feat(cloudasset): update the API
#### cloudasset:v1

The following keys were added:
- resources.v1.methods.analyzeIamPolicy.parameters.analysisQuery.conditionContext.accessTime.description
- resources.v1.methods.analyzeIamPolicy.parameters.analysisQuery.conditionContext.accessTime.format
- resources.v1.methods.analyzeIamPolicy.parameters.analysisQuery.conditionContext.accessTime.location
- resources.v1.methods.analyzeIamPolicy.parameters.analysisQuery.conditionContext.accessTime.type
- schemas.ConditionContext.description
- schemas.ConditionContext.id
- schemas.ConditionContext.properties.accessTime.description
- schemas.ConditionContext.properties.accessTime.format
- schemas.ConditionContext.properties.accessTime.type
- schemas.ConditionContext.type
- schemas.ConditionEvaluation.description
- schemas.ConditionEvaluation.id
- schemas.ConditionEvaluation.properties.evaluationValue.description
- schemas.ConditionEvaluation.properties.evaluationValue.enum
- schemas.ConditionEvaluation.properties.evaluationValue.enumDescriptions
- schemas.ConditionEvaluation.properties.evaluationValue.type
- schemas.ConditionEvaluation.type
- schemas.GoogleCloudAssetV1AccessControlList.properties.conditionEvaluation.$ref
- schemas.GoogleCloudAssetV1AccessControlList.properties.conditionEvaluation.description
- schemas.IamPolicyAnalysisQuery.properties.conditionContext.$ref
- schemas.IamPolicyAnalysisQuery.properties.conditionContext.description
yoshi-automation authored and sofisl committed Apr 20, 2021
1 parent 3eca406 commit 038fd10
Showing 2 changed files with 82 additions and 1 deletion.
51 changes: 50 additions & 1 deletion discovery/cloudasset-v1.json
Expand Up @@ -292,6 +292,12 @@
"repeated": true,
"type": "string"
},
"analysisQuery.conditionContext.accessTime": {
"description": "The hypothetical access timestamp to evaluate IAM conditions. Note that this value must not be earlier than the current time; otherwise, an INVALID_ARGUMENT error will be returned.",
"format": "google-datetime",
"location": "query",
"type": "string"
},
"analysisQuery.identitySelector.identity": {
"description": "Required. The identity appear in the form of members in [IAM policy binding](https://cloud.google.com/iam/reference/rest/v1/Binding). The examples of supported forms are: \"user:mike@example.com\", \"group:admins@example.com\", \"domain:google.com\", \"serviceAccount:my-project-id@appspot.gserviceaccount.com\". Notice that wildcard characters (such as * and ?) are not supported. You must give a specific identity.",
"location": "query",
Expand Down Expand Up @@ -570,7 +576,7 @@
}
}
},
"revision": "20210326",
"revision": "20210409",
"rootUrl": "https://cloudasset.googleapis.com/",
"schemas": {
"AccessSelector": {
Expand Down Expand Up @@ -806,6 +812,41 @@
},
"type": "object"
},
"ConditionContext": {
"description": "The IAM conditions context.",
"id": "ConditionContext",
"properties": {
"accessTime": {
"description": "The hypothetical access timestamp to evaluate IAM conditions. Note that this value must not be earlier than the current time; otherwise, an INVALID_ARGUMENT error will be returned.",
"format": "google-datetime",
"type": "string"
}
},
"type": "object"
},
"ConditionEvaluation": {
"description": "The Condition evaluation.",
"id": "ConditionEvaluation",
"properties": {
"evaluationValue": {
"description": "The evaluation result.",
"enum": [
"EVALUATION_VALUE_UNSPECIFIED",
"TRUE",
"FALSE",
"CONDITIONAL"
],
"enumDescriptions": [
"Reserved for future use.",
"The evaluation result is `true`.",
"The evaluation result is `false`.",
"The evaluation result is `conditional` when the condition expression contains variables that are either missing input values or have not been supported by Analyzer yet."
],
"type": "string"
}
},
"type": "object"
},
"CreateFeedRequest": {
"description": "Create asset feed request.",
"id": "CreateFeedRequest",
Expand Down Expand Up @@ -1016,6 +1057,10 @@
},
"type": "array"
},
"conditionEvaluation": {
"$ref": "ConditionEvaluation",
"description": "Condition evaluation for this AccessControlList, if there is a condition defined in the above IAM policy binding."
},
"resourceEdges": {
"description": "Resource edges of the graph starting from the policy attached resource to any descendant resources. The Edge.source_node contains the full resource name of a parent resource and Edge.target_node contains the full resource name of a child resource. This field is present only if the output_resource_edges option is enabled in request.",
"items": {
Expand Down Expand Up @@ -1976,6 +2021,10 @@
"$ref": "AccessSelector",
"description": "Optional. Specifies roles or permissions for analysis. This is optional."
},
"conditionContext": {
"$ref": "ConditionContext",
"description": "Optional. The hypothetical context for IAM conditions evaluation."
},
"identitySelector": {
"$ref": "IdentitySelector",
"description": "Optional. Specifies an identity for analysis."
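--- a/src/apis/cloudasset/v1.ts
+++ b/src/apis/cloudasset/v1.ts
@@ -302,6 +302,24 @@ export namespace cloudasset_v1 {
  */
 role?: string | null;
 }
+/**
+ * The IAM conditions context.
+ */
+export interface Schema$ConditionContext {
+/**
+ * The hypothetical access timestamp to evaluate IAM conditions. Note that this value must not be earlier than the current time; otherwise, an INVALID_ARGUMENT error will be returned.
+ */
+accessTime?: string | null;
+}
+/**
+ * The Condition evaluation.
+ */
+export interface Schema$ConditionEvaluation {
+/**
+ * The evaluation result.
+ */
+evaluationValue?: string | null;
+}
 /**
  * Create asset feed request.
  */
@@ -446,6 +464,10 @@ export namespace cloudasset_v1 {
  * The accesses that match one of the following conditions: - The access_selector, if it is specified in request; - Otherwise, access specifiers reachable from the policy binding's role.
  */
 accesses?: Schema$GoogleCloudAssetV1Access[];
+/**
+ * Condition evaluation for this AccessControlList, if there is a condition defined in the above IAM policy binding.
+ */
+conditionEvaluation?: Schema$ConditionEvaluation;
 /**
  * Resource edges of the graph starting from the policy attached resource to any descendant resources. The Edge.source_node contains the full resource name of a parent resource and Edge.target_node contains the full resource name of a child resource. This field is present only if the output_resource_edges option is enabled in request.
  */
@@ -1122,6 +1144,10 @@ export namespace cloudasset_v1 {
  * Optional. Specifies roles or permissions for analysis. This is optional.
  */
 accessSelector?: Schema$AccessSelector;
+/**
+ * Optional. The hypothetical context for IAM conditions evaluation.
+ */
+conditionContext?: Schema$ConditionContext;
 /**
  * Optional. Specifies an identity for analysis.
  */
@@ -2664,6 +2690,8 @@ export namespace cloudasset_v1 {
  * 'analysisQuery.accessSelector.permissions': 'placeholder-value',
  * // Optional. The roles to appear in result.
  * 'analysisQuery.accessSelector.roles': 'placeholder-value',
+ * // The hypothetical access timestamp to evaluate IAM conditions. Note that this value must not be earlier than the current time; otherwise, an INVALID_ARGUMENT error will be returned.
+ * 'analysisQuery.conditionContext.accessTime': 'placeholder-value',
  * // Required. The identity appear in the form of members in [IAM policy binding](https://cloud.google.com/iam/reference/rest/v1/Binding). The examples of supported forms are: "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com". Notice that wildcard characters (such as * and ?) are not supported. You must give a specific identity.
  * 'analysisQuery.identitySelector.identity': 'placeholder-value',
  * // Optional. If true, the response will include access analysis from identities to resources via service account impersonation. This is a very expensive operation, because many derived queries will be executed. We highly recommend you use AssetService.AnalyzeIamPolicyLongrunning rpc instead. For example, if the request analyzes for which resources user A has permission P, and there's an IAM policy states user A has iam.serviceAccounts.getAccessToken permission to a service account SA, and there's another IAM policy states service account SA has permission P to a GCP folder F, then user A potentially has access to the GCP folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Another example, if the request analyzes for who has permission P to a GCP folder F, and there's an IAM policy states user A has iam.serviceAccounts.actAs permission to a service account SA, and there's another IAM policy states service account SA has permission P to the GCP folder F, then user A potentially has access to the GCP folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Default is false.
@@ -3530,6 +3558,10 @@ export namespace cloudasset_v1 {
  * Optional. The roles to appear in result.
  */
 'analysisQuery.accessSelector.roles'?: string[];
+/**
+ * The hypothetical access timestamp to evaluate IAM conditions. Note that this value must not be earlier than the current time; otherwise, an INVALID_ARGUMENT error will be returned.
+ */
+'analysisQuery.conditionContext.accessTime'?: string;
 /**
  * Required. The identity appear in the form of members in [IAM policy binding](https://cloud.google.com/iam/reference/rest/v1/Binding). The examples of supported forms are: "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com". Notice that wildcard characters (such as * and ?) are not supported. You must give a specific identity.
  */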
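Review bot: The TSDoc on `evaluationValue` in the new `Schema$ConditionEvaluation` says only "The evaluation result.", and the field is typed as a plain `string`, so a consumer of the generated client gets no hint that the value set is EVALUATION_VALUE_UNSPECIFIED / TRUE / FALSE / CONDITIONAL, which the discovery document in the first file section spells out with descriptions. That gap matters for access analysis: per those descriptions CONDITIONAL means the analyzer could not evaluate the binding's condition (missing input values or variables it does not support yet), not that the condition held, so code that branches only on `'TRUE'` versus `'FALSE'` will silently drop or misclassify those bindings. I would carry the enum into the comment, e.g. `The evaluation result: EVALUATION_VALUE_UNSPECIFIED, TRUE, FALSE, or CONDITIONAL (the condition references variables with no supplied input or not yet supported by the analyzer; treat as unknown, not as TRUE or FALSE).` Since this file is generated from the discovery document, the wording belongs in the upstream `enumDescriptions`/field description rather than a hand edit here.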
