diff --git a/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/type/device_resources.proto b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/type/device_resources.proto
new file mode 100644
index 000000000000..3620c82dca95
--- /dev/null
+++ b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/type/device_resources.proto
@@ -0,0 +1,83 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.identity.accesscontextmanager.type;
+
+option csharp_namespace = "Google.Identity.AccessContextManager.Type";
+option go_package = "google.golang.org/genproto/googleapis/identity/accesscontextmanager/type";
+option java_package = "com.google.identity.accesscontextmanager.type";
+option java_multiple_files = true;
+option java_outer_classname = "TypeProto";
+option php_namespace = "Google\\Identity\\AccessContextManager\\Type";
+option ruby_package = "Google::Identity::AccessContextManager::Type";
+
+// The encryption state of the device.
+enum DeviceEncryptionStatus {
+ // The encryption status of the device is not specified or not known.
+ ENCRYPTION_UNSPECIFIED = 0;
+
+ // The device does not support encryption.
+ ENCRYPTION_UNSUPPORTED = 1;
+
+ // The device supports encryption, but is currently unencrypted.
+ UNENCRYPTED = 2;
+
+ // The device is encrypted.
+ ENCRYPTED = 3;
+}
+
+// The operating system type of the device.
+// Next id: 7
+enum OsType {
+ // The operating system of the device is not specified or not known.
+ OS_UNSPECIFIED = 0;
+
+ // A desktop Mac operating system.
+ DESKTOP_MAC = 1;
+
+ // A desktop Windows operating system.
+ DESKTOP_WINDOWS = 2;
+
+ // A desktop Linux operating system.
+ DESKTOP_LINUX = 3;
+
+ // A desktop ChromeOS operating system.
+ DESKTOP_CHROME_OS = 6;
+
+ // An Android operating system.
+ ANDROID = 4;
+
+ // An iOS operating system.
+ IOS = 5;
+}
+
+// The degree to which the device is managed by the Cloud organization.
+enum DeviceManagementLevel {
+ // The device's management level is not specified or not known.
+ MANAGEMENT_UNSPECIFIED = 0;
+
+ // The device is not managed.
+ NONE = 1;
+
+ // Basic management is enabled, which is generally limited to monitoring and
+ // wiping the corporate account.
+ BASIC = 2;
+
+ // Complete device management. This includes more thorough monitoring and the
+ // ability to directly manage the device (such as remote wiping). This can be
+ // enabled through the Android Enterprise Platform.
+ COMPLETE = 3;
+}
diff --git a/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/type/device_resources_pb2.py b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/type/device_resources_pb2.py
index 594894e11a6d..9aa7402f7788 100644
--- a/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/type/device_resources_pb2.py
+++ b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/type/device_resources_pb2.py
@@ -1,6 +1,6 @@ # -*- coding: utf-8 -*- -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@ # Generated by the protocol buffer compiler. DO NOT EDIT! # source: google/identity/accesscontextmanager/type/device_resources.proto +# Protobuf Python Version: 4.25.3 """Generated protocol buffer code.""" from google.protobuf import descriptor as _descriptor from google.protobuf import descriptor_pool as _descriptor_pool
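Review bot: The zero values `ENCRYPTION_UNSPECIFIED`, `OS_UNSPECIFIED` and `MANAGEMENT_UNSPECIFIED` in device_resources.proto are documented only as "not specified or not known", which leaves open how a policy check should treat them. In proto3 an enum field that was never set reads back as the zero value, so a device with no reported state is indistinguishable from one explicitly marked unspecified, and anything comparing these enums against a requirement should fail closed on it. I would extend each zero-value comment with a line such as `// Also the value of an unset field; treat as not meeting any requirement.` How the service itself evaluates these values is not visible in this diff, so that wording should be confirmed against the evaluator before it is added.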
@@ -39,8 +40,10 @@ _globals, ) if _descriptor._USE_C_DESCRIPTORS == False: - DESCRIPTOR._options = None - DESCRIPTOR._serialized_options = b"\n-com.google.identity.accesscontextmanager.typeB\tTypeProtoP\001ZHgoogle.golang.org/genproto/googleapis/identity/accesscontextmanager/type\252\002)Google.Identity.AccessContextManager.Type\312\002)Google\\Identity\\AccessContextManager\\Type\352\002,Google::Identity::AccessContextManager::Type" + _globals["DESCRIPTOR"]._options = None + _globals[ + "DESCRIPTOR" + ]._serialized_options = b"\n-com.google.identity.accesscontextmanager.typeB\tTypeProtoP\001ZHgoogle.golang.org/genproto/googleapis/identity/accesscontextmanager/type\252\002)Google.Identity.AccessContextManager.Type\312\002)Google\\Identity\\AccessContextManager\\Type\352\002,Google::Identity::AccessContextManager::Type" _globals["_DEVICEENCRYPTIONSTATUS"]._serialized_start = 111 _globals["_DEVICEENCRYPTIONSTATUS"]._serialized_end = 223 _globals["_OSTYPE"]._serialized_start = 226 diff --git a/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/type/device_resources_pb2.pyi b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/type/device_resources_pb2.pyi new file mode 100644 index 000000000000..f5a8839c970b --- /dev/null +++ b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/type/device_resources_pb2.pyi 
@@ -0,0 +1,60 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from typing import ClassVar as _ClassVar + +from google.protobuf import descriptor as _descriptor +from google.protobuf.internal import enum_type_wrapper as _enum_type_wrapper + +DESCRIPTOR: _descriptor.FileDescriptor + +class DeviceEncryptionStatus(int, metaclass=_enum_type_wrapper.EnumTypeWrapper): + __slots__ = () + ENCRYPTION_UNSPECIFIED: _ClassVar[DeviceEncryptionStatus] + ENCRYPTION_UNSUPPORTED: _ClassVar[DeviceEncryptionStatus] + UNENCRYPTED: _ClassVar[DeviceEncryptionStatus] + ENCRYPTED: _ClassVar[DeviceEncryptionStatus] + +class OsType(int, metaclass=_enum_type_wrapper.EnumTypeWrapper): + __slots__ = () + OS_UNSPECIFIED: _ClassVar[OsType] + DESKTOP_MAC: _ClassVar[OsType] + DESKTOP_WINDOWS: _ClassVar[OsType] + DESKTOP_LINUX: _ClassVar[OsType] + DESKTOP_CHROME_OS: _ClassVar[OsType] + ANDROID: _ClassVar[OsType] + IOS: _ClassVar[OsType] + +class DeviceManagementLevel(int, metaclass=_enum_type_wrapper.EnumTypeWrapper): + __slots__ = () + MANAGEMENT_UNSPECIFIED: _ClassVar[DeviceManagementLevel] + NONE: _ClassVar[DeviceManagementLevel] + BASIC: _ClassVar[DeviceManagementLevel] + COMPLETE: _ClassVar[DeviceManagementLevel] + +ENCRYPTION_UNSPECIFIED: DeviceEncryptionStatus +ENCRYPTION_UNSUPPORTED: DeviceEncryptionStatus +UNENCRYPTED: DeviceEncryptionStatus +ENCRYPTED: DeviceEncryptionStatus +OS_UNSPECIFIED: OsType +DESKTOP_MAC: OsType +DESKTOP_WINDOWS: OsType +DESKTOP_LINUX: 
OsType +DESKTOP_CHROME_OS: OsType +ANDROID: OsType +IOS: OsType +MANAGEMENT_UNSPECIFIED: DeviceManagementLevel +NONE: DeviceManagementLevel +BASIC: DeviceManagementLevel +COMPLETE: DeviceManagementLevel diff --git a/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/access_context_manager.proto b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/access_context_manager.proto new file mode 100644 index 000000000000..25b20d671c9d --- /dev/null +++ b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/access_context_manager.proto 
@@ -0,0 +1,986 @@ +// Copyright 2025 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.identity.accesscontextmanager.v1; + +import "google/api/annotations.proto"; +import "google/api/client.proto"; +import "google/api/field_behavior.proto"; +import "google/api/resource.proto"; +import "google/iam/v1/iam_policy.proto"; +import "google/iam/v1/policy.proto"; +import "google/identity/accesscontextmanager/v1/access_level.proto"; +import "google/identity/accesscontextmanager/v1/access_policy.proto"; +import "google/identity/accesscontextmanager/v1/gcp_user_access_binding.proto"; +import "google/identity/accesscontextmanager/v1/service_perimeter.proto"; +import "google/longrunning/operations.proto"; +import "google/protobuf/field_mask.proto"; + +option csharp_namespace = "Google.Identity.AccessContextManager.V1"; +option go_package = "cloud.google.com/go/accesscontextmanager/apiv1/accesscontextmanagerpb;accesscontextmanagerpb"; +option java_multiple_files = true; +option java_outer_classname = "AccessContextManagerProto"; +option java_package = "com.google.identity.accesscontextmanager.v1"; +option objc_class_prefix = "GACM"; +option php_namespace = "Google\\Identity\\AccessContextManager\\V1"; +option ruby_package = "Google::Identity::AccessContextManager::V1"; + +// API for setting [access levels] +// [google.identity.accesscontextmanager.v1.AccessLevel] and [service +// perimeters] 
[google.identity.accesscontextmanager.v1.ServicePerimeter] +// for Google Cloud projects. Each organization has one [access policy] +// [google.identity.accesscontextmanager.v1.AccessPolicy] that contains the +// [access levels] [google.identity.accesscontextmanager.v1.AccessLevel] +// and [service perimeters] +// [google.identity.accesscontextmanager.v1.ServicePerimeter]. This +// [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy] is +// applicable to all resources in the organization. +// AccessPolicies +service AccessContextManager { + option (google.api.default_host) = "accesscontextmanager.googleapis.com"; + option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform"; + + // Lists all [access policies] + // [google.identity.accesscontextmanager.v1.AccessPolicy] in an + // organization. + rpc ListAccessPolicies(ListAccessPoliciesRequest) returns (ListAccessPoliciesResponse) { + option (google.api.http) = { + get: "/v1/accessPolicies" + }; + } + + // Returns an [access policy] + // [google.identity.accesscontextmanager.v1.AccessPolicy] based on the name. + rpc GetAccessPolicy(GetAccessPolicyRequest) returns (AccessPolicy) { + option (google.api.http) = { + get: "/v1/{name=accessPolicies/*}" + }; + option (google.api.method_signature) = "name"; + } + + // Creates an access policy. This method fails if the organization already has + // an access policy. The long-running operation has a successful status + // after the access policy propagates to long-lasting storage. + // Syntactic and basic semantic errors are returned in `metadata` as a + // BadRequest proto. 
+ rpc CreateAccessPolicy(AccessPolicy) returns (google.longrunning.Operation) { + option (google.api.http) = { + post: "/v1/accessPolicies" + body: "*" + }; + option (google.longrunning.operation_info) = { + response_type: "AccessPolicy" + metadata_type: "AccessContextManagerOperationMetadata" + }; + } + + // Updates an [access policy] + // [google.identity.accesscontextmanager.v1.AccessPolicy]. The + // long-running operation from this RPC has a successful status after the + // changes to the [access policy] + // [google.identity.accesscontextmanager.v1.AccessPolicy] propagate + // to long-lasting storage. + rpc UpdateAccessPolicy(UpdateAccessPolicyRequest) returns (google.longrunning.Operation) { + option (google.api.http) = { + patch: "/v1/{policy.name=accessPolicies/*}" + body: "policy" + }; + option (google.api.method_signature) = "policy,update_mask"; + option (google.longrunning.operation_info) = { + response_type: "AccessPolicy" + metadata_type: "AccessContextManagerOperationMetadata" + }; + } + + // Deletes an [access policy] + // [google.identity.accesscontextmanager.v1.AccessPolicy] based on the + // resource name. The long-running operation has a successful status after the + // [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy] + // is removed from long-lasting storage. + rpc DeleteAccessPolicy(DeleteAccessPolicyRequest) returns (google.longrunning.Operation) { + option (google.api.http) = { + delete: "/v1/{name=accessPolicies/*}" + }; + option (google.api.method_signature) = "name"; + option (google.longrunning.operation_info) = { + response_type: "google.protobuf.Empty" + metadata_type: "AccessContextManagerOperationMetadata" + }; + } + + // Lists all [access levels] + // [google.identity.accesscontextmanager.v1.AccessLevel] for an access + // policy. 
+ rpc ListAccessLevels(ListAccessLevelsRequest) returns (ListAccessLevelsResponse) { + option (google.api.http) = { + get: "/v1/{parent=accessPolicies/*}/accessLevels" + }; + option (google.api.method_signature) = "parent"; + } + + // Gets an [access level] + // [google.identity.accesscontextmanager.v1.AccessLevel] based on the resource + // name. + rpc GetAccessLevel(GetAccessLevelRequest) returns (AccessLevel) { + option (google.api.http) = { + get: "/v1/{name=accessPolicies/*/accessLevels/*}" + }; + option (google.api.method_signature) = "name"; + } + + // Creates an [access level] + // [google.identity.accesscontextmanager.v1.AccessLevel]. The long-running + // operation from this RPC has a successful status after the [access + // level] [google.identity.accesscontextmanager.v1.AccessLevel] + // propagates to long-lasting storage. If [access levels] + // [google.identity.accesscontextmanager.v1.AccessLevel] contain + // errors, an error response is returned for the first error encountered. + rpc CreateAccessLevel(CreateAccessLevelRequest) returns (google.longrunning.Operation) { + option (google.api.http) = { + post: "/v1/{parent=accessPolicies/*}/accessLevels" + body: "access_level" + }; + option (google.api.method_signature) = "parent,access_level"; + option (google.longrunning.operation_info) = { + response_type: "AccessLevel" + metadata_type: "AccessContextManagerOperationMetadata" + }; + } + + // Updates an [access level] + // [google.identity.accesscontextmanager.v1.AccessLevel]. The long-running + // operation from this RPC has a successful status after the changes to + // the [access level] + // [google.identity.accesscontextmanager.v1.AccessLevel] propagate + // to long-lasting storage. If [access levels] + // [google.identity.accesscontextmanager.v1.AccessLevel] contain + // errors, an error response is returned for the first error encountered. 
+ rpc UpdateAccessLevel(UpdateAccessLevelRequest) returns (google.longrunning.Operation) { + option (google.api.http) = { + patch: "/v1/{access_level.name=accessPolicies/*/accessLevels/*}" + body: "access_level" + }; + option (google.api.method_signature) = "access_level,update_mask"; + option (google.longrunning.operation_info) = { + response_type: "AccessLevel" + metadata_type: "AccessContextManagerOperationMetadata" + }; + } + + // Deletes an [access level] + // [google.identity.accesscontextmanager.v1.AccessLevel] based on the resource + // name. The long-running operation from this RPC has a successful status + // after the [access level] + // [google.identity.accesscontextmanager.v1.AccessLevel] has been removed + // from long-lasting storage. + rpc DeleteAccessLevel(DeleteAccessLevelRequest) returns (google.longrunning.Operation) { + option (google.api.http) = { + delete: "/v1/{name=accessPolicies/*/accessLevels/*}" + }; + option (google.api.method_signature) = "name"; + option (google.longrunning.operation_info) = { + response_type: "google.protobuf.Empty" + metadata_type: "AccessContextManagerOperationMetadata" + }; + } + + // Replaces all existing [access levels] + // [google.identity.accesscontextmanager.v1.AccessLevel] in an [access + // policy] [google.identity.accesscontextmanager.v1.AccessPolicy] with + // the [access levels] + // [google.identity.accesscontextmanager.v1.AccessLevel] provided. This + // is done atomically. The long-running operation from this RPC has a + // successful status after all replacements propagate to long-lasting + // storage. If the replacement contains errors, an error response is returned + // for the first error encountered. Upon error, the replacement is cancelled, + // and existing [access levels] + // [google.identity.accesscontextmanager.v1.AccessLevel] are not + // affected. The Operation.response field contains + // ReplaceAccessLevelsResponse. 
Removing [access levels] + // [google.identity.accesscontextmanager.v1.AccessLevel] contained in existing + // [service perimeters] + // [google.identity.accesscontextmanager.v1.ServicePerimeter] result in an + // error. + rpc ReplaceAccessLevels(ReplaceAccessLevelsRequest) returns (google.longrunning.Operation) { + option (google.api.http) = { + post: "/v1/{parent=accessPolicies/*}/accessLevels:replaceAll" + body: "*" + }; + option (google.longrunning.operation_info) = { + response_type: "ReplaceAccessLevelsResponse" + metadata_type: "AccessContextManagerOperationMetadata" + }; + } + + // Lists all [service perimeters] + // [google.identity.accesscontextmanager.v1.ServicePerimeter] for an + // access policy. + rpc ListServicePerimeters(ListServicePerimetersRequest) returns (ListServicePerimetersResponse) { + option (google.api.http) = { + get: "/v1/{parent=accessPolicies/*}/servicePerimeters" + }; + option (google.api.method_signature) = "parent"; + } + + // Gets a [service perimeter] + // [google.identity.accesscontextmanager.v1.ServicePerimeter] based on the + // resource name. + rpc GetServicePerimeter(GetServicePerimeterRequest) returns (ServicePerimeter) { + option (google.api.http) = { + get: "/v1/{name=accessPolicies/*/servicePerimeters/*}" + }; + option (google.api.method_signature) = "name"; + } + + // Creates a [service perimeter] + // [google.identity.accesscontextmanager.v1.ServicePerimeter]. The + // long-running operation from this RPC has a successful status after the + // [service perimeter] + // [google.identity.accesscontextmanager.v1.ServicePerimeter] + // propagates to long-lasting storage. If a [service perimeter] + // [google.identity.accesscontextmanager.v1.ServicePerimeter] contains + // errors, an error response is returned for the first error encountered. 
+ rpc CreateServicePerimeter(CreateServicePerimeterRequest) returns (google.longrunning.Operation) { + option (google.api.http) = { + post: "/v1/{parent=accessPolicies/*}/servicePerimeters" + body: "service_perimeter" + }; + option (google.api.method_signature) = "parent,service_perimeter"; + option (google.longrunning.operation_info) = { + response_type: "ServicePerimeter" + metadata_type: "AccessContextManagerOperationMetadata" + }; + } + + // Updates a [service perimeter] + // [google.identity.accesscontextmanager.v1.ServicePerimeter]. The + // long-running operation from this RPC has a successful status after the + // [service perimeter] + // [google.identity.accesscontextmanager.v1.ServicePerimeter] + // propagates to long-lasting storage. If a [service perimeter] + // [google.identity.accesscontextmanager.v1.ServicePerimeter] contains + // errors, an error response is returned for the first error encountered. + rpc UpdateServicePerimeter(UpdateServicePerimeterRequest) returns (google.longrunning.Operation) { + option (google.api.http) = { + patch: "/v1/{service_perimeter.name=accessPolicies/*/servicePerimeters/*}" + body: "service_perimeter" + }; + option (google.api.method_signature) = "service_perimeter,update_mask"; + option (google.longrunning.operation_info) = { + response_type: "ServicePerimeter" + metadata_type: "AccessContextManagerOperationMetadata" + }; + } + + // Deletes a [service perimeter] + // [google.identity.accesscontextmanager.v1.ServicePerimeter] based on the + // resource name. The long-running operation from this RPC has a successful + // status after the [service perimeter] + // [google.identity.accesscontextmanager.v1.ServicePerimeter] is removed from + // long-lasting storage. 
+ rpc DeleteServicePerimeter(DeleteServicePerimeterRequest) returns (google.longrunning.Operation) { + option (google.api.http) = { + delete: "/v1/{name=accessPolicies/*/servicePerimeters/*}" + }; + option (google.api.method_signature) = "name"; + option (google.longrunning.operation_info) = { + response_type: "google.protobuf.Empty" + metadata_type: "AccessContextManagerOperationMetadata" + }; + } + + // Replace all existing [service perimeters] + // [google.identity.accesscontextmanager.v1.ServicePerimeter] in an [access + // policy] [google.identity.accesscontextmanager.v1.AccessPolicy] with the + // [service perimeters] + // [google.identity.accesscontextmanager.v1.ServicePerimeter] provided. This + // is done atomically. The long-running operation from this RPC has a + // successful status after all replacements propagate to long-lasting storage. + // Replacements containing errors result in an error response for the first + // error encountered. Upon an error, replacement are cancelled and existing + // [service perimeters] + // [google.identity.accesscontextmanager.v1.ServicePerimeter] are not + // affected. The Operation.response field contains + // ReplaceServicePerimetersResponse. + rpc ReplaceServicePerimeters(ReplaceServicePerimetersRequest) returns (google.longrunning.Operation) { + option (google.api.http) = { + post: "/v1/{parent=accessPolicies/*}/servicePerimeters:replaceAll" + body: "*" + }; + option (google.longrunning.operation_info) = { + response_type: "ReplaceServicePerimetersResponse" + metadata_type: "AccessContextManagerOperationMetadata" + }; + } + + // Commits the dry-run specification for all the [service perimeters] + // [google.identity.accesscontextmanager.v1.ServicePerimeter] in an + // [access policy][google.identity.accesscontextmanager.v1.AccessPolicy]. + // A commit operation on a service perimeter involves copying its `spec` field + // to the `status` field of the service perimeter. 
Only [service perimeters] + // [google.identity.accesscontextmanager.v1.ServicePerimeter] with + // `use_explicit_dry_run_spec` field set to true are affected by a commit + // operation. The long-running operation from this RPC has a successful + // status after the dry-run specifications for all the [service perimeters] + // [google.identity.accesscontextmanager.v1.ServicePerimeter] have been + // committed. If a commit fails, it causes the long-running operation to + // return an error response and the entire commit operation is cancelled. + // When successful, the Operation.response field contains + // CommitServicePerimetersResponse. The `dry_run` and the `spec` fields are + // cleared after a successful commit operation. + rpc CommitServicePerimeters(CommitServicePerimetersRequest) returns (google.longrunning.Operation) { + option (google.api.http) = { + post: "/v1/{parent=accessPolicies/*}/servicePerimeters:commit" + body: "*" + }; + option (google.longrunning.operation_info) = { + response_type: "CommitServicePerimetersResponse" + metadata_type: "AccessContextManagerOperationMetadata" + }; + } + + // Lists all [GcpUserAccessBindings] + // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding] for a + // Google Cloud organization. + rpc ListGcpUserAccessBindings(ListGcpUserAccessBindingsRequest) returns (ListGcpUserAccessBindingsResponse) { + option (google.api.http) = { + get: "/v1/{parent=organizations/*}/gcpUserAccessBindings" + }; + option (google.api.method_signature) = "parent"; + } + + // Gets the [GcpUserAccessBinding] + // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding] with + // the given name. 
+ rpc GetGcpUserAccessBinding(GetGcpUserAccessBindingRequest) returns (GcpUserAccessBinding) { + option (google.api.http) = { + get: "/v1/{name=organizations/*/gcpUserAccessBindings/*}" + }; + option (google.api.method_signature) = "name"; + } + + // Creates a [GcpUserAccessBinding] + // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding]. If the + // client specifies a [name] + // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.name], + // the server ignores it. Fails if a resource already exists with the same + // [group_key] + // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.group_key]. + // Completion of this long-running operation does not necessarily signify that + // the new binding is deployed onto all affected users, which may take more + // time. + rpc CreateGcpUserAccessBinding(CreateGcpUserAccessBindingRequest) returns (google.longrunning.Operation) { + option (google.api.http) = { + post: "/v1/{parent=organizations/*}/gcpUserAccessBindings" + body: "gcp_user_access_binding" + }; + option (google.api.method_signature) = "parent,gcp_user_access_binding"; + option (google.longrunning.operation_info) = { + response_type: "GcpUserAccessBinding" + metadata_type: "GcpUserAccessBindingOperationMetadata" + }; + } + + // Updates a [GcpUserAccessBinding] + // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding]. + // Completion of this long-running operation does not necessarily signify that + // the changed binding is deployed onto all affected users, which may take + // more time. 
+ rpc UpdateGcpUserAccessBinding(UpdateGcpUserAccessBindingRequest) returns (google.longrunning.Operation) { + option (google.api.http) = { + patch: "/v1/{gcp_user_access_binding.name=organizations/*/gcpUserAccessBindings/*}" + body: "gcp_user_access_binding" + }; + option (google.api.method_signature) = "gcp_user_access_binding,update_mask"; + option (google.longrunning.operation_info) = { + response_type: "GcpUserAccessBinding" + metadata_type: "GcpUserAccessBindingOperationMetadata" + }; + } + + // Deletes a [GcpUserAccessBinding] + // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding]. + // Completion of this long-running operation does not necessarily signify that + // the binding deletion is deployed onto all affected users, which may take + // more time. + rpc DeleteGcpUserAccessBinding(DeleteGcpUserAccessBindingRequest) returns (google.longrunning.Operation) { + option (google.api.http) = { + delete: "/v1/{name=organizations/*/gcpUserAccessBindings/*}" + }; + option (google.api.method_signature) = "name"; + option (google.longrunning.operation_info) = { + response_type: "google.protobuf.Empty" + metadata_type: "GcpUserAccessBindingOperationMetadata" + }; + } + + // Sets the IAM policy for the specified Access Context Manager + // [access policy][google.identity.accesscontextmanager.v1.AccessPolicy]. + // This method replaces the existing IAM policy on the access policy. The IAM + // policy controls the set of users who can perform specific operations on the + // Access Context Manager [access + // policy][google.identity.accesscontextmanager.v1.AccessPolicy]. + rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy) { + option (google.api.http) = { + post: "/v1/{resource=accessPolicies/*}:setIamPolicy" + body: "*" + }; + } + + // Gets the IAM policy for the specified Access Context Manager + // [access policy][google.identity.accesscontextmanager.v1.AccessPolicy]. 
+ rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy) { + option (google.api.http) = { + post: "/v1/{resource=accessPolicies/*}:getIamPolicy" + body: "*" + }; + } + + // Returns the IAM permissions that the caller has on the specified Access + // Context Manager resource. The resource can be an + // [AccessPolicy][google.identity.accesscontextmanager.v1.AccessPolicy], + // [AccessLevel][google.identity.accesscontextmanager.v1.AccessLevel], or + // [ServicePerimeter][google.identity.accesscontextmanager.v1.ServicePerimeter + // ]. This method does not support other resources. + rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse) { + option (google.api.http) = { + post: "/v1/{resource=accessPolicies/*}:testIamPermissions" + body: "*" + additional_bindings { + post: "/v1/{resource=accessPolicies/*/accessLevels/*}:testIamPermissions" + body: "*" + } + additional_bindings { + post: "/v1/{resource=accessPolicies/*/servicePerimeters/*}:testIamPermissions" + body: "*" + } + }; + } +} + +// A request to list all `AccessPolicies` for a container. +message ListAccessPoliciesRequest { + // Required. Resource name for the container to list AccessPolicy instances + // from. + // + // Format: + // `organizations/{org_id}` + string parent = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "cloudresourcemanager.googleapis.com/Organization" + } + ]; + + // Number of AccessPolicy instances to include in the list. Default 100. + int32 page_size = 2; + + // Next page token for the next batch of AccessPolicy instances. Defaults to + // the first page of results. + string page_token = 3; +} + +// A response to `ListAccessPoliciesRequest`. +message ListAccessPoliciesResponse { + // List of the AccessPolicy instances. + repeated AccessPolicy access_policies = 1; + + // The pagination token to retrieve the next page of results. 
If the value is + // empty, no further results remain. + string next_page_token = 2; +} + +// A request to get a particular `AccessPolicy`. +message GetAccessPolicyRequest { + // Required. Resource name for the access policy to get. + // + // Format `accessPolicies/{policy_id}` + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "accesscontextmanager.googleapis.com/AccessPolicy" + } + ]; +} + +// A request to update an `AccessPolicy`. +message UpdateAccessPolicyRequest { + // Required. The updated AccessPolicy. + AccessPolicy policy = 1 [(google.api.field_behavior) = REQUIRED]; + + // Required. Mask to control which fields get updated. Must be non-empty. + google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED]; +} + +// A request to delete an `AccessPolicy`. +message DeleteAccessPolicyRequest { + // Required. Resource name for the access policy to delete. + // + // Format `accessPolicies/{policy_id}` + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "accesscontextmanager.googleapis.com/AccessPolicy" + } + ]; +} + +// A request to list all `AccessLevels` in an `AccessPolicy`. +message ListAccessLevelsRequest { + // Required. Resource name for the access policy to list [Access Levels] + // [google.identity.accesscontextmanager.v1.AccessLevel] from. + // + // Format: + // `accessPolicies/{policy_id}` + string parent = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + child_type: "accesscontextmanager.googleapis.com/AccessLevel" + } + ]; + + // Number of [Access Levels] + // [google.identity.accesscontextmanager.v1.AccessLevel] to include in + // the list. Default 100. + int32 page_size = 2; + + // Next page token for the next batch of [Access Level] + // [google.identity.accesscontextmanager.v1.AccessLevel] instances. + // Defaults to the first page of results. 
+ string page_token = 3;
+
+ // Whether to return `BasicLevels` in the Cloud Common Expression language, as
+ // `CustomLevels`, rather than as `BasicLevels`. Defaults to returning
+ // `AccessLevels` in the format they were defined.
+ LevelFormat access_level_format = 4;
+}
+
+// A response to `ListAccessLevelsRequest`.
+message ListAccessLevelsResponse {
+ // List of the [Access Level]
+ // [google.identity.accesscontextmanager.v1.AccessLevel] instances.
+ repeated AccessLevel access_levels = 1;
+
+ // The pagination token to retrieve the next page of results. If the value is
+ // empty, no further results remain.
+ string next_page_token = 2;
+}
+
+// A request to get a particular `AccessLevel`.
+message GetAccessLevelRequest {
+ // Required. Resource name for the [Access Level]
+ // [google.identity.accesscontextmanager.v1.AccessLevel].
+ //
+ // Format:
+ // `accessPolicies/{policy_id}/accessLevels/{access_level_id}`
+ string name = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "accesscontextmanager.googleapis.com/AccessLevel"
+ }
+ ];
+
+ // Whether to return `BasicLevels` in the Cloud Common Expression
+ // Language rather than as `BasicLevels`. Defaults to AS_DEFINED, where
+ // [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel]
+ // are returned as `BasicLevels` or `CustomLevels` based on how they were
+ // created. If set to CEL, all [Access Levels]
+ // [google.identity.accesscontextmanager.v1.AccessLevel] are returned as
+ // `CustomLevels`. In the CEL case, `BasicLevels` are translated to equivalent
+ // `CustomLevels`.
+ LevelFormat access_level_format = 2;
+}
+
+// A request to create an `AccessLevel`.
+message CreateAccessLevelRequest {
+ // Required. Resource name for the access policy which owns this [Access
+ // Level] [google.identity.accesscontextmanager.v1.AccessLevel].
+ //
+ // Format: `accessPolicies/{policy_id}`
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ child_type: "accesscontextmanager.googleapis.com/AccessLevel"
+ }
+ ];
+
+ // Required. The [Access Level]
+ // [google.identity.accesscontextmanager.v1.AccessLevel] to create.
+ // Syntactic correctness of the [Access Level]
+ // [google.identity.accesscontextmanager.v1.AccessLevel] is a
+ // precondition for creation.
+ AccessLevel access_level = 2 [(google.api.field_behavior) = REQUIRED];
+}
+
+// A request to update an `AccessLevel`.
+message UpdateAccessLevelRequest {
+ // Required. The updated [Access Level]
+ // [google.identity.accesscontextmanager.v1.AccessLevel]. Syntactic
+ // correctness of the [Access Level]
+ // [google.identity.accesscontextmanager.v1.AccessLevel] is a
+ // precondition for creation.
+ AccessLevel access_level = 1 [(google.api.field_behavior) = REQUIRED];
+
+ // Required. Mask to control which fields get updated. Must be non-empty.
+ google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
+}
+
+// A request to delete an `AccessLevel`.
+message DeleteAccessLevelRequest {
+ // Required. Resource name for the [Access Level]
+ // [google.identity.accesscontextmanager.v1.AccessLevel].
+ //
+ // Format:
+ // `accessPolicies/{policy_id}/accessLevels/{access_level_id}`
+ string name = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "accesscontextmanager.googleapis.com/AccessLevel"
+ }
+ ];
+}
+
+// A request to replace all existing Access Levels in an Access Policy with
+// the Access Levels provided. This is done atomically.
+message ReplaceAccessLevelsRequest {
+ // Required. Resource name for the access policy which owns these
+ // [Access Levels]
+ // [google.identity.accesscontextmanager.v1.AccessLevel].
+ //
+ // Format: `accessPolicies/{policy_id}`
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ child_type: "accesscontextmanager.googleapis.com/AccessLevel"
+ }
+ ];
+
+ // Required. The desired [Access Levels]
+ // [google.identity.accesscontextmanager.v1.AccessLevel] that should
+ // replace all existing [Access Levels]
+ // [google.identity.accesscontextmanager.v1.AccessLevel] in the
+ // [Access Policy]
+ // [google.identity.accesscontextmanager.v1.AccessPolicy].
+ repeated AccessLevel access_levels = 2 [(google.api.field_behavior) = REQUIRED];
+
+ // Optional. The etag for the version of the [Access Policy]
+ // [google.identity.accesscontextmanager.v1.AccessPolicy] that this
+ // replace operation is to be performed on. If, at the time of replace, the
+ // etag for the Access Policy stored in Access Context Manager is different
+ // from the specified etag, then the replace operation will not be performed
+ // and the call will fail. This field is not required. If etag is not
+ // provided, the operation will be performed as if a valid etag is provided.
+ string etag = 4;
+}
+
+// A response to ReplaceAccessLevelsRequest. This will be put inside of
+// Operation.response field.
+message ReplaceAccessLevelsResponse {
+ // List of the [Access Level]
+ // [google.identity.accesscontextmanager.v1.AccessLevel] instances.
+ repeated AccessLevel access_levels = 1;
+}
+
+// A request to list all `ServicePerimeters` in an `AccessPolicy`.
+message ListServicePerimetersRequest {
+ // Required. Resource name for the access policy to list [Service Perimeters]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeter] from.
+ //
+ // Format:
+ // `accessPolicies/{policy_id}`
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ child_type: "accesscontextmanager.googleapis.com/ServicePerimeter"
+ }
+ ];
+
+ // Number of [Service Perimeters]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeter] to include
+ // in the list. Default 100.
+ int32 page_size = 2;
+
+ // Next page token for the next batch of [Service Perimeter]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeter] instances.
+ // Defaults to the first page of results.
+ string page_token = 3;
+}
+
+// A response to `ListServicePerimetersRequest`.
+message ListServicePerimetersResponse {
+ // List of the [Service Perimeter]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeter] instances.
+ repeated ServicePerimeter service_perimeters = 1;
+
+ // The pagination token to retrieve the next page of results. If the value is
+ // empty, no further results remain.
+ string next_page_token = 2;
+}
+
+// A request to get a particular `ServicePerimeter`.
+message GetServicePerimeterRequest {
+ // Required. Resource name for the [Service Perimeter]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeter].
+ //
+ // Format:
+ // `accessPolicies/{policy_id}/servicePerimeters/{service_perimeters_id}`
+ string name = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "accesscontextmanager.googleapis.com/ServicePerimeter"
+ }
+ ];
+}
+
+// A request to create a `ServicePerimeter`.
+message CreateServicePerimeterRequest {
+ // Required. Resource name for the access policy which owns this [Service
+ // Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter].
+ //
+ // Format: `accessPolicies/{policy_id}`
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ child_type: "accesscontextmanager.googleapis.com/ServicePerimeter"
+ }
+ ];
+
+ // Required. The [Service Perimeter]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeter] to create.
+ // Syntactic correctness of the [Service Perimeter]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeter] is a
+ // precondition for creation.
+ ServicePerimeter service_perimeter = 2 [(google.api.field_behavior) = REQUIRED];
+}
+
+// A request to update a `ServicePerimeter`.
+message UpdateServicePerimeterRequest {
+ // Required. The updated `ServicePerimeter`. Syntactic correctness of the
+ // `ServicePerimeter` is a precondition for creation.
+ ServicePerimeter service_perimeter = 1 [(google.api.field_behavior) = REQUIRED];
+
+ // Required. Mask to control which fields get updated. Must be non-empty.
+ google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
+}
+
+// A request to delete a `ServicePerimeter`.
+message DeleteServicePerimeterRequest {
+ // Required. Resource name for the [Service Perimeter]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeter].
+ //
+ // Format:
+ // `accessPolicies/{policy_id}/servicePerimeters/{service_perimeter_id}`
+ string name = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "accesscontextmanager.googleapis.com/ServicePerimeter"
+ }
+ ];
+}
+
+// A request to replace all existing Service Perimeters in an Access Policy
+// with the Service Perimeters provided. This is done atomically.
+message ReplaceServicePerimetersRequest {
+ // Required. Resource name for the access policy which owns these
+ // [Service Perimeters]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeter].
+ //
+ // Format: `accessPolicies/{policy_id}`
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ child_type: "accesscontextmanager.googleapis.com/ServicePerimeter"
+ }
+ ];
+
+ // Required. The desired [Service Perimeters]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeter] that should
+ // replace all existing [Service Perimeters]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeter] in the
+ // [Access Policy]
+ // [google.identity.accesscontextmanager.v1.AccessPolicy].
+ repeated ServicePerimeter service_perimeters = 2 [(google.api.field_behavior) = REQUIRED];
+
+ // Optional. The etag for the version of the [Access Policy]
+ // [google.identity.accesscontextmanager.v1.AccessPolicy] that this
+ // replace operation is to be performed on. If, at the time of replace, the
+ // etag for the Access Policy stored in Access Context Manager is different
+ // from the specified etag, then the replace operation will not be performed
+ // and the call will fail. This field is not required. If etag is not
+ // provided, the operation will be performed as if a valid etag is provided.
+ string etag = 3;
+}
+
+// A response to ReplaceServicePerimetersRequest. This will be put inside of
+// Operation.response field.
+message ReplaceServicePerimetersResponse {
+ // List of the [Service Perimeter]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeter] instances.
+ repeated ServicePerimeter service_perimeters = 1;
+}
+
+// A request to commit dry-run specs in all [Service Perimeters]
+// [google.identity.accesscontextmanager.v1.ServicePerimeter] belonging to
+// an [Access Policy][google.identity.accesscontextmanager.v1.AccessPolicy].
+message CommitServicePerimetersRequest {
+ // Required. Resource name for the parent [Access Policy]
+ // [google.identity.accesscontextmanager.v1.AccessPolicy] which owns all
+ // [Service Perimeters]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeter] in scope for
+ // the commit operation.
+ //
+ // Format: `accessPolicies/{policy_id}`
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ child_type: "accesscontextmanager.googleapis.com/ServicePerimeter"
+ }
+ ];
+
+ // Optional. The etag for the version of the [Access Policy]
+ // [google.identity.accesscontextmanager.v1.AccessPolicy] that this
+ // commit operation is to be performed on. If, at the time of commit, the
+ // etag for the Access Policy stored in Access Context Manager is different
+ // from the specified etag, then the commit operation will not be performed
+ // and the call will fail. This field is not required. If etag is not
+ // provided, the operation will be performed as if a valid etag is provided.
+ string etag = 2;
+}
+
+// A response to CommitServicePerimetersRequest. This will be put inside of
+// Operation.response field.
+message CommitServicePerimetersResponse {
+ // List of all the [Service Perimeter]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeter] instances in
+ // the [Access Policy]
+ // [google.identity.accesscontextmanager.v1.AccessPolicy].
+ repeated ServicePerimeter service_perimeters = 1;
+}
+
+// The format used in an `AccessLevel`.
+enum LevelFormat {
+ // The format was not specified.
+ LEVEL_FORMAT_UNSPECIFIED = 0;
+
+ // Uses the format the resource was defined in. BasicLevels are returned as
+ // BasicLevels, CustomLevels are returned as CustomLevels.
+ AS_DEFINED = 1;
+
+ // Use Cloud Common Expression Language when returning the resource. Both
+ // BasicLevels and CustomLevels are returned as CustomLevels.
+ CEL = 2;
+}
+
+// Request of [ListGcpUserAccessBindings]
+// [google.identity.accesscontextmanager.v1.AccessContextManager.ListGcpUserAccessBindings].
+message ListGcpUserAccessBindingsRequest {
+ // Required. Example: "organizations/256"
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "cloudresourcemanager.googleapis.com/Organization"
+ }
+ ];
+
+ // Optional. Maximum number of items to return. The server may return fewer items.
+ // If left blank, the server may return any number of items.
+ int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];
+
+ // Optional. If left blank, returns the first page. To enumerate all items, use the
+ // [next_page_token]
+ // [google.identity.accesscontextmanager.v1.ListGcpUserAccessBindingsResponse.next_page_token]
+ // from your previous list operation.
+ string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
+}
+
+// Response of [ListGcpUserAccessBindings]
+// [google.identity.accesscontextmanager.v1.AccessContextManager.ListGcpUserAccessBindings].
+message ListGcpUserAccessBindingsResponse {
+ // [GcpUserAccessBinding]
+ // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding]
+ repeated GcpUserAccessBinding gcp_user_access_bindings = 1;
+
+ // Token to get the next page of items. If blank, there are no more items.
+ string next_page_token = 2;
+}
+
+// Request of [GetGcpUserAccessBinding]
+// [google.identity.accesscontextmanager.v1.AccessContextManager.GetGcpUserAccessBinding].
+message GetGcpUserAccessBindingRequest {
+ // Required. Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N"
+ string name = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "accesscontextmanager.googleapis.com/GcpUserAccessBinding"
+ }
+ ];
+}
+
+// Request of [CreateGcpUserAccessBinding]
+// [google.identity.accesscontextmanager.v1.AccessContextManager.CreateGcpUserAccessBinding].
+message CreateGcpUserAccessBindingRequest {
+ // Required. Example: "organizations/256"
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "cloudresourcemanager.googleapis.com/Organization"
+ }
+ ];
+
+ // Required. [GcpUserAccessBinding]
+ // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding]
+ GcpUserAccessBinding gcp_user_access_binding = 2 [(google.api.field_behavior) = REQUIRED];
+}
+
+// Request of [UpdateGcpUserAccessBinding]
+// [google.identity.accesscontextmanager.v1.AccessContextManager.UpdateGcpUserAccessBinding].
+message UpdateGcpUserAccessBindingRequest {
+ // Required. [GcpUserAccessBinding]
+ // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding]
+ GcpUserAccessBinding gcp_user_access_binding = 1 [(google.api.field_behavior) = REQUIRED];
+
+ // Required. Only the fields specified in this mask are updated. Because name and
+ // group_key cannot be changed, update_mask is required and must always be:
+ //
+ // update_mask {
+ // paths: "access_levels"
+ // }
+ google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
+}
+
+// Request of [DeleteGcpUserAccessBinding]
+// [google.identity.accesscontextmanager.v1.AccessContextManager.DeleteGcpUserAccessBinding].
+message DeleteGcpUserAccessBindingRequest {
+ // Required. Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N"
+ string name = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "accesscontextmanager.googleapis.com/GcpUserAccessBinding"
+ }
+ ];
+}
+
+// Currently, a completed operation means nothing. In the future, this metadata
+// and a completed operation may indicate that the binding has taken effect and
+// is affecting access decisions for all users.
+message GcpUserAccessBindingOperationMetadata {
+
+}
+
+// Metadata of Access Context Manager's Long Running Operations.
+message AccessContextManagerOperationMetadata {
+
+}
diff --git a/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/access_context_manager_pb2.py b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/access_context_manager_pb2.py index a8fc8ebd2d3b..a5fccf621ef9 100644 --- a/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/access_context_manager_pb2.py +++ b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/access_context_manager_pb2.py @@ -1,6 +1,6 @@ # -*- coding: utf-8 -*- -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -16,6 +16,7 @@ # Generated by the protocol buffer compiler. DO NOT EDIT! # source: google/identity/accesscontextmanager/v1/access_context_manager.proto +# Protobuf Python Version: 4.25.3 """Generated protocol buffer code.""" from google.protobuf import descriptor as _descriptor from google.protobuf import descriptor_pool as _descriptor_pool 
@@ -27,17 +28,12 @@ _sym_db = _symbol_database.Default() -from google.api import field_behavior_pb2 as google_dot_api_dot_field__behavior__pb2 from google.api import annotations_pb2 as google_dot_api_dot_annotations__pb2 from google.api import client_pb2 as google_dot_api_dot_client__pb2 +from google.api import field_behavior_pb2 as google_dot_api_dot_field__behavior__pb2 from google.api import resource_pb2 as google_dot_api_dot_resource__pb2 from google.iam.v1 import iam_policy_pb2 as google_dot_iam_dot_v1_dot_iam__policy__pb2 from google.iam.v1 import policy_pb2 as google_dot_iam_dot_v1_dot_policy__pb2 -from google.longrunning import ( - operations_pb2 as google_dot_longrunning_dot_operations__pb2, -) -from google.protobuf import field_mask_pb2 as google_dot_protobuf_dot_field__mask__pb2 - from google.identity.accesscontextmanager.v1 import ( access_level_pb2 as google_dot_identity_dot_accesscontextmanager_dot_v1_dot_access__level__pb2, ) 
@@ -50,6 +46,10 @@ from google.identity.accesscontextmanager.v1 import ( service_perimeter_pb2 as google_dot_identity_dot_accesscontextmanager_dot_v1_dot_service__perimeter__pb2, ) +from google.longrunning import ( + operations_pb2 as google_dot_longrunning_dot_operations__pb2, +) +from google.protobuf import field_mask_pb2 as google_dot_protobuf_dot_field__mask__pb2 DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile( b'\nDgoogle/identity/accesscontextmanager/v1/access_context_manager.proto\x12\'google.identity.accesscontextmanager.v1\x1a\x1cgoogle/api/annotations.proto\x1a\x17google/api/client.proto\x1a\x1fgoogle/api/field_behavior.proto\x1a\x19google/api/resource.proto\x1a\x1egoogle/iam/v1/iam_policy.proto\x1a\x1agoogle/iam/v1/policy.proto\x1a:google/identity/accesscontextmanager/v1/access_level.proto\x1a;google/identity/accesscontextmanager/v1/access_policy.proto\x1a\x45google/identity/accesscontextmanager/v1/gcp_user_access_binding.proto\x1a?google/identity/accesscontextmanager/v1/service_perimeter.proto\x1a#google/longrunning/operations.proto\x1a google/protobuf/field_mask.proto"\x8c\x01\n\x19ListAccessPoliciesRequest\x12H\n\x06parent\x18\x01 \x01(\tB8\xe0\x41\x02\xfa\x41\x32\n0cloudresourcemanager.googleapis.com/Organization\x12\x11\n\tpage_size\x18\x02 \x01(\x05\x12\x12\n\npage_token\x18\x03 \x01(\t"\x85\x01\n\x1aListAccessPoliciesResponse\x12N\n\x0f\x61\x63\x63\x65ss_policies\x18\x01 \x03(\x0b\x32\x35.google.identity.accesscontextmanager.v1.AccessPolicy\x12\x17\n\x0fnext_page_token\x18\x02 \x01(\t"`\n\x16GetAccessPolicyRequest\x12\x46\n\x04name\x18\x01 \x01(\tB8\xe0\x41\x02\xfa\x41\x32\n0accesscontextmanager.googleapis.com/AccessPolicy"\x9d\x01\n\x19UpdateAccessPolicyRequest\x12J\n\x06policy\x18\x01 \x01(\x0b\x32\x35.google.identity.accesscontextmanager.v1.AccessPolicyB\x03\xe0\x41\x02\x12\x34\n\x0bupdate_mask\x18\x02 \x01(\x0b\x32\x1a.google.protobuf.FieldMaskB\x03\xe0\x41\x02"c\n\x19\x44\x65leteAccessPolicyRequest\x12\x46\n\x04name\x18\x01 
\x01(\tB8\xe0\x41\x02\xfa\x41\x32\n0accesscontextmanager.googleapis.com/AccessPolicy"\xdc\x01\n\x17ListAccessLevelsRequest\x12G\n\x06parent\x18\x01 \x01(\tB7\xe0\x41\x02\xfa\x41\x31\x12/accesscontextmanager.googleapis.com/AccessLevel\x12\x11\n\tpage_size\x18\x02 \x01(\x05\x12\x12\n\npage_token\x18\x03 \x01(\t\x12Q\n\x13\x61\x63\x63\x65ss_level_format\x18\x04 \x01(\x0e\x32\x34.google.identity.accesscontextmanager.v1.LevelFormat"\x80\x01\n\x18ListAccessLevelsResponse\x12K\n\raccess_levels\x18\x01 \x03(\x0b\x32\x34.google.identity.accesscontextmanager.v1.AccessLevel\x12\x17\n\x0fnext_page_token\x18\x02 \x01(\t"\xb1\x01\n\x15GetAccessLevelRequest\x12\x45\n\x04name\x18\x01 \x01(\tB7\xe0\x41\x02\xfa\x41\x31\n/accesscontextmanager.googleapis.com/AccessLevel\x12Q\n\x13\x61\x63\x63\x65ss_level_format\x18\x02 \x01(\x0e\x32\x34.google.identity.accesscontextmanager.v1.LevelFormat"\xb4\x01\n\x18\x43reateAccessLevelRequest\x12G\n\x06parent\x18\x01 \x01(\tB7\xe0\x41\x02\xfa\x41\x31\x12/accesscontextmanager.googleapis.com/AccessLevel\x12O\n\x0c\x61\x63\x63\x65ss_level\x18\x02 \x01(\x0b\x32\x34.google.identity.accesscontextmanager.v1.AccessLevelB\x03\xe0\x41\x02"\xa1\x01\n\x18UpdateAccessLevelRequest\x12O\n\x0c\x61\x63\x63\x65ss_level\x18\x01 \x01(\x0b\x32\x34.google.identity.accesscontextmanager.v1.AccessLevelB\x03\xe0\x41\x02\x12\x34\n\x0bupdate_mask\x18\x02 \x01(\x0b\x32\x1a.google.protobuf.FieldMaskB\x03\xe0\x41\x02"a\n\x18\x44\x65leteAccessLevelRequest\x12\x45\n\x04name\x18\x01 \x01(\tB7\xe0\x41\x02\xfa\x41\x31\n/accesscontextmanager.googleapis.com/AccessLevel"\xc5\x01\n\x1aReplaceAccessLevelsRequest\x12G\n\x06parent\x18\x01 \x01(\tB7\xe0\x41\x02\xfa\x41\x31\x12/accesscontextmanager.googleapis.com/AccessLevel\x12P\n\raccess_levels\x18\x02 \x03(\x0b\x32\x34.google.identity.accesscontextmanager.v1.AccessLevelB\x03\xe0\x41\x02\x12\x0c\n\x04\x65tag\x18\x04 \x01(\t"j\n\x1bReplaceAccessLevelsResponse\x12K\n\raccess_levels\x18\x01 
\x03(\x0b\x32\x34.google.identity.accesscontextmanager.v1.AccessLevel"\x93\x01\n\x1cListServicePerimetersRequest\x12L\n\x06parent\x18\x01 \x01(\tB<\xe0\x41\x02\xfa\x41\x36\x12\x34\x61\x63\x63\x65sscontextmanager.googleapis.com/ServicePerimeter\x12\x11\n\tpage_size\x18\x02 \x01(\x05\x12\x12\n\npage_token\x18\x03 \x01(\t"\x8f\x01\n\x1dListServicePerimetersResponse\x12U\n\x12service_perimeters\x18\x01 \x03(\x0b\x32\x39.google.identity.accesscontextmanager.v1.ServicePerimeter\x12\x17\n\x0fnext_page_token\x18\x02 \x01(\t"h\n\x1aGetServicePerimeterRequest\x12J\n\x04name\x18\x01 \x01(\tB<\xe0\x41\x02\xfa\x41\x36\n4accesscontextmanager.googleapis.com/ServicePerimeter"\xc8\x01\n\x1d\x43reateServicePerimeterRequest\x12L\n\x06parent\x18\x01 \x01(\tB<\xe0\x41\x02\xfa\x41\x36\x12\x34\x61\x63\x63\x65sscontextmanager.googleapis.com/ServicePerimeter\x12Y\n\x11service_perimeter\x18\x02 \x01(\x0b\x32\x39.google.identity.accesscontextmanager.v1.ServicePerimeterB\x03\xe0\x41\x02"\xb0\x01\n\x1dUpdateServicePerimeterRequest\x12Y\n\x11service_perimeter\x18\x01 \x01(\x0b\x32\x39.google.identity.accesscontextmanager.v1.ServicePerimeterB\x03\xe0\x41\x02\x12\x34\n\x0bupdate_mask\x18\x02 \x01(\x0b\x32\x1a.google.protobuf.FieldMaskB\x03\xe0\x41\x02"k\n\x1d\x44\x65leteServicePerimeterRequest\x12J\n\x04name\x18\x01 \x01(\tB<\xe0\x41\x02\xfa\x41\x36\n4accesscontextmanager.googleapis.com/ServicePerimeter"\xd9\x01\n\x1fReplaceServicePerimetersRequest\x12L\n\x06parent\x18\x01 \x01(\tB<\xe0\x41\x02\xfa\x41\x36\x12\x34\x61\x63\x63\x65sscontextmanager.googleapis.com/ServicePerimeter\x12Z\n\x12service_perimeters\x18\x02 \x03(\x0b\x32\x39.google.identity.accesscontextmanager.v1.ServicePerimeterB\x03\xe0\x41\x02\x12\x0c\n\x04\x65tag\x18\x03 \x01(\t"y\n ReplaceServicePerimetersResponse\x12U\n\x12service_perimeters\x18\x01 \x03(\x0b\x32\x39.google.identity.accesscontextmanager.v1.ServicePerimeter"|\n\x1e\x43ommitServicePerimetersRequest\x12L\n\x06parent\x18\x01 
\x01(\tB<\xe0\x41\x02\xfa\x41\x36\x12\x34\x61\x63\x63\x65sscontextmanager.googleapis.com/ServicePerimeter\x12\x0c\n\x04\x65tag\x18\x02 \x01(\t"x\n\x1f\x43ommitServicePerimetersResponse\x12U\n\x12service_perimeters\x18\x01 \x03(\x0b\x32\x39.google.identity.accesscontextmanager.v1.ServicePerimeter"\x9d\x01\n ListGcpUserAccessBindingsRequest\x12H\n\x06parent\x18\x01 \x01(\tB8\xe0\x41\x02\xfa\x41\x32\n0cloudresourcemanager.googleapis.com/Organization\x12\x16\n\tpage_size\x18\x02 \x01(\x05\x42\x03\xe0\x41\x01\x12\x17\n\npage_token\x18\x03 \x01(\tB\x03\xe0\x41\x01"\x9d\x01\n!ListGcpUserAccessBindingsResponse\x12_\n\x18gcp_user_access_bindings\x18\x01 \x03(\x0b\x32=.google.identity.accesscontextmanager.v1.GcpUserAccessBinding\x12\x17\n\x0fnext_page_token\x18\x02 \x01(\t"p\n\x1eGetGcpUserAccessBindingRequest\x12N\n\x04name\x18\x01 \x01(\tB@\xe0\x41\x02\xfa\x41:\n8accesscontextmanager.googleapis.com/GcpUserAccessBinding"\xd2\x01\n!CreateGcpUserAccessBindingRequest\x12H\n\x06parent\x18\x01 \x01(\tB8\xe0\x41\x02\xfa\x41\x32\n0cloudresourcemanager.googleapis.com/Organization\x12\x63\n\x17gcp_user_access_binding\x18\x02 \x01(\x0b\x32=.google.identity.accesscontextmanager.v1.GcpUserAccessBindingB\x03\xe0\x41\x02"\xbe\x01\n!UpdateGcpUserAccessBindingRequest\x12\x63\n\x17gcp_user_access_binding\x18\x01 \x01(\x0b\x32=.google.identity.accesscontextmanager.v1.GcpUserAccessBindingB\x03\xe0\x41\x02\x12\x34\n\x0bupdate_mask\x18\x02 \x01(\x0b\x32\x1a.google.protobuf.FieldMaskB\x03\xe0\x41\x02"s\n!DeleteGcpUserAccessBindingRequest\x12N\n\x04name\x18\x01 
\x01(\tB@\xe0\x41\x02\xfa\x41:\n8accesscontextmanager.googleapis.com/GcpUserAccessBinding"\'\n%GcpUserAccessBindingOperationMetadata"\'\n%AccessContextManagerOperationMetadata*D\n\x0bLevelFormat\x12\x1c\n\x18LEVEL_FORMAT_UNSPECIFIED\x10\x00\x12\x0e\n\nAS_DEFINED\x10\x01\x12\x07\n\x03\x43\x45L\x10\x02\x32\xf1\x32\n\x14\x41\x63\x63\x65ssContextManager\x12\xb9\x01\n\x12ListAccessPolicies\x12\x42.google.identity.accesscontextmanager.v1.ListAccessPoliciesRequest\x1a\x43.google.identity.accesscontextmanager.v1.ListAccessPoliciesResponse"\x1a\x82\xd3\xe4\x93\x02\x14\x12\x12/v1/accessPolicies\x12\xb5\x01\n\x0fGetAccessPolicy\x12?.google.identity.accesscontextmanager.v1.GetAccessPolicyRequest\x1a\x35.google.identity.accesscontextmanager.v1.AccessPolicy"*\xda\x41\x04name\x82\xd3\xe4\x93\x02\x1d\x12\x1b/v1/{name=accessPolicies/*}\x12\xc1\x01\n\x12\x43reateAccessPolicy\x12\x35.google.identity.accesscontextmanager.v1.AccessPolicy\x1a\x1d.google.longrunning.Operation"U\xca\x41\x35\n\x0c\x41\x63\x63\x65ssPolicy\x12%AccessContextManagerOperationMetadata\x82\xd3\xe4\x93\x02\x17"\x12/v1/accessPolicies:\x01*\x12\xf8\x01\n\x12UpdateAccessPolicy\x12\x42.google.identity.accesscontextmanager.v1.UpdateAccessPolicyRequest\x1a\x1d.google.longrunning.Operation"\x7f\xca\x41\x35\n\x0c\x41\x63\x63\x65ssPolicy\x12%AccessContextManagerOperationMetadata\xda\x41\x12policy,update_mask\x82\xd3\xe4\x93\x02,2"/v1/{policy.name=accessPolicies/*}:\x06policy\x12\xe4\x01\n\x12\x44\x65leteAccessPolicy\x12\x42.google.identity.accesscontextmanager.v1.DeleteAccessPolicyRequest\x1a\x1d.google.longrunning.Operation"k\xca\x41>\n\x15google.protobuf.Empty\x12%AccessContextManagerOperationMetadata\xda\x41\x04name\x82\xd3\xe4\x93\x02\x1d*\x1b/v1/{name=accessPolicies/*}\x12\xd4\x01\n\x10ListAccessLevels\x12@.google.identity.accesscontextmanager.v1.ListAccessLevelsRequest\x1a\x41.google.identity.accesscontextmanager.v1.ListAccessLevelsResponse";\xda\x41\x06parent\x82\xd3\xe4\x93\x02,\x12*/v1/{parent=accessPolicies/*}/acc
essLevels\x12\xc1\x01\n\x0eGetAccessLevel\x12>.google.identity.accesscontextmanager.v1.GetAccessLevelRequest\x1a\x34.google.identity.accesscontextmanager.v1.AccessLevel"9\xda\x41\x04name\x82\xd3\xe4\x93\x02,\x12*/v1/{name=accessPolicies/*/accessLevels/*}\x12\x85\x02\n\x11\x43reateAccessLevel\x12\x41.google.identity.accesscontextmanager.v1.CreateAccessLevelRequest\x1a\x1d.google.longrunning.Operation"\x8d\x01\xca\x41\x34\n\x0b\x41\x63\x63\x65ssLevel\x12%AccessContextManagerOperationMetadata\xda\x41\x13parent,access_level\x82\xd3\xe4\x93\x02:"*/v1/{parent=accessPolicies/*}/accessLevels:\x0c\x61\x63\x63\x65ss_level\x12\x97\x02\n\x11UpdateAccessLevel\x12\x41.google.identity.accesscontextmanager.v1.UpdateAccessLevelRequest\x1a\x1d.google.longrunning.Operation"\x9f\x01\xca\x41\x34\n\x0b\x41\x63\x63\x65ssLevel\x12%AccessContextManagerOperationMetadata\xda\x41\x18\x61\x63\x63\x65ss_level,update_mask\x82\xd3\xe4\x93\x02G27/v1/{access_level.name=accessPolicies/*/accessLevels/*}:\x0c\x61\x63\x63\x65ss_level\x12\xf1\x01\n\x11\x44\x65leteAccessLevel\x12\x41.google.identity.accesscontextmanager.v1.DeleteAccessLevelRequest\x1a\x1d.google.longrunning.Operation"z\xca\x41>\n\x15google.protobuf.Empty\x12%AccessContextManagerOperationMetadata\xda\x41\x04name\x82\xd3\xe4\x93\x02,**/v1/{name=accessPolicies/*/accessLevels/*}\x12\x83\x02\n\x13ReplaceAccessLevels\x12\x43.google.identity.accesscontextmanager.v1.ReplaceAccessLevelsRequest\x1a\x1d.google.longrunning.Operation"\x87\x01\xca\x41\x44\n\x1bReplaceAccessLevelsResponse\x12%AccessContextManagerOperationMetadata\x82\xd3\xe4\x93\x02:"5/v1/{parent=accessPolicies/*}/accessLevels:replaceAll:\x01*\x12\xe8\x01\n\x15ListServicePerimeters\x12\x45.google.identity.accesscontextmanager.v1.ListServicePerimetersRequest\x1a\x46.google.identity.accesscontextmanager.v1.ListServicePerimetersResponse"@\xda\x41\x06parent\x82\xd3\xe4\x93\x02\x31\x12//v1/{parent=accessPolicies/*}/servicePerimeters\x12\xd5\x01\n\x13GetServicePerimeter\x12\x43.google.identit
y.accesscontextmanager.v1.GetServicePerimeterRequest\x1a\x39.google.identity.accesscontextmanager.v1.ServicePerimeter">\xda\x41\x04name\x82\xd3\xe4\x93\x02\x31\x12//v1/{name=accessPolicies/*/servicePerimeters/*}\x12\xa3\x02\n\x16\x43reateServicePerimeter\x12\x46.google.identity.accesscontextmanager.v1.CreateServicePerimeterRequest\x1a\x1d.google.longrunning.Operation"\xa1\x01\xca\x41\x39\n\x10ServicePerimeter\x12%AccessContextManagerOperationMetadata\xda\x41\x18parent,service_perimeter\x82\xd3\xe4\x93\x02\x44"//v1/{parent=accessPolicies/*}/servicePerimeters:\x11service_perimeter\x12\xba\x02\n\x16UpdateServicePerimeter\x12\x46.google.identity.accesscontextmanager.v1.UpdateServicePerimeterRequest\x1a\x1d.google.longrunning.Operation"\xb8\x01\xca\x41\x39\n\x10ServicePerimeter\x12%AccessContextManagerOperationMetadata\xda\x41\x1dservice_perimeter,update_mask\x82\xd3\xe4\x93\x02V2A/v1/{service_perimeter.name=accessPolicies/*/servicePerimeters/*}:\x11service_perimeter\x12\x80\x02\n\x16\x44\x65leteServicePerimeter\x12\x46.google.identity.accesscontextmanager.v1.DeleteServicePerimeterRequest\x1a\x1d.google.longrunning.Operation"\x7f\xca\x41>\n\x15google.protobuf.Empty\x12%AccessContextManagerOperationMetadata\xda\x41\x04name\x82\xd3\xe4\x93\x02\x31*//v1/{name=accessPolicies/*/servicePerimeters/*}\x12\x97\x02\n\x18ReplaceServicePerimeters\x12H.google.identity.accesscontextmanager.v1.ReplaceServicePerimetersRequest\x1a\x1d.google.longrunning.Operation"\x91\x01\xca\x41I\n 
ReplaceServicePerimetersResponse\x12%AccessContextManagerOperationMetadata\x82\xd3\xe4\x93\x02?":/v1/{parent=accessPolicies/*}/servicePerimeters:replaceAll:\x01*\x12\x90\x02\n\x17\x43ommitServicePerimeters\x12G.google.identity.accesscontextmanager.v1.CommitServicePerimetersRequest\x1a\x1d.google.longrunning.Operation"\x8c\x01\xca\x41H\n\x1f\x43ommitServicePerimetersResponse\x12%AccessContextManagerOperationMetadata\x82\xd3\xe4\x93\x02;"6/v1/{parent=accessPolicies/*}/servicePerimeters:commit:\x01*\x12\xf7\x01\n\x19ListGcpUserAccessBindings\x12I.google.identity.accesscontextmanager.v1.ListGcpUserAccessBindingsRequest\x1aJ.google.identity.accesscontextmanager.v1.ListGcpUserAccessBindingsResponse"C\xda\x41\x06parent\x82\xd3\xe4\x93\x02\x34\x12\x32/v1/{parent=organizations/*}/gcpUserAccessBindings\x12\xe4\x01\n\x17GetGcpUserAccessBinding\x12G.google.identity.accesscontextmanager.v1.GetGcpUserAccessBindingRequest\x1a=.google.identity.accesscontextmanager.v1.GcpUserAccessBinding"A\xda\x41\x04name\x82\xd3\xe4\x93\x02\x34\x12\x32/v1/{name=organizations/*/gcpUserAccessBindings/*}\x12\xbe\x02\n\x1a\x43reateGcpUserAccessBinding\x12J.google.identity.accesscontextmanager.v1.CreateGcpUserAccessBindingRequest\x1a\x1d.google.longrunning.Operation"\xb4\x01\xca\x41=\n\x14GcpUserAccessBinding\x12%GcpUserAccessBindingOperationMetadata\xda\x41\x1eparent,gcp_user_access_binding\x82\xd3\xe4\x93\x02M"2/v1/{parent=organizations/*}/gcpUserAccessBindings:\x17gcp_user_access_binding\x12\xdb\x02\n\x1aUpdateGcpUserAccessBinding\x12J.google.identity.accesscontextmanager.v1.UpdateGcpUserAccessBindingRequest\x1a\x1d.google.longrunning.Operation"\xd1\x01\xca\x41=\n\x14GcpUserAccessBinding\x12%GcpUserAccessBindingOperationMetadata\xda\x41#gcp_user_access_binding,update_mask\x82\xd3\xe4\x93\x02\x65\x32J/v1/{gcp_user_access_binding.name=organizations/*/gcpUserAccessBindings/*}:\x17gcp_user_access_binding\x12\x8c\x02\n\x1a\x44\x65leteGcpUserAccessBinding\x12J.google.identity.accesscontextmanager.v1.Delet
eGcpUserAccessBindingRequest\x1a\x1d.google.longrunning.Operation"\x82\x01\xca\x41>\n\x15google.protobuf.Empty\x12%GcpUserAccessBindingOperationMetadata\xda\x41\x04name\x82\xd3\xe4\x93\x02\x34*2/v1/{name=organizations/*/gcpUserAccessBindings/*}\x12\x82\x01\n\x0cSetIamPolicy\x12".google.iam.v1.SetIamPolicyRequest\x1a\x15.google.iam.v1.Policy"7\x82\xd3\xe4\x93\x02\x31",/v1/{resource=accessPolicies/*}:setIamPolicy:\x01*\x12\x82\x01\n\x0cGetIamPolicy\x12".google.iam.v1.GetIamPolicyRequest\x1a\x15.google.iam.v1.Policy"7\x82\xd3\xe4\x93\x02\x31",/v1/{resource=accessPolicies/*}:getIamPolicy:\x01*\x12\xbf\x02\n\x12TestIamPermissions\x12(.google.iam.v1.TestIamPermissionsRequest\x1a).google.iam.v1.TestIamPermissionsResponse"\xd3\x01\x82\xd3\xe4\x93\x02\xcc\x01"2/v1/{resource=accessPolicies/*}:testIamPermissions:\x01*ZF"A/v1/{resource=accessPolicies/*/accessLevels/*}:testIamPermissions:\x01*ZK"F/v1/{resource=accessPolicies/*/servicePerimeters/*}:testIamPermissions:\x01*\x1aW\xca\x41#accesscontextmanager.googleapis.com\xd2\x41.https://www.googleapis.com/auth/cloud-platformB\xb0\x02\n+com.google.identity.accesscontextmanager.v1B\x19\x41\x63\x63\x65ssContextManagerProtoP\x01Z\\cloud.google.com/go/accesscontextmanager/apiv1/accesscontextmanagerpb;accesscontextmanagerpb\xa2\x02\x04GACM\xaa\x02\'Google.Identity.AccessContextManager.V1\xca\x02\'Google\\Identity\\AccessContextManager\\V1\xea\x02*Google::Identity::AccessContextManager::V1b\x06proto3' 
@@ -63,292 +63,362 @@ _globals, ) if _descriptor._USE_C_DESCRIPTORS == False: - DESCRIPTOR._options = None - DESCRIPTOR._serialized_options = b"\n+com.google.identity.accesscontextmanager.v1B\031AccessContextManagerProtoP\001Z\\cloud.google.com/go/accesscontextmanager/apiv1/accesscontextmanagerpb;accesscontextmanagerpb\242\002\004GACM\252\002'Google.Identity.AccessContextManager.V1\312\002'Google\\Identity\\AccessContextManager\\V1\352\002*Google::Identity::AccessContextManager::V1" - _LISTACCESSPOLICIESREQUEST.fields_by_name["parent"]._options = None - _LISTACCESSPOLICIESREQUEST.fields_by_name[ + _globals["DESCRIPTOR"]._options = None + _globals[ + "DESCRIPTOR" + ]._serialized_options = b"\n+com.google.identity.accesscontextmanager.v1B\031AccessContextManagerProtoP\001Z\\cloud.google.com/go/accesscontextmanager/apiv1/accesscontextmanagerpb;accesscontextmanagerpb\242\002\004GACM\252\002'Google.Identity.AccessContextManager.V1\312\002'Google\\Identity\\AccessContextManager\\V1\352\002*Google::Identity::AccessContextManager::V1" + _globals["_LISTACCESSPOLICIESREQUEST"].fields_by_name["parent"]._options = None + _globals["_LISTACCESSPOLICIESREQUEST"].fields_by_name[ "parent" ]._serialized_options = ( b"\340A\002\372A2\n0cloudresourcemanager.googleapis.com/Organization" ) - _GETACCESSPOLICYREQUEST.fields_by_name["name"]._options = None - _GETACCESSPOLICYREQUEST.fields_by_name[ + _globals["_GETACCESSPOLICYREQUEST"].fields_by_name["name"]._options = None + _globals["_GETACCESSPOLICYREQUEST"].fields_by_name[ "name" ]._serialized_options = ( b"\340A\002\372A2\n0accesscontextmanager.googleapis.com/AccessPolicy" ) - _UPDATEACCESSPOLICYREQUEST.fields_by_name["policy"]._options = None - _UPDATEACCESSPOLICYREQUEST.fields_by_name[ + _globals["_UPDATEACCESSPOLICYREQUEST"].fields_by_name["policy"]._options = None + _globals["_UPDATEACCESSPOLICYREQUEST"].fields_by_name[ "policy" ]._serialized_options = b"\340A\002" - _UPDATEACCESSPOLICYREQUEST.fields_by_name["update_mask"]._options 
= None - _UPDATEACCESSPOLICYREQUEST.fields_by_name[ + _globals["_UPDATEACCESSPOLICYREQUEST"].fields_by_name["update_mask"]._options = None + _globals["_UPDATEACCESSPOLICYREQUEST"].fields_by_name[ "update_mask" ]._serialized_options = b"\340A\002" - _DELETEACCESSPOLICYREQUEST.fields_by_name["name"]._options = None - _DELETEACCESSPOLICYREQUEST.fields_by_name[ + _globals["_DELETEACCESSPOLICYREQUEST"].fields_by_name["name"]._options = None + _globals["_DELETEACCESSPOLICYREQUEST"].fields_by_name[ "name" ]._serialized_options = ( b"\340A\002\372A2\n0accesscontextmanager.googleapis.com/AccessPolicy" ) - _LISTACCESSLEVELSREQUEST.fields_by_name["parent"]._options = None - _LISTACCESSLEVELSREQUEST.fields_by_name[ + _globals["_LISTACCESSLEVELSREQUEST"].fields_by_name["parent"]._options = None + _globals["_LISTACCESSLEVELSREQUEST"].fields_by_name[ "parent" ]._serialized_options = ( b"\340A\002\372A1\022/accesscontextmanager.googleapis.com/AccessLevel" ) - _GETACCESSLEVELREQUEST.fields_by_name["name"]._options = None - _GETACCESSLEVELREQUEST.fields_by_name[ + _globals["_GETACCESSLEVELREQUEST"].fields_by_name["name"]._options = None + _globals["_GETACCESSLEVELREQUEST"].fields_by_name[ "name" ]._serialized_options = ( b"\340A\002\372A1\n/accesscontextmanager.googleapis.com/AccessLevel" ) - _CREATEACCESSLEVELREQUEST.fields_by_name["parent"]._options = None - _CREATEACCESSLEVELREQUEST.fields_by_name[ + _globals["_CREATEACCESSLEVELREQUEST"].fields_by_name["parent"]._options = None + _globals["_CREATEACCESSLEVELREQUEST"].fields_by_name[ "parent" ]._serialized_options = ( b"\340A\002\372A1\022/accesscontextmanager.googleapis.com/AccessLevel" ) - _CREATEACCESSLEVELREQUEST.fields_by_name["access_level"]._options = None - _CREATEACCESSLEVELREQUEST.fields_by_name[ + _globals["_CREATEACCESSLEVELREQUEST"].fields_by_name["access_level"]._options = None + _globals["_CREATEACCESSLEVELREQUEST"].fields_by_name[ "access_level" ]._serialized_options = b"\340A\002" - 
_UPDATEACCESSLEVELREQUEST.fields_by_name["access_level"]._options = None - _UPDATEACCESSLEVELREQUEST.fields_by_name[ + _globals["_UPDATEACCESSLEVELREQUEST"].fields_by_name["access_level"]._options = None + _globals["_UPDATEACCESSLEVELREQUEST"].fields_by_name[ "access_level" ]._serialized_options = b"\340A\002" - _UPDATEACCESSLEVELREQUEST.fields_by_name["update_mask"]._options = None - _UPDATEACCESSLEVELREQUEST.fields_by_name[ + _globals["_UPDATEACCESSLEVELREQUEST"].fields_by_name["update_mask"]._options = None + _globals["_UPDATEACCESSLEVELREQUEST"].fields_by_name[ "update_mask" ]._serialized_options = b"\340A\002" - _DELETEACCESSLEVELREQUEST.fields_by_name["name"]._options = None - _DELETEACCESSLEVELREQUEST.fields_by_name[ + _globals["_DELETEACCESSLEVELREQUEST"].fields_by_name["name"]._options = None + _globals["_DELETEACCESSLEVELREQUEST"].fields_by_name[ "name" ]._serialized_options = ( b"\340A\002\372A1\n/accesscontextmanager.googleapis.com/AccessLevel" ) - _REPLACEACCESSLEVELSREQUEST.fields_by_name["parent"]._options = None - _REPLACEACCESSLEVELSREQUEST.fields_by_name[ + _globals["_REPLACEACCESSLEVELSREQUEST"].fields_by_name["parent"]._options = None + _globals["_REPLACEACCESSLEVELSREQUEST"].fields_by_name[ "parent" ]._serialized_options = ( b"\340A\002\372A1\022/accesscontextmanager.googleapis.com/AccessLevel" ) - _REPLACEACCESSLEVELSREQUEST.fields_by_name["access_levels"]._options = None - _REPLACEACCESSLEVELSREQUEST.fields_by_name[ + _globals["_REPLACEACCESSLEVELSREQUEST"].fields_by_name[ + "access_levels" + ]._options = None + _globals["_REPLACEACCESSLEVELSREQUEST"].fields_by_name[ "access_levels" ]._serialized_options = b"\340A\002" - _LISTSERVICEPERIMETERSREQUEST.fields_by_name["parent"]._options = None - _LISTSERVICEPERIMETERSREQUEST.fields_by_name[ + _globals["_LISTSERVICEPERIMETERSREQUEST"].fields_by_name["parent"]._options = None + _globals["_LISTSERVICEPERIMETERSREQUEST"].fields_by_name[ "parent" ]._serialized_options = ( 
b"\340A\002\372A6\0224accesscontextmanager.googleapis.com/ServicePerimeter" ) - _GETSERVICEPERIMETERREQUEST.fields_by_name["name"]._options = None - _GETSERVICEPERIMETERREQUEST.fields_by_name[ + _globals["_GETSERVICEPERIMETERREQUEST"].fields_by_name["name"]._options = None + _globals["_GETSERVICEPERIMETERREQUEST"].fields_by_name[ "name" ]._serialized_options = ( b"\340A\002\372A6\n4accesscontextmanager.googleapis.com/ServicePerimeter" ) - _CREATESERVICEPERIMETERREQUEST.fields_by_name["parent"]._options = None - _CREATESERVICEPERIMETERREQUEST.fields_by_name[ + _globals["_CREATESERVICEPERIMETERREQUEST"].fields_by_name["parent"]._options = None + _globals["_CREATESERVICEPERIMETERREQUEST"].fields_by_name[ "parent" ]._serialized_options = ( b"\340A\002\372A6\0224accesscontextmanager.googleapis.com/ServicePerimeter" ) - _CREATESERVICEPERIMETERREQUEST.fields_by_name["service_perimeter"]._options = None - _CREATESERVICEPERIMETERREQUEST.fields_by_name[ + _globals["_CREATESERVICEPERIMETERREQUEST"].fields_by_name[ + "service_perimeter" + ]._options = None + _globals["_CREATESERVICEPERIMETERREQUEST"].fields_by_name[ "service_perimeter" ]._serialized_options = b"\340A\002" - _UPDATESERVICEPERIMETERREQUEST.fields_by_name["service_perimeter"]._options = None - _UPDATESERVICEPERIMETERREQUEST.fields_by_name[ + _globals["_UPDATESERVICEPERIMETERREQUEST"].fields_by_name[ + "service_perimeter" + ]._options = None + _globals["_UPDATESERVICEPERIMETERREQUEST"].fields_by_name[ "service_perimeter" ]._serialized_options = b"\340A\002" - _UPDATESERVICEPERIMETERREQUEST.fields_by_name["update_mask"]._options = None - _UPDATESERVICEPERIMETERREQUEST.fields_by_name[ + _globals["_UPDATESERVICEPERIMETERREQUEST"].fields_by_name[ + "update_mask" + ]._options = None + _globals["_UPDATESERVICEPERIMETERREQUEST"].fields_by_name[ "update_mask" ]._serialized_options = b"\340A\002" - _DELETESERVICEPERIMETERREQUEST.fields_by_name["name"]._options = None - _DELETESERVICEPERIMETERREQUEST.fields_by_name[ + 
_globals["_DELETESERVICEPERIMETERREQUEST"].fields_by_name["name"]._options = None + _globals["_DELETESERVICEPERIMETERREQUEST"].fields_by_name[ "name" ]._serialized_options = ( b"\340A\002\372A6\n4accesscontextmanager.googleapis.com/ServicePerimeter" ) - _REPLACESERVICEPERIMETERSREQUEST.fields_by_name["parent"]._options = None - _REPLACESERVICEPERIMETERSREQUEST.fields_by_name[ + _globals["_REPLACESERVICEPERIMETERSREQUEST"].fields_by_name[ + "parent" + ]._options = None + _globals["_REPLACESERVICEPERIMETERSREQUEST"].fields_by_name[ "parent" ]._serialized_options = ( b"\340A\002\372A6\0224accesscontextmanager.googleapis.com/ServicePerimeter" ) - _REPLACESERVICEPERIMETERSREQUEST.fields_by_name[ + _globals["_REPLACESERVICEPERIMETERSREQUEST"].fields_by_name[ "service_perimeters" ]._options = None - _REPLACESERVICEPERIMETERSREQUEST.fields_by_name[ + _globals["_REPLACESERVICEPERIMETERSREQUEST"].fields_by_name[ "service_perimeters" ]._serialized_options = b"\340A\002" - _COMMITSERVICEPERIMETERSREQUEST.fields_by_name["parent"]._options = None - _COMMITSERVICEPERIMETERSREQUEST.fields_by_name[ + _globals["_COMMITSERVICEPERIMETERSREQUEST"].fields_by_name["parent"]._options = None + _globals["_COMMITSERVICEPERIMETERSREQUEST"].fields_by_name[ "parent" ]._serialized_options = ( b"\340A\002\372A6\0224accesscontextmanager.googleapis.com/ServicePerimeter" ) - _LISTGCPUSERACCESSBINDINGSREQUEST.fields_by_name["parent"]._options = None - _LISTGCPUSERACCESSBINDINGSREQUEST.fields_by_name[ + _globals["_LISTGCPUSERACCESSBINDINGSREQUEST"].fields_by_name[ + "parent" + ]._options = None + _globals["_LISTGCPUSERACCESSBINDINGSREQUEST"].fields_by_name[ "parent" ]._serialized_options = ( b"\340A\002\372A2\n0cloudresourcemanager.googleapis.com/Organization" ) - _LISTGCPUSERACCESSBINDINGSREQUEST.fields_by_name["page_size"]._options = None - _LISTGCPUSERACCESSBINDINGSREQUEST.fields_by_name[ + _globals["_LISTGCPUSERACCESSBINDINGSREQUEST"].fields_by_name[ + "page_size" + ]._options = None + 
_globals["_LISTGCPUSERACCESSBINDINGSREQUEST"].fields_by_name[ "page_size" ]._serialized_options = b"\340A\001" - _LISTGCPUSERACCESSBINDINGSREQUEST.fields_by_name["page_token"]._options = None - _LISTGCPUSERACCESSBINDINGSREQUEST.fields_by_name[ + _globals["_LISTGCPUSERACCESSBINDINGSREQUEST"].fields_by_name[ + "page_token" + ]._options = None + _globals["_LISTGCPUSERACCESSBINDINGSREQUEST"].fields_by_name[ "page_token" ]._serialized_options = b"\340A\001" - _GETGCPUSERACCESSBINDINGREQUEST.fields_by_name["name"]._options = None - _GETGCPUSERACCESSBINDINGREQUEST.fields_by_name[ + _globals["_GETGCPUSERACCESSBINDINGREQUEST"].fields_by_name["name"]._options = None + _globals["_GETGCPUSERACCESSBINDINGREQUEST"].fields_by_name[ "name" ]._serialized_options = ( b"\340A\002\372A:\n8accesscontextmanager.googleapis.com/GcpUserAccessBinding" ) - _CREATEGCPUSERACCESSBINDINGREQUEST.fields_by_name["parent"]._options = None - _CREATEGCPUSERACCESSBINDINGREQUEST.fields_by_name[ + _globals["_CREATEGCPUSERACCESSBINDINGREQUEST"].fields_by_name[ + "parent" + ]._options = None + _globals["_CREATEGCPUSERACCESSBINDINGREQUEST"].fields_by_name[ "parent" ]._serialized_options = ( b"\340A\002\372A2\n0cloudresourcemanager.googleapis.com/Organization" ) - _CREATEGCPUSERACCESSBINDINGREQUEST.fields_by_name[ + _globals["_CREATEGCPUSERACCESSBINDINGREQUEST"].fields_by_name[ "gcp_user_access_binding" ]._options = None - _CREATEGCPUSERACCESSBINDINGREQUEST.fields_by_name[ + _globals["_CREATEGCPUSERACCESSBINDINGREQUEST"].fields_by_name[ "gcp_user_access_binding" ]._serialized_options = b"\340A\002" - _UPDATEGCPUSERACCESSBINDINGREQUEST.fields_by_name[ + _globals["_UPDATEGCPUSERACCESSBINDINGREQUEST"].fields_by_name[ "gcp_user_access_binding" ]._options = None - _UPDATEGCPUSERACCESSBINDINGREQUEST.fields_by_name[ + _globals["_UPDATEGCPUSERACCESSBINDINGREQUEST"].fields_by_name[ "gcp_user_access_binding" ]._serialized_options = b"\340A\002" - 
_UPDATEGCPUSERACCESSBINDINGREQUEST.fields_by_name["update_mask"]._options = None - _UPDATEGCPUSERACCESSBINDINGREQUEST.fields_by_name[ + _globals["_UPDATEGCPUSERACCESSBINDINGREQUEST"].fields_by_name[ + "update_mask" + ]._options = None + _globals["_UPDATEGCPUSERACCESSBINDINGREQUEST"].fields_by_name[ "update_mask" ]._serialized_options = b"\340A\002" - _DELETEGCPUSERACCESSBINDINGREQUEST.fields_by_name["name"]._options = None - _DELETEGCPUSERACCESSBINDINGREQUEST.fields_by_name[ + _globals["_DELETEGCPUSERACCESSBINDINGREQUEST"].fields_by_name[ + "name" + ]._options = None + _globals["_DELETEGCPUSERACCESSBINDINGREQUEST"].fields_by_name[ "name" ]._serialized_options = ( b"\340A\002\372A:\n8accesscontextmanager.googleapis.com/GcpUserAccessBinding" ) - _ACCESSCONTEXTMANAGER._options = None - _ACCESSCONTEXTMANAGER._serialized_options = b"\312A#accesscontextmanager.googleapis.com\322A.https://www.googleapis.com/auth/cloud-platform" - _ACCESSCONTEXTMANAGER.methods_by_name["ListAccessPolicies"]._options = None - _ACCESSCONTEXTMANAGER.methods_by_name[ + _globals["_ACCESSCONTEXTMANAGER"]._options = None + _globals[ + "_ACCESSCONTEXTMANAGER" + ]._serialized_options = b"\312A#accesscontextmanager.googleapis.com\322A.https://www.googleapis.com/auth/cloud-platform" + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ + "ListAccessPolicies" + ]._options = None + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ "ListAccessPolicies" ]._serialized_options = b"\202\323\344\223\002\024\022\022/v1/accessPolicies" - _ACCESSCONTEXTMANAGER.methods_by_name["GetAccessPolicy"]._options = None - _ACCESSCONTEXTMANAGER.methods_by_name[ + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name["GetAccessPolicy"]._options = None + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ "GetAccessPolicy" ]._serialized_options = ( b"\332A\004name\202\323\344\223\002\035\022\033/v1/{name=accessPolicies/*}" ) - _ACCESSCONTEXTMANAGER.methods_by_name["CreateAccessPolicy"]._options = None - 
_ACCESSCONTEXTMANAGER.methods_by_name[ + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ + "CreateAccessPolicy" + ]._options = None + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ "CreateAccessPolicy" ]._serialized_options = b'\312A5\n\014AccessPolicy\022%AccessContextManagerOperationMetadata\202\323\344\223\002\027"\022/v1/accessPolicies:\001*' - _ACCESSCONTEXTMANAGER.methods_by_name["UpdateAccessPolicy"]._options = None - _ACCESSCONTEXTMANAGER.methods_by_name[ + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ + "UpdateAccessPolicy" + ]._options = None + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ "UpdateAccessPolicy" ]._serialized_options = b'\312A5\n\014AccessPolicy\022%AccessContextManagerOperationMetadata\332A\022policy,update_mask\202\323\344\223\002,2"/v1/{policy.name=accessPolicies/*}:\006policy' - _ACCESSCONTEXTMANAGER.methods_by_name["DeleteAccessPolicy"]._options = None - _ACCESSCONTEXTMANAGER.methods_by_name[ + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ + "DeleteAccessPolicy" + ]._options = None + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ "DeleteAccessPolicy" ]._serialized_options = b"\312A>\n\025google.protobuf.Empty\022%AccessContextManagerOperationMetadata\332A\004name\202\323\344\223\002\035*\033/v1/{name=accessPolicies/*}" - _ACCESSCONTEXTMANAGER.methods_by_name["ListAccessLevels"]._options = None - _ACCESSCONTEXTMANAGER.methods_by_name[ + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ + "ListAccessLevels" + ]._options = None + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ "ListAccessLevels" ]._serialized_options = b"\332A\006parent\202\323\344\223\002,\022*/v1/{parent=accessPolicies/*}/accessLevels" - _ACCESSCONTEXTMANAGER.methods_by_name["GetAccessLevel"]._options = None - _ACCESSCONTEXTMANAGER.methods_by_name[ + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name["GetAccessLevel"]._options = None + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ "GetAccessLevel" ]._serialized_options = 
b"\332A\004name\202\323\344\223\002,\022*/v1/{name=accessPolicies/*/accessLevels/*}" - _ACCESSCONTEXTMANAGER.methods_by_name["CreateAccessLevel"]._options = None - _ACCESSCONTEXTMANAGER.methods_by_name[ + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ + "CreateAccessLevel" + ]._options = None + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ "CreateAccessLevel" ]._serialized_options = b'\312A4\n\013AccessLevel\022%AccessContextManagerOperationMetadata\332A\023parent,access_level\202\323\344\223\002:"*/v1/{parent=accessPolicies/*}/accessLevels:\014access_level' - _ACCESSCONTEXTMANAGER.methods_by_name["UpdateAccessLevel"]._options = None - _ACCESSCONTEXTMANAGER.methods_by_name[ + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ + "UpdateAccessLevel" + ]._options = None + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ "UpdateAccessLevel" ]._serialized_options = b"\312A4\n\013AccessLevel\022%AccessContextManagerOperationMetadata\332A\030access_level,update_mask\202\323\344\223\002G27/v1/{access_level.name=accessPolicies/*/accessLevels/*}:\014access_level" - _ACCESSCONTEXTMANAGER.methods_by_name["DeleteAccessLevel"]._options = None - _ACCESSCONTEXTMANAGER.methods_by_name[ + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ + "DeleteAccessLevel" + ]._options = None + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ "DeleteAccessLevel" ]._serialized_options = b"\312A>\n\025google.protobuf.Empty\022%AccessContextManagerOperationMetadata\332A\004name\202\323\344\223\002,**/v1/{name=accessPolicies/*/accessLevels/*}" - _ACCESSCONTEXTMANAGER.methods_by_name["ReplaceAccessLevels"]._options = None - _ACCESSCONTEXTMANAGER.methods_by_name[ + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ + "ReplaceAccessLevels" + ]._options = None + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ "ReplaceAccessLevels" ]._serialized_options = 
b'\312AD\n\033ReplaceAccessLevelsResponse\022%AccessContextManagerOperationMetadata\202\323\344\223\002:"5/v1/{parent=accessPolicies/*}/accessLevels:replaceAll:\001*' - _ACCESSCONTEXTMANAGER.methods_by_name["ListServicePerimeters"]._options = None - _ACCESSCONTEXTMANAGER.methods_by_name[ + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ + "ListServicePerimeters" + ]._options = None + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ "ListServicePerimeters" ]._serialized_options = b"\332A\006parent\202\323\344\223\0021\022//v1/{parent=accessPolicies/*}/servicePerimeters" - _ACCESSCONTEXTMANAGER.methods_by_name["GetServicePerimeter"]._options = None - _ACCESSCONTEXTMANAGER.methods_by_name[ + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ + "GetServicePerimeter" + ]._options = None + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ "GetServicePerimeter" ]._serialized_options = b"\332A\004name\202\323\344\223\0021\022//v1/{name=accessPolicies/*/servicePerimeters/*}" - _ACCESSCONTEXTMANAGER.methods_by_name["CreateServicePerimeter"]._options = None - _ACCESSCONTEXTMANAGER.methods_by_name[ + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ + "CreateServicePerimeter" + ]._options = None + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ "CreateServicePerimeter" ]._serialized_options = b'\312A9\n\020ServicePerimeter\022%AccessContextManagerOperationMetadata\332A\030parent,service_perimeter\202\323\344\223\002D"//v1/{parent=accessPolicies/*}/servicePerimeters:\021service_perimeter' - _ACCESSCONTEXTMANAGER.methods_by_name["UpdateServicePerimeter"]._options = None - _ACCESSCONTEXTMANAGER.methods_by_name[ + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ + "UpdateServicePerimeter" + ]._options = None + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ "UpdateServicePerimeter" ]._serialized_options = 
b"\312A9\n\020ServicePerimeter\022%AccessContextManagerOperationMetadata\332A\035service_perimeter,update_mask\202\323\344\223\002V2A/v1/{service_perimeter.name=accessPolicies/*/servicePerimeters/*}:\021service_perimeter" - _ACCESSCONTEXTMANAGER.methods_by_name["DeleteServicePerimeter"]._options = None - _ACCESSCONTEXTMANAGER.methods_by_name[ + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ + "DeleteServicePerimeter" + ]._options = None + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ "DeleteServicePerimeter" ]._serialized_options = b"\312A>\n\025google.protobuf.Empty\022%AccessContextManagerOperationMetadata\332A\004name\202\323\344\223\0021*//v1/{name=accessPolicies/*/servicePerimeters/*}" - _ACCESSCONTEXTMANAGER.methods_by_name["ReplaceServicePerimeters"]._options = None - _ACCESSCONTEXTMANAGER.methods_by_name[ + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ + "ReplaceServicePerimeters" + ]._options = None + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ "ReplaceServicePerimeters" ]._serialized_options = b'\312AI\n ReplaceServicePerimetersResponse\022%AccessContextManagerOperationMetadata\202\323\344\223\002?":/v1/{parent=accessPolicies/*}/servicePerimeters:replaceAll:\001*' - _ACCESSCONTEXTMANAGER.methods_by_name["CommitServicePerimeters"]._options = None - _ACCESSCONTEXTMANAGER.methods_by_name[ + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ + "CommitServicePerimeters" + ]._options = None + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ "CommitServicePerimeters" ]._serialized_options = b'\312AH\n\037CommitServicePerimetersResponse\022%AccessContextManagerOperationMetadata\202\323\344\223\002;"6/v1/{parent=accessPolicies/*}/servicePerimeters:commit:\001*' - _ACCESSCONTEXTMANAGER.methods_by_name["ListGcpUserAccessBindings"]._options = None - _ACCESSCONTEXTMANAGER.methods_by_name[ + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ + "ListGcpUserAccessBindings" + ]._options = None + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ 
"ListGcpUserAccessBindings" ]._serialized_options = b"\332A\006parent\202\323\344\223\0024\0222/v1/{parent=organizations/*}/gcpUserAccessBindings" - _ACCESSCONTEXTMANAGER.methods_by_name["GetGcpUserAccessBinding"]._options = None - _ACCESSCONTEXTMANAGER.methods_by_name[ + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ + "GetGcpUserAccessBinding" + ]._options = None + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ "GetGcpUserAccessBinding" ]._serialized_options = b"\332A\004name\202\323\344\223\0024\0222/v1/{name=organizations/*/gcpUserAccessBindings/*}" - _ACCESSCONTEXTMANAGER.methods_by_name["CreateGcpUserAccessBinding"]._options = None - _ACCESSCONTEXTMANAGER.methods_by_name[ + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ + "CreateGcpUserAccessBinding" + ]._options = None + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ "CreateGcpUserAccessBinding" ]._serialized_options = b'\312A=\n\024GcpUserAccessBinding\022%GcpUserAccessBindingOperationMetadata\332A\036parent,gcp_user_access_binding\202\323\344\223\002M"2/v1/{parent=organizations/*}/gcpUserAccessBindings:\027gcp_user_access_binding' - _ACCESSCONTEXTMANAGER.methods_by_name["UpdateGcpUserAccessBinding"]._options = None - _ACCESSCONTEXTMANAGER.methods_by_name[ + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ + "UpdateGcpUserAccessBinding" + ]._options = None + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ "UpdateGcpUserAccessBinding" ]._serialized_options = b"\312A=\n\024GcpUserAccessBinding\022%GcpUserAccessBindingOperationMetadata\332A#gcp_user_access_binding,update_mask\202\323\344\223\002e2J/v1/{gcp_user_access_binding.name=organizations/*/gcpUserAccessBindings/*}:\027gcp_user_access_binding" - _ACCESSCONTEXTMANAGER.methods_by_name["DeleteGcpUserAccessBinding"]._options = None - _ACCESSCONTEXTMANAGER.methods_by_name[ + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ + "DeleteGcpUserAccessBinding" + ]._options = None + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ 
"DeleteGcpUserAccessBinding" ]._serialized_options = b"\312A>\n\025google.protobuf.Empty\022%GcpUserAccessBindingOperationMetadata\332A\004name\202\323\344\223\0024*2/v1/{name=organizations/*/gcpUserAccessBindings/*}" - _ACCESSCONTEXTMANAGER.methods_by_name["SetIamPolicy"]._options = None - _ACCESSCONTEXTMANAGER.methods_by_name[ + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name["SetIamPolicy"]._options = None + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ "SetIamPolicy" ]._serialized_options = ( b'\202\323\344\223\0021",/v1/{resource=accessPolicies/*}:setIamPolicy:\001*' ) - _ACCESSCONTEXTMANAGER.methods_by_name["GetIamPolicy"]._options = None - _ACCESSCONTEXTMANAGER.methods_by_name[ + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name["GetIamPolicy"]._options = None + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ "GetIamPolicy" ]._serialized_options = ( b'\202\323\344\223\0021",/v1/{resource=accessPolicies/*}:getIamPolicy:\001*' ) - _ACCESSCONTEXTMANAGER.methods_by_name["TestIamPermissions"]._options = None - _ACCESSCONTEXTMANAGER.methods_by_name[ + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ + "TestIamPermissions" + ]._options = None + _globals["_ACCESSCONTEXTMANAGER"].methods_by_name[ "TestIamPermissions" ]._serialized_options = b'\202\323\344\223\002\314\001"2/v1/{resource=accessPolicies/*}:testIamPermissions:\001*ZF"A/v1/{resource=accessPolicies/*/accessLevels/*}:testIamPermissions:\001*ZK"F/v1/{resource=accessPolicies/*/servicePerimeters/*}:testIamPermissions:\001*' _globals["_LEVELFORMAT"]._serialized_start = 5065 diff --git a/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/access_context_manager_pb2.pyi b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/access_context_manager_pb2.pyi new file mode 100644 index 000000000000..18dd69c9ff91 --- /dev/null 
+++ b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/access_context_manager_pb2.pyi 
@@ -0,0 +1,426 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from typing import ClassVar as _ClassVar +from typing import Iterable as _Iterable +from typing import Mapping as _Mapping +from typing import Optional as _Optional +from typing import Union as _Union + +from google.api import annotations_pb2 as _annotations_pb2 +from google.api import client_pb2 as _client_pb2 +from google.api import field_behavior_pb2 as _field_behavior_pb2 +from google.api import resource_pb2 as _resource_pb2 +from google.iam.v1 import iam_policy_pb2 as _iam_policy_pb2 +from google.iam.v1 import policy_pb2 as _policy_pb2 +from google.identity.accesscontextmanager.v1 import ( + access_level_pb2 as _access_level_pb2, +) +from google.identity.accesscontextmanager.v1 import ( + access_policy_pb2 as _access_policy_pb2, +) +from google.identity.accesscontextmanager.v1 import ( + gcp_user_access_binding_pb2 as _gcp_user_access_binding_pb2, +) +from google.identity.accesscontextmanager.v1 import ( + service_perimeter_pb2 as _service_perimeter_pb2, +) +from google.longrunning import operations_pb2 as _operations_pb2 +from google.protobuf import descriptor as _descriptor +from google.protobuf import field_mask_pb2 as _field_mask_pb2 +from google.protobuf import message as _message +from google.protobuf.internal import containers as _containers +from google.protobuf.internal import enum_type_wrapper as _enum_type_wrapper + +DESCRIPTOR: _descriptor.FileDescriptor + 
+class LevelFormat(int, metaclass=_enum_type_wrapper.EnumTypeWrapper): + __slots__ = () + LEVEL_FORMAT_UNSPECIFIED: _ClassVar[LevelFormat] + AS_DEFINED: _ClassVar[LevelFormat] + CEL: _ClassVar[LevelFormat] + +LEVEL_FORMAT_UNSPECIFIED: LevelFormat +AS_DEFINED: LevelFormat +CEL: LevelFormat + +class ListAccessPoliciesRequest(_message.Message): + __slots__ = ("parent", "page_size", "page_token") + PARENT_FIELD_NUMBER: _ClassVar[int] + PAGE_SIZE_FIELD_NUMBER: _ClassVar[int] + PAGE_TOKEN_FIELD_NUMBER: _ClassVar[int] + parent: str + page_size: int + page_token: str + def __init__( + self, + parent: _Optional[str] = ..., + page_size: _Optional[int] = ..., + page_token: _Optional[str] = ..., + ) -> None: ... + +class ListAccessPoliciesResponse(_message.Message): + __slots__ = ("access_policies", "next_page_token") + ACCESS_POLICIES_FIELD_NUMBER: _ClassVar[int] + NEXT_PAGE_TOKEN_FIELD_NUMBER: _ClassVar[int] + access_policies: _containers.RepeatedCompositeFieldContainer[ + _access_policy_pb2.AccessPolicy + ] + next_page_token: str + def __init__( + self, + access_policies: _Optional[ + _Iterable[_Union[_access_policy_pb2.AccessPolicy, _Mapping]] + ] = ..., + next_page_token: _Optional[str] = ..., + ) -> None: ... + +class GetAccessPolicyRequest(_message.Message): + __slots__ = ("name",) + NAME_FIELD_NUMBER: _ClassVar[int] + name: str + def __init__(self, name: _Optional[str] = ...) -> None: ... + +class UpdateAccessPolicyRequest(_message.Message): + __slots__ = ("policy", "update_mask") + POLICY_FIELD_NUMBER: _ClassVar[int] + UPDATE_MASK_FIELD_NUMBER: _ClassVar[int] + policy: _access_policy_pb2.AccessPolicy + update_mask: _field_mask_pb2.FieldMask + def __init__( + self, + policy: _Optional[_Union[_access_policy_pb2.AccessPolicy, _Mapping]] = ..., + update_mask: _Optional[_Union[_field_mask_pb2.FieldMask, _Mapping]] = ..., + ) -> None: ... 
+ +class DeleteAccessPolicyRequest(_message.Message): + __slots__ = ("name",) + NAME_FIELD_NUMBER: _ClassVar[int] + name: str + def __init__(self, name: _Optional[str] = ...) -> None: ... + +class ListAccessLevelsRequest(_message.Message): + __slots__ = ("parent", "page_size", "page_token", "access_level_format") + PARENT_FIELD_NUMBER: _ClassVar[int] + PAGE_SIZE_FIELD_NUMBER: _ClassVar[int] + PAGE_TOKEN_FIELD_NUMBER: _ClassVar[int] + ACCESS_LEVEL_FORMAT_FIELD_NUMBER: _ClassVar[int] + parent: str + page_size: int + page_token: str + access_level_format: LevelFormat + def __init__( + self, + parent: _Optional[str] = ..., + page_size: _Optional[int] = ..., + page_token: _Optional[str] = ..., + access_level_format: _Optional[_Union[LevelFormat, str]] = ..., + ) -> None: ... + +class ListAccessLevelsResponse(_message.Message): + __slots__ = ("access_levels", "next_page_token") + ACCESS_LEVELS_FIELD_NUMBER: _ClassVar[int] + NEXT_PAGE_TOKEN_FIELD_NUMBER: _ClassVar[int] + access_levels: _containers.RepeatedCompositeFieldContainer[ + _access_level_pb2.AccessLevel + ] + next_page_token: str + def __init__( + self, + access_levels: _Optional[ + _Iterable[_Union[_access_level_pb2.AccessLevel, _Mapping]] + ] = ..., + next_page_token: _Optional[str] = ..., + ) -> None: ... + +class GetAccessLevelRequest(_message.Message): + __slots__ = ("name", "access_level_format") + NAME_FIELD_NUMBER: _ClassVar[int] + ACCESS_LEVEL_FORMAT_FIELD_NUMBER: _ClassVar[int] + name: str + access_level_format: LevelFormat + def __init__( + self, + name: _Optional[str] = ..., + access_level_format: _Optional[_Union[LevelFormat, str]] = ..., + ) -> None: ... 
+ +class CreateAccessLevelRequest(_message.Message): + __slots__ = ("parent", "access_level") + PARENT_FIELD_NUMBER: _ClassVar[int] + ACCESS_LEVEL_FIELD_NUMBER: _ClassVar[int] + parent: str + access_level: _access_level_pb2.AccessLevel + def __init__( + self, + parent: _Optional[str] = ..., + access_level: _Optional[_Union[_access_level_pb2.AccessLevel, _Mapping]] = ..., + ) -> None: ... + +class UpdateAccessLevelRequest(_message.Message): + __slots__ = ("access_level", "update_mask") + ACCESS_LEVEL_FIELD_NUMBER: _ClassVar[int] + UPDATE_MASK_FIELD_NUMBER: _ClassVar[int] + access_level: _access_level_pb2.AccessLevel + update_mask: _field_mask_pb2.FieldMask + def __init__( + self, + access_level: _Optional[_Union[_access_level_pb2.AccessLevel, _Mapping]] = ..., + update_mask: _Optional[_Union[_field_mask_pb2.FieldMask, _Mapping]] = ..., + ) -> None: ... + +class DeleteAccessLevelRequest(_message.Message): + __slots__ = ("name",) + NAME_FIELD_NUMBER: _ClassVar[int] + name: str + def __init__(self, name: _Optional[str] = ...) -> None: ... + +class ReplaceAccessLevelsRequest(_message.Message): + __slots__ = ("parent", "access_levels", "etag") + PARENT_FIELD_NUMBER: _ClassVar[int] + ACCESS_LEVELS_FIELD_NUMBER: _ClassVar[int] + ETAG_FIELD_NUMBER: _ClassVar[int] + parent: str + access_levels: _containers.RepeatedCompositeFieldContainer[ + _access_level_pb2.AccessLevel + ] + etag: str + def __init__( + self, + parent: _Optional[str] = ..., + access_levels: _Optional[ + _Iterable[_Union[_access_level_pb2.AccessLevel, _Mapping]] + ] = ..., + etag: _Optional[str] = ..., + ) -> None: ... + +class ReplaceAccessLevelsResponse(_message.Message): + __slots__ = ("access_levels",) + ACCESS_LEVELS_FIELD_NUMBER: _ClassVar[int] + access_levels: _containers.RepeatedCompositeFieldContainer[ + _access_level_pb2.AccessLevel + ] + def __init__( + self, + access_levels: _Optional[ + _Iterable[_Union[_access_level_pb2.AccessLevel, _Mapping]] + ] = ..., + ) -> None: ... 
+ +class ListServicePerimetersRequest(_message.Message): + __slots__ = ("parent", "page_size", "page_token") + PARENT_FIELD_NUMBER: _ClassVar[int] + PAGE_SIZE_FIELD_NUMBER: _ClassVar[int] + PAGE_TOKEN_FIELD_NUMBER: _ClassVar[int] + parent: str + page_size: int + page_token: str + def __init__( + self, + parent: _Optional[str] = ..., + page_size: _Optional[int] = ..., + page_token: _Optional[str] = ..., + ) -> None: ... + +class ListServicePerimetersResponse(_message.Message): + __slots__ = ("service_perimeters", "next_page_token") + SERVICE_PERIMETERS_FIELD_NUMBER: _ClassVar[int] + NEXT_PAGE_TOKEN_FIELD_NUMBER: _ClassVar[int] + service_perimeters: _containers.RepeatedCompositeFieldContainer[ + _service_perimeter_pb2.ServicePerimeter + ] + next_page_token: str + def __init__( + self, + service_perimeters: _Optional[ + _Iterable[_Union[_service_perimeter_pb2.ServicePerimeter, _Mapping]] + ] = ..., + next_page_token: _Optional[str] = ..., + ) -> None: ... + +class GetServicePerimeterRequest(_message.Message): + __slots__ = ("name",) + NAME_FIELD_NUMBER: _ClassVar[int] + name: str + def __init__(self, name: _Optional[str] = ...) -> None: ... + +class CreateServicePerimeterRequest(_message.Message): + __slots__ = ("parent", "service_perimeter") + PARENT_FIELD_NUMBER: _ClassVar[int] + SERVICE_PERIMETER_FIELD_NUMBER: _ClassVar[int] + parent: str + service_perimeter: _service_perimeter_pb2.ServicePerimeter + def __init__( + self, + parent: _Optional[str] = ..., + service_perimeter: _Optional[ + _Union[_service_perimeter_pb2.ServicePerimeter, _Mapping] + ] = ..., + ) -> None: ... 
+ +class UpdateServicePerimeterRequest(_message.Message): + __slots__ = ("service_perimeter", "update_mask") + SERVICE_PERIMETER_FIELD_NUMBER: _ClassVar[int] + UPDATE_MASK_FIELD_NUMBER: _ClassVar[int] + service_perimeter: _service_perimeter_pb2.ServicePerimeter + update_mask: _field_mask_pb2.FieldMask + def __init__( + self, + service_perimeter: _Optional[ + _Union[_service_perimeter_pb2.ServicePerimeter, _Mapping] + ] = ..., + update_mask: _Optional[_Union[_field_mask_pb2.FieldMask, _Mapping]] = ..., + ) -> None: ... + +class DeleteServicePerimeterRequest(_message.Message): + __slots__ = ("name",) + NAME_FIELD_NUMBER: _ClassVar[int] + name: str + def __init__(self, name: _Optional[str] = ...) -> None: ... + +class ReplaceServicePerimetersRequest(_message.Message): + __slots__ = ("parent", "service_perimeters", "etag") + PARENT_FIELD_NUMBER: _ClassVar[int] + SERVICE_PERIMETERS_FIELD_NUMBER: _ClassVar[int] + ETAG_FIELD_NUMBER: _ClassVar[int] + parent: str + service_perimeters: _containers.RepeatedCompositeFieldContainer[ + _service_perimeter_pb2.ServicePerimeter + ] + etag: str + def __init__( + self, + parent: _Optional[str] = ..., + service_perimeters: _Optional[ + _Iterable[_Union[_service_perimeter_pb2.ServicePerimeter, _Mapping]] + ] = ..., + etag: _Optional[str] = ..., + ) -> None: ... + +class ReplaceServicePerimetersResponse(_message.Message): + __slots__ = ("service_perimeters",) + SERVICE_PERIMETERS_FIELD_NUMBER: _ClassVar[int] + service_perimeters: _containers.RepeatedCompositeFieldContainer[ + _service_perimeter_pb2.ServicePerimeter + ] + def __init__( + self, + service_perimeters: _Optional[ + _Iterable[_Union[_service_perimeter_pb2.ServicePerimeter, _Mapping]] + ] = ..., + ) -> None: ... 
+ +class CommitServicePerimetersRequest(_message.Message): + __slots__ = ("parent", "etag") + PARENT_FIELD_NUMBER: _ClassVar[int] + ETAG_FIELD_NUMBER: _ClassVar[int] + parent: str + etag: str + def __init__( + self, parent: _Optional[str] = ..., etag: _Optional[str] = ... + ) -> None: ... + +class CommitServicePerimetersResponse(_message.Message): + __slots__ = ("service_perimeters",) + SERVICE_PERIMETERS_FIELD_NUMBER: _ClassVar[int] + service_perimeters: _containers.RepeatedCompositeFieldContainer[ + _service_perimeter_pb2.ServicePerimeter + ] + def __init__( + self, + service_perimeters: _Optional[ + _Iterable[_Union[_service_perimeter_pb2.ServicePerimeter, _Mapping]] + ] = ..., + ) -> None: ... + +class ListGcpUserAccessBindingsRequest(_message.Message): + __slots__ = ("parent", "page_size", "page_token") + PARENT_FIELD_NUMBER: _ClassVar[int] + PAGE_SIZE_FIELD_NUMBER: _ClassVar[int] + PAGE_TOKEN_FIELD_NUMBER: _ClassVar[int] + parent: str + page_size: int + page_token: str + def __init__( + self, + parent: _Optional[str] = ..., + page_size: _Optional[int] = ..., + page_token: _Optional[str] = ..., + ) -> None: ... + +class ListGcpUserAccessBindingsResponse(_message.Message): + __slots__ = ("gcp_user_access_bindings", "next_page_token") + GCP_USER_ACCESS_BINDINGS_FIELD_NUMBER: _ClassVar[int] + NEXT_PAGE_TOKEN_FIELD_NUMBER: _ClassVar[int] + gcp_user_access_bindings: _containers.RepeatedCompositeFieldContainer[ + _gcp_user_access_binding_pb2.GcpUserAccessBinding + ] + next_page_token: str + def __init__( + self, + gcp_user_access_bindings: _Optional[ + _Iterable[ + _Union[_gcp_user_access_binding_pb2.GcpUserAccessBinding, _Mapping] + ] + ] = ..., + next_page_token: _Optional[str] = ..., + ) -> None: ... + +class GetGcpUserAccessBindingRequest(_message.Message): + __slots__ = ("name",) + NAME_FIELD_NUMBER: _ClassVar[int] + name: str + def __init__(self, name: _Optional[str] = ...) -> None: ... 
+ +class CreateGcpUserAccessBindingRequest(_message.Message): + __slots__ = ("parent", "gcp_user_access_binding") + PARENT_FIELD_NUMBER: _ClassVar[int] + GCP_USER_ACCESS_BINDING_FIELD_NUMBER: _ClassVar[int] + parent: str + gcp_user_access_binding: _gcp_user_access_binding_pb2.GcpUserAccessBinding + def __init__( + self, + parent: _Optional[str] = ..., + gcp_user_access_binding: _Optional[ + _Union[_gcp_user_access_binding_pb2.GcpUserAccessBinding, _Mapping] + ] = ..., + ) -> None: ... + +class UpdateGcpUserAccessBindingRequest(_message.Message): + __slots__ = ("gcp_user_access_binding", "update_mask") + GCP_USER_ACCESS_BINDING_FIELD_NUMBER: _ClassVar[int] + UPDATE_MASK_FIELD_NUMBER: _ClassVar[int] + gcp_user_access_binding: _gcp_user_access_binding_pb2.GcpUserAccessBinding + update_mask: _field_mask_pb2.FieldMask + def __init__( + self, + gcp_user_access_binding: _Optional[ + _Union[_gcp_user_access_binding_pb2.GcpUserAccessBinding, _Mapping] + ] = ..., + update_mask: _Optional[_Union[_field_mask_pb2.FieldMask, _Mapping]] = ..., + ) -> None: ... + +class DeleteGcpUserAccessBindingRequest(_message.Message): + __slots__ = ("name",) + NAME_FIELD_NUMBER: _ClassVar[int] + name: str + def __init__(self, name: _Optional[str] = ...) -> None: ... + +class GcpUserAccessBindingOperationMetadata(_message.Message): + __slots__ = () + def __init__(self) -> None: ... + +class AccessContextManagerOperationMetadata(_message.Message): + __slots__ = () + def __init__(self) -> None: ... diff --git a/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/access_level.proto b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/access_level.proto new file mode 100644 index 000000000000..74080d398b67 --- /dev/null +++ b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/access_level.proto 
@@ -0,0 +1,192 @@ +// Copyright 2025 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.identity.accesscontextmanager.v1; + +import "google/api/resource.proto"; +import "google/identity/accesscontextmanager/type/device_resources.proto"; +import "google/protobuf/timestamp.proto"; +import "google/type/expr.proto"; + +option csharp_namespace = "Google.Identity.AccessContextManager.V1"; +option go_package = "cloud.google.com/go/accesscontextmanager/apiv1/accesscontextmanagerpb;accesscontextmanagerpb"; +option java_multiple_files = true; +option java_outer_classname = "AccessLevelProto"; +option java_package = "com.google.identity.accesscontextmanager.v1"; +option objc_class_prefix = "GACM"; +option php_namespace = "Google\\Identity\\AccessContextManager\\V1"; +option ruby_package = "Google::Identity::AccessContextManager::V1"; + +// An `AccessLevel` is a label that can be applied to requests to Google Cloud +// services, along with a list of requirements necessary for the label to be +// applied. +message AccessLevel { + option (google.api.resource) = { + type: "accesscontextmanager.googleapis.com/AccessLevel" + pattern: "accessPolicies/{access_policy}/accessLevels/{access_level}" + }; + + // Required. Resource name for the Access Level. The `short_name` component + // must begin with a letter and only include alphanumeric and '_'. Format: + // `accessPolicies/{access_policy}/accessLevels/{access_level}`. 
The maximum + // length of the `access_level` component is 50 characters. + string name = 1; + + // Human readable title. Must be unique within the Policy. + string title = 2; + + // Description of the `AccessLevel` and its use. Does not affect behavior. + string description = 3; + + // Required. Describes the necessary conditions for the level to apply. + oneof level { + // A `BasicLevel` composed of `Conditions`. + BasicLevel basic = 4; + + // A `CustomLevel` written in the Common Expression Language. + CustomLevel custom = 5; + } + + // Output only. Time the `AccessLevel` was created in UTC. + google.protobuf.Timestamp create_time = 6; + + // Output only. Time the `AccessLevel` was updated in UTC. + google.protobuf.Timestamp update_time = 7; +} + +// `BasicLevel` is an `AccessLevel` using a set of recommended features. +message BasicLevel { + // Options for how the `conditions` list should be combined to determine if + // this `AccessLevel` is applied. Default is AND. + enum ConditionCombiningFunction { + // All `Conditions` must be true for the `BasicLevel` to be true. + AND = 0; + + // If at least one `Condition` is true, then the `BasicLevel` is true. + OR = 1; + } + + // Required. A list of requirements for the `AccessLevel` to be granted. + repeated Condition conditions = 1; + + // How the `conditions` list should be combined to determine if a request is + // granted this `AccessLevel`. If AND is used, each `Condition` in + // `conditions` must be satisfied for the `AccessLevel` to be applied. If OR + // is used, at least one `Condition` in `conditions` must be satisfied for the + // `AccessLevel` to be applied. Default behavior is AND. + ConditionCombiningFunction combining_function = 2; +} + +// A condition necessary for an `AccessLevel` to be granted. The Condition is an +// AND over its fields. 
So a Condition is true if: 1) the request IP is from one +// of the listed subnetworks AND 2) the originating device complies with the +// listed device policy AND 3) all listed access levels are granted AND 4) the +// request was sent at a time allowed by the DateTimeRestriction. +message Condition { + // CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for + // a CIDR IP address block, the specified IP address portion must be properly + // truncated (i.e. all the host bits must be zero) or the input is considered + // malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is + // not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas + // "2001:db8::1/32" is not. The originating IP of a request must be in one of + // the listed subnets in order for this Condition to be true. If empty, all IP + // addresses are allowed. + repeated string ip_subnetworks = 1; + + // Device specific restrictions, all restrictions must hold for the + // Condition to be true. If not specified, all devices are allowed. + DevicePolicy device_policy = 2; + + // A list of other access levels defined in the same `Policy`, referenced by + // resource name. Referencing an `AccessLevel` which does not exist is an + // error. All access levels listed must be granted for the Condition + // to be true. Example: + // "`accessPolicies/MY_POLICY/accessLevels/LEVEL_NAME"` + repeated string required_access_levels = 3; + + // Whether to negate the Condition. If true, the Condition becomes a NAND over + // its non-empty fields, each field must be false for the Condition overall to + // be satisfied. Defaults to false. + bool negate = 5; + + // The request must be made by one of the provided user or service + // accounts. Groups are not supported. + // Syntax: + // `user:{emailid}` + // `serviceAccount:{emailid}` + // If not specified, a request may come from any user. 
+ repeated string members = 6; + + // The request must originate from one of the provided countries/regions. + // Must be valid ISO 3166-1 alpha-2 codes. + repeated string regions = 7; +} + +// `CustomLevel` is an `AccessLevel` using the Cloud Common Expression Language +// to represent the necessary conditions for the level to apply to a request. +// See CEL spec at: https://github.com/google/cel-spec +message CustomLevel { + // Required. A Cloud CEL expression evaluating to a boolean. + google.type.Expr expr = 1; +} + +// `DevicePolicy` specifies device specific restrictions necessary to acquire a +// given access level. A `DevicePolicy` specifies requirements for requests from +// devices to be granted access levels, it does not do any enforcement on the +// device. `DevicePolicy` acts as an AND over all specified fields, and each +// repeated field is an OR over its elements. Any unset fields are ignored. For +// example, if the proto is { os_type : DESKTOP_WINDOWS, os_type : +// DESKTOP_LINUX, encryption_status: ENCRYPTED}, then the DevicePolicy will be +// true for requests originating from encrypted Linux desktops and encrypted +// Windows desktops. +message DevicePolicy { + // Whether or not screenlock is required for the DevicePolicy to be true. + // Defaults to `false`. + bool require_screenlock = 1; + + // Allowed encryptions statuses, an empty list allows all statuses. + repeated google.identity.accesscontextmanager.type.DeviceEncryptionStatus allowed_encryption_statuses = 2; + + // Allowed OS versions, an empty list allows all types and all versions. + repeated OsConstraint os_constraints = 3; + + // Allowed device management levels, an empty list allows all management + // levels. + repeated google.identity.accesscontextmanager.type.DeviceManagementLevel allowed_device_management_levels = 6; + + // Whether the device needs to be approved by the customer admin. + bool require_admin_approval = 7; + + // Whether the device needs to be corp owned. 
+ bool require_corp_owned = 8; +} + +// A restriction on the OS type and version of devices making requests. +message OsConstraint { + // Required. The allowed OS type. + google.identity.accesscontextmanager.type.OsType os_type = 1; + + // The minimum allowed OS version. If not set, any version of this OS + // satisfies the constraint. Format: `"major.minor.patch"`. + // Examples: `"10.5.301"`, `"9.2.1"`. + string minimum_version = 2; + + // Only allows requests from devices with a verified Chrome OS. + // Verifications includes requirements that the device is enterprise-managed, + // conformant to domain policies, and the caller has permission to call + // the API targeted by the request. + bool require_verified_chrome_os = 3; +} diff --git a/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/access_level_pb2.py b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/access_level_pb2.py index 68b139c81757..c29c1e796d29 100644 --- a/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/access_level_pb2.py +++ b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/access_level_pb2.py @@ -1,6 +1,6 @@ # -*- coding: utf-8 -*- -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -16,6 +16,7 @@ # Generated by the protocol buffer compiler. DO NOT EDIT! # source: google/identity/accesscontextmanager/v1/access_level.proto +# Protobuf Python Version: 4.25.3 """Generated protocol buffer code.""" from google.protobuf import descriptor as _descriptor from google.protobuf import descriptor_pool as _descriptor_pool 
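Review bot: The comment on `message Condition` lists four AND-ed checks ending with "a time allowed by the DateTimeRestriction", but the message declares no such field, and the `members` and `regions` fields it does declare are missing from that list. The `negate` comment has a similar problem: it calls the negated Condition "a NAND over its non-empty fields" and then says "each field must be false", which describes a NOR, and the two differ whenever only some of the fields match. Because policy authors read these comments to predict who is admitted, I would rewrite the header as something like `// A Condition is an AND over its set fields: ip_subnetworks, device_policy, required_access_levels, members and regions.` (assuming the last two take part in the AND, as their own comments suggest) and have the `negate` comment name one of the two behaviours with a two-field example. The example under `required_access_levels` also has its closing backtick outside the quote.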
@@ -28,12 +29,11 @@ from google.api import resource_pb2 as google_dot_api_dot_resource__pb2 -from google.protobuf import timestamp_pb2 as google_dot_protobuf_dot_timestamp__pb2 -from google.type import expr_pb2 as google_dot_type_dot_expr__pb2 - from google.identity.accesscontextmanager.type import ( device_resources_pb2 as google_dot_identity_dot_accesscontextmanager_dot_type_dot_device__resources__pb2, ) +from google.protobuf import timestamp_pb2 as google_dot_protobuf_dot_timestamp__pb2 +from google.type import expr_pb2 as google_dot_type_dot_expr__pb2 DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile( b'\n:google/identity/accesscontextmanager/v1/access_level.proto\x12\'google.identity.accesscontextmanager.v1\x1a\x19google/api/resource.proto\x1a@google/identity/accesscontextmanager/type/device_resources.proto\x1a\x1fgoogle/protobuf/timestamp.proto\x1a\x16google/type/expr.proto"\xaa\x03\n\x0b\x41\x63\x63\x65ssLevel\x12\x0c\n\x04name\x18\x01 \x01(\t\x12\r\n\x05title\x18\x02 \x01(\t\x12\x13\n\x0b\x64\x65scription\x18\x03 \x01(\t\x12\x44\n\x05\x62\x61sic\x18\x04 \x01(\x0b\x32\x33.google.identity.accesscontextmanager.v1.BasicLevelH\x00\x12\x46\n\x06\x63ustom\x18\x05 \x01(\x0b\x32\x34.google.identity.accesscontextmanager.v1.CustomLevelH\x00\x12/\n\x0b\x63reate_time\x18\x06 \x01(\x0b\x32\x1a.google.protobuf.Timestamp\x12/\n\x0bupdate_time\x18\x07 \x01(\x0b\x32\x1a.google.protobuf.Timestamp:p\xea\x41m\n/accesscontextmanager.googleapis.com/AccessLevel\x12:accessPolicies/{access_policy}/accessLevels/{access_level}B\x07\n\x05level"\xef\x01\n\nBasicLevel\x12\x46\n\nconditions\x18\x01 \x03(\x0b\x32\x32.google.identity.accesscontextmanager.v1.Condition\x12j\n\x12\x63ombining_function\x18\x02 \x01(\x0e\x32N.google.identity.accesscontextmanager.v1.BasicLevel.ConditionCombiningFunction"-\n\x1a\x43onditionCombiningFunction\x12\x07\n\x03\x41ND\x10\x00\x12\x06\n\x02OR\x10\x01"\xc3\x01\n\tCondition\x12\x16\n\x0eip_subnetworks\x18\x01 \x03(\t\x12L\n\rdevice_policy\x18\x02 
\x01(\x0b\x32\x35.google.identity.accesscontextmanager.v1.DevicePolicy\x12\x1e\n\x16required_access_levels\x18\x03 \x03(\t\x12\x0e\n\x06negate\x18\x05 \x01(\x08\x12\x0f\n\x07members\x18\x06 \x03(\t\x12\x0f\n\x07regions\x18\x07 \x03(\t".\n\x0b\x43ustomLevel\x12\x1f\n\x04\x65xpr\x18\x01 \x01(\x0b\x32\x11.google.type.Expr"\x89\x03\n\x0c\x44\x65vicePolicy\x12\x1a\n\x12require_screenlock\x18\x01 \x01(\x08\x12\x66\n\x1b\x61llowed_encryption_statuses\x18\x02 \x03(\x0e\x32\x41.google.identity.accesscontextmanager.type.DeviceEncryptionStatus\x12M\n\x0eos_constraints\x18\x03 \x03(\x0b\x32\x35.google.identity.accesscontextmanager.v1.OsConstraint\x12j\n allowed_device_management_levels\x18\x06 \x03(\x0e\x32@.google.identity.accesscontextmanager.type.DeviceManagementLevel\x12\x1e\n\x16require_admin_approval\x18\x07 \x01(\x08\x12\x1a\n\x12require_corp_owned\x18\x08 \x01(\x08"\x8f\x01\n\x0cOsConstraint\x12\x42\n\x07os_type\x18\x01 \x01(\x0e\x32\x31.google.identity.accesscontextmanager.type.OsType\x12\x17\n\x0fminimum_version\x18\x02 \x01(\t\x12"\n\x1arequire_verified_chrome_os\x18\x03 \x01(\x08\x42\xa7\x02\n+com.google.identity.accesscontextmanager.v1B\x10\x41\x63\x63\x65ssLevelProtoP\x01Z\\cloud.google.com/go/accesscontextmanager/apiv1/accesscontextmanagerpb;accesscontextmanagerpb\xa2\x02\x04GACM\xaa\x02\'Google.Identity.AccessContextManager.V1\xca\x02\'Google\\Identity\\AccessContextManager\\V1\xea\x02*Google::Identity::AccessContextManager::V1b\x06proto3' 
@@ -45,10 +45,14 @@ DESCRIPTOR, "google.identity.accesscontextmanager.v1.access_level_pb2", _globals ) if _descriptor._USE_C_DESCRIPTORS == False: - DESCRIPTOR._options = None - DESCRIPTOR._serialized_options = b"\n+com.google.identity.accesscontextmanager.v1B\020AccessLevelProtoP\001Z\\cloud.google.com/go/accesscontextmanager/apiv1/accesscontextmanagerpb;accesscontextmanagerpb\242\002\004GACM\252\002'Google.Identity.AccessContextManager.V1\312\002'Google\\Identity\\AccessContextManager\\V1\352\002*Google::Identity::AccessContextManager::V1" - _ACCESSLEVEL._options = None - _ACCESSLEVEL._serialized_options = b"\352Am\n/accesscontextmanager.googleapis.com/AccessLevel\022:accessPolicies/{access_policy}/accessLevels/{access_level}" + _globals["DESCRIPTOR"]._options = None + _globals[ + "DESCRIPTOR" + ]._serialized_options = b"\n+com.google.identity.accesscontextmanager.v1B\020AccessLevelProtoP\001Z\\cloud.google.com/go/accesscontextmanager/apiv1/accesscontextmanagerpb;accesscontextmanagerpb\242\002\004GACM\252\002'Google.Identity.AccessContextManager.V1\312\002'Google\\Identity\\AccessContextManager\\V1\352\002*Google::Identity::AccessContextManager::V1" + _globals["_ACCESSLEVEL"]._options = None + _globals[ + "_ACCESSLEVEL" + ]._serialized_options = b"\352Am\n/accesscontextmanager.googleapis.com/AccessLevel\022:accessPolicies/{access_policy}/accessLevels/{access_level}" _globals["_ACCESSLEVEL"]._serialized_start = 254 _globals["_ACCESSLEVEL"]._serialized_end = 680 _globals["_BASICLEVEL"]._serialized_start = 683 diff --git a/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/access_level_pb2.pyi b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/access_level_pb2.pyi new file mode 100644 index 000000000000..e02ef157b139 --- /dev/null +++ b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/access_level_pb2.pyi 
@@ -0,0 +1,181 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from typing import ClassVar as _ClassVar +from typing import Iterable as _Iterable +from typing import Mapping as _Mapping +from typing import Optional as _Optional +from typing import Union as _Union + +from google.api import resource_pb2 as _resource_pb2 +from google.identity.accesscontextmanager.type import ( + device_resources_pb2 as _device_resources_pb2, +) +from google.protobuf import descriptor as _descriptor +from google.protobuf import message as _message +from google.protobuf import timestamp_pb2 as _timestamp_pb2 +from google.protobuf.internal import containers as _containers +from google.protobuf.internal import enum_type_wrapper as _enum_type_wrapper +from google.type import expr_pb2 as _expr_pb2 + +DESCRIPTOR: _descriptor.FileDescriptor + +class AccessLevel(_message.Message): + __slots__ = ( + "name", + "title", + "description", + "basic", + "custom", + "create_time", + "update_time", + ) + NAME_FIELD_NUMBER: _ClassVar[int] + TITLE_FIELD_NUMBER: _ClassVar[int] + DESCRIPTION_FIELD_NUMBER: _ClassVar[int] + BASIC_FIELD_NUMBER: _ClassVar[int] + CUSTOM_FIELD_NUMBER: _ClassVar[int] + CREATE_TIME_FIELD_NUMBER: _ClassVar[int] + UPDATE_TIME_FIELD_NUMBER: _ClassVar[int] + name: str + title: str + description: str + basic: BasicLevel + custom: CustomLevel + create_time: _timestamp_pb2.Timestamp + update_time: _timestamp_pb2.Timestamp + def __init__( + self, + name: 
_Optional[str] = ..., + title: _Optional[str] = ..., + description: _Optional[str] = ..., + basic: _Optional[_Union[BasicLevel, _Mapping]] = ..., + custom: _Optional[_Union[CustomLevel, _Mapping]] = ..., + create_time: _Optional[_Union[_timestamp_pb2.Timestamp, _Mapping]] = ..., + update_time: _Optional[_Union[_timestamp_pb2.Timestamp, _Mapping]] = ..., + ) -> None: ... + +class BasicLevel(_message.Message): + __slots__ = ("conditions", "combining_function") + + class ConditionCombiningFunction(int, metaclass=_enum_type_wrapper.EnumTypeWrapper): + __slots__ = () + AND: _ClassVar[BasicLevel.ConditionCombiningFunction] + OR: _ClassVar[BasicLevel.ConditionCombiningFunction] + AND: BasicLevel.ConditionCombiningFunction + OR: BasicLevel.ConditionCombiningFunction + CONDITIONS_FIELD_NUMBER: _ClassVar[int] + COMBINING_FUNCTION_FIELD_NUMBER: _ClassVar[int] + conditions: _containers.RepeatedCompositeFieldContainer[Condition] + combining_function: BasicLevel.ConditionCombiningFunction + def __init__( + self, + conditions: _Optional[_Iterable[_Union[Condition, _Mapping]]] = ..., + combining_function: _Optional[ + _Union[BasicLevel.ConditionCombiningFunction, str] + ] = ..., + ) -> None: ... 
+ +class Condition(_message.Message): + __slots__ = ( + "ip_subnetworks", + "device_policy", + "required_access_levels", + "negate", + "members", + "regions", + ) + IP_SUBNETWORKS_FIELD_NUMBER: _ClassVar[int] + DEVICE_POLICY_FIELD_NUMBER: _ClassVar[int] + REQUIRED_ACCESS_LEVELS_FIELD_NUMBER: _ClassVar[int] + NEGATE_FIELD_NUMBER: _ClassVar[int] + MEMBERS_FIELD_NUMBER: _ClassVar[int] + REGIONS_FIELD_NUMBER: _ClassVar[int] + ip_subnetworks: _containers.RepeatedScalarFieldContainer[str] + device_policy: DevicePolicy + required_access_levels: _containers.RepeatedScalarFieldContainer[str] + negate: bool + members: _containers.RepeatedScalarFieldContainer[str] + regions: _containers.RepeatedScalarFieldContainer[str] + def __init__( + self, + ip_subnetworks: _Optional[_Iterable[str]] = ..., + device_policy: _Optional[_Union[DevicePolicy, _Mapping]] = ..., + required_access_levels: _Optional[_Iterable[str]] = ..., + negate: bool = ..., + members: _Optional[_Iterable[str]] = ..., + regions: _Optional[_Iterable[str]] = ..., + ) -> None: ... + +class CustomLevel(_message.Message): + __slots__ = ("expr",) + EXPR_FIELD_NUMBER: _ClassVar[int] + expr: _expr_pb2.Expr + def __init__( + self, expr: _Optional[_Union[_expr_pb2.Expr, _Mapping]] = ... + ) -> None: ... 
+ +class DevicePolicy(_message.Message): + __slots__ = ( + "require_screenlock", + "allowed_encryption_statuses", + "os_constraints", + "allowed_device_management_levels", + "require_admin_approval", + "require_corp_owned", + ) + REQUIRE_SCREENLOCK_FIELD_NUMBER: _ClassVar[int] + ALLOWED_ENCRYPTION_STATUSES_FIELD_NUMBER: _ClassVar[int] + OS_CONSTRAINTS_FIELD_NUMBER: _ClassVar[int] + ALLOWED_DEVICE_MANAGEMENT_LEVELS_FIELD_NUMBER: _ClassVar[int] + REQUIRE_ADMIN_APPROVAL_FIELD_NUMBER: _ClassVar[int] + REQUIRE_CORP_OWNED_FIELD_NUMBER: _ClassVar[int] + require_screenlock: bool + allowed_encryption_statuses: _containers.RepeatedScalarFieldContainer[ + _device_resources_pb2.DeviceEncryptionStatus + ] + os_constraints: _containers.RepeatedCompositeFieldContainer[OsConstraint] + allowed_device_management_levels: _containers.RepeatedScalarFieldContainer[ + _device_resources_pb2.DeviceManagementLevel + ] + require_admin_approval: bool + require_corp_owned: bool + def __init__( + self, + require_screenlock: bool = ..., + allowed_encryption_statuses: _Optional[ + _Iterable[_Union[_device_resources_pb2.DeviceEncryptionStatus, str]] + ] = ..., + os_constraints: _Optional[_Iterable[_Union[OsConstraint, _Mapping]]] = ..., + allowed_device_management_levels: _Optional[ + _Iterable[_Union[_device_resources_pb2.DeviceManagementLevel, str]] + ] = ..., + require_admin_approval: bool = ..., + require_corp_owned: bool = ..., + ) -> None: ... + +class OsConstraint(_message.Message): + __slots__ = ("os_type", "minimum_version", "require_verified_chrome_os") + OS_TYPE_FIELD_NUMBER: _ClassVar[int] + MINIMUM_VERSION_FIELD_NUMBER: _ClassVar[int] + REQUIRE_VERIFIED_CHROME_OS_FIELD_NUMBER: _ClassVar[int] + os_type: _device_resources_pb2.OsType + minimum_version: str + require_verified_chrome_os: bool + def __init__( + self, + os_type: _Optional[_Union[_device_resources_pb2.OsType, str]] = ..., + minimum_version: _Optional[str] = ..., + require_verified_chrome_os: bool = ..., + ) -> None: ... 
diff --git a/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/access_policy.proto b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/access_policy.proto new file mode 100644 index 000000000000..f38abcd8ba31 --- /dev/null +++ b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/access_policy.proto 
@@ -0,0 +1,81 @@ +// Copyright 2025 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.identity.accesscontextmanager.v1; + +import "google/api/resource.proto"; +import "google/protobuf/timestamp.proto"; + +option csharp_namespace = "Google.Identity.AccessContextManager.V1"; +option go_package = "cloud.google.com/go/accesscontextmanager/apiv1/accesscontextmanagerpb;accesscontextmanagerpb"; +option java_multiple_files = true; +option java_outer_classname = "PolicyProto"; +option java_package = "com.google.identity.accesscontextmanager.v1"; +option objc_class_prefix = "GACM"; +option php_namespace = "Google\\Identity\\AccessContextManager\\V1"; +option ruby_package = "Google::Identity::AccessContextManager::V1"; + +// `AccessPolicy` is a container for `AccessLevels` (which define the necessary +// attributes to use Google Cloud services) and `ServicePerimeters` (which +// define regions of services able to freely pass data within a perimeter). An +// access policy is globally visible within an organization, and the +// restrictions it specifies apply to all projects within an organization. +message AccessPolicy { + option (google.api.resource) = { + type: "accesscontextmanager.googleapis.com/AccessPolicy" + pattern: "accessPolicies/{access_policy}" + }; + + // Output only. Resource name of the `AccessPolicy`. Format: + // `accessPolicies/{access_policy}` + string name = 1; + + // Required. 
The parent of this `AccessPolicy` in the Cloud Resource + // Hierarchy. Currently immutable once created. Format: + // `organizations/{organization_id}` + string parent = 2; + + // Required. Human readable title. Does not affect behavior. + string title = 3; + + // The scopes of a policy define which resources an ACM policy can restrict, + // and where ACM resources can be referenced. + // For example, a policy with scopes=["folders/123"] has the following + // behavior: + // - vpcsc perimeters can only restrict projects within folders/123 + // - access levels can only be referenced by resources within folders/123. + // If empty, there are no limitations on which resources can be restricted by + // an ACM policy, and there are no limitations on where ACM resources can be + // referenced. + // Only one policy can include a given scope (attempting to create a second + // policy which includes "folders/123" will result in an error). + // Currently, scopes cannot be modified after a policy is created. + // Currently, policies can only have a single scope. + // Format: list of `folders/{folder_number}` or `projects/{project_number}` + repeated string scopes = 7; + + // Output only. Time the `AccessPolicy` was created in UTC. + google.protobuf.Timestamp create_time = 4; + + // Output only. Time the `AccessPolicy` was updated in UTC. + google.protobuf.Timestamp update_time = 5; + + // Output only. An opaque identifier for the current version of the + // `AccessPolicy`. This will always be a strongly validated etag, meaning that + // two Access Polices will be identical if and only if their etags are + // identical. Clients should not expect this to be in any specific format. + string etag = 6; +} diff --git a/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/access_policy_pb2.py b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/access_policy_pb2.py index 5867beec87b4..50f7aa352871 100644 
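Review bot: The `etag` comment at the end of `message AccessPolicy` reads "two Access Polices will be identical", which should be "Access Policies"; the corrected line would be `// two Access Policies will be identical if and only if their etags are`. The `scopes` comment also says a policy can currently hold only a single scope, while the field is `repeated string` and the format is described as a list. It would help to state in that comment what happens when more than one entry is sent, since the hunk does not show whether such a request is rejected.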
--- a/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/access_policy_pb2.py +++ b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/access_policy_pb2.py @@ -1,6 +1,6 @@ # -*- coding: utf-8 -*- -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -16,6 +16,7 @@ # Generated by the protocol buffer compiler. DO NOT EDIT! # source: google/identity/accesscontextmanager/v1/access_policy.proto +# Protobuf Python Version: 4.25.3 """Generated protocol buffer code.""" from google.protobuf import descriptor as _descriptor from google.protobuf import descriptor_pool as _descriptor_pool 
@@ -40,10 +41,14 @@ DESCRIPTOR, "google.identity.accesscontextmanager.v1.access_policy_pb2", _globals ) if _descriptor._USE_C_DESCRIPTORS == False: - DESCRIPTOR._options = None - DESCRIPTOR._serialized_options = b"\n+com.google.identity.accesscontextmanager.v1B\013PolicyProtoP\001Z\\cloud.google.com/go/accesscontextmanager/apiv1/accesscontextmanagerpb;accesscontextmanagerpb\242\002\004GACM\252\002'Google.Identity.AccessContextManager.V1\312\002'Google\\Identity\\AccessContextManager\\V1\352\002*Google::Identity::AccessContextManager::V1" - _ACCESSPOLICY._options = None - _ACCESSPOLICY._serialized_options = b"\352AR\n0accesscontextmanager.googleapis.com/AccessPolicy\022\036accessPolicies/{access_policy}" + _globals["DESCRIPTOR"]._options = None + _globals[ + "DESCRIPTOR" + ]._serialized_options = b"\n+com.google.identity.accesscontextmanager.v1B\013PolicyProtoP\001Z\\cloud.google.com/go/accesscontextmanager/apiv1/accesscontextmanagerpb;accesscontextmanagerpb\242\002\004GACM\252\002'Google.Identity.AccessContextManager.V1\312\002'Google\\Identity\\AccessContextManager\\V1\352\002*Google::Identity::AccessContextManager::V1" + _globals["_ACCESSPOLICY"]._options = None + _globals[ + "_ACCESSPOLICY" + ]._serialized_options = b"\352AR\n0accesscontextmanager.googleapis.com/AccessPolicy\022\036accessPolicies/{access_policy}" _globals["_ACCESSPOLICY"]._serialized_start = 165 _globals["_ACCESSPOLICY"]._serialized_end = 439 # @@protoc_insertion_point(module_scope) diff --git a/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/access_policy_pb2.pyi b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/access_policy_pb2.pyi new file mode 100644 index 000000000000..252dc50bca42 --- /dev/null +++ b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/access_policy_pb2.pyi 
@@ -0,0 +1,62 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from typing import ClassVar as _ClassVar +from typing import Iterable as _Iterable +from typing import Mapping as _Mapping +from typing import Optional as _Optional +from typing import Union as _Union + +from google.api import resource_pb2 as _resource_pb2 +from google.protobuf import descriptor as _descriptor +from google.protobuf import message as _message +from google.protobuf import timestamp_pb2 as _timestamp_pb2 +from google.protobuf.internal import containers as _containers + +DESCRIPTOR: _descriptor.FileDescriptor + +class AccessPolicy(_message.Message): + __slots__ = ( + "name", + "parent", + "title", + "scopes", + "create_time", + "update_time", + "etag", + ) + NAME_FIELD_NUMBER: _ClassVar[int] + PARENT_FIELD_NUMBER: _ClassVar[int] + TITLE_FIELD_NUMBER: _ClassVar[int] + SCOPES_FIELD_NUMBER: _ClassVar[int] + CREATE_TIME_FIELD_NUMBER: _ClassVar[int] + UPDATE_TIME_FIELD_NUMBER: _ClassVar[int] + ETAG_FIELD_NUMBER: _ClassVar[int] + name: str + parent: str + title: str + scopes: _containers.RepeatedScalarFieldContainer[str] + create_time: _timestamp_pb2.Timestamp + update_time: _timestamp_pb2.Timestamp + etag: str + def __init__( + self, + name: _Optional[str] = ..., + parent: _Optional[str] = ..., + title: _Optional[str] = ..., + scopes: _Optional[_Iterable[str]] = ..., + create_time: _Optional[_Union[_timestamp_pb2.Timestamp, _Mapping]] = ..., + update_time: 
_Optional[_Union[_timestamp_pb2.Timestamp, _Mapping]] = ..., + etag: _Optional[str] = ..., + ) -> None: ... diff --git a/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/gcp_user_access_binding.proto b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/gcp_user_access_binding.proto new file mode 100644 index 000000000000..be879bbbd92c --- /dev/null +++ b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/gcp_user_access_binding.proto 
@@ -0,0 +1,68 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.identity.accesscontextmanager.v1;
+
+import "google/api/field_behavior.proto";
+import "google/api/resource.proto";
+
+option csharp_namespace = "Google.Identity.AccessContextManager.V1";
+option go_package = "cloud.google.com/go/accesscontextmanager/apiv1/accesscontextmanagerpb;accesscontextmanagerpb";
+option java_multiple_files = true;
+option java_outer_classname = "GcpUserAccessBindingProto";
+option java_package = "com.google.identity.accesscontextmanager.v1";
+option objc_class_prefix = "GACM";
+option php_namespace = "Google\\Identity\\AccessContextManager\\V1";
+option ruby_package = "Google::Identity::AccessContextManager::V1";
+
+// Restricts access to Cloud Console and Google Cloud APIs for a set of users
+// using Context-Aware Access.
+message GcpUserAccessBinding {
+ option (google.api.resource) = {
+ type: "accesscontextmanager.googleapis.com/GcpUserAccessBinding"
+ pattern: "organizations/{organization}/gcpUserAccessBindings/{gcp_user_access_binding}"
+ };
+
+ // Immutable. Assigned by the server during creation. The last segment has an arbitrary
+ // length and has only URI unreserved characters (as defined by
+ // [RFC 3986 Section 2.3](https://tools.ietf.org/html/rfc3986#section-2.3)).
+ // Should not be specified by the client during creation.
+ // Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N"
+ string name = 1 [(google.api.field_behavior) = IMMUTABLE];
+
+ // Required. Immutable. Google Group id whose members are subject to this binding's restrictions.
+ // See "id" in the [G Suite Directory API's Groups resource]
+ // (https://developers.google.com/admin-sdk/directory/v1/reference/groups#resource).
+ // If a group's email address/alias is changed, this resource will continue
+ // to point at the changed group. This field does not accept group email
+ // addresses or aliases.
+ // Example: "01d520gv4vjcrht"
+ string group_key = 2 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.field_behavior) = IMMUTABLE
+ ];
+
+ // Required. Access level that a user must have to be granted access. Only one access
+ // level is supported, not multiple. This repeated field must have exactly
+ // one element.
+ // Example: "accessPolicies/9522/accessLevels/device_trusted"
+ repeated string access_levels = 3 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "accesscontextmanager.googleapis.com/AccessLevel"
+ }
+ ];
+}
diff --git a/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/gcp_user_access_binding_pb2.py b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/gcp_user_access_binding_pb2.py
index 203b0b30aead..146166962cdb 100644
--- a/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/gcp_user_access_binding_pb2.py
+++ b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/gcp_user_access_binding_pb2.py
@@ -1,6 +1,6 @@ # -*- coding: utf-8 -*- -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
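Review bot: The rule that `access_levels` in `GcpUserAccessBinding` holds exactly one element exists only in the field comment; the field is declared `repeated string`, so nothing in the schema or the generated stubs keeps a caller from sending an empty list or several levels, and the comment does not say what the service does in that case. For a resource that gates Cloud Console and API access the failure mode is worth stating next to the field, for example `// Requests with zero or more than one element are rejected.`, provided that is how the service behaves (not visible from this file). The same gap applies to `name`, which the comment says the client should not set on creation while the annotation is only `IMMUTABLE`. If this file is synced from an upstream API definition, the wording change belongs there rather than in this copy.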
@@ -16,6 +16,7 @@ # Generated by the protocol buffer compiler. DO NOT EDIT! # source: google/identity/accesscontextmanager/v1/gcp_user_access_binding.proto +# Protobuf Python Version: 4.25.3 """Generated protocol buffer code.""" from google.protobuf import descriptor as _descriptor from google.protobuf import descriptor_pool as _descriptor_pool 
@@ -42,22 +43,28 @@ _globals, ) if _descriptor._USE_C_DESCRIPTORS == False: - DESCRIPTOR._options = None - DESCRIPTOR._serialized_options = b"\n+com.google.identity.accesscontextmanager.v1B\031GcpUserAccessBindingProtoP\001Z\\cloud.google.com/go/accesscontextmanager/apiv1/accesscontextmanagerpb;accesscontextmanagerpb\242\002\004GACM\252\002'Google.Identity.AccessContextManager.V1\312\002'Google\\Identity\\AccessContextManager\\V1\352\002*Google::Identity::AccessContextManager::V1" - _GCPUSERACCESSBINDING.fields_by_name["name"]._options = None - _GCPUSERACCESSBINDING.fields_by_name["name"]._serialized_options = b"\340A\005" - _GCPUSERACCESSBINDING.fields_by_name["group_key"]._options = None - _GCPUSERACCESSBINDING.fields_by_name[ + _globals["DESCRIPTOR"]._options = None + _globals[ + "DESCRIPTOR" + ]._serialized_options = b"\n+com.google.identity.accesscontextmanager.v1B\031GcpUserAccessBindingProtoP\001Z\\cloud.google.com/go/accesscontextmanager/apiv1/accesscontextmanagerpb;accesscontextmanagerpb\242\002\004GACM\252\002'Google.Identity.AccessContextManager.V1\312\002'Google\\Identity\\AccessContextManager\\V1\352\002*Google::Identity::AccessContextManager::V1" + _globals["_GCPUSERACCESSBINDING"].fields_by_name["name"]._options = None + _globals["_GCPUSERACCESSBINDING"].fields_by_name[ + "name" + ]._serialized_options = b"\340A\005" + _globals["_GCPUSERACCESSBINDING"].fields_by_name["group_key"]._options = None + _globals["_GCPUSERACCESSBINDING"].fields_by_name[ "group_key" ]._serialized_options = b"\340A\002\340A\005" - _GCPUSERACCESSBINDING.fields_by_name["access_levels"]._options = None - _GCPUSERACCESSBINDING.fields_by_name[ + _globals["_GCPUSERACCESSBINDING"].fields_by_name["access_levels"]._options = None + _globals["_GCPUSERACCESSBINDING"].fields_by_name[ "access_levels" ]._serialized_options = ( b"\340A\002\372A1\n/accesscontextmanager.googleapis.com/AccessLevel" ) - _GCPUSERACCESSBINDING._options = None - _GCPUSERACCESSBINDING._serialized_options = 
b"\352A\210\001\n8accesscontextmanager.googleapis.com/GcpUserAccessBinding\022Lorganizations/{organization}/gcpUserAccessBindings/{gcp_user_access_binding}" + _globals["_GCPUSERACCESSBINDING"]._options = None + _globals[ + "_GCPUSERACCESSBINDING" + ]._serialized_options = b"\352A\210\001\n8accesscontextmanager.googleapis.com/GcpUserAccessBinding\022Lorganizations/{organization}/gcpUserAccessBindings/{gcp_user_access_binding}" _globals["_GCPUSERACCESSBINDING"]._serialized_start = 175 _globals["_GCPUSERACCESSBINDING"]._serialized_end = 466 # @@protoc_insertion_point(module_scope) diff --git a/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/gcp_user_access_binding_pb2.pyi b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/gcp_user_access_binding_pb2.pyi new file mode 100644 index 000000000000..f6151c4c2fcf --- /dev/null +++ b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/gcp_user_access_binding_pb2.pyi 
@@ -0,0 +1,40 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from typing import ClassVar as _ClassVar +from typing import Iterable as _Iterable +from typing import Optional as _Optional + +from google.api import field_behavior_pb2 as _field_behavior_pb2 +from google.api import resource_pb2 as _resource_pb2 +from google.protobuf import descriptor as _descriptor +from google.protobuf import message as _message +from google.protobuf.internal import containers as _containers + +DESCRIPTOR: _descriptor.FileDescriptor + +class GcpUserAccessBinding(_message.Message): + __slots__ = ("name", "group_key", "access_levels") + NAME_FIELD_NUMBER: _ClassVar[int] + GROUP_KEY_FIELD_NUMBER: _ClassVar[int] + ACCESS_LEVELS_FIELD_NUMBER: _ClassVar[int] + name: str + group_key: str + access_levels: _containers.RepeatedScalarFieldContainer[str] + def __init__( + self, + name: _Optional[str] = ..., + group_key: _Optional[str] = ..., + access_levels: _Optional[_Iterable[str]] = ..., + ) -> None: ... diff --git a/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/service_perimeter.proto b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/service_perimeter.proto new file mode 100644 index 000000000000..757fed1b00c9 --- /dev/null +++ b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/service_perimeter.proto 
@@ -0,0 +1,472 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.identity.accesscontextmanager.v1;
+
+import "google/api/resource.proto";
+import "google/protobuf/timestamp.proto";
+
+option csharp_namespace = "Google.Identity.AccessContextManager.V1";
+option go_package = "cloud.google.com/go/accesscontextmanager/apiv1/accesscontextmanagerpb;accesscontextmanagerpb";
+option java_multiple_files = true;
+option java_outer_classname = "ServicePerimeterProto";
+option java_package = "com.google.identity.accesscontextmanager.v1";
+option objc_class_prefix = "GACM";
+option php_namespace = "Google\\Identity\\AccessContextManager\\V1";
+option ruby_package = "Google::Identity::AccessContextManager::V1";
+
+// `ServicePerimeter` describes a set of Google Cloud resources which can freely
+// import and export data amongst themselves, but not export outside of the
+// `ServicePerimeter`. If a request with a source within this `ServicePerimeter`
+// has a target outside of the `ServicePerimeter`, the request will be blocked.
+// Otherwise the request is allowed. There are two types of Service Perimeter -
+// Regular and Bridge. Regular Service Perimeters cannot overlap, a single
+// Google Cloud project can only belong to a single regular Service Perimeter.
+// Service Perimeter Bridges can contain only Google Cloud projects as members,
+// a single Google Cloud project may belong to multiple Service Perimeter
+// Bridges.
+message ServicePerimeter {
+ option (google.api.resource) = {
+ type: "accesscontextmanager.googleapis.com/ServicePerimeter"
+ pattern: "accessPolicies/{access_policy}/servicePerimeters/{service_perimeter}"
+ };
+
+ // Specifies the type of the Perimeter. There are two types: regular and
+ // bridge. Regular Service Perimeter contains resources, access levels, and
+ // restricted services. Every resource can be in at most ONE
+ // regular Service Perimeter.
+ //
+ // In addition to being in a regular service perimeter, a resource can also
+ // be in zero or more perimeter bridges. A perimeter bridge only contains
+ // resources. Cross project operations are permitted if all effected
+ // resources share some perimeter (whether bridge or regular). Perimeter
+ // Bridge does not contain access levels or services: those are governed
+ // entirely by the regular perimeter that resource is in.
+ //
+ // Perimeter Bridges are typically useful when building more complex toplogies
+ // with many independent perimeters that need to share some data with a common
+ // perimeter, but should not be able to share data among themselves.
+ enum PerimeterType {
+ // Regular Perimeter.
+ PERIMETER_TYPE_REGULAR = 0;
+
+ // Perimeter Bridge.
+ PERIMETER_TYPE_BRIDGE = 1;
+ }
+
+ // Required. Resource name for the ServicePerimeter. The `short_name`
+ // component must begin with a letter and only include alphanumeric and '_'.
+ // Format:
+ // `accessPolicies/{access_policy}/servicePerimeters/{service_perimeter}`
+ string name = 1;
+
+ // Human readable title. Must be unique within the Policy.
+ string title = 2;
+
+ // Description of the `ServicePerimeter` and its use. Does not affect
+ // behavior.
+ string description = 3;
+
+ // Output only. Time the `ServicePerimeter` was created in UTC.
+ google.protobuf.Timestamp create_time = 4;
+
+ // Output only. Time the `ServicePerimeter` was updated in UTC.
+ google.protobuf.Timestamp update_time = 5;
+
+ // Perimeter type indicator. A single project is
+ // allowed to be a member of single regular perimeter, but multiple service
+ // perimeter bridges. A project cannot be a included in a perimeter bridge
+ // without being included in regular perimeter. For perimeter bridges,
+ // the restricted service list as well as access level lists must be
+ // empty.
+ PerimeterType perimeter_type = 6;
+
+ // Current ServicePerimeter configuration. Specifies sets of resources,
+ // restricted services and access levels that determine perimeter
+ // content and boundaries.
+ ServicePerimeterConfig status = 7;
+
+ // Proposed (or dry run) ServicePerimeter configuration. This configuration
+ // allows to specify and test ServicePerimeter configuration without enforcing
+ // actual access restrictions. Only allowed to be set when the
+ // "use_explicit_dry_run_spec" flag is set.
+ ServicePerimeterConfig spec = 8;
+
+ // Use explicit dry run spec flag. Ordinarily, a dry-run spec implicitly
+ // exists for all Service Perimeters, and that spec is identical to the
+ // status for those Service Perimeters. When this flag is set, it inhibits the
+ // generation of the implicit spec, thereby allowing the user to explicitly
+ // provide a configuration ("spec") to use in a dry-run version of the Service
+ // Perimeter. This allows the user to test changes to the enforced config
+ // ("status") without actually enforcing them. This testing is done through
+ // analyzing the differences between currently enforced and suggested
+ // restrictions. use_explicit_dry_run_spec must bet set to True if any of the
+ // fields in the spec are set to non-default values.
+ bool use_explicit_dry_run_spec = 9;
+}
+
+// `ServicePerimeterConfig` specifies a set of Google Cloud resources that
+// describe specific Service Perimeter configuration.
+message ServicePerimeterConfig {
+ // Specifies how APIs are allowed to communicate within the Service
+ // Perimeter.
+ message VpcAccessibleServices {
+ // Whether to restrict API calls within the Service Perimeter to the list of
+ // APIs specified in 'allowed_services'.
+ bool enable_restriction = 1;
+
+ // The list of APIs usable within the Service Perimeter. Must be empty
+ // unless 'enable_restriction' is True. You can specify a list of individual
+ // services, as well as include the 'RESTRICTED-SERVICES' value, which
+ // automatically includes all of the services protected by the perimeter.
+ repeated string allowed_services = 2;
+ }
+
+ // Specifies the types of identities that are allowed access in either
+ // [IngressFrom]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+ // or [EgressFrom]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom]
+ // rules.
+ enum IdentityType {
+ // No blanket identity group specified.
+ IDENTITY_TYPE_UNSPECIFIED = 0;
+
+ // Authorize access from all identities outside the perimeter.
+ ANY_IDENTITY = 1;
+
+ // Authorize access from all human users outside the perimeter.
+ ANY_USER_ACCOUNT = 2;
+
+ // Authorize access from all service accounts outside the perimeter.
+ ANY_SERVICE_ACCOUNT = 3;
+ }
+
+ // An allowed method or permission of a service specified in [ApiOperation]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation].
+ message MethodSelector {
+ // The API method name or Cloud IAM permission name to allow.
+ oneof kind {
+ // Value for `method` should be a valid method name for the corresponding
+ // `service_name` in [ApiOperation]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation].
+ // If `*` used as value for `method`, then ALL methods and permissions are
+ // allowed.
+ string method = 1;
+
+ // Value for `permission` should be a valid Cloud IAM permission for the
+ // corresponding `service_name` in [ApiOperation]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation].
+ string permission = 2;
+ }
+ }
+
+ // Identification for an API Operation.
+ message ApiOperation {
+ // The name of the API whose methods or permissions the [IngressPolicy]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+ // or [EgressPolicy]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+ // want to allow. A single [ApiOperation]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+ // with `service_name` field set to `*` will allow all methods AND
+ // permissions for all services.
+ string service_name = 1;
+
+ // API methods or permissions to allow. Method or permission must belong to
+ // the service specified by `service_name` field. A single [MethodSelector]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.MethodSelector]
+ // entry with `*` specified for the `method` field will allow all methods
+ // AND permissions for the service specified in `service_name`.
+ repeated MethodSelector method_selectors = 2;
+ }
+
+ // The source that [IngressPolicy]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+ // authorizes access from.
+ message IngressSource {
+ // Allowed ingress source. It can be one of [AccessLevel]
+ // [google.identity.accesscontextmanager.v1.AccessLevel] or Google
+ // Cloud resource.
+ oneof source {
+ // An [AccessLevel]
+ // [google.identity.accesscontextmanager.v1.AccessLevel] resource
+ // name that allow resources within the [ServicePerimeters]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeter] to be
+ // accessed from the internet.
[AccessLevels]
+ // [google.identity.accesscontextmanager.v1.AccessLevel] listed must
+ // be in the same policy as this [ServicePerimeter]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeter].
+ // Referencing a nonexistent [AccessLevel]
+ // [google.identity.accesscontextmanager.v1.AccessLevel] will cause
+ // an error. If no [AccessLevel]
+ // [google.identity.accesscontextmanager.v1.AccessLevel] names are
+ // listed, resources within the perimeter can only be accessed via Google
+ // Cloud calls with request origins within the perimeter. Example:
+ // `accessPolicies/MY_POLICY/accessLevels/MY_LEVEL`. If a single `*` is
+ // specified for `access_level`, then all [IngressSources]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource]
+ // will be allowed.
+ string access_level = 1;
+
+ // A Google Cloud resource that is allowed to ingress the perimeter.
+ // Requests from these resources will be allowed to access perimeter data.
+ // Currently only projects are allowed.
+ // Format: `projects/{project_number}`
+ // The project may be in any Google Cloud organization, not just the
+ // organization that the perimeter is defined in. `*` is not allowed, the
+ // case of allowing all Google Cloud resources only is not supported.
+ string resource = 2;
+ }
+ }
+
+ // Defines the conditions under which an [IngressPolicy]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+ // matches a request. Conditions are based on information about the source of
+ // the request. The request must satisfy what is defined in `sources` AND
+ // identity related fields in order to match.
+ message IngressFrom {
+ // Sources that this [IngressPolicy]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+ // authorizes access from.
+ repeated IngressSource sources = 1;
+
+ // A list of identities that are allowed access through this ingress
+ // policy.
Should be in the format of email address. The email address
+ // should represent individual user or service account only.
+ repeated string identities = 2;
+
+ // Specifies the type of identities that are allowed access from outside the
+ // perimeter. If left unspecified, then members of `identities` field will
+ // be allowed access.
+ IdentityType identity_type = 3;
+ }
+
+ // Defines the conditions under which an [IngressPolicy]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+ // matches a request. Conditions are based on information about the
+ // [ApiOperation]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+ // intended to be performed on the target resource of the request. The request
+ // must satisfy what is defined in `operations` AND `resources` in order to
+ // match.
+ message IngressTo {
+ // A list of [ApiOperations]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+ // allowed to be performed by the sources specified in corresponding
+ // [IngressFrom]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+ // in this [ServicePerimeter]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeter].
+ repeated ApiOperation operations = 1;
+
+ // A list of resources, currently only projects in the form
+ // `projects/`, protected by this [ServicePerimeter]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
+ // allowed to be accessed by sources defined in the corresponding
+ // [IngressFrom]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
+ // If a single `*` is specified, then access to all resources inside the
+ // perimeter are allowed.
+ repeated string resources = 2;
+ }
+
+ // Policy for ingress into [ServicePerimeter]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeter].
+ //
+ // [IngressPolicies]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+ // match requests based on `ingress_from` and `ingress_to` stanzas. For an
+ // ingress policy to match, both the `ingress_from` and `ingress_to` stanzas
+ // must be matched. If an [IngressPolicy]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+ // matches a request, the request is allowed through the perimeter boundary
+ // from outside the perimeter.
+ //
+ // For example, access from the internet can be allowed either
+ // based on an [AccessLevel]
+ // [google.identity.accesscontextmanager.v1.AccessLevel] or, for traffic
+ // hosted on Google Cloud, the project of the source network. For access from
+ // private networks, using the project of the hosting network is required.
+ //
+ // Individual ingress policies can be limited by restricting which
+ // services and/or actions they match using the `ingress_to` field.
+ message IngressPolicy {
+ // Defines the conditions on the source of a request causing this
+ // [IngressPolicy]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+ // to apply.
+ IngressFrom ingress_from = 1;
+
+ // Defines the conditions on the [ApiOperation]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+ // and request destination that cause this [IngressPolicy]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+ // to apply.
+ IngressTo ingress_to = 2;
+ }
+
+ // Defines the conditions under which an [EgressPolicy]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+ // matches a request. Conditions based on information about the source of the
+ // request.
Note that if the destination of the request is also protected by a
+ // [ServicePerimeter]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeter], then that
+ // [ServicePerimeter]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeter] must have
+ // an [IngressPolicy]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+ // which allows access in order for this request to succeed.
+ message EgressFrom {
+ // A list of identities that are allowed access through this [EgressPolicy].
+ // Should be in the format of email address. The email address should
+ // represent individual user or service account only.
+ repeated string identities = 1;
+
+ // Specifies the type of identities that are allowed access to outside the
+ // perimeter. If left unspecified, then members of `identities` field will
+ // be allowed access.
+ IdentityType identity_type = 2;
+ }
+
+ // Defines the conditions under which an [EgressPolicy]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+ // matches a request. Conditions are based on information about the
+ // [ApiOperation]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+ // intended to be performed on the `resources` specified. Note that if the
+ // destination of the request is also protected by a [ServicePerimeter]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeter], then that
+ // [ServicePerimeter]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeter] must have
+ // an [IngressPolicy]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+ // which allows access in order for this request to succeed. The request must
+ // match `operations` AND `resources` fields in order to be allowed egress out
+ // of the perimeter.
+ message EgressTo {
+ // A list of resources, currently only projects in the form
+ // `projects/`, that are allowed to be accessed by sources
+ // defined in the corresponding [EgressFrom]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+ // A request matches if it contains a resource in this list. If `*` is
+ // specified for `resources`, then this [EgressTo]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
+ // rule will authorize access to all resources outside the perimeter.
+ repeated string resources = 1;
+
+ // A list of [ApiOperations]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+ // allowed to be performed by the sources specified in the corresponding
+ // [EgressFrom]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+ // A request matches if it uses an operation/service in this list.
+ repeated ApiOperation operations = 2;
+
+ // A list of external resources that are allowed to be accessed. Only AWS
+ // and Azure resources are supported. For Amazon S3, the supported format is
+ // s3://BUCKET_NAME. For Azure Storage, the supported format is
+ // azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches
+ // if it contains an external resource in this list (Example:
+ // s3://bucket/path). Currently '*' is not allowed.
+ repeated string external_resources = 3;
+ }
+
+ // Policy for egress from perimeter.
+ //
+ // [EgressPolicies]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+ // match requests based on `egress_from` and `egress_to` stanzas. For an
+ // [EgressPolicy]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+ // to match, both `egress_from` and `egress_to` stanzas must be matched.
If an
+ // [EgressPolicy]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+ // matches a request, the request is allowed to span the [ServicePerimeter]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeter] boundary.
+ // For example, an [EgressPolicy]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+ // can be used to allow VMs on networks within the [ServicePerimeter]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeter] to access a
+ // defined set of projects outside the perimeter in certain contexts (e.g. to
+ // read data from a Cloud Storage bucket or query against a BigQuery dataset).
+ //
+ // [EgressPolicies]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+ // are concerned with the *resources* that a request relates as well as the
+ // API services and API actions being used. They do not related to the
+ // direction of data movement. More detailed documentation for this concept
+ // can be found in the descriptions of [EgressFrom]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom]
+ // and [EgressTo]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo].
+ message EgressPolicy {
+ // Defines conditions on the source of a request causing this [EgressPolicy]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+ // to apply.
+ EgressFrom egress_from = 1;
+
+ // Defines the conditions on the [ApiOperation]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+ // and destination resources that cause this [EgressPolicy]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+ // to apply.
+ EgressTo egress_to = 2;
+ }
+
+ // A list of Google Cloud resources that are inside of the service perimeter.
+ // Currently only projects are allowed.
Format: `projects/{project_number}`
+ repeated string resources = 1;
+
+ // A list of `AccessLevel` resource names that allow resources within the
+ // `ServicePerimeter` to be accessed from the internet. `AccessLevels` listed
+ // must be in the same policy as this `ServicePerimeter`. Referencing a
+ // nonexistent `AccessLevel` is a syntax error. If no `AccessLevel` names are
+ // listed, resources within the perimeter can only be accessed via Google
+ // Cloud calls with request origins within the perimeter. Example:
+ // `"accessPolicies/MY_POLICY/accessLevels/MY_LEVEL"`.
+ // For Service Perimeter Bridge, must be empty.
+ repeated string access_levels = 2;
+
+ // Google Cloud services that are subject to the Service Perimeter
+ // restrictions. For example, if `storage.googleapis.com` is specified, access
+ // to the storage buckets inside the perimeter must meet the perimeter's
+ // access restrictions.
+ repeated string restricted_services = 4;
+
+ // Configuration for APIs allowed within Perimeter.
+ VpcAccessibleServices vpc_accessible_services = 10;
+
+ // List of [IngressPolicies]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+ // to apply to the perimeter. A perimeter may have multiple [IngressPolicies]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy],
+ // each of which is evaluated separately. Access is granted if any [Ingress
+ // Policy]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+ // grants it. Must be empty for a perimeter bridge.
+ repeated IngressPolicy ingress_policies = 8;
+
+ // List of [EgressPolicies]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+ // to apply to the perimeter. A perimeter may have multiple [EgressPolicies]
+ // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy],
+ // each of which is evaluated separately. 
Access is granted if any + // [EgressPolicy] + // [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy] + // grants it. Must be empty for a perimeter bridge. + repeated EgressPolicy egress_policies = 9; +} diff --git a/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/service_perimeter_pb2.py b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/service_perimeter_pb2.py index d0aac31c2f4b..efc833133371 100644 --- a/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/service_perimeter_pb2.py +++ b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/service_perimeter_pb2.py @@ -1,6 +1,6 @@ # -*- coding: utf-8 -*- -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -16,6 +16,7 @@ # Generated by the protocol buffer compiler. DO NOT EDIT! # source: google/identity/accesscontextmanager/v1/service_perimeter.proto +# Protobuf Python Version: 4.25.3 """Generated protocol buffer code.""" from google.protobuf import descriptor as _descriptor from google.protobuf import descriptor_pool as _descriptor_pool 
@@ -42,10 +43,14 @@ _globals, ) if _descriptor._USE_C_DESCRIPTORS == False: - DESCRIPTOR._options = None - DESCRIPTOR._serialized_options = b"\n+com.google.identity.accesscontextmanager.v1B\025ServicePerimeterProtoP\001Z\\cloud.google.com/go/accesscontextmanager/apiv1/accesscontextmanagerpb;accesscontextmanagerpb\242\002\004GACM\252\002'Google.Identity.AccessContextManager.V1\312\002'Google\\Identity\\AccessContextManager\\V1\352\002*Google::Identity::AccessContextManager::V1" - _SERVICEPERIMETER._options = None - _SERVICEPERIMETER._serialized_options = b"\352A|\n4accesscontextmanager.googleapis.com/ServicePerimeter\022DaccessPolicies/{access_policy}/servicePerimeters/{service_perimeter}" + _globals["DESCRIPTOR"]._options = None + _globals[ + "DESCRIPTOR" + ]._serialized_options = b"\n+com.google.identity.accesscontextmanager.v1B\025ServicePerimeterProtoP\001Z\\cloud.google.com/go/accesscontextmanager/apiv1/accesscontextmanagerpb;accesscontextmanagerpb\242\002\004GACM\252\002'Google.Identity.AccessContextManager.V1\312\002'Google\\Identity\\AccessContextManager\\V1\352\002*Google::Identity::AccessContextManager::V1" + _globals["_SERVICEPERIMETER"]._options = None + _globals[ + "_SERVICEPERIMETER" + ]._serialized_options = b"\352A|\n4accesscontextmanager.googleapis.com/ServicePerimeter\022DaccessPolicies/{access_policy}/servicePerimeters/{service_perimeter}" _globals["_SERVICEPERIMETER"]._serialized_start = 169 _globals["_SERVICEPERIMETER"]._serialized_end = 828 _globals["_SERVICEPERIMETER_PERIMETERTYPE"]._serialized_start = 629 diff --git a/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/service_perimeter_pb2.pyi b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/service_perimeter_pb2.pyi new file mode 100644 index 000000000000..ff42a2fc7b8c --- /dev/null +++ b/packages/google-cloud-access-context-manager/google/identity/accesscontextmanager/v1/service_perimeter_pb2.pyi 
@@ -0,0 +1,280 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from typing import ClassVar as _ClassVar +from typing import Iterable as _Iterable +from typing import Mapping as _Mapping +from typing import Optional as _Optional +from typing import Union as _Union + +from google.api import resource_pb2 as _resource_pb2 +from google.protobuf import descriptor as _descriptor +from google.protobuf import message as _message +from google.protobuf import timestamp_pb2 as _timestamp_pb2 +from google.protobuf.internal import containers as _containers +from google.protobuf.internal import enum_type_wrapper as _enum_type_wrapper + +DESCRIPTOR: _descriptor.FileDescriptor + +class ServicePerimeter(_message.Message): + __slots__ = ( + "name", + "title", + "description", + "create_time", + "update_time", + "perimeter_type", + "status", + "spec", + "use_explicit_dry_run_spec", + ) + + class PerimeterType(int, metaclass=_enum_type_wrapper.EnumTypeWrapper): + __slots__ = () + PERIMETER_TYPE_REGULAR: _ClassVar[ServicePerimeter.PerimeterType] + PERIMETER_TYPE_BRIDGE: _ClassVar[ServicePerimeter.PerimeterType] + PERIMETER_TYPE_REGULAR: ServicePerimeter.PerimeterType + PERIMETER_TYPE_BRIDGE: ServicePerimeter.PerimeterType + NAME_FIELD_NUMBER: _ClassVar[int] + TITLE_FIELD_NUMBER: _ClassVar[int] + DESCRIPTION_FIELD_NUMBER: _ClassVar[int] + CREATE_TIME_FIELD_NUMBER: _ClassVar[int] + UPDATE_TIME_FIELD_NUMBER: _ClassVar[int] + PERIMETER_TYPE_FIELD_NUMBER: 
_ClassVar[int] + STATUS_FIELD_NUMBER: _ClassVar[int] + SPEC_FIELD_NUMBER: _ClassVar[int] + USE_EXPLICIT_DRY_RUN_SPEC_FIELD_NUMBER: _ClassVar[int] + name: str + title: str + description: str + create_time: _timestamp_pb2.Timestamp + update_time: _timestamp_pb2.Timestamp + perimeter_type: ServicePerimeter.PerimeterType + status: ServicePerimeterConfig + spec: ServicePerimeterConfig + use_explicit_dry_run_spec: bool + def __init__( + self, + name: _Optional[str] = ..., + title: _Optional[str] = ..., + description: _Optional[str] = ..., + create_time: _Optional[_Union[_timestamp_pb2.Timestamp, _Mapping]] = ..., + update_time: _Optional[_Union[_timestamp_pb2.Timestamp, _Mapping]] = ..., + perimeter_type: _Optional[_Union[ServicePerimeter.PerimeterType, str]] = ..., + status: _Optional[_Union[ServicePerimeterConfig, _Mapping]] = ..., + spec: _Optional[_Union[ServicePerimeterConfig, _Mapping]] = ..., + use_explicit_dry_run_spec: bool = ..., + ) -> None: ... + +class ServicePerimeterConfig(_message.Message): + __slots__ = ( + "resources", + "access_levels", + "restricted_services", + "vpc_accessible_services", + "ingress_policies", + "egress_policies", + ) + + class IdentityType(int, metaclass=_enum_type_wrapper.EnumTypeWrapper): + __slots__ = () + IDENTITY_TYPE_UNSPECIFIED: _ClassVar[ServicePerimeterConfig.IdentityType] + ANY_IDENTITY: _ClassVar[ServicePerimeterConfig.IdentityType] + ANY_USER_ACCOUNT: _ClassVar[ServicePerimeterConfig.IdentityType] + ANY_SERVICE_ACCOUNT: _ClassVar[ServicePerimeterConfig.IdentityType] + IDENTITY_TYPE_UNSPECIFIED: ServicePerimeterConfig.IdentityType + ANY_IDENTITY: ServicePerimeterConfig.IdentityType + ANY_USER_ACCOUNT: ServicePerimeterConfig.IdentityType + ANY_SERVICE_ACCOUNT: ServicePerimeterConfig.IdentityType + + class VpcAccessibleServices(_message.Message): + __slots__ = ("enable_restriction", "allowed_services") + ENABLE_RESTRICTION_FIELD_NUMBER: _ClassVar[int] + ALLOWED_SERVICES_FIELD_NUMBER: _ClassVar[int] + enable_restriction: bool 
+ allowed_services: _containers.RepeatedScalarFieldContainer[str] + def __init__( + self, + enable_restriction: bool = ..., + allowed_services: _Optional[_Iterable[str]] = ..., + ) -> None: ... + + class MethodSelector(_message.Message): + __slots__ = ("method", "permission") + METHOD_FIELD_NUMBER: _ClassVar[int] + PERMISSION_FIELD_NUMBER: _ClassVar[int] + method: str + permission: str + def __init__( + self, method: _Optional[str] = ..., permission: _Optional[str] = ... + ) -> None: ... + + class ApiOperation(_message.Message): + __slots__ = ("service_name", "method_selectors") + SERVICE_NAME_FIELD_NUMBER: _ClassVar[int] + METHOD_SELECTORS_FIELD_NUMBER: _ClassVar[int] + service_name: str + method_selectors: _containers.RepeatedCompositeFieldContainer[ + ServicePerimeterConfig.MethodSelector + ] + def __init__( + self, + service_name: _Optional[str] = ..., + method_selectors: _Optional[ + _Iterable[_Union[ServicePerimeterConfig.MethodSelector, _Mapping]] + ] = ..., + ) -> None: ... + + class IngressSource(_message.Message): + __slots__ = ("access_level", "resource") + ACCESS_LEVEL_FIELD_NUMBER: _ClassVar[int] + RESOURCE_FIELD_NUMBER: _ClassVar[int] + access_level: str + resource: str + def __init__( + self, access_level: _Optional[str] = ..., resource: _Optional[str] = ... + ) -> None: ... 
+ + class IngressFrom(_message.Message): + __slots__ = ("sources", "identities", "identity_type") + SOURCES_FIELD_NUMBER: _ClassVar[int] + IDENTITIES_FIELD_NUMBER: _ClassVar[int] + IDENTITY_TYPE_FIELD_NUMBER: _ClassVar[int] + sources: _containers.RepeatedCompositeFieldContainer[ + ServicePerimeterConfig.IngressSource + ] + identities: _containers.RepeatedScalarFieldContainer[str] + identity_type: ServicePerimeterConfig.IdentityType + def __init__( + self, + sources: _Optional[ + _Iterable[_Union[ServicePerimeterConfig.IngressSource, _Mapping]] + ] = ..., + identities: _Optional[_Iterable[str]] = ..., + identity_type: _Optional[ + _Union[ServicePerimeterConfig.IdentityType, str] + ] = ..., + ) -> None: ... + + class IngressTo(_message.Message): + __slots__ = ("operations", "resources") + OPERATIONS_FIELD_NUMBER: _ClassVar[int] + RESOURCES_FIELD_NUMBER: _ClassVar[int] + operations: _containers.RepeatedCompositeFieldContainer[ + ServicePerimeterConfig.ApiOperation + ] + resources: _containers.RepeatedScalarFieldContainer[str] + def __init__( + self, + operations: _Optional[ + _Iterable[_Union[ServicePerimeterConfig.ApiOperation, _Mapping]] + ] = ..., + resources: _Optional[_Iterable[str]] = ..., + ) -> None: ... + + class IngressPolicy(_message.Message): + __slots__ = ("ingress_from", "ingress_to") + INGRESS_FROM_FIELD_NUMBER: _ClassVar[int] + INGRESS_TO_FIELD_NUMBER: _ClassVar[int] + ingress_from: ServicePerimeterConfig.IngressFrom + ingress_to: ServicePerimeterConfig.IngressTo + def __init__( + self, + ingress_from: _Optional[ + _Union[ServicePerimeterConfig.IngressFrom, _Mapping] + ] = ..., + ingress_to: _Optional[ + _Union[ServicePerimeterConfig.IngressTo, _Mapping] + ] = ..., + ) -> None: ... 
+ + class EgressFrom(_message.Message): + __slots__ = ("identities", "identity_type") + IDENTITIES_FIELD_NUMBER: _ClassVar[int] + IDENTITY_TYPE_FIELD_NUMBER: _ClassVar[int] + identities: _containers.RepeatedScalarFieldContainer[str] + identity_type: ServicePerimeterConfig.IdentityType + def __init__( + self, + identities: _Optional[_Iterable[str]] = ..., + identity_type: _Optional[ + _Union[ServicePerimeterConfig.IdentityType, str] + ] = ..., + ) -> None: ... + + class EgressTo(_message.Message): + __slots__ = ("resources", "operations", "external_resources") + RESOURCES_FIELD_NUMBER: _ClassVar[int] + OPERATIONS_FIELD_NUMBER: _ClassVar[int] + EXTERNAL_RESOURCES_FIELD_NUMBER: _ClassVar[int] + resources: _containers.RepeatedScalarFieldContainer[str] + operations: _containers.RepeatedCompositeFieldContainer[ + ServicePerimeterConfig.ApiOperation + ] + external_resources: _containers.RepeatedScalarFieldContainer[str] + def __init__( + self, + resources: _Optional[_Iterable[str]] = ..., + operations: _Optional[ + _Iterable[_Union[ServicePerimeterConfig.ApiOperation, _Mapping]] + ] = ..., + external_resources: _Optional[_Iterable[str]] = ..., + ) -> None: ... + + class EgressPolicy(_message.Message): + __slots__ = ("egress_from", "egress_to") + EGRESS_FROM_FIELD_NUMBER: _ClassVar[int] + EGRESS_TO_FIELD_NUMBER: _ClassVar[int] + egress_from: ServicePerimeterConfig.EgressFrom + egress_to: ServicePerimeterConfig.EgressTo + def __init__( + self, + egress_from: _Optional[ + _Union[ServicePerimeterConfig.EgressFrom, _Mapping] + ] = ..., + egress_to: _Optional[ + _Union[ServicePerimeterConfig.EgressTo, _Mapping] + ] = ..., + ) -> None: ... 
+ RESOURCES_FIELD_NUMBER: _ClassVar[int] + ACCESS_LEVELS_FIELD_NUMBER: _ClassVar[int] + RESTRICTED_SERVICES_FIELD_NUMBER: _ClassVar[int] + VPC_ACCESSIBLE_SERVICES_FIELD_NUMBER: _ClassVar[int] + INGRESS_POLICIES_FIELD_NUMBER: _ClassVar[int] + EGRESS_POLICIES_FIELD_NUMBER: _ClassVar[int] + resources: _containers.RepeatedScalarFieldContainer[str] + access_levels: _containers.RepeatedScalarFieldContainer[str] + restricted_services: _containers.RepeatedScalarFieldContainer[str] + vpc_accessible_services: ServicePerimeterConfig.VpcAccessibleServices + ingress_policies: _containers.RepeatedCompositeFieldContainer[ + ServicePerimeterConfig.IngressPolicy + ] + egress_policies: _containers.RepeatedCompositeFieldContainer[ + ServicePerimeterConfig.EgressPolicy + ] + def __init__( + self, + resources: _Optional[_Iterable[str]] = ..., + access_levels: _Optional[_Iterable[str]] = ..., + restricted_services: _Optional[_Iterable[str]] = ..., + vpc_accessible_services: _Optional[ + _Union[ServicePerimeterConfig.VpcAccessibleServices, _Mapping] + ] = ..., + ingress_policies: _Optional[ + _Iterable[_Union[ServicePerimeterConfig.IngressPolicy, _Mapping]] + ] = ..., + egress_policies: _Optional[ + _Iterable[_Union[ServicePerimeterConfig.EgressPolicy, _Mapping]] + ] = ..., + ) -> None: ...