isClean()); - operations_ = null; + /** + * + * + *
+       * Specifies the type of identities that are allowed access from outside the
+       * perimeter. If left unspecified, then members of `identities` field will
+       * be allowed access.
+       * 
+ * + * + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 3; + * + * + * @param value The identityType to set. + * @return This builder for chaining. + */ + public Builder setIdentityType( + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType value) { + if (value == null) { + throw new NullPointerException(); } - return operationsBuilder_; + + identityType_ = value.getNumber(); + onChanged(); + return this; + } + /** + * + * + *
+       * Specifies the type of identities that are allowed access from outside the
+       * perimeter. If left unspecified, then members of `identities` field will
+       * be allowed access.
+       * 
+ * + * + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 3; + * + * + * @return This builder for chaining. + */ + public Builder clearIdentityType() { + + identityType_ = 0; + onChanged(); + return this; } @java.lang.Override @@ -6931,27 +6980,28 @@ public final Builder mergeUnknownFields( return super.mergeUnknownFields(unknownFields); } - // @@protoc_insertion_point(builder_scope:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo) + // @@protoc_insertion_point(builder_scope:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom) } - // @@protoc_insertion_point(class_scope:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo) - private static final com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo + // @@protoc_insertion_point(class_scope:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom) + private static final com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig + .IngressFrom DEFAULT_INSTANCE; static { DEFAULT_INSTANCE = - new com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo(); + new com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom(); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom getDefaultInstance() { return DEFAULT_INSTANCE; } - private static final com.google.protobuf.Parser PARSER = - new com.google.protobuf.AbstractParser() { + private static final com.google.protobuf.Parser PARSER = + new com.google.protobuf.AbstractParser() { @java.lang.Override - public EgressTo parsePartialFrom( + public IngressFrom parsePartialFrom( com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException { 
@@ -6971,197 +7021,203 @@ public EgressTo parsePartialFrom( } }; - public static com.google.protobuf.Parser parser() { + public static com.google.protobuf.Parser parser() { return PARSER; } @java.lang.Override - public com.google.protobuf.Parser getParserForType() { + public com.google.protobuf.Parser getParserForType() { return PARSER; } @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom getDefaultInstanceForType() { return DEFAULT_INSTANCE; } } - public interface IngressFromOrBuilder + public interface IngressToOrBuilder extends - // @@protoc_insertion_point(interface_extends:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom) + // @@protoc_insertion_point(interface_extends:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo) com.google.protobuf.MessageOrBuilder { /** * * *
-     * Sources that this [IngressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-     * authorizes access from.
+     * A list of [ApiOperations]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+     * allowed to be performed by the sources specified in corresponding
+     * [IngressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+     * in this [ServicePerimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter].
      * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; * */ - java.util.List - getSourcesList(); + java.util.List + getOperationsList(); /** * * *
-     * Sources that this [IngressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-     * authorizes access from.
+     * A list of [ApiOperations]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+     * allowed to be performed by the sources specified in corresponding
+     * [IngressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+     * in this [ServicePerimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter].
      * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; * */ - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource getSources( + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation getOperations( int index); /** * * *
-     * Sources that this [IngressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-     * authorizes access from.
+     * A list of [ApiOperations]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+     * allowed to be performed by the sources specified in corresponding
+     * [IngressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+     * in this [ServicePerimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter].
      * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; * */ - int getSourcesCount(); + int getOperationsCount(); /** * * *
-     * Sources that this [IngressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-     * authorizes access from.
+     * A list of [ApiOperations]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+     * allowed to be performed by the sources specified in corresponding
+     * [IngressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+     * in this [ServicePerimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter].
      * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; * */ java.util.List< ? extends com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .IngressSourceOrBuilder> - getSourcesOrBuilderList(); + .ApiOperationOrBuilder> + getOperationsOrBuilderList(); /** * * *
-     * Sources that this [IngressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-     * authorizes access from.
+     * A list of [ApiOperations]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+     * allowed to be performed by the sources specified in corresponding
+     * [IngressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+     * in this [ServicePerimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter].
      * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; * */ - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSourceOrBuilder - getSourcesOrBuilder(int index); + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperationOrBuilder + getOperationsOrBuilder(int index); /** * * *
-     * A list of identities that are allowed access through this ingress
-     * policy. Should be in the format of email address. The email address
-     * should represent individual user or service account only.
+     * A list of resources, currently only projects in the form
+     * `projects/<projectnumber>`, protected by this [ServicePerimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
+     * allowed to be accessed by sources defined in the corresponding
+     * [IngressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
+     * If a single `*` is specified, then access to all resources inside the
+     * perimeter are allowed.
      * 
* - * repeated string identities = 2; + * repeated string resources = 2; * - * @return A list containing the identities. + * @return A list containing the resources. */ - java.util.List getIdentitiesList(); + java.util.List getResourcesList(); /** * * *
-     * A list of identities that are allowed access through this ingress
-     * policy. Should be in the format of email address. The email address
-     * should represent individual user or service account only.
+     * A list of resources, currently only projects in the form
+     * `projects/<projectnumber>`, protected by this [ServicePerimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
+     * allowed to be accessed by sources defined in the corresponding
+     * [IngressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
+     * If a single `*` is specified, then access to all resources inside the
+     * perimeter are allowed.
      * 
* - * repeated string identities = 2; + * repeated string resources = 2; * - * @return The count of identities. + * @return The count of resources. */ - int getIdentitiesCount(); + int getResourcesCount(); /** * * *
-     * A list of identities that are allowed access through this ingress
-     * policy. Should be in the format of email address. The email address
-     * should represent individual user or service account only.
+     * A list of resources, currently only projects in the form
+     * `projects/<projectnumber>`, protected by this [ServicePerimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
+     * allowed to be accessed by sources defined in the corresponding
+     * [IngressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
+     * If a single `*` is specified, then access to all resources inside the
+     * perimeter are allowed.
      * 
* - * repeated string identities = 2; + * repeated string resources = 2; * * @param index The index of the element to return. - * @return The identities at the given index. + * @return The resources at the given index. */ - java.lang.String getIdentities(int index); + java.lang.String getResources(int index); /** * * *
-     * A list of identities that are allowed access through this ingress
-     * policy. Should be in the format of email address. The email address
-     * should represent individual user or service account only.
+     * A list of resources, currently only projects in the form
+     * `projects/<projectnumber>`, protected by this [ServicePerimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
+     * allowed to be accessed by sources defined in the corresponding
+     * [IngressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
+     * If a single `*` is specified, then access to all resources inside the
+     * perimeter are allowed.
      * 
* - * repeated string identities = 2; + * repeated string resources = 2; * * @param index The index of the value to return. - * @return The bytes of the identities at the given index. - */ - com.google.protobuf.ByteString getIdentitiesBytes(int index); - - /** - * - * - *
-     * Specifies the type of identities that are allowed access from outside the
-     * perimeter. If left unspecified, then members of `identities` field will
-     * be allowed access.
-     * 
- * - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 3; - * - * - * @return The enum numeric value on the wire for identityType. - */ - int getIdentityTypeValue(); - /** - * - * - *
-     * Specifies the type of identities that are allowed access from outside the
-     * perimeter. If left unspecified, then members of `identities` field will
-     * be allowed access.
-     * 
- * - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 3; - * - * - * @return The identityType. + * @return The bytes of the resources at the given index. */ - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType - getIdentityType(); + com.google.protobuf.ByteString getResourcesBytes(int index); } /** * @@ -7169,34 +7225,35 @@ com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource *
    * Defines the conditions under which an [IngressPolicy]
    * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-   * matches a request. Conditions are based on information about the source of
-   * the request. The request must satisfy what is defined in `sources` AND
-   * identity related fields in order to match.
+   * matches a request. Conditions are based on information about the
+   * [ApiOperation]
+   * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+   * intended to be performed on the target resource of the request. The request
+   * must satisfy what is defined in `operations` AND `resources` in order to
+   * match.
    * 
* - * Protobuf type {@code - * google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom} + * Protobuf type {@code google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo} */ - public static final class IngressFrom extends com.google.protobuf.GeneratedMessageV3 + public static final class IngressTo extends com.google.protobuf.GeneratedMessageV3 implements - // @@protoc_insertion_point(message_implements:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom) - IngressFromOrBuilder { + // @@protoc_insertion_point(message_implements:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo) + IngressToOrBuilder { private static final long serialVersionUID = 0L; - // Use IngressFrom.newBuilder() to construct. - private IngressFrom(com.google.protobuf.GeneratedMessageV3.Builder builder) { + // Use IngressTo.newBuilder() to construct. + private IngressTo(com.google.protobuf.GeneratedMessageV3.Builder builder) { super(builder); } - private IngressFrom() { - sources_ = java.util.Collections.emptyList(); - identities_ = com.google.protobuf.LazyStringArrayList.EMPTY; - identityType_ = 0; + private IngressTo() { + operations_ = java.util.Collections.emptyList(); + resources_ = com.google.protobuf.LazyStringArrayList.EMPTY; } @java.lang.Override @SuppressWarnings({"unused"}) protected java.lang.Object newInstance(UnusedPrivateParameter unused) { - return new IngressFrom(); + return new IngressTo(); } @java.lang.Override 
@@ -7206,234 +7263,225 @@ public final com.google.protobuf.UnknownFieldSet getUnknownFields() { public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() { return com.google.identity.accesscontextmanager.v1.ServicePerimeterProto - .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressFrom_descriptor; + .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressTo_descriptor; } @java.lang.Override protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable() { return com.google.identity.accesscontextmanager.v1.ServicePerimeterProto - .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressFrom_fieldAccessorTable + .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressTo_fieldAccessorTable .ensureFieldAccessorsInitialized( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom.class, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom.Builder + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo.class, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo.Builder .class); } - public static final int SOURCES_FIELD_NUMBER = 1; + public static final int OPERATIONS_FIELD_NUMBER = 1; private java.util.List< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource> - sources_; + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation> + operations_; /** * * *
-     * Sources that this [IngressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-     * authorizes access from.
+     * A list of [ApiOperations]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+     * allowed to be performed by the sources specified in corresponding
+     * [IngressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+     * in this [ServicePerimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter].
      * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; * */ @java.lang.Override public java.util.List< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource> - getSourcesList() { - return sources_; + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation> + getOperationsList() { + return operations_; } /** * * *
-     * Sources that this [IngressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-     * authorizes access from.
+     * A list of [ApiOperations]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+     * allowed to be performed by the sources specified in corresponding
+     * [IngressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+     * in this [ServicePerimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter].
      * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; * */ @java.lang.Override public java.util.List< ? extends com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .IngressSourceOrBuilder> - getSourcesOrBuilderList() { - return sources_; - } - /** + .ApiOperationOrBuilder> + getOperationsOrBuilderList() { + return operations_; + } + /** * * *
-     * Sources that this [IngressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-     * authorizes access from.
+     * A list of [ApiOperations]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+     * allowed to be performed by the sources specified in corresponding
+     * [IngressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+     * in this [ServicePerimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter].
      * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; * */ @java.lang.Override - public int getSourcesCount() { - return sources_.size(); + public int getOperationsCount() { + return operations_.size(); } /** * * *
-     * Sources that this [IngressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-     * authorizes access from.
+     * A list of [ApiOperations]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+     * allowed to be performed by the sources specified in corresponding
+     * [IngressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+     * in this [ServicePerimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter].
      * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; * */ @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource - getSources(int index) { - return sources_.get(index); + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation + getOperations(int index) { + return operations_.get(index); } /** * * *
-     * Sources that this [IngressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-     * authorizes access from.
+     * A list of [ApiOperations]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+     * allowed to be performed by the sources specified in corresponding
+     * [IngressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+     * in this [ServicePerimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter].
      * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; * */ @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSourceOrBuilder - getSourcesOrBuilder(int index) { - return sources_.get(index); + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperationOrBuilder + getOperationsOrBuilder(int index) { + return operations_.get(index); } - public static final int IDENTITIES_FIELD_NUMBER = 2; - private com.google.protobuf.LazyStringList identities_; + public static final int RESOURCES_FIELD_NUMBER = 2; + private com.google.protobuf.LazyStringList resources_; /** * * *
-     * A list of identities that are allowed access through this ingress
-     * policy. Should be in the format of email address. The email address
-     * should represent individual user or service account only.
+     * A list of resources, currently only projects in the form
+     * `projects/<projectnumber>`, protected by this [ServicePerimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
+     * allowed to be accessed by sources defined in the corresponding
+     * [IngressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
+     * If a single `*` is specified, then access to all resources inside the
+     * perimeter are allowed.
      * 
* - * repeated string identities = 2; + * repeated string resources = 2; * - * @return A list containing the identities. + * @return A list containing the resources. */ - public com.google.protobuf.ProtocolStringList getIdentitiesList() { - return identities_; + public com.google.protobuf.ProtocolStringList getResourcesList() { + return resources_; } /** * * *
-     * A list of identities that are allowed access through this ingress
-     * policy. Should be in the format of email address. The email address
-     * should represent individual user or service account only.
+     * A list of resources, currently only projects in the form
+     * `projects/<projectnumber>`, protected by this [ServicePerimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
+     * allowed to be accessed by sources defined in the corresponding
+     * [IngressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
+     * If a single `*` is specified, then access to all resources inside the
+     * perimeter are allowed.
      * 
* - * repeated string identities = 2; + * repeated string resources = 2; * - * @return The count of identities. + * @return The count of resources. */ - public int getIdentitiesCount() { - return identities_.size(); + public int getResourcesCount() { + return resources_.size(); } /** * * *
-     * A list of identities that are allowed access through this ingress
-     * policy. Should be in the format of email address. The email address
-     * should represent individual user or service account only.
+     * A list of resources, currently only projects in the form
+     * `projects/<projectnumber>`, protected by this [ServicePerimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
+     * allowed to be accessed by sources defined in the corresponding
+     * [IngressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
+     * If a single `*` is specified, then access to all resources inside the
+     * perimeter are allowed.
      * 
* - * repeated string identities = 2; + * repeated string resources = 2; * * @param index The index of the element to return. - * @return The identities at the given index. + * @return The resources at the given index. */ - public java.lang.String getIdentities(int index) { - return identities_.get(index); + public java.lang.String getResources(int index) { + return resources_.get(index); } /** * * *
-     * A list of identities that are allowed access through this ingress
-     * policy. Should be in the format of email address. The email address
-     * should represent individual user or service account only.
+     * A list of resources, currently only projects in the form
+     * `projects/<projectnumber>`, protected by this [ServicePerimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
+     * allowed to be accessed by sources defined in the corresponding
+     * [IngressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
+     * If a single `*` is specified, then access to all resources inside the
+     * perimeter are allowed.
      * 
* - * repeated string identities = 2; + * repeated string resources = 2; * * @param index The index of the value to return. - * @return The bytes of the identities at the given index. - */ - public com.google.protobuf.ByteString getIdentitiesBytes(int index) { - return identities_.getByteString(index); - } - - public static final int IDENTITY_TYPE_FIELD_NUMBER = 3; - private int identityType_; - /** - * - * - *
-     * Specifies the type of identities that are allowed access from outside the
-     * perimeter. If left unspecified, then members of `identities` field will
-     * be allowed access.
-     * 
- * - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 3; - * - * - * @return The enum numeric value on the wire for identityType. - */ - @java.lang.Override - public int getIdentityTypeValue() { - return identityType_; - } - /** - * - * - *
-     * Specifies the type of identities that are allowed access from outside the
-     * perimeter. If left unspecified, then members of `identities` field will
-     * be allowed access.
-     * 
- * - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 3; - * - * - * @return The identityType. + * @return The bytes of the resources at the given index. */ - @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType - getIdentityType() { - @SuppressWarnings("deprecation") - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType result = - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType.valueOf( - identityType_); - return result == null - ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType - .UNRECOGNIZED - : result; + public com.google.protobuf.ByteString getResourcesBytes(int index) { + return resources_.getByteString(index); } private byte memoizedIsInitialized = -1; @@ -7450,17 +7498,11 @@ public final boolean isInitialized() { @java.lang.Override public void writeTo(com.google.protobuf.CodedOutputStream output) throws java.io.IOException { - for (int i = 0; i < sources_.size(); i++) { - output.writeMessage(1, sources_.get(i)); - } - for (int i = 0; i < identities_.size(); i++) { - com.google.protobuf.GeneratedMessageV3.writeString(output, 2, identities_.getRaw(i)); + for (int i = 0; i < operations_.size(); i++) { + output.writeMessage(1, operations_.get(i)); } - if (identityType_ - != com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType - .IDENTITY_TYPE_UNSPECIFIED - .getNumber()) { - output.writeEnum(3, identityType_); + for (int i = 0; i < resources_.size(); i++) { + com.google.protobuf.GeneratedMessageV3.writeString(output, 2, resources_.getRaw(i)); } getUnknownFields().writeTo(output); } 
@@ -7471,22 +7513,16 @@ public int getSerializedSize() { if (size != -1) return size; size = 0; - for (int i = 0; i < sources_.size(); i++) { - size += com.google.protobuf.CodedOutputStream.computeMessageSize(1, sources_.get(i)); + for (int i = 0; i < operations_.size(); i++) { + size += com.google.protobuf.CodedOutputStream.computeMessageSize(1, operations_.get(i)); } { int dataSize = 0; - for (int i = 0; i < identities_.size(); i++) { - dataSize += computeStringSizeNoTag(identities_.getRaw(i)); + for (int i = 0; i < resources_.size(); i++) { + dataSize += computeStringSizeNoTag(resources_.getRaw(i)); } size += dataSize; - size += 1 * getIdentitiesList().size(); - } - if (identityType_ - != com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType - .IDENTITY_TYPE_UNSPECIFIED - .getNumber()) { - size += com.google.protobuf.CodedOutputStream.computeEnumSize(3, identityType_); + size += 1 * getResourcesList().size(); } size += getUnknownFields().getSerializedSize(); memoizedSize = size; 
@@ -7500,15 +7536,14 @@ public boolean equals(final java.lang.Object obj) { } if (!(obj instanceof - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom)) { + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo)) { return super.equals(obj); } - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom other = - (com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom) obj; + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo other = + (com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo) obj; - if (!getSourcesList().equals(other.getSourcesList())) return false; - if (!getIdentitiesList().equals(other.getIdentitiesList())) return false; - if (identityType_ != other.identityType_) return false; + if (!getOperationsList().equals(other.getOperationsList())) return false; + if (!getResourcesList().equals(other.getResourcesList())) return false; if (!getUnknownFields().equals(other.getUnknownFields())) return false; return true; } 
@@ -7520,41 +7555,39 @@ public int hashCode() { } int hash = 41; hash = (19 * hash) + getDescriptor().hashCode(); - if (getSourcesCount() > 0) { - hash = (37 * hash) + SOURCES_FIELD_NUMBER; - hash = (53 * hash) + getSourcesList().hashCode(); + if (getOperationsCount() > 0) { + hash = (37 * hash) + OPERATIONS_FIELD_NUMBER; + hash = (53 * hash) + getOperationsList().hashCode(); } - if (getIdentitiesCount() > 0) { - hash = (37 * hash) + IDENTITIES_FIELD_NUMBER; - hash = (53 * hash) + getIdentitiesList().hashCode(); + if (getResourcesCount() > 0) { + hash = (37 * hash) + RESOURCES_FIELD_NUMBER; + hash = (53 * hash) + getResourcesList().hashCode(); } - hash = (37 * hash) + IDENTITY_TYPE_FIELD_NUMBER; - hash = (53 * hash) + identityType_; hash = (29 * hash) + getUnknownFields().hashCode(); memoizedHashCode = hash; return hash; } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo parseFrom(java.nio.ByteBuffer data) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo parseFrom( java.nio.ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data, extensionRegistry); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo parseFrom(com.google.protobuf.ByteString data) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + public static 
com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo parseFrom( com.google.protobuf.ByteString data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) @@ -7562,23 +7595,23 @@ public int hashCode() { return PARSER.parseFrom(data, extensionRegistry); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo parseFrom(byte[] data) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo parseFrom(byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data, extensionRegistry); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo parseFrom(java.io.InputStream input) throws java.io.IOException { return com.google.protobuf.GeneratedMessageV3.parseWithIOException(PARSER, input); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo parseFrom( java.io.InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws java.io.IOException { 
@@ -7586,12 +7619,12 @@ public int hashCode() { PARSER, input, extensionRegistry); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo parseDelimitedFrom(java.io.InputStream input) throws java.io.IOException { return com.google.protobuf.GeneratedMessageV3.parseDelimitedWithIOException(PARSER, input); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo parseDelimitedFrom( java.io.InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws java.io.IOException { @@ -7599,12 +7632,12 @@ public int hashCode() { PARSER, input, extensionRegistry); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo parseFrom(com.google.protobuf.CodedInputStream input) throws java.io.IOException { return com.google.protobuf.GeneratedMessageV3.parseWithIOException(PARSER, input); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo parseFrom( com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) @@ -7623,7 +7656,7 @@ public static Builder newBuilder() { } public static Builder newBuilder( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom prototype) { + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo prototype) { return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype); } @@ -7644,38 +7677,40 @@ protected Builder newBuilderForType( *
      * Defines the conditions under which an [IngressPolicy]
      * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-     * matches a request. Conditions are based on information about the source of
-     * the request. The request must satisfy what is defined in `sources` AND
-     * identity related fields in order to match.
+     * matches a request. Conditions are based on information about the
+     * [ApiOperation]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+     * intended to be performed on the target resource of the request. The request
+     * must satisfy what is defined in `operations` AND `resources` in order to
+     * match.
      * 
* * Protobuf type {@code - * google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom} + * google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo} */ public static final class Builder extends com.google.protobuf.GeneratedMessageV3.Builder implements - // @@protoc_insertion_point(builder_implements:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom) - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFromOrBuilder { + // @@protoc_insertion_point(builder_implements:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo) + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressToOrBuilder { public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() { return com.google.identity.accesscontextmanager.v1.ServicePerimeterProto - .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressFrom_descriptor; + .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressTo_descriptor; } @java.lang.Override protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable() { return com.google.identity.accesscontextmanager.v1.ServicePerimeterProto - .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressFrom_fieldAccessorTable + .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressTo_fieldAccessorTable .ensureFieldAccessorsInitialized( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom - .class, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom - .Builder.class); + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo.class, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo.Builder + .class); } // Construct using - // 
com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom.newBuilder() + // com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo.newBuilder() private Builder() {} private Builder(com.google.protobuf.GeneratedMessageV3.BuilderParent parent) { 
@@ -7685,37 +7720,34 @@ private Builder(com.google.protobuf.GeneratedMessageV3.BuilderParent parent) { @java.lang.Override public Builder clear() { super.clear(); - if (sourcesBuilder_ == null) { - sources_ = java.util.Collections.emptyList(); + if (operationsBuilder_ == null) { + operations_ = java.util.Collections.emptyList(); } else { - sources_ = null; - sourcesBuilder_.clear(); + operations_ = null; + operationsBuilder_.clear(); } bitField0_ = (bitField0_ & ~0x00000001); - identities_ = com.google.protobuf.LazyStringArrayList.EMPTY; + resources_ = com.google.protobuf.LazyStringArrayList.EMPTY; bitField0_ = (bitField0_ & ~0x00000002); - identityType_ = 0; - return this; } @java.lang.Override public com.google.protobuf.Descriptors.Descriptor getDescriptorForType() { return com.google.identity.accesscontextmanager.v1.ServicePerimeterProto - .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressFrom_descriptor; + .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressTo_descriptor; } @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo getDefaultInstanceForType() { - return com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + return com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo .getDefaultInstance(); } @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom - build() { - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom result = + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo build() { + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo result = buildPartial(); if (!result.isInitialized()) { throw newUninitializedMessageException(result); 
@@ -7724,27 +7756,25 @@ public com.google.protobuf.Descriptors.Descriptor getDescriptorForType() { } @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo buildPartial() { - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom result = - new com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom( - this); + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo result = + new com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo(this); int from_bitField0_ = bitField0_; - if (sourcesBuilder_ == null) { + if (operationsBuilder_ == null) { if (((bitField0_ & 0x00000001) != 0)) { - sources_ = java.util.Collections.unmodifiableList(sources_); + operations_ = java.util.Collections.unmodifiableList(operations_); bitField0_ = (bitField0_ & ~0x00000001); } - result.sources_ = sources_; + result.operations_ = operations_; } else { - result.sources_ = sourcesBuilder_.build(); + result.operations_ = operationsBuilder_.build(); } if (((bitField0_ & 0x00000002) != 0)) { - identities_ = identities_.getUnmodifiableView(); + resources_ = resources_.getUnmodifiableView(); bitField0_ = (bitField0_ & ~0x00000002); } - result.identities_ = identities_; - result.identityType_ = identityType_; + result.resources_ = resources_; onBuilt(); return result; } 
@@ -7788,10 +7818,9 @@ public Builder addRepeatedField( public Builder mergeFrom(com.google.protobuf.Message other) { if (other instanceof - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom) { + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo) { return mergeFrom( - (com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom) - other); + (com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo) other); } else { super.mergeFrom(other); return this; 
@@ -7799,50 +7828,47 @@ public Builder mergeFrom(com.google.protobuf.Message other) { } public Builder mergeFrom( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom other) { + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo other) { if (other - == com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + == com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo .getDefaultInstance()) return this; - if (sourcesBuilder_ == null) { - if (!other.sources_.isEmpty()) { - if (sources_.isEmpty()) { - sources_ = other.sources_; + if (operationsBuilder_ == null) { + if (!other.operations_.isEmpty()) { + if (operations_.isEmpty()) { + operations_ = other.operations_; bitField0_ = (bitField0_ & ~0x00000001); } else { - ensureSourcesIsMutable(); - sources_.addAll(other.sources_); + ensureOperationsIsMutable(); + operations_.addAll(other.operations_); } onChanged(); } } else { - if (!other.sources_.isEmpty()) { - if (sourcesBuilder_.isEmpty()) { - sourcesBuilder_.dispose(); - sourcesBuilder_ = null; - sources_ = other.sources_; + if (!other.operations_.isEmpty()) { + if (operationsBuilder_.isEmpty()) { + operationsBuilder_.dispose(); + operationsBuilder_ = null; + operations_ = other.operations_; bitField0_ = (bitField0_ & ~0x00000001); - sourcesBuilder_ = + operationsBuilder_ = com.google.protobuf.GeneratedMessageV3.alwaysUseFieldBuilders - ? getSourcesFieldBuilder() + ? 
getOperationsFieldBuilder() : null; } else { - sourcesBuilder_.addAllMessages(other.sources_); + operationsBuilder_.addAllMessages(other.operations_); } } } - if (!other.identities_.isEmpty()) { - if (identities_.isEmpty()) { - identities_ = other.identities_; + if (!other.resources_.isEmpty()) { + if (resources_.isEmpty()) { + resources_ = other.resources_; bitField0_ = (bitField0_ & ~0x00000002); } else { - ensureIdentitiesIsMutable(); - identities_.addAll(other.identities_); + ensureResourcesIsMutable(); + resources_.addAll(other.resources_); } onChanged(); } - if (other.identityType_ != 0) { - setIdentityTypeValue(other.getIdentityTypeValue()); - } this.mergeUnknownFields(other.getUnknownFields()); onChanged(); return this; @@ -7871,33 +7897,27 @@ public Builder mergeFrom( break; case 10: { - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation m = input.readMessage( com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .IngressSource.parser(), + .ApiOperation.parser(), extensionRegistry); - if (sourcesBuilder_ == null) { - ensureSourcesIsMutable(); - sources_.add(m); + if (operationsBuilder_ == null) { + ensureOperationsIsMutable(); + operations_.add(m); } else { - sourcesBuilder_.addMessage(m); + operationsBuilder_.addMessage(m); } break; } // case 10 case 18: { java.lang.String s = input.readStringRequireUtf8(); - ensureIdentitiesIsMutable(); - identities_.add(s); + ensureResourcesIsMutable(); + resources_.add(s); break; } // case 18 - case 24: - { - identityType_ = input.readEnum(); - - break; - } // case 24 default: { if (!super.parseUnknownField(input, extensionRegistry, tag)) { 
@@ -7918,115 +7938,131 @@ public Builder mergeFrom( private int bitField0_; private java.util.List< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource> - sources_ = java.util.Collections.emptyList(); + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation> + operations_ = java.util.Collections.emptyList(); - private void ensureSourcesIsMutable() { + private void ensureOperationsIsMutable() { if (!((bitField0_ & 0x00000001) != 0)) { - sources_ = + operations_ = new java.util.ArrayList< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource>( - sources_); + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation>( + operations_); bitField0_ |= 0x00000001; } } private com.google.protobuf.RepeatedFieldBuilderV3< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation .Builder, com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .IngressSourceOrBuilder> - sourcesBuilder_; + .ApiOperationOrBuilder> + operationsBuilder_; /** * * *
-       * Sources that this [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * authorizes access from.
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in corresponding
+       * [IngressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+       * in this [ServicePerimeter]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; * */ public java.util.List< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource> - getSourcesList() { - if (sourcesBuilder_ == null) { - return java.util.Collections.unmodifiableList(sources_); + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation> + getOperationsList() { + if (operationsBuilder_ == null) { + return java.util.Collections.unmodifiableList(operations_); } else { - return sourcesBuilder_.getMessageList(); + return operationsBuilder_.getMessageList(); } } /** * * *
-       * Sources that this [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * authorizes access from.
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in corresponding
+       * [IngressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+       * in this [ServicePerimeter]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; * */ - public int getSourcesCount() { - if (sourcesBuilder_ == null) { - return sources_.size(); + public int getOperationsCount() { + if (operationsBuilder_ == null) { + return operations_.size(); } else { - return sourcesBuilder_.getCount(); + return operationsBuilder_.getCount(); } } /** * * *
-       * Sources that this [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * authorizes access from.
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in corresponding
+       * [IngressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+       * in this [ServicePerimeter]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; * */ - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource - getSources(int index) { - if (sourcesBuilder_ == null) { - return sources_.get(index); + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation + getOperations(int index) { + if (operationsBuilder_ == null) { + return operations_.get(index); } else { - return sourcesBuilder_.getMessage(index); + return operationsBuilder_.getMessage(index); } } /** * * *
-       * Sources that this [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * authorizes access from.
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in corresponding
+       * [IngressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+       * in this [ServicePerimeter]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; * */ - public Builder setSources( + public Builder setOperations( int index, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource value) { - if (sourcesBuilder_ == null) { + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation value) { + if (operationsBuilder_ == null) { if (value == null) { throw new NullPointerException(); } - ensureSourcesIsMutable(); - sources_.set(index, value); + ensureOperationsIsMutable(); + operations_.set(index, value); onChanged(); } else { - sourcesBuilder_.setMessage(index, value); + operationsBuilder_.setMessage(index, value); } return this; } @@ -8034,25 +8070,29 @@ public Builder setSources( * * *
-       * Sources that this [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * authorizes access from.
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in corresponding
+       * [IngressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+       * in this [ServicePerimeter]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; * */ - public Builder setSources( + public Builder setOperations( int index, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource.Builder + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation.Builder builderForValue) { - if (sourcesBuilder_ == null) { - ensureSourcesIsMutable(); - sources_.set(index, builderForValue.build()); + if (operationsBuilder_ == null) { + ensureOperationsIsMutable(); + operations_.set(index, builderForValue.build()); onChanged(); } else { - sourcesBuilder_.setMessage(index, builderForValue.build()); + operationsBuilder_.setMessage(index, builderForValue.build()); } return this; } @@ -8060,26 +8100,30 @@ public Builder setSources( * * *
-       * Sources that this [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * authorizes access from.
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in corresponding
+       * [IngressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+       * in this [ServicePerimeter]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; * */ - public Builder addSources( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource value) { - if (sourcesBuilder_ == null) { + public Builder addOperations( + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation value) { + if (operationsBuilder_ == null) { if (value == null) { throw new NullPointerException(); } - ensureSourcesIsMutable(); - sources_.add(value); + ensureOperationsIsMutable(); + operations_.add(value); onChanged(); } else { - sourcesBuilder_.addMessage(value); + operationsBuilder_.addMessage(value); } return this; } @@ -8087,27 +8131,31 @@ public Builder addSources( * * *
-       * Sources that this [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * authorizes access from.
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in corresponding
+       * [IngressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+       * in this [ServicePerimeter]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; * */ - public Builder addSources( + public Builder addOperations( int index, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource value) { - if (sourcesBuilder_ == null) { + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation value) { + if (operationsBuilder_ == null) { if (value == null) { throw new NullPointerException(); } - ensureSourcesIsMutable(); - sources_.add(index, value); + ensureOperationsIsMutable(); + operations_.add(index, value); onChanged(); } else { - sourcesBuilder_.addMessage(index, value); + operationsBuilder_.addMessage(index, value); } return this; } @@ -8115,24 +8163,28 @@ public Builder addSources( * * *
-       * Sources that this [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * authorizes access from.
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in corresponding
+       * [IngressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+       * in this [ServicePerimeter]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; * */ - public Builder addSources( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource.Builder + public Builder addOperations( + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation.Builder builderForValue) { - if (sourcesBuilder_ == null) { - ensureSourcesIsMutable(); - sources_.add(builderForValue.build()); + if (operationsBuilder_ == null) { + ensureOperationsIsMutable(); + operations_.add(builderForValue.build()); onChanged(); } else { - sourcesBuilder_.addMessage(builderForValue.build()); + operationsBuilder_.addMessage(builderForValue.build()); } return this; } @@ -8140,25 +8192,29 @@ public Builder addSources( * * *
-       * Sources that this [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * authorizes access from.
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in corresponding
+       * [IngressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+       * in this [ServicePerimeter]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; * */ - public Builder addSources( + public Builder addOperations( int index, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource.Builder + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation.Builder builderForValue) { - if (sourcesBuilder_ == null) { - ensureSourcesIsMutable(); - sources_.add(index, builderForValue.build()); + if (operationsBuilder_ == null) { + ensureOperationsIsMutable(); + operations_.add(index, builderForValue.build()); onChanged(); } else { - sourcesBuilder_.addMessage(index, builderForValue.build()); + operationsBuilder_.addMessage(index, builderForValue.build()); } return this; } @@ -8166,27 +8222,31 @@ public Builder addSources( * * *
-       * Sources that this [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * authorizes access from.
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in corresponding
+       * [IngressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+       * in this [ServicePerimeter]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; * */ - public Builder addAllSources( + public Builder addAllOperations( java.lang.Iterable< ? extends com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .IngressSource> + .ApiOperation> values) { - if (sourcesBuilder_ == null) { - ensureSourcesIsMutable(); - com.google.protobuf.AbstractMessageLite.Builder.addAll(values, sources_); + if (operationsBuilder_ == null) { + ensureOperationsIsMutable(); + com.google.protobuf.AbstractMessageLite.Builder.addAll(values, operations_); onChanged(); } else { - sourcesBuilder_.addAllMessages(values); + operationsBuilder_.addAllMessages(values); } return this; } @@ -8194,22 +8254,26 @@ public Builder addAllSources( * * *
-       * Sources that this [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * authorizes access from.
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in corresponding
+       * [IngressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+       * in this [ServicePerimeter]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; * */ - public Builder clearSources() { - if (sourcesBuilder_ == null) { - sources_ = java.util.Collections.emptyList(); + public Builder clearOperations() { + if (operationsBuilder_ == null) { + operations_ = java.util.Collections.emptyList(); bitField0_ = (bitField0_ & ~0x00000001); onChanged(); } else { - sourcesBuilder_.clear(); + operationsBuilder_.clear(); } return this; } @@ -8217,22 +8281,26 @@ public Builder clearSources() { * * *
-       * Sources that this [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * authorizes access from.
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in corresponding
+       * [IngressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+       * in this [ServicePerimeter]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; * */ - public Builder removeSources(int index) { - if (sourcesBuilder_ == null) { - ensureSourcesIsMutable(); - sources_.remove(index); + public Builder removeOperations(int index) { + if (operationsBuilder_ == null) { + ensureOperationsIsMutable(); + operations_.remove(index); onChanged(); } else { - sourcesBuilder_.remove(index); + operationsBuilder_.remove(index); } return this; } @@ -8240,156 +8308,177 @@ public Builder removeSources(int index) { * * *
-       * Sources that this [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * authorizes access from.
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in corresponding
+       * [IngressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+       * in this [ServicePerimeter]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; * */ - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource - .Builder - getSourcesBuilder(int index) { - return getSourcesFieldBuilder().getBuilder(index); + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation.Builder + getOperationsBuilder(int index) { + return getOperationsFieldBuilder().getBuilder(index); } /** * * *
-       * Sources that this [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * authorizes access from.
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in corresponding
+       * [IngressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+       * in this [ServicePerimeter]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; * */ public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .IngressSourceOrBuilder - getSourcesOrBuilder(int index) { - if (sourcesBuilder_ == null) { - return sources_.get(index); + .ApiOperationOrBuilder + getOperationsOrBuilder(int index) { + if (operationsBuilder_ == null) { + return operations_.get(index); } else { - return sourcesBuilder_.getMessageOrBuilder(index); + return operationsBuilder_.getMessageOrBuilder(index); } } /** * * *
-       * Sources that this [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * authorizes access from.
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in corresponding
+       * [IngressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+       * in this [ServicePerimeter]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; * */ public java.util.List< ? extends com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .IngressSourceOrBuilder> - getSourcesOrBuilderList() { - if (sourcesBuilder_ != null) { - return sourcesBuilder_.getMessageOrBuilderList(); + .ApiOperationOrBuilder> + getOperationsOrBuilderList() { + if (operationsBuilder_ != null) { + return operationsBuilder_.getMessageOrBuilderList(); } else { - return java.util.Collections.unmodifiableList(sources_); + return java.util.Collections.unmodifiableList(operations_); } } /** * * *
-       * Sources that this [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * authorizes access from.
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in corresponding
+       * [IngressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+       * in this [ServicePerimeter]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; * */ - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource - .Builder - addSourcesBuilder() { - return getSourcesFieldBuilder() + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation.Builder + addOperationsBuilder() { + return getOperationsFieldBuilder() .addBuilder( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation .getDefaultInstance()); } /** * * *
-       * Sources that this [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * authorizes access from.
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in corresponding
+       * [IngressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+       * in this [ServicePerimeter]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; * */ - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource - .Builder - addSourcesBuilder(int index) { - return getSourcesFieldBuilder() + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation.Builder + addOperationsBuilder(int index) { + return getOperationsFieldBuilder() .addBuilder( index, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation .getDefaultInstance()); } /** * * *
-       * Sources that this [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * authorizes access from.
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in corresponding
+       * [IngressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+       * in this [ServicePerimeter]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource sources = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; * */ public java.util.List< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation .Builder> - getSourcesBuilderList() { - return getSourcesFieldBuilder().getBuilderList(); + getOperationsBuilderList() { + return getOperationsFieldBuilder().getBuilderList(); } private com.google.protobuf.RepeatedFieldBuilderV3< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation .Builder, com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .IngressSourceOrBuilder> - getSourcesFieldBuilder() { - if (sourcesBuilder_ == null) { - sourcesBuilder_ = + .ApiOperationOrBuilder> + getOperationsFieldBuilder() { + if (operationsBuilder_ == null) { + operationsBuilder_ = new com.google.protobuf.RepeatedFieldBuilderV3< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation .Builder, com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .IngressSourceOrBuilder>( - sources_, ((bitField0_ & 0x00000001) != 0), getParentForChildren(), isClean()); - sources_ = null; + .ApiOperationOrBuilder>( + operations_, ((bitField0_ & 0x00000001) != 0), getParentForChildren(), isClean()); + operations_ = null; } - 
return sourcesBuilder_; + return operationsBuilder_; } - private com.google.protobuf.LazyStringList identities_ = + private com.google.protobuf.LazyStringList resources_ = com.google.protobuf.LazyStringArrayList.EMPTY; - private void ensureIdentitiesIsMutable() { + private void ensureResourcesIsMutable() { if (!((bitField0_ & 0x00000002) != 0)) { - identities_ = new com.google.protobuf.LazyStringArrayList(identities_); + resources_ = new com.google.protobuf.LazyStringArrayList(resources_); bitField0_ |= 0x00000002; } } @@ -8397,89 +8486,114 @@ private void ensureIdentitiesIsMutable() { * * *
-       * A list of identities that are allowed access through this ingress
-       * policy. Should be in the format of email address. The email address
-       * should represent individual user or service account only.
+       * A list of resources, currently only projects in the form
+       * `projects/<projectnumber>`, protected by this [ServicePerimeter]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
+       * allowed to be accessed by sources defined in the corresponding
+       * [IngressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
+       * If a single `*` is specified, then access to all resources inside the
+       * perimeter are allowed.
        * 
* - * repeated string identities = 2; + * repeated string resources = 2; * - * @return A list containing the identities. + * @return A list containing the resources. */ - public com.google.protobuf.ProtocolStringList getIdentitiesList() { - return identities_.getUnmodifiableView(); + public com.google.protobuf.ProtocolStringList getResourcesList() { + return resources_.getUnmodifiableView(); } /** * * *
-       * A list of identities that are allowed access through this ingress
-       * policy. Should be in the format of email address. The email address
-       * should represent individual user or service account only.
+       * A list of resources, currently only projects in the form
+       * `projects/<projectnumber>`, protected by this [ServicePerimeter]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
+       * allowed to be accessed by sources defined in the corresponding
+       * [IngressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
+       * If a single `*` is specified, then access to all resources inside the
+       * perimeter are allowed.
        * 
* - * repeated string identities = 2; + * repeated string resources = 2; * - * @return The count of identities. + * @return The count of resources. */ - public int getIdentitiesCount() { - return identities_.size(); + public int getResourcesCount() { + return resources_.size(); } /** * * *
-       * A list of identities that are allowed access through this ingress
-       * policy. Should be in the format of email address. The email address
-       * should represent individual user or service account only.
+       * A list of resources, currently only projects in the form
+       * `projects/<projectnumber>`, protected by this [ServicePerimeter]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
+       * allowed to be accessed by sources defined in the corresponding
+       * [IngressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
+       * If a single `*` is specified, then access to all resources inside the
+       * perimeter are allowed.
        * 
* - * repeated string identities = 2; + * repeated string resources = 2; * * @param index The index of the element to return. - * @return The identities at the given index. + * @return The resources at the given index. */ - public java.lang.String getIdentities(int index) { - return identities_.get(index); + public java.lang.String getResources(int index) { + return resources_.get(index); } /** * * *
-       * A list of identities that are allowed access through this ingress
-       * policy. Should be in the format of email address. The email address
-       * should represent individual user or service account only.
+       * A list of resources, currently only projects in the form
+       * `projects/<projectnumber>`, protected by this [ServicePerimeter]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
+       * allowed to be accessed by sources defined in the corresponding
+       * [IngressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
+       * If a single `*` is specified, then access to all resources inside the
+       * perimeter are allowed.
        * 
* - * repeated string identities = 2; + * repeated string resources = 2; * * @param index The index of the value to return. - * @return The bytes of the identities at the given index. + * @return The bytes of the resources at the given index. */ - public com.google.protobuf.ByteString getIdentitiesBytes(int index) { - return identities_.getByteString(index); + public com.google.protobuf.ByteString getResourcesBytes(int index) { + return resources_.getByteString(index); } /** * * *
-       * A list of identities that are allowed access through this ingress
-       * policy. Should be in the format of email address. The email address
-       * should represent individual user or service account only.
+       * A list of resources, currently only projects in the form
+       * `projects/<projectnumber>`, protected by this [ServicePerimeter]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
+       * allowed to be accessed by sources defined in the corresponding
+       * [IngressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
+       * If a single `*` is specified, then access to all resources inside the
+       * perimeter are allowed.
        * 
* - * repeated string identities = 2; + * repeated string resources = 2; * * @param index The index to set the value at. - * @param value The identities to set. + * @param value The resources to set. * @return This builder for chaining. */ - public Builder setIdentities(int index, java.lang.String value) { + public Builder setResources(int index, java.lang.String value) { if (value == null) { throw new NullPointerException(); } - ensureIdentitiesIsMutable(); - identities_.set(index, value); + ensureResourcesIsMutable(); + resources_.set(index, value); onChanged(); return this; } @@ -8487,22 +8601,27 @@ public Builder setIdentities(int index, java.lang.String value) { * * *
-       * A list of identities that are allowed access through this ingress
-       * policy. Should be in the format of email address. The email address
-       * should represent individual user or service account only.
+       * A list of resources, currently only projects in the form
+       * `projects/<projectnumber>`, protected by this [ServicePerimeter]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
+       * allowed to be accessed by sources defined in the corresponding
+       * [IngressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
+       * If a single `*` is specified, then access to all resources inside the
+       * perimeter are allowed.
        * 
* - * repeated string identities = 2; + * repeated string resources = 2; * - * @param value The identities to add. + * @param value The resources to add. * @return This builder for chaining. */ - public Builder addIdentities(java.lang.String value) { + public Builder addResources(java.lang.String value) { if (value == null) { throw new NullPointerException(); } - ensureIdentitiesIsMutable(); - identities_.add(value); + ensureResourcesIsMutable(); + resources_.add(value); onChanged(); return this; } @@ -8510,19 +8629,24 @@ public Builder addIdentities(java.lang.String value) { * * *
-       * A list of identities that are allowed access through this ingress
-       * policy. Should be in the format of email address. The email address
-       * should represent individual user or service account only.
+       * A list of resources, currently only projects in the form
+       * `projects/<projectnumber>`, protected by this [ServicePerimeter]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
+       * allowed to be accessed by sources defined in the corresponding
+       * [IngressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
+       * If a single `*` is specified, then access to all resources inside the
+       * perimeter are allowed.
        * 
* - * repeated string identities = 2; + * repeated string resources = 2; * - * @param values The identities to add. + * @param values The resources to add. * @return This builder for chaining. */ - public Builder addAllIdentities(java.lang.Iterable values) { - ensureIdentitiesIsMutable(); - com.google.protobuf.AbstractMessageLite.Builder.addAll(values, identities_); + public Builder addAllResources(java.lang.Iterable values) { + ensureResourcesIsMutable(); + com.google.protobuf.AbstractMessageLite.Builder.addAll(values, resources_); onChanged(); return this; } @@ -8530,17 +8654,22 @@ public Builder addAllIdentities(java.lang.Iterable values) { * * *
-       * A list of identities that are allowed access through this ingress
-       * policy. Should be in the format of email address. The email address
-       * should represent individual user or service account only.
+       * A list of resources, currently only projects in the form
+       * `projects/<projectnumber>`, protected by this [ServicePerimeter]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
+       * allowed to be accessed by sources defined in the corresponding
+       * [IngressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
+       * If a single `*` is specified, then access to all resources inside the
+       * perimeter are allowed.
        * 
* - * repeated string identities = 2; + * repeated string resources = 2; * * @return This builder for chaining. */ - public Builder clearIdentities() { - identities_ = com.google.protobuf.LazyStringArrayList.EMPTY; + public Builder clearResources() { + resources_ = com.google.protobuf.LazyStringArrayList.EMPTY; bitField0_ = (bitField0_ & ~0x00000002); onChanged(); return this; @@ -8549,140 +8678,28 @@ public Builder clearIdentities() { * * *
-       * A list of identities that are allowed access through this ingress
-       * policy. Should be in the format of email address. The email address
-       * should represent individual user or service account only.
+       * A list of resources, currently only projects in the form
+       * `projects/<projectnumber>`, protected by this [ServicePerimeter]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
+       * allowed to be accessed by sources defined in the corresponding
+       * [IngressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
+       * If a single `*` is specified, then access to all resources inside the
+       * perimeter are allowed.
        * 
* - * repeated string identities = 2; + * repeated string resources = 2; * - * @param value The bytes of the identities to add. + * @param value The bytes of the resources to add. * @return This builder for chaining. */ - public Builder addIdentitiesBytes(com.google.protobuf.ByteString value) { + public Builder addResourcesBytes(com.google.protobuf.ByteString value) { if (value == null) { throw new NullPointerException(); } checkByteStringIsUtf8(value); - ensureIdentitiesIsMutable(); - identities_.add(value); - onChanged(); - return this; - } - - private int identityType_ = 0; - /** - * - * - *
-       * Specifies the type of identities that are allowed access from outside the
-       * perimeter. If left unspecified, then members of `identities` field will
-       * be allowed access.
-       * 
- * - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 3; - * - * - * @return The enum numeric value on the wire for identityType. - */ - @java.lang.Override - public int getIdentityTypeValue() { - return identityType_; - } - /** - * - * - *
-       * Specifies the type of identities that are allowed access from outside the
-       * perimeter. If left unspecified, then members of `identities` field will
-       * be allowed access.
-       * 
- * - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 3; - * - * - * @param value The enum numeric value on the wire for identityType to set. - * @return This builder for chaining. - */ - public Builder setIdentityTypeValue(int value) { - - identityType_ = value; - onChanged(); - return this; - } - /** - * - * - *
-       * Specifies the type of identities that are allowed access from outside the
-       * perimeter. If left unspecified, then members of `identities` field will
-       * be allowed access.
-       * 
- * - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 3; - * - * - * @return The identityType. - */ - @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType - getIdentityType() { - @SuppressWarnings("deprecation") - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType result = - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType.valueOf( - identityType_); - return result == null - ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType - .UNRECOGNIZED - : result; - } - /** - * - * - *
-       * Specifies the type of identities that are allowed access from outside the
-       * perimeter. If left unspecified, then members of `identities` field will
-       * be allowed access.
-       * 
- * - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 3; - * - * - * @param value The identityType to set. - * @return This builder for chaining. - */ - public Builder setIdentityType( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType value) { - if (value == null) { - throw new NullPointerException(); - } - - identityType_ = value.getNumber(); - onChanged(); - return this; - } - /** - * - * - *
-       * Specifies the type of identities that are allowed access from outside the
-       * perimeter. If left unspecified, then members of `identities` field will
-       * be allowed access.
-       * 
- * - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 3; - * - * - * @return This builder for chaining. - */ - public Builder clearIdentityType() { - - identityType_ = 0; + ensureResourcesIsMutable(); + resources_.add(value); onChanged(); return this; } @@ -8699,28 +8716,28 @@ public final Builder mergeUnknownFields( return super.mergeUnknownFields(unknownFields); } - // @@protoc_insertion_point(builder_scope:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom) + // @@protoc_insertion_point(builder_scope:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo) } - // @@protoc_insertion_point(class_scope:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom) + // @@protoc_insertion_point(class_scope:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo) private static final com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .IngressFrom + .IngressTo DEFAULT_INSTANCE; static { DEFAULT_INSTANCE = - new com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom(); + new com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo(); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo getDefaultInstance() { return DEFAULT_INSTANCE; } - private static final com.google.protobuf.Parser PARSER = - new com.google.protobuf.AbstractParser() { + private static final com.google.protobuf.Parser PARSER = + new com.google.protobuf.AbstractParser() { @java.lang.Override - public IngressFrom parsePartialFrom( + public IngressTo parsePartialFrom( com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException { 
@@ -8740,239 +8757,174 @@ public IngressFrom parsePartialFrom( } }; - public static com.google.protobuf.Parser parser() { + public static com.google.protobuf.Parser parser() { return PARSER; } @java.lang.Override - public com.google.protobuf.Parser getParserForType() { + public com.google.protobuf.Parser getParserForType() { return PARSER; } @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo getDefaultInstanceForType() { return DEFAULT_INSTANCE; } } - public interface IngressToOrBuilder + public interface IngressPolicyOrBuilder extends - // @@protoc_insertion_point(interface_extends:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo) + // @@protoc_insertion_point(interface_extends:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy) com.google.protobuf.MessageOrBuilder { /** * * *
-     * A list of [ApiOperations]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * allowed to be performed by the sources specified in corresponding
-     * [IngressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
-     * in this [ServicePerimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter].
+     * Defines the conditions on the source of a request causing this
+     * [IngressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+     * to apply.
      * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom ingress_from = 1; * + * + * @return Whether the ingressFrom field is set. */ - java.util.List - getOperationsList(); + boolean hasIngressFrom(); /** * * *
-     * A list of [ApiOperations]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * allowed to be performed by the sources specified in corresponding
-     * [IngressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
-     * in this [ServicePerimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter].
+     * Defines the conditions on the source of a request causing this
+     * [IngressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+     * to apply.
      * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom ingress_from = 1; * + * + * @return The ingressFrom. */ - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation getOperations( - int index); + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom getIngressFrom(); /** * * *
-     * A list of [ApiOperations]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * allowed to be performed by the sources specified in corresponding
-     * [IngressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
-     * in this [ServicePerimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter].
+     * Defines the conditions on the source of a request causing this
+     * [IngressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+     * to apply.
      * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom ingress_from = 1; * */ - int getOperationsCount(); + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFromOrBuilder + getIngressFromOrBuilder(); + /** * * *
-     * A list of [ApiOperations]
+     * Defines the conditions on the [ApiOperation]
      * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * allowed to be performed by the sources specified in corresponding
-     * [IngressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
-     * in this [ServicePerimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter].
+     * and request destination that cause this [IngressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+     * to apply.
      * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingress_to = 2; * + * + * @return Whether the ingressTo field is set. */ - java.util.List< - ? extends - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .ApiOperationOrBuilder> - getOperationsOrBuilderList(); + boolean hasIngressTo(); /** * * *
-     * A list of [ApiOperations]
+     * Defines the conditions on the [ApiOperation]
      * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * allowed to be performed by the sources specified in corresponding
-     * [IngressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
-     * in this [ServicePerimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter].
+     * and request destination that cause this [IngressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+     * to apply.
      * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingress_to = 2; * + * + * @return The ingressTo. */ - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperationOrBuilder - getOperationsOrBuilder(int index); - + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo getIngressTo(); /** * * *
-     * A list of resources, currently only projects in the form
-     * `projects/<projectnumber>`, protected by this [ServicePerimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
-     * allowed to be accessed by sources defined in the corresponding
-     * [IngressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
-     * If a single `*` is specified, then access to all resources inside the
-     * perimeter are allowed.
-     * 
- * - * repeated string resources = 2; - * - * @return A list containing the resources. - */ - java.util.List getResourcesList(); - /** - * - * - *
-     * A list of resources, currently only projects in the form
-     * `projects/<projectnumber>`, protected by this [ServicePerimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
-     * allowed to be accessed by sources defined in the corresponding
-     * [IngressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
-     * If a single `*` is specified, then access to all resources inside the
-     * perimeter are allowed.
-     * 
- * - * repeated string resources = 2; - * - * @return The count of resources. - */ - int getResourcesCount(); - /** - * - * - *
-     * A list of resources, currently only projects in the form
-     * `projects/<projectnumber>`, protected by this [ServicePerimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
-     * allowed to be accessed by sources defined in the corresponding
-     * [IngressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
-     * If a single `*` is specified, then access to all resources inside the
-     * perimeter are allowed.
-     * 
- * - * repeated string resources = 2; - * - * @param index The index of the element to return. - * @return The resources at the given index. - */ - java.lang.String getResources(int index); - /** - * - * - *
-     * A list of resources, currently only projects in the form
-     * `projects/<projectnumber>`, protected by this [ServicePerimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
-     * allowed to be accessed by sources defined in the corresponding
-     * [IngressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
-     * If a single `*` is specified, then access to all resources inside the
-     * perimeter are allowed.
+     * Defines the conditions on the [ApiOperation]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+     * and request destination that cause this [IngressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+     * to apply.
      * 
* - * repeated string resources = 2; - * - * @param index The index of the value to return. - * @return The bytes of the resources at the given index. + * + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingress_to = 2; + * */ - com.google.protobuf.ByteString getResourcesBytes(int index); + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressToOrBuilder + getIngressToOrBuilder(); } /** * * *
-   * Defines the conditions under which an [IngressPolicy]
+   * Policy for ingress into [ServicePerimeter]
+   * [google.identity.accesscontextmanager.v1.ServicePerimeter].
+   * [IngressPolicies]
    * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-   * matches a request. Conditions are based on information about the
-   * [ApiOperation]
-   * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-   * intended to be performed on the target resource of the request. The request
-   * must satisfy what is defined in `operations` AND `resources` in order to
-   * match.
+   * match requests based on `ingress_from` and `ingress_to` stanzas.  For an
+   * ingress policy to match, both the `ingress_from` and `ingress_to` stanzas
+   * must be matched. If an [IngressPolicy]
+   * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+   * matches a request, the request is allowed through the perimeter boundary
+   * from outside the perimeter.
+   * For example, access from the internet can be allowed either
+   * based on an [AccessLevel]
+   * [google.identity.accesscontextmanager.v1.AccessLevel] or, for traffic
+   * hosted on Google Cloud, the project of the source network. For access from
+   * private networks, using the project of the hosting network is required.
+   * Individual ingress policies can be limited by restricting which
+   * services and/or actions they match using the `ingress_to` field.
    * 
* - * Protobuf type {@code google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo} + * Protobuf type {@code + * google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy} */ - public static final class IngressTo extends com.google.protobuf.GeneratedMessageV3 + public static final class IngressPolicy extends com.google.protobuf.GeneratedMessageV3 implements - // @@protoc_insertion_point(message_implements:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo) - IngressToOrBuilder { + // @@protoc_insertion_point(message_implements:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy) + IngressPolicyOrBuilder { private static final long serialVersionUID = 0L; - // Use IngressTo.newBuilder() to construct. - private IngressTo(com.google.protobuf.GeneratedMessageV3.Builder builder) { + // Use IngressPolicy.newBuilder() to construct. + private IngressPolicy(com.google.protobuf.GeneratedMessageV3.Builder builder) { super(builder); } - private IngressTo() { - operations_ = java.util.Collections.emptyList(); - resources_ = com.google.protobuf.LazyStringArrayList.EMPTY; - } + private IngressPolicy() {} @java.lang.Override @SuppressWarnings({"unused"}) protected java.lang.Object newInstance(UnusedPrivateParameter unused) { - return new IngressTo(); + return new IngressPolicy(); } @java.lang.Override 
@@ -8982,225 +8934,155 @@ public final com.google.protobuf.UnknownFieldSet getUnknownFields() { public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() { return com.google.identity.accesscontextmanager.v1.ServicePerimeterProto - .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressTo_descriptor; + .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressPolicy_descriptor; } @java.lang.Override protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable() { return com.google.identity.accesscontextmanager.v1.ServicePerimeterProto - .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressTo_fieldAccessorTable + .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressPolicy_fieldAccessorTable .ensureFieldAccessorsInitialized( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo.class, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo.Builder - .class); + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy + .class, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy + .Builder.class); } - public static final int OPERATIONS_FIELD_NUMBER = 1; - private java.util.List< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation> - operations_; + public static final int INGRESS_FROM_FIELD_NUMBER = 1; + private com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + ingressFrom_; /** * * *
-     * A list of [ApiOperations]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * allowed to be performed by the sources specified in corresponding
-     * [IngressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
-     * in this [ServicePerimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter].
+     * Defines the conditions on the source of a request causing this
+     * [IngressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+     * to apply.
      * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom ingress_from = 1; * + * + * @return Whether the ingressFrom field is set. */ @java.lang.Override - public java.util.List< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation> - getOperationsList() { - return operations_; + public boolean hasIngressFrom() { + return ingressFrom_ != null; } /** * * *
-     * A list of [ApiOperations]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * allowed to be performed by the sources specified in corresponding
-     * [IngressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
-     * in this [ServicePerimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter].
+     * Defines the conditions on the source of a request causing this
+     * [IngressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+     * to apply.
      * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom ingress_from = 1; * + * + * @return The ingressFrom. */ @java.lang.Override - public java.util.List< - ? extends - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .ApiOperationOrBuilder> - getOperationsOrBuilderList() { - return operations_; + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + getIngressFrom() { + return ingressFrom_ == null + ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + .getDefaultInstance() + : ingressFrom_; } /** * * *
-     * A list of [ApiOperations]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * allowed to be performed by the sources specified in corresponding
-     * [IngressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
-     * in this [ServicePerimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter].
+     * Defines the conditions on the source of a request causing this
+     * [IngressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+     * to apply.
      * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom ingress_from = 1; * */ @java.lang.Override - public int getOperationsCount() { - return operations_.size(); + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFromOrBuilder + getIngressFromOrBuilder() { + return getIngressFrom(); } + + public static final int INGRESS_TO_FIELD_NUMBER = 2; + private com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingressTo_; /** * * *
-     * A list of [ApiOperations]
+     * Defines the conditions on the [ApiOperation]
      * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * allowed to be performed by the sources specified in corresponding
-     * [IngressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
-     * in this [ServicePerimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter].
+     * and request destination that cause this [IngressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+     * to apply.
      * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingress_to = 2; * + * + * @return Whether the ingressTo field is set. */ @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation - getOperations(int index) { - return operations_.get(index); + public boolean hasIngressTo() { + return ingressTo_ != null; } /** * * *
-     * A list of [ApiOperations]
+     * Defines the conditions on the [ApiOperation]
      * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * allowed to be performed by the sources specified in corresponding
-     * [IngressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
-     * in this [ServicePerimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter].
+     * and request destination that cause this [IngressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+     * to apply.
      * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingress_to = 2; * + * + * @return The ingressTo. */ @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperationOrBuilder - getOperationsOrBuilder(int index) { - return operations_.get(index); + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo + getIngressTo() { + return ingressTo_ == null + ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo + .getDefaultInstance() + : ingressTo_; } - - public static final int RESOURCES_FIELD_NUMBER = 2; - private com.google.protobuf.LazyStringList resources_; /** * * *
-     * A list of resources, currently only projects in the form
-     * `projects/<projectnumber>`, protected by this [ServicePerimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
-     * allowed to be accessed by sources defined in the corresponding
-     * [IngressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
-     * If a single `*` is specified, then access to all resources inside the
-     * perimeter are allowed.
-     * 
- * - * repeated string resources = 2; - * - * @return A list containing the resources. - */ - public com.google.protobuf.ProtocolStringList getResourcesList() { - return resources_; - } - /** - * - * - *
-     * A list of resources, currently only projects in the form
-     * `projects/<projectnumber>`, protected by this [ServicePerimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
-     * allowed to be accessed by sources defined in the corresponding
-     * [IngressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
-     * If a single `*` is specified, then access to all resources inside the
-     * perimeter are allowed.
-     * 
- * - * repeated string resources = 2; - * - * @return The count of resources. - */ - public int getResourcesCount() { - return resources_.size(); - } - /** - * - * - *
-     * A list of resources, currently only projects in the form
-     * `projects/<projectnumber>`, protected by this [ServicePerimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
-     * allowed to be accessed by sources defined in the corresponding
-     * [IngressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
-     * If a single `*` is specified, then access to all resources inside the
-     * perimeter are allowed.
-     * 
- * - * repeated string resources = 2; - * - * @param index The index of the element to return. - * @return The resources at the given index. - */ - public java.lang.String getResources(int index) { - return resources_.get(index); - } - /** - * - * - *
-     * A list of resources, currently only projects in the form
-     * `projects/<projectnumber>`, protected by this [ServicePerimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
-     * allowed to be accessed by sources defined in the corresponding
-     * [IngressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
-     * If a single `*` is specified, then access to all resources inside the
-     * perimeter are allowed.
+     * Defines the conditions on the [ApiOperation]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+     * and request destination that cause this [IngressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+     * to apply.
      * 
* - * repeated string resources = 2; - * - * @param index The index of the value to return. - * @return The bytes of the resources at the given index. + * + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingress_to = 2; + * */ - public com.google.protobuf.ByteString getResourcesBytes(int index) { - return resources_.getByteString(index); + @java.lang.Override + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressToOrBuilder + getIngressToOrBuilder() { + return getIngressTo(); } private byte memoizedIsInitialized = -1; @@ -9217,11 +9099,11 @@ public final boolean isInitialized() { @java.lang.Override public void writeTo(com.google.protobuf.CodedOutputStream output) throws java.io.IOException { - for (int i = 0; i < operations_.size(); i++) { - output.writeMessage(1, operations_.get(i)); + if (ingressFrom_ != null) { + output.writeMessage(1, getIngressFrom()); } - for (int i = 0; i < resources_.size(); i++) { - com.google.protobuf.GeneratedMessageV3.writeString(output, 2, resources_.getRaw(i)); + if (ingressTo_ != null) { + output.writeMessage(2, getIngressTo()); } getUnknownFields().writeTo(output); } @@ -9232,16 +9114,11 @@ public int getSerializedSize() { if (size != -1) return size; size = 0; - for (int i = 0; i < operations_.size(); i++) { - size += com.google.protobuf.CodedOutputStream.computeMessageSize(1, operations_.get(i)); + if (ingressFrom_ != null) { + size += com.google.protobuf.CodedOutputStream.computeMessageSize(1, getIngressFrom()); } - { - int dataSize = 0; - for (int i = 0; i < resources_.size(); i++) { - dataSize += computeStringSizeNoTag(resources_.getRaw(i)); - } - size += dataSize; - size += 1 * getResourcesList().size(); + if (ingressTo_ != null) { + size += com.google.protobuf.CodedOutputStream.computeMessageSize(2, getIngressTo()); } size += getUnknownFields().getSerializedSize(); memoizedSize = size; 
@@ -9255,14 +9132,20 @@ public boolean equals(final java.lang.Object obj) { } if (!(obj instanceof - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo)) { + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy)) { return super.equals(obj); } - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo other = - (com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo) obj; + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy other = + (com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy) obj; - if (!getOperationsList().equals(other.getOperationsList())) return false; - if (!getResourcesList().equals(other.getResourcesList())) return false; + if (hasIngressFrom() != other.hasIngressFrom()) return false; + if (hasIngressFrom()) { + if (!getIngressFrom().equals(other.getIngressFrom())) return false; + } + if (hasIngressTo() != other.hasIngressTo()) return false; + if (hasIngressTo()) { + if (!getIngressTo().equals(other.getIngressTo())) return false; + } if (!getUnknownFields().equals(other.getUnknownFields())) return false; return true; } 
@@ -9274,39 +9157,39 @@ public int hashCode() { } int hash = 41; hash = (19 * hash) + getDescriptor().hashCode(); - if (getOperationsCount() > 0) { - hash = (37 * hash) + OPERATIONS_FIELD_NUMBER; - hash = (53 * hash) + getOperationsList().hashCode(); + if (hasIngressFrom()) { + hash = (37 * hash) + INGRESS_FROM_FIELD_NUMBER; + hash = (53 * hash) + getIngressFrom().hashCode(); } - if (getResourcesCount() > 0) { - hash = (37 * hash) + RESOURCES_FIELD_NUMBER; - hash = (53 * hash) + getResourcesList().hashCode(); + if (hasIngressTo()) { + hash = (37 * hash) + INGRESS_TO_FIELD_NUMBER; + hash = (53 * hash) + getIngressTo().hashCode(); } hash = (29 * hash) + getUnknownFields().hashCode(); memoizedHashCode = hash; return hash; } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy parseFrom(java.nio.ByteBuffer data) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy parseFrom( java.nio.ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data, extensionRegistry); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy parseFrom(com.google.protobuf.ByteString data) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy parseFrom( 
com.google.protobuf.ByteString data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) @@ -9314,23 +9197,23 @@ public int hashCode() { return PARSER.parseFrom(data, extensionRegistry); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy parseFrom(byte[] data) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy parseFrom(byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data, extensionRegistry); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy parseFrom(java.io.InputStream input) throws java.io.IOException { return com.google.protobuf.GeneratedMessageV3.parseWithIOException(PARSER, input); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy parseFrom( java.io.InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws java.io.IOException { 
@@ -9338,12 +9221,12 @@ public int hashCode() { PARSER, input, extensionRegistry); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy parseDelimitedFrom(java.io.InputStream input) throws java.io.IOException { return com.google.protobuf.GeneratedMessageV3.parseDelimitedWithIOException(PARSER, input); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy parseDelimitedFrom( java.io.InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws java.io.IOException { @@ -9351,12 +9234,12 @@ public int hashCode() { PARSER, input, extensionRegistry); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy parseFrom(com.google.protobuf.CodedInputStream input) throws java.io.IOException { return com.google.protobuf.GeneratedMessageV3.parseWithIOException(PARSER, input); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy parseFrom( com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) @@ -9375,7 +9258,8 @@ public static Builder newBuilder() { } public static Builder newBuilder( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo prototype) { + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy + prototype) { return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype); } @@ -9394,42 +9278,52 @@ protected Builder newBuilderForType( * * *
-     * Defines the conditions under which an [IngressPolicy]
+     * Policy for ingress into [ServicePerimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter].
+     * [IngressPolicies]
      * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-     * matches a request. Conditions are based on information about the
-     * [ApiOperation]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * intended to be performed on the target resource of the request. The request
-     * must satisfy what is defined in `operations` AND `resources` in order to
-     * match.
+     * match requests based on `ingress_from` and `ingress_to` stanzas.  For an
+     * ingress policy to match, both the `ingress_from` and `ingress_to` stanzas
+     * must be matched. If an [IngressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+     * matches a request, the request is allowed through the perimeter boundary
+     * from outside the perimeter.
+     * For example, access from the internet can be allowed either
+     * based on an [AccessLevel]
+     * [google.identity.accesscontextmanager.v1.AccessLevel] or, for traffic
+     * hosted on Google Cloud, the project of the source network. For access from
+     * private networks, using the project of the hosting network is required.
+     * Individual ingress policies can be limited by restricting which
+     * services and/or actions they match using the `ingress_to` field.
      * 
* * Protobuf type {@code - * google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo} + * google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy} */ public static final class Builder extends com.google.protobuf.GeneratedMessageV3.Builder implements - // @@protoc_insertion_point(builder_implements:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo) - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressToOrBuilder { + // @@protoc_insertion_point(builder_implements:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy) + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicyOrBuilder { public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() { return com.google.identity.accesscontextmanager.v1.ServicePerimeterProto - .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressTo_descriptor; + .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressPolicy_descriptor; } @java.lang.Override protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable() { return com.google.identity.accesscontextmanager.v1.ServicePerimeterProto - .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressTo_fieldAccessorTable + .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressPolicy_fieldAccessorTable .ensureFieldAccessorsInitialized( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo.class, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo.Builder - .class); + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy + .class, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy + .Builder.class); } // Construct using - // 
com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo.newBuilder() + // com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy.newBuilder() private Builder() {} private Builder(com.google.protobuf.GeneratedMessageV3.BuilderParent parent) { 
@@ -9439,34 +9333,38 @@ private Builder(com.google.protobuf.GeneratedMessageV3.BuilderParent parent) { @java.lang.Override public Builder clear() { super.clear(); - if (operationsBuilder_ == null) { - operations_ = java.util.Collections.emptyList(); + if (ingressFromBuilder_ == null) { + ingressFrom_ = null; } else { - operations_ = null; - operationsBuilder_.clear(); + ingressFrom_ = null; + ingressFromBuilder_ = null; + } + if (ingressToBuilder_ == null) { + ingressTo_ = null; + } else { + ingressTo_ = null; + ingressToBuilder_ = null; } - bitField0_ = (bitField0_ & ~0x00000001); - resources_ = com.google.protobuf.LazyStringArrayList.EMPTY; - bitField0_ = (bitField0_ & ~0x00000002); return this; } @java.lang.Override public com.google.protobuf.Descriptors.Descriptor getDescriptorForType() { return com.google.identity.accesscontextmanager.v1.ServicePerimeterProto - .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressTo_descriptor; + .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressPolicy_descriptor; } @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy getDefaultInstanceForType() { - return com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo + return com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy .getDefaultInstance(); } @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo build() { - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo result = + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy + build() { + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy result = buildPartial(); if (!result.isInitialized()) { throw 
newUninitializedMessageException(result); @@ -9475,25 +9373,21 @@ public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.Ingres } @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy buildPartial() { - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo result = - new com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo(this); - int from_bitField0_ = bitField0_; - if (operationsBuilder_ == null) { - if (((bitField0_ & 0x00000001) != 0)) { - operations_ = java.util.Collections.unmodifiableList(operations_); - bitField0_ = (bitField0_ & ~0x00000001); - } - result.operations_ = operations_; + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy result = + new com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy( + this); + if (ingressFromBuilder_ == null) { + result.ingressFrom_ = ingressFrom_; } else { - result.operations_ = operationsBuilder_.build(); + result.ingressFrom_ = ingressFromBuilder_.build(); } - if (((bitField0_ & 0x00000002) != 0)) { - resources_ = resources_.getUnmodifiableView(); - bitField0_ = (bitField0_ & ~0x00000002); + if (ingressToBuilder_ == null) { + result.ingressTo_ = ingressTo_; + } else { + result.ingressTo_ = ingressToBuilder_.build(); } - result.resources_ = resources_; onBuilt(); return result; } 
@@ -9537,9 +9431,10 @@ public Builder addRepeatedField( public Builder mergeFrom(com.google.protobuf.Message other) { if (other instanceof - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo) { + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy) { return mergeFrom( - (com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo) other); + (com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy) + other); } else { super.mergeFrom(other); return this; 
@@ -9547,46 +9442,15 @@ public Builder mergeFrom(com.google.protobuf.Message other) { } public Builder mergeFrom( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo other) { + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy other) { if (other - == com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo + == com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy .getDefaultInstance()) return this; - if (operationsBuilder_ == null) { - if (!other.operations_.isEmpty()) { - if (operations_.isEmpty()) { - operations_ = other.operations_; - bitField0_ = (bitField0_ & ~0x00000001); - } else { - ensureOperationsIsMutable(); - operations_.addAll(other.operations_); - } - onChanged(); - } - } else { - if (!other.operations_.isEmpty()) { - if (operationsBuilder_.isEmpty()) { - operationsBuilder_.dispose(); - operationsBuilder_ = null; - operations_ = other.operations_; - bitField0_ = (bitField0_ & ~0x00000001); - operationsBuilder_ = - com.google.protobuf.GeneratedMessageV3.alwaysUseFieldBuilders - ? getOperationsFieldBuilder() - : null; - } else { - operationsBuilder_.addAllMessages(other.operations_); - } - } + if (other.hasIngressFrom()) { + mergeIngressFrom(other.getIngressFrom()); } - if (!other.resources_.isEmpty()) { - if (resources_.isEmpty()) { - resources_ = other.resources_; - bitField0_ = (bitField0_ & ~0x00000002); - } else { - ensureResourcesIsMutable(); - resources_.addAll(other.resources_); - } - onChanged(); + if (other.hasIngressTo()) { + mergeIngressTo(other.getIngressTo()); } this.mergeUnknownFields(other.getUnknownFields()); onChanged(); 
@@ -9616,25 +9480,14 @@ public Builder mergeFrom( break; case 10: { - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation - m = - input.readMessage( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .ApiOperation.parser(), - extensionRegistry); - if (operationsBuilder_ == null) { - ensureOperationsIsMutable(); - operations_.add(m); - } else { - operationsBuilder_.addMessage(m); - } + input.readMessage(getIngressFromFieldBuilder().getBuilder(), extensionRegistry); + break; } // case 10 case 18: { - java.lang.String s = input.readStringRequireUtf8(); - ensureResourcesIsMutable(); - resources_.add(s); + input.readMessage(getIngressToFieldBuilder().getBuilder(), extensionRegistry); + break; } // case 18 default: 
@@ -9654,809 +9507,537 @@ public Builder mergeFrom( return this; } - private int bitField0_; - - private java.util.List< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation> - operations_ = java.util.Collections.emptyList(); - - private void ensureOperationsIsMutable() { - if (!((bitField0_ & 0x00000001) != 0)) { - operations_ = - new java.util.ArrayList< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation>( - operations_); - bitField0_ |= 0x00000001; - } - } - - private com.google.protobuf.RepeatedFieldBuilderV3< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation + private com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + ingressFrom_; + private com.google.protobuf.SingleFieldBuilderV3< + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom .Builder, com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .ApiOperationOrBuilder> - operationsBuilder_; - + .IngressFromOrBuilder> + ingressFromBuilder_; /** * * *
-       * A list of [ApiOperations]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in corresponding
-       * [IngressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
-       * in this [ServicePerimeter]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
+       * Defines the conditions on the source of a request causing this
+       * [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * to apply.
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom ingress_from = 1; * - */ - public java.util.List< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation> - getOperationsList() { - if (operationsBuilder_ == null) { - return java.util.Collections.unmodifiableList(operations_); - } else { - return operationsBuilder_.getMessageList(); - } - } - /** - * - * - *
-       * A list of [ApiOperations]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in corresponding
-       * [IngressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
-       * in this [ServicePerimeter]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
-       * 
* - * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; - * + * @return Whether the ingressFrom field is set. */ - public int getOperationsCount() { - if (operationsBuilder_ == null) { - return operations_.size(); - } else { - return operationsBuilder_.getCount(); - } + public boolean hasIngressFrom() { + return ingressFromBuilder_ != null || ingressFrom_ != null; } /** * * *
-       * A list of [ApiOperations]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in corresponding
-       * [IngressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
-       * in this [ServicePerimeter]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
+       * Defines the conditions on the source of a request causing this
+       * [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * to apply.
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom ingress_from = 1; * + * + * @return The ingressFrom. */ - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation - getOperations(int index) { - if (operationsBuilder_ == null) { - return operations_.get(index); + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + getIngressFrom() { + if (ingressFromBuilder_ == null) { + return ingressFrom_ == null + ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + .getDefaultInstance() + : ingressFrom_; } else { - return operationsBuilder_.getMessage(index); + return ingressFromBuilder_.getMessage(); } } /** * * *
-       * A list of [ApiOperations]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in corresponding
-       * [IngressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
-       * in this [ServicePerimeter]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
+       * Defines the conditions on the source of a request causing this
+       * [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * to apply.
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom ingress_from = 1; * */ - public Builder setOperations( - int index, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation value) { - if (operationsBuilder_ == null) { + public Builder setIngressFrom( + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom value) { + if (ingressFromBuilder_ == null) { if (value == null) { throw new NullPointerException(); } - ensureOperationsIsMutable(); - operations_.set(index, value); + ingressFrom_ = value; onChanged(); } else { - operationsBuilder_.setMessage(index, value); + ingressFromBuilder_.setMessage(value); } + return this; } /** * * *
-       * A list of [ApiOperations]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in corresponding
-       * [IngressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
-       * in this [ServicePerimeter]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
+       * Defines the conditions on the source of a request causing this
+       * [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * to apply.
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom ingress_from = 1; * */ - public Builder setOperations( - int index, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation.Builder + public Builder setIngressFrom( + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom.Builder builderForValue) { - if (operationsBuilder_ == null) { - ensureOperationsIsMutable(); - operations_.set(index, builderForValue.build()); + if (ingressFromBuilder_ == null) { + ingressFrom_ = builderForValue.build(); onChanged(); } else { - operationsBuilder_.setMessage(index, builderForValue.build()); + ingressFromBuilder_.setMessage(builderForValue.build()); } + return this; } /** * * *
-       * A list of [ApiOperations]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in corresponding
-       * [IngressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
-       * in this [ServicePerimeter]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
+       * Defines the conditions on the source of a request causing this
+       * [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * to apply.
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom ingress_from = 1; * */ - public Builder addOperations( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation value) { - if (operationsBuilder_ == null) { - if (value == null) { - throw new NullPointerException(); + public Builder mergeIngressFrom( + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom value) { + if (ingressFromBuilder_ == null) { + if (ingressFrom_ != null) { + ingressFrom_ = + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + .newBuilder(ingressFrom_) + .mergeFrom(value) + .buildPartial(); + } else { + ingressFrom_ = value; } - ensureOperationsIsMutable(); - operations_.add(value); onChanged(); } else { - operationsBuilder_.addMessage(value); + ingressFromBuilder_.mergeFrom(value); } + return this; } /** * * *
-       * A list of [ApiOperations]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in corresponding
-       * [IngressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
-       * in this [ServicePerimeter]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
+       * Defines the conditions on the source of a request causing this
+       * [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * to apply.
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom ingress_from = 1; * */ - public Builder addOperations( - int index, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation value) { - if (operationsBuilder_ == null) { - if (value == null) { - throw new NullPointerException(); - } - ensureOperationsIsMutable(); - operations_.add(index, value); + public Builder clearIngressFrom() { + if (ingressFromBuilder_ == null) { + ingressFrom_ = null; onChanged(); } else { - operationsBuilder_.addMessage(index, value); + ingressFrom_ = null; + ingressFromBuilder_ = null; } + return this; } /** * * *
-       * A list of [ApiOperations]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in corresponding
-       * [IngressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
-       * in this [ServicePerimeter]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
+       * Defines the conditions on the source of a request causing this
+       * [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * to apply.
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom ingress_from = 1; * */ - public Builder addOperations( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation.Builder - builderForValue) { - if (operationsBuilder_ == null) { - ensureOperationsIsMutable(); - operations_.add(builderForValue.build()); - onChanged(); - } else { - operationsBuilder_.addMessage(builderForValue.build()); - } - return this; + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom.Builder + getIngressFromBuilder() { + + onChanged(); + return getIngressFromFieldBuilder().getBuilder(); } /** * * *
-       * A list of [ApiOperations]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in corresponding
-       * [IngressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
-       * in this [ServicePerimeter]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
+       * Defines the conditions on the source of a request causing this
+       * [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * to apply.
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom ingress_from = 1; * */ - public Builder addOperations( - int index, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation.Builder - builderForValue) { - if (operationsBuilder_ == null) { - ensureOperationsIsMutable(); - operations_.add(index, builderForValue.build()); - onChanged(); + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFromOrBuilder + getIngressFromOrBuilder() { + if (ingressFromBuilder_ != null) { + return ingressFromBuilder_.getMessageOrBuilder(); } else { - operationsBuilder_.addMessage(index, builderForValue.build()); + return ingressFrom_ == null + ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + .getDefaultInstance() + : ingressFrom_; } - return this; } /** * * *
-       * A list of [ApiOperations]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in corresponding
-       * [IngressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
-       * in this [ServicePerimeter]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
+       * Defines the conditions on the source of a request causing this
+       * [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * to apply.
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom ingress_from = 1; * */ - public Builder addAllOperations( - java.lang.Iterable< - ? extends - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .ApiOperation> - values) { - if (operationsBuilder_ == null) { - ensureOperationsIsMutable(); - com.google.protobuf.AbstractMessageLite.Builder.addAll(values, operations_); - onChanged(); - } else { - operationsBuilder_.addAllMessages(values); + private com.google.protobuf.SingleFieldBuilderV3< + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + .Builder, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig + .IngressFromOrBuilder> + getIngressFromFieldBuilder() { + if (ingressFromBuilder_ == null) { + ingressFromBuilder_ = + new com.google.protobuf.SingleFieldBuilderV3< + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom + .Builder, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig + .IngressFromOrBuilder>(getIngressFrom(), getParentForChildren(), isClean()); + ingressFrom_ = null; } - return this; + return ingressFromBuilder_; } + + private com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo + ingressTo_; + private com.google.protobuf.SingleFieldBuilderV3< + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo.Builder, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressToOrBuilder> + ingressToBuilder_; /** * * *
-       * A list of [ApiOperations]
+       * Defines the conditions on the [ApiOperation]
        * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in corresponding
-       * [IngressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
-       * in this [ServicePerimeter]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
+       * and request destination that cause this [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * to apply.
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingress_to = 2; * + * + * @return Whether the ingressTo field is set. */ - public Builder clearOperations() { - if (operationsBuilder_ == null) { - operations_ = java.util.Collections.emptyList(); - bitField0_ = (bitField0_ & ~0x00000001); - onChanged(); - } else { - operationsBuilder_.clear(); - } - return this; + public boolean hasIngressTo() { + return ingressToBuilder_ != null || ingressTo_ != null; } /** * * *
-       * A list of [ApiOperations]
+       * Defines the conditions on the [ApiOperation]
        * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in corresponding
-       * [IngressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
-       * in this [ServicePerimeter]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
+       * and request destination that cause this [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * to apply.
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingress_to = 2; * + * + * @return The ingressTo. */ - public Builder removeOperations(int index) { - if (operationsBuilder_ == null) { - ensureOperationsIsMutable(); - operations_.remove(index); - onChanged(); + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo + getIngressTo() { + if (ingressToBuilder_ == null) { + return ingressTo_ == null + ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo + .getDefaultInstance() + : ingressTo_; } else { - operationsBuilder_.remove(index); + return ingressToBuilder_.getMessage(); } - return this; } /** * * *
-       * A list of [ApiOperations]
+       * Defines the conditions on the [ApiOperation]
        * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in corresponding
-       * [IngressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
-       * in this [ServicePerimeter]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
+       * and request destination that cause this [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * to apply.
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingress_to = 2; * */ - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation.Builder - getOperationsBuilder(int index) { - return getOperationsFieldBuilder().getBuilder(index); + public Builder setIngressTo( + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo value) { + if (ingressToBuilder_ == null) { + if (value == null) { + throw new NullPointerException(); + } + ingressTo_ = value; + onChanged(); + } else { + ingressToBuilder_.setMessage(value); + } + + return this; } /** * * *
-       * A list of [ApiOperations]
+       * Defines the conditions on the [ApiOperation]
        * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in corresponding
-       * [IngressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
-       * in this [ServicePerimeter]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
+       * and request destination that cause this [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * to apply.
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingress_to = 2; * */ - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .ApiOperationOrBuilder - getOperationsOrBuilder(int index) { - if (operationsBuilder_ == null) { - return operations_.get(index); + public Builder setIngressTo( + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo.Builder + builderForValue) { + if (ingressToBuilder_ == null) { + ingressTo_ = builderForValue.build(); + onChanged(); } else { - return operationsBuilder_.getMessageOrBuilder(index); + ingressToBuilder_.setMessage(builderForValue.build()); } + + return this; } /** * * *
-       * A list of [ApiOperations]
+       * Defines the conditions on the [ApiOperation]
        * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in corresponding
-       * [IngressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
-       * in this [ServicePerimeter]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
+       * and request destination that cause this [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * to apply.
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingress_to = 2; * */ - public java.util.List< - ? extends - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .ApiOperationOrBuilder> - getOperationsOrBuilderList() { - if (operationsBuilder_ != null) { - return operationsBuilder_.getMessageOrBuilderList(); + public Builder mergeIngressTo( + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo value) { + if (ingressToBuilder_ == null) { + if (ingressTo_ != null) { + ingressTo_ = + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo + .newBuilder(ingressTo_) + .mergeFrom(value) + .buildPartial(); + } else { + ingressTo_ = value; + } + onChanged(); } else { - return java.util.Collections.unmodifiableList(operations_); + ingressToBuilder_.mergeFrom(value); } + + return this; } /** * * *
-       * A list of [ApiOperations]
+       * Defines the conditions on the [ApiOperation]
        * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in corresponding
-       * [IngressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
-       * in this [ServicePerimeter]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
+       * and request destination that cause this [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * to apply.
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingress_to = 2; * */ - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation.Builder - addOperationsBuilder() { - return getOperationsFieldBuilder() - .addBuilder( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation - .getDefaultInstance()); + public Builder clearIngressTo() { + if (ingressToBuilder_ == null) { + ingressTo_ = null; + onChanged(); + } else { + ingressTo_ = null; + ingressToBuilder_ = null; + } + + return this; } /** * * *
-       * A list of [ApiOperations]
+       * Defines the conditions on the [ApiOperation]
        * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in corresponding
-       * [IngressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
-       * in this [ServicePerimeter]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
+       * and request destination that cause this [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * to apply.
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingress_to = 2; * */ - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation.Builder - addOperationsBuilder(int index) { - return getOperationsFieldBuilder() - .addBuilder( - index, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation - .getDefaultInstance()); + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo.Builder + getIngressToBuilder() { + + onChanged(); + return getIngressToFieldBuilder().getBuilder(); } /** * * *
-       * A list of [ApiOperations]
+       * Defines the conditions on the [ApiOperation]
        * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * allowed to be performed by the sources specified in corresponding
-       * [IngressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
-       * in this [ServicePerimeter]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeter].
+       * and request destination that cause this [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * to apply.
        * 
* * - * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 1; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingress_to = 2; * */ - public java.util.List< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation - .Builder> - getOperationsBuilderList() { - return getOperationsFieldBuilder().getBuilderList(); - } - - private com.google.protobuf.RepeatedFieldBuilderV3< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation - .Builder, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .ApiOperationOrBuilder> - getOperationsFieldBuilder() { - if (operationsBuilder_ == null) { - operationsBuilder_ = - new com.google.protobuf.RepeatedFieldBuilderV3< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation - .Builder, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .ApiOperationOrBuilder>( - operations_, ((bitField0_ & 0x00000001) != 0), getParentForChildren(), isClean()); - operations_ = null; - } - return operationsBuilder_; - } - - private com.google.protobuf.LazyStringList resources_ = - com.google.protobuf.LazyStringArrayList.EMPTY; - - private void ensureResourcesIsMutable() { - if (!((bitField0_ & 0x00000002) != 0)) { - resources_ = new com.google.protobuf.LazyStringArrayList(resources_); - bitField0_ |= 0x00000002; + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressToOrBuilder + getIngressToOrBuilder() { + if (ingressToBuilder_ != null) { + return ingressToBuilder_.getMessageOrBuilder(); + } else { + return ingressTo_ == null + ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo + .getDefaultInstance() + : ingressTo_; } } /** * * *
-       * A list of resources, currently only projects in the form
-       * `projects/<projectnumber>`, protected by this [ServicePerimeter]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
-       * allowed to be accessed by sources defined in the corresponding
-       * [IngressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
-       * If a single `*` is specified, then access to all resources inside the
-       * perimeter are allowed.
-       * 
- * - * repeated string resources = 2; - * - * @return A list containing the resources. - */ - public com.google.protobuf.ProtocolStringList getResourcesList() { - return resources_.getUnmodifiableView(); - } - /** - * - * - *
-       * A list of resources, currently only projects in the form
-       * `projects/<projectnumber>`, protected by this [ServicePerimeter]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
-       * allowed to be accessed by sources defined in the corresponding
-       * [IngressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
-       * If a single `*` is specified, then access to all resources inside the
-       * perimeter are allowed.
+       * Defines the conditions on the [ApiOperation]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * and request destination that cause this [IngressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+       * to apply.
        * 
* - * repeated string resources = 2; - * - * @return The count of resources. + * + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingress_to = 2; + * */ - public int getResourcesCount() { - return resources_.size(); + private com.google.protobuf.SingleFieldBuilderV3< + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo.Builder, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressToOrBuilder> + getIngressToFieldBuilder() { + if (ingressToBuilder_ == null) { + ingressToBuilder_ = + new com.google.protobuf.SingleFieldBuilderV3< + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo + .Builder, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig + .IngressToOrBuilder>(getIngressTo(), getParentForChildren(), isClean()); + ingressTo_ = null; + } + return ingressToBuilder_; } - /** - * - * - *
-       * A list of resources, currently only projects in the form
-       * `projects/<projectnumber>`, protected by this [ServicePerimeter]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
-       * allowed to be accessed by sources defined in the corresponding
-       * [IngressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
-       * If a single `*` is specified, then access to all resources inside the
-       * perimeter are allowed.
-       * 
- * - * repeated string resources = 2; - * - * @param index The index of the element to return. - * @return The resources at the given index. - */ - public java.lang.String getResources(int index) { - return resources_.get(index); + + @java.lang.Override + public final Builder setUnknownFields( + final com.google.protobuf.UnknownFieldSet unknownFields) { + return super.setUnknownFields(unknownFields); } - /** - * - * - *
-       * A list of resources, currently only projects in the form
-       * `projects/<projectnumber>`, protected by this [ServicePerimeter]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
-       * allowed to be accessed by sources defined in the corresponding
-       * [IngressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
-       * If a single `*` is specified, then access to all resources inside the
-       * perimeter are allowed.
-       * 
- * - * repeated string resources = 2; - * - * @param index The index of the value to return. - * @return The bytes of the resources at the given index. - */ - public com.google.protobuf.ByteString getResourcesBytes(int index) { - return resources_.getByteString(index); - } - /** - * - * - *
-       * A list of resources, currently only projects in the form
-       * `projects/<projectnumber>`, protected by this [ServicePerimeter]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
-       * allowed to be accessed by sources defined in the corresponding
-       * [IngressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
-       * If a single `*` is specified, then access to all resources inside the
-       * perimeter are allowed.
-       * 
- * - * repeated string resources = 2; - * - * @param index The index to set the value at. - * @param value The resources to set. - * @return This builder for chaining. - */ - public Builder setResources(int index, java.lang.String value) { - if (value == null) { - throw new NullPointerException(); - } - ensureResourcesIsMutable(); - resources_.set(index, value); - onChanged(); - return this; - } - /** - * - * - *
-       * A list of resources, currently only projects in the form
-       * `projects/<projectnumber>`, protected by this [ServicePerimeter]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
-       * allowed to be accessed by sources defined in the corresponding
-       * [IngressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
-       * If a single `*` is specified, then access to all resources inside the
-       * perimeter are allowed.
-       * 
- * - * repeated string resources = 2; - * - * @param value The resources to add. - * @return This builder for chaining. - */ - public Builder addResources(java.lang.String value) { - if (value == null) { - throw new NullPointerException(); - } - ensureResourcesIsMutable(); - resources_.add(value); - onChanged(); - return this; - } - /** - * - * - *
-       * A list of resources, currently only projects in the form
-       * `projects/<projectnumber>`, protected by this [ServicePerimeter]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
-       * allowed to be accessed by sources defined in the corresponding
-       * [IngressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
-       * If a single `*` is specified, then access to all resources inside the
-       * perimeter are allowed.
-       * 
- * - * repeated string resources = 2; - * - * @param values The resources to add. - * @return This builder for chaining. - */ - public Builder addAllResources(java.lang.Iterable values) { - ensureResourcesIsMutable(); - com.google.protobuf.AbstractMessageLite.Builder.addAll(values, resources_); - onChanged(); - return this; - } - /** - * - * - *
-       * A list of resources, currently only projects in the form
-       * `projects/<projectnumber>`, protected by this [ServicePerimeter]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
-       * allowed to be accessed by sources defined in the corresponding
-       * [IngressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
-       * If a single `*` is specified, then access to all resources inside the
-       * perimeter are allowed.
-       * 
- * - * repeated string resources = 2; - * - * @return This builder for chaining. - */ - public Builder clearResources() { - resources_ = com.google.protobuf.LazyStringArrayList.EMPTY; - bitField0_ = (bitField0_ & ~0x00000002); - onChanged(); - return this; - } - /** - * - * - *
-       * A list of resources, currently only projects in the form
-       * `projects/<projectnumber>`, protected by this [ServicePerimeter]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
-       * allowed to be accessed by sources defined in the corresponding
-       * [IngressFrom]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
-       * If a single `*` is specified, then access to all resources inside the
-       * perimeter are allowed.
-       * 
- * - * repeated string resources = 2; - * - * @param value The bytes of the resources to add. - * @return This builder for chaining. - */ - public Builder addResourcesBytes(com.google.protobuf.ByteString value) { - if (value == null) { - throw new NullPointerException(); - } - checkByteStringIsUtf8(value); - ensureResourcesIsMutable(); - resources_.add(value); - onChanged(); - return this; - } - - @java.lang.Override - public final Builder setUnknownFields( - final com.google.protobuf.UnknownFieldSet unknownFields) { - return super.setUnknownFields(unknownFields); - } - - @java.lang.Override - public final Builder mergeUnknownFields( - final com.google.protobuf.UnknownFieldSet unknownFields) { - return super.mergeUnknownFields(unknownFields); + + @java.lang.Override + public final Builder mergeUnknownFields( + final com.google.protobuf.UnknownFieldSet unknownFields) { + return super.mergeUnknownFields(unknownFields); } - // @@protoc_insertion_point(builder_scope:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo) + // @@protoc_insertion_point(builder_scope:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy) } - // @@protoc_insertion_point(class_scope:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo) + // @@protoc_insertion_point(class_scope:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy) private static final com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .IngressTo + .IngressPolicy DEFAULT_INSTANCE; static { DEFAULT_INSTANCE = - new com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo(); + new com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy(); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy getDefaultInstance() { return DEFAULT_INSTANCE; } - 
private static final com.google.protobuf.Parser PARSER = - new com.google.protobuf.AbstractParser() { + private static final com.google.protobuf.Parser PARSER = + new com.google.protobuf.AbstractParser() { @java.lang.Override - public IngressTo parsePartialFrom( + public IngressPolicy parsePartialFrom( com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException { @@ -10476,174 +10057,158 @@ public IngressTo parsePartialFrom( } }; - public static com.google.protobuf.Parser parser() { + public static com.google.protobuf.Parser parser() { return PARSER; } @java.lang.Override - public com.google.protobuf.Parser getParserForType() { + public com.google.protobuf.Parser getParserForType() { return PARSER; } @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy getDefaultInstanceForType() { return DEFAULT_INSTANCE; } } - public interface IngressPolicyOrBuilder + public interface EgressFromOrBuilder extends - // @@protoc_insertion_point(interface_extends:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy) + // @@protoc_insertion_point(interface_extends:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom) com.google.protobuf.MessageOrBuilder { /** * * *
-     * Defines the conditions on the source of a request causing this
-     * [IngressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-     * to apply.
+     * A list of identities that are allowed access through this [EgressPolicy].
+     * Should be in the format of email address. The email address should
+     * represent individual user or service account only.
      * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom ingress_from = 1; - * + * repeated string identities = 1; * - * @return Whether the ingressFrom field is set. + * @return A list containing the identities. */ - boolean hasIngressFrom(); + java.util.List getIdentitiesList(); /** * * *
-     * Defines the conditions on the source of a request causing this
-     * [IngressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-     * to apply.
+     * A list of identities that are allowed access through this [EgressPolicy].
+     * Should be in the format of email address. The email address should
+     * represent individual user or service account only.
      * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom ingress_from = 1; - * + * repeated string identities = 1; * - * @return The ingressFrom. + * @return The count of identities. */ - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom getIngressFrom(); + int getIdentitiesCount(); /** * * *
-     * Defines the conditions on the source of a request causing this
-     * [IngressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-     * to apply.
+     * A list of identities that are allowed access through this [EgressPolicy].
+     * Should be in the format of email address. The email address should
+     * represent individual user or service account only.
      * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom ingress_from = 1; - * + * repeated string identities = 1; + * + * @param index The index of the element to return. + * @return The identities at the given index. */ - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFromOrBuilder - getIngressFromOrBuilder(); - + java.lang.String getIdentities(int index); /** * * *
-     * Defines the conditions on the [ApiOperation]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * and request destination that cause this [IngressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-     * to apply.
+     * A list of identities that are allowed access through this [EgressPolicy].
+     * Should be in the format of email address. The email address should
+     * represent individual user or service account only.
      * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingress_to = 2; - * + * repeated string identities = 1; * - * @return Whether the ingressTo field is set. + * @param index The index of the value to return. + * @return The bytes of the identities at the given index. */ - boolean hasIngressTo(); + com.google.protobuf.ByteString getIdentitiesBytes(int index); + /** * * *
-     * Defines the conditions on the [ApiOperation]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * and request destination that cause this [IngressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-     * to apply.
+     * Specifies the type of identities that are allowed access to outside the
+     * perimeter. If left unspecified, then members of `identities` field will
+     * be allowed access.
      * 
* * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingress_to = 2; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 2; * * - * @return The ingressTo. + * @return The enum numeric value on the wire for identityType. */ - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo getIngressTo(); + int getIdentityTypeValue(); /** * * *
-     * Defines the conditions on the [ApiOperation]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * and request destination that cause this [IngressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-     * to apply.
+     * Specifies the type of identities that are allowed access to outside the
+     * perimeter. If left unspecified, then members of `identities` field will
+     * be allowed access.
      * 
* * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingress_to = 2; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 2; * + * + * @return The identityType. */ - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressToOrBuilder - getIngressToOrBuilder(); + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType + getIdentityType(); } /** * * *
-   * Policy for ingress into [ServicePerimeter]
-   * [google.identity.accesscontextmanager.v1.ServicePerimeter].
-   * [IngressPolicies]
-   * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-   * match requests based on `ingress_from` and `ingress_to` stanzas.  For an
-   * ingress policy to match, both the `ingress_from` and `ingress_to` stanzas
-   * must be matched. If an [IngressPolicy]
+   * Defines the conditions under which an [EgressPolicy]
+   * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+   * matches a request. Conditions based on information about the source of the
+   * request. Note that if the destination of the request is also protected by a
+   * [ServicePerimeter]
+   * [google.identity.accesscontextmanager.v1.ServicePerimeter], then that
+   * [ServicePerimeter]
+   * [google.identity.accesscontextmanager.v1.ServicePerimeter] must have
+   * an [IngressPolicy]
    * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-   * matches a request, the request is allowed through the perimeter boundary
-   * from outside the perimeter.
-   * For example, access from the internet can be allowed either
-   * based on an [AccessLevel]
-   * [google.identity.accesscontextmanager.v1.AccessLevel] or, for traffic
-   * hosted on Google Cloud, the project of the source network. For access from
-   * private networks, using the project of the hosting network is required.
-   * Individual ingress policies can be limited by restricting which
-   * services and/or actions they match using the `ingress_to` field.
+   * which allows access in order for this request to succeed.
    * 
* - * Protobuf type {@code - * google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy} + * Protobuf type {@code google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom} */ - public static final class IngressPolicy extends com.google.protobuf.GeneratedMessageV3 + public static final class EgressFrom extends com.google.protobuf.GeneratedMessageV3 implements - // @@protoc_insertion_point(message_implements:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy) - IngressPolicyOrBuilder { + // @@protoc_insertion_point(message_implements:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom) + EgressFromOrBuilder { private static final long serialVersionUID = 0L; - // Use IngressPolicy.newBuilder() to construct. - private IngressPolicy(com.google.protobuf.GeneratedMessageV3.Builder builder) { + // Use EgressFrom.newBuilder() to construct. + private EgressFrom(com.google.protobuf.GeneratedMessageV3.Builder builder) { super(builder); } - private IngressPolicy() {} + private EgressFrom() { + identities_ = com.google.protobuf.LazyStringArrayList.EMPTY; + identityType_ = 0; + } @java.lang.Override @SuppressWarnings({"unused"}) protected java.lang.Object newInstance(UnusedPrivateParameter unused) { - return new IngressPolicy(); + return new EgressFrom(); } @java.lang.Override 
@@ -10653,155 +10218,136 @@ public final com.google.protobuf.UnknownFieldSet getUnknownFields() { public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() { return com.google.identity.accesscontextmanager.v1.ServicePerimeterProto - .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressPolicy_descriptor; + .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressFrom_descriptor; } @java.lang.Override protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable() { return com.google.identity.accesscontextmanager.v1.ServicePerimeterProto - .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressPolicy_fieldAccessorTable + .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressFrom_fieldAccessorTable .ensureFieldAccessorsInitialized( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy - .class, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy - .Builder.class); + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom.class, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom.Builder + .class); } - public static final int INGRESS_FROM_FIELD_NUMBER = 1; - private com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom - ingressFrom_; + public static final int IDENTITIES_FIELD_NUMBER = 1; + private com.google.protobuf.LazyStringList identities_; /** * * *
-     * Defines the conditions on the source of a request causing this
-     * [IngressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-     * to apply.
+     * A list of identities that are allowed access through this [EgressPolicy].
+     * Should be in the format of email address. The email address should
+     * represent individual user or service account only.
      * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom ingress_from = 1; - * + * repeated string identities = 1; * - * @return Whether the ingressFrom field is set. + * @return A list containing the identities. */ - @java.lang.Override - public boolean hasIngressFrom() { - return ingressFrom_ != null; + public com.google.protobuf.ProtocolStringList getIdentitiesList() { + return identities_; } /** * * *
-     * Defines the conditions on the source of a request causing this
-     * [IngressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-     * to apply.
+     * A list of identities that are allowed access through this [EgressPolicy].
+     * Should be in the format of email address. The email address should
+     * represent individual user or service account only.
      * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom ingress_from = 1; - * + * repeated string identities = 1; * - * @return The ingressFrom. + * @return The count of identities. */ - @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom - getIngressFrom() { - return ingressFrom_ == null - ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom - .getDefaultInstance() - : ingressFrom_; + public int getIdentitiesCount() { + return identities_.size(); } /** * * *
-     * Defines the conditions on the source of a request causing this
-     * [IngressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-     * to apply.
+     * A list of identities that are allowed access through this [EgressPolicy].
+     * Should be in the format of email address. The email address should
+     * represent individual user or service account only.
      * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom ingress_from = 1; - * + * repeated string identities = 1; + * + * @param index The index of the element to return. + * @return The identities at the given index. */ - @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFromOrBuilder - getIngressFromOrBuilder() { - return getIngressFrom(); + public java.lang.String getIdentities(int index) { + return identities_.get(index); } - - public static final int INGRESS_TO_FIELD_NUMBER = 2; - private com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingressTo_; /** * * *
-     * Defines the conditions on the [ApiOperation]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * and request destination that cause this [IngressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-     * to apply.
+     * A list of identities that are allowed access through this [EgressPolicy].
+     * Should be in the format of email address. The email address should
+     * represent individual user or service account only.
      * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingress_to = 2; - * + * repeated string identities = 1; * - * @return Whether the ingressTo field is set. + * @param index The index of the value to return. + * @return The bytes of the identities at the given index. */ - @java.lang.Override - public boolean hasIngressTo() { - return ingressTo_ != null; + public com.google.protobuf.ByteString getIdentitiesBytes(int index) { + return identities_.getByteString(index); } + + public static final int IDENTITY_TYPE_FIELD_NUMBER = 2; + private int identityType_; /** * * *
-     * Defines the conditions on the [ApiOperation]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * and request destination that cause this [IngressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-     * to apply.
+     * Specifies the type of identities that are allowed access to outside the
+     * perimeter. If left unspecified, then members of `identities` field will
+     * be allowed access.
      * 
* * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingress_to = 2; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 2; * * - * @return The ingressTo. + * @return The enum numeric value on the wire for identityType. */ @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo - getIngressTo() { - return ingressTo_ == null - ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo - .getDefaultInstance() - : ingressTo_; + public int getIdentityTypeValue() { + return identityType_; } /** * * *
-     * Defines the conditions on the [ApiOperation]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * and request destination that cause this [IngressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-     * to apply.
+     * Specifies the type of identities that are allowed access to outside the
+     * perimeter. If left unspecified, then members of `identities` field will
+     * be allowed access.
      * 
* * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingress_to = 2; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 2; * + * + * @return The identityType. */ @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressToOrBuilder - getIngressToOrBuilder() { - return getIngressTo(); + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType + getIdentityType() { + @SuppressWarnings("deprecation") + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType result = + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType.valueOf( + identityType_); + return result == null + ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType + .UNRECOGNIZED + : result; } private byte memoizedIsInitialized = -1; @@ -10818,11 +10364,14 @@ public final boolean isInitialized() { @java.lang.Override public void writeTo(com.google.protobuf.CodedOutputStream output) throws java.io.IOException { - if (ingressFrom_ != null) { - output.writeMessage(1, getIngressFrom()); + for (int i = 0; i < identities_.size(); i++) { + com.google.protobuf.GeneratedMessageV3.writeString(output, 1, identities_.getRaw(i)); } - if (ingressTo_ != null) { - output.writeMessage(2, getIngressTo()); + if (identityType_ + != com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType + .IDENTITY_TYPE_UNSPECIFIED + .getNumber()) { + output.writeEnum(2, identityType_); } getUnknownFields().writeTo(output); } 
@@ -10833,11 +10382,19 @@ public int getSerializedSize() { if (size != -1) return size; size = 0; - if (ingressFrom_ != null) { - size += com.google.protobuf.CodedOutputStream.computeMessageSize(1, getIngressFrom()); + { + int dataSize = 0; + for (int i = 0; i < identities_.size(); i++) { + dataSize += computeStringSizeNoTag(identities_.getRaw(i)); + } + size += dataSize; + size += 1 * getIdentitiesList().size(); } - if (ingressTo_ != null) { - size += com.google.protobuf.CodedOutputStream.computeMessageSize(2, getIngressTo()); + if (identityType_ + != com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType + .IDENTITY_TYPE_UNSPECIFIED + .getNumber()) { + size += com.google.protobuf.CodedOutputStream.computeEnumSize(2, identityType_); } size += getUnknownFields().getSerializedSize(); memoizedSize = size; 
@@ -10851,20 +10408,14 @@ public boolean equals(final java.lang.Object obj) { } if (!(obj instanceof - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy)) { + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom)) { return super.equals(obj); } - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy other = - (com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy) obj; + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom other = + (com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom) obj; - if (hasIngressFrom() != other.hasIngressFrom()) return false; - if (hasIngressFrom()) { - if (!getIngressFrom().equals(other.getIngressFrom())) return false; - } - if (hasIngressTo() != other.hasIngressTo()) return false; - if (hasIngressTo()) { - if (!getIngressTo().equals(other.getIngressTo())) return false; - } + if (!getIdentitiesList().equals(other.getIdentitiesList())) return false; + if (identityType_ != other.identityType_) return false; if (!getUnknownFields().equals(other.getUnknownFields())) return false; return true; } 
@@ -10876,39 +10427,37 @@ public int hashCode() { } int hash = 41; hash = (19 * hash) + getDescriptor().hashCode(); - if (hasIngressFrom()) { - hash = (37 * hash) + INGRESS_FROM_FIELD_NUMBER; - hash = (53 * hash) + getIngressFrom().hashCode(); - } - if (hasIngressTo()) { - hash = (37 * hash) + INGRESS_TO_FIELD_NUMBER; - hash = (53 * hash) + getIngressTo().hashCode(); + if (getIdentitiesCount() > 0) { + hash = (37 * hash) + IDENTITIES_FIELD_NUMBER; + hash = (53 * hash) + getIdentitiesList().hashCode(); } + hash = (37 * hash) + IDENTITY_TYPE_FIELD_NUMBER; + hash = (53 * hash) + identityType_; hash = (29 * hash) + getUnknownFields().hashCode(); memoizedHashCode = hash; return hash; } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom parseFrom(java.nio.ByteBuffer data) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom parseFrom( java.nio.ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data, extensionRegistry); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom parseFrom(com.google.protobuf.ByteString data) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom parseFrom( com.google.protobuf.ByteString data, 
com.google.protobuf.ExtensionRegistryLite extensionRegistry) @@ -10916,23 +10465,23 @@ public int hashCode() { return PARSER.parseFrom(data, extensionRegistry); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom parseFrom(byte[] data) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom parseFrom(byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data, extensionRegistry); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom parseFrom(java.io.InputStream input) throws java.io.IOException { return com.google.protobuf.GeneratedMessageV3.parseWithIOException(PARSER, input); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom parseFrom( java.io.InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws java.io.IOException { 
@@ -10940,12 +10489,12 @@ public int hashCode() { PARSER, input, extensionRegistry); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom parseDelimitedFrom(java.io.InputStream input) throws java.io.IOException { return com.google.protobuf.GeneratedMessageV3.parseDelimitedWithIOException(PARSER, input); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom parseDelimitedFrom( java.io.InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws java.io.IOException { @@ -10953,12 +10502,12 @@ public int hashCode() { PARSER, input, extensionRegistry); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom parseFrom(com.google.protobuf.CodedInputStream input) throws java.io.IOException { return com.google.protobuf.GeneratedMessageV3.parseWithIOException(PARSER, input); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom parseFrom( com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) @@ -10977,8 +10526,7 @@ public static Builder newBuilder() { } public static Builder newBuilder( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy - prototype) { + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom prototype) { return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype); } @@ -10997,52 +10545,45 @@ protected Builder newBuilderForType( * * *
-     * Policy for ingress into [ServicePerimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter].
-     * [IngressPolicies]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-     * match requests based on `ingress_from` and `ingress_to` stanzas.  For an
-     * ingress policy to match, both the `ingress_from` and `ingress_to` stanzas
-     * must be matched. If an [IngressPolicy]
+     * Defines the conditions under which an [EgressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+     * matches a request. Conditions based on information about the source of the
+     * request. Note that if the destination of the request is also protected by a
+     * [ServicePerimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter], then that
+     * [ServicePerimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] must have
+     * an [IngressPolicy]
      * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-     * matches a request, the request is allowed through the perimeter boundary
-     * from outside the perimeter.
-     * For example, access from the internet can be allowed either
-     * based on an [AccessLevel]
-     * [google.identity.accesscontextmanager.v1.AccessLevel] or, for traffic
-     * hosted on Google Cloud, the project of the source network. For access from
-     * private networks, using the project of the hosting network is required.
-     * Individual ingress policies can be limited by restricting which
-     * services and/or actions they match using the `ingress_to` field.
+     * which allows access in order for this request to succeed.
      * 
* * Protobuf type {@code - * google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy} + * google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom} */ public static final class Builder extends com.google.protobuf.GeneratedMessageV3.Builder implements - // @@protoc_insertion_point(builder_implements:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy) - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicyOrBuilder { + // @@protoc_insertion_point(builder_implements:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom) + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFromOrBuilder { public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() { return com.google.identity.accesscontextmanager.v1.ServicePerimeterProto - .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressPolicy_descriptor; + .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressFrom_descriptor; } @java.lang.Override protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable() { return com.google.identity.accesscontextmanager.v1.ServicePerimeterProto - .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressPolicy_fieldAccessorTable + .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressFrom_fieldAccessorTable .ensureFieldAccessorsInitialized( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy - .class, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom.class, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom .Builder.class); } // Construct using - // 
com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy.newBuilder() + // com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom.newBuilder() private Builder() {} private Builder(com.google.protobuf.GeneratedMessageV3.BuilderParent parent) { 
@@ -11052,38 +10593,29 @@ private Builder(com.google.protobuf.GeneratedMessageV3.BuilderParent parent) { @java.lang.Override public Builder clear() { super.clear(); - if (ingressFromBuilder_ == null) { - ingressFrom_ = null; - } else { - ingressFrom_ = null; - ingressFromBuilder_ = null; - } - if (ingressToBuilder_ == null) { - ingressTo_ = null; - } else { - ingressTo_ = null; - ingressToBuilder_ = null; - } + identities_ = com.google.protobuf.LazyStringArrayList.EMPTY; + bitField0_ = (bitField0_ & ~0x00000001); + identityType_ = 0; + return this; } @java.lang.Override public com.google.protobuf.Descriptors.Descriptor getDescriptorForType() { return com.google.identity.accesscontextmanager.v1.ServicePerimeterProto - .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressPolicy_descriptor; + .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressFrom_descriptor; } @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom getDefaultInstanceForType() { - return com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy + return com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom .getDefaultInstance(); } @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy - build() { - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy result = + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom build() { + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom result = buildPartial(); if (!result.isInitialized()) { throw newUninitializedMessageException(result); 
@@ -11092,21 +10624,17 @@ public com.google.protobuf.Descriptors.Descriptor getDescriptorForType() { } @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom buildPartial() { - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy result = - new com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy( - this); - if (ingressFromBuilder_ == null) { - result.ingressFrom_ = ingressFrom_; - } else { - result.ingressFrom_ = ingressFromBuilder_.build(); - } - if (ingressToBuilder_ == null) { - result.ingressTo_ = ingressTo_; - } else { - result.ingressTo_ = ingressToBuilder_.build(); + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom result = + new com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom(this); + int from_bitField0_ = bitField0_; + if (((bitField0_ & 0x00000001) != 0)) { + identities_ = identities_.getUnmodifiableView(); + bitField0_ = (bitField0_ & ~0x00000001); } + result.identities_ = identities_; + result.identityType_ = identityType_; onBuilt(); return result; } @@ -11150,9 +10678,9 @@ public Builder addRepeatedField( public Builder mergeFrom(com.google.protobuf.Message other) { if (other instanceof - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy) { + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom) { return mergeFrom( - (com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy) + (com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom) other); } else { super.mergeFrom(other); 
@@ -11161,15 +10689,22 @@ public Builder mergeFrom(com.google.protobuf.Message other) { } public Builder mergeFrom( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy other) { + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom other) { if (other - == com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy + == com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom .getDefaultInstance()) return this; - if (other.hasIngressFrom()) { - mergeIngressFrom(other.getIngressFrom()); + if (!other.identities_.isEmpty()) { + if (identities_.isEmpty()) { + identities_ = other.identities_; + bitField0_ = (bitField0_ & ~0x00000001); + } else { + ensureIdentitiesIsMutable(); + identities_.addAll(other.identities_); + } + onChanged(); } - if (other.hasIngressTo()) { - mergeIngressTo(other.getIngressTo()); + if (other.identityType_ != 0) { + setIdentityTypeValue(other.getIdentityTypeValue()); } this.mergeUnknownFields(other.getUnknownFields()); onChanged(); @@ -11199,16 +10734,17 @@ public Builder mergeFrom( break; case 10: { - input.readMessage(getIngressFromFieldBuilder().getBuilder(), extensionRegistry); - + java.lang.String s = input.readStringRequireUtf8(); + ensureIdentitiesIsMutable(); + identities_.add(s); break; } // case 10 - case 18: + case 16: { - input.readMessage(getIngressToFieldBuilder().getBuilder(), extensionRegistry); + identityType_ = input.readEnum(); break; - } // case 18 + } // case 16 default: { if (!super.parseUnknownField(input, extensionRegistry, tag)) { 
@@ -11226,501 +10762,309 @@ public Builder mergeFrom( return this; } - private com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom - ingressFrom_; - private com.google.protobuf.SingleFieldBuilderV3< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom - .Builder, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .IngressFromOrBuilder> - ingressFromBuilder_; + private int bitField0_; + + private com.google.protobuf.LazyStringList identities_ = + com.google.protobuf.LazyStringArrayList.EMPTY; + + private void ensureIdentitiesIsMutable() { + if (!((bitField0_ & 0x00000001) != 0)) { + identities_ = new com.google.protobuf.LazyStringArrayList(identities_); + bitField0_ |= 0x00000001; + } + } /** * * *
-       * Defines the conditions on the source of a request causing this
-       * [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * to apply.
+       * A list of identities that are allowed access through this [EgressPolicy].
+       * Should be in the format of email address. The email address should
+       * represent individual user or service account only.
        * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom ingress_from = 1; - * + * repeated string identities = 1; * - * @return Whether the ingressFrom field is set. + * @return A list containing the identities. */ - public boolean hasIngressFrom() { - return ingressFromBuilder_ != null || ingressFrom_ != null; + public com.google.protobuf.ProtocolStringList getIdentitiesList() { + return identities_.getUnmodifiableView(); } /** * * *
-       * Defines the conditions on the source of a request causing this
-       * [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * to apply.
+       * A list of identities that are allowed access through this [EgressPolicy].
+       * Should be in the format of email address. The email address should
+       * represent individual user or service account only.
        * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom ingress_from = 1; - * + * repeated string identities = 1; * - * @return The ingressFrom. + * @return The count of identities. */ - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom - getIngressFrom() { - if (ingressFromBuilder_ == null) { - return ingressFrom_ == null - ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom - .getDefaultInstance() - : ingressFrom_; - } else { - return ingressFromBuilder_.getMessage(); - } + public int getIdentitiesCount() { + return identities_.size(); } /** * * *
-       * Defines the conditions on the source of a request causing this
-       * [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * to apply.
+       * A list of identities that are allowed access through this [EgressPolicy].
+       * Should be in the format of email address. The email address should
+       * represent individual user or service account only.
        * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom ingress_from = 1; - * + * repeated string identities = 1; + * + * @param index The index of the element to return. + * @return The identities at the given index. */ - public Builder setIngressFrom( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom value) { - if (ingressFromBuilder_ == null) { - if (value == null) { - throw new NullPointerException(); - } - ingressFrom_ = value; - onChanged(); - } else { - ingressFromBuilder_.setMessage(value); - } - - return this; + public java.lang.String getIdentities(int index) { + return identities_.get(index); } /** * * *
-       * Defines the conditions on the source of a request causing this
-       * [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * to apply.
+       * A list of identities that are allowed access through this [EgressPolicy].
+       * Should be in the format of email address. The email address should
+       * represent individual user or service account only.
        * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom ingress_from = 1; - * + * repeated string identities = 1; + * + * @param index The index of the value to return. + * @return The bytes of the identities at the given index. */ - public Builder setIngressFrom( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom.Builder - builderForValue) { - if (ingressFromBuilder_ == null) { - ingressFrom_ = builderForValue.build(); - onChanged(); - } else { - ingressFromBuilder_.setMessage(builderForValue.build()); - } - - return this; + public com.google.protobuf.ByteString getIdentitiesBytes(int index) { + return identities_.getByteString(index); } /** * * *
-       * Defines the conditions on the source of a request causing this
-       * [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * to apply.
+       * A list of identities that are allowed access through this [EgressPolicy].
+       * Should be in the format of email address. The email address should
+       * represent individual user or service account only.
        * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom ingress_from = 1; - * + * repeated string identities = 1; + * + * @param index The index to set the value at. + * @param value The identities to set. + * @return This builder for chaining. */ - public Builder mergeIngressFrom( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom value) { - if (ingressFromBuilder_ == null) { - if (ingressFrom_ != null) { - ingressFrom_ = - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom - .newBuilder(ingressFrom_) - .mergeFrom(value) - .buildPartial(); - } else { - ingressFrom_ = value; - } - onChanged(); - } else { - ingressFromBuilder_.mergeFrom(value); + public Builder setIdentities(int index, java.lang.String value) { + if (value == null) { + throw new NullPointerException(); } - + ensureIdentitiesIsMutable(); + identities_.set(index, value); + onChanged(); return this; } /** * * *
-       * Defines the conditions on the source of a request causing this
-       * [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * to apply.
+       * A list of identities that are allowed access through this [EgressPolicy].
+       * Should be in the format of email address. The email address should
+       * represent individual user or service account only.
        * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom ingress_from = 1; - * + * repeated string identities = 1; + * + * @param value The identities to add. + * @return This builder for chaining. */ - public Builder clearIngressFrom() { - if (ingressFromBuilder_ == null) { - ingressFrom_ = null; - onChanged(); - } else { - ingressFrom_ = null; - ingressFromBuilder_ = null; + public Builder addIdentities(java.lang.String value) { + if (value == null) { + throw new NullPointerException(); } - + ensureIdentitiesIsMutable(); + identities_.add(value); + onChanged(); return this; } /** * * *
-       * Defines the conditions on the source of a request causing this
-       * [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * to apply.
+       * A list of identities that are allowed access through this [EgressPolicy].
+       * Should be in the format of email address. The email address should
+       * represent individual user or service account only.
        * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom ingress_from = 1; - * + * repeated string identities = 1; + * + * @param values The identities to add. + * @return This builder for chaining. */ - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom.Builder - getIngressFromBuilder() { - + public Builder addAllIdentities(java.lang.Iterable values) { + ensureIdentitiesIsMutable(); + com.google.protobuf.AbstractMessageLite.Builder.addAll(values, identities_); onChanged(); - return getIngressFromFieldBuilder().getBuilder(); + return this; } /** * * *
-       * Defines the conditions on the source of a request causing this
-       * [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * to apply.
+       * A list of identities that are allowed access through this [EgressPolicy].
+       * Should be in the format of email address. The email address should
+       * represent individual user or service account only.
        * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom ingress_from = 1; - * + * repeated string identities = 1; + * + * @return This builder for chaining. */ - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFromOrBuilder - getIngressFromOrBuilder() { - if (ingressFromBuilder_ != null) { - return ingressFromBuilder_.getMessageOrBuilder(); - } else { - return ingressFrom_ == null - ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom - .getDefaultInstance() - : ingressFrom_; - } + public Builder clearIdentities() { + identities_ = com.google.protobuf.LazyStringArrayList.EMPTY; + bitField0_ = (bitField0_ & ~0x00000001); + onChanged(); + return this; } /** * * *
-       * Defines the conditions on the source of a request causing this
-       * [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * to apply.
+       * A list of identities that are allowed access through this [EgressPolicy].
+       * Should be in the format of email address. The email address should
+       * represent individual user or service account only.
        * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom ingress_from = 1; - * + * repeated string identities = 1; + * + * @param value The bytes of the identities to add. + * @return This builder for chaining. */ - private com.google.protobuf.SingleFieldBuilderV3< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom - .Builder, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .IngressFromOrBuilder> - getIngressFromFieldBuilder() { - if (ingressFromBuilder_ == null) { - ingressFromBuilder_ = - new com.google.protobuf.SingleFieldBuilderV3< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom - .Builder, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .IngressFromOrBuilder>(getIngressFrom(), getParentForChildren(), isClean()); - ingressFrom_ = null; + public Builder addIdentitiesBytes(com.google.protobuf.ByteString value) { + if (value == null) { + throw new NullPointerException(); } - return ingressFromBuilder_; + checkByteStringIsUtf8(value); + ensureIdentitiesIsMutable(); + identities_.add(value); + onChanged(); + return this; } - private com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo - ingressTo_; - private com.google.protobuf.SingleFieldBuilderV3< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo.Builder, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressToOrBuilder> - ingressToBuilder_; + private int identityType_ = 0; /** * * *
-       * Defines the conditions on the [ApiOperation]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * and request destination that cause this [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * to apply.
+       * Specifies the type of identities that are allowed access to outside the
+       * perimeter. If left unspecified, then members of `identities` field will
+       * be allowed access.
        * 
* * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingress_to = 2; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 2; * * - * @return Whether the ingressTo field is set. + * @return The enum numeric value on the wire for identityType. */ - public boolean hasIngressTo() { - return ingressToBuilder_ != null || ingressTo_ != null; + @java.lang.Override + public int getIdentityTypeValue() { + return identityType_; } /** * * *
-       * Defines the conditions on the [ApiOperation]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * and request destination that cause this [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * to apply.
+       * Specifies the type of identities that are allowed access to outside the
+       * perimeter. If left unspecified, then members of `identities` field will
+       * be allowed access.
        * 
* * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingress_to = 2; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 2; * * - * @return The ingressTo. + * @param value The enum numeric value on the wire for identityType to set. + * @return This builder for chaining. */ - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo - getIngressTo() { - if (ingressToBuilder_ == null) { - return ingressTo_ == null - ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo - .getDefaultInstance() - : ingressTo_; - } else { - return ingressToBuilder_.getMessage(); - } + public Builder setIdentityTypeValue(int value) { + + identityType_ = value; + onChanged(); + return this; } /** * * *
-       * Defines the conditions on the [ApiOperation]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * and request destination that cause this [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * to apply.
+       * Specifies the type of identities that are allowed access to outside the
+       * perimeter. If left unspecified, then members of `identities` field will
+       * be allowed access.
        * 
* * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingress_to = 2; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 2; * + * + * @return The identityType. */ - public Builder setIngressTo( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo value) { - if (ingressToBuilder_ == null) { - if (value == null) { - throw new NullPointerException(); - } - ingressTo_ = value; - onChanged(); - } else { - ingressToBuilder_.setMessage(value); - } - - return this; + @java.lang.Override + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType + getIdentityType() { + @SuppressWarnings("deprecation") + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType result = + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType.valueOf( + identityType_); + return result == null + ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType + .UNRECOGNIZED + : result; } /** * * *
-       * Defines the conditions on the [ApiOperation]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * and request destination that cause this [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * to apply.
-       * 
- * - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingress_to = 2; - * - */ - public Builder setIngressTo( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo.Builder - builderForValue) { - if (ingressToBuilder_ == null) { - ingressTo_ = builderForValue.build(); - onChanged(); - } else { - ingressToBuilder_.setMessage(builderForValue.build()); - } - - return this; - } - /** - * - * - *
-       * Defines the conditions on the [ApiOperation]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * and request destination that cause this [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * to apply.
+       * Specifies the type of identities that are allowed access to outside the
+       * perimeter. If left unspecified, then members of `identities` field will
+       * be allowed access.
        * 
* * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingress_to = 2; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 2; * - */ - public Builder mergeIngressTo( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo value) { - if (ingressToBuilder_ == null) { - if (ingressTo_ != null) { - ingressTo_ = - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo - .newBuilder(ingressTo_) - .mergeFrom(value) - .buildPartial(); - } else { - ingressTo_ = value; - } - onChanged(); - } else { - ingressToBuilder_.mergeFrom(value); - } - - return this; - } - /** - * - * - *
-       * Defines the conditions on the [ApiOperation]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * and request destination that cause this [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * to apply.
-       * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingress_to = 2; - * + * @param value The identityType to set. + * @return This builder for chaining. */ - public Builder clearIngressTo() { - if (ingressToBuilder_ == null) { - ingressTo_ = null; - onChanged(); - } else { - ingressTo_ = null; - ingressToBuilder_ = null; + public Builder setIdentityType( + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType value) { + if (value == null) { + throw new NullPointerException(); } + identityType_ = value.getNumber(); + onChanged(); return this; } /** * * *
-       * Defines the conditions on the [ApiOperation]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * and request destination that cause this [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * to apply.
+       * Specifies the type of identities that are allowed access to outside the
+       * perimeter. If left unspecified, then members of `identities` field will
+       * be allowed access.
        * 
* * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingress_to = 2; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 2; * + * + * @return This builder for chaining. */ - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo.Builder - getIngressToBuilder() { + public Builder clearIdentityType() { + identityType_ = 0; onChanged(); - return getIngressToFieldBuilder().getBuilder(); - } - /** - * - * - *
-       * Defines the conditions on the [ApiOperation]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * and request destination that cause this [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * to apply.
-       * 
- * - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingress_to = 2; - * - */ - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressToOrBuilder - getIngressToOrBuilder() { - if (ingressToBuilder_ != null) { - return ingressToBuilder_.getMessageOrBuilder(); - } else { - return ingressTo_ == null - ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo - .getDefaultInstance() - : ingressTo_; - } - } - /** - * - * - *
-       * Defines the conditions on the [ApiOperation]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * and request destination that cause this [IngressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-       * to apply.
-       * 
- * - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo ingress_to = 2; - * - */ - private com.google.protobuf.SingleFieldBuilderV3< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo.Builder, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressToOrBuilder> - getIngressToFieldBuilder() { - if (ingressToBuilder_ == null) { - ingressToBuilder_ = - new com.google.protobuf.SingleFieldBuilderV3< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo - .Builder, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .IngressToOrBuilder>(getIngressTo(), getParentForChildren(), isClean()); - ingressTo_ = null; - } - return ingressToBuilder_; + return this; } @java.lang.Override 
@@ -11735,28 +11079,28 @@ public final Builder mergeUnknownFields( return super.mergeUnknownFields(unknownFields); } - // @@protoc_insertion_point(builder_scope:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy) + // @@protoc_insertion_point(builder_scope:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom) } - // @@protoc_insertion_point(class_scope:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy) + // @@protoc_insertion_point(class_scope:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom) private static final com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .IngressPolicy + .EgressFrom DEFAULT_INSTANCE; static { DEFAULT_INSTANCE = - new com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy(); + new com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom(); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom getDefaultInstance() { return DEFAULT_INSTANCE; } - private static final com.google.protobuf.Parser PARSER = - new com.google.protobuf.AbstractParser() { + private static final com.google.protobuf.Parser PARSER = + new com.google.protobuf.AbstractParser() { @java.lang.Override - public IngressPolicy parsePartialFrom( + public EgressFrom parsePartialFrom( com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException { 
@@ -11776,177 +11120,313 @@ public IngressPolicy parsePartialFrom( } }; - public static com.google.protobuf.Parser parser() { + public static com.google.protobuf.Parser parser() { return PARSER; } @java.lang.Override - public com.google.protobuf.Parser getParserForType() { + public com.google.protobuf.Parser getParserForType() { return PARSER; } @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom getDefaultInstanceForType() { return DEFAULT_INSTANCE; } } - public interface EgressPolicyOrBuilder + public interface EgressToOrBuilder extends - // @@protoc_insertion_point(interface_extends:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy) + // @@protoc_insertion_point(interface_extends:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo) com.google.protobuf.MessageOrBuilder { /** * * *
-     * Defines conditions on the source of a request causing this [EgressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-     * to apply.
+     * A list of resources, currently only projects in the form
+     * `projects/<projectnumber>`, that are allowed to be accessed by sources
+     * defined in the corresponding [EgressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+     * A request matches if it contains a resource in this list.  If `*` is
+     * specified for `resources`, then this [EgressTo]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
+     * rule will authorize access to all resources outside the perimeter.
      * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom egress_from = 1; - * + * repeated string resources = 1; * - * @return Whether the egressFrom field is set. + * @return A list containing the resources. */ - boolean hasEgressFrom(); + java.util.List getResourcesList(); /** * * *
-     * Defines conditions on the source of a request causing this [EgressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-     * to apply.
+     * A list of resources, currently only projects in the form
+     * `projects/<projectnumber>`, that are allowed to be accessed by sources
+     * defined in the corresponding [EgressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+     * A request matches if it contains a resource in this list.  If `*` is
+     * specified for `resources`, then this [EgressTo]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
+     * rule will authorize access to all resources outside the perimeter.
      * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom egress_from = 1; - * + * repeated string resources = 1; * - * @return The egressFrom. + * @return The count of resources. */ - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom getEgressFrom(); + int getResourcesCount(); /** * * *
-     * Defines conditions on the source of a request causing this [EgressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-     * to apply.
+     * A list of resources, currently only projects in the form
+     * `projects/<projectnumber>`, that are allowed to be accessed by sources
+     * defined in the corresponding [EgressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+     * A request matches if it contains a resource in this list.  If `*` is
+     * specified for `resources`, then this [EgressTo]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
+     * rule will authorize access to all resources outside the perimeter.
      * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom egress_from = 1; - * + * repeated string resources = 1; + * + * @param index The index of the element to return. + * @return The resources at the given index. */ - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFromOrBuilder - getEgressFromOrBuilder(); - + java.lang.String getResources(int index); /** * * *
-     * Defines the conditions on the [ApiOperation]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * and destination resources that cause this [EgressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-     * to apply.
+     * A list of resources, currently only projects in the form
+     * `projects/<projectnumber>`, that are allowed to be accessed by sources
+     * defined in the corresponding [EgressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+     * A request matches if it contains a resource in this list.  If `*` is
+     * specified for `resources`, then this [EgressTo]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
+     * rule will authorize access to all resources outside the perimeter.
      * 
* - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egress_to = 2; - * + * repeated string resources = 1; * - * @return Whether the egressTo field is set. + * @param index The index of the value to return. + * @return The bytes of the resources at the given index. */ - boolean hasEgressTo(); + com.google.protobuf.ByteString getResourcesBytes(int index); + /** * * *
-     * Defines the conditions on the [ApiOperation]
+     * A list of [ApiOperations]
      * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * and destination resources that cause this [EgressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-     * to apply.
+     * allowed to be performed by the sources specified in the corresponding
+     * [EgressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+     * A request matches if it uses an operation/service in this list.
      * 
* - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egress_to = 2; + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; * + */ + java.util.List + getOperationsList(); + /** * - * @return The egressTo. + * + *
+     * A list of [ApiOperations]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+     * allowed to be performed by the sources specified in the corresponding
+     * [EgressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+     * A request matches if it uses an operation/service in this list.
+     * 
+ * + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * */ - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo getEgressTo(); + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation getOperations( + int index); /** * * *
-     * Defines the conditions on the [ApiOperation]
+     * A list of [ApiOperations]
      * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * and destination resources that cause this [EgressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-     * to apply.
+     * allowed to be performed by the sources specified in the corresponding
+     * [EgressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+     * A request matches if it uses an operation/service in this list.
      * 
* - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egress_to = 2; + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; * */ - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressToOrBuilder - getEgressToOrBuilder(); + int getOperationsCount(); + /** + * + * + *
+     * A list of [ApiOperations]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+     * allowed to be performed by the sources specified in the corresponding
+     * [EgressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+     * A request matches if it uses an operation/service in this list.
+     * 
+ * + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * + */ + java.util.List< + ? extends + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig + .ApiOperationOrBuilder> + getOperationsOrBuilderList(); + /** + * + * + *
+     * A list of [ApiOperations]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+     * allowed to be performed by the sources specified in the corresponding
+     * [EgressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+     * A request matches if it uses an operation/service in this list.
+     * 
+ * + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * + */ + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperationOrBuilder + getOperationsOrBuilder(int index); + + /** + * + * + *
+     * A list of external resources that are allowed to be accessed. Only AWS
+     * and Azure resources are supported. For Amazon S3, the supported format is
+     * s3://BUCKET_NAME. For Azure Storage, the supported format is
+     * azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches
+     * if it contains an external resource in this list (Example:
+     * s3://bucket/path). Currently '*' is not allowed.
+     * 
+ * + * repeated string external_resources = 3; + * + * @return A list containing the externalResources. + */ + java.util.List getExternalResourcesList(); + /** + * + * + *
+     * A list of external resources that are allowed to be accessed. Only AWS
+     * and Azure resources are supported. For Amazon S3, the supported format is
+     * s3://BUCKET_NAME. For Azure Storage, the supported format is
+     * azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches
+     * if it contains an external resource in this list (Example:
+     * s3://bucket/path). Currently '*' is not allowed.
+     * 
+ * + * repeated string external_resources = 3; + * + * @return The count of externalResources. + */ + int getExternalResourcesCount(); + /** + * + * + *
+     * A list of external resources that are allowed to be accessed. Only AWS
+     * and Azure resources are supported. For Amazon S3, the supported format is
+     * s3://BUCKET_NAME. For Azure Storage, the supported format is
+     * azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches
+     * if it contains an external resource in this list (Example:
+     * s3://bucket/path). Currently '*' is not allowed.
+     * 
+ * + * repeated string external_resources = 3; + * + * @param index The index of the element to return. + * @return The externalResources at the given index. + */ + java.lang.String getExternalResources(int index); + /** + * + * + *
+     * A list of external resources that are allowed to be accessed. Only AWS
+     * and Azure resources are supported. For Amazon S3, the supported format is
+     * s3://BUCKET_NAME. For Azure Storage, the supported format is
+     * azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches
+     * if it contains an external resource in this list (Example:
+     * s3://bucket/path). Currently '*' is not allowed.
+     * 
+ * + * repeated string external_resources = 3; + * + * @param index The index of the value to return. + * @return The bytes of the externalResources at the given index. + */ + com.google.protobuf.ByteString getExternalResourcesBytes(int index); } /** * * *
-   * Policy for egress from perimeter.
-   * [EgressPolicies]
-   * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-   * match requests based on `egress_from` and `egress_to` stanzas.  For an
-   * [EgressPolicy]
-   * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-   * to match, both `egress_from` and `egress_to` stanzas must be matched. If an
-   * [EgressPolicy]
-   * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-   * matches a request, the request is allowed to span the [ServicePerimeter]
-   * [google.identity.accesscontextmanager.v1.ServicePerimeter] boundary.
-   * For example, an [EgressPolicy]
-   * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-   * can be used to allow VMs on networks within the [ServicePerimeter]
-   * [google.identity.accesscontextmanager.v1.ServicePerimeter] to access a
-   * defined set of projects outside the perimeter in certain contexts (e.g. to
-   * read data from a Cloud Storage bucket or query against a BigQuery dataset).
-   * [EgressPolicies]
+   * Defines the conditions under which an [EgressPolicy]
    * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-   * are concerned with the *resources* that a request relates as well as the
-   * API services and API actions being used.  They do not related to the
-   * direction of data movement.  More detailed documentation for this concept
-   * can be found in the descriptions of [EgressFrom]
-   * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom]
-   * and [EgressTo]
-   * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo].
+   * matches a request. Conditions are based on information about the
+   * [ApiOperation]
+   * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+   * intended to be performed on the `resources` specified. Note that if the
+   * destination of the request is also protected by a [ServicePerimeter]
+   * [google.identity.accesscontextmanager.v1.ServicePerimeter], then that
+   * [ServicePerimeter]
+   * [google.identity.accesscontextmanager.v1.ServicePerimeter] must have
+   * an [IngressPolicy]
+   * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+   * which allows access in order for this request to succeed. The request must
+   * match `operations` AND `resources` fields in order to be allowed egress out
+   * of the perimeter.
    * 
* - * Protobuf type {@code - * google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy} + * Protobuf type {@code google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo} */ - public static final class EgressPolicy extends com.google.protobuf.GeneratedMessageV3 + public static final class EgressTo extends com.google.protobuf.GeneratedMessageV3 implements - // @@protoc_insertion_point(message_implements:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy) - EgressPolicyOrBuilder { + // @@protoc_insertion_point(message_implements:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo) + EgressToOrBuilder { private static final long serialVersionUID = 0L; - // Use EgressPolicy.newBuilder() to construct. - private EgressPolicy(com.google.protobuf.GeneratedMessageV3.Builder builder) { + // Use EgressTo.newBuilder() to construct. + private EgressTo(com.google.protobuf.GeneratedMessageV3.Builder builder) { super(builder); } - private EgressPolicy() {} + private EgressTo() { + resources_ = com.google.protobuf.LazyStringArrayList.EMPTY; + operations_ = java.util.Collections.emptyList(); + externalResources_ = com.google.protobuf.LazyStringArrayList.EMPTY; + } @java.lang.Override @SuppressWarnings({"unused"}) protected java.lang.Object newInstance(UnusedPrivateParameter unused) { - return new EgressPolicy(); + return new EgressTo(); } @java.lang.Override 
@@ -11956,148 +11436,301 @@ public final com.google.protobuf.UnknownFieldSet getUnknownFields() { public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() { return com.google.identity.accesscontextmanager.v1.ServicePerimeterProto - .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressPolicy_descriptor; + .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressTo_descriptor; } @java.lang.Override protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable() { return com.google.identity.accesscontextmanager.v1.ServicePerimeterProto - .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressPolicy_fieldAccessorTable + .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressTo_fieldAccessorTable .ensureFieldAccessorsInitialized( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy.class, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy - .Builder.class); + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo.class, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo.Builder + .class); } - public static final int EGRESS_FROM_FIELD_NUMBER = 1; - private com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom - egressFrom_; + public static final int RESOURCES_FIELD_NUMBER = 1; + private com.google.protobuf.LazyStringList resources_; /** * * *
-     * Defines conditions on the source of a request causing this [EgressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-     * to apply.
+     * A list of resources, currently only projects in the form
+     * `projects/<projectnumber>`, that are allowed to be accessed by sources
+     * defined in the corresponding [EgressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+     * A request matches if it contains a resource in this list.  If `*` is
+     * specified for `resources`, then this [EgressTo]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
+     * rule will authorize access to all resources outside the perimeter.
      * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom egress_from = 1; - * + * repeated string resources = 1; * - * @return Whether the egressFrom field is set. + * @return A list containing the resources. */ - @java.lang.Override - public boolean hasEgressFrom() { - return egressFrom_ != null; + public com.google.protobuf.ProtocolStringList getResourcesList() { + return resources_; } /** * * *
-     * Defines conditions on the source of a request causing this [EgressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-     * to apply.
+     * A list of resources, currently only projects in the form
+     * `projects/<projectnumber>`, that are allowed to be accessed by sources
+     * defined in the corresponding [EgressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+     * A request matches if it contains a resource in this list.  If `*` is
+     * specified for `resources`, then this [EgressTo]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
+     * rule will authorize access to all resources outside the perimeter.
      * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom egress_from = 1; - * + * repeated string resources = 1; * - * @return The egressFrom. + * @return The count of resources. */ - @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom - getEgressFrom() { - return egressFrom_ == null - ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom - .getDefaultInstance() - : egressFrom_; + public int getResourcesCount() { + return resources_.size(); } /** * * *
-     * Defines conditions on the source of a request causing this [EgressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-     * to apply.
-     * 
- * - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom egress_from = 1; - * + * A list of resources, currently only projects in the form + * `projects/<projectnumber>`, that are allowed to be accessed by sources + * defined in the corresponding [EgressFrom] + * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom]. + * A request matches if it contains a resource in this list. If `*` is + * specified for `resources`, then this [EgressTo] + * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo] + * rule will authorize access to all resources outside the perimeter. + *
+ * + * repeated string resources = 1; + * + * @param index The index of the element to return. + * @return The resources at the given index. */ - @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFromOrBuilder - getEgressFromOrBuilder() { - return getEgressFrom(); + public java.lang.String getResources(int index) { + return resources_.get(index); + } + /** + * + * + *
+     * A list of resources, currently only projects in the form
+     * `projects/<projectnumber>`, that are allowed to be accessed by sources
+     * defined in the corresponding [EgressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+     * A request matches if it contains a resource in this list.  If `*` is
+     * specified for `resources`, then this [EgressTo]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
+     * rule will authorize access to all resources outside the perimeter.
+     * 
+ * + * repeated string resources = 1; + * + * @param index The index of the value to return. + * @return The bytes of the resources at the given index. + */ + public com.google.protobuf.ByteString getResourcesBytes(int index) { + return resources_.getByteString(index); } - public static final int EGRESS_TO_FIELD_NUMBER = 2; - private com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egressTo_; + public static final int OPERATIONS_FIELD_NUMBER = 2; + private java.util.List< + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation> + operations_; /** * * *
-     * Defines the conditions on the [ApiOperation]
+     * A list of [ApiOperations]
      * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * and destination resources that cause this [EgressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-     * to apply.
+     * allowed to be performed by the sources specified in the corresponding
+     * [EgressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+     * A request matches if it uses an operation/service in this list.
      * 
* - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egress_to = 2; + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; * + */ + @java.lang.Override + public java.util.List< + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation> + getOperationsList() { + return operations_; + } + /** * - * @return Whether the egressTo field is set. + * + *
+     * A list of [ApiOperations]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+     * allowed to be performed by the sources specified in the corresponding
+     * [EgressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+     * A request matches if it uses an operation/service in this list.
+     * 
+ * + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * */ @java.lang.Override - public boolean hasEgressTo() { - return egressTo_ != null; + public java.util.List< + ? extends + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig + .ApiOperationOrBuilder> + getOperationsOrBuilderList() { + return operations_; } /** * * *
-     * Defines the conditions on the [ApiOperation]
+     * A list of [ApiOperations]
      * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * and destination resources that cause this [EgressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-     * to apply.
+     * allowed to be performed by the sources specified in the corresponding
+     * [EgressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+     * A request matches if it uses an operation/service in this list.
      * 
* - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egress_to = 2; + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; * + */ + @java.lang.Override + public int getOperationsCount() { + return operations_.size(); + } + /** * - * @return The egressTo. + * + *
+     * A list of [ApiOperations]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+     * allowed to be performed by the sources specified in the corresponding
+     * [EgressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+     * A request matches if it uses an operation/service in this list.
+     * 
+ * + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * */ @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo - getEgressTo() { - return egressTo_ == null - ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo - .getDefaultInstance() - : egressTo_; + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation + getOperations(int index) { + return operations_.get(index); } /** * * *
-     * Defines the conditions on the [ApiOperation]
+     * A list of [ApiOperations]
      * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-     * and destination resources that cause this [EgressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-     * to apply.
+     * allowed to be performed by the sources specified in the corresponding
+     * [EgressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+     * A request matches if it uses an operation/service in this list.
      * 
* - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egress_to = 2; + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; * */ @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressToOrBuilder - getEgressToOrBuilder() { - return getEgressTo(); + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperationOrBuilder + getOperationsOrBuilder(int index) { + return operations_.get(index); + } + + public static final int EXTERNAL_RESOURCES_FIELD_NUMBER = 3; + private com.google.protobuf.LazyStringList externalResources_; + /** + * + * + *
+     * A list of external resources that are allowed to be accessed. Only AWS
+     * and Azure resources are supported. For Amazon S3, the supported format is
+     * s3://BUCKET_NAME. For Azure Storage, the supported format is
+     * azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches
+     * if it contains an external resource in this list (Example:
+     * s3://bucket/path). Currently '*' is not allowed.
+     * 
+ * + * repeated string external_resources = 3; + * + * @return A list containing the externalResources. + */ + public com.google.protobuf.ProtocolStringList getExternalResourcesList() { + return externalResources_; + } + /** + * + * + *
+     * A list of external resources that are allowed to be accessed. Only AWS
+     * and Azure resources are supported. For Amazon S3, the supported format is
+     * s3://BUCKET_NAME. For Azure Storage, the supported format is
+     * azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches
+     * if it contains an external resource in this list (Example:
+     * s3://bucket/path). Currently '*' is not allowed.
+     * 
+ * + * repeated string external_resources = 3; + * + * @return The count of externalResources. + */ + public int getExternalResourcesCount() { + return externalResources_.size(); + } + /** + * + * + *
+     * A list of external resources that are allowed to be accessed. Only AWS
+     * and Azure resources are supported. For Amazon S3, the supported format is
+     * s3://BUCKET_NAME. For Azure Storage, the supported format is
+     * azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches
+     * if it contains an external resource in this list (Example:
+     * s3://bucket/path). Currently '*' is not allowed.
+     * 
+ * + * repeated string external_resources = 3; + * + * @param index The index of the element to return. + * @return The externalResources at the given index. + */ + public java.lang.String getExternalResources(int index) { + return externalResources_.get(index); + } + /** + * + * + *
+     * A list of external resources that are allowed to be accessed. Only AWS
+     * and Azure resources are supported. For Amazon S3, the supported format is
+     * s3://BUCKET_NAME. For Azure Storage, the supported format is
+     * azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches
+     * if it contains an external resource in this list (Example:
+     * s3://bucket/path). Currently '*' is not allowed.
+     * 
+ * + * repeated string external_resources = 3; + * + * @param index The index of the value to return. + * @return The bytes of the externalResources at the given index. + */ + public com.google.protobuf.ByteString getExternalResourcesBytes(int index) { + return externalResources_.getByteString(index); } private byte memoizedIsInitialized = -1; @@ -12114,11 +11747,14 @@ public final boolean isInitialized() { @java.lang.Override public void writeTo(com.google.protobuf.CodedOutputStream output) throws java.io.IOException { - if (egressFrom_ != null) { - output.writeMessage(1, getEgressFrom()); + for (int i = 0; i < resources_.size(); i++) { + com.google.protobuf.GeneratedMessageV3.writeString(output, 1, resources_.getRaw(i)); } - if (egressTo_ != null) { - output.writeMessage(2, getEgressTo()); + for (int i = 0; i < operations_.size(); i++) { + output.writeMessage(2, operations_.get(i)); + } + for (int i = 0; i < externalResources_.size(); i++) { + com.google.protobuf.GeneratedMessageV3.writeString(output, 3, externalResources_.getRaw(i)); } getUnknownFields().writeTo(output); } 
@@ -12129,11 +11765,24 @@ public int getSerializedSize() { if (size != -1) return size; size = 0; - if (egressFrom_ != null) { - size += com.google.protobuf.CodedOutputStream.computeMessageSize(1, getEgressFrom()); + { + int dataSize = 0; + for (int i = 0; i < resources_.size(); i++) { + dataSize += computeStringSizeNoTag(resources_.getRaw(i)); + } + size += dataSize; + size += 1 * getResourcesList().size(); } - if (egressTo_ != null) { - size += com.google.protobuf.CodedOutputStream.computeMessageSize(2, getEgressTo()); + for (int i = 0; i < operations_.size(); i++) { + size += com.google.protobuf.CodedOutputStream.computeMessageSize(2, operations_.get(i)); + } + { + int dataSize = 0; + for (int i = 0; i < externalResources_.size(); i++) { + dataSize += computeStringSizeNoTag(externalResources_.getRaw(i)); + } + size += dataSize; + size += 1 * getExternalResourcesList().size(); } size += getUnknownFields().getSerializedSize(); memoizedSize = size; 
@@ -12146,21 +11795,15 @@ public boolean equals(final java.lang.Object obj) { return true; } if (!(obj - instanceof - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy)) { + instanceof com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo)) { return super.equals(obj); } - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy other = - (com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy) obj; + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo other = + (com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo) obj; - if (hasEgressFrom() != other.hasEgressFrom()) return false; - if (hasEgressFrom()) { - if (!getEgressFrom().equals(other.getEgressFrom())) return false; - } - if (hasEgressTo() != other.hasEgressTo()) return false; - if (hasEgressTo()) { - if (!getEgressTo().equals(other.getEgressTo())) return false; - } + if (!getResourcesList().equals(other.getResourcesList())) return false; + if (!getOperationsList().equals(other.getOperationsList())) return false; + if (!getExternalResourcesList().equals(other.getExternalResourcesList())) return false; if (!getUnknownFields().equals(other.getUnknownFields())) return false; return true; } 
@@ -12172,39 +11815,43 @@ public int hashCode() { } int hash = 41; hash = (19 * hash) + getDescriptor().hashCode(); - if (hasEgressFrom()) { - hash = (37 * hash) + EGRESS_FROM_FIELD_NUMBER; - hash = (53 * hash) + getEgressFrom().hashCode(); + if (getResourcesCount() > 0) { + hash = (37 * hash) + RESOURCES_FIELD_NUMBER; + hash = (53 * hash) + getResourcesList().hashCode(); } - if (hasEgressTo()) { - hash = (37 * hash) + EGRESS_TO_FIELD_NUMBER; - hash = (53 * hash) + getEgressTo().hashCode(); + if (getOperationsCount() > 0) { + hash = (37 * hash) + OPERATIONS_FIELD_NUMBER; + hash = (53 * hash) + getOperationsList().hashCode(); + } + if (getExternalResourcesCount() > 0) { + hash = (37 * hash) + EXTERNAL_RESOURCES_FIELD_NUMBER; + hash = (53 * hash) + getExternalResourcesList().hashCode(); } hash = (29 * hash) + getUnknownFields().hashCode(); memoizedHashCode = hash; return hash; } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo parseFrom(java.nio.ByteBuffer data) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo parseFrom( java.nio.ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data, extensionRegistry); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo parseFrom(com.google.protobuf.ByteString data) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data); } - public static 
com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo parseFrom( com.google.protobuf.ByteString data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) @@ -12212,23 +11859,23 @@ public int hashCode() { return PARSER.parseFrom(data, extensionRegistry); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo parseFrom(byte[] data) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo parseFrom(byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data, extensionRegistry); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo parseFrom(java.io.InputStream input) throws java.io.IOException { return com.google.protobuf.GeneratedMessageV3.parseWithIOException(PARSER, input); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo parseFrom( java.io.InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws java.io.IOException { 
@@ -12236,12 +11883,12 @@ public int hashCode() { PARSER, input, extensionRegistry); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo parseDelimitedFrom(java.io.InputStream input) throws java.io.IOException { return com.google.protobuf.GeneratedMessageV3.parseDelimitedWithIOException(PARSER, input); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo parseDelimitedFrom( java.io.InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws java.io.IOException { @@ -12249,12 +11896,12 @@ public int hashCode() { PARSER, input, extensionRegistry); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo parseFrom(com.google.protobuf.CodedInputStream input) throws java.io.IOException { return com.google.protobuf.GeneratedMessageV3.parseWithIOException(PARSER, input); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo parseFrom( com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) @@ -12273,7 +11920,7 @@ public static Builder newBuilder() { } public static Builder newBuilder( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy prototype) { + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo prototype) { return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype); } @@ -12292,61 +11939,48 @@ protected Builder newBuilderForType( * * *
-     * Policy for egress from perimeter.
-     * [EgressPolicies]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-     * match requests based on `egress_from` and `egress_to` stanzas.  For an
-     * [EgressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-     * to match, both `egress_from` and `egress_to` stanzas must be matched. If an
-     * [EgressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-     * matches a request, the request is allowed to span the [ServicePerimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] boundary.
-     * For example, an [EgressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-     * can be used to allow VMs on networks within the [ServicePerimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] to access a
-     * defined set of projects outside the perimeter in certain contexts (e.g. to
-     * read data from a Cloud Storage bucket or query against a BigQuery dataset).
-     * [EgressPolicies]
+     * Defines the conditions under which an [EgressPolicy]
      * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-     * are concerned with the *resources* that a request relates as well as the
-     * API services and API actions being used.  They do not related to the
-     * direction of data movement.  More detailed documentation for this concept
-     * can be found in the descriptions of [EgressFrom]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom]
-     * and [EgressTo]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo].
+     * matches a request. Conditions are based on information about the
+     * [ApiOperation]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+     * intended to be performed on the `resources` specified. Note that if the
+     * destination of the request is also protected by a [ServicePerimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter], then that
+     * [ServicePerimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] must have
+     * an [IngressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+     * which allows access in order for this request to succeed. The request must
+     * match `operations` AND `resources` fields in order to be allowed egress out
+     * of the perimeter.
      * 
* - * Protobuf type {@code - * google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy} + * Protobuf type {@code google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo} */ public static final class Builder extends com.google.protobuf.GeneratedMessageV3.Builder implements - // @@protoc_insertion_point(builder_implements:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy) - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicyOrBuilder { + // @@protoc_insertion_point(builder_implements:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo) + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressToOrBuilder { public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() { return com.google.identity.accesscontextmanager.v1.ServicePerimeterProto - .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressPolicy_descriptor; + .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressTo_descriptor; } @java.lang.Override protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable() { return com.google.identity.accesscontextmanager.v1.ServicePerimeterProto - .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressPolicy_fieldAccessorTable + .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressTo_fieldAccessorTable .ensureFieldAccessorsInitialized( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy - .class, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy - .Builder.class); + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo.class, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo.Builder + .class); } // Construct using - // 
com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy.newBuilder() + // com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo.newBuilder() private Builder() {} private Builder(com.google.protobuf.GeneratedMessageV3.BuilderParent parent) { 
@@ -12356,38 +11990,36 @@ private Builder(com.google.protobuf.GeneratedMessageV3.BuilderParent parent) { @java.lang.Override public Builder clear() { super.clear(); - if (egressFromBuilder_ == null) { - egressFrom_ = null; - } else { - egressFrom_ = null; - egressFromBuilder_ = null; - } - if (egressToBuilder_ == null) { - egressTo_ = null; + resources_ = com.google.protobuf.LazyStringArrayList.EMPTY; + bitField0_ = (bitField0_ & ~0x00000001); + if (operationsBuilder_ == null) { + operations_ = java.util.Collections.emptyList(); } else { - egressTo_ = null; - egressToBuilder_ = null; + operations_ = null; + operationsBuilder_.clear(); } + bitField0_ = (bitField0_ & ~0x00000002); + externalResources_ = com.google.protobuf.LazyStringArrayList.EMPTY; + bitField0_ = (bitField0_ & ~0x00000004); return this; } @java.lang.Override public com.google.protobuf.Descriptors.Descriptor getDescriptorForType() { return com.google.identity.accesscontextmanager.v1.ServicePerimeterProto - .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressPolicy_descriptor; + .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressTo_descriptor; } @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo getDefaultInstanceForType() { - return com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy + return com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo .getDefaultInstance(); } @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy - build() { - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy result = + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo build() { + 
com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo result = buildPartial(); if (!result.isInitialized()) { throw newUninitializedMessageException(result); @@ -12396,21 +12028,30 @@ public com.google.protobuf.Descriptors.Descriptor getDescriptorForType() { } @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo buildPartial() { - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy result = - new com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy( - this); - if (egressFromBuilder_ == null) { - result.egressFrom_ = egressFrom_; - } else { - result.egressFrom_ = egressFromBuilder_.build(); + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo result = + new com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo(this); + int from_bitField0_ = bitField0_; + if (((bitField0_ & 0x00000001) != 0)) { + resources_ = resources_.getUnmodifiableView(); + bitField0_ = (bitField0_ & ~0x00000001); } - if (egressToBuilder_ == null) { - result.egressTo_ = egressTo_; + result.resources_ = resources_; + if (operationsBuilder_ == null) { + if (((bitField0_ & 0x00000002) != 0)) { + operations_ = java.util.Collections.unmodifiableList(operations_); + bitField0_ = (bitField0_ & ~0x00000002); + } + result.operations_ = operations_; } else { - result.egressTo_ = egressToBuilder_.build(); + result.operations_ = operationsBuilder_.build(); + } + if (((bitField0_ & 0x00000004) != 0)) { + externalResources_ = externalResources_.getUnmodifiableView(); + bitField0_ = (bitField0_ & ~0x00000004); } + result.externalResources_ = externalResources_; onBuilt(); return result; } 
@@ -12454,10 +12095,9 @@ public Builder addRepeatedField( public Builder mergeFrom(com.google.protobuf.Message other) { if (other instanceof - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy) { + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo) { return mergeFrom( - (com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy) - other); + (com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo) other); } else { super.mergeFrom(other); return this; 
@@ -12465,15 +12105,56 @@ public Builder mergeFrom(com.google.protobuf.Message other) { } public Builder mergeFrom( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy other) { + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo other) { if (other - == com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy + == com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo .getDefaultInstance()) return this; - if (other.hasEgressFrom()) { - mergeEgressFrom(other.getEgressFrom()); + if (!other.resources_.isEmpty()) { + if (resources_.isEmpty()) { + resources_ = other.resources_; + bitField0_ = (bitField0_ & ~0x00000001); + } else { + ensureResourcesIsMutable(); + resources_.addAll(other.resources_); + } + onChanged(); } - if (other.hasEgressTo()) { - mergeEgressTo(other.getEgressTo()); + if (operationsBuilder_ == null) { + if (!other.operations_.isEmpty()) { + if (operations_.isEmpty()) { + operations_ = other.operations_; + bitField0_ = (bitField0_ & ~0x00000002); + } else { + ensureOperationsIsMutable(); + operations_.addAll(other.operations_); + } + onChanged(); + } + } else { + if (!other.operations_.isEmpty()) { + if (operationsBuilder_.isEmpty()) { + operationsBuilder_.dispose(); + operationsBuilder_ = null; + operations_ = other.operations_; + bitField0_ = (bitField0_ & ~0x00000002); + operationsBuilder_ = + com.google.protobuf.GeneratedMessageV3.alwaysUseFieldBuilders + ? getOperationsFieldBuilder() + : null; + } else { + operationsBuilder_.addAllMessages(other.operations_); + } + } + } + if (!other.externalResources_.isEmpty()) { + if (externalResources_.isEmpty()) { + externalResources_ = other.externalResources_; + bitField0_ = (bitField0_ & ~0x00000004); + } else { + ensureExternalResourcesIsMutable(); + externalResources_.addAll(other.externalResources_); + } + onChanged(); } this.mergeUnknownFields(other.getUnknownFields()); onChanged(); 
@@ -12503,16 +12184,34 @@ public Builder mergeFrom( break; case 10: { - input.readMessage(getEgressFromFieldBuilder().getBuilder(), extensionRegistry); - + java.lang.String s = input.readStringRequireUtf8(); + ensureResourcesIsMutable(); + resources_.add(s); break; } // case 10 case 18: { - input.readMessage(getEgressToFieldBuilder().getBuilder(), extensionRegistry); - + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation + m = + input.readMessage( + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig + .ApiOperation.parser(), + extensionRegistry); + if (operationsBuilder_ == null) { + ensureOperationsIsMutable(); + operations_.add(m); + } else { + operationsBuilder_.addMessage(m); + } break; } // case 18 + case 26: + { + java.lang.String s = input.readStringRequireUtf8(); + ensureExternalResourcesIsMutable(); + externalResources_.add(s); + break; + } // case 26 default: { if (!super.parseUnknownField(input, extensionRegistry, tag)) { @@ -12530,489 +12229,968 @@ public Builder mergeFrom( return this; } - private com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom - egressFrom_; - private com.google.protobuf.SingleFieldBuilderV3< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom.Builder, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .EgressFromOrBuilder> - egressFromBuilder_; + private int bitField0_; + + private com.google.protobuf.LazyStringList resources_ = + com.google.protobuf.LazyStringArrayList.EMPTY; + + private void ensureResourcesIsMutable() { + if (!((bitField0_ & 0x00000001) != 0)) { + resources_ = new com.google.protobuf.LazyStringArrayList(resources_); + bitField0_ |= 0x00000001; + } + } /** * * *
-       * Defines conditions on the source of a request causing this [EgressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-       * to apply.
+       * A list of resources, currently only projects in the form
+       * `projects/<projectnumber>`, that are allowed to be accessed by sources
+       * defined in the corresponding [EgressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+       * A request matches if it contains a resource in this list.  If `*` is
+       * specified for `resources`, then this [EgressTo]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
+       * rule will authorize access to all resources outside the perimeter.
        * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom egress_from = 1; - * + * repeated string resources = 1; * - * @return Whether the egressFrom field is set. + * @return A list containing the resources. */ - public boolean hasEgressFrom() { - return egressFromBuilder_ != null || egressFrom_ != null; + public com.google.protobuf.ProtocolStringList getResourcesList() { + return resources_.getUnmodifiableView(); } /** * * *
-       * Defines conditions on the source of a request causing this [EgressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-       * to apply.
-       * 
- * - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom egress_from = 1; - * - * - * @return The egressFrom. + * A list of resources, currently only projects in the form + * `projects/<projectnumber>`, that are allowed to be accessed by sources + * defined in the corresponding [EgressFrom] + * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom]. + * A request matches if it contains a resource in this list. If `*` is + * specified for `resources`, then this [EgressTo] + * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo] + * rule will authorize access to all resources outside the perimeter. + *
+ * + * repeated string resources = 1; + * + * @return The count of resources. + */ + public int getResourcesCount() { + return resources_.size(); + } + /** + * + * + *
+       * A list of resources, currently only projects in the form
+       * `projects/<projectnumber>`, that are allowed to be accessed by sources
+       * defined in the corresponding [EgressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+       * A request matches if it contains a resource in this list.  If `*` is
+       * specified for `resources`, then this [EgressTo]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
+       * rule will authorize access to all resources outside the perimeter.
+       * 
+ * + * repeated string resources = 1; + * + * @param index The index of the element to return. + * @return The resources at the given index. + */ + public java.lang.String getResources(int index) { + return resources_.get(index); + } + /** + * + * + *
+       * A list of resources, currently only projects in the form
+       * `projects/<projectnumber>`, that are allowed to be accessed by sources
+       * defined in the corresponding [EgressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+       * A request matches if it contains a resource in this list.  If `*` is
+       * specified for `resources`, then this [EgressTo]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
+       * rule will authorize access to all resources outside the perimeter.
+       * 
+ * + * repeated string resources = 1; + * + * @param index The index of the value to return. + * @return The bytes of the resources at the given index. + */ + public com.google.protobuf.ByteString getResourcesBytes(int index) { + return resources_.getByteString(index); + } + /** + * + * + *
+       * A list of resources, currently only projects in the form
+       * `projects/<projectnumber>`, that are allowed to be accessed by sources
+       * defined in the corresponding [EgressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+       * A request matches if it contains a resource in this list.  If `*` is
+       * specified for `resources`, then this [EgressTo]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
+       * rule will authorize access to all resources outside the perimeter.
+       * 
+ * + * repeated string resources = 1; + * + * @param index The index to set the value at. + * @param value The resources to set. + * @return This builder for chaining. + */ + public Builder setResources(int index, java.lang.String value) { + if (value == null) { + throw new NullPointerException(); + } + ensureResourcesIsMutable(); + resources_.set(index, value); + onChanged(); + return this; + } + /** + * + * + *
+       * A list of resources, currently only projects in the form
+       * `projects/<projectnumber>`, that are allowed to be accessed by sources
+       * defined in the corresponding [EgressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+       * A request matches if it contains a resource in this list.  If `*` is
+       * specified for `resources`, then this [EgressTo]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
+       * rule will authorize access to all resources outside the perimeter.
+       * 
+ * + * repeated string resources = 1; + * + * @param value The resources to add. + * @return This builder for chaining. + */ + public Builder addResources(java.lang.String value) { + if (value == null) { + throw new NullPointerException(); + } + ensureResourcesIsMutable(); + resources_.add(value); + onChanged(); + return this; + } + /** + * + * + *
+       * A list of resources, currently only projects in the form
+       * `projects/<projectnumber>`, that are allowed to be accessed by sources
+       * defined in the corresponding [EgressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+       * A request matches if it contains a resource in this list.  If `*` is
+       * specified for `resources`, then this [EgressTo]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
+       * rule will authorize access to all resources outside the perimeter.
+       * 
+ * + * repeated string resources = 1; + * + * @param values The resources to add. + * @return This builder for chaining. + */ + public Builder addAllResources(java.lang.Iterable values) { + ensureResourcesIsMutable(); + com.google.protobuf.AbstractMessageLite.Builder.addAll(values, resources_); + onChanged(); + return this; + } + /** + * + * + *
+       * A list of resources, currently only projects in the form
+       * `projects/<projectnumber>`, that are allowed to be accessed by sources
+       * defined in the corresponding [EgressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+       * A request matches if it contains a resource in this list.  If `*` is
+       * specified for `resources`, then this [EgressTo]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
+       * rule will authorize access to all resources outside the perimeter.
+       * 
+ * + * repeated string resources = 1; + * + * @return This builder for chaining. + */ + public Builder clearResources() { + resources_ = com.google.protobuf.LazyStringArrayList.EMPTY; + bitField0_ = (bitField0_ & ~0x00000001); + onChanged(); + return this; + } + /** + * + * + *
+       * A list of resources, currently only projects in the form
+       * `projects/<projectnumber>`, that are allowed to be accessed by sources
+       * defined in the corresponding [EgressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+       * A request matches if it contains a resource in this list.  If `*` is
+       * specified for `resources`, then this [EgressTo]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
+       * rule will authorize access to all resources outside the perimeter.
+       * 
+ * + * repeated string resources = 1; + * + * @param value The bytes of the resources to add. + * @return This builder for chaining. + */ + public Builder addResourcesBytes(com.google.protobuf.ByteString value) { + if (value == null) { + throw new NullPointerException(); + } + checkByteStringIsUtf8(value); + ensureResourcesIsMutable(); + resources_.add(value); + onChanged(); + return this; + } + + private java.util.List< + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation> + operations_ = java.util.Collections.emptyList(); + + private void ensureOperationsIsMutable() { + if (!((bitField0_ & 0x00000002) != 0)) { + operations_ = + new java.util.ArrayList< + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation>( + operations_); + bitField0_ |= 0x00000002; + } + } + + private com.google.protobuf.RepeatedFieldBuilderV3< + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation + .Builder, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig + .ApiOperationOrBuilder> + operationsBuilder_; + + /** + * + * + *
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in the corresponding
+       * [EgressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+       * A request matches if it uses an operation/service in this list.
+       * 
+ * + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * + */ + public java.util.List< + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation> + getOperationsList() { + if (operationsBuilder_ == null) { + return java.util.Collections.unmodifiableList(operations_); + } else { + return operationsBuilder_.getMessageList(); + } + } + /** + * + * + *
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in the corresponding
+       * [EgressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+       * A request matches if it uses an operation/service in this list.
+       * 
+ * + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * + */ + public int getOperationsCount() { + if (operationsBuilder_ == null) { + return operations_.size(); + } else { + return operationsBuilder_.getCount(); + } + } + /** + * + * + *
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in the corresponding
+       * [EgressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+       * A request matches if it uses an operation/service in this list.
+       * 
+ * + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * */ - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom - getEgressFrom() { - if (egressFromBuilder_ == null) { - return egressFrom_ == null - ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom - .getDefaultInstance() - : egressFrom_; + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation + getOperations(int index) { + if (operationsBuilder_ == null) { + return operations_.get(index); } else { - return egressFromBuilder_.getMessage(); + return operationsBuilder_.getMessage(index); } } /** * * *
-       * Defines conditions on the source of a request causing this [EgressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-       * to apply.
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in the corresponding
+       * [EgressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+       * A request matches if it uses an operation/service in this list.
        * 
* * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom egress_from = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; * */ - public Builder setEgressFrom( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom value) { - if (egressFromBuilder_ == null) { + public Builder setOperations( + int index, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation value) { + if (operationsBuilder_ == null) { if (value == null) { throw new NullPointerException(); } - egressFrom_ = value; + ensureOperationsIsMutable(); + operations_.set(index, value); + onChanged(); + } else { + operationsBuilder_.setMessage(index, value); + } + return this; + } + /** + * + * + *
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in the corresponding
+       * [EgressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+       * A request matches if it uses an operation/service in this list.
+       * 
+ * + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * + */ + public Builder setOperations( + int index, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation.Builder + builderForValue) { + if (operationsBuilder_ == null) { + ensureOperationsIsMutable(); + operations_.set(index, builderForValue.build()); + onChanged(); + } else { + operationsBuilder_.setMessage(index, builderForValue.build()); + } + return this; + } + /** + * + * + *
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in the corresponding
+       * [EgressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+       * A request matches if it uses an operation/service in this list.
+       * 
+ * + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * + */ + public Builder addOperations( + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation value) { + if (operationsBuilder_ == null) { + if (value == null) { + throw new NullPointerException(); + } + ensureOperationsIsMutable(); + operations_.add(value); + onChanged(); + } else { + operationsBuilder_.addMessage(value); + } + return this; + } + /** + * + * + *
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in the corresponding
+       * [EgressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+       * A request matches if it uses an operation/service in this list.
+       * 
+ * + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * + */ + public Builder addOperations( + int index, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation value) { + if (operationsBuilder_ == null) { + if (value == null) { + throw new NullPointerException(); + } + ensureOperationsIsMutable(); + operations_.add(index, value); + onChanged(); + } else { + operationsBuilder_.addMessage(index, value); + } + return this; + } + /** + * + * + *
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in the corresponding
+       * [EgressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+       * A request matches if it uses an operation/service in this list.
+       * 
+ * + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * + */ + public Builder addOperations( + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation.Builder + builderForValue) { + if (operationsBuilder_ == null) { + ensureOperationsIsMutable(); + operations_.add(builderForValue.build()); + onChanged(); + } else { + operationsBuilder_.addMessage(builderForValue.build()); + } + return this; + } + /** + * + * + *
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in the corresponding
+       * [EgressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+       * A request matches if it uses an operation/service in this list.
+       * 
+ * + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * + */ + public Builder addOperations( + int index, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation.Builder + builderForValue) { + if (operationsBuilder_ == null) { + ensureOperationsIsMutable(); + operations_.add(index, builderForValue.build()); + onChanged(); + } else { + operationsBuilder_.addMessage(index, builderForValue.build()); + } + return this; + } + /** + * + * + *
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in the corresponding
+       * [EgressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+       * A request matches if it uses an operation/service in this list.
+       * 
+ * + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * + */ + public Builder addAllOperations( + java.lang.Iterable< + ? extends + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig + .ApiOperation> + values) { + if (operationsBuilder_ == null) { + ensureOperationsIsMutable(); + com.google.protobuf.AbstractMessageLite.Builder.addAll(values, operations_); + onChanged(); + } else { + operationsBuilder_.addAllMessages(values); + } + return this; + } + /** + * + * + *
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in the corresponding
+       * [EgressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+       * A request matches if it uses an operation/service in this list.
+       * 
+ * + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * + */ + public Builder clearOperations() { + if (operationsBuilder_ == null) { + operations_ = java.util.Collections.emptyList(); + bitField0_ = (bitField0_ & ~0x00000002); + onChanged(); + } else { + operationsBuilder_.clear(); + } + return this; + } + /** + * + * + *
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in the corresponding
+       * [EgressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+       * A request matches if it uses an operation/service in this list.
+       * 
+ * + * + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; + * + */ + public Builder removeOperations(int index) { + if (operationsBuilder_ == null) { + ensureOperationsIsMutable(); + operations_.remove(index); onChanged(); } else { - egressFromBuilder_.setMessage(value); + operationsBuilder_.remove(index); } - return this; } /** * * *
-       * Defines conditions on the source of a request causing this [EgressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-       * to apply.
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in the corresponding
+       * [EgressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+       * A request matches if it uses an operation/service in this list.
        * 
* * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom egress_from = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; * */ - public Builder setEgressFrom( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom.Builder - builderForValue) { - if (egressFromBuilder_ == null) { - egressFrom_ = builderForValue.build(); - onChanged(); - } else { - egressFromBuilder_.setMessage(builderForValue.build()); - } - - return this; + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation.Builder + getOperationsBuilder(int index) { + return getOperationsFieldBuilder().getBuilder(index); } /** * * *
-       * Defines conditions on the source of a request causing this [EgressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-       * to apply.
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in the corresponding
+       * [EgressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+       * A request matches if it uses an operation/service in this list.
        * 
* * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom egress_from = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; * */ - public Builder mergeEgressFrom( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom value) { - if (egressFromBuilder_ == null) { - if (egressFrom_ != null) { - egressFrom_ = - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom - .newBuilder(egressFrom_) - .mergeFrom(value) - .buildPartial(); - } else { - egressFrom_ = value; - } - onChanged(); + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig + .ApiOperationOrBuilder + getOperationsOrBuilder(int index) { + if (operationsBuilder_ == null) { + return operations_.get(index); } else { - egressFromBuilder_.mergeFrom(value); + return operationsBuilder_.getMessageOrBuilder(index); } - - return this; } /** * * *
-       * Defines conditions on the source of a request causing this [EgressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-       * to apply.
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in the corresponding
+       * [EgressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+       * A request matches if it uses an operation/service in this list.
        * 
* * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom egress_from = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; * */ - public Builder clearEgressFrom() { - if (egressFromBuilder_ == null) { - egressFrom_ = null; - onChanged(); + public java.util.List< + ? extends + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig + .ApiOperationOrBuilder> + getOperationsOrBuilderList() { + if (operationsBuilder_ != null) { + return operationsBuilder_.getMessageOrBuilderList(); } else { - egressFrom_ = null; - egressFromBuilder_ = null; + return java.util.Collections.unmodifiableList(operations_); } - - return this; } /** * * *
-       * Defines conditions on the source of a request causing this [EgressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-       * to apply.
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in the corresponding
+       * [EgressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+       * A request matches if it uses an operation/service in this list.
        * 
* * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom egress_from = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; * */ - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom.Builder - getEgressFromBuilder() { - - onChanged(); - return getEgressFromFieldBuilder().getBuilder(); + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation.Builder + addOperationsBuilder() { + return getOperationsFieldBuilder() + .addBuilder( + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation + .getDefaultInstance()); } /** * * *
-       * Defines conditions on the source of a request causing this [EgressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-       * to apply.
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in the corresponding
+       * [EgressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+       * A request matches if it uses an operation/service in this list.
        * 
* * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom egress_from = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; * */ - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFromOrBuilder - getEgressFromOrBuilder() { - if (egressFromBuilder_ != null) { - return egressFromBuilder_.getMessageOrBuilder(); - } else { - return egressFrom_ == null - ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom - .getDefaultInstance() - : egressFrom_; - } + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation.Builder + addOperationsBuilder(int index) { + return getOperationsFieldBuilder() + .addBuilder( + index, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation + .getDefaultInstance()); } /** * * *
-       * Defines conditions on the source of a request causing this [EgressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-       * to apply.
+       * A list of [ApiOperations]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * allowed to be performed by the sources specified in the corresponding
+       * [EgressFrom]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+       * A request matches if it uses an operation/service in this list.
        * 
* * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom egress_from = 1; + * repeated .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation operations = 2; * */ - private com.google.protobuf.SingleFieldBuilderV3< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom.Builder, + public java.util.List< + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation + .Builder> + getOperationsBuilderList() { + return getOperationsFieldBuilder().getBuilderList(); + } + + private com.google.protobuf.RepeatedFieldBuilderV3< + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation + .Builder, com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .EgressFromOrBuilder> - getEgressFromFieldBuilder() { - if (egressFromBuilder_ == null) { - egressFromBuilder_ = - new com.google.protobuf.SingleFieldBuilderV3< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom + .ApiOperationOrBuilder> + getOperationsFieldBuilder() { + if (operationsBuilder_ == null) { + operationsBuilder_ = + new com.google.protobuf.RepeatedFieldBuilderV3< + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation .Builder, com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .EgressFromOrBuilder>(getEgressFrom(), getParentForChildren(), isClean()); - egressFrom_ = null; + .ApiOperationOrBuilder>( + operations_, ((bitField0_ & 0x00000002) != 0), getParentForChildren(), isClean()); + operations_ = null; } - return egressFromBuilder_; + return operationsBuilder_; } - private 
com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egressTo_; - private com.google.protobuf.SingleFieldBuilderV3< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo.Builder, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressToOrBuilder> - egressToBuilder_; + private com.google.protobuf.LazyStringList externalResources_ = + com.google.protobuf.LazyStringArrayList.EMPTY; + + private void ensureExternalResourcesIsMutable() { + if (!((bitField0_ & 0x00000004) != 0)) { + externalResources_ = new com.google.protobuf.LazyStringArrayList(externalResources_); + bitField0_ |= 0x00000004; + } + } /** * * *
-       * Defines the conditions on the [ApiOperation]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * and destination resources that cause this [EgressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-       * to apply.
+       * A list of external resources that are allowed to be accessed. Only AWS
+       * and Azure resources are supported. For Amazon S3, the supported format is
+       * s3://BUCKET_NAME. For Azure Storage, the supported format is
+       * azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches
+       * if it contains an external resource in this list (Example:
+       * s3://bucket/path). Currently '*' is not allowed.
        * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egress_to = 2; - * + * repeated string external_resources = 3; * - * @return Whether the egressTo field is set. + * @return A list containing the externalResources. */ - public boolean hasEgressTo() { - return egressToBuilder_ != null || egressTo_ != null; + public com.google.protobuf.ProtocolStringList getExternalResourcesList() { + return externalResources_.getUnmodifiableView(); } /** * * *
-       * Defines the conditions on the [ApiOperation]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * and destination resources that cause this [EgressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-       * to apply.
+       * A list of external resources that are allowed to be accessed. Only AWS
+       * and Azure resources are supported. For Amazon S3, the supported format is
+       * s3://BUCKET_NAME. For Azure Storage, the supported format is
+       * azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches
+       * if it contains an external resource in this list (Example:
+       * s3://bucket/path). Currently '*' is not allowed.
        * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egress_to = 2; - * + * repeated string external_resources = 3; * - * @return The egressTo. + * @return The count of externalResources. */ - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo - getEgressTo() { - if (egressToBuilder_ == null) { - return egressTo_ == null - ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo - .getDefaultInstance() - : egressTo_; - } else { - return egressToBuilder_.getMessage(); - } + public int getExternalResourcesCount() { + return externalResources_.size(); } /** * * *
-       * Defines the conditions on the [ApiOperation]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * and destination resources that cause this [EgressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-       * to apply.
+       * A list of external resources that are allowed to be accessed. Only AWS
+       * and Azure resources are supported. For Amazon S3, the supported format is
+       * s3://BUCKET_NAME. For Azure Storage, the supported format is
+       * azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches
+       * if it contains an external resource in this list (Example:
+       * s3://bucket/path). Currently '*' is not allowed.
        * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egress_to = 2; - * + * repeated string external_resources = 3; + * + * @param index The index of the element to return. + * @return The externalResources at the given index. */ - public Builder setEgressTo( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo value) { - if (egressToBuilder_ == null) { - if (value == null) { - throw new NullPointerException(); - } - egressTo_ = value; - onChanged(); - } else { - egressToBuilder_.setMessage(value); - } - - return this; + public java.lang.String getExternalResources(int index) { + return externalResources_.get(index); } /** * * *
-       * Defines the conditions on the [ApiOperation]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * and destination resources that cause this [EgressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-       * to apply.
+       * A list of external resources that are allowed to be accessed. Only AWS
+       * and Azure resources are supported. For Amazon S3, the supported format is
+       * s3://BUCKET_NAME. For Azure Storage, the supported format is
+       * azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches
+       * if it contains an external resource in this list (Example:
+       * s3://bucket/path). Currently '*' is not allowed.
        * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egress_to = 2; - * + * repeated string external_resources = 3; + * + * @param index The index of the value to return. + * @return The bytes of the externalResources at the given index. */ - public Builder setEgressTo( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo.Builder - builderForValue) { - if (egressToBuilder_ == null) { - egressTo_ = builderForValue.build(); - onChanged(); - } else { - egressToBuilder_.setMessage(builderForValue.build()); - } - - return this; + public com.google.protobuf.ByteString getExternalResourcesBytes(int index) { + return externalResources_.getByteString(index); } /** * * *
-       * Defines the conditions on the [ApiOperation]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * and destination resources that cause this [EgressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-       * to apply.
+       * A list of external resources that are allowed to be accessed. Only AWS
+       * and Azure resources are supported. For Amazon S3, the supported format is
+       * s3://BUCKET_NAME. For Azure Storage, the supported format is
+       * azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches
+       * if it contains an external resource in this list (Example:
+       * s3://bucket/path). Currently '*' is not allowed.
        * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egress_to = 2; - * + * repeated string external_resources = 3; + * + * @param index The index to set the value at. + * @param value The externalResources to set. + * @return This builder for chaining. */ - public Builder mergeEgressTo( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo value) { - if (egressToBuilder_ == null) { - if (egressTo_ != null) { - egressTo_ = - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo - .newBuilder(egressTo_) - .mergeFrom(value) - .buildPartial(); - } else { - egressTo_ = value; - } - onChanged(); - } else { - egressToBuilder_.mergeFrom(value); + public Builder setExternalResources(int index, java.lang.String value) { + if (value == null) { + throw new NullPointerException(); } - + ensureExternalResourcesIsMutable(); + externalResources_.set(index, value); + onChanged(); return this; } /** * * *
-       * Defines the conditions on the [ApiOperation]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * and destination resources that cause this [EgressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-       * to apply.
+       * A list of external resources that are allowed to be accessed. Only AWS
+       * and Azure resources are supported. For Amazon S3, the supported format is
+       * s3://BUCKET_NAME. For Azure Storage, the supported format is
+       * azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches
+       * if it contains an external resource in this list (Example:
+       * s3://bucket/path). Currently '*' is not allowed.
        * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egress_to = 2; - * + * repeated string external_resources = 3; + * + * @param value The externalResources to add. + * @return This builder for chaining. */ - public Builder clearEgressTo() { - if (egressToBuilder_ == null) { - egressTo_ = null; - onChanged(); - } else { - egressTo_ = null; - egressToBuilder_ = null; + public Builder addExternalResources(java.lang.String value) { + if (value == null) { + throw new NullPointerException(); } - + ensureExternalResourcesIsMutable(); + externalResources_.add(value); + onChanged(); return this; } /** * * *
-       * Defines the conditions on the [ApiOperation]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * and destination resources that cause this [EgressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-       * to apply.
+       * A list of external resources that are allowed to be accessed. Only AWS
+       * and Azure resources are supported. For Amazon S3, the supported format is
+       * s3://BUCKET_NAME. For Azure Storage, the supported format is
+       * azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches
+       * if it contains an external resource in this list (Example:
+       * s3://bucket/path). Currently '*' is not allowed.
        * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egress_to = 2; - * + * repeated string external_resources = 3; + * + * @param values The externalResources to add. + * @return This builder for chaining. */ - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo.Builder - getEgressToBuilder() { - + public Builder addAllExternalResources(java.lang.Iterable values) { + ensureExternalResourcesIsMutable(); + com.google.protobuf.AbstractMessageLite.Builder.addAll(values, externalResources_); onChanged(); - return getEgressToFieldBuilder().getBuilder(); + return this; } /** * * *
-       * Defines the conditions on the [ApiOperation]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * and destination resources that cause this [EgressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-       * to apply.
+       * A list of external resources that are allowed to be accessed. Only AWS
+       * and Azure resources are supported. For Amazon S3, the supported format is
+       * s3://BUCKET_NAME. For Azure Storage, the supported format is
+       * azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches
+       * if it contains an external resource in this list (Example:
+       * s3://bucket/path). Currently '*' is not allowed.
        * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egress_to = 2; - * + * repeated string external_resources = 3; + * + * @return This builder for chaining. */ - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressToOrBuilder - getEgressToOrBuilder() { - if (egressToBuilder_ != null) { - return egressToBuilder_.getMessageOrBuilder(); - } else { - return egressTo_ == null - ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo - .getDefaultInstance() - : egressTo_; - } + public Builder clearExternalResources() { + externalResources_ = com.google.protobuf.LazyStringArrayList.EMPTY; + bitField0_ = (bitField0_ & ~0x00000004); + onChanged(); + return this; } /** * * *
-       * Defines the conditions on the [ApiOperation]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
-       * and destination resources that cause this [EgressPolicy]
-       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-       * to apply.
+       * A list of external resources that are allowed to be accessed. Only AWS
+       * and Azure resources are supported. For Amazon S3, the supported format is
+       * s3://BUCKET_NAME. For Azure Storage, the supported format is
+       * azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches
+       * if it contains an external resource in this list (Example:
+       * s3://bucket/path). Currently '*' is not allowed.
        * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egress_to = 2; - * + * repeated string external_resources = 3; + * + * @param value The bytes of the externalResources to add. + * @return This builder for chaining. */ - private com.google.protobuf.SingleFieldBuilderV3< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo.Builder, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressToOrBuilder> - getEgressToFieldBuilder() { - if (egressToBuilder_ == null) { - egressToBuilder_ = - new com.google.protobuf.SingleFieldBuilderV3< - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo - .Builder, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .EgressToOrBuilder>(getEgressTo(), getParentForChildren(), isClean()); - egressTo_ = null; + public Builder addExternalResourcesBytes(com.google.protobuf.ByteString value) { + if (value == null) { + throw new NullPointerException(); } - return egressToBuilder_; + checkByteStringIsUtf8(value); + ensureExternalResourcesIsMutable(); + externalResources_.add(value); + onChanged(); + return this; } @java.lang.Override 
@@ -13027,28 +13205,27 @@ public final Builder mergeUnknownFields( return super.mergeUnknownFields(unknownFields); } - // @@protoc_insertion_point(builder_scope:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy) + // @@protoc_insertion_point(builder_scope:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo) } - // @@protoc_insertion_point(class_scope:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy) - private static final com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .EgressPolicy + // @@protoc_insertion_point(class_scope:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo) + private static final com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo DEFAULT_INSTANCE; static { DEFAULT_INSTANCE = - new com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy(); + new com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo(); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo getDefaultInstance() { return DEFAULT_INSTANCE; } - private static final com.google.protobuf.Parser PARSER = - new com.google.protobuf.AbstractParser() { + private static final com.google.protobuf.Parser PARSER = + new com.google.protobuf.AbstractParser() { @java.lang.Override - public EgressPolicy parsePartialFrom( + public EgressTo parsePartialFrom( com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException { 
@@ -13068,158 +13245,177 @@ public EgressPolicy parsePartialFrom( } }; - public static com.google.protobuf.Parser parser() { + public static com.google.protobuf.Parser parser() { return PARSER; } @java.lang.Override - public com.google.protobuf.Parser getParserForType() { + public com.google.protobuf.Parser getParserForType() { return PARSER; } @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo getDefaultInstanceForType() { return DEFAULT_INSTANCE; } } - public interface EgressFromOrBuilder + public interface EgressPolicyOrBuilder extends - // @@protoc_insertion_point(interface_extends:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom) + // @@protoc_insertion_point(interface_extends:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy) com.google.protobuf.MessageOrBuilder { /** * * *
-     * A list of identities that are allowed access through this [EgressPolicy].
-     * Should be in the format of email address. The email address should
-     * represent individual user or service account only.
+     * Defines conditions on the source of a request causing this [EgressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+     * to apply.
      * 
* - * repeated string identities = 1; + * + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom egress_from = 1; + * * - * @return A list containing the identities. + * @return Whether the egressFrom field is set. */ - java.util.List getIdentitiesList(); + boolean hasEgressFrom(); /** * * *
-     * A list of identities that are allowed access through this [EgressPolicy].
-     * Should be in the format of email address. The email address should
-     * represent individual user or service account only.
+     * Defines conditions on the source of a request causing this [EgressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+     * to apply.
      * 
* - * repeated string identities = 1; + * + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom egress_from = 1; + * * - * @return The count of identities. + * @return The egressFrom. */ - int getIdentitiesCount(); + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom getEgressFrom(); /** * * *
-     * A list of identities that are allowed access through this [EgressPolicy].
-     * Should be in the format of email address. The email address should
-     * represent individual user or service account only.
+     * Defines conditions on the source of a request causing this [EgressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+     * to apply.
      * 
* - * repeated string identities = 1; - * - * @param index The index of the element to return. - * @return The identities at the given index. + * + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom egress_from = 1; + * */ - java.lang.String getIdentities(int index); + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFromOrBuilder + getEgressFromOrBuilder(); + /** * * *
-     * A list of identities that are allowed access through this [EgressPolicy].
-     * Should be in the format of email address. The email address should
-     * represent individual user or service account only.
+     * Defines the conditions on the [ApiOperation]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+     * and destination resources that cause this [EgressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+     * to apply.
      * 
* - * repeated string identities = 1; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egress_to = 2; + * * - * @param index The index of the value to return. - * @return The bytes of the identities at the given index. + * @return Whether the egressTo field is set. */ - com.google.protobuf.ByteString getIdentitiesBytes(int index); - + boolean hasEgressTo(); /** * * *
-     * Specifies the type of identities that are allowed access to outside the
-     * perimeter. If left unspecified, then members of `identities` field will
-     * be allowed access.
+     * Defines the conditions on the [ApiOperation]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+     * and destination resources that cause this [EgressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+     * to apply.
      * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 2; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egress_to = 2; * * - * @return The enum numeric value on the wire for identityType. + * @return The egressTo. */ - int getIdentityTypeValue(); + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo getEgressTo(); /** * * *
-     * Specifies the type of identities that are allowed access to outside the
-     * perimeter. If left unspecified, then members of `identities` field will
-     * be allowed access.
+     * Defines the conditions on the [ApiOperation]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+     * and destination resources that cause this [EgressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+     * to apply.
      * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 2; - * - * - * @return The identityType. + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egress_to = 2; + * */ - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType - getIdentityType(); + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressToOrBuilder + getEgressToOrBuilder(); } /** * * *
-   * Defines the conditions under which an [EgressPolicy]
+   * Policy for egress from perimeter.
+   * [EgressPolicies]
    * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-   * matches a request. Conditions based on information about the source of the
-   * request. Note that if the destination of the request is also protected by a
-   * [ServicePerimeter]
-   * [google.identity.accesscontextmanager.v1.ServicePerimeter], then that
-   * [ServicePerimeter]
-   * [google.identity.accesscontextmanager.v1.ServicePerimeter] must have
-   * an [IngressPolicy]
-   * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-   * which allows access in order for this request to succeed.
+   * match requests based on `egress_from` and `egress_to` stanzas.  For an
+   * [EgressPolicy]
+   * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+   * to match, both `egress_from` and `egress_to` stanzas must be matched. If an
+   * [EgressPolicy]
+   * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+   * matches a request, the request is allowed to span the [ServicePerimeter]
+   * [google.identity.accesscontextmanager.v1.ServicePerimeter] boundary.
+   * For example, an [EgressPolicy]
+   * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+   * can be used to allow VMs on networks within the [ServicePerimeter]
+   * [google.identity.accesscontextmanager.v1.ServicePerimeter] to access a
+   * defined set of projects outside the perimeter in certain contexts (e.g. to
+   * read data from a Cloud Storage bucket or query against a BigQuery dataset).
+   * [EgressPolicies]
+   * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+   * are concerned with the *resources* that a request relates as well as the
+   * API services and API actions being used.  They do not related to the
+   * direction of data movement.  More detailed documentation for this concept
+   * can be found in the descriptions of [EgressFrom]
+   * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom]
+   * and [EgressTo]
+   * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo].
    * 
* - * Protobuf type {@code google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom} + * Protobuf type {@code + * google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy} */ - public static final class EgressFrom extends com.google.protobuf.GeneratedMessageV3 + public static final class EgressPolicy extends com.google.protobuf.GeneratedMessageV3 implements - // @@protoc_insertion_point(message_implements:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom) - EgressFromOrBuilder { + // @@protoc_insertion_point(message_implements:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy) + EgressPolicyOrBuilder { private static final long serialVersionUID = 0L; - // Use EgressFrom.newBuilder() to construct. - private EgressFrom(com.google.protobuf.GeneratedMessageV3.Builder builder) { + // Use EgressPolicy.newBuilder() to construct. + private EgressPolicy(com.google.protobuf.GeneratedMessageV3.Builder builder) { super(builder); } - private EgressFrom() { - identities_ = com.google.protobuf.LazyStringArrayList.EMPTY; - identityType_ = 0; - } + private EgressPolicy() {} @java.lang.Override @SuppressWarnings({"unused"}) protected java.lang.Object newInstance(UnusedPrivateParameter unused) { - return new EgressFrom(); + return new EgressPolicy(); } @java.lang.Override 
@@ -13229,136 +13425,148 @@ public final com.google.protobuf.UnknownFieldSet getUnknownFields() { public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() { return com.google.identity.accesscontextmanager.v1.ServicePerimeterProto - .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressFrom_descriptor; + .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressPolicy_descriptor; } @java.lang.Override protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable() { return com.google.identity.accesscontextmanager.v1.ServicePerimeterProto - .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressFrom_fieldAccessorTable + .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressPolicy_fieldAccessorTable .ensureFieldAccessorsInitialized( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom.class, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom.Builder - .class); + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy.class, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy + .Builder.class); } - public static final int IDENTITIES_FIELD_NUMBER = 1; - private com.google.protobuf.LazyStringList identities_; + public static final int EGRESS_FROM_FIELD_NUMBER = 1; + private com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom + egressFrom_; /** * * *
-     * A list of identities that are allowed access through this [EgressPolicy].
-     * Should be in the format of email address. The email address should
-     * represent individual user or service account only.
+     * Defines conditions on the source of a request causing this [EgressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+     * to apply.
      * 
* - * repeated string identities = 1; + * + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom egress_from = 1; + * * - * @return A list containing the identities. + * @return Whether the egressFrom field is set. */ - public com.google.protobuf.ProtocolStringList getIdentitiesList() { - return identities_; + @java.lang.Override + public boolean hasEgressFrom() { + return egressFrom_ != null; } /** * * *
-     * A list of identities that are allowed access through this [EgressPolicy].
-     * Should be in the format of email address. The email address should
-     * represent individual user or service account only.
+     * Defines conditions on the source of a request causing this [EgressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+     * to apply.
      * 
* - * repeated string identities = 1; + * + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom egress_from = 1; + * * - * @return The count of identities. + * @return The egressFrom. */ - public int getIdentitiesCount() { - return identities_.size(); + @java.lang.Override + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom + getEgressFrom() { + return egressFrom_ == null + ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom + .getDefaultInstance() + : egressFrom_; } /** * * *
-     * A list of identities that are allowed access through this [EgressPolicy].
-     * Should be in the format of email address. The email address should
-     * represent individual user or service account only.
+     * Defines conditions on the source of a request causing this [EgressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+     * to apply.
      * 
* - * repeated string identities = 1; - * - * @param index The index of the element to return. - * @return The identities at the given index. + * + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom egress_from = 1; + * */ - public java.lang.String getIdentities(int index) { - return identities_.get(index); + @java.lang.Override + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFromOrBuilder + getEgressFromOrBuilder() { + return getEgressFrom(); } + + public static final int EGRESS_TO_FIELD_NUMBER = 2; + private com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egressTo_; /** * * *
-     * A list of identities that are allowed access through this [EgressPolicy].
-     * Should be in the format of email address. The email address should
-     * represent individual user or service account only.
+     * Defines the conditions on the [ApiOperation]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+     * and destination resources that cause this [EgressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+     * to apply.
      * 
* - * repeated string identities = 1; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egress_to = 2; + * * - * @param index The index of the value to return. - * @return The bytes of the identities at the given index. + * @return Whether the egressTo field is set. */ - public com.google.protobuf.ByteString getIdentitiesBytes(int index) { - return identities_.getByteString(index); + @java.lang.Override + public boolean hasEgressTo() { + return egressTo_ != null; } - - public static final int IDENTITY_TYPE_FIELD_NUMBER = 2; - private int identityType_; /** * * *
-     * Specifies the type of identities that are allowed access to outside the
-     * perimeter. If left unspecified, then members of `identities` field will
-     * be allowed access.
+     * Defines the conditions on the [ApiOperation]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+     * and destination resources that cause this [EgressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+     * to apply.
      * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 2; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egress_to = 2; * * - * @return The enum numeric value on the wire for identityType. + * @return The egressTo. */ @java.lang.Override - public int getIdentityTypeValue() { - return identityType_; + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo + getEgressTo() { + return egressTo_ == null + ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo + .getDefaultInstance() + : egressTo_; } /** * * *
-     * Specifies the type of identities that are allowed access to outside the
-     * perimeter. If left unspecified, then members of `identities` field will
-     * be allowed access.
+     * Defines the conditions on the [ApiOperation]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+     * and destination resources that cause this [EgressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+     * to apply.
      * 
* - * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 2; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egress_to = 2; * - * - * @return The identityType. */ @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType - getIdentityType() { - @SuppressWarnings("deprecation") - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType result = - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType.valueOf( - identityType_); - return result == null - ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType - .UNRECOGNIZED - : result; + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressToOrBuilder + getEgressToOrBuilder() { + return getEgressTo(); } private byte memoizedIsInitialized = -1; @@ -13375,14 +13583,11 @@ public final boolean isInitialized() { @java.lang.Override public void writeTo(com.google.protobuf.CodedOutputStream output) throws java.io.IOException { - for (int i = 0; i < identities_.size(); i++) { - com.google.protobuf.GeneratedMessageV3.writeString(output, 1, identities_.getRaw(i)); + if (egressFrom_ != null) { + output.writeMessage(1, getEgressFrom()); } - if (identityType_ - != com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType - .IDENTITY_TYPE_UNSPECIFIED - .getNumber()) { - output.writeEnum(2, identityType_); + if (egressTo_ != null) { + output.writeMessage(2, getEgressTo()); } getUnknownFields().writeTo(output); } 
@@ -13393,19 +13598,11 @@ public int getSerializedSize() { if (size != -1) return size; size = 0; - { - int dataSize = 0; - for (int i = 0; i < identities_.size(); i++) { - dataSize += computeStringSizeNoTag(identities_.getRaw(i)); - } - size += dataSize; - size += 1 * getIdentitiesList().size(); + if (egressFrom_ != null) { + size += com.google.protobuf.CodedOutputStream.computeMessageSize(1, getEgressFrom()); } - if (identityType_ - != com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType - .IDENTITY_TYPE_UNSPECIFIED - .getNumber()) { - size += com.google.protobuf.CodedOutputStream.computeEnumSize(2, identityType_); + if (egressTo_ != null) { + size += com.google.protobuf.CodedOutputStream.computeMessageSize(2, getEgressTo()); } size += getUnknownFields().getSerializedSize(); memoizedSize = size; 
@@ -13419,14 +13616,20 @@ public boolean equals(final java.lang.Object obj) { } if (!(obj instanceof - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom)) { + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy)) { return super.equals(obj); } - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom other = - (com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom) obj; + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy other = + (com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy) obj; - if (!getIdentitiesList().equals(other.getIdentitiesList())) return false; - if (identityType_ != other.identityType_) return false; + if (hasEgressFrom() != other.hasEgressFrom()) return false; + if (hasEgressFrom()) { + if (!getEgressFrom().equals(other.getEgressFrom())) return false; + } + if (hasEgressTo() != other.hasEgressTo()) return false; + if (hasEgressTo()) { + if (!getEgressTo().equals(other.getEgressTo())) return false; + } if (!getUnknownFields().equals(other.getUnknownFields())) return false; return true; } 
@@ -13438,37 +13641,39 @@ public int hashCode() { } int hash = 41; hash = (19 * hash) + getDescriptor().hashCode(); - if (getIdentitiesCount() > 0) { - hash = (37 * hash) + IDENTITIES_FIELD_NUMBER; - hash = (53 * hash) + getIdentitiesList().hashCode(); + if (hasEgressFrom()) { + hash = (37 * hash) + EGRESS_FROM_FIELD_NUMBER; + hash = (53 * hash) + getEgressFrom().hashCode(); + } + if (hasEgressTo()) { + hash = (37 * hash) + EGRESS_TO_FIELD_NUMBER; + hash = (53 * hash) + getEgressTo().hashCode(); } - hash = (37 * hash) + IDENTITY_TYPE_FIELD_NUMBER; - hash = (53 * hash) + identityType_; hash = (29 * hash) + getUnknownFields().hashCode(); memoizedHashCode = hash; return hash; } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy parseFrom(java.nio.ByteBuffer data) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy parseFrom( java.nio.ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data, extensionRegistry); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy parseFrom(com.google.protobuf.ByteString data) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy parseFrom( com.google.protobuf.ByteString data, 
com.google.protobuf.ExtensionRegistryLite extensionRegistry) @@ -13476,23 +13681,23 @@ public int hashCode() { return PARSER.parseFrom(data, extensionRegistry); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy parseFrom(byte[] data) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy parseFrom(byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException { return PARSER.parseFrom(data, extensionRegistry); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy parseFrom(java.io.InputStream input) throws java.io.IOException { return com.google.protobuf.GeneratedMessageV3.parseWithIOException(PARSER, input); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy parseFrom( java.io.InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws java.io.IOException { 
@@ -13500,12 +13705,12 @@ public int hashCode() { PARSER, input, extensionRegistry); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy parseDelimitedFrom(java.io.InputStream input) throws java.io.IOException { return com.google.protobuf.GeneratedMessageV3.parseDelimitedWithIOException(PARSER, input); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy parseDelimitedFrom( java.io.InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws java.io.IOException { @@ -13513,12 +13718,12 @@ public int hashCode() { PARSER, input, extensionRegistry); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy parseFrom(com.google.protobuf.CodedInputStream input) throws java.io.IOException { return com.google.protobuf.GeneratedMessageV3.parseWithIOException(PARSER, input); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy parseFrom( com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) @@ -13537,7 +13742,7 @@ public static Builder newBuilder() { } public static Builder newBuilder( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom prototype) { + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy prototype) { return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype); } @@ -13556,45 +13761,61 @@ protected Builder newBuilderForType( * * *
-     * Defines the conditions under which an [EgressPolicy]
+     * Policy for egress from perimeter.
+     * [EgressPolicies]
      * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
-     * matches a request. Conditions based on information about the source of the
-     * request. Note that if the destination of the request is also protected by a
-     * [ServicePerimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter], then that
-     * [ServicePerimeter]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeter] must have
-     * an [IngressPolicy]
-     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
-     * which allows access in order for this request to succeed.
+     * match requests based on `egress_from` and `egress_to` stanzas.  For an
+     * [EgressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+     * to match, both `egress_from` and `egress_to` stanzas must be matched. If an
+     * [EgressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+     * matches a request, the request is allowed to span the [ServicePerimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] boundary.
+     * For example, an [EgressPolicy]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+     * can be used to allow VMs on networks within the [ServicePerimeter]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeter] to access a
+     * defined set of projects outside the perimeter in certain contexts (e.g. to
+     * read data from a Cloud Storage bucket or query against a BigQuery dataset).
+     * [EgressPolicies]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+     * are concerned with the *resources* that a request relates as well as the
+     * API services and API actions being used.  They do not related to the
+     * direction of data movement.  More detailed documentation for this concept
+     * can be found in the descriptions of [EgressFrom]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom]
+     * and [EgressTo]
+     * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo].
      * 
* * Protobuf type {@code - * google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom} + * google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy} */ public static final class Builder extends com.google.protobuf.GeneratedMessageV3.Builder implements - // @@protoc_insertion_point(builder_implements:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom) - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFromOrBuilder { + // @@protoc_insertion_point(builder_implements:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy) + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicyOrBuilder { public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() { return com.google.identity.accesscontextmanager.v1.ServicePerimeterProto - .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressFrom_descriptor; + .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressPolicy_descriptor; } @java.lang.Override protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable() { return com.google.identity.accesscontextmanager.v1.ServicePerimeterProto - .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressFrom_fieldAccessorTable + .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressPolicy_fieldAccessorTable .ensureFieldAccessorsInitialized( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom.class, - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy + .class, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy .Builder.class); } // Construct using - // 
com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom.newBuilder() + // com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy.newBuilder() private Builder() {} private Builder(com.google.protobuf.GeneratedMessageV3.BuilderParent parent) { 
@@ -13604,29 +13825,38 @@ private Builder(com.google.protobuf.GeneratedMessageV3.BuilderParent parent) { @java.lang.Override public Builder clear() { super.clear(); - identities_ = com.google.protobuf.LazyStringArrayList.EMPTY; - bitField0_ = (bitField0_ & ~0x00000001); - identityType_ = 0; - + if (egressFromBuilder_ == null) { + egressFrom_ = null; + } else { + egressFrom_ = null; + egressFromBuilder_ = null; + } + if (egressToBuilder_ == null) { + egressTo_ = null; + } else { + egressTo_ = null; + egressToBuilder_ = null; + } return this; } @java.lang.Override public com.google.protobuf.Descriptors.Descriptor getDescriptorForType() { return com.google.identity.accesscontextmanager.v1.ServicePerimeterProto - .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressFrom_descriptor; + .internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressPolicy_descriptor; } @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy getDefaultInstanceForType() { - return com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom + return com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy .getDefaultInstance(); } @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom build() { - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom result = + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy + build() { + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy result = buildPartial(); if (!result.isInitialized()) { throw newUninitializedMessageException(result); 
@@ -13635,17 +13865,21 @@ public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.Egress } @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy buildPartial() { - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom result = - new com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom(this); - int from_bitField0_ = bitField0_; - if (((bitField0_ & 0x00000001) != 0)) { - identities_ = identities_.getUnmodifiableView(); - bitField0_ = (bitField0_ & ~0x00000001); + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy result = + new com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy( + this); + if (egressFromBuilder_ == null) { + result.egressFrom_ = egressFrom_; + } else { + result.egressFrom_ = egressFromBuilder_.build(); + } + if (egressToBuilder_ == null) { + result.egressTo_ = egressTo_; + } else { + result.egressTo_ = egressToBuilder_.build(); } - result.identities_ = identities_; - result.identityType_ = identityType_; onBuilt(); return result; } @@ -13689,9 +13923,9 @@ public Builder addRepeatedField( public Builder mergeFrom(com.google.protobuf.Message other) { if (other instanceof - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom) { + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy) { return mergeFrom( - (com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom) + (com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy) other); } else { super.mergeFrom(other); 
@@ -13700,22 +13934,15 @@ public Builder mergeFrom(com.google.protobuf.Message other) { } public Builder mergeFrom( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom other) { + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy other) { if (other - == com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom + == com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy .getDefaultInstance()) return this; - if (!other.identities_.isEmpty()) { - if (identities_.isEmpty()) { - identities_ = other.identities_; - bitField0_ = (bitField0_ & ~0x00000001); - } else { - ensureIdentitiesIsMutable(); - identities_.addAll(other.identities_); - } - onChanged(); + if (other.hasEgressFrom()) { + mergeEgressFrom(other.getEgressFrom()); } - if (other.identityType_ != 0) { - setIdentityTypeValue(other.getIdentityTypeValue()); + if (other.hasEgressTo()) { + mergeEgressTo(other.getEgressTo()); } this.mergeUnknownFields(other.getUnknownFields()); onChanged(); 
@@ -13735,347 +13962,526 @@ public Builder mergeFrom( if (extensionRegistry == null) { throw new java.lang.NullPointerException(); } - try { - boolean done = false; - while (!done) { - int tag = input.readTag(); - switch (tag) { - case 0: - done = true; - break; - case 10: - { - java.lang.String s = input.readStringRequireUtf8(); - ensureIdentitiesIsMutable(); - identities_.add(s); - break; - } // case 10 - case 16: - { - identityType_ = input.readEnum(); + try { + boolean done = false; + while (!done) { + int tag = input.readTag(); + switch (tag) { + case 0: + done = true; + break; + case 10: + { + input.readMessage(getEgressFromFieldBuilder().getBuilder(), extensionRegistry); + + break; + } // case 10 + case 18: + { + input.readMessage(getEgressToFieldBuilder().getBuilder(), extensionRegistry); + + break; + } // case 18 + default: + { + if (!super.parseUnknownField(input, extensionRegistry, tag)) { + done = true; // was an endgroup tag + } + break; + } // default: + } // switch (tag) + } // while (!done) + } catch (com.google.protobuf.InvalidProtocolBufferException e) { + throw e.unwrapIOException(); + } finally { + onChanged(); + } // finally + return this; + } + + private com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom + egressFrom_; + private com.google.protobuf.SingleFieldBuilderV3< + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom.Builder, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig + .EgressFromOrBuilder> + egressFromBuilder_; + /** + * + * + *
+       * Defines conditions on the source of a request causing this [EgressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+       * to apply.
+       * 
+ * + * + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom egress_from = 1; + * + * + * @return Whether the egressFrom field is set. + */ + public boolean hasEgressFrom() { + return egressFromBuilder_ != null || egressFrom_ != null; + } + /** + * + * + *
+       * Defines conditions on the source of a request causing this [EgressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+       * to apply.
+       * 
+ * + * + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom egress_from = 1; + * + * + * @return The egressFrom. + */ + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom + getEgressFrom() { + if (egressFromBuilder_ == null) { + return egressFrom_ == null + ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom + .getDefaultInstance() + : egressFrom_; + } else { + return egressFromBuilder_.getMessage(); + } + } + /** + * + * + *
+       * Defines conditions on the source of a request causing this [EgressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+       * to apply.
+       * 
+ * + * + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom egress_from = 1; + * + */ + public Builder setEgressFrom( + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom value) { + if (egressFromBuilder_ == null) { + if (value == null) { + throw new NullPointerException(); + } + egressFrom_ = value; + onChanged(); + } else { + egressFromBuilder_.setMessage(value); + } - break; - } // case 16 - default: - { - if (!super.parseUnknownField(input, extensionRegistry, tag)) { - done = true; // was an endgroup tag - } - break; - } // default: - } // switch (tag) - } // while (!done) - } catch (com.google.protobuf.InvalidProtocolBufferException e) { - throw e.unwrapIOException(); - } finally { - onChanged(); - } // finally return this; } - - private int bitField0_; - - private com.google.protobuf.LazyStringList identities_ = - com.google.protobuf.LazyStringArrayList.EMPTY; - - private void ensureIdentitiesIsMutable() { - if (!((bitField0_ & 0x00000001) != 0)) { - identities_ = new com.google.protobuf.LazyStringArrayList(identities_); - bitField0_ |= 0x00000001; + /** + * + * + *
+       * Defines conditions on the source of a request causing this [EgressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+       * to apply.
+       * 
+ * + * + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom egress_from = 1; + * + */ + public Builder setEgressFrom( + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom.Builder + builderForValue) { + if (egressFromBuilder_ == null) { + egressFrom_ = builderForValue.build(); + onChanged(); + } else { + egressFromBuilder_.setMessage(builderForValue.build()); } + + return this; } /** * * *
-       * A list of identities that are allowed access through this [EgressPolicy].
-       * Should be in the format of email address. The email address should
-       * represent individual user or service account only.
+       * Defines conditions on the source of a request causing this [EgressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+       * to apply.
        * 
* - * repeated string identities = 1; - * - * @return A list containing the identities. + * + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom egress_from = 1; + * */ - public com.google.protobuf.ProtocolStringList getIdentitiesList() { - return identities_.getUnmodifiableView(); + public Builder mergeEgressFrom( + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom value) { + if (egressFromBuilder_ == null) { + if (egressFrom_ != null) { + egressFrom_ = + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom + .newBuilder(egressFrom_) + .mergeFrom(value) + .buildPartial(); + } else { + egressFrom_ = value; + } + onChanged(); + } else { + egressFromBuilder_.mergeFrom(value); + } + + return this; } /** * * *
-       * A list of identities that are allowed access through this [EgressPolicy].
-       * Should be in the format of email address. The email address should
-       * represent individual user or service account only.
+       * Defines conditions on the source of a request causing this [EgressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+       * to apply.
        * 
* - * repeated string identities = 1; - * - * @return The count of identities. + * + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom egress_from = 1; + * */ - public int getIdentitiesCount() { - return identities_.size(); + public Builder clearEgressFrom() { + if (egressFromBuilder_ == null) { + egressFrom_ = null; + onChanged(); + } else { + egressFrom_ = null; + egressFromBuilder_ = null; + } + + return this; } /** * * *
-       * A list of identities that are allowed access through this [EgressPolicy].
-       * Should be in the format of email address. The email address should
-       * represent individual user or service account only.
+       * Defines conditions on the source of a request causing this [EgressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+       * to apply.
        * 
* - * repeated string identities = 1; - * - * @param index The index of the element to return. - * @return The identities at the given index. + * + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom egress_from = 1; + * */ - public java.lang.String getIdentities(int index) { - return identities_.get(index); + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom.Builder + getEgressFromBuilder() { + + onChanged(); + return getEgressFromFieldBuilder().getBuilder(); } /** * * *
-       * A list of identities that are allowed access through this [EgressPolicy].
-       * Should be in the format of email address. The email address should
-       * represent individual user or service account only.
+       * Defines conditions on the source of a request causing this [EgressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+       * to apply.
        * 
* - * repeated string identities = 1; - * - * @param index The index of the value to return. - * @return The bytes of the identities at the given index. + * + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom egress_from = 1; + * */ - public com.google.protobuf.ByteString getIdentitiesBytes(int index) { - return identities_.getByteString(index); + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFromOrBuilder + getEgressFromOrBuilder() { + if (egressFromBuilder_ != null) { + return egressFromBuilder_.getMessageOrBuilder(); + } else { + return egressFrom_ == null + ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom + .getDefaultInstance() + : egressFrom_; + } } /** * * *
-       * A list of identities that are allowed access through this [EgressPolicy].
-       * Should be in the format of email address. The email address should
-       * represent individual user or service account only.
+       * Defines conditions on the source of a request causing this [EgressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+       * to apply.
        * 
* - * repeated string identities = 1; - * - * @param index The index to set the value at. - * @param value The identities to set. - * @return This builder for chaining. + * + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom egress_from = 1; + * */ - public Builder setIdentities(int index, java.lang.String value) { - if (value == null) { - throw new NullPointerException(); + private com.google.protobuf.SingleFieldBuilderV3< + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom.Builder, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig + .EgressFromOrBuilder> + getEgressFromFieldBuilder() { + if (egressFromBuilder_ == null) { + egressFromBuilder_ = + new com.google.protobuf.SingleFieldBuilderV3< + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom + .Builder, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig + .EgressFromOrBuilder>(getEgressFrom(), getParentForChildren(), isClean()); + egressFrom_ = null; } - ensureIdentitiesIsMutable(); - identities_.set(index, value); - onChanged(); - return this; + return egressFromBuilder_; } + + private com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egressTo_; + private com.google.protobuf.SingleFieldBuilderV3< + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo.Builder, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressToOrBuilder> + egressToBuilder_; /** * * *
-       * A list of identities that are allowed access through this [EgressPolicy].
-       * Should be in the format of email address. The email address should
-       * represent individual user or service account only.
+       * Defines the conditions on the [ApiOperation]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * and destination resources that cause this [EgressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+       * to apply.
        * 
* - * repeated string identities = 1; + * + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egress_to = 2; + * * - * @param value The identities to add. - * @return This builder for chaining. + * @return Whether the egressTo field is set. */ - public Builder addIdentities(java.lang.String value) { - if (value == null) { - throw new NullPointerException(); - } - ensureIdentitiesIsMutable(); - identities_.add(value); - onChanged(); - return this; + public boolean hasEgressTo() { + return egressToBuilder_ != null || egressTo_ != null; } /** * * *
-       * A list of identities that are allowed access through this [EgressPolicy].
-       * Should be in the format of email address. The email address should
-       * represent individual user or service account only.
+       * Defines the conditions on the [ApiOperation]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * and destination resources that cause this [EgressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+       * to apply.
        * 
* - * repeated string identities = 1; + * + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egress_to = 2; + * * - * @param values The identities to add. - * @return This builder for chaining. + * @return The egressTo. */ - public Builder addAllIdentities(java.lang.Iterable values) { - ensureIdentitiesIsMutable(); - com.google.protobuf.AbstractMessageLite.Builder.addAll(values, identities_); - onChanged(); - return this; + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo + getEgressTo() { + if (egressToBuilder_ == null) { + return egressTo_ == null + ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo + .getDefaultInstance() + : egressTo_; + } else { + return egressToBuilder_.getMessage(); + } } /** * * *
-       * A list of identities that are allowed access through this [EgressPolicy].
-       * Should be in the format of email address. The email address should
-       * represent individual user or service account only.
+       * Defines the conditions on the [ApiOperation]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * and destination resources that cause this [EgressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+       * to apply.
        * 
* - * repeated string identities = 1; - * - * @return This builder for chaining. + * + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egress_to = 2; + * */ - public Builder clearIdentities() { - identities_ = com.google.protobuf.LazyStringArrayList.EMPTY; - bitField0_ = (bitField0_ & ~0x00000001); - onChanged(); + public Builder setEgressTo( + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo value) { + if (egressToBuilder_ == null) { + if (value == null) { + throw new NullPointerException(); + } + egressTo_ = value; + onChanged(); + } else { + egressToBuilder_.setMessage(value); + } + return this; } /** * * *
-       * A list of identities that are allowed access through this [EgressPolicy].
-       * Should be in the format of email address. The email address should
-       * represent individual user or service account only.
+       * Defines the conditions on the [ApiOperation]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * and destination resources that cause this [EgressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+       * to apply.
        * 
* - * repeated string identities = 1; - * - * @param value The bytes of the identities to add. - * @return This builder for chaining. + * + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egress_to = 2; + * */ - public Builder addIdentitiesBytes(com.google.protobuf.ByteString value) { - if (value == null) { - throw new NullPointerException(); + public Builder setEgressTo( + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo.Builder + builderForValue) { + if (egressToBuilder_ == null) { + egressTo_ = builderForValue.build(); + onChanged(); + } else { + egressToBuilder_.setMessage(builderForValue.build()); } - checkByteStringIsUtf8(value); - ensureIdentitiesIsMutable(); - identities_.add(value); - onChanged(); + return this; } - - private int identityType_ = 0; /** * * *
-       * Specifies the type of identities that are allowed access to outside the
-       * perimeter. If left unspecified, then members of `identities` field will
-       * be allowed access.
+       * Defines the conditions on the [ApiOperation]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * and destination resources that cause this [EgressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+       * to apply.
        * 
* * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 2; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egress_to = 2; * - * - * @return The enum numeric value on the wire for identityType. */ - @java.lang.Override - public int getIdentityTypeValue() { - return identityType_; + public Builder mergeEgressTo( + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo value) { + if (egressToBuilder_ == null) { + if (egressTo_ != null) { + egressTo_ = + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo + .newBuilder(egressTo_) + .mergeFrom(value) + .buildPartial(); + } else { + egressTo_ = value; + } + onChanged(); + } else { + egressToBuilder_.mergeFrom(value); + } + + return this; } /** * * *
-       * Specifies the type of identities that are allowed access to outside the
-       * perimeter. If left unspecified, then members of `identities` field will
-       * be allowed access.
+       * Defines the conditions on the [ApiOperation]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * and destination resources that cause this [EgressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+       * to apply.
        * 
* * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 2; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egress_to = 2; * - * - * @param value The enum numeric value on the wire for identityType to set. - * @return This builder for chaining. */ - public Builder setIdentityTypeValue(int value) { + public Builder clearEgressTo() { + if (egressToBuilder_ == null) { + egressTo_ = null; + onChanged(); + } else { + egressTo_ = null; + egressToBuilder_ = null; + } - identityType_ = value; - onChanged(); return this; } /** * * *
-       * Specifies the type of identities that are allowed access to outside the
-       * perimeter. If left unspecified, then members of `identities` field will
-       * be allowed access.
+       * Defines the conditions on the [ApiOperation]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * and destination resources that cause this [EgressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+       * to apply.
        * 
* * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 2; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egress_to = 2; * - * - * @return The identityType. */ - @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType - getIdentityType() { - @SuppressWarnings("deprecation") - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType result = - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType.valueOf( - identityType_); - return result == null - ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType - .UNRECOGNIZED - : result; + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo.Builder + getEgressToBuilder() { + + onChanged(); + return getEgressToFieldBuilder().getBuilder(); } /** * * *
-       * Specifies the type of identities that are allowed access to outside the
-       * perimeter. If left unspecified, then members of `identities` field will
-       * be allowed access.
+       * Defines the conditions on the [ApiOperation]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * and destination resources that cause this [EgressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+       * to apply.
        * 
* * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 2; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egress_to = 2; * - * - * @param value The identityType to set. - * @return This builder for chaining. */ - public Builder setIdentityType( - com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType value) { - if (value == null) { - throw new NullPointerException(); + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressToOrBuilder + getEgressToOrBuilder() { + if (egressToBuilder_ != null) { + return egressToBuilder_.getMessageOrBuilder(); + } else { + return egressTo_ == null + ? com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo + .getDefaultInstance() + : egressTo_; } - - identityType_ = value.getNumber(); - onChanged(); - return this; } /** * * *
-       * Specifies the type of identities that are allowed access to outside the
-       * perimeter. If left unspecified, then members of `identities` field will
-       * be allowed access.
+       * Defines the conditions on the [ApiOperation]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+       * and destination resources that cause this [EgressPolicy]
+       * [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+       * to apply.
        * 
* * - * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType identity_type = 2; + * .google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo egress_to = 2; * - * - * @return This builder for chaining. */ - public Builder clearIdentityType() { - - identityType_ = 0; - onChanged(); - return this; + private com.google.protobuf.SingleFieldBuilderV3< + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo.Builder, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressToOrBuilder> + getEgressToFieldBuilder() { + if (egressToBuilder_ == null) { + egressToBuilder_ = + new com.google.protobuf.SingleFieldBuilderV3< + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo + .Builder, + com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig + .EgressToOrBuilder>(getEgressTo(), getParentForChildren(), isClean()); + egressTo_ = null; + } + return egressToBuilder_; } @java.lang.Override 
@@ -14090,28 +14496,28 @@ public final Builder mergeUnknownFields( return super.mergeUnknownFields(unknownFields); } - // @@protoc_insertion_point(builder_scope:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom) + // @@protoc_insertion_point(builder_scope:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy) } - // @@protoc_insertion_point(class_scope:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom) + // @@protoc_insertion_point(class_scope:google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy) private static final com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig - .EgressFrom + .EgressPolicy DEFAULT_INSTANCE; static { DEFAULT_INSTANCE = - new com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom(); + new com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy(); } - public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom + public static com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy getDefaultInstance() { return DEFAULT_INSTANCE; } - private static final com.google.protobuf.Parser PARSER = - new com.google.protobuf.AbstractParser() { + private static final com.google.protobuf.Parser PARSER = + new com.google.protobuf.AbstractParser() { @java.lang.Override - public EgressFrom parsePartialFrom( + public EgressPolicy parsePartialFrom( com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException { 
@@ -14131,17 +14537,17 @@ public EgressFrom parsePartialFrom( } }; - public static com.google.protobuf.Parser parser() { + public static com.google.protobuf.Parser parser() { return PARSER; } @java.lang.Override - public com.google.protobuf.Parser getParserForType() { + public com.google.protobuf.Parser getParserForType() { return PARSER; } @java.lang.Override - public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom + public com.google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy getDefaultInstanceForType() { return DEFAULT_INSTANCE; } diff --git a/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/ServicePerimeterProto.java b/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/ServicePerimeterProto.java index 3deea747f592..7e5415dbd5d3 100644 --- a/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/ServicePerimeterProto.java +++ b/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/java/com/google/identity/accesscontextmanager/v1/ServicePerimeterProto.java 
@@ -51,10 +51,6 @@ public static void registerAllExtensions(com.google.protobuf.ExtensionRegistry r internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressSource_descriptor; static final com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressSource_fieldAccessorTable; - static final com.google.protobuf.Descriptors.Descriptor - internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressTo_descriptor; - static final com.google.protobuf.GeneratedMessageV3.FieldAccessorTable - internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressTo_fieldAccessorTable; static final com.google.protobuf.Descriptors.Descriptor internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressFrom_descriptor; static final com.google.protobuf.GeneratedMessageV3.FieldAccessorTable 
@@ -67,14 +63,18 @@ public static void registerAllExtensions(com.google.protobuf.ExtensionRegistry r internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressPolicy_descriptor; static final com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressPolicy_fieldAccessorTable; - static final com.google.protobuf.Descriptors.Descriptor - internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressPolicy_descriptor; - static final com.google.protobuf.GeneratedMessageV3.FieldAccessorTable - internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressPolicy_fieldAccessorTable; static final com.google.protobuf.Descriptors.Descriptor internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressFrom_descriptor; static final com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressFrom_fieldAccessorTable; + static final com.google.protobuf.Descriptors.Descriptor + internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressTo_descriptor; + static final com.google.protobuf.GeneratedMessageV3.FieldAccessorTable + internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressTo_fieldAccessorTable; + static final com.google.protobuf.Descriptors.Descriptor + internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressPolicy_descriptor; + static final com.google.protobuf.GeneratedMessageV3.FieldAccessorTable + internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressPolicy_fieldAccessorTable; public static com.google.protobuf.Descriptors.FileDescriptor getDescriptor() { return descriptor; 
@@ -104,7 +104,7 @@ public static com.google.protobuf.Descriptors.FileDescriptor getDescriptor() { + "METER_TYPE_BRIDGE\020\001:\177\352A|\n4accesscontextm" + "anager.googleapis.com/ServicePerimeter\022D" + "accessPolicies/{access_policy}/servicePe" - + "rimeters/{service_perimeter}\"\230\017\n\026Service" + + "rimeters/{service_perimeter}\"\265\017\n\026Service" + "PerimeterConfig\022\021\n\tresources\030\001 \003(\t\022\025\n\rac" + "cess_levels\030\002 \003(\t\022\033\n\023restricted_services" + "\030\004 \003(\t\022v\n\027vpc_accessible_services\030\n \001(\0132" 
@@ -124,44 +124,44 @@ public static com.google.protobuf.Descriptors.FileDescriptor getDescriptor() { + "ty.accesscontextmanager.v1.ServicePerime" + "terConfig.MethodSelector\032E\n\rIngressSourc" + "e\022\026\n\014access_level\030\001 \001(\tH\000\022\022\n\010resource\030\002 " - + "\001(\tH\000B\010\n\006source\032\177\n\010EgressTo\022\021\n\tresources" - + "\030\001 \003(\t\022`\n\noperations\030\002 \003(\0132L.google.iden" - + "tity.accesscontextmanager.v1.ServicePeri" - + "meterConfig.ApiOperation\032\346\001\n\013IngressFrom" - + "\022^\n\007sources\030\001 \003(\0132M.google.identity.acce" - + "sscontextmanager.v1.ServicePerimeterConf" - + "ig.IngressSource\022\022\n\nidentities\030\002 \003(\t\022c\n\r" - + "identity_type\030\003 \001(\0162L.google.identity.ac" + + "\001(\tH\000B\010\n\006source\032\346\001\n\013IngressFrom\022^\n\007sourc" + + "es\030\001 \003(\0132M.google.identity.accesscontext" + + "manager.v1.ServicePerimeterConfig.Ingres" + + "sSource\022\022\n\nidentities\030\002 \003(\t\022c\n\ridentity_" + + "type\030\003 \001(\0162L.google.identity.accessconte" + + "xtmanager.v1.ServicePerimeterConfig.Iden" + + "tityType\032\200\001\n\tIngressTo\022`\n\noperations\030\001 \003" + + "(\0132L.google.identity.accesscontextmanage" + + "r.v1.ServicePerimeterConfig.ApiOperation" + + "\022\021\n\tresources\030\002 \003(\t\032\321\001\n\rIngressPolicy\022a\n" + + "\014ingress_from\030\001 \001(\0132K.google.identity.ac" + + "cesscontextmanager.v1.ServicePerimeterCo" + + "nfig.IngressFrom\022]\n\ningress_to\030\002 \001(\0132I.g" + + "oogle.identity.accesscontextmanager.v1.S" + + "ervicePerimeterConfig.IngressTo\032\205\001\n\nEgre" + + "ssFrom\022\022\n\nidentities\030\001 \003(\t\022c\n\ridentity_t" + + "ype\030\002 \001(\0162L.google.identity.accesscontex" + + "tmanager.v1.ServicePerimeterConfig.Ident" + + "ityType\032\233\001\n\010EgressTo\022\021\n\tresources\030\001 \003(\t\022" + + "`\n\noperations\030\002 \003(\0132L.google.identity.ac" + 
"cesscontextmanager.v1.ServicePerimeterCo" - + "nfig.IdentityType\032\200\001\n\tIngressTo\022`\n\nopera" - + "tions\030\001 \003(\0132L.google.identity.accesscont" - + "extmanager.v1.ServicePerimeterConfig.Api" - + "Operation\022\021\n\tresources\030\002 \003(\t\032\321\001\n\rIngress" - + "Policy\022a\n\014ingress_from\030\001 \001(\0132K.google.id" - + "entity.accesscontextmanager.v1.ServicePe" - + "rimeterConfig.IngressFrom\022]\n\ningress_to\030" - + "\002 \001(\0132I.google.identity.accesscontextman" - + "ager.v1.ServicePerimeterConfig.IngressTo" - + "\032\314\001\n\014EgressPolicy\022_\n\013egress_from\030\001 \001(\0132J" - + ".google.identity.accesscontextmanager.v1" - + ".ServicePerimeterConfig.EgressFrom\022[\n\teg" - + "ress_to\030\002 \001(\0132H.google.identity.accessco" - + "ntextmanager.v1.ServicePerimeterConfig.E" - + "gressTo\032\205\001\n\nEgressFrom\022\022\n\nidentities\030\001 \003" - + "(\t\022c\n\ridentity_type\030\002 \001(\0162L.google.ident" - + "ity.accesscontextmanager.v1.ServicePerim" - + "eterConfig.IdentityType\"n\n\014IdentityType\022" - + "\035\n\031IDENTITY_TYPE_UNSPECIFIED\020\000\022\020\n\014ANY_ID" - + "ENTITY\020\001\022\024\n\020ANY_USER_ACCOUNT\020\002\022\027\n\023ANY_SE" - + "RVICE_ACCOUNT\020\003B\253\002\n+com.google.identity." 
- + "accesscontextmanager.v1B\025ServicePerimete" - + "rProtoP\001Z[google.golang.org/genproto/goo" - + "gleapis/identity/accesscontextmanager/v1" - + ";accesscontextmanager\242\002\004GACM\252\002\'Google.Id" - + "entity.AccessContextManager.V1\312\002\'Google\\" - + "Identity\\AccessContextManager\\V1\352\002*Googl" - + "e::Identity::AccessContextManager::V1b\006p" - + "roto3" + + "nfig.ApiOperation\022\032\n\022external_resources\030" + + "\003 \003(\t\032\314\001\n\014EgressPolicy\022_\n\013egress_from\030\001 " + + "\001(\0132J.google.identity.accesscontextmanag" + + "er.v1.ServicePerimeterConfig.EgressFrom\022" + + "[\n\tegress_to\030\002 \001(\0132H.google.identity.acc" + + "esscontextmanager.v1.ServicePerimeterCon" + + "fig.EgressTo\"n\n\014IdentityType\022\035\n\031IDENTITY" + + "_TYPE_UNSPECIFIED\020\000\022\020\n\014ANY_IDENTITY\020\001\022\024\n" + + "\020ANY_USER_ACCOUNT\020\002\022\027\n\023ANY_SERVICE_ACCOU" + + "NT\020\003B\253\002\n+com.google.identity.accessconte" + + "xtmanager.v1B\025ServicePerimeterProtoP\001Z[g" + + "oogle.golang.org/genproto/googleapis/ide" + + "ntity/accesscontextmanager/v1;accesscont" + + "extmanager\242\002\004GACM\252\002\'Google.Identity.Acce" + + "ssContextManager.V1\312\002\'Google\\Identity\\Ac" + + "cessContextManager\\V1\352\002*Google::Identity" + + "::AccessContextManager::V1b\006proto3" }; descriptor = com.google.protobuf.Descriptors.FileDescriptor.internalBuildGeneratedFileFrom( 
@@ -239,20 +239,10 @@ public static com.google.protobuf.Descriptors.FileDescriptor getDescriptor() { new java.lang.String[] { "AccessLevel", "Resource", "Source", }); - internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressTo_descriptor = - internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_descriptor - .getNestedTypes() - .get(4); - internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressTo_fieldAccessorTable = - new com.google.protobuf.GeneratedMessageV3.FieldAccessorTable( - internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressTo_descriptor, - new java.lang.String[] { - "Resources", "Operations", - }); internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressFrom_descriptor = internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_descriptor .getNestedTypes() - .get(5); + .get(4); internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressFrom_fieldAccessorTable = new com.google.protobuf.GeneratedMessageV3.FieldAccessorTable( internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressFrom_descriptor, @@ -262,7 +252,7 @@ public static com.google.protobuf.Descriptors.FileDescriptor getDescriptor() { internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressTo_descriptor = internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_descriptor .getNestedTypes() - .get(6); + .get(5); internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressTo_fieldAccessorTable = new com.google.protobuf.GeneratedMessageV3.FieldAccessorTable( internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressTo_descriptor, 
@@ -272,32 +262,42 @@ public static com.google.protobuf.Descriptors.FileDescriptor getDescriptor() { internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressPolicy_descriptor = internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_descriptor .getNestedTypes() - .get(7); + .get(6); internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressPolicy_fieldAccessorTable = new com.google.protobuf.GeneratedMessageV3.FieldAccessorTable( internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_IngressPolicy_descriptor, new java.lang.String[] { "IngressFrom", "IngressTo", }); - internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressPolicy_descriptor = + internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressFrom_descriptor = + internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_descriptor + .getNestedTypes() + .get(7); + internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressFrom_fieldAccessorTable = + new com.google.protobuf.GeneratedMessageV3.FieldAccessorTable( + internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressFrom_descriptor, + new java.lang.String[] { + "Identities", "IdentityType", + }); + internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressTo_descriptor = internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_descriptor .getNestedTypes() .get(8); - internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressPolicy_fieldAccessorTable = + internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressTo_fieldAccessorTable = new com.google.protobuf.GeneratedMessageV3.FieldAccessorTable( - internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressPolicy_descriptor, + 
internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressTo_descriptor, new java.lang.String[] { - "EgressFrom", "EgressTo", + "Resources", "Operations", "ExternalResources", }); - internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressFrom_descriptor = + internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressPolicy_descriptor = internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_descriptor .getNestedTypes() .get(9); - internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressFrom_fieldAccessorTable = + internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressPolicy_fieldAccessorTable = new com.google.protobuf.GeneratedMessageV3.FieldAccessorTable( - internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressFrom_descriptor, + internal_static_google_identity_accesscontextmanager_v1_ServicePerimeterConfig_EgressPolicy_descriptor, new java.lang.String[] { - "Identities", "IdentityType", + "EgressFrom", "EgressTo", }); com.google.protobuf.ExtensionRegistry registry = com.google.protobuf.ExtensionRegistry.newInstance(); diff --git a/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/proto/google/identity/accesscontextmanager/v1/access_context_manager.proto b/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/proto/google/identity/accesscontextmanager/v1/access_context_manager.proto index 84a645018038..3a71d81f34e0 100644 --- a/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/proto/google/identity/accesscontextmanager/v1/access_context_manager.proto +++ b/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/proto/google/identity/accesscontextmanager/v1/access_context_manager.proto 
@@ -1,4 +1,4 @@ -// Copyright 2021 Google LLC +// Copyright 2022 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -20,6 +20,8 @@ import "google/api/annotations.proto"; import "google/api/client.proto"; import "google/api/field_behavior.proto"; import "google/api/resource.proto"; +import "google/iam/v1/iam_policy.proto"; +import "google/iam/v1/policy.proto"; import "google/identity/accesscontextmanager/v1/access_level.proto"; import "google/identity/accesscontextmanager/v1/access_policy.proto"; import "google/identity/accesscontextmanager/v1/gcp_user_access_binding.proto"; 
@@ -36,32 +38,32 @@ option objc_class_prefix = "GACM"; option php_namespace = "Google\\Identity\\AccessContextManager\\V1"; option ruby_package = "Google::Identity::AccessContextManager::V1"; -// API for setting [Access Levels] -// [google.identity.accesscontextmanager.v1.AccessLevel] and [Service -// Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] -// for Google Cloud Projects. Each organization has one [AccessPolicy] -// [google.identity.accesscontextmanager.v1.AccessPolicy] containing the -// [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel] -// and [Service Perimeters] +// API for setting [access levels] +// [google.identity.accesscontextmanager.v1.AccessLevel] and [service +// perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] +// for Google Cloud projects. Each organization has one [access policy] +// [google.identity.accesscontextmanager.v1.AccessPolicy] that contains the +// [access levels] [google.identity.accesscontextmanager.v1.AccessLevel] +// and [service perimeters] // [google.identity.accesscontextmanager.v1.ServicePerimeter]. This -// [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy] is +// [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy] is // applicable to all resources in the organization. // AccessPolicies service AccessContextManager { option (google.api.default_host) = "accesscontextmanager.googleapis.com"; option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform"; - // List all [AccessPolicies] - // [google.identity.accesscontextmanager.v1.AccessPolicy] under a - // container. + // Lists all [access policies] + // [google.identity.accesscontextmanager.v1.AccessPolicy] in an + // organization. 
rpc ListAccessPolicies(ListAccessPoliciesRequest) returns (ListAccessPoliciesResponse) { option (google.api.http) = { get: "/v1/accessPolicies" }; } - // Get an [AccessPolicy] - // [google.identity.accesscontextmanager.v1.AccessPolicy] by name. + // Returns an [access policy] + // [google.identity.accesscontextmanager.v1.AccessPolicy] based on the name. rpc GetAccessPolicy(GetAccessPolicyRequest) returns (AccessPolicy) { option (google.api.http) = { get: "/v1/{name=accessPolicies/*}" @@ -69,10 +71,10 @@ service AccessContextManager { option (google.api.method_signature) = "name"; } - // Create an `AccessPolicy`. Fails if this organization already has a - // `AccessPolicy`. The longrunning Operation will have a successful status - // once the `AccessPolicy` has propagated to long-lasting storage. - // Syntactic and basic semantic errors will be returned in `metadata` as a + // Creates an access policy. This method fails if the organization already has + // an access policy. The long-running operation has a successful status + // after the access policy propagates to long-lasting storage. + // Syntactic and basic semantic errors are returned in `metadata` as a // BadRequest proto. rpc CreateAccessPolicy(AccessPolicy) returns (google.longrunning.Operation) { option (google.api.http) = { 
@@ -85,13 +87,12 @@ service AccessContextManager { }; } - // Update an [AccessPolicy] + // Updates an [access policy] // [google.identity.accesscontextmanager.v1.AccessPolicy]. The - // longrunning Operation from this RPC will have a successful status once the - // changes to the [AccessPolicy] - // [google.identity.accesscontextmanager.v1.AccessPolicy] have propagated - // to long-lasting storage. Syntactic and basic semantic errors will be - // returned in `metadata` as a BadRequest proto. + // long-running operation from this RPC has a successful status after the + // changes to the [access policy] + // [google.identity.accesscontextmanager.v1.AccessPolicy] propagate + // to long-lasting storage. rpc UpdateAccessPolicy(UpdateAccessPolicyRequest) returns (google.longrunning.Operation) { option (google.api.http) = { patch: "/v1/{policy.name=accessPolicies/*}" @@ -104,11 +105,11 @@ service AccessContextManager { }; } - // Delete an [AccessPolicy] - // [google.identity.accesscontextmanager.v1.AccessPolicy] by resource - // name. The longrunning Operation will have a successful status once the - // [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy] - // has been removed from long-lasting storage. + // Deletes an [access policy] + // [google.identity.accesscontextmanager.v1.AccessPolicy] based on the + // resource name. The long-running operation has a successful status after the + // [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy] + // is removed from long-lasting storage. rpc DeleteAccessPolicy(DeleteAccessPolicyRequest) returns (google.longrunning.Operation) { option (google.api.http) = { delete: "/v1/{name=accessPolicies/*}" @@ -120,7 +121,7 @@ service AccessContextManager { }; } - // List all [Access Levels] + // Lists all [access levels] // [google.identity.accesscontextmanager.v1.AccessLevel] for an access // policy. rpc ListAccessLevels(ListAccessLevelsRequest) returns (ListAccessLevelsResponse) { 
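Review bot: The rewritten UpdateAccessPolicy comment in the first hunk on this line (`-85,13 +87,12`) drops the sentence saying that syntactic and basic semantic errors are returned in the metadata field as a BadRequest proto. The CreateAccessPolicy comment reworded earlier in this commit keeps that sentence. If update errors are still reported that way, keep the sentence in its new present-tense form; if the behaviour changed, the commit description should say so, because the diff alone does not show which is the case. The enclosing `service AccessContextManager` block starts and ends outside this hunk.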
@@ -130,8 +131,8 @@ service AccessContextManager { option (google.api.method_signature) = "parent"; } - // Get an [Access Level] - // [google.identity.accesscontextmanager.v1.AccessLevel] by resource + // Gets an [access level] + // [google.identity.accesscontextmanager.v1.AccessLevel] based on the resource // name. rpc GetAccessLevel(GetAccessLevelRequest) returns (AccessLevel) { option (google.api.http) = { @@ -140,13 +141,13 @@ service AccessContextManager { option (google.api.method_signature) = "name"; } - // Create an [Access Level] - // [google.identity.accesscontextmanager.v1.AccessLevel]. The longrunning - // operation from this RPC will have a successful status once the [Access - // Level] [google.identity.accesscontextmanager.v1.AccessLevel] has - // propagated to long-lasting storage. [Access Levels] - // [google.identity.accesscontextmanager.v1.AccessLevel] containing - // errors will result in an error response for the first error encountered. + // Creates an [access level] + // [google.identity.accesscontextmanager.v1.AccessLevel]. The long-running + // operation from this RPC has a successful status after the [access + // level] [google.identity.accesscontextmanager.v1.AccessLevel] + // propagates to long-lasting storage. If [access levels] + // [google.identity.accesscontextmanager.v1.AccessLevel] contain + // errors, an error response is returned for the first error encountered. rpc CreateAccessLevel(CreateAccessLevelRequest) returns (google.longrunning.Operation) { option (google.api.http) = { post: "/v1/{parent=accessPolicies/*}/accessLevels" 
@@ -159,14 +160,14 @@ service AccessContextManager { }; } - // Update an [Access Level] - // [google.identity.accesscontextmanager.v1.AccessLevel]. The longrunning - // operation from this RPC will have a successful status once the changes to - // the [Access Level] - // [google.identity.accesscontextmanager.v1.AccessLevel] have propagated - // to long-lasting storage. [Access Levels] - // [google.identity.accesscontextmanager.v1.AccessLevel] containing - // errors will result in an error response for the first error encountered. + // Updates an [access level] + // [google.identity.accesscontextmanager.v1.AccessLevel]. The long-running + // operation from this RPC has a successful status after the changes to + // the [access level] + // [google.identity.accesscontextmanager.v1.AccessLevel] propagate + // to long-lasting storage. If [access levels] + // [google.identity.accesscontextmanager.v1.AccessLevel] contain + // errors, an error response is returned for the first error encountered. rpc UpdateAccessLevel(UpdateAccessLevelRequest) returns (google.longrunning.Operation) { option (google.api.http) = { patch: "/v1/{access_level.name=accessPolicies/*/accessLevels/*}" @@ -179,10 +180,10 @@ service AccessContextManager { }; } - // Delete an [Access Level] - // [google.identity.accesscontextmanager.v1.AccessLevel] by resource - // name. The longrunning operation from this RPC will have a successful status - // once the [Access Level] + // Deletes an [access level] + // [google.identity.accesscontextmanager.v1.AccessLevel] based on the resource + // name. The long-running operation from this RPC has a successful status + // after the [access level] // [google.identity.accesscontextmanager.v1.AccessLevel] has been removed // from long-lasting storage. rpc DeleteAccessLevel(DeleteAccessLevelRequest) returns (google.longrunning.Operation) { 
@@ -196,22 +197,22 @@ service AccessContextManager { }; } - // Replace all existing [Access Levels] - // [google.identity.accesscontextmanager.v1.AccessLevel] in an [Access - // Policy] [google.identity.accesscontextmanager.v1.AccessPolicy] with - // the [Access Levels] + // Replaces all existing [access levels] + // [google.identity.accesscontextmanager.v1.AccessLevel] in an [access + // policy] [google.identity.accesscontextmanager.v1.AccessPolicy] with + // the [access levels] // [google.identity.accesscontextmanager.v1.AccessLevel] provided. This - // is done atomically. The longrunning operation from this RPC will have a - // successful status once all replacements have propagated to long-lasting - // storage. Replacements containing errors will result in an error response - // for the first error encountered. Replacement will be cancelled on error, - // existing [Access Levels] - // [google.identity.accesscontextmanager.v1.AccessLevel] will not be - // affected. Operation.response field will contain - // ReplaceAccessLevelsResponse. Removing [Access Levels] + // is done atomically. The long-running operation from this RPC has a + // successful status after all replacements propagate to long-lasting + // storage. If the replacement contains errors, an error response is returned + // for the first error encountered. Upon error, the replacement is cancelled, + // and existing [access levels] + // [google.identity.accesscontextmanager.v1.AccessLevel] are not + // affected. The Operation.response field contains + // ReplaceAccessLevelsResponse. Removing [access levels] // [google.identity.accesscontextmanager.v1.AccessLevel] contained in existing - // [Service Perimeters] - // [google.identity.accesscontextmanager.v1.ServicePerimeter] will result in + // [service perimeters] + // [google.identity.accesscontextmanager.v1.ServicePerimeter] result in an // error. 
rpc ReplaceAccessLevels(ReplaceAccessLevelsRequest) returns (google.longrunning.Operation) { option (google.api.http) = { @@ -224,7 +225,7 @@ service AccessContextManager { }; } - // List all [Service Perimeters] + // Lists all [service perimeters] // [google.identity.accesscontextmanager.v1.ServicePerimeter] for an // access policy. rpc ListServicePerimeters(ListServicePerimetersRequest) returns (ListServicePerimetersResponse) { @@ -234,9 +235,9 @@ service AccessContextManager { option (google.api.method_signature) = "parent"; } - // Get a [Service Perimeter] - // [google.identity.accesscontextmanager.v1.ServicePerimeter] by resource - // name. + // Gets a [service perimeter] + // [google.identity.accesscontextmanager.v1.ServicePerimeter] based on the + // resource name. rpc GetServicePerimeter(GetServicePerimeterRequest) returns (ServicePerimeter) { option (google.api.http) = { get: "/v1/{name=accessPolicies/*/servicePerimeters/*}" 
@@ -244,14 +245,14 @@ service AccessContextManager { option (google.api.method_signature) = "name"; } - // Create a [Service Perimeter] + // Creates a [service perimeter] // [google.identity.accesscontextmanager.v1.ServicePerimeter]. The - // longrunning operation from this RPC will have a successful status once the - // [Service Perimeter] - // [google.identity.accesscontextmanager.v1.ServicePerimeter] has - // propagated to long-lasting storage. [Service Perimeters] - // [google.identity.accesscontextmanager.v1.ServicePerimeter] containing - // errors will result in an error response for the first error encountered. + // long-running operation from this RPC has a successful status after the + // [service perimeter] + // [google.identity.accesscontextmanager.v1.ServicePerimeter] + // propagates to long-lasting storage. If a [service perimeter] + // [google.identity.accesscontextmanager.v1.ServicePerimeter] contains + // errors, an error response is returned for the first error encountered. rpc CreateServicePerimeter(CreateServicePerimeterRequest) returns (google.longrunning.Operation) { option (google.api.http) = { post: "/v1/{parent=accessPolicies/*}/servicePerimeters" 
@@ -264,14 +265,14 @@ service AccessContextManager { }; } - // Update a [Service Perimeter] + // Updates a [service perimeter] // [google.identity.accesscontextmanager.v1.ServicePerimeter]. The - // longrunning operation from this RPC will have a successful status once the - // changes to the [Service Perimeter] - // [google.identity.accesscontextmanager.v1.ServicePerimeter] have - // propagated to long-lasting storage. [Service Perimeter] - // [google.identity.accesscontextmanager.v1.ServicePerimeter] containing - // errors will result in an error response for the first error encountered. + // long-running operation from this RPC has a successful status after the + // [service perimeter] + // [google.identity.accesscontextmanager.v1.ServicePerimeter] + // propagates to long-lasting storage. If a [service perimeter] + // [google.identity.accesscontextmanager.v1.ServicePerimeter] contains + // errors, an error response is returned for the first error encountered. rpc UpdateServicePerimeter(UpdateServicePerimeterRequest) returns (google.longrunning.Operation) { option (google.api.http) = { patch: "/v1/{service_perimeter.name=accessPolicies/*/servicePerimeters/*}" 
@@ -284,12 +285,12 @@ service AccessContextManager { }; } - // Delete a [Service Perimeter] - // [google.identity.accesscontextmanager.v1.ServicePerimeter] by resource - // name. The longrunning operation from this RPC will have a successful status - // once the [Service Perimeter] - // [google.identity.accesscontextmanager.v1.ServicePerimeter] has been - // removed from long-lasting storage. + // Deletes a [service perimeter] + // [google.identity.accesscontextmanager.v1.ServicePerimeter] based on the + // resource name. The long-running operation from this RPC has a successful + // status after the [service perimeter] + // [google.identity.accesscontextmanager.v1.ServicePerimeter] is removed from + // long-lasting storage. rpc DeleteServicePerimeter(DeleteServicePerimeterRequest) returns (google.longrunning.Operation) { option (google.api.http) = { delete: "/v1/{name=accessPolicies/*/servicePerimeters/*}" 
@@ -301,18 +302,18 @@ service AccessContextManager { }; } - // Replace all existing [Service Perimeters] - // [google.identity.accesscontextmanager.v1.ServicePerimeter] in an - // [Access Policy] [google.identity.accesscontextmanager.v1.AccessPolicy] - // with the [Service Perimeters] - // [google.identity.accesscontextmanager.v1.ServicePerimeter] provided. - // This is done atomically. The longrunning operation from this - // RPC will have a successful status once all replacements have propagated to - // long-lasting storage. Replacements containing errors will result in an - // error response for the first error encountered. Replacement will be - // cancelled on error, existing [Service Perimeters] - // [google.identity.accesscontextmanager.v1.ServicePerimeter] will not be - // affected. Operation.response field will contain + // Replace all existing [service perimeters] + // [google.identity.accesscontextmanager.v1.ServicePerimeter] in an [access + // policy] [google.identity.accesscontextmanager.v1.AccessPolicy] with the + // [service perimeters] + // [google.identity.accesscontextmanager.v1.ServicePerimeter] provided. This + // is done atomically. The long-running operation from this RPC has a + // successful status after all replacements propagate to long-lasting storage. + // Replacements containing errors result in an error response for the first + // error encountered. Upon an error, replacement are cancelled and existing + // [service perimeters] + // [google.identity.accesscontextmanager.v1.ServicePerimeter] are not + // affected. The Operation.response field contains // ReplaceServicePerimetersResponse. rpc ReplaceServicePerimeters(ReplaceServicePerimetersRequest) returns (google.longrunning.Operation) { option (google.api.http) = { 
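Review bot: The new ReplaceServicePerimeters comment still opens with `Replace all existing`, where the ReplaceAccessLevels comment in this commit became `Replaces all existing`, and `Upon an error, replacement are cancelled` has a number mismatch. Suggest `// Replaces all existing [service perimeters]` for the first line and `Upon an error, the replacement is cancelled and existing` for the second, rewrapped to the file's line width. This comment documents an atomic replace of every perimeter in an access policy, so the cancel-on-error sentence should read as unambiguously as its ReplaceAccessLevels counterpart. The service block starts and ends outside the hunk.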
@@ -325,21 +326,21 @@ service AccessContextManager { }; } - // Commit the dry-run spec for all the [Service Perimeters] + // Commits the dry-run specification for all the [service perimeters] // [google.identity.accesscontextmanager.v1.ServicePerimeter] in an - // [Access Policy][google.identity.accesscontextmanager.v1.AccessPolicy]. - // A commit operation on a Service Perimeter involves copying its `spec` field - // to that Service Perimeter's `status` field. Only [Service Perimeters] + // [access policy][google.identity.accesscontextmanager.v1.AccessPolicy]. + // A commit operation on a service perimeter involves copying its `spec` field + // to the `status` field of the service perimeter. Only [service perimeters] // [google.identity.accesscontextmanager.v1.ServicePerimeter] with // `use_explicit_dry_run_spec` field set to true are affected by a commit - // operation. The longrunning operation from this RPC will have a successful - // status once the dry-run specs for all the [Service Perimeters] + // operation. The long-running operation from this RPC has a successful + // status after the dry-run specifications for all the [service perimeters] // [google.identity.accesscontextmanager.v1.ServicePerimeter] have been - // committed. If a commit fails, it will cause the longrunning operation to - // return an error response and the entire commit operation will be cancelled. - // When successful, Operation.response field will contain - // CommitServicePerimetersResponse. The `dry_run` and the `spec` fields will - // be cleared after a successful commit operation. + // committed. If a commit fails, it causes the long-running operation to + // return an error response and the entire commit operation is cancelled. + // When successful, the Operation.response field contains + // CommitServicePerimetersResponse. The `dry_run` and the `spec` fields are + // cleared after a successful commit operation. 
rpc CommitServicePerimeters(CommitServicePerimetersRequest) returns (google.longrunning.Operation) { option (google.api.http) = { post: "/v1/{parent=accessPolicies/*}/servicePerimeters:commit" @@ -375,7 +376,7 @@ service AccessContextManager { // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding]. If the // client specifies a [name] // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.name], - // the server will ignore it. Fails if a resource already exists with the same + // the server ignores it. Fails if a resource already exists with the same // [group_key] // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.group_key]. // Completion of this long-running operation does not necessarily signify that 
@@ -425,6 +426,49 @@ service AccessContextManager { metadata_type: "GcpUserAccessBindingOperationMetadata" }; } + + // Sets the IAM policy for the specified Access Context Manager + // [access policy][google.identity.accesscontextmanager.v1.AccessPolicy]. + // This method replaces the existing IAM policy on the access policy. The IAM + // policy controls the set of users who can perform specific operations on the + // Access Context Manager [access + // policy][google.identity.accesscontextmanager.v1.AccessPolicy]. + rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy) { + option (google.api.http) = { + post: "/v1/{resource=accessPolicies/*}:setIamPolicy" + body: "*" + }; + } + + // Gets the IAM policy for the specified Access Context Manager + // [access policy][google.identity.accesscontextmanager.v1.AccessPolicy]. + rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy) { + option (google.api.http) = { + post: "/v1/{resource=accessPolicies/*}:getIamPolicy" + body: "*" + }; + } + + // Returns the IAM permissions that the caller has on the specified Access + // Context Manager resource. The resource can be an + // [AccessPolicy][google.identity.accesscontextmanager.v1.AccessPolicy], + // [AccessLevel][google.identity.accesscontextmanager.v1.AccessLevel], or + // [ServicePerimeter][google.identity.accesscontextmanager.v1.ServicePerimeter + // ]. This method does not support other resources. 
+ rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse) { + option (google.api.http) = { + post: "/v1/{resource=accessPolicies/*}:testIamPermissions" + body: "*" + additional_bindings { + post: "/v1/{resource=accessPolicies/*/accessLevels/*}:testIamPermissions" + body: "*" + } + additional_bindings { + post: "/v1/{resource=accessPolicies/*/servicePerimeters/*}:testIamPermissions" + body: "*" + } + }; + } } // A request to list all `AccessPolicies` for a container. @@ -807,7 +851,7 @@ message CommitServicePerimetersRequest { ]; // Optional. The etag for the version of the [Access Policy] - // [google.identity.accesscontextmanager.v1alpha.AccessPolicy] that this + // [google.identity.accesscontextmanager.v1.AccessPolicy] that this // commit operation is to be performed on. If, at the time of commit, the // etag for the Access Policy stored in Access Context Manager is different // from the specified etag, then the commit operation will not be performed @@ -826,6 +870,20 @@ message CommitServicePerimetersResponse { repeated ServicePerimeter service_perimeters = 1; } +// The format used in an `AccessLevel`. +enum LevelFormat { + // The format was not specified. + LEVEL_FORMAT_UNSPECIFIED = 0; + + // Uses the format the resource was defined in. BasicLevels are returned as + // BasicLevels, CustomLevels are returned as CustomLevels. + AS_DEFINED = 1; + + // Use Cloud Common Expression Language when returning the resource. Both + // BasicLevels and CustomLevels are returned as CustomLevels. + CEL = 2; +} + // Request of [ListGcpUserAccessBindings] // [google.identity.accesscontextmanager.v1.AccessContextManager.ListGcpUserAccessBindings]. message ListGcpUserAccessBindingsRequest { 
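Review bot: The `SetIamPolicy` comment in the hunk that adds the three IAM RPCs says the call replaces the existing IAM policy, but it does not tell callers how to avoid overwriting a concurrent change, which on an access-control resource can silently drop or restore a binding. I would add a sentence such as `// To avoid overwriting concurrent changes, read the policy with GetIamPolicy, modify it, and send it back with its etag.` Separately, the `TestIamPermissions` comment wraps the closing bracket of the `[ServicePerimeter][...]` reference onto its own comment line (`// ]. This method does not support other resources.`), which probably breaks the cross-reference in generated documentation; re-wrap it so the reference stays intact. It would also help to state in the `SetIamPolicy` and `GetIamPolicy` comments that they are bound only to `accessPolicies/*`, whereas `TestIamPermissions` also accepts access levels and service perimeters.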
@@ -848,20 +906,6 @@ message ListGcpUserAccessBindingsRequest { string page_token = 3 [(google.api.field_behavior) = OPTIONAL]; } -// The format used in an `AccessLevel`. -enum LevelFormat { - // The format was not specified. - LEVEL_FORMAT_UNSPECIFIED = 0; - - // Uses the format the resource was defined in. BasicLevels are returned as - // BasicLevels, CustomLevels are returned as CustomLevels. - AS_DEFINED = 1; - - // Use Cloud Common Expression Language when returning the resource. Both - // BasicLevels and CustomLevels are returned as CustomLevels. - CEL = 2; -} - // Response of [ListGcpUserAccessBindings] // [google.identity.accesscontextmanager.v1.AccessContextManager.ListGcpUserAccessBindings]. message ListGcpUserAccessBindingsResponse { diff --git a/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/proto/google/identity/accesscontextmanager/v1/access_level.proto b/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/proto/google/identity/accesscontextmanager/v1/access_level.proto index c4eece0a5df0..b7b9c75c620e 100644 --- a/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/proto/google/identity/accesscontextmanager/v1/access_level.proto +++ b/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/proto/google/identity/accesscontextmanager/v1/access_level.proto @@ -1,4 +1,4 @@ -// Copyright 2021 Google LLC +// Copyright 2022 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. diff --git a/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/proto/google/identity/accesscontextmanager/v1/access_policy.proto b/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/proto/google/identity/accesscontextmanager/v1/access_policy.proto index 59f2d9119d0a..747464784573 100644 
--- a/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/proto/google/identity/accesscontextmanager/v1/access_policy.proto +++ b/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/proto/google/identity/accesscontextmanager/v1/access_policy.proto @@ -1,4 +1,4 @@ -// Copyright 2021 Google LLC +// Copyright 2022 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -51,6 +51,22 @@ message AccessPolicy { // Required. Human readable title. Does not affect behavior. string title = 3; + // The scopes of a policy define which resources an ACM policy can restrict, + // and where ACM resources can be referenced. + // For example, a policy with scopes=["folders/123"] has the following + // behavior: + // - vpcsc perimeters can only restrict projects within folders/123 + // - access levels can only be referenced by resources within folders/123. + // If empty, there are no limitations on which resources can be restricted by + // an ACM policy, and there are no limitations on where ACM resources can be + // referenced. + // Only one policy can include a given scope (attempting to create a second + // policy which includes "folders/123" will result in an error). + // Currently, scopes cannot be modified after a policy is created. + // Currently, policies can only have a single scope. + // Format: list of `folders/{folder_number}` or `projects/{project_number}` + repeated string scopes = 7; + // Output only. Time the `AccessPolicy` was created in UTC. google.protobuf.Timestamp create_time = 4; 
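Review bot: The comment on the new `scopes` field states two constraints, that scopes cannot be modified after creation and that a policy can have only one scope, but the declaration `repeated string scopes = 7;` expresses neither. If this file imports `google/api/field_behavior.proto` (the import list is outside the hunk, as are the start and end of `AccessPolicy`), `repeated string scopes = 7 [(google.api.field_behavior) = IMMUTABLE];` would make the first constraint machine-readable. Because an empty list means the policy places no limit on which resources it can restrict, the comment should also say whether a request with more than one entry, or an update that changes the list, is rejected or ignored. `vpcsc` and `ACM` are unexplained abbreviations here; spelling them out as VPC Service Controls and Access Context Manager would make the comment readable on its own.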
diff --git a/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/proto/google/identity/accesscontextmanager/v1/gcp_user_access_binding.proto b/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/proto/google/identity/accesscontextmanager/v1/gcp_user_access_binding.proto index 28e06a68ab4f..5dbded9cc493 100644 --- a/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/proto/google/identity/accesscontextmanager/v1/gcp_user_access_binding.proto +++ b/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/proto/google/identity/accesscontextmanager/v1/gcp_user_access_binding.proto @@ -1,4 +1,4 @@ -// Copyright 2021 Google LLC +// Copyright 2022 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. diff --git a/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/proto/google/identity/accesscontextmanager/v1/service_perimeter.proto b/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/proto/google/identity/accesscontextmanager/v1/service_perimeter.proto index 3a676d22e9d4..c0851cbe1d97 100644 --- a/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/proto/google/identity/accesscontextmanager/v1/service_perimeter.proto +++ b/java-accesscontextmanager/proto-google-identity-accesscontextmanager-v1/src/main/proto/google/identity/accesscontextmanager/v1/service_perimeter.proto @@ -1,4 +1,4 @@ -// Copyright 2021 Google LLC +// Copyright 2022 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
@@ -135,6 +135,26 @@ message ServicePerimeterConfig { repeated string allowed_services = 2; } + // Specifies the types of identities that are allowed access in either + // [IngressFrom] + // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom] + // or [EgressFrom] + // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom] + // rules. + enum IdentityType { + // No blanket identity group specified. + IDENTITY_TYPE_UNSPECIFIED = 0; + + // Authorize access from all identities outside the perimeter. + ANY_IDENTITY = 1; + + // Authorize access from all human users outside the perimeter. + ANY_USER_ACCOUNT = 2; + + // Authorize access from all service accounts outside the perimeter. + ANY_SERVICE_ACCOUNT = 3; + } + // An allowed method or permission of a service specified in [ApiOperation] // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]. message MethodSelector { 
@@ -213,41 +233,6 @@ message ServicePerimeterConfig { } } - // Defines the conditions under which an [EgressPolicy] - // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy] - // matches a request. Conditions are based on information about the - // [ApiOperation] - // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation] - // intended to be performed on the `resources` specified. Note that if the - // destination of the request is also protected by a [ServicePerimeter] - // [google.identity.accesscontextmanager.v1.ServicePerimeter], then that - // [ServicePerimeter] - // [google.identity.accesscontextmanager.v1.ServicePerimeter] must have - // an [IngressPolicy] - // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy] - // which allows access in order for this request to succeed. The request must - // match `operations` AND `resources` fields in order to be allowed egress out - // of the perimeter. - message EgressTo { - // A list of resources, currently only projects in the form - // `projects/`, that are allowed to be accessed by sources - // defined in the corresponding [EgressFrom] - // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom]. - // A request matches if it contains a resource in this list. If `*` is - // specified for `resources`, then this [EgressTo] - // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo] - // rule will authorize access to all resources outside the perimeter. - repeated string resources = 1; - - // A list of [ApiOperations] - // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation] - // allowed to be performed by the sources specified in the corresponding - // [EgressFrom] - // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom]. - // A request matches if it uses an operation/service in this list. 
- repeated ApiOperation operations = 2; - } - // Defines the conditions under which an [IngressPolicy] // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy] // matches a request. Conditions are based on information about the source of 
@@ -334,6 +319,72 @@ message ServicePerimeterConfig { IngressTo ingress_to = 2; } + // Defines the conditions under which an [EgressPolicy] + // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy] + // matches a request. Conditions based on information about the source of the + // request. Note that if the destination of the request is also protected by a + // [ServicePerimeter] + // [google.identity.accesscontextmanager.v1.ServicePerimeter], then that + // [ServicePerimeter] + // [google.identity.accesscontextmanager.v1.ServicePerimeter] must have + // an [IngressPolicy] + // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy] + // which allows access in order for this request to succeed. + message EgressFrom { + // A list of identities that are allowed access through this [EgressPolicy]. + // Should be in the format of email address. The email address should + // represent individual user or service account only. + repeated string identities = 1; + + // Specifies the type of identities that are allowed access to outside the + // perimeter. If left unspecified, then members of `identities` field will + // be allowed access. + IdentityType identity_type = 2; + } + + // Defines the conditions under which an [EgressPolicy] + // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy] + // matches a request. Conditions are based on information about the + // [ApiOperation] + // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation] + // intended to be performed on the `resources` specified. 
Note that if the + // destination of the request is also protected by a [ServicePerimeter] + // [google.identity.accesscontextmanager.v1.ServicePerimeter], then that + // [ServicePerimeter] + // [google.identity.accesscontextmanager.v1.ServicePerimeter] must have + // an [IngressPolicy] + // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy] + // which allows access in order for this request to succeed. The request must + // match `operations` AND `resources` fields in order to be allowed egress out + // of the perimeter. + message EgressTo { + // A list of resources, currently only projects in the form + // `projects/`, that are allowed to be accessed by sources + // defined in the corresponding [EgressFrom] + // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom]. + // A request matches if it contains a resource in this list. If `*` is + // specified for `resources`, then this [EgressTo] + // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo] + // rule will authorize access to all resources outside the perimeter. + repeated string resources = 1; + + // A list of [ApiOperations] + // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation] + // allowed to be performed by the sources specified in the corresponding + // [EgressFrom] + // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom]. + // A request matches if it uses an operation/service in this list. + repeated ApiOperation operations = 2; + + // A list of external resources that are allowed to be accessed. Only AWS + // and Azure resources are supported. For Amazon S3, the supported format is + // s3://BUCKET_NAME. For Azure Storage, the supported format is + // azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches + // if it contains an external resource in this list (Example: + // s3://bucket/path). Currently '*' is not allowed. 
+ repeated string external_resources = 3; + } + // Policy for egress from perimeter. // // [EgressPolicies] 
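Review bot: The comment on the new `external_resources` field gives the supported format as `s3://BUCKET_NAME` but the example of a matching request as `s3://bucket/path`, so it is unclear whether matching is exact or by bucket prefix. For an egress rule that difference decides which objects can leave the perimeter, so the comment should state it. The `EgressTo` message comment still says a request must match `operations` AND `resources`, and does not say how `external_resources` combines with `resources`. Once the intended semantics are confirmed, I would extend it along the lines of `// A request to an external resource must match operations AND external_resources.` `ServicePerimeterConfig` begins and ends outside the hunk.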
@@ -376,49 +427,6 @@ message ServicePerimeterConfig { EgressTo egress_to = 2; } - // Defines the conditions under which an [EgressPolicy] - // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy] - // matches a request. Conditions based on information about the source of the - // request. Note that if the destination of the request is also protected by a - // [ServicePerimeter] - // [google.identity.accesscontextmanager.v1.ServicePerimeter], then that - // [ServicePerimeter] - // [google.identity.accesscontextmanager.v1.ServicePerimeter] must have - // an [IngressPolicy] - // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy] - // which allows access in order for this request to succeed. - message EgressFrom { - // A list of identities that are allowed access through this [EgressPolicy]. - // Should be in the format of email address. The email address should - // represent individual user or service account only. - repeated string identities = 1; - - // Specifies the type of identities that are allowed access to outside the - // perimeter. If left unspecified, then members of `identities` field will - // be allowed access. - IdentityType identity_type = 2; - } - - // Specifies the types of identities that are allowed access in either - // [IngressFrom] - // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom] - // or [EgressFrom] - // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom] - // rules. - enum IdentityType { - // No blanket identity group specified. - IDENTITY_TYPE_UNSPECIFIED = 0; - - // Authorize access from all identities outside the perimeter. - ANY_IDENTITY = 1; - - // Authorize access from all human users outside the perimeter. - ANY_USER_ACCOUNT = 2; - - // Authorize access from all service accounts outside the perimeter. - ANY_SERVICE_ACCOUNT = 3; - } - // A list of Google Cloud resources that are inside of the service perimeter. 
// Currently only projects are allowed. Format: `projects/{project_number}` repeated string resources = 1;