| <html><body> |
| <style> |
| |
| body, h1, h2, h3, div, span, p, pre, a { |
| margin: 0; |
| padding: 0; |
| border: 0; |
| font-weight: inherit; |
| font-style: inherit; |
| font-size: 100%; |
| font-family: inherit; |
| vertical-align: baseline; |
| } |
| |
| body { |
| font-size: 13px; |
| padding: 1em; |
| } |
| |
| h1 { |
| font-size: 26px; |
| margin-bottom: 1em; |
| } |
| |
| h2 { |
| font-size: 24px; |
| margin-bottom: 1em; |
| } |
| |
| h3 { |
| font-size: 20px; |
| margin-bottom: 1em; |
| margin-top: 1em; |
| } |
| |
| pre, code { |
| line-height: 1.5; |
| font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; |
| } |
| |
| pre { |
| margin-top: 0.5em; |
| } |
| |
| h1, h2, h3, p { |
| font-family: Arial, sans serif; |
| } |
| |
| h1, h2, h3 { |
| border-bottom: solid #CCC 1px; |
| } |
| |
| .toc_element { |
| margin-top: 0.5em; |
| } |
| |
| .firstline { |
| margin-left: 2 em; |
| } |
| |
| .method { |
| margin-top: 1em; |
| border: solid 1px #CCC; |
| padding: 1em; |
| background: #EEE; |
| } |
| |
| .details { |
| font-weight: bold; |
| font-size: 14px; |
| } |
| |
| </style> |
| |
| <h1><a href="cloudresourcemanager_v1.html">Google Cloud Resource Manager API</a> . <a href="cloudresourcemanager_v1.projects.html">projects</a></h1> |
| <h2>Instance Methods</h2> |
| <p class="toc_element"> |
| <code><a href="#clearOrgPolicy">clearOrgPolicy(resource, body, x__xgafv=None)</a></code></p> |
| <p class="firstline">Clears a `Policy` from a resource.</p> |
| <p class="toc_element"> |
| <code><a href="#create">create(body, x__xgafv=None)</a></code></p> |
| <p class="firstline">Request that a new Project be created. The result is an Operation which</p> |
| <p class="toc_element"> |
| <code><a href="#delete">delete(projectId, x__xgafv=None)</a></code></p> |
| <p class="firstline">Marks the Project identified by the specified</p> |
| <p class="toc_element"> |
| <code><a href="#get">get(projectId, x__xgafv=None)</a></code></p> |
| <p class="firstline">Retrieves the Project identified by the specified</p> |
| <p class="toc_element"> |
| <code><a href="#getAncestry">getAncestry(projectId, body, x__xgafv=None)</a></code></p> |
| <p class="firstline">Gets a list of ancestors in the resource hierarchy for the Project</p> |
| <p class="toc_element"> |
| <code><a href="#getEffectiveOrgPolicy">getEffectiveOrgPolicy(resource, body, x__xgafv=None)</a></code></p> |
| <p class="firstline">Gets the effective `Policy` on a resource. This is the result of merging</p> |
| <p class="toc_element"> |
| <code><a href="#getIamPolicy">getIamPolicy(resource, body, x__xgafv=None)</a></code></p> |
| <p class="firstline">Returns the IAM access control policy for the specified Project.</p> |
| <p class="toc_element"> |
| <code><a href="#getOrgPolicy">getOrgPolicy(resource, body, x__xgafv=None)</a></code></p> |
| <p class="firstline">Gets a `Policy` on a resource.</p> |
| <p class="toc_element"> |
| <code><a href="#list">list(pageSize=None, filter=None, pageToken=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Lists Projects that are visible to the user and satisfy the</p> |
| <p class="toc_element"> |
| <code><a href="#listAvailableOrgPolicyConstraints">listAvailableOrgPolicyConstraints(resource, body, x__xgafv=None)</a></code></p> |
| <p class="firstline">Lists `Constraints` that could be applied on the specified resource.</p> |
| <p class="toc_element"> |
| <code><a href="#listAvailableOrgPolicyConstraints_next">listAvailableOrgPolicyConstraints_next(previous_request, previous_response)</a></code></p> |
| <p class="firstline">Retrieves the next page of results.</p> |
| <p class="toc_element"> |
| <code><a href="#listOrgPolicies">listOrgPolicies(resource, body, x__xgafv=None)</a></code></p> |
| <p class="firstline">Lists all the `Policies` set for a particular resource.</p> |
| <p class="toc_element"> |
| <code><a href="#listOrgPolicies_next">listOrgPolicies_next(previous_request, previous_response)</a></code></p> |
| <p class="firstline">Retrieves the next page of results.</p> |
| <p class="toc_element"> |
| <code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p> |
| <p class="firstline">Retrieves the next page of results.</p> |
| <p class="toc_element"> |
| <code><a href="#setIamPolicy">setIamPolicy(resource, body, x__xgafv=None)</a></code></p> |
| <p class="firstline">Sets the IAM access control policy for the specified Project. Replaces</p> |
| <p class="toc_element"> |
| <code><a href="#setOrgPolicy">setOrgPolicy(resource, body, x__xgafv=None)</a></code></p> |
| <p class="firstline">Updates the specified `Policy` on the resource. Creates a new `Policy` for</p> |
| <p class="toc_element"> |
| <code><a href="#testIamPermissions">testIamPermissions(resource, body, x__xgafv=None)</a></code></p> |
| <p class="firstline">Returns permissions that a caller has on the specified Project.</p> |
| <p class="toc_element"> |
| <code><a href="#undelete">undelete(projectId, body, x__xgafv=None)</a></code></p> |
| <p class="firstline">Restores the Project identified by the specified</p> |
| <p class="toc_element"> |
| <code><a href="#update">update(projectId, body, x__xgafv=None)</a></code></p> |
| <p class="firstline">Updates the attributes of the Project identified by the specified</p> |
| <h3>Method Details</h3> |
| <div class="method"> |
| <code class="details" id="clearOrgPolicy">clearOrgPolicy(resource, body, x__xgafv=None)</code> |
| <pre>Clears a `Policy` from a resource. |
| |
| Args: |
| resource: string, Name of the resource for the `Policy` to clear. (required) |
| body: object, The request body. (required) |
| The object takes the form of: |
| |
| { # The request sent to the ClearOrgPolicy method. |
| "etag": "A String", # The current version, for concurrency control. Not sending an `etag` |
| # will cause the `Policy` to be cleared blindly. |
| "constraint": "A String", # Name of the `Constraint` of the `Policy` to clear. |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # A generic empty message that you can re-use to avoid defining duplicated |
| # empty messages in your APIs. A typical example is to use it as the request |
| # or the response type of an API method. For instance: |
| # |
| # service Foo { |
| # rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); |
| # } |
| # |
| # The JSON representation for `Empty` is empty JSON object `{}`. |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="create">create(body, x__xgafv=None)</code> |
| <pre>Request that a new Project be created. The result is an Operation which |
| can be used to track the creation process. It is automatically deleted |
| after a few hours, so there is no need to call DeleteOperation. |
| |
| Our SLO permits Project creation to take up to 30 seconds at the 90th |
| percentile. As of 2016-08-29, we are observing 6 seconds 50th percentile |
| latency. 95th percentile latency is around 11 seconds. We recommend |
| polling at the 5th second with an exponential backoff. |
| |
| Args: |
| body: object, The request body. (required) |
| The object takes the form of: |
| |
| { # A Project is a high-level Google Cloud Platform entity. It is a |
| # container for ACLs, APIs, App Engine Apps, VMs, and other |
| # Google Cloud Platform resources. |
| "name": "A String", # The user-assigned display name of the Project. |
| # It must be 4 to 30 characters. |
| # Allowed characters are: lowercase and uppercase letters, numbers, |
| # hyphen, single-quote, double-quote, space, and exclamation point. |
| # |
| # Example: <code>My Project</code> |
| # Read-write. |
| "parent": { # A container to reference an id for any resource type. A `resource` in Google # An optional reference to a parent Resource. |
| # |
| # The only supported parent type is "organization". Once set, the parent |
| # cannot be modified. The `parent` can be set on creation or using the |
| # `UpdateProject` method; the end user must have the |
| # `resourcemanager.projects.create` permission on the parent. |
| # |
| # Read-write. |
| # Cloud Platform is a generic term for something you (a developer) may want to |
| # interact with through one of our API's. Some examples are an App Engine app, |
| # a Compute Engine instance, a Cloud SQL database, and so on. |
| "type": "A String", # Required field representing the resource type this id is for. |
| # At present, the valid types are: "organization" |
| "id": "A String", # Required field for the type-specific id. This should correspond to the id |
| # used in the type-specific API's. |
| }, |
| "projectId": "A String", # The unique, user-assigned ID of the Project. |
| # It must be 6 to 30 lowercase letters, digits, or hyphens. |
| # It must start with a letter. |
| # Trailing hyphens are prohibited. |
| # |
| # Example: <code>tokyo-rain-123</code> |
| # Read-only after creation. |
| "labels": { # The labels associated with this Project. |
| # |
| # Label keys must be between 1 and 63 characters long and must conform |
| # to the following regular expression: \[a-z\](\[-a-z0-9\]*\[a-z0-9\])?. |
| # |
| # Label values must be between 0 and 63 characters long and must conform |
| # to the regular expression (\[a-z\](\[-a-z0-9\]*\[a-z0-9\])?)?. |
| # |
| # No more than 256 labels can be associated with a given resource. |
| # |
| # Clients should store labels in a representation such as JSON that does not |
| # depend on specific characters being disallowed. |
| # |
| # Example: <code>"environment" : "dev"</code> |
| # Read-write. |
| "a_key": "A String", |
| }, |
| "createTime": "A String", # Creation time. |
| # |
| # Read-only. |
| "lifecycleState": "A String", # The Project lifecycle state. |
| # |
| # Read-only. |
| "projectNumber": "A String", # The number uniquely identifying the project. |
| # |
| # Example: <code>415104041262</code> |
| # Read-only. |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # This resource represents a long-running operation that is the result of a |
| # network API call. |
| "metadata": { # Service-specific metadata associated with the operation. It typically |
| # contains progress information and common metadata such as create time. |
| # Some services might not provide such metadata. Any method that returns a |
| # long-running operation should document the metadata type, if any. |
| "a_key": "", # Properties of the object. Contains field @type with type URL. |
| }, |
| "error": { # The `Status` type defines a logical error model that is suitable for different # The error result of the operation in case of failure or cancellation. |
| # programming environments, including REST APIs and RPC APIs. It is used by |
| # [gRPC](https://github.com/grpc). The error model is designed to be: |
| # |
| # - Simple to use and understand for most users |
| # - Flexible enough to meet unexpected needs |
| # |
| # # Overview |
| # |
| # The `Status` message contains three pieces of data: error code, error message, |
| # and error details. The error code should be an enum value of |
| # google.rpc.Code, but it may accept additional error codes if needed. The |
| # error message should be a developer-facing English message that helps |
| # developers *understand* and *resolve* the error. If a localized user-facing |
| # error message is needed, put the localized message in the error details or |
| # localize it in the client. The optional error details may contain arbitrary |
| # information about the error. There is a predefined set of error detail types |
| # in the package `google.rpc` that can be used for common error conditions. |
| # |
| # # Language mapping |
| # |
| # The `Status` message is the logical representation of the error model, but it |
| # is not necessarily the actual wire format. When the `Status` message is |
| # exposed in different client libraries and different wire protocols, it can be |
| # mapped differently. For example, it will likely be mapped to some exceptions |
| # in Java, but more likely mapped to some error codes in C. |
| # |
| # # Other uses |
| # |
| # The error model and the `Status` message can be used in a variety of |
| # environments, either with or without APIs, to provide a |
| # consistent developer experience across different environments. |
| # |
| # Example uses of this error model include: |
| # |
| # - Partial errors. If a service needs to return partial errors to the client, |
| # it may embed the `Status` in the normal response to indicate the partial |
| # errors. |
| # |
| # - Workflow errors. A typical workflow has multiple steps. Each step may |
| # have a `Status` message for error reporting. |
| # |
| # - Batch operations. If a client uses batch request and batch response, the |
| # `Status` message should be used directly inside batch response, one for |
| # each error sub-response. |
| # |
| # - Asynchronous operations. If an API call embeds asynchronous operation |
| # results in its response, the status of those operations should be |
| # represented directly using the `Status` message. |
| # |
| # - Logging. If some API errors are stored in logs, the message `Status` could |
| # be used directly after any stripping needed for security/privacy reasons. |
| "message": "A String", # A developer-facing error message, which should be in English. Any |
| # user-facing error message should be localized and sent in the |
| # google.rpc.Status.details field, or localized by the client. |
| "code": 42, # The status code, which should be an enum value of google.rpc.Code. |
| "details": [ # A list of messages that carry the error details. There will be a |
| # common set of message types for APIs to use. |
| { |
| "a_key": "", # Properties of the object. Contains field @type with type URL. |
| }, |
| ], |
| }, |
| "done": True or False, # If the value is `false`, it means the operation is still in progress. |
| # If true, the operation is completed, and either `error` or `response` is |
| # available. |
| "response": { # The normal response of the operation in case of success. If the original |
| # method returns no data on success, such as `Delete`, the response is |
| # `google.protobuf.Empty`. If the original method is standard |
| # `Get`/`Create`/`Update`, the response should be the resource. For other |
| # methods, the response should have the type `XxxResponse`, where `Xxx` |
| # is the original method name. For example, if the original method name |
| # is `TakeSnapshot()`, the inferred response type is |
| # `TakeSnapshotResponse`. |
| "a_key": "", # Properties of the object. Contains field @type with type URL. |
| }, |
| "name": "A String", # The server-assigned name, which is only unique within the same service that |
| # originally returns it. If you use the default HTTP mapping, the |
| # `name` should have the format of `operations/some/unique/name`. |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="delete">delete(projectId, x__xgafv=None)</code> |
| <pre>Marks the Project identified by the specified |
| `project_id` (for example, `my-project-123`) for deletion. |
| This method will only affect the Project if the following criteria are met: |
| |
| + The Project does not have a billing account associated with it. |
| + The Project has a lifecycle state of |
| ACTIVE. |
| |
| This method changes the Project's lifecycle state from |
| ACTIVE |
| to DELETE_REQUESTED. |
| The deletion starts at an unspecified time, |
| at which point the Project is no longer accessible. |
| |
| Until the deletion completes, you can check the lifecycle state |
| checked by retrieving the Project with GetProject, |
| and the Project remains visible to ListProjects. |
| However, you cannot update the project. |
| |
| After the deletion completes, the Project is not retrievable by |
| the GetProject and |
| ListProjects methods. |
| |
| The caller must have modify permissions for this Project. |
| |
| Args: |
| projectId: string, The Project ID (for example, `foo-bar-123`). |
| |
| Required. (required) |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # A generic empty message that you can re-use to avoid defining duplicated |
| # empty messages in your APIs. A typical example is to use it as the request |
| # or the response type of an API method. For instance: |
| # |
| # service Foo { |
| # rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); |
| # } |
| # |
| # The JSON representation for `Empty` is empty JSON object `{}`. |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="get">get(projectId, x__xgafv=None)</code> |
| <pre>Retrieves the Project identified by the specified |
| `project_id` (for example, `my-project-123`). |
| |
| The caller must have read permissions for this Project. |
| |
| Args: |
| projectId: string, The Project ID (for example, `my-project-123`). |
| |
| Required. (required) |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # A Project is a high-level Google Cloud Platform entity. It is a |
| # container for ACLs, APIs, App Engine Apps, VMs, and other |
| # Google Cloud Platform resources. |
| "name": "A String", # The user-assigned display name of the Project. |
| # It must be 4 to 30 characters. |
| # Allowed characters are: lowercase and uppercase letters, numbers, |
| # hyphen, single-quote, double-quote, space, and exclamation point. |
| # |
| # Example: <code>My Project</code> |
| # Read-write. |
| "parent": { # A container to reference an id for any resource type. A `resource` in Google # An optional reference to a parent Resource. |
| # |
| # The only supported parent type is "organization". Once set, the parent |
| # cannot be modified. The `parent` can be set on creation or using the |
| # `UpdateProject` method; the end user must have the |
| # `resourcemanager.projects.create` permission on the parent. |
| # |
| # Read-write. |
| # Cloud Platform is a generic term for something you (a developer) may want to |
| # interact with through one of our API's. Some examples are an App Engine app, |
| # a Compute Engine instance, a Cloud SQL database, and so on. |
| "type": "A String", # Required field representing the resource type this id is for. |
| # At present, the valid types are: "organization" |
| "id": "A String", # Required field for the type-specific id. This should correspond to the id |
| # used in the type-specific API's. |
| }, |
| "projectId": "A String", # The unique, user-assigned ID of the Project. |
| # It must be 6 to 30 lowercase letters, digits, or hyphens. |
| # It must start with a letter. |
| # Trailing hyphens are prohibited. |
| # |
| # Example: <code>tokyo-rain-123</code> |
| # Read-only after creation. |
| "labels": { # The labels associated with this Project. |
| # |
| # Label keys must be between 1 and 63 characters long and must conform |
| # to the following regular expression: \[a-z\](\[-a-z0-9\]*\[a-z0-9\])?. |
| # |
| # Label values must be between 0 and 63 characters long and must conform |
| # to the regular expression (\[a-z\](\[-a-z0-9\]*\[a-z0-9\])?)?. |
| # |
| # No more than 256 labels can be associated with a given resource. |
| # |
| # Clients should store labels in a representation such as JSON that does not |
| # depend on specific characters being disallowed. |
| # |
| # Example: <code>"environment" : "dev"</code> |
| # Read-write. |
| "a_key": "A String", |
| }, |
| "createTime": "A String", # Creation time. |
| # |
| # Read-only. |
| "lifecycleState": "A String", # The Project lifecycle state. |
| # |
| # Read-only. |
| "projectNumber": "A String", # The number uniquely identifying the project. |
| # |
| # Example: <code>415104041262</code> |
| # Read-only. |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="getAncestry">getAncestry(projectId, body, x__xgafv=None)</code> |
| <pre>Gets a list of ancestors in the resource hierarchy for the Project |
| identified by the specified `project_id` (for example, `my-project-123`). |
| |
| The caller must have read permissions for this Project. |
| |
| Args: |
| projectId: string, The Project ID (for example, `my-project-123`). |
| |
| Required. (required) |
| body: object, The request body. (required) |
| The object takes the form of: |
| |
| { # The request sent to the |
| # GetAncestry |
| # method. |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Response from the GetAncestry method. |
| "ancestor": [ # Ancestors are ordered from bottom to top of the resource hierarchy. The |
| # first ancestor is the project itself, followed by the project's parent, |
| # etc. |
| { # Identifying information for a single ancestor of a project. |
| "resourceId": { # A container to reference an id for any resource type. A `resource` in Google # Resource id of the ancestor. |
| # Cloud Platform is a generic term for something you (a developer) may want to |
| # interact with through one of our API's. Some examples are an App Engine app, |
| # a Compute Engine instance, a Cloud SQL database, and so on. |
| "type": "A String", # Required field representing the resource type this id is for. |
| # At present, the valid types are: "organization" |
| "id": "A String", # Required field for the type-specific id. This should correspond to the id |
| # used in the type-specific API's. |
| }, |
| }, |
| ], |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="getEffectiveOrgPolicy">getEffectiveOrgPolicy(resource, body, x__xgafv=None)</code> |
| <pre>Gets the effective `Policy` on a resource. This is the result of merging |
| `Policies` in the resource hierarchy. The returned `Policy` will not have |
| an `etag`set because it is a computed `Policy` across multiple resources. |
| |
| Args: |
| resource: string, The name of the resource to start computing the effective `Policy`. (required) |
| body: object, The request body. (required) |
| The object takes the form of: |
| |
| { # The request sent to the GetEffectiveOrgPolicy method. |
| "constraint": "A String", # The name of the `Constraint` to compute the effective `Policy`. |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` |
| # for configurations of Cloud Platform resources. |
| "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the |
| # server, not specified by the caller, and represents the last time a call to |
| # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will |
| # be ignored. |
| "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example, |
| # `constraints/serviceuser.services`. |
| # |
| # Immutable after creation. |
| "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of |
| # `Constraint` type. |
| # `constraint_default` enforcement behavior of the specific `Constraint` at |
| # this resource. |
| # |
| # Suppose that `constraint_default` is set to `ALLOW` for the |
| # `Constraint` `constraints/serviceuser.services`. Suppose that organization |
| # foo.com sets a `Policy` at their Organization resource node that restricts |
| # the allowed service activations to deny all service activations. They |
| # could then set a `Policy` with the `policy_type` `restore_default` on |
| # several experimental projects, restoring the `constraint_default` |
| # enforcement of the `Constraint` for only those projects, allowing those |
| # projects to have all services activated. |
| }, |
| "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed. |
| # resource. |
| # |
| # A `ListPolicy` can define specific values that are allowed or denied by |
| # setting either the `allowed_values` or `denied_values` fields. It can also |
| # be used to allow or deny all values, by setting the `all_values` field. If |
| # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values` |
| # or `denied_values` must be set (attempting to set both or neither will |
| # result in a failed request). If `all_values` is set to either `ALLOW` or |
| # `DENY`, `allowed_values` and `denied_values` must be unset. |
| "allValues": "A String", # The policy all_values state. |
| "allowedValues": [ # List of values allowed at this resource. an only be set if no values are |
| # set for `denied_values` and `all_values` is set to |
| # `ALL_VALUES_UNSPECIFIED`. |
| "A String", |
| ], |
| "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`. |
| # |
| # By default, a `ListPolicy` set at a resource supercedes any `Policy` set |
| # anywhere up the resource hierarchy. However, if `inherit_from_parent` is |
| # set to `true`, then the values from the effective `Policy` of the parent |
| # resource are inherited, meaning the values set in this `Policy` are |
| # added to the values inherited up the hierarchy. |
| # |
| # Setting `Policy` hierarchies that inherit both allowed values and denied |
| # values isn't recommended in most circumstances to keep the configuration |
| # simple and understandable. However, it is possible to set a `Policy` with |
| # `allowed_values` set that inherits a `Policy` with `denied_values` set. |
| # In this case, the values that are allowed must be in `allowed_values` and |
| # not present in `denied_values`. |
| # |
| # For example, suppose you have a `Constraint` |
| # `constraints/serviceuser.services`, which has a `constraint_type` of |
| # `list_constraint`, and with `constraint_default` set to `ALLOW`. |
| # Suppose that at the Organization level, a `Policy` is applied that |
| # restricts the allowed API activations to {`E1`, `E2`}. Then, if a |
| # `Policy` is applied to a project below the Organization that has |
| # `inherit_from_parent` set to `false` and field all_values set to DENY, |
| # then an attempt to activate any API will be denied. |
| # |
| # The following examples demonstrate different possible layerings: |
| # |
| # Example 1 (no inherited values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values:”E2”} |
| # ``projects/bar`` has `inherit_from_parent` `false` and values: |
| # {allowed_values: "E3" allowed_values: "E4"} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are `E3`, and `E4`. |
| # |
| # Example 2 (inherited values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values:”E2”} |
| # `projects/bar` has a `Policy` with values: |
| # {value: “E3” value: ”E4” inherit_from_parent: true} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`. |
| # |
| # Example 3 (inheriting both allowed and denied values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values: "E2"} |
| # `projects/bar` has a `Policy` with: |
| # {denied_values: "E1"} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The value accepted at `projects/bar` is `E2`. |
| # |
| # Example 4 (RestoreDefault): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values:”E2”} |
| # `projects/bar` has a `Policy` with values: |
| # {RestoreDefault: {}} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are either all or none depending on |
| # the value of `constraint_default` (if `ALLOW`, all; if |
| # `DENY`, none). |
| # |
| # Example 5 (no policy inherits parent policy): |
| # `organizations/foo` has no `Policy` set. |
| # `projects/bar` has no `Policy` set. |
| # The accepted values at both levels are either all or none depending on |
| # the value of `constraint_default` (if `ALLOW`, all; if |
| # `DENY`, none). |
| # |
| # Example 6 (ListConstraint allowing all): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values: ”E2”} |
| # `projects/bar` has a `Policy` with: |
| # {all: ALLOW} |
| # The accepted values at `organizations/foo` are `E1`, E2`. |
| # Any value is accepted at `projects/bar`. |
| # |
| # Example 7 (ListConstraint allowing none): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values: ”E2”} |
| # `projects/bar` has a `Policy` with: |
| # {all: DENY} |
| # The accepted values at `organizations/foo` are `E1`, E2`. |
| # No value is accepted at `projects/bar`. |
| "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration |
| # that matches the value specified in this `Policy`. If `suggested_value` |
| # is not set, it will inherit the value specified higher in the hierarchy, |
| # unless `inherit_from_parent` is `false`. |
| "deniedValues": [ # List of values denied at this resource. Can only be set if no values are |
| # set for `allowed_values` and `all_values` is set to |
| # `ALL_VALUES_UNSPECIFIED`. |
| "A String", |
| ], |
| }, |
| "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not. |
| # resource. |
| "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any |
| # configuration is acceptable. |
| # |
| # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess` |
| # with `constraint_default` set to `ALLOW`. A `Policy` for that |
| # `Constraint` exhibits the following behavior: |
| # - If the `Policy` at this resource has enforced set to `false`, serial |
| # port connection attempts will be allowed. |
| # - If the `Policy` at this resource has enforced set to `true`, serial |
| # port connection attempts will be refused. |
| # - If the `Policy` at this resource is `RestoreDefault`, serial port |
| # connection attempts will be allowed. |
| # - If no `Policy` is set at this resource or anywhere higher in the |
| # resource hierarchy, serial port connection attempts will be allowed. |
| # - If no `Policy` is set at this resource, but one exists higher in the |
| # resource hierarchy, the behavior is as if the`Policy` were set at |
| # this resource. |
| # |
| # The following examples demonstrate the different possible layerings: |
| # |
| # Example 1 (nearest `Constraint` wins): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: false} |
| # `projects/bar` has no `Policy` set. |
| # The constraint at `projects/bar` and `organizations/foo` will not be |
| # enforced. |
| # |
| # Example 2 (enforcement gets replaced): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: false} |
| # `projects/bar` has a `Policy` with: |
| # {enforced: true} |
| # The constraint at `organizations/foo` is not enforced. |
| # The constraint at `projects/bar` is enforced. |
| # |
| # Example 3 (RestoreDefault): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: true} |
| # `projects/bar` has a `Policy` with: |
| # {RestoreDefault: {}} |
| # The constraint at `organizations/foo` is enforced. |
| # The constraint at `projects/bar` is not enforced, because |
| # `constraint_default` for the `Constraint` is `ALLOW`. |
| }, |
| "version": 42, # Version of the `Policy`. Default version is 0; |
| "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for |
| # concurrency control. |
| # |
| # When the `Policy` is returned from either a `GetPolicy` or a |
| # `ListOrgPolicy` request, this `etag` indicates the version of the current |
| # `Policy` to use when executing a read-modify-write loop. |
| # |
| # When the `Policy` is returned from a `GetEffectivePolicy` request, the |
| # `etag` will be unset. |
| # |
| # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value |
| # that was returned from a `GetOrgPolicy` request as part of a |
| # read-modify-write loop for concurrency control. Not setting the `etag`in a |
| # `SetOrgPolicy` request will result in an unconditional write of the |
| # `Policy`. |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="getIamPolicy">getIamPolicy(resource, body, x__xgafv=None)</code> |
| <pre>Returns the IAM access control policy for the specified Project. |
| Permission is denied if the policy or the resource does not exist. |
| |
| Args: |
| resource: string, REQUIRED: The resource for which the policy is being requested. |
| See the operation documentation for the appropriate value for this field. (required) |
| body: object, The request body. (required) |
| The object takes the form of: |
| |
| { # Request message for `GetIamPolicy` method. |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Defines an Identity and Access Management (IAM) policy. It is used to |
| # specify access control policies for Cloud Platform resources. |
| # |
| # |
| # A `Policy` consists of a list of `bindings`. A `Binding` binds a list of |
| # `members` to a `role`, where the members can be user accounts, Google groups, |
| # Google domains, and service accounts. A `role` is a named list of permissions |
| # defined by IAM. |
| # |
| # **Example** |
| # |
| # { |
| # "bindings": [ |
| # { |
| # "role": "roles/owner", |
| # "members": [ |
| # "user:mike@example.com", |
| # "group:admins@example.com", |
| # "domain:google.com", |
| # "serviceAccount:my-other-app@appspot.gserviceaccount.com", |
| # ] |
| # }, |
| # { |
| # "role": "roles/viewer", |
| # "members": ["user:sean@example.com"] |
| # } |
| # ] |
| # } |
| # |
| # For a description of IAM and its features, see the |
| # [IAM developer's guide](https://cloud.google.com/iam). |
| "bindings": [ # Associates a list of `members` to a `role`. |
| # Multiple `bindings` must not be specified for the same `role`. |
| # `bindings` with no members will result in an error. |
| { # Associates `members` with a `role`. |
| "role": "A String", # Role that is assigned to `members`. |
| # For example, `roles/viewer`, `roles/editor`, or `roles/owner`. |
| # Required |
| "members": [ # Specifies the identities requesting access for a Cloud Platform resource. |
| # `members` can have the following values: |
| # |
| # * `allUsers`: A special identifier that represents anyone who is |
| # on the internet; with or without a Google account. |
| # |
| # * `allAuthenticatedUsers`: A special identifier that represents anyone |
| # who is authenticated with a Google account or a service account. |
| # |
| # * `user:{emailid}`: An email address that represents a specific Google |
| # account. For example, `alice@gmail.com` or `joe@example.com`. |
| # |
| # |
| # * `serviceAccount:{emailid}`: An email address that represents a service |
| # account. For example, `my-other-app@appspot.gserviceaccount.com`. |
| # |
| # * `group:{emailid}`: An email address that represents a Google group. |
| # For example, `admins@example.com`. |
| # |
| # |
| # * `domain:{domain}`: A Google Apps domain name that represents all the |
| # users of that domain. For example, `google.com` or `example.com`. |
| # |
| "A String", |
| ], |
| }, |
| ], |
| "auditConfigs": [ # Specifies cloud audit logging configuration for this policy. |
| { # Specifies the audit configuration for a service. |
| # The configuration determines which permission types are logged, and what |
| # identities, if any, are exempted from logging. |
| # An AuditConfig must have one or more AuditLogConfigs. |
| # |
| # If there are AuditConfigs for both `allServices` and a specific service, |
| # the union of the two AuditConfigs is used for that service: the log_types |
| # specified in each AuditConfig are enabled, and the exempted_members in each |
| # AuditConfig are exempted. |
| # |
| # Example Policy with multiple AuditConfigs: |
| # |
| # { |
| # "audit_configs": [ |
| # { |
| # "service": "allServices" |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ", |
| # "exempted_members": [ |
| # "user:foo@gmail.com" |
| # ] |
| # }, |
| # { |
| # "log_type": "DATA_WRITE", |
| # }, |
| # { |
| # "log_type": "ADMIN_READ", |
| # } |
| # ] |
| # }, |
| # { |
| # "service": "fooservice.googleapis.com" |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ", |
| # }, |
| # { |
| # "log_type": "DATA_WRITE", |
| # "exempted_members": [ |
| # "user:bar@gmail.com" |
| # ] |
| # } |
| # ] |
| # } |
| # ] |
| # } |
| # |
| # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ |
| # logging. It also exempts foo@gmail.com from DATA_READ logging, and |
| # bar@gmail.com from DATA_WRITE logging. |
| "auditLogConfigs": [ # The configuration for logging of each type of permission. |
| # Next ID: 4 |
| { # Provides the configuration for logging a type of permissions. |
| # Example: |
| # |
| # { |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ", |
| # "exempted_members": [ |
| # "user:foo@gmail.com" |
| # ] |
| # }, |
| # { |
| # "log_type": "DATA_WRITE", |
| # } |
| # ] |
| # } |
| # |
| # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting |
| # foo@gmail.com from DATA_READ logging. |
| "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of |
| # permission. |
| # Follows the same format of Binding.members. |
| "A String", |
| ], |
| "logType": "A String", # The log type that this config enables. |
| }, |
| ], |
| "service": "A String", # Specifies a service that will be enabled for audit logging. |
| # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. |
| # `allServices` is a special value that covers all services. |
| }, |
| ], |
| "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help |
| # prevent simultaneous updates of a policy from overwriting each other. |
| # It is strongly suggested that systems make use of the `etag` in the |
| # read-modify-write cycle to perform policy updates in order to avoid race |
| # conditions: An `etag` is returned in the response to `getIamPolicy`, and |
| # systems are expected to put that etag in the request to `setIamPolicy` to |
| # ensure that their change will be applied to the same version of the policy. |
| # |
| # If no `etag` is provided in the call to `setIamPolicy`, then the existing |
| # policy is overwritten blindly. |
| "version": 42, # Version of the `Policy`. The default version is 0. |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="getOrgPolicy">getOrgPolicy(resource, body, x__xgafv=None)</code> |
| <pre>Gets a `Policy` on a resource. |
| |
| If no `Policy` is set on the resource, a `Policy` is returned with default |
| values including `POLICY_TYPE_NOT_SET` for the `policy_type oneof`. The |
| `etag` value can be used with `SetOrgPolicy()` to create or update a |
| `Policy` during read-modify-write. |
| |
| Args: |
| resource: string, Name of the resource the `Policy` is set on. (required) |
| body: object, The request body. (required) |
| The object takes the form of: |
| |
| { # The request sent to the GetOrgPolicy method. |
| "constraint": "A String", # Name of the `Constraint` to get the `Policy`. |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` |
| # for configurations of Cloud Platform resources. |
| "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the |
| # server, not specified by the caller, and represents the last time a call to |
| # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will |
| # be ignored. |
| "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example, |
| # `constraints/serviceuser.services`. |
| # |
| # Immutable after creation. |
| "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of |
| # `Constraint` type. |
| # `constraint_default` enforcement behavior of the specific `Constraint` at |
| # this resource. |
| # |
| # Suppose that `constraint_default` is set to `ALLOW` for the |
| # `Constraint` `constraints/serviceuser.services`. Suppose that organization |
| # foo.com sets a `Policy` at their Organization resource node that restricts |
| # the allowed service activations to deny all service activations. They |
| # could then set a `Policy` with the `policy_type` `restore_default` on |
| # several experimental projects, restoring the `constraint_default` |
| # enforcement of the `Constraint` for only those projects, allowing those |
| # projects to have all services activated. |
| }, |
| "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed. |
| # resource. |
| # |
| # A `ListPolicy` can define specific values that are allowed or denied by |
| # setting either the `allowed_values` or `denied_values` fields. It can also |
| # be used to allow or deny all values, by setting the `all_values` field. If |
| # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values` |
| # or `denied_values` must be set (attempting to set both or neither will |
| # result in a failed request). If `all_values` is set to either `ALLOW` or |
| # `DENY`, `allowed_values` and `denied_values` must be unset. |
| "allValues": "A String", # The policy all_values state. |
| "allowedValues": [ # List of values allowed at this resource. an only be set if no values are |
| # set for `denied_values` and `all_values` is set to |
| # `ALL_VALUES_UNSPECIFIED`. |
| "A String", |
| ], |
| "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`. |
| # |
| # By default, a `ListPolicy` set at a resource supercedes any `Policy` set |
| # anywhere up the resource hierarchy. However, if `inherit_from_parent` is |
| # set to `true`, then the values from the effective `Policy` of the parent |
| # resource are inherited, meaning the values set in this `Policy` are |
| # added to the values inherited up the hierarchy. |
| # |
| # Setting `Policy` hierarchies that inherit both allowed values and denied |
| # values isn't recommended in most circumstances to keep the configuration |
| # simple and understandable. However, it is possible to set a `Policy` with |
| # `allowed_values` set that inherits a `Policy` with `denied_values` set. |
| # In this case, the values that are allowed must be in `allowed_values` and |
| # not present in `denied_values`. |
| # |
| # For example, suppose you have a `Constraint` |
| # `constraints/serviceuser.services`, which has a `constraint_type` of |
| # `list_constraint`, and with `constraint_default` set to `ALLOW`. |
| # Suppose that at the Organization level, a `Policy` is applied that |
| # restricts the allowed API activations to {`E1`, `E2`}. Then, if a |
| # `Policy` is applied to a project below the Organization that has |
| # `inherit_from_parent` set to `false` and field all_values set to DENY, |
| # then an attempt to activate any API will be denied. |
| # |
| # The following examples demonstrate different possible layerings: |
| # |
| # Example 1 (no inherited values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values:”E2”} |
| # ``projects/bar`` has `inherit_from_parent` `false` and values: |
| # {allowed_values: "E3" allowed_values: "E4"} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are `E3`, and `E4`. |
| # |
| # Example 2 (inherited values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values:”E2”} |
| # `projects/bar` has a `Policy` with values: |
| # {value: “E3” value: ”E4” inherit_from_parent: true} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`. |
| # |
| # Example 3 (inheriting both allowed and denied values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values: "E2"} |
| # `projects/bar` has a `Policy` with: |
| # {denied_values: "E1"} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The value accepted at `projects/bar` is `E2`. |
| # |
| # Example 4 (RestoreDefault): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values:”E2”} |
| # `projects/bar` has a `Policy` with values: |
| # {RestoreDefault: {}} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are either all or none depending on |
| # the value of `constraint_default` (if `ALLOW`, all; if |
| # `DENY`, none). |
| # |
| # Example 5 (no policy inherits parent policy): |
| # `organizations/foo` has no `Policy` set. |
| # `projects/bar` has no `Policy` set. |
| # The accepted values at both levels are either all or none depending on |
| # the value of `constraint_default` (if `ALLOW`, all; if |
| # `DENY`, none). |
| # |
| # Example 6 (ListConstraint allowing all): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values: ”E2”} |
| # `projects/bar` has a `Policy` with: |
| # {all: ALLOW} |
| # The accepted values at `organizations/foo` are `E1`, E2`. |
| # Any value is accepted at `projects/bar`. |
| # |
| # Example 7 (ListConstraint allowing none): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values: ”E2”} |
| # `projects/bar` has a `Policy` with: |
| # {all: DENY} |
| # The accepted values at `organizations/foo` are `E1`, E2`. |
| # No value is accepted at `projects/bar`. |
| "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration |
| # that matches the value specified in this `Policy`. If `suggested_value` |
| # is not set, it will inherit the value specified higher in the hierarchy, |
| # unless `inherit_from_parent` is `false`. |
| "deniedValues": [ # List of values denied at this resource. Can only be set if no values are |
| # set for `allowed_values` and `all_values` is set to |
| # `ALL_VALUES_UNSPECIFIED`. |
| "A String", |
| ], |
| }, |
| "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not. |
| # resource. |
| "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any |
| # configuration is acceptable. |
| # |
| # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess` |
| # with `constraint_default` set to `ALLOW`. A `Policy` for that |
| # `Constraint` exhibits the following behavior: |
| # - If the `Policy` at this resource has enforced set to `false`, serial |
| # port connection attempts will be allowed. |
| # - If the `Policy` at this resource has enforced set to `true`, serial |
| # port connection attempts will be refused. |
| # - If the `Policy` at this resource is `RestoreDefault`, serial port |
| # connection attempts will be allowed. |
| # - If no `Policy` is set at this resource or anywhere higher in the |
| # resource hierarchy, serial port connection attempts will be allowed. |
| # - If no `Policy` is set at this resource, but one exists higher in the |
| # resource hierarchy, the behavior is as if the`Policy` were set at |
| # this resource. |
| # |
| # The following examples demonstrate the different possible layerings: |
| # |
| # Example 1 (nearest `Constraint` wins): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: false} |
| # `projects/bar` has no `Policy` set. |
| # The constraint at `projects/bar` and `organizations/foo` will not be |
| # enforced. |
| # |
| # Example 2 (enforcement gets replaced): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: false} |
| # `projects/bar` has a `Policy` with: |
| # {enforced: true} |
| # The constraint at `organizations/foo` is not enforced. |
| # The constraint at `projects/bar` is enforced. |
| # |
| # Example 3 (RestoreDefault): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: true} |
| # `projects/bar` has a `Policy` with: |
| # {RestoreDefault: {}} |
| # The constraint at `organizations/foo` is enforced. |
| # The constraint at `projects/bar` is not enforced, because |
| # `constraint_default` for the `Constraint` is `ALLOW`. |
| }, |
| "version": 42, # Version of the `Policy`. Default version is 0; |
| "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for |
| # concurrency control. |
| # |
| # When the `Policy` is returned from either a `GetPolicy` or a |
| # `ListOrgPolicy` request, this `etag` indicates the version of the current |
| # `Policy` to use when executing a read-modify-write loop. |
| # |
| # When the `Policy` is returned from a `GetEffectivePolicy` request, the |
| # `etag` will be unset. |
| # |
| # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value |
| # that was returned from a `GetOrgPolicy` request as part of a |
| # read-modify-write loop for concurrency control. Not setting the `etag`in a |
| # `SetOrgPolicy` request will result in an unconditional write of the |
| # `Policy`. |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="list">list(pageSize=None, filter=None, pageToken=None, x__xgafv=None)</code> |
| <pre>Lists Projects that are visible to the user and satisfy the |
| specified filter. This method returns Projects in an unspecified order. |
| New Projects do not necessarily appear at the end of the list. |
| |
| Args: |
| pageSize: integer, The maximum number of Projects to return in the response. |
| The server can return fewer Projects than requested. |
| If unspecified, server picks an appropriate default. |
| |
| Optional. |
| filter: string, An expression for filtering the results of the request. Filter rules are |
| case insensitive. The fields eligible for filtering are: |
| |
| + `name` |
| + `id` |
| + <code>labels.<em>key</em></code> where *key* is the name of a label |
| |
| Some examples of using labels as filters: |
| |
| |Filter|Description| |
| |------|-----------| |
| |name:how*|The project's name starts with "how".| |
| |name:Howl|The project's name is `Howl` or `howl`.| |
| |name:HOWL|Equivalent to above.| |
| |NAME:howl|Equivalent to above.| |
| |labels.color:*|The project has the label `color`.| |
| |labels.color:red|The project's label `color` has the value `red`.| |
| |labels.color:red labels.size:big|The project's label `color` has the |
| value `red` and its label `size` has the value `big`. |
| |
| Optional. |
| pageToken: string, A pagination token returned from a previous call to ListProjects |
| that indicates from where listing should continue. |
| |
| Optional. |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # A page of the response received from the |
| # ListProjects |
| # method. |
| # |
| # A paginated response where more pages are available has |
| # `next_page_token` set. This token can be used in a subsequent request to |
| # retrieve the next request page. |
| "nextPageToken": "A String", # Pagination token. |
| # |
| # If the result set is too large to fit in a single response, this token |
| # is returned. It encodes the position of the current result cursor. |
| # Feeding this value into a new list request with the `page_token` parameter |
| # gives the next page of the results. |
| # |
| # When `next_page_token` is not filled in, there is no next page and |
| # the list returned is the last page in the result set. |
| # |
| # Pagination tokens have a limited lifetime. |
| "projects": [ # The list of Projects that matched the list filter. This list can |
| # be paginated. |
| { # A Project is a high-level Google Cloud Platform entity. It is a |
| # container for ACLs, APIs, App Engine Apps, VMs, and other |
| # Google Cloud Platform resources. |
| "name": "A String", # The user-assigned display name of the Project. |
| # It must be 4 to 30 characters. |
| # Allowed characters are: lowercase and uppercase letters, numbers, |
| # hyphen, single-quote, double-quote, space, and exclamation point. |
| # |
| # Example: <code>My Project</code> |
| # Read-write. |
| "parent": { # A container to reference an id for any resource type. A `resource` in Google # An optional reference to a parent Resource. |
| # |
| # The only supported parent type is "organization". Once set, the parent |
| # cannot be modified. The `parent` can be set on creation or using the |
| # `UpdateProject` method; the end user must have the |
| # `resourcemanager.projects.create` permission on the parent. |
| # |
| # Read-write. |
| # Cloud Platform is a generic term for something you (a developer) may want to |
| # interact with through one of our API's. Some examples are an App Engine app, |
| # a Compute Engine instance, a Cloud SQL database, and so on. |
| "type": "A String", # Required field representing the resource type this id is for. |
| # At present, the valid types are: "organization" |
| "id": "A String", # Required field for the type-specific id. This should correspond to the id |
| # used in the type-specific API's. |
| }, |
| "projectId": "A String", # The unique, user-assigned ID of the Project. |
| # It must be 6 to 30 lowercase letters, digits, or hyphens. |
| # It must start with a letter. |
| # Trailing hyphens are prohibited. |
| # |
| # Example: <code>tokyo-rain-123</code> |
| # Read-only after creation. |
| "labels": { # The labels associated with this Project. |
| # |
| # Label keys must be between 1 and 63 characters long and must conform |
| # to the following regular expression: \[a-z\](\[-a-z0-9\]*\[a-z0-9\])?. |
| # |
| # Label values must be between 0 and 63 characters long and must conform |
| # to the regular expression (\[a-z\](\[-a-z0-9\]*\[a-z0-9\])?)?. |
| # |
| # No more than 256 labels can be associated with a given resource. |
| # |
| # Clients should store labels in a representation such as JSON that does not |
| # depend on specific characters being disallowed. |
| # |
| # Example: <code>"environment" : "dev"</code> |
| # Read-write. |
| "a_key": "A String", |
| }, |
| "createTime": "A String", # Creation time. |
| # |
| # Read-only. |
| "lifecycleState": "A String", # The Project lifecycle state. |
| # |
| # Read-only. |
| "projectNumber": "A String", # The number uniquely identifying the project. |
| # |
| # Example: <code>415104041262</code> |
| # Read-only. |
| }, |
| ], |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="listAvailableOrgPolicyConstraints">listAvailableOrgPolicyConstraints(resource, body, x__xgafv=None)</code> |
| <pre>Lists `Constraints` that could be applied on the specified resource. |
| |
| Args: |
| resource: string, Name of the resource to list `Constraints` for. (required) |
| body: object, The request body. (required) |
| The object takes the form of: |
| |
| { # The request sent to the [ListAvailableOrgPolicyConstraints] |
| # google.cloud.OrgPolicy.v1.ListAvailableOrgPolicyConstraints] method. |
| "pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported |
| # and will be ignored. The server may at any point start using this field. |
| "pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will |
| # be ignored. The server may at any point start using this field to limit |
| # page size. |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # The response returned from the ListAvailableOrgPolicyConstraints method. |
| # Returns all `Constraints` that could be set at this level of the hierarchy |
| # (contrast with the response from `ListPolicies`, which returns all policies |
| # which are set). |
| "nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used. |
| "constraints": [ # The collection of constraints that are settable on the request resource. |
| { # A `Constraint` describes a way in which a resource's configuration can be |
| # restricted. For example, it controls which cloud services can be activated |
| # across an organization, or whether a Compute Engine instance can have |
| # serial port connections established. `Constraints` can be configured by the |
| # organization's policy adminstrator to fit the needs of the organzation by |
| # setting Policies for `Constraints` at different locations in the |
| # organization's resource hierarchy. Policies are inherited down the resource |
| # hierarchy from higher levels, but can also be overridden. For details about |
| # the inheritance rules please read about |
| # Policies. |
| # |
| # `Constraints` have a default behavior determined by the `constraint_default` |
| # field, which is the enforcement behavior that is used in the absence of a |
| # `Policy` being defined or inherited for the resource in question. |
| "constraintDefault": "A String", # The evaluation behavior of this constraint in the absense of 'Policy'. |
| "displayName": "A String", # The human readable name. |
| # |
| # Mutable. |
| "description": "A String", # Detailed description of what this `Constraint` controls as well as how and |
| # where it is enforced. |
| # |
| # Mutable. |
| "booleanConstraint": { # A `Constraint` that is either enforced or not. # Defines this constraint as being a BooleanConstraint. |
| # |
| # For example a constraint `constraints/compute.disableSerialPortAccess`. |
| # If it is enforced on a VM instance, serial port connections will not be |
| # opened to that instance. |
| }, |
| "version": 42, # Version of the `Constraint`. Default version is 0; |
| "listConstraint": { # A `Constraint` that allows or disallows a list of string values, which are # Defines this constraint as being a ListConstraint. |
| # configured by an Organization's policy administrator with a `Policy`. |
| "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration |
| # that matches the value specified in this `Constraint`. |
| }, |
| "name": "A String", # Immutable value, required to globally be unique. For example, |
| # `constraints/serviceuser.services` |
| }, |
| ], |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="listAvailableOrgPolicyConstraints_next">listAvailableOrgPolicyConstraints_next(previous_request, previous_response)</code> |
| <pre>Retrieves the next page of results. |
| |
| Args: |
| previous_request: The request for the previous page. (required) |
| previous_response: The response from the request for the previous page. (required) |
| |
| Returns: |
| A request object that you can call 'execute()' on to request the next |
| page. Returns None if there are no more items in the collection. |
| </pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="listOrgPolicies">listOrgPolicies(resource, body, x__xgafv=None)</code> |
| <pre>Lists all the `Policies` set for a particular resource. |
| |
| Args: |
| resource: string, Name of the resource to list Policies for. (required) |
| body: object, The request body. (required) |
| The object takes the form of: |
| |
| { # The request sent to the ListOrgPolicies method. |
| "pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported |
| # and will be ignored. The server may at any point start using this field. |
| "pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will |
| # be ignored. The server may at any point start using this field to limit |
| # page size. |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # The response returned from the ListOrgPolicies method. It will be empty |
| # if no `Policies` are set on the resource. |
| "nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used, but |
| # the server may at any point start supplying a valid token. |
| "policies": [ # The `Policies` that are set on the resource. It will be empty if no |
| # `Policies` are set. |
| { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` |
| # for configurations of Cloud Platform resources. |
| "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the |
| # server, not specified by the caller, and represents the last time a call to |
| # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will |
| # be ignored. |
| "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example, |
| # `constraints/serviceuser.services`. |
| # |
| # Immutable after creation. |
| "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of |
| # `Constraint` type. |
| # `constraint_default` enforcement behavior of the specific `Constraint` at |
| # this resource. |
| # |
| # Suppose that `constraint_default` is set to `ALLOW` for the |
| # `Constraint` `constraints/serviceuser.services`. Suppose that organization |
| # foo.com sets a `Policy` at their Organization resource node that restricts |
| # the allowed service activations to deny all service activations. They |
| # could then set a `Policy` with the `policy_type` `restore_default` on |
| # several experimental projects, restoring the `constraint_default` |
| # enforcement of the `Constraint` for only those projects, allowing those |
| # projects to have all services activated. |
| }, |
| "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed. |
| # resource. |
| # |
| # A `ListPolicy` can define specific values that are allowed or denied by |
| # setting either the `allowed_values` or `denied_values` fields. It can also |
| # be used to allow or deny all values, by setting the `all_values` field. If |
| # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values` |
| # or `denied_values` must be set (attempting to set both or neither will |
| # result in a failed request). If `all_values` is set to either `ALLOW` or |
| # `DENY`, `allowed_values` and `denied_values` must be unset. |
| "allValues": "A String", # The policy all_values state. |
| "allowedValues": [ # List of values allowed at this resource. an only be set if no values are |
| # set for `denied_values` and `all_values` is set to |
| # `ALL_VALUES_UNSPECIFIED`. |
| "A String", |
| ], |
| "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`. |
| # |
| # By default, a `ListPolicy` set at a resource supercedes any `Policy` set |
| # anywhere up the resource hierarchy. However, if `inherit_from_parent` is |
| # set to `true`, then the values from the effective `Policy` of the parent |
| # resource are inherited, meaning the values set in this `Policy` are |
| # added to the values inherited up the hierarchy. |
| # |
| # Setting `Policy` hierarchies that inherit both allowed values and denied |
| # values isn't recommended in most circumstances to keep the configuration |
| # simple and understandable. However, it is possible to set a `Policy` with |
| # `allowed_values` set that inherits a `Policy` with `denied_values` set. |
| # In this case, the values that are allowed must be in `allowed_values` and |
| # not present in `denied_values`. |
| # |
| # For example, suppose you have a `Constraint` |
| # `constraints/serviceuser.services`, which has a `constraint_type` of |
| # `list_constraint`, and with `constraint_default` set to `ALLOW`. |
| # Suppose that at the Organization level, a `Policy` is applied that |
| # restricts the allowed API activations to {`E1`, `E2`}. Then, if a |
| # `Policy` is applied to a project below the Organization that has |
| # `inherit_from_parent` set to `false` and field all_values set to DENY, |
| # then an attempt to activate any API will be denied. |
| # |
| # The following examples demonstrate different possible layerings: |
| # |
| # Example 1 (no inherited values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values:”E2”} |
| # ``projects/bar`` has `inherit_from_parent` `false` and values: |
| # {allowed_values: "E3" allowed_values: "E4"} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are `E3`, and `E4`. |
| # |
| # Example 2 (inherited values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values:”E2”} |
| # `projects/bar` has a `Policy` with values: |
| # {value: “E3” value: ”E4” inherit_from_parent: true} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`. |
| # |
| # Example 3 (inheriting both allowed and denied values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values: "E2"} |
| # `projects/bar` has a `Policy` with: |
| # {denied_values: "E1"} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The value accepted at `projects/bar` is `E2`. |
| # |
| # Example 4 (RestoreDefault): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values:”E2”} |
| # `projects/bar` has a `Policy` with values: |
| # {RestoreDefault: {}} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are either all or none depending on |
| # the value of `constraint_default` (if `ALLOW`, all; if |
| # `DENY`, none). |
| # |
| # Example 5 (no policy inherits parent policy): |
| # `organizations/foo` has no `Policy` set. |
| # `projects/bar` has no `Policy` set. |
| # The accepted values at both levels are either all or none depending on |
| # the value of `constraint_default` (if `ALLOW`, all; if |
| # `DENY`, none). |
| # |
| # Example 6 (ListConstraint allowing all): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values: ”E2”} |
| # `projects/bar` has a `Policy` with: |
| # {all: ALLOW} |
| # The accepted values at `organizations/foo` are `E1`, E2`. |
| # Any value is accepted at `projects/bar`. |
| # |
| # Example 7 (ListConstraint allowing none): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values: ”E2”} |
| # `projects/bar` has a `Policy` with: |
| # {all: DENY} |
| # The accepted values at `organizations/foo` are `E1`, E2`. |
| # No value is accepted at `projects/bar`. |
| "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration |
| # that matches the value specified in this `Policy`. If `suggested_value` |
| # is not set, it will inherit the value specified higher in the hierarchy, |
| # unless `inherit_from_parent` is `false`. |
| "deniedValues": [ # List of values denied at this resource. Can only be set if no values are |
| # set for `allowed_values` and `all_values` is set to |
| # `ALL_VALUES_UNSPECIFIED`. |
| "A String", |
| ], |
| }, |
| "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not. |
| # resource. |
| "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any |
| # configuration is acceptable. |
| # |
| # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess` |
| # with `constraint_default` set to `ALLOW`. A `Policy` for that |
| # `Constraint` exhibits the following behavior: |
| # - If the `Policy` at this resource has enforced set to `false`, serial |
| # port connection attempts will be allowed. |
| # - If the `Policy` at this resource has enforced set to `true`, serial |
| # port connection attempts will be refused. |
| # - If the `Policy` at this resource is `RestoreDefault`, serial port |
| # connection attempts will be allowed. |
| # - If no `Policy` is set at this resource or anywhere higher in the |
| # resource hierarchy, serial port connection attempts will be allowed. |
| # - If no `Policy` is set at this resource, but one exists higher in the |
| # resource hierarchy, the behavior is as if the`Policy` were set at |
| # this resource. |
| # |
| # The following examples demonstrate the different possible layerings: |
| # |
| # Example 1 (nearest `Constraint` wins): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: false} |
| # `projects/bar` has no `Policy` set. |
| # The constraint at `projects/bar` and `organizations/foo` will not be |
| # enforced. |
| # |
| # Example 2 (enforcement gets replaced): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: false} |
| # `projects/bar` has a `Policy` with: |
| # {enforced: true} |
| # The constraint at `organizations/foo` is not enforced. |
| # The constraint at `projects/bar` is enforced. |
| # |
| # Example 3 (RestoreDefault): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: true} |
| # `projects/bar` has a `Policy` with: |
| # {RestoreDefault: {}} |
| # The constraint at `organizations/foo` is enforced. |
| # The constraint at `projects/bar` is not enforced, because |
| # `constraint_default` for the `Constraint` is `ALLOW`. |
| }, |
| "version": 42, # Version of the `Policy`. Default version is 0; |
| "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for |
| # concurrency control. |
| # |
| # When the `Policy` is returned from either a `GetPolicy` or a |
| # `ListOrgPolicy` request, this `etag` indicates the version of the current |
| # `Policy` to use when executing a read-modify-write loop. |
| # |
| # When the `Policy` is returned from a `GetEffectivePolicy` request, the |
| # `etag` will be unset. |
| # |
| # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value |
| # that was returned from a `GetOrgPolicy` request as part of a |
| # read-modify-write loop for concurrency control. Not setting the `etag`in a |
| # `SetOrgPolicy` request will result in an unconditional write of the |
| # `Policy`. |
| }, |
| ], |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="listOrgPolicies_next">listOrgPolicies_next(previous_request, previous_response)</code> |
| <pre>Retrieves the next page of results. |
| |
| Args: |
| previous_request: The request for the previous page. (required) |
| previous_response: The response from the request for the previous page. (required) |
| |
| Returns: |
| A request object that you can call 'execute()' on to request the next |
| page. Returns None if there are no more items in the collection. |
| </pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="list_next">list_next(previous_request, previous_response)</code> |
| <pre>Retrieves the next page of results. |
| |
| Args: |
| previous_request: The request for the previous page. (required) |
| previous_response: The response from the request for the previous page. (required) |
| |
| Returns: |
| A request object that you can call 'execute()' on to request the next |
| page. Returns None if there are no more items in the collection. |
| </pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="setIamPolicy">setIamPolicy(resource, body, x__xgafv=None)</code> |
| <pre>Sets the IAM access control policy for the specified Project. Replaces |
| any existing policy. |
| |
| The following constraints apply when using `setIamPolicy()`: |
| |
| + Project does not support `allUsers` and `allAuthenticatedUsers` as |
| `members` in a `Binding` of a `Policy`. |
| |
| + The owner role can be granted only to `user` and `serviceAccount`. |
| |
| + Service accounts can be made owners of a project directly |
| without any restrictions. However, to be added as an owner, a user must be |
| invited via Cloud Platform console and must accept the invitation. |
| |
| + A user cannot be granted the owner role using `setIamPolicy()`. The user |
| must be granted the owner role using the Cloud Platform Console and must |
| explicitly accept the invitation. |
| |
| + Invitations to grant the owner role cannot be sent using |
| `setIamPolicy()`; |
| they must be sent only using the Cloud Platform Console. |
| |
| + Membership changes that leave the project without any owners that have |
| accepted the Terms of Service (ToS) will be rejected. |
| |
| + There must be at least one owner who has accepted the Terms of |
| Service (ToS) agreement in the policy. Calling `setIamPolicy()` to |
| remove the last ToS-accepted owner from the policy will fail. This |
| restriction also applies to legacy projects that no longer have owners |
| who have accepted the ToS. Edits to IAM policies will be rejected until |
| the lack of a ToS-accepting owner is rectified. |
| |
| + Calling this method requires enabling the App Engine Admin API. |
| |
| Note: Removing service accounts from policies or changing their roles |
| can render services completely inoperable. It is important to understand |
| how the service account is being used before removing or updating its |
| roles. |
| |
| Args: |
| resource: string, REQUIRED: The resource for which the policy is being specified. |
| See the operation documentation for the appropriate value for this field. (required) |
| body: object, The request body. (required) |
| The object takes the form of: |
| |
| { # Request message for `SetIamPolicy` method. |
| "policy": { # Defines an Identity and Access Management (IAM) policy. It is used to # REQUIRED: The complete policy to be applied to the `resource`. The size of |
| # the policy is limited to a few 10s of KB. An empty policy is a |
| # valid policy but certain Cloud Platform services (such as Projects) |
| # might reject them. |
| # specify access control policies for Cloud Platform resources. |
| # |
| # |
| # A `Policy` consists of a list of `bindings`. A `Binding` binds a list of |
| # `members` to a `role`, where the members can be user accounts, Google groups, |
| # Google domains, and service accounts. A `role` is a named list of permissions |
| # defined by IAM. |
| # |
| # **Example** |
| # |
| # { |
| # "bindings": [ |
| # { |
| # "role": "roles/owner", |
| # "members": [ |
| # "user:mike@example.com", |
| # "group:admins@example.com", |
| # "domain:google.com", |
| # "serviceAccount:my-other-app@appspot.gserviceaccount.com", |
| # ] |
| # }, |
| # { |
| # "role": "roles/viewer", |
| # "members": ["user:sean@example.com"] |
| # } |
| # ] |
| # } |
| # |
| # For a description of IAM and its features, see the |
| # [IAM developer's guide](https://cloud.google.com/iam). |
| "bindings": [ # Associates a list of `members` to a `role`. |
| # Multiple `bindings` must not be specified for the same `role`. |
| # `bindings` with no members will result in an error. |
| { # Associates `members` with a `role`. |
| "role": "A String", # Role that is assigned to `members`. |
| # For example, `roles/viewer`, `roles/editor`, or `roles/owner`. |
| # Required |
| "members": [ # Specifies the identities requesting access for a Cloud Platform resource. |
| # `members` can have the following values: |
| # |
| # * `allUsers`: A special identifier that represents anyone who is |
| # on the internet; with or without a Google account. |
| # |
| # * `allAuthenticatedUsers`: A special identifier that represents anyone |
| # who is authenticated with a Google account or a service account. |
| # |
| # * `user:{emailid}`: An email address that represents a specific Google |
| # account. For example, `alice@gmail.com` or `joe@example.com`. |
| # |
| # |
| # * `serviceAccount:{emailid}`: An email address that represents a service |
| # account. For example, `my-other-app@appspot.gserviceaccount.com`. |
| # |
| # * `group:{emailid}`: An email address that represents a Google group. |
| # For example, `admins@example.com`. |
| # |
| # |
| # * `domain:{domain}`: A Google Apps domain name that represents all the |
| # users of that domain. For example, `google.com` or `example.com`. |
| # |
| "A String", |
| ], |
| }, |
| ], |
| "auditConfigs": [ # Specifies cloud audit logging configuration for this policy. |
| { # Specifies the audit configuration for a service. |
| # The configuration determines which permission types are logged, and what |
| # identities, if any, are exempted from logging. |
| # An AuditConfig must have one or more AuditLogConfigs. |
| # |
| # If there are AuditConfigs for both `allServices` and a specific service, |
| # the union of the two AuditConfigs is used for that service: the log_types |
| # specified in each AuditConfig are enabled, and the exempted_members in each |
| # AuditConfig are exempted. |
| # |
| # Example Policy with multiple AuditConfigs: |
| # |
| # { |
| # "audit_configs": [ |
| # { |
| # "service": "allServices" |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ", |
| # "exempted_members": [ |
| # "user:foo@gmail.com" |
| # ] |
| # }, |
| # { |
| # "log_type": "DATA_WRITE", |
| # }, |
| # { |
| # "log_type": "ADMIN_READ", |
| # } |
| # ] |
| # }, |
| # { |
| # "service": "fooservice.googleapis.com" |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ", |
| # }, |
| # { |
| # "log_type": "DATA_WRITE", |
| # "exempted_members": [ |
| # "user:bar@gmail.com" |
| # ] |
| # } |
| # ] |
| # } |
| # ] |
| # } |
| # |
| # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ |
| # logging. It also exempts foo@gmail.com from DATA_READ logging, and |
| # bar@gmail.com from DATA_WRITE logging. |
| "auditLogConfigs": [ # The configuration for logging of each type of permission. |
| # Next ID: 4 |
| { # Provides the configuration for logging a type of permissions. |
| # Example: |
| # |
| # { |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ", |
| # "exempted_members": [ |
| # "user:foo@gmail.com" |
| # ] |
| # }, |
| # { |
| # "log_type": "DATA_WRITE", |
| # } |
| # ] |
| # } |
| # |
| # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting |
| # foo@gmail.com from DATA_READ logging. |
| "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of |
| # permission. |
| # Follows the same format of Binding.members. |
| "A String", |
| ], |
| "logType": "A String", # The log type that this config enables. |
| }, |
| ], |
| "service": "A String", # Specifies a service that will be enabled for audit logging. |
| # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. |
| # `allServices` is a special value that covers all services. |
| }, |
| ], |
| "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help |
| # prevent simultaneous updates of a policy from overwriting each other. |
| # It is strongly suggested that systems make use of the `etag` in the |
| # read-modify-write cycle to perform policy updates in order to avoid race |
| # conditions: An `etag` is returned in the response to `getIamPolicy`, and |
| # systems are expected to put that etag in the request to `setIamPolicy` to |
| # ensure that their change will be applied to the same version of the policy. |
| # |
| # If no `etag` is provided in the call to `setIamPolicy`, then the existing |
| # policy is overwritten blindly. |
| "version": 42, # Version of the `Policy`. The default version is 0. |
| }, |
| "updateMask": "A String", # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only |
| # the fields in the mask will be modified. If no mask is provided, the |
| # following default mask is used: |
| # paths: "bindings, etag" |
| # This field is only used by Cloud IAM. |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Defines an Identity and Access Management (IAM) policy. It is used to |
| # specify access control policies for Cloud Platform resources. |
| # |
| # |
| # A `Policy` consists of a list of `bindings`. A `Binding` binds a list of |
| # `members` to a `role`, where the members can be user accounts, Google groups, |
| # Google domains, and service accounts. A `role` is a named list of permissions |
| # defined by IAM. |
| # |
| # **Example** |
| # |
| # { |
| # "bindings": [ |
| # { |
| # "role": "roles/owner", |
| # "members": [ |
| # "user:mike@example.com", |
| # "group:admins@example.com", |
| # "domain:google.com", |
| # "serviceAccount:my-other-app@appspot.gserviceaccount.com", |
| # ] |
| # }, |
| # { |
| # "role": "roles/viewer", |
| # "members": ["user:sean@example.com"] |
| # } |
| # ] |
| # } |
| # |
| # For a description of IAM and its features, see the |
| # [IAM developer's guide](https://cloud.google.com/iam). |
| "bindings": [ # Associates a list of `members` to a `role`. |
| # Multiple `bindings` must not be specified for the same `role`. |
| # `bindings` with no members will result in an error. |
| { # Associates `members` with a `role`. |
| "role": "A String", # Role that is assigned to `members`. |
| # For example, `roles/viewer`, `roles/editor`, or `roles/owner`. |
| # Required |
| "members": [ # Specifies the identities requesting access for a Cloud Platform resource. |
| # `members` can have the following values: |
| # |
| # * `allUsers`: A special identifier that represents anyone who is |
| # on the internet; with or without a Google account. |
| # |
| # * `allAuthenticatedUsers`: A special identifier that represents anyone |
| # who is authenticated with a Google account or a service account. |
| # |
| # * `user:{emailid}`: An email address that represents a specific Google |
| # account. For example, `alice@gmail.com` or `joe@example.com`. |
| # |
| # |
| # * `serviceAccount:{emailid}`: An email address that represents a service |
| # account. For example, `my-other-app@appspot.gserviceaccount.com`. |
| # |
| # * `group:{emailid}`: An email address that represents a Google group. |
| # For example, `admins@example.com`. |
| # |
| # |
| # * `domain:{domain}`: A Google Apps domain name that represents all the |
| # users of that domain. For example, `google.com` or `example.com`. |
| # |
| "A String", |
| ], |
| }, |
| ], |
| "auditConfigs": [ # Specifies cloud audit logging configuration for this policy. |
| { # Specifies the audit configuration for a service. |
| # The configuration determines which permission types are logged, and what |
| # identities, if any, are exempted from logging. |
| # An AuditConfig must have one or more AuditLogConfigs. |
| # |
| # If there are AuditConfigs for both `allServices` and a specific service, |
| # the union of the two AuditConfigs is used for that service: the log_types |
| # specified in each AuditConfig are enabled, and the exempted_members in each |
| # AuditConfig are exempted. |
| # |
| # Example Policy with multiple AuditConfigs: |
| # |
| # { |
| # "audit_configs": [ |
| # { |
| # "service": "allServices" |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ", |
| # "exempted_members": [ |
| # "user:foo@gmail.com" |
| # ] |
| # }, |
| # { |
| # "log_type": "DATA_WRITE", |
| # }, |
| # { |
| # "log_type": "ADMIN_READ", |
| # } |
| # ] |
| # }, |
| # { |
| # "service": "fooservice.googleapis.com" |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ", |
| # }, |
| # { |
| # "log_type": "DATA_WRITE", |
| # "exempted_members": [ |
| # "user:bar@gmail.com" |
| # ] |
| # } |
| # ] |
| # } |
| # ] |
| # } |
| # |
| # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ |
| # logging. It also exempts foo@gmail.com from DATA_READ logging, and |
| # bar@gmail.com from DATA_WRITE logging. |
| "auditLogConfigs": [ # The configuration for logging of each type of permission. |
| # Next ID: 4 |
| { # Provides the configuration for logging a type of permissions. |
| # Example: |
| # |
| # { |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ", |
| # "exempted_members": [ |
| # "user:foo@gmail.com" |
| # ] |
| # }, |
| # { |
| # "log_type": "DATA_WRITE", |
| # } |
| # ] |
| # } |
| # |
| # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting |
| # foo@gmail.com from DATA_READ logging. |
| "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of |
| # permission. |
| # Follows the same format of Binding.members. |
| "A String", |
| ], |
| "logType": "A String", # The log type that this config enables. |
| }, |
| ], |
| "service": "A String", # Specifies a service that will be enabled for audit logging. |
| # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. |
| # `allServices` is a special value that covers all services. |
| }, |
| ], |
| "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help |
| # prevent simultaneous updates of a policy from overwriting each other. |
| # It is strongly suggested that systems make use of the `etag` in the |
| # read-modify-write cycle to perform policy updates in order to avoid race |
| # conditions: An `etag` is returned in the response to `getIamPolicy`, and |
| # systems are expected to put that etag in the request to `setIamPolicy` to |
| # ensure that their change will be applied to the same version of the policy. |
| # |
| # If no `etag` is provided in the call to `setIamPolicy`, then the existing |
| # policy is overwritten blindly. |
| "version": 42, # Version of the `Policy`. The default version is 0. |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="setOrgPolicy">setOrgPolicy(resource, body, x__xgafv=None)</code> |
| <pre>Updates the specified `Policy` on the resource. Creates a new `Policy` for |
| that `Constraint` on the resource if one does not exist. |
| |
| Not supplying an `etag` on the request `Policy` results in an unconditional |
| write of the `Policy`. |
| |
| Args: |
| resource: string, Resource name of the resource to attach the `Policy`. (required) |
| body: object, The request body. (required) |
| The object takes the form of: |
| |
| { # The request sent to the SetOrgPolicyRequest method. |
| "policy": { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` # `Policy` to set on the resource. |
| # for configurations of Cloud Platform resources. |
| "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the |
| # server, not specified by the caller, and represents the last time a call to |
| # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will |
| # be ignored. |
| "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example, |
| # `constraints/serviceuser.services`. |
| # |
| # Immutable after creation. |
| "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of |
| # `Constraint` type. |
| # `constraint_default` enforcement behavior of the specific `Constraint` at |
| # this resource. |
| # |
| # Suppose that `constraint_default` is set to `ALLOW` for the |
| # `Constraint` `constraints/serviceuser.services`. Suppose that organization |
| # foo.com sets a `Policy` at their Organization resource node that restricts |
| # the allowed service activations to deny all service activations. They |
| # could then set a `Policy` with the `policy_type` `restore_default` on |
| # several experimental projects, restoring the `constraint_default` |
| # enforcement of the `Constraint` for only those projects, allowing those |
| # projects to have all services activated. |
| }, |
| "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed. |
| # resource. |
| # |
| # A `ListPolicy` can define specific values that are allowed or denied by |
| # setting either the `allowed_values` or `denied_values` fields. It can also |
| # be used to allow or deny all values, by setting the `all_values` field. If |
| # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values` |
| # or `denied_values` must be set (attempting to set both or neither will |
| # result in a failed request). If `all_values` is set to either `ALLOW` or |
| # `DENY`, `allowed_values` and `denied_values` must be unset. |
| "allValues": "A String", # The policy all_values state. |
| "allowedValues": [ # List of values allowed at this resource. an only be set if no values are |
| # set for `denied_values` and `all_values` is set to |
| # `ALL_VALUES_UNSPECIFIED`. |
| "A String", |
| ], |
| "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`. |
| # |
| # By default, a `ListPolicy` set at a resource supercedes any `Policy` set |
| # anywhere up the resource hierarchy. However, if `inherit_from_parent` is |
| # set to `true`, then the values from the effective `Policy` of the parent |
| # resource are inherited, meaning the values set in this `Policy` are |
| # added to the values inherited up the hierarchy. |
| # |
| # Setting `Policy` hierarchies that inherit both allowed values and denied |
| # values isn't recommended in most circumstances to keep the configuration |
| # simple and understandable. However, it is possible to set a `Policy` with |
| # `allowed_values` set that inherits a `Policy` with `denied_values` set. |
| # In this case, the values that are allowed must be in `allowed_values` and |
| # not present in `denied_values`. |
| # |
| # For example, suppose you have a `Constraint` |
| # `constraints/serviceuser.services`, which has a `constraint_type` of |
| # `list_constraint`, and with `constraint_default` set to `ALLOW`. |
| # Suppose that at the Organization level, a `Policy` is applied that |
| # restricts the allowed API activations to {`E1`, `E2`}. Then, if a |
| # `Policy` is applied to a project below the Organization that has |
| # `inherit_from_parent` set to `false` and field all_values set to DENY, |
| # then an attempt to activate any API will be denied. |
| # |
| # The following examples demonstrate different possible layerings: |
| # |
| # Example 1 (no inherited values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values:”E2”} |
| # ``projects/bar`` has `inherit_from_parent` `false` and values: |
| # {allowed_values: "E3" allowed_values: "E4"} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are `E3`, and `E4`. |
| # |
| # Example 2 (inherited values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values:”E2”} |
| # `projects/bar` has a `Policy` with values: |
| # {value: “E3” value: ”E4” inherit_from_parent: true} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`. |
| # |
| # Example 3 (inheriting both allowed and denied values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values: "E2"} |
| # `projects/bar` has a `Policy` with: |
| # {denied_values: "E1"} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The value accepted at `projects/bar` is `E2`. |
| # |
| # Example 4 (RestoreDefault): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values:”E2”} |
| # `projects/bar` has a `Policy` with values: |
| # {RestoreDefault: {}} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are either all or none depending on |
| # the value of `constraint_default` (if `ALLOW`, all; if |
| # `DENY`, none). |
| # |
| # Example 5 (no policy inherits parent policy): |
| # `organizations/foo` has no `Policy` set. |
| # `projects/bar` has no `Policy` set. |
| # The accepted values at both levels are either all or none depending on |
| # the value of `constraint_default` (if `ALLOW`, all; if |
| # `DENY`, none). |
| # |
| # Example 6 (ListConstraint allowing all): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values: ”E2”} |
| # `projects/bar` has a `Policy` with: |
| # {all: ALLOW} |
| # The accepted values at `organizations/foo` are `E1`, E2`. |
| # Any value is accepted at `projects/bar`. |
| # |
| # Example 7 (ListConstraint allowing none): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values: ”E2”} |
| # `projects/bar` has a `Policy` with: |
| # {all: DENY} |
| # The accepted values at `organizations/foo` are `E1`, E2`. |
| # No value is accepted at `projects/bar`. |
| "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration |
| # that matches the value specified in this `Policy`. If `suggested_value` |
| # is not set, it will inherit the value specified higher in the hierarchy, |
| # unless `inherit_from_parent` is `false`. |
| "deniedValues": [ # List of values denied at this resource. Can only be set if no values are |
| # set for `allowed_values` and `all_values` is set to |
| # `ALL_VALUES_UNSPECIFIED`. |
| "A String", |
| ], |
| }, |
| "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not. |
| # resource. |
| "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any |
| # configuration is acceptable. |
| # |
| # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess` |
| # with `constraint_default` set to `ALLOW`. A `Policy` for that |
| # `Constraint` exhibits the following behavior: |
| # - If the `Policy` at this resource has enforced set to `false`, serial |
| # port connection attempts will be allowed. |
| # - If the `Policy` at this resource has enforced set to `true`, serial |
| # port connection attempts will be refused. |
| # - If the `Policy` at this resource is `RestoreDefault`, serial port |
| # connection attempts will be allowed. |
| # - If no `Policy` is set at this resource or anywhere higher in the |
| # resource hierarchy, serial port connection attempts will be allowed. |
| # - If no `Policy` is set at this resource, but one exists higher in the |
| # resource hierarchy, the behavior is as if the`Policy` were set at |
| # this resource. |
| # |
| # The following examples demonstrate the different possible layerings: |
| # |
| # Example 1 (nearest `Constraint` wins): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: false} |
| # `projects/bar` has no `Policy` set. |
| # The constraint at `projects/bar` and `organizations/foo` will not be |
| # enforced. |
| # |
| # Example 2 (enforcement gets replaced): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: false} |
| # `projects/bar` has a `Policy` with: |
| # {enforced: true} |
| # The constraint at `organizations/foo` is not enforced. |
| # The constraint at `projects/bar` is enforced. |
| # |
| # Example 3 (RestoreDefault): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: true} |
| # `projects/bar` has a `Policy` with: |
| # {RestoreDefault: {}} |
| # The constraint at `organizations/foo` is enforced. |
| # The constraint at `projects/bar` is not enforced, because |
| # `constraint_default` for the `Constraint` is `ALLOW`. |
| }, |
| "version": 42, # Version of the `Policy`. Default version is 0; |
| "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for |
| # concurrency control. |
| # |
| # When the `Policy` is returned from either a `GetPolicy` or a |
| # `ListOrgPolicy` request, this `etag` indicates the version of the current |
| # `Policy` to use when executing a read-modify-write loop. |
| # |
| # When the `Policy` is returned from a `GetEffectivePolicy` request, the |
| # `etag` will be unset. |
| # |
| # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value |
| # that was returned from a `GetOrgPolicy` request as part of a |
| # read-modify-write loop for concurrency control. Not setting the `etag`in a |
| # `SetOrgPolicy` request will result in an unconditional write of the |
| # `Policy`. |
| }, |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` |
| # for configurations of Cloud Platform resources. |
| "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the |
| # server, not specified by the caller, and represents the last time a call to |
| # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will |
| # be ignored. |
| "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example, |
| # `constraints/serviceuser.services`. |
| # |
| # Immutable after creation. |
| "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of |
| # `Constraint` type. |
| # `constraint_default` enforcement behavior of the specific `Constraint` at |
| # this resource. |
| # |
| # Suppose that `constraint_default` is set to `ALLOW` for the |
| # `Constraint` `constraints/serviceuser.services`. Suppose that organization |
| # foo.com sets a `Policy` at their Organization resource node that restricts |
| # the allowed service activations to deny all service activations. They |
| # could then set a `Policy` with the `policy_type` `restore_default` on |
| # several experimental projects, restoring the `constraint_default` |
| # enforcement of the `Constraint` for only those projects, allowing those |
| # projects to have all services activated. |
| }, |
| "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed. |
| # resource. |
| # |
| # A `ListPolicy` can define specific values that are allowed or denied by |
| # setting either the `allowed_values` or `denied_values` fields. It can also |
| # be used to allow or deny all values, by setting the `all_values` field. If |
| # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values` |
| # or `denied_values` must be set (attempting to set both or neither will |
| # result in a failed request). If `all_values` is set to either `ALLOW` or |
| # `DENY`, `allowed_values` and `denied_values` must be unset. |
| "allValues": "A String", # The policy all_values state. |
| "allowedValues": [ # List of values allowed at this resource. an only be set if no values are |
| # set for `denied_values` and `all_values` is set to |
| # `ALL_VALUES_UNSPECIFIED`. |
| "A String", |
| ], |
| "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`. |
| # |
| # By default, a `ListPolicy` set at a resource supercedes any `Policy` set |
| # anywhere up the resource hierarchy. However, if `inherit_from_parent` is |
| # set to `true`, then the values from the effective `Policy` of the parent |
| # resource are inherited, meaning the values set in this `Policy` are |
| # added to the values inherited up the hierarchy. |
| # |
| # Setting `Policy` hierarchies that inherit both allowed values and denied |
| # values isn't recommended in most circumstances to keep the configuration |
| # simple and understandable. However, it is possible to set a `Policy` with |
| # `allowed_values` set that inherits a `Policy` with `denied_values` set. |
| # In this case, the values that are allowed must be in `allowed_values` and |
| # not present in `denied_values`. |
| # |
| # For example, suppose you have a `Constraint` |
| # `constraints/serviceuser.services`, which has a `constraint_type` of |
| # `list_constraint`, and with `constraint_default` set to `ALLOW`. |
| # Suppose that at the Organization level, a `Policy` is applied that |
| # restricts the allowed API activations to {`E1`, `E2`}. Then, if a |
| # `Policy` is applied to a project below the Organization that has |
| # `inherit_from_parent` set to `false` and field all_values set to DENY, |
| # then an attempt to activate any API will be denied. |
| # |
| # The following examples demonstrate different possible layerings: |
| # |
| # Example 1 (no inherited values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values:”E2”} |
| # ``projects/bar`` has `inherit_from_parent` `false` and values: |
| # {allowed_values: "E3" allowed_values: "E4"} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are `E3`, and `E4`. |
| # |
| # Example 2 (inherited values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values:”E2”} |
| # `projects/bar` has a `Policy` with values: |
| # {value: “E3” value: ”E4” inherit_from_parent: true} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`. |
| # |
| # Example 3 (inheriting both allowed and denied values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values: "E2"} |
| # `projects/bar` has a `Policy` with: |
| # {denied_values: "E1"} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The value accepted at `projects/bar` is `E2`. |
| # |
| # Example 4 (RestoreDefault): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values:”E2”} |
| # `projects/bar` has a `Policy` with values: |
| # {RestoreDefault: {}} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are either all or none depending on |
| # the value of `constraint_default` (if `ALLOW`, all; if |
| # `DENY`, none). |
| # |
| # Example 5 (no policy inherits parent policy): |
| # `organizations/foo` has no `Policy` set. |
| # `projects/bar` has no `Policy` set. |
| # The accepted values at both levels are either all or none depending on |
| # the value of `constraint_default` (if `ALLOW`, all; if |
| # `DENY`, none). |
| # |
| # Example 6 (ListConstraint allowing all): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values: ”E2”} |
| # `projects/bar` has a `Policy` with: |
| # {all: ALLOW} |
| # The accepted values at `organizations/foo` are `E1`, E2`. |
| # Any value is accepted at `projects/bar`. |
| # |
| # Example 7 (ListConstraint allowing none): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values: ”E2”} |
| # `projects/bar` has a `Policy` with: |
| # {all: DENY} |
| # The accepted values at `organizations/foo` are `E1`, E2`. |
| # No value is accepted at `projects/bar`. |
| "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration |
| # that matches the value specified in this `Policy`. If `suggested_value` |
| # is not set, it will inherit the value specified higher in the hierarchy, |
| # unless `inherit_from_parent` is `false`. |
| "deniedValues": [ # List of values denied at this resource. Can only be set if no values are |
| # set for `allowed_values` and `all_values` is set to |
| # `ALL_VALUES_UNSPECIFIED`. |
| "A String", |
| ], |
| }, |
| "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not. |
| # resource. |
| "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any |
| # configuration is acceptable. |
| # |
| # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess` |
| # with `constraint_default` set to `ALLOW`. A `Policy` for that |
| # `Constraint` exhibits the following behavior: |
| # - If the `Policy` at this resource has enforced set to `false`, serial |
| # port connection attempts will be allowed. |
| # - If the `Policy` at this resource has enforced set to `true`, serial |
| # port connection attempts will be refused. |
| # - If the `Policy` at this resource is `RestoreDefault`, serial port |
| # connection attempts will be allowed. |
| # - If no `Policy` is set at this resource or anywhere higher in the |
| # resource hierarchy, serial port connection attempts will be allowed. |
| # - If no `Policy` is set at this resource, but one exists higher in the |
| # resource hierarchy, the behavior is as if the`Policy` were set at |
| # this resource. |
| # |
| # The following examples demonstrate the different possible layerings: |
| # |
| # Example 1 (nearest `Constraint` wins): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: false} |
| # `projects/bar` has no `Policy` set. |
| # The constraint at `projects/bar` and `organizations/foo` will not be |
| # enforced. |
| # |
| # Example 2 (enforcement gets replaced): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: false} |
| # `projects/bar` has a `Policy` with: |
| # {enforced: true} |
| # The constraint at `organizations/foo` is not enforced. |
| # The constraint at `projects/bar` is enforced. |
| # |
| # Example 3 (RestoreDefault): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: true} |
| # `projects/bar` has a `Policy` with: |
| # {RestoreDefault: {}} |
| # The constraint at `organizations/foo` is enforced. |
| # The constraint at `projects/bar` is not enforced, because |
| # `constraint_default` for the `Constraint` is `ALLOW`. |
| }, |
| "version": 42, # Version of the `Policy`. Default version is 0; |
| "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for |
| # concurrency control. |
| # |
| # When the `Policy` is returned from either a `GetPolicy` or a |
| # `ListOrgPolicy` request, this `etag` indicates the version of the current |
| # `Policy` to use when executing a read-modify-write loop. |
| # |
| # When the `Policy` is returned from a `GetEffectivePolicy` request, the |
| # `etag` will be unset. |
| # |
| # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value |
| # that was returned from a `GetOrgPolicy` request as part of a |
| # read-modify-write loop for concurrency control. Not setting the `etag`in a |
| # `SetOrgPolicy` request will result in an unconditional write of the |
| # `Policy`. |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="testIamPermissions">testIamPermissions(resource, body, x__xgafv=None)</code> |
| <pre>Returns permissions that a caller has on the specified Project. |
| |
| Args: |
| resource: string, REQUIRED: The resource for which the policy detail is being requested. |
| See the operation documentation for the appropriate value for this field. (required) |
| body: object, The request body. (required) |
| The object takes the form of: |
| |
| { # Request message for `TestIamPermissions` method. |
| "permissions": [ # The set of permissions to check for the `resource`. Permissions with |
| # wildcards (such as '*' or 'storage.*') are not allowed. For more |
| # information see |
| # [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions). |
| "A String", |
| ], |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Response message for `TestIamPermissions` method. |
| "permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is |
| # allowed. |
| "A String", |
| ], |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="undelete">undelete(projectId, body, x__xgafv=None)</code> |
| <pre>Restores the Project identified by the specified |
| `project_id` (for example, `my-project-123`). |
| You can only use this method for a Project that has a lifecycle state of |
| DELETE_REQUESTED. |
| After deletion starts, the Project cannot be restored. |
| |
| The caller must have modify permissions for this Project. |
| |
| Args: |
| projectId: string, The project ID (for example, `foo-bar-123`). |
| |
| Required. (required) |
| body: object, The request body. (required) |
| The object takes the form of: |
| |
| { # The request sent to the UndeleteProject |
| # method. |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # A generic empty message that you can re-use to avoid defining duplicated |
| # empty messages in your APIs. A typical example is to use it as the request |
| # or the response type of an API method. For instance: |
| # |
| # service Foo { |
| # rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); |
| # } |
| # |
| # The JSON representation for `Empty` is empty JSON object `{}`. |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="update">update(projectId, body, x__xgafv=None)</code> |
| <pre>Updates the attributes of the Project identified by the specified |
| `project_id` (for example, `my-project-123`). |
| |
| The caller must have modify permissions for this Project. |
| |
| Args: |
| projectId: string, The project ID (for example, `my-project-123`). |
| |
| Required. (required) |
| body: object, The request body. (required) |
| The object takes the form of: |
| |
| { # A Project is a high-level Google Cloud Platform entity. It is a |
| # container for ACLs, APIs, App Engine Apps, VMs, and other |
| # Google Cloud Platform resources. |
| "name": "A String", # The user-assigned display name of the Project. |
| # It must be 4 to 30 characters. |
| # Allowed characters are: lowercase and uppercase letters, numbers, |
| # hyphen, single-quote, double-quote, space, and exclamation point. |
| # |
| # Example: <code>My Project</code> |
| # Read-write. |
| "parent": { # A container to reference an id for any resource type. A `resource` in Google # An optional reference to a parent Resource. |
| # |
| # The only supported parent type is "organization". Once set, the parent |
| # cannot be modified. The `parent` can be set on creation or using the |
| # `UpdateProject` method; the end user must have the |
| # `resourcemanager.projects.create` permission on the parent. |
| # |
| # Read-write. |
| # Cloud Platform is a generic term for something you (a developer) may want to |
| # interact with through one of our API's. Some examples are an App Engine app, |
| # a Compute Engine instance, a Cloud SQL database, and so on. |
| "type": "A String", # Required field representing the resource type this id is for. |
| # At present, the valid types are: "organization" |
| "id": "A String", # Required field for the type-specific id. This should correspond to the id |
| # used in the type-specific API's. |
| }, |
| "projectId": "A String", # The unique, user-assigned ID of the Project. |
| # It must be 6 to 30 lowercase letters, digits, or hyphens. |
| # It must start with a letter. |
| # Trailing hyphens are prohibited. |
| # |
| # Example: <code>tokyo-rain-123</code> |
| # Read-only after creation. |
| "labels": { # The labels associated with this Project. |
| # |
| # Label keys must be between 1 and 63 characters long and must conform |
| # to the following regular expression: \[a-z\](\[-a-z0-9\]*\[a-z0-9\])?. |
| # |
| # Label values must be between 0 and 63 characters long and must conform |
| # to the regular expression (\[a-z\](\[-a-z0-9\]*\[a-z0-9\])?)?. |
| # |
| # No more than 256 labels can be associated with a given resource. |
| # |
| # Clients should store labels in a representation such as JSON that does not |
| # depend on specific characters being disallowed. |
| # |
| # Example: <code>"environment" : "dev"</code> |
| # Read-write. |
| "a_key": "A String", |
| }, |
| "createTime": "A String", # Creation time. |
| # |
| # Read-only. |
| "lifecycleState": "A String", # The Project lifecycle state. |
| # |
| # Read-only. |
| "projectNumber": "A String", # The number uniquely identifying the project. |
| # |
| # Example: <code>415104041262</code> |
| # Read-only. |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # A Project is a high-level Google Cloud Platform entity. It is a |
| # container for ACLs, APIs, App Engine Apps, VMs, and other |
| # Google Cloud Platform resources. |
| "name": "A String", # The user-assigned display name of the Project. |
| # It must be 4 to 30 characters. |
| # Allowed characters are: lowercase and uppercase letters, numbers, |
| # hyphen, single-quote, double-quote, space, and exclamation point. |
| # |
| # Example: <code>My Project</code> |
| # Read-write. |
| "parent": { # A container to reference an id for any resource type. A `resource` in Google # An optional reference to a parent Resource. |
| # |
| # The only supported parent type is "organization". Once set, the parent |
| # cannot be modified. The `parent` can be set on creation or using the |
| # `UpdateProject` method; the end user must have the |
| # `resourcemanager.projects.create` permission on the parent. |
| # |
| # Read-write. |
| # Cloud Platform is a generic term for something you (a developer) may want to |
| # interact with through one of our API's. Some examples are an App Engine app, |
| # a Compute Engine instance, a Cloud SQL database, and so on. |
| "type": "A String", # Required field representing the resource type this id is for. |
| # At present, the valid types are: "organization" |
| "id": "A String", # Required field for the type-specific id. This should correspond to the id |
| # used in the type-specific API's. |
| }, |
| "projectId": "A String", # The unique, user-assigned ID of the Project. |
| # It must be 6 to 30 lowercase letters, digits, or hyphens. |
| # It must start with a letter. |
| # Trailing hyphens are prohibited. |
| # |
| # Example: <code>tokyo-rain-123</code> |
| # Read-only after creation. |
| "labels": { # The labels associated with this Project. |
| # |
| # Label keys must be between 1 and 63 characters long and must conform |
| # to the following regular expression: \[a-z\](\[-a-z0-9\]*\[a-z0-9\])?. |
| # |
| # Label values must be between 0 and 63 characters long and must conform |
| # to the regular expression (\[a-z\](\[-a-z0-9\]*\[a-z0-9\])?)?. |
| # |
| # No more than 256 labels can be associated with a given resource. |
| # |
| # Clients should store labels in a representation such as JSON that does not |
| # depend on specific characters being disallowed. |
| # |
| # Example: <code>"environment" : "dev"</code> |
| # Read-write. |
| "a_key": "A String", |
| }, |
| "createTime": "A String", # Creation time. |
| # |
| # Read-only. |
| "lifecycleState": "A String", # The Project lifecycle state. |
| # |
| # Read-only. |
| "projectNumber": "A String", # The number uniquely identifying the project. |
| # |
| # Example: <code>415104041262</code> |
| # Read-only. |
| }</pre> |
| </div> |
| |
| </body></html> |